DSL兼容性问题

[lovelyjuice]

用的这个poc:
https://github.com/iamHuFei/HVVault/blob/4558fdb/oa/%E9%87%91%E8%9D%B6OA/kingdee-erp-srm-scpsupreghandler-fileupload.yaml

两个请求包都正确发出去了，但是

PS D:\DevDir\Go\neutron> go run ./cmd/shot -proxy http://127.0.0.1:8083 D:\DevDir\Go\gogo\v2\templates\neutron\http\HVVault\oa\金蝶OA\kingdee-erp-srm-scpsupreghandler-fileupload.yaml http://xxx.xx.xx.xx:8090
Using proxy: http://127.0.0.1:8083
Load success for D:\DevDir\Go\gogo\v2\templates\neutron\http\HVVault\oa\金蝶OA\kingdee-erp-srm-scpsupreghandler-fileupload.yaml
OK: <nil>
Execution time: 841.3678ms

用nuclei和yakit都是可以扫出漏洞的，但是neutron不行

1. 将dsl改成 200 == 200 后，neutron显示OK: &{true false map[] map[] [] map[] map[] map[filename:OStCs]}
2. 改成status_code_1 == 200，neutron就不行了
3. status_code == 200，成功
4. - contains((body_1), 'true') ，失败
5. - contains((body), 'true')，成功
6. contains((body), '{{randstr}}')，失败

[lovelyjuice]

{{randstr_1}}这种形式是不是也不能在neutron中用？

[M09Ic]

{{randstr_1}}这种形式是不是也不能在neutron中用？

是的， 目前提供了的randstr和randnum都是固定长度的

		"randstr":  dsl.RandStr(8),
		"randnum":  dsl.RandNum(4),

这和nuclei的实现方式有关.

nuclei的randstr_1/rand_num 在 template compile前进行的replace, 要引入这种方式会极大降低性能.

后续我计划通过提供randstrn(1), randomn(2)这样的dsl函数代替实现类似的功能

[M09Ic]

用的这个poc: iamHuFei/HVVault@4558fdb/oa/%E9%87%91%E8%9D%B6OA/kingdee-erp-srm-scpsupreghandler-fileupload.yaml

两个请求包都正确发出去了，但是

PS D:\DevDir\Go\neutron> go run ./cmd/shot -proxy http://127.0.0.1:8083 D:\DevDir\Go\gogo\v2\templates\neutron\http\HVVault\oa\金蝶OA\kingdee-erp-srm-scpsupreghandler-fileupload.yaml http://xxx.xx.xx.xx:8090
Using proxy: http://127.0.0.1:8083
Load success for D:\DevDir\Go\gogo\v2\templates\neutron\http\HVVault\oa\金蝶OA\kingdee-erp-srm-scpsupreghandler-fileupload.yaml
OK: <nil>
Execution time: 841.3678ms

用nuclei和yakit都是可以扫出漏洞的，但是neutron不行

1. 将dsl改成 200 == 200 后，neutron显示OK: &{true false map[] map[] [] map[] map[] map[filename:OStCs]}
2. 改成status_code_1 == 200，neutron就不行了
3. status_code == 200，成功
4. - contains((body_1), 'true') ，失败
5. - contains((body), 'true')，成功
6. contains((body), '{{randstr}}')，失败

nuclei老版本使用req-condition 字段控制这个功能, 新版本已经是自动的. neutron也适配了对应的特性

[lovelyjuice]

现在测试这个poc不会漏报了。对于{{randstr_1}} 这种，我现在的打算是写一个转换脚本，给已有poc的variable部分全部加上'randstr_1: {{rand_base(5)}}'和'randstr_2: {{rand_base(5)}}'

[lovelyjuice]

还是有问题，最新的代码，使用shot.go测试poc不会将{{randstr}}转换为随机字符串再发包，而使用gogo的时候却是成功解析了这个随机变量，请求包中能看到随机字符串。

这是shot.go的

gogo的请求包

另外，neutron在匹配dsl的时候不会解析{{randstr}}，而是会当作常规字符串。因此gogo使用该poc时因为发出随机字符串，匹配{{randstr}}常规字符串，导致无法匹配成功；shot.go发出{{randstr}}常规字符串，匹配{{randstr}}常规字符串，导致反常地匹配成功。

