admin/fscan
1
0
Fork 0
mirror of https://github.com/shadow1ng/fscan.git synced 2025-06-22 02:40:49 +00:00
Code Issues Packages Projects Releases Wiki Activity
fscan/Plugins/Rsync.go

484 lines
12 KiB
Go
Raw Permalink Blame History

package Plugins
import (
"context"
"fmt"
"github.com/shadow1ng/fscan/Common"
"net"
"strings"
"sync"
"time"
)
// RsyncCredential 表示一个Rsync凭据
type RsyncCredential struct {
Username string
Password string
}
// RsyncScanResult 表示Rsync扫描结果
type RsyncScanResult struct {
Success bool
Error error
Credential RsyncCredential
IsAnonymous bool
ModuleName string
}
func RsyncScan(info *Common.HostInfo) error {
if Common.DisableBrute {
return nil
}
target := fmt.Sprintf("%v:%v", info.Host, info.Ports)
Common.LogDebug(fmt.Sprintf("开始扫描 %s", target))
// 设置全局超时上下文
ctx, cancel := context.WithTimeout(context.Background(), time.Duration(Common.GlobalTimeout)*time.Second)
defer cancel()
// 首先尝试匿名访问
Common.LogDebug("尝试匿名访问...")
anonymousResult := tryRsyncCredential(ctx, info, RsyncCredential{"", ""}, Common.Timeout, Common.MaxRetries)
if anonymousResult.Success {
// 匿名访问成功
saveRsyncResult(info, target, anonymousResult)
return nil
}
// 构建凭据列表
var credentials []RsyncCredential
for _, user := range Common.Userdict["rsync"] {
for _, pass := range Common.Passwords {
actualPass := strings.Replace(pass, "{user}", user, -1)
credentials = append(credentials, RsyncCredential{
Username: user,
Password: actualPass,
})
}
}
Common.LogDebug(fmt.Sprintf("开始尝试用户名密码组合 (总用户数: %d, 总密码数: %d, 总组合数: %d)",
len(Common.Userdict["rsync"]), len(Common.Passwords), len(credentials)))
// 使用工作池并发扫描
result := concurrentRsyncScan(ctx, info, credentials, Common.Timeout, Common.MaxRetries)
if result != nil {
// 保存成功结果
saveRsyncResult(info, target, result)
return nil
}
// 检查是否因为全局超时而退出
select {
case <-ctx.Done():
Common.LogDebug("Rsync扫描全局超时")
return fmt.Errorf("全局超时")
default:
Common.LogDebug(fmt.Sprintf("扫描完成,共尝试 %d 个组合", len(credentials)+1)) // +1 是因为还尝试了匿名访问
return nil
}
}
// concurrentRsyncScan 并发扫描Rsync服务
func concurrentRsyncScan(ctx context.Context, info *Common.HostInfo, credentials []RsyncCredential, timeoutSeconds int64, maxRetries int) *RsyncScanResult {
// 使用ModuleThreadNum控制并发数
maxConcurrent := Common.ModuleThreadNum
if maxConcurrent <= 0 {
maxConcurrent = 10 // 默认值
}
if maxConcurrent > len(credentials) {
maxConcurrent = len(credentials)
}
// 创建工作池
var wg sync.WaitGroup
resultChan := make(chan *RsyncScanResult, 1)
workChan := make(chan RsyncCredential, maxConcurrent)
scanCtx, scanCancel := context.WithCancel(ctx)
defer scanCancel()
// 启动工作协程
for i := 0; i < maxConcurrent; i++ {
wg.Add(1)
go func() {
defer wg.Done()
for credential := range workChan {
select {
case <-scanCtx.Done():
return
default:
result := tryRsyncCredential(scanCtx, info, credential, timeoutSeconds, maxRetries)
if result.Success {
select {
case resultChan <- result:
scanCancel() // 找到有效凭据,取消其他工作
default:
}
return
}
}
}
}()
}
// 发送工作
go func() {
for i, cred := range credentials {
select {
case <-scanCtx.Done():
break
default:
Common.LogDebug(fmt.Sprintf("[%d/%d] 尝试: %s:%s", i+1, len(credentials), cred.Username, cred.Password))
workChan <- cred
}
}
close(workChan)
}()
// 等待结果或完成
go func() {
wg.Wait()
close(resultChan)
}()
// 获取结果,考虑全局超时
select {
case result, ok := <-resultChan:
