up 2022-11-15

Author: hktalent

.DistributedId

@@ -0,0 +1 @@
+862934f8-06a3-99a1-a162-a2cdef4dae97

brute/fuzzAI.go

@@ -2,17 +2,19 @@ package brute
 
 import (
 	_ "embed"
-	"encoding/json"
 	"github.com/antlabs/strsim"
 	"github.com/hktalent/ProScan4all/lib/util"
 	"github.com/hktalent/ProScan4all/pkg"
 	"github.com/hktalent/ProScan4all/pkg/fingerprint"
+	jsoniter "github.com/json-iterator/go"
 	"gorm.io/gorm"
 	"net/url"
 	"regexp"
 	"strings"
 )
 
+var json = jsoniter.ConfigCompatibleWithStandardLibrary
+
 // 异常页面数据库
 type ErrPage struct {
 	gorm.Model

brute/fuzzfingerprints.go

@@ -1,7 +1,6 @@
 package brute
 
 import (
-	"encoding/json"
 	"fmt"
 	"github.com/hktalent/ProScan4all/lib/util"
 	"strings"

config/51pwn/iiop.yaml

@@ -0,0 +1,26 @@
+id: httpIiop_51pwn
+info:
+  name: Arbitrary File Read on Skype For Business Server
+  author:
+  - 51pwn
+  description: |-
+    Arbitrary File Read on Skype For Business Server
+requests:
+  - raw:
+      - |
+        POST /TunnelSendServlet?wl-login=true HTTP/1.1
+        Host: {{Hostname}}
+
+        {{hex_decode('47494f50010200030000001700000002000000000000000b4e616d6553657276696365')}}
+    matchers:
+      - type: status
+        status:
+        - 200
+      - type: word
+        condition: and
+        part: body
+        words:
+        - '[extensions]'
+    matchers-condition: and
+    redirects: false
+  

config/config.json

@@ -109,10 +109,12 @@
   "CheckWeakPassword": true,
   "jaelesThread": 8,
   "esthread": 8,
+  "LimitTask": 4,
   "hydrathread": 64,
   "Fuzzthreads": 16,
   "enableFingerTitleHeaderMd5Hex": false,
   "Cookie": "",
+  "DtServer":"https://127.0.0.1:8081/api/v1.0/syncResult/task/%d",
   "esUrl": "https://127.0.0.1:8081/%s_index/_doc/%s",
   "Exploit":{
     "Path": "./config/poc/",

engine/dispather.go

@@ -10,44 +10,44 @@ import (
 // 扫描任务分发
 //   为不同类型扫描构造参数，进行事件分发
 func Dispather(task *models.Target4Chan) {
-	x1 := G_Engine.GetCaseScanFunc()
+	x1 := GEngine.GetCaseScanFunc()
 	x1.Range(func(k1, value any) bool {
 		if k, ok := k1.(int64); ok {
 			if lib.HasScanType(task.ScanType, k) {
 				x1 := &models.EventData{EventType: k, Task: task}
 				switch k {
 				case ScanType_SSLInfo: // 01- SSL信息分析，并对域名信息进行收集、进入下一步流程
-					G_Engine.EventData <- x1
+					GEngine.EventData <- x1
 				case ScanType_SubDomain: // 02- 子域名爆破，新域名回归 到:  1 <-- -> 2，做去重处理
-					G_Engine.EventData <- x1
+					GEngine.EventData <- x1
 				case ScanType_MergeIps: // 03- 默认自动合并ip，记录ip与域名的关联关系，再发送payload时考虑：相同ip不同域名，相同payload分别发送 合并相同目标 若干域名的ip，避免扫描时重复
-					G_Engine.EventData <- x1
+					GEngine.EventData <- x1
 				case ScanType_Pswd4hydra: // 04- 密码破解，隐含包含了: 端口扫描(05-masscan + 06-nmap)
-					G_Engine.EventData <- x1
+					GEngine.EventData <- x1
 				case ScanType_Masscan: // 05- 合并后的ip 进行快速端口扫描; // 06、精准 端口指纹，排除masscan已经识别的几种指纹
 					x1.EventData = []interface{}{[]interface{}{portScan.TargetStr(task.ScanWeb)}}
-					G_Engine.EventData <- x1
+					GEngine.EventData <- x1
 				case ScanType_Nmap: // 05- 合并后的ip 进行快速端口扫描; // 06、精准 端口指纹，排除masscan已经识别的几种指纹
 					x1.EventData = []interface{}{x1.Target2Ip(), []string{"0-65535"}}
-					G_Engine.EventData <- x1
+					GEngine.EventData <- x1
 				case ScanType_IpInfo: // 07- 获取ip info
-					G_Engine.EventData <- x1
+					GEngine.EventData <- x1
 				case ScanType_GoPoc: // 08- go-poc 检测, 隐含包含了: 端口扫描(05-masscan + 06-nmap)
-					G_Engine.EventData <- x1
+					GEngine.EventData <- x1
 				case ScanType_PortsWeb: // 09- web端口识别，Naabu,识别 https，识别存活的web端口，再进入下一流程
-					G_Engine.EventData <- x1
+					GEngine.EventData <- x1
 				case ScanType_WebFingerprints: // 10- web指纹，识别蜜罐，并标识
-					G_Engine.EventData <- x1
+					GEngine.EventData <- x1
 				case ScanType_WebDetectWaf: // 11- detect WAF
-					G_Engine.EventData <- x1
+					GEngine.EventData <- x1
 				case ScanType_WebScrapy: // 12- 爬虫分析，form表单识别，字段名识别，form action提取；
-					G_Engine.EventData <- x1
+					GEngine.EventData <- x1
 				case ScanType_WebInfo: // 13- server、x-powerby、x***，url、ip、其他敏感信息（姓名、电话、地址、身份证）
-					G_Engine.EventData <- x1
+					GEngine.EventData <- x1
 				case ScanType_WebVulsScan: // 14-nuclei
-					G_Engine.EventData <- x1
+					GEngine.EventData <- x1
 				case ScanType_WebDirScan: // 14-dir爆破,Gobuster
-					G_Engine.EventData <- x1
+					GEngine.EventData <- x1
 				default:
 
