diff --git a/Common/Config.go b/Common/Config.go index 9da44e0..d8c160b 100644 --- a/Common/Config.go +++ b/Common/Config.go @@ -12,9 +12,10 @@ var Userdict = map[string][]string{ "mongodb": {"root", "admin"}, "oracle": {"sys", "system", "admin", "test", "web", "orcl"}, "telnet": {"root", "admin", "test"}, + "elastic": {"elastic", "admin", "kibana"}, } -var Passwords = []string{"123456", "admin", "admin123", "root", "", "pass123", "pass@123", "password", "P@ssword123", "123123", "654321", "111111", "123", "1", "admin@123", "Admin@123", "admin123!@#", "{user}", "{user}1", "{user}111", "{user}123", "{user}@123", "{user}_123", "{user}#123", "{user}@111", "{user}@2019", "{user}@123#4", "P@ssw0rd!", "P@ssw0rd", "Passw0rd", "qwe123", "12345678", "test", "test123", "123qwe", "123qwe!@#", "123456789", "123321", "666666", "a123456.", "123456~a", "123456!a", "000000", "1234567890", "8888888", "!QAZ2wsx", "1qaz2wsx", "abc123", "abc123456", "1qaz@WSX", "a11111", "a12345", "Aa1234", "Aa1234.", "Aa12345", "a123456", "a123123", "Aa123123", "Aa123456", "Aa12345.", "sysadmin", "system", "1qaz!QAZ", "2wsx@WSX", "qwe123!@#", "Aa123456!", "A123456s!", "sa123456", "1q2w3e", "Charge123", "Aa123456789"} +var Passwords = []string{"123456", "admin", "admin123", "root", "", "pass123", "pass@123", "password", "P@ssword123", "123123", "654321", "111111", "123", "1", "admin@123", "Admin@123", "admin123!@#", "{user}", "{user}1", "{user}111", "{user}123", "{user}@123", "{user}_123", "{user}#123", "{user}@111", "{user}@2019", "{user}@123#4", "P@ssw0rd!", "P@ssw0rd", "Passw0rd", "qwe123", "12345678", "test", "test123", "123qwe", "123qwe!@#", "123456789", "123321", "666666", "a123456.", "123456~a", "123456!a", "000000", "1234567890", "8888888", "!QAZ2wsx", "1qaz2wsx", "abc123", "abc123456", "1qaz@WSX", "a11111", "a12345", "Aa1234", "Aa1234.", "Aa12345", "a123456", "a123123", "Aa123123", "Aa123456", "Aa12345.", "sysadmin", "system", "1qaz!QAZ", "2wsx@WSX", "qwe123!@#", "Aa123456!", "A123456s!", "sa123456", "1q2w3e", "Charge123", "Aa123456789", "elastic123"} var Outputfile = "result.txt" var IsSave = true diff --git a/Common/ParseScanMode.go b/Common/ParseScanMode.go index 4068d33..6247a6d 100644 --- a/Common/ParseScanMode.go +++ b/Common/ParseScanMode.go @@ -20,7 +20,7 @@ var pluginGroups = map[string][]string{ ModeAll: { "web", "fcgi", // web类 "mysql", "mssql", "redis", "mongodb", "postgres", // 数据库类 - "oracle", "memcached", // 数据库类 + "oracle", "memcached", "elasticsearch", // 数据库类 "ftp", "ssh", "telnet", "smb", "rdp", "vnc", "netbios", // 服务类 "ms17010", "smbghost", "smb2", // 漏洞类 "findnet", "wmiexec", // 其他 @@ -30,7 +30,7 @@ var pluginGroups = map[string][]string{ }, ModeDatabase: { "mysql", "mssql", "redis", "mongodb", - "postgres", "oracle", "memcached", + "postgres", "oracle", "memcached", "elasticsearch", }, ModeWeb: { "web", "fcgi", diff --git a/Common/Ports.go b/Common/Ports.go index 2d8f2a6..41d0b2f 100644 --- a/Common/Ports.go +++ b/Common/Ports.go @@ -5,8 +5,8 @@ import ( "strings" ) -var ServicePorts = "21,22,23,135,139,445,1433,1521,2222,3306,3389,5432,6379,9000,11211,27017" -var DbPorts = "1433,1521,3306,5432,6379,11211,27017" +var ServicePorts = "21,22,23,135,139,445,1433,1521,2222,3306,3389,5432,6379,9000,9200,11211,27017" +var DbPorts = "1433,1521,3306,5432,6379,9200,11211,27017" var WebPorts = "80,81,82,83,84,85,86,87,88,89,90,91,92,98,99,443,800,801,808,880,888,889,1000,1010,1080,1081,1082,1099,1118,1888,2008,2020,2100,2375,2379,3000,3008,3128,3505,5555,6080,6648,6868,7000,7001,7002,7003,7004,7005,7007,7008,7070,7071,7074,7078,7080,7088,7200,7680,7687,7688,7777,7890,8000,8001,8002,8003,8004,8006,8008,8009,8010,8011,8012,8016,8018,8020,8028,8030,8038,8042,8044,8046,8048,8053,8060,8069,8070,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8096,8097,8098,8099,8100,8101,8108,8118,8161,8172,8180,8181,8200,8222,8244,8258,8280,8288,8300,8360,8443,8448,8484,8800,8834,8838,8848,8858,8868,8879,8880,8881,8888,8899,8983,8989,9000,9001,9002,9008,9010,9043,9060,9080,9081,9082,9083,9084,9085,9086,9087,9088,9089,9090,9091,9092,9093,9094,9095,9096,9097,9098,9099,9100,9200,9443,9448,9800,9981,9986,9988,9998,9999,10000,10001,10002,10004,10008,10010,10250,12018,12443,14000,16080,18000,18001,18002,18004,18008,18080,18082,18088,18090,18098,19001,20000,20720,21000,21501,21502,28018,20880" var