From 610b0336bc3e5bd88a6625ea01e7626abb75df79 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Heitor=20Gouv=C3=AAa?=
Date: Sun, 21 Jan 2024 17:57:15 -0300
Subject: [PATCH 1/2] Improving the code legibility and new modules for misconfig on s3 buckets (#84)
* add linter
* fix linter warnings
* add zarn
* new exploit
* Exploit for CVE-2021-24891, Dom XSS Elementor plugin of wordpress
* return to HTTP
* improve description on module
* update license year
* added uuid lib
* enable all rules of level 5 on linter
* dont follow redirects
* delete draft of a module
* new modules aroung aws s3 buckets
* add secret scanning in the pipeline
* Exploit for XSS vulnerability on grafana
* fix module/using new data source
---
 .config/modules.json | 42 ++++++++++++---
 .github/workflows/secret-scanning.yml | 39 ++++++++++++++
 .perlcriticrc | 5 +-
 cpanfile | 3 +-
 lib/Spellbook/Core/UserAgent.pm | 1 +
 lib/Spellbook/Exploit/S3_Misconfig.pm | 52 -------------------
 lib/Spellbook/Exploit/S3_Takeover.pm | 43 +++++++++++++++
 lib/Spellbook/Exploit/Upload_Via_PUT.pm | 46 ++++++++++++++++
 lib/Spellbook/Helper/CDN_Checker.pm | 8 +--
 .../Parser/{Bucket.pm => S3_Bucket.pm} | 2 +-
 10 files changed, 174 insertions(+), 67 deletions(-)
 create mode 100644 .github/workflows/secret-scanning.yml
 delete mode 100644 lib/Spellbook/Exploit/S3_Misconfig.pm
 create mode 100644 lib/Spellbook/Exploit/S3_Takeover.pm
 create mode 100644 lib/Spellbook/Exploit/Upload_Via_PUT.pm
 rename lib/Spellbook/Parser/{Bucket.pm => S3_Bucket.pm} (96%)
diff --git a/.config/modules.json b/.config/modules.json
index 8804ee4..283e2ac 100644
--- a/.config/modules.json
+++ b/.config/modules.json
@@ -206,9 +206,9 @@
 },
 {
 "id": "0035",
- "category": "exploit",
- "module": "S3_Misconfig",
- "description": "Upload files into AWS S3 Buckets with weak security policies"
+ "category": "parser",
+ "module": "S3_Bucket",
+ "description": "Extract the path of files from a S3 Bucket with object listing"
 },
 {
 "id": "0036",
@@ -238,7 +238,7 @@
 "id": "0040",
 "category": "exploit",
 "module": "Reflected_XSS",
- "description": ""
+ "description": "PoC"
 },
 {
 "id": "0041",
@@ -268,13 +268,13 @@
 "id": "0045",
 "category": "recon",
 "module": "Detect_Error",
- "description": ""
+ "description": "PoC"
 },
 {
 "id": "0046",
 "category": "exploit",
 "module": "DataBreach",
- "description": ""
+ "description": "PoC"
 },
 {
 "id": "0047",
@@ -299,6 +299,36 @@
 "category": "exploit",
 "module": "S3_Bucket_Takeover",
 "description": "Detection possible of takeover on AWS S3 Bucket resource"
+ },
+ {
+ "id": "0051",
+ "category": "exploit",
+ "module": "Upload_Via_PUT",
+ "description": ""
+ },
+ {
+ "id": "0052",
+ "category": "exploit",
+ "module": "Open_Redirect",
+ "description": "Detect application vulnerable"
+ },
+ {
+ "id": "0053",
+ "category": "exploit",
+ "module": "Dependency_Confusion",
+ "description": ""
+ },
+ {
+ "id": "0054",
+ "category": "parser",
+ "module": "Nozaki",
+ "description": ""
+ },
+ {
+ "id": "0055",
+ "category": "advisory",
+ "module": "CVE_2021_41174",
+ "description": "Exploit for XSS vulnerability on grafana"
 }
 ]
 }
\ No newline at end of file
diff --git a/.github/workflows/secret-scanning.yml b/.github/workflows/secret-scanning.yml
new file mode 100644
index 0000000..d76ec7f
--- /dev/null
+++ b/.github/workflows/secret-scanning.yml
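Review bot: Three of the five entries added in the `@@ -299` hunk (`Upload_Via_PUT`, `Dependency_Confusion`, `Nozaki`) are registered with `"description": ""`, and the earlier hunks replace other empty descriptions with the placeholder `"PoC"`, so the catalogue still does not say what those modules do. Give each a one-line description that matches the module's help text, e.g. for id 0051 `"description": "Detect web paths that accept file upload via HTTP PUT"`. Separately, id `0035` in the first hunk (line 1) now points at `parser/S3_Bucket` after having been `exploit/S3_Misconfig`; if anything outside this file refers to modules by id, reusing the number silently changes its meaning, and a fresh id would be safer.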
@@ -0,0 +1,39 @@
+name: Secret Scanning
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+
+permissions:
+ contents: read
+ id-token: write
+ issues: write
+ pull-requests: write
+
+jobs:
+ TruffleHog:
+ runs-on: ubuntu-latest
+ defaults:
+ run:
+ shell: bash
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Secret Scanning - TruffleHog
+ id: trufflehog
+ uses: trufflesecurity/trufflehog@main
+ continue-on-error: true
+ with:
+ path: ./
+ base: "${{ github.event.repository.default_branch }}"
+ head: HEAD
+ extra_args: --debug
+
+ - name: Scan Results Status
+ if: steps.trufflehog.outcome == 'failure'
+ run: exit 1
\ No newline at end of file
diff --git a/.perlcriticrc b/.perlcriticrc
index 729a0e0..8fe04ee 100644
--- a/.perlcriticrc
+++ b/.perlcriticrc
@@ -1,4 +1,3 @@
-only = 1
-include = ProhibitUnusedVariables ProhibitUnusedConstant ProhibitUnusedInclude ProhibitUnusedImport ProhibitUnreachableCode ProhibitComplexRegexes ProhibitDuplicatedSub ProhibitDuplicateHashKeys ProhibitUnusedPrivateSubroutines ProhibitUnlessBlocks RequireCamelCase ProhibitExcessiveColons ProhibitExplicitReturnUndef ProhibitTrailingWhitespace
+severity = 5
-# ProhibitTrailingWhitespace ProhibitMagicNumbers ProhibitHardTabs
\ No newline at end of file
+[-TestingAndDebugging::RequireUseStrict]
\ No newline at end of file
diff --git a/cpanfile b/cpanfile
index 9083ea7..046e7ff 100644
--- a/cpanfile
+++ b/cpanfile
@@ -4,4 +4,5 @@ requires "YAML::Tiny", "1.73";
 requires "Masscan::Scanner";
 requires "Net::DNS", "1.34";
 requires "WWW::Mechanize", "2.11";
-requires "Net::IP";
\ No newline at end of file
+requires "Net::IP";
+requires "UUID::Tiny", "1.04";
\ No newline at end of file
diff --git a/lib/Spellbook/Core/UserAgent.pm b/lib/Spellbook/Core/UserAgent.pm
index f83f845..2a748d2 100644
--- a/lib/Spellbook/Core/UserAgent.pm
+++ b/lib/Spellbook/Core/UserAgent.pm
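Review bot: `uses: trufflesecurity/trufflehog@main` on the TruffleHog step pins the action to a moving branch, so every run executes whatever that branch holds at the time and the job's `contents: read` token plus the checkout go to unreviewed code; pin it to a release tag or, better, a full commit SHA (`uses: trufflesecurity/trufflehog@<version-or-sha>`) the way `actions/checkout@v4` already is. The `permissions` block also grants `id-token: write`, `issues: write` and `pull-requests: write`, none of which a scan-then-`exit 1` job uses, so `contents: read` alone would do. On a `push` to `main`, `base` resolves to the default branch and `head` to `HEAD`, which are presumably the same commit, so the step may have nothing to diff on that event; confirm against the action's documentation whether `push` needs a different `base` or a full-history scan.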
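Review bot: `[-TestingAndDebugging::RequireUseStrict]` switches off one of the few severity-5 policies and nothing in the file records why, so the next maintainer has no way to tell whether it was a false positive (the modules in this patch put `use strict` inside a `package NAME { ... }` block, which looks like the likely cause) or a deliberate relaxation. Add a one-line comment above it stating the reason, e.g. `# RequireUseStrict disabled: <reason> -- TODO confirm it still fires on block-form packages`, so the exclusion can be re-evaluated when the linter is upgraded.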
@@ -14,6 +14,7 @@ package Spellbook::Core::UserAgent {
 );
 $userAgent -> default_headers -> push_header("Cache-Control" => "no-cache");
+ $userAgent -> max_redirect(0);
 return $userAgent;
 }
diff --git a/lib/Spellbook/Exploit/S3_Misconfig.pm b/lib/Spellbook/Exploit/S3_Misconfig.pm
deleted file mode 100644
index b819764..0000000
--- a/lib/Spellbook/Exploit/S3_Misconfig.pm
+++ /dev/null
@@ -1,52 +0,0 @@
-package Spellbook::Exploit::S3_Misconfig {
- use strict;
- use warnings;
- use Amazon::S3;
-
- # https://metacpan.org/pod/Net::Amazon::S3
- # https://metacpan.org/pod/AWS::S3
- # https://metacpan.org/pod/Amazon::S3
-
- sub new {
- my ($self, $parameters) = @_;
- my ($help, $target);
-
- Getopt::Long::GetOptionsFromArray (
- $parameters,
- "h|help" => \$help,
- "t|target=s" => \$target
- );
-
- if ($target) {
- my $s3 = Amazon::S3 -> new (
- aws_access_key_id => "spellbook",
- aws_secret_access_key => "spellbook",
- );
-
- my $bucket = $s3 -> bucket($target);
-
- my $success = $bucket -> add_key("./lib/Spellbook/Exploit/S3_Misconfig.pm", "spellbook.txt");
-
- if ($success) {
- $bucket -> delete_key("spellbook.txt");
-
- return "Bucket is publicly writable!";
- }
-
- return "Bucket is not publicly writable.";
- }
-
- if ($help) {
- return "
- \rExploit::S3_Misconfig
- \r=======================
- \r-h, --help See this menu
- \r-t, --target Define a aws s3 bucket
- ";
- }
-
- return 0;
- }
-}
-
-1;
\ No newline at end of file
diff --git a/lib/Spellbook/Exploit/S3_Takeover.pm b/lib/Spellbook/Exploit/S3_Takeover.pm
new file mode 100644
index 0000000..d264015
--- /dev/null
+++ b/lib/Spellbook/Exploit/S3_Takeover.pm
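Review bot: `$userAgent -> max_redirect(0);` changes the behaviour of every module that goes through `Spellbook::Core::UserAgent`: a target that answers 301/302 is now returned as that response, so checks such as `code() == 200` in `Upload_Via_PUT.pm` (line 6) and `code() == 404` in `S3_Takeover.pm` (line 5) report nothing for hosts that redirect `http` to `https` or to a canonical path, and neither module reads `Location`. State the intent at the call site, e.g. `# Do not follow redirects: modules inspect the first response (status, Location) themselves`, and audit callers that test for a specific status. The constructor this line belongs to starts before the hunk.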
@@ -0,0 +1,43 @@
+package Spellbook::Exploit::S3_Bucket_Takeover {
+ use strict;
+ use warnings;
+ use Spellbook::Core::UserAgent;
+
+ sub new {
+ my ($self, $parameters) = @_;
+ my ($help, $target, @result);
+
+ Getopt::Long::GetOptionsFromArray (
+ $parameters,
+ "h|help" => \$help,
+ "t|target=s" => \$target
+ );
+
+ if ($target) {
+ if ($target !~ /^http(s)?:\/\//) {
+ $target = "https://$target";
+ }
+
+ my $userAgent = Spellbook::Core::UserAgent -> new();
+ my $request = $userAgent -> get($target);
+
+ if ($request -> code() == 404 && $request-> content() =~ m/Code: NoSuchBucket/) {
+ push @result, $target;
+ }
+
+ return @result;
+ }
+
+ if ($help) {
+ return "
+ \rExploit::S3_Bucket_Takeover
+ \r=====================
+ \r-h, --help See this menu
+ \r-t, --target Check the possibility to takeover an s3 resource\n";
+ }
+
+ return 0;
+ }
+}
+
+1;
\ No newline at end of file
diff --git a/lib/Spellbook/Exploit/Upload_Via_PUT.pm b/lib/Spellbook/Exploit/Upload_Via_PUT.pm
new file mode 100644
index 0000000..66f12d2
--- /dev/null
+++ b/lib/Spellbook/Exploit/Upload_Via_PUT.pm
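Review bot: The file is `lib/Spellbook/Exploit/S3_Takeover.pm` but its first line declares `package Spellbook::Exploit::S3_Bucket_Takeover`, so `require Spellbook::Exploit::S3_Takeover` loads a file that never defines that package, and loading `Spellbook::Exploit::S3_Bucket_Takeover` by name does not find this file at all; `modules.json` (line 2) already lists id 0050 as `S3_Bucket_Takeover` before this commit, which suggests a module of that name exists and this file redeclares its package. Rename the file or the package so they agree and drop whichever copy is the duplicate. `Getopt::Long::GetOptionsFromArray` is called here and in `Upload_Via_PUT.pm` (line 6) with no `use Getopt::Long;` in either file, which only works while some earlier module has loaded it; the deleted `S3_Misconfig.pm` had the same omission. The `!~ /^http(s)?:\/\//` test in both files keeps a capture nothing reads; `m{^https?://}` says the same without it.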
@@ -0,0 +1,46 @@
+package Spellbook::Exploit::Upload_Via_PUT {
+ use strict;
+ use warnings;
+ use Spellbook::Core::UserAgent;
+ use Spellbook::Helper::Generate_UUID;
+
+ sub new {
+ my ($self, $parameters) = @_;
+ my ($help, $target, @result);
+
+ Getopt::Long::GetOptionsFromArray (
+ $parameters,
+ "h|help" => \$help,
+ "t|target=s" => \$target
+ );
+
+ if ($target) {
+ if ($target !~ /^http(s)?:\/\//) {
+ $target = "https://$target";
+ }
+
+ my $userAgent = Spellbook::Core::UserAgent -> new();
+ my @uuid = Spellbook::Helper::Generate_UUID -> new(["--version" => 4]);
+ my $upload = $userAgent -> put("$target/$uuid[0].txt", Content => "$uuid[0]");
+ my $request = $userAgent -> get("$target/$uuid[0].txt");
+
+ if (($request -> code() == 200) && ($request -> content() eq "$uuid[0]")) {
+ push @result, "$target/$uuid[0].txt\n";
+ }
+
+ return @result;
+ }
+
+ if ($help) {
+ return "
+ \rRecon::Explioit
+ \r=====================
+ \r-h, --help See this menu
+ \r-t, --target Define\n\n";
+ }
+
+ return 0;
+ }
+}
+
+1;
\ No newline at end of file
diff --git a/lib/Spellbook/Helper/CDN_Checker.pm b/lib/Spellbook/Helper/CDN_Checker.pm
index 0b8c89a..e804201 100644
--- a/lib/Spellbook/Helper/CDN_Checker.pm
+++ b/lib/Spellbook/Helper/CDN_Checker.pm
@@ -20,17 +20,17 @@ package Spellbook::Helper::CDN_Checker {
 my $ip = Spellbook::Recon::Get_IP -> new (["--target" => $target]);
 if ($ip) {
- my $cnd_list = "https://cdn.nuclei.sh";
+ my $cnd_list = "https://raw.githubusercontent.com/projectdiscovery/cdncheck/main/cmd/generate-index/sources_data.json";
 my $useragent = Spellbook::Core::UserAgent -> new ();
 my $request = $useragent -> get($cnd_list);
 if ($request -> code == 200) {
- my $content = decode_json($request -> content);
-
+ my $data = decode_json($request -> content);
+ my $content = $data -> {"cdn"};
+ for (keys %{$content}) { for (@{$content -> {$_}}) { my $range = Net::IP -> new($_); - my $value = Net::IP -> new($ip); my $match = $range -> overlaps($value);
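Review bot: `$upload` receives the PUT response but is never read, so a 403/405/411 from the target still leads to the follow-up GET and the module cannot distinguish a rejected upload from a successful one except through that GET; test it first, `return @result unless $upload -> is_success();`, and consider recording the PUT status alongside the path. The deleted `S3_Misconfig.pm` (line 4) removed the test object it had written, whereas this module leaves `$uuid[0].txt` on the target and keeps no record beyond the pushed path, which the help text should at least state so an operator knows to clean it up. That help text currently reads `\rRecon::Explioit` and `\r-t, --target Define`; it should name this module, `\rExploit::Upload_Via_PUT`, and describe the option, e.g. `\r-t, --target Base URL whose path is tested for writable HTTP PUT`. The pushed result also carries a trailing `\n`, unlike `S3_Takeover.pm` (line 5), which pushes the bare target; callers that join results will get inconsistent output.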
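Review bot: `my $content = $data -> {"cdn"};` is dereferenced as a hash on the following `for (keys %{$content})` with no check that the key exists or holds a hash, so if the remote JSON lacks `cdn` or changes shape the module dies under `use strict` with "Can't use an undefined value as a HASH reference" instead of returning a result; guard it with something like `return 0 unless ref $content eq 'HASH';` using whatever this sub returns on failure (its start and end lie outside the hunk). The new `$cnd_list` URL fetches `sources_data.json` from the `main` branch of a third-party repository at run time, so the CDN classification can change between two runs and the module trusts whatever that branch serves; pinning the URL to a commit SHA, or vendoring the file with the project, gives reproducible results and a reviewable update path. The nested `for (keys %{$content})` / `for (@{$content -> {$_}})` loops both rely on `$_`, so naming the loop variables (`for my $provider (...)`, `for my $cidr (...)`) would make the `$_` passed to `Net::IP -> new` unambiguous.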
diff --git a/lib/Spellbook/Parser/Bucket.pm b/lib/Spellbook/Parser/S3_Bucket.pm
similarity index 96%
rename from lib/Spellbook/Parser/Bucket.pm
rename to lib/Spellbook/Parser/S3_Bucket.pm
index ca85fd2..011cab8 100644
--- a/lib/Spellbook/Parser/Bucket.pm
+++ b/lib/Spellbook/Parser/S3_Bucket.pm
@@ -1,4 +1,4 @@
-package Spellbook::Parser::Bucket {
+package Spellbook::Parser::S3_Bucket {
 use strict;
 use warnings;
 use XML::Simple;
From 7f4701db32f965a0dc39bdc7bcbafeec0eae6443 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Heitor=20Gouv=C3=AAa?=
Date: Wed, 24 Jan 2024 10:47:39 -0300
Subject: [PATCH 2/2] New things! Lets go! (#85)
* add linter
* fix linter warnings
* add zarn
* new exploit
* Exploit for CVE-2021-24891, Dom XSS Elementor plugin of wordpress
* return to HTTP
* improve description on module
* update license year
* added uuid lib
* enable all rules of level 5 on linter
* dont follow redirects
* delete draft of a module
* new modules aroung aws s3 buckets
* add secret scanning in the pipeline
* Exploit for XSS vulnerability on grafana
* fix module/using new data source
* move linter.yml
---
 .github/{ => workflows}/linter.yml | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename .github/{ => workflows}/linter.yml (100%)
diff --git a/.github/linter.yml b/.github/workflows/linter.yml
similarity index 100%
rename from .github/linter.yml
rename to .github/workflows/linter.yml