修复fofa语法解析

0x727 · Aug 8, 2024 · de8bf81 · de8bf81
1 parent 00911a1
commit de8bf81
Show file tree

Hide file tree

Showing 9 changed files with 91 additions and 25 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -11,5 +11,5 @@ serde = { version = "1.0.196", features = ["derive"] }
 serde_yaml = "0.9"
 serde_json = "1"
 pinyin = "0.10.0"
-engine = { git = "https://github.com/emo-crab/observer_ward.git" }
-#engine = { path = "../observer_ward/engine" }
+#engine = { git = "https://github.com/emo-crab/observer_ward.git" }
+engine = { path = "../observer_ward/engine" }
diff --git a/src/cli.rs b/src/cli.rs
@@ -1,5 +1,5 @@
-use std::path::PathBuf;
 use argh::FromArgs;
+use std::path::PathBuf;
 
 #[derive(Debug, Clone, FromArgs)]
 #[argh(description = "observer_ward version")]

diff --git a/src/lib.rs b/src/lib.rs
@@ -4,13 +4,13 @@ pub mod nmap;
 mod service;
 mod v3;
 
-pub use v3::{WebFingerPrint, V3WebFingerPrint};
 use crate::error::{new_io_error, Result};
 pub use crate::service::match_line::MatchLine;
 pub use crate::service::probe::{Probe, ZeroDuration};
 use engine::request::PortRange;
-use std::str::{FromStr, Lines};
 use pinyin::ToPinyin;
+use std::str::{FromStr, Lines};
+pub use v3::{V3WebFingerPrint, WebFingerPrint};
 
 // 转下划线风格
 pub fn to_kebab_case(input: &str) -> String {

diff --git a/src/main.rs b/src/main.rs
@@ -138,7 +138,7 @@ fn sync_nuclei() {
                       .join(sub_tag)
                       .join(yaml_path.file_name().unwrap().to_string_lossy().to_string()),
                   )
-                    .unwrap();
+                  .unwrap();
                   break;
                 }
               }
@@ -153,7 +153,7 @@ fn sync_nuclei() {
                     .join(product)
                     .join(yaml_path.file_name().unwrap().to_string_lossy().to_string()),
                 )
-                  .unwrap();
+                .unwrap();
               }
               continue;
             }
@@ -523,8 +523,15 @@ fn cse_to_template(one_cse: CSE, vpf: VPF) -> Template {
 fn v3_to_v4(v3_path: PathBuf) {
   let v3_yaml_list = find_yaml_file(&v3_path, false);
   let current_fingerprint_dir = env::current_dir().unwrap().join("web-fingerprint");
-  let all_product: Vec<String> = find_yaml_file(&current_fingerprint_dir, true).into_iter()
-    .map(|p| p.file_name().unwrap().to_string_lossy().trim_end_matches(".yaml").to_string())
+  let all_product: Vec<String> = find_yaml_file(&current_fingerprint_dir, true)
+    .into_iter()
+    .map(|p| {
+      p.file_name()
+        .unwrap()
+        .to_string_lossy()
+        .trim_end_matches(".yaml")
+        .to_string()
+    })
     .collect();
   for v3_path in v3_yaml_list {
     let v3_file = File::open(&v3_path).unwrap();
@@ -536,7 +543,9 @@ fn v3_to_v4(v3_path: PathBuf) {
           continue;
         }
       }
-      let v4_path = current_fingerprint_dir.join("00_unknown").join(format!("{}.yaml", template.info.name));
+      let v4_path = current_fingerprint_dir
+        .join("00_unknown")
+        .join(format!("{}.yaml", template.info.name));
       let v4_file = File::create(&v4_path).unwrap();
       serde_yaml::to_writer(v4_file, &template).unwrap();
     }

diff --git a/src/v3.rs b/src/v3.rs
@@ -1,10 +1,10 @@
-use std::collections::{BTreeMap, HashSet};
+use crate::hans_to_pinyin;
 use engine::info::{Info, Severity, VPF};
 use engine::matchers::{Condition, Favicon, Matcher, MatcherType, Part, Word};
 use engine::request::Requests;
 use engine::template::Template;
 use serde::{Deserialize, Serialize};
-use crate::hans_to_pinyin;
+use std::collections::{BTreeMap, HashSet};
 // 旧版指纹，数据结构
 
