mirror of
https://github.com/shadow1ng/fscan.git
synced 2025-07-13 21:02:44 +08:00
307 lines
7.2 KiB
Go
307 lines
7.2 KiB
Go
package Plugins
|
|
|
|
import (
|
|
"context"
|
|
"database/sql"
|
|
"fmt"
|
|
_ "github.com/go-sql-driver/mysql"
|
|
"github.com/shadow1ng/fscan/Common"
|
|
"strings"
|
|
"sync"
|
|
"time"
|
|
)
|
|
|
|
// MySQLCredential 表示一个MySQL凭据
|
|
type MySQLCredential struct {
|
|
Username string
|
|
Password string
|
|
}
|
|
|
|
// MySQLScanResult 表示MySQL扫描结果
|
|
type MySQLScanResult struct {
|
|
Success bool
|
|
Error error
|
|
Credential MySQLCredential
|
|
}
|
|
|
|
// MysqlScan 执行MySQL服务扫描
|
|
func MysqlScan(info *Common.HostInfo) error {
|
|
if Common.DisableBrute {
|
|
return nil
|
|
}
|
|
|
|
target := fmt.Sprintf("%v:%v", info.Host, info.Ports)
|
|
Common.LogDebug(fmt.Sprintf("开始扫描 %s", target))
|
|
|
|
// 设置全局超时上下文
|
|
ctx, cancel := context.WithTimeout(context.Background(), time.Duration(Common.GlobalTimeout)*time.Second)
|
|
defer cancel()
|
|
|
|
// 构建凭据列表
|
|
var credentials []MySQLCredential
|
|
for _, user := range Common.Userdict["mysql"] {
|
|
for _, pass := range Common.Passwords {
|
|
actualPass := strings.Replace(pass, "{user}", user, -1)
|
|
credentials = append(credentials, MySQLCredential{
|
|
Username: user,
|
|
Password: actualPass,
|
|
})
|
|
}
|
|
}
|
|
|
|
Common.LogDebug(fmt.Sprintf("开始尝试用户名密码组合 (总用户数: %d, 总密码数: %d, 总组合数: %d)",
|
|
len(Common.Userdict["mysql"]), len(Common.Passwords), len(credentials)))
|
|
|
|
// 使用工作池并发扫描
|
|
result := concurrentMySQLScan(ctx, info, credentials, Common.Timeout, Common.MaxRetries)
|
|
if result != nil {
|
|
// 记录成功结果
|
|
saveMySQLResult(info, target, result.Credential)
|
|
return nil
|
|
}
|
|
|
|
// 检查是否因为全局超时而退出
|
|
select {
|
|
case <-ctx.Done():
|
|
Common.LogDebug("MySQL扫描全局超时")
|
|
return fmt.Errorf("全局超时")
|
|
default:
|
|
Common.LogDebug(fmt.Sprintf("扫描完成,共尝试 %d 个组合", len(credentials)))
|
|
return nil
|
|
}
|
|
}
|
|
|
|
// concurrentMySQLScan 并发扫描MySQL服务
|
|
func concurrentMySQLScan(ctx context.Context, info *Common.HostInfo, credentials []MySQLCredential, timeoutSeconds int64, maxRetries int) *MySQLScanResult {
|
|
// 使用ModuleThreadNum控制并发数
|
|
maxConcurrent := Common.ModuleThreadNum
|
|
if maxConcurrent <= 0 {
|
|
maxConcurrent = 10 // 默认值
|
|
}
|
|
if maxConcurrent > len(credentials) {
|
|
maxConcurrent = len(credentials)
|
|
}
|
|
|
|
// 创建工作池
|
|
var wg sync.WaitGroup
|
|
resultChan := make(chan *MySQLScanResult, 1)
|
|
workChan := make(chan MySQLCredential, maxConcurrent)
|
|
scanCtx, scanCancel := context.WithCancel(ctx)
|
|
defer scanCancel()
|
|
|
|
// 启动工作协程
|
|
for i := 0; i < maxConcurrent; i++ {
|
|
wg.Add(1)
|
|
go func() {
|
|
defer wg.Done()
|
|
for credential := range workChan {
|
|
select {
|
|
case <-scanCtx.Done():
|
|
return
|
|
default:
|
|
result := tryMySQLCredential(scanCtx, info, credential, timeoutSeconds, maxRetries)
|
|
if result.Success {
|
|
select {
|
|
case resultChan <- result:
|
|
scanCancel() // 找到有效凭据,取消其他工作
|
|
default:
|
|
}
|
|
return
|
|
}
|
|
}
|
|
}
|
|
}()
|
|
}
|
|
|
|
// 发送工作
|
|
go func() {
|
|
for i, cred := range credentials {
|
|
select {
|
|
case <-scanCtx.Done():
|
|
break
|
|
default:
|
|
Common.LogDebug(fmt.Sprintf("[%d/%d] 尝试: %s:%s", i+1, len(credentials), cred.Username, cred.Password))
|
|
workChan <- cred
|
|
}
|
|
}
|
|
close(workChan)
|
|
}()
|
|
|
|
// 等待结果或完成
|
|
go func() {
|
|
wg.Wait()
|
|
close(resultChan)
|
|
}()
|
|
|
|
// 获取结果,考虑全局超时
|
|
select {
|
|
case result, ok := <-resultChan:
|
|
if ok && result != nil && result.Success {
|
|
return result
|
|
}
|
|
return nil
|
|
case <-ctx.Done():
|
|
Common.LogDebug("MySQL并发扫描全局超时")
|
|
scanCancel() // 确保取消所有未完成工作
|
|
