k
/
404StarLink
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

weekly update at 2022-07-25

Browse Source
pull/95/head
xx 2 years ago
parent 62cb3cea10
commit 4a1c99f5c6
7 changed files with 128 additions and 132 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 26
      README.md
  2. 2
      allprojects.md
  3. 69
      detail/CDK.md
  4. 95
      detail/afrog.md
  5. 17
      detail/ct.md
  6. 35
      detail/pocsuite3.md
  7. 2
      vulnerability_assessment.md

26
README.md
Unescape View File

@ -17,6 +17,7 @@
| 时间 | 项目名称 | 项目动态 | | 时间 | 项目名称 | 项目动态 |
|----|-----------|--------------------------| |----|-----------|--------------------------|
|2022-07-24|[**afrog**](detail/afrog.md)|更新 [v1.3.6](detail/afrog.md#最近更新) 版本|
|2022-07-18|[**ct**](detail/ct.md)|更新 [v1.0.9](detail/ct.md#最近更新) 版本| |2022-07-18|[**ct**](detail/ct.md)|更新 [v1.0.9](detail/ct.md#最近更新) 版本|
|2022-07-18|[**antSword**](detail/antSword.md)|发布文章[《AntSword v2.1.15 更新汇总》](https://mp.weixin.qq.com/s/QzbREMp8JaQiP9qo48OyHg)| |2022-07-18|[**antSword**](detail/antSword.md)|发布文章[《AntSword v2.1.15 更新汇总》](https://mp.weixin.qq.com/s/QzbREMp8JaQiP9qo48OyHg)|
|2022-07-17|[**antSword**](detail/antSword.md)|更新 [v2.1.15](detail/antSword.md#最近更新) 版本| |2022-07-17|[**antSword**](detail/antSword.md)|更新 [v2.1.15](detail/antSword.md#最近更新) 版本|
@ -24,7 +25,6 @@
|2022-07-15|[**veinmind-tools**](detail/veinmind-tools.md)|更新 [v1.4.0](detail/veinmind-tools.md#最近更新) 版本| |2022-07-15|[**veinmind-tools**](detail/veinmind-tools.md)|更新 [v1.4.0](detail/veinmind-tools.md#最近更新) 版本|
|2022-07-13|[**pocsuite3**](detail/pocsuite3.md)|发布文章[《Pocsuite3 入门教程》](https://paper.seebug.org/1931/)| |2022-07-13|[**pocsuite3**](detail/pocsuite3.md)|发布文章[《Pocsuite3 入门教程》](https://paper.seebug.org/1931/)|
|2022-07-10|[**CDK**](detail/CDK.md)|更新 [v1.3.0](detail/CDK.md#最近更新) 版本| |2022-07-10|[**CDK**](detail/CDK.md)|更新 [v1.3.0](detail/CDK.md#最近更新) 版本|
|2022-07-10|[**afrog**](detail/afrog.md)|更新 [v1.3.5](detail/afrog.md#最近更新) 版本|
|2022-07-09|[**GShark**](detail/gshark.md)|更新 [v0.9.9](detail/gshark.md#最近更新) 版本| |2022-07-09|[**GShark**](detail/gshark.md)|更新 [v0.9.9](detail/gshark.md#最近更新) 版本|
|2022-07-07|[**pocsuite3**](detail/pocsuite3.md)|更新 [v1.9.6](detail/pocsuite3.md#最近更新) 版本| |2022-07-07|[**pocsuite3**](detail/pocsuite3.md)|更新 [v1.9.6](detail/pocsuite3.md#最近更新) 版本|
@ -32,22 +32,22 @@
| 序号 | 项目名称 | 项目简介 | Star | | 序号 | 项目名称 | 项目简介 | Star |
|----|-----------|--------------------------|----| |----|-----------|--------------------------|----|
|1|[**HackBrowserData**](detail/HackBrowserData.md)|hack-browser-data 是一个解密浏览器数据(密码/历史记录/Cookies/书签)的导出工具,支持全平台主流浏览器的数据导出窃取。|4923| |1|[**HackBrowserData**](detail/HackBrowserData.md)|hack-browser-data 是一个解密浏览器数据(密码/历史记录/Cookies/书签)的导出工具,支持全平台主流浏览器的数据导出窃取。|4968|
|2|[**fscan**](detail/fscan.md)|一款内网综合扫描工具,方便一键自动化、全方位漏扫扫描。支持主机存活探测、端口扫描、常见服务的爆破、ms17010、redis批量写公钥、计划任务反弹shell、读取win网卡信息、web指纹识别、web漏洞扫描、netbios探测、域控识别等功能。|4053| |2|[**fscan**](detail/fscan.md)|一款内网综合扫描工具,方便一键自动化、全方位漏扫扫描。支持主机存活探测、端口扫描、常见服务的爆破、ms17010、redis批量写公钥、计划任务反弹shell、读取win网卡信息、web指纹识别、web漏洞扫描、netbios探测、域控识别等功能。|4134|
|3|[**pocsuite3**](detail/pocsuite3.md)|pocsuite3是由Knownsec 404团队开发的开源远程漏洞测试和概念验证开发框架。它带有强大的概念验证引擎,以及针对最终渗透测试人员和安全研究人员的许多强大功能。|2615| |3|[**pocsuite3**](detail/pocsuite3.md)|pocsuite3是由Knownsec 404团队开发的开源远程漏洞测试和概念验证开发框架。它带有强大的概念验证引擎,以及针对最终渗透测试人员和安全研究人员的许多强大功能。|2640|
