-
Notifications
You must be signed in to change notification settings - Fork 387
Usage
To specify the scanning target, use the -target
or -t
command. The input can be a complete URL (e.g., http(s)://example.com
) or a domain name or IP address (e.g., 192.168.66.100
, example.com
). If the target is provided in the latter format, afrog will automatically detect the HTTP(S) protocol and fill in the correct protocol before initiating the PoC scan.
afrog -t https://example.com
To specify a scan file, use the -target-file
or -T
command. Each line in the file should contain a scan target, which can be a complete URL (e.g., http(s)://example.com
) or a domain/IP address (e.g., 192.168.66.100
, example.com
). For domain/IP targets, afrog automatically detects the HTTP(S) protocol and fills in the correct protocol before conducting the PoC scan.
afrog -T urls.txt
urls.txt
https://example.com
http://hackerone.com
...
afrog automatically includes all PoCs within the binary program, eliminating the need to specify PoC files or paths. If you want to invoke or debug local PoCs, you can utilize the -poc-file
or -P
commands. To view the complete list of PoCs included in afrog, simply use the poc-list
or -pl
command. If you desire to examine the details of a specific PoC, employ the poc-detail
or -pd
command.
You can specify a local PoC file or folder using the -poc-file
or -P
command. Typically, the -P
command is used for debugging local PoCs. For instance, suppose I'm working on a PoC called phpinfo-detect.yaml
in the d:/mypocs
folder. You can execute the following command: afrog -t https://example.com -P d:/mypocs/phpinfo-detect.yaml
. Additionally, you can specify a folder: afrog -t https://example.com -P d:/mypocs/
, which will scan all files with the .yaml
or .yml
extension in the mypocs
folder.
afrog -t https://example.com -P ./mypocs
afrog -t https://example.com -P ./mypocs/phpinfo-detect.yaml
To view all the PoCs included in afrog, use the -poc-list
or -pl
command. This command will print a PoC list on the console, displaying the id
, info.name
, info.severity
, and info.author
information for each PoC. If you want to delve into the details of a specific PoC, use the -poc-detail
or -pd
command, followed by the desired PoC's id
name.
afrog -poc-list
afrog -pl
The example output is displayed as follows:
[CVE-2013-1965][Apache Struts2 S2-012 RCE][critical] author:xx
[CVE-2013-2251][Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution (S2-016)][critical] author:xx
[CVE-2014-3120][ElasticSearch v1.1.1/1.2 RCE][critical] author:xx
[CVE-2014-3704][Drupal SQL Injection][high] author:xx
[CVE-2014-6271][ShellShock - Remote Code Execution][critical] author:xx
[CVE-2015-1427][ElasticSearch - Remote Code Execution][critical] author:xx
[CVE-2015-3337][Elasticsearch CVE-2015-3337][medium] author:xx
[CVE-2015-5531][Elasticsearch CVE-2015-5531][medium] author:xx
[CVE-2015-7297][Joomla Core SQL Injection][high] author:xx
[CVE-2015-8399][Atlassian Confluence configuration files read][medium] author:xx
[CVE-2016-10134][Zabbix CVE-2016-10134][critical] author:xx
[CVE-2016-3081][Apache S2-032 Struts RCE][high] author:xx
...
To view the specific content of a PoC, use the -poc-detail or -pd command. This command will print the detailed content of the PoC on the console.
afrog -poc-detail CVE-2015-8399
afrog -pd CVE-2015-8399
The example output is displayed as follows:
id: CVE-2015-8399
info:
name: Atlassian Confluence configuration files read
author: whynot(https://github.com/notwhy)
severity: medium
verified: false
rules:
r0
request:
method: GET
path: /spaces/viewdefaultdecorator.action?decoratorName
expression: response.status == 200 && response.body.bcontains(b"confluence-init.properties") && response.body.bcontains(b"View Default Decorator")
expression: r0()
The new feature, -append-poc / -ap, allows specifying one or multiple PoC files or directories to be merged with the built-in PoC for scanning together.
afrog -t example.com -ap ./mypocs/
afrog -t example.com -ap ./mypocs/cve/2023-xx-xx.yaml
afrog v2.7.3 introduces two new commands, they are -ep (--exclude-pocs) and -epf (--exclude-pocs-file). These two commands are mainly used to exclude PoCs from the scan. POCs to exclude can be specified comma-separated or as a list of files. Excluded PoCs are based on pattern matching. Some examples are provided below to illustrate the usage of the commands in detail.
