gitea-mirror/sif
1
0
Fork 0
mirror of https://github.com/lunchcat/sif.git synced 2026-03-12 13:13:05 -07:00
Code Issues Packages Projects Releases Wiki Activity

feat: add built-in yaml modules for security scanning

Browse Source
This commit is contained in:
vmfunc
2026-01-03 00:54:53 -08:00
parent 01a10c6a2f
commit a5ea29b88d
8 changed files with 362 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
modules/http/lfi-basic.yaml Normal file
View File

@@ -0,0 +1,49 @@
# Basic LFI Detection Module
id: lfi-basic
info:
name: Basic LFI Detection
author: sif
severity: high
description: Detects basic Local File Inclusion vulnerabilities
tags: [lfi, injection, file-inclusion, owasp-top10]
type: http
http:
method: GET
paths:
- "{{BaseURL}}/?file={{payload}}"
- "{{BaseURL}}/?page={{payload}}"
- "{{BaseURL}}/?path={{payload}}"
- "{{BaseURL}}/?include={{payload}}"
- "{{BaseURL}}/?doc={{payload}}"
- "{{BaseURL}}/?template={{payload}}"
payloads:
- "../../../../../../../etc/passwd"
- "....//....//....//....//....//etc/passwd"
- "..%2f..%2f..%2f..%2f..%2fetc/passwd"
- "/etc/passwd"
- "../../../../../../../etc/shadow"
- "../../../../../../../windows/system32/drivers/etc/hosts"
threads: 10
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
- "daemon:.*:1:1:"
- "nobody:.*:65534:"
- "127\\.0\\.0\\.1\\s+localhost"
condition: or
extractors:
- type: regex
name: detected_file
part: body
regex:
- "(root|daemon|nobody):.*:[0-9]+:[0-9]+:"
group: 0

66
modules/http/sqli-error.yaml Normal file
View File

@@ -0,0 +1,66 @@
# SQL Injection Error-Based Detection Module
id: sqli-error-based
info:
name: SQL Injection (Error-Based)
author: sif
severity: high
description: Detects SQL injection via database error messages
tags: [sqli, injection, database, owasp-top10]
type: http
http:
method: GET
paths:
- "{{BaseURL}}/?id={{payload}}"
- "{{BaseURL}}/?user={{payload}}"
- "{{BaseURL}}/?search={{payload}}"
- "{{BaseURL}}/?q={{payload}}"
- "{{BaseURL}}/?query={{payload}}"
- "{{BaseURL}}/?cat={{payload}}"
payloads:
- "'"
- "''"
- "1'"
- "1' OR '1'='1"
- "1' OR '1'='1'--"
- "1' OR '1'='1'/*"
- "1; DROP TABLE--"
- "' UNION SELECT NULL--"
- "1 AND 1=1"
- "1 AND 1=2"
threads: 10
matchers:
- type: regex
part: body
regex:
- "SQL syntax.*MySQL"
- "Warning.*mysql_"
- "MySqlException"
- "valid MySQL result"
- "ORA-[0-9]+"
- "Oracle.*Driver"
- "Oracle.*Error"
- "PostgreSQL.*ERROR"
- "pg_query.*failed"
- "Microsoft SQL Server"
- "ODBC SQL Server Driver"
- "SQLite3::"
- "sqlite_query"
- "SQLite/JDBCDriver"
- "SQL Server.*Driver"
- "Unclosed quotation mark"
- "quoted string not properly terminated"
condition: or
extractors:
- type: regex
name: db_type
part: body
regex:
- "(MySQL|PostgreSQL|Oracle|MSSQL|SQLite|MariaDB)"
group: 1

41
modules/http/xss-reflected.yaml Normal file
View File

@@ -0,0 +1,41 @@
# Reflected XSS Detection Module
id: xss-reflected
info:
name: Reflected XSS Detection
author: sif
severity: medium
description: Detects reflected Cross-Site Scripting vulnerabilities
tags: [xss, injection, javascript, owasp-top10]
type: http
http:
method: GET
paths:
- "{{BaseURL}}/?q={{payload}}"
- "{{BaseURL}}/?search={{payload}}"
- "{{BaseURL}}/?name={{payload}}"
- "{{BaseURL}}/?input={{payload}}"
- "{{BaseURL}}/?message={{payload}}"
- "{{BaseURL}}/?text={{payload}}"
payloads:
- "<script>alert('XSS')</script>"
- "'><script>alert('XSS')</script>"
- "\"><script>alert('XSS')</script>"
- "<img src=x onerror=alert('XSS')>"
- "<svg onload=alert('XSS')>"
- "javascript:alert('XSS')"
- "<body onload=alert('XSS')>"
threads: 10
matchers:
- type: word
part: body
words:
- "<script>alert('XSS')</script>"
- "<img src=x onerror=alert('XSS')>"
- "<svg onload=alert('XSS')>"
condition: or

