added confluence metadata and minor matcher updates (#3929)

2022-03-19 16:12:08 +05:30 · 2022-03-19 16:12:08 +05:30 · ec2246ee22
parent bf8b545fed
commit ec2246ee22
8 changed files with 43 additions and 14 deletions
--- a/cves/2015/CVE-2015-8399.yaml
+++ b/cves/2015/CVE-2015-8399.yaml
@ -1,21 +1,25 @@
 id: CVE-2015-8399
+
 info:
  author: princechaddha
  name: Atlassian Confluence configuration files read
  severity: medium
  description: Atlassian Confluence before 5.8.17 allows remote authenticated users to read configuration files via the decoratorName parameter to (1) spaces/viewdefaultdecorator.action or (2) admin/viewdefaultdecorator.action.
  reference: https://jira.atlassian.com/browse/CONFSERVER-39704?src=confmacro
-  tags: cve,cve2015,atlassian,confluence
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 4.30
    cve-id: CVE-2015-8399
    cwe-id: CWE-200
+  metadata:
+    shodan-query: http.component:"Atlassian Confluence"
+  tags: cve,cve2015,atlassian,confluence

 requests:
  - method: GET
    path:
      - "{{BaseURL}}/spaces/viewdefaultdecorator.action?decoratorName"
+
    matchers-condition: and
    matchers:
      - type: status
@ -23,8 +27,8 @@ requests:
          - 200

      - type: word
+        part: body
        words:
          - "confluence-init.properties"
          - "View Default Decorator"
        condition: and
-        part: body
--- a/cves/2018/CVE-2018-5230.yaml
+++ b/cves/2018/CVE-2018-5230.yaml
@ -12,6 +12,8 @@ info:
    cvss-score: 6.10
    cve-id: CVE-2018-5230
    cwe-id: CWE-79
+  metadata:
+    shodan-query: http.component:"Atlassian Confluence"
  tags: cve,cve2018,atlassian,confluence,xss

 requests:
--- a/cves/2019/CVE-2019-3396.yaml
+++ b/cves/2019/CVE-2019-3396.yaml
@ -5,12 +5,14 @@ info:
  severity: critical
  description: The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.
  reference: https://github.com/x-f1v3/CVE-2019-3396
-  tags: cve,cve2019,atlassian,confluence,lfi,rce
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.80
    cve-id: CVE-2019-3396
    cwe-id: CWE-22
+  metadata:
+    shodan-query: http.component:"Atlassian Confluence"
+  tags: cve,cve2019,atlassian,confluence,lfi,rce

 requests:
  - raw:
--- a/cves/2021/CVE-2021-26084.yaml
+++ b/cves/2021/CVE-2021-26084.yaml
@ -5,7 +5,6 @@ info:
  severity: critical
  name: Confluence Server OGNL injection - RCE
  description: In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if 'Allow people to sign up to create their account' is enabled. To check whether this is enabled go to COG > User Management > User Signup Options. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
-  tags: cve,cve2021,rce,confluence,injection,ognl
  reference:
    - https://jira.atlassian.com/browse/CONFSERVER-67940
    - https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2021-26084
@ -16,6 +15,9 @@ info:
    cvss-score: 9.80
    cve-id: CVE-2021-26084
    cwe-id: CWE-74
+  metadata:
+    shodan-query: http.component:"Atlassian Confluence"
+  tags: cve,cve2021,rce,confluence,injection,ognl

 requests:
  - raw:
--- a/cves/2021/CVE-2021-26085.yaml
+++ b/cves/2021/CVE-2021-26085.yaml
@ -7,12 +7,14 @@ info:
  reference:
    - https://packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html
    - https://nvd.nist.gov/vuln/detail/CVE-2021-26085
-  tags: cve,cve2021,confluence,atlassian,lfi
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.30
    cve-id: CVE-2021-26085
    cwe-id: CWE-862
+  metadata:
+    shodan-query: http.component:"Atlassian Confluence"
+  tags: cve,cve2021,confluence,atlassian,lfi

 requests:
  - method: GET
--- a/exposed-panels/servicedesk-login-panel.yaml
+++ b/exposed-panels/servicedesk-login-panel.yaml
@ -5,6 +5,8 @@ info:
  author: aashiq
  severity: info
  description: Searches for ServiceDesk login panels by trying to query the "/servicedesk/customer/user/login" endpoint
+  metadata:
+    shodan-query: http.component:"Atlassian Confluence"
  tags: servicedesk,confluence,jira,panel,login

 requests:
--- a/technologies/confluence-detect.yaml
+++ b/technologies/confluence-detect.yaml
@ -5,9 +5,10 @@ info:
  author: philippedelteil
  severity: info
  description: Allows you to detect Atlassian Confluence instances
-  tags: tech,confluence,atlassian
  metadata:
-    shodan-query: https://www.shodan.io/search?query=http.component%3A%22atlassian+confluence%22
+    shodan-query: http.component:"Atlassian Confluence"
+  tags: tech,confluence,atlassian
+

 requests:
  - method: GET
@ -19,19 +20,18 @@ requests:

    redirects: true
    stop-at-first-match: true
-    matchers-condition: and
+    matchers-condition: or
    matchers:
      - type: word
-        words:
-          - '-Confluence-'
-          - '-confluence-'
        part: header
-        condition: or
+        words:
+          - '-confluence-'
+        case-insensitive: true

      - type: word
+        part: body
        words:
          - 'confluence-base-url'
-        part: body

    extractors:
      - type: regex
--- a/vulnerabilities/confluence/confluence-ssrf-sharelinks.yaml
+++ b/vulnerabilities/confluence/confluence-ssrf-sharelinks.yaml
@ -8,14 +8,29 @@ info:
  reference:
    - https://bitbucket.org/atlassian/confluence-business-blueprints/pull-requests/144/issue-60-conf-45342-ssrf-in-sharelinks
    - https://github.com/assetnote/blind-ssrf-chains#confluence
-  tags: confluence,atlassian,ssrf,jira,oast
+  metadata:
+    shodan-query: http.component:"Atlassian Confluence"
+  tags: confluence,atlassian,ssrf,oast

 requests:
  - method: GET
    path:
      - '{{BaseURL}}/rest/sharelinks/1.0/link?url=https://{{interactsh-url}}/'
+
+    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"
+
+      - type: word
+        part: body
+        words:
+          - "faviconURL"
+          - "domain"
+        condition: and
+
+      - type: status
+        status:
+          - 200