Add vpatch-CVE-2024-3605 rule and test

[crowdsec-automation]

This rule targets SQL injection attempts in the WP Hotel Booking plugin's /wp-json/wphb/v1/rooms/search-rooms REST API endpoint, specifically focusing on the room_type parameter. The detection logic is as follows:

• The first condition matches requests to the vulnerable endpoint by checking if the URI contains /wp-json/wphb/v1/rooms/search-rooms, using both lowercase and urldecode transforms to ensure normalization and case insensitivity.
• The second condition inspects the room_type argument in the query string for the presence of a double quote ("), which is a common SQL injection metacharacter and is present in the exploit payload (room_type=1%22%29%20OR%20SLEEP...). Again, lowercase and urldecode are applied for normalization.
• The rule avoids matching on full payloads or SQL keywords, focusing instead on the presence of SQL metacharacters in the relevant parameter, as per best practices for SQLi detection.
• The labels section includes the correct CVE, ATT&CK, and CWE references, and the product/vuln class label is formatted as required.

The test config and nuclei template are adapted to ensure the rule is triggered by a request containing the SQLi payload in the room_type parameter, expecting a 403 response from the WAF. All value: fields are lowercase, and all transforms include lowercase where applicable. The rule uses contains for matching, not regex, as per guidelines.

[github-actions]

Hello @crowdsec-automation and thank you for your contribution!

❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

🔴 crowdsecurity/vpatch-CVE-2024-3605 🔴

[github-actions]

Hello @crowdsec-automation and thank you for your contribution!

I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information.
I've found some errors in your scenarios, please fix them and re-submit your PR, or ask for help if you need it.

The following items have errors:

crowdsecurity/crs-exclusion-plugin-cpanel:

• labels not found

crowdsecurity/crs-exclusion-plugin-dokuwiki:

• labels not found

crowdsecurity/crs-exclusion-plugin-drupal:

• labels not found

crowdsecurity/crs-exclusion-plugin-nextcloud:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpbb:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpmyadmin:

• labels not found

crowdsecurity/crs-exclusion-plugin-wordpress:

• labels not found

crowdsecurity/crs-exclusion-plugin-xenforo:

• labels not found

Mitre ATT&CK

Information about mitre attack can be found here.
As an example, some common mitre attack techniques:

• T1110 for bruteforce attacks
• T1595 and T1190 for exploitation of public vulnerabilities
• T1595 for generic scanning of exposed applications

Expected format is (where XXXX is the technique ID):

labels:
  classification:
    - attack.TXXXX

CVEs

If your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it.

Expected format is (where CVE-XXX-XXX is the CVE ID):

labels:
  classification:
    - cve.CVE-XXX-XXX

Behaviors

Please identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here.

Expected format is (where <behavior> is the behavior you want to target):

labels:
  behavior: <behavior>

See the labels documentation for more information.