Use the -ep
command to exclude Redis, Mysql POC scans.
afrog.exe -t 127.0.0.1 -ep redis,mysql
You can also use the file list to add content to be excluded. First, create a file called exclude.txt
and fill it with the following:
redis
php
cnvd
Excuting an Code
afrog.exe -t 127.0.0.1 -epf .\exclude.txt
Optional command: -o
, writes the vulnerability scan results to the specified HTML file in real time. If the filename is not specified, a HTML file will be automatically created in the ./reports directory.
afrog -t https://example.com -o result.html
Optional command: -json
-j
, Save the scan results to a JSON file. The JSON file includes the following contents by default: target
, fulltarget
, id
, and info
. The info field includes the following sub-fields: name
, author
, severity
, description
, and reference
. If you want to save both request
and response
contents, please use the -json-all command parameter.
afrog -t https://example.com -json result.json
afrog -t https://example.com -j result.json
::: warning
The content of the JSON file is updated in real time. However, there is an important note to keep in mind: before the scan is completed, if developers want to parse the file content, they need to add a ']
' symbol to the end of the file by themselves, otherwise it will cause parsing errors. Of course, if you wait for the scan to complete before parsing the file, this issue will not occur.
:::
Optional command: -json-all
-ja
, The only difference between the -json-all
and -json
commands is that -json-all
writes all vulnerability results, including request
and response
, to a JSON file.
afrog -t https://example.com -json-all result.json
afrog -t https://example.com -ja result.json
The "disable-output-html" command can be used to prevent the automatic generation of an HTML report, and its priority is higher than the "-o" command.
afrog -t https://example.com -disable-output-html
afrog -t https://example.com -doh
Afrog supports two basic filters for custom execution.
-
Keywords (-s)
Filter based on
id
andinfo.name
field available in the PoCs -
Severity (-S)
Filter based on
severity
field available in the PoCs
Use the command -s keyword
to perform a fuzzy search on all PoCs and scan the search results. Multiple keywords can be used, separated by commas. For example: -s weblogic,jboss
.
afrog -t https://example.com -s weblogic,jboss
Use the command -S keyword
to scan vulnerabilities based on their severity level. Severity levels include: info
, low
, medium
, high
, and critical
. For example, to only scan high and critical vulnerabilities, use the command -S high,critical
.
afrog -t https://example.com -S high,critical
Afrog provides two rate limiting commands, one for executing PoCs in parallel, and the other for limiting the number of requests per second. The following are examples of each command along with their description.
-
Rate-Limit (-rl)
Control the total number of request to send per seconds
-
Concurrency (-c)
Control the number of PoCs to process in parallel
::: tip Please note that the rate-limit flag should be given higher priority than the Concurrency flag, as the former determines the maximum number of requests to be sent per second, regardless of any changes made to the value of the c flag. :::
The rate limit feature controls the overall number of requests sent per second, with a default value set to 150.
afrog -t https://example.com -rl 200
You can use this command to control the maximum number of PoCs processed in parallel, which has a default value of 25.
afrog -t https://example.com -c 600
When conducting batch asset scanning, the scanning progress slows down as the number of assets increases, and the default scanning rate seems inadequate. However, by using the "-smart" command, you can effectively address this issue. This command dynamically adjusts the scanning rate based on the number of assets being scanned, resulting in accelerated scanning progress.
afrog -t https://example.com -smart
afrog -T url.txt -smart
In order to further enhance the accuracy of POC validation and reduce the impact caused by a large number of requests on the backlink platform, version 2.7.8 of afrog has introduced a dedicated concurrent rate control feature. This effectively disperses requests, ensuring the stability of the backlink platform and providing more accurate and reliable vulnerability scanning results.
