add check for Palo Alto no-cve RCE: https://blog.orange.tw/2019/07/at…
jcran committed Jul 17, 2019
1 parent c5980d4 commit 6ce2229
Showing 3 changed files with 146 additions and 104 deletions.
19 changes: 19 additions & 0 deletions lib/tasks/enrich/uri.rb
Expand Up @@ -212,6 +212,22 @@ def run


end end


###
### get the favicon & hash it
###
favicon_response = http_request(:get, "#{uri}/favicon.ico")
if favicon_response.code == "200"
favicon_data = Base64.strict_encode64(favicon_response.body)
favicon_md5 = Digest::MD5.hexdigest(favicon_response.body)
favicon_sha1 = Digest::SHA1.hexdigest(favicon_response.body)
# else
#
# try link in the body
# TODO... maybe this should be the other way around?
#
end


### ###
### Fingerprint the app server ### Fingerprint the app server
### ###
Expand Down Expand Up @@ -249,13 +265,16 @@ def run
"api_endpoint" => api_enabled, "api_endpoint" => api_enabled,
"code" => response.code, "code" => response.code,
"title" => title, "title" => title,
"favicon_md5" => favicon_md5,
"favicon_sha1" => favicon_sha1,
"generator" => generator_string, "generator" => generator_string,
"verbs" => verbs_enabled, "verbs" => verbs_enabled,
"scripts" => script_links, "scripts" => script_links,
"headers" => headers, "headers" => headers,
"cookies" => response.header['set-cookie'], "cookies" => response.header['set-cookie'],
"forms" => contains_forms, "forms" => contains_forms,
"response_data_hash" => response_data_hash, "response_data_hash" => response_data_hash,
"hidden_favicon_data" => favicon_data,
"hidden_response_data" => response.body, "hidden_response_data" => response.body,
"hidden_screenshot_contents" => encoded_screenshot, "hidden_screenshot_contents" => encoded_screenshot,
"javascript" => js_libraries, "javascript" => js_libraries,
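Review bot: `favicon_response.code == "200"` raises NoMethodError when http_request returns nil, which check_uri_exists in web.rb explicitly guards against with `return false unless response`; the same guard belongs here, `if favicon_response && favicon_response.code == "200"`. A server with a catch-all handler answers 200 with an HTML body for /favicon.ico, so the MD5/SHA1 would then fingerprint the error page rather than an icon; consider also requiring `favicon_response.header['content-type'].to_s.start_with?('image/')` before hashing and before base64-encoding the body into `hidden_favicon_data`. The `# else … try link in the body` TODO could be turned into a one-line comment stating the current behaviour (`# only /favicon.ico is tried; <link rel="icon"> in the page is not followed yet`) so readers of the entity details know why the hashes may be nil. `run` starts and ends outside the hunk.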
59 changes: 39 additions & 20 deletions lib/tasks/helpers/web.rb
Expand Up @@ -62,11 +62,11 @@ def make_http_requests_from_queue(uri, work_q, threads=1, create_url=false, crea
while request_details = work_q.pop(true) while request_details = work_q.pop(true)


request_uri = "#{uri}#{request_details[:path]}" request_uri = "#{uri}#{request_details[:path]}"
positive_regex = request_details[:regex]

# Do the check # Do the check
_log "Checking #{request_uri}" _log "Checking #{request_uri}"
result = check_uri_exists(request_uri, missing_page_test, missing_page_code, missing_page_content, positive_regex) # request details will have regexes if we want to check, so just pass it directly
result = check_uri_exists(request_uri, missing_page_test, missing_page_code, missing_page_content, request_details)


if result if result
# create a new entity for each one if we specified that # create a new entity for each one if we specified that
Expand Down Expand Up @@ -662,7 +662,7 @@ def download_and_extract_metadata(uri,extract_content=true)






def check_uri_exists(request_uri, missing_page_test, missing_page_code, missing_page_content, positive_regex=nil) def check_uri_exists(request_uri, missing_page_test, missing_page_code, missing_page_content, success_cases=nil)


to_return = false to_return = false


Expand All @@ -683,25 +683,44 @@ def check_uri_exists(request_uri, missing_page_test, missing_page_code, missing_
# make sure we have a valid response # make sure we have a valid response
return false unless response return false unless response


######### BEST CASE IS WHEN WE KNOW WHAT IT SHOULD LOOK LIKE ######### BEST CASE IS WHEN WE KNOW WHAT IT SHOULD LOOK LIKE
# if we have a positive regex, always check that first and just return it if it matches # if we have a positive regex, always check that first and just return it if it matches
if positive_regex if success_cases
if response.body =~ positive_regex
_log_good "Matched positive regex!!! #{positive_regex}" _log "Checking success cases: #{success_cases}"
return {
name: request_uri, if success_cases[:body_regex]
uri: request_uri, if response.body =~ success_cases[:body_regex]
response_code: response.code, _log_good "Matched positive body regex!!! #{success_cases[:body_regex]}"
response_body: response.body return {
} name: request_uri,
else uri: request_uri,
_log "Didn't match our positive regex, skipping" response_code: response.code,
return false response_body: response.body
}
else
_log "Didn't match our positive body regex, skipping"
return false
end
elsif success_cases[:header_regex]
response.each do |header|
_log "Checking header: '#{header}: #{response[header]}'"
if "#{header}: #{response[header]}" =~ success_cases[:header_regex] ### ALWAYS LOWERCASE!!!!
_log_good "Matched positive header regex!!! #{success_cases[:header_regex]}"
return {
name: request_uri,
uri: request_uri,
response_code: response.code,
response_body: response.body
}
end
end
return false
end end
end end
############## ##############

# otherwise fall through into our more generic checking. # otherwise fall through into our more generic checking.


# always check for content... # always check for content...
["404", "forbidden", "Request Rejected"].each do |s| ["404", "forbidden", "Request Rejected"].each do |s|
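Review bot: `elsif success_cases[:header_regex]` in check_uri_exists means a case that carries both `:body_regex` and `:header_regex` never evaluates the header regex, and a body miss returns false before the header is consulted; if the two are meant to be exclusive, say so in a comment above the `if`, otherwise run the header check after the body branch instead of in an `elsif`. Since make_http_requests_from_queue now passes `request_details` through unchanged and the old `:regex` key is read nowhere in this hunk, a queued request that still uses `:regex` presumably falls through silently to the generic 404 heuristics; an `else _log "No body_regex or header_regex in success cases, falling through"` branch would make that visible. The `### ALWAYS LOWERCASE!!!!` remark is the only statement of the header-name casing contract; a YARD block on check_uri_exists (`@param success_cases [Hash] optional :body_regex and :header_regex; header names are matched lower-cased as "name: value"`) would put it where callers look. check_uri_exists continues past the end of the hunk.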
