Filter mode is useful when probing for sensitive files whose exact content you cannot predict, so there is no fixed string to match on. It can be enabled with the `--fi` option or inside the signature with `filter: true`.
First, Jaeles sends a set of baseline requests to the target and computes a checksum from the structure of each response. In the `detections` part you can then use `Diff()`, which is true when the checksum of the current response differs from those baseline checksums; responses that merely repeat the server's default page (for example a soft 404 that answers 200 for every path) therefore do not trigger the detection.

The command line to run the signature with filter mode on looks like this:

```bash
jaeles scan -s /tmp/dot-config-exposed.yaml -u http://target.com --fi
```
```yaml
id: dot-config-exposed
filter: true
info:
  name: Dot Config Exposed
  risk: Potential
  confidence: Tentative

params:
  - root: "{{.BaseURL}}"

origin:
  method: GET
  redirect: false
  headers:
    - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
  url: >-
    {{.BaseURL}}/hopefully404.config

variables:
  - secret: |
      web.config
      rebar.config
      packages.config
      app.config
      nuget.config
      nginx.config
      server.config
      cake.packages.config
      linux.config
      ripple.config
      theme.config
      game.config
      dev.config
      website.config
      lift-standard.config
      pachamama.config
      reltool.config
      git.config

requests:
  - method: GET
    redirect: false
    headers:
      - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
    url: >-
      {{.root}}/{{.secret}}

    detections:
      - >-
        Diff() && StatusCode() == 200 && !RegexSearch("response", "(?i)(Oops!|Whoops!|AutodiscoverService|not\sfound|Request\sRejected|Access\sDenied|a\sbad\sURL|has\sbeen\slocked)") && (RegexSearch("resHeaders", "Accept-Ranges.*bytes") || RegexSearch("resHeaders", ".*Content-Type:.*octet-stream") || RegexSearch("resHeaders", "text/plain")) && (Math.abs(ContentLength() - OriginContentLength()) > 200) && !RegexSearch("body", "(?i)(\<\!doctype|\<html|\<head|\<body|\<div)") && ContentLength('body') > 200 && !StringSearch("oresHeaders", "text/plain")
```
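To see what `Diff()` and the detection clauses of this signature actually decide, here is an offline emulation in Python. It is an added example, not Jaeles' own code: `structure_checksum()` is a simplified stand-in for the response-structure checksum Jaeles computes (an assumption about what it hashes), `ContentLength()` is taken as the body length, and the `Response` objects, the soft-404 server, the `web.config` contents and the deny page are all constructed for the demo.

```python
"""Offline emulation of filter mode and of the detection expression in the
dot-config-exposed signature.

Added example, not Jaeles' own code: structure_checksum() is a simplified
stand-in for the response-structure checksum Jaeles computes (assumption:
status, Content-Type and a digit/whitespace-normalised body are enough to
recognise a server's default page), and every Response below is constructed
by hand so the script runs without a target.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict
    body: str

    def header_text(self) -> str:
        return "\r\n".join(f"{k}: {v}" for k, v in self.headers.items())

    def full(self) -> str:  # what RegexSearch("response", ...) scans
        return self.header_text() + "\r\n\r\n" + self.body


def structure_checksum(resp: Response) -> str:
    """Hash the parts of a response that stay stable across a default page."""
    ctype = resp.headers.get("Content-Type", "").split(";")[0].strip().lower()
    shape = re.sub(r"\s+", " ", re.sub(r"\d+", "0", resp.body))
    return hashlib.sha256(f"{resp.status}|{ctype}|{shape}".encode()).hexdigest()


def diff(resp: Response, baseline: set) -> bool:
    """Diff(): True when this response's structure was not seen in the baseline."""
    return structure_checksum(resp) not in baseline


# The regexes from the signature (without an empty alternative in the HTML one).
ERROR_PAGE = re.compile(r"(?i)(Oops!|Whoops!|AutodiscoverService|not\sfound|"
                        r"Request\sRejected|Access\sDenied|a\sbad\sURL|has\sbeen\slocked)")
HTML_MARKER = re.compile(r"(?i)(<!doctype|<html|<head|<body|<div)")


def dot_config_detect(resp: Response, origin: Response, baseline: set) -> bool:
    """The signature's detection, clause by clause. ContentLength() is taken as
    the body length; origin is the {{.BaseURL}}/hopefully404.config reply."""
    hdrs = resp.header_text()
    return (
        diff(resp, baseline)
        and resp.status == 200
        and not ERROR_PAGE.search(resp.full())
        and (re.search(r"Accept-Ranges.*bytes", hdrs) is not None
             or re.search(r"Content-Type:.*octet-stream", hdrs) is not None
             or "text/plain" in hdrs)
        and abs(len(resp.body) - len(origin.body)) > 200
        and not HTML_MARKER.search(resp.body)
        and len(resp.body) > 200
        and "text/plain" not in origin.header_text()
    )


# --- constructed sample traffic ------------------------------------------
def soft_404(request_id: int) -> Response:
    """A server that answers 200 with the same HTML for every unknown path."""
    return Response(200, {"Content-Type": "text/html; charset=utf-8"},
                    "<html><head><title>Not Found</title></head><body>"
                    "<div>The page you requested was not found.</div>"
                    f"<div>Request ID: {request_id}</div></body></html>")


# Baseline: the filter-mode probes, differing only in a volatile request id.
BASELINE = {structure_checksum(soft_404(i)) for i in (48213, 90017)}
ORIGIN = soft_404(11111)

# A real, exposed web.config (constructed; placeholder secrets).
WEB_CONFIG = Response(200, {"Content-Type": "text/plain", "Accept-Ranges": "bytes"}, """\
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <connectionStrings>
    <add name="MainDb" providerName="System.Data.SqlClient"
         connectionString="Server=db01;Database=shop;User Id=app;Password=example-placeholder" />
  </connectionStrings>
  <appSettings>
    <add key="ApiKey" value="example-placeholder" />
    <add key="Environment" value="Production" />
  </appSettings>
  <system.web>
    <compilation debug="true" targetFramework="4.7.2" />
    <customErrors mode="Off" />
  </system.web>
</configuration>
""")

# Different structure (so Diff() is true) but still a deny page: the negative
# regex, not the checksum, is what keeps this out of the results.
ACCESS_DENIED = Response(200, {"Content-Type": "text/plain"}, "Access Denied. " * 30)


if __name__ == "__main__":
    for name, resp in [("web.config (soft 404)", soft_404(777)),
                       ("web.config (real file)", WEB_CONFIG),
                       ("app.config (deny page)", ACCESS_DENIED)]:
        print(f"{name:24} Diff={diff(resp, BASELINE)!s:5} "
              f"detected={dot_config_detect(resp, ORIGIN, BASELINE)}")
```

Running it, the soft-404 answer for `web.config` is dropped by `Diff()` alone, the real `web.config` passes every clause, and the deny page shows why the negative `RegexSearch("response", ...)` is still needed with filter mode on: a response with a different structure is not necessarily an interesting one. The numeric thresholds (`> 200`) are tuned for this signature's default pages; check them against the target's actual error page sizes before reusing the expression elsewhere.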