From 3089484f52f857d2949e4c43bc8d7bc2703b8496 Mon Sep 17 00:00:00 2001
From: shadow1ng
Date: Mon, 8 Feb 2021 15:11:43 +0800
Subject: [PATCH] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E6=8C=87=E7=BA=B9=E8=AF=86?=
 =?UTF-8?q?=E5=88=AB=E5=8A=9F=E8=83=BD,=E5=8F=AF=E8=AF=86=E5=88=AB?=
 =?UTF-8?q?=E5=B0=9D=E8=AF=95CMS=E3=80=81=E6=A1=86=E6=9E=B6,=E5=A6=82?=
 =?UTF-8?q?=E8=87=B4=E8=BF=9COA=E3=80=81=E9=80=9A=E8=BE=BEOA=E7=AD=89?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 Plugins/webtitle.go | 59 +++++++++++++-----
 WebScan/InfoScan.go | 69 +++++++++++++++++++++
 WebScan/info/rules.go | 137 +++++++++++++++++++++++++++++++++++++++++
 WebScan/pocs/shiro.yml | 12 ----
 common/ParseIP.go | 2 -
 common/flag.go | 2 +-
 6 files changed, 250 insertions(+), 31 deletions(-)
 create mode 100644 WebScan/InfoScan.go
 create mode 100644 WebScan/info/rules.go
 delete mode 100644 WebScan/pocs/shiro.yml
diff --git a/Plugins/webtitle.go b/Plugins/webtitle.go
index 171100c..910ffe9 100644
--- a/Plugins/webtitle.go
+++ b/Plugins/webtitle.go
@@ -13,7 +13,9 @@ import (
 "time"
 )
 
-func WebTitle(info *common.HostInfo) (err error, result string) {
+var CheckData []WebScan.CheckDatas
+
+func WebTitle(info *common.HostInfo) error {
 if info.Ports == "80" {
 info.Url = fmt.Sprintf("http://%s", info.Host)
 } else if info.Ports == "443" {
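Review bot: `var CheckData []WebScan.CheckDatas` is package-level mutable state: `geturl` appends to it (the `@@ -76,8 +98,13 @@` hunk) and `WebTitle` then hands the whole slice to `WebScan.InfoCheck(info.Url, CheckData)` (the `@@ -22,24 +24,36 @@` hunk), but nothing ever resets it and nothing guards it. If `WebTitle` is invoked for several hosts at once, which the `-t` thread flag in common/flag.go suggests, the concurrent appends are a data race; even single-threaded, each host is fingerprinted against every body and header string collected for earlier hosts, and the slice grows for the life of the process. Keep the collected responses local to one `WebTitle` call, for example by having `geturl` return its `WebScan.CheckDatas` value (or take a `*[]WebScan.CheckDatas`) and passing that per-host slice to `InfoCheck`, and drop the global.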
@@ -22,24 +24,36 @@ func WebTitle(info *common.HostInfo) (err error, result string) {
 info.Url = fmt.Sprintf("http://%s:%s", info.Host, info.Ports)
 }
 
- err, result = geturl(info)
- if common.IsWebCan || err != nil {
- return
+ err, result := geturl(info, true)
+ if err != nil {
+ return err
+ }
+ if result == "https" {
+ err, _ := geturl(info, true)
+ if err != nil {
+ return err
+ }
 }
- if result == "https" {
- err, result = geturl(info)
- if err == nil {
- WebScan.WebScan(info)
- }
- } else {
+ err, _ = geturl(info, false)
+ if err != nil {
+ return err
+ }
+
+ WebScan.InfoCheck(info.Url, CheckData)
+
+ if common.IsWebCan == false {
 WebScan.WebScan(info)
 }
- return err, result
+
+ return err
 }
 
-func geturl(info *common.HostInfo) (err error, result string) {
- url := info.Url
+func geturl(info *common.HostInfo, flag bool) (err error, result string) {
+ Url := info.Url
+ if flag == false {
+ Url += "/favicon.ico"
+ }
 tr := &http.Transport{
 TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 DisableKeepAlives: false,
@@ -52,14 +66,22 @@ func geturl(info *common.HostInfo) (err error, result string) {
 IdleConnTimeout: time.Duration(info.WebTimeout+3) * time.Second,
 TLSHandshakeTimeout: 5 * time.Second,
 }
+ //u, err := url.Parse("http://127.0.0.1:8080")
+ //if err != nil {
+ // return err,result
+ //}
+ //tr.Proxy = http.ProxyURL(u)
 var client = &http.Client{Timeout: time.Duration(info.WebTimeout) * time.Second, Transport: tr}
- res, err := http.NewRequest("GET", url, nil)
+ res, err := http.NewRequest("GET", Url, nil)
 if err == nil {
 res.Header.Add("User-agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36")
 res.Header.Add("Accept", "*/*")
 res.Header.Add("Accept-Language", "zh-CN,zh;q=0.9")
 res.Header.Add("Accept-Encoding", "gzip, deflate")
+ if flag == true {
+ res.Header.Add("Cookie", "rememberMe=1")
+ }
 res.Header.Add("Connection", "close")
 resp, err := client.Do(res)
 if err == nil {
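Review bot: `err, _ = geturl(info, false)` turns a failed favicon request into a hard failure for the host: a non-nil error returns before `WebScan.InfoCheck` and `WebScan.WebScan` run, even though the page request a few lines above already succeeded. The favicon is only extra fingerprint input, so that call should be best-effort, e.g. `if e, _ := geturl(info, false); e != nil { /* favicon is optional; continue */ }` instead of `return err`, keeping the error out of `err` so the function's final `return err` does not report it either. Two smaller points in the same hunk: `err, _ := geturl(info, true)` inside `if result == "https"` shadows the outer `err` with `:=` (`err, _ = geturl(info, true)` is enough, since `result` is not reused), and `if common.IsWebCan == false {` reads better as `if !common.IsWebCan {`.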
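Review bot: The five commented-out proxy lines from `//u, err := url.Parse("http://127.0.0.1:8080")` to `//tr.Proxy = http.ProxyURL(u)` are dead code left in `geturl`; either remove them or make the proxy a real option (`tr.Proxy = http.ProxyFromEnvironment` if picking it up from the environment is the intent). `if flag == true {` reads as `if flag {`, and the bare `flag` parameter deserves a doc comment because it does two things at once: it selects between the page request and the `/favicon.ico` request and it gates the `rememberMe=1` cookie, so something like `// geturl fetches info.Url (flag true, sending the rememberMe=1 probe cookie) or info.Url + "/favicon.ico" (flag false) and records the response in CheckData.` above the signature would save readers a trip through both call sites. The body of `geturl` continues past the end of this hunk.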
@@ -76,8 +98,13 @@ func geturl(info *common.HostInfo) (err error, result string) {
 } else {
 title = "None"
 }
- result = fmt.Sprintf("WebTitle:%-25v %-3v %v", url, resp.StatusCode, title)
- common.LogSuccess(result)
+ if flag == true {
+ result = fmt.Sprintf("WebTitle:%-25v %-3v %v", Url, resp.StatusCode, title)
+ common.LogSuccess(result)
+ }
+
+ CheckData = append(CheckData, WebScan.CheckDatas{body, fmt.Sprintf("%s", resp.Header)})
+
 if resp.StatusCode == 400 && info.Url[:5] != "https" {
 info.Url = strings.Replace(info.Url, "http://", "https://", 1)
 return err, "https"
diff --git a/WebScan/InfoScan.go b/WebScan/InfoScan.go
new file mode 100644
index 0000000..4ed02a2
--- /dev/null
+++ b/WebScan/InfoScan.go
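Review bot: `WebScan.CheckDatas{body, fmt.Sprintf("%s", resp.Header)}` is an unkeyed composite literal of a struct from another package, which `go vet` flags and which silently swaps fields if `CheckDatas` is ever reordered; write it as `WebScan.CheckDatas{Body: body, Headers: fmt.Sprint(resp.Header)}` (`fmt.Sprint` should print the header map identically without the `%s` detour). The append also sits above the `resp.StatusCode == 400` retry, so on an http-to-https retry the 400 response's body and headers are fingerprinted alongside the real one; if that is not intended, move the append below the retry. `body` and the rest of `geturl` are defined outside this hunk.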
@@ -0,0 +1,69 @@
+package WebScan
+
+import (
+ "crypto/md5"
+ "fmt"
+ "github.com/shadow1ng/fscan/WebScan/info"
+ "github.com/shadow1ng/fscan/common"
+ "regexp"
+ "strings"
+)
+
+type CheckDatas struct {
+ Body []byte
+ Headers string
+}
+
+func InfoCheck(Url string, CheckData []CheckDatas) {
+ var matched bool
+ var infoname []string
+
+ for _, data := range CheckData {
+ for _, rule := range info.RuleDatas {
+ if rule.Type == "code" {
+ matched, _ = regexp.MatchString(rule.Rule, string(data.Body))
+ } else {
+ matched, _ = regexp.MatchString(rule.Rule, data.Headers)
+ }
+ if matched == true {
+ infoname = append(infoname, rule.Name)
+ }
+ }
+ flag, name := CalcMd5(data.Body)
+
+ if flag == true {
+ infoname = append(infoname, name)
+ }
+ }
+
+ infostr := RemoveMore(infoname)
+
+ if len(infoname) > 0 {
+ result := fmt.Sprintf("[+] InfoScan:%-25v %s ", Url, infostr)
+ common.LogSuccess(result)
+ }
+}
+
+func CalcMd5(Body []byte) (bool, string) {
+ has := md5.Sum(Body)
+ md5str := fmt.Sprintf("%x", has)
+ for _, md5data := range info.Md5Datas {
+ if md5str == md5data.Md5Str {
+ return true, md5data.Name
+ }
+ }
+ return false, ""
+}
+
+func RemoveMore(a []string) (infostr string) {
+ var ret []string
+ for i := 0; i < len(a); i++ {
+ if (i > 0 && a[i-1] == a[i]) || len(a[i]) == 0 {
+ continue
+ }
+ ret = append(ret, a[i])
+ }
+ infostr = strings.ReplaceAll(fmt.Sprintf("%s ", ret), "[", "")
+ infostr = strings.ReplaceAll(infostr, "]", "")
+ return
+}
diff --git a/WebScan/info/rules.go b/WebScan/info/rules.go
new file mode 100644
index 0000000..0c667c8
--- /dev/null
+++ b/WebScan/info/rules.go
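Review bot: `RemoveMore` only drops a name that equals its immediate predecessor, but `infoname` is filled one `CheckData` entry after another, so a product matched on both collected responses (a rule hit on the first entry and a rule or `CalcMd5` hit on the second, with other names in between) can be reported twice. A seen-set dedup with `strings.Join` also replaces the `fmt.Sprintf("%s ", ret)` plus bracket-stripping trick, which would eat any `[` or `]` inside a rule name. Separately, `regexp.MatchString(rule.Rule, ...)` recompiles every pattern in `info.RuleDatas` for every entry on every call, and `matched, _` discards the compile error; compiling the rules once (for example at package init with `regexp.MustCompile`, or caching a `*regexp.Regexp` per rule) would surface a bad pattern and take the compile cost off the per-host path.
```go
func RemoveMore(a []string) (infostr string) {
	seen := make(map[string]struct{}, len(a))
	ret := make([]string, 0, len(a))
	for _, name := range a {
		if name == "" {
			continue
		}
		if _, dup := seen[name]; dup {
			continue
		}
		seen[name] = struct{}{}
		ret = append(ret, name)
	}
	// trailing space kept so the output matches the previous "%s " formatting
	infostr = strings.Join(ret, " ") + " "
	return
}
```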
@@ -0,0 +1,137 @@
+package info
+
+type RuleData struct {
+ Name string
+ Type string
+ Rule string
+}
+
+type Md5Data struct {
+ Name string
+ Md5Str string
+}
+
+var RuleDatas = []RuleData{
+ {"Shiro", "headers", "(=deleteMe|rememberMe=)"},
+ {"Portainer(Docker管理)", "code", "(portainer.updatePassword|portainer.init.admin)"},
+ {"Gogs简易Git服务", "cookie", "(i_like_gogs)"},
+ {"Gitea简易Git服务", "cookie", "(i_like_gitea)"},
+ {"宝塔-BT.cn", "code", "(app.bt.cn/static/app.png|安全入口校验失败)"},
+ {"Nexus", "code", "(Nexus Repository Manager)"},
+ {"Nexus", "cookie", "(NX-ANTI-CSRF-TOKEN)"},
+ {"Harbor", "code", "(Harbor)"},
+ {"Harbor", "cookie", "(harbor-lang)"},
+ {"禅道", "code", "(/theme/default/images/main/zt-logo.png)"},
+ {"禅道", "cookie", "(zentaosid)"},
+ {"协众OA", "code", "(Powered by 协众OA)"},
+ {"协众OA", "cookie", "(CNOAOASESSID)"},
+ {"xxl-job", "code", "(分布式任务调度平台XXL-JOB)"},
+ {"atmail-WebMail", "cookie", "(atmail6)"},
+ {"atmail-WebMail", "code", "(Powered by Atmail)"},
+ {"atmail-WebMail", "code", "(/index.php/mail/auth/processlogin)"},
+ {"weblogic", "code", "(/console/framework/skins/wlsconsole/images/login_WebLogic_branding.png|Welcome to Weblogic Application Server|Hypertext Transfer Protocol -- HTTP/1.1)"},
+ {"致远OA", "code", "(/seeyon/USER-DATA/IMAGES/LOGIN/login.gif)"},
+ {"Typecho", "code", "(Typecho)"},
+ {"金蝶EAS", "code", "(easSessionId)"},
+ {"phpMyAdmin", "cookie", "(pma_lang|phpMyAdmin)"},
+ {"phpMyAdmin", "code", "(/themes/pmahomme/img/logo_right.png)"},
+ {"H3C-AM8000", "code", "(AM8000)"},
+ {"360企业版", "code", "(360EntWebAdminMD5Secret)"},
+ {"H3C公司产品", "code", "(service@h3c.com)"},
+ {"H3C ICG 1000", "code", "(ICG 1000系统管理)"},
+ {"Citrix-Metaframe", "code", "(window.location=\"/Citrix/MetaFrame)"},
+ {"H3C ER5100", "code", "(ER5100系统管理)"},
+ {"阿里云CDN", "code", "(cdn.aliyuncs.com)"},
+ {"CISCO_EPC3925", "code", "(Docsis_system)"},
+ {"CISCO ASR", "code", "(CISCO ASR)"},
+ {"H3C ER3200", "code", "(ER3200系统管理)"},
+ {"万户ezOFFICE", "headers", "(LocLan)"},
+ {"万户网络", "code", "(css/css_whir.css)"},
+ {"Spark_Master", "code", "(Spark Master at)"},
+ {"华为_HUAWEI_SRG2220", "code", "(HUAWEI SRG2220)"},
+ {"蓝凌EIS智慧协同平台", "code", "(/scripts/jquery.landray.common.js)"},
+ {"深信服ssl-vpn", "code", "(login_psw.csp)"},
+ {"华为 NetOpen", "code", "(/netopen/theme/css/inFrame.css)"},
+ {"Citrix-Web-PN-Server", "code", "(Citrix Web PN Server)"},
+ {"juniper_vpn", "code", "(welcome.cgi?p=logo|/images/logo_juniper_reversed.gif)"},
+ {"360主机卫士", "headers", "(zhuji.360.cn)"},
+ {"Nagios", "headers", "(Nagios Access)"},
+ {"H3C ER8300", "code", "(ER8300系统管理)"},
+ {"Citrix-Access-Gateway", "code", "(Citrix Access Gateway)"},
+ {"华为 MCU", "code", "(McuR5-min.js)"},
+ {"TP-LINK Wireless WDR3600", "code", "(TP-LINK Wireless WDR3600)"},
+ {"泛微协同办公OA", "headers", "(ecology_JSessionid)"},
+ {"华为_HUAWEI_ASG2050", "code", "(HUAWEI ASG2050)"},
+ {"360网站卫士", "code", "(360wzb)"},
+ {"Citrix-XenServer", "code", "(Citrix Systems, Inc. XenServer)"},
+ {"H3C ER2100V2", "code", "(ER2100V2系统管理)"},
+ {"zabbix", "cookie", "(zbx_sessionid)"},
+ {"zabbix", "code", "(images/general/zabbix.ico|Zabbix SIA)"},
+ {"CISCO_VPN", "headers", "(webvpn)"},
+ {"360站长平台", "code", "(360-site-verification)"},
+ {"H3C ER3108GW", "code", "(ER3108GW系统管理)"},
+ {"o2security_vpn", "headers", "(client_param=install_active)"},
+ {"H3C ER3260G2", "code", "(ER3260G2系统管理)"},
+ {"H3C ICG1000", "code", "(ICG1000系统管理)"},
+ {"CISCO-CX20", "code", "(CISCO-CX20)"},
+ {"H3C ER5200", "code", "(ER5200系统管理)"},
+ {"linksys-vpn-bragap14-parintins", "code",
+ "(linksys-vpn-bragap14-parintins)"},
+ {"360网站卫士常用前端公共库", "code", "(libs.useso.com)"},
+ {"H3C ER3100", "code", "(ER3100系统管理)"},
+ {"H3C-SecBlade-FireWall", "code", "(js/MulPlatAPI.js)"},
+ {"360webfacil_360WebManager", "code", "(publico/template/)"},
+ {"Citrix_Netscaler", "code", "(ns_af)"},
+ {"H3C ER6300G2", "code", "(ER6300G2系统管理)"},
+ {"H3C ER3260", "code", "(ER3260系统管理)"},
+ {"华为_HUAWEI_SRG3250", "code", "(HUAWEI SRG3250)"},
+ {"exchange", "code", "(/owa/auth.owa)"},
+ {"Spark_Worker", "code", "(Spark Worker at)"},
+ {"H3C ER3108G", "code", "(ER3108G系统管理)"},
+ {"深信服防火墙类产品", "code", "(SANGFOR FW)"},
+ {"Citrix-ConfProxy", "code", "(confproxy)"},
+ {"360网站安全检测", "code", "(webscan.360.cn/status/pai/hash)"},
+ {"H3C ER5200G2", "code", "(ER5200G2系统管理)"},
+ {"华为(HUAWEI)安全设备", "code", "(sweb-lib/resource/)"},
+ {"H3C ER6300", "code", "(ER6300系统管理)"},
+ {"华为_HUAWEI_ASG2100", "code", "(HUAWEI ASG2100)"},
+ {"TP-Link 3600 DD-WRT", "code", "(TP-Link 3600 DD-WRT)"},
+ {"NETGEAR WNDR3600", "code", "(NETGEAR WNDR3600)"},
+ {"H3C ER2100", "code", "(ER2100系统管理)"},
+ {"绿盟下一代防火墙", "code", "(NSFOCUS NF)"},
+ {"jira", "code", "(jira.webresources)"},
+ {"金和协同管理平台", "code", "(金和协同管理平台)"},
+ {"Citrix-NetScaler", "code", "(NS-CACHE)"},
+ {"linksys-vpn", "headers", "(linksys-vpn)"},
+ {"通达OA", "code", "(/static/images/tongda.ico)"},
+ {"华为(HUAWEI)Secoway设备", "code", "(Secoway)"},
+ {"华为_HUAWEI_SRG1220", "code", "(HUAWEI SRG1220)"},
+ {"H3C ER2100n", "code", "(ER2100n系统管理)"},
+ {"H3C ER8300G2", "code", "(ER8300G2系统管理)"},
+ {"金蝶政务GSiS", "code", "(/kdgs/script/kdgs.js)"},
+ {"Jboss", "code", "(Welcome to JBoss|jboss.css)"},
+ {"Jboss", "headers", "(JBoss)"},
+ {"泛微E-mobile", "code", "(Weaver E-mobile)"},
+ {"齐治堡垒机", "code", "(logo-icon-ico72.png)"},
+}
+
+var Md5Datas = []Md5Data{
+ {"BIG-IP", "04d9541338e525258daf47cc844d59f3"},
+ {"蓝凌OA", "302464c3f6207d57240649926cfc7bd4"},
+ {"JBOSS", "799f70b71314a7508326d1d2f68f7519"},
+ {"锐捷网关", "d8d7c9138e93d43579ebf2e384745ba8"},
+ {"深信服edr", "0b24d4d5c7d300d50ee1cd96059a9e85"},
+ {"致远OA", "cdc85452665e7708caed3009ecb7d4e2"},
+ {"致远OA", "17ac348fcce0b320e7bfab3fe2858dfa"},
+ {"致远OA", "57f307ad3764553df84e7b14b7a85432"},
+ {"致远OA", "3c8df395ec2cbd72782286d18a286a9a"},
+ {"致远OA", "2f761c27b6b7f9386bbd61403635dc42"},
+ {"齐治堡垒机", "48ee373f098d8e96e53b7dd778f09ff4"},
+ {"SprintBoot", "0488faca4c19046b94d07c3ee83cf9d6"},
+ {"ThinkPHP", "f49c4a4bde1eec6c0b80c2277c76e3db"},
+ {"通达OA", "ed0044587917c76d08573577c8b72883"},
+ {"泛微OA", "41eca7a9245394106a09b2534d8030df"},
+ {"泛微OA", "c27547e27e1d2c7514545cd8d5988946"},
+ {"泛微OA", "9b1d3f08ede38dbe699d6b2e72a8febb"},
+ {"泛微OA", "281348dd57383c1f214ffb8aed3a1210"},
+}
diff --git a/WebScan/pocs/shiro.yml b/WebScan/pocs/shiro.yml
deleted file mode 100644
index b1df169..0000000
--- a/WebScan/pocs/shiro.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-name: poc-yaml-shiro
-rules:
- - - method: GET
- path: /
- headers:
- Cookie: rememberMe=1
- expression: |
- "Set-Cookie" in response.headers && response.headers["Set-Cookie"].contains("rememberMe")
-detail:
- author: test
- links:
- - - https://baidu.com/shiro
diff --git a/common/ParseIP.go b/common/ParseIP.go
index 707c2f3..4716ed2 100644
--- a/common/ParseIP.go
+++ b/common/ParseIP.go
@@ -117,7 +117,6 @@ func ParseIPC(ip string) ([]string, error) {
 } else {
 SplitIP1 := strings.Split(IPRange[0], ".")
 SplitIP2 := strings.Split(IPRange[1], ".")
- fmt.Println(SplitIP1, SplitIP2, len(SplitIP1), len(SplitIP2))
 if len(SplitIP1) != 4 || len(SplitIP2) != 4 {
 return nil, ParseIPErr
 }
@@ -132,7 +131,6 @@ func ParseIPC(ip string) ([]string, error) {
 }
 startNum := start[0]<<24 | start[1]<<16 | start[2]<<8 | start[3]
 endNum := end[0]<<24 | end[1]<<16 | end[2]<<8 | end[3]
- fmt.Println(startNum, endNum)
 for num := startNum; num < endNum; num++ {
 ip := strconv.Itoa((num>>24)&0xff) + "." + strconv.Itoa((num>>16)&0xff) + "." + strconv.Itoa((num>>8)&0xff) + "." + strconv.Itoa((num)&0xff)
 AllIP = append(AllIP, ip)
diff --git a/common/flag.go b/common/flag.go
index dd8991c..3dd313d 100644
--- a/common/flag.go
+++ b/common/flag.go
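Review bot: `RuleData.Type` is a free-form string that takes three different values in this table (`"code"`, `"headers"`, `"cookie"`) with nothing in the file saying what each means or what text it is matched against, and `Rule` holds Go regular expressions, which the unescaped dots in patterns such as `(app.bt.cn/static/app.png|安全入口校验失败)` and `(/static/images/tongda.ico)` suggest was not considered (they still match, only more loosely than intended). A doc comment on the struct along the lines of `// RuleData is one fingerprint rule; Type "code" matches Rule (a Go regexp) against the response body, "headers" and "cookie" against the formatted response headers.` and typed constants for the three values (`const ( TypeCode = "code"; TypeHeaders = "headers"; TypeCookie = "cookie" )`) would make the table self-describing and let the compiler catch a misspelt type. `Md5Data` likewise deserves a line stating that `Md5Str` is the lowercase hex MD5 of a response body as produced by `CalcMd5` in WebScan/InfoScan.go.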
@@ -25,7 +25,7 @@ func Flag(Info *HostInfo) {
 flag.StringVar(&Info.Username, "user", "", "username")
 flag.StringVar(&Info.Password, "pwd", "", "password")
 flag.Int64Var(&Info.Timeout, "time", 3, "Set timeout")
- flag.Int64Var(&Info.WebTimeout, "wt", 3, "Set web timeout")
+ flag.Int64Var(&Info.WebTimeout, "wt", 5, "Set web timeout")
 flag.StringVar(&Info.Scantype, "m", "all", "Select scan type ,as: -m ssh")
 flag.IntVar(&Threads, "t", 200, "Thread nums")