mirror of
https://github.com/shadow1ng/fscan.git
synced 2025-11-05 10:45:27 +00:00
Merge remote-tracking branch 'origin/main'
This commit is contained in:
影舞者
commit
5242388522
1
.github/conf/.goreleaser.yml
vendored
1
.github/conf/.goreleaser.yml
vendored
@ -1,5 +1,6 @@
|
|||||||
before:
|
before:
|
||||||
hooks:
|
hooks:
|
||||||
|
- sudo apt -y install libprotobuf-dev protobuf-compiler protoc-gen-go
|
||||||
- go mod tidy
|
- go mod tidy
|
||||||
- go generate ./...
|
- go generate ./...
|
||||||
builds:
|
builds:
|
||||||
|
|||||||
@ -18,7 +18,7 @@ func NetBIOS(info *common.HostInfo) error {
|
|||||||
netbios, _ := NetBIOS1(info)
|
netbios, _ := NetBIOS1(info)
|
||||||
output := netbios.String()
|
output := netbios.String()
|
||||||
if len(output) > 0 {
|
if len(output) > 0 {
|
||||||
result := fmt.Sprintf("[*] NetBios: %-15s %s ", info.Host, output)
|
result := fmt.Sprintf("[*] NetBios: %-15s %s", info.Host, output)
|
||||||
common.LogSuccess(result)
|
common.LogSuccess(result)
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
@ -237,7 +237,7 @@ func (info *NetBiosInfo) String() (output string) {
|
|||||||
}
|
}
|
||||||
if text == "" {
|
if text == "" {
|
||||||
} else if info.DomainControllers != "" {
|
} else if info.DomainControllers != "" {
|
||||||
output = fmt.Sprintf("[+]DC %-24s", text)
|
output = fmt.Sprintf("[+] DC:%-24s", text)
|
||||||
} else {
|
} else {
|
||||||
output = fmt.Sprintf("%-30s", text)
|
output = fmt.Sprintf("%-30s", text)
|
||||||
}
|
}
|
||||||
|
|||||||
@ -2,7 +2,6 @@ package Plugins
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
_ "github.com/denisenkom/go-mssqldb"
|
|
||||||
"github.com/shadow1ng/fscan/common"
|
"github.com/shadow1ng/fscan/common"
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
@ -22,32 +21,67 @@ func MongodbScan(info *common.HostInfo) error {
|
|||||||
|
|
||||||
func MongodbUnauth(info *common.HostInfo) (flag bool, err error) {
|
func MongodbUnauth(info *common.HostInfo) (flag bool, err error) {
|
||||||
flag = false
|
flag = false
|
||||||
senddata := []byte{72, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 212, 7, 0, 0, 0, 0, 0, 0, 97, 100, 109, 105, 110, 46, 36, 99, 109, 100, 0, 0, 0, 0, 0, 1, 0, 0, 0, 33, 0, 0, 0, 2, 103, 101, 116, 76, 111, 103, 0, 16, 0, 0, 0, 115, 116, 97, 114, 116, 117, 112, 87, 97, 114, 110, 105, 110, 103, 115, 0, 0}
|
// op_msg
|
||||||
|
packet1 := []byte{
|
||||||
|
0x69, 0x00, 0x00, 0x00, // messageLength
|
||||||
|
0x39, 0x00, 0x00, 0x00, // requestID
|
||||||
|
0x00, 0x00, 0x00, 0x00, // responseTo
|
||||||
|
0xdd, 0x07, 0x00, 0x00, // opCode OP_MSG
|
||||||
|
0x00, 0x00, 0x00, 0x00, // flagBits
|
||||||
|
// sections db.adminCommand({getLog: "startupWarnings"})
|
||||||
|
0x00, 0x54, 0x00, 0x00, 0x00, 0x02, 0x67, 0x65, 0x74, 0x4c, 0x6f, 0x67, 0x00, 0x10, 0x00, 0x00, 0x00, 0x73, 0x74, 0x61, 0x72, 0x74, 0x75, 0x70, 0x57, 0x61, 0x72, 0x6e, 0x69, 0x6e, 0x67, 0x73, 0x00, 0x02, 0x24, 0x64, 0x62, 0x00, 0x06, 0x00, 0x00, 0x00, 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x00, 0x03, 0x6c, 0x73, 0x69, 0x64, 0x00, 0x1e, 0x00, 0x00, 0x00, 0x05, 0x69, 0x64, 0x00, 0x10, 0x00, 0x00, 0x00, 0x04, 0x6e, 0x81, 0xf8, 0x8e, 0x37, 0x7b, 0x4c, 0x97, 0x84, 0x4e, 0x90, 0x62, 0x5a, 0x54, 0x3c, 0x93, 0x00, 0x00,
|
||||||
|
}
|
||||||
|
//op_query
|
||||||
|
packet2 := []byte{
|
||||||
|