|4|[**CDK**](detail/CDK.md)|CDK是一款为容器环境定制的渗透测试工具,在已攻陷的容器内部提供零依赖的常用命令及PoC/EXP。集成Docker/K8s场景特有的逃逸、横向移动、持久化利用方式,插件化管理。|2399| |4|[**CDK**](detail/CDK.md)|CDK是一款为容器环境定制的渗透测试工具,在已攻陷的容器内部提供零依赖的常用命令及PoC/EXP。集成Docker/K8s场景特有的逃逸、横向移动、持久化利用方式,插件化管理。|2428|
|5|[**Viper**](detail/Viper.md)|VIPER是一款图形化内网渗透工具,将内网渗透过程中常用的战术及技术进行模块化及武器化。|2372| |5|[**Viper**](detail/Viper.md)|VIPER是一款图形化内网渗透工具,将内网渗透过程中常用的战术及技术进行模块化及武器化。|2385|
|6|[**antSword**](detail/antSword.md)|中国蚁剑是一款开源的跨平台网站管理工具。|1796| |6|[**antSword**](detail/antSword.md)|中国蚁剑是一款开源的跨平台网站管理工具。|1831|
|7|[**KunLun-M**](detail/KunLun-M.md)|KunLun-M是一个完全开源的静态白盒扫描工具,支持PHP、JavaScript的语义扫描,基础安全、组件安全扫描,Chrome Ext\Solidity的基础扫描。|1539| |7|[**KunLun-M**](detail/KunLun-M.md)|KunLun-M是一个完全开源的静态白盒扫描工具,支持PHP、JavaScript的语义扫描,基础安全、组件安全扫描,Chrome Ext\Solidity的基础扫描。|1549|
|8|[**Kunpeng**](detail/Kunpeng.md)|Kunpeng是一个Golang编写的开源POC检测框架,集成了包括数据库、中间件、web组件、cms等等的漏洞POC,可检测弱口令、SQL注入、XSS、RCE等漏洞类型,以动态链接库的形式提供调用,通过此项目可快速开发漏洞检测类的系统,比攻击者快一步发现风险漏洞。|1490| |8|[**Kunpeng**](detail/Kunpeng.md)|Kunpeng是一个Golang编写的开源POC检测框架,集成了包括数据库、中间件、web组件、cms等等的漏洞POC,可检测弱口令、SQL注入、XSS、RCE等漏洞类型,以动态链接库的形式提供调用,通过此项目可快速开发漏洞检测类的系统,比攻击者快一步发现风险漏洞。|1490|
|9|[**Stowaway**](detail/Stowaway.md)|Stowaway 是一款多级代理工具,可将外部流量通过多个节点代理至内网,突破内网访问限制。Stowaway 可以方便渗透测试人员通过多级跳跃,从外部dmz等一系列区域逐步深入核心网络;Stowaway 除了流量转发功能,还提供了端口复用、ssh隧道,流量伪装等专为渗透测试人员所用的功能。|1486| |9|[**Stowaway**](detail/Stowaway.md)|Stowaway 是一款多级代理工具,可将外部流量通过多个节点代理至内网,突破内网访问限制。Stowaway 可以方便渗透测试人员通过多级跳跃,从外部dmz等一系列区域逐步深入核心网络;Stowaway 除了流量转发功能,还提供了端口复用、ssh隧道,流量伪装等专为渗透测试人员所用的功能。|1486|
|10|[**AppInfoScanner**](detail/AppInfoScanner.md)|一款适用于以HW行动/红队/渗透测试团队为场景的移动端(Android、iOS、WEB、H5、静态网站)信息收集扫描工具,可以帮助渗透测试工程师、攻击队成员、红队成员快速收集到移动端或者静态WEB站点中关键的资产信息并提供基本的信息输出,如:Title、Domain、CDN、指纹信息、状态信息等。|1298| |10|[**AppInfoScanner**](detail/AppInfoScanner.md)|一款适用于以HW行动/红队/渗透测试团队为场景的移动端(Android、iOS、WEB、H5、静态网站)信息收集扫描工具,可以帮助渗透测试工程师、攻击队成员、红队成员快速收集到移动端或者静态WEB站点中关键的资产信息并提供基本的信息输出,如:Title、Domain、CDN、指纹信息、状态信息等。|1317|
**3.项目更新** **3.项目更新**
| 时间 | 项目迭代版本 | | 时间 | 项目迭代版本 |
|----|-----------| |----|-----------|
|第29周|[**ct**](detail/ct.md) 更新 [v1.0.9](detail/ct.md#最近更新)| |第29周|[**afrog**](detail/afrog.md) 更新 [v1.3.6](detail/afrog.md#最近更新) / [**ct**](detail/ct.md) 更新 [v1.0.9](detail/ct.md#最近更新)|
|第28周|[**antSword**](detail/antSword.md) 更新 [v2.1.15](detail/antSword.md#最近更新) / [**HaE**](detail/HaE.md) 更新 [v2.4.2](detail/HaE.md#最近更新) / [**veinmind-tools**](detail/veinmind-tools.md) 更新 [v1.4.0](detail/veinmind-tools.md#最近更新)| |第28周|[**antSword**](detail/antSword.md) 更新 [v2.1.15](detail/antSword.md#最近更新) / [**HaE**](detail/HaE.md) 更新 [v2.4.2](detail/HaE.md#最近更新) / [**veinmind-tools**](detail/veinmind-tools.md) 更新 [v1.4.0](detail/veinmind-tools.md#最近更新)|
|第27周|[**CDK**](detail/CDK.md) 更新 [v1.3.0](detail/CDK.md#最近更新) / [**afrog**](detail/afrog.md) 更新 [v1.3.5](detail/afrog.md#最近更新) / [**GShark**](detail/gshark.md) 更新 [v0.9.9](detail/gshark.md#最近更新) / [**pocsuite3**](detail/pocsuite3.md) 更新 [v1.9.6](detail/pocsuite3.md#最近更新) / [**veinmind-tools**](detail/veinmind-tools.md) 更新 [v1.3.5](detail/veinmind-tools.md#最近更新) / [**fscan**](detail/fscan.md) 更新 [v1.8.1](detail/fscan.md#最近更新)| |第27周|[**CDK**](detail/CDK.md) 更新 [v1.3.0](detail/CDK.md#最近更新) / [**afrog**](detail/afrog.md) 更新 [v1.3.5](detail/afrog.md#最近更新) / [**GShark**](detail/gshark.md) 更新 [v0.9.9](detail/gshark.md#最近更新) / [**pocsuite3**](detail/pocsuite3.md) 更新 [v1.9.6](detail/pocsuite3.md#最近更新) / [**veinmind-tools**](detail/veinmind-tools.md) 更新 [v1.3.5](detail/veinmind-tools.md#最近更新) / [**fscan**](detail/fscan.md) 更新 [v1.8.1](detail/fscan.md#最近更新)|
