feat: 增加单独的Elasticsearch扫描

2026-02-09 02:09:17 +08:00 · 2024-12-22 02:31:56 +08:00
parent 2e3ccee2e0
commit 8be8f94d82
7 changed files with 137 additions and 5 deletions
--- a/Plugins/Elasticsearch.go
+++ b/Plugins/Elasticsearch.go
@@ -0,0 +1,104 @@
+package Plugins
+
+import (
+	"crypto/tls"
+	"encoding/base64"
+	"fmt"
+	"github.com/shadow1ng/fscan/Common"
+	"net/http"
+	"strings"
+	"time"
+)
+
+// ElasticScan 执行 Elasticsearch 服务扫描
+func ElasticScan(info *Common.HostInfo) (tmperr error) {
+	if Common.DisableBrute {
+		return
+	}
+
+	starttime := time.Now().Unix()
+
+	// 首先测试无认证访问
+	flag, err := ElasticConn(info, "", "")
+	if flag && err == nil {
+		return err
+	}
+
+	// 尝试用户名密码组合
+	for _, user := range Common.Userdict["elastic"] {
+		for _, pass := range Common.Passwords {
+			// 替换密码中的用户名占位符
+			pass = strings.Replace(pass, "{user}", user, -1)
+
+			flag, err := ElasticConn(info, user, pass)
+			if flag && err == nil {
+				return err
+			}
+
+			// 记录错误信息
+			errlog := fmt.Sprintf("[-] Elasticsearch服务 %v:%v 尝试失败 用户名: %v 密码: %v 错误: %v", info.Host, info.Ports, user, pass, err)
+			Common.LogError(errlog)
+			tmperr = err
+
+			if Common.CheckErrs(err) {
+				return err
+			}
+
+			// 超时检查
+			if time.Now().Unix()-starttime > (int64(len(Common.Userdict["elastic"])*len(Common.Passwords)) * Common.Timeout) {
+				return err
+			}
+		}
+	}
+	return tmperr
+}
+
+// ElasticConn 尝试 Elasticsearch 连接
+func ElasticConn(info *Common.HostInfo, user string, pass string) (bool, error) {
+	host, port := info.Host, info.Ports
+	timeout := time.Duration(Common.Timeout) * time.Second
+
+	// 构造请求客户端
+	client := &http.Client{
+		Timeout: timeout,
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		},
+	}
+
+	// 构造基础URL
+	baseURL := fmt.Sprintf("http://%s:%s", host, port)
+
+	// 创建请求
+	req, err := http.NewRequest("GET", baseURL+"/_cat/indices", nil)
+	if err != nil {
+		return false, err
+	}
+
+	// 如果提供了认证信息,添加Basic认证头
+	if user != "" || pass != "" {
+		auth := base64.StdEncoding.EncodeToString([]byte(user + ":" + pass))
+		req.Header.Add("Authorization", "Basic "+auth)
+	}
+
+	// 发送请求
+	resp, err := client.Do(req)
+	if err != nil {
+		return false, err
+	}
+	defer resp.Body.Close()
+
+	// 检查响应状态
+	if resp.StatusCode == 200 {
+		result := fmt.Sprintf("[+] Elasticsearch服务 %v:%v ", host, port)
+		if user != "" {
+			result += fmt.Sprintf("爆破成功 用户名: %v 密码: %v", user, pass)
+		} else {
+			result += "无需认证即可访问"
+		}
+		Common.LogSuccess(result)
+		return true, nil
+	}
+
+	return false, fmt.Errorf("认证失败")
+}