From 958b15663cd689a563f66f46461d18c1c0492e51 Mon Sep 17 00:00:00 2001
From: Sandeep Singh
Date: Sun, 8 May 2022 12:13:38 +0530
Subject: [PATCH] Strict matchers / f/p fix (#4320)
* more strict matcher + matcher fix
* misc updates
---
 cves/2018/CVE-2018-18069.yaml | 12 +++++++++---
 cves/2019/CVE-2019-14223.yaml | 12 ++++++++----
 cves/2020/CVE-2020-15129.yaml | 6 ++++--
 cves/2020/CVE-2020-17506.yaml | 7 +++++--
 cves/2020/CVE-2020-24550.yaml | 4 ++--
 vulnerabilities/other/aspnuke-openredirect.yaml | 7 ++++---
 6 files changed, 32 insertions(+), 16 deletions(-)
diff --git a/cves/2018/CVE-2018-18069.yaml b/cves/2018/CVE-2018-18069.yaml
index fa3a667894..1a56c2d92d 100644
--- a/cves/2018/CVE-2018-18069.yaml
+++ b/cves/2018/CVE-2018-18069.yaml
@@ -20,12 +20,18 @@ requests:
 - method: POST path: - "{{BaseURL}}/wp-admin/admin.php" - body: 'icl_post_action=save_theme_localization&locale_file_name_en=EN">' - redirects: true + body: | + icl_post_action=save_theme_localization&locale_file_name_en=EN"> + + redirects: true + max-redirects: 2 matchers: - type: dsl dsl: - - 'contains(tolower(all_headers), "text/html") && contains(set_cookie, "_icl_current_admin_language") && contains(body, "\">")' + - 'contains(tolower(all_headers), "text/html")' + - 'contains(set_cookie, "_icl_current_admin_language")' + - 'contains(body, "\">")' + condition: and # Enhanced by mp on 2022/04/08
diff --git a/cves/2019/CVE-2019-14223.yaml b/cves/2019/CVE-2019-14223.yaml
index 2617acac22..b2780cf573 100644
--- a/cves/2019/CVE-2019-14223.yaml
+++ b/cves/2019/CVE-2019-14223.yaml
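Review bot: `body: |` keeps one trailing newline, so the value sent for `locale_file_name_en` becomes `EN">` followed by a line break instead of the exact `EN">` the old single-quoted `body:` sent; `body: |-` preserves the old bytes, and the blank `+` line after the payload is then unnecessary. The same `|` block is introduced for the POST body in CVE-2019-14223 in this commit. The three DSL entries under `condition: and` are equivalent to the old `&&` expression, but `contains(body, "\">")` holds for almost any HTML page, so the effective discriminator is the `_icl_current_admin_language` cookie check; a comment above the list such as `# the set_cookie check is what distinguishes a vulnerable host; the body check only confirms the payload's closing quote is presumably reflected` would make that explicit. No `Content-Type` header is visible in this request while the CVE-2019-14223 change adds `application/x-www-form-urlencoded`; if nuclei does not default it, the form body may not be parsed by the target.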
@@ -14,17 +14,21 @@ info:
 cvss-score: 6.1 cve-id: CVE-2019-14223 cwe-id: CWE-601 - tags: cve,cve2019,redirect + tags: cve,cve2019,redirect,alfresco requests: - method: POST path: - '{{BaseURL}}/share/page/dologin' + headers: Content-Type: application/x-www-form-urlencoded - body: success=%2Fshare%2Fpage%2F&failure=:\\google.com&username=baduser&password=badpass + + body: | + success=%2Fshare%2Fpage%2F&failure=:\\example.com&username=baduser&password=badpass + matchers: - type: regex - part: body + part: header regex: - - "(?m)^(?:Location\\s*:\\s*)(?:https?://|//|\\\\)?(?:[a-zA-Z0-9\\-_]*\\.)?google\\.com(?:\\s*)$" \ No newline at end of file + - "(?m)^(?:Location\\s*:\\s*)(?:https?://|//|\\\\)?(?:[a-zA-Z0-9\\-_]*\\.)?example\\.com(?:\\s*)$" \ No newline at end of file
diff --git a/cves/2020/CVE-2020-15129.yaml b/cves/2020/CVE-2020-15129.yaml
index 32dceeb7ce..ba9f538db5 100644
--- a/cves/2020/CVE-2020-15129.yaml
+++ b/cves/2020/CVE-2020-15129.yaml
@@ -19,15 +19,17 @@ requests:
 - method: GET path: - "{{BaseURL}}" + headers: X-Forwarded-Prefix: "https://foo.nl" + matchers-condition: and matchers: - type: status status: - 302 + - type: word + part: body words: - "Found" - condition: or - part: body \ No newline at end of file
diff --git a/cves/2020/CVE-2020-17506.yaml b/cves/2020/CVE-2020-17506.yaml
index 02f0f27585..b0d7e9d074 100644
--- a/cves/2020/CVE-2020-17506.yaml
+++ b/cves/2020/CVE-2020-17506.yaml
@@ -19,6 +19,7 @@ requests:
 - method: GET path: - "{{BaseURL}}/fw.login.php?apikey=%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27;" + redirects: true max-redirects: 1 matchers-condition: and
@@ -26,17 +27,19 @@ requests:
 - type: word words: - "artica-applianc" + - type: status status: - 200 - 301 - 302 condition: or + - type: word - name: session + part: header words: - "PHPSESSID" - part: header + extractors: - type: kval kval:
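Review bot: The new regex still ends in `example\\.com(?:\\s*)$`, so a redirect whose target carries a path or trailing slash (for example `Location: https://example.com/`) is not matched even though it is the same open redirect; allowing an optional path tail, e.g. `example\\.com(?:[/?#]\\S*)?\\s*$`, removes that false negative. The single-quoted regex in vulnerabilities/other/aspnuke-openredirect.yaml in this commit has the same tail (with single backslashes there) and the same gap. Neither template gates the header match on a redirect status; a `type: status` matcher for the 3xx the vulnerable build returns, under `matchers-condition: and`, would keep a stray `Location:` line in a non-redirect response from matching. Both the `failure=` payload and the regex are written for the reserved `example.com`, which is the right choice for a probe target.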
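Review bot: The new `and` of `status: 302` and the body word `Found` still fires on any 302 served at `{{BaseURL}}`, because `Found` is just the default reason-phrase body many servers emit for a redirect; nothing checks that the injected `X-Forwarded-Prefix` value reached the redirect target. If the flaw reflects the prefix into `Location`, as the header injection suggests, making the word matcher `part: header` with `- "Location: https://foo.nl"` ties the match to the injected value instead. Separately, `foo.nl` is a registrable third-party domain; the other templates in this commit moved to the reserved `example.com`, and this header value could follow.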
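Review bot: Adding `redirects: true` next to the existing `max-redirects: 1` changes which response the matchers see: if nuclei evaluates matchers on the final hop, as I believe it does, the `301`/`302` entries in the status matcher and the `PHPSESSID` header word in the next hunk must now hold on the redirected response, and a `Set-Cookie` issued only on the first hop would no longer be visible, so the `and` condition could stop matching a vulnerable instance. A comment on the new line, `# follow one hop: matchers run against the redirected response`, would record that intent, and the template is worth re-validating against a known-vulnerable test instance before merge. The request block continues past the end of this hunk.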
diff --git a/cves/2020/CVE-2020-24550.yaml b/cves/2020/CVE-2020-24550.yaml
index 0425f411ee..173fe2c0d3 100644
--- a/cves/2020/CVE-2020-24550.yaml
+++ b/cves/2020/CVE-2020-24550.yaml
@@ -16,16 +16,16 @@ info:
 requests: - method: GET - path: - '{{BaseURL}}/find_v2/_click?_t_id=&_t_q=&_t_hit.id=&_t_redirect=https://example.com' matchers-condition: and matchers: - type: word + part: header words: - "Location: https://example.com" - part: header + - type: status status: - 301
diff --git a/vulnerabilities/other/aspnuke-openredirect.yaml b/vulnerabilities/other/aspnuke-openredirect.yaml
index ca498927f1..e6ce2c4e2f 100644
--- a/vulnerabilities/other/aspnuke-openredirect.yaml
+++ b/vulnerabilities/other/aspnuke-openredirect.yaml
@@ -9,9 +9,10 @@ info:
 requests: - method: GET path: - - "{{BaseURL}}/gotoURL.asp?url=google.com&id=43569" + - "{{BaseURL}}/gotoURL.asp?url=example.com&id=43569" + matchers: - type: regex - part: body + part: header regex: - - '(?m)^(?:Location\s*:\s*)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?google\.com(?:\s*)$' \ No newline at end of file + - '(?m)^(?:Location\s*:\s*)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?example\.com(?:\s*)$' \ No newline at end of file