mirror of
https://github.com/shadow1ng/fscan.git
synced 2025-09-14 05:56:46 +08:00
9e9485814d
- 修改Neo4j插件,在HTTP连接和服务识别中添加发包控制 - 修改Cassandra插件,在CQL连接和会话创建中添加发包控制 - 统一包计数逻辑,确保TCP连接成功和失败都正确计数 - 保持现有图数据库和分布式数据库检测功能
216 lines
4.8 KiB
Go
216 lines
4.8 KiB
Go
package services
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/shadow1ng/fscan/common"
|
|
"github.com/shadow1ng/fscan/plugins"
|
|
)
|
|
|
|
type Neo4jPlugin struct {
|
|
plugins.BasePlugin
|
|
}
|
|
|
|
func NewNeo4jPlugin() *Neo4jPlugin {
|
|
return &Neo4jPlugin{
|
|
BasePlugin: plugins.NewBasePlugin("neo4j"),
|
|
}
|
|
}
|
|
|
|
|
|
|
|
func (p *Neo4jPlugin) Scan(ctx context.Context, info *common.HostInfo) *ScanResult {
|
|
target := fmt.Sprintf("%s:%s", info.Host, info.Ports)
|
|
|
|
if common.DisableBrute {
|
|
return p.identifyService(ctx, info)
|
|
}
|
|
|
|
if result := p.testUnauthorizedAccess(ctx, info); result != nil && result.Success {
|
|
common.LogSuccess(fmt.Sprintf("Neo4j %s 未授权访问", target))
|
|
return result
|
|
}
|
|
|
|
credentials := GenerateCredentials("neo4j")
|
|
if len(credentials) == 0 {
|
|
return &ScanResult{
|
|
Success: false,
|
|
Service: "neo4j",
|
|
Error: fmt.Errorf("没有可用的测试凭据"),
|
|
}
|
|
}
|
|
|
|
for _, cred := range credentials {
|
|
if p.testCredential(ctx, info, cred) {
|
|
common.LogSuccess(fmt.Sprintf("Neo4j %s %s:%s", target, cred.Username, cred.Password))
|
|
|
|
return &ScanResult{
|
|
Success: true,
|
|
Service: "neo4j",
|
|
Username: cred.Username,
|
|
Password: cred.Password,
|
|
}
|
|
}
|
|
}
|
|
|
|
return &ScanResult{
|
|
Success: false,
|
|
Service: "neo4j",
|
|
Error: fmt.Errorf("未发现弱密码"),
|
|
}
|
|
}
|
|
|
|
|
|
func (p *Neo4jPlugin) testUnauthorizedAccess(ctx context.Context, info *common.HostInfo) *ScanResult {
|
|
// 检查发包限制
|
|
if canSend, reason := common.CanSendPacket(); !canSend {
|
|
common.LogError(fmt.Sprintf("Neo4j未授权检测 %s:%s 受限: %s", info.Host, info.Ports, reason))
|
|
return nil
|
|
}
|
|
|
|
baseURL := fmt.Sprintf("http://%s:%s", info.Host, info.Ports)
|
|
|
|
client := &http.Client{
|
|
Timeout: time.Duration(common.Timeout) * time.Second,
|
|
}
|
|
|
|
req, err := http.NewRequestWithContext(ctx, "GET", baseURL+"/db/data/", nil)
|
|
if err != nil {
|
|
return nil
|
|
}
|
|
|
|
resp, err := client.Do(req)
|
|
if err != nil {
|
|
common.IncrementTCPFailedPacketCount()
|
|
return nil
|
|
}
|
|
common.IncrementTCPSuccessPacketCount()
|
|
defer resp.Body.Close()
|
|
|
|
if resp.StatusCode == 200 {
|
|
return &ScanResult{
|
|
Success: true,
|
|
Service: "neo4j",
|
|
Banner: "未授权访问",
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (p *Neo4jPlugin) testCredential(ctx context.Context, info *common.HostInfo, cred Credential) bool {
|
|
// 检查发包限制
|
|
