Improving the code legibility and new modules for misconfig on s3 buc…

…kets (#84) * add linter * fix linter warnings * add zarn * new exploit * Exploit for CVE-2021-24891, Dom XSS Elementor plugin of wordpress * return to HTTP * improve description on module * update license year * added uuid lib * enable all rules of level 5 on linter * dont follow redirects * delete draft of a module * new modules aroung aws s3 buckets * add secret scanning in the pipeline * Exploit for XSS vulnerability on grafana * fix module/using new data source
htrgouvea · Jan 21, 2024 · 610b033 · 610b033
1 parent a743540
commit 610b033
Show file tree

Hide file tree

Showing 10 changed files with 174 additions and 67 deletions.
diff --git a/.config/modules.json b/.config/modules.json
@@ -206,9 +206,9 @@
         },
         {
             "id": "0035",
-            "category": "exploit",
-            "module": "S3_Misconfig",
-            "description": "Upload files into AWS S3 Buckets with weak security policies"
+            "category": "parser",
+            "module": "S3_Bucket",
+            "description": "Extract the path of files from a S3 Bucket with object listing"
         },
         {
             "id": "0036",
@@ -238,7 +238,7 @@
             "id": "0040",
             "category": "exploit",
             "module": "Reflected_XSS",
-            "description": ""
+            "description": "PoC"
         },
         {  
             "id": "0041",
@@ -268,13 +268,13 @@
             "id": "0045",
             "category": "recon",
             "module": "Detect_Error",
-            "description": ""
+            "description": "PoC"
         },
         {  
             "id": "0046",
             "category": "exploit",
             "module": "DataBreach",
-            "description": ""
+            "description": "PoC"
         },
         {  
             "id": "0047",
@@ -299,6 +299,36 @@
             "category": "exploit",
             "module": "S3_Bucket_Takeover",
             "description": "Detection possible of takeover on AWS S3 Bucket resource"
+        },
+        {  
+            "id": "0051",
+            "category": "exploit",
+            "module": "Upload_Via_PUT",
+            "description": ""
+        },
+        {
+            "id": "0052",
+            "category": "exploit",
+            "module": "Open_Redirect",
+            "description": "Detect application vulnerable"
+        },
+        {
+            "id": "0053",
+            "category": "exploit",
+            "module": "Dependency_Confusion",
+            "description": ""
+        },
+        {
+            "id": "0054",
+            "category": "parser",
+            "module": "Nozaki",
+            "description": ""
+        },
+        {
+            "id": "0055",
+            "category": "advisory",
+            "module": "CVE_2021_41174",
+            "description": "Exploit for XSS vulnerability on grafana"
         }
     ]
 }
diff --git a/.github/workflows/secret-scanning.yml b/.github/workflows/secret-scanning.yml
@@ -0,0 +1,39 @@
+name: Secret Scanning
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+permissions:
+  contents: read
+  id-token: write
+  issues: write
+  pull-requests: write
+
+jobs:
+  TruffleHog:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Secret Scanning - TruffleHog
+        id: trufflehog
+        uses: trufflesecurity/trufflehog@main
+        continue-on-error: true
+        with:
+          path: ./
+          base: "${{ github.event.repository.default_branch }}"
+          head: HEAD
+          extra_args: --debug
+
+      - name: Scan Results Status
+        if: steps.trufflehog.outcome == 'failure'
+        run: exit 1
diff --git a/.perlcriticrc b/.perlcriticrc
@@ -1,4 +1,3 @@
-only = 1
-include = ProhibitUnusedVariables ProhibitUnusedConstant ProhibitUnusedInclude ProhibitUnusedImport ProhibitUnreachableCode ProhibitComplexRegexes ProhibitDuplicatedSub ProhibitDuplicateHashKeys ProhibitUnusedPrivateSubroutines ProhibitUnlessBlocks RequireCamelCase ProhibitExcessiveColons ProhibitExplicitReturnUndef ProhibitTrailingWhitespace
+severity = 5
 
-# ProhibitTrailingWhitespace ProhibitMagicNumbers ProhibitHardTabs
+[-TestingAndDebugging::RequireUseStrict]
diff --git a/cpanfile b/cpanfile
@@ -4,4 +4,5 @@ requires "YAML::Tiny", "1.73";
 requires "Masscan::Scanner";
 requires "Net::DNS", "1.34";
 requires "WWW::Mechanize", "2.11";
-requires "Net::IP";
+requires "Net::IP";
+requires "UUID::Tiny", "1.04";
diff --git a/lib/Spellbook/Core/UserAgent.pm b/lib/Spellbook/Core/UserAgent.pm
@@ -14,6 +14,7 @@ package Spellbook::Core::UserAgent {
         );
 
