
add check for Palo Alto no-cve RCE: https://blog.orange.tw/2019/07/at…

jcran committed Jul 17, 2019
1 parent c5980d4 commit 6ce222984e69df560d17bc92092c57dfe067ee0b
Showing with 146 additions and 104 deletions.
  1. +19 −0 lib/tasks/enrich/uri.rb
  2. +39 −20 lib/tasks/helpers/web.rb
  3. +88 −84 lib/tasks/uri_brute_focused_content.rb
@@ -212,6 +212,22 @@ def run

end

###
### get the favicon & hash it
###
favicon_response = http_request(:get, "#{uri}/favicon.ico")
if favicon_response.code == "200"
favicon_data = Base64.strict_encode64(favicon_response.body)
favicon_md5 = Digest::MD5.hexdigest(favicon_response.body)
favicon_sha1 = Digest::SHA1.hexdigest(favicon_response.body)
# else
#
# try link in the body
# TODO... maybe this should be the other way around?
#
end


###
### Fingerprint the app server
###
@@ -249,13 +265,16 @@ def run
"api_endpoint" => api_enabled,
"code" => response.code,
"title" => title,
"favicon_md5" => favicon_md5,
"favicon_sha1" => favicon_sha1,
"generator" => generator_string,
"verbs" => verbs_enabled,
"scripts" => script_links,
"headers" => headers,
"cookies" => response.header['set-cookie'],
"forms" => contains_forms,
"response_data_hash" => response_data_hash,
"hidden_favicon_data" => favicon_data,
"hidden_response_data" => response.body,
"hidden_screenshot_contents" => encoded_screenshot,
"javascript" => js_libraries,
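Review bot: `favicon_response.code` in the first hunk is evaluated with no nil guard, and the same commit's `check_uri_exists` treats a nil response from its HTTP call as a normal outcome (`return false unless response`), so if `http_request` can return nil on a failed fetch the favicon step would raise NoMethodError and abort the whole enrich pass instead of just leaving the favicon fields empty. Guard it as `if favicon_response && favicon_response.code == "200"`. On the miss path the three favicon locals read in the second hunk remain nil, which the hash literal there already tolerates. Both hunks sit inside `run`, whose start and end are outside the diff.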
@@ -62,11 +62,11 @@ def make_http_requests_from_queue(uri, work_q, threads=1, create_url=false, crea
while request_details = work_q.pop(true)

request_uri = "#{uri}#{request_details[:path]}"
positive_regex = request_details[:regex]


# Do the check
_log "Checking #{request_uri}"
result = check_uri_exists(request_uri, missing_page_test, missing_page_code, missing_page_content, positive_regex)
# request details will have regexes if we want to check, so just pass it directly
result = check_uri_exists(request_uri, missing_page_test, missing_page_code, missing_page_content, request_details)

if result
# create a new entity for each one if we specified that
@@ -662,7 +662,7 @@ def download_and_extract_metadata(uri,extract_content=true)



def check_uri_exists(request_uri, missing_page_test, missing_page_code, missing_page_content, positive_regex=nil)
def check_uri_exists(request_uri, missing_page_test, missing_page_code, missing_page_content, success_cases=nil)

to_return = false

@@ -683,25 +683,44 @@ def check_uri_exists(request_uri, missing_page_test, missing_page_code, missing_
# make sure we have a valid response
return false unless response

######### BEST CASE IS WHEN WE KNOW WHAT IT SHOULD LOOK LIKE
######### BEST CASE IS WHEN WE KNOW WHAT IT SHOULD LOOK LIKE
# if we have a positive regex, always check that first and just return it if it matches
if positive_regex
if response.body =~ positive_regex
_log_good "Matched positive regex!!! #{positive_regex}"
return {
name: request_uri,
uri: request_uri,
response_code: response.code,
response_body: response.body
}
else
_log "Didn't match our positive regex, skipping"
return false
if success_cases

_log "Checking success cases: #{success_cases}"

if success_cases[:body_regex]
if response.body =~ success_cases[:body_regex]
_log_good "Matched positive body regex!!! #{success_cases[:body_regex]}"
return {
name: request_uri,
uri: request_uri,
response_code: response.code,
response_body: response.body
}
else
_log "Didn't match our positive body regex, skipping"
return false
end
elsif success_cases[:header_regex]
response.each do |header|
_log "Checking header: '#{header}: #{response[header]}'"
if "#{header}: #{response[header]}" =~ success_cases[:header_regex] ### ALWAYS LOWERCASE!!!!
_log_good "Matched positive header regex!!! #{success_cases[:header_regex]}"
return {
name: request_uri,
uri: request_uri,
response_code: response.code,
response_body: response.body
}
end
end
return false
end
end
##############

# otherwise fall through into our more generic checking.
##############
# otherwise fall through into our more generic checking.

# always check for content...
["404", "forbidden", "Request Rejected"].each do |s|
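Review bot: The `elsif success_cases[:header_regex]` branch in the last hunk means a request that supplies both `:body_regex` and `:header_regex` only ever has its body checked, and a `success_cases` hash with neither key — which is now every queue entry, since `make_http_requests_from_queue` passes the whole `request_details` hash — logs "Checking success cases" and then silently drops into the generic 404/forbidden heuristics below. If a request with explicit success cases is meant to be strict, add `return false` after the two branches; if the fall-through is intended, say so on the `if success_cases` line, e.g. `# no :body_regex/:header_regex → fall through to the generic checks`. The two positive branches also build the same four-key result hash, which could live in one local lambda so the match shape is defined once. `check_uri_exists` continues past the end of the hunk.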
