20241105

date.txt

@@ -1 +1 @@
-20241104
+20241105

poc/auth/loginizer-a645aa27d21902e8047247162f3fd0fb.yaml

@@ -0,0 +1,59 @@
+id: loginizer-a645aa27d21902e8047247162f3fd0fb
+
+info:
+  name: >
+    Loginizer Security and Loginizer <= 1.9.2 - Authentication Bypass
+  author: topscoder
+  severity: critical
+  description: >
+    
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/5db00b22-d766-4fde-86fe-98d90936028c?source=api-scan
+  classification:
+    cvss-metrics: 
+    cvss-score: 
+    cve-id: 
+  metadata:
+    fofa-query: "wp-content/plugins/loginizer/"
+    google-query: inurl:"/wp-content/plugins/loginizer/"
+    shodan-query: 'vuln:'
+  tags: cve,wordpress,wp-plugin,loginizer,critical
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/loginizer/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "loginizer"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 1.9.2')

poc/auth/loginizer-security-a645aa27d21902e8047247162f3fd0fb.yaml

@@ -0,0 +1,59 @@
+id: loginizer-security-a645aa27d21902e8047247162f3fd0fb
+
+info:
+  name: >
+    Loginizer Security and Loginizer <= 1.9.2 - Authentication Bypass
+  author: topscoder
+  severity: critical
+  description: >
+    
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/5db00b22-d766-4fde-86fe-98d90936028c?source=api-scan
+  classification:
+    cvss-metrics: 
+    cvss-score: 
+    cve-id: 
+  metadata:
+    fofa-query: "wp-content/plugins/loginizer-security/"
+    google-query: inurl:"/wp-content/plugins/loginizer-security/"
+    shodan-query: 'vuln:'
+  tags: cve,wordpress,wp-plugin,loginizer-security,critical
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/loginizer-security/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "loginizer-security"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 1.9.2')

poc/auth/secret-manager-not-inuse.yaml

@@ -0,0 +1,39 @@
+id: secret-manager-not-inuse
+
+info:
+  name: Secrets Manager Not In Use
+  author: DhiyaneshDK
+  severity: info
+  description: |
+    Ensure that Amazon Secrets Manager service is used in your AWS account to manage access credentials (i.e. secrets) such as API keys, OAuth tokens and database credentials.
+  impact: |
+    AWS Secrets Manager improves security by securely managing and rotating sensitive credentials, reducing the risk of exposure and unauthorized access.
+  remediation: |
+    Ensure AWS Secrets Manager is used to securely store, manage, and rotate sensitive credentials such as API keys, database passwords, and tokens, and remove hard-coded secrets from applications.
+  reference:
+    - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/SecretsManager/secrets-manager-in-use.html
+    - https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html
+  tags: cloud,devops,aws,amazon,secret-manager,aws-cloud-config
+
+variables:
+  region: "us-west-2"
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws secretsmanager list-secrets --region $region --query 'SecretList[*].Name' --output json
+
+    matchers:
+      - type: word
+        words:
+          - '[]'
+
+    extractors:
+      - type: dsl
+        dsl:
+          - '"Secrets Manager Not In Use" + region + " AWS region"'
+
+# digest: 490a0046304402200e2c354631b02316b048496d0fdf8cb56979021e7471502f4bac411eb968cf27022070f19dc772acf073dd838446984ed564fa37ede750abec65bfc4b2f2e30d1a71:922c64590222798bb761d5b6d8e72950

