update 2.7.5

zan8in · Jul 23, 2023 · 6844ad9 · 6844ad9
1 parent 4529fe5
commit 6844ad9
Show file tree

Hide file tree

Showing 12 changed files with 42 additions and 100 deletions.
diff --git a/pkg/config/banner.go b/pkg/config/banner.go
@@ -8,7 +8,7 @@ import (
 	"github.com/zan8in/gologger"
 )
 
-const Version = "2.7.3"
+const Version = "2.7.5"
 
 func InitBanner() {
 	fmt.Printf("\r\n|\tA F 🐸 O G\t|")

diff --git a/pocs/afrog-pocs/CVE/2021/CVE-2021-22205.yaml b/pocs/afrog-pocs/CVE/2021/CVE-2021-22205.yaml
@@ -1,10 +1,14 @@
 id: CVE-2021-22205
 
 info:
-  name: Fingerprinting GitLab CE/EE Unauthenticated RCE using ExifTool - Passive Detection
-  author: GitLab Red Team
+  name: GitLab CE/EE Unauthenticated RCE Using ExifTool
+  author: pdteam
   severity: critical
-  description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.  This template attempts to passively identify vulnerable versions of GitLab without the need for an exploit by matching unique hashes for the application-<hash>.css file in the header for unauthenticated requests.  Positive matches do not guarantee exploitability.  Tooling to find relevant hashes based on the semantic version ranges specified in the CVE is linked in the references section below.
+  description: |
+    An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.  This template attempts to passively identify vulnerable versions of GitLab without the need for an exploit by matching unique hashes for the application-<hash>.css file in the header for unauthenticated requests.  Positive matches do not guarantee exploitability.  Tooling to find relevant hashes based on the semantic version ranges specified in the CVE is linked in the references section below.
+    FOFA: title="Gitlab"
+    SHODAN: http.title:"GitLab"
+  solutions: Upgrade to versions 13.10.3, 13.9.6, 13.8.8, or higher.
   reference:
     - https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-research/cve-2021-22205-hash-generator
     - https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-operations/-/issues/196
@@ -13,102 +17,40 @@ info:
     - https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
     - https://hackerone.com/reports/1154542
     - https://nvd.nist.gov/vuln/detail/CVE-2021-22205
+    - https://mp.weixin.qq.com/s/4QT-vxKpBn4ppNM9ipt-nQ
+  tags: oast,intrusive,hackerone,cve,cve2021,gitlab,rce,kev
 