AllPorts = "1-65535" var MainPorts = "21,22,23,80,81,135,139,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017" diff --git a/Core/Registry.go b/Core/Registry.go index 51e6fb1..51537c1 100644 --- a/Core/Registry.go +++ b/Core/Registry.go @@ -61,6 +61,12 @@ func init() { ScanFunc: Plugins.MysqlScan, }) + Common.RegisterPlugin("elasticsearch", Common.ScanPlugin{ + Name: "Elasticsearch", + Ports: []int{9200, 9300}, // Elasticsearch 默认HTTP和Transport端口 + ScanFunc: Plugins.ElasticScan, + }) + Common.RegisterPlugin("rdp", Common.ScanPlugin{ Name: "RDP", Ports: []int{3389}, diff --git a/Plugins/Elasticsearch.go b/Plugins/Elasticsearch.go new file mode 100644 index 0000000..2536265 --- /dev/null +++ b/Plugins/Elasticsearch.go @@ -0,0 +1,104 @@ +package Plugins + +import ( + "crypto/tls" + "encoding/base64" + "fmt" + "github.com/shadow1ng/fscan/Common" + "net/http" + "strings" + "time" +) + +// ElasticScan 执行 Elasticsearch 服务扫描 +func ElasticScan(info *Common.HostInfo) (tmperr error) { + if Common.DisableBrute { + return + } + + starttime := time.Now().Unix() + + // 首先测试无认证访问 + flag, err := ElasticConn(info, "", "") + if flag && err == nil { + return err + } + + // 尝试用户名密码组合 + for _, user := range Common.Userdict["elastic"] { + for _, pass := range Common.Passwords { + // 替换密码中的用户名占位符 + pass = strings.Replace(pass, "{user}", user, -1) + + flag, err := ElasticConn(info, user, pass) + if flag && err == nil { + return err + } + + // 记录错误信息 + errlog := fmt.Sprintf("[-] Elasticsearch服务 %v:%v 尝试失败 用户名: %v 密码: %v 错误: %v", info.Host, info.Ports, user, pass, err) + Common.LogError(errlog) + tmperr = err + + if Common.CheckErrs(err) { + return err + } + + // 超时检查 + if time.Now().Unix()-starttime > (int64(len(Common.Userdict["elastic"])*len(Common.Passwords)) * Common.Timeout) { + return err + } + } + } + return tmperr +} + +// ElasticConn 尝试 Elasticsearch 连接 +func ElasticConn(info *Common.HostInfo, user string, pass string) (bool, error) { + host, port := info.Host, info.Ports + timeout := time.Duration(Common.Timeout) * time.Second + + // 构造请求客户端 + client := &http.Client{ + Timeout: timeout, + Transport: &http.Transport{ + TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, + }, + } + + // 构造基础URL + baseURL := fmt.Sprintf("http://%s:%s", host, port) + + // 创建请求 + req, err := http.NewRequest("GET", baseURL+"/_cat/indices", nil) + if err != nil { + return false, err + } + + // 如果提供了认证信息,添加Basic认证头 + if user != "" || pass != "" { + auth := base64.StdEncoding.EncodeToString([]byte(user + ":" + pass)) + req.Header.Add("Authorization", "Basic "+auth) + } + + // 发送请求 + resp, err := client.Do(req) + if err != nil { + return false, err + } + defer resp.Body.Close() + + // 检查响应状态 + if resp.StatusCode == 200 { + result := fmt.Sprintf("[+] Elasticsearch服务 %v:%v ", host, port) + if user != "" { + result += fmt.Sprintf("爆破成功 用户名: %v 密码: %v", user, pass) + } else { + result += "无需认证即可访问" + } + Common.LogSuccess(result) + return true, nil + } + + return false, fmt.Errorf("认证失败") +} diff --git a/TestDocker/Elasticsearch/Dockerfile b/TestDocker/Elasticsearch/Dockerfile new file mode 100644 index 0000000..eb1514f --- /dev/null +++ b/TestDocker/Elasticsearch/Dockerfile @@ -0,0 +1,19 @@ +FROM docker.elastic.co/elasticsearch/elasticsearch:7.9.3 + +# 设置环境变量允许单节点运行 +ENV discovery.type=single-node + +# 允许任意IP访问 +ENV network.host=0.0.0.0 + +# 设置弱密码 +ENV ELASTIC_PASSWORD=elastic123 + +# 暴露端口 +EXPOSE 9200 9300 + +# 设置默认用户名elastic和密码elastic123 +RUN echo 'elastic:elastic123' > /usr/share/elasticsearch/config/users + +# 关闭xpack安全功能,使其可以无认证访问 +RUN echo 'xpack.security.enabled: false' >> /usr/share/elasticsearch/config/elasticsearch.yml \ No newline at end of file diff --git a/TestDocker/Elasticsearch/README.txt b/TestDocker/Elasticsearch/README.txt new file mode 100644 index 0000000..cd65b5b --- /dev/null +++ b/TestDocker/Elasticsearch/README.txt @@ -0,0 +1,2 @@ +docker build -t elastic-test . +docker run -d -p 9200:9200 -p 9300:9300 elastic-test \ No newline at end of file