已加入yaml解析引擎,支持xray的Poc,默认使用所有Poc(已对xray的poc进行了筛选),可以使用-pocname weblog…

…ic,只使用某种或某个poc。需要go版本1.16以上,只能自行编译最新版go来进行测试
shadow1ng · Dec 12, 2020 · 7742b1f · 7742b1f
1 parent c27eccb
commit 7742b1f
Show file tree

Hide file tree

Showing 15 changed files with 190 additions and 77 deletions.
diff --git a/Plugins/CVE-2020-0796.go b/Plugins/CVE-2020-0796.go
@@ -1,9 +1,5 @@
 package Plugins
 
-//Ladon Scanner for golang
-//Author: k8gege
-//K8Blog: http://k8gege.org
-//Github: https://github.com/k8gege
 import (
 	"bytes"
 	"fmt"

diff --git a/Plugins/ms17017.go b/Plugins/ms17017.go
@@ -3,16 +3,11 @@ package Plugins
 import (
 	"encoding/binary"
 	"encoding/hex"
-	"sync"
-
-	//"flag"
 	"fmt"
+	"github.com/shadow1ng/fscan/common"
 	"net"
 	"strings"
-
-	"github.com/shadow1ng/fscan/common"
-
-	//"sync"
+	"sync"
 	"time"
 )
 
@@ -112,7 +107,7 @@ func MS17010Scan(info *common.HostInfo) {
 		//fmt.Printf("%s\tMS17-010\t(%s)\n", ip, os)
 		//if runtime.GOOS=="windows" {fmt.Printf("%s\tMS17-010\t(%s)\n", ip, os)
 		//} else{fmt.Printf("\033[33m%s\tMS17-010\t(%s)\033[0m\n", ip, os)}
-		result := fmt.Sprintf("%s\tMS17-010\t(%s)", ip, os)
+		result := fmt.Sprintf("[+] %s\tMS17-010\t(%s)", ip, os)
 		common.LogSuccess(result)
 		// detect present of DOUBLEPULSAR SMB implant
 		trans2SessionSetupRequest[28] = treeID[0]

diff --git a/Plugins/mssql.go b/Plugins/mssql.go
@@ -35,7 +35,7 @@ func MssqlConn(info *common.HostInfo, user string, pass string) (flag bool, err
 		defer db.Close()
 		err = db.Ping()
 		if err == nil {
-			result := fmt.Sprintf("mssql:%v:%v:%v %v", Host, Port, Username, Password)
+			result := fmt.Sprintf("[+] mssql:%v:%v:%v %v", Host, Port, Username, Password)
 			common.LogSuccess(result)
 			flag = true
 		}

diff --git a/Plugins/mysql.go b/Plugins/mysql.go
@@ -36,7 +36,7 @@ func MysqlConn(info *common.HostInfo, user string, pass string) (flag bool, err
 		defer db.Close()
 		err = db.Ping()
 		if err == nil {
-			result := fmt.Sprintf("mysql:%v:%v:%v %v", Host, Port, Username, Password)
+			result := fmt.Sprintf("[+] mysql:%v:%v:%v %v", Host, Port, Username, Password)
 			common.LogSuccess(result)
 			flag = true
 		}

diff --git a/Plugins/redis.go b/Plugins/redis.go
@@ -42,7 +42,7 @@ func RedisConn(info *common.HostInfo, pass string) (flag bool, err error) {
 	conn.Write([]byte(fmt.Sprintf("auth %s\r\n", pass)))
 	reply, err := readreply(conn)
 	if strings.Contains(reply, "+OK") {
-		result := fmt.Sprintf("Redis:%s %s", realhost, pass)
+		result := fmt.Sprintf("[+] Redis:%s %s", realhost, pass)
 		common.LogSuccess(result)
 		flag = true
 		Expoilt(info, realhost, conn)
@@ -62,7 +62,7 @@ func RedisUnauth(info *common.HostInfo) (flag bool, err error) {
 	conn.Write([]byte("info\r\n"))
 	reply, err := readreply(conn)
 	if strings.Contains(reply, "redis_version") {
-		result := fmt.Sprintf("Redis:%s unauthorized", realhost)
+		result := fmt.Sprintf("[+] Redis:%s unauthorized", realhost)
 		common.LogSuccess(result)
 		flag = true
 		Expoilt(info, realhost, conn)

