Merge pull request #10702 from projectdiscovery/nginx-api-traversal

Create nginx-api-traversal.yaml
2024-09-06 19:12:53 +04:00 · 2024-09-06 19:12:53 +04:00 · beaa3be244
parent 812b711440 72661315fd
commit beaa3be244
1 changed files with 109 additions and 0 deletions
--- a/http/misconfiguration/nginx/nginx-api-traversal.yaml
+++ b/http/misconfiguration/nginx/nginx-api-traversal.yaml
@ -0,0 +1,109 @@
 id: nginx-api-traversal
 info:
  name: Nginx Plus Rest API - Traversal
  author: encodedguy
  severity: high
  description: |
    Access to Nginx Plus Rest API was discovered.
  reference:
    - https://nginx.org/en/docs/http/ngx_http_api_module.html
    - https://x.com/akshaysharma71/status/1825815869953552844
  metadata:
    verified: true
  tags: nginx,fuzz,misconfig,lfi
 http:
  - method: GET
    path:
      - "{{BaseURL}}{{paths}}"
    payloads:
      paths:
        - "/api/1/nginx"
        - "/api/2/nginx"
        - "/api/3/nginx"
        - "/api/5/nginx"
        - "/api/9/nginx"
        - "/../../../../../../api/1/nginx"
        - "/../../../../../../api/2/nginx"
        - "/../../../../../../api/3/nginx"
        - "/../../../../../../api/5/nginx"
        - "/../../../../../../api/9/nginx"
        - "/../../../../../api/1/nginx"
        - "/../../../../../api/2/nginx"
        - "/../../../../../api/3/nginx"
        - "/../../../../../api/5/nginx"
        - "/../../../../../api/9/nginx"
        - "/../../../../api/1/nginx"
        - "/../../../../api/2/nginx"
        - "/../../../../api/3/nginx"
        - "/../../../../api/5/nginx"
        - "/../../../../api/9/nginx"
        - "/../../../api/1/nginx"
        - "/../../../api/2/nginx"
        - "/../../../api/3/nginx"
        - "/../../../api/5/nginx"
        - "/../../../api/9/nginx"
        - "/../../api/1/nginx"
        - "/../../api/2/nginx"
        - "/../../api/3/nginx"
        - "/../../api/5/nginx"
        - "/../../api/9/nginx"
        - "/../api/1/nginx"
        - "/../api/2/nginx"
        - "/../api/3/nginx"
        - "/../api/5/nginx"
        - "/../api/9/nginx"
        - "/..;/..;/..;/..;/..;/..;/api/1/nginx"
        - "/..;/..;/..;/..;/..;/..;/api/2/nginx"
        - "/..;/..;/..;/..;/..;/..;/api/3/nginx"
        - "/..;/..;/..;/..;/..;/..;/api/5/nginx"
        - "/..;/..;/..;/..;/..;/..;/api/9/nginx"
        - "/..;/..;/..;/..;/..;/api/1/nginx"
        - "/..;/..;/..;/..;/..;/api/2/nginx"
        - "/..;/..;/..;/..;/..;/api/3/nginx"
        - "/..;/..;/..;/..;/..;/api/5/nginx"
        - "/..;/..;/..;/..;/..;/api/9/nginx"
        - "/..;/..;/..;/..;/api/1/nginx"
        - "/..;/..;/..;/..;/api/2/nginx"
        - "/..;/..;/..;/..;/api/3/nginx"
        - "/..;/..;/..;/..;/api/5/nginx"
        - "/..;/..;/..;/..;/api/9/nginx"
        - "/..;/..;/..;/api/1/nginx"
        - "/..;/..;/..;/api/2/nginx"
        - "/..;/..;/..;/api/3/nginx"
        - "/..;/..;/..;/api/5/nginx"
        - "/..;/..;/..;/api/9/nginx"
        - "/..;/..;/api/1/nginx"
        - "/..;/..;/api/2/nginx"
        - "/..;/..;/api/3/nginx"
        - "/..;/..;/api/5/nginx"
        - "/..;/..;/api/9/nginx"
        - "/..;/api/1/nginx"
        - "/..;/api/2/nginx"
        - "/..;/api/3/nginx"
        - "/..;/api/5/nginx"
        - "/..;/api/9/nginx"
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "version"
          - "build"
          - "address"
          - "load_timestamp"
        condition: and
      - type: word
        part: content_type
        words:
          - application/json
      - type: status
        status:
          - 200