From 09962be03ed56303b1dd2d0c5e25e7fa34c5d36d Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Tue, 23 Jul 2024 16:51:51 +0400 Subject: [PATCH 1/2] updated example and evil.com domains --- http/cves/2018/CVE-2018-17422.yaml | 8 ++++---- http/cves/2020/CVE-2020-13121.yaml | 2 +- http/cves/2022/CVE-2022-0826.yaml | 2 +- http/cves/2022/CVE-2022-1386.yaml | 2 +- http/cves/2022/CVE-2022-29153.yaml | 2 +- http/cves/2022/CVE-2022-38131.yaml | 4 ++-- http/cves/2023/CVE-2023-24044.yaml | 4 ++-- http/cves/2023/CVE-2023-34362.yaml | 4 ++-- http/exposures/backups/zip-backup-files.yaml | 2 +- http/token-spray/api-scraperbox.yaml | 4 ++-- http/token-spray/api-scrapestack.yaml | 4 ++-- http/token-spray/api-zenrows.yaml | 4 ++-- http/vulnerabilities/other/bitrix-open-redirect.yaml | 2 +- 13 files changed, 22 insertions(+), 22 deletions(-) diff --git a/http/cves/2018/CVE-2018-17422.yaml b/http/cves/2018/CVE-2018-17422.yaml index b18db5b54b..11965dd707 100644 --- a/http/cves/2018/CVE-2018-17422.yaml +++ b/http/cves/2018/CVE-2018-17422.yaml @@ -37,14 +37,14 @@ info: http: - method: GET path: - - '{{BaseURL}}/html/common/forward_js.jsp?FORWARD_URL=http://evil.com' - - '{{BaseURL}}/html/portlet/ext/common/page_preview_popup.jsp?hostname=evil.com' + - '{{BaseURL}}/html/common/forward_js.jsp?FORWARD_URL=http://oast.me' + - '{{BaseURL}}/html/portlet/ext/common/page_preview_popup.jsp?hostname=oast.me' stop-at-first-match: true matchers: - type: word part: body words: - - "self.location = 'http://evil.com'" - - "location.href = 'http\\x3a\\x2f\\x2fwww\\x2eevil\\x2ecom'" + - "self.location = 'http://oast.me'" + - "location.href = 'http\\x3a\\x2f\\x2fwww\\x2eoast\\x2eme'" # digest: 4a0a00473045022100ef42faf462b056809e87c56a2bd991601c0d4b37f9b1b0aa4e16c58a0cc1762802204ecf6513868b5bb6ce9f8b4a830ded2d3c2a660d9e27255179622995bacbc87e:922c64590222798bb761d5b6d8e72950 \ No newline at end of file 
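Review bot: The second matcher word, `location.href = 'http\\x3a\\x2f\\x2fwww\\x2eoast\\x2eme'`, expects a `www.` prefix that neither request path sends (`hostname=oast.me`, `FORWARD_URL=http://oast.me`), and nothing in the hunk records why. The same mismatch existed with `www.evil.com` versus `evil.com`, so it is presumably deliberate, but a bulk domain swap like this one breaks silently if the path and the word are ever edited independently. A comment above `words:` such as `# second word expects the www-prefixed form the application apparently emits for hostname= — keep in step with the paths` would make the dependency explicit.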
diff --git a/http/cves/2020/CVE-2020-13121.yaml b/http/cves/2020/CVE-2020-13121.yaml index 2084b341c2..72a743d2bd 100644 --- a/http/cves/2020/CVE-2020-13121.yaml +++ b/http/cves/2020/CVE-2020-13121.yaml @@ -30,7 +30,7 @@ info: http: - raw: - | - POST /authentication/check_login?old=http%253A%252F%252Fexample.com%252Fhome HTTP/1.1 + POST /authentication/check_login?old=http%253A%252F%252Finteract.sh%252Fhome HTTP/1.1 Host: {{Hostname}} Origin: {{RootURL}} Content-Type: application/x-www-form-urlencoded diff --git a/http/cves/2022/CVE-2022-0826.yaml b/http/cves/2022/CVE-2022-0826.yaml index 65d995b0c0..f317288c1a 100644 --- a/http/cves/2022/CVE-2022-0826.yaml +++ b/http/cves/2022/CVE-2022-0826.yaml @@ -40,7 +40,7 @@ http: Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded - action=wp_video_gallery_ajax_add_single_youtube&url=http://example.com/?x%26v=1%2522 AND (SELECT 1780 FROM (SELECT(SLEEP(6)))uPaz)%2523 + action=wp_video_gallery_ajax_add_single_youtube&url=http://oast.me/?x%26v=1%2522 AND (SELECT 1780 FROM (SELECT(SLEEP(6)))uPaz)%2523 matchers: - type: dsl diff --git a/http/cves/2022/CVE-2022-1386.yaml b/http/cves/2022/CVE-2022-1386.yaml index 79dd35b2e1..f4276830ae 100644 --- a/http/cves/2022/CVE-2022-1386.yaml +++ b/http/cves/2022/CVE-2022-1386.yaml @@ -51,7 +51,7 @@ http: -----------------------------30259827232283860776499538268 Content-Disposition: form-data; name="formData" - email=example%40example.com&fusion_privacy_store_ip_ua=false&fusion_privacy_expiration_interval=48&priva + email=example%40oast.me&fusion_privacy_store_ip_ua=false&fusion_privacy_expiration_interval=48&priva cy_expiration_action=ignore&fusion-form-nonce-0={{fusionformnonce}}&fusion-fields-hold-private-data= -----------------------------30259827232283860776499538268 Content-Disposition: form-data; name="action" diff --git a/http/cves/2022/CVE-2022-29153.yaml b/http/cves/2022/CVE-2022-29153.yaml index 8c528e6b4b..3f5acccdfa 100644 --- a/http/cves/2022/CVE-2022-29153.yaml 
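Review bot: Only the request line of CVE-2020-13121.yaml changes here (the diffstat lists one line each way), so whatever matcher follows this raw request is neither visible nor touched; if it checks the response for the old `example.com` redirect target, it never fires after this change, which is worth confirming against the rest of the file. This is also the one hunk in the commit that picks `interact.sh` rather than `oast.me`; one placeholder domain across the set keeps the next bulk replacement simple. The raw request continues outside the hunk.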
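Review bot: `email=example%40oast.me` in the CVE-2022-1386 form body turns a reserved, undeliverable address into one on a live domain: `example.com` is reserved by RFC 2606 precisely so such values are never routed, whereas `oast.me` is the public interactsh domain, so any mail or callback the target generates for that address leaves for infrastructure outside the scanned host. Nothing in this hunk observes an interaction (no `{{interactsh-url}}` is used), so the swap gains nothing; `email=example%40example.com` should stay. The same applies to the two CVE-2023-34362 hunks (`MyGuestEmailAddr: my_guest_email@oast.me` and `Arg08=email%40oast.me`). The multipart body continues outside the hunk.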
+++ b/http/cves/2022/CVE-2022-29153.yaml @@ -43,7 +43,7 @@ http: Host: {{Hostname}} Content-Type: application/json - {"id":"{{randstr}}","name":"TEST NODE","method":"GET","http":"http://example.com","interval":"10s","timeout":"1s","disable_redirects":true} + {"id":"{{randstr}}","name":"TEST NODE","method":"GET","http":"http://oast.me","interval":"10s","timeout":"1s","disable_redirects":true} - | # deregister test node PUT /v1/agent/check/deregister/{{randstr}} HTTP/1.1 Host: {{Hostname}} diff --git a/http/cves/2022/CVE-2022-38131.yaml b/http/cves/2022/CVE-2022-38131.yaml index 7fc1afd85a..c195e55da3 100644 --- a/http/cves/2022/CVE-2022-38131.yaml +++ b/http/cves/2022/CVE-2022-38131.yaml @@ -39,7 +39,7 @@ info: http: - raw: - | - GET //%5cexample.com HTTP/1.1 + GET //%5coast.me HTTP/1.1 Host: {{Hostname}} matchers-condition: and @@ -47,7 +47,7 @@ http: - type: regex part: header regex: - - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' + - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)oast\.me\/?(\/|[^.].*)?$' - type: status status: diff --git a/http/cves/2023/CVE-2023-24044.yaml b/http/cves/2023/CVE-2023-24044.yaml index b06bf94b42..7f24971864 100644 --- a/http/cves/2023/CVE-2023-24044.yaml +++ b/http/cves/2023/CVE-2023-24044.yaml @@ -46,14 +46,14 @@ http: - "{{BaseURL}}/login.php" headers: - Host: "evil.com" + Host: "oast.me" matchers-condition: and matchers: - type: word part: location words: - - 'https://evil.com/login_up.php' + - 'https://oast.me/login_up.php' - type: status status: diff --git a/http/cves/2023/CVE-2023-34362.yaml b/http/cves/2023/CVE-2023-34362.yaml index ac5b3e2c32..3dcb6a1b1f 100644 --- a/http/cves/2023/CVE-2023-34362.yaml +++ b/http/cves/2023/CVE-2023-34362.yaml 
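Review bot: The check registered in the CVE-2022-29153 raw request still points the target's Consul agent at a fixed third-party host that it will request every `"interval":"10s"` until the deregister call in the following raw block succeeds; swapping `example.com` for `oast.me` does not change that, and because the URL is a literal string rather than `{{interactsh-url}}`, the scanner never observes the resulting traffic, so the domain choice is cosmetic here. If out-of-band confirmation is the intent, the interactsh placeholder is the mechanism nuclei provides for it; otherwise an RFC 2606 host is the safer default for requests the target issues on its own. The raw request and the `dsl` matcher that follows lie outside the hunk.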
@@ -49,7 +49,7 @@ http: X-siLock-Transaction: session_setvars X-siLock-SessVar0: MyUsername: Guest X-siLock-SessVar1: MyPkgAccessCode: 123 - X-siLock-SessVar2: MyGuestEmailAddr: my_guest_email@example.com + X-siLock-SessVar2: MyGuestEmailAddr: my_guest_email@oast.me Cookie: siLockLongTermInstID=0 - | POST /guestaccess.aspx HTTP/1.1 @@ -83,7 +83,7 @@ http: Cookie: siLockLongTermInstID=0 Content-Type: application/x-www-form-urlencoded - CsrfToken={{csrf}}&transaction=secmsgpost&Arg01=email_subject&Arg04=email_body&Arg06=123&Arg05=send&Arg08=email%40example.com&Arg09=attachment_list + CsrfToken={{csrf}}&transaction=secmsgpost&Arg01=email_subject&Arg04=email_body&Arg06=123&Arg05=send&Arg08=email%40oast.me&Arg09=attachment_list - | POST /api/v1/auth/token HTTP/1.1 Host: {{Hostname}} diff --git a/http/exposures/backups/zip-backup-files.yaml b/http/exposures/backups/zip-backup-files.yaml index 6b334785e5..53bcdde076 100644 --- a/http/exposures/backups/zip-backup-files.yaml +++ b/http/exposures/backups/zip-backup-files.yaml @@ -22,7 +22,7 @@ http: payloads: FILENAME: - "{{FQDN}}" # www.example.com - - "{{RDN}}" # example.com + - "{{RDN}}" # - "{{DN}}" # example - "{{SD}}" # www - "{{date_time('%Y')}}" # 2023 diff --git a/http/token-spray/api-scraperbox.yaml b/http/token-spray/api-scraperbox.yaml index b43ab27672..013f8137fb 100644 --- a/http/token-spray/api-scraperbox.yaml +++ b/http/token-spray/api-scraperbox.yaml @@ -17,7 +17,7 @@ self-contained: true http: - method: GET path: - - "https://api.scraperbox.com/scrape?token={{token}}&url=https://example.com" + - "https://api.scraperbox.com/scrape?token={{token}}&url=https://oast.me" matchers-condition: and matchers: @@ -28,6 +28,6 @@ http: - type: word part: body words: - - 'Example Domain' + - '
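Review bot: In zip-backup-files.yaml the replacement leaves `- "{{RDN}}" #` with an empty comment (plus a trailing space that the second patch only strips), while the neighbouring entries keep their illustrative values (`# www.example.com`, `# example`, `# www`). That comment documented what the variable expands to and was never part of a payload, so the bulk rewrite should not have touched it; restore `- "{{RDN}}" # example.com` or drop the bare `#` altogether.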

Interactsh Server

' # digest: 4a0a0047304502207f36a4754fda5d47376179286a5929f95ecb39833d01276df125df4cbd5b3712022100e471d820cf8e65b92617364b2126738d2dcefb072e6073ae15af81d922a347f2:922c64590222798bb761d5b6d8e72950 diff --git a/http/token-spray/api-scrapestack.yaml b/http/token-spray/api-scrapestack.yaml index 0d41190b96..b1c3fe2098 100644 --- a/http/token-spray/api-scrapestack.yaml +++ b/http/token-spray/api-scrapestack.yaml @@ -17,12 +17,12 @@ self-contained: true http: - method: GET path: - - "https://api.scrapestack.com/scrape?access_key={{token}}&url=https://example.com" + - "https://api.scrapestack.com/scrape?access_key={{token}}&url=https://oast.me" matchers: - type: word part: body words: - - 'Example Domain' + - '
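Review bot: The new body word in api-scraperbox.yaml ties the token check to whatever page `oast.me` serves at scan time; `Example Domain` came from the IANA-reserved `example.com`, whose page has been stable for years, whereas the interactsh landing page is not controlled by this repository and any copy or markup change there makes every valid token report as invalid. The word's exact text is not legible on this page, but a short plain substring is less brittle than one that carries surrounding markup, and a status-code matcher alongside it gives a fallback signal where the file has none. The same matcher change appears in the api-scrapestack and api-zenrows hunks; zenrows alone appends a trailing slash (`url=https://oast.me/`), harmless but inconsistent with the other two.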

Interactsh Server

' # digest: 4b0a00483046022100eac15c431eb927c4e320c9e035ceca60c466be6beca8cf895164f574c60216a1022100ff782e772cac1246805653374e5809e611e222b90840b47d3ff64ebd78365124:922c64590222798bb761d5b6d8e72950 diff --git a/http/token-spray/api-zenrows.yaml b/http/token-spray/api-zenrows.yaml index 5707079f74..a8e192563d 100644 --- a/http/token-spray/api-zenrows.yaml +++ b/http/token-spray/api-zenrows.yaml @@ -17,12 +17,12 @@ self-contained: true http: - method: GET path: - - "https://api.zenrows.com/v1/?apikey={{token}}&url=https://example.com" + - "https://api.zenrows.com/v1/?apikey={{token}}&url=https://oast.me/" matchers: - type: word part: body words: - - 'Example Domain' + - '

Interactsh Server

' # digest: 490a00463044022053400d85ec2ff13f0c35b64bcadd50ad94e1a5dd83e8ee17fc28a0fba7da62cc022032c0210f12b83c7ebe8bd917a35c833b82ad629aa4e67377438baa7f4b673765:922c64590222798bb761d5b6d8e72950 diff --git a/http/vulnerabilities/other/bitrix-open-redirect.yaml b/http/vulnerabilities/other/bitrix-open-redirect.yaml index 31770764ae..305e6332f6 100644 --- a/http/vulnerabilities/other/bitrix-open-redirect.yaml +++ b/http/vulnerabilities/other/bitrix-open-redirect.yaml @@ -34,7 +34,7 @@ http: - '/bitrix/rk.php?id=129&event1=banner&event2=click&event3=5+%2F+%5B129%5D+%5BGARMIN_AKCII%5D+Garmin+%E1%EE%ED%F3%F1+%ED%EE%E2%EE%F1%F2%FC+%E2+%E0%EA%F6%E8%E8&goto=https://interact.sh' - '/bitrix/redirect.php?event1=%D0%A1%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B5+%D0%B4%D0%BE%D0%BA%D0%BB%D0%B0%D0%B4%D1%8B&event2=&event3=download&goto=https://interact.sh' - '/bitrix/redirect.php?event1=%D0%A1%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B5+%D0%B4%D0%BE%D0%BA%D0%BB%D0%B0%D0%B4%D1%8B&event2=&event3=download&goto=https://interact.sh' - - '/bitrix/redirect.php?goto=https://example.com%252F:123@interactsh.com/' + - '/bitrix/redirect.php?goto=https://{{Hostname}}%252F:123@interactsh.com/' - '/bitrix/tools/track_mail_click.php?url=http://site%252F@interactsh.com/' stop-at-first-match: true From aee12296041684a8262dee441da132241427c10b Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Tue, 23 Jul 2024 19:18:26 +0530 Subject: [PATCH 2/2] trail-space-fix --- http/exposures/backups/zip-backup-files.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/http/exposures/backups/zip-backup-files.yaml b/http/exposures/backups/zip-backup-files.yaml index 53bcdde076..fa91308566 100644 --- a/http/exposures/backups/zip-backup-files.yaml +++ b/http/exposures/backups/zip-backup-files.yaml 
@@ -22,7 +22,7 @@ http: payloads: FILENAME: - "{{FQDN}}" # www.example.com - - "{{RDN}}" # + - "{{RDN}}" # - "{{DN}}" # example - "{{SD}}" # www - "{{date_time('%Y')}}" # 2023 @@ -127,4 +127,4 @@ http: - type: status status: - 200 -# digest: 4b0a00483046022100a51f2952c9c24769da7d9ad5fa3f8ad2c01a800385052b494e5cf8b8cd2b0b2002210086e92de1a4bcde1fb7758917220ed3470e42201e239106f349d60c0e28d6452b:922c64590222798bb761d5b6d8e72950 \ No newline at end of file +# digest: 4b0a00483046022100a51f2952c9c24769da7d9ad5fa3f8ad2c01a800385052b494e5cf8b8cd2b0b2002210086e92de1a4bcde1fb7758917220ed3470e42201e239106f349d60c0e28d6452b:922c64590222798bb761d5b6d8e72950