|第26周|[**GShark**](detail/gshark.md) 更新 [v0.9.8](detail/gshark.md#最近更新) / [**fscan**](detail/fscan.md) 更新 [v1.8.0](detail/fscan.md#最近更新) / [**HaE**](detail/HaE.md) 更新 [v2.4.1](detail/HaE.md#最近更新)| |第26周|[**GShark**](detail/gshark.md) 更新 [v0.9.8](detail/gshark.md#最近更新) / [**fscan**](detail/fscan.md) 更新 [v1.8.0](detail/fscan.md#最近更新) / [**HaE**](detail/HaE.md) 更新 [v2.4.1](detail/HaE.md#最近更新)|
@ -77,9 +77,9 @@
| 序号 | 项目名称 | 作者 | 项目简介 | Star | | 序号 | 项目名称 | 作者 | 项目简介 | Star |
|------|----------|------|----------|------| |------|----------|------|----------|------|
|1|[**linglong**](detail/linglong.md)|awake1t|linglong是一款甲方资产巡航扫描系统。系统定位是发现资产,进行端口爆破。帮助企业更快发现弱口令问题。主要功能包括: 资产探测、端口爆破、定时任务、管理后台识别、报表展示。|1197| |1|[**linglong**](detail/linglong.md)|awake1t|linglong是一款甲方资产巡航扫描系统。系统定位是发现资产,进行端口爆破。帮助企业更快发现弱口令问题。主要功能包括: 资产探测、端口爆破、定时任务、管理后台识别、报表展示。|1210|
|2|[**OpenStar**](detail/OpenStar.md)|starjun|OpenStar 是一个基于 OpenResty 的高性能 Web 应用防火墙,支持复杂规则编写。提供了常规的 HTTP 字段规则配置,还提供了 IP 黑白名单、访问频次等配置,对于 CC 防护更提供的特定的规则算法,并且支持搭建集群进行防护。|1084| |2|[**OpenStar**](detail/OpenStar.md)|starjun|OpenStar 是一个基于 OpenResty 的高性能 Web 应用防火墙,支持复杂规则编写。提供了常规的 HTTP 字段规则配置,还提供了 IP 黑白名单、访问频次等配置,对于 CC 防护更提供的特定的规则算法,并且支持搭建集群进行防护。|1084|
|3|[**veinmind-tools**](detail/veinmind-tools.md)|长亭科技|veinmind-tools 是基于 veinmind-sdk 打造的一个容器安全工具集,目前已支持镜像 恶意文件/后门/敏感信息/弱口令 的扫描,更多功能正在逐步开发中。|631| |3|[**veinmind-tools**](detail/veinmind-tools.md)|长亭科技|veinmind-tools 是基于 veinmind-sdk 打造的一个容器安全工具集,目前已支持镜像 恶意文件/后门/敏感信息/弱口令 的扫描,更多功能正在逐步开发中。|659|
|4|[**GShark**](detail/gshark.md)|madneal|一款开源敏感信息监测系统,可以监测包括 github、gitlab(目前不太稳定,由于gitlab对于免费用户不提供代码全文检索API)、searchcode 多平台的敏感信息监测。|535| |4|[**GShark**](detail/gshark.md)|madneal|一款开源敏感信息监测系统,可以监测包括 github、gitlab(目前不太稳定,由于gitlab对于免费用户不提供代码全文检索API)、searchcode 多平台的敏感信息监测。|535|
|5|[**Juggler**](detail/Juggler.md)|C4o|一个也许能骗到黑客的系统,可以作为WAF等防护体系的一环。|401| |5|[**Juggler**](detail/Juggler.md)|C4o|一个也许能骗到黑客的系统,可以作为WAF等防护体系的一环。|401|
@ -87,7 +87,7 @@
| 序号 | 项目名称 | 作者 | 项目简介 | Star | | 序号 | 项目名称 | 作者 | 项目简介 | Star |
|------|----------|------|----------|------| |------|----------|------|----------|------|
|1|[**HaE**](detail/HaE.md)|gh0stkey|HaE是一款可以快速挖掘目标指纹和关键信息的Burp插件。|1214| |1|[**HaE**](detail/HaE.md)|gh0stkey|HaE是一款可以快速挖掘目标指纹和关键信息的Burp插件。|1231|
|2|[**Kunyu**](detail/Kunyu.md)|风起|Kunyu(坤舆),是一款基于ZoomEye API开发的信息收集工具,旨在让企业资产收集更高效,使更多安全相关从业者了解、使用网络空间测绘技术。|672| |2|[**Kunyu**](detail/Kunyu.md)|风起|Kunyu(坤舆),是一款基于ZoomEye API开发的信息收集工具,旨在让企业资产收集更高效,使更多安全相关从业者了解、使用网络空间测绘技术。|672|
|3|[**Glass**](detail/Glass.md)|s7ckTeam|Glass是一款针对资产列表的快速指纹识别工具,通过调用Fofa/ZoomEye/Shodan/360等api接口快速查询资产信息并识别重点资产的指纹,也可针对IP/IP段或资产列表进行快速的指纹识别。|660| |3|[**Glass**](detail/Glass.md)|s7ckTeam|Glass是一款针对资产列表的快速指纹识别工具,通过调用Fofa/ZoomEye/Shodan/360等api接口快速查询资产信息并识别重点资产的指纹,也可针对IP/IP段或资产列表进行快速的指纹识别。|660|
