Bash Scanner
ID: bash-scanner
Severity: info
Author: ransomsec
Tags: bash,file,shell,sh
Description
Indicator for bash Dangerous Commands – You Should Never Execute on Linux
YAML Source
id: bash-scanner

info:
  name: Bash Scanner
  author: ransomsec
  severity: info
  description: Indicator for bash Dangerous Commands – You Should Never Execute on Linux
  reference:
    - https://www.tecmint.com/10-most-dangerous-commands-you-should-never-execute-on-linux/
    - https://phoenixnap.com/kb/dangerous-linux-terminal-commands
  tags: bash,file,shell,sh

file:
  - extensions:
      - sh

    extractors:
      - type: regex
        name: fork-bomb
        regex:
          - ":(){:|:&};:"

      - type: regex
        name: rm command found
        regex:
          - "rm -(f|r)"
          - "rm -(fr|rf)"

      - type: regex
        name: code injection
        regex:
          - "/bin/(sh|bash) -"
          - "eval"
          - "echo -c"
          - "/bin/(sh|bash) -c"
          - "(sh|bash) -"
          - "(sh|bash) -c"

      - type: regex
        name: file manipulation
        regex:
          - "cat /dev/null >"

      - type: regex
        name: unknown filedownload
        regex:
          - '(wget|curl) (https?|ftp|file)://[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]\.[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]$'
# digest: 4a0a004730450221009d958257bd9ea7aa63ea47fb4e99dde8f10a3c9899c1d9b1af8ae2f2d914d8290220350c7869bfb9bf6e242475bda1bd3bae8410b28d2288c03e6b139552091123f5:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "file/bash/bash-scanner.yaml"
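
Added example, not part of the template or the Nuclei project: the extractor regexes from the YAML above, run line by line over a constructed script to show what each one actually reports. Python's `re` stands in for the engine Nuclei uses, and `scan`, `SAMPLE` and `FORK_BOMB_LITERAL` are names assumed here.

```python
import re

# Regexes copied verbatim from the template's extractors.
EXTRACTORS = {
    "fork-bomb": [r":(){:|:&};:"],
    "rm command found": [r"rm -(f|r)", r"rm -(fr|rf)"],
    "code injection": [r"/bin/(sh|bash) -", r"eval", r"echo -c",
                       r"/bin/(sh|bash) -c", r"(sh|bash) -", r"(sh|bash) -c"],
    "file manipulation": [r"cat /dev/null >"],
    "unknown filedownload": [
        r"(wget|curl) (https?|ftp|file)://[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*"
        r"[-A-Za-z0-9\+&@#/%=~_|]\.[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*"
        r"[-A-Za-z0-9\+&@#/%=~_|]$"
    ],
}

# Constructed sample script (not from the page).
SAMPLE = """\
#!/bin/sh
:(){:|:&};:
rm -rf "$BUILD_DIR"
retrieval_mode=fast
git push -u origin main
curl https://example.com/install.sh
wget https://example.com/pkg.tar.gz -O /tmp/pkg.tar.gz
"""

def scan(script):
    """Return (line_no, extractor, matched_text) for every regex hit.
    Assumption: each line is matched on its own."""
    hits = []
    for no, line in enumerate(script.splitlines(), 1):
        for name, patterns in EXTRACTORS.items():
            for pat in patterns:
                m = re.search(pat, line)
                if m:
                    hits.append((no, name, m.group(0)))
    return hits

# Suggested tightening (not the template's own): escape the fork-bomb literal
# so "()" and "|" stop acting as an empty group and an alternation.
FORK_BOMB_LITERAL = re.escape(":(){:|:&};:")

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
    print(re.search(FORK_BOMB_LITERAL, SAMPLE).group(0))
```

The fork-bomb pattern reports only the fragment `:&};:` because its unescaped `|` splits it into two alternatives, while `eval` and `(sh|bash) -` fire on `retrieval_mode` and `git push -u`. The `$` anchor keeps the download pattern from matching when arguments follow the URL, as on the `wget` line.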