fix nmap到下一流程未使用域名的bug 2022-10-15

GhostTroops · Oct 15, 2022 · 4484671 · 4484671
1 parent a9f5140
commit 4484671
Show file tree

Hide file tree

Showing 11 changed files with 75 additions and 130 deletions.
diff --git a/brute/admin_brute.go b/brute/admin_brute.go
@@ -11,9 +11,11 @@ import (
 
 var SkipAdminBrute bool
 
-var UserReg = regexp.MustCompile(`(?i)<input.*?name=['"]([^'"]*(name|user|uid|login|mail|log|account)[^'"]*).*?>`)
-var PswdReg = regexp.MustCompile(`(?i)<input.*?name=['"]([^'"]*(pass|pwd|word|mima|password|mm)[^'"]*).*?>`)
+var UserReg = regexp.MustCompile(`(?i)<input.*?(?:name|id)=['"]([^'"]*(?:name|user|uid|login|mail|log|account)[^'"]*).*?>`)
+var PswdReg = regexp.MustCompile(`(?i)<input.*?(?:name|id)=['"]([^'"]*(?:pass|pwd|word|mima|password|mm)[^'"]*).*?>`)
 var actionReg = regexp.MustCompile(`<form.*?action=['"](.*?)['"]`)
+var locationReg = regexp.MustCompile(`location.href=['"](.*?)['"]`)
+var r009 = regexp.MustCompile(`url.*?:.*?['"](.*?)['"],`)
 
 /*
 loginMailbox
@@ -36,7 +38,7 @@ func getinput(inputurl string) (usernamekey string, passwordkey string, loginurl
 		} else if u.Path == "" {
 			loginurl = loginurl + "/login"
 		}
-		hreflist := regexp.MustCompile(`location.href=['"](.*?)['"]`).FindStringSubmatch(req.Body)
+		hreflist := locationReg.FindStringSubmatch(req.Body)
 		if hreflist != nil {
 			href, _ := url.Parse(strings.TrimSpace(hreflist[len(hreflist)-1:][0]))
 			hrefurl := u.ResolveReference(href)
@@ -46,7 +48,7 @@ func getinput(inputurl string) (usernamekey string, passwordkey string, loginurl
 			}
 		}
 		usernamelist := UserReg.FindStringSubmatch(req.Body)
-		if usernamelist != nil {
+		if usernamelist != nil && 2 <= len(usernamelist) {
 			usernamekey = usernamelist[len(usernamelist)-1:][0]
 		}
 		passlist := PswdReg.FindStringSubmatch(req.Body)
@@ -59,11 +61,14 @@ func getinput(inputurl string) (usernamekey string, passwordkey string, loginurl
 				loginurl = u.ResolveReference(action).String()
 			}
 		} else {
-			domainlist2 := regexp.MustCompile(`url.*?:.*?['"](.*?)['"],`).FindStringSubmatch(req.Body)
+			domainlist2 := r009.FindStringSubmatch(req.Body)
 			if domainlist2 != nil {
 				if ajax, err := url.Parse(strings.TrimSpace(domainlist2[len(domainlist2)-1:][0])); err == nil {
 					loginurl = u.ResolveReference(ajax).String()
 				}
+			} else if strings.HasSuffix(inputurl, ".jsp") || strings.HasSuffix(inputurl, ".do") {
+				u01, _ := url.Parse("/login.do")
+				loginurl = u.ResolveReference(u01).String()
 			}
 		}
 	}
@@ -74,6 +79,9 @@ var LocationReg = regexp.MustCompile(`(.*?);`)
 
