server-private-keys: SSL/SSH/TLS/JWT Keys - Detect

日期: 2025-08-01 | 影响软件: server private keys | POC: 已公开

漏洞描述

Private SSL, SSH, TLS, and JWT keys were detected.

PoC代码[已公开]

id: server-private-keys

info:
  name: SSL/SSH/TLS/JWT Keys - Detect
  author: geeknik,R12W4N,j4vaovo,VulnSCOUT
  severity: high
  description: Private SSL, SSH, TLS, and JWT keys were detected.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cwe-id: CWE-200
  metadata:
    max-request: 47
  tags: config,exposure,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}{{paths}}"
    payloads:
      paths:
        - "/localhost.key"
        - "/host.key"
        - "/www.key"
        - "/private-key"
        - "/privatekey.key"
        - "/server.key"
        - "/my.key"
        - "/key.pem"
        - "/ssl/localhost.key"
        - "/ssl/{{Hostname}}.key"
        - "/id_rsa"
        - "/id_dsa"
        - "/id_rsa_1024"
        - "/id_rsa_2048"
        - "/id_rsa_3072"
        - "/id_rsa_4096"
        - "/id_ed25519"
        - "/.ssh/id_rsa"
        - "/.ssh/id_dsa"
        - "/.ssh/id_rsa_1024"
        - "/.ssh/id_rsa_2048"
        - "/.ssh/id_rsa_3072"
        - "/.ssh/id_rsa_4096"
        - "/.ssh/id_ed25519"
        - "/{{Hostname}}.key"
        - "/{{Hostname}}.pem"
        - "/config/jwt/private.pem"
        - "/jwt/private.pem"
        - "/var/jwt/private.pem"
        - "/private.pem"
        - "/ssl.txt"
        - "/ssl_key.txt"
        - "/certificates/{{Host}}.pfx"
        - "/certificates/{{Host}}.p12"
        - "/ssl/{{Host}}.pem"
        - "/ssl/{{Host}}_key.txt"
        - "/cert/{{Host}}_key.txt"
        - "/cert/{{RDN}}_key.txt"
        - "/cert/{{Host}}.txt"
        - "/ssl/private/{{Host}}_key.pem"
        - "/certs/{{Host}}_private.key"
        - "/certs/{{Host}}.key"
        - "/certificates/{{Host}}_priv.pem"
        - "/certificates/{{Host}}_privkey.pem"
        - "/certs/{{Host}}.pem"
        - "/private/{{Host}}.key"
        - "/keys/{{Host}}.pem"

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "BEGIN OPENSSH PRIVATE KEY"
          - "BEGIN PRIVATE KEY"
          - "BEGIN RSA PRIVATE KEY"
          - "BEGIN DSA PRIVATE KEY"
          - "BEGIN EC PRIVATE KEY"
          - "BEGIN PGP PRIVATE KEY BLOCK"
          - "BEGIN ENCRYPTED PRIVATE KEY"
        condition: or

      - type: status
        status:
          - 200

      - type: dsl
        dsl:
          - '!contains(body, "<html")'
          - '!contains(body, "<HTML")'
        condition: and
# digest: 490a00463044022035c6383cb8bac76b612497265a3b972db5401ee41d15172768536381f626bce8022002bac525815c3c79abbb6fa5b19e81ca1d49dbcdace486f87c2fa59e3df79854:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/exposures/configs/server-private-keys.yaml