nuclei-templates/misconfiguration/proxy/open-proxy-internal.yaml

111 lines
13 KiB
YAML

id: open-proxy-internal
info:
name: Open Proxy To Internal Network
author: sullo
severity: high
tags: exposure,config,proxy,misconfig,fuzz
description: The host is configured as a proxy which allows access to other hosts on the internal network.
remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports.
reference:
- https://blog.projectdiscovery.io/abusing-reverse-proxies-internal-access/
- https://en.wikipedia.org/wiki/Open_proxy
- https://www.acunetix.com/vulnerabilities/web/apache-configured-to-run-as-proxy/
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score: 8.6
cwe-id: CWE-441
requests:
- raw:
- |+
GET / HTTP/1.1
Host: {{Hostname}}
- |+
GET http://192.168.0.1/ HTTP/1.1
Host: 192.168.0.1
- |+
GET https://192.168.0.1/ HTTP/1.1
Host: 192.168.0.1
- |+
GET http://192.168.0.1:22/ HTTP/1.1
Host: 192.168.0.1
- |+
GET http://192.168.1.1/ HTTP/1.1
Host: 192.168.1.1
- |+
GET https://192.168.1.1/ HTTP/1.1
Host: 192.168.1.1
- |+
GET http://192.168.1.1:22/ HTTP/1.1
Host: 192.168.1.1
- |+
GET http://192.168.2.1/ HTTP/1.1
Host: 192.168.2.1
- |+
GET https://192.168.2.1/ HTTP/1.1
Host: 192.168.2.1
- |+
GET http://192.168.2.1:22/ HTTP/1.1
Host: 192.168.2.1
- |+
GET http:/10.0.0.1/ HTTP/1.1
Host: 10.0.0.1
- |+
GET https://10.0.0.1/ HTTP/1.1
Host: 10.0.0.1
- |+
GET http://10.0.0.1:22/ HTTP/1.1
Host: 10.0.0.1
- |+
GET http:/172.16.0.1/ HTTP/1.1
Host: 172.16.0.1
- |+
GET https://172.16.0.1/ HTTP/1.1
Host: 172.16.0.1
- |+
GET http://172.16.0.1:22/ HTTP/1.1
Host: 172.16.0.1
- |+
GET http:/intranet/ HTTP/1.1
Host: intranet
- |+
GET https://intranet/ HTTP/1.1
Host: intranet
- |+
GET http://intranet:22/ HTTP/1.1
Host: intranet
- |+
GET http:/mail/ HTTP/1.1
Host: mail
- |+
GET https://mail/ HTTP/1.1
Host: mail
- |+
GET http://mail:22/ HTTP/1.1
Host: mail
- |+
GET http:/ntp/ HTTP/1.1
Host: ntp
- |+
GET https://ntp/ HTTP/1.1
Host: ntp
- |+
GET http://ntp:22/ HTTP/1.1
Host: ntp
unsafe: true
matchers:
- type: dsl
dsl:
- (!contains(body_1, "It works")) && (contains(body_2, "It works") || contains(body_3, "It works")) || contains(body_4, "It works") || contains(body_5, "It works") || contains(body_6, "It works") || contains(body_7, "It works") || contains(body_8, "It works") || contains(body_9, "It works") || contains(body_10, "It works") || contains(body_11, "It works") || contains(body_12, "It works") || contains(body_13, "It works") || contains(body_14, "It works") || contains(body_15, "It works") || contains(body_16, "It works") || contains(body_17, "It works") || contains(body_18, "It works") || contains(body_19, "It works") || contains(body_20, "It works") || contains(body_21, "It works") || contains(body_22, "It works") || contains(body_23, "It works")
- (!contains(body_1, "IIS Windows Server")) && (contains(body_2, "IIS Windows Server") || contains(body_3, "IIS Windows Server")) || contains(body_4, "IIS Windows Server") || contains(body_5, "IIS Windows Server") || contains(body_6, "IIS Windows Server") || contains(body_7, "IIS Windows Server") || contains(body_8, "IIS Windows Server") || contains(body_9, "IIS Windows Server") || contains(body_10, "IIS Windows Server") || contains(body_11, "IIS Windows Server") || contains(body_12, "IIS Windows Server") || contains(body_13, "IIS Windows Server") || contains(body_14, "IIS Windows Server") || contains(body_15, "IIS Windows Server") || contains(body_16, "IIS Windows Server") || contains(body_17, "IIS Windows Server") || contains(body_18, "IIS Windows Server") || contains(body_19, "IIS Windows Server") || contains(body_20, "IIS Windows Server") || contains(body_21, "IIS Windows Server") || contains(body_22, "IIS Windows Server") || contains(body_23, "IIS Windows Server")
- (!contains(body_1, "<title>IIS7</title>")) && (contains(body_2, "<title>IIS7</title>") || contains(body_3, "<title>IIS7</title>")) || contains(body_4, "<title>IIS7</title>") || contains(body_5, "<title>IIS7</title>") || contains(body_6, "<title>IIS7</title>") || contains(body_7, "<title>IIS7</title>") || contains(body_8, "<title>IIS7</title>") || contains(body_9, "<title>IIS7</title>") || contains(body_10, "<title>IIS7</title>") || contains(body_11, "<title>IIS7</title>") || contains(body_12, "<title>IIS7</title>") || contains(body_13, "<title>IIS7</title>") || contains(body_14, "<title>IIS7</title>") || contains(body_15, "<title>IIS7</title>") || contains(body_16, "<title>IIS7</title>") || contains(body_17, "<title>IIS7</title>") || contains(body_18, "<title>IIS7</title>") || contains(body_19, "<title>IIS7</title>") || contains(body_20, "<title>IIS7</title>") || contains(body_21, "<title>IIS7</title>") || contains(body_22, "<title>IIS7</title>") || contains(body_23, "<title>IIS7</title>")
- (!contains(body_1, "Welcome to Windows")) && (contains(body_2, "Welcome to Windows") || contains(body_3, "Welcome to Windows")) || contains(body_4, "Welcome to Windows") || contains(body_5, "Welcome to Windows") || contains(body_6, "Welcome to Windows") || contains(body_7, "Welcome to Windows") || contains(body_8, "Welcome to Windows") || contains(body_9, "Welcome to Windows") || contains(body_10, "Welcome to Windows") || contains(body_11, "Welcome to Windows") || contains(body_12, "Welcome to Windows") || contains(body_13, "Welcome to Windows") || contains(body_14, "Welcome to Windows") || contains(body_15, "Welcome to Windows") || contains(body_16, "Welcome to Windows") || contains(body_17, "Welcome to Windows") || contains(body_18, "Welcome to Windows") || contains(body_19, "Welcome to Windows") || contains(body_20, "Welcome to Windows") || contains(body_21, "Welcome to Windows") || contains(body_22, "Welcome to Windows") || contains(body_23, "Welcome to Windows")
- (!contains(body_1, "Welcome to Microsoft Windows")) && (contains(body_2, "Welcome to Microsoft Windows") || contains(body_3, "Welcome to Microsoft Windows")) || contains(body_4, "Welcome to Microsoft Windows") || contains(body_5, "Welcome to Microsoft Windows") || contains(body_6, "Welcome to Microsoft Windows") || contains(body_7, "Welcome to Microsoft Windows") || contains(body_8, "Welcome to Microsoft Windows") || contains(body_9, "Welcome to Microsoft Windows") || contains(body_10, "Welcome to Microsoft Windows") || contains(body_11, "Welcome to Microsoft Windows") || contains(body_12, "Welcome to Microsoft Windows") || contains(body_13, "Welcome to Microsoft Windows") || contains(body_14, "Welcome to Microsoft Windows") || contains(body_15, "Welcome to Microsoft Windows") || contains(body_16, "Welcome to Microsoft Windows") || contains(body_17, "Welcome to Microsoft Windows") || contains(body_18, "Welcome to Microsoft Windows") || contains(body_19, "Welcome to Microsoft Windows") || contains(body_20, "Welcome to Microsoft Windows") || contains(body_21, "Welcome to Microsoft Windows") || contains(body_22, "Welcome to Microsoft Windows") || contains(body_23, "Welcome to Microsoft Windows")
- (!contains(body_1, "Welcome to IIS")) && (contains(body_2, "Welcome to IIS") || contains(body_3, "Welcome to IIS")) || contains(body_4, "Welcome to IIS") || contains(body_5, "Welcome to IIS") || contains(body_6, "Welcome to IIS") || contains(body_7, "Welcome to IIS") || contains(body_8, "Welcome to IIS") || contains(body_9, "Welcome to IIS") || contains(body_10, "Welcome to IIS") || contains(body_11, "Welcome to IIS") || contains(body_12, "Welcome to IIS") || contains(body_13, "Welcome to IIS") || contains(body_14, "Welcome to IIS") || contains(body_15, "Welcome to IIS") || contains(body_16, "Welcome to IIS") || contains(body_17, "Welcome to IIS") || contains(body_18, "Welcome to IIS") || contains(body_19, "Welcome to IIS") || contains(body_20, "Welcome to IIS") || contains(body_21, "Welcome to IIS") || contains(body_22, "Welcome to IIS") || contains(body_23, "Welcome to IIS")
- (!contains(body_1, "503 Service Unavailable")) && (contains(body_2, "503 Service Unavailable") || contains(body_3, "503 Service Unavailable")) || contains(body_4, "503 Service Unavailable") || contains(body_5, "503 Service Unavailable") || contains(body_6, "503 Service Unavailable") || contains(body_7, "503 Service Unavailable") || contains(body_8, "503 Service Unavailable") || contains(body_9, "503 Service Unavailable") || contains(body_10, "503 Service Unavailable") || contains(body_11, "503 Service Unavailable") || contains(body_12, "503 Service Unavailable") || contains(body_13, "503 Service Unavailable") || contains(body_14, "503 Service Unavailable") || contains(body_15, "503 Service Unavailable") || contains(body_16, "503 Service Unavailable") || contains(body_17, "503 Service Unavailable") || contains(body_18, "503 Service Unavailable") || contains(body_19, "503 Service Unavailable") || contains(body_20, "503 Service Unavailable") || contains(body_21, "503 Service Unavailable") || contains(body_22, "503 Service Unavailable") || contains(body_23, "503 Service Unavailable")
- (!contains(body_1, "default welcome page")) && (contains(body_2, "default welcome page") || contains(body_3, "default welcome page")) || contains(body_4, "default welcome page") || contains(body_5, "default welcome page") || contains(body_6, "default welcome page") || contains(body_7, "default welcome page") || contains(body_8, "default welcome page") || contains(body_9, "default welcome page") || contains(body_10, "default welcome page") || contains(body_11, "default welcome page") || contains(body_12, "default welcome page") || contains(body_13, "default welcome page") || contains(body_14, "default welcome page") || contains(body_15, "default welcome page") || contains(body_16, "default welcome page") || contains(body_17, "default welcome page") || contains(body_18, "default welcome page") || contains(body_19, "default welcome page") || contains(body_20, "default welcome page") || contains(body_21, "default welcome page") || contains(body_22, "default welcome page") || contains(body_23, "default welcome page")
- (!contains(body_1, "Microsoft Azure App")) && (contains(body_2, "Microsoft Azure App") || contains(body_3, "Microsoft Azure App")) || contains(body_4, "Microsoft Azure App") || contains(body_5, "Microsoft Azure App") || contains(body_6, "Microsoft Azure App") || contains(body_7, "Microsoft Azure App") || contains(body_8, "Microsoft Azure App") || contains(body_9, "Microsoft Azure App") || contains(body_10, "Microsoft Azure App") || contains(body_11, "Microsoft Azure App") || contains(body_12, "Microsoft Azure App") || contains(body_13, "Microsoft Azure App") || contains(body_14, "Microsoft Azure App") || contains(body_15, "Microsoft Azure App") || contains(body_16, "Microsoft Azure App") || contains(body_17, "Microsoft Azure App") || contains(body_18, "Microsoft Azure App") || contains(body_19, "Microsoft Azure App") || contains(body_20, "Microsoft Azure App") || contains(body_21, "Microsoft Azure App") || contains(body_22, "Microsoft Azure App") || contains(body_23, "Microsoft Azure App")
- (!contains(body_1, "ssh")) && (contains(body_2, "ssh") || contains(body_3, "ssh")) || contains(body_4, "ssh") || contains(body_5, "ssh") || contains(body_6, "ssh") || contains(body_7, "ssh") || contains(body_8, "ssh") || contains(body_9, "ssh") || contains(body_10, "ssh") || contains(body_11, "ssh") || contains(body_12, "ssh") || contains(body_13, "ssh") || contains(body_14, "ssh") || contains(body_15, "ssh") || contains(body_16, "ssh") || contains(body_17, "ssh") || contains(body_18, "ssh") || contains(body_19, "ssh") || contains(body_20, "ssh") || contains(body_21, "ssh") || contains(body_22, "ssh") || contains(body_23, "ssh") || contains(body_24, "ssh")
- (!contains(body_1, "SSH")) && (contains(body_2, "SSH") || contains(body_3, "SSH")) || contains(body_4, "SSH") || contains(body_5, "SSH") || contains(body_6, "SSH") || contains(body_7, "SSH") || contains(body_8, "SSH") || contains(body_9, "SSH") || contains(body_10, "SSH") || contains(body_11, "SSH") || contains(body_12, "SSH") || contains(body_13, "SSH") || contains(body_14, "SSH") || contains(body_15, "SSH") || contains(body_16, "SSH") || contains(body_17, "SSH") || contains(body_18, "SSH") || contains(body_19, "SSH") || contains(body_20, "SSH") || contains(body_21, "SSH") || contains(body_22, "SSH") || contains(body_23, "SSH")
condition: or
# Enhanced by cs on 2022/02/14