mirror of
https://github.com/shadow1ng/fscan.git
synced 2025-09-14 14:06:44 +08:00
refactor: 精简利用功能,只保留真正有攻击价值的利用方法
- 完全移除FTP、MySQL、SSH、ActiveMQ的利用功能,只保留弱密码扫描 - 重构Redis插件利用方法,严格按参数控制启用: * arbitrary_file_write: 需要-rwp和(-rwc或-rwf)参数 * ssh_key_write: 需要-rf参数 * crontab_injection: 需要-rs参数 - 修复Redis未授权访问时的利用条件检查问题 - 去除所有信息收集类利用,只保留GetShell和文件写入等实际攻击能力 现在利用功能完全参数驱动,只有提供对应参数时才启动相应利用方法
parent
4b482b603d
commit
60e59f5a78
@ -14,52 +14,65 @@ import (
|
|||||||
// ActiveMQExploiter ActiveMQ利用模块
|
// ActiveMQExploiter ActiveMQ利用模块
|
||||||
// 实现ActiveMQ相关的安全测试和利用功能
|
// 实现ActiveMQ相关的安全测试和利用功能
|
||||||
type ActiveMQExploiter struct {
|
type ActiveMQExploiter struct {
|
||||||
|
*base.BaseExploiter
|
||||||
connector *ActiveMQConnector
|
connector *ActiveMQConnector
|
||||||
timeout time.Duration
|
timeout time.Duration
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewActiveMQExploiter 创建新的ActiveMQ利用器
|
// NewActiveMQExploiter 创建新的ActiveMQ利用器
|
||||||
func NewActiveMQExploiter() *ActiveMQExploiter {
|
func NewActiveMQExploiter() *ActiveMQExploiter {
|
||||||
return &ActiveMQExploiter{
|
exploiter := &ActiveMQExploiter{
|
||||||
connector: NewActiveMQConnector(),
|
BaseExploiter: base.NewBaseExploiter("activemq"),
|
||||||
timeout: time.Duration(common.Timeout) * time.Second,
|
connector: NewActiveMQConnector(),
|
||||||
|
timeout: time.Duration(common.Timeout) * time.Second,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// 设置利用方法
|
||||||
|
exploiter.setupExploitMethods()
|
||||||
|
|
||||||
|
return exploiter
|
||||||
}
|
}
|
||||||
|
|
||||||
// Exploit 执行ActiveMQ利用攻击
|
// setupExploitMethods 设置利用方法
|
||||||
func (e *ActiveMQExploiter) Exploit(ctx context.Context, info *common.HostInfo, creds *base.Credential) (*base.ExploitResult, error) {
|
func (e *ActiveMQExploiter) setupExploitMethods() {
|
||||||
target := fmt.Sprintf("%s:%s", info.Host, info.Ports)
|
// ActiveMQ插件暂时不提供利用功能,因为当前实现的都是信息收集类功能
|
||||||
|
// 没有实际的GetShell或文件写入等攻击价值
|
||||||
|
}
|
||||||
|
|
||||||
common.LogDebug(fmt.Sprintf("开始ActiveMQ利用攻击: %s", target))
|
// exploitInformationGatheringNew 信息收集利用 (新架构)
|
||||||
|
func (e *ActiveMQExploiter) exploitInformationGatheringNew(ctx context.Context, info *common.HostInfo, creds *base.Credential) (*base.ExploitResult, error) {
|
||||||
// 按优先级尝试各种利用方法
|
result, err := e.exploitInformationGathering(ctx, info, creds)
|
||||||
exploitMethods := []func(context.Context, *common.HostInfo, *base.Credential) (*base.ExploitResult, error){
|
if err != nil {
|
||||||
e.exploitInformationGathering, // 信息收集
|
return nil, err
|
||||||
e.exploitMessageEnumeration, // 消息枚举
|
|
||||||
e.exploitQueueManagement, // 队列管理
|
|
||||||
e.exploitConfigurationDump, // 配置转储
|
|
||||||
}
|
}
|
||||||
|
return result, nil
|
||||||
|
}
|
||||||
|
|
||||||
var lastErr error
|
// exploitMessageEnumerationNew 消息枚举利用 (新架构)
|
||||||
for _, method := range exploitMethods {
|
func (e *ActiveMQExploiter) exploitMessageEnumerationNew(ctx context.Context, info *common.HostInfo, creds *base.Credential) (*base.ExploitResult, error) {
|
||||||
select {
|
result, err := e.exploitMessageEnumeration(ctx, info, creds)
|
||||||
case <-ctx.Done():
|
if err != nil {
|
||||||
return nil, ctx.Err()
|
return nil, err
|
||||||
default:
|
|
||||||
result, err := method(ctx, info, creds)
|
|
||||||
if err != nil {
|
|
||||||
lastErr = err
|
|
||||||
common.LogDebug(fmt.Sprintf("利用方法失败: %v", err))
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
|
|
||||||
if result != nil && result.Success {
|
|
||||||
return result, nil
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
return result, nil
|
||||||
|
}
|
||||||
|
|
||||||
return nil, fmt.Errorf("所有利用方法都失败了: %v", lastErr)
|
// exploitQueueManagementNew 队列管理利用 (新架构)
|
||||||
|
func (e *ActiveMQExploiter) exploitQueueManagementNew(ctx context.Context, info *common.HostInfo, creds *base.Credential) (*base.ExploitResult, error) {
|
||||||
|
result, err := e.exploitQueueManagement(ctx, info, creds)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return result, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// exploitConfigurationDumpNew 配置转储利用 (新架构)
|
||||||
|
func (e *ActiveMQExploiter) exploitConfigurationDumpNew(ctx context.Context, info *common.HostInfo, creds *base.Credential) (*base.ExploitResult, error) {
|
||||||
|
result, err := e.exploitConfigurationDump(ctx, info, creds)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
return result, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// exploitInformationGathering 信息收集利用
|
// exploitInformationGathering 信息收集利用
|
||||||
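Review bot: The four wrappers added here (`exploitInformationGatheringNew`, `exploitMessageEnumerationNew`, `exploitQueueManagementNew`, `exploitConfigurationDumpNew`) are not registered by the now-empty `setupExploitMethods`, so as far as this section shows they are dead code that keeps the information-gathering paths the commit message says were removed. Each wrapper is only `if err != nil { return nil, err }` followed by `return result, nil` around the original handler, which is equivalent to returning the call directly. I would delete the wrappers and the handlers they call, or, if they are kept for later, say so with a comment such as `// unused: not registered in setupExploitMethods`. The same leftover shows in the FTP, MySQL and SSH sections, where `exploitDirectoryEnumeration`, `exploitInformationGathering` and `exploitSystemInfo` still follow an emptied `setupExploitMethods`. Whether anything outside these hunks still calls them is not visible here.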
|
@ -9,7 +9,6 @@ import (
|
|||||||
|
|
||||||
ftplib "github.com/jlaffaye/ftp"
|
ftplib "github.com/jlaffaye/ftp"
|
||||||
"github.com/shadow1ng/fscan/common"
|
"github.com/shadow1ng/fscan/common"
|
||||||
"github.com/shadow1ng/fscan/common/i18n"
|
|
||||||
"github.com/shadow1ng/fscan/plugins/base"
|
"github.com/shadow1ng/fscan/plugins/base"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -34,32 +33,7 @@ func NewFTPExploiter() *FTPExploiter {
|
|||||||
|
|
||||||
// setupExploitMethods 设置利用方法
|
// setupExploitMethods 设置利用方法
|
||||||
func (e *FTPExploiter) setupExploitMethods() {
|
func (e *FTPExploiter) setupExploitMethods() {
|
||||||
// 1. 目录枚举
|
// FTP插件不提供利用功能,仅进行弱密码扫描
|
||||||
dirMethod := base.NewExploitMethod(base.ExploitDataExtraction, "directory_enumeration").
|
|
||||||
WithDescription(i18n.GetText("exploit_method_name_directory_enumeration")).
|
|
||||||
WithPriority(9).
|
|
||||||
WithConditions("has_credentials").
|
|
||||||
WithHandler(e.exploitDirectoryEnumeration).
|
|
||||||
Build()
|
|
||||||
e.AddExploitMethod(dirMethod)
|
|
||||||
|
|
||||||
// 2. 文件下载测试
|
|
||||||
downloadMethod := base.NewExploitMethod(base.ExploitDataExtraction, "file_download_test").
|
|
||||||
WithDescription(i18n.GetText("exploit_method_name_file_read")).
|
|
||||||
WithPriority(8).
|
|
||||||
WithConditions("has_credentials").
|
|
||||||
WithHandler(e.exploitFileDownloadTest).
|
|
||||||
Build()
|
|
||||||
e.AddExploitMethod(downloadMethod)
|
|
||||||
|
|
||||||
// 3. 文件上传测试
|
|
||||||
uploadMethod := base.NewExploitMethod(base.ExploitFileWrite, "file_upload_test").
|
|
||||||
WithDescription(i18n.GetText("exploit_method_name_file_write")).
|
|
||||||
WithPriority(7).
|
|
||||||
WithConditions("has_credentials").
|
|
||||||
WithHandler(e.exploitFileUploadTest).
|
|
||||||
Build()
|
|
||||||
e.AddExploitMethod(uploadMethod)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// exploitDirectoryEnumeration 目录枚举
|
// exploitDirectoryEnumeration 目录枚举
|
||||||
|
@ -32,50 +32,7 @@ func NewMySQLExploiter() *MySQLExploiter {
|
|||||||
|
|
||||||
// setupExploitMethods 设置利用方法
|
// setupExploitMethods 设置利用方法
|
||||||
func (e *MySQLExploiter) setupExploitMethods() {
|
func (e *MySQLExploiter) setupExploitMethods() {
|
||||||
// 1. 信息收集
|
// MySQL插件不提供利用功能,仅进行弱密码扫描
|
||||||
infoMethod := base.NewExploitMethod(base.ExploitDataExtraction, "information_gathering").
|
|
||||||
WithDescription("收集MySQL服务器信息").
|
|
||||||
WithPriority(8).
|
|
||||||
WithConditions("has_credentials").
|
|
||||||
WithHandler(e.exploitInformationGathering).
|
|
||||||
Build()
|
|
||||||
e.AddExploitMethod(infoMethod)
|
|
||||||
|
|
||||||
// 2. 数据库枚举
|
|
||||||
enumMethod := base.NewExploitMethod(base.ExploitDataExtraction, "database_enumeration").
|
|
||||||
WithDescription("枚举数据库和表").
|
|
||||||
WithPriority(7).
|
|
||||||
WithConditions("has_credentials").
|
|
||||||
WithHandler(e.exploitDatabaseEnumeration).
|
|
||||||
Build()
|
|
||||||
e.AddExploitMethod(enumMethod)
|
|
||||||
|
|
||||||
// 3. 用户权限检查
|
|
||||||
privMethod := base.NewExploitMethod(base.ExploitDataExtraction, "privilege_check").
|
|
||||||
WithDescription("检查用户权限").
|
|
||||||
WithPriority(6).
|
|
||||||
WithConditions("has_credentials").
|
|
||||||
WithHandler(e.exploitPrivilegeCheck).
|
|
||||||
Build()
|
|
||||||
e.AddExploitMethod(privMethod)
|
|
||||||
|
|
||||||
// 4. 文件读取(如果有FILE权限)
|
|
||||||
fileReadMethod := base.NewExploitMethod(base.ExploitDataExtraction, "file_read").
|
|
||||||
WithDescription("读取服务器文件").
|
|
||||||
WithPriority(9).
|
|
||||||
WithConditions("has_credentials").
|
|
||||||
WithHandler(e.exploitFileRead).
|
|
||||||
Build()
|
|
||||||
e.AddExploitMethod(fileReadMethod)
|
|
||||||
|
|
||||||
// 5. 文件写入(如果有FILE权限)
|
|
||||||
fileWriteMethod := base.NewExploitMethod(base.ExploitFileWrite, "file_write").
|
|
||||||
WithDescription("写入文件到服务器").
|
|
||||||
WithPriority(10).
|
|
||||||
WithConditions("has_credentials").
|
|
||||||
WithHandler(e.exploitFileWrite).
|
|
||||||
Build()
|
|
||||||
e.AddExploitMethod(fileWriteMethod)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// exploitInformationGathering 信息收集利用
|
// exploitInformationGathering 信息收集利用
|
||||||
|
@ -33,50 +33,38 @@ func NewRedisExploiter() *RedisExploiter {
|
|||||||
|
|
||||||
// setupExploitMethods 设置利用方法
|
// setupExploitMethods 设置利用方法
|
||||||
func (e *RedisExploiter) setupExploitMethods() {
|
func (e *RedisExploiter) setupExploitMethods() {
|
||||||
// 1. 任意文件写入
|
// 1. 任意文件写入 - 只有提供了-rwp和(-rwc或-rwf)参数时才启用
|
||||||
fileWriteMethod := base.NewExploitMethod(base.ExploitFileWrite, "arbitrary_file_write").
|
if common.RedisWritePath != "" && (common.RedisWriteContent != "" || common.RedisWriteFile != "") {
|
||||||
WithDescription("利用Redis写入任意文件").
|
fileWriteMethod := base.NewExploitMethod(base.ExploitFileWrite, "arbitrary_file_write").
|
||||||
WithPriority(10).
|
WithDescription("利用Redis写入任意文件").
|
||||||
WithConditions("has_write_config").
|
WithPriority(10).
|
||||||
WithHandler(e.exploitArbitraryFileWrite).
|
WithConditions(). // Redis支持未授权访问,不需要凭据条件
|
||||||
Build()
|
WithHandler(e.exploitArbitraryFileWrite).
|
||||||
e.AddExploitMethod(fileWriteMethod)
|
Build()
|
||||||
|
e.AddExploitMethod(fileWriteMethod)
|
||||||
|
}
|
||||||
|
|
||||||
// 2. SSH密钥写入
|
// 2. SSH密钥写入 - 只有提供了-rf参数时才启用
|
||||||
sshKeyMethod := base.NewExploitMethod(base.ExploitFileWrite, "ssh_key_write").
|
if common.RedisFile != "" {
|
||||||
WithDescription("写入SSH公钥到authorized_keys").
|
sshKeyMethod := base.NewExploitMethod(base.ExploitFileWrite, "ssh_key_write").
|
||||||
WithPriority(9).
|
WithDescription("写入SSH公钥到authorized_keys").
|
||||||
WithConditions("has_ssh_key").
|
WithPriority(9).
|
||||||
WithHandler(e.exploitSSHKeyWrite).
|
WithConditions(). // Redis支持未授权访问,不需要凭据条件
|
||||||
Build()
|
WithHandler(e.exploitSSHKeyWrite).
|
||||||
e.AddExploitMethod(sshKeyMethod)
|
Build()
|
||||||
|
e.AddExploitMethod(sshKeyMethod)
|
||||||
|
}
|
||||||
|
|
||||||
// 3. Crontab定时任务
|
// 3. Crontab定时任务 - 只有提供了-rs参数时才启用
|
||||||
cronMethod := base.NewExploitMethod(base.ExploitCommandExec, "crontab_injection").
|
if common.RedisShell != "" {
|
||||||
WithDescription("注入Crontab定时任务").
|
cronMethod := base.NewExploitMethod(base.ExploitCommandExec, "crontab_injection").
|
||||||
WithPriority(9).
|
WithDescription("注入Crontab定时任务").
|
||||||
WithConditions().
|
WithPriority(9).
|
||||||
WithHandler(e.exploitCrontabInjection).
|
WithConditions(). // Redis支持未授权访问,不需要凭据条件
|
||||||
Build()
|
WithHandler(e.exploitCrontabInjection).
|
||||||
e.AddExploitMethod(cronMethod)
|
Build()
|
||||||
|
e.AddExploitMethod(cronMethod)
|
||||||
// 4. 数据提取
|
}
|
||||||
dataExtractionMethod := base.NewExploitMethod(base.ExploitDataExtraction, "data_extraction").
|
|
||||||
WithDescription("提取Redis中的数据").
|
|
||||||
WithPriority(7).
|
|
||||||
WithConditions().
|
|
||||||
WithHandler(e.exploitDataExtraction).
|
|
||||||
Build()
|
|
||||||
e.AddExploitMethod(dataExtractionMethod)
|
|
||||||
|
|
||||||
// 5. 信息收集
|
|
||||||
infoGatheringMethod := base.NewExploitMethod(base.ExploitDataExtraction, "info_gathering").
|
|
||||||
WithDescription("收集Redis服务器信息").
|
|
||||||
WithPriority(6).
|
|
||||||
WithConditions().
|
|
||||||
WithHandler(e.exploitInfoGathering).
|
|
||||||
Build()
|
|
||||||
e.AddExploitMethod(infoGatheringMethod)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// exploitArbitraryFileWrite 任意文件写入利用
|
// exploitArbitraryFileWrite 任意文件写入利用
|
||||||
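Review bot: Nothing re-checks the operator's parameters when a handler executes, because every method's `WithConditions()` is now empty and registration is decided once, from the package globals `common.RedisWritePath`, `common.RedisWriteContent`/`common.RedisWriteFile`, `common.RedisFile` and `common.RedisShell`, at the moment `setupExploitMethods` runs. The hunk header places the caller in `NewRedisExploiter`, outside the hunk; if that constructor can run before flag parsing (for example during plugin registration), the guards see empty strings and the registered set depends on initialisation order. Since these handlers write files on the scanned host, I would repeat the guard at the top of each handler, e.g. `if common.RedisWritePath == "" { return nil, fmt.Errorf("redis write path not set") }`, and state in the doc comment of `setupExploitMethods` that the method set is fixed at construction time. When both `-rwc` and `-rwf` are supplied the first condition passes without saying which source wins, so that precedence deserves a comment as well.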
|
@ -31,32 +31,8 @@ func NewSSHExploiter() *SSHExploiter {
|
|||||||
|
|
||||||
// setupExploitMethods 设置利用方法
|
// setupExploitMethods 设置利用方法
|
||||||
func (e *SSHExploiter) setupExploitMethods() {
|
func (e *SSHExploiter) setupExploitMethods() {
|
||||||
// 1. 系统信息收集
|
// SSH插件不提供利用功能,-sshkey参数用于私钥文件认证而非命令执行
|
||||||
infoMethod := base.NewExploitMethod(base.ExploitDataExtraction, "system_info").
|
// SSH的价值在于弱密码发现,获取SSH访问权限本身就是目标
|
||||||
WithDescription("收集系统信息").
|
|
||||||
WithPriority(8).
|
|
||||||
WithConditions("has_credentials").
|
|
||||||
WithHandler(e.exploitSystemInfo).
|
|
||||||
Build()
|
|
||||||
e.AddExploitMethod(infoMethod)
|
|
||||||
|
|
||||||
// 2. 命令执行测试
|
|
||||||
cmdMethod := base.NewExploitMethod(base.ExploitCommandExec, "command_test").
|
|
||||||
WithDescription("测试命令执行能力").
|
|
||||||
WithPriority(9).
|
|
||||||
WithConditions("has_credentials").
|
|
||||||
WithHandler(e.exploitCommandTest).
|
|
||||||
Build()
|
|
||||||
e.AddExploitMethod(cmdMethod)
|
|
||||||
|
|
||||||
// 3. 用户权限检查
|
|
||||||
privMethod := base.NewExploitMethod(base.ExploitDataExtraction, "privilege_check").
|
|
||||||
WithDescription("检查用户权限").
|
|
||||||
WithPriority(7).
|
|
||||||
WithConditions("has_credentials").
|
|
||||||
WithHandler(e.exploitPrivilegeCheck).
|
|
||||||
Build()
|
|
||||||
e.AddExploitMethod(privMethod)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// exploitSystemInfo 系统信息收集利用
|
// exploitSystemInfo 系统信息收集利用
|
||||||
|