
Releases: zan8in/afrog

v2.5.2

07 Jun 08:35

Add:
Command -mrbs: dynamically set the maximum size of the HTTP response body (default 2m)

Remove:
PoC shiro-key-detect

v2.5.1

22 May 09:05

Add
Write TCP/UDP PoC files using YAML
Invoke PoC files written in Go from YAML
The Shiro Key detection script checks 20 keys by default

Optimization
Fix the path error that occurred when updating the program with the -update command
Improve the console prompt messages
Disable the -up command; the update now runs automatically
Change the notification level for an unconfigured reverse connection platform to Info
Target access is not monitored by default; enable it with the -monitor-targets or -mt command
Remove duplicate PoC: hikvision-applyct-fastjson-rce

v2.3.2

14 May 02:29

Add:

  • Command -json or -j: write the vulnerability results to a JSON file, without the request and response content.
  • Command -json-all or -ja: write the vulnerability results to a JSON file, including the request and response content.
  • The "disable-output-html" command prevents the automatic generation of an HTML report; it takes priority over the "-o" command.
  • The PoC script info section gains three fields: affected, solutions, and created.

Optimization:

  • Removed duplicate PoC: springboot-env-unauth
  • Improved the -up command prompt shown during an update operation, which was not friendly enough
  • Scan in order of increasing security risk level (from low to high)
  • Improved url.path encoding handling

v2.3.1

05 May 03:21

Urgent update:

BUG:

  • Fix the version check that made afrog unusable on an intranet

Added:

  • Command -disable-update-check / -duc: disable the automatic update check

Changed:

  • update-poc now runs automatically; to disable this, use the -duc command

v2.3.0

02 May 11:06

Added:

  • Command -poc-detail / -pd: view PoC details (full file name; the suffix is optional)
  • Command -monitor-targets / -mt: monitor target survival in real time during scanning, enabled by default

Optimization:

  • Command -poc-list / -pl: view the PoC list (file name, vulnerability name, vulnerability level and author)

Release 2.2.2 Zhang Jike, I advise you to be kind

05 Apr 10:31

Bug:

  • Fix an XSS vulnerability in the afrog HTML report

Optimization:

  • Simplified the URL blacklist mechanism
  • Optimized the http/s detection function
  • Optimized all file upload PoCs
  • Optimized all RCE PoCs

Delete:

  • Removed fingerprint recognition and its command parameters (replacement tool: pyxis)
  • Removed uncommon command parameters

PoC:

  • Added 52 PoCs
  • Validated and optimized many PoCs
  • Removed PoC csz-cms-multiple-blind-sql-injection
  • Removed PoC phpstudy-nginx-wrong-resolve
  • Built in several private PoCs

Release 2.2.1 The Wandering Earth II

04 Feb 14:54

Merged multiple panel fingerprint PoCs into the panel-detect.yaml file, greatly reducing the number of HTTP requests
Console date format shortened: 2023-01-01 is now printed as 01-01
Simplified the afrog-config configuration

Fixed: the -fc command configuration had no effect
Tip: configuring the -c command can noticeably increase scan speed

v2.2.0 Bright Future

06 Jan 10:04

Added optional -onlyfinger / -of option for fingerprint-only scans
Added CEL functions year, shortyear, month, day and timestamp_second, e.g. tongda-oa-api-ali-upload.yaml
Added Boolean attribute verified (default false; true for a verified PoC)
Added rule attribute expressions, so a single request can verify multiple rules

v2.1.1 I wanna be one of the great.

21 Dec 09:25
  • Fixed a bug with high false positives in fingerprint
  • Added optional -json option to write output in JSON format, e.g. -json result.json

2.1.0 Lost in your uniqueness even though we are all ordinary.

12 Dec 01:09
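  • Added -update to update the afrog engine to the latest released version
  • Added -proxy to use a list of http/socks5 proxies (comma-separated or file input)
  • Added parameters including -rate-limit, concurrency, fingerprint-concurrency, max-host-error, retries and timeout
  • Fixed a bug where URLs in the HTML report were inaccurate (when multiple request records are returned)
  • Improved the banner display (modeled on nuclei)
  • Disabled the GoPoc feature (temporarily)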