gandalf/secubox-openwrt
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
ac7912e0a1
secubox-openwrt/package/secubox/secubox-app-mitmproxy/files/srv/mitmproxy/waf-rules.json
CyberMind-FR a469076297 feat(waf): Add CVE-2025-14528 router botnet detection 
Add new router_botnet WAF category for IoT/router exploitation:

CVE-2025-14528 (D-Link DIR-803 getcfg.php):
- AUTHORIZED_GROUP parameter manipulation
- SERVICES=DEVICE.ACCOUNT enumeration
- Newline injection bypass (%0a, %0d)

Additional router exploit patterns:
- D-Link hedwig.cgi, HNAP, service.cgi RCE
- UPnP SOAP injection
- Goform command injection
- ASUS/TP-Link/Netgear/Zyxel exploits

Mirai-variant botnet scanner detection:
- User-Agent signatures (Mirai, Hajime, Mozi, BotenaGo, etc.)
- Router payload injection patterns

Sources: CrowdSec Threat Intel, Global Security Mag

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-24 11:04:05 +01:00

222 lines
14 KiB
JSON
Raw Blame History

{
"_meta": {
"version": "1.2.0",
"updated": "2026-02-24",
"sources": ["OWASP Top 10", "CERT advisories", "CVE database", "VoIP Security Research", "XMPP Standards Foundation", "CrowdSec Threat Intel"]
},
"categories": {
"sqli": {
"name": "SQL Injection",
"severity": "critical",
"enabled": true,
"owasp": "A03:2021",
"patterns": [
{"id": "sqli-001", "pattern": "union\\s+(all\\s+)?select", "desc": "UNION-based injection"},
{"id": "sqli-002", "pattern": "['\"]\\s*(or|and)\\s*['\"]?\\d", "desc": "Boolean-based injection"},
{"id": "sqli-003", "pattern": "(sleep|benchmark|waitfor|pg_sleep)\\s*\\(", "desc": "Time-based blind injection"},
{"id": "sqli-004", "pattern": "information_schema\\.", "desc": "Schema enumeration"},
{"id": "sqli-005", "pattern": "(load_file|into\\s+outfile|into\\s+dumpfile)", "desc": "File operations"},
{"id": "sqli-006", "pattern": "group\\s+by.+having", "desc": "HAVING clause injection"},
{"id": "sqli-007", "pattern": "order\\s+by\\s+\\d+(,\\d+)*--", "desc": "ORDER BY injection"}
]
},
"xss": {
"name": "Cross-Site Scripting",
"severity": "high",
"enabled": true,
"owasp": "A03:2021",
"patterns": [
{"id": "xss-001", "pattern": "<script[^>]*>", "desc": "Script tag injection"},
{"id": "xss-002", "pattern": "javascript\\s*:", "desc": "JavaScript protocol"},
{"id": "xss-003", "pattern": "on(error|load|click|mouse|focus|blur)\\s*=", "desc": "Event handler injection"},
{"id": "xss-004", "pattern": "<iframe[^>]*>", "desc": "Iframe injection"},
{"id": "xss-005", "pattern": "<svg[^>]*onload", "desc": "SVG-based XSS"},
{"id": "xss-006", "pattern": "expression\\s*\\(", "desc": "CSS expression injection"}
]
},
"lfi": {
"name": "Local File Inclusion",
"severity": "critical",
"enabled": true,
"owasp": "A01:2021",
"patterns": [
{"id": "lfi-001", "pattern": "\\.\\./", "desc": "Directory traversal"},
{"id": "lfi-002", "pattern": "/etc/(passwd|shadow|hosts)", "desc": "System file access"},
{"id": "lfi-003", "pattern": "/proc/(self|version|cmdline)", "desc": "Proc filesystem access"},
{"id": "lfi-004", "pattern": "php://filter", "desc": "PHP filter wrapper"},
{"id": "lfi-005", "pattern": "file://", "desc": "File protocol"},
{"id": "lfi-006", "pattern": "expect://", "desc": "Expect wrapper RCE"}
]
},
"rce": {
"name": "Remote Code Execution",
"severity": "critical",
"enabled": true,
"owasp": "A03:2021",
"patterns": [
{"id": "rce-001", "pattern": ";\\s*(cat|ls|id|whoami|uname|pwd)", "desc": "Command chaining"},
{"id": "rce-002", "pattern": "\\|\\s*(cat|ls|id|whoami|bash|sh)", "desc": "Pipe injection"},
