New modules and fixes for lint warnings (#82)

* add linter * fix linter warnings * add zarn * new exploit * Exploit for CVE-2021-24891, Dom XSS Elementor plugin of wordpress * return to HTTP * improve description on module * update license year
htrgouvea · Jan 1, 2024 · e6fa96e · e6fa96e
1 parent 007debc
commit e6fa96e
Show file tree

Hide file tree

Showing 17 changed files with 171 additions and 8 deletions.
diff --git a/.config/modules.json b/.config/modules.json
@@ -287,6 +287,18 @@
             "category": "recon",
             "module": "Technologies",
             "description": "Detect the stack of a web application"
+        },
+        {  
+            "id": "0049",
+            "category": "advisory",
+            "module": "CVE_2021_24891",
+            "description": "DOM XSS elementor Wordpress plugin"
+        },
+        {  
+            "id": "0050",
+            "category": "exploit",
+            "module": "S3_Bucket_Takeover",
+            "description": "Detection possible of takeover on AWS S3 Bucket resource"
         }
     ]
 }
diff --git a/.github/linter.yml b/.github/linter.yml
@@ -0,0 +1,16 @@
+name: Linter / Perl Critic
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  critic:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Run Perl::Critic
+      uses: natanlao/[email protected]
+      with:
+        files: critic
diff --git a/.github/workflows/zarn.yml b/.github/workflows/zarn.yml
@@ -0,0 +1,25 @@
+name: ZARN
+
+on:
+  pull_request:
+    branches:
+      - main
+      - develop
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+    - name: Install dependencies
+      run: |
+        git clone https://github.com/htrgouvea/zarn
+        sudo apt install -y perl cpanminus
+        cd zarn && sudo cpanm --installdeps .
+    - name: Hunt for findings
+      run: |
+        perl zarn/zarn.pl --source . --sarif zarn.sarif
+    - uses: github/codeql-action/upload-sarif@v2
+      with:
+        sarif_file: zarn.sarif
diff --git a/.perlcriticrc b/.perlcriticrc
@@ -0,0 +1,4 @@
+only = 1
+include = ProhibitUnusedVariables ProhibitUnusedConstant ProhibitUnusedInclude ProhibitUnusedImport ProhibitUnreachableCode ProhibitComplexRegexes ProhibitDuplicatedSub ProhibitDuplicateHashKeys ProhibitUnusedPrivateSubroutines ProhibitUnlessBlocks RequireCamelCase ProhibitExcessiveColons ProhibitExplicitReturnUndef ProhibitTrailingWhitespace
+
+# ProhibitTrailingWhitespace ProhibitMagicNumbers ProhibitHardTabs
diff --git a/LICENSE.md b/LICENSE.md
@@ -2,7 +2,7 @@ License
 ==============
 The MIT License (MIT)
 
-Copyright (c) 2016 - 2023 | Heitor Gouvêa.
+Copyright (c) 2016 - 2024 | Heitor Gouvêa.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

diff --git a/lib/Spellbook/Advisory/CVE_2016_10045.pm b/lib/Spellbook/Advisory/CVE_2016_10045.pm
@@ -57,6 +57,8 @@ package Spellbook::Advisory::CVE_2016_10045 {
                     "message" => $shell{code}
                 ]);
             };
+
+            return @results;
         }
 
         if ($help) {

diff --git a/lib/Spellbook/Advisory/CVE_2020_9377.pm b/lib/Spellbook/Advisory/CVE_2020_9377.pm
@@ -1,4 +1,4 @@
-package Spellbook::Advisory::CVE_2020_9376 {
+package Spellbook::Advisory::CVE_2020_9377 {
     use strict;
     use warnings;
     use Mojo::UserAgent;

diff --git a/lib/Spellbook/Advisory/CVE_2021_24891.pm b/lib/Spellbook/Advisory/CVE_2021_24891.pm
@@ -0,0 +1,58 @@
+package Spellbook::Advisory::CVE_2021_24891 {
+    use strict;
+    use warnings;
+    use Spellbook::Core::UserAgent;
+
+    sub new {
+        my ($self, $parameters) = @_;
+        my ($help, $target, @results);
+
+        Getopt::Long::GetOptionsFromArray (
+            $parameters,
+            "h|help"     => \$help,
+            "t|target=s" => \$target
+        );
+
+        if ($target) {
+            if ($target !~ /^http(s)?:\/\//) {
+                $target = "https://$target";
+            }
+
+            my $useragent = Spellbook::Core::UserAgent -> new();
+
+            my $fingerprints = {
+                1 => {
+                    endpoint => "/wp-content/plugins/elementor/assets/js/frontend.min.js",
+                    regex    => "elementor[\\s-]*v(([0-3]+\\.(([0-5]+\\.[0-5]+)|[0-4]+\\.[0-9]+))|[0-2]+[0-9.]+)"
+                },
+                2 => {
+                    endpoint => "/#elementor-action:action=lightbox&settings=eyJ0eXBlIjoibnVsbCIsImh0bWwiOiI8c2NyaXB0PmFsZXJ0KCd4c3MnKTwvc2NyaXB0PiJ9",
+                    regex    => "elementor[\\s-]*v(([0-3]+\\.(([0-5]+\\.[0-5]+)|[0-4]+\\.[0-9]+))|[0-2]+[0-9.]+)"
+                }
+            };
+
+            foreach my $key (keys %$fingerprints) {
+                my $inner_hash = $fingerprints -> {$key};
+                my $request = $useragent -> get($target . $inner_hash->{endpoint});
+
+                if (($request -> code() == 200) && $request -> decoded_content() =~ m/$inner_hash->{regex}/) {
+                    push @results, $target . $inner_hash -> {endpoint};
+                }
+            }
+
+            return @results;
+        }
+
+        if ($help) {
+            return "
+                \rAdvisory::CVE_2021_24891
+                \r=======================
+                \r-h, --help     See this menu
+                \r-t, --target   Define a target\n\n";
+        }
+
+        return 0;
+    }
+}
+
+1;
diff --git a/lib/Spellbook/Exploit/HAProxy_Exposed.pm b/lib/Spellbook/Exploit/HAProxy_Exposed.pm
@@ -13,6 +13,7 @@ package Spellbook::Exploit::HAProxy_Exposed {
         );
 
