20240701

zan8in · Jul 1, 2024 · 8e503a1 · 8e503a1
1 parent 8d5b7db
commit 8e503a1
Show file tree

Hide file tree

Showing 9 changed files with 291 additions and 0 deletions.
diff --git a/poc.txt b/poc.txt
@@ -2058,6 +2058,7 @@
 ./poc/auth/canal-default-login-849.yaml
 ./poc/auth/canal-default-login.yaml
 ./poc/auth/cap-hookexkeylogger-malware.yaml
+./poc/auth/caprover-default-login.yaml
 ./poc/auth/captcha-code-authentication-198c2fa27cc518c127d49255679341f9.yaml
 ./poc/auth/captcha-code-authentication-c7faba710d318637d4639fc04a02d42a.yaml
 ./poc/auth/captcha-code-authentication.yaml
@@ -3119,6 +3120,7 @@
 ./poc/auth/jboss-default-password.yaml
 ./poc/auth/jboss-jbpm-default-login.yaml
 ./poc/auth/jboss-unauth.yaml
+./poc/auth/jeedom-default-login.yaml
 ./poc/auth/jeesite-default-login.yaml
 ./poc/auth/jenkins-credentials-disclosure.yml
 ./poc/auth/jenkins-default-login.yaml
@@ -6893,6 +6895,7 @@
 ./poc/config/extreme-netconfig-ui-7371.yaml
 ./poc/config/extreme-netconfig-ui-7372.yaml
 ./poc/config/extreme-netconfig-ui.yaml
+./poc/config/filestash-admin-config.yaml
 ./poc/config/find-config-7472.yaml
 ./poc/config/find-config-7473.yaml
 ./poc/config/find-config-xml.yaml
@@ -46166,6 +46169,7 @@
 ./poc/default/canal-default-login-848.yaml
 ./poc/default/canal-default-login-849.yaml
 ./poc/default/canal-default-login.yaml
+./poc/default/caprover-default-login.yaml
 ./poc/default/change-default-login-logo-url-and-title-fef61a56dbdca375b6c1f6da9b2473d7.yaml
 ./poc/default/change-default-login-logo-url-and-title.yaml
 ./poc/default/chinaunicom-default-login-906.yaml
@@ -46527,6 +46531,7 @@
 ./poc/default/iptime-default-login.yaml
 ./poc/default/jboss-default-password.yaml
 ./poc/default/jboss-jbpm-default-login.yaml
+./poc/default/jeedom-default-login.yaml
 ./poc/default/jeesite-default-login.yaml
 ./poc/default/jenkins-default-8270.yaml
 ./poc/default/jenkins-default-8271.yaml
@@ -49589,6 +49594,7 @@
 ./poc/exposed/flink-exposure-7509.yaml
 ./poc/exposed/flink-exposure-7510.yaml
 ./poc/exposed/flink-exposure.yaml
+./poc/exposed/forgejo-repo-exposure.yaml
 ./poc/exposed/ftp-credentials-exposure-7567.yaml
 ./poc/exposed/ftp-credentials-exposure-7568.yaml
 ./poc/exposed/ftp-credentials-exposure.yaml
@@ -76735,6 +76741,7 @@
 ./poc/other/pivotal-crm.yaml
 ./poc/other/pivotaltracker.yaml
 ./poc/other/pivotx.yaml
+./poc/other/piwigo-installer.yaml
 ./poc/other/piwigo-panel.yaml
 ./poc/other/piwigo.yaml
 ./poc/other/piwik-installer.yaml
@@ -77385,6 +77392,7 @@
 ./poc/other/postaffiliatepro-9ed24bf70201233fb5c59de83955e65e.yaml
 ./poc/other/postaffiliatepro.yaml
 ./poc/other/postcrossing.yaml
+./poc/other/poste-io-installer.yaml
 ./poc/other/posterous.yaml
 ./poc/other/posthog-admin-panel.yaml
 ./poc/other/postie-37af4fad5c12509e72c1ef2660c11a10.yaml

