feat: 增加单独的Elasticsearch扫描

2025-05-05 10:17:49 +00:00 · 2024-12-22 02:31:56 +08:00 · 2024-12-22 02:31:56 +08:00 · 8be8f94d82
commit 8be8f94d82
parent 2e3ccee2e0
7 changed files with 137 additions and 5 deletions
--- a/Common/Config.go
+++ b/Common/Config.go
@ -12,9 +12,10 @@ var Userdict = map[string][]string{
 	"mongodb":    {"root", "admin"},
 	"oracle":     {"sys", "system", "admin", "test", "web", "orcl"},
 	"telnet":     {"root", "admin", "test"},
+	"elastic":    {"elastic", "admin", "kibana"},
 }

-var Passwords = []string{"123456", "admin", "admin123", "root", "", "pass123", "pass@123", "password", "P@ssword123", "123123", "654321", "111111", "123", "1", "admin@123", "Admin@123", "admin123!@#", "{user}", "{user}1", "{user}111", "{user}123", "{user}@123", "{user}_123", "{user}#123", "{user}@111", "{user}@2019", "{user}@123#4", "P@ssw0rd!", "P@ssw0rd", "Passw0rd", "qwe123", "12345678", "test", "test123", "123qwe", "123qwe!@#", "123456789", "123321", "666666", "a123456.", "123456~a", "123456!a", "000000", "1234567890", "8888888", "!QAZ2wsx", "1qaz2wsx", "abc123", "abc123456", "1qaz@WSX", "a11111", "a12345", "Aa1234", "Aa1234.", "Aa12345", "a123456", "a123123", "Aa123123", "Aa123456", "Aa12345.", "sysadmin", "system", "1qaz!QAZ", "2wsx@WSX", "qwe123!@#", "Aa123456!", "A123456s!", "sa123456", "1q2w3e", "Charge123", "Aa123456789"}
+var Passwords = []string{"123456", "admin", "admin123", "root", "", "pass123", "pass@123", "password", "P@ssword123", "123123", "654321", "111111", "123", "1", "admin@123", "Admin@123", "admin123!@#", "{user}", "{user}1", "{user}111", "{user}123", "{user}@123", "{user}_123", "{user}#123", "{user}@111", "{user}@2019", "{user}@123#4", "P@ssw0rd!", "P@ssw0rd", "Passw0rd", "qwe123", "12345678", "test", "test123", "123qwe", "123qwe!@#", "123456789", "123321", "666666", "a123456.", "123456~a", "123456!a", "000000", "1234567890", "8888888", "!QAZ2wsx", "1qaz2wsx", "abc123", "abc123456", "1qaz@WSX", "a11111", "a12345", "Aa1234", "Aa1234.", "Aa12345", "a123456", "a123123", "Aa123123", "Aa123456", "Aa12345.", "sysadmin", "system", "1qaz!QAZ", "2wsx@WSX", "qwe123!@#", "Aa123456!", "A123456s!", "sa123456", "1q2w3e", "Charge123", "Aa123456789", "elastic123"}

 var Outputfile = "result.txt"
 var IsSave = true
--- a/Common/ParseScanMode.go
+++ b/Common/ParseScanMode.go
@ -20,7 +20,7 @@ var pluginGroups = map[string][]string{
 	ModeAll: {
 		"web", "fcgi", // web类
 		"mysql", "mssql", "redis", "mongodb", "postgres", // 数据库类
-		"oracle", "memcached", // 数据库类
+		"oracle", "memcached", "elasticsearch", // 数据库类
 		"ftp", "ssh", "telnet", "smb", "rdp", "vnc", "netbios", // 服务类
 		"ms17010", "smbghost", "smb2", // 漏洞类
 		"findnet", "wmiexec", // 其他
@ -30,7 +30,7 @@ var pluginGroups = map[string][]string{
 	},
 	ModeDatabase: {
 		"mysql", "mssql", "redis", "mongodb",
-		"postgres", "oracle", "memcached",
+		"postgres", "oracle", "memcached", "elasticsearch",
 	},
 	ModeWeb: {
 		"web", "fcgi",
--- a/Common/Ports.go
+++ b/Common/Ports.go
@ -5,8 +5,8 @@ import (
 	"strings"
 )

-var ServicePorts = "21,22,23,135,139,445,1433,1521,2222,3306,3389,5432,6379,9000,11211,27017"
-var DbPorts = "1433,1521,3306,5432,6379,11211,27017"
+var ServicePorts = "21,22,23,135,139,445,1433,1521,2222,3306,3389,5432,6379,9000,9200,11211,27017"
+var DbPorts = "1433,1521,3306,5432,6379,9200,11211,27017"
 var WebPorts = "80,81,82,83,84,85,86,87,88,89,90,91,92,98,99,443,800,801,808,880,888,889,1000,1010,1080,1081,1082,1099,1118,1888,2008,2020,2100,2375,2379,3000,3008,3128,3505,5555,6080,6648,6868,7000,7001,7002,7003,7004,7005,7007,7008,7070,7071,7074,7078,7080,7088,7200,7680,7687,7688,7777,7890,8000,8001,8002,8003,8004,8006,8008,8009,8010,8011,8012,8016,8018,8020,8028,8030,8038,8042,8044,8046,8048,8053,8060,8069,8070,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8096,8097,8098,8099,8100,8101,8108,8118,8161,8172,8180,8181,8200,8222,8244,8258,8280,8288,8300,8360,8443,8448,8484,8800,8834,8838,8848,8858,8868,8879,8880,8881,8888,8899,8983,8989,9000,9001,9002,9008,9010,9043,9060,9080,9081,9082,9083,9084,9085,9086,9087,9088,9089,9090,9091,9092,9093,9094,9095,9096,9097,9098,9099,9100,9200,9443,9448,9800,9981,9986,9988,9998,9999,10000,10001,10002,10004,10008,10010,10250,12018,12443,14000,16080,18000,18001,18002,18004,18008,18080,18082,18088,18090,18098,19001,20000,20720,21000,21501,21502,28018,20880"
 var AllPorts = "1-65535"
 var MainPorts = "21,22,23,80,81,135,139,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017"
--- a/Core/Registry.go
+++ b/Core/Registry.go
@ -61,6 +61,12 @@ func init() {
 		ScanFunc: Plugins.MysqlScan,
 	})

