A Security Tool for Bug Bounty, Pentest and Red Teaming.
Fixed a bug that broke the -ap option on Linux: every path passed to it was converted to lowercase, so the specified PoC paths could not be found.
```shell
-header '"Cookie: PHPSESSION=xxxxx","Authorization: yyyyyyyyyy","Token: zzzzz"'
```
Added the -config parameter, which sets the directory that afrog-config.yaml is read from. Note that -config is not remembered between runs: it has to be passed on every scan, otherwise afrog falls back to the afrog-config.yaml at the default location.
```yaml
id: oob-demo

set:
  oob: oob()
  oobHTTP: oob.HTTP   # http://xxxxxx.dnslog.cn
  oobDNS: oob.DNS     # xxxxxx.dnslog.cn
rules:
  r0:
    request:
      method: GET
      path: /?url={{oobHTTP}}
    expression: oobCheck(oob, oob.ProtocolHTTP, 3)
  r1:
    request:
      method: POST
      path: /test
      body: cmd=ping+{{oobDNS}}
    expression: oobCheck(oob, oob.ProtocolDNS, 3)
expression: r0() || r1()
```
oob(): declares an oob object (one unique callback token for this PoC run).
oobHTTP: the HTTP callback address for that token, e.g. http://xxxxxx.dnslog.cn/
oobDNS: the DNS callback name for that token, e.g. xxxxxx.dnslog.cn
oobCheck(oob, oob.ProtocolDNS, 3): checks whether the callback arrived. Argument 1 is the oob object, argument 2 is the protocol to check (oob.ProtocolHTTP or oob.ProtocolDNS), and argument 3 is the delay in seconds to wait before querying the reverse-connection platform, since a target may only reach out after the request has been processed.
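The following Go program is an added illustration of what oob()/oobCheck() do under the hood; it is not afrog's code and does not use afrog's API. It assumes a placeholder wildcard callback domain (oob.example.test) and replaces the real reverse-connection platform with an in-process collector fed by an httptest server, so it runs offline. The r0 rule above is played end to end: a simulated SSRF target fetches the injected URL, the collector attributes the hit to the token in the Host header, and the check succeeds for HTTP but times out for DNS because nothing ever resolved oobDNS.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
	"time"
)

// Protocol names the callback channel a rule waits for (cf. oob.ProtocolHTTP / oob.ProtocolDNS).
type Protocol string

const (
	ProtocolHTTP Protocol = "http"
	ProtocolDNS  Protocol = "dns"
)

// OOB is one out-of-band probe: a unique token plus the two callback
// addresses a PoC interpolates as {{oobHTTP}} and {{oobDNS}}.
type OOB struct {
	Token string
	HTTP  string // http://<token>.<domain>/
	DNS   string // <token>.<domain>
}

// Collector stands in for the reverse-connection platform: it records
// which token was seen over which protocol.
type Collector struct {
	mu   sync.Mutex
	seen map[string]map[Protocol]bool
}

func NewCollector() *Collector { return &Collector{seen: map[string]map[Protocol]bool{}} }

func (c *Collector) Record(token string, p Protocol) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.seen[token] == nil {
		c.seen[token] = map[Protocol]bool{}
	}
	c.seen[token][p] = true
}

func (c *Collector) Seen(token string, p Protocol) bool {
	c.mu.Lock()
	defer c.mu.Unlock()
	return c.seen[token][p]
}

// Handler is the HTTP side of the collector: the token is the leftmost DNS label
// of the Host header, which is how a wildcard callback domain attributes hits.
func (c *Collector) Handler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if t := TokenFromHost(r.Host); t != "" {
			c.Record(t, ProtocolHTTP)
		}
		w.WriteHeader(http.StatusOK)
	})
}

// TokenFromHost returns the leftmost label of "tok.domain[:port]", or "" if there is none.
func TokenFromHost(host string) string {
	if i := strings.LastIndex(host, ":"); i >= 0 {
		host = host[:i]
	}
	labels := strings.Split(host, ".")
	if len(labels) < 2 || labels[0] == "" {
		return ""
	}
	return labels[0]
}

// NewOOB allocates a fresh random token so each rule's callback is attributable.
func NewOOB(domain string) OOB {
	b := make([]byte, 6)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	t := hex.EncodeToString(b)
	return OOB{Token: t, HTTP: "http://" + t + "." + domain + "/", DNS: t + "." + domain}
}

// OOBCheck is the verification step: poll the collector for up to timeoutSec
// seconds and report whether the token was seen over protocol p.
func OOBCheck(c *Collector, o OOB, p Protocol, timeoutSec int) bool {
	deadline := time.Now().Add(time.Duration(timeoutSec) * time.Second)
	for {
		if c.Seen(o.Token, p) {
			return true
		}
		if time.Now().After(deadline) {
			return false
		}
		time.Sleep(100 * time.Millisecond)
	}
}

// Demo plays rule r0 against a simulated SSRF target that fetches the injected URL.
// Returns (http callback seen, dns callback seen): expected (true, false).
func Demo() (httpHit, dnsHit bool) {
	col := NewCollector()
	srv := httptest.NewServer(col.Handler())
	defer srv.Close()
	o := NewOOB("oob.example.test") // placeholder domain, not a real platform
	req, _ := http.NewRequest(http.MethodGet, srv.URL+"/", nil)
	req.Host = o.DNS // the token subdomain reaches the collector in the Host header
	if resp, err := http.DefaultClient.Do(req); err == nil {
		resp.Body.Close()
	}
	return OOBCheck(col, o, ProtocolHTTP, 3), OOBCheck(col, o, ProtocolDNS, 1)
}

func main() {
	h, d := Demo()
	fmt.Printf("http callback: %v, dns callback: %v\n", h, d)
}
```

The per-token design is the point: because every oob() call gets its own random label, a hit on the platform can be tied back to one rule and one target even when many PoCs are running in parallel, which a shared static callback domain could not do.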
```shell
afrog -t example.com -oob dnslogcn   # use dnslog.cn
afrog -t example.com -oob alphalog   # use alphalog; requires a self-hosted callback server
afrog -t example.com -oob xray       # use the xray reverse platform; requires a self-hosted callback server
afrog -t example.com                 # defaults to ceye.io
```
With this release, the newReverse() method in every historical PoC has been migrated to the new oob() method. To keep compatibility and full functionality we strongly recommend upgrading to version 3.0.1 as soon as possible; later versions may no longer support the old reverse-connection mechanism.
The new oob() feature requires changes to the afrog-config.yaml configuration file. The file is created automatically at c:/users/yourname/.config/afrog/afrog-config.yaml on Windows and at ~/.config/afrog/afrog-config.yaml on Linux.
The afrog-config.yaml layout is as follows:
```yaml
server: :16868
reverse:
  ceye:
    api-key: "your ceye api key"
    domain: "your ceye"
  dnslogcn:
    domain: dnslog.cn
  jndi:
    jndi_address: ""
    ldap_port: ""
    api_port: ""
  eye:
    host: ""
    token: ""
    domain: ""
  alphalog:
    domain: yourdnslog.sh
    api_url: "http://yourdnslog.sh/"
  xray:
    x_token: "xraytest"
    domain: dnslogus.top
    api_url: "http://x.1x.0.xx:8777"
webhook:
  dingtalk:
    tokens:
      - ""
    at_mobiles:
      - ""
    at_all: false
    range: high,critical
cyberspace:
  zoom_eyes:
    - ""
```
[BUG] Fixed a bug in the proxy option: when HTTPS requests were sent through an HTTP proxy, the connection was aborted with "user canceled" and afrog never received the response.
[New] Added the ysoserial function for generating Java deserialization payloads. For example, a payload for DNSLog verification can be generated with ysoserial("URLDNS", reverseHost, "base64"). For detailed usage see the PoCs CVE-2023-49070 and CVE-2021-29200. [New] Added the aesCBC function; for detailed usage see the PoC CVE-2023-20888.
PoC count: 1286
[Optimization] Adjusted the priority of reverse-connection platforms: a self-hosted Eye platform now takes precedence, then Ceye, and finally eyes.sh. [Optimization] A fancier progress bar. It looks flashy; in practice it is not much use.
[Optimization] TCP PoC verification can now return the response as hex as well: response.raw holds the raw packet, while response.body holds the hex-decoded packet. [PoC] count: 1266
[New] Added the -cyberspace / -cs cyberspace search engine option, currently supporting ZoomEye. Example: -cs zoomeye -q "app:'Yonyou NC httpd'" -qc 200 (the -q query is passed to ZoomEye and -qc limits the number of results). See the wiki for details. [Optimization] Severity of the GitLab public snippets PoC changed from INFO to HIGH.