 				}

engine/engineImp.go

@@ -1,30 +1,49 @@
 package engine
 
 import (
+	"bytes"
 	"context"
+	"fmt"
 	"github.com/hktalent/51pwnPlatform/lib"
 	"github.com/hktalent/51pwnPlatform/pkg/models"
 	"github.com/hktalent/ProScan4all/lib/util"
 	"github.com/hktalent/ProScan4all/pocs_go"
 	"github.com/hktalent/jaeles/cmd"
+	jsoniter "github.com/json-iterator/go"
 	"github.com/panjf2000/ants/v2"
+	"github.com/ulule/deepcopier"
+	"io/ioutil"
 	"log"
+	"net"
+	"net/url"
 	"os"
 	"os/signal"
+	"strconv"
+	"strings"
 	"sync"
+	"time"
 )
 
+var json = jsoniter.ConfigCompatibleWithStandardLibrary
+
 // 引擎对象，全局单实例
 type Engine struct {
 	Context      *context.Context       // 上下文
 	Wg           *sync.WaitGroup        // Wg
 	Pool         int                    // 线程池
 	PoolFunc     *ants.PoolWithFunc     // 线程调用
 	EventData    chan *models.EventData // 数据队列
+	NodeId       string                 `json:"node_id"`    // 分布式引擎节点的id，除非系统更换，docker重制，否则始终一致
+	LimitTask    int                    `json:"limit_task"` // 当前节点任务并发数的限制
+	SyTask       int                    `json:"sy_task"`    // 剩余task
+	DtServer     string                 `json:"dt_server"`  // 获取任务、提交任务状态的server
 	caseScanFunc sync.Map
 }
 
-var G_Engine *Engine
+var GEngine *Engine
+
+// 获取分布式任务
+// /api/v1.0/syncResult/task/
 
 // 创建引擎
 //  默认每个 goroutine 占用 8KB 内存
@@ -34,7 +53,17 @@ func NewEngine(c *context.Context, pool int) *Engine {
 	if nil != util.G_Engine {
 		return util.G_Engine.(*Engine)
 	}
-	x1 := &Engine{Context: c, Wg: &sync.WaitGroup{}, Pool: pool, EventData: make(chan *models.EventData, pool)}
+
+	x1 := &Engine{
+		Context:   c,
+		Wg:        &sync.WaitGroup{},
+		Pool:      pool,
+		DtServer:  util.GetVal("DtServer"),
+		EventData: make(chan *models.EventData, pool),
+		LimitTask: util.GetValAsInt("LimitTask", 4),
+	}
+	x1.SyTask = x1.LimitTask // 初始化剩余任务等于最大任务数
+	x1.initNodeId()
 	p, err := ants.NewPoolWithFunc(pool, func(i interface{}) {
 		defer x1.Wg.Done()
 		x1.DoEvent(i.(*models.EventData))
@@ -44,13 +73,115 @@ func NewEngine(c *context.Context, pool int) *Engine {
 	}
 	x1.PoolFunc = p
 	util.G_Engine = x1
-	G_Engine = x1
+	GEngine = x1
 	util.EngineFuncFactory = x1.EngineFuncFactory
 	util.SendEvent = x1.SendEvent
 	log.Println("Engine init ok")
 	return x1
 }
 
