From 60e59f5a7888d98e9150c3df69748d681ba702d9 Mon Sep 17 00:00:00 2001
From: ZacharyZcR
Date: Fri, 8 Aug 2025 09:40:56 +0800
Subject: [PATCH] =?UTF-8?q?refactor:=20=E7=B2=BE=E7=AE=80=E5=88=A9?= =?UTF-8?q?=E7=94=A8=E5=8A=9F=E8=83=BD=EF=BC=8C=E5=8F=AA=E4=BF=9D=E7=95=99?= =?UTF-8?q?=E7=9C=9F=E6=AD=A3=E6=9C=89=E6=94=BB=E5=87=BB=E4=BB=B7=E5=80=BC?= =?UTF-8?q?=E7=9A=84=E5=88=A9=E7=94=A8=E6=96=B9=E6=B3=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- 完全移除FTP、MySQL、SSH、ActiveMQ的利用功能,只保留弱密码扫描
- 重构Redis插件利用方法,严格按参数控制启用:
* arbitrary_file_write: 需要-rwp和(-rwc或-rwf)参数
* ssh_key_write: 需要-rf参数
* crontab_injection: 需要-rs参数
- 修复Redis未授权访问时的利用条件检查问题
- 去除所有信息收集类利用,只保留GetShell和文件写入等实际攻击能力
现在利用功能完全参数驱动,只有提供对应参数时才启动相应利用方法
---
Plugins/services/activemq/exploiter.go | 83 +++++++++++++++-----------
Plugins/services/ftp/exploiter.go | 28 +--------
Plugins/services/mysql/exploiter.go | 45 +-------------
Plugins/services/redis/exploiter.go | 72 ++++++++++------------
Plugins/services/ssh/exploiter.go | 28 +--------
5 files changed, 82 insertions(+), 174 deletions(-)
diff --git a/Plugins/services/activemq/exploiter.go b/Plugins/services/activemq/exploiter.go
index cc0e372..06c55a1 100644
--- a/Plugins/services/activemq/exploiter.go
+++ b/Plugins/services/activemq/exploiter.go
@@ -14,52 +14,65 @@ import ( // ActiveMQExploiter ActiveMQ利用模块 // 实现ActiveMQ相关的安全测试和利用功能 type ActiveMQExploiter struct { + *base.BaseExploiter connector *ActiveMQConnector timeout time.Duration } // NewActiveMQExploiter 创建新的ActiveMQ利用器 func NewActiveMQExploiter() *ActiveMQExploiter { - return &ActiveMQExploiter{ - connector: NewActiveMQConnector(), - timeout: time.Duration(common.Timeout) * time.Second, + exploiter := &ActiveMQExploiter{ + BaseExploiter: base.NewBaseExploiter("activemq"), + connector: NewActiveMQConnector(), + timeout: time.Duration(common.Timeout) * time.Second, } + + // 设置利用方法 + exploiter.setupExploitMethods() + + return exploiter } -// Exploit 执行ActiveMQ利用攻击 -func (e *ActiveMQExploiter) Exploit(ctx context.Context, info *common.HostInfo, creds *base.Credential) (*base.ExploitResult, error) { - target := fmt.Sprintf("%s:%s", info.Host, info.Ports) - - common.LogDebug(fmt.Sprintf("开始ActiveMQ利用攻击: %s", target)) - - // 按优先级尝试各种利用方法 - exploitMethods := []func(context.Context, *common.HostInfo, *base.Credential) (*base.ExploitResult, error){ - e.exploitInformationGathering, // 信息收集 - e.exploitMessageEnumeration, // 消息枚举 - e.exploitQueueManagement, // 队列管理 - e.exploitConfigurationDump, // 配置转储 +// setupExploitMethods 设置利用方法 +func (e *ActiveMQExploiter) setupExploitMethods() { + // ActiveMQ插件暂时不提供利用功能,因为当前实现的都是信息收集类功能 + // 没有实际的GetShell或文件写入等攻击价值 +} + +// exploitInformationGatheringNew 信息收集利用 (新架构) +func (e *ActiveMQExploiter) exploitInformationGatheringNew(ctx context.Context, info *common.HostInfo, creds *base.Credential) (*base.ExploitResult, error) { + result, err := e.exploitInformationGathering(ctx, info, creds) + if err != nil { + return nil, err } - - var lastErr error - for _, method := range exploitMethods { - select { - case <-ctx.Done(): - return nil, ctx.Err() - default: - result, err := method(ctx, info, creds) - if err != nil { - lastErr = err - common.LogDebug(fmt.Sprintf("利用方法失败: %v", err)) - continue - } - - if result != nil && 
result.Success { - return result, nil - } - } + return result, nil +} + +// exploitMessageEnumerationNew 消息枚举利用 (新架构) +func (e *ActiveMQExploiter) exploitMessageEnumerationNew(ctx context.Context, info *common.HostInfo, creds *base.Credential) (*base.ExploitResult, error) { + result, err := e.exploitMessageEnumeration(ctx, info, creds) + if err != nil { + return nil, err } - - return nil, fmt.Errorf("所有利用方法都失败了: %v", lastErr) + return result, nil +} + +// exploitQueueManagementNew 队列管理利用 (新架构) +func (e *ActiveMQExploiter) exploitQueueManagementNew(ctx context.Context, info *common.HostInfo, creds *base.Credential) (*base.ExploitResult, error) { + result, err := e.exploitQueueManagement(ctx, info, creds) + if err != nil { + return nil, err + } + return result, nil +} + +// exploitConfigurationDumpNew 配置转储利用 (新架构) +func (e *ActiveMQExploiter) exploitConfigurationDumpNew(ctx context.Context, info *common.HostInfo, creds *base.Credential) (*base.ExploitResult, error) { + result, err := e.exploitConfigurationDump(ctx, info, creds) + if err != nil { + return nil, err + } + return result, nil } // exploitInformationGathering 信息收集利用 diff --git a/Plugins/services/ftp/exploiter.go b/Plugins/services/ftp/exploiter.go index 82f830e..7363172 100644 --- a/Plugins/services/ftp/exploiter.go +++ b/Plugins/services/ftp/exploiter.go @@ -9,7 +9,6 @@ import ( ftplib "github.com/jlaffaye/ftp" "github.com/shadow1ng/fscan/common" - "github.com/shadow1ng/fscan/common/i18n" "github.com/shadow1ng/fscan/plugins/base" ) 
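Review bot: The four added wrappers `exploitInformationGatheringNew`, `exploitMessageEnumerationNew`, `exploitQueueManagementNew` and `exploitConfigurationDumpNew` are never registered — the `setupExploitMethods` added just above them is empty — so unless something outside this hunk references them they are dead code from the moment the commit lands. Each one only re-returns what the wrapped method returns, so even if kept its body collapses to `return e.exploitInformationGathering(ctx, info, creds)` (and likewise for the other three). If the intent is to keep the enumeration handlers available for a later opt-in registration, say so in a comment inside `setupExploitMethods`, e.g. `// no methods registered: the remaining handlers are enumeration-only and are deliberately left unwired`, so the next reader does not hook them up by accident; otherwise deleting the wrappers is the cleaner fix. With `Exploit` removed, `fmt` may now be unused in this file if none of the surviving handlers call it, which a `go vet`/`goimports` pass would confirm. The `exploitInformationGathering` that starts on the hunk's last line continues outside it.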
@@ -34,32 +33,7 @@ func NewFTPExploiter() *FTPExploiter { // setupExploitMethods 设置利用方法 func (e *FTPExploiter) setupExploitMethods() { - // 1. 目录枚举 - dirMethod := base.NewExploitMethod(base.ExploitDataExtraction, "directory_enumeration"). - WithDescription(i18n.GetText("exploit_method_name_directory_enumeration")). - WithPriority(9). - WithConditions("has_credentials"). - WithHandler(e.exploitDirectoryEnumeration). - Build() - e.AddExploitMethod(dirMethod) - - // 2. 文件下载测试 - downloadMethod := base.NewExploitMethod(base.ExploitDataExtraction, "file_download_test"). - WithDescription(i18n.GetText("exploit_method_name_file_read")). - WithPriority(8). - WithConditions("has_credentials"). - WithHandler(e.exploitFileDownloadTest). - Build() - e.AddExploitMethod(downloadMethod) - - // 3. 文件上传测试 - uploadMethod := base.NewExploitMethod(base.ExploitFileWrite, "file_upload_test"). - WithDescription(i18n.GetText("exploit_method_name_file_write")). - WithPriority(7). - WithConditions("has_credentials"). - WithHandler(e.exploitFileUploadTest). - Build() - e.AddExploitMethod(uploadMethod) + // FTP插件不提供利用功能,仅进行弱密码扫描 } // exploitDirectoryEnumeration 目录枚举 diff --git a/Plugins/services/mysql/exploiter.go b/Plugins/services/mysql/exploiter.go index 0036661..3e36ef4 100644 --- a/Plugins/services/mysql/exploiter.go +++ b/Plugins/services/mysql/exploiter.go 
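Review bot: Emptying `setupExploitMethods` leaves the three handlers it used to register (`exploitDirectoryEnumeration`, `exploitFileDownloadTest`, `exploitFileUploadTest`) defined but unreachable — the context line after the hunk shows `exploitDirectoryEnumeration` still present, and the diffstat for this file (28 lines, all accounted for by the two hunks) shows nothing else touching them. The same applies to the MySQL hunk (`exploitInformationGathering` through `exploitFileWrite`), the SSH hunk (`exploitSystemInfo`, `exploitCommandTest`, `exploitPrivilegeCheck`) and the two Redis handlers dropped from registration (`exploitDataExtraction`, `exploitInfoGathering`), unless those packages reference them elsewhere. Since `go vet` does not flag unused methods, either delete them in this commit or mark each one, e.g. `// Deprecated: no longer registered by setupExploitMethods; kept for reference only.`, so the retained code does not read as an active capability. `NewFTPExploiter`, which calls this method, lies outside the hunk.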
@@ -32,50 +32,7 @@ func NewMySQLExploiter() *MySQLExploiter { // setupExploitMethods 设置利用方法 func (e *MySQLExploiter) setupExploitMethods() { - // 1. 信息收集 - infoMethod := base.NewExploitMethod(base.ExploitDataExtraction, "information_gathering"). - WithDescription("收集MySQL服务器信息"). - WithPriority(8). - WithConditions("has_credentials"). - WithHandler(e.exploitInformationGathering). - Build() - e.AddExploitMethod(infoMethod) - - // 2. 数据库枚举 - enumMethod := base.NewExploitMethod(base.ExploitDataExtraction, "database_enumeration"). - WithDescription("枚举数据库和表"). - WithPriority(7). - WithConditions("has_credentials"). - WithHandler(e.exploitDatabaseEnumeration). - Build() - e.AddExploitMethod(enumMethod) - - // 3. 用户权限检查 - privMethod := base.NewExploitMethod(base.ExploitDataExtraction, "privilege_check"). - WithDescription("检查用户权限"). - WithPriority(6). - WithConditions("has_credentials"). - WithHandler(e.exploitPrivilegeCheck). - Build() - e.AddExploitMethod(privMethod) - - // 4. 文件读取(如果有FILE权限) - fileReadMethod := base.NewExploitMethod(base.ExploitDataExtraction, "file_read"). - WithDescription("读取服务器文件"). - WithPriority(9). - WithConditions("has_credentials"). - WithHandler(e.exploitFileRead). - Build() - e.AddExploitMethod(fileReadMethod) - - // 5. 文件写入(如果有FILE权限) - fileWriteMethod := base.NewExploitMethod(base.ExploitFileWrite, "file_write"). - WithDescription("写入文件到服务器"). - WithPriority(10). - WithConditions("has_credentials"). - WithHandler(e.exploitFileWrite). - Build() - e.AddExploitMethod(fileWriteMethod) + // MySQL插件不提供利用功能,仅进行弱密码扫描 } // exploitInformationGathering 信息收集利用 diff --git a/Plugins/services/redis/exploiter.go b/Plugins/services/redis/exploiter.go index 022cb68..eb368a8 100644 --- a/Plugins/services/redis/exploiter.go +++ b/Plugins/services/redis/exploiter.go 
@@ -33,50 +33,38 @@ func NewRedisExploiter() *RedisExploiter { // setupExploitMethods 设置利用方法 func (e *RedisExploiter) setupExploitMethods() { - // 1. 任意文件写入 - fileWriteMethod := base.NewExploitMethod(base.ExploitFileWrite, "arbitrary_file_write"). - WithDescription("利用Redis写入任意文件"). - WithPriority(10). - WithConditions("has_write_config"). - WithHandler(e.exploitArbitraryFileWrite). - Build() - e.AddExploitMethod(fileWriteMethod) + // 1. 任意文件写入 - 只有提供了-rwp和(-rwc或-rwf)参数时才启用 + if common.RedisWritePath != "" && (common.RedisWriteContent != "" || common.RedisWriteFile != "") { + fileWriteMethod := base.NewExploitMethod(base.ExploitFileWrite, "arbitrary_file_write"). + WithDescription("利用Redis写入任意文件"). + WithPriority(10). + WithConditions(). // Redis支持未授权访问,不需要凭据条件 + WithHandler(e.exploitArbitraryFileWrite). + Build() + e.AddExploitMethod(fileWriteMethod) + } - // 2. SSH密钥写入 - sshKeyMethod := base.NewExploitMethod(base.ExploitFileWrite, "ssh_key_write"). - WithDescription("写入SSH公钥到authorized_keys"). - WithPriority(9). - WithConditions("has_ssh_key"). - WithHandler(e.exploitSSHKeyWrite). - Build() - e.AddExploitMethod(sshKeyMethod) + // 2. SSH密钥写入 - 只有提供了-rf参数时才启用 + if common.RedisFile != "" { + sshKeyMethod := base.NewExploitMethod(base.ExploitFileWrite, "ssh_key_write"). + WithDescription("写入SSH公钥到authorized_keys"). + WithPriority(9). + WithConditions(). // Redis支持未授权访问,不需要凭据条件 + WithHandler(e.exploitSSHKeyWrite). + Build() + e.AddExploitMethod(sshKeyMethod) + } - // 3. Crontab定时任务 - cronMethod := base.NewExploitMethod(base.ExploitCommandExec, "crontab_injection"). - WithDescription("注入Crontab定时任务"). - WithPriority(9). - WithConditions(). - WithHandler(e.exploitCrontabInjection). - Build() - e.AddExploitMethod(cronMethod) - - // 4. 数据提取 - dataExtractionMethod := base.NewExploitMethod(base.ExploitDataExtraction, "data_extraction"). - WithDescription("提取Redis中的数据"). - WithPriority(7). - WithConditions(). - WithHandler(e.exploitDataExtraction). 
- Build() - e.AddExploitMethod(dataExtractionMethod) - - // 5. 信息收集 - infoGatheringMethod := base.NewExploitMethod(base.ExploitDataExtraction, "info_gathering"). - WithDescription("收集Redis服务器信息"). - WithPriority(6). - WithConditions(). - WithHandler(e.exploitInfoGathering). - Build() - e.AddExploitMethod(infoGatheringMethod) + // 3. Crontab定时任务 - 只有提供了-rs参数时才启用 + if common.RedisShell != "" { + cronMethod := base.NewExploitMethod(base.ExploitCommandExec, "crontab_injection"). + WithDescription("注入Crontab定时任务"). + WithPriority(9). + WithConditions(). // Redis支持未授权访问,不需要凭据条件 + WithHandler(e.exploitCrontabInjection). + Build() + e.AddExploitMethod(cronMethod) + } } // exploitArbitraryFileWrite 任意文件写入利用 diff --git a/Plugins/services/ssh/exploiter.go b/Plugins/services/ssh/exploiter.go index cfa0858..095608c 100644 --- a/Plugins/services/ssh/exploiter.go +++ b/Plugins/services/ssh/exploiter.go @@ -31,32 +31,8 @@ func NewSSHExploiter() *SSHExploiter { // setupExploitMethods 设置利用方法 func (e *SSHExploiter) setupExploitMethods() { - // 1. 系统信息收集 - infoMethod := base.NewExploitMethod(base.ExploitDataExtraction, "system_info"). - WithDescription("收集系统信息"). - WithPriority(8). - WithConditions("has_credentials"). - WithHandler(e.exploitSystemInfo). - Build() - e.AddExploitMethod(infoMethod) - - // 2. 命令执行测试 - cmdMethod := base.NewExploitMethod(base.ExploitCommandExec, "command_test"). - WithDescription("测试命令执行能力"). - WithPriority(9). - WithConditions("has_credentials"). - WithHandler(e.exploitCommandTest). - Build() - e.AddExploitMethod(cmdMethod) - - // 3. 用户权限检查 - privMethod := base.NewExploitMethod(base.ExploitDataExtraction, "privilege_check"). - WithDescription("检查用户权限"). - WithPriority(7). - WithConditions("has_credentials"). - WithHandler(e.exploitPrivilegeCheck). - Build() - e.AddExploitMethod(privMethod) + // SSH插件不提供利用功能,-sshkey参数用于私钥文件认证而非命令执行 + // SSH的价值在于弱密码发现,获取SSH访问权限本身就是目标 } // exploitSystemInfo 系统信息收集利用
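Review bot: The new gates read `common.RedisWritePath`, `common.RedisWriteContent`, `common.RedisWriteFile`, `common.RedisFile` and `common.RedisShell` inside `setupExploitMethods`, which runs from `NewRedisExploiter` (header outside the hunk) at construction time; if the exploiter is constructed during plugin registration before the command-line flags are parsed, all three conditions are false and no method is ever added, silently disabling the feature the commit message describes. I cannot see the call site, so the ordering may already be correct, but the safer shape is to register unconditionally and evaluate the parameter check where the base resolves conditions per run — e.g. keep `WithConditions("has_write_config")` as before and have the condition resolver test the flags — or to re-check the flag at the top of each handler. If the construction-time check is intentional, a comment above the first `if`, such as `// flags are read here, so NewRedisExploiter must run after command-line parsing`, would document the dependency. The three `if` blocks are also near-identical apart from flag, type, name, description, priority and handler; iterating a small table of those six values in one loop would keep the gating rule in one place.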