if ok && result != nil && result.Success {
return result
}
return nil
case <-ctx.Done():
Common.LogDebug("Rsync并发扫描全局超时")
scanCancel() // 确保取消所有未完成工作
return nil
}
}
// tryRsyncCredential 尝试单个Rsync凭据
func tryRsyncCredential(ctx context.Context, info *Common.HostInfo, credential RsyncCredential, timeoutSeconds int64, maxRetries int) *RsyncScanResult {
var lastErr error
for retry := 0; retry < maxRetries; retry++ {
select {
case <-ctx.Done():
return &RsyncScanResult{
Success: false,
Error: fmt.Errorf("全局超时"),
Credential: credential,
}
default:
if retry > 0 {
Common.LogDebug(fmt.Sprintf("第%d次重试: %s:%s", retry+1, credential.Username, credential.Password))
time.Sleep(500 * time.Millisecond) // 重试前等待
}
// 创建连接超时上下文
connCtx, cancel := context.WithTimeout(ctx, time.Duration(timeoutSeconds)*time.Second)
success, moduleName, err := RsyncConn(connCtx, info, credential.Username, credential.Password)
cancel()
if success {
isAnonymous := credential.Username == "" && credential.Password == ""
return &RsyncScanResult{
Success: true,
Credential: credential,
IsAnonymous: isAnonymous,
ModuleName: moduleName,
}
}
lastErr = err
if err != nil {
// 检查是否需要重试
if retryErr := Common.CheckErrs(err); retryErr == nil {
break // 不需要重试的错误
}
}
}
}
return &RsyncScanResult{
Success: false,
Error: lastErr,
Credential: credential,
}
}
// RsyncConn 尝试Rsync连接
func RsyncConn(ctx context.Context, info *Common.HostInfo, user string, pass string) (bool, string, error) {
host, port := info.Host, info.Ports
timeout := time.Duration(Common.Timeout) * time.Second
// 设置带有上下文的拨号器
dialer := &net.Dialer{
Timeout: timeout,
}
// 建立连接
conn, err := dialer.DialContext(ctx, "tcp", fmt.Sprintf("%s:%s", host, port))
if err != nil {
return false, "", err
}
defer conn.Close()
// 创建结果通道用于超时控制
resultChan := make(chan struct {
success bool
moduleName string
err error
}, 1)
// 在协程中处理连接,以支持上下文取消
go func() {
buffer := make([]byte, 1024)
// 1. 读取服务器初始greeting
conn.SetReadDeadline(time.Now().Add(timeout))
n, err := conn.Read(buffer)
if err != nil {
select {
case <-ctx.Done():
case resultChan <- struct {
success bool
moduleName string
err error
}{false, "", err}:
}
return
}
greeting := string(buffer[:n])
if !strings.HasPrefix(greeting, "@RSYNCD:") {
select {
case <-ctx.Done():
case resultChan <- struct {
success bool
moduleName string
err error
}{false, "", fmt.Errorf("不是Rsync服务")}:
}
return
}
// 获取服务器版本号
version := strings.TrimSpace(strings.TrimPrefix(greeting, "@RSYNCD:"))
// 2. 回应相同的版本号
conn.SetWriteDeadline(time.Now().Add(timeout))
_, err = conn.Write([]byte(fmt.Sprintf("@RSYNCD: %s\n", version)))
if err != nil {
select {
case <-ctx.Done():
case resultChan <- struct {
success bool
moduleName string
err error
}{false, "", err}:
}
return
}
// 3. 选择模块 - 先列出可用模块
conn.SetWriteDeadline(time.Now().Add(timeout))
_, err = conn.Write([]byte("#list\n"))
if err != nil {
select {
case <-ctx.Done():
case resultChan <- struct {
success bool
moduleName string
err error
}{false, "", err}:
}
return
}
// 4. 读取模块列表
var moduleList strings.Builder
for {
// 检查上下文是否取消
select {
case <-ctx.Done():
return
default:
}
conn.SetReadDeadline(time.Now().Add(timeout))
n, err = conn.Read(buffer)
if err != nil {
break
}
chunk := string(buffer[:n])
moduleList.WriteString(chunk)
if strings.Contains(chunk, "@RSYNCD: EXIT") {
break
}
}
