mirrors/fscan
1
0
Fork 0
mirror of https://github.com/shadow1ng/fscan.git synced 2025-07-13 21:02:44 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix: #457

Browse Source
This commit is contained in:
ZacharyZcR 2025-04-13 19:15:16 +08:00
parent f79b12a23c
commit b89e892f14
1 changed files with 275 additions and 118 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

373
Plugins/Neo4j.go
View File

@ -1,162 +1,259 @@
package Plugins package Plugins
import ( import (
"context"
"fmt" "fmt"
"github.com/neo4j/neo4j-go-driver/v4/neo4j" "github.com/neo4j/neo4j-go-driver/v4/neo4j"
"github.com/shadow1ng/fscan/Common" "github.com/shadow1ng/fscan/Common"
"strings" "strings"
"sync"
"time" "time"
) )
func Neo4jScan(info *Common.HostInfo) (tmperr error) { // Neo4jCredential 表示一个Neo4j凭据
if Common.DisableBrute { type Neo4jCredential struct {
return Username string
Password string
} }
maxRetries := Common.MaxRetries // Neo4jScanResult 表示Neo4j扫描结果
target := fmt.Sprintf("%v:%v", info.Host, info.Ports) type Neo4jScanResult struct {
Success bool
Error error
Credential Neo4jCredential
IsUnauth bool
IsDefaultCreds bool
}
func Neo4jScan(info *Common.HostInfo) error {
if Common.DisableBrute {
return nil
}
target := fmt.Sprintf("%v:%v", info.Host, info.Ports)
Common.LogDebug(fmt.Sprintf("开始扫描 %s", target)) Common.LogDebug(fmt.Sprintf("开始扫描 %s", target))
// 首先测试无认证访问和默认凭证 // 设置全局超时上下文
initialChecks := []struct { ctx, cancel := context.WithTimeout(context.Background(), time.Duration(Common.GlobalTimeout)*time.Second)
user string defer cancel()
pass string
}{ // 初始检查列表 - 无认证和默认凭证
initialCredentials := []Neo4jCredential{
{"", ""}, // 无认证 {"", ""}, // 无认证
{"neo4j", "neo4j"}, // 默认凭证 {"neo4j", "neo4j"}, // 默认凭证
} }
// 先检查无认证和默认凭证
Common.LogDebug("尝试默认凭证...") Common.LogDebug("尝试默认凭证...")
for _, check := range initialChecks { for _, credential := range initialCredentials {
Common.LogDebug(fmt.Sprintf("尝试: %s:%s", check.user, check.pass)) Common.LogDebug(fmt.Sprintf("尝试: %s:%s", credential.Username, credential.Password))
flag, err := Neo4jConn(info, check.user, check.pass)
if flag && err == nil {
var msg string
if check.user == "" {
msg = fmt.Sprintf("Neo4j服务 %s 无需认证即可访问", target)
Common.LogSuccess(msg)
// 保存结果 - 无认证访问 result := tryNeo4jCredential(ctx, info, credential, Common.Timeout, 1)
result := &Common.ScanResult{ if result.Success {
Time: time.Now(), // 标记结果类型
Type: Common.VULN, if credential.Username == "" && credential.Password == "" {
Target: info.Host, result.IsUnauth = true
Status: "vulnerable",
Details: map[string]interface{}{
"port": info.Ports,
"service": "neo4j",
"type": "unauthorized-access",
},
}
Common.SaveResult(result)
} else { } else {
msg = fmt.Sprintf("Neo4j服务 %s 默认凭证可用 用户名: %s 密码: %s", target, check.user, check.pass) result.IsDefaultCreds = true
Common.LogSuccess(msg) }
// 保存结果 - 默认凭证 // 保存结果
result := &Common.ScanResult{ saveNeo4jResult(info, target, result)
Time: time.Now(), return nil
Type: Common.VULN,
Target: info.Host,
Status: "vulnerable",
Details: map[string]interface{}{
"port": info.Ports,
"service": "neo4j",
"type": "default-credentials",
"username": check.user,
"password": check.pass,
},
}
Common.SaveResult(result)
}
return err
} }
} }
totalUsers := len(Common.Userdict["neo4j"]) // 构建凭据列表
totalPass := len(Common.Passwords) var credentials []Neo4jCredential
Common.LogDebug(fmt.Sprintf("开始尝试用户名密码组合 (总用户数: %d, 总密码数: %d)", totalUsers, totalPass))
tried := 0
total := totalUsers * totalPass
// 遍历所有用户名密码组合
for _, user := range Common.Userdict["neo4j"] { for _, user := range Common.Userdict["neo4j"] {
for _, pass := range Common.Passwords { for _, pass := range Common.Passwords {
