支持-u url或者-uf url.txt,进行url批量扫描

Plugins/scanner.go

@@ -49,6 +49,16 @@ func Scan(info common.HostInfo) {
 			AddScan(scantype, info, ch, &wg)
 		}
 	}
+	if common.URL != "" {
+		info.Url = common.URL
+		AddScan("1000003", info, ch, &wg)
+	}
+	if len(common.Urls) > 0 {
+		for _, url := range common.Urls {
+			info.Url = url
+			AddScan("1000003", info, ch, &wg)
+		}
+	}
 	wg.Wait()
 	common.WaitSave()
 }

Plugins/webtitle.go

@@ -13,19 +13,25 @@ import (
 
 func WebTitle(info *common.HostInfo) error {
 	var CheckData []WebScan.CheckDatas
-
+	if info.Url == "" {
-	if info.Ports == "80" {
+		if info.Ports == "80" {
-		info.Url = fmt.Sprintf("http://%s", info.Host)
+			info.Url = fmt.Sprintf("http://%s", info.Host)
-	} else if info.Ports == "443" {
+		} else if info.Ports == "443" {
-		info.Url = fmt.Sprintf("https://%s", info.Host)
+			info.Url = fmt.Sprintf("https://%s", info.Host)
+		} else {
+			info.Url = fmt.Sprintf("http://%s:%s", info.Host, info.Ports)
+		}
 	} else {
-		info.Url = fmt.Sprintf("http://%s:%s", info.Host, info.Ports)
+		if !strings.Contains(info.Url, "://") {
+			info.Url = fmt.Sprintf("http://%s", info.Url)
+		}
 	}
 
 	err, result, CheckData := geturl(info, true, CheckData)
 	if err != nil {
 		return err
 	}
+
 	if result == "https" {
 		err, _, CheckData = geturl(info, true, CheckData)
 		if err != nil {
@@ -43,7 +49,6 @@ func WebTitle(info *common.HostInfo) error {
 	if common.IsWebCan == false {
 		WebScan.WebScan(info)
 	}
-
 	return err
 }
 
@@ -58,8 +63,11 @@ func geturl(info *common.HostInfo, flag bool, CheckData []WebScan.CheckDatas) (e
 		res.Header.Set("Accept", "*/*")
 		res.Header.Set("Accept-Language", "zh-CN,zh;q=0.9")
 		res.Header.Set("Accept-Encoding", "gzip, deflate")
+		if common.Pocinfo.Cookie != "" {
+			res.Header.Set("Cookie", common.Pocinfo.Cookie)
+		}
 		if flag == true {
-			res.Header.Set("Cookie", "rememberMe=1")
+			res.Header.Set("Cookie", "rememberMe=1;"+common.Pocinfo.Cookie)
 		}
 		res.Header.Set("Connection", "close")
 		resp, err := lib.Client.Do(res)

WebScan/lib/check.go

@@ -37,7 +37,7 @@ func CheckMultiPoc(req *http.Request, Pocs embed.FS, workers int, pocname string
 					continue
 				}
 				if isVul {
-					result := fmt.Sprintf("%s %s", task.Req.URL, task.Poc.Name)
+					result := fmt.Sprintf("[+] %s %s", task.Req.URL, task.Poc.Name)
 					common.LogSuccess(result)
 				}
 			}
@@ -183,6 +183,7 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error) {
 			for k, v := range rule.Headers {
 				newRequest.Header.Set(k, v)
 			}
+
 			resp, err := DoRequest(newRequest, rule.FollowRedirects)
 			if err != nil {
 				return false, err
@@ -200,7 +201,6 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error) {
 					return false, nil
 				}
 			}
-
 			out, err := Evaluate(env, rule.Expression, variableMap)
 			if err != nil {
 				return false, err
@@ -486,8 +486,8 @@ func clusterpoc1(oReq *http.Request, p *Poc, variableMap map[string]interface{},
 		if len(varset) == 2 {
 		look2:
 			//	(var1 tomcat ,keys[0] username)
-			for _, var1 := range p.Sets[varset[0]] {
+			for _, var1 := range p.Sets[varset[0]] { //username
-				for _, var2 := range p.Sets[varset[1]] {
+				for _, var2 := range p.Sets[varset[1]] { //password
 					setMap := cloneMap1(setMapbak)
 					setMap[varset[0]] = var1
 					setMap[varset[1]] = var2