poc/auth/secrets-rotation-disabled.yaml

@@ -0,0 +1,60 @@
+id: secrets-rotation-disabled
+
+info:
+  name: Secret Rotation Disabled
+  author: DhiyaneshDK
+  severity: medium
+  description: |
+    Ensure that AWS Secrets Manager service is configured to automatically rotate your service or database secrets (i.e. enable automatic rotation feature for your secrets).
+  impact: |
+    Secret rotation disabled in AWS increases the risk of credential compromise and prolonged unauthorized access due to outdated or exposed secrets.
+  remediation: |
+    Enable automatic secret rotation in AWS Secrets Manager by configuring a rotation schedule and associating a Lambda function to periodically update and securely rotate the secrets.
+  reference:
+    - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/SecretsManager/rotation-enabled.html
+    - https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/rotate-secret.html
+  tags: cloud,devops,aws,amazon,secrets-manager,aws-cloud-config
+
+variables:
+  region: "us-west-2"
+
+flow: |
+  code(1)
+  for(let SecretListName of iterate(template.secrets)){
+    set("secretlist", SecretListName)
+    code(2)
+  }
+
+self-contained: true
+
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws secretsmanager list-secrets --region $region --query 'SecretList[*].Name' --output json
+
+    extractors:
+      - type: json
+        name: secrets
+        internal: true
+        json:
+          - '.[]'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+        aws secretsmanager describe-secret --region $region --secret-id $secretlist --query 'RotationEnabled'
+
+    matchers:
+      - type: word
+        words:
+          - "false"
+
+    extractors:
+      - type: dsl
+        dsl:
+          - '"Secrets Rotation  " + secretlist + " is disabled"'
+
+# digest: 4a0a0047304502202b6d8744ea62cccd83f82092a5c2ad3f1f297cccd8718800b6b9b4ea03ec7d01022100d33f07d7af0dba63fa6aed833e1fbdfae2617eea7a3035cee5c46c2f90df90f1:922c64590222798bb761d5b6d8e72950

poc/auth/woo-social-login-a64e5bcd27fefd85d4b1e668e5e4d7eb.yaml

@@ -0,0 +1,59 @@
+id: woo-social-login-a64e5bcd27fefd85d4b1e668e5e4d7eb
+
+info:
+  name: >
+    Social Login - WordPress / WooCommerce Plugin <= 2.7.7 - Authentication Bypass
+  author: topscoder
+  severity: critical
+  description: >
+    
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/71df23bf-8f51-4260-be1f-ed5bc29d4afe?source=api-scan
+  classification:
+    cvss-metrics: 
+    cvss-score: 
+    cve-id: 
+  metadata:
+    fofa-query: "wp-content/plugins/woo-social-login/"
+    google-query: inurl:"/wp-content/plugins/woo-social-login/"
+    shodan-query: 'vuln:'
+  tags: cve,wordpress,wp-plugin,woo-social-login,critical
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/woo-social-login/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "woo-social-login"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 2.7.7')

poc/aws/photo-gallery-12f78c4bb323292b8a5ec4ec298d6026.yaml

@@ -0,0 +1,59 @@
+id: photo-gallery-12f78c4bb323292b8a5ec4ec298d6026
+
+info:
+  name: >
+    Photo Gallery by 10Web <= 1.8.30 - Authenticated (Administrator+) Stored Cross-Site Scripting
+  author: topscoder
+  severity: low
+  description: >
+    
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/bfa1192b-34f5-4b71-8fff-14f2d4ac4aca?source=api-scan
+  classification:
+    cvss-metrics: 
+    cvss-score: 
+    cve-id: 
+  metadata:
+    fofa-query: "wp-content/plugins/photo-gallery/"
+    google-query: inurl:"/wp-content/plugins/photo-gallery/"
+    shodan-query: 'vuln:'
+  tags: cve,wordpress,wp-plugin,photo-gallery,low
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/photo-gallery/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "photo-gallery"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 1.8.30')

poc/backup/veritas-netbackup-panel.yaml

@@ -0,0 +1,32 @@
+id: veritas-netbackup-panel
+
+info:
+  name: Veritas NetBackup OpsCenter Analytics Login - Detect
+  author: rxerium
+  severity: info
+  description: |
+    A Veritas NetBackup OpsCenter Analytics page was detected.
+  reference:
+    - https://www.veritas.com/
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: html:"Veritas NetBackup OpsCenter Analytics"
+  tags: panel,veritas,netbackup,opscenter,login,detect
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/opscenter/"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<title>Veritas NetBackup OpsCenter Analytics'
+
+      - type: status
+        status:
+          - 200
+# digest: 4a0a00473045022100aae7c24c1b275e2b7f5090b2f5edd0730740a14f3394b0df694d6e8278c1830002207b203080262845c5af9bd9067d76fe44f4cc8b2abfbe27d84bc4c25805cf9c96:922c64590222798bb761d5b6d8e72950