diff --git a/Plugins/ssh.go b/Plugins/ssh.go
@@ -51,7 +51,7 @@ func SshConn(info *common.HostInfo, user string, pass string) (flag bool, err er
 				result := fmt.Sprintf("SSH:%v:%v:%v %v \n %v", Host, Port, Username, Password, string(combo))
 				common.LogSuccess(result)
 			} else {
-				result := fmt.Sprintf("SSH:%v:%v:%v %v", Host, Port, Username, Password)
+				result := fmt.Sprintf("[+] SSH:%v:%v:%v %v", Host, Port, Username, Password)
 				common.LogSuccess(result)
 			}
 		}

diff --git a/Plugins/webtitle.go b/Plugins/webtitle.go
@@ -15,13 +15,13 @@ import (
 func WebTitle(info *common.HostInfo, ch chan int, wg *sync.WaitGroup) (err error, result string) {
 	info.Url = fmt.Sprintf("http://%s:%s", info.Host, info.Ports)
 	err, result = geturl(info)
-	if err == nil {
+	if err == nil && info.IsWebCan == false {
 		WebScan.WebScan(info)
 	}
 
 	info.Url = fmt.Sprintf("https://%s:%s", info.Host, info.Ports)
 	err, result = geturl(info)
-	if err == nil {
+	if err == nil && info.IsWebCan == false {
 		WebScan.WebScan(info)
 	}
 

diff --git a/README.md b/README.md
@@ -1,8 +1,8 @@
 # fscan
 
 # 简介
-一款内网扫描工具，方便一键大保健。  
-支持主机存活探测、端口扫描、常见服务的爆破、ms17010、redis批量写私钥、计划任务反弹shell、读取win网卡信息等。  
+一款内网扫描工具，方便一键大保健。    
+支持主机存活探测、端口扫描、常见服务的爆破、ms17010、redis批量写私钥、计划任务反弹shell、读取win网卡信息、web漏洞扫描等。  
 趁着最近有空，用go把f-scrack重构了一遍。使用go来编写，也有更好的扩展性及兼容性。  
 还在逐步增加功能，欢迎各位师傅提意见。
 
@@ -14,6 +14,7 @@
    因为用习惯了f-scrack，习惯一条命令跑完所有模块，省去一个个模块单独调用的时间，当然我附加了-m 指定模块的功能。
 
 ## 最近更新
+[+] 2020/12/12 已加入yaml解析引擎,支持xray的Poc,默认使用所有Poc(已对xray的poc进行了筛选),可以使用-pocname weblogic,只使用某种或某个poc。需要go版本1.16以上,只能自行编译最新版go来进行测试    
 [+] 2020/12/6 优化icmp模块,新增-domain 参数(用于smb爆破模块,适用于域用户)  
 [+] 2020/12/03 优化ip段处理模块、icmp、端口扫描模块。新增支持192.168.1.1-192.168.255.255。  
 [+] 2020/11/17 增加-ping 参数,作用是存活探测模块用ping代替icmp发包。   
@@ -42,8 +43,12 @@ fscan.exe -h 192.168.1.1/24 -m ms17010 (指定模块)
 