{"id": "rce-003", "pattern": "\\$\\((cat|ls|id|whoami)", "desc": "Command substitution"},
{"id": "rce-004", "pattern": "`(cat|ls|id|whoami|curl|wget)`", "desc": "Backtick execution"},
{"id": "rce-005", "pattern": "(curl|wget)\\s+.+\\s*\\|\\s*(bash|sh)", "desc": "Remote script execution"},
{"id": "rce-006", "pattern": "\\{\\{.*\\}\\}", "desc": "Template injection (SSTI)"}
]
},
"cve_2024": {
"name": "CVE 2024-2025 Exploits",
"severity": "critical",
"enabled": true,
"patterns": [
{"id": "cve-2024-3400", "pattern": "/api/v\\d/totp/user-backup", "desc": "PAN-OS GlobalProtect RCE", "cve": "CVE-2024-3400"},
{"id": "cve-2024-21887", "pattern": "/api/v1/totp/user-backup", "desc": "Ivanti Connect Secure", "cve": "CVE-2024-21887"},
{"id": "cve-2023-46747", "pattern": "/mgmt/tm/util/bash", "desc": "F5 BIG-IP RCE", "cve": "CVE-2023-46747"},
{"id": "cve-2023-22515", "pattern": "/setup/setupadministrator.action", "desc": "Confluence RCE", "cve": "CVE-2023-22515"},
{"id": "cve-2024-1709", "pattern": "/SetupWizard\\.aspx", "desc": "ConnectWise ScreenConnect", "cve": "CVE-2024-1709"},
{"id": "cve-2024-27198", "pattern": "/app/rest/users/id:\\d+/tokens", "desc": "TeamCity auth bypass", "cve": "CVE-2024-27198"}
]
},
"scanners": {
"name": "Vulnerability Scanners",
"severity": "medium",
"enabled": true,
"patterns": [
{"id": "scan-001", "pattern": "(nikto|nmap|sqlmap|burp|zap|acunetix)", "desc": "Scanner user-agent", "check": "user-agent"},
{"id": "scan-002", "pattern": "/\\.git/config", "desc": "Git config probe"},
{"id": "scan-003", "pattern": "/\\.env", "desc": "Environment file probe"},
{"id": "scan-004", "pattern": "/(wp-login|xmlrpc)\\.php", "desc": "WordPress probe"},
{"id": "scan-005", "pattern": "/actuator/(health|info|env)", "desc": "Spring Boot actuator"},
{"id": "scan-006", "pattern": "/debug/pprof", "desc": "Go pprof debug"}
]
},
"webmail": {
"name": "Webmail Specific",
"severity": "high",
"enabled": true,
"patterns": [
{"id": "mail-001", "pattern": "\\.\\./(config|db|data)", "desc": "Roundcube path traversal"},
{"id": "mail-002", "pattern": "_action=(upload|import).*\\.(php|phtml)", "desc": "Malicious upload"},
{"id": "mail-003", "pattern": "_uid=.*['\"><>]", "desc": "XSS in mail UID"},
{"id": "mail-004", "pattern": "installer/", "desc": "Installer access attempt"},
{"id": "mail-005", "pattern": "(temp|logs)/.*\\.(php|sh|pl)", "desc": "Script in temp/logs"}
]
},
"api_abuse": {
"name": "API Abuse",
"severity": "medium",
"enabled": true,
"patterns": [
{"id": "api-001", "pattern": "/api/.*/admin", "desc": "Admin API access"},
{"id": "api-002", "pattern": "graphql.*(__schema|introspection)", "desc": "GraphQL introspection"},
{"id": "api-003", "pattern": "\\{.*\\$where.*\\}", "desc": "NoSQL injection"},
{"id": "api-004", "pattern": "jwt=.*\\.\\.\\.\\.", "desc": "JWT manipulation"}
]
},
"voip": {
"name": "VoIP/SIP Security",
"severity": "high",
"enabled": true,
"patterns": [
{"id": "voip-001", "pattern": "SIP/2\\.0.*\\r\\n.*Via:.*\\r\\n.*<sip:[^>]*;[^>]*exec", "desc": "SIP header injection", "check": "body"},
{"id": "voip-002", "pattern": "INVITE sip:.*\\$\\(|`|;", "desc": "SIP INVITE command injection"},
{"id": "voip-003", "pattern": "/ari/(channels|bridges|endpoints|recordings)/.*(\\||;|`|\\$\\()", "desc": "Asterisk ARI command injection"},
{"id": "voip-004", "pattern": "/admin/config\\.php.*(system|exec|passthru|shell_exec)", "desc": "FreePBX RCE attempt", "cve": "CVE-2019-19006"},
