From 07e31135aea9a63a4d2c35a4eec68a5f8e7dd423 Mon Sep 17 00:00:00 2001
From: Sandeep Singh
Date: Thu, 17 Feb 2022 23:55:37 +0530
Subject: [PATCH] Added Consul Templates (#3720)
* added request condition to avoid false positive detection
* misc updates
---
cves/2020/CVE-2020-25864.yaml | 39 +++++++++++++++++++++
exposed-panels/hashicorp-consul-agent.yaml | 26 ++++++++++++++
exposed-panels/hashicorp-consul-webgui.yaml | 37 +++++++++++++++++++
3 files changed, 102 insertions(+)
create mode 100644 cves/2020/CVE-2020-25864.yaml
create mode 100644 exposed-panels/hashicorp-consul-agent.yaml
create mode 100644 exposed-panels/hashicorp-consul-webgui.yaml
diff --git a/cves/2020/CVE-2020-25864.yaml b/cves/2020/CVE-2020-25864.yaml
new file mode 100644
index 0000000000..e5604bec51
--- /dev/null
+++ b/cves/2020/CVE-2020-25864.yaml
@@ -0,0 +1,39 @@
+id: CVE-2020-25864
+
+info:
+ name: HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode is vulnerable to cross-site scripting
+ severity: medium
+ author: c-sh0
+ reference:
+ - https://discuss.hashicorp.com/t/hcsec-2021-07-consul-api-kv-endpoint-vulnerable-to-cross-site-scripting/23368
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-25864
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+ cvss-score: 6.10
+ cve-id: CVE-2020-25864
+ cwe-id: CWE-79
+ tags: cve,cve2020,consul,xss
+
+requests:
+ - raw:
+ - |
+ PUT {{BaseURL}}/v1/kv/{{randstr}} HTTP/1.1
+ Host: {{Hostname}}
+
+
+
+ - |
+ GET {{BaseURL}}/v1/kv/{{randstr}}%3Fraw HTTP/1.1
+ Host: {{Hostname}}
+
+ req-condition: true
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ part: body_2
+ words:
+ - ""
\ No newline at end of file
diff --git a/exposed-panels/hashicorp-consul-agent.yaml b/exposed-panels/hashicorp-consul-agent.yaml
new file mode 100644
index 0000000000..9864f3c349
--- /dev/null
+++ b/exposed-panels/hashicorp-consul-agent.yaml
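Review bot: The matchers in cves/2020/CVE-2020-25864.yaml accept a 200 plus a word in `body_2`, but raw mode returns the stored value verbatim by design, so body reflection alone does not show that the response is rendered as HTML, and fixed servers may be flagged too. As far as I understand the HCSEC-2021-07 fix, it changes the response headers rather than the body, so I would add a matcher on the second response's headers: `- type: word` with `part: header_2` and `words: ["text/html"]`. The `words` entry shows as an empty string on this page, probably lost in rendering; a genuinely empty word would match any body. The PUT also leaves the random key in the target's KV store, so a closing `DELETE {{BaseURL}}/v1/kv/{{randstr}}` request would keep scans from accumulating state on the scanned system.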
@@ -0,0 +1,26 @@
+id: hashicorp-consul-agent
+
+info:
+ name: Hashicorp Consul Agent Detection
+ author: c-sh0
+ severity: info
+ description: Obtain Consul Version Information
+ tags: tech,consul,api
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/v1/agent/self"
+
+ matchers:
+ - type: word
+ words:
+ - '"Datacenter":'
+ - '"Revision":'
+ - '"PrimaryDatacenter"'
+ condition: and
+
+ extractors:
+ - type: json
+ json:
+ - " .Config.Version"
\ No newline at end of file
diff --git a/exposed-panels/hashicorp-consul-webgui.yaml b/exposed-panels/hashicorp-consul-webgui.yaml
new file mode 100644
index 0000000000..a157a7fed6
--- /dev/null
+++ b/exposed-panels/hashicorp-consul-webgui.yaml
@@ -0,0 +1,37 @@
+id: hashicorp-consul-webgui
+
+info:
+ name: HashiCorp Consul WebGUI Detection
+ author: c-sh0
+ description: Detection of HashiCorp Consul WebGUI
+ severity: info
+ metadata:
+ shodan-query: http.title:"Consul by HashiCorp"
+ tags: consul,webserver,panel
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/ui/"
+
+ redirects: true
+ max-redirects: 2
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ part: body
+ words:
+ - 'Consul by HashiCorp'
+ - '%22%2C%22CONSUL_COPYRIGHT_URL%22%3A%22https%3A%2F%2Fwww.hashicorp.com%22'
+ condition: or
+
+ extractors:
+ - type: regex
+ part: body
+ group: 1
+ regex:
+ - "CONSUL_VERSION:.*([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})"
\ No newline at end of file
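Review bot: The `description: Obtain Consul Version Information` in exposed-panels/hashicorp-consul-agent.yaml understates what a match means: the request carries no token, and the matcher keys on `"Datacenter":`, `"Revision":` and `"PrimaryDatacenter"`, so a hit shows that `/v1/agent/self` returned agent configuration to an unauthenticated caller. I would reword it to something like `description: Consul agent API answers /v1/agent/self without a token and discloses agent configuration, including the version.` so that triage points at ACL enforcement rather than only at version disclosure. The matcher block also has no status check, unlike the webgui template in the same commit; adding a `type: status` matcher for 200 under `matchers-condition: and` would keep the two consistent.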
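Review bot: The extractor regex in exposed-panels/hashicorp-consul-webgui.yaml uses unescaped `.` between the digit groups and a greedy `.*` before the capture, so on a long single-line body group 1 can land on the last digit-any-digit-any-digit run on the line rather than the version next to `CONSUL_VERSION:`. I would write it as `- 'CONSUL_VERSION:.*?([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})'`, single-quoted so the backslashes stay literal in YAML. Since the second matcher word is URL-encoded, the version may also appear URL-encoded in some releases, in which case the literal `CONSUL_VERSION:` prefix would not match; that is worth confirming against a sample response before relying on the extracted value for patch triage.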