 #[derive(Debug, Serialize, Deserialize, Clone)]
@@ -60,10 +60,7 @@ impl Into<Template> for V3WebFingerPrint {
       name: self.name.to_lowercase().clone(),
       severity: Severity::Info,
       author: vec!["cn-kali-team".to_string()],
-      tags: vec![
-        "detect".to_string(),
-        "tech".to_string(),
-      ],
+      tags: vec!["detect".to_string(), "tech".to_string()],
       ..Info::default()
     };
     info.set_vpf(VPF {
@@ -92,12 +89,27 @@ fn v3_finger_to_matcher(finger: &Vec<WebFingerPrint>) -> Vec<Matcher> {
   let mut header = HashSet::new();
   let mut favicon = HashSet::new();
   for wfp in finger.iter() {
-    header.extend(wfp.match_rules.headers.iter().map(|(k, v)| format!("{}: {}", k.to_lowercase(), v.trim_end_matches("*").to_lowercase())).collect::<Vec<String>>());
+    header.extend(
+      wfp
+        .match_rules
+        .headers
+        .iter()
+        .map(|(k, v)| {
+          format!(
+            "{}: {}",
+            k.to_lowercase(),
+            v.trim_end_matches("*").to_lowercase()
+          )
+        })
+        .collect::<Vec<String>>(),
+    );
     favicon.extend(wfp.match_rules.favicon_hash.clone());
     if wfp.match_rules.keyword.len() > 1 {
       // 多个必须AND关系
       ms.push(Matcher {
-        matcher_type: MatcherType::Word(Word { words: wfp.match_rules.keyword.clone() }),
+        matcher_type: MatcherType::Word(Word {
+          words: wfp.match_rules.keyword.clone(),
+        }),
         condition: Condition::And,
         ..Matcher::default()
       })
@@ -112,22 +124,28 @@ fn v3_finger_to_matcher(finger: &Vec<WebFingerPrint>) -> Vec<Matcher> {
   if !header.is_empty() {
     ms.push(Matcher {
       part: Part::Header,
-      matcher_type: MatcherType::Word(Word { words: header.into_iter().map(|x| x).collect() }),
+      matcher_type: MatcherType::Word(Word {
+        words: header.into_iter().map(|x| x).collect(),
+      }),
       ..Matcher::default()
     })
   }
   if !favicon.is_empty() {
     ms.push(Matcher {
-      matcher_type: MatcherType::Favicon(Favicon { hash: favicon.into_iter().map(|x| x).collect() }),
+      matcher_type: MatcherType::Favicon(Favicon {
+        hash: favicon.into_iter().map(|x| x).collect(),
+      }),
       ..Matcher::default()
     })
   }
   if !or_word.is_empty() {
     ms.push(Matcher {
-      matcher_type: MatcherType::Word(Word { words: or_word.into_iter().map(|x| x).collect() }),
+      matcher_type: MatcherType::Word(Word {
+        words: or_word.into_iter().map(|x| x).collect(),
+      }),
       condition: Condition::Or,
       ..Matcher::default()
     })
   }
   return ms;
-}
+}
diff --git a/web-fingerprint/fortra/goanywhere_managed_file_transfer.yaml b/web-fingerprint/fortra/goanywhere_managed_file_transfer.yaml
@@ -26,5 +26,4 @@ http:
     hash:
     - '1170495932'
     - '1484947000'
-    - 1484947000,1828756398,1170495932
     - '1828756398'
diff --git a/web-fingerprint/netgear/readynas_surveillance.yaml b/web-fingerprint/netgear/readynas_surveillance.yaml
@@ -0,0 +1,20 @@
+id: readynas_surveillance
+info:
+  name: readynas_surveillance
+  author: cn-kali-team
+  tags: detect,tech,readynas_surveillance
+  severity: info
+  metadata:
+    fofa-query:
+    - app="nuuo-nvrmini" || app="nuuo-nvr" || title="network video recorder login"
+    product: readynas_surveillance
+    vendor: netgear
+    verified: true
+http:
+- method: GET
+  path:
+  - '{{BaseURL}}/'
+  matchers:
+  - type: regex
+    regex:
+    - (?mi)<title[^>]*>network video recorder login.*?</title>
diff --git a/web-fingerprint/severalnines/cluster_control.yaml b/web-fingerprint/severalnines/cluster_control.yaml
@@ -17,5 +17,5 @@ http:
   matchers:
   - type: favicon
     hash:
-    - ' icon_hash="-1815707560'
-    - '160707013" '
+    - '-1815707560'
+    - '160707013'
diff --git a/web-fingerprint/terra-master/tos.yaml b/web-fingerprint/terra-master/tos.yaml
@@ -0,0 +1,20 @@
+id: tos
+info:
+  name: tos
+  author: cn-kali-team
+  tags: detect,tech,tos
+  severity: info
+  metadata:
+    fofa-query:
+    - '"terramaster" && header="tos"'
+    product: tos
+    vendor: terra-master
+    verified: true
+http:
+- method: GET
+  path:
+  - '{{BaseURL}}/'
+  matchers:
+  - type: word
+    words:
+    - terramaster