Two new parameters have been added to regulate the concurrency of reverse link POC.
- The default maximum requests per second for reverse link POC is set to 50. (Modification is not recommended)
Command:
afrog -t example.com -rrl 20
- The default concurrency for reverse link POC is set to 20.
Command:
afrog -t example.com -c 10
Please note that the "smart" parameter in the new version will no longer affect the concurrency of reverse link POC.
Afrog has introduced the monitor-target
function since version 2.3.0, which is designed to monitor inaccessible URLs. Once the specified threshold is reached, the URL will be added to a blacklist to prevent any further PoCs detection attempts. This feature significantly enhances afrog’s scanning speed and effectively solves the problem of prolonged progress times or false-positive hang-ups.
By default, the monitor-target
function is disabled. To enable this feature, please use the command -monitor-target
或 -mt
.
afrog -t https://example.com -mt
This setting is used to limit the maximum target error threshold when the monitor target
function is enabled. Note that it only takes effect after enabling this function. Default value is 3
afrog -t https://example.com -mhe 1
The number of retries for failed HTTP requests. Defaults to 1 times
afrog -t https://example.com -retries 3
This attribute specifies the duration (in seconds) for waiting time before the HTTP request times out. Defaults to 10 seconds
afrog -t https://example.com -timeout 30
During the scanning process, the Silent
feature only outputs vulnerability results to the cmd console without displaying unnecessary details like the scanning progress. By default, this feature is turned off.
afrog -t https://example.com -silent
Afrog provides both version upgrade and PoC library upgrade functionalities. Starting from version 2.3.0
, the PoC upgrade feature is enabled by default. If you wish to disable this feature, please use the command disable-update-check
.
Update afrog engine to the latest released version. The default is no automatic update.
Here is an example update afrog command:
afrog -un
::: warning Deprecated since version 2.5.1. :::
Update afrog-pocs to latest released version. Automatic update by default.
afrog -up
Disable automatic afrog-pocs
update check.
afrog -t https://example.com -duc
Afrog Proxy supports both HTTP(S) and SOCKS5 protocols and allows for the configuration of one or multiple proxy addresses. If multiple proxy addresses are needed, they can be configured by reading from a file.
afrog -t https://example.com -proxy http://127.0.0.1:1082
afrog -t https://example.com -proxy socks5://127.0.0.1:1081
afrog -t https://example.com -proxy proxy_file.txt
Here is an example proxy_file.txt
file:
http://127.0.0.1:1082
socks5://127.0.0.1:1081
Start a Web Server
afrog -web
Start Dingtalk Webhook
afrog -t example.com -dingtalk
To enable DingTalk vulnerability push function, you need to add the following parameters to the afrog configuration file (afrog-config.yaml):
webhook:
dingtalk:
tokens:
- "051089e**********65c6b6aa"
- "1f7f537**********0230ce20"
at_mobiles:
- ""
at_all: false
range: high,critical
Parameter Description:
-
Tokens: This is the access_token of the DingTalk robot. Tokens are limited to the number of messages per unit time for a single robot. If necessary, multiple tokens can be initialized and randomly sent to one of the robots when sending a message.
-
at_mobiles: Optional parameter, used to specify the group members to @. Leave it blank to not @ anyone.
-
at_all: Optional parameter, set to true to indicate @everyone.
-
range: Vulnerability notification range, the default is high and critical. Only these vulnerabilities will push messages.
Finally, the complete configuration of afrog-config.yaml is as shown in the figure
Tutorial
In the new version, we have introduced the -oob
parameter, allowing users to specify the anti-connection platform used for scanning. Currently, the anti-connection platforms supported by afrog include ceyeio, dnslogcn, alphalog (self-built), and eyes (self-built). We will also gradually add support for more anti-connection platforms, and users are also welcome to recommend other anti-connection platforms.
afrog -t example.com -oob dnslogcn // dnslog.cn
afrog -t example.com -oob alphalog // alphalog
afrog -t example.com -oob xray // xray
afrog -t example.com // ceyeio
How to write PoCs:How to write PoCs