package main
import (
"bufio"
"crypto/tls"
"flag"
"fmt"
"io/ioutil"
"net/http"
"os"
"strconv"
"strings"
"sync"
"time"
)
var (
	// numberTasks holds the wordlist entries read from src_file, one per line.
	numberTasks []string
	// the_returned_result_is_200 collects the worker results that main
	// classifies as hits; they are echoed to stdout and written to des_file.
	the_returned_result_is_200 []string
	// list_of_errors collects every other worker result; only its length is
	// reported at the end.
	list_of_errors []string
	// t is the transport behind the shared HTTP client. InsecureSkipVerify
	// disables certificate verification, so any certificate is accepted and
	// the scanner has no assurance that it is talking to the intended host.
	t = &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}
	// The four values below are populated from command-line flags in main.
	src_file          string // -s: wordlist path
	des_file          string // -d: result file path
	routineCountTotal int    // -t: number of worker goroutines
	urls              string // -u: target base URL
)
// title prints the start-up banner to stdout, followed by a newline.
func title() {
	const banner = `
▄████ ▒█████
██▒ ▀█▒▒██▒ ██▒
▒██░▄▄▄░▒██░ ██▒
░▓█ ██▓▒██ ██░
░▒▓███▀▒░ ████▓▒░
░▒ ▒ ░ ▒░▒░▒░
░ ░ ░ ▒ ▒░
░ ░ ░ ░ ░ ░ ▒
░ ░ ░
`
	fmt.Print(banner + "\n")
}
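// main parses the flags, loads the wordlist, fans the entries out to
// routineCountTotal worker goroutines, collects their results and finally
// prints the hits and writes them to des_file.
func main() {
	flag.StringVar(&src_file, "s", "spring.txt", "字典文件")
	flag.StringVar(&urls, "u", "", "目标url")
	flag.StringVar(&des_file, "d", "result.txt", "结果文件")
	flag.IntVar(&routineCountTotal, "t", 40, "线程数量{默认为40}")
	flag.Parse()
	title()

	// Without a base URL every request would fail to build; say so up front
	// instead of producing one error line per wordlist entry.
	if urls == "" {
		fmt.Println("请使用 -u 指定目标url")
		flag.Usage()
		os.Exit(2)
	}

	var err error
	numberTasks, err = loadTasks(src_file)
	if err != nil {
		// The original printed the message and carried on with a nil file;
		// there is nothing to scan without a wordlist, so stop here.
		fmt.Println("打开文件时候出错", err)
		os.Exit(1)
	}

	client = &http.Client{
		Transport: t,
		Timeout:   20 * time.Second,
	}

	beg := time.Now()
	wg := &sync.WaitGroup{}
	tasks := make(chan string)
	results := make(chan string)
	collected := make(chan struct{})

	// Collector: the only goroutine that touches the result slices, so no
	// mutex is needed. It ends when results is closed and signals that via
	// collected, which is what makes the slices safe to read afterwards.
	go func() {
		defer close(collected)
		for result := range results {
			classifyResult(result)
		}
	}()

	// Zero or negative -t would leave nobody to receive from tasks and the
	// first send below would block forever.
	if routineCountTotal < 1 {
		routineCountTotal = 1
	}
	for i := 0; i < routineCountTotal; i++ {
		wg.Add(1)
		go worker(wg, tasks, results)
	}
	for _, task := range numberTasks {
		tasks <- task
	}
	// Closing tasks ends every worker's range loop. The original sent an
	// empty-string sentinel instead, which collided with blank wordlist
	// lines: a worker closed the channel early and the next send panicked.
	close(tasks)
	wg.Wait()
	close(results)
	<-collected

	fmt.Println("\033[33m+++++++++++++++++++请求成功的++++++++++++++++++++++")
	for _, v := range the_returned_result_is_200 {
		fmt.Println(v)
	}
	if err := writeResults(des_file, the_returned_result_is_200); err != nil {
		fmt.Println("写入结果文件失败", err)
	}
	fmt.Println("发生了", len(list_of_errors), "个失败")
	fmt.Printf("time consumed: %fs\n", time.Since(beg).Seconds())
	fmt.Println("具体接口用法请参考:https://github.com/LandGrey/SpringBootVulExploit")
	fmt.Println("小提醒:ctrl+单击会打开链接\033[0m")
}

// loadTasks reads path line by line and returns the lines that are not
// blank. Blank lines are dropped because worker treats "" as a stop
// sentinel and would close the task channel on it.
func loadTasks(path string) ([]string, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()

	var lines []string
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		line := sc.Text()
		if strings.TrimSpace(line) == "" {
			continue
		}
		lines = append(lines, line)
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	return lines, nil
}

// classifyResult sorts one worker result into the hit or error list, echoing
// hits to stdout as they arrive. The rules are those of the original inline
// collector: a result is a hit when it mentions a 200 status or a detected
// endpoint ("端点"), or when it is a 500 on an "article" path; everything
// else is counted as an error.
func classifyResult(result string) {
	switch {
	case strings.Contains(result, "200") || strings.Contains(result, "端点"):
		fmt.Println(result)
		the_returned_result_is_200 = append(the_returned_result_is_200, result)
	case strings.Contains(result, "500"):
		if strings.Contains(result, "article") {
			fmt.Println(result)
			the_returned_result_is_200 = append(the_returned_result_is_200, result)
		}
	default:
		list_of_errors = append(list_of_errors, result)
	}
}

// writeResults overwrites path with one line per entry. O_TRUNC matters:
// the original opened without it, so a shorter run left stale bytes from a
// previous, longer result file in place. Write and close errors are
// returned rather than ignored.
func writeResults(path string, lines []string) error {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0666)
	if err != nil {
		return err
	}
	w := bufio.NewWriter(f)
	for _, line := range lines {
		if _, err := w.WriteString(line + "\n"); err != nil {
			f.Close()
			return err
		}
	}
	if err := w.Flush(); err != nil {
		f.Close()
		return err
	}
	return f.Close()
}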
// worker consumes keywords from tasks until the channel is closed. An
// empty-string keyword is a stop sentinel: the worker closes tasks so that
// every sibling ranging over it returns as well. Each other keyword is
// passed to NumberQueryRequest and either its body or its error text is
// sent on result. group is marked done when the worker returns.
func worker(group *sync.WaitGroup, tasks chan string, result chan string) {
	defer group.Done()
	for keyword := range tasks {
		if keyword == "" {
			close(tasks)
			continue
		}
		body, err := NumberQueryRequest(keyword)
		if err != nil {
			fmt.Printf("error occurred in NumberQueryRequest: %s\n", keyword)
			result <- err.Error()
			continue
		}
		result <- body
	}
}
// client is the shared HTTP client. main assigns it (using transport t and a
// 20 s timeout) before starting the workers; NumberQueryRequest uses it.
var client *http.Client
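// NumberQueryRequest issues one GET for the configured base URL joined with
// keyword and turns the response into a one-line report. For keywords
// containing "/env" or "/jolokia/list" the body is inspected for the markers
// the original checked and a descriptive line is returned on a match; every
// other case is reported as "url:<url> || 返回值:<status>". err is non-nil
// only when the request could not be built, sent or read; body then holds a
// short label that worker forwards into the error list.
func NumberQueryRequest(keyword string) (body string, err error) {
	// The original rewrote the package-level urls from every worker goroutine
	// (a data race under -race); derive the base locally instead.
	base := strings.TrimRight(urls, "/")
	target := base + keyword
	fmt.Println(target)

	req, err := http.NewRequest("GET", target, nil)
	if err != nil {
		return "构造请求出错", err
	}
	req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36")
	// Send the request that was just prepared; the original built req and
	// then called client.Get(target), so the header set above never went out.
	resp, err := client.Do(req)
	if err != nil {
		return "发送请求出错", err
	}
	defer resp.Body.Close()
	status := resp.StatusCode

	// Only these two paths need the body; other responses are reported by
	// status alone and their body is not read, as in the original.
	type marker struct{ needle, report string }
	var markers []marker
	switch {
	case strings.Contains(keyword, "/env"):
		markers = []marker{
			{"spring.cloud.bootstrap.location", "目标站点开启了 env 端点且spring.cloud.bootstrap.location属性开启,可进行环境属性覆盖RCE测试"},
			{"eureka.client.serviceUrl.defaultZone", "目标站点开启了 env 端点且eureka.client.serviceUrl.defaultZone属性开启,可进行XStream反序列化RCE测试"},
		}
	case strings.Contains(keyword, "/jolokia/list"):
		markers = []marker{
			{"reloadByURL", "目标站点开启了 jolokia 端点且存在reloadByURL方法,可进行XXE/RCE测试"},
			{"createJNDIRealm", "目标站点开启了 jolokia 端点且存在createJNDIRealm方法,可进行JNDI注入RCE测试"},
		}
	}
	if len(markers) > 0 {
		raw, err := ioutil.ReadAll(resp.Body)
		if err != nil {
			// The original discarded this error and matched on whatever
			// partial body it had; a truncated read is reported instead.
			return "读取响应出错", err
		}
		text := string(raw)
		for _, m := range markers {
			if strings.Contains(text, m.needle) {
				return "url: " + target + " || " + m.report, nil
			}
		}
	}
	return "url:" + target + " || " + "返回值:" + strconv.Itoa(status), nil
}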