fscan/Plugins/scanner.go

package Plugins

import (
	"fmt"
	"github.com/shadow1ng/fscan/WebScan/lib"
	"github.com/shadow1ng/fscan/common"
	"reflect"
	"strconv"
	"strings"
	"sync"
)

func Scan(info common.HostInfo) {
	fmt.Println("start infoscan")
	Hosts, err := common.ParseIP(info.Host, common.HostFile, common.NoHosts)
	if err != nil {
		fmt.Println("len(hosts)==0", err)
		return
	}
	lib.Inithttp(common.Pocinfo)
	var ch = make(chan struct{}, common.Threads)
	var wg = sync.WaitGroup{}
	web := strconv.Itoa(common.PORTList["web"])
	ms17010 := strconv.Itoa(common.PORTList["ms17010"])
	if len(Hosts) > 0 || len(common.HostPort) > 0 {
		if common.NoPing == false && len(Hosts) > 1 || common.Scantype == "icmp" {
			Hosts = CheckLive(Hosts, common.Ping)
			fmt.Println("[*] Icmp alive hosts len is:", len(Hosts))
		}
		if common.Scantype == "icmp" {
			common.LogWG.Wait()
			return
		}
		var AlivePorts []string
		if common.Scantype == "webonly" || common.Scantype == "webpoc" {
			AlivePorts = NoPortScan(Hosts, common.Ports)
		} else if common.Scantype == "hostname" {
			common.Ports = "139"
			AlivePorts = NoPortScan(Hosts, common.Ports)
		} else if len(Hosts) > 0 {
			AlivePorts = PortScan(Hosts, common.Ports, common.Timeout)
			fmt.Println("[*] alive ports len is:", len(AlivePorts))
			if common.Scantype == "portscan" {
				common.LogWG.Wait()
				return
			}
		}
		if len(common.HostPort) > 0 {
			AlivePorts = append(AlivePorts, common.HostPort...)
			AlivePorts = common.RemoveDuplicate(AlivePorts)
			common.HostPort = nil
			fmt.Println("[*] AlivePorts len is:", len(AlivePorts))
		}
		var severports []string //severports := []string{"21","22","135"."445","1433","3306","5432","6379","9200","11211","27017"...}
		for _, port := range common.PORTList {
			severports = append(severports, strconv.Itoa(port))
		}
		fmt.Println("start vulscan")
		for _, targetIP := range AlivePorts {
			info.Host, info.Ports = strings.Split(targetIP, ":")[0], strings.Split(targetIP, ":")[1]
			if common.Scantype == "all" || common.Scantype == "main" {
				switch {
				case info.Ports == "135":
					AddScan(info.Ports, info, &ch, &wg) //findnet
					if common.IsWmi {
						AddScan("1000005", info, &ch, &wg) //wmiexec
					}
				case info.Ports == "445":
					AddScan(ms17010, info, &ch, &wg) //ms17010
					//AddScan(info.Ports, info, ch, &wg)  //smb
					//AddScan("1000002", info, ch, &wg) //smbghost
				case info.Ports == "9000":
					AddScan(web, info, &ch, &wg)        //http
					AddScan(info.Ports, info, &ch, &wg) //fcgiscan
				case IsContain(severports, info.Ports):
					AddScan(info.Ports, info, &ch, &wg) //plugins scan
				default:
					AddScan(web, info, &ch, &wg) //webtitle
				}
			} else {
				scantype := strconv.Itoa(common.PORTList[common.Scantype])
				AddScan(scantype, info, &ch, &wg)
			}
		}
	}
	for _, url := range common.Urls {
		info.Url = url
		AddScan(web, info, &ch, &wg)
	}
	wg.Wait()
	common.LogWG.Wait()
	close(common.Results)
	fmt.Printf("已完成 %v/%v\n", common.End, common.Num)
}

