nuclei-templates/file/bash/bash-scanner.yaml

id: bash-scanner

info:
  name: Bash Scanner
  author: ransomsec
  severity: info
  description: Indicator for bash Dangerous Commands – You Should Never Execute on Linux
  reference:
    - https://www.tecmint.com/10-most-dangerous-commands-you-should-never-execute-on-linux/
    - https://phoenixnap.com/kb/dangerous-linux-terminal-commands
  tags: bash,shell,sh

file:
  - extensions:
      - sh

    extractors:
      - type: regex
        name: fork-bomb
        regex:
          - ":(){:|:&};:"

      - type: regex
        name: rm command found
        regex:
          - "rm -(f|r)"
          - "rm -(fr|rf)"

      - type: regex
        name: code injection
        regex:
          - "/bin/(sh|bash) -"
          - "eval"
          - "echo -c"
          - "/bin/(sh|bash) -c"
          - "(sh|bash) -"
          - "(sh|bash) -c"

      - type: regex
        name: file manipulation
        regex:
          - "cat /dev/null >"

      - type: regex
        name: unknown filedownload
        regex:
          - '(wget|curl) (https?|ftp|file)://[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]\.[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]$'
-												Bash Scanner!

Idea behind this file, i downloaded a shell script from the internet, and i don't revive the source code of the file, and run it, but the file is contains `rm -rf .` command, after running the file, my all files are deleted in current directory. :-(
											
										
										
											2022-09-14 10:36:58 +00:00
+								id: bash-scanner
 								info:
-												Update bash.yaml
											
										
										
											2022-09-19 09:27:53 +00:00
+								  name: Bash Scanner
-												Bash Scanner!

Idea behind this file, i downloaded a shell script from the internet, and i don't revive the source code of the file, and run it, but the file is contains `rm -rf .` command, after running the file, my all files are deleted in current directory. :-(
											
										
										
											2022-09-14 10:36:58 +00:00
+								  author: ransomsec
 								  severity: info
-												Update bash.yaml
											
										
										
											2022-09-19 09:27:53 +00:00
+								  description: Indicator for bash Dangerous Commands – You Should Never Execute on Linux
-												Bash Scanner!

Idea behind this file, i downloaded a shell script from the internet, and i don't revive the source code of the file, and run it, but the file is contains `rm -rf .` command, after running the file, my all files are deleted in current directory. :-(
											
										
										
											2022-09-14 10:36:58 +00:00
+								  reference:
-												Update bash.yaml
											
										
										
											2022-09-19 09:27:53 +00:00
+								    - https://www.tecmint.com/10-most-dangerous-commands-you-should-never-execute-on-linux/
 								    - https://phoenixnap.com/kb/dangerous-linux-terminal-commands
 								  tags: bash,shell,sh
-												Bash Scanner!

Idea behind this file, i downloaded a shell script from the internet, and i don't revive the source code of the file, and run it, but the file is contains `rm -rf .` command, after running the file, my all files are deleted in current directory. :-(
											
										
										
											2022-09-14 10:36:58 +00:00
 								file:
 								  - extensions:
-												Update bash.yaml
											
										
										
											2022-09-19 09:27:53 +00:00
+								      - sh
-												Bash Scanner!

Idea behind this file, i downloaded a shell script from the internet, and i don't revive the source code of the file, and run it, but the file is contains `rm -rf .` command, after running the file, my all files are deleted in current directory. :-(
											
										
										
											2022-09-14 10:36:58 +00:00
 								    extractors:
 								      - type: regex
 								        name: fork-bomb
 								        regex:
 								          - ":(){:|:&};:"
 								      - type: regex
-												Dashboard Content Enhancements (#5497)

Dashboard Content Enhancements
											
										
										
											2022-09-29 13:38:41 +00:00
+								        name: rm command found
-												Bash Scanner!

Idea behind this file, i downloaded a shell script from the internet, and i don't revive the source code of the file, and run it, but the file is contains `rm -rf .` command, after running the file, my all files are deleted in current directory. :-(
											
										
										
											2022-09-14 10:36:58 +00:00
+								        regex:
 								          - "rm -(f|r)"
 								          - "rm -(fr|rf)"
 								      - type: regex
 								        name: code injection
 								        regex:
 								          - "/bin/(sh|bash) -"
 								          - "eval"
 								          - "echo -c"
 								          - "/bin/(sh|bash) -c"
 								          - "(sh|bash) -"
 								          - "(sh|bash) -c"
 								      - type: regex
 								        name: file manipulation
 								        regex:
 								          - "cat /dev/null >"
 								      - type: regex
-												Update bash.yaml
											
										
										
											2022-09-19 09:27:53 +00:00
+								        name: unknown filedownload
-												Bash Scanner!

Idea behind this file, i downloaded a shell script from the internet, and i don't revive the source code of the file, and run it, but the file is contains `rm -rf .` command, after running the file, my all files are deleted in current directory. :-(
											
										
										
											2022-09-14 10:36:58 +00:00
+								        regex:
 								          - '(wget|curl) (https?|ftp|file)://[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]\.[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]$'