From 01fa7f9f7bc4a455dc8b9cf02a269c05739628a4 Mon Sep 17 00:00:00 2001
From: Yury Sidarenka
Date: Fri, 19 Jul 2024 01:52:42 +0300
Subject: [PATCH 1/3] Updated bitrix-panel template

---
 http/exposed-panels/bitrix-panel.yaml | 42 +++++++++++++++++----------
 1 file changed, 26 insertions(+), 16 deletions(-)

diff --git a/http/exposed-panels/bitrix-panel.yaml b/http/exposed-panels/bitrix-panel.yaml
index 7b90853823d..c5a21f6a7fa 100644
--- a/http/exposed-panels/bitrix-panel.yaml
+++ b/http/exposed-panels/bitrix-panel.yaml
@@ -2,7 +2,7 @@ id: bitrix-login
 info:
   name: Bitrix Login Panel
-  author: juicypotato1
+  author: malwarework
   severity: info
   description: Bitrix24 is a unified work space that places a complete set of business tools into a single, intuitive interface.
   classification:
@@ -18,22 +18,32 @@ info:
 
 http:
   - method: GET
-    path:
-      - "{{BaseURL}}/bitrix/admin/"
 
-    host-redirects: true
     max-redirects: 2
 
-    matchers-condition: and
-    matchers:
-      - type: word
-        words:
-          - "USER_LOGIN"
-          - "/bitrix/js/main/"
-        part: body
-        condition: and
+    payloads:
+      payload:
+        - "/bitrix/components/bitrix/map.yandex.view/settings/settings.php"
+        - "/bitrix/components/bitrix/map.yandex.search/settings/settings.php"
+        - "/bitrix/components/bitrix/map.google.search/settings/settings.php"
+        - "/bitrix/components/bitrix/map.google.view/settings/settings.php"
+        - "/bitrix/admin/"
 
-      - type: status
-        status:
-          - 200
-# digest: 4a0a0047304502205c0b7a4a474bfad77d7caee6e5094a17fc30480c4bb7984c058f33c1597961750221008af382be31ff547030a86cf127a555ba2c5df6af24a798025c9b5d7c6c67e13d:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
+    fuzzing:
+      - part: path
+        mode: single
+        type: postfix
+        fuzz:
+          - "{{payload}}"
+
+    stop-at-first-match: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code==200 && contains(body, "USER_LOGIN") && contains(body, "/bitrix/js/main/")'
+          - 'status_code==200 && contains(body, "Авторизация")'
+          - 'status_code==200 && contains(body, "Пожалуйста, авторизуйтесь")'
+          - 'status_code==200 && contains(body, "Authorization")'
+          - 'status_code==200 && contains(body, "Please log in")'
+          - 'status_code==200 && contains(body, "/bitrix/js/main/")'
+        condition: or
\ No newline at end of file

From 70c856a9fd500f7c21083548055ff7c0b521747c Mon Sep 17 00:00:00 2001
From: Yury Sidarenka
Date: Fri, 19 Jul 2024 10:21:52 +0300
Subject: [PATCH 2/3] Change comparison

---
 http/exposed-panels/bitrix-panel.yaml | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/http/exposed-panels/bitrix-panel.yaml b/http/exposed-panels/bitrix-panel.yaml
index c5a21f6a7fa..91bf872b0e9 100644
--- a/http/exposed-panels/bitrix-panel.yaml
+++ b/http/exposed-panels/bitrix-panel.yaml
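Review bot: `max-redirects: 2` is kept while the `host-redirects: true` line beside it is removed, so, as far as I recall nuclei's request options, redirects are no longer followed at all and a `/bitrix/admin/` that answers with a redirect to the login form never reaches the matchers; keep `host-redirects: true` next to `max-redirects: 2`. Two of the new DSL alternatives, `contains(body, "Authorization")` and `contains(body, "Please log in")`, match any English login or HTTP-auth page served under the probed paths and will mis-tag non-Bitrix hosts as a Bitrix panel; limit the list to the Bitrix-specific markers or AND each generic string with `contains(body, "/bitrix/js/main/")`. The five `payload` entries mean up to five requests per target, so `max-request: 1` under `info.metadata` (outside this hunk) no longer describes the template and should become 5. `fuzzing:` rules are, if I remember correctly, only evaluated when nuclei runs with its DAST/fuzzing mode enabled, which would leave this exposed-panel template inert in a default scan; a plain `path:` list of the same URLs avoids that dependency.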
@@ -37,13 +37,20 @@ http:
           - "{{payload}}"
 
     stop-at-first-match: true
+    matchers-condition: and
     matchers:
       - type: dsl
         dsl:
-          - 'status_code==200 && contains(body, "USER_LOGIN") && contains(body, "/bitrix/js/main/")'
-          - 'status_code==200 && contains(body, "Авторизация")'
-          - 'status_code==200 && contains(body, "Пожалуйста, авторизуйтесь")'
-          - 'status_code==200 && contains(body, "Authorization")'
-          - 'status_code==200 && contains(body, "Please log in")'
-          - 'status_code==200 && contains(body, "/bitrix/js/main/")'
+          - 'contains(body, "USER_LOGIN") && contains(body, "/bitrix/js/main/")'
+          - 'contains(body, "Авторизация")'
+          - 'contains(body, "Пожалуйста, авторизуйтесь")'
+          - 'contains(body, "Authorization")'
+          - 'contains(body, "Please log in")'
+          - 'contains(body, "/bitrix/js/main/")'
+        condition: or
- type: status
+        status:
+          - 200
+          - 403
+          - 401
         condition: or
\ No newline at end of file

From d5994fb03e6d00ea723b61606994a5db3b7fa6b2 Mon Sep 17 00:00:00 2001
From: sandeep <8293321+ehsandeep@users.noreply.github.com>
Date: Mon, 30 Dec 2024 14:43:36 +0530
Subject: [PATCH 3/3] removed extra path and extra (weak) matchers

---
 http/exposed-panels/bitrix-panel.yaml | 48 ++++++++------------------
 1 file changed, 13 insertions(+), 35 deletions(-)

diff --git a/http/exposed-panels/bitrix-panel.yaml b/http/exposed-panels/bitrix-panel.yaml
index a3bd7bd058e..acf1cd7a422 100644
--- a/http/exposed-panels/bitrix-panel.yaml
+++ b/http/exposed-panels/bitrix-panel.yaml
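Review bot: Adding 401 and 403 to the status matcher while the DSL list still carries `contains(body, "Authorization")` turns a stock web-server 401 page — whose default body on Apache reads "Authorization Required" — into a Bitrix panel finding, because `matchers-condition: and` is satisfied by that one generic string plus the 401. The same holds for `contains(body, "Please log in")` on any 403 that renders a generic login prompt. Keep the Bitrix-specific expressions (`USER_LOGIN` with `/bitrix/js/main/`, the two Russian strings, `/bitrix/js/main/`) and drop the two generic ones or qualify each with `&& contains(body, "/bitrix/")`; if 401/403 stay in the status list, add a comment above `- type: status` naming the Bitrix response that is known to return them. The request definition this matcher belongs to starts above the hunk.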
@@ -2,14 +2,16 @@ id: bitrix-login
 info:
   name: Bitrix Login Panel
-  author: malwarework
+  author: juicypotato1,malwarework
   severity: info
-  description: Bitrix24 is a unified work space that places a complete set of business tools into a single, intuitive interface.
+  description: |
+    Bitrix24 is a unified work space that places a complete set of business tools into a single, intuitive interface.
   classification:
     cwe-id: CWE-200
     cpe: cpe:2.3:a:bitrix:bitrix24:*:*:*:*:*:*:*:*
   metadata:
     max-request: 1
+    verified: true
     vendor: bitrix
     product: bitrix24
     shodan-query: http.html:"/bitrix/"
@@ -18,40 +20,16 @@ info:
 
 http:
   - method: GET
+    path:
+      - "{{BaseURL}}/bitrix/admin/"
+      - "{{BaseURL}}/bitrix/components/bitrix/map.yandex.view/settings/settings.php"
 
+    host-redirects: true
     max-redirects: 2
-
-    payloads:
-      payload:
-        - "/bitrix/components/bitrix/map.yandex.view/settings/settings.php"
-        - "/bitrix/components/bitrix/map.yandex.search/settings/settings.php"
-        - "/bitrix/components/bitrix/map.google.search/settings/settings.php"
-        - "/bitrix/components/bitrix/map.google.view/settings/settings.php"
-        - "/bitrix/admin/"
-
-    fuzzing:
-      - part: path
-        mode: single
-        type: postfix
-        fuzz:
-          - "{{payload}}"
 
-    stop-at-first-match: true
-    matchers-condition: and
     matchers:
-      - type: dsl
-        dsl:
-          - 'contains(body, "USER_LOGIN") && contains(body, "/bitrix/js/main/")'
-          - 'contains(body, "Авторизация")'
-          - 'contains(body, "Пожалуйста, авторизуйтесь")'
-          - 'contains(body, "Authorization")'
-          - 'contains(body, "Please log in")'
-          - 'contains(body, "/bitrix/js/main/")'
-        condition: or
-      - type: status
-        status:
-          - 200
-          - 403
-          - 401
-        condition: or
-
+      - type: word
+        words:
+          - "USER_LOGIN"
+          - "/bitrix/js/main/"
+        condition: and
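Review bot: `max-request: 1` in the `info.metadata` context of this patch's first hunk no longer matches the request block, whose `path:` list now holds two URLs and so sends up to two requests per host; change it to `max-request: 2`. Removing `stop-at-first-match: true` together with the payload block means the second path is requested even when `/bitrix/admin/` has already matched, so re-adding `stop-at-first-match: true` under `max-redirects: 2` keeps the common case at one request. The `condition: and` word matcher on `USER_LOGIN` and `/bitrix/js/main/` restores the original fingerprint; a one-line comment above `path:` explaining why the Yandex map settings page is kept as the second probe would spare the next maintainer the archaeology through these three commits.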