tried++ actualPass := strings.Replace(pass, "{user}", user, -1)
pass = strings.Replace(pass, "{user}", user, -1) credentials = append(credentials, Neo4jCredential{
Common.LogDebug(fmt.Sprintf("[%d/%d] 尝试: %s:%s", tried, total, user, pass)) Username: user,
Password: actualPass,
// 重试循环 })
for retryCount := 0; retryCount < maxRetries; retryCount++ { }
if retryCount > 0 {
Common.LogDebug(fmt.Sprintf("第%d次重试: %s:%s", retryCount+1, user, pass))
} }
done := make(chan struct { Common.LogDebug(fmt.Sprintf("开始尝试用户名密码组合 (总用户数: %d, 总密码数: %d, 总组合数: %d)",
len(Common.Userdict["neo4j"]), len(Common.Passwords), len(credentials)))
// 使用工作池并发扫描
result := concurrentNeo4jScan(ctx, info, credentials, Common.Timeout, Common.MaxRetries)
if result != nil {
// 记录成功结果
saveNeo4jResult(info, target, result)
return nil
}
// 检查是否因为全局超时而退出
select {
case <-ctx.Done():
Common.LogDebug("Neo4j扫描全局超时")
return fmt.Errorf("全局超时")
default:
Common.LogDebug(fmt.Sprintf("扫描完成,共尝试 %d 个组合", len(credentials)+len(initialCredentials)))
return nil
}
}
// concurrentNeo4jScan 并发扫描Neo4j服务
func concurrentNeo4jScan(ctx context.Context, info *Common.HostInfo, credentials []Neo4jCredential, timeoutSeconds int64, maxRetries int) *Neo4jScanResult {
// 使用ModuleThreadNum控制并发数
maxConcurrent := Common.ModuleThreadNum
if maxConcurrent <= 0 {
maxConcurrent = 10 // 默认值
}
if maxConcurrent > len(credentials) {
maxConcurrent = len(credentials)
}
// 创建工作池
var wg sync.WaitGroup
resultChan := make(chan *Neo4jScanResult, 1)
workChan := make(chan Neo4jCredential, maxConcurrent)
scanCtx, scanCancel := context.WithCancel(ctx)
defer scanCancel()
// 启动工作协程
for i := 0; i < maxConcurrent; i++ {
wg.Add(1)
go func() {
defer wg.Done()
for credential := range workChan {
select {
case <-scanCtx.Done():
return
default:
result := tryNeo4jCredential(scanCtx, info, credential, timeoutSeconds, maxRetries)
if result.Success {
select {
case resultChan <- result:
scanCancel() // 找到有效凭据,取消其他工作
default:
}
return
}
}
}
}()
}
// 发送工作
go func() {
for i, cred := range credentials {
select {
case <-scanCtx.Done():
break
default:
Common.LogDebug(fmt.Sprintf("[%d/%d] 尝试: %s:%s", i+1, len(credentials), cred.Username, cred.Password))
workChan <- cred
}
}
close(workChan)
}()
// 等待结果或完成
go func() {
wg.Wait()
close(resultChan)
}()
// 获取结果,考虑全局超时
select {
case result, ok := <-resultChan:
if ok && result != nil && result.Success {
return result
}
return nil
case <-ctx.Done():
Common.LogDebug("Neo4j并发扫描全局超时")
scanCancel() // 确保取消所有未完成工作
return nil
}
}
// tryNeo4jCredential 尝试单个Neo4j凭据
func tryNeo4jCredential(ctx context.Context, info *Common.HostInfo, credential Neo4jCredential, timeoutSeconds int64, maxRetries int) *Neo4jScanResult {
var lastErr error
for retry := 0; retry < maxRetries; retry++ {
select {
case <-ctx.Done():
return &Neo4jScanResult{
Success: false,
Error: fmt.Errorf("全局超时"),
Credential: credential,
}
default:
if retry > 0 {
Common.LogDebug(fmt.Sprintf("第%d次重试: %s:%s", retry+1, credential.Username, credential.Password))
time.Sleep(500 * time.Millisecond) // 重试前等待
}
// 创建连接结果通道
resultChan := make(chan struct {
success bool success bool
err error err error
}, 1) }, 1)
go func(user, pass string) { // 在协程中尝试连接
flag, err := Neo4jConn(info, user, pass) connCtx, cancel := context.WithTimeout(ctx, time.Duration(timeoutSeconds)*time.Second)
go func() {
defer cancel()
success, err := Neo4jConn(info, credential.Username, credential.Password)
select { select {
case done <- struct { case <-connCtx.Done():
case resultChan <- struct {
success bool success bool
err error err error
}{flag, err}: }{success, err}:
default:
} }
}(user, pass) }()
// 等待结果或超时
var success bool
var err error var err error