 // 登陆页面密码爆破
 func Admin_brute(u string) (username string, password string, loginurl string) {
+	if util.TestRepeat(u) {
+		return
+	}
 	if SkipAdminBrute {
 		return "", "", ""
 	}
@@ -85,7 +93,7 @@ func Admin_brute(u string) (username string, password string, loginurl string) {
 		testaccount           = true
 		usernames             []string
 		noaccount             = []string{"不存在", "用户名错误", "\\u4e0d\\u5b58\\u5728", "\\u7528\\u6237\\u540d\\u9519\\u8bef"}
-		lockContent           = []string{"锁定", "次数超", "超次数", "验证码错误", "请输入验证码", "请输入正确的验证码", "验证码不能为空", "\\u9501\\u5b9a", "\\u6b21\\u6570\\u8d85", "\\u8d85\\u6b21\\u6570", "\\u9a8c\\u8bc1\\u7801\\u9519\\u8bef", "\\u8bf7\\u8f93\\u5165\\u9a8c\\u8bc1\\u7801", "\\u8bf7\\u8f93\\u5165\\u6b63\\u786e\\u7684\\u9a8c\\u8bc1\\u7801", "\\u9a8c\\u8bc1\\u7801\\u4e0d\\u80fd\\u4e3a\\u7a7a"}
+		lockContent           = []string{"认证失败", "账号或密码错误", "锁定", "次数超", "超次数", "验证码错误", "请输入验证码", "请输入正确的验证码", "验证码不能为空", "\\u9501\\u5b9a", "\\u6b21\\u6570\\u8d85", "\\u8d85\\u6b21\\u6570", "\\u9a8c\\u8bc1\\u7801\\u9519\\u8bef", "\\u8bf7\\u8f93\\u5165\\u9a8c\\u8bc1\\u7801", "\\u8bf7\\u8f93\\u5165\\u6b63\\u786e\\u7684\\u9a8c\\u8bc1\\u7801", "\\u9a8c\\u8bc1\\u7801\\u4e0d\\u80fd\\u4e3a\\u7a7a"}
 		adminfalseContentlen  int
 		testfalseContentlen   int
 		falseis302            = false

diff --git a/brute/dicts/filedic.txt b/brute/dicts/filedic.txt
@@ -1,6 +1,8 @@
+/Login.jsp
+/login.jsp
 .*org/login
-../../../../../../../../../../../../../../../../../../usr/local/cpanel/logs/login_log
 ../../../../../../../../../../../../../../../../../../usr/local/cpanel/logs/login_log%00
+../../../../../../../../../../../../../../../../../../usr/local/cpanel/logs/login_log
 ../../../../../../../../../../../../../../../../../usr/local/cpanel/logs/login_log
 ../../../../../../../../../../../../../../../../../usr/local/cpanel/logs/login_log%00
 ../../../../../../../../../../../../../../../../usr/local/cpanel/logs/login_log
@@ -63,7 +65,6 @@
 /CFIDE/componentutils/login.cfm?_cf_containerID=blahblah'
 /Citrix/AccessPlatform/auth/clientscripts/login.js
 /Login.aspx
-/Login.jsp
 /Umbraco/Views/common/login.html
 /Umbraco/assets/img/login.jpg
 /_layouts/login.aspx
@@ -156,7 +157,6 @@
 /login.cfm
 /login.do
 /login.html
-/login.jsp
 /login.php
 /login.php3
 /login.php4

diff --git a/brute/fuzzfingerprints.go b/brute/fuzzfingerprints.go
@@ -50,8 +50,16 @@ func Addfingerprints404(technologies []string, req *util.Response, oPage *util.P
 	return technologies
 }
 
