Releases: zan8in/afrog
v2.5.2
v2.5.1
Add
Writing TCP/UDP POC files using YAML
Calling Go-language POC files from YAML
The Shiro Key detection script by default checks 20 keys.
Optimization
Resolve the path error issue during program updates with the "-update" command.
Enhance the console prompt messages
Disable the "-up" command and switch to automatic execution.
Change the notification level for the unconfigured reverse connection platform to Info
By default, target access is not monitored. Please enable it using the "-monitor-targets" or "-mt" command
Remove duplicate PoC: hikvision-applyct-fastjson-rce
v2.3.2
Add:
- The -json or -j option writes the vulnerability results to a JSON file, not including the request and response content.
- The -json-all or -ja option writes the vulnerability results to a JSON file, including the request and response content.
- The "disable-output-html" command can be used to prevent the automatic generation of an HTML report, and its priority is higher than the "-o" command.
- The PoC script info section adds three fields: affected, solutions, and created
Optimization:
- Duplicated PoC removed: springboot-env-unauth
- When performing an update operation, the -up command prompt was not friendly enough
- Scan in order of increasing security risk level (from low to high)
- Improve url.path encoding handling
v2.3.1
Urgent update:
BUG:
- Fix the version check making afrog unusable on an intranet
Added:
- Command -disable-update-check / -duc: disable the automatic update check
Revised:
- update-poc is now executed automatically; to disable this function, use the -duc command
v2.3.0
Added:
- Command -poc-detail / -pd, view poc details (full file name; the suffix may be omitted)
- Command -monitor-targets / -mt, monitor target survival in real time during scanning, enabled by default
Optimization:
- Command -poc-list / -pl, view poc list (file name, vulnerability name, vulnerability level and author)
Release 2.2.2 Zhang Jike, I advise you to be kind
bug:
- Fix afrog html report XSS vulnerability
optimization:
- Simplify the URL blacklist mechanism
- Optimize the http/s detection function
- Optimize all file upload PoCs
- Optimize all RCE PoCs
delete:
- Remove Fingerprint recognition and its command parameters (replacement tool: pyxis)
- Remove uncommon command parameters
PoC:
- Added 52 PoCs
- Validate and optimize many PoCs
- Remove PoC csz-cms-multiple-blind-sql-injection
- Remove PoC phpstudy-nginx-wrong-resolve
- Several private PoCs are built in
Release 2.2.1 The Wandering Earth II
Merge many panel fingerprint pocs into the panel-detect.yaml file to greatly reduce the number of http requests
Shorten the console date format: 2023-01-01 becomes 01-01
Simplified afrog-config configuration
Fixed: the -fc command configuration had no effect
Tip: configuring the -c command can noticeably increase scan speed
v2.2.0 Bright Future
Added optional -onlyfinger/-of option for fingerprint scan only
Added CEL functions year, shortyear, month, day, timestamp_sencond, e.g. tongda-oa-api-ali-upload.yaml
Added Boolean type attribute verified, default false; verified PoC is true
Added rule attribute expressions, a request to verify multiple rules
v2.1.1 I wanna be one of the great.
- Fixed a bug with high false positives in fingerprint
- Added optional -json option for writing output in JSON format, e.g. -json result.json
2.1.0 Lost in your uniqueness even though we are all ordinary.
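- Added -update to update the afrog engine to the latest released version
- Added -proxy to use a list of http/socks5 proxies (comma-separated or file input)
- Added parameters such as -rate-limit, concurrency, fingerprint-concurrency, max-host-error, retries, and timeout
- Fixed a bug where the URL in the html report was inaccurate (when multiple request records are returned)
- Improved the banner display (modeled on nuclei)
- Disabled the GoPoc feature (temporarily)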