20241017

date.txt

@@ -1 +1 @@
-20241016
+20241017

poc/auth/ETIC_telecom_router_login_page.yaml

@@ -0,0 +1,24 @@
+id: custom_http_template
+info:
+  name: find up ETIC telecom web panel
+  author: biero-el-corridor
+  severity: info
+
+http:
+  - method: GET
+
+    path:
+      - "{{Host}}:4433/login.htm"
+      - "{{Host}}:8080/login.htm"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+        condition: and
+
+      - type: word
+        words: 
+          - "Please identify yourself"
+        part: body
+

poc/auth/LOYETC_PLC_defaul_password.yaml

@@ -0,0 +1,30 @@
+id: loytec-default-password
+
+info:
+  name: Loytec PLC Default Password testing
+  author: biero
+  severity: high
+  tags: loytec
+
+requests:
+  - raw:
+    - |
+      POST /webui/login HTTP/2
+      Host: {{Hostname}}
+      X-Create-Session: 1
+      Content-Type: application/x-www-form-urlencoded
+      Content-Length: 32
+
+      username=admin&password=loytec4u&login=Login
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+        condition: and
+
+      - type: word
+        words:
+          - '"sessUser":"admin","loggedIn":true}'
+        part: body

poc/auth/SIEMENS_SIMATIC_HMI_Miniweb_defualt_password.yaml

@@ -0,0 +1,24 @@
+id: SIEMENS-SIMATIC-HMI-Miniweb-defualt-password
+
+info:
+  name: Loytec PLC Default Password testing
+  author: biero-el-corridor
+  severity: high
+  tags: loytec
+
+requests:
+  - raw:
+    - |
+      POST /FormLogin HTTP/1.1
+      Host: {{Hostname}}
+      X-Create-Session: 1
+      Content-Type: application/x-www-form-urlencoded
+      Content-Length: 74
+
+      Login=Administrator&Redirection=%2FTemplates%2FLoginpage.html&Password=100
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200

poc/auth/Siemens_LOGO_login_page.yaml

@@ -0,0 +1,21 @@
+id: Detect_Siemens_LOGO_8_PLC
+
+info:
+  name: find up siemens logo! 8 web panel
+  author: biero-el-corridor
+  severity: low
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/logo_login.shtm?!App-Language="
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+        condition: and
+      - type: word
+        part: body
+          - "ReadMe OSS"

poc/auth/iam-user-password-change.yaml

@@ -0,0 +1,29 @@
+id: iam-user-password-change
+info:
+  name: Enable Self-Service Password Change for IAM Users
+  author: princechaddha
+  severity: high
+  description: |
+    Verifies that all Amazon IAM users have permissions to change their own console passwords, allowing access to 'iam:ChangePassword' for their accounts and 'iam:GetAccountPasswordPolicy' action.
+  reference:
+    - https://docs.aws.amazon.com/cli/latest/reference/iam/get-account-password-policy.html
+  tags: cloud,devops,aws,amazon,iam,aws-cloud-config
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws iam get-account-password-policy --query 'PasswordPolicy.AllowUsersToChangePassword'
+
+    matchers:
+      - type: word
+        words:
+          - "true"
+
+    extractors:
+      - type: dsl
+        dsl:
+          - '"AllowUsersToChangePassword Policy is not enabled in your AWS account"'
+# digest: 4b0a00483046022100b046545d3c72c54dee9c4051661d61c8241cbce1fb0f655fa4bb1e8461b3f295022100a7bb33ba3ddff07e68db9bd748802715215b8d62be69ab27fab22c5e539cbb28:922c64590222798bb761d5b6d8e72950

poc/auth/nextend-social-login-pro.yaml

@@ -0,0 +1,59 @@
+id: nextend-social-login-pro
+
+info:
+  name: >
+    Nextend Social Login Pro <= 3.1.14 - Authentication Bypass
+  author: topscoder
+  severity: critical
+  description: >
+    
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/0e4588d1-f21e-48ba-a8cb-d18c421f000a?source=api-scan
+  classification:
+    cvss-metrics: 
+    cvss-score: 
+    cve-id: 
+  metadata:
+    fofa-query: "wp-content/plugins/nextend-social-login-pro/"
+    google-query: inurl:"/wp-content/plugins/nextend-social-login-pro/"
+    shodan-query: 'vuln:'
+  tags: cve,wordpress,wp-plugin,nextend-social-login-pro,critical
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/nextend-social-login-pro/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "nextend-social-login-pro"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 3.1.14')

