Latest Joomla-Vuln + Ruleset-Update

mex
15 Dec 2015, 02:15:13
to naxsi-discuss
Hi, just added some sigs against known exploits for jenkins and wp,
the rules themselves might be found here:
http://spike.nginx-goodies.com/rules/

for the latest joomla-vuln + exploit (see
https://blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html)
you might want to look at 42000343
http://spike.nginx-goodies.com/rules/edit/42000343
that detects generic PHP-Object-Attacks.
I modified this rule to check headers now as well,
updates are pushed to the repo already

MainRule "rx:O:\d+:.*:\d+:{(s|S):\d+:.*;.*}" "msg:possible PHP Object Injection" "mz:BODY|ARGS|HEADERS" "s:$ATTACK:8" id:42000343 ;


rules are available here: https://bitbucket.org/lazy_dogtown/doxi-rules

-----------------------------

[+] new sigs:
42000443 :: web_apps.rules :: WordPress XMLRPC Enumeration system.listMethods
42000444 :: web_apps.rules :: WordPress XMLRPC Enumeration system.getCapabilities
42000445 :: app_server.rules :: Possible Jenkins/Hudson RCE-Exploit
42000446 :: app_server.rules :: Jenkins User-Credentials-Access (POST)
42000447 :: app_server.rules :: Jenkins User-Credentials-Access (GET)
42000448 :: app_server.rules :: Possible Jenkins/Hudson RCE-Exploit
42000449 :: app_server.rules :: Possible Jenkins/Hudson RCE-Exploit (/script)
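
Added example (not part of the original post or of the doxi-rules repo): a small Python check that runs the regex from rule 42000343 over the three match zones named in its "mz:BODY|ARGS|HEADERS", to show which request parts trigger it. The function name, the sample requests and the use of Python's re in place of naxsi's regex engine are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, quote

# Pattern copied from rule 42000343 above. Python's re stands in for the
# regex engine naxsi uses, so treat the results as an approximation.
RULE_RX = re.compile(r"O:\d+:.*:\d+:{(s|S):\d+:.*;.*}")

# Constructed sample: a harmless serialized stdClass, not exploit data.
SAMPLE_OBJECT = 'O:8:"stdClass":1:{s:4:"name";s:3:"abc";}'
SAMPLE_ENCODED = quote(SAMPLE_OBJECT, safe="")


def scan_request(headers, query="", body=""):
    """Return the (zone, name) pairs whose value matches the rule.

    Follows the rule's "mz:BODY|ARGS|HEADERS": every header value, URL
    argument value and urlencoded form field value is tested.
    """
    zones = [
        ("HEADERS", list(headers.items())),
        ("ARGS", parse_qsl(query, keep_blank_values=True)),
        ("BODY", parse_qsl(body, keep_blank_values=True)),
    ]
    return [(zone, name)
            for zone, pairs in zones
            for name, value in pairs
            if RULE_RX.search(value)]


if __name__ == "__main__":
    # Constructed requests: (description, headers, query string, body)
    requests = [
        ("plain request", {"User-Agent": "Mozilla/5.0"}, "id=42&sort=name", ""),
        ("object in header", {"User-Agent": SAMPLE_OBJECT}, "", ""),
        ("object in argument", {"User-Agent": "curl/7.0"}, "data=" + SAMPLE_ENCODED, ""),
        ("object in form body", {}, "", "profile=" + SAMPLE_ENCODED),
        # Looks similar but has no "s:<len>:" member after the brace.
        ("empty object", {"X-Test": 'O:8:"stdClass":0:{}'}, "", ""),
    ]
    for label, headers, query, body in requests:
        print(f"{label:22} -> {scan_request(headers, query, body)}")
```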