Share
## https://sploitus.com/exploit?id=C3BC4E0E-8322-518E-B85A-672D1F0E14BE
# CVE-2023-27997 (XORtigate) Detection System

ู†ุธุงู… ุขู„ูŠ ู„ู„ูƒุดู ุนู† ุงู„ุฃุฌู‡ุฒุฉ ุงู„ู…ุนุฑุถุฉ ู„ุซุบุฑุฉ **CVE-2023-27997** ููŠ Fortinet FortiGate/FortiProxy SSL-VPNุŒ ูŠุนู…ู„ ุจุงู„ูƒุงู…ู„ ุนู„ู‰ **GitHub Actions**.

---

## ๐Ÿ” ุงู„ู…ู†ู‡ุฌูŠุฉ (Pipeline)

```
subdomains.txt
    โ†“
[1] DNS Resolution (dnsx) โ€” ุนุฒู„ ุงู„ู†ุทุงู‚ุงุช ุงู„ุญูŠุฉ
    โ†“
[2] HTTP Probing (httpx) โ€” ูุญุต ุงู„ู…ู†ุงูุฐ 80,443,10443,8443,4443,11443
    โ†“
[3] Fortinet Fingerprinting
    โ€ข Favicon MurmurHash3 = 945408572
    โ€ข Cookies: SVPNCOOKIE / SVPNTMPCOOKIE
    โ€ข Body: "var fgt_lang"
    โ†“
[4] Vulnerability Check (Patch Diffing)
    GET /remote/fgt_lang?lang=en
    ุบูŠุงุจ "confirm_pkg_upgrade_invalid_signature" โ†’ VULNERABLE โš ๏ธ
```

---

## ๐Ÿ“ ู‡ูŠูƒู„ ุงู„ู…ุดุฑูˆุน

```
โ”œโ”€โ”€ .github/workflows/
โ”‚   โ”œโ”€โ”€ scan_batch.yml      # workflow ู„ูƒู„ batch (500 ู†ุทุงู‚)
โ”‚   โ””โ”€โ”€ trigger_all.yml     # ุงู„ู…ู†ุณู‚ ุงู„ุฑุฆูŠุณูŠ
โ”œโ”€โ”€ scripts/
โ”‚   โ”œโ”€โ”€ check_fortinet.py   # ุงู„ูุญุต ุงู„ูƒุงู…ู„
โ”‚   โ”œโ”€โ”€ prepare_batches.py  # ุชู‚ุณูŠู… batches
โ”‚   โ””โ”€โ”€ install_tools.sh    # ุชุซุจูŠุช httpx/dnsx
โ”œโ”€โ”€ targets/                # ู…ู„ูุงุช ุงู„ู€ subdomains
โ””โ”€โ”€ results/                # ู†ุชุงุฆุฌ ุงู„ูุญุต (CSV)
```

---

## ๐Ÿš€ ุงู„ุงุณุชุฎุฏุงู…

### ุงู„ุฅุนุฏุงุฏ ุงู„ุฃูˆู„ูŠ

1. ุฃุถู ุงู„ู€ Target files ููŠ ู…ุฌู„ุฏ `targets/`
2. ุฃุถู secret: `GH_PAT` = GitHub Personal Access Token (ููŠ Settings โ†’ Secrets)

### ุชุดุบูŠู„ ุงู„ูุญุต

**Actions โ†’ "CVE-2023-27997 Full Scanner Orchestrator" โ†’ Run workflow**

| ุงู„ู…ุฏุฎู„ | ุงู„ูˆุตู | ุงู„ุงูุชุฑุงุถูŠ |
|--------|-------|-----------|
| `target_file` | ุงู„ู…ู„ู ุงู„ู…ุณุชู‡ุฏู | `t-systems.com.txt` |
| `batch_size` | ู†ุทุงู‚ุงุช ู„ูƒู„ batch | `500` |
| `start_from_batch` | ุงุณุชุฆู†ุงู ู…ู† batch ู…ุญุฏุฏ | `1` |

---

## ๐Ÿ“Š ุงู„ู†ุชุงุฆุฌ

ุชูุญูุธ ููŠ `results/{target_name}/`:
- `batch_N_start_X.csv` โ€” ู†ุชุงุฆุฌ Fortinet ูƒุงู…ู„ุฉ
- `all_active_batch_N.csv` โ€” ุฌู…ูŠุน ุงู„ุฎูˆุงุฏู… ุงู„ู†ุดุทุฉ
- `summary.md` โ€” ู…ู„ุฎุต ูƒู„ batch
- `GLOBAL_SUMMARY.md` โ€” ุงู„ู…ู„ุฎุต ุงู„ุฅุฌู…ุงู„ูŠ

**ุฃุนู…ุฏุฉ CSV ุงู„ู†ุชุงุฆุฌ:**
| ุงู„ุนู…ูˆุฏ | ุงู„ูˆุตู |
|--------|-------|
| `domain` | ุงู„ู†ุทุงู‚ |
| `url` | ุงู„ู€ URL ุงู„ูƒุงู…ู„ |
| `port` | ุงู„ู…ู†ูุฐ |
| `is_fortinet` | ู‡ู„ ู‡ูˆ FortinetุŸ |
| `is_vulnerable` | ู‡ู„ ูŠุญู…ู„ ุงู„ุซุบุฑุฉุŸ |
| `vuln_status` | `vulnerable` / `patched` / `unknown` |
| `patch_indicator` | ู‡ู„ ูˆูุฌุฏ ู…ุคุดุฑ ุงู„ุชุฑู‚ูŠุน? |

---

## โฑ๏ธ ุงู„ุชูˆู‚ูŠุช ุงู„ู…ุชูˆู‚ุน

| ุงู„ู…ู„ู | ุงู„ุญุฌู… | ุนุฏุฏ ุงู„ู€ batches |
|-------|-------|----------------|
| t-systems.com.txt | ~2,900 | ~6 batches |
| telekom.com.txt | ~2,500 | ~5 batches |
| telekom.de.txt | ~50,000 | ~100 batches |
| telekom.net.txt | ~2,500 | ~5 batches |
| att.com.txt | ~500,000 | ~1,000 batches |

---

## โš ๏ธ ุชู†ุจูŠู‡ ู‚ุงู†ูˆู†ูŠ

ู‡ุฐุง ุงู„ู†ุธุงู… ู…ุฎุตุต ู„ู„ุงุณุชุฎุฏุงู… ุถู…ู† ู†ุทุงู‚ ุจุฑุงู…ุฌ Bug Bounty ุงู„ู…ุฑุฎุตุฉ ูู‚ุท.