modules := strings.Split(moduleList.String(), "\n")
for _, module := range modules {
if strings.HasPrefix(module, "@RSYNCD") || module == "" {
continue
}
// 获取模块名
moduleName := strings.Fields(module)[0]
// 检查上下文是否取消
select {
case <-ctx.Done():
return
default:
}
// 5. 为每个模块创建新连接尝试认证
authConn, err := dialer.DialContext(ctx, "tcp", fmt.Sprintf("%s:%s", host, port))
if err != nil {
continue
}
defer authConn.Close()
// 重复初始握手
authConn.SetReadDeadline(time.Now().Add(timeout))
_, err = authConn.Read(buffer)
if err != nil {
authConn.Close()
continue
}
authConn.SetWriteDeadline(time.Now().Add(timeout))
_, err = authConn.Write([]byte(fmt.Sprintf("@RSYNCD: %s\n", version)))
if err != nil {
authConn.Close()
continue
}
// 6. 选择模块
authConn.SetWriteDeadline(time.Now().Add(timeout))
_, err = authConn.Write([]byte(moduleName + "\n"))
if err != nil {
authConn.Close()
continue
}
// 7. 等待认证挑战
authConn.SetReadDeadline(time.Now().Add(timeout))
n, err = authConn.Read(buffer)
if err != nil {
authConn.Close()
continue
}
authResponse := string(buffer[:n])
if strings.Contains(authResponse, "@RSYNCD: OK") {
// 模块不需要认证
if user == "" && pass == "" {
authConn.Close()
select {
case <-ctx.Done():
case resultChan <- struct {
success bool
moduleName string
err error
}{true, moduleName, nil}:
}
return
}
} else if strings.Contains(authResponse, "@RSYNCD: AUTHREQD") {
if user != "" && pass != "" {
// 8. 发送认证信息
authString := fmt.Sprintf("%s %s\n", user, pass)
authConn.SetWriteDeadline(time.Now().Add(timeout))
_, err = authConn.Write([]byte(authString))
if err != nil {
authConn.Close()
continue
}
// 9. 读取认证结果
authConn.SetReadDeadline(time.Now().Add(timeout))
n, err = authConn.Read(buffer)
if err != nil {
authConn.Close()
continue
}
if !strings.Contains(string(buffer[:n]), "@ERROR") {
authConn.Close()
select {
case <-ctx.Done():
case resultChan <- struct {
success bool
moduleName string
err error
}{true, moduleName, nil}:
}
return
}
}
}
authConn.Close()
}
// 如果执行到这里,没有找到成功的认证
select {
case <-ctx.Done():
case resultChan <- struct {
success bool
moduleName string
err error
}{false, "", fmt.Errorf("认证失败或无可用模块")}:
}
}()
// 等待结果或上下文取消
select {
case result := <-resultChan:
return result.success, result.moduleName, result.err
case <-ctx.Done():
return false, "", ctx.Err()
}
}
// saveRsyncResult 保存Rsync扫描结果
func saveRsyncResult(info *Common.HostInfo, target string, result *RsyncScanResult) {
var successMsg string
var details map[string]interface{}
if result.IsAnonymous {
successMsg = fmt.Sprintf("Rsync服务 %s 匿名访问成功 模块: %s", target, result.ModuleName)
details = map[string]interface{}{
"port": info.Ports,
"service": "rsync",
"type": "anonymous-access",
"module": result.ModuleName,
}
} else {
successMsg = fmt.Sprintf("Rsync服务 %s 爆破成功 用户名: %v 密码: %v 模块: %s",
target, result.Credential.Username, result.Credential.Password, result.ModuleName)
details = map[string]interface{}{
"port": info.Ports,
"service": "rsync",
"type": "weak-password",
"username": result.Credential.Username,
"password": result.Credential.Password,
"module": result.ModuleName,
}
}
Common.LogSuccess(successMsg)
// 保存结果
vulnResult := &Common.ScanResult{
Time: time.Now(),
Type: Common.VULN,
Target: info.Host,
Status: "vulnerable",
Details: details,
}
Common.SaveResult(vulnResult)
}
Reference in New Issue View Git Blame Copy Permalink