0.5

Author: a1phaboy

Console/console.go

@@ -39,6 +39,10 @@ func Start(options Utils.Option){
 		}(k,v,ch)
 	}
 	wg.Wait()
+	if options.Result != ""{
+		writeResults(options.Result,results)
+	}
+	fmt.Println(results)
 }
 
 func initTargetList(options Utils.Option,targets *[]string) {
@@ -68,3 +72,19 @@ func initTargetList(options Utils.Option,targets *[]string) {
 		}
 	}
 }
+
+func writeResults(file string, results []Utils.Result ){
+	var f *os.File
+	var err error
+	f,err = os.Create(file)
+	if err != nil{
+		fmt.Println(err.Error())
+		return
+	}
+	for _,v := range results{
+		if v.Type == "Fastjson" {
+			info := Utils.SCAN_RESULTS_OUTPUT_FACTORY(v)
+			_, err = io.WriteString(f, info)
+		}
+	}
+}

Detect/Detect.go renamed to Detect/detect.go

@@ -16,8 +16,9 @@ import (
 ***	识别fastjson(主要通过报错回显的方式)
 **/
 
+
 func DetectFastjson(url string) (bool,string){
-	fmt.Println("[+] 正在进行报错识别")
+	fmt.Println("["+url+"] :"+"[+] 正在进行报错识别")
 	jsonType, _ := ErrDetectVersion(url)
 	if jsonType == "jackson" {
 		return false,Utils.NOT_FS
@@ -34,57 +35,64 @@ func DetectFastjson(url string) (bool,string){
 
 func DetectVersion(url string ) Utils.Result {
 	var result Utils.Result
+	Utils.InitResult(result)
 	fmt.Println("开始检测 "+url)
 	result.Url = url
-	//是否出网
 	var payloads Utils.DNSPayloads
 	isFastjson,jsonType := DetectFastjson(url)
 	if jsonType == "jackson" {
 		result.Type = jsonType
 		return result
 	}
 	//出网探测
-	fmt.Println("[+] 正在进行出网探测")
+	fmt.Println("["+result.Url+"] :"+"[+] 正在进行出网探测")
 	payload, session := Utils.NET_DETECT_FACTORY()
-	if DnslogDetect(url, payload, session) != "[]" {
-		//出网
-		fmt.Println("[*] 目标可出网")
-		result.Netout = true
-		result.Type = "Fastjson"
-		fmt.Println("[+] 正在进行 AutoType状态 探测")
-		result.AutoType = DetectAutoType(url)
-		result.Dependency = DetectDependency(url)
-		if isFastjson && jsonType != Utils.NOT_FS && jsonType != ""{
-			fmt.Println("[+] Fastjson版本为 "+jsonType)
-			result.Version = jsonType
-			return result
-		}
-		fmt.Println("[+] 正在进行版本探测")
-		payloads, session = Utils.DNS_DETECT_FACTORY()
-		if DnslogDetect(url, payloads.Dns_48, session) == "48" {
-			result.Version = Utils.FJ_UNDER_48
-			return result
-		}
-		if DnslogDetect(url, payloads.Dns_68, session) == "68" {
-			if result.AutoType{
-				result.Version = Utils.FJ_BEYOND_48
+	record := DnslogDetect(url, payload, session)
+	if record != "[]" {
+		if record != Utils.NETWORK_NOT_ACCESS {
+			//出网
+			fmt.Println("[" + result.Url + "] :" + "[*] 目标可出网")
+			result.Netout = true
+			result.Type = "Fastjson"
+			fmt.Println("[" + result.Url + "] :" + "[+] 正在进行 AutoType状态 探测")
+			result.AutoType = DetectAutoType(url)
+			result.Dependency = DetectDependency(url)
+			if isFastjson && jsonType != Utils.NOT_FS && jsonType != "" {
+				fmt.Println("[" + result.Url + "] :" + "[+] Fastjson版本为 " + jsonType)
+				result.Version = jsonType
 				return result
 			}
-			result.Version = Utils.FJ_BETWEEN_48_68
-			return result
-		}
-		if DnslogDetect(url, payloads.Dns_80, session) == "80" {
-			result.Version = Utils.FJ_BETWEEN_69_80
-			return result
-		}
-		if DnslogDetect(url, payloads.Dns_80, session) == "83" {
-			result.Version = Utils.FS_BEYOND_80
-			return result
+			fmt.Println("[" + result.Url + "] :" + "[+] 正在进行版本探测")
+			payloads, session = Utils.DNS_DETECT_FACTORY()
+			if DnslogDetect(url, payloads.Dns_48, session) == "48" {
+				result.Version = Utils.FJ_UNDER_48
+				return result
+			}
+			if DnslogDetect(url, payloads.Dns_68, session) == "68" {
+				if result.AutoType {
+					result.Version = Utils.FJ_BEYOND_48
+					return result
+				}
+				result.Version = Utils.FJ_BETWEEN_48_68
+				return result
+			}
+			if DnslogDetect(url, payloads.Dns_80, session) == "80" {
+				result.Version = Utils.FJ_BETWEEN_69_80
+				return result
+			}
+			if DnslogDetect(url, payloads.Dns_80, session) == "83" {
+				result.Version = Utils.FS_BEYOND_80
+				return result
+			}
+		}else{
+			fmt.Println("客户端与dnslog平台网络不可达")
+			//内网测试场景  施工中
 		}
+
 	} else {
 		//不出网
-		fmt.Println("[-] 目标不出网")
-		fmt.Println("[+] 正在进行延迟探测")
+		fmt.Println("["+result.Url+"] :"+"[-] 目标不出网")
+		fmt.Println("["+result.Url+"] :"+"[+] 正在进行延迟探测")
 		if TimeDelayCheck(url) {
 			result.Netout = false
 			result.Type = "Fastjson"
@@ -95,7 +103,7 @@ func DetectVersion(url string ) Utils.Result {
 		}
 	}
 
