+ {{ if .data.InfoPlugin }}
+
+
+ {{ range $plugin, $cnt := .data.VulPlugin }}
+
+ {{ end }}
+
+
+ {{ end }}
+
{{ range $index, $message := .data.VulMessage }}
- -
+
-
{{ if $message.VulnData.VulnType }} {{ $message.VulnData.VulnType }} - {{ end }}{{ $message.VulnData.Target }}
- Toggle Details
+
Toggle Details
{{ $message.Level }} {{ $message.Plugin }}
{{ if $message.VulnData.Ip }}
IP: {{ $message.VulnData.Ip }}
{{ end }}
{{ if $message.VulnData.CreateTime }}
Create Time: {{ $message.VulnData.CreateTime }}
{{ end }}
@@ -424,13 +444,77 @@
diff --git a/SCopilot/templates/index.html b/SCopilot/templates/index.html
index 33eab22..9a828dc 100644
--- a/SCopilot/templates/index.html
+++ b/SCopilot/templates/index.html
@@ -187,7 +187,6 @@ 清空所有数据
const listItems = document.querySelectorAll('.list-item');
if (searchTerm.length > 0) {
- console.log("11")
listItems.forEach(function (item) {
const itemText = item.textContent || item.innerText;
console.log(itemText.toLowerCase(searchTerm.toLowerCase()))
diff --git a/conf/default.go b/conf/default.go
index 1f6a4bf..2725ad5 100644
--- a/conf/default.go
+++ b/conf/default.go
@@ -52,5 +52,5 @@ var DangerHeaders = []string{
"X-Api-Version",
}
-// Parallelism 同时 10 插件运行
+// Parallelism 对一个网站同时扫描的最大 url 个数
var Parallelism = 10
diff --git a/conf/file.go b/conf/file.go
index 73d8736..fb8e0c3 100644
--- a/conf/file.go
+++ b/conf/file.go
@@ -20,7 +20,7 @@ var FileName = "Jie_config.yaml"
var defaultConfigYaml = []byte(`version: ` + Version + `
-parallel: 10 #同时运行几个插件
+parallel: 10 # 同时扫描的最大 url 个数
# 全局 http 发包配置
http:
diff --git a/go.mod b/go.mod
index 8aa4ec6..6c3712e 100644
--- a/go.mod
+++ b/go.mod
@@ -8,7 +8,7 @@ require (
github.com/beevik/etree v1.3.0
github.com/buger/jsonparser v1.1.1
github.com/gin-gonic/gin v1.9.1
- github.com/go-rod/rod v0.114.8 // indirect
+ github.com/go-rod/rod v0.114.8
github.com/google/go-github v17.0.0+incompatible // indirect
github.com/google/uuid v1.6.0
github.com/json-iterator/go v1.1.12 // indirect
diff --git a/lib.go b/lib.go
index 5b9e890..fa25485 100644
--- a/lib.go
+++ b/lib.go
@@ -5,6 +5,7 @@ import (
"github.com/yhy0/Jie/SCopilot"
"github.com/yhy0/Jie/conf"
"github.com/yhy0/Jie/crawler"
+ "github.com/yhy0/Jie/pkg/mode"
"github.com/yhy0/Jie/pkg/output"
"github.com/yhy0/logging"
"net/url"
@@ -76,4 +77,6 @@ func lib() {
logging.Logger.Infoln(aurora.Red(v.PrintScreen()).String())
}
}()
+
+ mode.Active("http://testphp.vulnweb.com/", nil)
}
diff --git a/scan/bbscan/README.md b/scan/bbscan/README.md
index e532aa1..3b74780 100644
--- a/scan/bbscan/README.md
+++ b/scan/bbscan/README.md
@@ -7,4 +7,5 @@
- type_no 返回包 Content-Type 格式不包括
- tag 返回包内容匹配
- root_only 只有主目录下才会存在该路径
-- fingprints 网站的指纹, 多种形式以 , 分割 表示或
\ No newline at end of file
+- fingprints 网站的指纹, 多种形式以 , 分割 表示或
+
diff --git a/scan/bbscan/bbscan.go b/scan/bbscan/bbscan.go
index a7733a3..b92e154 100644
--- a/scan/bbscan/bbscan.go
+++ b/scan/bbscan/bbscan.go
@@ -270,7 +270,7 @@ func BBscan(u string, root bool, fingprints []string, header map[string]string,
wg.Add(1)
ch <- struct{}{}
- go func(t string, r *Rule) {
+ go func(t string, _path string, r *Rule) {
defer wg.Done()
defer func() { <-ch }()
<-time.After(time.Duration(100) * time.Millisecond)
@@ -285,7 +285,7 @@ func BBscan(u string, root bool, fingprints []string, header map[string]string,
}
// 黑名单,跳过
- if scan_util.IsBlackHtml(res.Body, res.Header["Content-Type"]) {
+ if scan_util.IsBlackHtml(res.Body, res.Header["Content-Type"], _path) {
return
}
@@ -377,7 +377,7 @@ func BBscan(u string, root bool, fingprints []string, header map[string]string,
}
}
}
- }(target, rule)
+ }(target, path, rule)
}
@@ -407,7 +407,7 @@ func SingleScan(targets []string, path string) {
return
}
// 黑名单,跳过
