nuclei扫描备份代码 - 《代码审计》

id: zip-backup-files
info:
  name: Compressed Backup File - Detect
  author: toufik-airane,dwisiswant0,ffffffff0x,pwnhxl,mastercho
  severity: medium
  description: Multiple compressed backup files were detected.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cwe-id: CWE-200
  metadata:
    max-request: 1440
  tags: exposure,backup
http:
  - method: GET
    path:
      - "{{BaseURL}}/{{FILENAME}}.{{EXT}}"
    attack: clusterbomb
    payloads:
      FILENAME:
        - "{{FQDN}}" # www.example.com
        - "{{RDN}}" # example.com
        - "{{DN}}" # example
        - "{{SD}}" # www
        - "{{date_time('%Y')}}" # 2023
        - "ROOT" # tomcat
        - "www"
        - "release"
        - "bin"
        - "bak"
        - "web"
      EXT:
        - "tar"
        - "rar"
        - "tar.gz"
        - "zip"
    max-size: 500 # Size in bytes - Max Size to read from server response
    matchers-condition: and
    matchers:
      - type: binary
        binary:
          - "7573746172202000" # tar
          - "7573746172003030" # tar
          - "377ABCAF271C" # 7z
          - "1f8b" # gz tar.gz
          - "526172211A0700" # rar RAR archive version 1.50
          - "526172211A070100" # rar RAR archive version 5.0
          - "FD377A585A0000" # xz tar.xz
          - "4C5A4950" # lz
          - "504B0304" # zip
        condition: or
        part: body
      - type: regex
        regex:
          - "application/[-\\w.]+"
        part: header
      - type: status
        status:
          - 200
# digest: 4a0a00473045022100d7a028dbd5f7ea1cf187e1871d5065d2cd4d6ef130b04b73088820d6072435f50220673ba2cf4b143fa0d6b4b9b18d0d6290d902f76df58c73c764f7a99ccc1c671f:922c64590222798bb761d5b6d8e72950