WebScan/lib/http.go

@@ -37,6 +37,9 @@ func InitHttpClient(ThreadsNum int, DownProxy string, Timeout time.Duration) err
 		DisableKeepAlives:   false,
 	}
 	if DownProxy != "" {
+		if DownProxy == "1" {
+			DownProxy = "http://127.0.0.1:8080"
+		}
 		u, err := url.Parse(DownProxy)
 		if err != nil {
 			return err
@@ -144,7 +147,6 @@ func getRespBody(oResp *http.Response) ([]byte, error) {
 		if err != nil {
 			return nil, err
 		}
-
 		defer gr.Close()
 		for {
 			buf := make([]byte, 1024)

WebScan/pocs/swagger-ui-unauth-No1.yml

@@ -1,4 +1,4 @@
-name: poc-yaml-druid-monitor-unauth
+name: poc-yaml-swagger-ui-unauth1
 rules:
   - method: GET
     path: /swagger-ui.html

WebScan/pocs/swagger-ui-unauth-No2.yml

@@ -1,4 +1,4 @@
-name: poc-yaml-druid-monitor-unauth
+name: poc-yaml-swagger-ui-unauth2
 rules:
   - method: GET
     path: /api/swagger-ui.html

WebScan/pocs/swagger-ui-unauth-No3.yml

@@ -1,4 +1,4 @@
-name: poc-yaml-druid-monitor-unauth
+name: poc-yaml-swagger-ui-unauth3
 rules:
   - method: GET
     path: /service/swagger-ui.html

WebScan/pocs/swagger-ui-unauth-No4.yml

@@ -1,4 +1,4 @@
-name: poc-yaml-druid-monitor-unauth
+name: poc-yaml-swagger-ui-unauth4
 rules:
   - method: GET
     path: /web/swagger-ui.html

WebScan/pocs/swagger-ui-unauth-No5.yml

@@ -1,4 +1,4 @@
-name: poc-yaml-druid-monitor-unauth
+name: poc-yaml-swagger-ui-unauth5
 rules:
   - method: GET
     path: /swagger/swagger-ui.html

WebScan/pocs/swagger-ui-unauth-No6.yml

@@ -1,4 +1,4 @@
-name: poc-yaml-druid-monitor-unauth
+name: poc-yaml-swagger-ui-unauth6
 rules:
   - method: GET
     path: /actuator/swagger-ui.html

WebScan/pocs/swagger-ui-unauth-No7.yml

@@ -1,4 +1,4 @@
-name: poc-yaml-druid-monitor-unauth
+name: poc-yaml-swagger-ui-unauth7
 rules:
   - method: GET
     path: /libs/swagger-ui.html

WebScan/pocs/swagger-ui-unauth-No8.yml

@@ -1,4 +1,4 @@
-name: poc-yaml-druid-monitor-unauth
+name: poc-yaml-swagger-ui8
 rules:
   - method: GET
     path: /template/swagger-ui.html

WebScan/pocs/weblogic-cve-2020-14750.yml

@@ -4,7 +4,7 @@ rules:
     path: /console/images/%252E./console.portal
     follow_redirects: false
     expression: |
-      response.status == 302 && (response.body.bcontains(bytes("/console/console.portal")) || response.body.bcontains(bytes("/console/jsp/common/NoJMX.jsp")))
+      (response.status == 302 && response.body.bcontains(bytes("/console/console.portal")) || response.body.bcontains(bytes("/console.portal?_nfpb=true")))
 detail:
   author: canc3s(https://github.com/canc3s),Soveless(https://github.com/Soveless)
   weblogic_version: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0

common/Parse.go

@@ -63,7 +63,20 @@ func ParsePass(Info *HostInfo) {
 				}
 			}
 			Passwords = Info.Passwords
-
+		}
+	}
+	if UrlFile != "" {
+		urls, err := Readfile(UrlFile)
+		if err == nil {
+			TmpUrls := make(map[string]struct{})
+			for _, url := range urls {
+				if _, ok := TmpUrls[url]; !ok {
+					TmpUrls[url] = struct{}{}
+					if url != "" {
+						Urls = append(Urls, url)
+					}
+				}
+			}
 		}
 	}
 }
@@ -88,7 +101,7 @@ func Readfile(filename string) ([]string, error) {
 }
 
