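package services

import (
	"context"
	"fmt"
	"io"
	"net/http"
	"strings"
	"time"

	"github.com/shadow1ng/fscan/common"
	"github.com/shadow1ng/fscan/plugins"
)

// Neo4jPlugin checks a Neo4j HTTP endpoint for service identification,
// unauthenticated access and weak credentials.
//
// Every probe in this file is sent over plain http://, so the Basic-auth
// credentials used by testCredential cross the network unencrypted.
type Neo4jPlugin struct {
	plugins.BasePlugin
}

// NewNeo4jPlugin returns a plugin instance registered under the name "neo4j".
func NewNeo4jPlugin() *Neo4jPlugin {
	return &Neo4jPlugin{
		BasePlugin: plugins.NewBasePlugin("neo4j"),
	}
}

// Scan runs the Neo4j checks against info.Host:info.Ports.
//
// When common.DisableBrute is set, only service identification is performed.
// Otherwise the unauthenticated-access check runs first, followed by one
// login attempt per credential returned by GenerateCredentials("neo4j").
// The returned ScanResult always has Service set to "neo4j"; Error is set on
// every unsuccessful result.
func (p *Neo4jPlugin) Scan(ctx context.Context, info *common.HostInfo) *ScanResult {
	target := fmt.Sprintf("%s:%s", info.Host, info.Ports)

	if common.DisableBrute {
		return p.identifyService(ctx, info)
	}

	if result := p.testUnauthorizedAccess(ctx, info); result != nil && result.Success {
		common.LogSuccess(fmt.Sprintf("Neo4j %s 未授权访问", target))
		return result
	}

	credentials := GenerateCredentials("neo4j")
	if len(credentials) == 0 {
		return &ScanResult{
			Success: false,
			Service: "neo4j",
			Error:   fmt.Errorf("没有可用的测试凭据"),
		}
	}

	for _, cred := range credentials {
		// Stop as soon as the scan is cancelled or times out. Without this
		// check every remaining credential would still be tried, each one
		// failing in client.Do and being counted as a failed packet.
		if ctx != nil && ctx.Err() != nil {
			return &ScanResult{
				Success: false,
				Service: "neo4j",
				Error:   ctx.Err(),
			}
		}

		if p.testCredential(ctx, info, cred) {
			// The log line and the result both carry the password in clear
			// text; scan output has to be handled as sensitive data.
			common.LogSuccess(fmt.Sprintf("Neo4j %s %s:%s", target, cred.Username, cred.Password))
			return &ScanResult{
				Success:  true,
				Service:  "neo4j",
				Username: cred.Username,
				Password: cred.Password,
			}
		}
	}

	return &ScanResult{
		Success: false,
		Service: "neo4j",
		Error:   fmt.Errorf("未发现弱密码"),
	}
}

// testUnauthorizedAccess requests /db/data/ without credentials and reports
// success when the server answers 200. It returns nil when the send limit is
// reached, the request cannot be built or sent, or the status is not 200.
//
// NOTE(review): the check looks only at the status code, so any HTTP service
// that answers 200 on this path is reported as an open Neo4j instance.
// Validating the response body would reduce false positives; the expected
// body shape is not visible in this file.
func (p *Neo4jPlugin) testUnauthorizedAccess(ctx context.Context, info *common.HostInfo) *ScanResult {
	// Honour the global packet-sending limit before touching the network.
	if canSend, reason := common.CanSendPacket(); !canSend {
		common.LogError(fmt.Sprintf("Neo4j未授权检测 %s:%s 受限: %s", info.Host, info.Ports, reason))
		return nil
	}

	baseURL := fmt.Sprintf("http://%s:%s", info.Host, info.Ports)
	client := &http.Client{
		Timeout: time.Duration(common.Timeout) * time.Second,
	}

	req, err := http.NewRequestWithContext(ctx, http.MethodGet, baseURL+"/db/data/", nil)
	if err != nil {
		return nil
	}

	resp, err := client.Do(req)
	if err != nil {
		common.IncrementTCPFailedPacketCount()
		return nil
	}
	common.IncrementTCPSuccessPacketCount()
	defer resp.Body.Close()

	if resp.StatusCode != http.StatusOK {
		return nil
	}
	return &ScanResult{
		Success: true,
		Service: "neo4j",
		Banner:  "未授权访问",
	}
}

// testCredential sends one Basic-auth GET to /user/neo4j and reports whether
// the server answered 200. Any failure (send limit reached, request build
// error, transport error, non-200 status) yields false.
//
// NOTE(review): the path is fixed to /user/neo4j even when cred.Username is a
// different account, so a valid non-"neo4j" login may not produce a 200 here;
// confirm against the server versions this plugin is meant to cover.
// Server-side, this check appears as repeated authenticated requests to the
// same path, which is what a login rate limit or alert should key on.
func (p *Neo4jPlugin) testCredential(ctx context.Context, info *common.HostInfo, cred Credential) bool {
	// Honour the global packet-sending limit before touching the network.
	if canSend, reason := common.CanSendPacket(); !canSend {
		common.LogError(fmt.Sprintf("Neo4j凭据测试 %s:%s 受限: %s", info.Host, info.Ports, reason))
		return false
	}

	baseURL := fmt.Sprintf("http://%s:%s", info.Host, info.Ports)
	client := &http.Client{
		Timeout: time.Duration(common.Timeout) * time.Second,
	}

	req, err := http.NewRequestWithContext(ctx, http.MethodGet, baseURL+"/user/neo4j", nil)
	if err != nil {
		return false
	}
	req.SetBasicAuth(cred.Username, cred.Password)
	req.Header.Set("Content-Type", "application/json")

	resp, err := client.Do(req)
	if err != nil {
		common.IncrementTCPFailedPacketCount()
		return false
	}
	common.IncrementTCPSuccessPacketCount()
	defer resp.Body.Close()

	return resp.StatusCode == http.StatusOK
}

// identifyService fetches the root URL and reports the target as Neo4j when
// either the Server header or the body of a 200/401 response contains
// "neo4j" (case-insensitive). Every other outcome is returned as an
// unsuccessful ScanResult with Error set.
//
// The original code assigned the "Neo4j" banner in both branches of the body
// check, so any service answering 200 or 401 was reported as Neo4j. A
// response without the marker is now rejected.
func (p *Neo4jPlugin) identifyService(ctx context.Context, info *common.HostInfo) *ScanResult {
	// Upper bound on how much of a remote-controlled response body is read
	// while looking for the marker; keeps a hostile or broken server from
	// exhausting memory.
	const maxBannerBody = 1 << 20

	target := fmt.Sprintf("%s:%s", info.Host, info.Ports)

	// Honour the global packet-sending limit before touching the network.
	if canSend, reason := common.CanSendPacket(); !canSend {
		common.LogError(fmt.Sprintf("Neo4j识别 %s 受限: %s", target, reason))
		return &ScanResult{
			Success: false,
			Service: "neo4j",
			Error:   fmt.Errorf("发包受限: %s", reason),
		}
	}

	baseURL := fmt.Sprintf("http://%s:%s", info.Host, info.Ports)
	client := &http.Client{
		Timeout: time.Duration(common.Timeout) * time.Second,
	}

	req, err := http.NewRequestWithContext(ctx, http.MethodGet, baseURL, nil)
	if err != nil {
		return &ScanResult{
			Success: false,
			Service: "neo4j",
			Error:   err,
		}
	}

	resp, err := client.Do(req)
	if err != nil {
		common.IncrementTCPFailedPacketCount()
		return &ScanResult{
			Success: false,
			Service: "neo4j",
			Error:   err,
		}
	}
	common.IncrementTCPSuccessPacketCount()
	defer resp.Body.Close()

	unrecognized := func() *ScanResult {
		return &ScanResult{
			Success: false,
			Service: "neo4j",
			Error:   fmt.Errorf("无法识别为Neo4j服务"),
		}
	}

	server := strings.ToLower(resp.Header.Get("Server"))
	switch {
	case strings.Contains(server, "neo4j"):
		// The Server header alone is enough to identify the service.
	case resp.StatusCode == http.StatusOK || resp.StatusCode == http.StatusUnauthorized:
		// A read error is ignored on purpose: whatever was received before
		// the error is still searched for the marker.
		body, _ := io.ReadAll(io.LimitReader(resp.Body, maxBannerBody))
		if !strings.Contains(strings.ToLower(string(body)), "neo4j") {
			return unrecognized()
		}
	default:
		return unrecognized()
	}

	banner := "Neo4j"
	common.LogSuccess(fmt.Sprintf("Neo4j %s %s", target, banner))
	return &ScanResult{
		Success: true,
		Service: "neo4j",
		Banner:  banner,
	}
}

func init() {
	// Register through the port-aware path: the port list is passed directly,
	// so no plugin instance has to be created at registration time.
	//
	// NOTE(review): all probes in this file speak plain HTTP. 7473 is Neo4j's
	// default HTTPS port and 7687 its default Bolt port, so requests to those
	// are expected to fail or return a non-200 status; confirm whether they
	// belong in this list.
	RegisterPluginWithPorts("neo4j", func() Plugin {
		return NewNeo4jPlugin()
	}, []int{7474, 7687, 7473})
}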