|4|[**scaninfo**](detail/scaninfo.md)|华东360安服团队|scaninfo 是一款开源、轻量、快速、跨平台的红队内外网打点扫描器。比较同类工具,其能够在 nmap 的扫描速度和 masscan 的准确度之间寻找一个较好的平衡点,能够快速进行端口扫描和服务识别,内置指纹识别用于 web 探测,可以用报告的方式整理扫描结果。|500| |4|[**scaninfo**](detail/scaninfo.md)|华东360安服团队|scaninfo 是一款开源、轻量、快速、跨平台的红队内外网打点扫描器。比较同类工具,其能够在 nmap 的扫描速度和 masscan 的准确度之间寻找一个较好的平衡点,能够快速进行端口扫描和服务识别,内置指纹识别用于 web 探测,可以用报告的方式整理扫描结果。|500|

2
allprojects.md
Unescape View File

@ -257,7 +257,7 @@ Pocassist 是一个 Golang 编写的全新开源漏洞测试框架,帮助安
![Author](https://img.shields.io/badge/Author-zan8in-orange) ![Author](https://img.shields.io/badge/Author-zan8in-orange)
![Language](https://img.shields.io/badge/Language-Golang-blue) ![Language](https://img.shields.io/badge/Language-Golang-blue)
![GitHub stars](https://img.shields.io/github/stars/zan8in/afrog.svg?style=flat&logo=github) ![GitHub stars](https://img.shields.io/github/stars/zan8in/afrog.svg?style=flat&logo=github)
![Version](https://img.shields.io/badge/Version-V1.3.5-red) ![Version](https://img.shields.io/badge/Version-V1.3.6-red)
<https://github.com/zan8in/afrog> <https://github.com/zan8in/afrog>

69
detail/CDK.md
Unescape View File

@ -11,7 +11,7 @@
English | [简体中文](https://github.com/cdk-team/CDK/wiki/CDK-Home-CN) English | [简体中文](https://github.com/cdk-team/CDK/wiki/CDK-Home-CN)
![png](https://static.cdxy.me/20201203170308_NwzGiT_Screenshot.jpeg) ![png](https://user-images.githubusercontent.com/7868679/177925206-8d83dc95-0f2f-4d61-9a45-0d43b1b0468f.png)
## Legal Disclaimer ## Legal Disclaimer
@ -22,6 +22,28 @@ CDK is for security testing purposes only.
CDK is an open-sourced container penetration toolkit, designed for offering stable exploitation in different slimmed containers without any OS dependency. It comes with useful net-tools and many powerful PoCs/EXPs and helps you to escape container and take over K8s cluster easily. CDK is an open-sourced container penetration toolkit, designed for offering stable exploitation in different slimmed containers without any OS dependency. It comes with useful net-tools and many powerful PoCs/EXPs and helps you to escape container and take over K8s cluster easily.
## Quick Start
Run **`cdk eva`** to get evaluate info and a recommend exploit, then run **`cdk run`** to start the attack.
```
> ./cdk eva --full
[*] Maybe you can exploit the *Capabilities* below:
[!] CAP_DAC_READ_SEARCH enabled. You can read files from host. Use 'cdk run cap-dac-read-search' ... for exploitation.
[!] CAP_SYS_MODULE enabled. You can escape the container via loading kernel module. More info at https://xcellerator.github.io/posts/docker_escape/.
Critical - SYS_ADMIN Capability Found. Try 'cdk run rewrite-cgroup-devices/mount-cgroup/...'.
Critical - Possible Privileged Container Found.
> ./cdk run cap-dac-read-search
Running with target: /etc/shadow, ref: /etc/hostname
ubuntu:$6$*******:19173:0:99999:7:::
root:*:18659:0:99999:7:::
daemon:*:18659:0:99999:7:::
bin:*:18659:0:99999:7:::
```
## Installation/Delivery ## Installation/Delivery
Download latest release in https://github.com/cdk-team/CDK/releases/ Download latest release in https://github.com/cdk-team/CDK/releases/
@ -51,7 +73,6 @@ chmod a+x cdk
Usage: Usage:
cdk evaluate [--full] cdk evaluate [--full]
cdk run (--list | <exploit> [<args>...]) cdk run (--list | <exploit> [<args>...])
cdk auto-escape <cmd>
cdk <tool> [<args>...] cdk <tool> [<args>...]