-// 正常页面指纹处理
 func Addfingerprintsnormal(payload string, technologies []string, req *util.Response, fuzzPage *util.Page) []string {
+	a := Addfingerprintsnormal1(payload, []string{}, req, fuzzPage)
+	if 0 < len(a) {
+		util.PocCheck_pipe <- &util.PocCheck{Wappalyzertechnologies: &a, URL: req.RequestUrl, FinalURL: req.RequestUrl, Checklog4j: false}
+	}
+	return append(technologies, a...)
+}
+
+// 正常页面指纹处理
+func Addfingerprintsnormal1(payload string, technologies []string, req *util.Response, fuzzPage *util.Page) []string {
 	// StatusCode 200, 301, 302, 401, 500
 	switch payload {
 	case "/manager/html":
@@ -74,9 +82,9 @@ func Addfingerprintsnormal(payload string, technologies []string, req *util.Resp
 		if util.StrContains(req.Body, "/seeyon/common/") {
 			technologies = append(technologies, "seeyon")
 		}
-	case "/admin", "/admin-console", "/admin.asp", "/admin.aspx", "/admin.do", "/admin.html", "/admin.jsp", "/admin.php", "/admin/", "/admin/admin", "/admin/adminLogin.do", "/admin/checkLogin.do", "/admin/index.do", "/Admin/Login", "/admin/Login.aspx", "/admin/login.do", "/admin/menu", "/Adminer", "/adminer.php", "/administrator", "/adminLogin.do", "/checkLogin.do", "/doc/Page/login.asp", "/login", "/Login.aspx", "/login/login", "/login/Login.jsp", "/manage", "/manage/login.htm", "/management", "/manager", "/manager.aspx", "/manager.do", "/manager.jsp", "/manager.jspx", "/manager.php", "/memadmin/index.php", "/myadmin/login.php", "/Systems/", "/user-login.html", "/wp-login.php":
+	case "/admin", "/admin-console", "/admin.asp", "/admin.aspx", "/admin.do", "/admin.html", "/admin.jsp", "/admin.php", "/admin/", "/admin/admin", "/admin/adminLogin.do", "/admin/checkLogin.do", "/admin/index.do", "/Admin/Login", "/admin/Login.aspx", "/admin/login.do", "/admin/menu", "/Adminer", "/adminer.php", "/administrator", "/adminLogin.do", "/checkLogin.do", "/doc/Page/login.asp", "/login", "/Login.aspx", "/login/login", "/login/Login.jsp", "/Login.jsp", "/manage", "/manage/login.htm", "/management", "/manager", "/manager.aspx", "/manager.do", "/manager.jsp", "/manager.jspx", "/manager.php", "/memadmin/index.php", "/myadmin/login.php", "/Systems/", "/user-login.html", "/wp-login.php":
 		if reqlogin, err := util.HttpRequset(req.RequestUrl, "GET", "", true, nil); err == nil {
-			if util.StrContains(reqlogin.Body, "<input") && (util.StrContains(reqlogin.Body, "pass") || strings.Contains(reqlogin.Body, "Pass") || strings.Contains(reqlogin.Body, "PASS")) {
+			if util.StrContains(reqlogin.Body, "<input") && (util.StrContains(reqlogin.Body, "pass") || util.StrContains(reqlogin.Body, "type=\"password\"") || strings.Contains(reqlogin.Body, "Pass") || strings.Contains(reqlogin.Body, "PASS")) {
 				technologies = append(technologies, "AdminLoginPage")
 				username, password, loginurl := Admin_brute(req.RequestUrl)
 				if loginurl != "" {

diff --git a/config/51pwn_poc/CVE-2022-35914.yaml b/config/51pwn_poc/CVE-2022-35914.yaml
diff --git a/config/config.json b/config/config.json
@@ -105,7 +105,7 @@
     "MaxRedirects": 3
   },
   "enableEsSv": true,
-  "CheckWeakPassword": false,
+  "CheckWeakPassword": true,
   "esthread": 8,
   "hydrathread": 64,
   "Fuzzthreads": 16,
@@ -116,5 +116,5 @@
     "Path": "./config/poc/",
     "Logs": "./logs/errror.log"
   },
-  "enableWebScan": false
+  "enableWebScan": true
 }
diff --git a/main.go b/main.go
@@ -8,7 +8,6 @@ import (
 	"log"
 	"net/http"
 	_ "net/http/pprof"
-	"os"
 	"runtime"
 	"runtime/debug"
 )
@@ -26,7 +25,7 @@ func main() {
 	//os.Args = []string{"", "-host", "http://127.0.0.1", "-v"}
 	//os.Args = []string{"", "-host", "https://www.sina.com.cn/", "-v", "-o", "xxx.csv"}
 	//os.Args = []string{"", "-list", "list.txt", "-v"}
-	os.Args = []string{"", "-list", "./5701580f708064a329d2c2bca41727b4c13a3126.xml", "-v"}
+	//os.Args = []string{"", "-list", "./5701580f708064a329d2c2bca41727b4c13a3126.xml", "-v"}
 
