20241008
actions-user committed Oct 8, 2024
1 parent 720a6f0 commit 3f1756a
Showing 1,084 changed files with 12,973 additions and 16,358 deletions.
2 changes: 1 addition & 1 deletion date.txt
@@ -1 +1 @@
20241007
20241008
59 changes: 59 additions & 0 deletions poc.txt


2 changes: 0 additions & 2 deletions poc/adobe/AEM_misconfig.yaml
@@ -1,10 +1,8 @@
id: aem-misconfigs

info:
name: Misconfigs and Auth bypasses for older unpatched AEM versions not an exhaustive list but ones Ive had luck with
author: panch0r3d
severity: high

requests:
- method: GET
path:
53 changes: 27 additions & 26 deletions poc/adobe/adobe-connect-username-exposure-98.yaml
@@ -1,26 +1,27 @@
id: adobe-connect-username-exposure

info:
name: Adobe Connect Username Exposure
reference: https://packetstormsecurity.com/files/161345/Adobe-Connect-10-Username-Disclosure.html
author: dhiyaneshDk
severity: low
tags: adobe,disclosure

requests:
- method: GET
path:
- "{{BaseURL}}/system/help/support"

matchers-condition: and
matchers:
- type: word
words:
- 'Administrators name:'
- 'Support Administrators email address:'
part: body
condition: and

- type: status
status:
- 200
id: adobe-connect-username-exposure

info:
name: Adobe Connect Username Exposure
author: dhiyaneshDk
severity: low
reference:
- https://packetstormsecurity.com/files/161345/Adobe-Connect-10-Username-Disclosure.html
tags: adobe,disclosure

requests:
- method: GET
path:
- "{{BaseURL}}/system/help/support"

matchers-condition: and
matchers:
- type: word
words:
- 'Administrators name:'
- 'Support Administrators email address:'
part: body
condition: and

- type: status
status:
- 200
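Review bot: Neither printed version of the info block carries a `description`, which the other templates touched by this commit (adobe-experience-manager-login-105.yaml, aem-default-get-servlet-139.yaml) now include; the matcher strings make the finding clear enough to document, e.g. `description: The Adobe Connect /system/help/support page discloses the administrator name and the support administrator e-mail address.` The two versions differ only in `reference` moving between a bare scalar and a one-item list, yet all 26 lines are reported replaced, which suggests an indentation rewrite this rendered view cannot show; since nuclei nests `words`, `part` and `condition` by indentation, run `nuclei -validate` on the file before merging. Because the +/- markers are not preserved here, which form of `reference` survives is inferred rather than certain.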
11 changes: 9 additions & 2 deletions poc/adobe/adobe-experience-manager-login-105.yaml
@@ -1,10 +1,15 @@
id: adobe-experience-manager-login

info:
name: Adobe-Experience-Manager
name: Adobe Experience Manager Login Panel
author: dhiyaneshDK
severity: info
reference: https://www.shodan.io/search?query=http.title%3A%22AEM+Sign+In%22
description: An Adobe Experience Manager login panel was detected.
reference:
- https://www.shodan.io/search?query=http.title%3A%22AEM+Sign+In%22
- https://business.adobe.com/products/experience-manager/adobe-experience-manager.html
classification:
cwe-id: CWE-200
tags: panel,aem,adobe

requests:
Expand All @@ -21,3 +26,5 @@ requests:
- type: status
status:
- 200

# Enhanced by mp on 2022/03/20
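Review bot: The Shodan search URL at `- https://www.shodan.io/search?query=http.title%3A%22AEM+Sign+In%22` is filed under `reference`, while the sibling templates in this commit (aem-detection-145.yaml, airflow-detect.yaml, apache-apisix-panel-336.yaml) keep search queries under `metadata`, where tooling reads them; add `metadata:` / `shodan-query: http.title:"AEM Sign In"` (the decoded query) and keep only the product page under `reference`. Both `name:` lines and both `reference:` forms appear in the first hunk with the +/- markers lost; duplicate keys are silently last-wins in most YAML loaders, so confirm that exactly one of each remains on the new side. The `# Enhanced by mp on 2022/03/20` trailer stores provenance in a comment that round-trip tooling drops; if it is meant to persist, `metadata` is the place for it.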
15 changes: 13 additions & 2 deletions poc/adobe/aem-default-get-servlet-139.yaml
Expand Up @@ -3,13 +3,24 @@ info:
author: DhiyaneshDk
name: AEM DefaultGetServlet
severity: low
reference: https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps?slide=43
tags: aem
description: Sensitive information might be exposed via AEM DefaultGetServlet.
reference:
- https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps?slide=43
- https://github.com/thomashartm/burp-aem-scanner/blob/master/src/main/java/burp/actions/dispatcher/GetServletExposed.java
tags: aem,adobe


requests:
- method: GET
path:
- '{{BaseURL}}/etc'
- '{{BaseURL}}/var'
- '{{BaseURL}}/apps'
- '{{BaseURL}}/home'
- '{{BaseURL}}///etc'
- '{{BaseURL}}///var'
- '{{BaseURL}}///apps'
- '{{BaseURL}}///home'
- '{{BaseURL}}/.json'
- '{{BaseURL}}/.1.json'
- '{{BaseURL}}/....4.2.1....json'
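Review bot: Two consecutive blank lines separate `tags: aem,adobe` from `requests:` while the rest of the file uses one; if both survive on the new side, yamllint's `empty-lines` rule flags it, and aem-userinfo-servlet-193.yaml in this commit has the same double blank before `requests:`. The enlarged path list mixes `/etc`, `///etc`, `/.json` and `/....4.2.1....json` forms of the same repository roots without saying why they are all probed; a short comment above the list, e.g. `# plain, triple-slash and .json-suffix spellings of the same repository roots; the matcher below decides whether the servlet answered`, would help the next maintainer. The matchers for this request sit below the hunk and are not visible here.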
4 changes: 2 additions & 2 deletions poc/adobe/aem-detection-145.yaml
Expand Up @@ -2,8 +2,9 @@ id: aem-detection

info:
name: Favicon based AEM Detection
author: shifacyclewala,hackergautam
severity: info
author: shifacyclewala,hackergautam
tags: aem,favicon,tech
reference:
- https://twitter.com/brsn76945860/status/1171233054951501824
- https://gist.github.com/yehgdotnet/b9dfc618108d2f05845c4d8e28c5fc6a
Expand All @@ -12,7 +13,6 @@ info:
- https://github.com/sansatart/scrapts/blob/master/shodan-favicon-hashes.csv
metadata:
shodan-query: http.component:"Adobe Experience Manager"
tags: aem,favicon,tech

requests:
- method: GET
16 changes: 7 additions & 9 deletions poc/adobe/aem-detection.yaml
@@ -1,19 +1,16 @@
id: aem-detection
id: favicon-detection-AEM

info:
name: Favicon based AEM Detection
author: shifacyclewala,hackergautam
name: favicon-detection-AEM (Adobe Experience Manager)
severity: info
reference:
author: shifacyclewala hackergautam
reference: |
- https://twitter.com/brsn76945860/status/1171233054951501824
- https://gist.github.com/yehgdotnet/b9dfc618108d2f05845c4d8e28c5fc6a
- https://medium.com/@Asm0d3us/weaponizing-favicon-ico-for-bugbounties-osint-and-what-not-ace3c214e139
- https://github.com/devanshbatham/FavFreak
- https://github.com/sansatart/scrapts/blob/master/shodan-favicon-hashes.csv
metadata:
shodan-query: http.component:"Adobe Experience Manager"
tags: aem,favicon,tech

requests:
- method: GET
path:
Expand All @@ -24,5 +21,6 @@ requests:

matchers:
- type: dsl
name: "Adobe Experience Manager (AEM)"
dsl:
- "status_code==200 && (\"-144483185\" == mmh3(base64_py(body)))"
- "status_code==200 && (\"-144483185\" == mmh3(base64_py(body)))"
11 changes: 7 additions & 4 deletions poc/adobe/aem-hash-querybuilder-160.yaml
@@ -1,11 +1,12 @@
id: aem-hash-querybuilder

info:
name: Query hashed password via QueryBuilder Servlet
author: DhiyaneshDk
name: Query hashed password via QueryBuilder Servlet
severity: medium
reference:
- https://twitter.com/AEMSecurity/status/1372392101829349376
reference: https://twitter.com/AEMSecurity/status/1372392101829349376
tags: aem

requests:
- raw:
- |
Expand All @@ -14,13 +15,15 @@ requests:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- '"success":true'
- 'rep:password'
condition: and
condition: and
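Review bot: `matchers-condition: and` is the right addition in the second hunk, but the info block still has no `description`, which the other AEM templates in this commit (aem-default-get-servlet-139.yaml, aem-userinfo-servlet-193.yaml) now carry; drafting from the name and the `rep:password` matcher, `description: The AEM QueryBuilder Servlet returns rep:password values, exposing hashed credentials.` would do, with any claim about the request being unauthenticated confirmed against the raw request above the hunk, which is cut off here. The `reference` key is printed both as a one-item list and as a bare scalar; with the +/- markers lost it is not certain which survives, and the list form appears to be what the other templates touched here use.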
14 changes: 10 additions & 4 deletions poc/adobe/aem-userinfo-servlet-193.yaml
Expand Up @@ -4,8 +4,8 @@ info:
author: DhiyaneshDk
name: AEM UserInfo Servlet
severity: info
description: UserInfoServlet is exposed, it allows to bruteforce credentials. You can get valid usernames from jcr:createdBy, jcr:lastModifiedBy, cq:LastModifiedBy attributes of any JCR node.
tags: aem
description: UserInfoServlet is exposed which allows an attacker to bruteforce credentials. You can get valid usernames from jcr:createdBy, jcr:lastModifiedBy, cq:LastModifiedBy attributes of any JCR node.
tags: aem,bruteforce


requests:
Expand All @@ -19,7 +19,13 @@ requests:
- 200

- type: word
part: body
words:
- 'userName'
- 'userID'
- '"userID":'
- '"userName":'
condition: and

- type: word
part: header
words:
- 'application/json'
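Review bot: The new `part: header` word matcher for `application/json` only narrows the result if the `matchers-condition` above the hunk is `and`; with nuclei's default `or`, the status matcher or this header matcher alone would report any JSON endpoint returning 200 as an exposed UserInfoServlet. That line sits above the second hunk and is not visible here, so confirm it reads `matchers-condition: and`, or add it if absent. Tightening the body words to `'"userID":'` and `'"userName":'` with `condition: and` is a good false-positive reduction; the description's `You can get valid usernames from ...` sentence reads as an operator note and would be clearer as a statement of impact, e.g. `Valid usernames are discoverable from the jcr:createdBy, jcr:lastModifiedBy and cq:LastModifiedBy attributes of any JCR node.` Two consecutive blank lines precede `requests:` where the file otherwise uses one.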
3 changes: 0 additions & 3 deletions poc/airflow/airflow-debug.yaml
Expand Up @@ -4,9 +4,6 @@ info:
name: Airflow Debug Trace
author: pdteam
severity: low
metadata:
verified: true
shodan-query: title:"Airflow - DAGs"
tags: apache,airflow,fpd

requests:
11 changes: 9 additions & 2 deletions poc/airflow/airflow-default-login-234.yaml
@@ -1,24 +1,27 @@
id: airflow-default-login

info:
name: Apache Airflow Default Login
author: pdteam
severity: high
description: An Apache Airflow default login was discovered.
reference:
- https://airflow.apache.org/docs/apache-airflow/stable/start/docker.html
metadata:
shodan-query: title:"Sign In - Airflow"
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cwe-id: CWE-522
metadata:
shodan-query: title:"Sign In - Airflow"
tags: airflow,default-login,apache

requests:
- raw:
- |
GET /login/ HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
- |
POST /login/ HTTP/1.1
Host: {{Hostname}}
Expand All @@ -27,12 +30,14 @@ requests:
Referer: {{BaseURL}}/admin/airflow/login
username={{username}}&password={{password}}&_csrf_token={{csrf_token}}
attack: pitchfork
payloads:
username:
- airflow
password:
- airflow

cookie-reuse: true
extractors:
- type: regex
Expand All @@ -41,6 +46,7 @@ requests:
internal: true
regex:
- 'type="hidden" value="(.*?)">'

req-condition: true
matchers-condition: and
matchers:
Expand All @@ -50,6 +56,7 @@ requests:
- 'contains(all_headers_2, "session=.")'
- 'status_code_2 == 302'
condition: and

- type: word
words:
- 'You should be redirected automatically to target URL: <a href="/">'
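Review bot: `attack: pitchfork` is set in the second hunk without a note on why; pitchfork pairs `username[i]` with `password[i]` positionally, so the two payload lists must stay the same length, and a comment such as `# pitchfork: username[i] is paired with password[i]; keep both lists the same length` above `attack:` would warn anyone appending a password without a matching username. The dsl matcher in the fourth hunk relies on `req-condition: true` (third hunk) to expose `all_headers_2` and `status_code_2`; a one-line comment there, `# req-condition: lets the dsl matcher address the POST response as _2`, would tie the two together, since they sit in different hunks. The `cvss-score: 8.3` agrees with the vector `CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L`, so the classification block is internally consistent.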
3 changes: 3 additions & 0 deletions poc/airflow/airflow-detect.yaml
Expand Up @@ -4,6 +4,9 @@ info:
name: Apache Airflow
author: pdteam
severity: info
metadata:
verified: true
shodan-query: http.html:"Apache Airflow"
tags: tech,apache,airflow

requests:
7 changes: 6 additions & 1 deletion poc/apache/apache-apisix-panel-336.yaml
@@ -1,9 +1,12 @@
id: apache-apisix-panel

info:
name: Apache APISIX Panel detect
name: Apache APISIX Login Panel
author: pikpikcu
severity: info
description: An Apache APISIX login panel was detected.
classification:
cwe-id: CWE-200
metadata:
fofa-query: title="Apache APISIX Dashboard"
tags: apache,apisix,panel
Expand All @@ -23,3 +26,5 @@ requests:
- type: status
status:
- 200

# Enhanced by mp on 2022/03/16
58 changes: 29 additions & 29 deletions poc/apache/apache-detect-346.yaml
@@ -1,30 +1,30 @@
id: apache-detect
info:
name: Apache Detection
author: philippedelteil
description: Some Apache servers have the version on the response header. The OpenSSL version can be also obtained
severity: info
tags: tech,apache

requests:
- method: GET
path:
- "{{BaseURL}}"

matchers-condition: and
matchers:

- type: regex
part: header
regex:
- "Apache+"

- type: status
status:
- 200

extractors:
- type: kval
part: header
kval:
id: apache-detect
info:
name: Apache Detection
author: philippedelteil
description: Some Apache servers have the version on the response header. The OpenSSL version can be also obtained
severity: info
tags: tech,apache

requests:
- method: GET
path:
- "{{BaseURL}}"

matchers-condition: and
matchers:

- type: regex
part: header
regex:
- "Apache+"

- type: status
status:
- 200

extractors:
- type: kval
part: header
kval:
- Server