 完整参数
 ```
+  -Num int
+        poc rate (default 20)
   -c string
         exec command (ssh)
+  -domain string
+        smb domain
   -h string
         IP address of the host you want to scan,for example: 192.168.11.11 | 192.168.11.11-255 | 192.168.11.11,192.168.11.12
   -hf string
@@ -54,14 +59,20 @@ fscan.exe -h 192.168.1.1/24 -m ms17010 (指定模块)
         Select scan type ,as: -m ssh (default "all")
   -no
         not to save output log
+  -nopoc
+        not to scan web vul
   -np
         not to ping
   -o string
         Outputfile (default "result.txt")
   -p string
-        Select a port,for example: 22 | 1-65535 | 22,80,3306 (default "21,22,23,80,135,443,445,1433,1521,3306,5432,6379,7001,8080,8089,9000,9200,11211,27017")
+        Select a port,for example: 22 | 1-65535 | 22,80,3306 (default "21,22,80,81,135,443,445,1433,1521,3306,5432,6379,7001,8000,8080,8089,11211,27017")
   -ping
         using ping replace icmp
+  -pocname string
+        use the pocs these contain pocname, -pocname weblogic
+  -proxy string
+        set poc proxy, -proxy http://127.0.0.1:8080
   -pwd string
         password
   -pwdf string
@@ -96,6 +107,8 @@ fscan.exe -h 192.168.1.1/24 -m ms17010 (指定模块)
 `fscan.exe -h 192.168.x.x -c "whoami;id" (ssh 命令)`
 ![](image/3.png)
 
+`fscan.exe -h 192.168.x.x -p80 -proxy http://127.0.0.1:8080 一键支持xray的poc`
+![](image/2020-12-12-13-34-44.png)
 
 ## 未来计划
 [*] 合理输出当前扫描进度  
@@ -109,3 +122,4 @@ https://github.com/Adminisme/ServerScan
 https://github.com/netxfly/x-crack  
 https://github.com/hack2fun/Gscan  
 https://github.com/k8gege/LadonGo   
+https://github.com/jjf012/gopoc
diff --git a/WebScan/WebScan.go b/WebScan/WebScan.go
@@ -1,9 +1,42 @@
 package WebScan
 
 import (
+	"embed"
+	"github.com/shadow1ng/fscan/WebScan/lib"
 	"github.com/shadow1ng/fscan/common"
+	"net/http"
+	"time"
 )
 
+//go:embed pocs
+var Pocs embed.FS
+
 func WebScan(info *common.HostInfo) {
-	Shiro(info)
-}
+	info.PocInfo.Target = info.Url
+	Execute(info.PocInfo)
+}
+
+func Execute(PocInfo common.PocInfo) error {
+	//PocInfo.Proxy = "http://127.0.0.1:8080"
+	err := lib.InitHttpClient(PocInfo.Num, PocInfo.Proxy, time.Duration(PocInfo.Timeout)*time.Second)
+	if err != nil {
+		return err
+	}
+	req, err := http.NewRequest("GET", PocInfo.Target, nil)
+	req.Header.Set("User-agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36")
+	if err != nil {
+		return err
+	}
+	if PocInfo.Cookie != "" {
+		req.Header.Set("Cookie", PocInfo.Cookie)
+	}
+
+	//PocInfo.PocName = "weblogic-cve-2017-10271.yml"
+	if PocInfo.PocName != "" {
+		lib.CheckMultiPoc(req, Pocs, PocInfo.Num, PocInfo.PocName)
+	} else {
+		lib.CheckMultiPoc(req, Pocs, PocInfo.Num, "")
+	}
+
+	return nil
+}
diff --git a/WebScan/shiro.go b/WebScan/shiro.go
diff --git a/common/config.go b/common/config.go
@@ -79,4 +79,22 @@ type HostInfo struct {
 	IsSave      bool
 	RedisFile   string
 	RedisShell  string
+	IsWebCan    bool
+	PocInfo     PocInfo
+}
+
+type PocInfo struct {
+	Num        int
+	Rate       int
+	Timeout    int64
+	Proxy      string
+	PocName    string
+	PocDir     string
+	Target     string
+	TargetFile string
+	RawFile    string
+	Cookie     string
+	ForceSSL   bool
+	ApiKey     string
+	CeyeDomain string
 }
diff --git a/common/flag.go b/common/flag.go
@@ -38,5 +38,10 @@ func Flag(Info *HostInfo) {
 	flag.StringVar(&Info.Scantype, "m", "all", "Select scan type ,as: -m ssh")
 	flag.StringVar(&Info.RedisFile, "rf", "", "redis file to write sshkey file (as: -rf id_rsa.pub) ")
 	flag.StringVar(&Info.RedisShell, "rs", "", "redis shell to write cron file (as: -rs 192.168.1.1:6666) ")
+
+	flag.BoolVar(&Info.IsWebCan, "nopoc", false, "not to scan web vul")
+	flag.StringVar(&Info.PocInfo.PocName, "pocname", "", "use the pocs these contain pocname, -pocname weblogic")
+	flag.StringVar(&Info.PocInfo.Proxy, "proxy", "", "set poc proxy, -proxy http://127.0.0.1:8080")
+	flag.IntVar(&Info.PocInfo.Num, "Num", 20, "poc rate")
 	flag.Parse()
 }
diff --git a/go.mod b/go.mod
@@ -1,12 +1,20 @@
 module github.com/shadow1ng/fscan
 
-go 1.13
+go 1.15
 
 require (
+	github.com/antlr/antlr4 v0.0.0-20200503195918-621b933c7a7f // indirect
 	github.com/denisenkom/go-mssqldb v0.9.0
 	github.com/go-sql-driver/mysql v1.5.0
+	github.com/golang/protobuf v1.4.1
+	github.com/google/cel-go v0.4.2
 	github.com/jlaffaye/ftp v0.0.0-20201112195030-9aae4d151126
 	github.com/lib/pq v1.8.0
 	github.com/stacktitan/smb v0.0.0-20190531122847-da9a425dceb8
 	golang.org/x/crypto v0.0.0-20201116153603-4be66e5b6582
+	golang.org/x/net v0.0.0-20200505041828-1ed23360d12c // indirect
+	golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3 // indirect
+	google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84
+	google.golang.org/grpc v1.29.1 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776
 )