+set:
+    randbody: randomLowercase(32)
+    rboundary: randomLowercase(8)
 rules:
     r0:
         request:
             method: GET
             path: /users/sign_in
             follow_redirects: true
-        expression: >
-            response.body.bcontains(b"015d088713b23c749d8be0118caeb21039491d9812c75c913f48d53559ab09df") ||
-            response.body.bcontains(b"02aa9533ec4957bb01d206d6eaa51d762c7b7396362f0f7a3b5fb4dd6088745b") ||
-            response.body.bcontains(b"051048a171ccf14f73419f46d3bd8204aa3ed585a72924faea0192f53d42cfce") ||
-            response.body.bcontains(b"08858ced0ff83694fb12cf155f6d6bf450dcaae7192ea3de8383966993724290") ||
-            response.body.bcontains(b"0993beabc8d2bb9e3b8d12d24989426b909921e20e9c6a704de7a5f1dfa93c59") ||
-            response.body.bcontains(b"0a5b4edebfcb0a7be64edc06af410a6fbc6e3a65b76592a9f2bcc9afea7eb753") ||
-            response.body.bcontains(b"1084266bd81c697b5268b47c76565aa86b821126a6b9fe6ea7b50f64971fc96f") ||
-            response.body.bcontains(b"14c313ae08665f7ac748daef8a70010d2ea9b52fd0cae594ffa1ffa5d19c43f4") ||
-            response.body.bcontains(b"1626b2999241b5a658bddd1446648ed0b9cc289de4cc6e10f60b39681a0683c4") ||
-            response.body.bcontains(b"20f01320ba570c73e01af1a2ceb42987bcb7ac213cc585c187bec2370cf72eb6") ||
-            response.body.bcontains(b"27d2c4c4e2fcf6e589e3e1fe85723537333b087003aa4c1d2abcf74d5c899959") ||
-            response.body.bcontains(b"292ca64c0c109481b0855aea6b883a588bd293c6807e9493fc3af5a16f37f369") ||
-            response.body.bcontains(b"2eaf7e76aa55726cc0419f604e58ee73c5578c02c9e21fdbe7ae887925ea92ae") ||
-            response.body.bcontains(b"30a9dffe86b597151eff49443097496f0d1014bb6695a2f69a7c97dc1c27828f") ||
-            response.body.bcontains(b"318ee33e5d14035b04832fa07c492cdf57788adda50bb5219ef75b735cbf00e2") ||
-            response.body.bcontains(b"33313f1ff2602ef43d945e57e694e747eb00344455ddb9b2544491a3af2696a1") ||
-            response.body.bcontains(b"335f8ed58266e502d415f231f6675a32bb35cafcbaa279baa2c0400d4a9872ac") ||
-            response.body.bcontains(b"34031b465d912c7d03e815c7cfaff77a3fa7a9c84671bb663026d36b1acd3f86") ||
-            response.body.bcontains(b"3407a4fd892e9d5024f3096605eb1e25cad75a8bf847d26740a1e6a77e45b087") ||
-            response.body.bcontains(b"340c31a75c5150c5e501ec143849adbed26fed0da5a5ee8c60fb928009ea3b86") ||
-            response.body.bcontains(b"38981e26a24308976f3a29d6e5e2beef57c7acda3ad0d5e7f6f149d58fd09d3d") ||
-            response.body.bcontains(b"3963d28a20085f0725884e2dbf9b5c62300718aa9c6b4b696c842a3f4cf75fcd") ||
-            response.body.bcontains(b"39b154eeefef684cb6d56db45d315f8e9bf1b2cc86cf24d8131c674521f5b514") ||
-            response.body.bcontains(b"39fdbd63424a09b5b065a6cc60c9267d3f49950bf1f1a7fd276fe1ece4a35c09") ||
-            response.body.bcontains(b"3b51a43178df8b4db108a20e93a428a889c20a9ed5f41067d1a2e8224740838e") ||
-            response.body.bcontains(b"3cbf1ae156fa85f16d4ca01321e0965db8cfb9239404aaf52c3cebfc5b4493fb") ||
-            response.body.bcontains(b"40d8ac21e0e120f517fbc9a798ecb5caeef5182e01b7e7997aac30213ef367b3") ||
-            response.body.bcontains(b"4448d19024d3be03b5ba550b5b02d27f41c4bdba4db950f6f0e7136d820cd9e1") ||
-            response.body.bcontains(b"450cbe5102fb0f634c533051d2631578c8a6bae2c4ef1c2e50d4bfd090ce3b54") ||
-            response.body.bcontains(b"455d114267e5992b858fb725de1c1ddb83862890fe54436ffea5ff2d2f72edc8") ||
-            response.body.bcontains(b"4568941e60dbfda3472e3f745cd4287172d4e6cce44bed85390af9e4e2112d0b") ||
-            response.body.bcontains(b"45b2cf643afd34888294a073bf55717ea00860d6a1dca3d301ded1d0040cac44") ||
-            response.body.bcontains(b"473ef436c59830298a2424616d002865f17bb5a6e0334d3627affa352a4fc117") ||
