增加: 实验性的简易端口扫描

jasonsheh · Nov 16, 2018 · f686a44 · f686a44
1 parent 0305c70
commit f686a44
Show file tree

Hide file tree

Showing 9 changed files with 92 additions and 20 deletions.
diff --git a/core/controller.go b/core/controller.go
@@ -2,35 +2,67 @@ package core
 
 import (
 	"./info"
+	"./vuln"
 	"fmt"
 	"time"
 )
 
-func Control(domain string, dictLocation string, subDomainOption bool, sensitiveDirectoryOption bool, titleOption bool, thirdOption bool) {
+type InfoOption struct {
+	DictLocation             string
+	SubDomainOption          bool
+	TitleOption              bool
+	ThirdOption              bool
+	PortOption               bool
+	SensitiveDirectoryOption bool
+}
+
+func ControlInfo(domain string, infoOpt InfoOption) {
 	var allResults []info.SubDomainType
 
-	if subDomainOption {
-		allResults = info.SubDomain(domain, dictLocation, thirdOption, titleOption)
+	if infoOpt.SubDomainOption {
+		allResults = info.SubDomain(domain, infoOpt.DictLocation, infoOpt.ThirdOption, infoOpt.TitleOption, infoOpt.PortOption)
 
 		// 标题获取
-		if titleOption {
+		if infoOpt.TitleOption {
 			t := time.Now()
 			allResults = info.RunGetTitle(allResults)
 			fmt.Println("Title: ", time.Since(t))
 		}
 
+		if infoOpt.PortOption {
+			t := time.Now()
+			allResults = info.RunGetTitle(allResults)
+			fmt.Println("Port: ", time.Since(t))
+		}
+
 		// 保存csv
 		info.SaveFile("./results/"+domain+".csv", allResults)
 	}
 
 	// 同时子域名爆破和敏感目录扫描，则无需读取文件 -sub -sen
-	if sensitiveDirectoryOption && subDomainOption {
+	if infoOpt.SensitiveDirectoryOption && infoOpt.SubDomainOption {
 		for _, resultTemp := range allResults {
 			info.SensetiveDirectory(resultTemp.Domain)
 		}
 
 		// 对一个网站扫描 -sen
-	} else if sensitiveDirectoryOption {
+	} else if infoOpt.SensitiveDirectoryOption {
 		info.SensetiveDirectory(domain)
 	}
 }
+
+func ControlVuln(target string, sqliOption bool, xssOption bool, crawlOption bool) {
+	if crawlOption {
+		urls := vuln.Crawler(target)
+		if sqliOption {
+			for _, url := range urls {
+				vuln.Sqli(url)
+			}
+		}
+	}else if sqliOption {
+		vuln.Sqli(target)
+	}
+	if xssOption {
+		vuln.Xss(target)
+	}
+}
diff --git a/core/info/dnsquery.go → core/info/dns_query.go b/core/info/dnsquery.go → core/info/dns_query.go
diff --git a/core/info/port.go b/core/info/port.go
@@ -0,0 +1,23 @@
+package info
+
+import (
+	"fmt"
+	"net"
+)
+
+func GetPort(ipStr string) {
+	ip := net.ParseIP(ipStr)
+	portList := []int{80, 443, 3306, 8080}
+	for _, port := range portList {
+		tcpAddr := net.TCPAddr{
+			IP:   ip,
+			Port: port,
+		}
+		conn, err := net.DialTCP("tcp", nil, &tcpAddr)
+		if err != nil {
+			continue
+		}
+		conn.Close()
+		fmt.Println(ip, port, "open")
+	}
+}
diff --git a/core/info/savefile.go → core/info/save_file.go b/core/info/savefile.go → core/info/save_file.go
diff --git a/core/info/searchdomain.go → core/info/search_domain.go b/core/info/searchdomain.go → core/info/search_domain.go
@@ -2,7 +2,6 @@ package info
 
 import (
 	"../../utils"
-	"fmt"
 	"io/ioutil"
 	"net/http"
 	"regexp"
@@ -26,7 +25,7 @@ func (s searchDomain) searchSingleDomain(pageRange int, baseDomain string) []str
 		body, err := ioutil.ReadAll(resp.Body)
 		utils.CheckError(err)
 		resp.Body.Close()
-		bodyString := fmt.Sprintf("%s", body)
+		bodyString := string(body)
 