{"id": "voip-005", "pattern": "/recordings/misc/audio\\.php.*file=\\.\\./", "desc": "FreePBX path traversal", "cve": "CVE-2019-19006"},
{"id": "voip-006", "pattern": "Action:\\s*(originate|redirect).*Channel:.*Local/.*@", "desc": "AMI command injection via Channel"},
{"id": "voip-007", "pattern": "/cgi-bin/asterisk\\.cgi.*\\|", "desc": "Asterisk CGI injection"},
{"id": "voip-008", "pattern": "Content-Type:.*multipart.*boundary.*\\.\\./", "desc": "SIP multipart traversal"},
{"id": "voip-009", "pattern": "Digest.*uri=\".*\\.\\./", "desc": "SIP Digest auth traversal"},
{"id": "voip-010", "pattern": "SIP.*realm=\".*[<>'\"]", "desc": "SIP realm injection"},
{"id": "voip-011", "pattern": "/asterisk/rawman\\?action=", "desc": "Unauth AMI web access"},
{"id": "voip-012", "pattern": "Record-Route:.*<sip:[^>]*\\$\\{", "desc": "SIP header expression injection"}
]
},
"xmpp": {
"name": "XMPP/Jabber Security",
"severity": "high",
"enabled": true,
"patterns": [
{"id": "xmpp-001", "pattern": "<message.*<script", "desc": "XSS in XMPP message"},
{"id": "xmpp-002", "pattern": "<iq.*type=[\"']set[\"'].*<query.*xmlns=[\"']jabber:iq:register", "desc": "Open registration abuse"},
{"id": "xmpp-003", "pattern": "/http-bind.*<body.*sid=[\"'].*[<>'\"\\x00]", "desc": "BOSH session hijack"},
{"id": "xmpp-004", "pattern": "xmlns:xi=[\"']http://www.w3.org/2001/XInclude", "desc": "XXE via XInclude"},
{"id": "xmpp-005", "pattern": "<!ENTITY.*SYSTEM.*file://", "desc": "XXE in XMPP stream"},
{"id": "xmpp-006", "pattern": "/xmpp-websocket.*<stream:stream.*xmlns:.*=.*javascript:", "desc": "WebSocket XSS"},
{"id": "xmpp-007", "pattern": "<presence.*<show>.*<script", "desc": "XSS in presence"},
{"id": "xmpp-008", "pattern": "/upload.*filename=[\"'].*(php|phtml|jsp|asp)", "desc": "HTTP upload abuse"},
{"id": "xmpp-009", "pattern": "<x.*xmlns=[\"']jabber:x:oob[\"'].*<url>.*file://", "desc": "OOB file access"},
{"id": "xmpp-010", "pattern": "to=[\"'][^\"']*(@|%)00", "desc": "Null byte in JID"}
]
},
"cve_voip": {
"name": "VoIP CVE Exploits",
"severity": "critical",
"enabled": true,
"patterns": [
{"id": "cve-ast-2021-26906", "pattern": "/asterisk.*res_pjsip.*malformed.*sdp", "desc": "Asterisk PJSIP crash", "cve": "CVE-2021-26906"},
{"id": "cve-ast-2022-42705", "pattern": "Content-Length:\\s*-", "desc": "Asterisk negative CL DoS", "cve": "CVE-2022-42705"},
{"id": "cve-ast-2022-42706", "pattern": "Via:.*branch=z9hG4bK.*\\x00", "desc": "Asterisk Via header overflow", "cve": "CVE-2022-42706"},
{"id": "cve-ast-2023-37457", "pattern": "Route:.*<sip:.*;lr>\\s*,\\s*<sip:.*;lr>.*\\x00", "desc": "Asterisk Route header crash", "cve": "CVE-2023-37457"},
{"id": "cve-ast-2023-49294", "pattern": "INVITE.*m=audio.*a=rtpmap:\\d+.*\\s{1000,}", "desc": "Asterisk SDP buffer overflow", "cve": "CVE-2023-49294"},
{"id": "cve-ast-2024-35190", "pattern": "CSeq:.*[A-Z]{50,}", "desc": "Asterisk CSeq method overflow", "cve": "CVE-2024-35190"},
{"id": "cve-fpbx-2023-26566", "pattern": "/admin/ajax\\.php.*command=.*`", "desc": "FreePBX command injection", "cve": "CVE-2023-26566"},
{"id": "cve-kamailio-2020-27507", "pattern": "Via:.*received=.*\\[\\d{1000,}", "desc": "Kamailio overflow", "cve": "CVE-2020-27507"},
{"id": "cve-opensips-2023-49323", "pattern": "Contact:.*<sip:.*>;\\+sip\\.instance=.*\\x00", "desc": "OpenSIPS crash", "cve": "CVE-2023-49323"}
]
},
"cve_xmpp": {
"name": "XMPP CVE Exploits",
"severity": "critical",
"enabled": true,
"patterns": [
