diff --git a/Plugins/scanner.go b/Plugins/scanner.go
index 5a6c632..117fa80 100644
--- a/Plugins/scanner.go
+++ b/Plugins/scanner.go
@@ -49,6 +49,16 @@ func Scan(info common.HostInfo) {
 AddScan(scantype, info, ch, &wg)
 }
 }
+ if common.URL != "" {
+ info.Url = common.URL
+ AddScan("1000003", info, ch, &wg)
+ }
+ if len(common.Urls) > 0 {
+ for _, url := range common.Urls {
+ info.Url = url
+ AddScan("1000003", info, ch, &wg)
+ }
+ }
 wg.Wait()
 common.WaitSave()
 }
diff --git a/Plugins/webtitle.go b/Plugins/webtitle.go
index ed2a5d7..b75d70b 100644
--- a/Plugins/webtitle.go
+++ b/Plugins/webtitle.go
@@ -13,19 +13,25 @@ import (
 func WebTitle(info *common.HostInfo) error {
 var CheckData []WebScan.CheckDatas
-
- if info.Ports == "80" {
- info.Url = fmt.Sprintf("http://%s", info.Host)
- } else if info.Ports == "443" {
- info.Url = fmt.Sprintf("https://%s", info.Host)
+ if info.Url == "" {
+ if info.Ports == "80" {
+ info.Url = fmt.Sprintf("http://%s", info.Host)
+ } else if info.Ports == "443" {
+ info.Url = fmt.Sprintf("https://%s", info.Host)
+ } else {
+ info.Url = fmt.Sprintf("http://%s:%s", info.Host, info.Ports)
+ }
 } else {
- info.Url = fmt.Sprintf("http://%s:%s", info.Host, info.Ports)
+ if !strings.Contains(info.Url, "://") {
+ info.Url = fmt.Sprintf("http://%s", info.Url)
+ }
 }
 err, result, CheckData := geturl(info, true, CheckData)
 if err != nil {
 return err
 }
+
 if result == "https" {
 err, _, CheckData = geturl(info, true, CheckData)
 if err != nil {
@@ -43,7 +49,6 @@ func WebTitle(info *common.HostInfo) error {
 if common.IsWebCan == false {
 WebScan.WebScan(info)
 }
-
 return err
 }
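Review bot: The scan-type id `"1000003"` appears twice in the new block with nothing saying which plugin it selects (presumably the web-title/PoC scanner, since that is the code that now consumes info.Url); a named constant such as `const webScanType = "1000003" // web title + poc scan` would make both calls self-explanatory. The two branches also overlap: a URL given with `-u` that also appears in the `-uf` file is queued twice, so the `common.URL` value could be folded into the dedup done when Urls is built. `info` is reassigned on every iteration before being handed to AddScan, which is only safe if AddScan copies the value before any goroutine reads it; the hunk does not show AddScan, so that is worth confirming.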
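Review bot: `strings.Contains(info.Url, "://")` is a loose scheme test for a value that now arrives straight from the `-u`/`-uf` flags: an input that merely embeds `://` later in the string (for example inside a query parameter) would be left without a scheme and the request would fail, while any other prefix is sent as-is. `if !strings.HasPrefix(info.Url, "http://") && !strings.HasPrefix(info.Url, "https://") {` pins the intent, and parsing once with `url.Parse` would reject malformed input before geturl is reached. No import hunk appears for this file, so `strings` is presumably already imported; WebTitle continues past the end of the hunk.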
@@ -58,8 +63,11 @@ func geturl(info *common.HostInfo, flag bool, CheckData []WebScan.CheckDatas) (e
 res.Header.Set("Accept", "*/*")
 res.Header.Set("Accept-Language", "zh-CN,zh;q=0.9")
 res.Header.Set("Accept-Encoding", "gzip, deflate")
+ if common.Pocinfo.Cookie != "" {
+ res.Header.Set("Cookie", common.Pocinfo.Cookie)
+ }
 if flag == true {
- res.Header.Set("Cookie", "rememberMe=1")
+ res.Header.Set("Cookie", "rememberMe=1;"+common.Pocinfo.Cookie)
 }
 res.Header.Set("Connection", "close")
 resp, err := lib.Client.Do(res)
diff --git a/WebScan/lib/check.go b/WebScan/lib/check.go
index aab1ab1..3883d7f 100644
--- a/WebScan/lib/check.go
+++ b/WebScan/lib/check.go
@@ -37,7 +37,7 @@ func CheckMultiPoc(req *http.Request, Pocs embed.FS, workers int, pocname string
 continue
 }
 if isVul {
- result := fmt.Sprintf("%s %s", task.Req.URL, task.Poc.Name)
+ result := fmt.Sprintf("[+] %s %s", task.Req.URL, task.Poc.Name)
 common.LogSuccess(result)
 }
 }
@@ -183,6 +183,7 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error) {
 for k, v := range rule.Headers {
 newRequest.Header.Set(k, v)
 }
+
 resp, err := DoRequest(newRequest, rule.FollowRedirects)
 if err != nil {
 return false, err
@@ -200,7 +201,6 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error) {
 return false, nil
 }
 }
-
 out, err := Evaluate(env, rule.Expression, variableMap)
 if err != nil {
 return false, err
@@ -486,8 +486,8 @@ func clusterpoc1(oReq *http.Request, p *Poc, variableMap map[string]interface{},
 if len(varset) == 2 {
 look2: // (var1 tomcat ,keys[0] username)
- for _, var1 := range p.Sets[varset[0]] {
- for _, var2 := range p.Sets[varset[1]] {
+ for _, var1 := range p.Sets[varset[0]] { //username
+ for _, var2 := range p.Sets[varset[1]] { //password
 setMap := cloneMap1(setMapbak)
 setMap[varset[0]] = var1
 setMap[varset[1]] = var2
diff --git a/WebScan/lib/http.go b/WebScan/lib/http.go
index 9f6a515..278ce64 100644
--- a/WebScan/lib/http.go
+++ b/WebScan/lib/http.go
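Review bot: When `flag` is true the Cookie header becomes `"rememberMe=1;"+common.Pocinfo.Cookie`, which leaves a dangling `rememberMe=1;` whenever no cookie was given and omits the `; ` separator the Cookie header uses between pairs; the `Header.Set` in the new `if` block just above is then overwritten anyway, so the two writes disagree on format. Building the value once, `cookie := "rememberMe=1"; if c := common.Pocinfo.Cookie; c != "" { cookie += "; " + c }`, and setting it in one place keeps both paths consistent. Because this header goes on every request geturl issues, regardless of host, the `-cookie` flag help should say so. geturl starts and ends outside the hunk.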
@@ -37,6 +37,9 @@ func InitHttpClient(ThreadsNum int, DownProxy string, Timeout time.Duration) err
 DisableKeepAlives: false,
 }
 if DownProxy != "" {
+ if DownProxy == "1" {
+ DownProxy = "http://127.0.0.1:8080"
+ }
 u, err := url.Parse(DownProxy)
 if err != nil {
 return err
@@ -144,7 +147,6 @@ func getRespBody(oResp *http.Response) ([]byte, error) {
 if err != nil {
 return nil, err
 }
- defer gr.Close()
 for {
 buf := make([]byte, 1024)
diff --git a/WebScan/pocs/swagger-ui-unauth-No1.yml b/WebScan/pocs/swagger-ui-unauth-No1.yml
index 591293f..5971c53 100644
--- a/WebScan/pocs/swagger-ui-unauth-No1.yml
+++ b/WebScan/pocs/swagger-ui-unauth-No1.yml
@@ -1,4 +1,4 @@
-name: poc-yaml-druid-monitor-unauth
+name: poc-yaml-swagger-ui-unauth1
 rules:
 - method: GET
 path: /swagger-ui.html
diff --git a/WebScan/pocs/swagger-ui-unauth-No2.yml b/WebScan/pocs/swagger-ui-unauth-No2.yml
index f93e8f9..a3f663e 100644
--- a/WebScan/pocs/swagger-ui-unauth-No2.yml
+++ b/WebScan/pocs/swagger-ui-unauth-No2.yml
@@ -1,4 +1,4 @@
-name: poc-yaml-druid-monitor-unauth
+name: poc-yaml-swagger-ui-unauth2
 rules:
 - method: GET
 path: /api/swagger-ui.html
diff --git a/WebScan/pocs/swagger-ui-unauth-No3.yml b/WebScan/pocs/swagger-ui-unauth-No3.yml
index da56fc4..66e81f1 100644
--- a/WebScan/pocs/swagger-ui-unauth-No3.yml
+++ b/WebScan/pocs/swagger-ui-unauth-No3.yml
@@ -1,4 +1,4 @@
-name: poc-yaml-druid-monitor-unauth
+name: poc-yaml-swagger-ui-unauth3
 rules:
 - method: GET
 path: /service/swagger-ui.html
diff --git a/WebScan/pocs/swagger-ui-unauth-No4.yml b/WebScan/pocs/swagger-ui-unauth-No4.yml
index 296ea00..e109fc9 100644
--- a/WebScan/pocs/swagger-ui-unauth-No4.yml
+++ b/WebScan/pocs/swagger-ui-unauth-No4.yml
@@ -1,4 +1,4 @@
-name: poc-yaml-druid-monitor-unauth
+name: poc-yaml-swagger-ui-unauth4
 rules:
 - method: GET
 path: /web/swagger-ui.html
diff --git a/WebScan/pocs/swagger-ui-unauth-No5.yml b/WebScan/pocs/swagger-ui-unauth-No5.yml
index 9b58279..f111855 100644
--- a/WebScan/pocs/swagger-ui-unauth-No5.yml
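Review bot: `DownProxy == "1"` is an undocumented shortcut: the `-proxy` flag help in common/flag.go still shows only the full `http://127.0.0.1:8080` form, so a reader of InitHttpClient cannot tell where a bare `"1"` would come from. Hoist the address into a named constant, `const defaultProxy = "http://127.0.0.1:8080"`, add `// "1" is accepted by -proxy as shorthand for defaultProxy` at the check, and extend the flag help to mention the shorthand. InitHttpClient starts and ends outside the hunk.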
+++ b/WebScan/pocs/swagger-ui-unauth-No5.yml
@@ -1,4 +1,4 @@
-name: poc-yaml-druid-monitor-unauth
+name: poc-yaml-swagger-ui-unauth5
 rules:
 - method: GET
 path: /swagger/swagger-ui.html
diff --git a/WebScan/pocs/swagger-ui-unauth-No6.yml b/WebScan/pocs/swagger-ui-unauth-No6.yml
index 52d330b..3f18e6e 100644
--- a/WebScan/pocs/swagger-ui-unauth-No6.yml
+++ b/WebScan/pocs/swagger-ui-unauth-No6.yml
@@ -1,4 +1,4 @@
-name: poc-yaml-druid-monitor-unauth
+name: poc-yaml-swagger-ui-unauth6
 rules:
 - method: GET
 path: /actuator/swagger-ui.html
diff --git a/WebScan/pocs/swagger-ui-unauth-No7.yml b/WebScan/pocs/swagger-ui-unauth-No7.yml
index ebaebf4..2e130c9 100644
--- a/WebScan/pocs/swagger-ui-unauth-No7.yml
+++ b/WebScan/pocs/swagger-ui-unauth-No7.yml
@@ -1,4 +1,4 @@
-name: poc-yaml-druid-monitor-unauth
+name: poc-yaml-swagger-ui-unauth7
 rules:
 - method: GET
 path: /libs/swagger-ui.html
diff --git a/WebScan/pocs/swagger-ui-unauth-No8.yml b/WebScan/pocs/swagger-ui-unauth-No8.yml
index 323451b..33a63f4 100644
--- a/WebScan/pocs/swagger-ui-unauth-No8.yml
+++ b/WebScan/pocs/swagger-ui-unauth-No8.yml
@@ -1,4 +1,4 @@
-name: poc-yaml-druid-monitor-unauth
+name: poc-yaml-swagger-ui8
 rules:
 - method: GET
 path: /template/swagger-ui.html
diff --git a/WebScan/pocs/weblogic-cve-2020-14750.yml b/WebScan/pocs/weblogic-cve-2020-14750.yml
index 7129c38..8db8464 100644
--- a/WebScan/pocs/weblogic-cve-2020-14750.yml
+++ b/WebScan/pocs/weblogic-cve-2020-14750.yml
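Review bot: The new name in swagger-ui-unauth-No8.yml, `poc-yaml-swagger-ui8`, breaks the pattern the other seven files in this commit follow (`poc-yaml-swagger-ui-unauthN`), so a `-pocname swagger-ui-unauth` selection, if it matches on a name substring, would pick up No1–No7 and silently skip this one. `name: poc-yaml-swagger-ui-unauth8` keeps the set uniform.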
@@ -4,7 +4,7 @@ rules:
 path: /console/images/%252E./console.portal
 follow_redirects: false
 expression: |
- response.status == 302 && (response.body.bcontains(bytes("/console/console.portal")) || response.body.bcontains(bytes("/console/jsp/common/NoJMX.jsp")))
+ (response.status == 302 && response.body.bcontains(bytes("/console/console.portal")) || response.body.bcontains(bytes("/console.portal?_nfpb=true")))
 detail:
 author: canc3s(https://github.com/canc3s),Soveless(https://github.com/Soveless)
 weblogic_version: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
diff --git a/common/Parse.go b/common/Parse.go
index d05218b..8cee786 100644
--- a/common/Parse.go
+++ b/common/Parse.go
@@ -63,7 +63,20 @@ func ParsePass(Info *HostInfo) {
 }
 }
 Passwords = Info.Passwords
-
 }
 }
+ if UrlFile != "" {
+ urls, err := Readfile(UrlFile)
+ if err == nil {
+ TmpUrls := make(map[string]struct{})
+ for _, url := range urls {
+ if _, ok := TmpUrls[url]; !ok {
+ TmpUrls[url] = struct{}{}
+ if url != "" {
+ Urls = append(Urls, url)
+ }
+ }
+ }
 }
 }
 }
@@ -88,7 +101,7 @@ func Readfile(filename string) ([]string, error) {
 }
 func ParseInput(Info *HostInfo) {
- if Info.Host == "" && HostFile == "" {
+ if Info.Host == "" && HostFile == "" && URL == "" && UrlFile == "" {
 fmt.Println("Host is none")
 flag.Usage()
 os.Exit(0)
diff --git a/common/config.go b/common/config.go
index 5c9420c..e01272d 100644
--- a/common/config.go
+++ b/common/config.go
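Review bot: The rewritten expression changes its precedence: `&&` binds tighter than `||`, so `(response.status == 302 && A || B)` is true for any response whose body contains `/console.portal?_nfpb=true`, whatever the status, whereas the removed line gated both body checks on the 302. If the second marker is also meant as a redirect indicator, `response.status == 302 && (response.body.bcontains(bytes("/console/console.portal")) || response.body.bcontains(bytes("/console.portal?_nfpb=true")))` keeps the status gate; if a non-302 response with that marker is deliberately counted, a comment on the rule saying so would document the intent and stop the next reader "fixing" it.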
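Review bot: A `Readfile(UrlFile)` error is swallowed by `if err == nil {` with no else branch, so a mistyped `-uf` path leaves Urls empty and the run proceeds as if no URLs had been given; for a file the user named explicitly an `else { fmt.Println("read url file:", err) }` (fmt.Println is already how ParseInput reports input problems) would make the failure visible. The dedup could also be flattened to `if _, seen := TmpUrls[url]; seen || url == "" { continue }` followed by the map insert and append, dropping two levels of nesting; and the hunk's old/new line counts do not match its visible lines, so the surrounding braces should be re-checked against the file. ParsePass begins outside the hunk.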
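Review bot: The guard now also accepts `-u`/`-uf`, but the message printed when all four inputs are empty is still `Host is none`, which says nothing about the URL options; `fmt.Println("Host or url is none")` keeps it honest. The `os.Exit(0)` on the same path reports success for a usage error and would be better as a non-zero status while this branch is being touched. ParseInput continues outside the hunk.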
@@ -54,7 +54,7 @@ var PortlistBack = map[string]int{
 var Outputfile = getpath() + "result.txt"
 var IsSave = true
-
+var Webport = "9098,9448,8888,82,8858,1081,8879,21502,9097,8088,8090,8200,91,1080,889,8834,8011,9986,9043,9988,7080,10000,9089,8028,9999,8001,89,8086,8244,9000,2008,8080,7000,8030,8983,8096,8288,18080,8020,8848,808,8099,6868,18088,10004,8443,8042,7008,8161,7001,1082,8095,8087,8880,9096,7074,8044,8048,9087,10008,2020,8003,8069,20000,7688,1010,8092,8484,6648,9100,21501,8009,8360,9060,85,99,8000,9085,9998,8172,8899,9084,9010,9082,10010,7005,12018,87,7004,18004,8098,18098,8002,3505,8018,3000,9094,83,8108,1118,8016,20720,90,8046,9443,8091,7002,8868,8010,18082,8222,7088,8448,18090,3008,12443,9001,9093,7003,8101,14000,7687,8094,9002,8082,9081,8300,9086,8081,8089,8006,443,7007,7777,1888,9090,9095,81,1000,18002,8800,84,9088,7071,7070,8038,9091,8258,9008,9083,16080,88,8085,801,5555,7680,800,8180,9800,10002,18000,18008,98,28018,86,9092,8881,8100,8012,8084,8989,6080,7078,18001,8093,8053,8070,8280,880,92,9099,8181,9981,8060,8004,8083,10001,8097,21000,80,7200,888,7890,3128,8838,8008,8118,9080,2100,7180,9200"
 var DefaultPorts = "21,22,80,81,135,443,445,1433,3306,5432,6379,7001,8000,8080,8089,9200,11211,27017"
 type HostInfo struct {
@@ -100,3 +100,6 @@ var Userfile string
 var Passfile string
 var HostFile string
 var Threads int
+var URL string
+var UrlFile string
+var Urls []string
diff --git a/common/flag.go b/common/flag.go
index 6e33e3c..4f11e8b 100644
--- a/common/flag.go
+++ b/common/flag.go
@@ -18,6 +18,7 @@ func Banner() {
 func Flag(Info *HostInfo) {
 Banner()
+ DefaultPorts += Webport
 flag.StringVar(&Info.Host, "h", "", "IP address of the host you want to scan,for example: 192.168.11.11 | 192.168.11.11-255 | 192.168.11.11,192.168.11.12")
 flag.StringVar(&Info.Ports, "p", DefaultPorts, "Select a port,for example: 22 | 1-65535 | 22,80,3306")
 flag.StringVar(&Info.Command, "c", "", "exec command (ssh)")
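Review bot: Webport repeats ports that DefaultPorts already lists (80, 81, 443, 7001, 8000, 8080, 8089, 9200), so once the two strings are joined the port parser sees duplicates; whether it collapses them is decided outside this diff. A doc comment, `// Webport lists extra HTTP ports that Flag() appends to DefaultPorts.`, plus a sorted, deduplicated list would make the literal reviewable, which the present unordered run of numbers is not.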
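Review bot: The three new package-level variables carry no doc comments, and `UrlFile` sits next to `URL` with a different initialism style (Go convention would be `URLFile`, and `URLs`). At minimum `// URL is a single target from -u, UrlFile the path from -uf, and Urls the deduplicated list built from UrlFile.` tells a reader how the three relate, since their only uses are in other files of this commit.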
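Review bot: `DefaultPorts += Webport` joins the two lists without a separator: DefaultPorts ends in `27017` and Webport begins with `9098`, so the resulting default reads `...,11211,270179098,9448,...`, which loses ports 27017 and 9098 and hands the port parser an out-of-range token. `DefaultPorts += "," + Webport` fixes the join, though defining the combined default once in config.go next to the two lists would avoid mutating a package variable every time Flag() runs. Flag continues outside the hunk.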
@@ -27,7 +28,6 @@ func Flag(Info *HostInfo) {
 flag.Int64Var(&Info.Timeout, "time", 3, "Set timeout")
 flag.Int64Var(&Info.WebTimeout, "wt", 5, "Set web timeout")
 flag.StringVar(&Info.Scantype, "m", "all", "Select scan type ,as: -m ssh")
-
 flag.IntVar(&Threads, "t", 200, "Thread nums")
 flag.StringVar(&HostFile, "hf", "", "host file, -hs ip.txt")
 flag.StringVar(&Userfile, "userf", "", "username file")
@@ -40,8 +40,11 @@ func Flag(Info *HostInfo) {
 flag.StringVar(&TmpOutputfile, "o", "result.txt", "Outputfile")
 flag.BoolVar(&TmpSave, "no", false, "not to save output log")
 flag.BoolVar(&LogErr, "debug", false, "debug mode will print more error info")
+ flag.StringVar(&URL, "u", "", "url")
+ flag.StringVar(&UrlFile, "uf", "", "url")
 flag.StringVar(&Pocinfo.PocName, "pocname", "", "use the pocs these contain pocname, -pocname weblogic")
 flag.StringVar(&Pocinfo.Proxy, "proxy", "", "set poc proxy, -proxy http://127.0.0.1:8080")
+ flag.StringVar(&Pocinfo.Cookie, "cookie", "", "set poc cookie")
 flag.IntVar(&Pocinfo.Num, "Num", 20, "poc rate")
 flag.Parse()
 }
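Review bot: Both new flags are described as `"url"`, so `-uf` reads as if it took a URL rather than a file, and neither gives an example in the style the neighbouring `-hf` help uses. `flag.StringVar(&URL, "u", "", "url to scan, -u http://host:port/")` and `flag.StringVar(&UrlFile, "uf", "", "url file, -uf url.txt")` follow that pattern; the `-cookie` help should also state that the value is attached to every request geturl sends, since that is what the Plugins/webtitle.go hunk does with it. Flag's body ends inside this hunk.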