From a3900456ae7bc286440dd94cac8f820d373464d0 Mon Sep 17 00:00:00 2001
From: jcran
Date: Wed, 20 Mar 2019 17:53:58 -0500
Subject: [PATCH] Add splunk info disclosure
---
 lib/tasks/uri_brute_focused_content.rb | 6 +++++
 lib/tasks/uri_check_subdomain_hijack.rb | 35 +++++++++++++------------
 2 files changed, 24 insertions(+), 17 deletions(-)
diff --git a/lib/tasks/uri_brute_focused_content.rb b/lib/tasks/uri_brute_focused_content.rb
index 795584e91..927694f3f 100644
--- a/lib/tasks/uri_brute_focused_content.rb
+++ b/lib/tasks/uri_brute_focused_content.rb
@@ -128,6 +128,11 @@ def run
 #{ path: "/_vti_bin/", regex: nil },
 ]
+ splunk_list = [
+ { path: "/en-US/splunkd/__raw/services/server/info/server-info?output_mode=json",
+ regex: /os_name_extended/, severity: 4, status: "confirmed" },
+ ]
+
 # https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Insecure%20Management%20Interface
 spring_boot_list =[
 { path: "/trace", severity: 4, regex: nil, status: "potential" },
@@ -217,6 +222,7 @@ def run
 php_list.each { |x| work_q.push x } if is_product? "PHP"
 sharepoint_list.each { |x| work_q.push x } if is_product? "Sharepoint"
 sap_netweaver_list.each { |x| work_q.push x } if is_product? "NetWeaver"
+ splunk_list.each {|x| work_q.push x } if is_product? "Splunk"
 spring_boot_list.each { |x| work_q.push x } if is_product? "Spring Boot"
 tomcat_list.each { |x| work_q.push x } if is_product? "Tomcat"
 vmware_horizon_list.each { |x| work_q.push x } if (
diff --git a/lib/tasks/uri_check_subdomain_hijack.rb b/lib/tasks/uri_check_subdomain_hijack.rb
index c22e82e27..18a8eb39f 100644
--- a/lib/tasks/uri_check_subdomain_hijack.rb
+++ b/lib/tasks/uri_check_subdomain_hijack.rb
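Review bot: The new `splunk_list` entry reports `status: "confirmed"` on a bare substring match, `regex: /os_name_extended/`, and has no comment saying what the path exposes. The code that consumes `regex` and `status` is outside the hunk, but if a match is reported as confirmed without further triage, matching the JSON key itself, `regex: /"os_name_extended"\s*:/`, would stop an error page or documentation that merely mentions the string from confirming. A one-line comment above the list, such as `# Splunk server-info endpoint answering without authentication; discloses server details such as the OS name (ref: <ADVISORY-URL>)`, would mirror the reference comment that `spring_boot_list` already carries. `run` starts and ends outside the hunk.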
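Review bot: The added dispatch line in the second hunk writes its block as `{|x| work_q.push x }`, while every neighbouring line uses `{ |x| work_q.push x }`; `splunk_list.each { |x| work_q.push x } if is_product? "Splunk"` keeps the table uniform. It is also worth confirming that the `"Splunk"` string passed to `is_product?` is exactly what the fingerprinting step emits, because a mismatch would silently skip the check; `is_product?` itself is not visible in the hunk.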
@@ -26,23 +26,24 @@ def run
 uri = _get_entity_name
 response = http_request(:get, uri)
- if response =~ /The specified bucket does not exist/
- _hijackable_subdomain "AWS S3", uri, "potential"
- elsif response =~ /No such app/
- _hijackable_subdomain "Heroku", uri, "potential"
- elsif response =~ /No settings were found for this company:/
- _hijackable_subdomain "Help Scout", uri, "potential"
- elsif response =~ /We could not find what you're looking for./
- _hijackable_subdomain "Help Juice", uri, "potential"
- elsif response =~ /is not a registered InCloud YouTrack/
- _hijackable_subdomain "JetBrains", uri, "potential"
- elsif response =~ /Unrecognized domain/
- _hijackable_subdomain "Mashery", uri, "potential"
- elsif response =~ /Project doesnt exist... yet!/
- _hijackable_subdomain "Readme.io", uri, "potential"
- elsif response =~ /This domain is successfully pointed at WP Engine, but is not configured/
- _hijackable_subdomain "WPEngine", uri, "potential"
- end
+ if response =~ /The specified bucket does not exist/
+ _hijackable_subdomain "AWS S3", uri, "potential"
+ elsif response =~ /No such app/
+ _hijackable_subdomain "Heroku", uri, "potential"
+ elsif response =~ /No settings were found for this company:/
+ _hijackable_subdomain "Help Scout", uri, "potential"
+ elsif response =~ /We could not find what you're looking for./
+ _hijackable_subdomain "Help Juice", uri, "potential"
+ elsif response =~ /is not a registered InCloud YouTrack/
+ _hijackable_subdomain "JetBrains", uri, "potential"
+ elsif response =~ /Unrecognized domain/
+ _hijackable_subdomain "Mashery", uri, "potential"
+ elsif response =~ /Project doesnt exist... yet!/
+ _hijackable_subdomain "Readme.io", uri, "potential"
+ elsif response =~ /This domain is successfully pointed at WP Engine, but is not configured/
+ _hijackable_subdomain "WPEngine", uri, "potential"
+ end
+
 end #end run
 def _hijackable_subdomain type, uri, status