35
modules/info/cms-drupal.yaml Normal file
View File

@@ -0,0 +1,35 @@
# Drupal CMS Detection Module
id: cms-drupal
info:
name: Drupal Detection
author: sif
severity: info
description: Detects Drupal CMS installations
tags: [cms, drupal, detection, info]
type: http
http:
method: GET
paths:
- "{{BaseURL}}"
matchers:
- type: word
part: all
words:
- "Drupal.settings"
- "X-Drupal-Cache"
- "/sites/default/files"
- "drupal.js"
condition: or
extractors:
- type: regex
name: drupal_version
part: body
regex:
- 'Drupal ([0-9.]+)'
- 'content="Drupal ([0-9.]+)"'
group: 1

37
modules/info/cms-wordpress.yaml Normal file
View File

@@ -0,0 +1,37 @@
# WordPress CMS Detection Module
id: cms-wordpress
info:
name: WordPress Detection
author: sif
severity: info
description: Detects WordPress CMS installations
tags: [cms, wordpress, detection, info]
type: http
http:
method: GET
paths:
- "{{BaseURL}}"
- "{{BaseURL}}/wp-login.php"
- "{{BaseURL}}/wp-admin/"
matchers:
- type: word
part: body
words:
- "wp-content"
- "wp-includes"
- "wp-json"
- "wordpress"
condition: or
extractors:
- type: regex
name: wp_version
part: body
regex:
- 'content="WordPress ([0-9.]+)"'
- 'wp-includes/js/wp-embed.min.js\?ver=([0-9.]+)'
group: 1

50
modules/info/security-headers.yaml Normal file
View File

@@ -0,0 +1,50 @@
# Security Headers Check Module
# Checks for missing or misconfigured security headers
id: security-headers
info:
name: Security Headers Analysis
author: sif
severity: info
description: Checks for presence and configuration of security headers
tags: [headers, security, info, owasp]
type: http
http:
method: GET
paths:
- "{{BaseURL}}"
matchers:
- type: regex
part: header
regex:
- "X-Frame-Options"
- "X-Content-Type-Options"
- "Strict-Transport-Security"
- "Content-Security-Policy"
- "X-XSS-Protection"
condition: or
extractors:
- type: regex
name: x_frame_options
part: header
regex:
- "X-Frame-Options: (.+)"
group: 1
- type: regex
name: content_security_policy
part: header
regex:
- "Content-Security-Policy: (.+)"
group: 1
- type: regex
name: strict_transport_security
part: header
regex:
- "Strict-Transport-Security: (.+)"
group: 1

45
modules/recon/backup-files.yaml Normal file
View File

@@ -0,0 +1,45 @@
# Backup Files Detection Module
id: backup-files
info:
name: Backup Files Detection
author: sif
severity: medium
description: Detects common backup files that may expose sensitive information
tags: [backup, exposure, misconfiguration, recon]
type: http
http:
method: GET
paths:
- "{{BaseURL}}/backup.sql"
- "{{BaseURL}}/backup.zip"
- "{{BaseURL}}/backup.tar.gz"
- "{{BaseURL}}/database.sql"
- "{{BaseURL}}/db.sql"
- "{{BaseURL}}/dump.sql"
- "{{BaseURL}}/.env"
- "{{BaseURL}}/.env.backup"
- "{{BaseURL}}/config.php.bak"
- "{{BaseURL}}/web.config.bak"
- "{{BaseURL}}/wp-config.php.bak"
- "{{BaseURL}}/settings.py.bak"
threads: 5
matchers:
- type: status
status:
- 200
- type: regex
part: body
regex:
- "CREATE TABLE"
- "INSERT INTO"
- "DB_PASSWORD"
- "APP_KEY"
- "SECRET_KEY"
- "database_password"
condition: or

39
modules/recon/git-exposed.yaml Normal file
View File

@@ -0,0 +1,39 @@
# Exposed Git Repository Detection Module
id: git-exposed
info:
name: Exposed Git Repository
author: sif
severity: high
description: Detects exposed .git directories that may leak source code
tags: [git, exposure, source-code, misconfiguration]
type: http
http:
method: GET
paths:
- "{{BaseURL}}/.git/HEAD"
- "{{BaseURL}}/.git/config"
- "{{BaseURL}}/.git/index"
matchers:
- type: word
part: body
words:
- "ref: refs/"
- "[core]"
- "repositoryformatversion"
condition: or
- type: status
status:
- 200
extractors:
- type: regex
name: git_branch
part: body
regex:
- "ref: refs/heads/(.+)"
group: 1