+	Common.RegisterPlugin("elasticsearch", Common.ScanPlugin{
+		Name:     "Elasticsearch",
+		Ports:    []int{9200, 9300}, // Elasticsearch 默认HTTP和Transport端口
+		ScanFunc: Plugins.ElasticScan,
+	})
+
 	Common.RegisterPlugin("rdp", Common.ScanPlugin{
 		Name:     "RDP",
 		Ports:    []int{3389},
--- a/Plugins/Elasticsearch.go
+++ b/Plugins/Elasticsearch.go
@ -0,0 +1,104 @@
+package Plugins
+
+import (
+	"crypto/tls"
+	"encoding/base64"
+	"fmt"
+	"github.com/shadow1ng/fscan/Common"
+	"net/http"
+	"strings"
+	"time"
+)
+
+// ElasticScan 执行 Elasticsearch 服务扫描
+func ElasticScan(info *Common.HostInfo) (tmperr error) {
+	if Common.DisableBrute {
+		return
+	}
+
+	starttime := time.Now().Unix()
+
+	// 首先测试无认证访问
+	flag, err := ElasticConn(info, "", "")
+	if flag && err == nil {
+		return err
+	}
+
+	// 尝试用户名密码组合
+	for _, user := range Common.Userdict["elastic"] {
+		for _, pass := range Common.Passwords {
+			// 替换密码中的用户名占位符
+			pass = strings.Replace(pass, "{user}", user, -1)
+
+			flag, err := ElasticConn(info, user, pass)
+			if flag && err == nil {
+				return err
+			}
+
+			// 记录错误信息
+			errlog := fmt.Sprintf("[-] Elasticsearch服务 %v:%v 尝试失败 用户名: %v 密码: %v 错误: %v", info.Host, info.Ports, user, pass, err)
+			Common.LogError(errlog)
+			tmperr = err
+
+			if Common.CheckErrs(err) {
+				return err
+			}
+
+			// 超时检查
+			if time.Now().Unix()-starttime > (int64(len(Common.Userdict["elastic"])*len(Common.Passwords)) * Common.Timeout) {
+				return err
+			}
+		}
+	}
+	return tmperr
+}
+
+// ElasticConn 尝试 Elasticsearch 连接
+func ElasticConn(info *Common.HostInfo, user string, pass string) (bool, error) {
+	host, port := info.Host, info.Ports
+	timeout := time.Duration(Common.Timeout) * time.Second
+
+	// 构造请求客户端
+	client := &http.Client{
+		Timeout: timeout,
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		},
+	}
+
+	// 构造基础URL
+	baseURL := fmt.Sprintf("http://%s:%s", host, port)
+
+	// 创建请求
+	req, err := http.NewRequest("GET", baseURL+"/_cat/indices", nil)
+	if err != nil {
+		return false, err
+	}
+
+	// 如果提供了认证信息,添加Basic认证头
+	if user != "" || pass != "" {
+		auth := base64.StdEncoding.EncodeToString([]byte(user + ":" + pass))
+		req.Header.Add("Authorization", "Basic "+auth)
+	}
+
+	// 发送请求
+	resp, err := client.Do(req)
+	if err != nil {
+		return false, err
+	}
+	defer resp.Body.Close()
+
+	// 检查响应状态
+	if resp.StatusCode == 200 {
+		result := fmt.Sprintf("[+] Elasticsearch服务 %v:%v ", host, port)
+		if user != "" {
+			result += fmt.Sprintf("爆破成功 用户名: %v 密码: %v", user, pass)
+		} else {
+			result += "无需认证即可访问"
+		}
+		Common.LogSuccess(result)
+		return true, nil
+	}
+
+	return false, fmt.Errorf("认证失败")
+}
--- a/TestDocker/Elasticsearch/Dockerfile
+++ b/TestDocker/Elasticsearch/Dockerfile
@ -0,0 +1,19 @@
+FROM docker.elastic.co/elasticsearch/elasticsearch:7.9.3
+
+# 设置环境变量允许单节点运行
+ENV discovery.type=single-node
+
+# 允许任意IP访问
+ENV network.host=0.0.0.0
+
+# 设置弱密码
+ENV ELASTIC_PASSWORD=elastic123
+
+# 暴露端口
+EXPOSE 9200 9300
+
+# 设置默认用户名elastic和密码elastic123
+RUN echo 'elastic:elastic123' > /usr/share/elasticsearch/config/users
+
+# 关闭xpack安全功能，使其可以无认证访问
+RUN echo 'xpack.security.enabled: false' >> /usr/share/elasticsearch/config/elasticsearch.yml
--- a/TestDocker/Elasticsearch/README.txt
+++ b/TestDocker/Elasticsearch/README.txt
@ -0,0 +1,2 @@
+docker build -t elastic-test .
+docker run -d -p 9200:9200 -p 9300:9300 elastic-test