mirrors/fscan
1
0
Fork 0
mirror of https://github.com/shadow1ng/fscan.git synced 2025-09-14 14:06:44 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity
e082e2bb59
fscan/plugins/services/rabbitmq.go
ZacharyZcR e082e2bb59 refactor: 重组插件目录结构,提升管理直观性 
将所有服务插件移动到plugins/services/目录下,使目录结构更加清晰直观:
• 创建plugins/services/目录统一管理服务扫描插件
• 添加init.go提供类型别名和函数导出
• 更新main.go导入路径
• 所有20个服务插件功能验证正常

新的目录结构更便于插件管理和维护。
2025-08-26 00:02:13 +08:00

508 lines
13 KiB
Go
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

package services
import (
"context"
"encoding/json"
"fmt"
"io"
"net/http"
"strings"
"time"
"github.com/shadow1ng/fscan/common"
"github.com/shadow1ng/fscan/common/i18n"
)
// RabbitMQPlugin RabbitMQ消息队列扫描和利用插件 - 包含队列信息提取利用功能
type RabbitMQPlugin struct {
name string
ports []int
}
// NewRabbitMQPlugin 创建RabbitMQ插件
func NewRabbitMQPlugin() *RabbitMQPlugin {
return &RabbitMQPlugin{
name: "rabbitmq",
ports: []int{5672, 15672, 5671}, // AMQP、管理界面、AMQPS端口
}
}
// GetName 实现Plugin接口
func (p *RabbitMQPlugin) GetName() string {
return p.name
}
// GetPorts 实现Plugin接口
func (p *RabbitMQPlugin) GetPorts() []int {
return p.ports
}
// Scan 执行RabbitMQ扫描 - 弱密码检测
func (p *RabbitMQPlugin) Scan(ctx context.Context, info *common.HostInfo) *ScanResult {
target := fmt.Sprintf("%s:%s", info.Host, info.Ports)
// 如果禁用暴力破解,只做服务识别
if common.DisableBrute {
return p.identifyService(ctx, info)
}
// RabbitMQ管理端口通常是15672AMQP端口是5672
if info.Ports == "5672" || info.Ports == "5671" {
// AMQP端口进行协议检测
return p.testAMQPProtocol(ctx, info)
}
// 生成测试凭据
credentials := GenerateCredentials("rabbitmq")
if len(credentials) == 0 {
// RabbitMQ默认凭据
credentials = []Credential{
{Username: "guest", Password: "guest"},
{Username: "admin", Password: "admin"},
{Username: "admin", Password: "password"},
{Username: "admin", Password: "123456"},
{Username: "rabbitmq", Password: "rabbitmq"},
{Username: "user", Password: "user"},
}
}
// 逐个测试凭据(针对管理接口)
for _, cred := range credentials {
// 检查Context是否被取消
select {
case <-ctx.Done():
return &ScanResult{
Success: false,
Service: "rabbitmq",
Error: ctx.Err(),
}
default:
}
// 测试凭据
if p.testCredential(ctx, info, cred) {
// RabbitMQ认证成功
common.LogSuccess(i18n.GetText("rabbitmq_scan_success", target, cred.Username, cred.Password))
return &ScanResult{
Success: true,
Service: "rabbitmq",
Username: cred.Username,
Password: cred.Password,
}
}
}
// 所有凭据都失败
return &ScanResult{
Success: false,
Service: "rabbitmq",
Error: fmt.Errorf("未发现弱密码"),
}
}
// Exploit 执行RabbitMQ利用操作 - 实现队列信息提取功能
func (p *RabbitMQPlugin) Exploit(ctx context.Context, info *common.HostInfo, creds Credential) *ExploitResult {
target := fmt.Sprintf("%s:%s", info.Host, info.Ports)
common.LogSuccess(fmt.Sprintf("RabbitMQ利用开始: %s (用户: %s)", target, creds.Username))
var output strings.Builder
output.WriteString(fmt.Sprintf("=== RabbitMQ利用结果 - %s ===\n", target))
// 获取集群信息
if clusterInfo := p.getClusterInfo(ctx, info, creds); clusterInfo != "" {