Evaluate: Evaluate:
@ -71,6 +92,7 @@ Tool:
nc [options] Create TCP tunnel. nc [options] Create TCP tunnel.
ifconfig Show network information. ifconfig Show network information.
kcurl <path> (get|post) <uri> <data> Make request to K8s api-server. kcurl <path> (get|post) <uri> <data> Make request to K8s api-server.
ectl <endpoint> get <key> Unauthorized enumeration of ectd keys.
ucurl (get|post) <socket> <uri> <data> Make request to docker unix socket. ucurl (get|post) <socket> <uri> <data> Make request to docker unix socket.
probe <ip> <port> <parallel> <timeout-ms> TCP port scan, example: cdk probe 10.0.1.0-255 80,8080-9443 50 1000 probe <ip> <port> <parallel> <timeout-ms> TCP port scan, example: cdk probe 10.0.1.0-255 80,8080-9443 50 1000
@ -106,6 +128,7 @@ This command will run the scripts below without local file scanning, using `--fu
|Information Gathering|Sensitive Process|✔|[link](https://github.com/cdk-team/CDK/wiki/Evaluate:-Services)| |Information Gathering|Sensitive Process|✔|[link](https://github.com/cdk-team/CDK/wiki/Evaluate:-Services)|
|Information Gathering|Sensitive Local Files|✔|[link](https://github.com/cdk-team/CDK/wiki/Evaluate:-Sensitive-Files)| |Information Gathering|Sensitive Local Files|✔|[link](https://github.com/cdk-team/CDK/wiki/Evaluate:-Sensitive-Files)|
|Information Gathering|Kube-proxy Route Localnet(CVE-2020-8558)|✔|[link](https://github.com/cdk-team/CDK/wiki/Evaluate:-check-net.ipv4.conf.all.route_localnet)| |Information Gathering|Kube-proxy Route Localnet(CVE-2020-8558)|✔|[link](https://github.com/cdk-team/CDK/wiki/Evaluate:-check-net.ipv4.conf.all.route_localnet)|
|Information Gathering|DNS-Based Service Discovery|✔|[link](https://github.com/kubernetes/dns/blob/master/docs/specification.md)|
|Discovery|K8s Api-server Info|✔|[link](https://github.com/cdk-team/CDK/wiki/Evaluate:-K8s-API-Server)| |Discovery|K8s Api-server Info|✔|[link](https://github.com/cdk-team/CDK/wiki/Evaluate:-K8s-API-Server)|
|Discovery|K8s Service-account Info|✔|[link](https://github.com/cdk-team/CDK/wiki/Evaluate:-K8s-Service-Account)| |Discovery|K8s Service-account Info|✔|[link](https://github.com/cdk-team/CDK/wiki/Evaluate:-K8s-Service-Account)|
|Discovery|Cloud Provider Metadata API|✔|[link](https://github.com/cdk-team/CDK/wiki/Evaluate:-Cloud-Provider-Metadata-API)| |Discovery|Cloud Provider Metadata API|✔|[link](https://github.com/cdk-team/CDK/wiki/Evaluate:-Cloud-Provider-Metadata-API)|
@ -141,8 +164,10 @@ cdk run <script-name> [options]
| Discovery | Dump Istio Sidecar Meta | istio-check | ✔ | ✔ | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-check-istio) | | Discovery | Dump Istio Sidecar Meta | istio-check | ✔ | ✔ | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-check-istio) |
| Discovery | Dump K8s Pod Security Policies | k8s-psp-dump | ✔ || [link](https://github.com/cdk-team/CDK/wiki/Exploit:-k8s-psp-dump) | | Discovery | Dump K8s Pod Security Policies | k8s-psp-dump | ✔ || [link](https://github.com/cdk-team/CDK/wiki/Exploit:-k8s-psp-dump) |
| Remote Control | Reverse Shell | reverse-shell | ✔ | ✔ | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-reverse-shell) | | Remote Control | Reverse Shell | reverse-shell | ✔ | ✔ | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-reverse-shell) |
| Remote Control | Kubelet Exec | kubelet-exec | ✔ | ✔ | |
| Credential Access | Registry BruteForce | registry-brute | ✔ | ✔ | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-Container-Image-Registry-Brute) | | Credential Access | Registry BruteForce | registry-brute | ✔ | ✔ | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-Container-Image-Registry-Brute) |
| Credential Access | Access Key Scanning | ak-leakage | ✔ | ✔ | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-ak-leakage) | | Credential Access | Access Key Scanning | ak-leakage | ✔ | ✔ | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-ak-leakage) |
| Credential Access | Etcd Get K8s Token | etcd-get-k8s-token | ✔ | ✔ | |
| Credential Access | Dump K8s Secrets | k8s-secret-dump | ✔ | ✔ | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-k8s-secret-dump) | | Credential Access | Dump K8s Secrets | k8s-secret-dump | ✔ | ✔ | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-k8s-secret-dump) |
| Credential Access | Dump K8s Config | k8s-configmap-dump | ✔ | ✔ | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-k8s-configmap-dump) | | Credential Access | Dump K8s Config | k8s-configmap-dump | ✔ | ✔ | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-k8s-configmap-dump) |
| Privilege Escalation | K8s RBAC Bypass | k8s-get-sa-token | ✔ | ✔ | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-k8s-get-sa-token) | | Privilege Escalation | K8s RBAC Bypass | k8s-get-sa-token | ✔ | ✔ | [link](https://github.com/cdk-team/CDK/wiki/Exploit:-k8s-get-sa-token) |
@ -168,51 +193,13 @@ cdk ps
|ps|Process Information|✔|[link](https://github.com/cdk-team/CDK/wiki/Tool:-ps)| |ps|Process Information|✔|[link](https://github.com/cdk-team/CDK/wiki/Tool:-ps)|
|ifconfig|Network Information|✔|[link](https://github.com/cdk-team/CDK/wiki/Tool:-ifconfig)| |ifconfig|Network Information|✔|[link](https://github.com/cdk-team/CDK/wiki/Tool:-ifconfig)|
|vi|Edit Files|✔|[link](https://github.com/cdk-team/CDK/wiki/Tool:-vi)| |vi|Edit Files|✔|[link](https://github.com/cdk-team/CDK/wiki/Tool:-vi)|
|ectl|Unauthorized enumeration of ectd keys|✔||
|kcurl|Request to K8s api-server|✔|[link](https://github.com/cdk-team/CDK/wiki/Tool:-kcurl)| |kcurl|Request to K8s api-server|✔|[link](https://github.com/cdk-team/CDK/wiki/Tool:-kcurl)|
|dcurl|Request to Docker HTTP API|✔|[link](https://github.com/cdk-team/CDK/wiki/Tool:-dcurl)| |dcurl|Request to Docker HTTP API|✔|[link](https://github.com/cdk-team/CDK/wiki/Tool:-dcurl)|
|ucurl|Request to Docker Unix Socket|✔|[link](https://github.com/cdk-team/CDK/wiki/Tool:-ucurl)| |ucurl|Request to Docker Unix Socket|✔|[link](https://github.com/cdk-team/CDK/wiki/Tool:-ucurl)|
|rcurl|Request to Docker Registry API||| |rcurl|Request to Docker Registry API|||
|probe|IP/Port Scanning|✔|[link](https://github.com/cdk-team/CDK/wiki/Tool:-probe)| |probe|IP/Port Scanning|✔|[link](https://github.com/cdk-team/CDK/wiki/Tool:-probe)|
### Release Document
If you want to know how we released a new version, how thin is produced, why we provide upx versions, what the differences between different versions about all, normal, thin, upx are, and how to choose specific CDK exploits and tools to compile an own release for yourself, please check the [Release Document](https://github.com/cdk-team/CDK/wiki/Release).