-	result.Type = ""
+	result.Type = jsonType
 	return result
 }
 
@@ -105,25 +113,25 @@ func DetectVersion(url string ) Utils.Result {
 **/
 
 func DetectDependency(target string)[]string{
-	fmt.Println("[+] 正在进行依赖库探测")
-	fmt.Println("[+] 正在进行报错探测")
-	var result []string
+	fmt.Println("["+target+"] :"+"[+] 正在进行依赖库探测")
+	fmt.Println("["+target+"] :"+"[+] 正在进行报错探测")
+	var results []string
 	findDependency := ErrDetectDependency(target,Utils.DEPENDENCY_ERR_DETECT_FACTORY())
 	//fmt.Println(findDependency)
 	if findDependency[0] == "" {
-		fmt.Println("[-] 报错探测未发现任何依赖库")
-		result[0] = ""
+		fmt.Println("["+target+"] :"+"[-] 报错探测未发现任何依赖库")
+		results[0] = ""
 	}else{
-		fmt.Println("[*] 发现依赖库如下")
+		fmt.Println("["+target+"] :"+"[*] 发现依赖库如下")
 		for dependency := range findDependency{
 			if findDependency[dependency] != "" {
 				fmt.Println(findDependency[dependency])
-				result = append(result,findDependency[dependency])
+				results = append(results,findDependency[dependency])
 			}
 
 		}
 	}
-	return result
+	return results
 }
 
 
@@ -134,16 +142,17 @@ func DetectDependency(target string)[]string{
 
 func DetectAutoType(url string) bool{
 	dnsurl,session := Utils.GetDnslogUrl()
-	var result bool
+	var autoTypeStatus bool
 	payload := Utils.AUTOTYPE_DETECT_FACTORY(dnsurl)
-	if DnslogDetect(url,payload,session) == "[]" {
-		fmt.Println("[-] 目标没有开启 AutoType")
-		result = false
+	record := DnslogDetect(url,payload,session)
+	if  record == "[]" || record == Utils.NETWORK_NOT_ACCESS{
+		fmt.Println("["+url+"] :"+"[-] 目标没有开启 AutoType")
+		autoTypeStatus = false
 	}else{
-		fmt.Println("[*] 目标开启了 AutoType ")
-		result = true
+		fmt.Println("["+url+"] :"+"[*] 目标开启了 AutoType ")
+		autoTypeStatus = true
 	}
-	return result
+	return autoTypeStatus
 }
 
 func DnslogDetect(target string,payload string,session string) string{
@@ -178,7 +187,11 @@ func ErrDetectVersion(target string) (string,bool){
 	httpReq.Header.Add("Content-Type", "application/json")
 	httpRsp, err := http.DefaultClient.Do(httpReq)
 	if err != nil {
-		err.Error()
+		httpRsp = Utils.NetWorkErrHandle(http.DefaultClient,httpReq,err)
+		if httpRsp == nil{
+			fmt.Println("与"+target+"网络不可达,请检查网络")
+			return Utils.NETWORK_NOT_ACCESS,false
+		}
 	}
 	defer httpRsp.Body.Close()
 	body, err := ioutil.ReadAll(httpRsp.Body)
@@ -236,15 +249,15 @@ func TimeDelayCheck(url string) bool{
 	var count int
 	var start int64
 	var pos int64 = 0
-	for i := 0; i < 5; i++ {
+	for i := 0; i < 6; i++ {
 		start = pos
-		payloads := Utils.TIME_DETECT_FACTORY(5)
+		payloads := Utils.TIME_DETECT_FACTORY(6)
 		pos = TimeGet(url,payloads[i])
 		if pos - start > 0{
 			count ++
 		}
 	}
-	if count > 3 {
+	if count > 4 {
 		return true
 	}
 	return false

