Update and rename defacement-detector.yaml to defacement-detect.yaml

patch-1
Dhiyaneshwaran 2024-01-22 15:15:56 +05:30 committed by GitHub
parent bb6d184317
commit 575ea833b6
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 274 additions and 403 deletions


@ -0,0 +1,274 @@
id: defacement-detect
info:
name: Defacement Content - Detection
author: ricardomaia
severity: info
description: |
This template detects defacement content in the response body, using a list of commom paths as payload.It also detects spamdexing and hacktivism signatures and extracts a text snippet with the match.The URL paths and regex rules were based on research from several sources.Other rules are based in the author's experience and are not exhaustive.
reference:
- https://www.zone-h.org
- https://zone-xsec.com
- https://hax.or.id
- https://www.haxor.id
- https://www.defacer.net
- https://www.radware.com/security/threat-advisories-and-attack-reports/hacktivism-unveiled-april-2023
metadata:
verified: true
tags: misc,defacement,spam,hacktivism,osint
http:
- method: GET
path:
- "{{BaseURL}}{{path}}"
redirects: true
max-redirects: 1
stop-at-first-match: true
matchers-condition: and
matchers:
- type: regex
part: body
name: defacement-signature
regex:
- '(?i)\bhack[e|3]d.?(by)?\b'
- '(?i)\bwh(00|oo)pz\b'
- '(?i)\bdefaced.?(by)?\b'
- '(?i)\bPa?wn(e|3)d.?(by)?\b'
- '(?i)\b0wned.?(by)?\b'
- '(?i)\bGreetz.?(to)?\b'
- '(?i)\bXploit\b'
- '(?i)\brulez\b'
- '(?i)\buid=0(root).?gid=0(root).?groups=0(root)\b'
- '(?i)\bh(a|4)x(o|0)r\b'
- '(?i)\bHack.Team\b'
- '(?i)\bpwnted.?(by)?\b'
- '(?i)\bBUY.WEBSHELL\b'
- '(?i)\bHello.Admin\b'
- '(?i)\bShootz\b'
- type: regex
part: body
name: spamdexing
regex:
- '(?i)\bcialis\b'
- '(?i)\btadacip\b'
- '(?i)\bpurinethol\b'
- '(?i)\bbactrim\b'
- '(?i)\bfemale-cialis\b'
- '(?i)\btoprol-xl\b'
- '(?i)\bbupropion\b'
- '(?i)\blevitra\b'
- '(?i)\bfeldene\b'
- '(?i)\bapcalis\b'
- '(?i)\batacand\b'
- '(?i)\bzerit\b'
- '(?i)\bisordil\b'
- '(?i)\bviagra-soft\b'
- '(?i)\bdanazol\b'
- '(?i)\blasix\b'
- '(?i)\bapcalis-sx\b'
- '(?i)\btadalafil\b'
- '(?i)\bviagra-jelly\b'
- '(?i)\btadalis-sx\b'
- '(?i)\btelmisartan\b'
- '(?i)\bcialis-soft\b'
- '(?i)\brevia\b'
- '(?i)\bcardura\b'
- '(?i)\bfempro\b'
- '(?i)\bfemale-viagra\b'
- '(?i)\berectalis\b'
- '(?i)\bforzest\b'
- '(?i)\bisoptin-sr\b'
- '(?i)\bkamagra-soft\b'
- '(?i)\blioresal\b'
- '(?i)\bneoral\b'
- '(?i)\bcytoxan\b'
- '(?i)\bphenytoin\b'
- '(?i)\bvibramycin\b'
- '(?i)\binstant.fortune\b'
- '(?i)\win.the.lottery\b'
- '(?i)\bwin.the.lotto\b'
- '(?i)\bcassino\b'
- type: regex
part: body
name: zone-h-top-50
regex:
- '(?i)\bHmei7\b'
- '(?i)\bd3b~x\b'
- '(?i)\bIndex Php\b'
- '(?i)\biskorpitx\b'
- '(?i)\bchinafans\b'
- '(?i)\bSejeal\b'
- '(?i)\b1923Turk\b'
- '(?i)\bmuhmademad\b'
- '(?i)\bTeam_CC\b'
- '(?i)\bimam\b'
- '(?i)\bmisafir\b'
- '(?i)\bZoRRoKiN\b'
- '(?i)\bpanataran\b'
- '(?i)\bGHoST61\b'
- '(?i)\bAshiyane Digital Security Team\b'
- '(?i)\bFatal Error\b'
- '(?i)\bErrOr SquaD\b'
- '(?i)\bw4l3xzy3\b'
- '(?i)\bBD GREY HAT HACKERS\b'
- '(?i)\bSA3D HaCk3D\b'
- '(?i)\bjok3r\b'
- '(?i)\bHighTech\b'
- '(?i)\bMr.Kro0oz\b'
- '(?i)\bTheWayEnd\b'
- '(?i)\bLUN4T1C0\b'
- '(?i)\bKaMtiEz\b'
- '(?i)\bHolaKo\b'
- '(?i)\bMiSh\b'
- '(?i)\bMister Spy\b'
- '(?i)\bClash Hackers\b'
- '(?i)\bKkK1337\b'
- '(?i)\bKuroi\b'
- '(?i)\bBALA SNIPER\b'
- '(?i)\bRayzky_\b'
- '(?i)\bRXR\b'
- '(?i)\bTOP-TEAM\b'
- '(?i)\bMagelang6etar\b'
- '(?i)\bifactoryx\b'
- '(?i)\bthe_warri0r\b'
- '(?i)\bRed Eye\b'
- '(?i)\bdarkshadow-tn\b'
- '(?i)\bs13doeL\b'
- '(?i)\bFallaga Team\b'
- '(?i)\bulow\b'
- '(?i)\bSPYKIDS\b'
- '(?i)\bCyb3r_Sw0rd\b'
- '(?i)\blinuXploit_crew\b'
- '(?i)\bIr4dex 735\b'
- '(?i)\bKingSam\b'
- type: regex
part: body
name: other-groups-attacker
regex:
- '(?i)\bLapsus$\b'
- '(?i)\bLulzSec\b'
- '(?i)\bmilw0rm\b'
- '(?i)\bNoName05\b'
- '(?i)\bAnonymousSudan\b'
- '(?i)\bAnon_by\b'
- '(?i)\bAnonGhost\b'
- '(?i)\bTeam.Insane\b'
- '(?i)\bEagle Cyber\b'
- type: regex
part: body
name: hacktivism-operation
regex:
- '(?i)\bOpIsrael\b'
- '(?i)\bOpRussia\b'
- '(?i)\bOpIran\b'
- '(?i)\bOpPhilippines\b'
- '(?i)\bOpAustralia\b'
- '(?i)\bAnonymousItalia\b'
- '(?i)\bStopRussia\b'
- '(?i)\bStopInvasion\b'
- '(?i)\bWe.are.legion\b'
- '(?i)\bAnonOps\b'
- '(?i)\bOpGOP\b'
- '(?i)\bOpStonewall\b'
- '(?i)\bTangoDown\b'
- '(?i)\bFREE_PALESTINE\b'
- '(?i)\bFREE_AL-AQSA\b'
- type: status
status:
- 200
payloads:
path:
- /
- /old
- /ssh
- /tmp
- /uploads
- /index.html
- /index.php
- /indexx.html
- /defaced.html
- /readme.html
- /readme.php
- /kurd.html
- /kurd1943.html
- /evil.html
- /ghost.htm
- /pwnd.html
- /pwn.html
- /hacked.html
- /hacked.txt
- /1.php
- /1.txt
- /1.html
- /a.htm
- /a.html
- /a.php
- /V.txt
- /0day.txt
- /1337.txt
- /r00t.php
- /root.html
- /id.htm
- /by.html
- /by.htm
- /me.php
- /o.htm
- /O.html
- /a.php
- /a.html
- /z.php
- /zz.txt
- /z.txt
- /M.html
- /ie.txt
- /xxx.html
- /x.txt
- /logs.txt
- /ownz.html
- /update_note.txt
- /k.html
- /y.txt
- /T.html
- /ts.html
- /tr.html
- /core.html
- /el.htm
- /ie.htm
- /si.html
- /sad.html
- /fake.html
- /broken.html
- /buy.html
- /access.php
- /info.php
- /jquery.php
- /news.php
- /services.php
- /boxed.php
- /main.php
- /pbw.txt
- /aw.txt
- /hx.txt
- /vz.txt
- /cl.html
- /asi.html
- /public
- /cache
- /info.txt
- /ir.html
- /me.html
- /px.html
- /px.php
- /F.html
- /frost.txt
- /-.txt
- /!.txt
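Review bot: Under `matchers-condition: and` (L38), splitting the former single regex matcher into five named regex matchers (`defacement-signature`, `spamdexing`, `zone-h-top-50`, `other-groups-attacker`, `hacktivism-operation`) means a response must now contain a pattern from every group and return 200 before the template fires, so it will almost never match; either collapse them back into one regex matcher (patterns inside one matcher are OR-ed by default) or, if per-category names are wanted, switch to `matchers-condition: or` and drop the separate `status` matcher. Three patterns also cannot match what they appear to target: `'(?i)\win.the.lottery\b'` (L99) begins with `\w` instead of `\b`, `'(?i)\bLapsus$\b'` (L159) treats `$` as an end-of-input anchor, and `'(?i)\buid=0(root).?gid=0(root).?groups=0(root)\b'` (L52) treats the parentheses as groups so the literal `uid=0(root)` output never matches; they should read `'(?i)\bwin.the.lottery\b'`, `'(?i)\bLapsus\$'` and `'(?i)\buid=0\(root\).?gid=0\(root\).?groups=0\(root\)'` (no trailing `\b` after an escaped non-word character). The description at L20 still says the template "extracts a text snippet with the match", but the `extractors` block present in the removed file has been dropped along with `metadata.max-requests`, so the description should be trimmed to match the new behaviour and the request-count metadata restored if the repository expects it. Minor: `/a.php` and `/a.html` appear twice in the payload list (L215–L216 and L228–L229), costing two redundant requests per target.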


@ -1,403 +0,0 @@
id: defacement-detector
info:
name: Defacement Content Detector
author: ricardomaia
severity: info
description: |
This template detects defacement content in the response body, using a list of commom paths as payload.
It also detects spamdexing and hacktivism signatures and extracts a text snippet with the match.
The URL paths and regex rules were based on research from several sources.
Other rules are based in the author's experience and are not exhaustive.
reference:
- https://www.zone-h.org
- https://zone-xsec.com
- https://hax.or.id
- https://www.haxor.id
- https://www.defacer.net
- https://www.radware.com/security/threat-advisories-and-attack-reports/hacktivism-unveiled-april-2023
metadata:
max-requests: 1
tags: misc,monitoring,defacement,spam,hacktivism
http:
- method: GET
path:
- "{{BaseURL}}{{path}}"
redirects: true
max-redirects: 1
stop-at-first-match: true
matchers-condition: and
matchers:
- type: regex
part: body
regex:
# Commom defacement signatures
- '(?i)\bhack[e|3]d.?(by)?\b'
- '(?i)\bwh(00|oo)pz\b'
- '(?i)\bdefaced.?(by)?\b'
- '(?i)\bPa?wn(e|3)d.?(by)?\b'
- '(?i)\b0wned.?(by)?\b'
- '(?i)\bGreetz.?(to)?\b'
- '(?i)\bXploit\b'
- '(?i)\brulez\b'
- '(?i)\buid=0(root).?gid=0(root).?groups=0(root)\b'
- '(?i)\bh(a|4)x(o|0)r\b'
- '(?i)\bHack.Team\b'
- '(?i)\bpwnted.?(by)?\b'
- '(?i)\bBUY.WEBSHELL\b'
- '(?i)\bHello.Admin\b'
- '(?i)\bShootz\b'
- '(?i)\bTouched\sby\b' # Some false positives
- '(?i)\bHas.*been.*hacked\b' # Some false positives
- '(?i)\bStamped\sBy\b' # Some false positives
# Spamdexing
- '(?i)\bcialis\b'
- '(?i)\btadacip\b'
- '(?i)\bpurinethol\b'
- '(?i)\bbactrim\b'
- '(?i)\bfemale-cialis\b'
- '(?i)\btoprol-xl\b'
- '(?i)\bbupropion\b'
- '(?i)\blevitra\b'
- '(?i)\bfeldene\b'
- '(?i)\bapcalis\b'
- '(?i)\batacand\b'
- '(?i)\bzerit\b'
- '(?i)\bisordil\b'
- '(?i)\bviagra-soft\b'
- '(?i)\bdanazol\b'
- '(?i)\blasix\b'
- '(?i)\bapcalis-sx\b'
- '(?i)\btadalafil\b'
- '(?i)\bviagra-jelly\b'
- '(?i)\btadalis-sx\b'
- '(?i)\btelmisartan\b'
- '(?i)\bcialis-soft\b'
- '(?i)\brevia\b'
- '(?i)\bcardura\b'
- '(?i)\bfempro\b'
- '(?i)\bfemale-viagra\b'
- '(?i)\berectalis\b'
- '(?i)\bforzest\b'
- '(?i)\bisoptin-sr\b'
- '(?i)\bkamagra-soft\b'
- '(?i)\blioresal\b'
- '(?i)\bneoral\b'
- '(?i)\bcytoxan\b'
- '(?i)\bphenytoin\b'
- '(?i)\bvibramycin\b'
- '(?i)\binstant.fortune\b'
- '(?i)\win.the.lottery\b'
- '(?i)\bwin.the.lotto\b'
- '(?i)\bcassino\b'
# Attackets - Zone-H Top 50
- '(?i)\bHmei7\b'
- '(?i)\bd3b~x\b'
- '(?i)\bIndex Php\b'
- '(?i)\biskorpitx\b'
- '(?i)\bchinafans\b'
- '(?i)\bSejeal\b'
- '(?i)\b1923Turk\b'
- '(?i)\bmuhmademad\b'
- '(?i)\bTeam_CC\b'
- '(?i)\bimam\b'
- '(?i)\bmisafir\b'
- '(?i)\bZoRRoKiN\b'
- '(?i)\bpanataran\b'
- '(?i)\bGHoST61\b'
- '(?i)\bAshiyane Digital Security Team\b'
- '(?i)\bFatal Error\b'
- '(?i)\bErrOr SquaD\b'
- '(?i)\bw4l3xzy3\b'
- '(?i)\bBD GREY HAT HACKERS\b'
- '(?i)\bSA3D HaCk3D\b'
- '(?i)\bjok3r\b'
- '(?i)\bHighTech\b'
- '(?i)\bMr.Kro0oz\b'
- '(?i)\bTheWayEnd\b'
- '(?i)\bLUN4T1C0\b'
- '(?i)\bKaMtiEz\b'
- '(?i)\bHolaKo\b'
- '(?i)\bMiSh\b'
- '(?i)\bMister Spy\b'
- '(?i)\bClash Hackers\b'
- '(?i)\bKkK1337\b'
- '(?i)\bKuroi\b'
- '(?i)\bBALA SNIPER\b'
- '(?i)\bRayzky_\b'
- '(?i)\bRXR\b'
- '(?i)\bTOP-TEAM\b'
- '(?i)\bMagelang6etar\b'
- '(?i)\bifactoryx\b'
- '(?i)\bthe_warri0r\b'
- '(?i)\bRed Eye\b'
- '(?i)\bdarkshadow-tn\b'
- '(?i)\bs13doeL\b'
- '(?i)\bFallaga Team\b'
- '(?i)\bulow\b'
- '(?i)\bSPYKIDS\b'
- '(?i)\bCyb3r_Sw0rd\b'
- '(?i)\blinuXploit_crew\b'
- '(?i)\bIr4dex 735\b'
- '(?i)\bKingSam\b'
# Others groups or attackers
- '(?i)\bLapsus$\b'
- '(?i)\bLulzSec\b'
- '(?i)\bmilw0rm\b'
- '(?i)\bNoName05\b'
- '(?i)\bAnonymousSudan\b'
- '(?i)\bAnon_by\b'
- '(?i)\bAnonGhost\b'
- '(?i)\bTeam.Insane\b'
- '(?i)\bEagle Cyber\b'
# Hacktivism Operations
- '(?i)\bOpIsrael\b'
- '(?i)\bOpRussia\b'
- '(?i)\bOpIran\b'
- '(?i)\bOpPhilippines\b'
- '(?i)\bOpAustralia\b'
- '(?i)\bAnonymousItalia\b'
- '(?i)\bStopRussia\b'
- '(?i)\bStopInvasion\b'
- '(?i)\bWe.are.legion\b'
- '(?i)\bAnonOps\b'
- '(?i)\bOpGOP\b'
- '(?i)\bOpStonewall\b'
- '(?i)\bTangoDown\b'
- '(?i)\bFREE_PALESTINE\b'
- '(?i)\bFREE_AL-AQSA\b'
- type: status
status:
- 200
extractors:
- type: regex
part: body
# Five characters before and after the match
name: text-snippet
regex:
# Commom defacement signatures
- '.{0,5}(?i)\bhack[e|3]d.?(by)?\b.{0,5}'
- '.{0,5}(?i)\bwh(00|oo)pz\b.{0,5}'
- '.{0,5}(?i)\bdefaced.?(by)?\b.{0,5}'
- '.{0,5}(?i)\bPa?wn(e|3)d.?(by)?\b.{0,5}'
- '.{0,5}(?i)\b0wned.?(by)?\b.{0,5}'
- '.{0,5}(?i)\bGreetz.?(to)?\b.{0,5}'
- '.{0,5}(?i)\bXploit\b.{0,5}'
- '.{0,5}(?i)\brulez\b.{0,5}'
- '.{0,5}(?i)\buid=0(root).?gid=0(root).?groups=0(root)\b.{0,5}'
- '.{0,5}(?i)\bh(a|4)x(o|0)r\b.{0,5}'
- '.{0,5}(?i)\bHack.Team\b.{0,5}'
- '.{0,5}(?i)\bpwnted.?(by)?\b.{0,5}'
- '.{0,5}(?i)\bBUY.WEBSHELL\b.{0,5}'
- '.{0,5}(?i)\bHello.Admin\b.{0,5}'
- '.{0,5}(?i)\bShootz\b.{0,5}'
- '.{0,5}(?i)\bTouched\sby\b.{0,5}' # Some false positives
- '.{0,5}(?i)\bHas.*been.*hacked\b.{0,5}' # Some false positives
- '.{0,5}(?i)\bStamped\sBy\b.{0,5}' # Some false positives
# Spamdexing
- '.{0,5}(?i)\bcialis\b.{0,5}'
- '.{0,5}(?i)\btadacip\b.{0,5}'
- '.{0,5}(?i)\bpurinethol\b.{0,5}'
- '.{0,5}(?i)\bbactrim\b.{0,5}'
- '.{0,5}(?i)\bfemale-cialis\b.{0,5}'
- '.{0,5}(?i)\btoprol-xl\b.{0,5}'
- '.{0,5}(?i)\bbupropion\b.{0,5}'
- '.{0,5}(?i)\blevitra\b.{0,5}'
- '.{0,5}(?i)\bfeldene\b.{0,5}'
- '.{0,5}(?i)\bapcalis\b.{0,5}'
- '.{0,5}(?i)\batacand\b.{0,5}'
- '.{0,5}(?i)\bzerit\b.{0,5}'
- '.{0,5}(?i)\bisordil\b.{0,5}'
- '.{0,5}(?i)\bviagra-soft\b.{0,5}'
- '.{0,5}(?i)\bdanazol\b.{0,5}'
- '.{0,5}(?i)\blasix\b.{0,5}'
- '.{0,5}(?i)\bapcalis-sx\b.{0,5}'
- '.{0,5}(?i)\btadalafil\b.{0,5}'
- '.{0,5}(?i)\bviagra-jelly\b.{0,5}'
- '.{0,5}(?i)\btadalis-sx\b.{0,5}'
- '.{0,5}(?i)\btelmisartan\b.{0,5}'
- '.{0,5}(?i)\bcialis-soft\b.{0,5}'
- '.{0,5}(?i)\brevia\b.{0,5}'
- '.{0,5}(?i)\bcardura\b.{0,5}'
- '.{0,5}(?i)\bfempro\b.{0,5}'
- '.{0,5}(?i)\bfemale-viagra\b.{0,5}'
- '.{0,5}(?i)\berectalis\b.{0,5}'
- '.{0,5}(?i)\bforzest\b.{0,5}'
- '.{0,5}(?i)\bisoptin-sr\b.{0,5}'
- '.{0,5}(?i)\bkamagra-soft\b.{0,5}'
- '.{0,5}(?i)\blioresal\b.{0,5}'
- '.{0,5}(?i)\bneoral\b.{0,5}'
- '.{0,5}(?i)\bcytoxan\b.{0,5}'
- '.{0,5}(?i)\bphenytoin\b.{0,5}'
- '.{0,5}(?i)\bvibramycin\b.{0,5}'
- '.{0,5}(?i)\binstant.fortune\b.{0,5}'
- '.{0,5}(?i)\win.the.lottery\b.{0,5}'
- '.{0,5}(?i)\bwin.the.lotto\b.{0,5}'
- '.{0,5}(?i)\bcassino\b.{0,5}'
# Attackets - Zone-H Top 50
- '.{0,5}(?i)\bHmei7\b.{0,5}'
- '.{0,5}(?i)\bd3b~x\b.{0,5}'
- '.{0,5}(?i)\bIndex Php\b.{0,5}'
- '.{0,5}(?i)\biskorpitx\b.{0,5}'
- '.{0,5}(?i)\bchinafans\b.{0,5}'
- '.{0,5}(?i)\bSejeal\b.{0,5}'
- '.{0,5}(?i)\b1923Turk\b.{0,5}'
- '.{0,5}(?i)\bmuhmademad\b.{0,5}'
- '.{0,5}(?i)\bTeam_CC\b.{0,5}'
- '.{0,5}(?i)\bimam\b.{0,5}'
- '.{0,5}(?i)\bmisafir\b.{0,5}'
- '.{0,5}(?i)\bZoRRoKiN\b.{0,5}'
- '.{0,5}(?i)\bpanataran\b.{0,5}'
- '.{0,5}(?i)\bGHoST61\b.{0,5}'
- '.{0,5}(?i)\bAshiyane Digital Security Team\b.{0,5}'
- '.{0,5}(?i)\bFatal Error\b.{0,5}'
- '.{0,5}(?i)\bErrOr SquaD\b.{0,5}'
- '.{0,5}(?i)\bw4l3xzy3\b.{0,5}'
- '.{0,5}(?i)\bBD GREY HAT HACKERS\b.{0,5}'
- '.{0,5}(?i)\bSA3D HaCk3D\b.{0,5}'
- '.{0,5}(?i)\bjok3r\b.{0,5}'
- '.{0,5}(?i)\bHighTech\b.{0,5}'
- '.{0,5}(?i)\bMr.Kro0oz\b.{0,5}'
- '.{0,5}(?i)\bTheWayEnd\b.{0,5}'
- '.{0,5}(?i)\bLUN4T1C0\b.{0,5}'
- '.{0,5}(?i)\bKaMtiEz\b.{0,5}'
- '.{0,5}(?i)\bHolaKo\b.{0,5}'
- '.{0,5}(?i)\bMiSh\b.{0,5}'
- '.{0,5}(?i)\bMister Spy\b.{0,5}'
- '.{0,5}(?i)\bClash Hackers\b.{0,5}'
- '.{0,5}(?i)\bKkK1337\b.{0,5}'
- '.{0,5}(?i)\bKuroi\b.{0,5}'
- '.{0,5}(?i)\bBALA SNIPER\b.{0,5}'
- '.{0,5}(?i)\bRayzky_\b.{0,5}'
- '.{0,5}(?i)\bRXR\b.{0,5}'
- '.{0,5}(?i)\bTOP-TEAM\b.{0,5}'
- '.{0,5}(?i)\bMagelang6etar\b.{0,5}'
- '.{0,5}(?i)\bifactoryx\b.{0,5}'
- '.{0,5}(?i)\bthe_warri0r\b.{0,5}'
- '.{0,5}(?i)\bRed Eye\b.{0,5}'
- '.{0,5}(?i)\bdarkshadow-tn\b.{0,5}'
- '.{0,5}(?i)\bs13doeL\b.{0,5}'
- '.{0,5}(?i)\bFallaga Team\b.{0,5}'
- '.{0,5}(?i)\bulow\b.{0,5}'
- '.{0,5}(?i)\bSPYKIDS\b.{0,5}'
- '.{0,5}(?i)\bCyb3r_Sw0rd\b.{0,5}'
- '.{0,5}(?i)\blinuXploit_crew\b.{0,5}'
- '.{0,5}(?i)\bIr4dex 735\b.{0,5}'
- '.{0,5}(?i)\bKingSam\b.{0,5}'
# Others groups or attackers
- '.{0,5}(?i)\bLapsus$\b.{0,5}'
- '.{0,5}(?i)\bLulzSec\b.{0,5}'
- '.{0,5}(?i)\bmilw0rm\b.{0,5}'
- '.{0,5}(?i)\bNoName05\b.{0,5}'
- '.{0,5}(?i)\bAnonymousSudan\b.{0,5}'
- '.{0,5}(?i)\bAnon_by\b.{0,5}'
- '.{0,5}(?i)\bAnonGhost\b.{0,5}'
- '.{0,5}(?i)\bTeam.Insane\b.{0,5}'
- '.{0,5}(?i)\bEagle Cyber\b.{0,5}'
# Hacktivism Operations
- '.{0,5}(?i)\bOpIsrael\b.{0,5}'
- '.{0,5}(?i)\bOpRussia\b.{0,5}'
- '.{0,5}(?i)\bOpIran\b.{0,5}'
- '.{0,5}(?i)\bOpPhilippines\b.{0,5}'
- '.{0,5}(?i)\bOpAustralia\b.{0,5}'
- '.{0,5}(?i)\bAnonymousItalia\b.{0,5}'
- '.{0,5}(?i)\bStopRussia\b.{0,5}'
- '.{0,5}(?i)\bStopInvasion\b.{0,5}'
- '.{0,5}(?i)\bWe.are.legion\b.{0,5}'
- '.{0,5}(?i)\bAnonOps\b.{0,5}'
- '.{0,5}(?i)\bOpGOP\b.{0,5}'
- '.{0,5}(?i)\bOpStonewall\b.{0,5}'
- '.{0,5}(?i)\bTangoDown\b.{0,5}'
payloads:
path:
# Commom paths
- /
- /old
- /ssh
- /tmp
- /uploads
# Commom defacement files
- /index.html
- /index.php
- /indexx.html
- /defaced.html
- /readme.html
- /readme.php
- /kurd.html
- /kurd1943.html
- /evil.html
- /ghost.htm
- /pwnd.html
- /pwn.html
- /hacked.html
- /hacked.txt
- /1.php
- /1.txt
- /1.html
- /a.htm
- /a.html
- /a.php
- /V.txt
- /0day.txt
- /1337.txt
- /r00t.php
- /root.html
- /id.htm
- /by.html
- /by.htm
- /me.php
- /o.htm
- /O.html
- /a.php
- /a.html
- /z.php
- /zz.txt
- /z.txt
- /M.html
- /ie.txt
- /xxx.html
- /x.txt
- /logs.txt
- /ownz.html
- /update_note.txt
- /k.html
- /y.txt
- /T.html
- /ts.html
- /tr.html
- /core.html
- /el.htm
- /ie.htm
- /si.html
- /sad.html
- /fake.html
- /broken.html
- /buy.html
- /access.php
- /info.php
- /jquery.php
- /news.php
- /services.php
- /boxed.php
- /main.php
- /pbw.txt
- /aw.txt
- /hx.txt
- /vz.txt
- /cl.html
- /asi.html
- /public
- /cache
- /info.txt
- /ir.html
- /me.html
- /px.html
- /px.php
- /F.html
- /frost.txt
- /-.txt
- /!.txt