From dfd6d5cbd40bcd14ebf17611a4e5093f8d1f6782 Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Thu, 1 Aug 2024 14:36:53 +0530
Subject: [PATCH 1/2] Create x11-unauth-access.yaml

---
 .../x11/x11-unauth-access.yaml                | 44 +++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 javascript/misconfiguration/x11/x11-unauth-access.yaml

diff --git a/javascript/misconfiguration/x11/x11-unauth-access.yaml b/javascript/misconfiguration/x11/x11-unauth-access.yaml
new file mode 100644
index 0000000000..2305b2f82c
--- /dev/null
+++ b/javascript/misconfiguration/x11/x11-unauth-access.yaml
@@ -0,0 +1,44 @@
+id: x11-unauth-access
+
+info:
+  name: x11 - Unauthenticated
+  author: pussycat0x
+  severity: high
+  description: |
+    To check if you can connect to a remote X server, send an X11 initial connection request to TCP port 6000+n (where n is the display number). The response success byte (0x00 or 0x01) indicates if you are allowed; if successful, the script will display "X server access is granted," confirming that an attacker can connect to the X server
+  reference:
+    - https://nmap.org/nsedoc/scripts/x11-access.html
+    - https://book.hacktricks.xyz/network-services-pentesting/6000-pentesting-x11
+    - https://www.hackingarticles.in/penetration-testing-on-x11-server/
+  tags: x11,network,js,remote,unauth
+
+javascript:
+  - pre-condition: |
+      isPortOpen(Host,Port);
+    code: |
+      let packet = bytes.NewBuffer();
+      const c = require("nuclei/net");
+      const cmd = "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000"
+      packet.WriteString(cmd)
+      let conn = c.Open('tcp', `${Host}:${Port}`);
+      conn.SendHex(packet.Hex());
+      const result = conn.RecvFull();
+
+      let accessGranted;
+
+      if (result[0] === 1) {
+      accessGranted = true;
+        } else {
+          conn.Close();
+        }
+
+      accessGranted
+
+    args:
+      Host: "{{Host}}"
+      Port: 6000
+
+    matchers:
+      - type: dsl
+        dsl:
+          - response

From 8bf5b35eb94f68d88077fe078f1dfe1dfe2c8e1f Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran <leedhiyanesh@gmail.com>
Date: Thu, 1 Aug 2024 15:41:36 +0530
Subject: [PATCH 2/2] Update x11-unauth-access.yaml

---
 javascript/misconfiguration/x11/x11-unauth-access.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/javascript/misconfiguration/x11/x11-unauth-access.yaml b/javascript/misconfiguration/x11/x11-unauth-access.yaml
index 2305b2f82c..b22f12fe53 100644
--- a/javascript/misconfiguration/x11/x11-unauth-access.yaml
+++ b/javascript/misconfiguration/x11/x11-unauth-access.yaml
@@ -1,7 +1,7 @@
 id: x11-unauth-access
 
 info:
-  name: x11 - Unauthenticated
+  name: x11 - Unauthenticated Access
   author: pussycat0x
   severity: high
   description: |
@@ -10,6 +10,10 @@ info:
     - https://nmap.org/nsedoc/scripts/x11-access.html
     - https://book.hacktricks.xyz/network-services-pentesting/6000-pentesting-x11
     - https://www.hackingarticles.in/penetration-testing-on-x11-server/
+  metadata:
+    shodan-query: "Open X Server:"
+    verified: true
+    max-request: 1
   tags: x11,network,js,remote,unauth
 
 javascript: