114 lines
13 KiB
YAML
114 lines
13 KiB
YAML
id: open-proxy-internal
|
|
|
|
info:
|
|
name: Open Proxy To Internal Network
|
|
author: sullo
|
|
severity: high
|
|
description: The host is configured as a proxy which allows access to other hosts on the internal network.
|
|
reference:
|
|
- https://blog.projectdiscovery.io/abusing-reverse-proxies-internal-access/
|
|
- https://en.wikipedia.org/wiki/Open_proxy
|
|
- https://www.acunetix.com/vulnerabilities/web/apache-configured-to-run-as-proxy/
|
|
classification:
|
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
|
|
cvss-score: 8.6
|
|
cwe-id: CWE-441
|
|
remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports.
|
|
tags: exposure,config,proxy,misconfig,fuzz
|
|
|
|
requests:
|
|
- raw:
|
|
- |+
|
|
GET / HTTP/1.1
|
|
Host: {{Hostname}}
|
|
- |+
|
|
GET http://192.168.0.1/ HTTP/1.1
|
|
Host: 192.168.0.1
|
|
- |+
|
|
GET https://192.168.0.1/ HTTP/1.1
|
|
Host: 192.168.0.1
|
|
- |+
|
|
GET http://192.168.0.1:22/ HTTP/1.1
|
|
Host: 192.168.0.1
|
|
- |+
|
|
GET http://192.168.1.1/ HTTP/1.1
|
|
Host: 192.168.1.1
|
|
- |+
|
|
GET https://192.168.1.1/ HTTP/1.1
|
|
Host: 192.168.1.1
|
|
- |+
|
|
GET http://192.168.1.1:22/ HTTP/1.1
|
|
Host: 192.168.1.1
|
|
- |+
|
|
GET http://192.168.2.1/ HTTP/1.1
|
|
Host: 192.168.2.1
|
|
- |+
|
|
GET https://192.168.2.1/ HTTP/1.1
|
|
Host: 192.168.2.1
|
|
- |+
|
|
GET http://192.168.2.1:22/ HTTP/1.1
|
|
Host: 192.168.2.1
|
|
- |+
|
|
GET http:/10.0.0.1/ HTTP/1.1
|
|
Host: 10.0.0.1
|
|
- |+
|
|
GET https://10.0.0.1/ HTTP/1.1
|
|
Host: 10.0.0.1
|
|
- |+
|
|
GET http://10.0.0.1:22/ HTTP/1.1
|
|
Host: 10.0.0.1
|
|
- |+
|
|
GET http:/172.16.0.1/ HTTP/1.1
|
|
Host: 172.16.0.1
|
|
- |+
|
|
GET https://172.16.0.1/ HTTP/1.1
|
|
Host: 172.16.0.1
|
|
- |+
|
|
GET http://172.16.0.1:22/ HTTP/1.1
|
|
Host: 172.16.0.1
|
|
- |+
|
|
GET http:/intranet/ HTTP/1.1
|
|
Host: intranet
|
|
- |+
|
|
GET https://intranet/ HTTP/1.1
|
|
Host: intranet
|
|
- |+
|
|
GET http://intranet:22/ HTTP/1.1
|
|
Host: intranet
|
|
- |+
|
|
GET http:/mail/ HTTP/1.1
|
|
Host: mail
|
|
- |+
|
|
GET https://mail/ HTTP/1.1
|
|
Host: mail
|
|
- |+
|
|
GET http://mail:22/ HTTP/1.1
|
|
Host: mail
|
|
- |+
|
|
GET http:/ntp/ HTTP/1.1
|
|
Host: ntp
|
|
- |+
|
|
GET https://ntp/ HTTP/1.1
|
|
Host: ntp
|
|
- |+
|
|
GET http://ntp:22/ HTTP/1.1
|
|
Host: ntp
|
|
unsafe: true
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- (!contains(body_1, "It works")) && (contains(body_2, "It works") || contains(body_3, "It works")) || contains(body_4, "It works") || contains(body_5, "It works") || contains(body_6, "It works") || contains(body_7, "It works") || contains(body_8, "It works") || contains(body_9, "It works") || contains(body_10, "It works") || contains(body_11, "It works") || contains(body_12, "It works") || contains(body_13, "It works") || contains(body_14, "It works") || contains(body_15, "It works") || contains(body_16, "It works") || contains(body_17, "It works") || contains(body_18, "It works") || contains(body_19, "It works") || contains(body_20, "It works") || contains(body_21, "It works") || contains(body_22, "It works") || contains(body_23, "It works")
|
|
- (!contains(body_1, "IIS Windows Server")) && (contains(body_2, "IIS Windows Server") || contains(body_3, "IIS Windows Server")) || contains(body_4, "IIS Windows Server") || contains(body_5, "IIS Windows Server") || contains(body_6, "IIS Windows Server") || contains(body_7, "IIS Windows Server") || contains(body_8, "IIS Windows Server") || contains(body_9, "IIS Windows Server") || contains(body_10, "IIS Windows Server") || contains(body_11, "IIS Windows Server") || contains(body_12, "IIS Windows Server") || contains(body_13, "IIS Windows Server") || contains(body_14, "IIS Windows Server") || contains(body_15, "IIS Windows Server") || contains(body_16, "IIS Windows Server") || contains(body_17, "IIS Windows Server") || contains(body_18, "IIS Windows Server") || contains(body_19, "IIS Windows Server") || contains(body_20, "IIS Windows Server") || contains(body_21, "IIS Windows Server") || contains(body_22, "IIS Windows Server") || contains(body_23, "IIS Windows Server")
|
|
- (!contains(body_1, "<title>IIS7</title>")) && (contains(body_2, "<title>IIS7</title>") || contains(body_3, "<title>IIS7</title>")) || contains(body_4, "<title>IIS7</title>") || contains(body_5, "<title>IIS7</title>") || contains(body_6, "<title>IIS7</title>") || contains(body_7, "<title>IIS7</title>") || contains(body_8, "<title>IIS7</title>") || contains(body_9, "<title>IIS7</title>") || contains(body_10, "<title>IIS7</title>") || contains(body_11, "<title>IIS7</title>") || contains(body_12, "<title>IIS7</title>") || contains(body_13, "<title>IIS7</title>") || contains(body_14, "<title>IIS7</title>") || contains(body_15, "<title>IIS7</title>") || contains(body_16, "<title>IIS7</title>") || contains(body_17, "<title>IIS7</title>") || contains(body_18, "<title>IIS7</title>") || contains(body_19, "<title>IIS7</title>") || contains(body_20, "<title>IIS7</title>") || contains(body_21, "<title>IIS7</title>") || contains(body_22, "<title>IIS7</title>") || contains(body_23, "<title>IIS7</title>")
|
|
- (!contains(body_1, "Welcome to Windows")) && (contains(body_2, "Welcome to Windows") || contains(body_3, "Welcome to Windows")) || contains(body_4, "Welcome to Windows") || contains(body_5, "Welcome to Windows") || contains(body_6, "Welcome to Windows") || contains(body_7, "Welcome to Windows") || contains(body_8, "Welcome to Windows") || contains(body_9, "Welcome to Windows") || contains(body_10, "Welcome to Windows") || contains(body_11, "Welcome to Windows") || contains(body_12, "Welcome to Windows") || contains(body_13, "Welcome to Windows") || contains(body_14, "Welcome to Windows") || contains(body_15, "Welcome to Windows") || contains(body_16, "Welcome to Windows") || contains(body_17, "Welcome to Windows") || contains(body_18, "Welcome to Windows") || contains(body_19, "Welcome to Windows") || contains(body_20, "Welcome to Windows") || contains(body_21, "Welcome to Windows") || contains(body_22, "Welcome to Windows") || contains(body_23, "Welcome to Windows")
|
|
- (!contains(body_1, "Welcome to Microsoft Windows")) && (contains(body_2, "Welcome to Microsoft Windows") || contains(body_3, "Welcome to Microsoft Windows")) || contains(body_4, "Welcome to Microsoft Windows") || contains(body_5, "Welcome to Microsoft Windows") || contains(body_6, "Welcome to Microsoft Windows") || contains(body_7, "Welcome to Microsoft Windows") || contains(body_8, "Welcome to Microsoft Windows") || contains(body_9, "Welcome to Microsoft Windows") || contains(body_10, "Welcome to Microsoft Windows") || contains(body_11, "Welcome to Microsoft Windows") || contains(body_12, "Welcome to Microsoft Windows") || contains(body_13, "Welcome to Microsoft Windows") || contains(body_14, "Welcome to Microsoft Windows") || contains(body_15, "Welcome to Microsoft Windows") || contains(body_16, "Welcome to Microsoft Windows") || contains(body_17, "Welcome to Microsoft Windows") || contains(body_18, "Welcome to Microsoft Windows") || contains(body_19, "Welcome to Microsoft Windows") || contains(body_20, "Welcome to Microsoft Windows") || contains(body_21, "Welcome to Microsoft Windows") || contains(body_22, "Welcome to Microsoft Windows") || contains(body_23, "Welcome to Microsoft Windows")
|
|
- (!contains(body_1, "Welcome to IIS")) && (contains(body_2, "Welcome to IIS") || contains(body_3, "Welcome to IIS")) || contains(body_4, "Welcome to IIS") || contains(body_5, "Welcome to IIS") || contains(body_6, "Welcome to IIS") || contains(body_7, "Welcome to IIS") || contains(body_8, "Welcome to IIS") || contains(body_9, "Welcome to IIS") || contains(body_10, "Welcome to IIS") || contains(body_11, "Welcome to IIS") || contains(body_12, "Welcome to IIS") || contains(body_13, "Welcome to IIS") || contains(body_14, "Welcome to IIS") || contains(body_15, "Welcome to IIS") || contains(body_16, "Welcome to IIS") || contains(body_17, "Welcome to IIS") || contains(body_18, "Welcome to IIS") || contains(body_19, "Welcome to IIS") || contains(body_20, "Welcome to IIS") || contains(body_21, "Welcome to IIS") || contains(body_22, "Welcome to IIS") || contains(body_23, "Welcome to IIS")
|
|
