Update check.go

This commit is contained in:
影舞者 2023-11-13 11:31:30 +08:00 committed by GitHub
parent 5ff8b781c8
commit 99d526d7d0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -3,6 +3,9 @@ package lib
import ( import (
"crypto/md5" "crypto/md5"
"fmt" "fmt"
"github.com/google/cel-go/cel"
"github.com/shadow1ng/fscan/WebScan/info"
"github.com/shadow1ng/fscan/common"
"math/rand" "math/rand"
"net/http" "net/http"
"net/url" "net/url"
@ -10,10 +13,6 @@ import (
"strings" "strings"
"sync" "sync"
"time" "time"
"github.com/google/cel-go/cel"
"github.com/shadow1ng/fscan/WebScan/info"
"github.com/shadow1ng/fscan/common"
) )
var ( var (
@ -26,15 +25,15 @@ type Task struct {
Poc *Poc Poc *Poc
} }
func CheckMultiPoc(req *http.Request, pocs []*Poc, flags common.Flags) { func CheckMultiPoc(req *http.Request, pocs []*Poc, workers int) {
tasks := make(chan Task) tasks := make(chan Task)
var wg sync.WaitGroup var wg sync.WaitGroup
for i := 0; i < flags.PocNum; i++ { for i := 0; i < workers; i++ {
go func() { go func() {
for task := range tasks { for task := range tasks {
isVul, _, name := executePoc(task.Req, task.Poc, flags) isVul, _, name := executePoc(task.Req, task.Poc)
if isVul { if isVul {
result := fmt.Sprintf("[+] %s %s %s", task.Req.URL, task.Poc.Name, name) result := fmt.Sprintf("[+] PocScan %s %s %s", task.Req.URL, task.Poc.Name, name)
common.LogSuccess(result) common.LogSuccess(result)
} }
wg.Done() wg.Done()
@ -53,7 +52,7 @@ func CheckMultiPoc(req *http.Request, pocs []*Poc, flags common.Flags) {
close(tasks) close(tasks)
} }
func executePoc(oReq *http.Request, p *Poc, flags common.Flags) (bool, error, string) { func executePoc(oReq *http.Request, p *Poc) (bool, error, string) {
c := NewEnvOption() c := NewEnvOption()
c.UpdateCompileOptions(p.Set) c.UpdateCompileOptions(p.Set)
if len(p.Sets) > 0 { if len(p.Sets) > 0 {
@ -83,7 +82,7 @@ func executePoc(oReq *http.Request, p *Poc, flags common.Flags) (bool, error, st
for _, item := range p.Set { for _, item := range p.Set {
k, expression := item.Key, item.Value k, expression := item.Key, item.Value
if expression == "newReverse()" { if expression == "newReverse()" {
if !flags.DnsLog { if !common.DnsLog {
return false, nil, "" return false, nil, ""
} }
variableMap[k] = newReverse() variableMap[k] = newReverse()
@ -97,7 +96,7 @@ func executePoc(oReq *http.Request, p *Poc, flags common.Flags) (bool, error, st
success := false success := false
//爆破模式,比如tomcat弱口令 //爆破模式,比如tomcat弱口令
if len(p.Sets) > 0 { if len(p.Sets) > 0 {
success, err = clusterpoc(oReq, p, flags.PocFull, variableMap, req, env) success, err = clusterpoc(oReq, p, variableMap, req, env)
return success, nil, "" return success, nil, ""
} }
@ -133,6 +132,7 @@ func executePoc(oReq *http.Request, p *Poc, flags common.Flags) (bool, error, st
newRequest, err := http.NewRequest(rule.Method, fmt.Sprintf("%s://%s%s", req.Url.Scheme, req.Url.Host, string([]rune(req.Url.Path))), strings.NewReader(rule.Body)) newRequest, err := http.NewRequest(rule.Method, fmt.Sprintf("%s://%s%s", req.Url.Scheme, req.Url.Host, string([]rune(req.Url.Path))), strings.NewReader(rule.Body))
if err != nil { if err != nil {
//fmt.Println("[-] newRequest error: ",err)
return false, err return false, err
} }
newRequest.Header = oReq.Header.Clone() newRequest.Header = oReq.Header.Clone()
@ -161,7 +161,6 @@ func executePoc(oReq *http.Request, p *Poc, flags common.Flags) (bool, error, st
if err != nil { if err != nil {
return false, err return false, err
} }
//如果false不继续执行后续rule //如果false不继续执行后续rule
// 如果最后一步执行失败,就算前面成功了最终依旧是失败 // 如果最后一步执行失败,就算前面成功了最终依旧是失败
flag, ok = out.Value().(bool) flag, ok = out.Value().(bool)
@ -258,7 +257,7 @@ func newReverse() *Reverse {
} }
} }
func clusterpoc(oReq *http.Request, p *Poc, pocFull bool, variableMap map[string]interface{}, req *Request, env *cel.Env) (success bool, err error) { func clusterpoc(oReq *http.Request, p *Poc, variableMap map[string]interface{}, req *Request, env *cel.Env) (success bool, err error) {
var strMap StrMap var strMap StrMap
var tmpnum int var tmpnum int
for i, rule := range p.Rules { for i, rule := range p.Rules {
@ -277,8 +276,8 @@ func clusterpoc(oReq *http.Request, p *Poc, pocFull bool, variableMap map[string
ruleHash := make(map[string]struct{}) ruleHash := make(map[string]struct{})
look: look:
for j, item := range setsMap { for j, item := range setsMap {
//shiro only runs by default 10key //shiro默认只跑10key
if p.Name == "poc-yaml-shiro-key" && !pocFull && j >= 10 { if p.Name == "poc-yaml-shiro-key" && !common.PocFull && j >= 10 {
if item[1] == "cbc" { if item[1] == "cbc" {
continue continue
} else { } else {
@ -354,15 +353,15 @@ func clusterpoc(oReq *http.Request, p *Poc, pocFull bool, variableMap map[string
if success { if success {
if rule.Continue { if rule.Continue {
if p.Name == "poc-yaml-backup-file" || p.Name == "poc-yaml-sql-file" { if p.Name == "poc-yaml-backup-file" || p.Name == "poc-yaml-sql-file" {
common.LogSuccess(fmt.Sprintf("[+] %s://%s%s %s", req.Url.Scheme, req.Url.Host, req.Url.Path, p.Name)) common.LogSuccess(fmt.Sprintf("[+] PocScan %s://%s%s %s", req.Url.Scheme, req.Url.Host, req.Url.Path, p.Name))
} else { } else {
common.LogSuccess(fmt.Sprintf("[+] %s://%s%s %s %v", req.Url.Scheme, req.Url.Host, req.Url.Path, p.Name, tmpMap)) common.LogSuccess(fmt.Sprintf("[+] PocScan %s://%s%s %s %v", req.Url.Scheme, req.Url.Host, req.Url.Path, p.Name, tmpMap))
} }
continue continue
} }
strMap = append(strMap, tmpMap...) strMap = append(strMap, tmpMap...)
if i == len(p.Rules)-1 { if i == len(p.Rules)-1 {
common.LogSuccess(fmt.Sprintf("[+] %s://%s%s %s %v", req.Url.Scheme, req.Url.Host, req.Url.Path, p.Name, strMap)) common.LogSuccess(fmt.Sprintf("[+] PocScan %s://%s%s %s %v", req.Url.Scheme, req.Url.Host, req.Url.Path, p.Name, strMap))
//防止后续继续打印poc成功信息 //防止后续继续打印poc成功信息
return false, nil return false, nil
} }
@ -445,6 +444,7 @@ func clustersend(oReq *http.Request, variableMap map[string]interface{}, req *Re
// //
newRequest, err := http.NewRequest(rule.Method, fmt.Sprintf("%s://%s%s", req.Url.Scheme, req.Url.Host, req.Url.Path), strings.NewReader(rule.Body)) newRequest, err := http.NewRequest(rule.Method, fmt.Sprintf("%s://%s%s", req.Url.Scheme, req.Url.Host, req.Url.Path), strings.NewReader(rule.Body))
if err != nil { if err != nil {
//fmt.Println("[-] newRequest error:",err)
return false, err return false, err
} }
newRequest.Header = oReq.Header.Clone() newRequest.Header = oReq.Header.Clone()
@ -476,7 +476,7 @@ func clustersend(oReq *http.Request, variableMap map[string]interface{}, req *Re
} }
return false, err return false, err
} }
//fmt.Println(fmt.Sprintf("%v, %s", out, out.Type().TypeName()))
if fmt.Sprintf("%v", out) == "false" { //如果false不继续执行后续rule if fmt.Sprintf("%v", out) == "false" { //如果false不继续执行后续rule
return false, err // 如果最后一步执行失败,就算前面成功了最终依旧是失败 return false, err // 如果最后一步执行失败,就算前面成功了最终依旧是失败
} }
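Review bot: `CheckMultiPoc` still has no guard for `workers < 1` at the `for i := 0; i < workers; i++` line: with zero workers nothing ever receives from the unbuffered `tasks` channel, so the producer side of the function (outside this hunk) blocks forever instead of failing fast. A one-line guard before the loop, `if workers < 1 { workers = 1 }`, or an early return, would make the new integer parameter safe when a caller passes an unvalidated value. Separately, the same commit moves `DnsLog` and `PocFull` from the injected `flags` to package globals (`common.DnsLog` in executePoc, `common.PocFull` in clusterpoc) while threading `workers` explicitly, so configuration is now read from two places; a doc comment on `CheckMultiPoc` such as `// CheckMultiPoc runs pocs against req with workers goroutines; DnsLog and PocFull are read from package common at call time.` would make that visible to callers. The bodies of CheckMultiPoc, executePoc and clusterpoc all continue outside the hunks shown.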