v1.2.1

Author: zan8in

afrog-pocs/vulnerability/grafana-file-read.yml

@@ -1,8 +1,8 @@
 id: grafana-file-read
 
 info:
-    name: grafana-default-password
-    author: For3stCo1d (https://github.com/For3stCo1d)
+    name: Grafana v8.x Arbitrary File Read
+    author: zan8in
     severity: high
     description: |
         app="Grafana_Labs-公司产品"

pkg/core/celprogram.go

@@ -449,28 +449,32 @@ func reverseCheck(r *proto.Reverse, timeout int64) bool {
 	req, _ := http.NewRequest("GET", urlStr, nil)
 
 	time.Sleep(time.Second * time.Duration(timeout))
+	// fmt.Println(sub)
 
 	redirectsCount := 0
 	for {
 		resp, err := FastClientReverse.SampleHTTPRequest(req)
 		if err != nil {
+			// fmt.Println("rediSampleHTTPRequest", err.Error())
 			log.Log().Error(err.Error())
 			return false
 		}
 
 		if !bytes.Contains(resp.Body, []byte(`"data": []`)) && bytes.Contains(resp.Body, []byte(`{"code": 200`)) { // api返回结果不为空
+			// fmt.Println(string(resp.Body))
 			return true
 		}
 
 		if bytes.Contains(resp.Body, []byte(`<title>503`)) { // api返回结果不为空
 			redirectsCount++
+			// fmt.Println("redirectsCount++", redirectsCount)
 			if redirectsCount > 1 {
 				return false
 			}
 			utils.RandSleep(500)
 			continue
 		}
-
+		// fmt.Println(string(resp.Body))
 		return false
 	}
 }

pkg/core/checker.go

@@ -5,7 +5,6 @@ import (
 	"net/http"
 	"net/url"
 	"strings"
-	"sync"
 
 	"github.com/google/cel-go/checker/decls"
 	"github.com/zan8in/afrog/pkg/config"
@@ -18,157 +17,51 @@ import (
 )
 
 type Checker struct {
-	Options         *sync.Pool
-	Target          *sync.Pool
-	PocItem         *sync.Pool
-	PocHandler      *sync.Pool
-	OriginalRequest *sync.Pool
-	VariableMap     *sync.Pool
-	Result          *sync.Pool
-	CustomLib       *sync.Pool
-	FastClient      *sync.Pool
+	Options         *config.Options
+	OriginalRequest *http.Request
+	VariableMap     map[string]interface{}
+	Result          *Result
+	CustomLib       *CustomLib
+	FastClient      *http2.FastClient
 }
 