if canSend, reason := common.CanSendPacket(); !canSend {
|
|
common.LogError(fmt.Sprintf("Neo4j凭据测试 %s:%s 受限: %s", info.Host, info.Ports, reason))
|
|
return false
|
|
}
|
|
|
|
baseURL := fmt.Sprintf("http://%s:%s", info.Host, info.Ports)
|
|
|
|
client := &http.Client{
|
|
Timeout: time.Duration(common.Timeout) * time.Second,
|
|
}
|
|
|
|
req, err := http.NewRequestWithContext(ctx, "GET", baseURL+"/user/neo4j", nil)
|
|
if err != nil {
|
|
return false
|
|
}
|
|
|
|
req.SetBasicAuth(cred.Username, cred.Password)
|
|
req.Header.Set("Content-Type", "application/json")
|
|
|
|
resp, err := client.Do(req)
|
|
if err != nil {
|
|
common.IncrementTCPFailedPacketCount()
|
|
return false
|
|
}
|
|
common.IncrementTCPSuccessPacketCount()
|
|
defer resp.Body.Close()
|
|
|
|
return resp.StatusCode == 200
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
func (p *Neo4jPlugin) identifyService(ctx context.Context, info *common.HostInfo) *ScanResult {
|
|
target := fmt.Sprintf("%s:%s", info.Host, info.Ports)
|
|
|
|
// 检查发包限制
|
|
if canSend, reason := common.CanSendPacket(); !canSend {
|
|
common.LogError(fmt.Sprintf("Neo4j识别 %s 受限: %s", target, reason))
|
|
return &ScanResult{
|
|
Success: false,
|
|
Service: "neo4j",
|
|
Error: fmt.Errorf("发包受限: %s", reason),
|
|
}
|
|
}
|
|
|
|
baseURL := fmt.Sprintf("http://%s:%s", info.Host, info.Ports)
|
|
|
|
client := &http.Client{
|
|
Timeout: time.Duration(common.Timeout) * time.Second,
|
|
}
|
|
|
|
req, err := http.NewRequestWithContext(ctx, "GET", baseURL, nil)
|
|
if err != nil {
|
|
return &ScanResult{
|
|
Success: false,
|
|
Service: "neo4j",
|
|
Error: err,
|
|
}
|
|
}
|
|
|
|
resp, err := client.Do(req)
|
|
if err != nil {
|
|
common.IncrementTCPFailedPacketCount()
|
|
return &ScanResult{
|
|
Success: false,
|
|
Service: "neo4j",
|
|
Error: err,
|
|
}
|
|
}
|
|
common.IncrementTCPSuccessPacketCount()
|
|
defer resp.Body.Close()
|
|
|
|
var banner string
|
|
if resp.Header.Get("Server") != "" && strings.Contains(strings.ToLower(resp.Header.Get("Server")), "neo4j") {
|
|
banner = "Neo4j"
|
|
} else if resp.StatusCode == 200 || resp.StatusCode == 401 {
|
|
body, _ := io.ReadAll(resp.Body)
|
|
if strings.Contains(strings.ToLower(string(body)), "neo4j") {
|
|
banner = "Neo4j"
|
|
} else {
|
|
banner = "Neo4j"
|
|
}
|
|
} else {
|
|
return &ScanResult{
|
|
Success: false,
|
|
Service: "neo4j",
|
|
Error: fmt.Errorf("无法识别为Neo4j服务"),
|
|
}
|
|
}
|
|
|
|
common.LogSuccess(fmt.Sprintf("Neo4j %s %s", target, banner))
|
|
|
|
return &ScanResult{
|
|
Success: true,
|
|
Service: "neo4j",
|
|
Banner: banner,
|
|
}
|
|
}
|
|
|
|
func init() {
|
|
// 使用高效注册方式:直接传递端口信息,避免实例创建
|
|
RegisterPluginWithPorts("neo4j", func() Plugin {
|
|
return NewNeo4jPlugin()
|
|
}, []int{7474, 7687, 7473})
|
|
} |