fix filefuzz处理不当导致cpu持续上升的bug 2022-07-12 09:21:1657588876

Author: x51pwn

brute/filefuzz.go

@@ -4,6 +4,8 @@ import (
 	_ "embed"
 	"github.com/antlabs/strsim"
 	"github.com/hktalent/scan4all/pkg"
+	"log"
+	"net/url"
 	"regexp"
 	"strings"
 	"time"
@@ -66,13 +68,10 @@ func reqPage(u string) (*page, *pkg.Response, error) {
 		}
 		page.title = gettitle(req.Body)
 		page.locationUrl = req.Location
-		regs := strings.Split(strings.TrimSpace(fuzzct), "\n")
-		InitGeneral()
-		regs = append(regs, ret...)
-		for _, reg := range regs {
-			if x0, ok := req.Header["Content-Type"]; ok && 0 < len(x0) {
-				matched, _ := regexp.Match(reg, []byte(x0[0]))
-				if matched {
+		if x0, ok := req.Header["Content-Type"]; ok && 0 < len(x0) {
+			x0B := []byte(x0[0])
+			for _, reg := range regs {
+				if matched, _ := regexp.Match(reg, x0B); matched {
 					page.isBackUpPage = true
 				}
 			}
@@ -91,16 +90,24 @@ var fuzz404 string
 
 //go:embed dicts/page404Content.txt
 var page404Content1 string
+var regs []string
 
 func init() {
 	bakSuffix = pkg.GetVal4File("bakSuffix", bakSuffix)
 	fuzzct = pkg.GetVal4File("fuzzct", fuzzct)
 	fuzz404 = pkg.GetVal4File("fuzz404", fuzz404)
 	page404Content1 = pkg.GetVal4File("page404Content1", page404Content1)
+	InitGeneral()
+	regs = strings.Split(strings.TrimSpace(fuzzct), "\n")
+	regs = append(regs, ret...)
 }
 
 // 文件fuzz
 func FileFuzz(u string, indexStatusCode int, indexContentLength int, indexbody string) ([]string, []string) {
+	u01, err := url.Parse(u)
+	if nil == err {
+		u = u01.Scheme + "://" + u01.Host + "/"
+	}
 	var (
 		path404            = "/file_not_support"
 		page200CodeList    = []int{200, 301, 302}
@@ -153,6 +160,7 @@ func FileFuzz(u string, indexStatusCode int, indexContentLength int, indexbody s
 		ch <- struct{}{}
 		//log.Println(u, " ", payload)
 		go func(payload string) {
+			log.Println("fuzz: ", u+payload)
 			if url, req, err := reqPage(u + payload); err == nil {
 				// 403 by pass
 				if url.is403 {

main.go

@@ -2,13 +2,15 @@ package main
 
 import (
 	"embed"
+	"fmt"
 	"github.com/hktalent/scan4all/pkg"
 	naaburunner "github.com/hktalent/scan4all/pkg/naabu/v2/pkg/runner"
 	"github.com/projectdiscovery/gologger"
 	"io"
 	"log"
+	"net/http"
+	_ "net/http/pprof"
 	"runtime"
-	"sync"
 )
 
 //go:embed config/*
@@ -18,17 +20,23 @@ func init() {
 	pkg.Init2(&config)
 }
 
-var Wg sync.WaitGroup
-
 func main() {
-	naaburunner.Wg = &Wg
 	defer func() {
+		log.Println("start close cache, StopCPUProfile... ")
 		pkg.Cache1.Close()
 		//if "true" == pkg.GetVal("autoRmCache") {
 		//	os.RemoveAll(pkg.GetVal(pkg.CacheName))
 		//}
 	}()
 	options := naaburunner.ParseOptions()
+	if options.Debug {
+		// debug 优化时启用///////////////////////
+		go func() {
+			fmt.Println("debug info: \nopen http://127.0.0.1:6060/debug/pprof/\n")
+			http.ListenAndServe(":6060", nil)
+		}()
+		//////////////////////////////////////////*/
+	}
 	if false == options.Debug && false == options.Verbose {
 		// disable standard logger (ref: https://github.com/golang/go/issues/19895)
 		log.SetFlags(0)
@@ -52,5 +60,4 @@ func main() {
 	if err != nil {
 		gologger.Fatal().Msgf("naabuRunner.Httpxrun Could not run httpRunner: %s\n", err)
 	}
-	Wg.Wait()
 }

pkg/hydra/doNmapResult.go

@@ -10,18 +10,15 @@ import (
 	"os"
 	"strconv"
 	"strings"
-	"sync"
 )
 
 // 弱口令检测
-func CheckWeakPassword(ip, service string, port int, wg *sync.WaitGroup) {
-	defer wg.Done()
+func CheckWeakPassword(ip, service string, port int) {
 	// 在弱口令检测范围就开始检测，结果....
 	service = strings.ToLower(service)
 	if pkg.Contains(ProtocolList, service) {
 		//log.Println("start CheckWeakPassword ", ip, ":", port, "(", service, ")")
-		wg.Add(1)
-		Start(ip, port, service, wg)
+		Start(ip, port, service)
 	}
 }
 