 	runtime.GOMAXPROCS(runtime.NumCPU())
 	util.DoInit(&config)

diff --git a/pkg/httpx/runner/runner.go b/pkg/httpx/runner/runner.go
@@ -1280,7 +1280,7 @@ retry:
 		}
 		// 登陆页面检测
 		if brute.CheckLoginPage(finalURL, resp) {
-			technologies = append(technologies, "loginpage")
+			technologies = append(technologies, "登陆页面")
 			// 做一次 http
 			util.PocCheck_pipe <- &util.PocCheck{
 				Wappalyzertechnologies: &[]string{"httpCheckSmuggling"},
@@ -1339,16 +1339,18 @@ retry:
 			filefuzzTechnologies = SliceRemoveDuplicates(filefuzzTechnologies)
 			// 取差集合
 			filefuzzTechnologies = difference(filefuzzTechnologies, technologies)
-			poctechnologies2 = pocs_go.POCcheck(filefuzzTechnologies, ul, finalURL, true) //通过敏感文件扫描获取到的指纹进行检测gopoc check
-			Vullist = append(Vullist, poctechnologies2...)
-			for _, technology := range filefuzzTechnologies {
-				pocYmlList2 := pocs_yml.Check(ul, scanopts.CeyeApi, scanopts.CeyeDomain, r.options.HTTPProxy, strings.ToLower(technology)) //通过敏感文件扫描获取到的指纹进行检测ymlpoc check
-				Vullist = append(Vullist, pocYmlList2...)
+			if 0 < len(filefuzzTechnologies) {
+				poctechnologies2 = pocs_go.POCcheck(filefuzzTechnologies, ul, finalURL, true) //通过敏感文件扫描获取到的指纹进行检测gopoc check
+				Vullist = append(Vullist, poctechnologies2...)
+				for _, technology := range filefuzzTechnologies {
+					pocYmlList2 := pocs_yml.Check(ul, scanopts.CeyeApi, scanopts.CeyeDomain, r.options.HTTPProxy, strings.ToLower(technology)) //通过敏感文件扫描获取到的指纹进行检测ymlpoc check
+					Vullist = append(Vullist, pocYmlList2...)
+				}
+				// 输出加入敏感文件扫描 获取到的指纹
+				technologies = append(technologies, filefuzzTechnologies...)
+				// 指纹去重
+				technologies = SliceRemoveDuplicates(technologies)
 			}
-			// 输出加入敏感文件扫描 获取到的指纹
-			technologies = append(technologies, filefuzzTechnologies...)
-			// 指纹去重
-			technologies = SliceRemoveDuplicates(technologies)
 		}
 		if len(technologies) > 0 {
 			sort.Strings(technologies)

diff --git a/pkg/naabu/v2/pkg/runner/targets.go b/pkg/naabu/v2/pkg/runner/targets.go
@@ -121,6 +121,26 @@ func (r *Runner) DoSsl(target string) []string {
 	return []string{}
 }
 