{"id": "cve-prosody-2021-37601", "pattern": "xmlns=[\"'].*[\"']\\s*xmlns=[\"']", "desc": "Prosody namespace confusion", "cve": "CVE-2021-37601"},
{"id": "cve-prosody-2022-0217", "pattern": "<stream:stream.*version=[\"'].*\\x00", "desc": "Prosody stream DoS", "cve": "CVE-2022-0217"},
{"id": "cve-prosody-2024-25274", "pattern": "/http-upload.*Content-Length:\\s*\\d{10,}", "desc": "Prosody upload DoS", "cve": "CVE-2024-25274"},
{"id": "cve-ejabberd-2023-29529", "pattern": "<iq.*type=[\"']get[\"'].*<query.*xmlns=[\"']http://jabber.org/protocol/disco", "desc": "ejabberd disco info leak", "cve": "CVE-2023-29529"},
{"id": "cve-conversejs-2020-25017", "pattern": "converse\\.js.*message.*<img.*onerror", "desc": "Converse.js XSS", "cve": "CVE-2020-25017"},
{"id": "cve-strophe-2022-29168", "pattern": "Strophe\\.js.*<body.*xmlns=.*\\x00", "desc": "Strophe.js parsing crash", "cve": "CVE-2022-29168"},
{"id": "cve-xmpp-2021-21351", "pattern": "XMPPframework.*<iq.*<enable.*xmlns=[\"'].*push", "desc": "XMPP push auth bypass"},
{"id": "cve-tigase-2023-39350", "pattern": "/rest/adhoc/.*sess-man.*user-add", "desc": "Tigase unauth user creation", "cve": "CVE-2023-39350"}
]
},
"router_botnet": {
"name": "Router/IoT Botnet Exploits",
"severity": "critical",
"enabled": true,
"patterns": [
{"id": "cve-2025-14528", "pattern": "/getcfg\\.php.*AUTHORIZED_GROUP", "desc": "D-Link getcfg.php credential leak", "cve": "CVE-2025-14528"},
{"id": "cve-2025-14528-srv", "pattern": "/getcfg\\.php.*SERVICES=DEVICE\\.ACCOUNT", "desc": "D-Link DEVICE.ACCOUNT enumeration", "cve": "CVE-2025-14528"},
{"id": "cve-2025-14528-nl", "pattern": "/getcfg\\.php.*(%0a|%0d|\\n|\\r)", "desc": "D-Link getcfg newline injection", "cve": "CVE-2025-14528"},
{"id": "dlink-getcfg", "pattern": "/getcfg\\.php\\?", "desc": "D-Link getcfg.php probe (botnet recon)"},
{"id": "dlink-hedwig", "pattern": "/hedwig\\.cgi", "desc": "D-Link Hedwig command injection"},
{"id": "dlink-hnap", "pattern": "/HNAP1/", "desc": "D-Link HNAP protocol abuse"},
{"id": "dlink-service", "pattern": "/service\\.cgi.*(exec|system|passthru)", "desc": "D-Link service.cgi RCE"},
{"id": "router-upnp-soap", "pattern": "/(upnp|UPnP)/.*<SOAP-ENV", "desc": "UPnP SOAP injection"},
{"id": "router-setup-cgi", "pattern": "/setup\\.cgi.*next_file=", "desc": "Router setup.cgi traversal"},
{"id": "router-goform", "pattern": "/goform/.*\\$\\(|`|;", "desc": "Router goform command injection"},
{"id": "router-cgi-bin", "pattern": "/cgi-bin/(firmwareupgrade|upgrade|syscmd|syslog)", "desc": "Router sensitive CGI access"},
{"id": "router-admin-pw", "pattern": "/userRpm/.*admin.*password", "desc": "Router admin password access"},
{"id": "tplink-cgi", "pattern": "/cgi-bin/luci.*;.*admin", "desc": "TP-Link LuCI injection"},
{"id": "netgear-cgi", "pattern": "/cgi-bin/.*setup\\.cgi.*syscmd", "desc": "Netgear setup.cgi command exec"},
{"id": "asus-infosvr", "pattern": "/(infosvr|apply\\.cgi).*action_mode", "desc": "ASUS router command exec"},
{"id": "mirai-scan", "pattern": "User-Agent:.*(Mirai|Hajime|Mozi|BotenaGo)", "desc": "Mirai-variant botnet scanner", "check": "user-agent"},
{"id": "router-telnet-enable", "pattern": "/(syscmd|system_cmd).*telnetd", "desc": "Router telnet enable attempt"},
{"id": "router-wget-inject", "pattern": "/(setup|apply|cmd).*wget.*\\|", "desc": "Router wget payload injection"},
{"id": "zyxel-zhttpd", "pattern": "/cgi-bin/zhttpd/.*shell", "desc": "Zyxel zhttpd shell injection"}
]
}
}
}
Reference in New Issue View Git Blame Copy Permalink