Add more appsec vpatch rules (#1134)

.appsec-tests/vpatch-CVE-2018-20062/config.yaml

@@ -0,0 +1,3 @@
+appsec-rules:
+    - ./appsec-rules/crowdsecurity/vpatch-CVE-2018-20062.yaml
+nuclei_template: vpatch-CVE-2018-20062.yaml

.appsec-tests/vpatch-CVE-2018-20062/vpatch-CVE-2018-20062.yaml

@@ -0,0 +1,31 @@
+id: vpatch-CVE-2018-20062
+info:
+  name: vpatch-CVE-2018-20062
+  author: crowdsec
+  severity: info
+  description: vpatch-CVE-2018-20062 testing
+  tags: appsec-testing
+http:
+#this is a dummy request, edit the request(s) to match your needs
+  - raw:
+    - |
+      GET /public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=php%20-r%20'phpinfo();' HTTP/1.1
+      Host: {{Hostname}}
+    - |
+      GET /public/index.php?s=foo' HTTP/1.1
+      Host: {{Hostname}}
+    - |
+      GET /public/index.php?s=' HTTP/1.1
+      Host: {{Hostname}}
+
+
+    cookie-reuse: true
+#test will fail because we won't match http status 
+    matchers:
+    - type: dsl
+      condition: and
+      dsl:
+       - "status_code_1 == 403"
+       - "status_code_2 == 404"
+       - "status_code_3 == 404"
+

.appsec-tests/vpatch-CVE-2021-26086/config.yaml

@@ -0,0 +1,3 @@
+appsec-rules:
+    - ./appsec-rules/crowdsecurity/vpatch-CVE-2021-26086.yaml
+nuclei_template: vpatch-CVE-2021-26086.yaml

.appsec-tests/vpatch-CVE-2021-26086/vpatch-CVE-2021-26086.yaml

@@ -0,0 +1,43 @@
+id: vpatch-CVE-2021-26086
+info:
+  name: vpatch-CVE-2021-26086
+  author: crowdsec
+  severity: info
+  description: vpatch-CVE-2021-26086 testing
+  tags: appsec-testing
+http:
+  - raw:
+     - |
+        GET /s/{{randstr}}/_/%3b/WEB-INF/web.xml HTTP/1.1
+        Host: {{Hostname}}
+     - |
+        GET /s/{{randstr}}/_/;/WEB-INF/classes/seraph-config.xml HTTP/1.1
+        Host: {{Hostname}}
+     - |
+        GET /s/{{randstr}}/_/%3b/WEB-INF/decorators.xml HTTP/1.1
+        Host: {{Hostname}}
+     - |
+        GET /s/{{randstr}}/_/%3b/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1
+        Host: {{Hostname}}
+     - |
+        GET /s/{{randstr}}/_/%3b/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml HTTP/1.1
+        Host: {{Hostname}}
+     - |
+        GET /s/{{randstr}}/_/%3b/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml HTTP/1.1
+        Host: {{Hostname}}
+     - |
+        GET /s/{{randstr}}/_/%3b/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties HTTP/1.1
+        Host: {{Hostname}}
+
+    cookie-reuse: true
+    matchers:
+      - type: dsl
+        condition: and
+        dsl:
+          - "status_code_1 == 403"
+          - "status_code_2 == 403"
+          - "status_code_3 == 403"
+          - "status_code_4 == 403"
+          - "status_code_5 == 403"
+          - "status_code_6 == 403"
+          - "status_code_7 == 403"

.appsec-tests/vpatch-CVE-2024-28987/config.yaml

@@ -0,0 +1,3 @@
+appsec-rules:
+    - ./appsec-rules/crowdsecurity/vpatch-CVE-2024-28987.yaml
+nuclei_template: vpatch-CVE-2024-28987.yaml