return nil
|
|
}
|
|
}
|
|
|
|
// tryMySQLCredential 尝试单个MySQL凭据
|
|
func tryMySQLCredential(ctx context.Context, info *Common.HostInfo, credential MySQLCredential, timeoutSeconds int64, maxRetries int) *MySQLScanResult {
|
|
var lastErr error
|
|
|
|
for retry := 0; retry < maxRetries; retry++ {
|
|
select {
|
|
case <-ctx.Done():
|
|
return &MySQLScanResult{
|
|
Success: false,
|
|
Error: fmt.Errorf("全局超时"),
|
|
Credential: credential,
|
|
}
|
|
default:
|
|
if retry > 0 {
|
|
Common.LogDebug(fmt.Sprintf("第%d次重试: %s:%s", retry+1, credential.Username, credential.Password))
|
|
time.Sleep(500 * time.Millisecond) // 重试前等待
|
|
}
|
|
|
|
// 创建独立的超时上下文
|
|
connCtx, cancel := context.WithTimeout(ctx, time.Duration(timeoutSeconds)*time.Second)
|
|
success, err := MysqlConn(connCtx, info, credential.Username, credential.Password)
|
|
cancel()
|
|
|
|
if success {
|
|
return &MySQLScanResult{
|
|
Success: true,
|
|
Credential: credential,
|
|
}
|
|
}
|
|
|
|
lastErr = err
|
|
if err != nil {
|
|
// Access denied 表示用户名或密码错误,无需重试
|
|
if strings.Contains(err.Error(), "Access denied") {
|
|
break
|
|
}
|
|
|
|
// 检查是否需要重试
|
|
if retryErr := Common.CheckErrs(err); retryErr == nil {
|
|
break // 不需要重试的错误
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
return &MySQLScanResult{
|
|
Success: false,
|
|
Error: lastErr,
|
|
Credential: credential,
|
|
}
|
|
}
|
|
|
|
// MysqlConn 尝试MySQL连接
|
|
func MysqlConn(ctx context.Context, info *Common.HostInfo, user string, pass string) (bool, error) {
|
|
host, port, username, password := info.Host, info.Ports, user, pass
|
|
timeout := time.Duration(Common.Timeout) * time.Second
|
|
|
|
// 构造连接字符串,包含超时设置
|
|
connStr := fmt.Sprintf(
|
|
"%v:%v@tcp(%v:%v)/mysql?charset=utf8&timeout=%v",
|
|
username, password, host, port, timeout,
|
|
)
|
|
|
|
// 创建结果通道
|
|
resultChan := make(chan struct {
|
|
success bool
|
|
err error
|
|
}, 1)
|
|
|
|
// 在协程中尝试连接
|
|
go func() {
|
|
// 建立数据库连接
|
|
db, err := sql.Open("mysql", connStr)
|
|
if err != nil {
|
|
select {
|
|
case <-ctx.Done():
|
|
case resultChan <- struct {
|
|
success bool
|
|
err error
|
|
}{false, err}:
|
|
}
|
|
return
|
|
}
|
|
defer db.Close()
|
|
|
|
// 设置连接参数
|
|
db.SetConnMaxLifetime(timeout)
|
|
db.SetConnMaxIdleTime(timeout)
|
|
db.SetMaxIdleConns(0)
|
|
|
|
// 添加上下文支持
|
|
conn, err := db.Conn(ctx)
|
|
if err != nil {
|
|
select {
|
|
case <-ctx.Done():
|
|
case resultChan <- struct {
|
|
success bool
|
|
err error
|
|
}{false, err}:
|
|
}
|
|
return
|
|
}
|
|
defer conn.Close()
|
|
|
|
// 测试连接
|
|
err = conn.PingContext(ctx)
|
|
if err != nil {
|
|
select {
|
|
case <-ctx.Done():
|
|
case resultChan <- struct {
|
|
success bool
|
|
err error
|
|
}{false, err}:
|
|
}
|
|
return
|
|
}
|
|
|
|
// 连接成功
|
|
select {
|
|
case <-ctx.Done():
|
|
case resultChan <- struct {
|
|
success bool
|
|
err error
|
|
}{true, nil}:
|
|
}
|
|
}()
|
|
|
|
// 等待结果或上下文取消
|
|
select {
|
|
case result := <-resultChan:
|
|
return result.success, result.err
|
|
case <-ctx.Done():
|
|
return false, ctx.Err()
|
|
}
|
|
}
|
|
|
|
// saveMySQLResult 保存MySQL扫描结果
|
|
func saveMySQLResult(info *Common.HostInfo, target string, credential MySQLCredential) {
|
|
successMsg := fmt.Sprintf("MySQL %s %v %v", target, credential.Username, credential.Password)
|
|
Common.LogSuccess(successMsg)
|
|
|
|
// 保存结果
|
|
vulnResult := &Common.ScanResult{
|
|
Time: time.Now(),
|
|
Type: Common.VULN,
|
|
Target: info.Host,
|
|
Status: "vulnerable",
|
|
Details: map[string]interface{}{
|
|
"port": info.Ports,
|
|
"service": "mysql",
|
|
"username": credential.Username,
|
|
"password": credential.Password,
|
|
"type": "weak-password",
|
|
},
|
|
}
|
|
Common.SaveResult(vulnResult)
|
|
}
|