+func (r *Runner) DoDns001(x string, aR []string) []string {
+	aR = append(aR, r.DoDns2Ips(x)...)
+	a1 := r.DoSsl(x)
+	if 1 < len(a1) { // 如果只有1个是没有意义的，说明和x一样
+		for _, j := range a1 {
+			if j == x {
+				continue
+			}
+			aR = append(aR, r.DoDns2Ips(j)...)
+		}
+		aR = append(aR, a1...)
+	}
+	if 1 == len(aR) { // 只有一个就直接用域名了，这样nmap的结果才能用
+		aR = []string{x}
+	} else {
+		aR = append(aR, x)
+	}
+	return aR
+}
+
 // target域名转多个ip处理
 func (r *Runner) DoTargets() (bool, error) {
 	data, err := ioutil.ReadFile(r.targetsFile)
@@ -134,18 +154,12 @@ func (r *Runner) DoTargets() (bool, error) {
 		if 3 > len(x) {
 			continue
 		}
-		if govalidator.IsURL(x) {
+		if govalidator.IsDNSName(x) {
+			aR = r.DoDns001(x, aR)
+		} else if govalidator.IsURL(x) {
 			if x1, err := url.Parse(strings.TrimSpace(x)); nil == err {
 				if govalidator.IsDNSName(x) {
-					aR = append(aR, r.DoDns2Ips(x)...)
-					a1 := r.DoSsl(x)
-					if 0 < len(a1) {
-						for _, j := range a1 {
-							aR = append(aR, r.DoDns2Ips(j)...)
-						}
-						aR = append(aR, a1...)
-						continue
-					}
+					aR = r.DoDns001(x, aR)
 				} else {
 					if "" == x1.Hostname() {
 						aR = append(aR, x)
@@ -154,17 +168,6 @@ func (r *Runner) DoTargets() (bool, error) {
 					}
 					continue
 				}
-			} else {
-				aR = append(aR, x)
-			}
-		} else if govalidator.IsDNSName(x) {
-			aR = append(aR, r.DoDns2Ips(x)...)
-			a1 := r.DoSsl(x)
-			if 0 < len(a1) {
-				for _, j := range a1 {
-					aR = append(aR, r.DoDns2Ips(j)...)
-				}
-				aR = append(aR, a1...)
 			}
 		}
 		aR = append(aR, x)

diff --git a/pocs_go/go_poc_check.go b/pocs_go/go_poc_check.go
@@ -243,7 +243,7 @@ func POCcheck(wappalyzertechnologies []string, URL string, finalURL string, chec
 			if seeyon.BackdoorScan(URL) {
 				technologies = append(technologies, "exp-seeyon|Backdoor")
 			}
-		case "loginpage":
+		case "loginpage", "登陆页面", "AdminLoginPage":
 			username, password, loginurl := brute.Admin_brute(finalURL)
 			if loginurl != "" {
 				technologies = append(technologies, fmt.Sprintf("brute-admin|%s:%s", username, password))

diff --git a/projectdiscovery/nuclei_Yaml/nuclei_yaml.go b/projectdiscovery/nuclei_Yaml/nuclei_yaml.go
@@ -425,12 +425,12 @@ func readConfig(options *types.Options) {
 
 	options.UpdateNuclei = false
 	options.UpdateTemplates = false
-	// options.TemplatesDirectory = pwd + "/config/nuclei-templates"
-	options.TemplatesDirectory = pwd + "/config"
+	options.TemplatesDirectory = pwd + "/config/nuclei-templates"
+	//options.TemplatesDirectory = pwd + "/config"
 	// 嵌入式集成私人版本nuclei-templates 共3744个YAML POC
 	if util.GetValAsBool("enableEmbedYaml") {
-		// options.Templates = []string{pwd + "/config/nuclei-templates"}
-		options.Templates = []string{pwd + "/config"}
+		options.Templates = []string{pwd + "/config/nuclei-templates"}
+		//options.Templates = []string{pwd + "/config"}
 		options.NoUpdateTemplates = true
 	} else {
 		options.NoUpdateTemplates = false

diff --git a/webScan/Functions/HttpClient.go b/webScan/Functions/HttpClient.go
@@ -27,6 +27,9 @@ func Client(method string, url string, body io.Reader, Headers map[string]string
 	}
 	muxs.Unlock()
 	client := util.GetClient(url)
+	if nil == client.Client {
+		client.Client = client.GetClient(nil)
+	}
 
 	if redirects == "true" {
 		client.Client.CheckRedirect = nil