20241016

date.txt

@@ -1 +1 @@
-20241015
+20241016

poc/adobe/adobe-coldfusion-admin-interface.yaml

@@ -0,0 +1,29 @@
+id: adobe-coldfusion-admin-interface
+
+info:
+  name: Adobe ColdFusion Admin Interface
+  author: Caddyshack2175
+  severity: info
+  description: Test to find/detect Coldfusion Admin login interface.
+  tags: adobe,coldfusion,tech
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/CFIDE/administrator/index.cfm"
+      - "{{BaseURL}}/cfide/administrator/index.cfm"
+    redirects: true
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        condition: and
+        regex:
+          - 'ColdFusion Administrator Login'
+          - 'name="loginform" action="/CFIDE/administrator/enter.cfm"'
+          - 'background="/CFIDE/administrator/images/loginbackground.jpg"'
+          - 'Please enable Javascript to use ColdFusion Administrator'
+      - type: status
+        status:
+          - 200

poc/api/api_manager.yaml

@@ -0,0 +1,24 @@
+id: api_manager
+info:
+  name: api_manager
+  author: cn-kali-team
+  tags: detect,tech,api_manager
+  severity: info
+  metadata:
+    fofa-query:
+    - icon_hash=1398055326
+    google-query:
+    - inurl:"carbon/admin/login"
+    product: api_manager
+    shodan-query:
+    - http.favicon.hash:1398055326
+    vendor: wso2
+    verified: true
+http:
+- method: GET
+  path:
+  - '{{BaseURL}}/'
+  matchers:
+  - type: favicon
+    hash:
+    - '1398055326'

poc/auth/keycloak.yaml

@@ -0,0 +1,34 @@
+id: keycloak
+info:
+  name: keycloak
+  author: cn-kali-team
+  tags: detect,tech,keycloak
+  severity: info
+  metadata:
+    fofa-query:
+    - title="keycloak"
+    - icon_hash=-1105083093
+    - body="keycloak"
+    google-query:
+    - intitle:"keycloak"
+    product: keycloak
+    shodan-query:
+    - title:"keycloak"
+    - http.title:"keycloak"
+    - http.html:"keycloak"
+    - http.favicon.hash:-1105083093
+    - html:"keycloak"
+    vendor: redhat
+    verified: true
+http:
+- method: GET
+  path:
+  - '{{BaseURL}}/'
+  matchers:
+  - type: word
+    words:
+    - keycloak
+    case-insensitive: true
+  - type: favicon
+    hash:
+    - '-1105083093'

poc/auth/nextend-social-login-pro-c25f3a5689217d407e64d17fa2f55687.yaml

@@ -0,0 +1,59 @@
+id: nextend-social-login-pro-c25f3a5689217d407e64d17fa2f55687
+
+info:
+  name: >
+    Nextend Social Login Pro <= 3.1.14 - Authentication Bypass
+  author: topscoder
+  severity: critical
+  description: >
+    
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/0e4588d1-f21e-48ba-a8cb-d18c421f000a?source=api-scan
+  classification:
+    cvss-metrics: 
+    cvss-score: 
+    cve-id: 
+  metadata:
+    fofa-query: "wp-content/plugins/nextend-social-login-pro/"
+    google-query: inurl:"/wp-content/plugins/nextend-social-login-pro/"
+    shodan-query: 'vuln:'
+  tags: cve,wordpress,wp-plugin,nextend-social-login-pro,critical
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/nextend-social-login-pro/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "nextend-social-login-pro"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 3.1.14')

poc/auth/onekeyadmin.yaml

@@ -0,0 +1,24 @@
+id: onekeyadmin
+info:
+  name: onekeyadmin
+  author: cn-kali-team
+  tags: detect,tech
+  severity: info
+  metadata:
+    product: onekeyadmin
+    vendor: 00_unknown
+    verified: false
+http:
+- method: GET
+  path:
+  - '{{BaseURL}}/'
+  matchers:
+  - type: word
+    words:
+    - onekeyadmin
+    - /admin/css/onekey.min.cs
+    condition: and
+    case-insensitive: true
+  - type: favicon
+    hash:
+    - 507fcbebf363f4327fcb49294a864c24

