fscan/plugins/services/mongodb.go

package services

import (
	"context"
	"fmt"
	"net"
	"strings"
	"time"

	"github.com/shadow1ng/fscan/common"
	"github.com/shadow1ng/fscan/plugins"
)

type MongoDBPlugin struct {
	plugins.BasePlugin
}

func NewMongoDBPlugin() *MongoDBPlugin {
	return &MongoDBPlugin{
		BasePlugin: plugins.NewBasePlugin("mongodb"),
	}
}



func (p *MongoDBPlugin) Scan(ctx context.Context, info *common.HostInfo) *ScanResult {
	target := fmt.Sprintf("%s:%s", info.Host, info.Ports)

	if common.DisableBrute {
		return p.identifyService(ctx, info)
	}

	credentials := GenerateCredentials("mongodb")
	if len(credentials) == 0 {
		return &ScanResult{
			Success: false,
			Service: "mongodb",
			Error:   fmt.Errorf("没有可用的测试凭据"),
		}
	}

	// 优化：只测试一次连接，检查是否允许无认证访问
	if p.testUnauthenticatedAccess(ctx, info) {
		common.LogSuccess(fmt.Sprintf("MongoDB %s 无认证访问", target))
		return &ScanResult{
			Success:  true,
			Service:  "mongodb",
			Username: "",
			Password: "",
			Banner:   "无认证访问",
		}
	}

	return &ScanResult{
		Success: false,
		Service: "mongodb",
		Error:   fmt.Errorf("未发现弱密码"),
	}
}



func (p *MongoDBPlugin) testCredential(ctx context.Context, info *common.HostInfo, cred Credential) bool {
	// 这个方法现在不使用，保留以防向后兼容
	return p.testUnauthenticatedAccess(ctx, info)
}

func (p *MongoDBPlugin) testUnauthenticatedAccess(ctx context.Context, info *common.HostInfo) bool {
	target := fmt.Sprintf("%s:%s", info.Host, info.Ports)
	timeout := time.Duration(common.Timeout) * time.Second

	conn, err := net.DialTimeout("tcp", target, timeout)
	if err != nil {
		return false
	}
	defer conn.Close()

	conn.SetDeadline(time.Now().Add(timeout))
	return p.testBasicQuery(conn)
}

func (p *MongoDBPlugin) testBasicQuery(conn net.Conn) bool {
	queryMsg := p.createListDatabasesQuery()
	
	if _, err := conn.Write(queryMsg); err != nil {
		return false
	}

	response := make([]byte, 1024)
	n, err := conn.Read(response)
	if err != nil {
		return false
	}

	return n > 36 && p.isValidMongoResponse(response[:n])
}

func (p *MongoDBPlugin) isValidMongoResponse(data []byte) bool {
	if len(data) < 36 {
		return false
	}

	responseStr := string(data)
	return strings.Contains(responseStr, "databases") ||
		   strings.Contains(responseStr, "totalSize") ||
		   strings.Contains(responseStr, "name")
}






func (p *MongoDBPlugin) createListDatabasesQuery() []byte {
	query := make([]byte, 58)
	
	query[0] = 0x3A
	query[4] = 0x01
	query[12] = 0x04
	query[13] = 0x20
	
	copy(query[20:], "admin.$cmd\x00")
	
	bsonQuery := []byte{
		0x1A, 0x00, 0x00, 0x00,
		0x10,
		0x6C, 0x69, 0x73, 0x74, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x73, 0x00,
		0x01, 0x00, 0x00, 0x00,
		0x00,
	}
	
	copy(query[32:], bsonQuery)
	return query
}





func (p *MongoDBPlugin) identifyService(ctx context.Context, info *common.HostInfo) *ScanResult {
	target := fmt.Sprintf("%s:%s", info.Host, info.Ports)
	timeout := time.Duration(common.Timeout) * time.Second

	conn, err := net.DialTimeout("tcp", target, timeout)
	if err != nil {
		return &ScanResult{
			Success: false,
			Service: "mongodb",
			Error:   err,
		}
	}
	defer conn.Close()

	conn.SetDeadline(time.Now().Add(timeout))
	
	// 简化识别逻辑：先尝试基础查询，失败则使用端口推断
	if p.testBasicQuery(conn) {
		banner := "MongoDB"
		common.LogSuccess(fmt.Sprintf("MongoDB %s %s", target, banner))
		return &ScanResult{
			Success: true,
			Service: "mongodb",
			Banner:  banner,
		}
	}
	
	// 如果查询失败但能建立TCP连接，且是MongoDB默认端口，推断为MongoDB
	if info.Ports == "27017" || info.Ports == "27018" || info.Ports == "27019" {
		banner := "MongoDB (端口推断)"
		common.LogSuccess(fmt.Sprintf("MongoDB %s %s", target, banner))
		return &ScanResult{
			Success: true,
			Service: "mongodb", 
			Banner:  banner,
		}
	}

	return &ScanResult{
		Success: false,
		Service: "mongodb",
		Error:   fmt.Errorf("无法识别为MongoDB服务: 连接成功但协议查询失败"),
	}
}

func init() {
	// 使用高效注册方式：直接传递端口信息，避免实例创建
	RegisterPluginWithPorts("mongodb", func() Plugin {
		return NewMongoDBPlugin()
	}, []int{27017, 27018, 27019})
}