         if ($target) {
+            return @result;
         } 
 
         if ($help) {

diff --git a/lib/Spellbook/Exploit/None_Attack.pm b/lib/Spellbook/Exploit/None_Attack.pm
@@ -12,7 +12,7 @@ package Spellbook::Exploit::None_Attack {
         );
 
         if (1) {
-
+            return @result;
         } 
 
         if ($help) {

diff --git a/lib/Spellbook/Exploit/Pwn_DB.pm b/lib/Spellbook/Exploit/Pwn_DB.pm
@@ -6,7 +6,7 @@ package Spellbook::Exploit::Pwn_DB {
 
     sub new {
         my ($self, $parameters) = @_;
-        my ($help, $target, $user);
+        my ($help, $target);
 
         Getopt::Long::GetOptionsFromArray (
             $parameters,

diff --git a/lib/Spellbook/Exploit/S3_Bucket_Takeover.pm b/lib/Spellbook/Exploit/S3_Bucket_Takeover.pm
@@ -0,0 +1,43 @@
+package Spellbook::Exploit::S3_Bucket_Takeover {
+    use strict;
+    use warnings;
+    use Spellbook::Core::UserAgent;
+
+    sub new {
+        my ($self, $parameters) = @_;
+        my ($help, $target, @result);
+
+        Getopt::Long::GetOptionsFromArray (
+            $parameters,
+            "h|help"     => \$help,
+            "t|target=s" => \$target
+        );
+
+        if ($target) {
+            if ($target !~ /^http(s)?:\/\//) {
+                $target = "https://$target";
+            }
+
+            my $userAgent = Spellbook::Core::UserAgent -> new();
+            my $request = $userAgent -> get($target);
+
+            if ($request -> code() == 404 && $request-> content() =~ m/Code: NoSuchBucket/) {
+                push @result, $target;
+            }
+
+            return @result;
+        } 
+
+        if ($help) {
+            return "
+                \rExploit::S3_Bucket_Takeover
+                \r=====================
+                \r-h, --help     See this menu
+                \r-t, --target   Check the possibility to takeover an s3 resource\n";
+        }
+
+        return 0;
+    }
+}
+
+1;
diff --git a/lib/Spellbook/Helper/Exifs_Write.pm b/lib/Spellbook/Helper/Exifs_Write.pm
@@ -5,7 +5,7 @@ package Spellbook::Helper::Exifs_Write {
 
     sub new {
         my ($self, $parameters)= @_;
-        my ($help, $file, $payload, @result);
+        my ($help, $file, $payload);
 
         Getopt::Long::GetOptionsFromArray (
             $parameters,

diff --git a/lib/Spellbook/Helper/Host_Normalization.pm b/lib/Spellbook/Helper/Host_Normalization.pm
@@ -5,7 +5,7 @@ package Spellbook::Helper::Host_Normalization {
 
     sub new {
         my ($self, $parameters) = @_;
-        my ($help, $target, @result);
+        my ($help, $target);
 
         Getopt::Long::GetOptionsFromArray (
             $parameters,

diff --git a/lib/Spellbook/Helper/Reverse_Shell.pm b/lib/Spellbook/Helper/Reverse_Shell.pm
@@ -5,7 +5,7 @@ package Spellbook::Helper::Reverse_Shell {
 
     sub new {
         my ($self, $parameters) = @_;
-        my ($help, $target, @result);
+        my ($help, $target);
 
         my $port = 1337;
         my $lang = "perl";

diff --git a/lib/Spellbook/Recon/HTTP_Probe.pm b/lib/Spellbook/Recon/HTTP_Probe.pm
@@ -15,7 +15,7 @@ package Spellbook::Recon::HTTP_Probe {
 
         if ($target) {
             if ($target !~ /^http(s)?:\/\//) { 
-                $target = "https://$target";
+                $target = "http://$target";
             }
 
             my $userAgent = Spellbook::Core::UserAgent -> new();

diff --git a/lib/Spellbook/Recon/Nmap_Scanner.pm b/lib/Spellbook/Recon/Nmap_Scanner.pm
@@ -49,6 +49,8 @@ package Spellbook::Recon::Nmap_Scanner {
             my $results = $scanner -> scan();
 
             # print Dumper($results);
+
+            return @result;
         } 
 
         if ($help) {
-Original file line number
+Diff line change
@@ Expand Up / @@ -57,6 +57,8 @@ package Spellbook::Advisory::CVE_2016_10045 { @@
                         "message" => $shell{code}
                     ]);
                 };
+                return @results;
             }
             if ($help) {
@@ Expand Down @@