20240912

adysec · Sep 12, 2024 · ca0d737 · ca0d737
1 parent deeb63a
commit ca0d737
Show file tree

Hide file tree

Showing 252 changed files with 9,412 additions and 384 deletions.
diff --git a/date.txt b/date.txt
@@ -1 +1 @@
-20240911
+20240912
diff --git a/poc.txt b/poc.txt
diff --git a/poc/apache/apache-impala.yaml b/poc/apache/apache-impala.yaml
@@ -4,6 +4,7 @@ info:
   name: Apache Impala - Exposure
   author: DhiyaneshDk
   severity: medium
+  description: Apache Impala is exposed.
   reference:
     - https://www.facebook.com/photo/?fbid=627585602745296&set=pcb.627585619411961
   metadata:
@@ -32,5 +33,4 @@ http:
       - type: status
         status:
           - 200
-
-# digest: 4a0a004730450221009a2bb01334c3631544baac5fa27e43d8c6ef0d3840a1d8cc956d0cf32b7f15f2022022b76f87a33c3ccf12e54a3531009144fea1e30598d54a932fd1db0479d3146f:922c64590222798bb761d5b6d8e72950
+# digest: 4a0a0047304502201dc3cd253eed22c678589452bebea6692552bfa91a81c9467c9a5a82f1f8ecdd022100e382474589312820dc0673ff200915a390c42824a0a4ee59a86114f1b7a800b5:922c64590222798bb761d5b6d8e72950
diff --git a/poc/apache/apache-zeppelin-unauth.yaml b/poc/apache/apache-zeppelin-unauth.yaml
@@ -0,0 +1,45 @@
+id: apache-zeppelin-unauth
+
+info:
+  name: Apache Zeppelin - Unauthenticated Access
+  author: j4vaovo
+  severity: high
+  description: |
+    Apache Zeppelin server was able to be accessed because no authentication was required.
+  reference: |
+    - https://www.adminxe.com/2172.html
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
+    cvss-score: 8.6
+    cwe-id: CWE-285
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: title:"Zeppelin"
+    fofa-query: title="Zeppelin"
+  tags: misconfig,apache,zeppelin,unauth
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/api/security/ticket"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'status":"OK'
+          - '"ticket":"anonymous"'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - 'application/json'
+
+      - type: status
+        status:
+          - 200
+
+# digest: 4b0a00483046022100d19c5f3d615eed414c17a664909cb53f1ba0e1a99c7f6d297a1b7fb62a168baa022100ba595777c8c3a57f62dda3cdb38e4a0b8c03bec264faff87458b48fabd7c5dc0:922c64590222798bb761d5b6d8e72950
diff --git a/poc/apache/default-apache-shiro.yaml b/poc/apache/default-apache-shiro.yaml
@@ -0,0 +1,29 @@
+id: default-apache-shiro
+
+info:
+  name: Apache Shiro Default Page
+  author: DhiyaneshDK
+  severity: info
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: title:"Apache Shiro Quickstart"
+  tags: tech,apache,shiro
+
+http:
+  - method: GET
+    path:
+      - '{{BaseURL}}'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "<title>Apache Shiro Quickstart</title>"
+
+      - type: status
+        status:
+          - 200
+
+# digest: 490a0046304402206679e43f4e2125fa6ab7f37680f2c0464b2b7251690168259de5ac9c1f18fb51022071a731cd2862bb734edb2e7491f15198961599fa7ed8cb84bfa49805b92df0f3:922c64590222798bb761d5b6d8e72950
diff --git a/poc/api/clickhouse-unauth-api.yaml b/poc/api/clickhouse-unauth-api.yaml
@@ -4,6 +4,7 @@ info:
   name: ClickHouse API Database Interface - Improper Authorization
   author: DhiyaneshDk
   severity: high
+  description: Clickhouse API Database is exposed.
