From 753cf69312895e76316ebfbeb902b1cfc44e6498 Mon Sep 17 00:00:00 2001
From: QAQ <104293903+pwnhxl@users.noreply.github.com>
Date: Thu, 2 Mar 2023 14:40:18 +0800
Subject: [PATCH] update zip-backup-files (#6816)
---
 exposures/backups/zip-backup-files.yaml | 36 ++++++++++++++++++++-----
 1 file changed, 30 insertions(+), 6 deletions(-)
diff --git a/exposures/backups/zip-backup-files.yaml b/exposures/backups/zip-backup-files.yaml
index 97aebf8bca..22de7570b6 100644
--- a/exposures/backups/zip-backup-files.yaml
+++ b/exposures/backups/zip-backup-files.yaml
@@ -2,7 +2,7 @@ id: zip-backup-files
 info:
 name: Compressed Backup File - Detect
- author: toufik-airane,dwisiswant0,ffffffff0x
+ author: toufik-airane,dwisiswant0,ffffffff0x,pwnhxl
 severity: medium
 description: Multiple compressed backup files were detected.
 classification:
@@ -14,13 +14,36 @@ info:
 requests:
 - method: GET
 path:
- - "{{BaseURL}}/{{FQDN}}.{{EXT}}" # www.example.com
- - "{{BaseURL}}/{{RDN}}.{{EXT}}" # example.com
- - "{{BaseURL}}/{{DN}}.{{EXT}}" # example
- - "{{BaseURL}}/{{SD}}.{{EXT}}" # www
+ - "{{BaseURL}}/{{FILENAME}}.{{EXT}}"
- attack: pitchfork
+ attack: clusterbomb
 payloads:
+ FILENAME:
+ - "{{FQDN}}" # www.example.com
+ - "{{RDN}}" # example.com
+ - "{{DN}}" # example
+ - "{{SD}}" # www
+ - "{{date_time('%Y')}}" #2023
+ - "ROOT" #tomcat
+ - "wwwroot"
+ - "htdocs"
+ - "www"
+ - "html"
+ - "web"
+ - "webapps"
+ - "public"
+ - "public_html"
+ - "uploads"
+ - "website"
+ - "api"
+ - "test"
+ - "app"
+ - "backup"
+ - "bin"
+ - "bak"
+ - "old"
+ - "Release"
+
 EXT:
 - "7z"
 - "bz2"
@@ -46,6 +69,7 @@ requests:
 - "sql.zip"
 - "sql.z"
 - "sql.tar.z"
+ - "war"
 max-size: 500 # Size in bytes - Max Size to read from server response
 matchers-condition: and
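Review bot: Switching `attack` to `clusterbomb` in the second hunk runs every `FILENAME` value against every `EXT` value, so the 24 names listed here multiply the request count per target by the full extension list, and nothing visible in the hunk bounds that. If a single hit is enough for the finding, `stop-at-first-match: true` on the request would cap it. The literal `"www"` also repeats what `{{SD}}` resolves to on a `www.` host (per its own comment), which costs one more full pass through `EXT`. Generic names such as `test`, `api` and `app` put more weight on the matchers, which sit outside this hunk, so it is worth confirming they check archive content rather than the status code alone. As a style point, `#2023` and `#tomcat` lack the space after `#` that the neighbouring comments use.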