up 2022-10-06

Author: hktalent

brute/dicts/filedic.txt

@@ -3419,7 +3419,10 @@ $metadata
 2022.sql
 2022.sql.tar.gz
 2022.sql.zip
+2022.tar
+2022.tar.bz2
 2022.tar.gz
+2022.tgz
 2022.txt.gz
 2022.zip
 2022_dump.sql
@@ -10923,6 +10926,7 @@ components/login.ascx
 components/raiz0worm_1618449492.php
 compose.sh
 composer
+composer-bx.json
 composer.json
 composer.lock
 composer.phar
@@ -23347,6 +23351,7 @@ public/web/css/add//index.css
 public/web/js/add/com.js
 public_html
 public_html.sql
+public_html/
 public_html/.env
 public_html/robots.txt
 public_root/.env
@@ -26621,6 +26626,9 @@ systemsoft
 systemstatus.xml
 sysuser
 sz.php
+szUrl
+szUrl.jsp
+szUrl.php
 szeredi
 szewo
 sánchez
@@ -27943,13 +27951,10 @@ ur-admin/
 urban
 uresk
 uri
-szUrl
-szUrl.jsp
-szUrl.php
-url_1.sql
-url_2.sql
 urlList.
 urlList.txt.gz
+url_1.sql
+url_2.sql
 urlmem-app/.env
 urlogy
 urls.py
@@ -30604,4 +30609,4 @@ zzz.php
 带回显执行cmd.jsp
 灭天远程管理.jsp
 灭天远程管理.jsp~
-内网渗透探测out.jsp".t.jsp!.gitignore
+内网渗透探测out.jsp".t.jsp

brute/filefuzz.go

@@ -165,7 +165,11 @@ func FileFuzz(u string, indexStatusCode int, indexContentLength int, indexbody s
 		path         []string     // 成功页面路径
 	)
 	url404, url404req, err, ok := util.TestIs404Page(u) //reqPage(u + path404)
-	if err == nil && ok {
+	if err == nil && ok && nil != url404req {
+		// 升级协议
+		if "" != url404req.Protocol && !strings.Contains(url404req.Protocol, "HTTP/1.") {
+			u = "https://" + u01.Host + "/"
+		}
 		go util.CheckHeader(url404req.Header, u)
 		// 跳过当前目标所有的fuzz,后续所有的fuzz都无意义了
 		if 200 == url404.StatusCode || 301 == url404.StatusCode || 302 == url404.StatusCode {
@@ -195,6 +199,9 @@ func FileFuzz(u string, indexStatusCode int, indexContentLength int, indexbody s
 	var async_technologies = make(chan []string, util.Fuzzthreads*2)
 	// 字典长度的 70% 的错误
 	var MaxErrorTimes int32 = int32(float32(len(filedic)) * 0.7)
+	if strings.HasPrefix(url404req.Protocol, "HTTP/2") || strings.HasPrefix(url404req.Protocol, "HTTP/3") {
+		MaxErrorTimes = int32(len(filedic))
+	}
 	//defer func() {
 	//	close(ch)
 	//	close(async_data)

config/config.json

@@ -74,7 +74,7 @@
   "priorityNmap": true,
   "noScan": false,
   "enableMultNuclei": false,
-  "enableNuclei": true,
+  "enableNuclei": false,
   "nuclei": {
     "Severities":  [5,4,3],
     "RateLimit": 150,

go.mod

@@ -101,7 +101,7 @@ require (
 	github.com/google/go-github v17.0.0+incompatible
 	github.com/gorilla/websocket v1.5.0
 	github.com/gosnmp/gosnmp v1.35.0
-	github.com/hktalent/PipelineHttp v0.0.0-20221005170636-4c4c7c3108ea
+	github.com/hktalent/PipelineHttp v0.0.0-20221006120713-f0d2d692285e
 	github.com/hktalent/goSqlite_gorm v1.1.1
 	github.com/hktalent/jarm-go v0.0.0-20220918133110-7801447b6267
 	github.com/huin/asn1ber v0.0.0-20120622192748-af09f62e6358
@@ -314,7 +314,7 @@ require (
 	go.uber.org/zap v1.23.0 // indirect
 	goftp.io/server/v2 v2.0.0 // indirect
 	golang.org/x/exp v0.0.0-20221004215720-b9f4876ce741 // indirect
-	golang.org/x/mod v0.6.0-dev.0.20220922195421-2adab6b8c60e // indirect
+	golang.org/x/mod v0.6.0-dev.0.20221005201717-2666ed6287c1 // indirect
 	golang.org/x/sync v0.0.0-20220907140024-f12130a52804 // indirect
 	golang.org/x/term v0.0.0-20220722155259-a9ba230a4035 // indirect
 	golang.org/x/tools v0.1.12 // indirect