 var ReverseCeyeApiKey string
 var ReverseCeyeDomain string
 
-func NewChecker(options *config.Options, target string, pocItem poc.Poc) *Checker {
-	ReverseCeyeApiKey = options.Config.Reverse.Ceye.ApiKey
-	ReverseCeyeDomain = options.Config.Reverse.Ceye.Domain
-
-	if len(ReverseCeyeApiKey) == 0 || len(ReverseCeyeDomain) == 0 {
-		log.Log().Error("Rerverse CeyeApiKey or CeyeDomain is Empty.")
-		return nil
-	}
-
-	return &Checker{
-		Options: &sync.Pool{
-			New: func() interface{} {
-				return options
-			},
-		},
-		Target: &sync.Pool{
-			New: func() interface{} {
-				return target
-			},
-		},
-		PocItem: &sync.Pool{
-			New: func() interface{} {
-				return &pocItem
-			},
-		},
-		PocHandler: &sync.Pool{
-			New: func() interface{} {
-				pocHandler := ""
-				if strings.Contains(pocItem.Expression, "&&") && !strings.Contains(pocItem.Expression, "||") {
-					pocHandler = poc.ALLAND
-				}
-				if strings.Contains(pocItem.Expression, "||") && !strings.Contains(pocItem.Expression, "&&") {
-					pocHandler = poc.ALLOR
-				}
-				return pocHandler
-			},
-		},
-		OriginalRequest: &sync.Pool{
-			New: func() interface{} {
-				return &http.Request{}
-			},
-		},
-		VariableMap: &sync.Pool{
-			New: func() interface{} {
-				return make(map[string]interface{})
-			},
-		},
-		Result: &sync.Pool{
-			New: func() interface{} {
-				return &Result{
-					Target:  target,
-					PocInfo: &pocItem,
-					Output:  options.Output,
-				}
-			},
-		},
-		CustomLib: &sync.Pool{
-			New: func() interface{} {
-				return NewCustomLib()
-			},
-		},
-		FastClient: &sync.Pool{
-			New: func() interface{} {
-				return &http2.FastClient{}
-			},
-		},
-	}
-}
-
-func (c *Checker) ReleaseVariableMap(vmap map[string]interface{}) {
-	if vmap != nil {
-		vmap = nil
-		c.VariableMap.Put(vmap)
-	}
-}
-
-func (c *Checker) ReleaseTarget(r string) {
-	if len(r) > 0 {
-		r = ""
-		c.Target.Put(r)
-	}
-}
-
-func (c *Checker) ReleaseHandler(h string) {
-	if len(h) > 0 {
-		h = ""
-		c.Target.Put(h)
-	}
-}
-
-func (c *Checker) ReleaseOriginalRequest(o *http.Request) {
-	if o != nil {
-		*o = http.Request{}
-		c.OriginalRequest.Put(o)
-	}
-}
-
 var FastClientReverse *http2.FastClient // 用于 reverse http client
 
-func (c *Checker) Check() (err error) {
+func (c *Checker) Check(target string, pocItem poc.Poc) (err error) {
+
+	options := c.Options
 
-	options := c.Options.Get().(*config.Options)
-	defer c.Options.Put(options)
+	ReverseCeyeApiKey = options.Config.Reverse.Ceye.ApiKey
+	ReverseCeyeDomain = options.Config.Reverse.Ceye.Domain
 
-	fc := c.FastClient.Get().(*http2.FastClient)
+	fc := c.FastClient
 	fc.Client = http2.New(options)
 	fc.DialTimeout = options.Config.ConfigHttp.DialTimeout
-	defer c.FastClient.Put(fc)
-	defer fc.Reset()
-
-	variableMap := c.VariableMap.Get().(map[string]interface{})
-	defer c.ReleaseVariableMap(variableMap)
-
-	target := c.Target.Get().(string)
-	defer c.ReleaseTarget(target)
 
-	pocItem := c.PocItem.Get().(*poc.Poc)
-	defer c.PocItem.Put(pocItem)
-	defer pocItem.Reset()
+	variableMap := c.VariableMap
 
-	result := c.Result.Get().(*Result)
-	defer c.Result.Put(result)
-	defer result.Reset()
+	result := c.Result
+	result.Target = target
+	result.PocInfo = &pocItem
 
-	customLib := c.CustomLib.Get().(*CustomLib)
-	defer c.CustomLib.Put(customLib)
-	defer customLib.Reset()
+	customLib := c.CustomLib
 
-	originalRequest := c.OriginalRequest.Get().(*http.Request)
-	defer c.ReleaseOriginalRequest(originalRequest)
+	originalRequest := c.OriginalRequest
 
-	pocHandler := c.PocHandler.Get().(string)
-	defer c.ReleaseHandler(pocHandler)
+	pocHandler := ""
+	if strings.Contains(pocItem.Expression, "&&") && !strings.Contains(pocItem.Expression, "||") {
+		pocHandler = poc.ALLAND
+	}
+	if strings.Contains(pocItem.Expression, "||") && !strings.Contains(pocItem.Expression, "&&") {
+		pocHandler = poc.ALLOR
+	}
 
