crash.software
Projects
Pull Requests
Issues
Builds
afrog
Code
Files
Commits
Branches
Tags
Pull Requests
Code Comments
Code Compare
Issues
Builds
Statistics
Child Projects
cra.sh
RESTful API
Projects STRLCPY afrog Commits 8c2425c3
🤬
  • ■ ■ ■ ■ ■ ■
    afrog-pocs/vulnerability/grafana-file-read.yml
    1 1  id: grafana-file-read
    2 2   
    3 3  info:
    4  - name: grafana-default-password
    5  - author: For3stCo1d (https://github.com/For3stCo1d)
     4 + name: Grafana v8.x Arbitrary File Read
     5 + author: zan8in
    6 6   severity: high
    7 7   description: |
    8 8   app="Grafana_Labs-公司产品"
    skipped 16 lines
  • ■ ■ ■ ■ ■
    pkg/core/celprogram.go
    skipped 448 lines
    449 449   req, _ := http.NewRequest("GET", urlStr, nil)
    450 450   
    451 451   time.Sleep(time.Second * time.Duration(timeout))
     452 + // fmt.Println(sub)
    452 453   
    453 454   redirectsCount := 0
    454 455   for {
    455 456   resp, err := FastClientReverse.SampleHTTPRequest(req)
    456 457   if err != nil {
     458 + // fmt.Println("rediSampleHTTPRequest", err.Error())
    457 459   log.Log().Error(err.Error())
    458 460   return false
    459 461   }
    460 462   
    461 463   if !bytes.Contains(resp.Body, []byte(`"data": []`)) && bytes.Contains(resp.Body, []byte(`{"code": 200`)) { // api返回结果不为空
     464 + // fmt.Println(string(resp.Body))
    462 465   return true
    463 466   }
    464 467   
    465 468   if bytes.Contains(resp.Body, []byte(`<title>503`)) { // api返回结果不为空
    466 469   redirectsCount++
     470 + // fmt.Println("redirectsCount++", redirectsCount)
    467 471   if redirectsCount > 1 {
    468 472   return false
    469 473   }
    470 474   utils.RandSleep(500)
    471 475   continue
    472 476   }
    473  - 
     477 + // fmt.Println(string(resp.Body))
    474 478   return false
    475 479   }
    476 480  }
    skipped 1 lines
  • ■ ■ ■ ■ ■
    pkg/core/checker.go
    skipped 4 lines
    5 5   "net/http"
    6 6   "net/url"
    7 7   "strings"
    8  - "sync"
    9 8   
    10 9   "github.com/google/cel-go/checker/decls"
    11 10   "github.com/zan8in/afrog/pkg/config"
    skipped 6 lines
    18 17  )
    19 18   
    20 19  type Checker struct {
    21  - Options *sync.Pool
    22  - Target *sync.Pool
    23  - PocItem *sync.Pool
    24  - PocHandler *sync.Pool
    25  - OriginalRequest *sync.Pool
    26  - VariableMap *sync.Pool
    27  - Result *sync.Pool
    28  - CustomLib *sync.Pool
    29  - FastClient *sync.Pool
     20 + Options *config.Options
     21 + OriginalRequest *http.Request
     22 + VariableMap map[string]interface{}
     23 + Result *Result
     24 + CustomLib *CustomLib
     25 + FastClient *http2.FastClient
    30 26  }
    31 27   
    32 28  var ReverseCeyeApiKey string
    33 29  var ReverseCeyeDomain string
    34 30   
    35  -func NewChecker(options *config.Options, target string, pocItem poc.Poc) *Checker {
    36  - ReverseCeyeApiKey = options.Config.Reverse.Ceye.ApiKey
    37  - ReverseCeyeDomain = options.Config.Reverse.Ceye.Domain
    38  - 
    39  - if len(ReverseCeyeApiKey) == 0 || len(ReverseCeyeDomain) == 0 {
    40  - log.Log().Error("Rerverse CeyeApiKey or CeyeDomain is Empty.")