调试gogo的时候我发现data变量里面根本没有randstr这个key，但是有poc自定义的变量filename

[M09Ic]

现在测试这个poc不会漏报了。对于{{randstr_1}} 这种，我现在的打算是写一个转换脚本，给已有poc的variable部分全部加上'randstr_1: {{rand_base(5)}}'和'randstr_2: {{rand_base(5)}}'

有一个不太通用的解决办法， 我可以把randstr_1到randstr_9 ， 以及16，32，64 这些常见的length手动注册进去， 但是更大的数字就无法一一覆盖， 你觉得这个办法如何？

[M09Ic]

shot中randstr未解析的问题我没有复现， 是否可以提供对应的测试yaml

id: CVE-2023-32315

info:
  name: Administration Console Authentication Bypass in Openfire Console
  author: vsh00t
  severity: high
  description: |
    Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0.
  remediation: |
    The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn’t available for a specific release, or isn’t quickly actionable, users may see the linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice.
  reference:
    - https://github.com/advisories/GHSA-gw42-f939-fhvm
    - https://nvd.nist.gov/vuln/detail/CVE-2023-32315
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
    cvss-score: 8.6
    cve-id: CVE-2023-32315
    cwe-id: CWE-22
  metadata:
    max-request: 1
    verified: true
    shodan-query: title:"openfire"
  tags: cve,cve2023,auth-bypass,openfire,console

http:
  - raw:
      - |+
        GET /setup/setup-s/{{randstr}}/log.jsp HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        
        {{randstr}}
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'class="head-num"'
        condition: and

      - type: status
        status:
          - 200

[M09Ic]

调试gogo的时候我发现data变量里面根本没有randstr这个key，但是有poc自定义的变量filename

我确认了一下, 在nuclei原本中, 也不会存在randstr

[lovelyjuice]

yaml就是一开始我提到的那个https://github.com/iamHuFei/HVVault/blob/4558fdb/oa/%E9%87%91%E8%9D%B6OA/kingdee-erp-srm-scpsupreghandler-fileupload.yaml

[M09Ic]

我用那个poc测试似乎不存在这个bug，你可以更新到最新的测试下

[lovelyjuice]

确实是我的问题，pull之后看到Already up to date.以为是最新了，结果忘了当前还有几个未追踪的修改，而且偏偏又不小心多注释掉了这一行

neutron/protocols/http/request_generator.go

Line 349 in 5f9e965

"randstr": dsl.RandStr(8),

[lovelyjuice]

不过最后dsl漏报的问题还是没解决，我用flask写了个demo放在云函数上

函数Url: ZFhKc09pQm9kSFJ3T2k4dk1USTFNalkxTWpNeU9DMWxkako0Y1dJd1pYSm1MbUZ3TFdkMVlXNW5lbWh2ZFM1MFpXNWpaVzUwYzJObUxtTnZiUzg9

[lovelyjuice]

from flask import Flask, request, Response, jsonify
import io

app = Flask(__name__)

# 全局变量用于存储上传的文件内容
uploaded_content = ""

@app.route('/k3cloud/SRM/ScpSupRegHandler', methods=['POST'])
def upload_file():
    global uploaded_content
    
    # 检查请求的Content-Type是否为multipart/form-data
    if request.content_type.startswith("multipart/form-data"):
        # 获取上传的文件
        uploaded_file = request.files.get('FAtt')
        if uploaded_file:
            # 读取文件内容并存储到全局变量
            uploaded_content = uploaded_file.read().decode('utf-8')
            
            # 返回成功的JSON响应
            return jsonify({
                "IsSuccess": True,
                "Msg": "附件保存成功！"
            }), 200
    
    return "Invalid request.", 400

@app.route('/K3Cloud/uploadfiles/<filename>.txt', methods=['GET'])
def serve_file(filename):
    global uploaded_content
    
    if not uploaded_content:
        return "No content uploaded yet.", 404
    return Response(uploaded_content, mimetype='text/plain')

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8090)