id: honeypot-detect

info:
  name: Honeypot Detection
  author: j4vaovo
  severity: info
  description: |
    Honeypot was Detected.
  reference:
    - https://github.com/zema1/yarx
  metadata:
    max-request: 1
  tags: honeypot,tech,cti
variables:
  rand1: "{{randstr}}"
  rand2: "{{rand_int(11111, 99999)}}"
  rand3: "{{randstr}}"

http:
  - method: GET
    path:
      - "{{BaseURL}}/?{{rand1}}=../../../../../../../../etc/passwd&{{rand3}}=1%20and%20updatexml(1,concat(0x7e,(select%20md5({{rand2}}))),1)"

    matchers-condition: or
    matchers:
      - type: regex
        regex:
          - "root:[x*]:0:0"

      - type: word
        part: body
        words:
          - '{{md5({{rand2}})}}'

# digest: 4a0a0047304502210083990c596350d6c5a038d9bafb347b8548401c473917a664781c9041a263482e02202db480b104a846e016bb209ad90dbfd99b7751eb394184eb1f17af90265ca465:922c64590222798bb761d5b6d8e72950