fix 1、优化内存开销 2、支持url类型指纹 2022-07-14 11:58:1657771098

Author: x51pwn

.github/up.sh

@@ -5,4 +5,7 @@ go mod vendor
 # 工具静态分析代码实现
 go vet
 
+cat ./pkg/fingerprint/dicts/eHoleFinger.json|jq ".fingerprint[].cms"|wc -l
+cat ./pkg/fingerprint/dicts/localFinger.json|jq ".fingerprint[].cms"|wc -l
+cat ./pkg/fingerprint/dicts/fg.json|jq ".[].kind"|wc -l
 

brute/filefuzz.go

@@ -2,6 +2,7 @@ package brute
 
 import (
 	_ "embed"
+	"fmt"
 	"github.com/antlabs/strsim"
 	"github.com/hktalent/scan4all/pkg"
 	"log"
@@ -111,8 +112,13 @@ func init() {
 	//regs = append(regs, ret...)
 }
 
+var eableFileFuzz = "true" != pkg.GetValByDefault("enablFileFuzz", "false")
+
 // 文件fuzz
 func FileFuzz(u string, indexStatusCode int, indexContentLength int, indexbody string) ([]string, []string) {
+	if eableFileFuzz {
+		return []string{}, []string{}
+	}
 	u01, err := url.Parse(u)
 	if nil == err {
 		u = u01.Scheme + "://" + u01.Host + "/"
@@ -177,7 +183,10 @@ func FileFuzz(u string, indexStatusCode int, indexContentLength int, indexbody s
 			if strings.HasPrefix(payload, "/") && endP {
 				szUrl = u + payload[1:]
 			}
-			log.Println("fuzz: ", szUrl)
+			if 0 < log.Flags() {
+				fmt.Printf("fuzz: %s\r", szUrl)
+				//log.Println("fuzz: ", szUrl)
+			}
 			if url, req, err := reqPage(szUrl); err == nil {
 				// 403 by pass
 				if url.is403 {

config/config.json

@@ -58,10 +58,19 @@
   "priorityNmap": true,
   "nuclei": {},
   "enablEmbedYaml": true,
-  "httpx": {},
+  "enablFileFuzz": true,
+  "httpx": {
+    "Pipeline": true,
+    "HTTP2Probe": true,
+    "VHost": true,
+    "CSPProbe": true,
+    "TLSProbe": true,
+    "TechDetect": true
+  },
   "enableEsSv": false,
   "esthread": 8,
   "hydrathread": 8,
   "Fuzzthreads": 32,
+  "enableFingerTitleHeaderMd5Hex": false,
   "esUrl": "http://127.0.0.1:9200/%s_index/_doc/%s"
 }

config/config_me.json

@@ -58,7 +58,15 @@
   "nuclei": {},
   "priorityNmap": true,
   "enablEmbedYaml": true,
-  "httpx": {},
+  "enablFileFuzz": true,
+  "httpx": {
+    "Pipeline": true,
+    "HTTP2Probe": true,
+    "VHost": true,
+    "CSPProbe": true,
+    "TLSProbe": true,
+    "TechDetect": true
+  },
   "enableEsSv": true,
   "esthread": 8,
   "esUrl": "http://127.0.0.1:9200/%s_index/_doc/%s"

config/doNmapScan.sh

@@ -2,9 +2,10 @@
 XRate=5000
 function doMasScan {
     if [[ -f $1 ]] ; then
-        echo $PPSSWWDD|sudo -S nmap -F --top-ports=65535 -n --unique --resolve-all -Pn -sS --min-hostgroup 64 --max-retries 0 --host-timeout 10m --script-timeout 3m --version-intensity 9 --min-rate ${XRate} -T4  -iL $1 -oX $2
+        # -F --top-ports=65535
+        echo $PPSSWWDD|sudo -S nmap  -p 80,443 -n --unique --resolve-all -Pn -sS --min-hostgroup 64 --max-retries 0 --host-timeout 10m --script-timeout 3m --version-intensity 9 --min-rate ${XRate} -T4  -iL $1 -oX $2
     else
-        echo $PPSSWWDD|sudo -S nmap -F --top-ports=65535 -n --unique --resolve-all -Pn -sS --min-hostgroup 64 --max-retries 0 --host-timeout 10m --script-timeout 3m --version-intensity 9 --min-rate ${XRate} -T4  $1 -oX $2
+        echo $PPSSWWDD|sudo -S nmap  -p 80,443 -n --unique --resolve-all -Pn -sS --min-hostgroup 64 --max-retries 0 --host-timeout 10m --script-timeout 3m --version-intensity 9 --min-rate ${XRate} -T4  $1 -oX $2
     fi
 }
 doMasScan $1 $2

config/nuclei-templates/exposed-panels/smartping-dashboard.yaml

@@ -0,0 +1,27 @@
+id: smartping-dashboard
+
+info:
+  name: Unauth SmartPing Dashboard
+  author: DhiyaneshDk
+  severity: low
+  metadata:
+    verified: true
+    shodan-query: title:"SmartPing Dashboard"
+  tags: panel,misconfig,unauth,smartping
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/config.html"
+
+    matchers-condition: and
+    matchers:
+
+      - type: word
+        part: body
+        words:
+          - 'SmartPing Dashboard'
+
+      - type: status
+        status:
+          - 200

db/vhost.txt

@@ -0,0 +1,173 @@
+%s
+127.0.0.1
+admin
+admin.%s
+administration
+administration.%s
+ads
+adserver
+alerts
+alpha
+alpha.%s
+ap
+apache
+api
+app
+apps
+appserver
+aptest
+auth
+backup
+beta
+beta.%s
+blog
+cdn
+chat
+citrix
+cms
+corp
+crs
+cvs
+dashboard
+database
+db
+demo
+dev
+dev.%s
+devel
+development
+development.%s
+devsql
+devtest
+dhcp
+direct
+dmz
+dns
+dns0
+dns1
+dns2
+download
+en
+erp
+eshop
+exchange
+f5
+fileserver
+firewall
+forum
+ftp
+ftp0
+git
+gw
+help
+helpdesk
+home
+host
+http
+id
+images
+info
+internal
+internet
+intra
+intranet
+ipv6
+lab
+ldap
+linux
+local
+localhost
+log
+m
+m.%s
+mail
+mail2
+mail3
+mailgate
+main
+manage
+mgmt
+mirror
+mobile
+mobile.%s
+monitor
+mssql
+mta
+mx
+mx0
+mx1
+mysql
+news
+noc
+ns
+ns0
+ns1
+ns2
+ns3
+ntp
+old
+old.%s
+ops
+oracle
+owa
+pbx
+portal
+s3
+secure
+secure.%s
+server
+sharepoint
+shop
+sip
+smtp
+sql
+squid
+ssh
+ssl
+stage
+staging
+staging.%s
+stats
+status
+status.%s
+svn
+syslog
+test
+test1
+test2
+testing
+uat
+uat.%s
+upload
+v1
+v1.%s
+v2
+v2.%s
+v3
+v3.%s
+vm
+vnc
+voip
+vpn
+web
+web2test
+whois
+wiki
+www
+www.%s
+www2
+xml
+administrator
+webmail
+door
+phone
+lol
+test
+tester
+vmm
+local
+localadmin
+admin10
+admin01
+blogadmin
+about