poc/auth/pinata-keys-exposed.yaml

@@ -0,0 +1,28 @@
+id: pinata-keys-exposed
+
+info:
+  name: Pinata API Secrets Exposed
+  author: kaks3c
+  severity: high
+  reference: https://github.com/karkis3c/bugbounty/blob/main/poc/pinata-api-key.md
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    matchers:
+      - type: word
+        words:
+          - "pinata_api_secret"
+          - "pinata_api_key"
+        condition: and
+        case-insensitive: true
+
+    extractors:
+      - type: regex
+        part: body
+        regex:
+          - "(?i)pinata_api_key\\s*[:=]\\s*[\"']?([a-zA-Z0-9_\\-]+)[\"']?"
+          - "(?i)pinata_api_secret\\s*[:=]\\s*[\"']?([a-zA-Z0-9_\\-]+)[\"']?"
+        group: 1

poc/auth/publishpress-authors-aaae11f293980d2db000f794df5fea87.yaml

@@ -0,0 +1,59 @@
+id: publishpress-authors-aaae11f293980d2db000f794df5fea87
+
+info:
+  name: >
+    Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors <= 4.7.1 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary User Email Update and Account Takeover
+  author: topscoder
+  severity: low
+  description: >
+    
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/d0506137-82e3-4988-9b23-370465a866c0?source=api-scan
+  classification:
+    cvss-metrics: 
+    cvss-score: 
+    cve-id: 
+  metadata:
+    fofa-query: "wp-content/plugins/publishpress-authors/"
+    google-query: inurl:"/wp-content/plugins/publishpress-authors/"
+    shodan-query: 'vuln:'
+  tags: cve,wordpress,wp-plugin,publishpress-authors,low
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/publishpress-authors/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "publishpress-authors"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 4.7.1')

poc/auth/stored-credentials.yaml

@@ -0,0 +1,13 @@
+id: basic-auth-creds
+info:
+  name: Basic Auth Credentials
+  author: gaurang
+  severity: high
+  tags: token,file
+file:
+  - extensions:
+      - all
+    extractors:
+      - type: regex
+        regex:
+          - "[a-zA-Z]{3,10}://[^/\\s:@]{3,20}:[^/\\s:@]{3,20}@.{1,100}[\"'\\s]"

poc/aws/create-flipbook-from-pdf-83c50a0124641ec28b087d66d2852640.yaml

@@ -0,0 +1,59 @@
+id: create-flipbook-from-pdf-83c50a0124641ec28b087d66d2852640
+
+info:
+  name: >
+    Creates 3D Flipbook, PDF Flipbook <= 1.2 - Authenticated (Subscriber+) Arbitrary File Upload
+  author: topscoder
+  severity: low
+  description: >
+    
+  reference:
+    - https://github.com/topscoder/nuclei-wordfence-cve
+    - https://www.wordfence.com/threat-intel/vulnerabilities/id/5b5c8733-7396-4ae5-862d-15db370dbdd7?source=api-scan
+  classification:
+    cvss-metrics: 
+    cvss-score: 
+    cve-id: 
+  metadata:
+    fofa-query: "wp-content/plugins/create-flipbook-from-pdf/"
+    google-query: inurl:"/wp-content/plugins/create-flipbook-from-pdf/"
+    shodan-query: 'vuln:'
+  tags: cve,wordpress,wp-plugin,create-flipbook-from-pdf,low
+
+http:
+  - method: GET
+    redirects: true
+    max-redirects: 3
+    path:
+      - "{{BaseURL}}/wp-content/plugins/create-flipbook-from-pdf/readme.txt"
+
+    extractors:
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+      - type: regex
+        name: version
+        part: body
+        group: 1
+        regex:
+          - "(?mi)Stable tag: ([0-9.]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "create-flipbook-from-pdf"
+        part: body
+
+      - type: dsl
+        dsl:
+          - compare_versions(version, '<= 1.2')