   reference:
     - https://github.com/luck-ying/Library-POC/blob/master/ClickHouse%E6%95%B0%E6%8D%AE%E5%BA%93/ClickHouse%E6%95%B0%E6%8D%AE%E5%BA%93%208123%E7%AB%AF%E5%8F%A3%E7%9A%84%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE.py
     - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/redteam/vulnerability/unauthorized/ClickHouse%208123%E7%AB%AF%E5%8F%A3.md?plain=1
@@ -12,7 +13,7 @@ info:
     max-request: 1
     shodan-query: "X-ClickHouse-Summary"
     fofa-query: "X-ClickHouse-Summary"
-  tags: clickhouse,unauth,disclosure
+  tags: misconfig,clickhouse,unauth,disclosure
 
 http:
   - method: GET
@@ -36,5 +37,4 @@ http:
       - type: status
         status:
           - 200
-
-# digest: 490a00463044022036599550131f2de458fc72e772f69cae1e3aa73931f856c352ff8ebc85d72ac7022004567b098e2ae9a91cc1f46ed381cb9c41b904d4393b286fbc3cf77bd930d4ae:922c64590222798bb761d5b6d8e72950
+# digest: 4a0a00473045022100a0b5c453b540196a3297c18713c3638b6327d815009a24c1b054e31cd98ab0ab02203243446e5cb8801e67889a19c0c6dd4298a25228b1181c835f909574b5096336:922c64590222798bb761d5b6d8e72950
diff --git a/poc/api/discuz-api-pathinfo.yaml b/poc/api/discuz-api-pathinfo.yaml
@@ -0,0 +1,41 @@
+id: discuz-api-pathinfo
+
+info:
+  name: Discuz! X2.5 - Path Disclosure
+  author: ritikchaddha
+  severity: low
+  description: Discuz! X2.5 api.php path disclosure vulnerability
+  reference:
+    - https://crx.xmspace.net/discuz_x25_api_php.html
+    - http://www.1314study.com/t/87417.html
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: title:"Discuz!"
+    fofa-query: title="Discuz!"
+  tags: discuz,info,disclosure
+
+http:
+  - method: GET
+    path:
+      - '{{BaseURL}}/api.php?mod[]=auto'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '.php</b> on line'
+          - 'function.array'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - 'text/html'
+
+      - type: status
+        status:
+          - 200
+
+# digest: 4a0a0047304502202a08c3fa9304cacdc32c84c55e79263202268de3fd524bd2edc44d0a687648af022100b8d1d52d3b88bcf50cd5f659d3e59024543fa9e29086e2f1383aa904b46e2d68:922c64590222798bb761d5b6d8e72950
diff --git a/poc/api/graylog-api-exposure.yaml b/poc/api/graylog-api-exposure.yaml
@@ -0,0 +1,91 @@
+id: graylog-api-exposure
+
+info:
+  name: Graylog REST API Endpoints - Exposure
+  author: Arqsz
+  severity: info
+  description: |
+    Graylog is a centralized log management solution. According to the official documentation, it exposes multiple endpoints (some by default).