-            response.body.bcontains(b"4990bb27037f3d5f1bffc0625162173ad8043166a1ae5c8505aabe6384935ce2") ||
-            response.body.bcontains(b"4a081f9e3a60a0e580cad484d66fbf5a1505ad313280e96728729069f87f856e") ||
-            response.body.bcontains(b"4abc4e078df94075056919bd59aed6e7a0f95067039a8339b8f614924d8cb160") ||
-            response.body.bcontains(b"504940239aafa3b3a7b49e592e06a0956ecaab8dbd4a5ea3a8ffd920b85d42eb") ||
-            response.body.bcontains(b"52560ba2603619d2ff1447002a60dcb62c7c957451fb820f1894e1ce7c23821c") ||
-            response.body.bcontains(b"530a8dd34c18ca91a31fbae2f41d4e66e253db0343681b3c9640766bf70d8edf") ||
-            response.body.bcontains(b"5440e2dd89d3c803295cc924699c93eb762e75d42178eb3fe8b42a5093075c71") ||
-            response.body.bcontains(b"62e4cc014d9d96f9cbf443186289ffd9c41bdfe951565324891dcf38bcca5a51") ||
-            response.body.bcontains(b"64e10bc92a379103a268a90a7863903eacb56843d8990fff8410f9f109c3b87a") ||
-            response.body.bcontains(b"655ad8aea57bdaaad10ff208c7f7aa88c9af89a834c0041ffc18c928cc3eab1f") ||
-            response.body.bcontains(b"67ac5da9c95d82e894c9efe975335f9e8bdae64967f33652cd9a97b5449216d2") ||
-            response.body.bcontains(b"69a1b8e44ba8b277e3c93911be41b0f588ac7275b91a184c6a3f448550ca28ca") ||
-            response.body.bcontains(b"6ae610d783ba9a520b82263f49d2907a52090fecb3ac37819cea12b67e6d94fb") ||
-            response.body.bcontains(b"70ce56efa7e602d4b127087b0eca064681ecdd49b57d86665da8b081da39408b") ||
-            response.body.bcontains(b"7310c45f08c5414036292b0c4026f281a73cf8a01af82a81257dd343f378bbb5") ||
-            response.body.bcontains(b"73a21594461cbc9a2fb00fc6f94aec1a33ccf435a7d008d764ddd0482e08fc8d") ||
-            response.body.bcontains(b"77566acc818458515231d0a82c131a42890d771ea998b9f578dc38e0eb7e517f") ||
-            response.body.bcontains(b"78812856e55613c6803ecb31cc1864b7555bf7f0126d1dfa6f37376d37d3aeab") ||
-            response.body.bcontains(b"79837fd1939f90d58cc5a842a81120e8cecbc03484362e88081ebf3b7e3830e9") ||
-            response.body.bcontains(b"7b1dcbacca4f585e2cb98f0d48f008acfec617e473ba4fd88de36b946570b8b9") ||
-            response.body.bcontains(b"7f1c7b2bfaa6152740d453804e7aa380077636cad101005ed85e70990ec20ec5") ||
-            response.body.bcontains(b"81c5f2c7b2c0b0abaeb59585f36904031c21b1702c24349404df52834fbd7ad3") ||
-            response.body.bcontains(b"83dc10f687305b22e602ba806619628a90bd4d89be7c626176a0efec173ecff1") ||
-            response.body.bcontains(b"93ebf32a4bd988b808c2329308847edd77e752b38becc995970079a6d586c39b") ||
-            response.body.bcontains(b"969119f639d0837f445a10ced20d3a82d2ea69d682a4e74f39a48a4e7b443d5e") ||
-            response.body.bcontains(b"9b4e140fad97320405244676f1a329679808e02c854077f73422bd8b7797476b") ||
-            response.body.bcontains(b"9c095c833db4364caae1659f4e4dcb78da3b5ec5e9a507154832126b0fe0f08e") ||
-            response.body.bcontains(b"a0c92bafde7d93e87af3bc2797125cba613018240a9f5305ff949be8a1b16528") ||
-            response.body.bcontains(b"a9308f85e95b00007892d451fd9f6beabcd8792b4c5f8cd7524ba7e941d479c9") ||
-            response.body.bcontains(b"ac9b38e86b6c87bf8db038ae23da3a5f17a6c391b3a54ad1e727136141a7d4f5") ||
-            response.body.bcontains(b"ae0edd232df6f579e19ea52115d35977f8bdbfa9958e0aef2221d62f3a39e7d8") ||
-            response.body.bcontains(b"aeddf31361633b3d1196c6483f25c484855e0f243e7f7e62686a4de9e10ec03b") ||
-            response.body.bcontains(b"b50bfeb87fe7bb245b31a0423ccfd866ca974bc5943e568ce47efb4cd221d711") ||
-            response.body.bcontains(b"b64a1277a08c2901915525143cd0b62d81a37de0a64ec135800f519cb0836445") ||
-            response.body.bcontains(b"bb1565ffd7c937bea412482ed9136c6057be50356f1f901379586989b4dfe2ca") ||
-            response.body.bcontains(b"be9a23d3021354ec649bc823b23eab01ed235a4eb730fd2f4f7cdb2a6dee453a") ||
