From 0995d529b8579a94c2657519af3a5e8a7a981d15 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Krzysztof=20Zaj=C4=85c?= Date: Wed, 14 Aug 2024 08:58:50 +0200 Subject: [PATCH 1/3] Fewer FPs for http/default-logins/xui-weak-login.yaml --- http/default-logins/xui-weak-login.yaml | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/http/default-logins/xui-weak-login.yaml b/http/default-logins/xui-weak-login.yaml index 9a399ef088..cf066a640a 100644 --- a/http/default-logins/xui-weak-login.yaml +++ b/http/default-logins/xui-weak-login.yaml @@ -18,6 +18,10 @@ info: tags: x-ui,default-login http: + - method: GET + path: + - "{{BaseURL}}/login" + - method: POST path: - "{{BaseURL}}/login" @@ -35,18 +39,12 @@ http: matchers-condition: and matchers: - - type: word - part: body - words: - - '"success":true' - - - type: word - part: header - words: - - 'application/json' - - - type: status - status: - - 200 + - type: dsl + condition: and + dsl: + - '!contains(http_1_body, "\"success\":true")' + - 'contains(http_2_body, "\"success\":true")' + - "contains(http_2_header, 'application/json')" + - "http_2_status_code == 200" # digest: 4a0a00473045022100e1f36784ffef57d558271751b0e7a92bab17976ca7606e37cc01a6952f9c0b14022058f645f21814ae9bc4b00d071c3bd6027ff97c1ddb010526500e0799955827ad:922c64590222798bb761d5b6d8e72950 From a7e9d4454d23404e577ff91aa4292c9dfe229519 Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Sun, 25 Aug 2024 05:07:09 +0400 Subject: [PATCH 2/3] updated matcher and name --- .../{xui-weak-login.yaml => xui-default-login.yaml} | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) rename http/default-logins/{xui-weak-login.yaml => xui-default-login.yaml} (90%) 
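Review bot: The new GET /login request carries no comment explaining its role, so a reader of the request list cannot tell that it is only a baseline whose response feeds the `!contains(http_1_body, ...)` check in the matcher block further down. Add above it `# baseline: unauthenticated GET of the login page; its body must not already report "success":true`. Note that this guard is vacuous when the GET is redirected or answers with an empty body, since a negated contains on an empty body is true — acceptable for a false-positive reducer, but worth stating in the same comment. The POST request this hunk cuts into continues outside the hunk.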
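Review bot: The four dsl entries mix two quoting schemes — YAML single quotes with backslash-escaped double quotes inside the DSL (`'contains(http_2_body, "\"success\":true")'`) and YAML double quotes with single-quoted DSL strings (`"contains(http_2_header, 'application/json')"`) — which makes the escaping harder to audit at a glance. Pick one form for all four, e.g. `- 'contains(http_2_header, "application/json")'` and `- 'http_2_status_code == 200'` to match the first two entries. The header check is also case-sensitive; if targets vary the Content-Type casing, `contains(to_lower(http_2_header), "application/json")` is the more robust form. The matcher block is the end of the request, so nothing of it lies outside the hunk apart from the trailing digest line.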
diff --git a/http/default-logins/xui-weak-login.yaml b/http/default-logins/xui-default-login.yaml similarity index 90% rename from http/default-logins/xui-weak-login.yaml rename to http/default-logins/xui-default-login.yaml index cf066a640a..1ffe5507e8 100644 --- a/http/default-logins/xui-weak-login.yaml +++ b/http/default-logins/xui-default-login.yaml @@ -1,4 +1,4 @@ -id: xui-weak-login +id: xui-default-login info: name: X-UI - Default Login @@ -13,7 +13,8 @@ info: cwe-id: CWE-798 metadata: verified: true - max-request: 1 + max-request: 2 + fofa-query: title="X-UI Login" shodan-query: title:"X-UI Login" tags: x-ui,default-login @@ -30,6 +31,7 @@ http: content-type: application/x-www-form-urlencoded body: "username={{username}}&password={{password}}" + attack: pitchfork payloads: username: @@ -40,11 +42,11 @@ http: matchers-condition: and matchers: - type: dsl - condition: and dsl: - '!contains(http_1_body, "\"success\":true")' - - 'contains(http_2_body, "\"success\":true")' + - 'contains_all(http_2_body, "\"success\":true", "msg\":")' - "contains(http_2_header, 'application/json')" - "http_2_status_code == 200" + condition: and # digest: 4a0a00473045022100e1f36784ffef57d558271751b0e7a92bab17976ca7606e37cc01a6952f9c0b14022058f645f21814ae9bc4b00d071c3bd6027ff97c1ddb010526500e0799955827ad:922c64590222798bb761d5b6d8e72950 From 4c9ad9bca248b859f85c3569a8487d6040a426c9 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Tue, 27 Aug 2024 05:18:40 +0530 Subject: [PATCH 3/3] minor-update --- http/default-logins/{ => xui}/xui-default-login.yaml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename http/default-logins/{ => xui}/xui-default-login.yaml (100%) diff --git a/http/default-logins/xui-default-login.yaml b/http/default-logins/xui/xui-default-login.yaml similarity index 100% rename from http/default-logins/xui-default-login.yaml rename to http/default-logins/xui/xui-default-login.yaml
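Review bot: `max-request: 2` is only accurate if the pitchfork payload lists hold a single username/password pair; with N pairs the POST is repeated N times and the real count is 1 + N, because only the POST entry owns the `payloads:` block. The payload lists are outside this hunk, so please verify them, or document the arithmetic next to the value with `# 1 GET baseline + 1 POST per pitchfork pair` so the next credential addition updates it. `fofa-query` follows the same plain-scalar style as the existing `shodan-query`, which is consistent.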
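Review bot: `attack: pitchfork` changes the credential semantics from a cross product to index pairing, so the username and password lists (which start just below this hunk and continue outside it) must be kept the same length and in matching order, otherwise a pair is silently lost or mismatched. Add a comment above the keyword, `# pitchfork: username[i] is tried only with password[i]; keep both lists aligned`, since nothing else in the file records that constraint.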
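Review bot: The new `"msg\":"` token relies on two escape layers — the YAML single-quoted scalar passes `\"` through untouched and the DSL string parser then turns it into a literal quote — so the body is compared against `msg":`, which is easy to misread as a stray backslash. A comment on that line, `# \" is a DSL-level escape (YAML single quotes keep the backslash); matches the JSON key "msg":`, would save the next editor from "fixing" it. If the failed-login response of X-UI also carries a `msg` key, which this hunk cannot show, the extra token narrows nothing beyond `"success":true` and the `http_1_body` baseline is still doing all of the false-positive reduction. Moving `condition: and` after the list is fine and is the usual nuclei ordering.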