404StarLink/detail/afrog.md

afrog https://github.com/zan8in/afrog

What is afrog

afrog is an excellent performance, fast and stable, PoC customizable vulnerability scanning (hole digging) tool. PoC involves CVE, CNVD, default password, information leakage, fingerprint identification, unauthorized access, arbitrary file reading, command execution, etc. It helps network security practitioners quickly verify and fix vulnerabilities in a timely manner.

Features

• Open Source
• Fast, stable, low false positives
• Detailed html vulnerability report
• PoC can be customized and updated stably
• Active community exchange group

Example

Basic usage

# Scan a target
afrog -t http://127.0.0.1

# Scan multiple targets
afrog -T urls.txt

# Specify a scan report file
afrog -t http://127.0.0.1 -o result.html

Advanced usage

# Test PoC 
afrog -t http://127.0.0.1 -P ./test/ 
afrog -t http://127.0.0.1 -P ./test/demo.yaml 

# Scan by PoC Keywords 
afrog -t http://127.0.0.1 -s tomcat,springboot,shiro 

# Scan by PoC Vulnerability Severity Level 
afrog -t http://127.0.0.1 -S high,critical 

# Online update afrog-pocs 
afrog -up 

# Disable fingerprint recognition 
afrog -t http://127.0.0.1 -nf

Screenshot

项目相关

最近更新

[v2.2.3] - 2023-04-22

优化

• 可自定义 html report 报告生成目录

PoC

• 新增 22 PoC

[v2.2.2] - 2023-04-05

修复

• 修复 afrog html 报告 XSS 漏洞

优化

• 简化 URL 黑名单机制
• 优化 http/s 检测功能
• 优化 文件上传 (所有) PoC
• 优化 RCE (所有) PoC

删除

• 去掉 Fingerprint 指纹识别及命令参数 (替代工具 pyxis)
• 去掉不常用命令参数

PoC

• 新增 52 PoC
• 验证和优化 n 多个 PoC
• 删除 PoC csz-cms-multiple-blind-sql-injection
• 删除 PoC phpstudy-nginx-wrong-resolve
• 内置几个 private PoC

[v2.2.1] - 2023-02-04

更新

• 将多个 panel 指纹探测合并到文件 panel-detect.yaml，大幅减少 http 请求
• 精简控制台日期打印，2023-01-01 改为 01-01
• 精简 afrog-config 配置信息

修复

• 解决：-fc 命令配置无效问题
• 提示：配置 -c 命令能明显提高扫描速度

[v2.2.0] - 2023-01-07

更新

• 新增仅指纹扫描选项 -onlyfinger
• 新增 CEL 函数，如 year/shortyear 等
• 新增 PoC 验证属性，默认为 false
• 新增规则属性表达式

[v2.1.1] - 2022-12-22

更新

• 修复了指纹中误报率高的bug
• 添加 -json 选项，用于 json 格式输出