add: integrate python3 log4j-scan, run it in the background with tmux, and automatically send the results to the configured ES 2022-07-20
x51pwn committed Jul 20, 2022
1 parent 9c8f059 commit 997c737
Showing 28 changed files with 177 additions and 49 deletions.
1 change: 1 addition & 0 deletions .github/up.sh
Original file line number Diff line number Diff line change
@@ -11,5 +11,6 @@ cat ./pkg/fingerprint/dicts/localFinger.json|jq ".fingerprint[].cms"|wc -l
cat ./pkg/fingerprint/dicts/fg.json|jq ".[].kind"|wc -l
git add config/nuclei-templates
git status
go build
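Review bot: `go build` is appended after `git add`/`git status` with no error handling visible in this hunk, so a build failure neither aborts the script nor unstages the files that were just added; run the build before `git add`, or start the script with `set -e`, so a broken tree is never staged.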


39 changes: 39 additions & 0 deletions .github/workflows/codeql-analysis.yml
@@ -0,0 +1,39 @@
name: 🚨 CodeQL Analysis

on:
workflow_dispatch:
push:
pull_request:
branches:
- dev

jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write

strategy:
fail-fast: false
matrix:
language: [ 'go' ]
# CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]

steps:
- name: Checkout repository
uses: actions/checkout@v3

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}

- name: Autobuild
uses: github/codeql-action/autobuild@v2

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
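Review bot: the `push:` trigger carries no branch filter while `pull_request:` is restricted to `dev`, so every push to any branch runs a full CodeQL build; give both triggers the same `branches:` list so the workflow behaves consistently. The actions are pinned only by floating major tags (`actions/checkout@v3`, `github/codeql-action/*@v2`); pinning to a commit SHA makes the workflow reproducible and limits exposure if a tag is moved.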
15 changes: 11 additions & 4 deletions README.md
@@ -42,10 +42,10 @@
* Jboss
* Winrm(wsman)
- 默认开启http密码智能爆破,需要http密码时才会自动启动,无需人工干预
- 默认检测系统是否存在nmap,存在优先则使用nmap进行快速扫描
- 检测系统是否存在nmap,存在通过 priorityNmap=true 启用nmap进行快速扫描,鉴于大多数人使用windows,默认关闭
使用nmap的弊端:因为设置网络包过大会导致结果不全
使用nmap另外需要将root密码设置到环境变量PPSSWWDD,更多参考config/doNmapScan.sh
默认使用naabu完成端口扫描 -stats=true 可以查看扫描进度
弊端:因为设置网络包过大会导致结果不全
另外需要将root密码设置到环境变量PPSSWWDD,更多参考config/doNmapScan.sh
- 快速 15000+ POC 检测功能,PoCs包含:
* nuclei POC
#### Nuclei Templates Top 10 statistics
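Review bot: the old lines `弊端:因为设置网络包过大会导致结果不全` and `另外需要将root密码设置到环境变量PPSSWWDD,更多参考config/doNmapScan.sh` are left in place directly below the newly added `使用nmap的弊端...` / `使用nmap另外需要...` lines, so the README now states the nmap drawback and the PPSSWWDD note twice; delete one copy so the section reads once.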
@@ -87,6 +87,11 @@
* 1、当列表中多个域名的ip相同时,合并端口扫描,提高效率
* 2、智能处理http异常页面、及指纹计算和学习
- 自动化供应链识别、分析和扫描
- 联动 python3 <a href=https://github.com/hktalent/log4j-scan>log4j-scan</a>
* 该版本屏蔽你目标信息传递到 DNS Log Server 的bug,避免暴露漏洞
* 增加了将结果发送到 Elasticsearch 的功能,便于批量、盲打
* 未来有时间了再实现golang版本
- 智能识别蜜罐,并跳过目标,默认该功能是关闭的,可设置EnableHoneyportDetection=true开启
- 高度可定制:允许通过config/config.json配置定义自己的字典,或者控制更多细节,包含不限于:nuclei、httpx、naabu等

# 工作流程
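Review bot: the new `联动 python3 log4j-scan` bullet documents the feature but not its preconditions: the checked-in config/doPy3log4j.sh needs python3 and tmux installed and a checkout of log4j-scan at `$HOME/MyWork/log4j-scan`, and results are posted to the host taken from `esUrl`. State those requirements here, otherwise users will not know why the log4j step does not run on a fresh install.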
@@ -95,7 +100,7 @@

# 如何安装
```bash
go install github.com/hktalent/scan4all@2.4.8
go install github.com/hktalent/scan4all@2.5.8
scan4all -h
```
# 如何使用
@@ -129,7 +134,9 @@ UrlPrecise=true ./scan4all -l xx.txt
- 整合 spider 以便发现更多漏洞

# 变更日志
- 2022-07-20 fix and PR nuclei <a href=https://github.com/projectdiscovery/nuclei/pull/2308>#2301</a> 并发多实例的bug
- 2022-07-20 add web cache vulnerability scanner
- 2022-07-19 PR nuclei <a href=https://github.com/projectdiscovery/nuclei/pull/2308>#2308</a> add dsl function: substr aes_cbc
- 2022-07-19 添加dcom Protocol enumeration network interfaces
- 2022-06-30 嵌入式集成私人版本nuclei-templates 共3744个YAML POC; 1、集成Elasticsearch存储中间结果 2、嵌入整个config目录到程序中
- 2022-06-27 优化模糊匹配,提高正确率、鲁棒性;集成ksubdomain进度
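Review bot: the first changelog entry labels the nuclei PR `#2301` but links to `https://github.com/projectdiscovery/nuclei/pull/2308`, the same URL as the `#2308` entry on the next line; either the number or the URL is wrong, so correct whichever it is (or merge the two entries if they really describe the same PR).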
5 changes: 3 additions & 2 deletions config/config.json
@@ -65,8 +65,8 @@
"EnableKsubdomain": true,
"KsubdomainRegxp": "([0-9a-zA-Z\\-]+\\.[0-9a-zA-Z\\-]+)$",
"naabu_dns": {},
"naabu": {"TopPorts": "1000","ScanAllIPS": true,"Threads": 25},
"priorityNmap": true,
"naabu": {"TopPorts": "http","ScanAllIPS": true,"Threads": 50,"EnableProgressBar": false},
"priorityNmap": false,
"enableNuclei": false,
"nuclei": {
"Severities": "critical,high,medium",
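Review bot: `TopPorts` changes from the numeric preset `"1000"` to `"http"` and `Threads` doubles to 50 while `priorityNmap` becomes false, which makes naabu the default scanner; confirm that the vendored naabu accepts `"http"` as a top-ports preset (the previous value was a count), because an unrecognised preset would leave the default port scan without a port list. config/config_me.json receives the same `TopPorts` change, so the two files stay consistent.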
@@ -75,6 +75,7 @@
"TemplateThreads": 64,
"HeadlessBulkSize": 10,
"DisableRedirects": true,
"EnableProgressBar": true,
"HeadlessTemplateThreads": 10,
"ReportingConfig": "config/nuclei_esConfig.yaml"
},
3 changes: 2 additions & 1 deletion config/config_me.json
@@ -55,14 +55,15 @@
"EnableHoneyportDetection": true,
"KsubdomainRegxp": "([0-9a-zA-Z\\-]+\\.[0-9a-zA-Z\\-]+)$",
"naabu_dns": {},
"naabu": {"TopPorts": "1000","ScanAllIPS": true,"Threads": 64},
"naabu": {"TopPorts": "http","ScanAllIPS": true,"Threads": 64,"EnableProgressBar": false},
"enableNuclei": true,
"nuclei": {
"RateLimit": 150,
"BulkSize":64,
"TemplateThreads": 64,
"HeadlessBulkSize": 10,
"DisableRedirects": true,
"EnableProgressBar": true,
"HeadlessTemplateThreads": 10,
"ReportingConfig": "config/nuclei_esConfig.yaml"
},
11 changes: 11 additions & 0 deletions config/doPy3log4j.sh
@@ -0,0 +1,11 @@
#!/bin/bash
# 请先安装好 python3、tmux
# brew install tmux
# brew install python3

tmux ls|grep "scan4all_log4j" || tmux new -s scan4all_log4j -d
tmux send -t "scan4all_log4j" "" Enter
tmux send -t "scan4all_log4j" "" Enter
tmux send -t "scan4all_log4j" "cd ${HOME}/MyWork/log4j-scan" Enter
tmux send -t "scan4all_log4j" "`which py3||which python3` --run-all-tests --waf-bypass --disable-http-redirects -u \"${1}\" --resulturl=\"$2\"" Enter
tmux send -t "scan4all_log4j" "" Enter
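Review bot: the command sent to tmux runs `` `which py3||which python3` `` with `--run-all-tests --waf-bypass --disable-http-redirects -u "${1}" --resulturl="$2"` but never names the log4j-scan script to execute, so unless `py3` is a local wrapper that already does, python3 will reject `--run-all-tests` as an unknown option; add the script path inside the `cd`'d checkout after the interpreter. `${1}` and `$2` are also spliced into the tmux command string verbatim, so a target URL containing a double quote, `$` or backtick would break the quoting; escape them with `printf %q` or validate them before sending. The hard-coded `${HOME}/MyWork/log4j-scan` path should match the check in pkg/doPy3log4j.go, which it currently does.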
3 changes: 2 additions & 1 deletion config/initEs.sh
@@ -2,5 +2,6 @@
~/MyWork/scan4all/config/CreateEs.sh naabu
~/MyWork/scan4all/config/CreateEs.sh httpx
~/MyWork/scan4all/config/CreateEs.sh nuclei
~/MyWork/scan4all/config/CreateEs.sh vscan
~/MyWork/scan4all/config/CreateEs.sh scan4all
~/MyWork/scan4all/config/CreateEs.sh hydra
~/MyWork/scan4all/config/CreateEs.sh subfinder
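Review bot: index creation is added for `hydra` and `vscan` is renamed to `scan4all`, but this diff also sends nmap results with `pkg.SendAData[[]string](k, x, pkg.Nmap)` in pkg/hydra/doNmapResult.go and no `CreateEs.sh nmap` line is added here; add it. Data already written to the old `vscan` index will not appear under `scan4all` without a reindex, which the changelog should mention.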
4 changes: 2 additions & 2 deletions config/nuclei-templates/cves/2020/CVE-2020-35774.yaml
@@ -12,8 +12,8 @@ info:
- https://github.com/twitter/twitter-server/commit/e0aeb87e89a6e6c711214ee2de0dd9f6e5f9cb6c
- https://github.com/twitter/twitter-server/compare/twitter-server-20.10.0...twitter-server-20.12.0
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2020-35774
cwe-id: CWE-79
tags: cve,cve2020,xss,twitter-server
2 changes: 1 addition & 1 deletion config/nuclei-templates/cves/2022/CVE-2022-21500.yaml
@@ -16,8 +16,8 @@ info:
cvss-score: 7.5
cve-id: CVE-2022-21500
metadata:
verified: true
shodan-query: http.title:"Login" "X-ORACLE-DMS-ECID" 200
verified: "true"
tags: cve,cve2022,oracle,misconfig,auth-bypass

requests:
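Review bot: `verified: true` becomes the string `"true"` and the `shodan-query` metadata line is dropped; quoting changes the YAML value from a boolean to a string, so any consumer that filters on `verified == true` stops matching, and removing the shodan query loses the only discovery hint this template carried. If the quoting is needed for a stricter YAML loader, say so in the commit and keep `shodan-query`.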
7 changes: 6 additions & 1 deletion config/nuclei-templates/cves/2022/CVE-2022-32007.yaml
@@ -9,8 +9,13 @@ info:
reference:
- https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/online-job-search-system/SQLi-2.md
- https://nvd.nist.gov/vuln/detail/CVE-2022-32007
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2
cve-id: CVE-2022-32007
cwe-id: CWE-89
metadata:
verified: true
verified: "true"
tags: cve,cve2022,sqli,eris,authenticated

variables:
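Review bot: the added `classification` block (`cvss-score: 7.2`, vector `AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H`) is internally consistent, but the hunk is byte-identical to the one for CVE-2022-32018 apart from the CVE id; confirm the score and vector against the NVD entry already linked in `reference` rather than copying them between templates, and apply the same `verified: "true"` quoting decision as in CVE-2022-21500 for the same reason.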
7 changes: 6 additions & 1 deletion config/nuclei-templates/cves/2022/CVE-2022-32018.yaml
@@ -9,8 +9,13 @@ info:
reference:
- https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/online-job-search-system/SQLi-12.md
- https://nvd.nist.gov/vuln/detail/CVE-2022-32018
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2
cve-id: CVE-2022-32018
cwe-id: CWE-89
metadata:
verified: true
verified: "true"
tags: cve,cve2022,sqli

variables:
Original file line number Diff line number Diff line change
@@ -5,6 +5,7 @@ info:
author: dhiyaneshDk
severity: info
metadata:
verified: true
shodan-query: http.title:"Cisco Telepresence"
tags: panel,cisco

@@ -13,12 +14,14 @@ requests:
path:
- "{{BaseURL}}/login.html"

redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<title>Cisco TelePresence MCU - login:</title>"
- "Cisco TelePresence MCU - login:"

- type: status
status:
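Review bot: the body matcher is loosened from the exact `<title>Cisco TelePresence MCU - login:</title>` to the bare string `Cisco TelePresence MCU - login:` while redirects are now followed (`max-redirects: 2`), so the template will also fire on any page that merely mentions that string (a link, help text) and on whatever page the redirect lands on; `matchers-condition: and` only adds a status check on top. Keep a title-anchored word, or add a second word matcher, to hold the false-positive rate down.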
5 changes: 4 additions & 1 deletion lib/HoneypotDetection.go
@@ -17,7 +17,10 @@ var hdCache sync.Map
// 添加蜜罐检测,并自动跳过目标,默认false跳过蜜罐检测
// 考虑内存缓存结果
func HoneyportDetection(host string) bool {
if !strings.HasPrefix(host, "http") {
if 5 > len(host) {
return false
}
if "http" != strings.ToLower(host[0:4]) {
host = "http://" + host
}
oUrl, err := url.Parse(host)
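Review bot: `if 5 > len(host) { return false }` silently reports any host shorter than five characters as not a honeypot instead of checking it, and `"http" != strings.ToLower(host[0:4])` treats any input that starts with `http` (a hostname like `httpd.example`, a constructed case) as already carrying a scheme; use `strings.HasPrefix(strings.ToLower(host), "http://")` / `"https://"` and let `url.Parse` reject the short or malformed inputs.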
10 changes: 6 additions & 4 deletions pkg/config.go
@@ -73,10 +73,6 @@ func GetValAsInt(key string, nDefault int) int {
return n
}

var (
Naabu = "naabu"
)

var TmpFile = map[string][]*os.File{}

// 临时结果文件,例如 nmap
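Review bot: `Naabu = "naabu"` is removed here, yet the rest of this diff uses `pkg.Naabu`, `pkg.Httpx`, `pkg.Nmap`, `pkg.Hydra`, `pkg.Subfinder` and `Scan4all`, with `string(pkg.Naabu)` conversions that imply a typed constant; the declaration of those constants is not in any hunk shown, so name the file where they now live in the commit message, and change the key type of `TmpFile` to match so the `string(...)` conversions in pkg/hydra/doNmapResult.go and pkg/naabu/v2/pkg/runner/options.go become unnecessary.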
@@ -281,8 +277,14 @@ func doDir(config *embed.FS, s fs.DirEntry, szPath string) {
}
}

var UserHomeDir string = "./"

// 初始化到开头
func Init2(config *embed.FS) {
dirname, err := os.UserHomeDir()
if nil == err {
UserHomeDir = dirname
}
szPath := "config"
log.Println("wait for init config files ... ")
if x1, err := config.ReadDir(szPath); nil == err {
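Review bot: `UserHomeDir` defaults to `"./"` and is only overwritten when `os.UserHomeDir()` succeeds, with the error discarded; if HOME is unset (common in containers) DoLog4j will look for `./` + `/MyWork/log4j-scan` relative to the working directory without any message, so log the error in an `else` branch. The variable is a plain global written in Init2 and read from goroutines, which is only safe if Init2 always completes before any scan starts; a short comment stating that ordering requirement would help.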
41 changes: 41 additions & 0 deletions pkg/doPy3log4j.go
@@ -0,0 +1,41 @@
package pkg

import (
"fmt"
"github.com/hktalent/scan4all/lib"
"net/url"
"os"
"strings"
"sync"
)

var log4jsv sync.Map

// 1、检测 $HOME/MyWork/log4j-scan 存在就执行 python3 版本log4j检测
// 2、相同目标只执行一次,基于内存缓存
// 3、只支持:https://github.com/hktalent/log4j-scan 版本
func DoLog4j(szUrl string) {
if 5 > len(szUrl) || !FileExists(UserHomeDir+"/MyWork/log4j-scan") {
fmt.Println("DoLog4j: ", 5 > len(szUrl), !FileExists(UserHomeDir+"/MyWork/log4j-scan"))
return
}
lib.DoSyncFunc(func() {
if "" == esUrl {
esUrl = GetValByDefault("esUrl", "http://127.0.0.1:9200/%s_index/_doc/%s")
}
oUrl, err := url.Parse(esUrl)
if nil == err {
p1, err := os.Getwd()
if nil == err {
szU1 := oUrl.Scheme + "://" + oUrl.Host
if _, ok := log4jsv.Load(szU1); !ok {
log4jsv.Store(szU1, true)
if "http" != strings.ToLower(szUrl[0:4]) {
szUrl = "http://" + szUrl
}
DoCmd(p1+"/config/doPy3log4j.sh", szUrl, szU1)
}
}
}
})
}
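Review bot: the de-duplication key is wrong: `szU1` is built from `url.Parse(esUrl)`, the Elasticsearch endpoint, not from the target `szUrl`, so `log4jsv` stores the ES host on the first call and every later target hits the `Load` check and is skipped; log4j-scan therefore runs for exactly one target per process, contradicting the `相同目标只执行一次` comment. Key the cache on the target (scheme plus host of `url.Parse(szUrl)` after the `http://` prefix is added) and keep passing the ES base as the second argument. Two smaller points: the `fmt.Println("DoLog4j: ", ...)` on the early-return path runs for every URL whenever the checkout is absent and should be a debug log or removed, and the function is already asynchronous through `lib.DoSyncFunc`, so the `go` in pkg/httpx/runner/runner.go is redundant.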
2 changes: 1 addition & 1 deletion pkg/domain.go
@@ -59,7 +59,7 @@ func doSub(s string) (aRst []string, err1 error) {
}
}
if bSend {
SendAData[string](s[:2], aRst, "subfinder")
SendAData[string](s[:2], aRst, Subfinder)
}
return aRst, nil
}
5 changes: 3 additions & 2 deletions pkg/httpx/runner/runner.go
@@ -694,7 +694,7 @@ func (r *Runner) process(t string, wg *sizedwaitgroup.SizedWaitGroup, hp *httpx.
go func(target, method, protocol string) {
defer wg.Done()
result := r.analyze(hp, protocol, target, method, t, scanopts)
pkg.SendAnyData(result, "httpx")
pkg.SendAnyData(result, pkg.Httpx)
output <- result
if scanopts.TLSProbe && result.TLSData != nil {
scanopts.TLSProbe = false
@@ -749,7 +749,7 @@ func (r *Runner) process(t string, wg *sizedwaitgroup.SizedWaitGroup, hp *httpx.
defer wg.Done()
h, _ := urlutil.ChangePort(target, fmt.Sprint(port))
result := r.analyze(hp, protocol, h, method, t, scanopts)
pkg.SendAnyData(result, "httpx")
pkg.SendAnyData(result, pkg.Httpx)
output <- result
if scanopts.TLSProbe && result.TLSData != nil {
scanopts.TLSProbe = false
@@ -887,6 +887,7 @@ retry:
// in case of standard requests append the new path to the existing one
URL.RequestURI += scanopts.RequestURI
}
go pkg.DoLog4j(URL.String())
var req *retryablehttp.Request
if customIP != "" {
customHost = URL.Host
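Review bot: `go pkg.DoLog4j(URL.String())` sits in the `retry:` section, so every retry of the same request schedules the log4j check again, and it fires before the target has responded even once, so unreachable hosts are still handed to the external scanner; move the call to after a successful response, rely on the dedup inside DoLog4j once that is keyed on the target, and drop the `go`, since DoLog4j already dispatches via lib.DoSyncFunc.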
4 changes: 2 additions & 2 deletions pkg/hydra/doNmapResult.go
@@ -114,14 +114,14 @@ func DoParseXml(s string, bf *bytes.Buffer) {
if enableEsSv {
if 0 < len(m1) {
for k, x := range m1 {
pkg.SendAData[[]string](k, x, "nmap")
pkg.SendAData[[]string](k, x, pkg.Nmap)
}
}
}
}

func DoNmapRst(bf *bytes.Buffer) {
if x1, ok := pkg.TmpFile[pkg.Naabu]; ok {
if x1, ok := pkg.TmpFile[string(pkg.Naabu)]; ok {
for _, x := range x1 {
defer func(r *os.File) {
r.Close()
2 changes: 1 addition & 1 deletion pkg/hydra/runner.go
@@ -41,7 +41,7 @@ func Start(IPAddr string, Port int, Protocol string) {
for info := range crack.Out {
out = info
if nil != &out && "" != out.Protocol && out.IPAddr != "" && "" != out.Auth.Username {
pkg.SendAData[AuthInfo](fmt.Sprintf("%s:%d", out.IPAddr, out.Port), []AuthInfo{out}, "hydra")
pkg.SendAData[AuthInfo](fmt.Sprintf("%s:%d", out.IPAddr, out.Port), []AuthInfo{out}, pkg.Hydra)
data, _ := json.Marshal(out)
fmt.Println("成功密码破解:", aurora.BrightRed(string(data)))
}
2 changes: 1 addition & 1 deletion pkg/log.go
@@ -65,7 +65,7 @@ func BurteLog(log string) {
}

func writeoutput(log string) {
SendAnyData(log, "vscan")
SendAnyData(log, Scan4all)
if "" == Output {
return
}
2 changes: 1 addition & 1 deletion pkg/naabu/v2/pkg/runner/options.go
@@ -120,7 +120,7 @@ func ParseOptions() *Options {
if runtime.GOOS == "windows" {
szNmap = strings.Replace(szNmap, "nmap", "nmap.exe", -1)
}
tempInput := pkg.GetTempFile(pkg.Naabu)
tempInput := pkg.GetTempFile(string(pkg.Naabu))
if tempInput != nil {
szNmap = strings.ReplaceAll(szNmap, "(unknown)", tempInput.Name())
}
3 changes: 2 additions & 1 deletion pkg/naabu/v2/pkg/runner/runner.go
@@ -21,6 +21,7 @@ import (

"github.com/hktalent/scan4all/nuclei_Yaml"
httpxrunner "github.com/hktalent/scan4all/pkg/httpx/runner"

"github.com/hktalent/scan4all/pkg/naabu/v2/pkg/privileges"
"github.com/hktalent/scan4all/pkg/naabu/v2/pkg/scan"
"github.com/pkg/errors"
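Review bot: the added blank line splits the `github.com/hktalent/scan4all/...` imports into two groups for no reason; run goimports so the block stays in one sorted group.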
@@ -618,7 +619,7 @@ func (r *Runner) handleOutput() {
aN = append(aN, port)
gologger.Silent().Msgf("%s:%d\n", host, port)
}
pkg.SendAData[int](host, aN, "naabu")
pkg.SendAData[int](host, aN, pkg.Naabu)
}
// file output
if file != nil {