漏洞描述
Detects the presence of a .credentials file and extracts sensitive authentication tokens, passwords, or API keys from it.
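# Nuclei HTTP template: sends one GET for /.credentials and reports a finding
# when the response is 200, is not HTML/PHP markup, and contains at least one
# credential-style key name. Matching values are then pulled out by the
# extractors at the bottom.
id: dot-credentials-exposure

info:
  name: Dot Credentials - Exposure
  author: theamanrawat
  severity: high
  description: |
    Detected the presence of a .credentials file and extracts sensitive authentication tokens, passwords, or API keys.
  remediation: |
    Remove credential files from the web root, deny requests for dotfiles at the web server or reverse proxy, and rotate every secret that was reachable.
  metadata:
    verified: true
    max-request: 1
  tags: exposure,config,credentials,sensitive,token

http:
  - method: GET
    path:
      - "{{BaseURL}}/.credentials"

    # All three matchers below must hold for a finding to be reported.
    matchers-condition: and
    matchers:
      # Any single key name is enough (condition: or). Matching is
      # case-insensitive so it agrees with the (?i) extractors below;
      # otherwise upper-case names such as AWS_ACCESS_KEY_ID would be
      # extractable but never matched.
      - type: word
        part: body
        words:
          - "client_id"
          - "client_secret"
          - "access_token"
          - "refresh_token"
          - "password"
          - "aws_access_key_id"
        condition: or
        case-insensitive: true

      # Negative matcher: rejects bodies that look like HTML or PHP, such as
      # a catch-all page served with status 200. Case-insensitive so that
      # markup written as <HTML> or <!doctype is rejected as well.
      - type: word
        part: body
        words:
          - "<html"
          - "<body"
          - "<!DOCTYPE"
          - "<script"
          - "<?php"
        negative: true
        case-insensitive: true

      - type: status
        status:
          - 200

    # NOTE(review): every extractor returns capture group 1, i.e. the secret
    # value itself, so scan results contain live credentials. Store and share
    # the output as sensitive data, and rotate anything that is reported.
    extractors:
      # 20 characters of A-Z/0-9 following aws_access_key_id.
      - type: regex
        part: body
        name: aws_access_key
        group: 1
        regex:
          - "(?i)aws_access_key_id\\s*[:=]\\s*[\"']?([A-Z0-9]{20})[\"']?"

      # 40 characters from the base64 alphabet following aws_secret_access_key.
      - type: regex
        part: body
        name: aws_secret_key
        group: 1
        regex:
          - "(?i)aws_secret_access_key\\s*[:=]\\s*[\"']?([A-Za-z0-9/+=]{40})[\"']?"

      # The value class has no '/', '+' or '=', so a base64-style value is
      # captured only up to the first such character.
      - type: regex
        part: body
        name: generic_secrets
        group: 1
        regex:
          - "(?i)(?:client_secret|access_token|refresh_token|password|secret)\\s*[:=]\\s*[\"']?([a-zA-Z0-9_\\-\\.~]+)[\"']?"

      - type: regex
        part: body
        name: client_id
        group: 1
        regex:
          - "(?i)client_id\\s*[:=]\\s*[\"']?([a-zA-Z0-9_\\-\\.]+)[\"']?"

# NOTE(review): the digest below was computed over the upstream template
# text. Any edit to this file, comments and whitespace included, makes it
# stale; re-sign the template (nuclei -sign) before relying on verification.
# digest: 4b0a00483046022100f401186abb8363069ea775bdd60f460af2e008dbcc6046884ef0fdd33c5e0efd022100bf09846112892df5b0e843561253044089e38ed712f3ff62143c9df07534989d:922c64590222798bb761d5b6d8e72950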