fix: apply severity filter to output stage for console and report res…#208

Open

adeljck wants to merge 1 commit into zan8in:main from adeljck:fix/severity-filter

Conversation

adeljck (Contributor) commented Apr 26, 2026

fix: apply the severity filter to the output stage

fix #206

Change description

The -S (severity) parameter previously only took effect at the POC loading stage; the output stage (console and report) did no filtering. This change adds severity filtering in the following places:

  • cmd/afrog/main.go — console output in CLI mode
  • afrog.go — result collection in SDK mode
  • pkg/config/options.go — option initialization

Testing

Environment

  • Test target: http://127.0.0.1:8848/ (Nacos 1.4.0)
  • Build environment: Go 1.26.2 windows/amd64
  • afrog: Core 3.5.2 / POC 0.5.28
PS C:\Users\username\GolandProjects\afrog> .\afrog.exe -t http://127.0.0.1:8848/ -S critical

Afrog/3.5.2 | Security Toolkit | Lightweight, Fast, and Direct to the Flaw.
════════════════════════════════════════════════════════
[✓] Core:  3.5.2
[✓] POC:   0.5.28
[✓] Cur:   0/pocs https://t.zsxq.com/lV66x
[✖] OOB:   ceyeio (Not configured)
════════════════════════════════════════════════════════
[INF] HOST-DISC | skipped   | -ps not enabled
[INF] PORT-SCAN | skipped   | -ps not enabled
[INF] VULN-SCAN | started   | targets=1 pocs=626 tasks=600
001 04-26 16:10:35 nacos-authentication-bypass CRITICAL http://127.0.0.1:8848/nacos/v1/auth/users?pageNo=1&pageSize=10&accessToken=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6OTk5OTk5OTk5OTl9.-isk56R8NfioHVYmpj4oz92nUteNBCN3HRd0-Hfk76g
002 04-26 16:10:35 nacos-core-auth-enabled-bypass CRITICAL http://127.0.0.1:8848/nacos/v1/auth/users?pageNo=1&pageSize=9&search=accurate&accessToken
003 04-26 16:10:35 nacos-token-create-user CRITICAL http://127.0.0.1:8848/nacos/v1/auth/users?username=vpqfuz
[━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━] 100% (600/600), 30s oobf=0/0 skipped
[INF] VULN-SCAN | completed | tasks=600/600 found=3 duration=30s
PS C:\Users\username\GolandProjects\afrog> .\afrog.exe -t http://127.0.0.1:8848/ -S high

Afrog/3.5.2 | Security Toolkit | Lightweight, Fast, and Direct to the Flaw.
════════════════════════════════════════════════════════
[✓] Core:  3.5.2
[✓] POC:   0.5.28
[✓] Cur:   0/pocs https://t.zsxq.com/lV66x
[✖] OOB:   ceyeio (Not configured)
════════════════════════════════════════════════════════
[INF] HOST-DISC | skipped   | -ps not enabled
[INF] PORT-SCAN | skipped   | -ps not enabled
[INF] VULN-SCAN | started   | targets=1 pocs=894 tasks=870
001 04-26 16:11:13 nacos-config-server-sql-inject HIGH http://127.0.0.1:8848/nacos/v1/cs/ops/derby?sql=select%20*%20from%20users%20
002 04-26 16:11:13 nacos-secret-default-key-unauth HIGH http://127.0.0.1:8848/nacos/v1/auth/users?accessToken=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY5ODg5NDcyN30.feetKmWoPnMkAebjkNnyuKo6c21_hzTgu0dfNqbdpZQ&pageNo=1&pageSize=9
003 04-26 16:11:13 nacos-severidentity-bypass HIGH http://127.0.0.1:8848/nacos/v1/auth/users?pageNo=1&pageSize=9&search=accurate&accessToken
004 04-26 16:11:13 nacos-user-list-unauthorized HIGH http://127.0.0.1:8848/nacos/v1/auth/users?pageNo=1&pageSize=9
005 04-26 16:11:13 nacos-create-user-unauthorized HIGH http://127.0.0.1:8848/nacos/v1/auth/users?username=cgofomyg
[━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━] 100% (870/870), 5s oobf=0/0 skipped
[INF] VULN-SCAN | completed | tasks=870/870 found=5 duration=5s
PS C:\Users\username\GolandProjects\afrog> .\afrog.exe -t http://127.0.0.1:8848/ -S high,critical

Afrog/3.5.2 | Security Toolkit | Lightweight, Fast, and Direct to the Flaw.
════════════════════════════════════════════════════════
[✓] Core:  3.5.2
[✓] POC:   0.5.28
[✓] Cur:   0/pocs https://t.zsxq.com/lV66x
[✖] OOB:   ceyeio (Not configured)
════════════════════════════════════════════════════════
[INF] HOST-DISC | skipped   | -ps not enabled
[INF] PORT-SCAN | skipped   | -ps not enabled
[INF] VULN-SCAN | started   | targets=1 pocs=1492 tasks=1461
001 04-26 16:12:27 nacos-config-server-sql-inject HIGH http://127.0.0.1:8848/nacos/v1/cs/ops/derby?sql=select%20*%20from%20users%20
002 04-26 16:12:27 nacos-secret-default-key-unauth HIGH http://127.0.0.1:8848/nacos/v1/auth/users?accessToken=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY5ODg5NDcyN30.feetKmWoPnMkAebjkNnyuKo6c21_hzTgu0dfNqbdpZQ&pageNo=1&pageSize=9
003 04-26 16:12:27 nacos-severidentity-bypass HIGH http://127.0.0.1:8848/nacos/v1/auth/users?pageNo=1&pageSize=9&search=accurate&accessToken
004 04-26 16:12:27 nacos-user-list-unauthorized HIGH http://127.0.0.1:8848/nacos/v1/auth/users?pageNo=1&pageSize=9
005 04-26 16:12:27 nacos-create-user-unauthorized HIGH http://127.0.0.1:8848/nacos/v1/auth/users?username=uklzfdvl
006 04-26 16:12:32 nacos-authentication-bypass CRITICAL http://127.0.0.1:8848/nacos/v1/auth/users?pageNo=1&pageSize=10&accessToken=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6OTk5OTk5OTk5OTl9.-isk56R8NfioHVYmpj4oz92nUteNBCN3HRd0-Hfk76g
007 04-26 16:12:32 nacos-core-auth-enabled-bypass CRITICAL http://127.0.0.1:8848/nacos/v1/auth/users?pageNo=1&pageSize=9&search=accurate&accessToken
008 04-26 16:12:32 nacos-token-create-user CRITICAL http://127.0.0.1:8848/nacos/v1/auth/users?username=jkgmtm
[━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━] 100% (1461/1461), 35s oobf=0/0 skipped
[INF] VULN-SCAN | completed | tasks=1461/1461 found=8 duration=35s

Results

  • Without -S: tasks=1662/1662  found=10  duration=37s
  • -S critical,high,medium: tasks=2/2  found=0  duration=69s

The INFO-level nacos-detect was reported when no filter was set; after adding -s critical,high,medium it is correctly filtered out and not shown.
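The output-stage filter the PR describes, written out as an added, self-contained illustration rather than afrog's own code: the Result type, ParseSeverityFilter and FilterResults are hypothetical names, and the sample results are constructed to echo the test run above. The point is that filtering at output catches results (such as an INFO fingerprint) that POC-load filtering let through.

```go
package main
import (
	"fmt"
	"strings"
)
// Result is a hypothetical scan result for this illustration, not afrog's own type.
type Result struct {
	PocID    string
	Severity string
	Target   string
}
// ParseSeverityFilter turns a "-S high,critical" style flag value into a
// lower-cased lookup set; an empty flag means "no filter" and yields nil.
func ParseSeverityFilter(flag string) map[string]bool {
	allowed := make(map[string]bool)
	for _, s := range strings.Split(flag, ",") {
		if s = strings.ToLower(strings.TrimSpace(s)); s != "" {
			allowed[s] = true
		}
	}
	if len(allowed) == 0 {
		return nil
	}
	return allowed
}
// FilterResults applies the set at the output stage, so a result that slipped
// past POC-load filtering (such as an INFO fingerprint) is still dropped.
func FilterResults(results []Result, allowed map[string]bool) []Result {
	if allowed == nil {
		return results
	}
	kept := make([]Result, 0, len(results))
	for _, r := range results {
		if allowed[strings.ToLower(r.Severity)] {
			kept = append(kept, r)
		}
	}
	return kept
}
func main() {
	results := []Result{ // constructed sample, echoing the PR's test run
		{"nacos-detect", "INFO", "http://127.0.0.1:8848/"},
		{"nacos-authentication-bypass", "CRITICAL", "http://127.0.0.1:8848/"},
	}
	for _, r := range FilterResults(results, ParseSeverityFilter("high,critical")) {
		fmt.Printf("%s %s %s\n", r.PocID, r.Severity, r.Target)
	}
}
```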

Successfully merging this pull request may close these issues.

Can the fingerprint log/vulnerability output be turned off?