go.sum

@@ -518,6 +518,30 @@ github.com/hktalent/PipelineHttp v0.0.0-20221005141854-655e41c6acad h1:NFVuThP+N
 github.com/hktalent/PipelineHttp v0.0.0-20221005141854-655e41c6acad/go.mod h1:ncw1+ugTc5GPQLUHHI7uWrgW2KWBppDBWwwjC984QJg=
 github.com/hktalent/PipelineHttp v0.0.0-20221005170636-4c4c7c3108ea h1:riOxhSWDEbwbNFgCxBUkOsTYhZte/I+6Khf9Pab7uxU=
 github.com/hktalent/PipelineHttp v0.0.0-20221005170636-4c4c7c3108ea/go.mod h1:ncw1+ugTc5GPQLUHHI7uWrgW2KWBppDBWwwjC984QJg=
+github.com/hktalent/PipelineHttp v0.0.0-20221006042931-50e9738e9fa2 h1:Tg8VVpQY+Q/VY+Hktp5GzH3UX+9Wn9TAzg19i/MsSCA=
+github.com/hktalent/PipelineHttp v0.0.0-20221006042931-50e9738e9fa2/go.mod h1:ncw1+ugTc5GPQLUHHI7uWrgW2KWBppDBWwwjC984QJg=
+github.com/hktalent/PipelineHttp v0.0.0-20221006043319-d0b0b81444e9 h1:RST32dMeocSC1gaNIV9dr+nUm5+j1Tl/P4NlASpjV80=
+github.com/hktalent/PipelineHttp v0.0.0-20221006043319-d0b0b81444e9/go.mod h1:ncw1+ugTc5GPQLUHHI7uWrgW2KWBppDBWwwjC984QJg=
+github.com/hktalent/PipelineHttp v0.0.0-20221006050639-12d87d75cbb0 h1:kid3mPBRHpXqIfwu6J+8WOJHddluw0yiMB78ULqn1Ek=
+github.com/hktalent/PipelineHttp v0.0.0-20221006050639-12d87d75cbb0/go.mod h1:ncw1+ugTc5GPQLUHHI7uWrgW2KWBppDBWwwjC984QJg=
+github.com/hktalent/PipelineHttp v0.0.0-20221006052353-35d1b8a29240 h1:4M1Kwakhi8CUsXi+8zChYHkmn4YPRXoJf85U+YXDkco=
+github.com/hktalent/PipelineHttp v0.0.0-20221006052353-35d1b8a29240/go.mod h1:ncw1+ugTc5GPQLUHHI7uWrgW2KWBppDBWwwjC984QJg=
+github.com/hktalent/PipelineHttp v0.0.0-20221006061142-6d1c9910a885 h1:JVeoRVv1xq6tk9MaG2MTrnq551O/OcOwuW6CuqN+FSo=
+github.com/hktalent/PipelineHttp v0.0.0-20221006061142-6d1c9910a885/go.mod h1:ncw1+ugTc5GPQLUHHI7uWrgW2KWBppDBWwwjC984QJg=
+github.com/hktalent/PipelineHttp v0.0.0-20221006063238-3152c63b243e h1:/YPFONUnpnhqa5xD+44+HjdjnBS+8O8b9hPjD5969p4=
+github.com/hktalent/PipelineHttp v0.0.0-20221006063238-3152c63b243e/go.mod h1:ncw1+ugTc5GPQLUHHI7uWrgW2KWBppDBWwwjC984QJg=
+github.com/hktalent/PipelineHttp v0.0.0-20221006065030-cc56ca1f2105 h1:fOM6qSiVU17lxCYlEdNssNyfjNxWS+8i4yW1x2rBXLk=
+github.com/hktalent/PipelineHttp v0.0.0-20221006065030-cc56ca1f2105/go.mod h1:ncw1+ugTc5GPQLUHHI7uWrgW2KWBppDBWwwjC984QJg=
+github.com/hktalent/PipelineHttp v0.0.0-20221006072228-9ee8802d3fa4 h1:XR3LsI8g3WYmKdzIdQh7HldzrdUlwTwYAEDtOdn8prw=
+github.com/hktalent/PipelineHttp v0.0.0-20221006072228-9ee8802d3fa4/go.mod h1:ncw1+ugTc5GPQLUHHI7uWrgW2KWBppDBWwwjC984QJg=
+github.com/hktalent/PipelineHttp v0.0.0-20221006080839-6f699ce90f4d h1:jjgWWqXlQPXKnhLasC4oqMaat2pJ7i7ikQbJLoDZfio=
+github.com/hktalent/PipelineHttp v0.0.0-20221006080839-6f699ce90f4d/go.mod h1:ncw1+ugTc5GPQLUHHI7uWrgW2KWBppDBWwwjC984QJg=
+github.com/hktalent/PipelineHttp v0.0.0-20221006083938-811ae05bcab2 h1:uydQn2QkVQ9O8gdDPj4pawpIX4jNt7DIWbat7xrLO3M=
+github.com/hktalent/PipelineHttp v0.0.0-20221006083938-811ae05bcab2/go.mod h1:ncw1+ugTc5GPQLUHHI7uWrgW2KWBppDBWwwjC984QJg=
+github.com/hktalent/PipelineHttp v0.0.0-20221006102853-7270ca9cc3dc h1:dz5vNFzfGCCg3cq/vxNUzCXqKCTLiCHZDeBQBubZ0WY=
+github.com/hktalent/PipelineHttp v0.0.0-20221006102853-7270ca9cc3dc/go.mod h1:ncw1+ugTc5GPQLUHHI7uWrgW2KWBppDBWwwjC984QJg=
+github.com/hktalent/PipelineHttp v0.0.0-20221006120713-f0d2d692285e h1:6Iy5XhPWznVIQEXJNFeE/RyXe3wrIfIjybW/yLAbch4=
+github.com/hktalent/PipelineHttp v0.0.0-20221006120713-f0d2d692285e/go.mod h1:ncw1+ugTc5GPQLUHHI7uWrgW2KWBppDBWwwjC984QJg=
 github.com/hktalent/go-utils v0.0.0-20221004021941-7e10e0fb13ea h1:vuxZbB9vAwBi0Uj4F5GOfVtsi5E9MFX07EkCKypVu9M=
 github.com/hktalent/go-utils v0.0.0-20221004021941-7e10e0fb13ea/go.mod h1:9E0C0K+/zzyJ+VqFx1llC3y7+mGgW3toLoyMQnlNXhw=
 github.com/hktalent/go-utils v0.0.0-20221004095234-2e23f13b429d h1:z1IUP4hqn0LGgs78bU2gSlna92/p+RlB0MSZ+RxSmCo=
@@ -1282,6 +1306,8 @@ golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220922195421-2adab6b8c60e h1:WhB000cGjOfbJiedMGvJkMTclI18VD69w27k+sceql8=
 golang.org/x/mod v0.6.0-dev.0.20220922195421-2adab6b8c60e/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.6.0-dev.0.20221005201717-2666ed6287c1 h1:OA6fBHK4jYnCov6kv7N79LNg3i6uYzpaWyGPbCuBz1s=
+golang.org/x/mod v0.6.0-dev.0.20221005201717-2666ed6287c1/go.mod h1:GcdizjqnHZfplEsgKNRaCUIjLeLmr0f33PF1GTBHBso=
 golang.org/x/net v0.0.0-20180218175443-cbe0f9307d01/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=