+func (e *Engine) initNodeId() {
+	dirname, err := os.Getwd()
+	szP := dirname + "/.DistributedId"
+	if nil == err {
+		if util.FileExists(szP) {
+			data, err := ioutil.ReadFile(szP)
+			if nil == err {
+				e.NodeId = strings.TrimSpace(string(data))
+			}
+		}
+	}
+	if "" == e.NodeId {
+		e.NodeId = util.GenUuid()
+		ioutil.WriteFile(szP, []byte(e.NodeId), os.ModePerm)
+	}
+}
+
+// "https://dt.51pwn.com/api/v1.0/syncResult/task/%d"
+// curl -v -XPOST -d '{"Num":22,"task_ids":"","node_id":"xx","task_num":443}'  https://127.0.0.1:8081/api/v1.0/syncResult/task/33
+// 结果反馈 /api/v1.0/syncResult/task/%d
+// 获取、确认分布式任务，Distributed Tasks
+func (e *Engine) GetTask(okTaskIds string) {
+	if resp, err := util.DoPost(fmt.Sprintf(e.DtServer, e.LimitTask), map[string]string{
+		"Content-Type": "application/json",
+	}, strings.NewReader(`{"Num":`+strconv.Itoa(e.SyTask)+`,"task_ids":"`+okTaskIds+`","node_id":"`+e.NodeId+`","task_num":`+strconv.Itoa(e.LimitTask)+`}`)); nil == err && nil != resp {
+		defer resp.Body.Close()
+		var n1 = models.EventData{}
+		if data, err := ioutil.ReadAll(resp.Body); nil == err {
+			if err := json.Unmarshal(data, &n1); nil == err {
+				e.SendEvent(&n1, n1.EventType)
+			}
+		}
+	}
+}
+
+// 获取公共ip
+func (r *Engine) GetPublicIP() ([]string, error) {
+	ifas, err := net.Interfaces()
+	if err != nil {
+		return nil, err
+	}
+	var as []string
+
+	for _, ifa := range ifas {
+		a := ifa.HardwareAddr.String()
+		// have mac
+		if a != "" {
+			addrs, err := ifa.Addrs()
+			// get Ip error
+			if nil != err {
+				continue
+			}
+			for _, addr := range addrs {
+				switch v := addr.(type) {
+				case *net.IPNet:
+					if v.IP.IsPrivate() {
+						continue
+					}
+					as = append(as, v.IP.String())
+				case *net.IPAddr:
+					if v.IP.IsPrivate() {
+						continue
+					}
+					as = append(as, v.IP.String())
+				}
+			}
+		}
+	}
+	return as, nil
+}
+func (e *Engine) generateTaskId(s string) string {
+	return util.GetSha1(s)
+}
+
+// 发送任务
+//  只发送非私有网络的任务
+func (e *Engine) SendTask(s string) {
+	szUrl := fmt.Sprintf(e.DtServer, e.LimitTask)
+	if oU, err := url.Parse(szUrl); nil == err {
+		szUrl = strings.Join([]string{oU.Scheme, "://", oU.Host, "/api/v1.0/alipay_task"}, "")
+		szSendData := ""
+		sW := util.Base64Encode(s)
+		szTaskId := e.generateTaskId(s)
+		szSendData = "task_id=" + szTaskId + "&" + "scan_web=" + sW
+		base64Str := util.GetSig(szSendData, prvKey)
+		m1 := map[string]string{"task_id": szTaskId, "op": "0", "data_sign": base64Str}
+		data, _ := json.Marshal(&m1)
+
+		if resp, err := util.DoPost(fmt.Sprintf(e.DtServer, e.LimitTask), map[string]string{
+			"Content-Type": "application/json",
+		}, bytes.NewReader(data)); nil == err && nil != resp {
+			defer resp.Body.Close()
+			var n1 = models.EventData{}
+			if data, err := ioutil.ReadAll(resp.Body); nil == err {
+				if err := json.Unmarshal(data, &n1); nil == err {