 func ParseInput(Info *HostInfo) {
-	if Info.Host == "" && HostFile == "" {
+	if Info.Host == "" && HostFile == "" && URL == "" && UrlFile == "" {
 		fmt.Println("Host is none")
 		flag.Usage()
 		os.Exit(0)

common/config.go

@@ -54,7 +54,7 @@ var PortlistBack = map[string]int{
 
 var Outputfile = getpath() + "result.txt"
 var IsSave = true
-
+var Webport = "9098,9448,8888,82,8858,1081,8879,21502,9097,8088,8090,8200,91,1080,889,8834,8011,9986,9043,9988,7080,10000,9089,8028,9999,8001,89,8086,8244,9000,2008,8080,7000,8030,8983,8096,8288,18080,8020,8848,808,8099,6868,18088,10004,8443,8042,7008,8161,7001,1082,8095,8087,8880,9096,7074,8044,8048,9087,10008,2020,8003,8069,20000,7688,1010,8092,8484,6648,9100,21501,8009,8360,9060,85,99,8000,9085,9998,8172,8899,9084,9010,9082,10010,7005,12018,87,7004,18004,8098,18098,8002,3505,8018,3000,9094,83,8108,1118,8016,20720,90,8046,9443,8091,7002,8868,8010,18082,8222,7088,8448,18090,3008,12443,9001,9093,7003,8101,14000,7687,8094,9002,8082,9081,8300,9086,8081,8089,8006,443,7007,7777,1888,9090,9095,81,1000,18002,8800,84,9088,7071,7070,8038,9091,8258,9008,9083,16080,88,8085,801,5555,7680,800,8180,9800,10002,18000,18008,98,28018,86,9092,8881,8100,8012,8084,8989,6080,7078,18001,8093,8053,8070,8280,880,92,9099,8181,9981,8060,8004,8083,10001,8097,21000,80,7200,888,7890,3128,8838,8008,8118,9080,2100,7180,9200"
 var DefaultPorts = "21,22,80,81,135,443,445,1433,3306,5432,6379,7001,8000,8080,8089,9200,11211,27017"
 
 type HostInfo struct {
@@ -100,3 +100,6 @@ var Userfile string
 var Passfile string
 var HostFile string
 var Threads int
+var URL string
+var UrlFile string
+var Urls []string

common/flag.go

@@ -18,6 +18,7 @@ func Banner() {
 
 func Flag(Info *HostInfo) {
 	Banner()
+	DefaultPorts += Webport
 	flag.StringVar(&Info.Host, "h", "", "IP address of the host you want to scan,for example: 192.168.11.11 | 192.168.11.11-255 | 192.168.11.11,192.168.11.12")
 	flag.StringVar(&Info.Ports, "p", DefaultPorts, "Select a port,for example: 22 | 1-65535 | 22,80,3306")
 	flag.StringVar(&Info.Command, "c", "", "exec command (ssh)")
@@ -27,7 +28,6 @@ func Flag(Info *HostInfo) {
 	flag.Int64Var(&Info.Timeout, "time", 3, "Set timeout")
 	flag.Int64Var(&Info.WebTimeout, "wt", 5, "Set web timeout")
 	flag.StringVar(&Info.Scantype, "m", "all", "Select scan type ,as: -m ssh")
-
 	flag.IntVar(&Threads, "t", 200, "Thread nums")
 	flag.StringVar(&HostFile, "hf", "", "host file, -hs ip.txt")
 	flag.StringVar(&Userfile, "userf", "", "username file")
@@ -40,8 +40,11 @@ func Flag(Info *HostInfo) {
 	flag.StringVar(&TmpOutputfile, "o", "result.txt", "Outputfile")
 	flag.BoolVar(&TmpSave, "no", false, "not to save output log")
 	flag.BoolVar(&LogErr, "debug", false, "debug mode will print more error info")
+	flag.StringVar(&URL, "u", "", "url")
+	flag.StringVar(&UrlFile, "uf", "", "url")
 	flag.StringVar(&Pocinfo.PocName, "pocname", "", "use the pocs these contain pocname, -pocname weblogic")
 	flag.StringVar(&Pocinfo.Proxy, "proxy", "", "set poc proxy, -proxy http://127.0.0.1:8080")
+	flag.StringVar(&Pocinfo.Cookie, "cookie", "", "set poc cookie")
 	flag.IntVar(&Pocinfo.Num, "Num", 20, "poc rate")
 	flag.Parse()
 }