-            response.body.bcontains(b"bec9544b57b8b2b515e855779735ad31c3eacf65d615b4bfbd574549735111e7") ||
-            response.body.bcontains(b"bf1ba5d5d3395adc5bad6f17cc3cb21b3fb29d3e3471a5b260e0bc5ec7a57bc4") ||
-            response.body.bcontains(b"bf1c397958ee5114e8f1dadc98fa9c9d7ddb031a4c3c030fa00c315384456218") ||
-            response.body.bcontains(b"c8d8d30d89b00098edab024579a3f3c0df2613a29ebcd57cdb9a9062675558e4") ||
-            response.body.bcontains(b"c923fa3e71e104d50615978c1ab9fcfccfcbada9e8df638fc27bf4d4eb72d78c") ||
-            response.body.bcontains(b"d0850f616c5b4f09a7ff319701bce0460ffc17ca0349ad2cf7808b868688cf71") ||
-            response.body.bcontains(b"d161b6e25db66456f8e0603de5132d1ff90f9388d0a0305d2d073a67fd229ddb") ||
-            response.body.bcontains(b"d56f0577fbbbd6f159e9be00b274270cb25b60a7809871a6a572783b533f5a3c") ||
-            response.body.bcontains(b"d812b9bf6957fafe35951054b9efc5be6b10c204c127aa5a048506218c34e40f") ||
-            response.body.bcontains(b"dc6b3e9c0fad345e7c45a569f4c34c3e94730c33743ae8ca055aa6669ad6ac56") ||
-            response.body.bcontains(b"def1880ada798c68ee010ba2193f53a2c65a8981871a634ae7e18ccdcd503fa3") ||
-            response.body.bcontains(b"e2578590390a9eb10cd65d130e36503fccb40b3921c65c160bb06943b2e3751a") ||
-            response.body.bcontains(b"e4b6f040fe2e04c86ed1f969fc72710a844fe30c3501b868cb519d98d1fe3fd0") ||
-            response.body.bcontains(b"eb078ffe61726e3898dc9d01ea7955809778bde5be3677d907cbd3b48854e687") ||
-            response.body.bcontains(b"ec9dfedd7bd44754668b208858a31b83489d5474f7606294f6cc0128bb218c6d") ||
-            response.body.bcontains(b"ed4780bb05c30e3c145419d06ad0ab3f48bd3004a90fb99601f40c5b6e1d90fd") ||
-            response.body.bcontains(b"ef53a4f4523a4a0499fb892d9fb5ddb89318538fef33a74ce0bf54d25777ea83") ||
-            response.body.bcontains(b"f154ef27cf0f1383ba4ca59531058312b44c84d40938bc8758827023db472812") ||
-            response.body.bcontains(b"f7d1309f3caef67cb63bd114c85e73b323a97d145ceca7d6ef3c1c010078c649") ||
-            response.body.bcontains(b"f9ab217549b223c55fa310f2007a8f5685f9596c579f5c5526e7dcb204ba0e11")
-    
-expression: r0()
+        expression: 'response.status == 200 && "csrf-token\" content=\"(.*?)\"".bmatches(response.body)'
+        output:
+            search: '"csrf-token\" content=\"(?P<token>.*?)\"".bsubmatch(response.body)'
+            token: search["token"]
+            search1: '"Set-Cookie: (?P<cookie>.*?);".bsubmatch(response.raw_header)'
+            cookie: search1["cookie"]
+    r1:
+        request:
+            method: POST
+            path: /uploads/user
+            headers: 
+                Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
+                X-CSRF-Token: "{{token}}"
+                Cookie: "{{cookie}}"
+            follow_redirects: true
+            body: "\
+                ------WebKitFormBoundary{{rboundary}}\r\n\
+                Content-Disposition: form-data; name=\"file\";filename=\"test.jpg\"\r\n\
+                Content-Type: image/jpeg\r\n\
+                \r\n\
+                {{randbody}}\r\n\
+                ------WebKitFormBoundary{{rboundary}}--\r\n\
+                "
+        expression: response.status == 422 && response.body.bcontains(b'Failed to process image')
+expression: r0() && r1()
diff --git a/pocs/afrog-pocs/CVE/2023/CVE-2023-28432.yaml b/pocs/afrog-pocs/CVE/2023/CVE-2023-28432.yaml
@@ -8,7 +8,7 @@ info:
   expression: |
     Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.
     fofa: app="minio"
-  solutions: RELEASE.2019-12-17T23-16-33Z <= MinIo < RELEASE.2023-03-20T20-16-18Z
+  affected: RELEASE.2019-12-17T23-16-33Z <= MinIo < RELEASE.2023-03-20T20-16-18Z
   reference:
     - https://mp.weixin.qq.com/s/JSGlEsTrahnBLIwIW-DD5Q
     - https://mp.weixin.qq.com/s/jCQC3Z9RdkHzPwsouurIGA