    41  - return nil
    42  - }
    43  - 
    44  - return &Checker{
    45  - Options: &sync.Pool{
    46  - New: func() interface{} {
    47  - return options
    48  - },
    49  - },
    50  - Target: &sync.Pool{
    51  - New: func() interface{} {
    52  - return target
    53  - },
    54  - },
    55  - PocItem: &sync.Pool{
    56  - New: func() interface{} {
    57  - return &pocItem
    58  - },
    59  - },
    60  - PocHandler: &sync.Pool{
    61  - New: func() interface{} {
    62  - pocHandler := ""
    63  - if strings.Contains(pocItem.Expression, "&&") && !strings.Contains(pocItem.Expression, "||") {
    64  - pocHandler = poc.ALLAND
    65  - }
    66  - if strings.Contains(pocItem.Expression, "||") && !strings.Contains(pocItem.Expression, "&&") {
    67  - pocHandler = poc.ALLOR
    68  - }
    69  - return pocHandler
    70  - },
    71  - },
    72  - OriginalRequest: &sync.Pool{
    73  - New: func() interface{} {
    74  - return &http.Request{}
    75  - },
    76  - },
    77  - VariableMap: &sync.Pool{
    78  - New: func() interface{} {
    79  - return make(map[string]interface{})
    80  - },
    81  - },
    82  - Result: &sync.Pool{
    83  - New: func() interface{} {
    84  - return &Result{
    85  - Target: target,
    86  - PocInfo: &pocItem,
    87  - Output: options.Output,
    88  - }
    89  - },
    90  - },
    91  - CustomLib: &sync.Pool{
    92  - New: func() interface{} {
    93  - return NewCustomLib()
    94  - },
    95  - },
    96  - FastClient: &sync.Pool{
    97  - New: func() interface{} {
    98  - return &http2.FastClient{}
    99  - },
    100  - },
    101  - }
    102  -}
    103  - 
    104  -func (c *Checker) ReleaseVariableMap(vmap map[string]interface{}) {
    105  - if vmap != nil {
    106  - vmap = nil
    107  - c.VariableMap.Put(vmap)
    108  - }
    109  -}
    110  - 
    111  -func (c *Checker) ReleaseTarget(r string) {
    112  - if len(r) > 0 {
    113  - r = ""
    114  - c.Target.Put(r)
    115  - }
    116  -}
    117  - 
    118  -func (c *Checker) ReleaseHandler(h string) {
    119  - if len(h) > 0 {
    120  - h = ""
    121  - c.Target.Put(h)
    122  - }
    123  -}
    124  - 
    125  -func (c *Checker) ReleaseOriginalRequest(o *http.Request) {
    126  - if o != nil {
    127  - *o = http.Request{}
    128  - c.OriginalRequest.Put(o)
    129  - }
    130  -}
    131  - 
    132 31  var FastClientReverse *http2.FastClient // 用于 reverse http client
    133 32   
    134  -func (c *Checker) Check() (err error) {
     33 +func (c *Checker) Check(target string, pocItem poc.Poc) (err error) {
    135 34   
    136  - options := c.Options.Get().(*config.Options)
    137  - defer c.Options.Put(options)
     35 + options := c.Options
    138 36   
    139  - fc := c.FastClient.Get().(*http2.FastClient)
     37 + ReverseCeyeApiKey = options.Config.Reverse.Ceye.ApiKey
     38 + ReverseCeyeDomain = options.Config.Reverse.Ceye.Domain
     39 + 
     40 + fc := c.FastClient
    140 41   fc.Client = http2.New(options)
    141 42   fc.DialTimeout = options.Config.ConfigHttp.DialTimeout
    142  - defer c.FastClient.Put(fc)
    143  - defer fc.Reset()
    144 43   
    145  - variableMap := c.VariableMap.Get().(map[string]interface{})
    146  - defer c.ReleaseVariableMap(variableMap)
    147  - 
    148  - target := c.Target.Get().(string)
    149  - defer c.ReleaseTarget(target)
    150  - 
    151  - pocItem := c.PocItem.Get().(*poc.Poc)
    152  - defer c.PocItem.Put(pocItem)
    153  - defer pocItem.Reset()
     44 + variableMap := c.VariableMap
    154 45   
    155  - result := c.Result.Get().(*Result)
    156  - defer c.Result.Put(result)
    157  - defer result.Reset()
     46 + result := c.Result
     47 + result.Target = target
     48 + result.PocInfo = &pocItem
    158 49   
    159  - customLib := c.CustomLib.Get().(*CustomLib)
    160  - defer c.CustomLib.Put(customLib)
    161  - defer customLib.Reset()
     50 + customLib := c.CustomLib
    162 51   
    163  - originalRequest := c.OriginalRequest.Get().(*http.Request)
    164  - defer c.ReleaseOriginalRequest(originalRequest)
     52 + originalRequest := c.OriginalRequest
    165 53   
    166  - pocHandler := c.PocHandler.Get().(string)
    167  - defer c.ReleaseHandler(pocHandler)
     54 + pocHandler := ""
     55 + if strings.Contains(pocItem.Expression, "&&") && !strings.Contains(pocItem.Expression, "||") {