select {
case result := <-done:
err = result.err
if result.success && err == nil {
msg := fmt.Sprintf("Neo4j服务 %s 爆破成功 用户名: %s 密码: %s", target, user, pass)
Common.LogSuccess(msg)
// 保存结果 - 成功爆破 select {
vulnResult := &Common.ScanResult{ case result := <-resultChan:
Time: time.Now(), success = result.success
Type: Common.VULN, err = result.err
Target: info.Host, case <-connCtx.Done():
Status: "vulnerable", if ctx.Err() != nil {
Details: map[string]interface{}{ // 全局超时
"port": info.Ports, return &Neo4jScanResult{
"service": "neo4j", Success: false,
"type": "weak-password", Error: ctx.Err(),
"username": user, Credential: credential,
"password": pass,
},
} }
Common.SaveResult(vulnResult)
return nil
} }
case <-time.After(time.Duration(Common.Timeout) * time.Second): // 单个连接超时
err = fmt.Errorf("连接超时") err = fmt.Errorf("连接超时")
} }
if success {
return &Neo4jScanResult{
Success: true,
Credential: credential,
}
}
lastErr = err
if err != nil { if err != nil {
errlog := fmt.Sprintf("Neo4j服务 %s 尝试失败 用户名: %s 密码: %s 错误: %v", target, user, pass, err) // 检查是否需要重试
Common.LogError(errlog) if retryErr := Common.CheckErrs(err); retryErr == nil {
break // 不需要重试的错误
if retryErr := Common.CheckErrs(err); retryErr != nil {
if retryCount == maxRetries-1 {
continue
} }
continue
}
}
break
} }
} }
} }
Common.LogDebug(fmt.Sprintf("扫描完成,共尝试 %d 个组合", tried)) return &Neo4jScanResult{
return tmperr Success: false,
Error: lastErr,
Credential: credential,
}
} }
// Neo4jConn 尝试Neo4j连接 // Neo4jConn 尝试Neo4j连接
@ -170,6 +267,7 @@ func Neo4jConn(info *Common.HostInfo, user string, pass string) (bool, error) {
// 配置驱动选项 // 配置驱动选项
config := func(c *neo4j.Config) { config := func(c *neo4j.Config) {
c.SocketConnectTimeout = timeout c.SocketConnectTimeout = timeout
c.ConnectionAcquisitionTimeout = timeout
} }
var driver neo4j.Driver var driver neo4j.Driver
@ -189,11 +287,70 @@ func Neo4jConn(info *Common.HostInfo, user string, pass string) (bool, error) {
} }
defer driver.Close() defer driver.Close()
// 测试连接 // 测试连接有效性
err = driver.VerifyConnectivity() err = driver.VerifyConnectivity()
if err != nil { if err != nil {
return false, err return false, err
} }
// 尝试执行简单查询以确认权限
session := driver.NewSession(neo4j.SessionConfig{AccessMode: neo4j.AccessModeRead})
defer session.Close()
_, err = session.Run("MATCH (n) RETURN count(n) LIMIT 1", nil)
if err != nil {
return false, err
}
return true, nil return true, nil
} }
// saveNeo4jResult 保存Neo4j扫描结果
func saveNeo4jResult(info *Common.HostInfo, target string, result *Neo4jScanResult) {
var successMsg string
var details map[string]interface{}
if result.IsUnauth {
// 无认证访问
successMsg = fmt.Sprintf("Neo4j服务 %s 无需认证即可访问", target)
details = map[string]interface{}{
"port": info.Ports,
"service": "neo4j",
"type": "unauthorized-access",
}
} else if result.IsDefaultCreds {
// 默认凭证
successMsg = fmt.Sprintf("Neo4j服务 %s 默认凭证可用 用户名: %s 密码: %s",
target, result.Credential.Username, result.Credential.Password)
details = map[string]interface{}{
"port": info.Ports,
"service": "neo4j",
"type": "default-credentials",
"username": result.Credential.Username,
"password": result.Credential.Password,
}
} else {
// 弱密码
successMsg = fmt.Sprintf("Neo4j服务 %s 爆破成功 用户名: %s 密码: %s",
target, result.Credential.Username, result.Credential.Password)
details = map[string]interface{}{
"port": info.Ports,
"service": "neo4j",
"type": "weak-password",
"username": result.Credential.Username,
"password": result.Credential.Password,
}
}
Common.LogSuccess(successMsg)
// 保存结果
vulnResult := &Common.ScanResult{
Time: time.Now(),
Type: Common.VULN,
Target: info.Host,
Status: "vulnerable",
Details: details,
}
Common.SaveResult(vulnResult)
}