 		pattern, err := regexp.Compile(s.searchReg)
 		utils.CheckError(err)
@@ -67,7 +66,7 @@ func apiSubDomain(baseDomain string) []string {
 	body, err := ioutil.ReadAll(resp.Body)
 	utils.CheckError(err)
 	resp.Body.Close()
-	bodyString := fmt.Sprintf("%s", body)
+	bodyString := string(body)
 	bodyList := strings.SplitN(bodyString, "\n", -1)
 	for _, eachLine := range bodyList {
 		prefix := strings.Split(eachLine, "."+baseDomain)[0]

diff --git a/core/info/sensitivedirectory.go → core/info/sensitive_directory.go b/core/info/sensitivedirectory.go → core/info/sensitive_directory.go
diff --git a/core/info/subdomain.go b/core/info/subdomain.go
@@ -90,11 +90,13 @@ func subDomainBrute(baseDomain string, domainList chan string, titleOption bool)
 		if !titleOption {
 			fmt.Println(result.Domain, result.Cname, result.IP)
 		}
+
+
 	}
 	return allResults
 }
 
-func SubDomain(domain string, dictLocation string, thirdOption bool, titleOption bool) []SubDomainType {
+func SubDomain(domain string, dictLocation string, thirdOption bool, titleOption bool, portOption bool) []SubDomainType {
 	baseDomain := domain
 	domainList := make(chan string)
 

diff --git a/core/info/title.go b/core/info/title.go
@@ -33,10 +33,13 @@ func RunGetTitle(allResults []SubDomainType) []SubDomainType {
 func getTitle() {
 	pattern, err := regexp.Compile("<title ?>(?ms)(.*?)</title ?>")
 	utils.CheckError(err)
+	client := http.Client{
+		Timeout: time.Duration(5 * time.Second),
+	}
 	for {
 		select {
 		case result := <-title:
-			resp, err := http.Get("http://" + result.Domain)
+			resp, err := client.Get("http://" + result.Domain)
 			if err != nil {
 				fmt.Println(result.Domain, result.Cname, result.IP)
 				continue

diff --git a/main.go b/main.go
@@ -1,20 +1,27 @@
 package main
 
 import (
+	"./core"
 	"flag"
 	"fmt"
-	"./core"
 )
 
 func main() {
-	domain := flag.String("domain", "baidu.com", "determine target ")
-	dictLocation := flag.String("dict", "./dict/domain.txt", "brute-dict location. default ./dict/domain.txt")
-	subdomainOption := flag.Bool("sub", false, "brute subdomains of target")
-	titleOption := flag.Bool("title", false, "get website title (slow)")
-	thirdOption := flag.Bool("third", false, "get third-level info (slow)")
-	sensitiveDirectoryOption := flag.Bool("sendir", false, "brute sensitive directory of target")
-	version := flag.Bool("version", false, "print program version")
+	var infoOpt core.InfoOption
+	target := flag.String("target", "baidu.com", "determine target ")
 
+	infoOpt.DictLocation = *flag.String("dict", "./dict/domain.txt", "brute-dict location. default ./dict/domain.txt")
+	infoOpt.SubDomainOption = *flag.Bool("sub", false, "brute subdomains of target")
+	infoOpt.TitleOption = *flag.Bool("title", false, "get website title (slow)")
+	infoOpt.ThirdOption = *flag.Bool("third", false, "get third-level info (slow)")
+	infoOpt.PortOption = *flag.Bool("port", false, "get ip open port only work with sub domain brute otherwise use nmap or masscan")
+	infoOpt.SensitiveDirectoryOption = *flag.Bool("dir", false, "brute sensitive directory of target")
+
+	sqliOption := flag.Bool("sqli", false, "test sql injection")
+	xssOption := flag.Bool("xss", false, "test xss injection")
+	crawlOption := flag.Bool("crawl", false, "crawler one site")
+
+	version := flag.Bool("version", false, "print program version")
 
 	flag.Parse()
 
@@ -30,5 +37,11 @@ func main() {
 		return
 	}
 
-	core.Control(*domain, *dictLocation, *subdomainOption, *sensitiveDirectoryOption, *titleOption, *thirdOption)
+	if *sqliOption || *xssOption || *crawlOption {
+		core.ControlVuln(*target, *sqliOption, *xssOption, *crawlOption)
+	}
+
+	if infoOpt.SubDomainOption || infoOpt.SensitiveDirectoryOption || infoOpt.TitleOption {
+		core.ControlInfo(*target, infoOpt)
+	}
 }