lib/test/test.go

@@ -1,16 +1,45 @@
 package main
 
 import (
-	"github.com/hktalent/scan4all/lib/socket"
-	"io/ioutil"
+	"fmt"
+	"github.com/hktalent/scan4all/lib/util"
+	"log"
+	"sync"
 )
 
 func main() {
+	//
+	//data, err := ioutil.ReadFile("/Users/51pwn/MyWork/TestPoc/JRMPListener.ser")
+	//if nil == err {
+	//	x1 := socket.NewCheckTarget("http://127.0.0.1:4444", "tcp", 15)
+	//	x1.SendPayload(data, 15)
+	//	x1.Close()
+	//}
+	//
+	//x1 := PipelineHttp.NewPipelineHttp()
+	////x1.ErrLimit = 9999999
+	//defer x1.Close()
+	//x1.DoGet("https://127.0.0.1:8081/scan4all", func(resp *http.Response, err error, szU string) {
+	//	if nil != resp {
+	//		log.Println(resp.StatusCode)
+	//	}
+	//})
+	var Wg = sync.WaitGroup{}
+	// 单独测试没有问题
+	for i := 33; i < 8082; i++ {
+		Wg.Add(1)
+		go func(n int) {
+			defer Wg.Done()
+			s1 := fmt.Sprintf("http://127.0.0.1:%d/scan4all", n)
+			if resp, err := util.HttpRequset(s1, "GET", "", false, nil); nil == err {
+				log.Println(resp.StatusCode, s1)
+			} else {
+				if n == 8081 {
+					log.Println(err)
+				}
+			}
+		}(i)
 