     56 + pocHandler = poc.ALLAND
     57 + }
     58 + if strings.Contains(pocItem.Expression, "||") && !strings.Contains(pocItem.Expression, "&&") {
     59 + pocHandler = poc.ALLOR
     60 + }
    168 61   
    169 62   // update request variablemap
    170  - tempRequest := http2.AcquireProtoRequestPool()
    171  - defer http2.ReleaseProtoRequestPool(tempRequest)
     63 + // tempRequest := http2.AcquireProtoRequestPool()
     64 + // defer http2.ReleaseProtoRequestPool(tempRequest)
    172 65   if pocItem.Transport != "tcp" && pocItem.Transport != "udp" {
    173 66   if !strings.HasPrefix(target, "http://") && !strings.HasPrefix(target, "https://") {
    174 67   target = "http://" + target
    skipped 8 lines
    183 76   return err
    184 77   }
    185 78   
    186  - tempRequest, err = http2.ParseRequest(originalRequest)
     79 + tempRequest, err := http2.ParseRequest(originalRequest)
     80 + variableMap["request"] = tempRequest
     81 + 
    187 82   if err != nil {
    188 83   log.Log().Error(fmt.Sprintf("ParseRequest err, %s", err.Error()))
    189 84   result.IsVul = false
    skipped 8 lines
    198 93   originalRequest.Header.Set("User-Agent", utils.RandomUA())
    199 94   }
    200 95   }
    201  - variableMap["request"] = tempRequest
    202 96   
    203 97   // update set cel and variablemap
    204 98   if len(pocItem.Set) > 0 {
    skipped 103 lines
    308 202   customLib.UpdateCompileOption(key, decls.NewObjectType("proto.Reverse"))
    309 203   
    310 204   // if reverse(),initilize a fasthttpclient
    311  - FastClientReverse = c.FastClient.Get().(*http2.FastClient)
    312  - FastClientReverse.DialTimeout = c.Options.Get().(*config.Options).Config.ConfigHttp.DialTimeout
    313  - FastClientReverse.Client = http2.New(c.Options.Get().(*config.Options))
     205 + FastClientReverse = c.FastClient
     206 + FastClientReverse.DialTimeout = c.Options.Config.ConfigHttp.DialTimeout
     207 + FastClientReverse.Client = http2.New(c.Options)
    314 208   continue
    315 209   }
    316 210   
    skipped 35 lines
  • ■ ■ ■ ■ ■ ■
    pkg/core/engine.go
    1 1  package core
    2 2   
    3 3  import (
     4 + "net/http"
     5 + "sync"
     6 + 
    4 7   "github.com/zan8in/afrog/pkg/config"
     8 + http2 "github.com/zan8in/afrog/pkg/protocols/http"
    5 9  )
     10 + 
     11 +var CheckerPool = sync.Pool{
     12 + New: func() interface{} {
     13 + return &Checker{
     14 + Options: &config.Options{},
     15 + OriginalRequest: &http.Request{},
     16 + VariableMap: make(map[string]interface{}),
     17 + Result: &Result{},
     18 + CustomLib: NewCustomLib(),
     19 + FastClient: &http2.FastClient{},
     20 + }
     21 + },
     22 +}
     23 + 
     24 +func (e *Engine) AcquireChecker() *Checker {
     25 + c := CheckerPool.Get().(*Checker)
     26 + c.Options = e.options
     27 + c.Result.Output = e.options.Output
     28 + return c
     29 +}
     30 + 
     31 +func (e *Engine) ReleaseChecker(c *Checker) {
     32 + *c.OriginalRequest = http.Request{}
     33 + c.VariableMap = make(map[string]interface{})
     34 + c.Result = &Result{}
     35 + c.CustomLib = NewCustomLib()
     36 + c.FastClient = &http2.FastClient{}
     37 + CheckerPool.Put(c)
     38 +}
    6 39   
    7 40  type Engine struct {
    8 41   workPool *WorkPool
    skipped 17 lines
  • ■ ■ ■ ■ ■ ■
    pkg/core/excute.go
    skipped 54 lines
    55 55  }
    56 56   
    57 57  func (e *Engine) executeExpression(target string, poc poc.Poc) {
    58  - defer func() {
    59  - if r := recover(); r != nil {
    60  - log.Log().Error("gorutine recover() error from pkg/core/exccute/executeExpression")
    61  - }
    62  - }()
     58 + // defer func() {
     59 + // if r := recover(); r != nil {
     60 + // log.Log().Error("gorutine recover() error from pkg/core/exccute/executeExpression")
     61 + // }
     62 + // }()
    63 63   
    64  - c := NewChecker(e.options, target, poc)
    65  - if err := c.Check(); err != nil {
     64 + // c := NewChecker(e.options, target, poc)
     65 + c := e.AcquireChecker()
     66 + defer e.ReleaseChecker(c)
     67 + if err := c.Check(target, poc); err != nil {
    66 68   log.Log().Error(err.Error())
    67 69   }
    68 70  }
    skipped 1 lines
Please wait...
Page is in error, reload to recover