.appsec-tests/vpatch-CVE-2024-28987/vpatch-CVE-2024-28987.yaml

@@ -0,0 +1,21 @@
+id: vpatch-CVE-2024-28987
+info:
+  name: vpatch-CVE-2024-28987
+  author: crowdsec
+  severity: info
+  description: vpatch-CVE-2024-28987 testing
+  tags: appsec-testing
+http:
+#this is a dummy request, edit the request(s) to match your needs
+  - raw:
+    - |
+      GET / HTTP/1.1
+      Host: {{Hostname}}
+      Authorization: aGVscGRlc2tJbnRlZ3JhdGlvblVzZXI6ZGV2LUM0RjgwMjVFNw==
+
+    cookie-reuse: true
+#test will fail because we won't match http status 
+    matchers:
+    - type: status
+      status:
+       - 403

.appsec-tests/vpatch-CVE-2024-38856/config.yaml

@@ -0,0 +1,3 @@
+appsec-rules:
+    - ./appsec-rules/crowdsecurity/vpatch-CVE-2024-38856.yaml
+nuclei_template: vpatch-CVE-2024-38856.yaml

.appsec-tests/vpatch-CVE-2024-38856/vpatch-CVE-2024-38856.yaml

@@ -0,0 +1,48 @@
+id: vpatch-CVE-2024-38856
+info:
+  name: vpatch-CVE-2024-38856
+  author: crowdsec
+  severity: info
+  description: vpatch-CVE-2024-38856 testing
+  tags: appsec-testing
+http:
+  - raw:
+    - |
+      POST /{{randstr}}/webtools/control/forgotPassword/ProgramExport HTTP/1.1
+      Content-Type: application/x-www-form-urlencoded
+      Host: {{Hostname}}
+
+      groovyProgram=throw+new+Exception('id'.execute().text)
+    - |
+      POST /{{randstr}}/webtools/control/main/ProgramExport HTTP/1.1
+      Content-Type: application/x-www-form-urlencoded
+      Host: {{Hostname}}
+
+      groovyProgram=throw+new+Exception('id'.execute().text)
+    - |
+      POST /{{randstr}}/webtools/control/view/ProgramExport HTTP/1.1
+      Content-Type: application/x-www-form-urlencoded
+      Host: {{Hostname}}
+
+      groovyProgram=throw+new+Exception('id'.execute().text)#
+    - |
+      POST /{{randstr}}/webtools/control/testService/ProgramExport HTTP/1.1
+      Content-Type: application/x-www-form-urlencoded
+      Host: {{Hostname}}
+
+      groovyProgram=throw+new+Exception('id'.execute().text)
+    - |
+      GET /{{randstr}}/webtools/control/testService/ProgramExport?groovyProgram=throw+new+Exception('id'.execute().text) HTTP/1.1
+      Host: {{Hostname}}
+
+    cookie-reuse: true
+#test will fail because we won't match http status 
+    matchers:
+      - type: dsl
+        condition: and
+        dsl:
+          - "status_code_1 == 403"
+          - "status_code_2 == 403"
+          - "status_code_3 == 403"
+          - "status_code_4 == 403"
+          - "status_code_5 == 403"

appsec-rules/crowdsecurity/vpatch-CVE-2018-20062.yaml

@@ -0,0 +1,43 @@
+name: crowdsecurity/vpatch-CVE-2018-20062
+description: "ThinkPHP - RCE (CVE-2018-20062)"
+rules:
+  - and:
+    - zones:
+      - URI
+      transform:
+      - lowercase
+      match:
+        type: endsWith
+        value: index.php
+    - zones:
+      - ARGS
+      variables:
+      - s
+      transform:
+      - lowercase
+      match:
+        type: contains
+        value: think
+    - zones:
+      - ARGS
+      variables:
+      - s
+      transform:
+      - lowercase
+      match:
+        type: regex
+        value: "[^A-Za-z0-9_.]*"
+labels:
+  type: exploit
+  service: http
+  confidence: 3
+  spoofable: 0
+  behavior: "http:exploit"
+  label: "ThinkPHP - RCE"
+  references:
+    - https://nvd.nist.gov/vuln/detail/CVE-2018-20062
+    - https://www.exploit-db.com/exploits/45978
+  classification:
+   - cve.CVE-2018-20062
+   - attack.T1595
+   - attack.T1190