+					e.SendEvent(&n1, n1.EventType)
+				}
+			}
+		}
+	}
+}
+
 func (e *Engine) EngineFuncFactory(nT int64, fnCbk interface{}) {
 	e.RegCaseScanFunc(nT, fnCbk)
 }
@@ -83,7 +214,7 @@ func (e *Engine) DoCase(ed *models.EventData) util.EngineFuncType {
 func (e *Engine) SendEvent(evt *models.EventData, argsTypes ...int64) {
 	for _, i := range argsTypes {
 		var n1 = models.EventData{}
-		util.DeepCopy(evt, &n1)
+		deepcopier.Copy(evt).To(n1)
 		n1.EventType = i
 		e.EventData <- &n1
 	}
@@ -114,6 +245,9 @@ func (x1 *Engine) Running() {
 		signal.Notify(c, os.Interrupt)
 		//nMax := 120 // 等xxx秒都没有消息进入就退出
 		//nCnt := 0
+		// 每10秒获取一次任务
+		c1Task := time.NewTicker(5 * time.Second)
+		c2Task := time.NewTicker(15 * time.Second)
 		for {
 			select {
 			case <-util.Ctx_global.Done():
@@ -146,8 +280,11 @@ func (x1 *Engine) Running() {
 						})
 					}(x1)
 				}
-			default:
+			case <-c1Task.C:
+				x1.GetTask("")
+			case <-c2Task.C:
 				util.DoDelayClear(x1.Wg) // panic: sync: WaitGroup misuse: Add called concurrently with Wait
+			default:
 				//util.DoSleep()
 			}
 		}
@@ -168,3 +305,35 @@ func init() {
 		})
 	})
 }
+
+// 发送方 的签名key
+var prvKey = []byte(`-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,0B3A74436D1F0AAE
+
+hzXeizI3DX5udIFmtfBpIEbQYz4ConOmdD/Vel2ppj6EG8PLI3oirlH7eRKxsCtU
+khRVyYhUhb9II1jKF0tu7glnZabHnTGFAeo5nEXjTl/dp5Of6eJIaNcWlc7nXTft
+koodNonRFZtGe7cHI5+WM4AvjWEXztuyPKCa0Zepz7k77IdxxQ+gzIonbni0OGeh
+ze2kkBZMgCnS2LNqhk5zAhb0ATCTMLfd1FbsJXieXQAyCZQBER6J8hXvvZP2oZyq
+izou+5BsT9/W/4crq0glYSc2SMSWUFj5sSSPgVj7dV8KiRueD1ybm13B0N5XKEoY
+YK+IfdVBu6NspMfW8b+mp4JoAChA360d12Zyrg4J9gtOvoR4eOhtm4c0D0GPsubS
+XjK8Jvp41QtLRz9trNshrXI8/3z5bc26zHBLbQ6lRJSA9Q5Guc70/8FHxPOik+SZ
+57gMsG0OuxvUfoIif5dwwtYh5dWYktE+Ii/FnFH/X3wROiq+D4ZWI0dKNED7fFry
+RYmLJK+Bn7BjbzC+ZWwmKgMpmZyKF1/AB7031rB77z5Zq4Ksk+F5UEGLA4287CRT
+6vYY7eKpkRnZ2QHI5fdQ+fZ/A40n3NO1letf2MXB6Fxcz1P2DMYGJVVHfNSurj32
+F2fUckcHe9Kvy5FCXwui7aXZUkhbREAnAiKFHeRwlyjYUwxeo9QZUHt06hUKaY4c
+HJOLBzpjErtRfYLtGLADzaKAPe+fV+FqBWquoOG3/3aoz9oiiyxIj2a9D9ORLsy+
+e3QgdgiAluQ2QMqdNeYO7POWXjasaqZ8XVanSCHn3Tw5GdEq6naWz4cGxaJiXHV1
+PTiH2g/KEgu+L6b2xnwvEmpOKD33DEkB5xlnqUUFzAksbpL8l/sk9LPRjbjHl2Nu
+yL9myaJgpbPhw12Ika97VJp6ooH7Qy2WRGJ67FXGBkXXpTcItQzqqs6ZIFdwadq6
+Z1jNv+Wiq/o8IuVZys0a/LJlYYKrnHvKVl6LQrmcd+SWUgwbbKUBytsMDPB6OwHB
+Qrf3flcVIYvgqS+R1745JeFK/kxI1vtYlyNlveiAi9yRtDVnw+0DWrY03kWNsGfg
+9swsfO+/nHUxf81hC2g/Carrkdz7BLrsMKZnHlNVVFTNsHeELpmlGIO4VxOJzjel
+nuz4sITlXjBPsZernQuIbJ7GYqDv8Zb/dsW47BqIcl0PQ5FLOjJYBcIjpOnU1tLn
+e6pShBS4KWK/YegJdo+SxDvqLl66fdn58s1TlaZfgQic6P/mSzHgBYImb7rIlrUk
+aEWbEs4rAi0i8cwlg313ASK35E5enKM0C9uPaqnmFUQlT8X9SD+ELB7qHGRaXjcr
+rd1HBuFu2bxJm6Tcfmy4bf+6QYW5czg1mJpGjvM9zCVHDtBxVj71XvVM6MLIruYn
+zvNHq6ia8y1XUfkCxE5pzb0ap0LSS2XIEZxdRUCapGLAg4GNiA3Zkq4aDt8s7rGJ
+fARzsx7PrOF3TgCxF97GZhRU6chMK8YAChRfwqsg0Mpw2plqiYa9v99KrRwPdzJo
+7J8M8tAQhZB8YzG0U4Dsvb6odc8OYAFJTPpFvNjyQGgcjWudp6vo0YbK54z/z5s4
+-----END RSA PRIVATE KEY-----`)