+  reference:
+    - https://go2docs.graylog.org/5-0/setting_up_graylog/rest_api.html
+    - https://gist.github.com/asachs01/f1f317b2924a688deb8ed2520a4520bd
+  metadata:
+    verified: true
+    max-request: 50
+    shodan-query: Graylog
+  tags: tech,graylog,api,swagger,fuzz
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+      - "{{BaseURL}}/api/api-docs"
+      - "{{BaseURL}}/api/api-browser"
+      - "{{BaseURL}}/api/cluster"
+      - "{{BaseURL}}/api/dashboards"
+      - "{{BaseURL}}/api/events/definitions"
+      - "{{BaseURL}}/api/events/definitions/validate"
+      - "{{BaseURL}}/api/events/notifications/test"
+      - "{{BaseURL}}/api/events/search"
+      - "{{BaseURL}}/api/free-enterprise/license"
+      - "{{BaseURL}}/api/plugins/org.graylog.enterprise.integrations/office365/checkSubscriptions"
+      - "{{BaseURL}}/api/plugins/org.graylog.enterprise.integrations/office365/inputs"
+      - "{{BaseURL}}/api/plugins/org.graylog.enterprise.integrations/office365/startSubscription"
+      - "{{BaseURL}}/api/plugins/org.graylog.integrations/aws/cloudwatch/log_groups"
+      - "{{BaseURL}}/api/plugins/org.graylog.integrations/aws/inputs"
+      - "{{BaseURL}}/api/plugins/org.graylog.integrations/aws/kinesis/auto_setup/create_stream"
+      - "{{BaseURL}}/api/plugins/org.graylog.integrations/aws/kinesis/auto_setup/create_subscription"
+      - "{{BaseURL}}/api/plugins/org.graylog.integrations/aws/kinesis/auto_setup/create_subscription_policy"
+      - "{{BaseURL}}/api/plugins/org.graylog.integrations/aws/kinesis/health_check"
+      - "{{BaseURL}}/api/plugins/org.graylog.integrations/aws/kinesis/streams"
+      - "{{BaseURL}}/api/plugins/org.graylog.plugins.archive/archives/catalog/rebuild"
+      - "{{BaseURL}}/api/plugins/org.graylog.plugins.archive/backends"
+      - "{{BaseURL}}/api/plugins/org.graylog.plugins.archive/cluster/archives/catalog/rebuild"
+      - "{{BaseURL}}/api/plugins/org.graylog.plugins.collector/configurations"
+      - "{{BaseURL}}/api/plugins/org.graylog.plugins.license/licenses/verify"
+      - "{{BaseURL}}/api/plugins/org.graylog.plugins.report/reports"
+      - "{{BaseURL}}/api/plugins/org.graylog.plugins.security/team-sync/test/backend"
+      - "{{BaseURL}}/api/plugins/org.graylog.plugins.security/teams"
+      - "{{BaseURL}}/api/scheduler/jobs"
+      - "{{BaseURL}}/api/system/authentication/services/backends"
+      - "{{BaseURL}}/api/system/authentication/services/test/backend/connection"
+      - "{{BaseURL}}/api/system/authentication/services/test/backend/login"
+      - "{{BaseURL}}/api/system"
+      - "{{BaseURL}}/api/system/content_packs"
+      - "{{BaseURL}}/api/system/indexer/cluster/health"
+      - "{{BaseURL}}/api/system/indexer/cluster/name"
+      - "{{BaseURL}}/api/system/debug/events/cluster"
+      - "{{BaseURL}}/api/system/debug/events/local"
+      - "{{BaseURL}}/api/system/jobs"
+      - "{{BaseURL}}/api/system/pipelines/pipeline"
+      - "{{BaseURL}}/api/system/pipelines/rule"
+      - "{{BaseURL}}/api/system/urlwhitelist/check"
+      - "{{BaseURL}}/api/system/urlwhitelist/generate_regex"
+      - "{{BaseURL}}/api/views"
+      - "{{BaseURL}}/api/views/fields"
+      - "{{BaseURL}}/api/views/forValue"
+      - "{{BaseURL}}/api/views/search/messages"
+      - "{{BaseURL}}/api/views/search/metadata"
+      - "{{BaseURL}}/api/views/search/sync"
+      - "{{BaseURL}}/api/users"
+
+    host-redirects: true
+    stop-at-first-match: true
+
+    matchers-condition: or
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code == 200"
+          - "contains_any(header, 'X-Graylog-Node-Id', 'Graylog', 'graylog')"
+          - "contains_any(body, 'X-Graylog-Node-Id', 'Graylog', 'graylog')"
+          - "contains_any(body, 'swagger')"
+        condition: and
+
+      - type: dsl
+        name: unauthorized-graylog-header
+        dsl:
+          - "status_code == 401"
+          - "contains(header, 'X-Graylog-Node-Id') || contains(header, 'Graylog Server')"
+        condition: and
+# digest: 4b0a00483046022100cfdfa42b1d6eceea7948a44eebd55448c0553992200628d09080452422232dd7022100a11fdf4e1c293d3669c0923ed6177f2192e0ac22ff1af23651878299747ad7e4:922c64590222798bb761d5b6d8e72950
diff --git a/poc/api/seafile-api.yaml b/poc/api/seafile-api.yaml
@@ -0,0 +1,49 @@
+id: seafile-api
+
+info:
+  name: Seafile API - Detect
+  author: righettod
+  severity: info
+  description: |
+    Seafile API was detected.