         $userAgent -> default_headers -> push_header("Cache-Control" => "no-cache");
+        $userAgent -> max_redirect(0);
 
         return $userAgent;
     }

diff --git a/lib/Spellbook/Exploit/S3_Misconfig.pm b/lib/Spellbook/Exploit/S3_Misconfig.pm
diff --git a/lib/Spellbook/Exploit/S3_Takeover.pm b/lib/Spellbook/Exploit/S3_Takeover.pm
@@ -0,0 +1,43 @@
+package Spellbook::Exploit::S3_Bucket_Takeover {
+    use strict;
+    use warnings;
+    use Spellbook::Core::UserAgent;
+
+    sub new {
+        my ($self, $parameters) = @_;
+        my ($help, $target, @result);
+
+        Getopt::Long::GetOptionsFromArray (
+            $parameters,
+            "h|help"     => \$help,
+            "t|target=s" => \$target
+        );
+
+        if ($target) {
+            if ($target !~ /^http(s)?:\/\//) {
+                $target = "https://$target";
+            }
+
+            my $userAgent = Spellbook::Core::UserAgent -> new();
+            my $request = $userAgent -> get($target);
+
+            if ($request -> code() == 404 && $request-> content() =~ m/Code: NoSuchBucket/) {
+                push @result, $target;
+            }
+
+            return @result;
+        } 
+
+        if ($help) {
+            return "
+                \rExploit::S3_Bucket_Takeover
+                \r=====================
+                \r-h, --help     See this menu
+                \r-t, --target   Check the possibility to takeover an s3 resource\n";
+        }
+
+        return 0;
+    }
+}
+
+1;
diff --git a/lib/Spellbook/Exploit/Upload_Via_PUT.pm b/lib/Spellbook/Exploit/Upload_Via_PUT.pm
@@ -0,0 +1,46 @@
+package Spellbook::Exploit::Upload_Via_PUT {
+    use strict;
+    use warnings;
+    use Spellbook::Core::UserAgent;
+    use Spellbook::Helper::Generate_UUID;
+
+    sub new {
+        my ($self, $parameters) = @_;
+        my ($help, $target, @result);
+
+        Getopt::Long::GetOptionsFromArray (
+            $parameters,
+            "h|help"     => \$help,
+            "t|target=s" => \$target
+        );
+
+        if ($target) {
+            if ($target !~ /^http(s)?:\/\//) {
+                $target = "https://$target";
+            }
+
+            my $userAgent = Spellbook::Core::UserAgent -> new();
+            my @uuid      = Spellbook::Helper::Generate_UUID -> new(["--version" => 4]);
+            my $upload    = $userAgent -> put("$target/$uuid[0].txt", Content => "$uuid[0]");
+            my $request   = $userAgent -> get("$target/$uuid[0].txt");
+
+            if (($request -> code() == 200) && ($request -> content() eq "$uuid[0]")) {
+                push @result, "$target/$uuid[0].txt\n";
+            }
+
+            return @result;
+        }
+
+        if ($help) {
+            return "
+                \rRecon::Explioit
+                \r=====================
+                \r-h, --help     See this menu
+                \r-t, --target   Define\n\n";
+        }
+
+        return 0;
+    }
+}
+
+1;
diff --git a/lib/Spellbook/Helper/CDN_Checker.pm b/lib/Spellbook/Helper/CDN_Checker.pm
@@ -20,17 +20,17 @@ package Spellbook::Helper::CDN_Checker {
             my $ip = Spellbook::Recon::Get_IP -> new (["--target" => $target]);
 
             if ($ip) {
-                my $cnd_list  = "https://cdn.nuclei.sh";
+                my $cnd_list  = "https://raw.githubusercontent.com/projectdiscovery/cdncheck/main/cmd/generate-index/sources_data.json";
                 my $useragent = Spellbook::Core::UserAgent -> new ();
                 my $request   = $useragent -> get($cnd_list);
 
                 if ($request -> code == 200) {
-                    my $content = decode_json($request -> content);
-
+                    my $data    = decode_json($request -> content);
+                    my $content = $data -> {"cdn"};
+
                     for (keys %{$content}) {
                         for (@{$content -> {$_}}) {
                             my $range = Net::IP -> new($_);
-
                             my $value = Net::IP -> new($ip);
                             my $match =  $range -> overlaps($value);
 

diff --git a/lib/Spellbook/Parser/Bucket.pm → lib/Spellbook/Parser/S3_Bucket.pm b/lib/Spellbook/Parser/Bucket.pm → lib/Spellbook/Parser/S3_Bucket.pm
@@ -1,4 +1,4 @@
-package Spellbook::Parser::Bucket {
+package Spellbook::Parser::S3_Bucket {
     use strict;
     use warnings;
     use XML::Simple;
-Original file line number
+Diff line change
@@ Expand Up / @@ -14,6 +14,7 @@ package Spellbook::Core::UserAgent { @@
             );
             $userAgent -> default_headers -> push_header("Cache-Control" => "no-cache");
+            $userAgent -> max_redirect(0);
             return $userAgent;
         }
@@ Expand Down @@