var Mutex = &sync.Mutex{}

func AddScan(scantype string, info common.HostInfo, ch *chan struct{}, wg *sync.WaitGroup) {
	*ch <- struct{}{}
	wg.Add(1)
	go func() {
		Mutex.Lock()
		common.Num += 1
		Mutex.Unlock()
		ScanFunc(&scantype, &info)
		Mutex.Lock()
		common.End += 1
		Mutex.Unlock()
		wg.Done()
		<-*ch
	}()
}

func ScanFunc(name *string, info *common.HostInfo) {
	f := reflect.ValueOf(PluginList[*name])
	in := []reflect.Value{reflect.ValueOf(info)}
	f.Call(in)
}

func IsContain(items []string, item string) bool {
	for _, eachItem := range items {
		if eachItem == item {
			return true
		}
	}
	return false
}
commit message 2020-12-29 17:17:10 +08:00			`package Plugins`

			`import (`
			`"fmt"`
加入fcgi协议未授权命令执行扫描,优化poc模块 2021-05-29 12:13:10 +08:00			`"github.com/shadow1ng/fscan/WebScan/lib"`
commit message 2020-12-29 17:17:10 +08:00			`"github.com/shadow1ng/fscan/common"`
			`"reflect"`
			`"strconv"`
			`"strings"`
			`"sync"`
			`)`