diff --git a/poc/auth/caprover-default-login.yaml b/poc/auth/caprover-default-login.yaml
@@ -0,0 +1,34 @@
+id: caprover-default-login
+
+info:
+  name: Caprover - Default Login
+  author: ritikchaddha
+  severity: high
+  description: |
+    Caprover defaultl login has been detected.
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: http.favicon.hash:988422585
+  tags: caprover,default-login,misconfig
+
+variables:
+  password: captain42
+
+http:
+  - raw:
+      - |
+        POST /api/v2/login HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+        x-namespace: captain
+
+        {"password":"{{password}}"}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains_all(body, "status\":100", "Login succeeded", "token\":")'
+          - 'contains(header, "application/json")'
+          - 'status_code == 200'
+        condition: and
diff --git a/poc/auth/jeedom-default-login.yaml b/poc/auth/jeedom-default-login.yaml
@@ -0,0 +1,46 @@
+id: jeedom-default-login
+
+info:
+  name: Jeedom - Default Login
+  author: ritikchaddha
+  severity: high
+  description: |
+    Jeedom default login has been detected.
+  metadata:
+    verified: true
+    max-request: 2
+    shodan-query: title:"Jeedom"
+  tags: jeedom,default-login,misconfig
+
+variables:
+  username: admin
+  password: admin
+
+http:
+  - raw:
+      - |
+        POST /core/ajax/user.ajax.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+        action=login&username={{username}}&password={{password}}&twoFactorCode=&storeConnection=0
+
+      - |
+        GET /index.php?v=d&p=dashboard HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body_1
+        words:
+          - 'state":"ok'
+          - 'result":'
+        condition: and
+
+      - type: word
+        part: body_2
+        words:
+          - "logout=1"
+          - "Plugins</span>"
+        condition: and
diff --git a/poc/config/filestash-admin-config.yaml b/poc/config/filestash-admin-config.yaml
@@ -0,0 +1,31 @@
+id: filestash-admin-config
+
+info:
+  name: Filestash Admin Password Configuration
+  author: DhiyaneshDK
+  severity: high
+  description: |
+    Filestash is susceptible to the Admin Password Configuration page exposure due to misconfiguration.
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: html:"<title>Admin Console</title>"
+  tags: exposure,filestash,config
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/admin/setup"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<title>Admin Console</title>'
+          - 'component-loader'
+        condition: and
+
+      - type: status
+        status:
+          - 200
diff --git a/poc/default/caprover-default-login.yaml b/poc/default/caprover-default-login.yaml
@@ -0,0 +1,34 @@
+id: caprover-default-login
+
+info:
+  name: Caprover - Default Login
+  author: ritikchaddha
+  severity: high
+  description: |
+    Caprover defaultl login has been detected.
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: http.favicon.hash:988422585
+  tags: caprover,default-login,misconfig
+
+variables:
+  password: captain42
+
+http:
+  - raw:
+      - |
+        POST /api/v2/login HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+        x-namespace: captain
+
+        {"password":"{{password}}"}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains_all(body, "status\":100", "Login succeeded", "token\":")'
+          - 'contains(header, "application/json")'
+          - 'status_code == 200'
+        condition: and
diff --git a/poc/default/jeedom-default-login.yaml b/poc/default/jeedom-default-login.yaml
@@ -0,0 +1,46 @@
+id: jeedom-default-login
+
+info:
+  name: Jeedom - Default Login
+  author: ritikchaddha
+  severity: high
+  description: |
+    Jeedom default login has been detected.
+  metadata:
+    verified: true
+    max-request: 2
+    shodan-query: title:"Jeedom"
+  tags: jeedom,default-login,misconfig
+
+variables:
+  username: admin
+  password: admin
+
+http:
+  - raw:
+      - |
+        POST /core/ajax/user.ajax.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+
+        action=login&username={{username}}&password={{password}}&twoFactorCode=&storeConnection=0
+
+      - |
+        GET /index.php?v=d&p=dashboard HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body_1
+        words:
+          - 'state":"ok'
+          - 'result":'
+        condition: and
+
+      - type: word
+        part: body_2
+        words:
+          - "logout=1"
+          - "Plugins</span>"
+        condition: and
diff --git a/poc/exposed/forgejo-repo-exposure.yaml b/poc/exposed/forgejo-repo-exposure.yaml
@@ -0,0 +1,32 @@
+id: forgejo-repo-exposure
+
+info:
+  name: Forgejo Repositories - Exposure
+  author: DhiyaneshDK
+  severity: medium
+  description: |
+    The Forgejo repo is being exposed publically.
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: html:"Forgejo"
+  tags: misconfig,exposure,forgejo
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/explore/repos"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'Powered by Forgejo'
+          - 'Explore</a>'
+          - 'Repositories'
+        condition: and
+
+      - type: status
+        status:
+          - 200
diff --git a/poc/other/piwigo-installer.yaml b/poc/other/piwigo-installer.yaml
@@ -0,0 +1,29 @@
+id: piwigo-installer
+
+info:
+  name: Piwigo Installation Page - Exposure
+  author: DhiyaneshDK
+  severity: high
+  description: |
+    Piwigo is susceptible to the Installation page exposure due to misconfiguration.
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: html:"Piwigo" html:"- Installation"
+  tags: misconfig,exposure,install,piwigo
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/install.php"
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - 'Piwigo ([0-9.]+) \- Installation'
+
+      - type: status
+        status:
+          - 200
diff --git a/poc/other/poste-io-installer.yaml b/poc/other/poste-io-installer.yaml
@@ -0,0 +1,31 @@
+id: poste-io-installer
+
+info:
+  name: Poste.io - Installer
+  author: DhiyaneshDK
+  severity: high
+  description: |
+    Poste.io is susceptible to the Installation page exposure due to misconfiguration.
+  metadata:
+    verified: true
+    max-request: 1
+    fofa-query: body="Initial server configuration"
+  tags: misconfig,exposure,poste-io,install
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/admin/install/server"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'Initial server configuration'
+          - 'poste'
+        condition: and
+
+      - type: status
+        status:
+          - 200