## Developer Docs
* [run test in container.](https://github.com/cdk-team/CDK/wiki/Run-Test)
## Contributing to CDK
First off, thanks for taking the time to contribute!
By reporting any issue, ideas or PRs, your GitHub ID will be listed here.
* https://github.com/cdk-team/CDK/blob/main/thanks.md
#### Bug Reporting
Bugs are tracked as [GitHub Issues](https://github.com/cdk-team/CDK/issues). Create an issue with the current CDK version, error msg and the environment. Describe the exact steps which reproduce the problem.
#### Suggesting Enhancements
Enhancement suggestions are tracked as [GitHub Discussions](https://github.com/cdk-team/CDK/discussions). You can publish any thoughts here to discuss with developers directly.
#### Pull Requests
Fix problems or maintain CDK's quality:
* Describe the current CDK version, environment, problem and exact steps that reproduce the problem.
* Running screenshots or logs before and after you fix the problem.
New feature or exploits:
* Explain why this enhancement would be useful to other users.
* Please enable a sustainable environment for us to review contributions.
* Screenshots about how this new feature works.
* If you are committing a new evaluate/exploit scripts, please add a simple doc to your PR message, here is an [example](https://github.com/cdk-team/CDK/wiki/Exploit:-docker-sock-deploy).
<!--auto_detail_active_begin_e1c6fb434b6f0baf6912c7a1934f772b--> <!--auto_detail_active_begin_e1c6fb434b6f0baf6912c7a1934f772b-->
## 项目相关 ## 项目相关

95
detail/afrog.md
Unescape View File

@ -3,7 +3,7 @@
![Language](https://img.shields.io/badge/Language-Golang-blue) ![Language](https://img.shields.io/badge/Language-Golang-blue)
![Author](https://img.shields.io/badge/Author-zan8in-orange) ![Author](https://img.shields.io/badge/Author-zan8in-orange)
![GitHub stars](https://img.shields.io/github/stars/zan8in/afrog.svg?style=flat&logo=github) ![GitHub stars](https://img.shields.io/github/stars/zan8in/afrog.svg?style=flat&logo=github)
![Version](https://img.shields.io/badge/Version-V1.3.5-red) ![Version](https://img.shields.io/badge/Version-V1.3.6-red)
![Time](https://img.shields.io/badge/Join-20220615-green) ![Time](https://img.shields.io/badge/Join-20220615-green)
<!--auto_detail_badge_end_fef74f2d7ea73fcc43ff78e05b1e7451--> <!--auto_detail_badge_end_fef74f2d7ea73fcc43ff78e05b1e7451-->
@ -13,70 +13,52 @@ afrog 是一款性能卓越、快速稳定、PoC 可定制的漏洞扫描工具
## 特点 ## 特点
* [x] 基于 xray 内核,又不像 xray([**afrog 模板语法**](https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/README.md)) * [x] 开源
* [x] 性能卓越,快速稳定 * [x] 快速、稳定、误报低
* [x] 实时显示,扫描进度 * [x] 详细的 html 漏洞报告
* [x] 输出 html 报告,方便查看 `request``response` * [x] PoC 可定制化、稳定更新
* [x] 启动程序,自动更新本地 PoC 库 * [x] 活跃的社区 [交流群](https://github.com/zan8in/afrog#%E4%BA%A4%E6%B5%81%E7%BE%A4)
* [x] 长期维护、更新 PoC([**afrog-pocs**](https://github.com/zan8in/afrog/tree/main/pocs/afrog-pocs)) * [x] 长期维护
* [x] 二次开发,参考 `cmd/afrog/main.go` 或加入 **[交流群](https://github.com/zan8in/afrog#%E4%BA%A4%E6%B5%81%E7%BE%A4)**
## 下载 ## 示例
### [下载地址](https://github.com/zan8in/afrog/releases) 基本用法
```
## 使用指南 # 扫描一个目标
afrog -t http://127.0.0.1
### [查看指南](https://github.com/zan8in/afrog/blob/main/GUIDE.md)
## 例子 # 扫描多个目标
afrog -T urls.txt
扫描单个目标 # 指定漏扫报告文件
```
afrog -t http://127.0.0.1-o result.html afrog -t http://127.0.0.1-o result.html
``` ```
![](https://github.com/zan8in/afrog/raw/main/images/onescan.png)
扫描多个目标 高级用法
``` ```
afrog -T urls.txt -o result.html # 测试 PoC
``` afrog -t http://127.0.0.1 -P ./test/
例如:`urls.txt` afrog -t http://127.0.0.1 -P ./test/demo.yaml
```
http://192.168.139.129:8080
http://127.0.0.1
```
![](https://github.com/zan8in/afrog/raw/main/images/twoscan.png)
测试单个 PoC 文件 # 按 PoC 关键字扫描
afrog -t http://127.0.0.1 -s tomcat,springboot,shiro
``` # 按 Poc 漏洞等级扫描
afrog -t http://127.0.0.1 -P ./testing/poc-test.yaml -o result.html afrog -t http://127.0.0.1 -S high,critical
```
![](https://github.com/zan8in/afrog/raw/main/images/threescan.png)
测试多个 PoC 文件 # 在线更新 afrog-pocs
afrog --up
# 禁用指纹识别,直接漏扫
afrog -t http://127.0.0.1 --nf
``` ```
afrog -t http://127.0.0.1 -P ./testing/ -o result.html
```
![](https://github.com/zan8in/afrog/raw/main/images/fourscan.png)
输出 html 报告
![](https://github.com/zan8in/afrog/raw/main/images/2.png)
![](https://github.com/zan8in/afrog/raw/main/images/3.png)
