fscan/plugins/services/neo4j.go

package services

import (
	"context"
	"fmt"
	"io"
	"net/http"
	"strings"
	"time"

	"github.com/shadow1ng/fscan/common"
)

type Neo4jPlugin struct {
	name  string
	ports []int
}

func NewNeo4jPlugin() *Neo4jPlugin {
	return &Neo4jPlugin{
		name:  "neo4j",
		ports: []int{7474, 7687, 7473},
	}
}

func (p *Neo4jPlugin) GetName() string {
	return p.name
}

func (p *Neo4jPlugin) GetPorts() []int {
	return p.ports
}

func (p *Neo4jPlugin) Scan(ctx context.Context, info *common.HostInfo) *ScanResult {
	target := fmt.Sprintf("%s:%s", info.Host, info.Ports)

	if common.DisableBrute {
		return p.identifyService(ctx, info)
	}

	if result := p.testUnauthorizedAccess(ctx, info); result != nil && result.Success {
		common.LogSuccess(fmt.Sprintf("Neo4j %s 未授权访问", target))
		return result
	}

	credentials := GenerateCredentials("neo4j")
	if len(credentials) == 0 {
		return &ScanResult{
			Success: false,
			Service: "neo4j",
			Error:   fmt.Errorf("没有可用的测试凭据"),
		}
	}

	for _, cred := range credentials {
		if p.testCredential(ctx, info, cred) {
			common.LogSuccess(fmt.Sprintf("Neo4j %s %s:%s", target, cred.Username, cred.Password))

			return &ScanResult{
				Success:  true,
				Service:  "neo4j",
				Username: cred.Username,
				Password: cred.Password,
			}
		}
	}

	return &ScanResult{
		Success: false,
		Service: "neo4j",
		Error:   fmt.Errorf("未发现弱密码"),
	}
}


func (p *Neo4jPlugin) testUnauthorizedAccess(ctx context.Context, info *common.HostInfo) *ScanResult {
	baseURL := fmt.Sprintf("http://%s:%s", info.Host, info.Ports)
	
	client := &http.Client{
		Timeout: time.Duration(common.Timeout) * time.Second,
	}

	req, err := http.NewRequestWithContext(ctx, "GET", baseURL+"/db/data/", nil)
	if err != nil {
		return nil
	}

	resp, err := client.Do(req)
	if err != nil {
		return nil
	}
	defer resp.Body.Close()

	if resp.StatusCode == 200 {
		return &ScanResult{
			Success: true,
			Service: "neo4j",
			Banner:  "未授权访问",
		}
	}

	return nil
}

func (p *Neo4jPlugin) testCredential(ctx context.Context, info *common.HostInfo, cred Credential) bool {
	baseURL := fmt.Sprintf("http://%s:%s", info.Host, info.Ports)
	
	client := &http.Client{
		Timeout: time.Duration(common.Timeout) * time.Second,
	}

	req, err := http.NewRequestWithContext(ctx, "GET", baseURL+"/user/neo4j", nil)
	if err != nil {
		return false
	}

	req.SetBasicAuth(cred.Username, cred.Password)
	req.Header.Set("Content-Type", "application/json")

	resp, err := client.Do(req)
	if err != nil {
		return false
	}
	defer resp.Body.Close()

	return resp.StatusCode == 200
}







func (p *Neo4jPlugin) identifyService(ctx context.Context, info *common.HostInfo) *ScanResult {
	target := fmt.Sprintf("%s:%s", info.Host, info.Ports)
	baseURL := fmt.Sprintf("http://%s:%s", info.Host, info.Ports)

	client := &http.Client{
		Timeout: time.Duration(common.Timeout) * time.Second,
	}

	req, err := http.NewRequestWithContext(ctx, "GET", baseURL, nil)
	if err != nil {
		return &ScanResult{
			Success: false,
			Service: "neo4j",
			Error:   err,
		}
	}

	resp, err := client.Do(req)
	if err != nil {
		return &ScanResult{
			Success: false,
			Service: "neo4j",
			Error:   err,
		}
	}
	defer resp.Body.Close()

	var banner string
	if resp.Header.Get("Server") != "" && strings.Contains(strings.ToLower(resp.Header.Get("Server")), "neo4j") {
		banner = "Neo4j"
	} else if resp.StatusCode == 200 || resp.StatusCode == 401 {
		body, _ := io.ReadAll(resp.Body)
		if strings.Contains(strings.ToLower(string(body)), "neo4j") {
			banner = "Neo4j"
		} else {
			banner = "Neo4j"
		}
	} else {
		return &ScanResult{
			Success: false,
			Service: "neo4j",
			Error:   fmt.Errorf("无法识别为Neo4j服务"),
		}
	}

	common.LogSuccess(fmt.Sprintf("Neo4j %s %s", target, banner))

	return &ScanResult{
		Success: true,
		Service: "neo4j",
		Banner:  banner,
	}
}

func init() {
	// 使用高效注册方式：直接传递端口信息，避免实例创建
	RegisterPluginWithPorts("neo4j", func() Plugin {
		return NewNeo4jPlugin()
	}, []int{7474, 7687, 7473})
}