0x48, 0x00, 0x00, 0x00, // messageLength
|
||||||
|
0x02, 0x00, 0x00, 0x00, // requestID
|
||||||
|
0x00, 0x00, 0x00, 0x00, // responseTo
|
||||||
|
0xd4, 0x07, 0x00, 0x00, // opCode OP_QUERY
|
||||||
|
0x00, 0x00, 0x00, 0x00, // flags
|
||||||
|
0x61, 0x64, 0x6d, 0x69, 0x6e, 0x2e, 0x24, 0x63, 0x6d, 0x64, 0x00, // fullCollectionName admin.$cmd
|
||||||
|
0x00, 0x00, 0x00, 0x00, // numberToSkip
|
||||||
|
0x01, 0x00, 0x00, 0x00, // numberToReturn
|
||||||
|
// query db.adminCommand({getLog: "startupWarnings"})
|
||||||
|
0x21, 0x00, 0x00, 0x00, 0x2, 0x67, 0x65, 0x74, 0x4c, 0x6f, 0x67, 0x00, 0x10, 0x00, 0x00, 0x00, 0x73, 0x74, 0x61, 0x72, 0x74, 0x75, 0x70, 0x57, 0x61, 0x72, 0x6e, 0x69, 0x6e, 0x67, 0x73, 0x00, 0x00,
|
||||||
|
}
|
||||||
|
|
||||||
realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
|
realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
|
||||||
|
|
||||||
|
checkUnAuth := func(address string, packet []byte) (string, error) {
|
||||||
conn, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second)
|
conn, err := common.WrapperTcpWithTimeout("tcp", realhost, time.Duration(common.Timeout)*time.Second)
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
defer func() {
|
defer func() {
|
||||||
if conn != nil {
|
if conn != nil {
|
||||||
conn.Close()
|
conn.Close()
|
||||||
}
|
}
|
||||||
}()
|
}()
|
||||||
if err != nil {
|
|
||||||
return flag, err
|
|
||||||
}
|
|
||||||
err = conn.SetReadDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
|
err = conn.SetReadDeadline(time.Now().Add(time.Duration(common.Timeout) * time.Second))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return flag, err
|
return "", err
|
||||||
}
|
}
|
||||||
_, err = conn.Write(senddata)
|
_, err = conn.Write(packet)
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
reply := make([]byte, 1024)
|
||||||
|
count, err := conn.Read(reply)
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
return string(reply[0:count]), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// send OP_MSG first
|
||||||
|
reply, err := checkUnAuth(realhost, packet1)
|
||||||
|
if err != nil {
|
||||||
|
reply, err = checkUnAuth(realhost, packet2)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return flag, err
|
return flag, err
|
||||||
}
|
}
|
||||||
buf := make([]byte, 1024)
|
|
||||||
count, err := conn.Read(buf)
|
|
||||||
if err != nil {
|
|
||||||
return flag, err
|
|
||||||
}
|
}
|
||||||
text := string(buf[0:count])
|
if strings.Contains(reply, "totalLinesWritten") {
|
||||||
if strings.Contains(text, "totalLinesWritten") {
|
|
||||||
flag = true
|
flag = true
|
||||||
result := fmt.Sprintf("[+] Mongodb:%v unauthorized", realhost)
|
result := fmt.Sprintf("[+] Mongodb:%v unauthorized", realhost)
|
||||||
common.LogSuccess(result)
|
common.LogSuccess(result)
|
||||||
|
|||||||
@ -4,10 +4,6 @@ import (
|
|||||||
"compress/gzip"
|
"compress/gzip"
|
||||||
"crypto/tls"
|
"crypto/tls"
|
||||||
"fmt"
|
"fmt"
|
||||||
"github.com/shadow1ng/fscan/WebScan"
|
|
||||||
"github.com/shadow1ng/fscan/WebScan/lib"
|
|
||||||
"github.com/shadow1ng/fscan/common"
|
|
||||||
"golang.org/x/text/encoding/simplifiedchinese"
|
|
||||||
"io"
|
"io"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"net/http"
|
"net/http"
|
||||||
@ -16,6 +12,11 @@ import (
|
|||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
"unicode/utf8"
