From 33882e9fbed5ea28827fd9ce811eac952403ee8b Mon Sep 17 00:00:00 2001
From: Laurence
Date: Thu, 17 Oct 2024 15:48:58 +0100
Subject: [PATCH 1/2] enhance: add generic wordpress uploads directory execution of php like files
---
 .../generic-wordpress-uploads-php/config.yaml | 3 ++
 .../generic-wordpress-uploads-php.yaml | 50 +++++++++++++++++++
 .../generic-wordpress-uploads-php.yaml | 23 +++++++++
 .../crowdsecurity/appsec-generic-rules.yaml | 1 +
 .../crowdsecurity/appsec-wordpress.yaml | 1 +
 5 files changed, 78 insertions(+)
 create mode 100644 .appsec-tests/generic-wordpress-uploads-php/config.yaml
 create mode 100644 .appsec-tests/generic-wordpress-uploads-php/generic-wordpress-uploads-php.yaml
 create mode 100644 appsec-rules/crowdsecurity/generic-wordpress-uploads-php.yaml
diff --git a/.appsec-tests/generic-wordpress-uploads-php/config.yaml b/.appsec-tests/generic-wordpress-uploads-php/config.yaml
new file mode 100644
index 00000000000..f7c1f53ba3c
--- /dev/null
+++ b/.appsec-tests/generic-wordpress-uploads-php/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+- ./appsec-rules/crowdsecurity/generic-wordpress-uploads-php.yaml
+nuclei_template: generic-wordpress-uploads-php.yaml
diff --git a/.appsec-tests/generic-wordpress-uploads-php/generic-wordpress-uploads-php.yaml b/.appsec-tests/generic-wordpress-uploads-php/generic-wordpress-uploads-php.yaml
new file mode 100644
index 00000000000..11abc6cf977
--- /dev/null
+++ b/.appsec-tests/generic-wordpress-uploads-php/generic-wordpress-uploads-php.yaml
@@ -0,0 +1,50 @@
+id: generic-wordpress-uploads-php
+info:
+ name: generic-wordpress-uploads-php
+ author: crowdsec
+ severity: info
+ description: generic-wordpress-uploads-php testing
+ tags: appsec-testing
+http:
+ - raw:
+ - |
+ GET /wp-content/uploads/2024/10/test.php?exec=id HTTP/1.1
+ Host: {{Hostname}}
+ - |
+ GET /wp-content/uploads/2024/10/test.phtml?exec=id HTTP/1.1
+ Host: {{Hostname}}
+ - |
+ GET /wp-content/uploads/2024/10/test.hphp?exec=id HTTP/1.1
+ Host: {{Hostname}}
+ - |
+ GET /wp-content/uploads/2024/10/test.shtml?exec=id HTTP/1.1
+ Host: {{Hostname}}
+ - |
+ GET /wp-content/uploads/2024/10/test.module?exec=id HTTP/1.1
+ Host: {{Hostname}}
+ - |
+ GET /wp-content/uploads/2024/10/test.phar?exec=id HTTP/1.1
+ Host: {{Hostname}}
+ - |
+ GET /wp-content/uploads/2024/10/test.phtm?exec=id HTTP/1.1
+ Host: {{Hostname}}
+ - |
+ GET /wp-content/uploads/2024/10/test.pht?exec=id HTTP/1.1
+ Host: {{Hostname}}
+ - |
+ GET /wp-content/uploads/2024/10/test.php7?exec=id HTTP/1.1
+ Host: {{Hostname}}
+ matchers:
+ - type: dsl
+ condition: and
+ dsl:
+ - "status_code_1 == 403"
+ - "status_code_2 == 403"
+ - "status_code_3 == 403"
+ - "status_code_4 == 403"
+ - "status_code_5 == 403"
+ - "status_code_6 == 403"
+ - "status_code_7 == 403"
+ - "status_code_8 == 403"
+ - "status_code_9 == 403"
+
diff --git a/appsec-rules/crowdsecurity/generic-wordpress-uploads-php.yaml b/appsec-rules/crowdsecurity/generic-wordpress-uploads-php.yaml
new file mode 100644
index 00000000000..3964b6275f1
--- /dev/null
+++ b/appsec-rules/crowdsecurity/generic-wordpress-uploads-php.yaml
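Review bot: The `dsl` matcher only asserts that all nine probes are blocked, so it cannot distinguish a correct rule from one that blocks the whole uploads directory; a tenth request for a benign asset such as `GET /wp-content/uploads/2024/10/image.png HTTP/1.1` with `- "status_code_10 == 200"` in the list would pin the negative case. All nine positive probes also use a lowercase, un-encoded path, so the rule's `lowercase` and `urldecode` transforms are never exercised by this test; one probe with a mixed-case extension (for example `test.PhP`) would cover the lowercase step. The `info.description` is just the template name repeated; something like `description: checks that PHP-like extensions under /wp-content/uploads/ are rejected` tells a reader what the template asserts.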
@@ -0,0 +1,23 @@
+name: crowdsecurity/generic-wordpress-uploads-php
+description: "Detect php execution in wordpress uploads directory"
+rules:
+ - and:
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ - urldecode
+ match:
+ type: regex
+ value: '/wp-content/uploads/.*\.(h?ph(p|tm?l?|ar)|module|shtml)'
+
+labels:
+ type: exploit
+ service: http
+ confidence: 2
+ spoofable: 0
+ behavior: "http:exploit"
+ label: "Detect Wordpress PHP execution in uploads directory"
+ classification:
+ - attack.T1595
+ - attack.T1190
\ No newline at end of file
diff --git a/collections/crowdsecurity/appsec-generic-rules.yaml b/collections/crowdsecurity/appsec-generic-rules.yaml
index 9fa18226f17..150f3d36a01 100644
--- a/collections/crowdsecurity/appsec-generic-rules.yaml
+++ b/collections/crowdsecurity/appsec-generic-rules.yaml
@@ -2,6 +2,7 @@ name: crowdsecurity/appsec-generic-rules
 appsec-rules:
 - crowdsecurity/base-config
 - crowdsecurity/generic-freemarker-ssti
+ - crowdsecurity/generic-wordpress-uploads-php
 appsec-configs:
 - crowdsecurity/generic-rules
 - crowdsecurity/appsec-default
diff --git a/collections/crowdsecurity/appsec-wordpress.yaml b/collections/crowdsecurity/appsec-wordpress.yaml
index ac768891cf5..4ae06a6bac6 100644
--- a/collections/crowdsecurity/appsec-wordpress.yaml
+++ b/collections/crowdsecurity/appsec-wordpress.yaml
@@ -12,6 +12,7 @@ appsec-rules:
 - crowdsecurity/vpatch-CVE-2023-6623
 - crowdsecurity/vpatch-CVE-2024-1061
 - crowdsecurity/vpatch-CVE-2024-1071
+ - crowdsecurity/generic-wordpress-uploads-php
 appsec-configs:
 - crowdsecurity/virtual-patching
 description: "A virtual patching collection, suitable for WordPress websites"
From 9f93d6bb6be4a065e01ea71ec948480ff57d7e0e Mon Sep 17 00:00:00 2001
From: Laurence
Date: Thu, 17 Oct 2024 16:06:12 +0100
Subject: [PATCH 2/2] enhance: manually run index workflow
---
 .index.json | 47 +++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 41 insertions(+), 6 deletions(-)
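Review bot: The `transform` list runs `lowercase` before `urldecode`, so a percent-encoded upper-case letter inside the extension is only decoded after the lowercasing step and reaches the regex in upper case, where the literal `php` does not match; if transforms are applied in list order (as they appear to be), swapping them to `- urldecode` followed by `- lowercase` closes that gap. The `value` regex is also open-ended on the right, so any upload path whose filename merely starts an extension with `.phar`, `.pht` or `.module` (`report.pharmacy.pdf`, `modules.docx`) is blocked as well; a terminator such as `'/wp-content/uploads/.*\.(h?ph(p|tm?l?|ar)|module|shtml)(?:[./?]|$)'` keeps the double-extension case the author seems to want while dropping those false positives. Finally, `description` and `label` say "php execution", but the rule only observes a request for a PHP-like path, not that anything ran; "Detect requests for PHP-like files in the WordPress uploads directory" states what is actually matched.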
diff --git a/.index.json b/.index.json index 6fb81d5a880..f6614c05d18 100644 --- a/.index.json +++ b/.index.json @@ -149,6 +149,31 @@ "type": "exploit" } }, + "crowdsecurity/generic-wordpress-uploads-php": { + "path": "appsec-rules/crowdsecurity/generic-wordpress-uploads-php.yaml", + "version": "0.1", + "versions": { + "0.1": { + "digest": "6f367a1b94adcc96f3494a5703cddb325686b2a9ce1ed31949ca61076d5b80c6", + "deprecated": false + } + }, + "content": "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", + "description": "Detect php execution in wordpress uploads directory", + "author": "crowdsecurity", + "labels": { + "behavior": "http:exploit", + "classification": [ + "attack.T1595", + "attack.T1190" + ], + "confidence": 2, + "label": "Detect Wordpress PHP execution in uploads directory", + "service": "http", + "spoofable": 0, + "type": "exploit" + } + }, "crowdsecurity/vpatch-CVE-2017-9841": { "path": "appsec-rules/crowdsecurity/vpatch-CVE-2017-9841.yaml", "version": "0.3", @@ -3151,7 +3176,7 @@ }, "crowdsecurity/appsec-generic-rules": { "path": "collections/crowdsecurity/appsec-generic-rules.yaml", - "version": "0.5", + "version": "0.6", "versions": { "0.1": { "digest": "f538ca65415d016977a2ed77939df0cecdea212bb16c3e1c22f1df0b1ec2775b", @@ -3172,10 +3197,14 @@ "0.5": { "digest": "712078647aa7414a2447248cbf68a75919be37767452b14cb7e0b845e51d9972", "deprecated": false + }, + "0.6": { + "digest": "7428b01d3f12284c6a5e4db84c641ee0bfa37672911e364fabe8ffea816fcd83", + "deprecated": false } }, "long_description": "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", - "content": "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", + "content": "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", "description": "A collection of generic attack vectors for additional protection.", "author": "crowdsecurity", "labels": null, 
@@ -3187,7 +3216,8 @@ ], "appsec-rules": [ "crowdsecurity/base-config", - "crowdsecurity/generic-freemarker-ssti" + "crowdsecurity/generic-freemarker-ssti", + "crowdsecurity/generic-wordpress-uploads-php" ], "appsec-configs": [ "crowdsecurity/generic-rules", @@ -3447,7 +3477,7 @@ }, "crowdsecurity/appsec-wordpress": { "path": "collections/crowdsecurity/appsec-wordpress.yaml", - "version": "0.2", + "version": "0.3", "versions": { "0.1": { "digest": "6e7995f560a05aa0229b9aa7a4ff23d1d6418777ab4e732be74d52bea2d875f7", @@ -3456,10 +3486,14 @@ "0.2": { "digest": "6b682d61b32739dbea965b3dfc34d2c9f19577216fe49b7ea905d733d25c68e6", "deprecated": false + }, + "0.3": { + "digest": "db408d5534c3d187fa010e2889f0e79a3ac840ae055bcd7f1d01e1f57a51dbaf", + "deprecated": false } }, "long_description": "IyBBcHBTZWMgV29yZFByZXNzIFZpcnR1YWwgUGF0Y2hpbmcKClRoaXMgY29sbGVjdGlvbiBjb250YWlucyB2aXJ0dWFsIHBhdGNoaW5nIGZvciBrbm93biBXb3JkUHJlc3MgdnVsbmVyYWJpbGl0aWVzLiBUaGUgZ29hbCBpcyB0byBwcm92aWRlIHZpcnR1YWwgcGF0Y2hpbmcgY2FwYWJpbGl0aWVzIGZvciB0aGUgbW9zdCBvZnRlbiBleHBsb2l0ZWQgdnVsbmVyYWJpbGl0aWVzLgo=", - "content": "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", + "content": "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", "description": "A virtual patching collection, suitable for WordPress websites", "author": "crowdsecurity", "labels": null, @@ -3475,7 +3509,8 @@ "crowdsecurity/vpatch-CVE-2023-6567", "crowdsecurity/vpatch-CVE-2023-6623", "crowdsecurity/vpatch-CVE-2024-1061", - "crowdsecurity/vpatch-CVE-2024-1071" + "crowdsecurity/vpatch-CVE-2024-1071", + "crowdsecurity/generic-wordpress-uploads-php" ], "appsec-configs": [ "crowdsecurity/virtual-patching"