rexify-config-exposure: Rexify Configuration - Exposure

Date: 2026-01-08 | Affected software: Rexify | PoC: public

Vulnerability description

A Rexfile, the configuration file of the Rex/Rexify automation framework, is exposed by the web server and can be fetched over HTTP. These files may contain SSH credentials, server hostnames, private key paths, and other sensitive data.

PoC code [public]

id: rexify-config-exposure

info:
  name: Rexify Configuration - Exposure
  author: theamanrawat
  severity: high
  description: |
    Rexfile configuration from the Rex/Rexify automation framework was exposed. These files may contain SSH credentials, server hostnames, private key paths, and other sensitive data.
  reference:
    - https://www.rexify.org/
  metadata:
    verified: true
    max-request: 1
  tags: exposure,config,rexify,rex,devops

http:
  - method: GET
    path:
      - "{{BaseURL}}/Rexfile"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "use Rex"
          - "task"
          - "group"
          - "user"
          - "password"
          - "desc"
        condition: and
        part: body

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100a73cb68d9c3e4c3a4478f3c1ef4f7e225ebee882b0b62989516948b916fc748a022100a6e218fdbdc3dff10cfef945d9c50d67d8a7be10a204becab53c9c30d6fa178c:922c64590222798bb761d5b6d8e72950
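
A defender-side check for the exposure described above, as an added example that is not part of the original template or of the Rex project: it walks a local web document root for files named Rexfile, applies the template's word matchers, and reports which lines hold credential directives without echoing their values. The directive list, the function names and the sample Rexfile are constructed assumptions, and the walk covers every subdirectory rather than only the root path the template requests.

```python
import os
import re
import tempfile

# Body words the template above requires; all must be present (condition: and).
TEMPLATE_WORDS = ("use Rex", "task", "group", "user", "password", "desc")
# Assumed list of Rex directives that carry credentials or key paths.
SECRET_DIRECTIVES = re.compile(
    r"^\s*(user|password|sudo_password|private_key|public_key)\b")

# Constructed sample, not taken from any real deployment.
SAMPLE_REXFILE = '''use Rex -feature => ['1.4'];
user "deploy";
password "constructed-example-only";
group web => "web1.example.internal";
desc "Show uptime";
task "uptime", group => "web", sub { say run "uptime"; };
'''

def audit_docroot(docroot):
    """Report every file named Rexfile under a local web document root."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        if "Rexfile" not in files:
            continue
        path = os.path.join(dirpath, "Rexfile")
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
        body = "\n".join(lines)
        findings.append({
            "path": os.path.relpath(path, docroot),
            # True when the template's word matchers would all hit this body.
            "template_would_match": all(w in body for w in TEMPLATE_WORDS),
            # (line number, directive) only; secret values are never echoed.
            "secret_directives": [(n, m.group(1)) for n, ln in enumerate(lines, 1)
                                  if (m := SECRET_DIRECTIVES.match(ln))],
        })
    return findings

def demo(content=SAMPLE_REXFILE):
    """Build a throwaway docroot holding one Rexfile and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "deploy"))
        with open(os.path.join(root, "deploy", "Rexfile"), "w") as fh:
            fh.write(content)
        return audit_docroot(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A Rexfile that does not satisfy every template word can still hold secrets, so treat any Rexfile inside a served directory as a finding.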