## 如何贡献 PoC?
### [查看教程](https://github.com/zan8in/afrog/blob/main/CONTRIBUTION.md)
## PoC 列表
### [查看 PoC 列表](https://github.com/zan8in/afrog/blob/main/POCLIST.md)
## 截图
控制台
![](https://github.com/zan8in/afrog/blob/main/images/scan-new.png)
html 报告
![](https://github.com/zan8in/afrog/blob/main/images/report-new.png)
<!--auto_detail_active_begin_e1c6fb434b6f0baf6912c7a1934f772b--> <!--auto_detail_active_begin_e1c6fb434b6f0baf6912c7a1934f772b-->
## 项目相关 ## 项目相关
@ -84,6 +66,19 @@ afrog -t http://127.0.0.1 -P ./testing/ -o result.html
## 最近更新 ## 最近更新
#### [v1.3.6] - 2022-07-24
**更新**
- add Gitee 更新 afrog-pocs
- add 自动识别 http(s)
- add target 存活验证
- add Console Print 实时显示指纹识别结果
- update 更新 fingerprint 指纹库
- fixed 解决 gbk 编码导致 PoC 漏报问题
- bug 修复 GoPoC Console Print 不显示 target
- delete tongda-insert-sql-inject poc
- poc 新增 PoC 33 个,共 656 个
#### [v1.3.5] - 2022-07-10 #### [v1.3.5] - 2022-07-10
**新增** **新增**

17
detail/ct.md
Unescape View File

@ -26,18 +26,21 @@ Windows 编译环境安装请下载[rustup-init.exe](https://static.rust-lang.or
从[releases](https://github.com/knownsec/ct/releases "releases")下载二进制文件。 从[releases](https://github.com/knownsec/ct/releases "releases")下载二进制文件。
``` ```
ct 1.0.0 ct 1.0.9
Autor: rungobier@knownsec 404 team <rungobier@gmail.com> Autor: rungobier@knownsec 404 team <rungobier@gmail.com>
Collect information tools about the target domain. Collect information tools about the target domain.
USAGE: USAGE:
ct [FLAGS] [OPTIONS] [domain] ct_win64.exe [FLAGS] [OPTIONS] [domain]
FLAGS: FLAGS:
-E Extended analysis domain
-T Network upload speed test. -T Network upload speed test.
-Z Do not use zoomeye data -Z Do not use zoomeye data
-C, --cidr Convert the IP related to the target domain name to cidr for extended search. Default is false.
-h, --help Prints help information -h, --help Prints help information
-i, --info Get ZoomEye account base info -i, --info Get ZoomEye account base info
-q, --query-ip Use zoomeye to query ip information
-V, --version Prints version information -V, --version Prints version information
OPTIONS: OPTIONS:
@ -53,6 +56,10 @@ OPTIONS:
mail mail
dev dev
... ...
-F <filter-domains> Extended filter domain list.
Example of extended filtering domain name list:
knownsec.com,jiasule.com,365cyd.com...
--query-num <query-num> Maximum number of zoomeye query. Default query number 100
-t, --threads <thread-num> Maximum number of threads. Default number $CPU_NUM -t, --threads <thread-num> Maximum number of threads. Default number $CPU_NUM
-w, --work-dir <work-dir> Directory to save the results of tasks. Default -w, --work-dir <work-dir> Directory to save the results of tasks. Default
[/tmp|$DESKTOP]/YYYYmmddHHMM_$DOMAIN [/tmp|$DESKTOP]/YYYYmmddHHMM_$DOMAIN
@ -68,6 +75,12 @@ ARGS:
ZoomEye apikey 初始化 ZoomEye apikey 初始化
ct --init 62EC1239-xxxx-xxxxx-xxxx-e45291301ee ct --init 62EC1239-xxxx-xxxxx-xxxx-e45291301ee
开启扩展搜索
ct -E
过滤域名,域名之间以,分隔
ct -F
查看ZoomEye账号信息 查看ZoomEye账号信息
ct -i ct -i

35
detail/pocsuite3.md
Unescape View File

@ -7,7 +7,6 @@
![Time](https://img.shields.io/badge/Join-20200821-green) ![Time](https://img.shields.io/badge/Join-20200821-green)
<!--auto_detail_badge_end_fef74f2d7ea73fcc43ff78e05b1e7451--> <!--auto_detail_badge_end_fef74f2d7ea73fcc43ff78e05b1e7451-->
## Legal Disclaimer ## Legal Disclaimer
Usage of pocsuite3 for attacking targets without prior mutual consent is illegal. Usage of pocsuite3 for attacking targets without prior mutual consent is illegal.
