
20240930
actions-user committed Sep 30, 2024
1 parent b271810 commit e051e55
Showing 1,114 changed files with 32,351 additions and 9,070 deletions.
2 changes: 1 addition & 1 deletion date.txt
@@ -1 +1 @@
20240929
20240930
1 change: 1 addition & 0 deletions poc.txt
Expand Up @@ -85415,6 +85415,7 @@
./poc/other/provider-path.yaml
./poc/other/proxmox-panel.yaml
./poc/other/proxmox-ve.yaml
./poc/other/proxy-checker.yaml
./poc/other/prtg-workflow.yaml
./poc/other/prtg_network_monitor.yaml
./poc/other/prvpl.yaml
14 changes: 12 additions & 2 deletions poc/adobe/adobe-connect-central-login.yaml
@@ -1,10 +1,18 @@
id: adobe-connect-central-login

info:
name: Adobe Connect Central Login
name: Adobe Connect Central Login Panel
author: dhiyaneshDk
description: An Adobe Connect Central login panel was detected.
severity: info
tags: adobe,panel
tags: adobe,panel,connect-central
reference:
- https://www.adobe.com/products/adobeconnect.html
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score: 0.0
cve-id:
cwe-id: CWE-200

requests:
- method: GET
Expand All @@ -21,3 +29,5 @@ requests:
- type: status
status:
- 200

# Enhanced by mp on 2022/03/20
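Review bot: `cve-id:` in the newly added classification block is a bare empty value, which YAML parses as null rather than as an empty list or string (yamllint empty-values). No CVE applies to a login-panel detection, so drop the key, or write `cve-id: []` if the consuming schema expects a list; `cvss-score: 0.0` with an all-N vector is consistent with `severity: info` and can stay. The requests block between the two hunks is not shown.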
52 changes: 26 additions & 26 deletions poc/adobe/adobe-connect-username-exposure.yaml
@@ -1,26 +1,26 @@
id: adobe-connect-username-exposure

info:
name: Adobe Connect Username Exposure
reference: https://packetstormsecurity.com/files/161345/Adobe-Connect-10-Username-Disclosure.html
author: dhiyaneshDk
severity: low
tags: adobe,disclosure

requests:
- method: GET
path:
- "{{BaseURL}}/system/help/support"

matchers-condition: and
matchers:
- type: word
words:
- 'Administrators name:'
- 'Support Administrators email address:'
part: body
condition: and

- type: status
status:
- 200
id: adobe-connect-username-exposure

info:
name: Adobe Connect Username Exposure
reference: https://packetstormsecurity.com/files/161345/Adobe-Connect-10-Username-Disclosure.html
author: dhiyaneshDk
severity: low
tags: adobe,disclosure

requests:
- method: GET
path:
- "{{BaseURL}}/system/help/support"

matchers-condition: and
matchers:
- type: word
words:
- 'Administrators name:'
- 'Support Administrators email address:'
part: body
condition: and

- type: status
status:
- 200
6 changes: 6 additions & 0 deletions poc/adobe/aem-crx-bypass.yaml
@@ -1,22 +1,26 @@
id: aem-crx-bypass

info:
author: dhiyaneshDK
name: AEM CRX Bypass
severity: critical
reference: https://labs.detectify.com/2021/06/28/aem-crx-bypass-0day-control-over-some-enterprise-aem-crx-package-manager/
tags: aem

requests:
- raw:
- |
GET /crx/packmgr/list.jsp;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0aa.css?_dc=1615863080856&_charset_=utf-8&includeVersions=true HTTP/1.1
Host: {{Hostname}}
Referer: {{BaseURL}}
Accept-Encoding: gzip, deflate
- |
GET /content/..;/crx/packmgr/list.jsp;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0aa.css?_dc=1615863080856&_charset_=utf-8&includeVersions=true HTTP/1.1
Host: {{Hostname}}
Referer: {{BaseURL}}
Accept-Encoding: gzip, deflate
matchers-condition: and
matchers:
- type: word
Expand All @@ -26,10 +30,12 @@ requests:
- 'downloadName'
- 'acHandling'
condition: and

- type: word
part: header
words:
- 'application/json'

- type: status
status:
- 200
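Review bot: The info block has no `description:` although severity is critical, while the other AEM templates touched by this commit (aem-default-get-servlet-139, aem-groovyconsole-154, aem-userinfo-servlet) carry one; a one-liner such as `description: The Adobe Experience Manager CRX Package Manager listing was reachable through a bypass path.` records what a match means. `reference:` is also a plain scalar here and in aem-querybuilder-internal-path-read.yaml, whereas the same commit converts it to a list in aem-hash-querybuilder-157.yaml; writing `reference:` followed by `  - https://labs.detectify.com/...` keeps the files uniform. The two raw requests probe the same servlet by two paths, so `stop-at-first-match: true` under the request would stop after the first hit, assuming the template does not already set it in the lines between the two hunks.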
19 changes: 4 additions & 15 deletions poc/adobe/aem-default-get-servlet-139.yaml
@@ -1,26 +1,15 @@
id: aem-default-get-servlet

info:
name: AEM DefaultGetServlet
author: DhiyaneshDk
name: AEM DefaultGetServlet
severity: low
description: Sensitive information might be exposed via AEM DefaultGetServlet.
reference:
- https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps?slide=43
- https://github.com/thomashartm/burp-aem-scanner/blob/master/src/main/java/burp/actions/dispatcher/GetServletExposed.java
tags: aem,adobe
reference: https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps?slide=43
tags: aem


requests:
- method: GET
path:
- '{{BaseURL}}/etc'
- '{{BaseURL}}/var'
- '{{BaseURL}}/apps'
- '{{BaseURL}}/home'
- '{{BaseURL}}///etc'
- '{{BaseURL}}///var'
- '{{BaseURL}}///apps'
- '{{BaseURL}}///home'
- '{{BaseURL}}/.json'
- '{{BaseURL}}/.1.json'
- '{{BaseURL}}/....4.2.1....json'
6 changes: 3 additions & 3 deletions poc/adobe/aem-detection-146.yaml
Expand Up @@ -2,9 +2,8 @@ id: aem-detection

info:
name: Favicon based AEM Detection
severity: info
author: shifacyclewala,hackergautam
tags: aem,favicon,tech
severity: info
reference:
- https://twitter.com/brsn76945860/status/1171233054951501824
- https://gist.github.com/yehgdotnet/b9dfc618108d2f05845c4d8e28c5fc6a
Expand All @@ -13,6 +12,7 @@ info:
- https://github.com/sansatart/scrapts/blob/master/shodan-favicon-hashes.csv
metadata:
shodan-query: http.component:"Adobe Experience Manager"
tags: aem,favicon,tech,adobe

requests:
- method: GET
Expand All @@ -25,4 +25,4 @@ requests:
matchers:
- type: dsl
dsl:
- "status_code==200 && (\"-144483185\" == mmh3(base64_py(body)))"
- "status_code==200 && (\"-144483185\" == mmh3(base64_py(body)))"
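Review bot: The `dsl` entry in the last hunk is a double-quoted YAML scalar, so the quotes around the favicon hash have to be escaped as `\"`; the single-quoted form `- 'status_code==200 && ("-144483185" == mmh3(base64_py(body)))'` is the same string with no escapes and reads more easily. The two printed copies of that line are textually identical, so the recorded change is presumably whitespace or a trailing-newline fix rather than a logic change.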
17 changes: 11 additions & 6 deletions poc/adobe/aem-groovyconsole-154.yaml
@@ -1,19 +1,22 @@
id: aem-groovyconsole
info:
name: AEM Groovy console exposed
author: d3sca
name: AEM Groovy Console Discovery
author: Dheerajmadhukar
severity: critical
description: Groovy console is exposed.
tags: aem
description: An Adobe Experience Manager Groovy console was discovered. This can possibly lead to remote code execution.
reference:
- https://hackerone.com/reports/672243
- https://twitter.com/XHackerx007/status/1435139576314671105
tags: aem,adobe
requests:
- method: GET
path:
- "{{BaseURL}}/groovyconsole"
- "{{BaseURL}}/groovyconsole.html"
- "{{BaseURL}}/etc/groovyconsole.html"
headers:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US,en;q=0.9,hi;q=0.8
User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Mobile Safari/537.36
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
Expand All @@ -26,3 +29,5 @@ requests:
- type: status
status:
- 200

# Enhanced by mp on 2022/04/22
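Review bot: The new side runs `id:`, `info:` and `requests:` together with no blank line between the top-level stanzas, unlike every other template in this commit, which separates them; a blank line before `info:` and before `requests:` keeps the file consistent and diffable. The three fixed browser headers (Accept, Accept-Language and a Chrome 87 Android User-Agent) carry no comment saying why a Groovy console probe needs them; if they are required for the matched words to appear, a comment above `headers:` such as `# browser-like headers: the console page may render differently for non-browser clients — confirm` stops a later cleanup from dropping them, and if they are not required they can go. The matchers block continues between the two hunks and is not shown.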
11 changes: 4 additions & 7 deletions poc/adobe/aem-hash-querybuilder-157.yaml
@@ -1,12 +1,11 @@
id: aem-hash-querybuilder

info:
author: DhiyaneshDk
name: Query hashed password via QueryBuilder Servlet
author: DhiyaneshDk
severity: medium
reference: https://twitter.com/AEMSecurity/status/1372392101829349376
reference:
- https://twitter.com/AEMSecurity/status/1372392101829349376
tags: aem

requests:
- raw:
- |
Expand All @@ -15,15 +14,13 @@ requests:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- '"success":true'
- 'rep:password'
condition: and
condition: and
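Review bot: If `matchers-condition: and` is on the removed side of the second hunk — the old side has two more lines than the new, and that line is a likely candidate — the status matcher and the word matcher now combine with nuclei's default of OR, and any 200 response from the servlet path would be reported as a hashed-password exposure; keep `matchers-condition: and` directly above `matchers:`. The conversion of `reference:` to a list in the first hunk is fine. The raw request body lies between the two hunks and is not shown.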
8 changes: 7 additions & 1 deletion poc/adobe/aem-querybuilder-internal-path-read.yaml
@@ -1,24 +1,30 @@
id: aem-querybuilder-internal-path-read

info:
author: DhiyaneshDk
name: AEM QueryBuilder Internal Path Read
severity: medium
reference: https://speakerdeck.com/0ang3el/aem-hacker-approaching-adobe-experience-manager-webapps-in-bug-bounty-programs?slide=91
tags: aem


requests:
- method: GET
path:
- '{{BaseURL}}/bin/querybuilder.json.;%0aa.css?path=/home&p.hits=full&p.limit=-1'
- '{{BaseURL}}/bin/querybuilder.json.;%0aa.css?path=/etc&p.hits=full&p.limit=-1'
- '{{BaseURL}}/bin/querybuilder.json.css?path=/home&p.hits=full&p.limit=-1'
- '{{BaseURL}}/bin/querybuilder.json.css?path=/etc&p.hits=full&p.limit=-1'

stop-at-first-match: true
matchers-condition: and
matchers:
- type: status
status:
- 200

- type: word
words:
- 'jcr:path'
- 'success'
condition: and
condition: and
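Review bot: The four probe URLs ask for every hit with full properties (`p.hits=full&p.limit=-1`) under /home and /etc, yet the matcher only needs `success` and `jcr:path` to appear once; a bounded `p.limit=1` should still yield both words on an exposed instance while keeping the target's user and configuration tree out of scan output and logs — confirm against a test instance first, since a rejected limit would mask the exposure. `stop-at-first-match: true` on the new side already stops the remaining requests after a hit. Two consecutive blank lines separate `tags:` from `requests:`; if both survive on the new side, collapse them to one as the rest of the file does, and `reference:` could be a list as in aem-hash-querybuilder-157.yaml.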
5 changes: 0 additions & 5 deletions poc/adobe/aem-querybuilder-json-servlet-187.yaml
Expand Up @@ -18,11 +18,6 @@ requests:
status:
- 200

- type: word
words:
- "application/json"
part: header

- type: word
words:
- 'success'
14 changes: 10 additions & 4 deletions poc/adobe/aem-userinfo-servlet.yaml
Expand Up @@ -4,8 +4,8 @@ info:
author: DhiyaneshDk
name: AEM UserInfo Servlet
severity: info
description: UserInfoServlet is exposed, it allows to bruteforce credentials. You can get valid usernames from jcr:createdBy, jcr:lastModifiedBy, cq:LastModifiedBy attributes of any JCR node.
tags: aem
description: UserInfoServlet is exposed which allows an attacker to bruteforce credentials. You can get valid usernames from jcr:createdBy, jcr:lastModifiedBy, cq:LastModifiedBy attributes of any JCR node.
tags: aem,bruteforce


requests:
Expand All @@ -19,7 +19,13 @@ requests:
- 200

- type: word
part: body
words:
- 'userName'
- 'userID'
- '"userID":'
- '"userName":'
condition: and

- type: word
part: header
words:
- 'application/json'
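Review bot: The rewritten `description:` is one plain scalar well past 120 characters and switches to second person ("You can get valid usernames…"); write it as a folded block (`description: >-`) split over two or three lines and keep one voice, e.g. "Valid usernames can be obtained from the jcr:createdBy, jcr:lastModifiedBy and cq:LastModifiedBy attributes of any JCR node." The tightened word matcher (`'"userID":'`, `'"userName":'` with `condition: and`) together with the new header matcher reduces false positives, assuming `matchers-condition: and` is set in the part of the request between the two hunks. Two consecutive blank lines follow `tags:`; one is enough.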
4 changes: 2 additions & 2 deletions poc/apache/default-apache-test-page-6816.yaml
Expand Up @@ -4,8 +4,8 @@ info:
name: Apache HTTP Server Test Page
author: dhiyaneshDk
severity: info
reference:
- https://www.shodan.io/search?query=http.title%3A%22Apache+HTTP+Server+Test+Page+powered+by+CentOS%22
metadata:
shodan-query: http.title:"Apache HTTP Server Test Page powered by CentOS"
tags: tech,apache

requests:
3 changes: 3 additions & 0 deletions poc/api/Google-api.yaml
@@ -1,12 +1,15 @@
id: google-api-key-file

info:
name: Google API key
author: gaurang
severity: info
tags: token,file,google

file:
- extensions:
- all

extractors:
- type: regex
regex:
