1、优化http密码爆破，支持外挂字典

2、重写、优化file fuzz，包括性能优化，字典优化、内存开销优化
   a、同时fix vscan中多线程并发内存共享bug
   b、同一目标错误次数达到20关闭当前目标所有乡村，退出无意义fuzz
   c、增加智能算法，识别404、识别异常页面
   d、顺带check Shiro指纹
   e、优化并发、多线程控制
   f、优化跳转检测：状态码、html跳转、js跳转
3、优化POCcheck中case为小写，提高效率 2022-07-16 22:51:1657983064

brute/basic_brute.go

@@ -4,14 +4,29 @@ import (
 	"github.com/hktalent/scan4all/pkg"
 )
 
+// 优化应该考虑
+//  1、一天内相同目标的结果缓存，只执行一次
+//  2、应该考虑多线程并发执行
 func Basic_brute(url string) (username string, password string) {
-	var basicusers = []string{"admin", "root"}
 	if req, err := pkg.HttpRequsetBasic("asdasdascsacacs", "adcadcadcadcadcadc", url, "HEAD", "", false, nil); err == nil {
+		// 超文本传输​​协议(HTTP) 401 Unauthorized 客户端错误状态响应代码表示客户端请求尚未完成，因为它缺少所请求资源的有效身份验证凭据
+		// https://www.jianshu.com/p/ca3e561e09ae
 		if req.StatusCode == 401 {
 			for useri := range basicusers {
 				for passi := range top100pass {
 					if req2, err2 := pkg.HttpRequsetBasic(basicusers[useri], top100pass[passi], url, "HEAD", "", false, nil); err2 == nil {
-						if req2.StatusCode == 200 || req2.StatusCode == 403 {
+						// 403 Forbidden 是HTTP协议中的一个HTTP状态码（Status Code）。403状态码意为服务器成功解析请求但是客户端没有访问该资源的权限
+						// 理论上可能存在： https://zhuanlan.zhihu.com/p/270297661
+						// 1、成功爆破后，页面跳转（3XX），
+						// 2、402 Payment Required（要求付款）
+						// 403 Forbidden（被禁止）；
+						// 404 Not Found（找不到）
+						// 405 Method Not Allowed（不允许的方法）
+						// 406 Not Acceptable（不可接受）
+						// 407 Proxy Authentication Required（需要代理身份验证）
+						// 408 Request Timeout（请求超时）410 Gone（不存在） 409 Conflict（冲突）
+						// 400 Bad Request（错误请求）
+						if req2.StatusCode != 401 && req2.StatusCode != 400 && req2.StatusCode != 408 && req2.StatusCode < 405 {
 							//pkg.LogJson(rst.Result{PluginName: pkg.GetPluginName("Basic_brute"), StatusCode: req2.StatusCode, URL: url, Technologies: []string{fmt.Sprintf("Found vuln basic password|%s:%s|%s", basicusers[useri], top100pass[passi], url)}})
 							return basicusers[useri], top100pass[passi]
 						}

brute/bypass403.go

@@ -95,20 +95,20 @@ func PenetrateEndpoint(wg *sync.WaitGroup, url string, rst chan Result403, heade
 	}
 }
 
-func ByPass403(domain, path *string) []string {
+// 403 bypass
+func ByPass403(domain, path *string, wg *sync.WaitGroup) []string {
 	validDomain := getValidDomain(*domain)
 	validPath := strings.TrimSpace(*path)
 	endpoints := constructEndpointPayloads(validDomain, validPath)
-	var wg sync.WaitGroup
 	var xL int = len(endpoints) + len(headerPayloads)
 	var x01 = make(chan Result403, xL)
 
 	wg.Add(xL)
 	for _, e := range endpoints {
-		go PenetrateEndpoint(&wg, e, x01)
+		go PenetrateEndpoint(wg, e, x01)
 	}
 	for _, h := range headerPayloads {
-		go PenetrateEndpoint(&wg, validDomain+"/"+validPath, x01, h)
+		go PenetrateEndpoint(wg, validDomain+"/"+validPath, x01, h)
 	}
 	wg.Wait()
 	aR := []string{}

brute/dicts.go

@@ -12,13 +12,21 @@ type UserPass struct {
 }
 
 var (
-	tomcatuserpass   = []UserPass{}
-	jbossuserpass    = []UserPass{}
-	top100pass       = []string{}
-	weblogicuserpass = []UserPass{}
-	filedic          = []string{}
+	tomcatuserpass   = []UserPass{} // tomcat user pass 字典
+	jbossuserpass    = []UserPass{} // jboss user pass 字典
+	top100pass       = []string{}   // top 100 密码，用于 http爆破
+	weblogicuserpass = []UserPass{} // weblogic user pass 字典
+	filedic          = []string{}   // fuzz字典
 )
 
+// http 爆破user
+//go:embed dicts/httpuser.txt
+var httpuser string
+
+// http 爆破密码字典
+//go:embed dicts/httpass.txt
+var httpass string
+
 //go:embed dicts/tomcatuserpass.txt
 var szTomcatuserpass string
 