- if scan_util.IsBlackHtml(res.Body, res.Header["Content-Type"]) {
+ if scan_util.IsBlackHtml(res.Body, res.Header["Content-Type"], path) {
return
}
diff --git a/scan/bbscan/bbscan_test.go b/scan/bbscan/bbscan_test.go
new file mode 100644
index 0000000..0d4e633
--- /dev/null
+++ b/scan/bbscan/bbscan_test.go
@@ -0,0 +1,16 @@
+package bbscan
+
+import (
+ "fmt"
+ "testing"
+)
+
+/**
+ @author yhy
+ @since 2024/4/26
+ @desc //TODO
+**/
+
+func TestBBscan(t *testing.T) {
+ fmt.Println(Rules["/util/exec_sh?filePath=1"])
+}
diff --git a/scan/bbscan/rules/go_pprof_debug.txt b/scan/bbscan/rules/go_pprof_debug.txt
index 17fa13d..775c924 100644
--- a/scan/bbscan/rules/go_pprof_debug.txt
+++ b/scan/bbscan/rules/go_pprof_debug.txt
@@ -1,3 +1,3 @@
# add golang pprof
-/debug/pprof/heap?debug=1 {status=200} {type="text/plain"} {tag="heap profile"}
-/pprof/heap?debug=1 {status=200} {type="text/plain"} {tag="heap profile"}
+/debug/pprof/goroutine?debug=1 {status=200} {type="text/plain"} {tag="goroutine profile"}
+/pprof/goroutine?debug=1 {status=200} {type="text/plain"} {tag="goroutine profile"}
diff --git a/scan/gadget/swagger/swagger.go b/scan/gadget/swagger/swagger.go
index bf97a61..77dfe62 100644
--- a/scan/gadget/swagger/swagger.go
+++ b/scan/gadget/swagger/swagger.go
@@ -441,6 +441,10 @@ func scanApi(method, baseUrl, path, queryParams, bodyParams string, header map[s
}
func scanSwagger(method, target, bodyParams string, header map[string]string, client *httpx.Client) {
+ parse, err := url.Parse(target)
+ if err != nil {
+ return
+ }
// util.HttpProxy = "http://127.0.0.1:8080"
if strings.EqualFold(method, "get") {
res, err := client.Request(target, "GET", "", header)
@@ -448,9 +452,8 @@ func scanSwagger(method, target, bodyParams string, header map[string]string, cl
logging.Logger.Errorf("scanApi(GET %s) err %v", target, err)
return
}
-
// 可能是未授权, 然后对 200 的进行ssrf、注入测试
- if res.StatusCode == 200 && !util2.IsBlackHtml(res.Body, res.Header["Content-Type"]) {
+ if res.StatusCode == 200 && !util2.IsBlackHtml(res.Body, res.Header["Content-Type"], parse.Path) {
logging.Logger.Infof("Possibly unauthorized access: GET %s", target)
in := &input.CrawlResult{
@@ -523,7 +526,7 @@ func scanSwagger(method, target, bodyParams string, header map[string]string, cl
return
}
- if res.StatusCode == 200 && !util2.IsBlackHtml(res.Body, res.Header["Content-Type"]) { // 可能是未授权
+ if res.StatusCode == 200 && !util2.IsBlackHtml(res.Body, res.Header["Content-Type"], parse.Path) { // 可能是未授权
payload := fmt.Sprintf("%s %s %s", method, target, bodyParams)
logging.Logger.Infof("Possibly unauthorized access: %s", payload)
diff --git a/scan/util/black.go b/scan/util/black.go
index 7620ebf..5d78fa8 100644
--- a/scan/util/black.go
+++ b/scan/util/black.go
@@ -21,7 +21,7 @@ type BlackRule struct {
Rule string
}
-func IsBlackHtml(str string, contentType []string) bool {
+func IsBlackHtml(str string, contentType []string, uri string) bool {
for _, rule := range BlackLists {
if rule.Type == "text" {
if util.Contains(str, rule.Rule) {
@@ -40,10 +40,15 @@ func IsBlackHtml(str string, contentType []string) bool {
}
if len(str) < 250 && util.InSliceCaseFold("application/json", contentType) {
- reg, _ := regexp.Compile(`(?i)("(status|code|statusCode)"(\s+)?:(\s+)?(400|401|404|502)|"(message|msg)"(\s+)?:(\s+)?.*?(not exist|not found|请求非法)|not found)`)
+ reg, _ := regexp.Compile(`(?i)("(status|code|statusCode)"(\s+)?:(\s+)?(1\d{2}|400|401|404|5\d{2})|"(message|msg)"(\s+)?:(\s+)?.*?(not exist|not found|请求非法|Not Authorized)|not found)`)
if len(reg.FindStringSubmatch(str)) > 0 {
return true
}
+
+ // {"code":500,"msg":"No handler found for GET /assets/.env","data":null} 类似这种也是没啥用的
+ if strings.Contains(str, uri) {
+ return true
+ }
}
return false