- (!contains(body_1, "503 Service Unavailable")) && (contains(body_2, "503 Service Unavailable") || contains(body_3, "503 Service Unavailable")) || contains(body_4, "503 Service Unavailable") || contains(body_5, "503 Service Unavailable") || contains(body_6, "503 Service Unavailable") || contains(body_7, "503 Service Unavailable") || contains(body_8, "503 Service Unavailable") || contains(body_9, "503 Service Unavailable") || contains(body_10, "503 Service Unavailable") || contains(body_11, "503 Service Unavailable") || contains(body_12, "503 Service Unavailable") || contains(body_13, "503 Service Unavailable") || contains(body_14, "503 Service Unavailable") || contains(body_15, "503 Service Unavailable") || contains(body_16, "503 Service Unavailable") || contains(body_17, "503 Service Unavailable") || contains(body_18, "503 Service Unavailable") || contains(body_19, "503 Service Unavailable") || contains(body_20, "503 Service Unavailable") || contains(body_21, "503 Service Unavailable") || contains(body_22, "503 Service Unavailable") || contains(body_23, "503 Service Unavailable")
|
|
- (!contains(body_1, "default welcome page")) && (contains(body_2, "default welcome page") || contains(body_3, "default welcome page")) || contains(body_4, "default welcome page") || contains(body_5, "default welcome page") || contains(body_6, "default welcome page") || contains(body_7, "default welcome page") || contains(body_8, "default welcome page") || contains(body_9, "default welcome page") || contains(body_10, "default welcome page") || contains(body_11, "default welcome page") || contains(body_12, "default welcome page") || contains(body_13, "default welcome page") || contains(body_14, "default welcome page") || contains(body_15, "default welcome page") || contains(body_16, "default welcome page") || contains(body_17, "default welcome page") || contains(body_18, "default welcome page") || contains(body_19, "default welcome page") || contains(body_20, "default welcome page") || contains(body_21, "default welcome page") || contains(body_22, "default welcome page") || contains(body_23, "default welcome page")
|
|
- (!contains(body_1, "Microsoft Azure App")) && (contains(body_2, "Microsoft Azure App") || contains(body_3, "Microsoft Azure App")) || contains(body_4, "Microsoft Azure App") || contains(body_5, "Microsoft Azure App") || contains(body_6, "Microsoft Azure App") || contains(body_7, "Microsoft Azure App") || contains(body_8, "Microsoft Azure App") || contains(body_9, "Microsoft Azure App") || contains(body_10, "Microsoft Azure App") || contains(body_11, "Microsoft Azure App") || contains(body_12, "Microsoft Azure App") || contains(body_13, "Microsoft Azure App") || contains(body_14, "Microsoft Azure App") || contains(body_15, "Microsoft Azure App") || contains(body_16, "Microsoft Azure App") || contains(body_17, "Microsoft Azure App") || contains(body_18, "Microsoft Azure App") || contains(body_19, "Microsoft Azure App") || contains(body_20, "Microsoft Azure App") || contains(body_21, "Microsoft Azure App") || contains(body_22, "Microsoft Azure App") || contains(body_23, "Microsoft Azure App")
|
|
- (!contains(body_1, "ssh")) && (contains(body_2, "ssh") || contains(body_3, "ssh")) || contains(body_4, "ssh") || contains(body_5, "ssh") || contains(body_6, "ssh") || contains(body_7, "ssh") || contains(body_8, "ssh") || contains(body_9, "ssh") || contains(body_10, "ssh") || contains(body_11, "ssh") || contains(body_12, "ssh") || contains(body_13, "ssh") || contains(body_14, "ssh") || contains(body_15, "ssh") || contains(body_16, "ssh") || contains(body_17, "ssh") || contains(body_18, "ssh") || contains(body_19, "ssh") || contains(body_20, "ssh") || contains(body_21, "ssh") || contains(body_22, "ssh") || contains(body_23, "ssh") || contains(body_24, "ssh")
|
|
- (!contains(body_1, "SSH")) && (contains(body_2, "SSH") || contains(body_3, "SSH")) || contains(body_4, "SSH") || contains(body_5, "SSH") || contains(body_6, "SSH") || contains(body_7, "SSH") || contains(body_8, "SSH") || contains(body_9, "SSH") || contains(body_10, "SSH") || contains(body_11, "SSH") || contains(body_12, "SSH") || contains(body_13, "SSH") || contains(body_14, "SSH") || contains(body_15, "SSH") || contains(body_16, "SSH") || contains(body_17, "SSH") || contains(body_18, "SSH") || contains(body_19, "SSH") || contains(body_20, "SSH") || contains(body_21, "SSH") || contains(body_22, "SSH") || contains(body_23, "SSH")
|
|
condition: or
|
|
|
|
# Enhanced by mp on 2022/04/21
|