poc/auth/two-factor-login-telegram.yaml

@@ -0,0 +1,59 @@
+id: two-factor-login-telegram
+
+info:
+  name: >
+    WP 2FA with Telegram <= 3.0 - Authenticated (Subscriber+) Authentication Bypass
+  author: topscoder
+  severity: low
+  description: >
+    
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/13b5292f-4484-498b-b6b7-2895871ab794?source=api-scan
+  classification:
+    cvss-metrics: 
+    cvss-score: 
+    cve-id: 
+  metadata:
+    fofa-query: "wp-content/plugins/two-factor-login-telegram/"
+    google-query: inurl:"/wp-content/plugins/two-factor-login-telegram/"
+    shodan-query: 'vuln:'
+  tags: cve,wordpress,wp-plugin,two-factor-login-telegram,low
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/two-factor-login-telegram/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "two-factor-login-telegram"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 3.0')

poc/aws/CVE-2018-25105-ec285d2d6c4e0896c988504fde36e466.yaml

@@ -0,0 +1,59 @@
+id: CVE-2018-25105-ec285d2d6c4e0896c988504fde36e466
+
+info:
+  name: >
+    File Manager <= 3.0 - Unauthenticated Arbitrary File Upload/Download
+  author: topscoder
+  severity: critical
+  description: >
+    The  File Manager plugin for WordPress is vulnerable to authorization bypass due to a missing capability check in the /inc/root.php file in versions up to, and including, 3.0. This makes it possible for unauthenticated attackers to download arbitrary files from the server and upload arbitrary files that can be used for remote code execution.
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/a56d5a2f-ae13-4523-bc4a-17bb2fb4c6f0?source=api-prod
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2018-25105
+  metadata:
+    fofa-query: "wp-content/plugins/wp-file-manager/"
+    google-query: inurl:"/wp-content/plugins/wp-file-manager/"
+    shodan-query: 'vuln:CVE-2018-25105'
+  tags: cve,wordpress,wp-plugin,wp-file-manager,critical
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/wp-file-manager/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "wp-file-manager"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 3.0')

poc/cisco/cisco-ios-xe.yaml

@@ -0,0 +1,23 @@
+id: cisco-ios-xe
+info:
+  name: cisco-ios-xe
+  author: cn-kali-team
+  tags: detect,tech
+  severity: info
+  metadata:
+    product: cisco-ios-xe
+    vendor: 00_unknown
+    verified: false
+http:
+- method: GET
+  path:
+  - '{{BaseURL}}/'
+  matchers:
+  - type: favicon
+    hash:
+    - d2962d133fd209cf567d05d1683f3fc1
+  - type: word
+    words:
+    - <script>window.onload=function(){ url ='/webui';window.location.href=url;}</script>
+    - <script>window.onload=function(){ url ='/webui/';window.location.href=url;}</script>
+    case-insensitive: true

poc/coldfusion/adobe-coldfusion-admin-interface.yaml

@@ -0,0 +1,29 @@
+id: adobe-coldfusion-admin-interface
+
+info:
+  name: Adobe ColdFusion Admin Interface
+  author: Caddyshack2175
+  severity: info
+  description: Test to find/detect Coldfusion Admin login interface.
+  tags: adobe,coldfusion,tech
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/CFIDE/administrator/index.cfm"
+      - "{{BaseURL}}/cfide/administrator/index.cfm"
+    redirects: true
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        condition: and
+        regex:
+          - 'ColdFusion Administrator Login'
+          - 'name="loginform" action="/CFIDE/administrator/enter.cfm"'
+          - 'background="/CFIDE/administrator/images/loginbackground.jpg"'
+          - 'Please enable Javascript to use ColdFusion Administrator'
+      - type: status
+        status:
+          - 200

poc/config/micollab_audio,_web_&_video_conferencing.yaml

@@ -0,0 +1,24 @@
+id: micollab_audio,_web_&_video_conferencing
+info:
+  name: micollab_audio,_web_&_video_conferencing
+  author: cn-kali-team
+  tags: detect,tech,micollab_audio,_web_&_video_conferencing
+  severity: info
+  metadata:
+    fofa-query:
+    - body="mitel" html:"micollab"
+    product: micollab_audio,_web_&_video_conferencing
+    shodan-query:
+    - html:"mitel" html:"micollab"
+    - http.html:"mitel" html:"micollab"
+    vendor: mitel
+    verified: true
+http:
+- method: GET
+  path:
+  - '{{BaseURL}}/'
+  matchers:
+  - type: word
+    words:
+    - mitel" html:"micollab
+    case-insensitive: true