diff --git a/...-pocs/fingerprint/h3c-hci-management.yaml → ...cs/fingerprinting/h3c-hci-management.yaml b/...-pocs/fingerprint/h3c-hci-management.yaml → ...cs/fingerprinting/h3c-hci-management.yaml
diff --git a/...p/afrog-pocs/fingerprint/taihe-panel.yaml → ...frog-pocs/fingerprinting/taihe-panel.yaml b/...p/afrog-pocs/fingerprint/taihe-panel.yaml → ...frog-pocs/fingerprinting/taihe-panel.yaml
diff --git a/...frog-pocs/fingerprint/tianjing-panel.yaml → ...g-pocs/fingerprinting/tianjing-panel.yaml b/...frog-pocs/fingerprint/tianjing-panel.yaml → ...g-pocs/fingerprinting/tianjing-panel.yaml
diff --git a/...afrog-pocs/fingerprint/tianyue-panel.yaml → ...og-pocs/fingerprinting/tianyue-panel.yaml b/...afrog-pocs/fingerprint/tianyue-panel.yaml → ...og-pocs/fingerprinting/tianyue-panel.yaml
diff --git a/...lity/yonyou-nccloud-uapjs-upload-rce.yaml → ...lity/yonyou-nccloud-uapjs-upload-rce.yaml b/...lity/yonyou-nccloud-uapjs-upload-rce.yaml → ...lity/yonyou-nccloud-uapjs-upload-rce.yaml
diff --git a/pocs/temp/afrog-pocs/version b/pocs/temp/afrog-pocs/version
@@ -1 +1 @@
-0.2.28
+0.2.29
diff --git a/pocs/v/afrog-pocs.zip b/pocs/v/afrog-pocs.zip
diff --git a/pocs/v/afrog.version b/pocs/v/afrog.version
@@ -1 +1 @@
-2.7.3
+2.7.5
diff --git a/pocs/v/version b/pocs/v/version
@@ -1 +1 @@
-0.2.28
+0.2.29