|
"unicode/utf8"
|
||||||
|
|
||||||
|
"github.com/shadow1ng/fscan/WebScan"
|
||||||
|
"github.com/shadow1ng/fscan/WebScan/lib"
|
||||||
|
"github.com/shadow1ng/fscan/common"
|
||||||
|
"golang.org/x/text/encoding/simplifiedchinese"
|
||||||
)
|
)
|
||||||
|
|
||||||
func WebTitle(info *common.HostInfo) error {
|
func WebTitle(info *common.HostInfo) error {
|
||||||
@ -140,7 +141,7 @@ func geturl(info *common.HostInfo, flag int, CheckData []WebScan.CheckDatas) (er
|
|||||||
if !utf8.Valid(body) {
|
if !utf8.Valid(body) {
|
||||||
body, _ = simplifiedchinese.GBK.NewDecoder().Bytes(body)
|
body, _ = simplifiedchinese.GBK.NewDecoder().Bytes(body)
|
||||||
}
|
}
|
||||||
CheckData = append(CheckData, WebScan.CheckDatas{body, fmt.Sprintf("%s", resp.Header)})
|
CheckData = append(CheckData, WebScan.CheckDatas{Body: body, Headers: fmt.Sprintf("%s", resp.Header)})
|
||||||
var reurl string
|
var reurl string
|
||||||
if flag != 2 {
|
if flag != 2 {
|
||||||
title = gettitle(body)
|
title = gettitle(body)
|
||||||
|
|||||||
@ -38,7 +38,7 @@ func InfoCheck(Url string, CheckData *[]CheckDatas) []string {
|
|||||||
infoname = removeDuplicateElement(infoname)
|
infoname = removeDuplicateElement(infoname)
|
||||||
|
|
||||||
if len(infoname) > 0 {
|
if len(infoname) > 0 {
|
||||||
result := fmt.Sprintf("[+] InfoScan:%-25v %s ", Url, infoname)
|
result := fmt.Sprintf("[+] InfoScan: %-25v %s ", Url, infoname)
|
||||||
common.LogSuccess(result)
|
common.LogSuccess(result)
|
||||||
return infoname
|
return infoname
|
||||||
}
|
}
|
||||||
|
|||||||
@ -627,7 +627,7 @@ func DoRequest(req *http.Request, redirect bool) (*Response, error) {
|
|||||||
defer oResp.Body.Close()
|
defer oResp.Body.Close()
|
||||||
resp, err := ParseResponse(oResp)
|
resp, err := ParseResponse(oResp)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
common.LogError("[-]ParseResponse error: " + err.Error())
|
common.LogError("[-] ParseResponse error: " + err.Error())
|
||||||
//return nil, err
|
//return nil, err
|
||||||
}
|
}
|
||||||
return resp, err
|
return resp, err
|
||||||
|
|||||||
@ -57,8 +57,8 @@ func Flag(Info *HostInfo) {
|
|||||||
flag.StringVar(&Passfile, "pwdf", "", "password file")
|
flag.StringVar(&Passfile, "pwdf", "", "password file")
|
||||||
flag.StringVar(&PortFile, "portf", "", "Port File")
|
flag.StringVar(&PortFile, "portf", "", "Port File")
|
||||||
flag.StringVar(&PocPath, "pocpath", "", "poc file path")
|
flag.StringVar(&PocPath, "pocpath", "", "poc file path")
|
||||||
flag.StringVar(&RedisFile, "rf", "", "redis file to write sshkey file (as: -rf id_rsa.pub) ")
|
flag.StringVar(&RedisFile, "rf", "", "redis file to write sshkey file (as: -rf id_rsa.pub)")
|
||||||
flag.StringVar(&RedisShell, "rs", "", "redis shell to write cron file (as: -rs 192.168.1.1:6666) ")
|
flag.StringVar(&RedisShell, "rs", "", "redis shell to write cron file (as: -rs 192.168.1.1:6666)")
|
||||||
flag.BoolVar(&IsWebCan, "nopoc", false, "not to scan web vul")
|
flag.BoolVar(&IsWebCan, "nopoc", false, "not to scan web vul")
|
||||||
flag.BoolVar(&IsBrute, "nobr", false, "not to Brute password")
|
flag.BoolVar(&IsBrute, "nobr", false, "not to Brute password")
|
||||||
flag.IntVar(&BruteThread, "br", 1, "Brute threads")
|
flag.IntVar(&BruteThread, "br", 1, "Brute threads")
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user