README.md

@@ -12,6 +12,7 @@ FastjsonExpFramework一共分为探测、利用、混淆、bypass JDK等多个
 
 ### HOW?
 目前fastjsonScan支持  
+☑️支持批量接口探测  
 ☑️1.2.83及以下的区间探测(主要分为48,68,80三大安全版本)  
 ☑️支持报错回显探测  
 ☑️DNS出网检测  
@@ -21,9 +22,11 @@ FastjsonExpFramework一共分为探测、利用、混淆、bypass JDK等多个
 
 ### TODO
 适配内网环境下的探测  
+适配webpack做自动化扫描  
 完善DNS回显探测依赖库的探测  
 完善在61版本以上并且不出网的检测方式  
-完善其他不同json解析库的探测  
+完善其他不同json解析库的探测
+完善相关依赖库检测
 
 ### 如果在使用过程中有任何问题欢迎提出issues👏
 

Utils/dnslog.go

@@ -1,6 +1,7 @@
 package Utils
 
 import (
+	"fmt"
 	"io/ioutil"
 	"math/rand"
 	"net/http"
@@ -20,8 +21,16 @@ func GetDnslogUrl()	(string,string){
 		err.Error()
 	}
 	req.Header.Add("Cookie","PHPSESSID="+session)
-	resp, _ := client.Do(req)
+	resp, err := client.Do(req)
+	if err != nil{
+		resp = NetWorkErrHandle(client,req,err)
+		if resp == nil{
+			fmt.Println("与dns平台网络不可达,请检查网络")
+			return NETWORK_NOT_ACCESS,""
+		}
+	}
 	domain, _ := ioutil.ReadAll(resp.Body)
+
 	return string(domain),session
 }
 
@@ -32,7 +41,14 @@ func GetDnslogRecord(PHPSESSID string) string{
 		err.Error()
 	}
 	req.Header.Add("Cookie","PHPSESSID=" + PHPSESSID)
-	resp, _ := client.Do(req)
+	resp, err := client.Do(req)
+	if err != nil{
+		resp = NetWorkErrHandle(client,req,err)
+		if resp == nil{
+			fmt.Println("与dns平台网络不可达,请检查网络")
+			return NETWORK_NOT_ACCESS
+		}
+	}
 	body, _ := ioutil.ReadAll(resp.Body)
 	dns_48 := regexp.MustCompile(`48_.`)
 	dns_68 := regexp.MustCompile(`68_.`)

Utils/err.go

@@ -0,0 +1,41 @@
+package Utils
+
+import (
+	"net/http"
+	"strings"
+	"time"
+)
+
+/**
+***	异常处理函数封装
+**/
+
+func NetWorkErrHandle(client *http.Client,req *http.Request,err error) *http.Response{
+	if strings.Contains(err.Error(), "Timeout") {
+		i := 0
+		for {
+			time.Sleep(2 * time.Second)
+			resp, err := client.Do(req)
+			i++
+			if err == nil {
+				return resp
+			}
+			if i > 3 {
+				defer client.CloseIdleConnections()
+				return nil
+			}
+		}
+	} else {
+		defer client.CloseIdleConnections()
+		return nil
+	}
+}
+
+
+
+
+
+
+
+
+

Utils/factory.go

@@ -149,3 +149,35 @@ func DEPENDENCY_ERR_DETECT_FACTORY() map[string]string{
 	return payloads
 
 }
+
+func SCAN_RESULTS_OUTPUT_FACTORY(result Result) string{
+	var outputString string
+	var buffer bytes.Buffer
+	var outputStringTemplate = RESULT_OUTPUT
+	var net string
+	var autotype string
+	if result.Netout{
+		net = "可出网"
+	}else{
+		net = "不出网"
+	}
+	if result.AutoType {
+		autotype = "开启"
+	}else{
+		autotype = "未开启"
+	}
+	field := &ResultFomat{}
+	field.Variables = make(map[string]string)
+	field.Dependency = make([]string,len(result.Dependency))
+	field.Variables["Url"] = result.Url
+	field.Variables["Version"] = result.Version
+	field.Variables["Netout"] = net
+	field.Variables["Autotype"] = autotype
+	field.Dependency = result.Dependency
+	buffer.Reset()
+	resultTemplate ,_ := template.New("field").Parse(outputStringTemplate)
+	_ = resultTemplate.Execute(&buffer,field)
+	outputString  = buffer.String()
+	return outputString
+}
+