@@ -52,11 +60,16 @@ func CvtUps(s string) []UserPass {
 func CvtLines(s string) []string {
 	return strings.Split(s, "\n")
 }
+
+// http 密码爆破user
+var basicusers []string
+
 func init() {
 	tomcatuserpass = CvtUps(pkg.GetVal4File("tomcatuserpass", szTomcatuserpass))
 	jbossuserpass = CvtUps(pkg.GetVal4File("jbossuserpass", szJbossuserpass))
 	weblogicuserpass = CvtUps(pkg.GetVal4File("weblogicuserpass", szWeblogicuserpass))
 	filedic = append(filedic, CvtLines(pkg.GetVal4File("filedic", szFiledic))...)
 	top100pass = append(top100pass, CvtLines(pkg.GetVal4File("top100pass", szTop100pass))...)
-
+	basicusers = strings.Split(strings.TrimSpace(pkg.GetVal4File("httpuser", httpass)), "\n")
+	top100pass = append(top100pass, strings.Split(strings.TrimSpace(pkg.GetVal4File("httpass", httpass)), "\n")...)
 }

brute/dicts/404url.txt

@@ -0,0 +1,6 @@
+/auth/login/
+error.html
+404.html
+500.html
+404.jsp
+500.jsp

brute/dicts/bakSuffix.txt

@@ -5,4 +5,25 @@
 .7z
 .bz2
 .gz
-.war
+.txt
+.war
+.jar
+.bak
+.sql
+.dump
+.db
+.tar.bz2
+.tar.gpg
+.tar.gz.gpg
+.zip.gpg
+.rar.gpg
+.7z.gpg
+.bz2.gpg
+.gz.gpg
+.war.gpg
+.jar.gpg
+.bak.gpg
+.sql.gpg
+.dump.gpg
+.db.gpg
+.tar.bz2.gpg

brute/dicts/fuzz404.txt

@@ -1,6 +1,7 @@
 404
 不存在
 错误
+Forbidden
 403
 禁止访问
 请求含有不合法的参数
@@ -10,7 +11,7 @@
 网站防火墙
 访问拦截
 由于安全原因JSP功能默认关闭
-<title>网站改版中</title>
+(?i)<title>网站改版中</title>
 Our website is under construction
 Access Failed
 an error
@@ -40,7 +41,7 @@ unable to open
 Web access denied
 Hack Attempts
 does not exist
-<b>Wrong URL.
+Wrong URL.
 page may no longer exist
 page no longer exist
 Your session has expired
@@ -50,4 +51,4 @@ More about this error
 No target SAP system for request
 no valid destination server available for
 unauthorized public IP address
-<TITLE>Invalid URL</TITLE>
+Invalid URL

brute/dicts/httpass.txt

@@ -0,0 +1,135 @@
+000000
+
+000000a
+100200
+110110
+110120
+111111
+11111111
+111111a
+112233
+1123581321
+123000
+123123
+123123a
+123321
+123456
+12345678
+123456789
+123456789a
+123456a
+123456aa
+123456abc
+123456q
+123456qq
+1234qwer
+123654
+123qwe
+123qweasd
+12qwaszx
+1314520
+1314521
+147258
+159357
+159753
+1A2B3C4D
+1q2w3e
+1q2w3e4r
+1q2w3e4r5t
+1qaz2wsx
+1qazxsw2
+31415926
+456852
+5201314
+5201314a
+520520
+5211314
+521521
+584520
+5845201314
+666666
+753951
+7758258
+7758521
+ADMIN
+OvW*busr1
+Password1
+QAZ123
+QLogic66
+a000000
+a111111
+a123123
+a123321
+a123456
+a123456789
+a5201314
+aa123456
+aaa123
+aaaaaa
+abc123
+abc123456
+abcd1234
+admanager
+admin
+admin123
+admin888
+admin@123
+adrole1
+adroot
+ads3cret
+adtomcat
+advagrant
+aini1314
+aptx4869
+as123456
+asd123
+asd123456
+asdasd
+asdasd123
+caonima123
+changethis
+demo
+iloveyou
+j2deployer
+kdsxc
+love1314
+manager
+nihao123
+owaspbwa
+password
+password1
+q123456
+q1w2e3
+q1w2e3r4
+qazwsx123
+qq123123
+qq123456
+qq1314520
+qq5201314
+qwe123
+qwer1234
+r00t
+role1
+root
+root123
+root888
+root@123
+s123456
+s3cret
+test
+tomcat
+toor
+vagrant
+w123456
+wang123
+woaini
+woaini123
+woaini1314
+woaini520
+woaini521
+xampp
+z123456
+zhang123
+zxc123
+zxc123456
+zxcvbnm123

brute/dicts/httpuser.txt

@@ -0,0 +1,17 @@
+ADMIN
+QCC
+Tomcat-manager
+admin
+both
+cxsdk
+demo
+j2deployer
+manager
+ovwebusr
+role
+role1
+root
+server_admin
+test
+tomcat
+xampp

brute/dicts/page404Content.txt

@@ -1,4 +1,3 @@
-<script>document.getElementById("a-link").click();</script>
 404 Not Found
 您所提交的请求含有不合法的参数，已被网站管理员设置拦截
 404.safedog.cn