@@ -34,8 +31,7 @@ func GetAttr(att []xmlquery.Attr, name string) string {
 	return ""
 }
 
-func DoParseXml(s string, wg *sync.WaitGroup, bf *bytes.Buffer) {
-	defer wg.Done()
+func DoParseXml(s string, bf *bytes.Buffer) {
 	doc, err := xmlquery.Parse(strings.NewReader(s))
 	if err != nil {
 		log.Println("DoParseXml： ", err)
@@ -54,8 +50,7 @@ func DoParseXml(s string, wg *sync.WaitGroup, bf *bytes.Buffer) {
 				service := GetAttr(x.SelectElement("service").Attr, "name")
 				//bf.Write([]byte(fmt.Sprintf("%s:%s\n", ip, szPort)))
 				bf.Write([]byte(fmt.Sprintf("http://%s:%s\n", ip, szPort)))
-				wg.Add(1)
-				go CheckWeakPassword(ip, service, port, wg)
+				go CheckWeakPassword(ip, service, port)
 				// 存储结果到其他地方
 				//x9 := AuthInfo{IPAddr: ip, Port: port, Protocol: service}
 				if "true" == enableEsSv {
@@ -78,8 +73,7 @@ func DoParseXml(s string, wg *sync.WaitGroup, bf *bytes.Buffer) {
 	}
 }
 
-func DoNmapRst(wg *sync.WaitGroup, bf *bytes.Buffer) {
-	defer wg.Done()
+func DoNmapRst(bf *bytes.Buffer) {
 	if x1, ok := pkg.TmpFile[pkg.Naabu]; ok {
 		for _, x := range x1 {
 			defer func(r *os.File) {
@@ -89,8 +83,7 @@ func DoNmapRst(wg *sync.WaitGroup, bf *bytes.Buffer) {
 			b, err := ioutil.ReadFile(x.Name())
 			if nil == err && 0 < len(b) {
 				//fmt.Println("read nmap xml file ok: ", len(b))
-				wg.Add(1)
-				DoParseXml(string(b), wg, bf)
+				DoParseXml(string(b), bf)
 			} else {
 				log.Println("ioutil.ReadFile(x.Name()): ", err)
 			}

pkg/hydra/mysql/mysql.go

@@ -12,12 +12,12 @@ import (
 
 func Check(Host, Username, Password string, Port int) (bool, error) {
 	_ = mysql.SetLogger(log.New(io.Discard, "", log.Ldate|log.Ltime))
-	dataSourceName := fmt.Sprintf("%v:%v@tcp(%v:%v)/information_schema?charset=utf8&timeout=%v", Username, Password, Host, Port, 5*time.Second)
+	dataSourceName := fmt.Sprintf("%v:%v@tcp(%v:%v)/information_schema?charset=utf8&timeout=%v", Username, Password, Host, Port, 2*time.Second)
 	db, err := sql.Open("mysql", dataSourceName)
 	if err != nil {
 		return false, err
 	}
-	db.SetConnMaxLifetime(5 * time.Second)
+	db.SetConnMaxLifetime(2 * time.Second)
 	db.SetMaxIdleConns(0)
 	defer db.Close()
 	err = db.Ping()

pkg/hydra/runner.go

@@ -7,7 +7,6 @@ import (
 	"github.com/logrusorgru/aurora"
 	"log"
 	"strings"
-	"sync"
 )
 
 func init() {
@@ -27,10 +26,9 @@ func init() {
 }
 
 // 密码破解
-func Start(IPAddr string, Port int, Protocol string, wg *sync.WaitGroup) {
-	defer wg.Done()
+func Start(IPAddr string, Port int, Protocol string) {
 	authInfo := NewAuthInfo(IPAddr, Port, Protocol)
-	crack := NewCracker(authInfo, true, 128)
+	crack := NewCracker(authInfo, true, 8)
 	fmt.Printf("\n[hydra]->开始对%v:%v[%v]进行暴力破解，字典长度为：%d\n", IPAddr, Port, Protocol, crack.Length())
 	go crack.Run()
 	//爆破结果获取

pkg/naabu/v2/pkg/runner/targets.go

@@ -20,7 +20,6 @@ import (
 	"os"
 	"regexp"
 	"strings"
-	"sync"
 )
 
 func (r *Runner) Load() error {
@@ -102,8 +101,6 @@ func (r *Runner) DoSsl(target string) []string {
 	return []string{}
 }
 
-var Wg *sync.WaitGroup
-
 // target域名转多个ip处理
 func (r *Runner) DoTargets() (bool, error) {
 	data, err := ioutil.ReadFile(r.targetsFile)
@@ -182,8 +179,7 @@ func (r *Runner) DoTargets() (bool, error) {
 						}(x99[0])
 					}
 					pkg.TmpFile[pkg.Naabu] = []*os.File{tempInput1}
-					Wg.Add(1)
-					hydra.DoNmapRst(Wg, &Naabubuffer)
+					hydra.DoNmapRst(&Naabubuffer)
 					defer r.Close()
 					ioutil.WriteFile(r.targetsFile, []byte(""), os.ModePerm)
 					log.Println("do namp over naabu ")