refactor: 精简利用功能,只保留真正有攻击价值的利用方法
- 完全移除FTP、MySQL、SSH、ActiveMQ的利用功能,只保留弱密码扫描 - 重构Redis插件利用方法,严格按参数控制启用: * arbitrary_file_write: 需要-rwp和(-rwc或-rwf)参数 * ssh_key_write: 需要-rf参数 * crontab_injection: 需要-rs参数 - 修复Redis未授权访问时的利用条件检查问题 - 去除所有信息收集类利用,只保留GetShell和文件写入等实际攻击能力 现在利用功能完全参数驱动,只有提供对应参数时才启动相应利用方法
This commit is contained in:
parent
4b482b603d
commit
60e59f5a78
@ -14,52 +14,65 @@ import (
|
||||
// ActiveMQExploiter ActiveMQ利用模块
|
||||
// 实现ActiveMQ相关的安全测试和利用功能
|
||||
type ActiveMQExploiter struct {
|
||||
*base.BaseExploiter
|
||||
connector *ActiveMQConnector
|
||||
timeout time.Duration
|
||||
}
|
||||
|
||||
// NewActiveMQExploiter 创建新的ActiveMQ利用器
|
||||
func NewActiveMQExploiter() *ActiveMQExploiter {
|
||||
return &ActiveMQExploiter{
|
||||
connector: NewActiveMQConnector(),
|
||||
timeout: time.Duration(common.Timeout) * time.Second,
|
||||
exploiter := &ActiveMQExploiter{
|
||||
BaseExploiter: base.NewBaseExploiter("activemq"),
|
||||
connector: NewActiveMQConnector(),
|
||||
timeout: time.Duration(common.Timeout) * time.Second,
|
||||
}
|
||||
|
||||
// 设置利用方法
|
||||
exploiter.setupExploitMethods()
|
||||
|
||||
return exploiter
|
||||
}
|
||||
|
||||
// Exploit 执行ActiveMQ利用攻击
|
||||
func (e *ActiveMQExploiter) Exploit(ctx context.Context, info *common.HostInfo, creds *base.Credential) (*base.ExploitResult, error) {
|
||||
target := fmt.Sprintf("%s:%s", info.Host, info.Ports)
|
||||
// setupExploitMethods 设置利用方法
|
||||
func (e *ActiveMQExploiter) setupExploitMethods() {
|
||||
// ActiveMQ插件暂时不提供利用功能,因为当前实现的都是信息收集类功能
|
||||
// 没有实际的GetShell或文件写入等攻击价值
|
||||
}
|
||||
|
||||
common.LogDebug(fmt.Sprintf("开始ActiveMQ利用攻击: %s", target))
|
||||
|
||||
// 按优先级尝试各种利用方法
|
||||
exploitMethods := []func(context.Context, *common.HostInfo, *base.Credential) (*base.ExploitResult, error){
|
||||
e.exploitInformationGathering, // 信息收集
|
||||
e.exploitMessageEnumeration, // 消息枚举
|
||||
e.exploitQueueManagement, // 队列管理
|
||||
e.exploitConfigurationDump, // 配置转储
|
||||
// exploitInformationGatheringNew 信息收集利用 (新架构)
|
||||
func (e *ActiveMQExploiter) exploitInformationGatheringNew(ctx context.Context, info *common.HostInfo, creds *base.Credential) (*base.ExploitResult, error) {
|
||||
result, err := e.exploitInformationGathering(ctx, info, creds)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return result, nil
|
||||
}
|
||||
|
||||
var lastErr error
|
||||
for _, method := range exploitMethods {
|
||||
select {
|
||||
case <-ctx.Done():
|
||||
return nil, ctx.Err()
|
||||
default:
|
||||
result, err := method(ctx, info, creds)
|
||||
if err != nil {
|
||||
lastErr = err
|
||||
common.LogDebug(fmt.Sprintf("利用方法失败: %v", err))
|
||||
continue
|
||||
}
|
||||
|
||||
if result != nil && result.Success {
|
||||
return result, nil
|
||||
}
|
||||
}
|
||||
// exploitMessageEnumerationNew 消息枚举利用 (新架构)
|
||||
func (e *ActiveMQExploiter) exploitMessageEnumerationNew(ctx context.Context, info *common.HostInfo, creds *base.Credential) (*base.ExploitResult, error) {
|
||||
result, err := e.exploitMessageEnumeration(ctx, info, creds)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return result, nil
|
||||
}
|
||||
|
||||
return nil, fmt.Errorf("所有利用方法都失败了: %v", lastErr)
|
||||
// exploitQueueManagementNew 队列管理利用 (新架构)
|
||||
func (e *ActiveMQExploiter) exploitQueueManagementNew(ctx context.Context, info *common.HostInfo, creds *base.Credential) (*base.ExploitResult, error) {
|
||||
result, err := e.exploitQueueManagement(ctx, info, creds)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return result, nil
|
||||
}
|
||||
|
||||
// exploitConfigurationDumpNew 配置转储利用 (新架构)
|
||||
func (e *ActiveMQExploiter) exploitConfigurationDumpNew(ctx context.Context, info *common.HostInfo, creds *base.Credential) (*base.ExploitResult, error) {
|
||||
result, err := e.exploitConfigurationDump(ctx, info, creds)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return result, nil
|
||||
}
|
||||
|
||||
// exploitInformationGathering 信息收集利用
|
||||
|
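Review bot: The four `exploit…New` wrappers (`exploitInformationGatheringNew`, `exploitMessageEnumerationNew`, `exploitQueueManagementNew`, `exploitConfigurationDumpNew`) appear to be on the new side of this hunk yet are registered nowhere — the new `setupExploitMethods` body is only a comment — so they are unreachable, and each body is a verbose identity: `if err != nil { return nil, err }` followed by `return result, nil` is equivalent to `return e.exploitInformationGathering(ctx, info, creds)`. If they are scaffolding for a later registration, a comment saying so on each would help; otherwise they should be removed together with the `Exploit` loop this commit drops. The doc comment on the empty `setupExploitMethods` could also state the observable effect, e.g. `// setupExploitMethods registers nothing, so the base exploiter has no methods to run for ActiveMQ.` (hedged: the base exploiter's behaviour with an empty method list is not visible here). The hunk ends before the file's remaining handler definitions, so whether those are still present cannot be confirmed from this view.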
@ -9,7 +9,6 @@ import (
|
||||
|
||||
ftplib "github.com/jlaffaye/ftp"
|
||||
"github.com/shadow1ng/fscan/common"
|
||||
"github.com/shadow1ng/fscan/common/i18n"
|
||||
"github.com/shadow1ng/fscan/plugins/base"
|
||||
)
|
||||
|
||||
@ -34,32 +33,7 @@ func NewFTPExploiter() *FTPExploiter {
|
||||
|
||||
// setupExploitMethods 设置利用方法
|
||||
func (e *FTPExploiter) setupExploitMethods() {
|
||||
// 1. 目录枚举
|
||||
dirMethod := base.NewExploitMethod(base.ExploitDataExtraction, "directory_enumeration").
|
||||
WithDescription(i18n.GetText("exploit_method_name_directory_enumeration")).
|
||||
WithPriority(9).
|
||||
WithConditions("has_credentials").
|
||||
WithHandler(e.exploitDirectoryEnumeration).
|
||||
Build()
|
||||
e.AddExploitMethod(dirMethod)
|
||||
|
||||
// 2. 文件下载测试
|
||||
downloadMethod := base.NewExploitMethod(base.ExploitDataExtraction, "file_download_test").
|
||||
WithDescription(i18n.GetText("exploit_method_name_file_read")).
|
||||
WithPriority(8).
|
||||
WithConditions("has_credentials").
|
||||
WithHandler(e.exploitFileDownloadTest).
|
||||
Build()
|
||||
e.AddExploitMethod(downloadMethod)
|
||||
|
||||
// 3. 文件上传测试
|
||||
uploadMethod := base.NewExploitMethod(base.ExploitFileWrite, "file_upload_test").
|
||||
WithDescription(i18n.GetText("exploit_method_name_file_write")).
|
||||
WithPriority(7).
|
||||
WithConditions("has_credentials").
|
||||
WithHandler(e.exploitFileUploadTest).
|
||||
Build()
|
||||
e.AddExploitMethod(uploadMethod)
|
||||
// FTP插件不提供利用功能,仅进行弱密码扫描
|
||||
}
|
||||
|
||||
// exploitDirectoryEnumeration 目录枚举
|
||||
|
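Review bot: `setupExploitMethods` is reduced to a comment, but the handlers it used to register are still present — `exploitDirectoryEnumeration` appears as trailing context at the end of the hunk — so the FTP exploit code stays compiled in while being unreachable, and the same holds for the MySQL section (`exploitInformationGathering` remains after its hunk) and the SSH section (`exploitSystemInfo` remains). Unreachable methods are not reported by the compiler, only by staticcheck's U1000, so they will silently linger; either delete the handlers and any import that only they used, or record the intent in the comment, e.g. `// The exploit* handlers below are intentionally unregistered; remove them once the weak-password-only scope is final.`. The first hunk in this section drops one of the four visible import lines, but which one cannot be determined from this view; if `ftplib` is still imported solely for the retained handlers, removing them lets that dependency go as well.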
@ -32,50 +32,7 @@ func NewMySQLExploiter() *MySQLExploiter {
|
||||
|
||||
// setupExploitMethods 设置利用方法
|
||||
func (e *MySQLExploiter) setupExploitMethods() {
|
||||
// 1. 信息收集
|
||||
infoMethod := base.NewExploitMethod(base.ExploitDataExtraction, "information_gathering").
|
||||
WithDescription("收集MySQL服务器信息").
|
||||
WithPriority(8).
|
||||
WithConditions("has_credentials").
|
||||
WithHandler(e.exploitInformationGathering).
|
||||
Build()
|
||||
e.AddExploitMethod(infoMethod)
|
||||
|
||||
// 2. 数据库枚举
|
||||
enumMethod := base.NewExploitMethod(base.ExploitDataExtraction, "database_enumeration").
|
||||
WithDescription("枚举数据库和表").
|
||||
WithPriority(7).
|
||||
WithConditions("has_credentials").
|
||||
WithHandler(e.exploitDatabaseEnumeration).
|
||||
Build()
|
||||
e.AddExploitMethod(enumMethod)
|
||||
|
||||
// 3. 用户权限检查
|
||||
privMethod := base.NewExploitMethod(base.ExploitDataExtraction, "privilege_check").
|
||||
WithDescription("检查用户权限").
|
||||
WithPriority(6).
|
||||
WithConditions("has_credentials").
|
||||
WithHandler(e.exploitPrivilegeCheck).
|
||||
Build()
|
||||
e.AddExploitMethod(privMethod)
|
||||
|
||||
// 4. 文件读取(如果有FILE权限)
|
||||
fileReadMethod := base.NewExploitMethod(base.ExploitDataExtraction, "file_read").
|
||||
WithDescription("读取服务器文件").
|
||||
WithPriority(9).
|
||||
WithConditions("has_credentials").
|
||||
WithHandler(e.exploitFileRead).
|
||||
Build()
|
||||
e.AddExploitMethod(fileReadMethod)
|
||||
|
||||
// 5. 文件写入(如果有FILE权限)
|
||||
fileWriteMethod := base.NewExploitMethod(base.ExploitFileWrite, "file_write").
|
||||
WithDescription("写入文件到服务器").
|
||||
WithPriority(10).
|
||||
WithConditions("has_credentials").
|
||||
WithHandler(e.exploitFileWrite).
|
||||
Build()
|
||||
e.AddExploitMethod(fileWriteMethod)
|
||||
// MySQL插件不提供利用功能,仅进行弱密码扫描
|
||||
}
|
||||
|
||||
// exploitInformationGathering 信息收集利用
|
||||
|
@ -33,50 +33,38 @@ func NewRedisExploiter() *RedisExploiter {
|
||||
|
||||
// setupExploitMethods 设置利用方法
|
||||
func (e *RedisExploiter) setupExploitMethods() {
|
||||
// 1. 任意文件写入
|
||||
fileWriteMethod := base.NewExploitMethod(base.ExploitFileWrite, "arbitrary_file_write").
|
||||
WithDescription("利用Redis写入任意文件").
|
||||
WithPriority(10).
|
||||
WithConditions("has_write_config").
|
||||
WithHandler(e.exploitArbitraryFileWrite).
|
||||
Build()
|
||||
e.AddExploitMethod(fileWriteMethod)
|
||||
// 1. 任意文件写入 - 只有提供了-rwp和(-rwc或-rwf)参数时才启用
|
||||
if common.RedisWritePath != "" && (common.RedisWriteContent != "" || common.RedisWriteFile != "") {
|
||||
fileWriteMethod := base.NewExploitMethod(base.ExploitFileWrite, "arbitrary_file_write").
|
||||
WithDescription("利用Redis写入任意文件").
|
||||
WithPriority(10).
|
||||
WithConditions(). // Redis支持未授权访问,不需要凭据条件
|
||||
WithHandler(e.exploitArbitraryFileWrite).
|
||||
Build()
|
||||
e.AddExploitMethod(fileWriteMethod)
|
||||
}
|
||||
|
||||
// 2. SSH密钥写入
|
||||
sshKeyMethod := base.NewExploitMethod(base.ExploitFileWrite, "ssh_key_write").
|
||||
WithDescription("写入SSH公钥到authorized_keys").
|
||||
WithPriority(9).
|
||||
WithConditions("has_ssh_key").
|
||||
WithHandler(e.exploitSSHKeyWrite).
|
||||
Build()
|
||||
e.AddExploitMethod(sshKeyMethod)
|
||||
// 2. SSH密钥写入 - 只有提供了-rf参数时才启用
|
||||
if common.RedisFile != "" {
|
||||
sshKeyMethod := base.NewExploitMethod(base.ExploitFileWrite, "ssh_key_write").
|
||||
WithDescription("写入SSH公钥到authorized_keys").
|
||||
WithPriority(9).
|
||||
WithConditions(). // Redis支持未授权访问,不需要凭据条件
|
||||
WithHandler(e.exploitSSHKeyWrite).
|
||||
Build()
|
||||
e.AddExploitMethod(sshKeyMethod)
|
||||
}
|
||||
|
||||
// 3. Crontab定时任务
|
||||
cronMethod := base.NewExploitMethod(base.ExploitCommandExec, "crontab_injection").
|
||||
WithDescription("注入Crontab定时任务").
|
||||
WithPriority(9).
|
||||
WithConditions().
|
||||
WithHandler(e.exploitCrontabInjection).
|
||||
Build()
|
||||
e.AddExploitMethod(cronMethod)
|
||||
|
||||
// 4. 数据提取
|
||||
dataExtractionMethod := base.NewExploitMethod(base.ExploitDataExtraction, "data_extraction").
|
||||
WithDescription("提取Redis中的数据").
|
||||
WithPriority(7).
|
||||
WithConditions().
|
||||
WithHandler(e.exploitDataExtraction).
|
||||
Build()
|
||||
e.AddExploitMethod(dataExtractionMethod)
|
||||
|
||||
// 5. 信息收集
|
||||
infoGatheringMethod := base.NewExploitMethod(base.ExploitDataExtraction, "info_gathering").
|
||||
WithDescription("收集Redis服务器信息").
|
||||
WithPriority(6).
|
||||
WithConditions().
|
||||
WithHandler(e.exploitInfoGathering).
|
||||
Build()
|
||||
e.AddExploitMethod(infoGatheringMethod)
|
||||
// 3. Crontab定时任务 - 只有提供了-rs参数时才启用
|
||||
if common.RedisShell != "" {
|
||||
cronMethod := base.NewExploitMethod(base.ExploitCommandExec, "crontab_injection").
|
||||
WithDescription("注入Crontab定时任务").
|
||||
WithPriority(9).
|
||||
WithConditions(). // Redis支持未授权访问,不需要凭据条件
|
||||
WithHandler(e.exploitCrontabInjection).
|
||||
Build()
|
||||
e.AddExploitMethod(cronMethod)
|
||||
}
|
||||
}
|
||||
|
||||
// exploitArbitraryFileWrite 任意文件写入利用
|
||||
|
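Review bot: `ssh_key_write` and `crontab_injection` are both registered with `WithPriority(9)`, so when `-rf` and `-rs` are given together the order they run in is decided by however the base exploiter orders equal priorities, which is not visible here; if the crontab path is meant to be tried only after the key write, give it a distinct value such as `WithPriority(8).`. The three gated registrations are otherwise identical apart from the flag test, method name and handler, so a small helper taking the enabling condition and the built method would keep the gating in one place and make a fourth gated method harder to get wrong. The `// Redis支持未授权访问,不需要凭据条件` comment is repeated verbatim on each `WithConditions()` call; stating once above the first block why no credential condition is set reads better. The hunk ends at the `exploitArbitraryFileWrite` doc comment, so the handlers themselves are outside this view.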
@ -31,32 +31,8 @@ func NewSSHExploiter() *SSHExploiter {
|
||||
|
||||
// setupExploitMethods 设置利用方法
|
||||
func (e *SSHExploiter) setupExploitMethods() {
|
||||
// 1. 系统信息收集
|
||||
infoMethod := base.NewExploitMethod(base.ExploitDataExtraction, "system_info").
|
||||
WithDescription("收集系统信息").
|
||||
WithPriority(8).
|
||||
WithConditions("has_credentials").
|
||||
WithHandler(e.exploitSystemInfo).
|
||||
Build()
|
||||
e.AddExploitMethod(infoMethod)
|
||||
|
||||
// 2. 命令执行测试
|
||||
cmdMethod := base.NewExploitMethod(base.ExploitCommandExec, "command_test").
|
||||
WithDescription("测试命令执行能力").
|
||||
WithPriority(9).
|
||||
WithConditions("has_credentials").
|
||||
WithHandler(e.exploitCommandTest).
|
||||
Build()
|
||||
e.AddExploitMethod(cmdMethod)
|
||||
|
||||
// 3. 用户权限检查
|
||||
privMethod := base.NewExploitMethod(base.ExploitDataExtraction, "privilege_check").
|
||||
WithDescription("检查用户权限").
|
||||
WithPriority(7).
|
||||
WithConditions("has_credentials").
|
||||
WithHandler(e.exploitPrivilegeCheck).
|
||||
Build()
|
||||
e.AddExploitMethod(privMethod)
|
||||
// SSH插件不提供利用功能,-sshkey参数用于私钥文件认证而非命令执行
|
||||
// SSH的价值在于弱密码发现,获取SSH访问权限本身就是目标
|
||||
}
|
||||
|
||||
// exploitSystemInfo 系统信息收集利用
|
||||
|