output.WriteString(fmt.Sprintf("\n[集群信息]\n%s\n", clusterInfo))
}
// 获取节点信息
if nodes := p.getNodes(ctx, info, creds); len(nodes) > 0 {
output.WriteString(fmt.Sprintf("\n[节点列表] (共%d个)\n", len(nodes)))
for i, node := range nodes {
if i >= 5 { // 限制显示前5个节点
output.WriteString("... (更多节点)\n")
break
}
output.WriteString(fmt.Sprintf(" %s\n", node))
}
}
// 获取虚拟主机
if vhosts := p.getVHosts(ctx, info, creds); len(vhosts) > 0 {
output.WriteString(fmt.Sprintf("\n[虚拟主机] (共%d个)\n", len(vhosts)))
for _, vhost := range vhosts {
output.WriteString(fmt.Sprintf(" %s\n", vhost))
}
}
// 获取用户列表
if users := p.getUsers(ctx, info, creds); len(users) > 0 {
output.WriteString(fmt.Sprintf("\n[用户列表] (共%d个)\n", len(users)))
for i, user := range users {
if i >= 10 { // 限制显示前10个用户
output.WriteString("... (更多用户)\n")
break
}
output.WriteString(fmt.Sprintf(" %s\n", user))
}
}
// 获取队列列表
if queues := p.getQueues(ctx, info, creds); len(queues) > 0 {
output.WriteString(fmt.Sprintf("\n[队列列表] (共%d个)\n", len(queues)))
for i, queue := range queues {
if i >= 10 { // 限制显示前10个队列
output.WriteString("... (更多队列)\n")
break
}
output.WriteString(fmt.Sprintf(" %s\n", queue))
}
}
// 获取交换器列表
if exchanges := p.getExchanges(ctx, info, creds); len(exchanges) > 0 {
output.WriteString(fmt.Sprintf("\n[交换器] (共%d个)\n", len(exchanges)))
for i, exchange := range exchanges {
if i >= 5 { // 限制显示前5个交换器
output.WriteString("... (更多交换器)\n")
break
}
output.WriteString(fmt.Sprintf(" %s\n", exchange))
}
}
common.LogSuccess(fmt.Sprintf("RabbitMQ利用完成: %s", target))
return &ExploitResult{
Success: true,
Output: output.String(),
}
}
// testAMQPProtocol 测试AMQP协议
func (p *RabbitMQPlugin) testAMQPProtocol(ctx context.Context, info *common.HostInfo) *ScanResult {
// 对于AMQP端口我们只做协议识别
// AMQP协议检测比较复杂这里简化处理
return &ScanResult{
Success: true,
Service: "rabbitmq",
Banner: "RabbitMQ AMQP协议端口",
}
}
// testCredential 测试单个凭据通过管理API
func (p *RabbitMQPlugin) testCredential(ctx context.Context, info *common.HostInfo, cred Credential) bool {
// 构建管理API URL
baseURL := fmt.Sprintf("http://%s:%s", info.Host, info.Ports)
client := &http.Client{
Timeout: time.Duration(common.Timeout) * time.Second,
}
// 尝试访问API overview
req, err := http.NewRequestWithContext(ctx, "GET", baseURL+"/api/overview", nil)
if err != nil {
return false
}
req.SetBasicAuth(cred.Username, cred.Password)
req.Header.Set("Content-Type", "application/json")
resp, err := client.Do(req)
if err != nil {
return false
}
defer resp.Body.Close()
return resp.StatusCode == 200
}
// makeAPIRequest 执行API请求
func (p *RabbitMQPlugin) makeAPIRequest(ctx context.Context, info *common.HostInfo, creds Credential, endpoint string) (map[string]interface{}, error) {
baseURL := fmt.Sprintf("http://%s:%s", info.Host, info.Ports)
client := &http.Client{
Timeout: time.Duration(common.Timeout) * time.Second,
}
req, err := http.NewRequestWithContext(ctx, "GET", baseURL+endpoint, nil)
if err != nil {
return nil, err
}
req.SetBasicAuth(creds.Username, creds.Password)
req.Header.Set("Accept", "application/json")
