mirror of
https://github.com/shadow1ng/fscan.git
synced 2025-09-14 14:06:44 +08:00
95497da8ca
主要改进: 1. 修复Services插件端口数据重复问题 - 删除插件结构体中的ports字段和GetPorts()方法 - 系统统一使用注册时的端口信息 2. 引入BasePlugin基础结构体 - 消除51个插件中重复的name字段和Name()方法 - 统一插件基础功能,简化代码维护 3. 统一插件接口设计 - 保持向后兼容,功能完全不变 - 代码更简洁,符合工程最佳实践 影响范围: - services插件:29个文件简化 - web插件:2个文件简化 - local插件:21个文件简化 - 总计删除约150行重复代码
135 lines
3.0 KiB
Go
135 lines
3.0 KiB
Go
package services
|
|
|
|
import (
|
|
"context"
|
|
"crypto/tls"
|
|
"encoding/base64"
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/shadow1ng/fscan/common"
|
|
"github.com/shadow1ng/fscan/plugins"
|
|
)
|
|
|
|
type ElasticsearchPlugin struct {
|
|
plugins.BasePlugin
|
|
}
|
|
|
|
func NewElasticsearchPlugin() *ElasticsearchPlugin {
|
|
return &ElasticsearchPlugin{
|
|
BasePlugin: plugins.NewBasePlugin("elasticsearch"),
|
|
}
|
|
}
|
|
|
|
|
|
|
|
func (p *ElasticsearchPlugin) Scan(ctx context.Context, info *common.HostInfo) *ScanResult {
|
|
target := fmt.Sprintf("%s:%s", info.Host, info.Ports)
|
|
|
|
if common.DisableBrute {
|
|
return p.identifyService(ctx, info)
|
|
}
|
|
|
|
credentials := GenerateCredentials("elasticsearch")
|
|
if len(credentials) == 0 {
|
|
return &ScanResult{
|
|
Success: false,
|
|
Service: "elasticsearch",
|
|
Error: fmt.Errorf("没有可用的测试凭据"),
|
|
}
|
|
}
|
|
|
|
for _, cred := range credentials {
|
|
if p.testCredential(ctx, info, cred) {
|
|
common.LogSuccess(fmt.Sprintf("Elasticsearch %s %s:%s", target, cred.Username, cred.Password))
|
|
return &ScanResult{
|
|
Success: true,
|
|
Service: "elasticsearch",
|
|
Username: cred.Username,
|
|
Password: cred.Password,
|
|
}
|
|
}
|
|
}
|
|
|
|
return &ScanResult{
|
|
Success: false,
|
|
Service: "elasticsearch",
|
|
Error: fmt.Errorf("未发现弱密码"),
|
|
}
|
|
}
|
|
|
|
|
|
func (p *ElasticsearchPlugin) testCredential(ctx context.Context, info *common.HostInfo, cred Credential) bool {
|
|
client := &http.Client{
|
|
Timeout: time.Duration(common.Timeout) * time.Second,
|
|
Transport: &http.Transport{
|
|
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
|
|
},
|
|
}
|
|
|
|
// 构建URL
|
|
protocol := "http"
|
|
if info.Ports == "9443" {
|
|
protocol = "https"
|
|
}
|
|
url := fmt.Sprintf("%s://%s:%s/", protocol, info.Host, info.Ports)
|
|
|
|
req, err := http.NewRequestWithContext(ctx, "GET", url, nil)
|
|
if err != nil {
|
|
return false
|
|
}
|
|
|
|
if cred.Username != "" || cred.Password != "" {
|
|
auth := base64.StdEncoding.EncodeToString([]byte(cred.Username + ":" + cred.Password))
|
|
req.Header.Set("Authorization", "Basic "+auth)
|
|
}
|
|
|
|
resp, err := client.Do(req)
|
|
if err != nil {
|
|
return false
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
if resp.StatusCode == 200 {
|
|
body, err := io.ReadAll(resp.Body)
|
|
if err != nil {
|
|
return false
|
|
}
|
|
|
|
bodyStr := string(body)
|
|
return strings.Contains(bodyStr, "elasticsearch") || strings.Contains(bodyStr, "cluster_name")
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
|
|
|
|
|
|
func (p *ElasticsearchPlugin) identifyService(ctx context.Context, info *common.HostInfo) *ScanResult {
|
|
if p.testCredential(ctx, info, Credential{Username: "", Password: ""}) {
|
|
target := fmt.Sprintf("%s:%s", info.Host, info.Ports)
|
|
banner := "Elasticsearch"
|
|
common.LogSuccess(fmt.Sprintf("Elasticsearch %s %s", target, banner))
|
|
return &ScanResult{
|
|
Success: true,
|
|
Service: "elasticsearch",
|
|
Banner: banner,
|
|
}
|
|
}
|
|
return &ScanResult{
|
|
Success: false,
|
|
Service: "elasticsearch",
|
|
Error: fmt.Errorf("无法识别为Elasticsearch服务"),
|
|
}
|
|
}
|
|
|
|
func init() {
|
|
// 使用高效注册方式:直接传递端口信息,避免实例创建
|
|
RegisterPluginWithPorts("elasticsearch", func() Plugin {
|
|
return NewElasticsearchPlugin()
|
|
}, []int{9200, 9300})
|
|
} |