+  reference:
+    - https://download.seafile.com/published/web-api/home.md
+    - https://manual.seafile.com/
+    - https://www.seafile.com/en/home/
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: http.html:"seafile"
+  tags: exposure,api,detect
+
+http:
+  - method: GET
+    path:
+      - '{{BaseURL}}/api2/server-info/'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'seafile-basic'
+          - 'seafile-pro'
+        condition: or
+
+      - type: word
+        part: header
+        words:
+          - 'application/json'
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: regex
+        part: body
+        group: 1
+        regex:
+          - '"version":\s*"([0-9.]+)"'
+
+# digest: 4a0a00473045022100c47c1ae5d724d7b5a58f902d8807a9c455951aea612d75bae34e5f0b5fbf0d5f022004cbf64a4224a7d86c861b15ee1983a7b9a0d5ea80efc59b92ff61adb2cc285d:922c64590222798bb761d5b6d8e72950
diff --git a/poc/atlassian/bamboo-detect.yaml b/poc/atlassian/bamboo-detect.yaml
@@ -0,0 +1,35 @@
+id: bamboo-detect
+
+info:
+  name: Bamboo - Detection
+  author: bhutch
+  severity: info
+  description: |
+    Detect the presence of Bamboo, a CI/CD tool.
+  metadata:
+    verified: true
+    max-request: 1
+    vendor: atlassian
+    shodan-query: http.favicon.hash:-1379982221
+    category: devops
+  tags: tech,bamboo,atlassian,detect,cicd
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    redirects: true
+    matchers:
+      - type: dsl
+        dsl:
+          - contains(to_lower(body), "<title>log into atlassian - atlassian bamboo</title>")
+          - contains(to_lower(body), "meta name=\"application-name\" content=\"bamboo\" />")
+
+    extractors:
+      - type: regex
+        name: version
+        group: 1
+        regex:
+          - '(?i)atlassian bamboo</a> version (.*) -'
+# digest: 490a00463044022054fee6be26df8b05fe917fc020a1087009848dc48a25b2df27954e6f1d71ac4802205b3267d31138e786117de003787658c20c23a8956efe95880a085e183df4ab62:922c64590222798bb761d5b6d8e72950
diff --git a/poc/atlassian/bitbucket-auth-bypass.yaml b/poc/atlassian/bitbucket-auth-bypass.yaml
@@ -0,0 +1,36 @@
+id: bitbucket-auth-bypass
+
+info:
+  name: Bitbucket Server > 4.8 - Authentication Bypass
+  author: DhiyaneshDk
+  severity: critical
+  description: |
+    There is a permission bypass vulnerability through %20, which allows arbitrary users to obtain sensitive data
+  reference:
+    - https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/Atlassian%20Bitbucket%20%E7%99%BB%E5%BD%95%E7%BB%95%E8%BF%87%E6%BC%8F%E6%B4%9E.md
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: title:"Log in - Bitbucket"
+    fofa-query: title="Log in - Bitbucket"
+  tags: misconfig,atlassian,bitbucket,auth-bypass
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/admin%20/db"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "<h2>Database</h2>"
+          - "Migrate database"
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+# digest: 4a0a0047304502201946e48b08668a0597ded653e54bb13c9963cbdb12f6346ec925a3e6e076ed1b022100a2f3c87d0283a2d813f657de5284441fcb2c45757e5892bac85dee2fbec0a7ed:922c64590222798bb761d5b6d8e72950