-	data, err := ioutil.ReadFile("/Users/51pwn/MyWork/TestPoc/JRMPListener.ser")
-	if nil == err {
-		x1 := socket.NewCheckTarget("http://127.0.0.1:4444", "tcp", 15)
-		x1.SendPayload(data, 15)
-		x1.Close()
 	}
+	Wg.Wait()
 }

lib/util/config.go

@@ -13,7 +13,6 @@ import (
 	"io/ioutil"
 	"log"
 	"math/rand"
-	"net/http"
 	"os"
 	"os/exec"
 	"reflect"
@@ -441,20 +440,31 @@ func TestIs404(szUrl string) (r01 *Response, err error, ok bool) {
 	sz404 := szUrl + Abs404
 	client := GetClient(sz404)
 	if nil != client {
-		client.Client.Timeout = 5
+		//client.Client.Timeout = 500
+		//client.ErrCount = 0
+		//client.ErrLimit = 9999
 		//log.Printf("%v %s \n", client, sz404)
-		var x05 *http.Transport = client.Client.Transport.(*http.Transport)
-		if nil != x05 {
-			x05.DisableKeepAlives = true
-		}
 	}
 
-	log.Println("start test ", sz404)
-	r01, err = HttpRequset(sz404, "GET", "", false, map[string]string{"Connection": "close"})
+	//log.Println("start test ", sz404)
+	var mh1 map[string]string
+	if strings.HasPrefix(sz404, "http://") {
+		mh1 = map[string]string{
+			//"Connection":   "close",
+			"Content-Type": "",
+		}
+	}
+	r01, err = HttpRequset(sz404, "GET", "", false, mh1)
 	ok = err == nil && nil != r01 && 404 == r01.StatusCode
+	if nil != err {
+		CloseHttpClient(sz404)
+		//log.Println(sz404, err)
+	} else {
+		log.Printf("%d %s %s\n", r01.StatusCode, r01.Protocol, sz404)
+	}
 	noRpt.Set(key, []interface{}{r01, err, ok}, defaultInteractionDuration)
 	//client.Client.Timeout = 10
-	log.Println("end test ", sz404)
+	//log.Println("end test ", sz404)
 	return r01, err, ok
 }
 func TestIs404Page(szUrl string) (page *Page, r01 *Response, err error, ok bool) {

lib/util/config_test.go

@@ -0,0 +1,29 @@
+package util
+
+import (
+	"fmt"
+	"sync"
+	"testing"
+)
+
+func TestTestIs404(t *testing.T) {
+	Init2()
+	var Wg = sync.WaitGroup{}
+	// 单独测试没有问题
+	for i := 8070; i < 8082; i++ {
+		Wg.Add(1)
+		go func(n int) {
+			defer Wg.Done()
+			s1 := fmt.Sprintf("https://127.0.0.1:%d/scan4all", n)
+			if resp, err, ok := TestIs404(s1); ok && nil == err {
+				t.Log(resp.StatusCode, s1)
+			} else {
+				if n == 8081 && nil != err {
+					t.Error(s1, err)
+				}
+			}
+		}(i)
+
+	}
+	Wg.Wait()
+}

lib/util/modle.go

@@ -8,9 +8,10 @@ type Response struct {
 	StatusCode    int
 	Body          string
 	Header        *http.Header // 不用负责对象，引用，节约内存开销
-	ContentLength int
-	RequestUrl    string
-	Location      string
+	ContentLength int          `json:"content_length"`
+	RequestUrl    string       `json:"request_url"`
+	Location      string       `json:"location"`
+	Protocol      string       `json:"protocol"`
 }
 
 // fuzz请求返回的结果

lib/util/sv2es.go

@@ -1,6 +1,7 @@
 package util
 
 import (
+	"bytes"
 	"crypto/sha1"
 	"encoding/hex"
 	"encoding/json"
@@ -87,12 +88,14 @@ func SendReq(data1 interface{}, id string, szType ESaveType) {
 			<-nThreads
 		}()
 		szUrl := fmt.Sprintf(EsUrl, szType, url.QueryEscape(id))
-		log.Println("logs EsUrl = ", EsUrl)
+		//log.Println("logs EsUrl = ", EsUrl)
 		m1 := map[string]string{
 			"User-Agent":   "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15",
 			"Content-Type": "application/json;charset=UTF-8",
 		}
-		SendData2Url(szUrl, data1, &m1, func(resp *http.Response, err error, szU string) {
+		c1 := GetClient(szUrl, map[string]interface{}{"UseHttp2": true})
+		data, _ := json.Marshal(data1)
+		c1.DoGetWithClient4SetHd(c1.GetClient4Http2(), szUrl, "POST", bytes.NewReader(data), func(resp *http.Response, err error, szU string) {
 			if nil != err {
 				log.Println("pphLog.DoGetWithClient4SetHd ", err)
 			} else {
@@ -103,6 +106,8 @@ func SendReq(data1 interface{}, id string, szType ESaveType) {
 					Log(err)
 				}
 			}
-		})
+		}, func() map[string]string {
+			return m1
+		}, true)
 	})
 }