  • Optimize filefuzz to improve running speed 2022-09-18

  • hktalent committed 2 years ago
    ca1bb257
    1 parent 9b411988
    brute/dicts/filedic.txt
     1 +/bea_wls_internal/classes/mejb@/org/omg/stub/javax/management/j2ee/_ManagementHome_Stub.class
    1 2  !.gitignore
    2 3  !.htaccess
    3 4  !.htpasswd
    skipped 4 lines
    8 9  %2e%2e;test/
    9 10  %3f/
    10 11  %C0%AE%C0%AE%C0%AF
    11  -%EXT%
    12  -%EXT%.bak
    13  -%EXT%.old
    14  -%EXT%.php
    15  -%EXT%.tar
    16  -%EXT%.tgz
    17  -%EXT%.txt
    18  -%EXT%.zip
    19 12  %ff
    20 13  %ff/
    21 14  +CSCOE+/logon.html
    skipped 1743 lines
    1765 1758  /bbs
    1766 1759  /bbs.tar
    1767 1760  /bbs.tar.gz
    1768  -/bea_wls_internal/classes/mejb@/org/omg/stub/javax/management/j2ee/_ManagementHome_Stub.class
    1769 1761  /bea_wls_internal/index7833.jsp
    1770 1762  /bea_wls_internal/x3.jsp
    1771 1763  /beans
    skipped 2647 lines
    4419 4411  adm_cp
    4420 4412  admin
    4421 4413  admin%20/
    4422  -admin%EXT%
    4423 4414  admin-ANTIGO
    4424 4415  admin-admin
    4425 4416  admin-ajax.php
    skipped 4041 lines
    8467 8458  my_admin
    8468 8459  myadm/
    8469 8460  myadmin
    8470  -myadmin%EXT%
    8471 8461  myadmin/
    8472 8462  myadmin/index.php
    8473 8463  myadmin/scripts/setup.php
    skipped 2844 lines
    brute/filefuzz.go
    skipped 2 lines
    3 3  import (
    4 4   "context"
    5 5   _ "embed"
    6  - "fmt"
    7 6   "github.com/antlabs/strsim"
    8 7   "github.com/hktalent/scan4all/lib/util"
    9 8   "log"
    skipped 2 lines
    12 11   "strings"
    13 12   "sync"
    14 13   "sync/atomic"
     14 + "time"
    15 15  )
    16 16   
    17 17  // 备份、敏感文件后缀
    skipped 123 lines
    141 141   
    142 142  // 重写了fuzz:优化流程、优化算法、修复线程安全bug、增加智能功能
    143 143  func FileFuzz(u string, indexStatusCode int, indexContentLength int, indexbody string) ([]string, []string) {
    144  - if eableFileFuzz || util.TestRepeat(u, "FileFuzz") {
    145  - return []string{}, []string{}
    146  - }
    147 144   u01, err := url.Parse(strings.TrimSpace(u))
    148 145   if nil == err {
    149 146   u = u01.Scheme + "://" + u01.Host + "/"
    150 147   }
     148 + if eableFileFuzz || util.TestRepeat(u, "FileFuzz") {
     149 + return []string{}, []string{}
     150 + }
     151 + 
    151 152   //log.Println("start file fuzz", u)
    152 153   var (
    153 154   //path404 = RandStr // 绝对404页面路径
    skipped 24 lines
    178 179   var wg sync.WaitGroup
    179 180   // 中途控制关闭当前目标所有fuzz
    180 181   ctx, stop := context.WithCancel(util.Ctx_global)
     182 + ctx2, stop2 := context.WithCancel(util.Ctx_global)
    181 183   // 控制 fuzz 线程数
    182 184   var ch = make(chan struct{}, util.Fuzzthreads)
    183 185   // 异步接收结果
    184  - var async_data = make(chan []string, 64)
    185  - var async_technologies = make(chan []string, 64)
     186 + var async_data = make(chan []string, util.Fuzzthreads*2)
     187 + var async_technologies = make(chan []string, util.Fuzzthreads*2)
     188 + // 字典长度的 70% 的错误
     189 + var MaxErrorTimes int32 = int32(float32(len(filedic)) * 0.7)
    186 190   defer func() {
    187 191   close(ch)
    188 192   close(async_data)
    skipped 4 lines
    193 197   go func() {
    194 198   for {
    195 199   select {
    196  - case <-ctx.Done():
     200 + case x1, ok := <-async_data:
     201 + if ok {
     202 + path = append(path, x1...)
     203 + if len(path) > nStop {
     204 + stop() //发停止指令
     205 + atomic.AddInt32(&errorTimes, MaxErrorTimes)
     206 + }
     207 + } else {
     208 + return
     209 + }
     210 + case x2, ok := <-async_technologies:
     211 + if ok {
     212 + technologies = append(technologies, x2...)
     213 + } else {
     214 + return
     215 + }
     216 + case <-ctx2.Done():
    197 217   return
    198  - case x1 := <-async_data:
    199  - path = append(path, x1...)
    200  - if len(path) > nStop {
    201  - stop() //发停止指令
    202  - atomic.AddInt32(&errorTimes, 21)
    203  - }
    204  - case x2 := <-async_technologies:
    205  - technologies = append(technologies, x2...)
    206 218   default:
    207 219   // <-time.After(time.Duration(100) * time.Millisecond)
    208 220   }
    skipped 1 lines
    210 222   }()
    211 223   for _, payload := range filedic {
    212 224   // 接收到停止信号
    213  - if atomic.LoadInt32(&errorTimes) >= 20 {
     225 + if atomic.LoadInt32(&errorTimes) >= MaxErrorTimes {
    214 226   break
    215 227   }
    216 228   //log.Println(u, " ", payload)
    skipped 6 lines
    223 235   wg.Done() // 控制所有线程结束
    224 236   <-ch // 并发控制
    225 237   }()
    226  - log.Printf("start file fuzz %s%s \r", u, payload)
     238 + //log.Printf("start file fuzz %s%s \r", u, payload)
    227 239   for {
    228 240   select {
    229 241   case _, ok := <-ch:
    skipped 2 lines
    232 244   return
    233 245   }
    234 246   case <-ctx.Done(): // 00-捕获所有线程关闭信号,并退出,close for all
    235  - atomic.AddInt32(&errorTimes, 21)
     247 + atomic.AddInt32(&errorTimes, MaxErrorTimes)
    236 248   return
    237 249   default:
    238 250   //if _, ok := noRpt.Load(szKey001Over); ok {
    skipped 1 lines
    240 252   // return
    241 253   //}
    242 254   // 01-异常>20关闭所有fuzz
    243  - if atomic.LoadInt32(&errorTimes) >= 20 {
     255 + if atomic.LoadInt32(&errorTimes) >= MaxErrorTimes {
    244 256   stop() //发停止指令
    245 257   return
    246 258   }
    skipped 2 lines
    249 261   if strings.HasPrefix(payload, "/") && endP {
    250 262   szUrl = u + payload[1:]
    251 263   }
    252  - log.Printf("start fuzz: [%s]", szUrl)
     264 + //log.Printf("start fuzz: [%s]", szUrl)
    253 265   if fuzzPage, req, err := reqPage(szUrl); err == nil && nil != req && 0 < len(req.Body) {
    254  - log.Printf("%d : %s \n", req.StatusCode, szUrl)
     266 + //if 200 == req.StatusCode {
     267 + // log.Printf("%d : %s \n", req.StatusCode, szUrl)
     268 + //}
    255 269   go util.CheckHeader(req.Header, u)
    256 270   // 02-状态码和req1相同,且与req1相似度>9.5,关闭所有fuzz
    257 271   fXsd := strsim.Compare(url404req.Body, req.Body)
    258 272   bBig95 := 9.5 < fXsd
     273 + //if "/bea_wls_internal/classes/mejb@/org/omg/stub/javax/management/j2ee/_ManagementHome_Stub.class" == payload {
     274 + // log.Println("start debug")
     275 + //}
    259 276   if url404.StatusCode == fuzzPage.StatusCode && bBig95 {
    260 277   stop() //发停止指令
    261  - atomic.AddInt32(&errorTimes, 21)
     278 + atomic.AddInt32(&errorTimes, MaxErrorTimes)
    262 279   return
    263 280   }
    264 281   var path1, technologies1 = []string{}, []string{}
    skipped 3 lines
    268 285   technologies = Addfingerprints404(technologies, req, fuzzPage) //基于404页面文件扫描指纹添加
    269 286   // 03.02-与绝对404相似度低于0.8,添加body 404 body list
    270 287   // 03.03-添加404titlelist
    271  - if 0.8 > fXsd {
     288 + if 0.8 > fXsd && fuzzPage.StatusCode != 200 && fuzzPage.StatusCode != url404.StatusCode {
    272 289   StudyErrPageAI(req, fuzzPage, "") // 异常页面学习
    273 290   }
    274 291   // 04-403: 403 by pass
    skipped 18 lines
    293 310   // 1、状态码和绝对404一样 2、智能识别算出来
    294 311   is404Page := url404.StatusCode == fuzzPage.StatusCode || CheckIsErrPageAI(req, fuzzPage)
    295 312   // 06-成功页面, 非异常页面
    296  - if !is404Page {
     313 + if !is404Page || 200 == fuzzPage.StatusCode && url404.StatusCode != fuzzPage.StatusCode {
    297 314   // 1、指纹匹配
    298 315   technologies1 = Addfingerprintsnormal(payload, technologies1, req, fuzzPage) // 基于200页面文件扫描指纹添加
    299 316   // 2、成功fuzz路径结果添加
    skipped 6 lines
    306 323   async_technologies <- technologies1
    307 324   }
    308 325   } else { // 这里应该元子操作
    309  - fmt.Printf("%s is err %v\n", szUrl, err)
     326 + if nil != err {
     327 + log.Printf("%s is err %v\n", szUrl, err)
     328 + }
    310 329   atomic.AddInt32(&errorTimes, 1)
    311 330   }
    312 331   return
    skipped 3 lines
    316 335   }
    317 336   // 默认情况等待所有结束
    318 337   wg.Wait()
    319  - stop() //发停止指令
    320 338   log.Printf("fuzz is over: %s\n", u)
     339 + technologies = util.SliceRemoveDuplicates(technologies)
     340 + path = util.SliceRemoveDuplicates(path)
     341 + stop() //发停止指令
     342 + <-time.After(time.Second * 2)
     343 + stop2()
    321 344   return path, technologies
    322 345  }
    323 346   
    skipped 24 lines
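Review bot: The new shutdown sequence at the end of FileFuzz races with the collector goroutine: after `wg.Wait()` the main goroutine runs `util.SliceRemoveDuplicates` on `technologies` and `path` (which sorts them in place, see util.go in this same commit) while the collector may still be appending buffered results to those slices, and the function returns two seconds later without ever waiting for the collector, whose `case <-ctx2.Done()` can also win the select over items still buffered in `async_data`/`async_technologies`, so results are silently dropped. The fixed `<-time.After(time.Second * 2)` only hides that race and adds two seconds per target, and the `default:` branch with its sleep commented out keeps the collector spinning on a CPU for the whole fuzz. Close both result channels after `wg.Wait()` (removing the two `close` calls from the deferred cleanup so they are not closed twice), let the collector exit once both channels are drained, and wait on a done channel before deduplicating; `ctx2`/`stop2` and the new `time` import are then no longer needed. FileFuzz's body is only partly visible here, so the deferred cleanup and the worker loop are assumed unchanged from the lines shown.
```go
	// The collector owns path/technologies until done is closed.
	done := make(chan struct{})
	go func() {
		defer close(done)
		dataCh, techCh := async_data, async_technologies
		for dataCh != nil || techCh != nil {
			select {
			case x1, ok := <-dataCh:
				if !ok {
					dataCh = nil // drained and closed
					continue
				}
				path = append(path, x1...)
				if len(path) > nStop {
					stop() // too many hits: stop all workers
					atomic.AddInt32(&errorTimes, MaxErrorTimes)
				}
			case x2, ok := <-techCh:
				if !ok {
					techCh = nil
					continue
				}
				technologies = append(technologies, x2...)
			}
		}
	}()
	// … unchanged: worker loop over filedic …
	wg.Wait()                 // every worker has finished sending
	close(async_data)         // moved out of the deferred cleanup
	close(async_technologies) // (remove both closes from the defer)
	<-done                    // collector no longer touches path/technologies
	log.Printf("fuzz is over: %s\n", u)
	stop()
	technologies = util.SliceRemoveDuplicates(technologies)
	path = util.SliceRemoveDuplicates(path)
	return path, technologies
```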
    brute/fuzzfingerprints.go
    skipped 14 lines
    15 15  func Addfingerprints404(technologies []string, req *util.Response, oPage *util.Page) []string {
    16 16   var szKey string
    17 17   if nil != oPage {
    18  - szKey = fmt.Sprintf("Addfingerprints404:%s_%d", oPage.Url, oPage.BodyLen)
     18 + szKey = fmt.Sprintf("Addfingerprints404:%s_%d", *oPage.Url, oPage.BodyLen)
    19 19   data := util.Cache1.GetKeyForData(szKey)
    20 20   var rst []string
    21 21   if 0 < len(data) {
    skipped 90 lines
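Review bot: `*oPage.Url` on the new line 18 dereferences the page's Url pointer with no nil check, so a Page whose Url was never set now panics inside Addfingerprints404, where the old line merely formatted the pointer value; guard the field together with the page, e.g. `if nil != oPage && nil != oPage.Url {`. Whether Url can legitimately be nil depends on how util.Page is populated, which is not visible in this commit. The function continues past the hunk.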
  • config/scan4all_db.db
    Binary file.
    lib/socket/ConnTarget.go
    skipped 154 lines
    155 155  }
    156 156   
    157 157  // 连接目标
     158 +// sysctl -w net.ipv4.tcp_keepalive_time=300
     159 +// sysctl -w net.ipv4.tcp_keepalive_intvl=30
     160 +// sysctl -w net.ipv4.tcp_keepalive_probes=5
    158 161  func (r *CheckTarget) ConnTarget() (*CheckTarget, error) {
    159 162   var err error
    160 163   szErr := fmt.Sprintf("can not connect to: %s", r.UrlRaw)
    skipped 3 lines
    164 167   }
    165 168   r.Conn, err = tls.Dial(r.ConnType, fmt.Sprintf("%s:%d", r.Target, r.Port), conf)
    166 169   if err == nil {
     170 + //r.Conn.SetKeepAlive(true)
    167 171   // 设置读取超时
    168 172   err = r.Conn.SetReadDeadline(time.Now().Add(time.Duration(r.ReadTimeout) * time.Second))
    169 173   if err != nil {
    skipped 9 lines
    179 183   r.Log(szErr)
    180 184   return r, err
    181 185   }
     186 + //r.Conn.SetKeepAlive(true)
    182 187   // 设置读取超时
    183 188   err = r.Conn.SetReadDeadline(time.Now().Add(time.Duration(r.ReadTimeout) * time.Second))
    184 189   if err != nil {
    skipped 15 lines
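Review bot: The three `sysctl -w net.ipv4.tcp_keepalive_*` lines added above ConnTarget describe host tuning the code does not actually rely on: both `r.Conn.SetKeepAlive(true)` calls are left commented out, so a reader will assume keepalive is active when the connection only ever gets a read deadline. Either drop the comment or say what it is for, e.g. `// TCP keepalive is NOT enabled on r.Conn; these sysctl values only take effect if keepalive is turned on at dial time`. Since `tls.Dial` returns a `*tls.Conn`, which exposes no SetKeepAlive, keepalive would presumably have to be configured on a `net.Dialer` used for the underlying connection rather than on `r.Conn` — likely why the calls are commented out. ConnTarget's body continues outside the visible hunks.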
    lib/util/util.go
    skipped 1 lines
    2 2   
    3 3  import (
    4 4   "crypto/tls"
     5 + "errors"
    5 6   "fmt"
    6 7   "github.com/corpix/uarand"
    7 8   "github.com/hbakhtiyor/strsim"
    8 9   "github.com/karlseguin/ccache"
     10 + "io"
    9 11   "io/ioutil"
    10 12   "log"
    11 13   "math/rand"
     14 + "net"
    12 15   "net/http"
    13 16   "net/http/cookiejar"
    14 17   "net/url"
    skipped 14 lines
    29 32   
    30 33  // http密码爆破
    31 34  func HttpRequsetBasic(username string, password string, urlstring string, method string, postdata string, isredirect bool, headers map[string]string) (*Response, error) {
    32  - client := GetClient(urlstring)
    33  - var err error
    34  - if isredirect {
    35  - jar, _ := cookiejar.New(nil)
    36  - client.Jar = jar
    37  - } else {
    38  - client.Jar = nil
    39  - }
    40  - req, err := http.NewRequest(strings.ToUpper(method), urlstring, strings.NewReader(postdata))
    41  - if err != nil {
    42  - return nil, err
    43  - }
    44  - req.SetBasicAuth(username, password)
    45  - req.Header.Set("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8")
    46  - req.Header.Set("User-Agent", uarand.GetRandom())
    47  - SetHeader(&req.Header)
    48  - for v, k := range headers {
    49  - req.Header[v] = []string{k}
    50  - }
    51  - var resp *http.Response
    52  - 
    53  - // resp, err = tr.RoundTrip(req)
    54  - resp, err = client.Do(req)
    55  - if err != nil {
    56  - //防止空指针
    57  - return &Response{"999", 999, "", nil, 0, "", ""}, err
    58  - }
    59  - var location string
    60  - var reqbody string
    61  - defer resp.Body.Close()
    62  - if body, err := ioutil.ReadAll(resp.Body); err == nil {
    63  - reqbody = string(body)
    64  - }
    65  - if resplocation, err := resp.Location(); err == nil {
    66  - location = resplocation.String()
    67  - }
    68  - return &Response{resp.Status, resp.StatusCode, reqbody, &resp.Header, len(reqbody), resp.Request.URL.String(), location}, nil
     35 + rsps, _, _, err := GetResponse(username, password, urlstring, method, postdata, isredirect, headers)
     36 + return rsps, err
    69 37  }
    70 38   
    71 39  // client缓存
    skipped 41 lines
    113 81   }
    114 82   var tr *http.Transport
    115 83   tr = &http.Transport{
    116  - TLSClientConfig: &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS10},
    117  - DisableKeepAlives: false,
    118  - MaxIdleConns: 300,
    119  - IdleConnTimeout: 180,
    120  - TLSHandshakeTimeout: 60,
    121  - ExpectContinueTimeout: 30,
    122  - MaxIdleConnsPerHost: 100,
     84 + DialContext: (&net.Dialer{
     85 + Timeout: 30 * time.Second,
     86 + KeepAlive: 30 * time.Second,
     87 + DualStack: true,
     88 + }).DialContext,
     89 + MaxIdleConns: 100,
     90 + MaxIdleConnsPerHost: 1024,
     91 + TLSHandshakeTimeout: 0 * time.Second,
     92 + IdleConnTimeout: 90 * time.Second,
     93 + ExpectContinueTimeout: 1 * time.Second,
     94 + MaxResponseHeaderBytes: 4096, // net/http default is 10Mb
     95 + TLSClientConfig: &tls.Config{
     96 + Renegotiation: tls.RenegotiateOnceAsClient,
     97 + InsecureSkipVerify: true,
     98 + },
     99 + DisableKeepAlives: false,
    123 100   }
    124 101   if HttpProxy != "" {
    125 102   uri, _ := url.Parse(strings.TrimSpace(HttpProxy))
    skipped 25 lines
    151 128   }
    152 129  }
    153 130   
    154  -// 需要考虑缓存
    155  -// 1、缓解网络不好的情况
    156  -// 2、缓存有效期为当天
    157  -// 3、缓存命中需和请求的数据完全匹配
    158  -func HttpRequset(urlstring string, method string, postdata string, isredirect bool, headers map[string]string) (*Response, error) {
     131 +// 数组去重
     132 +func SliceRemoveDuplicates(slice []string) []string {
     133 + if nil == slice || 0 == len(slice) {
     134 + return slice
     135 + }
     136 + sort.Strings(slice)
     137 + i := 0
     138 + var j int
     139 + for {
     140 + if i >= len(slice)-1 {
     141 + break
     142 + }
     143 + for j = i + 1; j < len(slice) && slice[i] == slice[j]; j++ {
     144 + }
     145 + slice = append(slice[:i+1], slice[j:]...)
     146 + i++
     147 + }
     148 + return slice
     149 +}
     150 + 
     151 +func GetResponse(username string, password string, urlstring string, method string, postdata string, isredirect bool, headers map[string]string) (resp1 *Response, reqbody, location string, err error) {
    159 152   client := GetClient(urlstring)
    160 153   if nil == client {
    161  - log.Printf("client is nil, url [%s]\n", urlstring)
    162  - return nil, nil
     154 + return nil, "", "", errors.New(urlstring + " client is nil")
    163 155   }
    164 156   if isredirect {
    165 157   jar, _ := cookiejar.New(nil)
    skipped 3 lines
    169 161   }
    170 162   req, err := http.NewRequest(strings.ToUpper(method), urlstring, strings.NewReader(postdata))
    171 163   if err != nil {
    172  - return nil, err
     164 + return nil, "", "", err
    173 165   }
    174  - req.Header.Set("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8")
    175  - req.Header.Set("User-Agent", uarand.GetRandom())
    176  - // 设置全局自定义头、cookie信息
    177  - SetHeader(&req.Header)
    178  - for v, k := range headers {
    179  - req.Header[v] = []string{k}
     166 + if "" != username && "" != password {
     167 + req.SetBasicAuth(username, password)
    180 168   }
    181  - resp, err := client.Do(req)
    182  - if nil != resp {
    183  - defer resp.Body.Close()
     169 + req.Header.Add("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8")
     170 + req.Header.Add("User-Agent", uarand.GetRandom())
     171 + //req.Header.Add("Connection", "keep-alive")// http1.1 默认 开启
     172 + SetHeader(&req.Header)
     173 + for k, v := range headers {
     174 + req.Header.Add(k, v)
    184 175   }
     176 + 
     177 + var resp *http.Response
     178 + // resp, err = tr.RoundTrip(req)
     179 + resp, err = client.Do(req)
     180 + defer func() {
     181 + req.Body.Close()
     182 + if nil != resp {
     183 + //io.Copy(ioutil.Discard, resp.Body)
     184 + resp.Body.Close()
     185 + }
     186 + }()
     187 + 
    185 188   if err != nil {
     189 + if nil != resp {
     190 + io.Copy(ioutil.Discard, resp.Body)
     191 + }
    186 192   //防止空指针
    187  - return &Response{"999", 999, "", nil, 0, "", ""}, err
     193 + return &Response{"999", 999, "", nil, 0, "", ""}, "", "", err
    188 194   }
    189  - var location string
    190  - var reqbody string
     195 + 
    191 196   if body, err := ioutil.ReadAll(resp.Body); err == nil {
    192 197   reqbody = string(body)
    193 198   }
    194 199   if resplocation, err := resp.Location(); err == nil {
    195 200   location = resplocation.String()
    196 201   }
    197  - return &Response{resp.Status, resp.StatusCode, reqbody, &resp.Header, len(reqbody), resp.Request.URL.String(), location}, nil
     202 + return &Response{resp.Status, resp.StatusCode, reqbody, &resp.Header, len(reqbody), resp.Request.URL.String(), location}, reqbody, location, nil
     203 +}
     204 + 
     205 +// 需要考虑缓存
     206 +// 1、缓解网络不好的情况
     207 +// 2、缓存有效期为当天
     208 +// 3、缓存命中需和请求的数据完全匹配
     209 +func HttpRequset(urlstring string, method string, postdata string, isredirect bool, headers map[string]string) (*Response, error) {
     210 + rsps, _, _, err := GetResponse("", "", urlstring, method, postdata, isredirect, headers)
     211 + return rsps, err
    198 212  }
    199 213   
    200 214  func Dnslogchek(randomstr string) bool {
    skipped 134 lines
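Review bot: `req.Header.Add(k, v)` in the caller-header loop of GetResponse (new line 174) changes behaviour from the removed `req.Header[v] = []string{k}`: a caller-supplied `Content-Type` or `User-Agent` is now appended after the values set on lines 169-170 instead of replacing them, so both values go on the wire; use `req.Header.Set(k, v)` to keep the old override semantics. In GetClient, `TLSHandshakeTimeout: 0 * time.Second` disables the handshake timeout entirely (only the 30 s `net.Dialer.Timeout` bounds the TCP connect), so a target that accepts the connection and then stalls the TLS handshake blocks a fuzz worker indefinitely; a value such as `TLSHandshakeTimeout: 10 * time.Second` restores a bound, and `MaxIdleConnsPerHost: 1024` above `MaxIdleConns: 100` is inconsistent since the global cap wins. The `io.Copy(ioutil.Discard, resp.Body)` branch on line 190 is effectively dead: net/http documents that `client.Do` returns a nil Response on error except for a CheckRedirect failure, where the body is already closed. Both functions continue outside the visible hunks.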
    main.go
    skipped 17 lines
    18 18  var Wg sync.WaitGroup
    19 19   
    20 20  func main() {
     21 + //os.Args = []string{"", "-host", "http://127.0.0.1"}
    21 22   runtime.GOMAXPROCS(runtime.NumCPU())
    22 23   util.Wg = &Wg
    23 24   util.DoInit(&config)
    skipped 16 lines
    pkg/httpx/runner/runner.go
    skipped 1332 lines
    1333 1333   }
    1334 1334   // 敏感文件fuzz扫描
    1335 1335   filePaths, filefuzzTechnologies = brute.FileFuzz(ul, resp.StatusCode, resp.ContentLength, resp.Raw)
    1336  - gologger.Debug().Msgf("%s fuzz\n%+v\n", ul, filePaths)
     1336 + //if 0 < len(filePaths) {
     1337 + // gologger.Debug().Msgf("%s fuzz\n%+v\n", ul, filePaths)
     1338 + //}
    1337 1339   filefuzzTechnologies = SliceRemoveDuplicates(filefuzzTechnologies)
    1338 1340   // 取差集合
    1339 1341   filefuzzTechnologies = difference(filefuzzTechnologies, technologies)
    skipped 453 lines