appsec-rules/crowdsecurity/vpatch-CVE-2021-26086.yaml

@@ -0,0 +1,34 @@
+name: crowdsecurity/vpatch-CVE-2021-26086
+description: "Atlassian Jira Server/Data Center 8.4.0 - Limited Remote File Read/Include (CVE-2021-26086)"
+rules:
+  - or:
+      - zones:
+          - URI
+        transform:
+          - lowercase
+        match:
+          type: contains
+          value: /;/web-inf/
+      - zones:
+          - URI
+        transform:
+          - lowercase
+        match:
+          type: contains
+          value: /;/meta-inf/
+
+labels:
+   type: exploit
+   service: http
+   confidence: 3
+   spoofable: 0
+   behavior: "http:exploit"
+   label: "Atlassian Jira Server/Data Center 8.4.0 File Read"
+   references:
+    - https://github.com/ColdFusionX/CVE-2021-26086
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-26086
+   classification:
+     - cve.CVE-2021-26086
+     - CWE.22
+     - attack.T1595
+     - attack.T1190

appsec-rules/crowdsecurity/vpatch-CVE-2024-28987.yaml

@@ -0,0 +1,27 @@
+
+name: crowdsecurity/vpatch-CVE-2024-28987
+description: "SolarWinds WHD Hardcoded Credentials (CVE-2024-28987)"
+rules:
+  - and:
+    - zones:
+      - HEADERS
+      variables:
+      - Authorization
+      transform:
+      - b64decode
+      - lowercase
+      match:
+        type: contains
+        value: "helpdeskintegrationuser:dev-c4f8025e7"
+labels:
+  type: exploit
+  service: http
+  confidence: 3
+  spoofable: 0
+  behavior: "http:exploit"
+  label: "SolarWinds WHD Hardcoded Credentials"
+  classification:
+   - cve.CVE-2024-28987
+   - attack.T1595
+   - attack.T1190
+   - cwe.CWE-798

appsec-rules/crowdsecurity/vpatch-CVE-2024-38856.yaml

@@ -0,0 +1,38 @@
+name: crowdsecurity/vpatch-CVE-2024-38856
+description: "Apache OFBiz Incorrect Authorization (CVE-2024-38856)"
+rules:
+  - and:
+      - zones:
+          - METHOD
+        match:
+          type: regex
+          value: (GET|POST)
+      - zones:
+          - URI
+        transform:
+          - lowercase
+        match:
+          type: regex
+          value: /webtools/control/(main|view|testservice|showdatetime|forgotpassword)/programexport
+      - zones:
+          - BODY_ARGS
+          - ARGS
+        variables:
+          - groovyProgram
+        transform:
+          - count
+        match:
+          type: gte
+          value: 1
+labels:
+  type: exploit
+  service: http
+  confidence: 3
+  spoofable: 0
+  behavior: "http:exploit"
+  label: "Apache OFBiz Incorrect Authorization"
+  classification:
+    - cve.CVE-2024-38856
+    - attack.T1595
+    - attack.T1190
+    - cwe.CWE-853

collections/crowdsecurity/appsec-virtual-patching.yaml

@@ -64,6 +64,10 @@ appsec-rules:
 - crowdsecurity/vpatch-CVE-2022-41082
 - crowdsecurity/vpatch-CVE-2019-18935
 - crowdsecurity/vpatch-CVE-2024-8190
+- crowdsecurity/vpatch-CVE-2024-28987
+- crowdsecurity/vpatch-CVE-2024-38856
+- crowdsecurity/vpatch-CVE-2018-20062
+- crowdsecurity/vpatch-CVE-2021-26086
 author: crowdsecurity
 contexts:
 - crowdsecurity/appsec_base