From 134b1bce5f2941cfcece0a3638aae9b201c7c136 Mon Sep 17 00:00:00 2001
From: hktalent <18223385+hktalent@users.noreply.github.com>
Date: Thu, 21 Dec 2023 11:34:45 +0800
Subject: [PATCH 1/4] rm nuclei-templates 2023-12-21

---
 .github/workflows/build.yml | 6 +++---
 .gitmodules | 4 ----
 config/nuclei-templates | 1 -
 go.mod | 2 +-
 vendor/modules.txt | 2 --
 5 files changed, 4 insertions(+), 11 deletions(-)
 delete mode 160000 config/nuclei-templates

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e956e9cf2..8dbeede52 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -19,7 +19,7 @@ jobs:
 - name: Set up Go
 uses: actions/setup-go@v4
 with:
- go-version: 1.21.3
+ go-version: 1.21.4
 - name: Install Dependences
 run: |
 brew install libpcap upx
@@ -45,7 +45,7 @@ jobs:
 - name: Set up Go
 uses: actions/setup-go@v4
 with:
- go-version: 1.21.3
+ go-version: 1.21.4
 - name: Install Dependences
 run: |
 sudo apt install -yy --fix-missing libpcap-dev upx
@@ -78,7 +78,7 @@ jobs:
 - name: Set up Go
 uses: actions/setup-go@v4
 with:
- go-version: 1.21.3
+ go-version: 1.21.4
 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@v5
 with:
diff --git a/.gitmodules b/.gitmodules
index 5410476a2..b0136a512 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -2,10 +2,6 @@
 path = config/jaeles-signatures
 url = https://github.com/jaeles-project/jaeles-signatures
 branch=master
-[submodule "config/nuclei-templates"]
- path = config/nuclei-templates
- url = https://github.com/projectdiscovery/nuclei-templates.git
- branch=main
 [submodule "config/fuzzing-templates"]
 path = config/fuzzing-templates
 url = https://github.com/projectdiscovery/fuzzing-templates.git
diff --git a/config/nuclei-templates b/config/nuclei-templates
deleted file mode 160000
index 9cd3519d9..000000000
--- a/config/nuclei-templates
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 9cd3519d9e41c8408bf8bcb649166969b24f4db1
diff --git a/go.mod b/go.mod
index f7c50e3f3..4fcdd4d01 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/GhostTroops/scan4all
 
-go 1.21
+go 1.21.4
 
 require (
 github.com/PuerkitoBio/goquery v1.8.1
diff --git a/vendor/modules.txt b/vendor/modules.txt
index a998c72ba..ecf3db714 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -402,8 +402,6 @@ github.com/golang/glog/internal/stackdump
 # github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
 ## explicit
 github.com/golang/groupcache/lru
-# github.com/golang/mock v1.6.0
-## explicit; go 1.11
 # github.com/golang/protobuf v1.5.3
 ## explicit; go 1.9
 github.com/golang/protobuf/proto

From a33c9877af87caf733174b61ec56a332d59e6236 Mon Sep 17 00:00:00 2001
From: hktalent <18223385+hktalent@users.noreply.github.com>
Date: Thu, 21 Dec 2023 13:10:56 +0800
Subject: [PATCH 2/4] fixed #125 #148 #151 #153 #159 2023-12-21

---
 Formula.rb | 2 +-
 lib/util/checkerImp.go | 28 +++++++++++++++++-----------
 main.go | 2 ++
 3 files changed, 20 insertions(+), 12 deletions(-)

diff --git a/Formula.rb b/Formula.rb
index 3b70f47e4..c727f5f5a 100644
--- a/Formula.rb
+++ b/Formula.rb
@@ -2,7 +2,7 @@ class scan4all < Formula
 desc "Official repository vuls Scan: 15000+PoCs; 23 kinds of application password crack; 7000+Web fingerprints; 146 protocols and 90000+ rules Port scanning; Fuzz, HW, awesome BugBounty( ͡° ͜ʖ ͡°)..."
 homepage "https://github.com/GhostTroops/scan4all"
 url "https://github.com/GhostTroops/scan4all/releases/download/2.9.0/scan4all_2.9.0_macOS_amd64.zip"
- sha256 "ccd874a283defad6a0deb11377cb9d6024cb5946b46f61f36008e0afe9db4950"
+ sha256 "542f26a2cbcbd37318d8cbb6e40607cfbff91f6c3a2ea945e143833c1a6aca19"
 version "V2.9.0"
 
 def install
diff --git a/lib/util/checkerImp.go b/lib/util/checkerImp.go
index f19090b62..7485020de 100644
--- a/lib/util/checkerImp.go
+++ b/lib/util/checkerImp.go
@@ -19,10 +19,11 @@ var (
 )
 
 // 检查器的设计:解耦、规范、统一,各类专注实现自己
-// 1、允许未响应header、body、js、css等构建不同的检查器
-// 2、每个检查器都有缓存
-// 3、避免重复检查
-// 4、具有自动释放缓存的机制,程序退出时自动消费(内存缓存)
+//
+// 1、允许未响应header、body、js、css等构建不同的检查器
+// 2、每个检查器都有缓存
+// 3、避免重复检查
+// 4、具有自动释放缓存的机制,程序退出时自动消费(内存缓存)
 type CheckerTools struct {
 Name string `json:"name"` // RespHeader,RespBody,RespJs,RespCss,RespTitle,ReqHeader
 checkFunc []func(*CheckerTools, ...interface{}) `json:"check_func"` // 注册的检查器
@@ -78,8 +79,10 @@ func (r *CheckerTools) GetBodyStr(a ...interface{}) string {
 
 // 检查
 func (r *CheckerTools) Check(parm ...interface{}) {
 for _, f := range r.checkFunc {
- log.Printf("Check %+v\n", parm)
- f(r, parm...)
+ if nil != f {
+ log.Printf("Check %+v\n", parm)
+ f(r, parm...)
+ }
 }
 }
@@ -112,12 +115,15 @@ func CheckRespHeader(parm ...interface{}) {
 }
 
 // 检查 response 对象
-// 1、包括头的检查
-// 2、包括body的检查
+//
+// 1、包括头的检查
+// 2、包括body的检查
 func CheckResp(szU string, resp ...*http.Response) {
- for _, r := range resp {
- CheckRespHeader(&r.Header, szU)
- GetInstance(RespBody).Check(&r, szU)
+ if nil != resp && 0 < len(resp) {
+ for _, r := range resp {
+ CheckRespHeader(&r.Header, szU)
+ GetInstance(RespBody).Check(&r, szU)
+ }
 }
 }
 
diff --git a/main.go b/main.go
index 6a9d899ee..ee5a975cb 100644
--- a/main.go
+++ b/main.go
@@ -22,6 +22,8 @@ var Version string
 /*
 go tool pprof -seconds=180 -http=:9999 http://127.0.0.1:6060/debug/pprof/heap
 no leak
+go tool pprof http://192.168.7.11:6060/debug/pprof/profile
+
 http://localhost:9999/ui/
 */
 func main() {

From 5f9d77808f18fd6af9190742454e0beae0a715f6 Mon Sep 17 00:00:00 2001
From: hktalent <18223385+hktalent@users.noreply.github.com>
Date: Thu, 21 Dec 2023 22:03:12 +0800
Subject: [PATCH 3/4] fixed can not run nuclei 2023-12-21

---
 config/config.json | 2 +-
 main.go | 2 +-
 projectdiscovery/nuclei_Yaml/nuclei_yaml.go | 5 +++--
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/config/config.json b/config/config.json
index b638b0fe0..804d04eec 100644
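Review bot: The new `if nil != f` guard in Check hides a registration bug rather than fixing it — a nil entry in r.checkFunc can only get there where the slice is appended to (outside this hunk), so rejecting nil at that point and keeping Check a plain loop would make the failure visible once instead of silently skipping it on every call. Unrelated but re-added on the new side: `log.Printf("Check %+v\n", parm)` — log.Printf already terminates each record, so the trailing `\n` emits an empty log line per check; `log.Printf("Check %+v", parm)` is enough. Note too that this line logs the full argument list at every check, which on a busy scan is a lot of output for a permanent log call.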
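Review bot: The added `nil != resp && 0 < len(resp)` guard in CheckResp is redundant — ranging over a nil or empty variadic slice already runs zero iterations — and it does not cover the nil that can actually panic here, a nil *http.Response element, because `&r.Header` dereferences r on the next line. Drop the outer if and check per element instead: `for _, r := range resp {` / `if r == nil { continue }` / `CheckRespHeader(&r.Header, szU)`. Separately, `GetInstance(RespBody).Check(&r, szU)` passes the address of the loop variable, i.e. a **http.Response, to the checkers; if they expect a *http.Response this is presumably unintended and `Check(r, szU)` is what was meant — verify against the registered check functions, which are outside this hunk.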
--- a/config/config.json
+++ b/config/config.json
@@ -79,7 +79,7 @@
 "enableMultNuclei": false,
 "enableNuclei": true,
 "enableByWaf": true,
- "enableDevDebug": true,
+ "enableDevDebug": false,
 "enableEmbedYaml": true,
 "enableFileFuzz": true,
 "httpx": {
diff --git a/main.go b/main.go
index ee5a975cb..6f1a29693 100644
--- a/main.go
+++ b/main.go
@@ -22,7 +22,7 @@ var Version string
 /*
 go tool pprof -seconds=180 -http=:9999 http://127.0.0.1:6060/debug/pprof/heap
 no leak
-go tool pprof http://192.168.7.11:6060/debug/pprof/profile
+go tool pprof http://127.0.0.1:6060/debug/pprof/profile
 
 http://localhost:9999/ui/
 */
diff --git a/projectdiscovery/nuclei_Yaml/nuclei_yaml.go b/projectdiscovery/nuclei_Yaml/nuclei_yaml.go
index 60f68091e..01a9257b5 100644
--- a/projectdiscovery/nuclei_Yaml/nuclei_yaml.go
+++ b/projectdiscovery/nuclei_Yaml/nuclei_yaml.go
@@ -31,8 +31,9 @@ func RunNuclei(buf *bytes.Buffer) {
 szP := util.SzPwd + "/config/"
 os.MkdirAll(szP+"tools/"+runtime.GOOS, os.ModePerm)
 a := []string{
- szP + "tools/" + runtime.GOOS + "/" + szCmd,
- "-t", szP + "nuclei-templates",
+ //szP + "tools/" + runtime.GOOS + "/" +
+ szCmd,
+ //"-t", szP + "nuclei-templates",
 "-sa", "-duc", "-silent", "-nc",
 }

From 0ffcfb62f4be7b5aaaebb97aad6624d5e2b59f34 Mon Sep 17 00:00:00 2001
From: 51pwn <18223385+hktalent@users.noreply.github.com>
Date: Fri, 12 Jul 2024 17:55:24 +0800
Subject: [PATCH 4/4] =?UTF-8?q?Create=20=E5=B0=8F=E7=99=BD=E9=97=AE?=
 =?UTF-8?q?=E7=AD=94.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 ...17\347\231\275\351\227\256\347\255\224.md" | 53 +++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 "\345\260\217\347\231\275\351\227\256\347\255\224.md"

diff --git "a/\345\260\217\347\231\275\351\227\256\347\255\224.md" "b/\345\260\217\347\231\275\351\227\256\347\255\224.md"
new file mode 100644
index 000000000..07ea6276b
--- /dev/null
+++ "b/\345\260\217\347\231\275\351\227\256\347\255\224.md"
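Review bot: With the first element of `a` now the bare `szCmd`, the nuclei binary is resolved through the caller's PATH instead of the bundled `config/tools/<GOOS>/` directory, while the `os.MkdirAll(szP+"tools/"+runtime.GOOS, ...)` two lines above still creates that directory (its error is also ignored) — so which executable actually runs now depends on the environment, and the `-t` templates argument disappeared in the same change, leaving template selection to nuclei's own defaults. For a tool that spawns a scanner, it is safer to resolve the path explicitly and log it, e.g. try the bundled path first and otherwise `exe, err := exec.LookPath(szCmd)` with an early return on error, rather than handing an unqualified name to the process launcher. The two commented-out lines should be removed instead of left in the literal, and a one-line comment should state that the templates directory is no longer passed and why. RunNuclei's body continues outside the hunk, so the launch call itself is not visible here.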
@@ -0,0 +1,53 @@
+# 你好我问一下scan4all可以进行poc扫描吗
+```
+1、开源的啊,开源自己加
+2、也可以加到nuclei中
+3、scan4all 集成nuclei了
+4、scan4all 也自集成了很多poc
+```
+
+# 调用poc扫描的命令你知道是什么吗
+```
+scan4all 工作流程
+1、web扫描,得到指纹信息,根据指纹调用不同的poc
+2、端口扫描,根据指纹,调用不同的多任务进行密码破解,默认情况我记得是关闭了的
+
+也就是说,如果没有捕获到指纹,poc不会运行
+```
+
+# 端口扫描是不会进行poc扫描的是吧
+```
+要的,如果端口是web http服务,会走上面 1 的流程
+开源版本scan4all,poc比较单一,依赖指纹的命中
+没有开源的版本,跳过指纹,全fuzz,而且采用多种技术混淆poc
+```
+
+# 还有没有开源的版本吗
+```
+1、目前自己用的
+2、未来可能会开源,欢迎关注
+```
+
+# 这个指纹是指的是含有某个漏洞的特征吗
+```
+指纹: 识别后端的特征,例如中间件weblogic、java、php、或者某种框架、产品等
+通过这些特征筛选出特定的poc对目标进行扫描、渗透
+
+优点:发包量小,精准度高
+缺点:一旦系统没有暴露特征,很难筛选出精准的poc。目前很多CDN、WAF都会努力屏蔽这些指纹特征。
+
+最新的scan4all、自用版本,则跳过指纹,每个目标、每个子目录都迭代若干次poc
+缺点:发包量巨大,容易被WAF识别、拦截
+优点:在没有WAF、隐藏了指纹的情况,成功率会提高
+
+```
+
+# 最新、未开源版本 scan4all 特点都有哪些
+最大的变化是,这个版本 主要以 RCE 攻击、渗透为主,抛弃无法GET Shell的一些poc
+```
+1、全fuzz
+2、每个web子目录都会分别发包
+3、每个poc除非指定不多重编码,否则每个poc会 * 多种命令 * 多种编码(各种ByPass),最后发包
+每种命令:适应不同场景,例如,目标没有wget、curl、bash、nc等情况等RCE;不同的组合,解决目标的各种刁钻古怪苛刻的环境
+多种编码:目的是绕过WAF
+```