 	// update request variablemap
-	tempRequest := http2.AcquireProtoRequestPool()
-	defer http2.ReleaseProtoRequestPool(tempRequest)
+	// tempRequest := http2.AcquireProtoRequestPool()
+	// defer http2.ReleaseProtoRequestPool(tempRequest)
 	if pocItem.Transport != "tcp" && pocItem.Transport != "udp" {
 		if !strings.HasPrefix(target, "http://") && !strings.HasPrefix(target, "https://") {
 			target = "http://" + target
@@ -183,7 +76,9 @@ func (c *Checker) Check() (err error) {
 			return err
 		}
 
-		tempRequest, err = http2.ParseRequest(originalRequest)
+		tempRequest, err := http2.ParseRequest(originalRequest)
+		variableMap["request"] = tempRequest
+
 		if err != nil {
 			log.Log().Error(fmt.Sprintf("ParseRequest err, %s", err.Error()))
 			result.IsVul = false
@@ -198,7 +93,6 @@ func (c *Checker) Check() (err error) {
 			originalRequest.Header.Set("User-Agent", utils.RandomUA())
 		}
 	}
-	variableMap["request"] = tempRequest
 
 	// update set cel and variablemap
 	if len(pocItem.Set) > 0 {
@@ -308,9 +202,9 @@ func (c *Checker) UpdateVariableMap(args yaml.MapSlice, variableMap map[string]i
 			customLib.UpdateCompileOption(key, decls.NewObjectType("proto.Reverse"))
 
 			// if reverse()，initilize a fasthttpclient
-			FastClientReverse = c.FastClient.Get().(*http2.FastClient)
-			FastClientReverse.DialTimeout = c.Options.Get().(*config.Options).Config.ConfigHttp.DialTimeout
-			FastClientReverse.Client = http2.New(c.Options.Get().(*config.Options))
+			FastClientReverse = c.FastClient
+			FastClientReverse.DialTimeout = c.Options.Config.ConfigHttp.DialTimeout
+			FastClientReverse.Client = http2.New(c.Options)
 			continue
 		}
 

pkg/core/engine.go

@@ -1,9 +1,42 @@
 package core
 
 import (
+	"net/http"
+	"sync"
+
 	"github.com/zan8in/afrog/pkg/config"
+	http2 "github.com/zan8in/afrog/pkg/protocols/http"
 )
 
+var CheckerPool = sync.Pool{
+	New: func() interface{} {
+		return &Checker{
+			Options:         &config.Options{},
+			OriginalRequest: &http.Request{},
+			VariableMap:     make(map[string]interface{}),
+			Result:          &Result{},
+			CustomLib:       NewCustomLib(),
+			FastClient:      &http2.FastClient{},
+		}
+	},
+}
+
+func (e *Engine) AcquireChecker() *Checker {
+	c := CheckerPool.Get().(*Checker)
+	c.Options = e.options
+	c.Result.Output = e.options.Output
+	return c
+}
+
+func (e *Engine) ReleaseChecker(c *Checker) {
+	*c.OriginalRequest = http.Request{}
+	c.VariableMap = make(map[string]interface{})
+	c.Result = &Result{}
+	c.CustomLib = NewCustomLib()
+	c.FastClient = &http2.FastClient{}
+	CheckerPool.Put(c)
+}
+
 type Engine struct {
 	workPool *WorkPool
 	options  *config.Options

pkg/core/excute.go

@@ -55,14 +55,16 @@ func (e *Engine) executeTargets(poc1 poc.Poc) {
 }
 
 func (e *Engine) executeExpression(target string, poc poc.Poc) {
-	defer func() {
-		if r := recover(); r != nil {
-			log.Log().Error("gorutine recover() error from pkg/core/exccute/executeExpression")
-		}
-	}()
+	// defer func() {
+	// 	if r := recover(); r != nil {
+	// 		log.Log().Error("gorutine recover() error from pkg/core/exccute/executeExpression")
+	// 	}
+	// }()
 
-	c := NewChecker(e.options, target, poc)
-	if err := c.Check(); err != nil {
+	// c := NewChecker(e.options, target, poc)
+	c := e.AcquireChecker()
+	defer e.ReleaseChecker(c)
+	if err := c.Check(target, poc); err != nil {
 		log.Log().Error(err.Error())
 	}
 }