pocsuite3 is for security testing purposes only pocsuite3 is for security testing purposes only
@ -29,15 +28,12 @@ It comes with a powerful proof-of-concept engine, many nice features for the ult
* Results can be easily exported * Results can be easily exported
* Dynamic patch and hook requests * Dynamic patch and hook requests
* Both command line tool and python package import to use * Both command line tool and python package import to use
* IPV6 support * IPv6 support
* Global HTTP/HTTPS/SOCKS proxy support * Global HTTP/HTTPS/SOCKS proxy support
* Simple spider API for PoC script to use * Simple spider API for PoC script to use
* Integrate with [Seebug](https://www.seebug.org) (for load PoC from Seebug website) * Integrate with [Seebug](https://www.seebug.org) (for load PoC from Seebug website)
* Integrate with [ZoomEye](https://www.zoomeye.org) (for load target from ZoomEye `Dork`) * Integrate with [ZoomEye](https://www.zoomeye.org), [Shodan](https://www.shodan.io), etc. (for load target use `Dork`)
* Integrate with [Shodan](https://www.shodan.io) (for load target from Shodan `Dork`) * Integrate with [Ceye](http://ceye.io/), [Interactsh](https://github.com/projectdiscovery/interactsh) (for verify blind DNS and HTTP request)
* Integrate with [Ceye](http://ceye.io/) (for verify blind DNS and HTTP request)
* Integrate with [Interactsh](https://github.com/projectdiscovery/interactsh) (for verify blind DNS and HTTP request)
* Integrate with Fofa (for load target from Fofa `Dork`)
* Friendly debug PoC scripts with IDEs * Friendly debug PoC scripts with IDEs
* More ... * More ...
@ -60,7 +56,7 @@ It comes with a powerful proof-of-concept engine, many nice features for the ult
## Requirements ## Requirements
- Python 3.6+ - Python 3.7+
- Works on Linux, Windows, Mac OSX, BSD, etc. - Works on Linux, Windows, Mac OSX, BSD, etc.
## Installation ## Installation
@ -91,6 +87,12 @@ sudo apt update
sudo apt install pocsuite3 sudo apt install pocsuite3
``` ```
### Docker
```
docker run -it pocsuite3/pocsuite3
```
### ArchLinux ### ArchLinux
``` bash ``` bash
@ -102,11 +104,11 @@ yay pocsuite3
Or click [here](https://github.com/knownsec/pocsuite3/archive/master.zip) to download the latest source zip package and extract Or click [here](https://github.com/knownsec/pocsuite3/archive/master.zip) to download the latest source zip package and extract
``` bash ``` bash
$ wget https://github.com/knownsec/pocsuite3/archive/master.zip wget https://github.com/knownsec/pocsuite3/archive/master.zip
$ unzip master.zip unzip master.zip
$ cd pocsuite3-master cd pocsuite3-master
$ pip3 install -r requirements.txt pip3 install -r requirements.txt
$ python3 setup.py install python3 setup.py install
``` ```
@ -114,7 +116,7 @@ The latest version of this software is available at: https://pocsuite.org
## Documentation ## Documentation
Documentation is available in the [```docs```](https://github.com/knownsec/pocsuite3/blob/master/docs) directory. Documentation is available at: https://pocsuite.org
## Usage ## Usage
@ -127,7 +129,7 @@ cli mode
# run poc with shell mode # run poc with shell mode
pocsuite -u http://example.com -r example.py -v 2 --shell pocsuite -u http://example.com -r example.py -v 2 --shell
# search for the target of redis service from ZoomEye and perform batch detection of vulnerabilities. The thread is set to 20 # search for the target of redis service from ZoomEye and perform batch detection of vulnerabilities. The threads is set to 20
pocsuite -r redis.py --dork service:redis --threads 20 pocsuite -r redis.py --dork service:redis --threads 20
# load all poc in the poc directory and save the result as html # load all poc in the poc directory and save the result as html
@ -137,7 +139,7 @@ cli mode
pocsuite -f batch.txt --plugins poc_from_pocs,html_report pocsuite -f batch.txt --plugins poc_from_pocs,html_report
# load CIDR target # load CIDR target
pocsuite -u 10.0.0.0/24 -r example.py --plugins target_from_cidr pocsuite -u 10.0.0.0/24 -r example.py
# the custom parameters `command` is implemented in ecshop poc, which can be set from command line options # the custom parameters `command` is implemented in ecshop poc, which can be set from command line options
pocsuite -u http://example.com -r ecshop_rce.py --attack --command "whoami" pocsuite -u http://example.com -r ecshop_rce.py --attack --command "whoami"
@ -146,7 +148,6 @@ console mode
poc-console poc-console
``` ```
<!--auto_detail_active_begin_e1c6fb434b6f0baf6912c7a1934f772b--> <!--auto_detail_active_begin_e1c6fb434b6f0baf6912c7a1934f772b-->
## 项目相关 ## 项目相关

2
vulnerability_assessment.md
Unescape View File

@ -32,7 +32,7 @@ Pocassist 是一个 Golang 编写的全新开源漏洞测试框架,帮助安
![Author](https://img.shields.io/badge/Author-zan8in-orange) ![Author](https://img.shields.io/badge/Author-zan8in-orange)
![Language](https://img.shields.io/badge/Language-Golang-blue) ![Language](https://img.shields.io/badge/Language-Golang-blue)
![GitHub stars](https://img.shields.io/github/stars/zan8in/afrog.svg?style=flat&logo=github) ![GitHub stars](https://img.shields.io/github/stars/zan8in/afrog.svg?style=flat&logo=github)
![Version](https://img.shields.io/badge/Version-V1.3.5-red) ![Version](https://img.shields.io/badge/Version-V1.3.6-red)
<https://github.com/zan8in/afrog> <https://github.com/zan8in/afrog>

Write Preview
Loading…
Cancel
Save