			`func Scan(info common.HostInfo) {`
修改线程处理机制 2021-03-30 22:30:16 +08:00			`fmt.Println("start infoscan")`
优化ip解析模块 2021-12-01 15:22:48 +08:00			`Hosts, err := common.ParseIP(info.Host, common.HostFile, common.NoHosts)`
			`if err != nil {`
			`fmt.Println("len(hosts)==0", err)`
			`return`
			`}`
加入fcgi协议未授权命令执行扫描,优化poc模块 2021-05-29 12:13:10 +08:00			`lib.Inithttp(common.Pocinfo)`
修改icmp发包模式,更适合大规模探测。修改报错提示,--debug时,如果10秒内没有LogSuccess的消息,每隔10秒就会打印一下当前进度 2021-02-05 14:43:07 +08:00			`var ch = make(chan struct{}, common.Threads)`
commit message 2020-12-29 17:17:10 +08:00			`var wg = sync.WaitGroup{}`
增加-dns参数启用dnslog poc 2022-08-16 11:18:09 +08:00			`web := strconv.Itoa(common.PORTList["web"])`
			`ms17010 := strconv.Itoa(common.PORTList["ms17010"])`
-hf 支持host:port和host/xx:port格式 2022-07-14 12:04:47 +08:00			`if len(Hosts) > 0 \|\| len(common.HostPort) > 0 {`
Update 2023-11-13 17:41:54 +08:00			`if common.NoPing == false && len(Hosts) > 1 \|\| common.Scantype == "icmp" {`
新增LiveTop功能,检测存活时,默认会输出top10的b、c段ip存活数量 2022-01-07 13:38:38 +08:00			`Hosts = CheckLive(Hosts, common.Ping)`
			`fmt.Println("[*] Icmp alive hosts len is:", len(Hosts))`
修复一个web超时的bug 2021-03-05 11:44:21 +08:00			`}`
减少info结构体大小 2022-07-03 23:41:39 +08:00			`if common.Scantype == "icmp" {`
新增LiveTop功能,检测存活时,默认会输出top10的b、c段ip存活数量 2022-01-07 13:38:38 +08:00			`common.LogWG.Wait()`
修复一个web超时的bug 2021-03-05 11:44:21 +08:00			`return`
			`}`
新增-m webonly,跳过端口扫描,直接访问http。致谢@AgeloVito 2022-02-25 15:29:45 +08:00			`var AlivePorts []string`
加入hash碰撞、wmiiexec无回显命令执行 2022-11-19 17:04:13 +08:00			`if common.Scantype == "webonly" \|\| common.Scantype == "webpoc" {`
Update 2023-11-13 16:23:19 +08:00			`AlivePorts = NoPortScan(Hosts, common.Ports)`
加入hash碰撞、wmiiexec无回显命令执行 2022-11-19 17:04:13 +08:00			`} else if common.Scantype == "hostname" {`
Update 2023-11-13 16:23:19 +08:00			`common.Ports = "139"`
			`AlivePorts = NoPortScan(Hosts, common.Ports)`
-hf 支持host:port和host/xx:port格式 2022-07-14 12:04:47 +08:00			`} else if len(Hosts) > 0 {`
Update 2023-11-13 16:23:19 +08:00			`AlivePorts = PortScan(Hosts, common.Ports, common.Timeout)`
新增-m webonly,跳过端口扫描,直接访问http。致谢@AgeloVito 2022-02-25 15:29:45 +08:00			`fmt.Println("[*] alive ports len is:", len(AlivePorts))`
减少info结构体大小 2022-07-03 23:41:39 +08:00			`if common.Scantype == "portscan" {`
新增-m webonly,跳过端口扫描,直接访问http。致谢@AgeloVito 2022-02-25 15:29:45 +08:00			`common.LogWG.Wait()`
			`return`
			`}`
修复一个web超时的bug 2021-03-05 11:44:21 +08:00			`}`
-hf 支持host:port和host/xx:port格式 2022-07-14 12:04:47 +08:00			`if len(common.HostPort) > 0 {`
			`AlivePorts = append(AlivePorts, common.HostPort...)`
			`AlivePorts = common.RemoveDuplicate(AlivePorts)`
-hf 支持host:port和host/xx:port格式 2022-07-14 12:19:16 +08:00			`common.HostPort = nil`
-hf 支持host:port和host/xx:port格式 2022-07-14 12:04:47 +08:00			`fmt.Println("[*] AlivePorts len is:", len(AlivePorts))`
			`}`
修复一个web超时的bug 2021-03-05 11:44:21 +08:00			`var severports []string //severports := []string{"21","22","135"."445","1433","3306","5432","6379","9200","11211","27017"...}`
			`for _, port := range common.PORTList {`
			`severports = append(severports, strconv.Itoa(port))`
			`}`
修改线程处理机制 2021-03-30 22:30:16 +08:00			`fmt.Println("start vulscan")`
修复一个web超时的bug 2021-03-05 11:44:21 +08:00			`for _, targetIP := range AlivePorts {`
			`info.Host, info.Ports = strings.Split(targetIP, ":")[0], strings.Split(targetIP, ":")[1]`
减少info结构体大小 2022-07-03 23:41:39 +08:00			`if common.Scantype == "all" \|\| common.Scantype == "main" {`
加入fcgi协议未授权命令执行扫描,优化poc模块 2021-05-29 12:13:10 +08:00			`switch {`
加入hash碰撞、wmiiexec无回显命令执行 2022-11-19 17:04:13 +08:00			`case info.Ports == "135":`
			`AddScan(info.Ports, info, &ch, &wg) //findnet`
			`if common.IsWmi {`
			`AddScan("1000005", info, &ch, &wg) //wmiexec`
			`}`
加入fcgi协议未授权命令执行扫描,优化poc模块 2021-05-29 12:13:10 +08:00			`case info.Ports == "445":`
增加-dns参数启用dnslog poc 2022-08-16 11:18:09 +08:00			`AddScan(ms17010, info, &ch, &wg) //ms17010`
加入fcgi协议未授权命令执行扫描,优化poc模块 2021-05-29 12:13:10 +08:00			`//AddScan(info.Ports, info, ch, &wg) //smb`
poc模块加入指定目录或文件 -pocpath poc路径,端口可以指定文件-portf port.txt,rdp模块加入多线程爆破demo, -br xx指定线程 2022-04-20 17:45:27 +08:00			`//AddScan("1000002", info, ch, &wg) //smbghost`
加入fcgi协议未授权命令执行扫描,优化poc模块 2021-05-29 12:13:10 +08:00			`case info.Ports == "9000":`
增加-dns参数启用dnslog poc 2022-08-16 11:18:09 +08:00			`AddScan(web, info, &ch, &wg) //http`
			`AddScan(info.Ports, info, &ch, &wg) //fcgiscan`
加入fcgi协议未授权命令执行扫描,优化poc模块 2021-05-29 12:13:10 +08:00			`case IsContain(severports, info.Ports):`
增加-dns参数启用dnslog poc 2022-08-16 11:18:09 +08:00			`AddScan(info.Ports, info, &ch, &wg) //plugins scan`
加入fcgi协议未授权命令执行扫描,优化poc模块 2021-05-29 12:13:10 +08:00			`default:`
增加-dns参数启用dnslog poc 2022-08-16 11:18:09 +08:00			`AddScan(web, info, &ch, &wg) //webtitle`
修复一个web超时的bug 2021-03-05 11:44:21 +08:00			`}`
ftp默认列出前5个目录 2020-12-30 21:30:36 +08:00			`} else {`
增加-dns参数启用dnslog poc 2022-08-16 11:18:09 +08:00			`scantype := strconv.Itoa(common.PORTList[common.Scantype])`
			`AddScan(scantype, info, &ch, &wg)`
commit message 2020-12-29 17:17:10 +08:00			`}`
			`}`
			`}`
加入手工gc回收,尝试节省无用内存。 -url 支持逗号隔开。修复一个poc模块bug。 2022-07-06 21:42:00 +08:00			`for _, url := range common.Urls {`
			`info.Url = url`
增加-dns参数启用dnslog poc 2022-08-16 11:18:09 +08:00			`AddScan(web, info, &ch, &wg)`
支持-u url或者-uf url.txt,进行url批量扫描 2021-03-04 14:42:10 +08:00			`}`
commit message 2020-12-29 17:17:10 +08:00			`wg.Wait()`
更新mod库、编码、poc等 2021-05-06 11:37:29 +08:00			`common.LogWG.Wait()`
修改线程处理机制 2021-03-30 22:30:16 +08:00			`close(common.Results)`
Update 2023-11-13 16:23:19 +08:00			`fmt.Printf("已完成 %v/%v\n", common.End, common.Num)`
commit message 2020-12-29 17:17:10 +08:00			`}`

