From dd8514784e60eb3cbe79a2fb99d8507756f659f5 Mon Sep 17 00:00:00 2001
From: ZacharyZcR <2903735704@qq.com>
Date: Wed, 18 Dec 2024 23:40:11 +0800
Subject: [PATCH] =?UTF-8?q?perf:=20=E4=BC=98=E5=8C=96Mongodb.go=E7=9A=84?= =?UTF-8?q?=E4=BB=A3=E7=A0=81=EF=BC=8C=E6=B7=BB=E5=8A=A0=E6=B3=A8=E9=87=8A?= =?UTF-8?q?=EF=BC=8C=E8=A7=84=E8=8C=83=E8=BE=93=E5=87=BA?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 Plugins/Mongodb.go | 114 +++++++++++++++++++++++++++------------------
 1 file changed, 68 insertions(+), 46 deletions(-)
diff --git a/Plugins/Mongodb.go b/Plugins/Mongodb.go
index 82a6af2..25822b7 100644
--- a/Plugins/Mongodb.go
+++ b/Plugins/Mongodb.go
@@ -8,22 +8,80 @@ import ( "time" ) +// MongodbScan 执行MongoDB未授权扫描 func MongodbScan(info *Config.HostInfo) error { if Common.IsBrute { return nil } + _, err := MongodbUnauth(info) if err != nil { - errlog := fmt.Sprintf("[-] Mongodb %v:%v %v", info.Host, info.Ports, err) + errlog := fmt.Sprintf("[-] MongoDB %v:%v %v", info.Host, info.Ports, err) Common.LogError(errlog) } return err } -func MongodbUnauth(info *Config.HostInfo) (flag bool, err error) { - flag = false - // op_msg - packet1 := []byte{ +// MongodbUnauth 检测MongoDB未授权访问 +func MongodbUnauth(info *Config.HostInfo) (bool, error) { + // MongoDB查询数据包 + msgPacket := createOpMsgPacket() + queryPacket := createOpQueryPacket() + + realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports) + + // 尝试OP_MSG查询 + reply, err := checkMongoAuth(realhost, msgPacket) + if err != nil { + // 失败则尝试OP_QUERY查询 + reply, err = checkMongoAuth(realhost, queryPacket) + if err != nil { + return false, err + } + } + + // 检查响应结果 + if strings.Contains(reply, "totalLinesWritten") { + result := fmt.Sprintf("[+] MongoDB %v 未授权访问", realhost) + Common.LogSuccess(result) + return true, nil + } + + return false, nil +} + +// checkMongoAuth 检查MongoDB认证状态 +func checkMongoAuth(address string, packet []byte) (string, error) { + // 建立TCP连接 + conn, err := Common.WrapperTcpWithTimeout("tcp", address, time.Duration(Common.Timeout)*time.Second) + if err != nil { + return "", err + } + defer conn.Close() + + // 设置超时时间 + if err := conn.SetReadDeadline(time.Now().Add(time.Duration(Common.Timeout) * time.Second)); err != nil { + return "", err + } + + // 发送查询包 + if _, err := conn.Write(packet); err != nil { + return "", err + } + + // 读取响应 + reply := make([]byte, 1024) + count, err := conn.Read(reply) + if err != nil { + return "", err + } + + return string(reply[:count]), nil +} + +// createOpMsgPacket 创建OP_MSG查询包 +func createOpMsgPacket() []byte { + return []byte{ 0x69, 0x00, 0x00, 0x00, // messageLength 0x39, 0x00, 0x00, 0x00, // requestID 0x00, 0x00, 0x00, 
0x00, // responseTo @@ -32,8 +90,11 @@ func MongodbUnauth(info *Config.HostInfo) (flag bool, err error) { // sections db.adminCommand({getLog: "startupWarnings"}) 0x00, 0x54, 0x00, 0x00, 0x00, 0x02, 0x67, 0x65, 0x74, 0x4c, 0x6f, 0x67, 0x00, 0x10, 0x00, 0x00, 0x00, 0x73, 0x74, 0x61, 0x72, 0x74, 0x75, 0x70, 0x57, 0x61, 0x72, 0x6e, 0x69, 0x6e, 0x67, 0x73, 0x00, 0x02, 0x24, 0x64, 0x62, 0x00, 0x06, 0x00, 0x00, 0x00, 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x00, 0x03, 0x6c, 0x73, 0x69, 0x64, 0x00, 0x1e, 0x00, 0x00, 0x00, 0x05, 0x69, 0x64, 0x00, 0x10, 0x00, 0x00, 0x00, 0x04, 0x6e, 0x81, 0xf8, 0x8e, 0x37, 0x7b, 0x4c, 0x97, 0x84, 0x4e, 0x90, 0x62, 0x5a, 0x54, 0x3c, 0x93, 0x00, 0x00, } - //op_query - packet2 := []byte{ +} + +// createOpQueryPacket 创建OP_QUERY查询包 +func createOpQueryPacket() []byte { + return []byte{ 0x48, 0x00, 0x00, 0x00, // messageLength 0x02, 0x00, 0x00, 0x00, // requestID 0x00, 0x00, 0x00, 0x00, // responseTo 
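Review bot: `checkMongoAuth` bases the verdict on a single `conn.Read` into a 1024-byte buffer, and TCP does not guarantee that one read returns the whole reply. A reply delivered in pieces can therefore lose the `totalLinesWritten` marker, and `MongodbUnauth` then returns `false, nil` for an instance that is in fact open. The marker usually sits near the start of the getLog reply, so this is mainly a risk on slow or lossy links. Reading the length-prefixed message as below removes the dependence on segmentation; it needs `io` and `encoding/binary` added to the import block, most of which lies outside this hunk. Separately, `conn.SetReadDeadline(...)` leaves `conn.Write` unbounded; `conn.SetDeadline(time.Now().Add(time.Duration(Common.Timeout) * time.Second))` would cover both directions.

```go
func checkMongoAuth(address string, packet []byte) (string, error) {
	// … unchanged: dial, deadline, write of packet …

	// The first four bytes of every MongoDB wire message are its
	// little-endian messageLength; read that much, capped, rather than
	// relying on whatever a single Read call happens to return.
	const maxReply = 4096
	reply := make([]byte, 4, maxReply)
	if _, err := io.ReadFull(conn, reply); err != nil {
		return "", err
	}
	want := int(binary.LittleEndian.Uint32(reply))
	if want < len(reply) || want > maxReply {
		want = maxReply
	}
	reply = reply[:want]
	n, err := io.ReadFull(conn, reply[4:])
	if err != nil && n == 0 {
		return "", err
	}
	// A partial body is still returned so the marker check can run on it.
	return string(reply[:4+n]), nil
}
```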
@@ -45,43 +106,4 @@ func MongodbUnauth(info *Config.HostInfo) (flag bool, err error) { // query db.adminCommand({getLog: "startupWarnings"}) 0x21, 0x00, 0x00, 0x00, 0x2, 0x67, 0x65, 0x74, 0x4c, 0x6f, 0x67, 0x00, 0x10, 0x00, 0x00, 0x00, 0x73, 0x74, 0x61, 0x72, 0x74, 0x75, 0x70, 0x57, 0x61, 0x72, 0x6e, 0x69, 0x6e, 0x67, 0x73, 0x00, 0x00, } - - realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports) - - checkUnAuth := func(address string, packet []byte) (string, error) { - conn, err := Common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(Common.Timeout)*time.Second) - if err != nil { - return "", err - } - defer conn.Close() - err = conn.SetReadDeadline(time.Now().Add(time.Duration(Common.Timeout) * time.Second)) - if err != nil { - return "", err - } - _, err = conn.Write(packet) - if err != nil { - return "", err - } - reply := make([]byte, 1024) - count, err := conn.Read(reply) - if err != nil { - return "", err - } - return string(reply[0:count]), nil - } - - // send OP_MSG first - reply, err := checkUnAuth(realhost, packet1) - if err != nil { - reply, err = checkUnAuth(realhost, packet2) - if err != nil { - return flag, err - } - } - if strings.Contains(reply, "totalLinesWritten") { - flag = true - result := fmt.Sprintf("[+] Mongodb %v unauthorized", realhost) - Common.LogSuccess(result) - } - return flag, err }