From 795143b0ae48b6e277a00fd471207c7f70a14ab0 Mon Sep 17 00:00:00 2001 From: htrgouvea Date: Sun, 12 Nov 2023 11:52:34 -0300 Subject: [PATCH 01/18] add linter --- .github/linter.yml | 16 ++++++++++++++++ .perlcriticrc | 4 ++++ 2 files changed, 20 insertions(+) create mode 100644 .github/linter.yml create mode 100644 .perlcriticrc diff --git a/.github/linter.yml b/.github/linter.yml new file mode 100644 index 0000000..1bc1e02 --- /dev/null +++ b/.github/linter.yml @@ -0,0 +1,16 @@ +name: Linter / Perl Critic + +on: + pull_request: + branches: + - main + +jobs: + critic: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Run Perl::Critic + uses: natanlao/perl-critic-action@v1.1 + with: + files: critic \ No newline at end of file diff --git a/.perlcriticrc b/.perlcriticrc new file mode 100644 index 0000000..729a0e0 --- /dev/null +++ b/.perlcriticrc @@ -0,0 +1,4 @@ +only = 1 +include = ProhibitUnusedVariables ProhibitUnusedConstant ProhibitUnusedInclude ProhibitUnusedImport ProhibitUnreachableCode ProhibitComplexRegexes ProhibitDuplicatedSub ProhibitDuplicateHashKeys ProhibitUnusedPrivateSubroutines ProhibitUnlessBlocks RequireCamelCase ProhibitExcessiveColons ProhibitExplicitReturnUndef ProhibitTrailingWhitespace + +# ProhibitTrailingWhitespace ProhibitMagicNumbers ProhibitHardTabs \ No newline at end of file From 5b3fa3b0f3768339a045fe299917df18560e793a Mon Sep 17 00:00:00 2001 From: htrgouvea Date: Sun, 12 Nov 2023 11:52:42 -0300 Subject: [PATCH 02/18] fix linter warnings --- lib/Spellbook/Advisory/CVE_2016_10045.pm | 2 ++ lib/Spellbook/Exploit/HAProxy_Exposed.pm | 1 + lib/Spellbook/Exploit/None_Attack.pm | 2 +- lib/Spellbook/Exploit/Pwn_DB.pm | 2 +- lib/Spellbook/Helper/Exifs_Write.pm | 2 +- lib/Spellbook/Helper/Host_Normalization.pm | 2 +- lib/Spellbook/Helper/Reverse_Shell.pm | 2 +- lib/Spellbook/Recon/Nmap_Scanner.pm | 2 ++ 8 files changed, 10 insertions(+), 5 deletions(-) 
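Review bot: The third-party action `natanlao/perl-critic-action@v1.1` and `actions/checkout@v2` in the new `.github/linter.yml` are referenced by mutable tags; for a workflow that runs on every pull request, pin them to full commit SHAs (tag kept in a trailing comment) so a retagged release cannot change what runs, and note that `checkout@v2` is a deprecated Node 12 release. `files: critic` also names no path that exists in this repository (the modules live under `lib/`), so unless the action interprets it as a keyword the linter may check nothing — confirm against the action's documented inputs; `files: lib` is presumably what was meant. The workflow only triggers on pull requests to `main`, so direct pushes are never linted.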
diff --git a/lib/Spellbook/Advisory/CVE_2016_10045.pm b/lib/Spellbook/Advisory/CVE_2016_10045.pm index 7bc2676..fb285f2 100644 --- a/lib/Spellbook/Advisory/CVE_2016_10045.pm +++ b/lib/Spellbook/Advisory/CVE_2016_10045.pm @@ -57,6 +57,8 @@ package Spellbook::Advisory::CVE_2016_10045 { "message" => $shell{code} ]); }; + + return @results; } if ($help) { diff --git a/lib/Spellbook/Exploit/HAProxy_Exposed.pm b/lib/Spellbook/Exploit/HAProxy_Exposed.pm index 7715869..b40ca6c 100644 --- a/lib/Spellbook/Exploit/HAProxy_Exposed.pm +++ b/lib/Spellbook/Exploit/HAProxy_Exposed.pm @@ -13,6 +13,7 @@ package Spellbook::Exploit::HAProxy_Exposed { ); if ($target) { + return @result; } if ($help) { diff --git a/lib/Spellbook/Exploit/None_Attack.pm b/lib/Spellbook/Exploit/None_Attack.pm index 4db0f37..dfc794b 100644 --- a/lib/Spellbook/Exploit/None_Attack.pm +++ b/lib/Spellbook/Exploit/None_Attack.pm @@ -12,7 +12,7 @@ package Spellbook::Exploit::None_Attack { ); if (1) { - + return @result; } if ($help) { diff --git a/lib/Spellbook/Exploit/Pwn_DB.pm b/lib/Spellbook/Exploit/Pwn_DB.pm index 796e341..5632817 100644 --- a/lib/Spellbook/Exploit/Pwn_DB.pm +++ b/lib/Spellbook/Exploit/Pwn_DB.pm @@ -6,7 +6,7 @@ package Spellbook::Exploit::Pwn_DB { sub new { my ($self, $parameters) = @_; - my ($help, $target, $user); + my ($help, $target); Getopt::Long::GetOptionsFromArray ( $parameters, diff --git a/lib/Spellbook/Helper/Exifs_Write.pm b/lib/Spellbook/Helper/Exifs_Write.pm index ead8f71..ea7fb0b 100755 --- a/lib/Spellbook/Helper/Exifs_Write.pm +++ b/lib/Spellbook/Helper/Exifs_Write.pm @@ -5,7 +5,7 @@ package Spellbook::Helper::Exifs_Write { sub new { my ($self, $parameters)= @_; - my ($help, $file, $payload, @result); + my ($help, $file, $payload); Getopt::Long::GetOptionsFromArray ( $parameters, diff --git a/lib/Spellbook/Helper/Host_Normalization.pm b/lib/Spellbook/Helper/Host_Normalization.pm index 51c3e9a..949f0ad 100644 --- a/lib/Spellbook/Helper/Host_Normalization.pm 
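Review bot: In the `None_Attack` hunk the added `return @result;` sits inside `if (1) {`, which always executes, so the `if ($help)` block that follows is now unreachable — exactly what the `ProhibitUnreachableCode` policy enabled in the previous commit is meant to catch. The condition should test the option the module actually parses (presumably `if ($target) {`, as the sibling modules do). The `HAProxy_Exposed` hunk has the related problem that `if ($target) { return @result; }` returns before any request is made, so unless `@result` is filled above the hunk the module silently reports nothing for every target; a `# TODO: not implemented` comment or returning the help text would make the stub visible instead of hiding it behind a clean lint run. Both `new` subs start outside their hunks.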
+++ b/lib/Spellbook/Helper/Host_Normalization.pm @@ -5,7 +5,7 @@ package Spellbook::Helper::Host_Normalization { sub new { my ($self, $parameters) = @_; - my ($help, $target, @result); + my ($help, $target); Getopt::Long::GetOptionsFromArray ( $parameters, diff --git a/lib/Spellbook/Helper/Reverse_Shell.pm b/lib/Spellbook/Helper/Reverse_Shell.pm index 233f912..5e7c3ae 100644 --- a/lib/Spellbook/Helper/Reverse_Shell.pm +++ b/lib/Spellbook/Helper/Reverse_Shell.pm @@ -5,7 +5,7 @@ package Spellbook::Helper::Reverse_Shell { sub new { my ($self, $parameters) = @_; - my ($help, $target, @result); + my ($help, $target); my $port = 1337; my $lang = "perl"; diff --git a/lib/Spellbook/Recon/Nmap_Scanner.pm b/lib/Spellbook/Recon/Nmap_Scanner.pm index 5830736..7b0b5cc 100644 --- a/lib/Spellbook/Recon/Nmap_Scanner.pm +++ b/lib/Spellbook/Recon/Nmap_Scanner.pm @@ -49,6 +49,8 @@ package Spellbook::Recon::Nmap_Scanner { my $results = $scanner -> scan(); # print Dumper($results); + + return @result; } if ($help) { From a89af5c975cdc1d781f59f13a344951fb87e240d Mon Sep 17 00:00:00 2001 From: htrgouvea Date: Mon, 20 Nov 2023 16:39:03 -0300 Subject: [PATCH 03/18] add zarn --- .github/workflows/zarn.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 .github/workflows/zarn.yml diff --git a/.github/workflows/zarn.yml b/.github/workflows/zarn.yml new file mode 100644 index 0000000..4c6edb2 --- /dev/null +++ b/.github/workflows/zarn.yml @@ -0,0 +1,25 @@ +name: ZARN + +on: + pull_request: + branches: + - main + - develop + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + - name: Install dependencies + run: | + git clone https://github.com/htrgouvea/zarn + sudo apt install -y perl cpanminus + cd zarn && sudo cpanm --installdeps . + - name: Hunt for findings + run: | + perl zarn.pl --source ../ --sarif zarn.sarif + - uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: zarn.sarif \ No newline at end of file 
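Review bot: In the `Nmap_Scanner` hunk the added `return @result;` returns a variable that the scan never assigns: the call above stores its output in the scalar `$results`, which is then dropped, so unless `@result` is populated outside the hunk the caller always receives an empty list and the scan output is lost. This satisfies the unused-variable lint but changes nothing functionally; the return should be built from `$results` (returning it directly, or pushing its entries onto `@result`) and the commented `# print Dumper($results);` debug line removed. The enclosing `new` starts outside the hunk.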
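Review bot: The new `.github/workflows/zarn.yml` clones `https://github.com/htrgouvea/zarn` at whatever its default branch holds at run time and installs its dependencies as root, so the SAST step executes unpinned third-party code on every pull request; pin the clone to a known commit (`git -C zarn checkout <COMMIT-SHA placeholder>` after the clone) or use a released archive. The `Hunt for findings` step runs `perl zarn.pl` from the workspace root, but `zarn.pl` lives in the `zarn/` directory created by the previous step (the `cd zarn` there does not persist across steps), so as written the step should fail to find the script. `upload-sarif` also requires `security-events: write`, which this job does not request in a `permissions:` block, so the upload presumably fails under a read-only default token.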
From beee677a8111c7fb44ada1dfe82b4f8ea1e25aa1 Mon Sep 17 00:00:00 2001 From: htrgouvea Date: Sun, 10 Dec 2023 15:39:13 -0300 Subject: [PATCH 04/18] new exploit --- .config/modules.json | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.config/modules.json b/.config/modules.json index b273cd5..5e1eed2 100644 --- a/.config/modules.json +++ b/.config/modules.json @@ -287,6 +287,12 @@ "category": "recon", "module": "Technologies", "description": "Detect the stack of a web application" + }, + { + "id": "0049", + "category": "advisory", + "module": "CVE_2021_24891", + "description": "DOM XSS elementor Wordpress plugin" } ] } \ No newline at end of file From ac9b525be7fc363e01dc240d1f7253000fbb81de Mon Sep 17 00:00:00 2001 From: htrgouvea Date: Sun, 10 Dec 2023 15:39:45 -0300 Subject: [PATCH 05/18] Exploit for CVE-2021-24891, Dom XSS Elementor plugin of wordpress --- lib/Spellbook/Advisory/CVE_2021_24891.pm | 58 ++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 lib/Spellbook/Advisory/CVE_2021_24891.pm diff --git a/lib/Spellbook/Advisory/CVE_2021_24891.pm b/lib/Spellbook/Advisory/CVE_2021_24891.pm new file mode 100644 index 0000000..d48e1d1 --- /dev/null +++ b/lib/Spellbook/Advisory/CVE_2021_24891.pm 
@@ -0,0 +1,58 @@ +package Spellbook::Advisory::CVE_2021_24891 { + use strict; + use warnings; + use Spellbook::Core::UserAgent; + + sub new { + my ($self, $parameters) = @_; + my ($help, $target, @results); + + Getopt::Long::GetOptionsFromArray ( + $parameters, + "h|help" => \$help, + "t|target=s" => \$target + ); + + if ($target) { + if ($target !~ /^http(s)?:\/\//) { + $target = "https://$target"; + } + + my $useragent = Spellbook::Core::UserAgent -> new(); + + my $fingerprints = { + 1 => { + endpoint => "/wp-content/plugins/elementor/assets/js/frontend.min.js", + regex => "elementor[\\s-]*v(([0-3]+\\.(([0-5]+\\.[0-5]+)|[0-4]+\\.[0-9]+))|[0-2]+[0-9.]+)" + }, + 2 => { + endpoint => "/#elementor-action:action=lightbox&settings=eyJ0eXBlIjoibnVsbCIsImh0bWwiOiI8c2NyaXB0PmFsZXJ0KCd4c3MnKTwvc2NyaXB0PiJ9", + regex => "elementor[\\s-]*v(([0-3]+\\.(([0-5]+\\.[0-5]+)|[0-4]+\\.[0-9]+))|[0-2]+[0-9.]+)" + } + }; + + foreach my $key (keys %$fingerprints) { + my $inner_hash = $fingerprints -> {$key}; + my $request = $useragent -> get($target . $inner_hash->{endpoint}); + + if (($request -> code() == 200) && $request -> decoded_content() =~ m/$inner_hash->{regex}/) { + push @results, $target . $inner_hash -> {endpoint}; + } + } + + return @results; + } + + if ($help) { + return " + \rAdvisory::CVE_2021_24891 + \r======================= + \r-h, --help See this menu + \r-t, --target Define a target\n\n"; + } + + return 0; + } +} + +1; \ No newline at end of file From d8260f484d060f86e895d4ffa4f180893691f31b Mon Sep 17 00:00:00 2001 From: htrgouvea Date: Mon, 25 Dec 2023 20:04:30 -0300 Subject: [PATCH 06/18] return to HTTP --- .config/modules.json | 6 +++ lib/Spellbook/Advisory/CVE_2020_9377.pm | 2 +- lib/Spellbook/Exploit/S3_Bucket_Takeover.pm | 43 +++++++++++++++++++++ lib/Spellbook/Recon/HTTP_Probe.pm | 2 +- 4 files changed, 51 insertions(+), 2 deletions(-) create mode 100644 lib/Spellbook/Exploit/S3_Bucket_Takeover.pm 
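Review bot: The `keys %$fingerprints` loop iterates a hash, so the order of `@results` (and of the HTTP requests) varies between runs; `sort { $a <=> $b } keys %$fingerprints`, or an array of hashes, makes the output deterministic for anyone diffing results. The second fingerprint's `endpoint` is a `#` fragment, which the user agent never sends to the server, so that request fetches `$target/` itself and applies the same version `regex` as the first entry; if the intent is only to record the PoC URL once the version matches, say so with `# fragment is client-side only: this entry reuses the version check and records the PoC URL` so the next reader does not take it for a second probe, and hoist the duplicated pattern into one `qr//` variable. `Getopt::Long::GetOptionsFromArray` is called without a `use Getopt::Long;` in this file, which only works if a core module loads it first. The scheme-default block (`if ($target !~ /^http(s)?:\/\//)`) is repeated verbatim in `S3_Bucket_Takeover` and `Upload_Via_PUT` later in this series and belongs in `Helper::Host_Normalization`.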
diff --git a/.config/modules.json b/.config/modules.json index 5e1eed2..5c38b8d 100644 --- a/.config/modules.json +++ b/.config/modules.json @@ -293,6 +293,12 @@ "category": "advisory", "module": "CVE_2021_24891", "description": "DOM XSS elementor Wordpress plugin" + }, + { + "id": "0050", + "category": "exploit", + "module": "S3_Bucket_Takeover", + "description": "" } ] } \ No newline at end of file diff --git a/lib/Spellbook/Advisory/CVE_2020_9377.pm b/lib/Spellbook/Advisory/CVE_2020_9377.pm index 06cd139..207c3a4 100644 --- a/lib/Spellbook/Advisory/CVE_2020_9377.pm +++ b/lib/Spellbook/Advisory/CVE_2020_9377.pm @@ -1,4 +1,4 @@ -package Spellbook::Advisory::CVE_2020_9376 { +package Spellbook::Advisory::CVE_2020_9377 { use strict; use warnings; use Mojo::UserAgent; diff --git a/lib/Spellbook/Exploit/S3_Bucket_Takeover.pm b/lib/Spellbook/Exploit/S3_Bucket_Takeover.pm new file mode 100644 index 0000000..43c0971 --- /dev/null +++ b/lib/Spellbook/Exploit/S3_Bucket_Takeover.pm @@ -0,0 +1,43 @@ +package Spellbook::Exploit::S3_Bucket_Takeover { + use strict; + use warnings; + use Spellbook::Core::UserAgent; + + sub new { + my ($self, $parameters) = @_; + my ($help, $target, @result); + + Getopt::Long::GetOptionsFromArray ( + $parameters, + "h|help" => \$help, + "t|target=s" => \$target + ); + + if ($target) { + if ($target !~ /^http(s)?:\/\//) { + $target = "https://$target"; + } + + my $userAgent = Spellbook::Core::UserAgent -> new(); + my $request = $userAgent -> get($target); + + if ($request -> code() == 404 && $request-> content() =~ m/Code: NoSuchBucket/) { + push @result, $target; + } + + return @result; + } + + if ($help) { + return " + \rExploit:: + \r===================== + \r-h, --help See this menu + \r-t, --target Set an \n"; + } + + return 0; + } +} + +1; \ No newline at end of file diff --git a/lib/Spellbook/Recon/HTTP_Probe.pm b/lib/Spellbook/Recon/HTTP_Probe.pm index adbae60..221b4a4 100644 --- a/lib/Spellbook/Recon/HTTP_Probe.pm 
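Review bot: In the new `S3_Bucket_Takeover.pm` the body check `m/Code: NoSuchBucket/` matches the `Code: ...` wording of the HTML error page that S3 website endpoints return; the REST endpoint answers a missing bucket with XML (`<Code>NoSuchBucket</Code>`), which this pattern presumably misses, so a plain `m/NoSuchBucket/` would cover both forms. The 404-plus-body condition is a reasonable signal, but a comment stating what is being matched, `# 404 with an S3 NoSuchBucket error body: the name is unclaimed`, would make the heuristic reviewable. The package-name fix in `CVE_2020_9377.pm` in the same commit is correct and needs no change.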
+++ b/lib/Spellbook/Recon/HTTP_Probe.pm @@ -15,7 +15,7 @@ package Spellbook::Recon::HTTP_Probe { if ($target) { if ($target !~ /^http(s)?:\/\//) { - $target = "https://$target"; + $target = "http://$target"; } my $userAgent = Spellbook::Core::UserAgent -> new(); From 284ed8421c24f122ab5e9f473e6362671b8dfe4d Mon Sep 17 00:00:00 2001 From: htrgouvea Date: Mon, 25 Dec 2023 20:06:35 -0300 Subject: [PATCH 07/18] improve description on module --- .config/modules.json | 2 +- lib/Spellbook/Exploit/S3_Bucket_Takeover.pm | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.config/modules.json b/.config/modules.json index 5c38b8d..8804ee4 100644 --- a/.config/modules.json +++ b/.config/modules.json @@ -298,7 +298,7 @@ "id": "0050", "category": "exploit", "module": "S3_Bucket_Takeover", - "description": "" + "description": "Detection possible of takeover on AWS S3 Bucket resource" } ] } \ No newline at end of file diff --git a/lib/Spellbook/Exploit/S3_Bucket_Takeover.pm b/lib/Spellbook/Exploit/S3_Bucket_Takeover.pm index 43c0971..d264015 100644 --- a/lib/Spellbook/Exploit/S3_Bucket_Takeover.pm +++ b/lib/Spellbook/Exploit/S3_Bucket_Takeover.pm @@ -30,10 +30,10 @@ package Spellbook::Exploit::S3_Bucket_Takeover { if ($help) { return " - \rExploit:: + \rExploit::S3_Bucket_Takeover \r===================== \r-h, --help See this menu - \r-t, --target Set an \n"; + \r-t, --target Check the possibility to takeover an s3 resource\n"; } return 0; From 6e07a608c9823aae662f70ed9fc5285bede1ed73 Mon Sep 17 00:00:00 2001 From: htrgouvea Date: Mon, 1 Jan 2024 11:39:34 -0300 Subject: [PATCH 08/18] update license year --- LICENSE.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/LICENSE.md b/LICENSE.md index ede939a..3b05fb4 100755 --- a/LICENSE.md +++ b/LICENSE.md 
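Review bot: Changing the default scheme to `http://` in `HTTP_Probe` means every bare hostname is now probed in cleartext by default, while `S3_Bucket_Takeover`, added in the same commit, keeps `https://` — the two modules now disagree on what a scheme-less target means, and the subject "return to HTTP" does not say why. If the probe deliberately wants the plaintext endpoint, record that at the assignment, `# probe plain HTTP first; HTTPS-only hosts answer with a redirect`, and consider trying both schemes so an HTTPS-only host is not reported by its redirect alone. `new` starts and ends outside the hunk.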
@@ -2,7 +2,7 @@ License ============== The MIT License (MIT) -Copyright (c) 2016 - 2023 | Heitor GouvĂȘa. +Copyright (c) 2016 - 2024 | Heitor GouvĂȘa. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal From 2750661576ea913becadeb714f8550497f4e08ab Mon Sep 17 00:00:00 2001 From: htrgouvea Date: Tue, 2 Jan 2024 09:53:31 -0300 Subject: [PATCH 09/18] added uuid lib --- cpanfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cpanfile b/cpanfile index 9083ea7..046e7ff 100644 --- a/cpanfile +++ b/cpanfile @@ -4,4 +4,5 @@ requires "YAML::Tiny", "1.73"; requires "Masscan::Scanner"; requires "Net::DNS", "1.34"; requires "WWW::Mechanize", "2.11"; -requires "Net::IP"; \ No newline at end of file +requires "Net::IP"; +requires "UUID::Tiny", "1.04"; \ No newline at end of file From b4fed6dc910caf29a622d12cd23d6afea8456c2a Mon Sep 17 00:00:00 2001 From: htrgouvea Date: Thu, 11 Jan 2024 19:54:35 -0300 Subject: [PATCH 10/18] enable all rules of level 5 on linter --- .perlcriticrc | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.perlcriticrc b/.perlcriticrc index 729a0e0..8fe04ee 100644 --- a/.perlcriticrc +++ b/.perlcriticrc @@ -1,4 +1,3 @@ -only = 1 -include = ProhibitUnusedVariables ProhibitUnusedConstant ProhibitUnusedInclude ProhibitUnusedImport ProhibitUnreachableCode ProhibitComplexRegexes ProhibitDuplicatedSub ProhibitDuplicateHashKeys ProhibitUnusedPrivateSubroutines ProhibitUnlessBlocks RequireCamelCase ProhibitExcessiveColons ProhibitExplicitReturnUndef ProhibitTrailingWhitespace +severity = 5 -# ProhibitTrailingWhitespace ProhibitMagicNumbers ProhibitHardTabs \ No newline at end of file +[-TestingAndDebugging::RequireUseStrict] \ No newline at end of file From 784716d176c3791fa884b8b4cde8c9c002fb8b6c Mon Sep 17 00:00:00 2001 
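Review bot: Replacing `only = 1` / `include = ...` with `severity = 5` drops every policy the previous configuration enabled (`ProhibitUnusedVariables`, `ProhibitUnreachableCode`, `ProhibitDuplicateHashKeys`, ...) because they sit below severity 5, so the warnings fixed earlier in this series can silently return. Keep them with an `include = ProhibitUnusedVariables ProhibitUnreachableCode ...` line next to `severity = 5`; `include` applies the named policies regardless of severity. Disabling `TestingAndDebugging::RequireUseStrict` removes the one check that guarantees `use strict` in new modules; if it is switched off because the `package NAME { ... }` block style confuses the policy, say so in a comment, `# package-block syntax: strict is enabled inside each block`, so the exemption is not copied blindly.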
From: htrgouvea Date: Tue, 16 Jan 2024 07:29:05 -0300 Subject: [PATCH 11/18] dont follow redirects --- lib/Spellbook/Core/UserAgent.pm | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/Spellbook/Core/UserAgent.pm b/lib/Spellbook/Core/UserAgent.pm index f83f845..2a748d2 100644 --- a/lib/Spellbook/Core/UserAgent.pm +++ b/lib/Spellbook/Core/UserAgent.pm @@ -14,6 +14,7 @@ package Spellbook::Core::UserAgent { ); $userAgent -> default_headers -> push_header("Cache-Control" => "no-cache"); + $userAgent -> max_redirect(0); return $userAgent; } From 2632442ccce3a773ddab1a6f114abf849820a9e0 Mon Sep 17 00:00:00 2001 From: htrgouvea Date: Tue, 16 Jan 2024 07:29:46 -0300 Subject: [PATCH 12/18] delete draft of a module --- lib/Spellbook/Exploit/S3_Misconfig.pm | 52 --------------------------- 1 file changed, 52 deletions(-) delete mode 100644 lib/Spellbook/Exploit/S3_Misconfig.pm diff --git a/lib/Spellbook/Exploit/S3_Misconfig.pm b/lib/Spellbook/Exploit/S3_Misconfig.pm deleted file mode 100644 index b819764..0000000 --- a/lib/Spellbook/Exploit/S3_Misconfig.pm +++ /dev/null 
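Review bot: `$userAgent -> max_redirect(0)` changes behaviour for every module built on `Spellbook::Core::UserAgent`: callers that test `code() == 200` (`CVE_2021_24891`, `S3_Bucket_Takeover` and `Upload_Via_PUT` in this series, plus `HTTP_Probe`, which now defaults to plain `http://`) will see a 301/302 instead of the final page for any host that redirects to HTTPS or adds a trailing slash, and report nothing. Not following redirects is a sound default for a scanner, since it keeps requests from being steered to other hosts, but it should be documented at the call site — `# never follow redirects: callers inspect the first response and must handle 3xx themselves` — and the 3xx case handled wherever 200 is checked. The constructor starts outside the hunk.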
@@ -1,52 +0,0 @@ -package Spellbook::Exploit::S3_Misconfig { - use strict; - use warnings; - use Amazon::S3; - - # https://metacpan.org/pod/Net::Amazon::S3 - # https://metacpan.org/pod/AWS::S3 - # https://metacpan.org/pod/Amazon::S3 - - sub new { - my ($self, $parameters) = @_; - my ($help, $target); - - Getopt::Long::GetOptionsFromArray ( - $parameters, - "h|help" => \$help, - "t|target=s" => \$target - ); - - if ($target) { - my $s3 = Amazon::S3 -> new ( - aws_access_key_id => "spellbook", - aws_secret_access_key => "spellbook", - ); - - my $bucket = $s3 -> bucket($target); - - my $success = $bucket -> add_key("./lib/Spellbook/Exploit/S3_Misconfig.pm", "spellbook.txt"); - - if ($success) { - $bucket -> delete_key("spellbook.txt"); - - return "Bucket is publicly writable!"; - } - - return "Bucket is not publicly writable."; - } - - if ($help) { - return " - \rExploit::S3_Misconfig - \r======================= - \r-h, --help See this menu - \r-t, --target Define a aws s3 bucket - "; - } - - return 0; - } -} - -1; \ No newline at end of file From 32dc439d692c2017a693d265c35f2e222446dd6b Mon Sep 17 00:00:00 2001 From: htrgouvea Date: Tue, 16 Jan 2024 07:30:40 -0300 Subject: [PATCH 13/18] new modules aroung aws s3 buckets --- .config/modules.json | 36 ++++++++++++--- .../{S3_Bucket_Takeover.pm => S3_Takeover.pm} | 0 lib/Spellbook/Exploit/Upload_Via_PUT.pm | 46 +++++++++++++++++++ .../Parser/{Bucket.pm => S3_Bucket.pm} | 2 +- 4 files changed, 77 insertions(+), 7 deletions(-) rename lib/Spellbook/Exploit/{S3_Bucket_Takeover.pm => S3_Takeover.pm} (100%) create mode 100644 lib/Spellbook/Exploit/Upload_Via_PUT.pm rename lib/Spellbook/Parser/{Bucket.pm => S3_Bucket.pm} (96%) diff --git a/.config/modules.json b/.config/modules.json index 8804ee4..491d5f4 100644 --- a/.config/modules.json +++ b/.config/modules.json 
@@ -206,9 +206,9 @@ }, { "id": "0035", - "category": "exploit", - "module": "S3_Misconfig", - "description": "Upload files into AWS S3 Buckets with weak security policies" + "category": "parser", + "module": "S3_Bucket", + "description": "Extract the path of files from a S3 Bucket with object listing" }, { "id": "0036", @@ -238,7 +238,7 @@ "id": "0040", "category": "exploit", "module": "Reflected_XSS", - "description": "" + "description": "PoC" }, { "id": "0041", @@ -268,13 +268,13 @@ "id": "0045", "category": "recon", "module": "Detect_Error", - "description": "" + "description": "PoC" }, { "id": "0046", "category": "exploit", "module": "DataBreach", - "description": "" + "description": "PoC" }, { "id": "0047", @@ -299,6 +299,30 @@ "category": "exploit", "module": "S3_Bucket_Takeover", "description": "Detection possible of takeover on AWS S3 Bucket resource" + }, + { + "id": "0051", + "category": "exploit", + "module": "Upload_Via_PUT", + "description": "" + }, + { + "id": "0052", + "category": "exploit", + "module": "Open_Redirect", + "description": "Detect application vulnerable" + }, + { + "id": "0053", + "category": "exploit", + "module": "Dependency_Confusion", + "description": "" + }, + { + "id": "0054", + "category": "parser", + "module": "Nozaki", + "description": "" } ] } \ No newline at end of file diff --git a/lib/Spellbook/Exploit/S3_Bucket_Takeover.pm b/lib/Spellbook/Exploit/S3_Takeover.pm similarity index 100% rename from lib/Spellbook/Exploit/S3_Bucket_Takeover.pm rename to lib/Spellbook/Exploit/S3_Takeover.pm diff --git a/lib/Spellbook/Exploit/Upload_Via_PUT.pm b/lib/Spellbook/Exploit/Upload_Via_PUT.pm new file mode 100644 index 0000000..66f12d2 --- /dev/null +++ b/lib/Spellbook/Exploit/Upload_Via_PUT.pm 
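Review bot: The registry still lists `"module": "S3_Bucket_Takeover"` (id 0050) although this commit renames the file to `lib/Spellbook/Exploit/S3_Takeover.pm`, so whatever resolves modules by this name will no longer find it; the entry should read `"module": "S3_Takeover"`. The same hunk registers `Open_Redirect`, `Dependency_Confusion` and `Nozaki`, and the later `modules.json` change for `CVE_2021_41174` does likewise, without a corresponding `.pm` anywhere in this series — if those files exist elsewhere the commit message should say so, otherwise the entries point at nothing. Descriptions of `""` and `"PoC"` are placeholders; the `Upload_Via_PUT` entry could at least state what the module checks.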
@@ -0,0 +1,46 @@ +package Spellbook::Exploit::Upload_Via_PUT { + use strict; + use warnings; + use Spellbook::Core::UserAgent; + use Spellbook::Helper::Generate_UUID; + + sub new { + my ($self, $parameters) = @_; + my ($help, $target, @result); + + Getopt::Long::GetOptionsFromArray ( + $parameters, + "h|help" => \$help, + "t|target=s" => \$target + ); + + if ($target) { + if ($target !~ /^http(s)?:\/\//) { + $target = "https://$target"; + } + + my $userAgent = Spellbook::Core::UserAgent -> new(); + my @uuid = Spellbook::Helper::Generate_UUID -> new(["--version" => 4]); + my $upload = $userAgent -> put("$target/$uuid[0].txt", Content => "$uuid[0]"); + my $request = $userAgent -> get("$target/$uuid[0].txt"); + + if (($request -> code() == 200) && ($request -> content() eq "$uuid[0]")) { + push @result, "$target/$uuid[0].txt\n"; + } + + return @result; + } + + if ($help) { + return " + \rRecon::Explioit + \r===================== + \r-h, --help See this menu + \r-t, --target Define\n\n"; + } + + return 0; + } +} + +1; \ No newline at end of file diff --git a/lib/Spellbook/Parser/Bucket.pm b/lib/Spellbook/Parser/S3_Bucket.pm similarity index 96% rename from lib/Spellbook/Parser/Bucket.pm rename to lib/Spellbook/Parser/S3_Bucket.pm index ca85fd2..011cab8 100644 --- a/lib/Spellbook/Parser/Bucket.pm +++ b/lib/Spellbook/Parser/S3_Bucket.pm @@ -1,4 +1,4 @@ -package Spellbook::Parser::Bucket { +package Spellbook::Parser::S3_Bucket { use strict; use warnings; use XML::Simple; From db220d698ba8f0649fc9021a5a625a31f9e4ae97 Mon Sep 17 00:00:00 2001 From: htrgouvea Date: Fri, 19 Jan 2024 08:48:31 -0300 Subject: [PATCH 14/18] add secret scanning in the pipeline --- .github/workflows/secret-scanning.yml | 39 +++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 .github/workflows/secret-scanning.yml diff --git a/.github/workflows/secret-scanning.yml b/.github/workflows/secret-scanning.yml new file mode 100644 index 0000000..d76ec7f --- /dev/null 
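Review bot: `$upload` holds the response to the PUT but is never read, so a rejected upload still triggers the verification GET, and the unused variable will trip the `ProhibitUnusedVariables` check this series fixes elsewhere; test it (`if ($upload -> is_success) { ... }`) before fetching the file. The module also leaves `$uuid[0].txt` behind on any target where the upload succeeds — attempt `$userAgent -> delete("$target/$uuid[0].txt")` after the check and state in the help text that a marker file is written, so an operator knows to clean up when DELETE is refused. The help text reads `Recon::Explioit` and `-t, --target Define`; it should name `Exploit::Upload_Via_PUT` and describe the target. The pushed result carries a trailing `\n` unlike the other modules, which will surprise callers that join results.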
+++ b/.github/workflows/secret-scanning.yml @@ -0,0 +1,39 @@ +name: Secret Scanning + +on: + push: + branches: + - main + pull_request: + +permissions: + contents: read + id-token: write + issues: write + pull-requests: write + +jobs: + TruffleHog: + runs-on: ubuntu-latest + defaults: + run: + shell: bash + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Secret Scanning - TruffleHog + id: trufflehog + uses: trufflesecurity/trufflehog@main + continue-on-error: true + with: + path: ./ + base: "${{ github.event.repository.default_branch }}" + head: HEAD + extra_args: --debug + + - name: Scan Results Status + if: steps.trufflehog.outcome == 'failure' + run: exit 1 \ No newline at end of file From b0109ebf044f4f995acc1dfd4277548352185455 Mon Sep 17 00:00:00 2001 From: htrgouvea Date: Fri, 19 Jan 2024 08:53:14 -0300 Subject: [PATCH 15/18] Exploit for XSS vulnerability on grafana --- .config/modules.json | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.config/modules.json b/.config/modules.json index 491d5f4..283e2ac 100644 --- a/.config/modules.json +++ b/.config/modules.json @@ -323,6 +323,12 @@ "category": "parser", "module": "Nozaki", "description": "" + }, + { + "id": "0055", + "category": "advisory", + "module": "CVE_2021_41174", + "description": "Exploit for XSS vulnerability on grafana" } ] } \ No newline at end of file From f36a15ce3c35149b26610f8e1f4b58a22f143556 Mon Sep 17 00:00:00 2001 From: htrgouvea Date: Sun, 21 Jan 2024 17:56:40 -0300 Subject: [PATCH 16/18] fix module/using new data source --- lib/Spellbook/Helper/CDN_Checker.pm | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/Spellbook/Helper/CDN_Checker.pm b/lib/Spellbook/Helper/CDN_Checker.pm index 0b8c89a..e804201 100644 --- a/lib/Spellbook/Helper/CDN_Checker.pm +++ b/lib/Spellbook/Helper/CDN_Checker.pm 
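Review bot: `uses: trufflesecurity/trufflehog@main` runs whatever that tool's main branch contains at the time of each push, under a token this workflow grants `id-token: write`, `issues: write` and `pull-requests: write` — none of which the visible steps use. Pin the action to a release tag or, better, a full commit SHA, and reduce `permissions:` to `contents: read` until a step needs more. On a `push` to `main`, `base` (the default branch) and `head: HEAD` presumably resolve to the same commit, giving an empty or erroring diff scan, so the push trigger should either drop `base` or scan the full history. `extra_args: --debug` also makes the scan verbose in CI logs and is better left off outside troubleshooting.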
@@ -20,17 +20,17 @@ package Spellbook::Helper::CDN_Checker { my $ip = Spellbook::Recon::Get_IP -> new (["--target" => $target]); if ($ip) { - my $cnd_list = "https://cdn.nuclei.sh"; + my $cnd_list = "https://raw.githubusercontent.com/projectdiscovery/cdncheck/main/cmd/generate-index/sources_data.json"; my $useragent = Spellbook::Core::UserAgent -> new (); my $request = $useragent -> get($cnd_list); if ($request -> code == 200) { - my $content = decode_json($request -> content); - + my $data = decode_json($request -> content); + my $content = $data -> {"cdn"}; + for (keys %{$content}) { for (@{$content -> {$_}}) { my $range = Net::IP -> new($_); - my $value = Net::IP -> new($ip); my $match = $range -> overlaps($value); From 39420294c1f6c1bc1351909553f7723dd8fb038c Mon Sep 17 00:00:00 2001 From: htrgouvea Date: Wed, 24 Jan 2024 10:40:21 -0300 Subject: [PATCH 17/18] move linter.yml --- .github/{ => workflows}/linter.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/{ => workflows}/linter.yml (100%) diff --git a/.github/linter.yml b/.github/workflows/linter.yml similarity index 100% rename from .github/linter.yml rename to .github/workflows/linter.yml From 54c6e51c62bafbd88813a114199852fcb08f07c2 Mon Sep 17 00:00:00 2001 From: htrgouvea Date: Thu, 25 Jan 2024 18:25:01 -0300 Subject: [PATCH 18/18] update SAST workflow --- .github/workflows/zarn.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/workflows/zarn.yml b/.github/workflows/zarn.yml index f66840c..f552764 100644 --- a/.github/workflows/zarn.yml +++ b/.github/workflows/zarn.yml @@ -1,11 +1,13 @@ name: ZARN on: + push: + branches: [ "main" ] pull_request: - branches: - - main - - develop - + branches: [ "main" ] + schedule: + - cron: '28 23 * * 1' + jobs: build: runs-on: ubuntu-latest 
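Review bot: `decode_json($request -> content)` is applied to a document fetched at run time from an unpinned `main`-branch URL with no error handling, so a malformed or reshaped upstream file makes `decode_json` die, and `keys %{$content}` dies under strict refs when the `"cdn"` key is absent, taking the whole check down. Wrap the decode in `my $data = eval { decode_json($request -> content) };` and skip the loop unless `ref $data eq 'HASH' && ref $data -> {"cdn"} eq 'HASH'`, returning whatever the sub uses for no match; pinning the raw URL to a specific commit of `projectdiscovery/cdncheck` instead of `main` would make results reproducible and keep an upstream edit from silently changing which ranges count as CDN. The nested `for` loops both use `$_`; naming them (`for my $provider (...)`, `for my $cidr (...)`) avoids the shadowing. The `new` sub starts and ends outside the hunk.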
@@ -19,7 +21,7 @@ jobs: cd zarn && sudo cpanm --installdeps . - name: Hunt for findings run: | - perl zarn/zarn.pl --source . --sarif zarn.sarif + cd zarn && perl zarn.pl --source ../ --sarif ../zarn.sarif - uses: github/codeql-action/upload-sarif@v3 with: sarif_file: zarn.sarif \ No newline at end of file
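Review bot: `cd zarn && perl zarn.pl --source ../` scans the workspace root, which at this point also contains the freshly cloned `zarn/` checkout, so the SAST run reports on the scanner's own source alongside this project's and the SARIF upload mixes the two; clone the tool outside the workspace (e.g. into `$RUNNER_TEMP`) or scan `../lib` explicitly. The clone itself (`git clone https://github.com/htrgouvea/zarn`, above the hunk) is still unpinned now that the job also runs on a weekly `schedule`, so it executes whatever that branch holds with no human in the loop; pin it to a commit. The job still declares no `permissions:` block, and `upload-sarif@v3` requires `security-events: write`.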