--payload新增从文件中读的功能, 并允许通过--attack-type指定参数组合方式.

v2/go.mod

@@ -4,13 +4,12 @@ go 1.10
 
 require (
 	github.com/M09ic/go-ntlmssp v1.2.9
-	github.com/chainreactors/files v0.2.0
+	github.com/chainreactors/files v0.2.3
 	github.com/chainreactors/ipcs v0.0.9
 	github.com/chainreactors/logs v0.5.0
 	github.com/chainreactors/parsers v0.0.2
 	github.com/jessevdk/go-flags v1.5.0
 	github.com/panjf2000/ants/v2 v2.5.0
 	golang.org/x/net v0.0.0-20190603091049-60506f45cf65
 	golang.org/x/sys v0.0.0-20220209214540-3681064d5158 // indirect
-	sigs.k8s.io/yaml v1.3.0 // indirect
 )

v2/go.sum

@@ -1,7 +1,8 @@
 github.com/M09ic/go-ntlmssp v1.2.9 h1:VVpoldqbRlmyhxrVsJBy0qjAF1RSq89kSLEie/IWRew=
 github.com/M09ic/go-ntlmssp v1.2.9/go.mod h1:yMNEF6ulbFipt3CakMhcmcNVACshPRG4Ap4l00V+mMs=
-github.com/chainreactors/files v0.2.0 h1:LeN97o4VxIvK9ZACjXfdRTR+N7puXuWyQO5GarCkMLM=
 github.com/chainreactors/files v0.2.0/go.mod h1:/Xa9YXhjBlaC33JTD6ZTJFig6pcplak2IDcovf42/6A=
+github.com/chainreactors/files v0.2.3 h1:rDU53H9BPFyQWuIsjZdTm4m7e2/SSemobaU2QUVfLow=
+github.com/chainreactors/files v0.2.3/go.mod h1:/Xa9YXhjBlaC33JTD6ZTJFig6pcplak2IDcovf42/6A=
 github.com/chainreactors/ipcs v0.0.9 h1:4Onroq7gXLG5SLCCgNDx3JmtLxB4XgepGdHCtLp1Ows=
 github.com/chainreactors/ipcs v0.0.9/go.mod h1:E9M3Ohyq0TYQLlV4i2dbM9ThBZB1Nnd7Oexoie2xLII=
 github.com/chainreactors/logs v0.5.0 h1:6CwTR1KaqZS0quIQRU3Ceq/gBoV0+seUF8gUJTrZvew=
@@ -42,10 +43,6 @@ golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
-sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=

v2/internal/core/options.go

@@ -71,6 +71,7 @@ type ConfigOption struct {
 	ExploitFile string   `long:"ef" description:"String, load specified templates file "`                   // 指定漏扫文件
 	Filters     []string `long:"filter" description:"String, filter formatting(-F) results "`
 	Payloads    []string `long:"payload" description:"String, specify nuclei payload"`
+	AttackType  string   `long:"attack-type" description:"nuclei attack types, sniper|clusterbomb|pitchfork" choice:"pitchfork" choice:"clusterbomb" choice:"sniper"`
 	Extract     []string `long:"extract" description:"String, custom Extract regexp"`
 	Extracts    string   `long:"extracts" description:"String, choice preset Extract regexp, e.g. --Extracts ip,url"`
 	Delay       int      `short:"d" long:"timeout" default:"2" description:"Int, socket and http timeout"`

v2/internal/core/runner.go

@@ -142,6 +142,9 @@ func (r *Runner) Init() {
 
 	// 加载配置文件中的全局变量
 	templatesLoader()
+	if r.AttackType != "" {
+		ExecuterOptions.Options.AttackType = r.AttackType
+	}
 	nucleiLoader(r.ExploitFile, r.Payloads)
 }
 

v2/pkg/load_nuclei.go

@@ -3,6 +3,7 @@ package pkg
 import (
 	"encoding/json"
 	"fmt"
+	"github.com/chainreactors/files"
 	"github.com/chainreactors/gogo/v2/pkg/nuclei/protocols"
 	"github.com/chainreactors/gogo/v2/pkg/nuclei/templates"
 	"github.com/chainreactors/gogo/v2/pkg/utils"
@@ -22,8 +23,9 @@ func ParserCmdPayload(payloads []string) *protocols.ExecuterOptions {
 
 	var vars = make(map[string][]interface{})
 	for _, payload := range payloads {
-		if i := strings.Index(payload, ":"); i != -1 {
-			vars[payload[:i]] = append(vars[payload[:i]], payload[i+1:])
+		if i := strings.Index(payload, "="); i != -1 {
+			content := files.LoadCommonArg(payload[i+1:])
+			vars[payload[:i]] = append(vars[payload[:i]], utils.CleanSpiltCFLR(string(content)))
 		} else {
 			fmt.Println("[warn] incorrect format, skip " + payload)
 		}

v2/pkg/nuclei/protocols/http/request.go

@@ -232,10 +232,17 @@ func (r *Request) Compile(options *protocols.ExecuterOptions) error {
 	}
 
 	if len(r.Payloads) > 0 {
-		attackType := r.AttackType
-		if attackType == "" {
+		var attackType string
+		if r.options.Options.AttackType != "" {
+			attackType = r.options.Options.AttackType
+		} else if len(r.options.Options.VarsPayload) > 0 {
+			attackType = "clusterbomb"
+		} else if r.AttackType != "" {
+			attackType = r.AttackType
+		} else {
 			attackType = "sniper"
 		}
+
 		r.attackType = protocols.StringToType[attackType]
 		// 允许使用命令行定义对应的参数, 会替换对应的参数, 如果参数的数量对不上可能会报错
 		for k, v := range r.options.Options.VarsPayload {

v2/pkg/nuclei/protocols/options.go

@@ -2,4 +2,5 @@ package protocols
 
 type Options struct {
 	VarsPayload map[string]interface{}
+	AttackType  string
 }

v2/pkg/result_data.go

@@ -317,7 +317,8 @@ func loadSmartResult(content []byte) (*SmartData, error) {
 
 func LoadResultFile(file *os.File) interface{} {
 	var data interface{}
-	content, err := DecryptFile(file, Key)
+	var err error
+	content := DecryptFile(file, Key)
 
 	content = bytes.TrimSpace(content) // 去除前后空格
 	if bytes.Contains(content, []byte("\"smartb\",")) || bytes.Contains(content, []byte("\"smartc\",")) || bytes.Contains(content, []byte("\"ping\",")) {
@@ -334,7 +335,7 @@ func LoadResultFile(file *os.File) interface{} {
 	} else if !IsJson(content) {
 		// 解析按行分割的 ip:port:framework 输入
 		var results Results
-		for _, target := range strings.Split(string(content), "\n") {
+		for _, target := range utils.CleanSpiltCFLR(string(content)) {
 			var result *Result
 			if strings.Contains(target, ":") {
 				if strings.Contains(target, "http") {