resp, err := client.Do(req)
if err != nil {
return nil, err
}
defer resp.Body.Close()
if resp.StatusCode != 200 {
return nil, fmt.Errorf("API请求失败状态码: %d", resp.StatusCode)
}
body, err := io.ReadAll(resp.Body)
if err != nil {
return nil, err
}
var result map[string]interface{}
err = json.Unmarshal(body, &result)
if err != nil {
// 尝试解析为数组
var arrayResult []map[string]interface{}
if err2 := json.Unmarshal(body, &arrayResult); err2 == nil {
// 如果是数组,返回包装的结果
return map[string]interface{}{"data": arrayResult}, nil
}
return nil, err
}
return result, nil
}
// getClusterInfo 获取集群信息
func (p *RabbitMQPlugin) getClusterInfo(ctx context.Context, info *common.HostInfo, creds Credential) string {
result, err := p.makeAPIRequest(ctx, info, creds, "/api/overview")
if err != nil {
return ""
}
var info_str strings.Builder
if managementVersion, ok := result["management_version"]; ok {
info_str.WriteString(fmt.Sprintf("管理版本: %v\n", managementVersion))
}
if rabbitMQVersion, ok := result["rabbitmq_version"]; ok {
info_str.WriteString(fmt.Sprintf("RabbitMQ版本: %v\n", rabbitMQVersion))
}
if clusterName, ok := result["cluster_name"]; ok {
info_str.WriteString(fmt.Sprintf("集群名称: %v\n", clusterName))
}
return info_str.String()
}
// getNodes 获取节点列表
func (p *RabbitMQPlugin) getNodes(ctx context.Context, info *common.HostInfo, creds Credential) []string {
result, err := p.makeAPIRequest(ctx, info, creds, "/api/nodes")
if err != nil {
return nil
}
var nodes []string
if data, ok := result["data"].([]interface{}); ok {
for _, item := range data {
if node, ok := item.(map[string]interface{}); ok {
if name, ok := node["name"]; ok {
if nameStr, ok := name.(string); ok {
nodes = append(nodes, nameStr)
}
}
}
}
}
return nodes
}
// getVHosts 获取虚拟主机列表
func (p *RabbitMQPlugin) getVHosts(ctx context.Context, info *common.HostInfo, creds Credential) []string {
result, err := p.makeAPIRequest(ctx, info, creds, "/api/vhosts")
if err != nil {
return nil
}
var vhosts []string
if data, ok := result["data"].([]interface{}); ok {
for _, item := range data {
if vhost, ok := item.(map[string]interface{}); ok {
if name, ok := vhost["name"]; ok {
if nameStr, ok := name.(string); ok {
vhosts = append(vhosts, nameStr)
}
}
}
}
}
return vhosts
}
// getUsers 获取用户列表
func (p *RabbitMQPlugin) getUsers(ctx context.Context, info *common.HostInfo, creds Credential) []string {
result, err := p.makeAPIRequest(ctx, info, creds, "/api/users")
if err != nil {
return nil
}
var users []string
if data, ok := result["data"].([]interface{}); ok {
for _, item := range data {
if user, ok := item.(map[string]interface{}); ok {
if name, ok := user["name"]; ok {
if nameStr, ok := name.(string); ok {
// 获取用户标签信息
var tags string
if tagsInterface, ok := user["tags"]; ok {
if tagsStr, ok := tagsInterface.(string); ok {
tags = fmt.Sprintf(" [%s]", tagsStr)
}
}
users = append(users, nameStr+tags)
}
}
}
}
}
return users
}
// getQueues 获取队列列表