修改线程处理机制 2021-03-30 18:12:54 +08:00			`var Mutex = &sync.Mutex{}`

增加-dns参数启用dnslog poc 2022-08-16 11:18:09 +08:00			`func AddScan(scantype string, info common.HostInfo, ch chan struct{}, wg sync.WaitGroup) {`
			`*ch <- struct{}{}`
commit message 2020-12-29 17:17:10 +08:00			`wg.Add(1)`
			`go func() {`
修改线程处理机制 2021-03-30 18:12:54 +08:00			`Mutex.Lock()`
			`common.Num += 1`
			`Mutex.Unlock()`
增加-dns参数启用dnslog poc 2022-08-16 11:18:09 +08:00			`ScanFunc(&scantype, &info)`
修改线程处理机制 2021-03-30 18:12:54 +08:00			`Mutex.Lock()`
			`common.End += 1`
			`Mutex.Unlock()`
update 2022-05-12 17:56:32 +08:00			`wg.Done()`
增加-dns参数启用dnslog poc 2022-08-16 11:18:09 +08:00			`<-*ch`
commit message 2020-12-29 17:17:10 +08:00			`}()`
			`}`

增加-dns参数启用dnslog poc 2022-08-16 11:18:09 +08:00			`func ScanFunc(name string, info common.HostInfo) {`
			`f := reflect.ValueOf(PluginList[*name])`
			`in := []reflect.Value{reflect.ValueOf(info)}`
			`f.Call(in)`
commit message 2020-12-29 17:17:10 +08:00			`}`

			`func IsContain(items []string, item string) bool {`
			`for _, eachItem := range items {`
			`if eachItem == item {`
			`return true`
			`}`
			`}`
			`return false`
			`}`