漏洞描述
Detects exposed internal PKI infrastructure, including CRL distribution points and OCSP responders.
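# Nuclei template: probes a small set of well-known PKI web paths and flags
# responses that look like a certificate-authority front end (web enrollment,
# CRL/OCSP listings, published CA certificates).
id: exposed-pki-cert

info:
  name: Exposed Internal PKI Infrastructure - Detect
  author: nullenc0de
  # NOTE(review): CRL distribution points and OCSP responders are normally
  # reachable by relying parties by design; treat the severity as applying
  # to a CA that was meant to stay internal (e.g. an enrollment portal or an
  # intranet CA name surfacing on a public host), and triage hits accordingly.
  severity: high
  description: |
    Detects exposed internal PKI infrastructure including CRL distribution points and OCSP responders
  metadata:
    verified: true
    # One request per payload path below (10 paths); redirects are not counted here.
    max-request: 10
  tags: pki,exposure,misconfig,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}{{paths}}"

    payloads:
      paths:
        # "/" is included so a CA landing page is caught, but it also means any
        # root page mentioning these phrases (documentation, blog posts) can
        # match on the keyword matcher; confirm hits against the extracted CN.
        - "/"
        - "/certsrv/"
        - "/pki/"
        - "/PKI/"
        - "/crl/"
        - "/CRL/"
        - "/.well-known/pki-validation/"
        - "/ocsp/"
        - "/CertEnroll/"
        - "/CertSrv/"

    # One finding per host is enough; the extractors record which page matched.
    stop-at-first-match: true
    host-redirects: true
    max-redirects: 2

    matchers-condition: or
    matchers:
      - type: dsl
        dsl:
          # Keyword hit on the body AND the body is not solely the one-line
          # banner a plain OCSP responder returns to a GET — that banner alone
          # is expected behaviour, not an exposure.
          - 'contains_any(body, "Certificate Services", "CRL Distribution Point", "OCSP Responder")'
          - '!regex("(?i)^\\s*This is an OCSP responder\\.?\\s*$", body)'
        condition: and

      - type: regex
        regex:
          # Single-quoted YAML does not process backslashes, so the original
          # '\\bCN=...\\b' compiled to a regex requiring a literal backslash
          # before "CN=" and could never match real page text. A single
          # backslash yields the intended word-boundary anchors.
          - '\bCN=[A-Za-z0-9-]+-CA\b'
          # Links to published CRL / certificate / PKCS#7 bundle files.
          - '(?i)href\s*=\s*"[^"]+\.(?:crl|cer|p7b)"'

    extractors:
      - type: regex
        name: certificate_details
        regex:
          # The O= / OU= character classes stop at the first character that is
          # not alphanumeric or a space, so names containing ".", "," or "&"
          # are captured truncated; the CN pattern mirrors the matcher above.
          - 'CN=[A-Za-z0-9-]+-CA'
          - 'O=[A-Za-z0-9 ]+'
          - 'OU=[A-Za-z0-9 ]+'

# The digest below was computed over the upstream signed copy of this template.
# Any edit to the body (including the regex correction above) invalidates it;
# re-sign the template with the project's template-signing workflow before
# relying on signature verification.
# digest: 490a00463044022064e85761643bdce114bff0ec9fecda36293cb7ea7ed79b6313ef46ed7567f3ca02205744b10e40ee476989e9d68dc7307bd9fd6c24c56286ba262fa64fa37916d47b:922c64590222798bb761d5b6d8e72950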