func (p *RabbitMQPlugin) getQueues(ctx context.Context, info *common.HostInfo, creds Credential) []string {
result, err := p.makeAPIRequest(ctx, info, creds, "/api/queues")
if err != nil {
return nil
}
var queues []string
if data, ok := result["data"].([]interface{}); ok {
for _, item := range data {
if queue, ok := item.(map[string]interface{}); ok {
if name, ok := queue["name"]; ok {
if nameStr, ok := name.(string); ok {
// 获取队列消息数
var messages string
if messagesInterface, ok := queue["messages"]; ok {
messages = fmt.Sprintf(" (消息数: %v)", messagesInterface)
}
queues = append(queues, nameStr+messages)
}
}
}
}
}
return queues
}
// getExchanges 获取交换器列表
func (p *RabbitMQPlugin) getExchanges(ctx context.Context, info *common.HostInfo, creds Credential) []string {
result, err := p.makeAPIRequest(ctx, info, creds, "/api/exchanges")
if err != nil {
return nil
}
var exchanges []string
if data, ok := result["data"].([]interface{}); ok {
for _, item := range data {
if exchange, ok := item.(map[string]interface{}); ok {
if name, ok := exchange["name"]; ok {
if nameStr, ok := name.(string); ok {
// 过滤掉空名称的默认交换器
if nameStr == "" {
nameStr = "(default)"
}
// 获取交换器类型
var exchType string
if typeInterface, ok := exchange["type"]; ok {
if typeStr, ok := typeInterface.(string); ok {
exchType = fmt.Sprintf(" [%s]", typeStr)
}
}
exchanges = append(exchanges, nameStr+exchType)
}
}
}
}
}
return exchanges
}
// identifyService 服务识别 - 检测RabbitMQ服务
func (p *RabbitMQPlugin) identifyService(ctx context.Context, info *common.HostInfo) *ScanResult {
target := fmt.Sprintf("%s:%s", info.Host, info.Ports)
// 根据端口类型进行不同的识别
if info.Ports == "5672" || info.Ports == "5671" {
// AMQP端口
return &ScanResult{
Success: true,
Service: "rabbitmq",
Banner: "RabbitMQ AMQP协议服务",
}
}
// 管理端口尝试HTTP请求
baseURL := fmt.Sprintf("http://%s:%s", info.Host, info.Ports)
client := &http.Client{
Timeout: time.Duration(common.Timeout) * time.Second,
}
req, err := http.NewRequestWithContext(ctx, "GET", baseURL, nil)
if err != nil {
return &ScanResult{
Success: false,
Service: "rabbitmq",
Error: err,
}
}
resp, err := client.Do(req)
if err != nil {
return &ScanResult{
Success: false,
Service: "rabbitmq",
Error: err,
}
}
defer resp.Body.Close()
// 检查响应是否包含RabbitMQ特征
var banner string
if resp.StatusCode == 200 || resp.StatusCode == 401 {
body, _ := io.ReadAll(resp.Body)
bodyStr := strings.ToLower(string(body))
if strings.Contains(bodyStr, "rabbitmq") {
banner = "RabbitMQ管理界面"
} else if strings.Contains(bodyStr, "management") {
banner = "RabbitMQ服务 (管理端口)"
} else {
banner = "RabbitMQ消息队列服务"
}
} else {
return &ScanResult{
Success: false,
Service: "rabbitmq",
Error: fmt.Errorf("无法识别为RabbitMQ服务"),
}
}
common.LogSuccess(i18n.GetText("rabbitmq_service_identified", target, banner))
return &ScanResult{
Success: true,
Service: "rabbitmq",
Banner: banner,
}
}
// init 自动注册插件
func init() {
RegisterPlugin("rabbitmq", func() Plugin {
return NewRabbitMQPlugin()
})
}
Reference in New Issue View Git Blame Copy Permalink