[
{
"path": ".idea/.gitignore",
"content": "# 默认忽略的文件\n/shelf/\n/workspace.xml\n# 基于编辑器的 HTTP 客户端请求\n/httpRequests/\n# Datasource local storage ignored files\n/dataSources/\n/dataSources.local.xml\n"
},
{
"path": ".idea/CodeScan-master.iml",
"content": "\n\n \n \n \n \n \n \n"
},
{
"path": ".idea/modules.xml",
"content": "\n\n \n \n \n \n \n"
},
{
"path": "CommonVul/Rce/Rce.go",
"content": "package Rce\n\nimport (\n\t\"CodeScan/CommonVul/Rule\"\n\t\"CodeScan/FindFile\"\n\t\"fmt\"\n)\n\nfunc JavaRce(dir string) {\n\tFindFile.FindFileByJava(dir, \"rce.txt\", Rule.JavaRceRuleList)\n\tfmt.Println(\"RCE分析完成\")\n}\n\nfunc PHPRce(dir string) {\n\tFindFile.FindFileByPHP(dir, \"rce.txt\", Rule.PHPRceRuleList)\n\tfmt.Println(\"RCE分析完成\")\n}\n"
},
{
"path": "CommonVul/Rule/MatchFileNameRule.go",
"content": "package Rule\n"
},
{
"path": "CommonVul/Rule/MatchFileReadRule.go",
"content": "package Rule\n\nvar PHPFileReadList = []string{\n\t\"file_get_contents(\", \"file(\", \"readfile(\", \"fopen(\",\n}\n"
},
{
"path": "CommonVul/Rule/MatchLineRule.go",
"content": "package Rule\n\nvar LineBlack = []string{\n\t\"import \",\n\t\"log.\",\n\t\"loaded from\",\n\t\"//\",\n\t\"document.write(\",\n\t\"getWriter().write(\",\n\t\"writer.write(\",\n\t\".write()\",\n}\n"
},
{
"path": "CommonVul/Rule/MatchPathRule.go",
"content": "package Rule\n\nvar PathBlackJava = []string{\n\t\"apache\", \"lombok\", \"microsoft\", \"solr\",\n\t\"amazonaws\", \"c3p0\", \"jodd\", \"afterturn\", \"hutool\",\n\t\"javassist\", \"alibaba\", \"aliyuncs\", \"javax\", \"jackson\",\n\t\"bytebuddy\", \"baomidou\", \"google\", \"netty\", \"redis\", \"mysql\",\n\t\"logback\", \"ognl\", \"oracle\", \"sun\", \"junit\", \"reactor\", \"github\",\n\t\"mchange\", \"taobao\", \"nimbusds\", \"opensymphony\", \"freemarker\", \"java\", \"apiguardian\", \"hibernate\", \"javassist\", \"jboss\", \"junit\", \"mybatis\",\n\t\"springframework\", \"slf4j\", \"aspectj\",\n}\n\nvar PathBlackPhp = []string{\n\t\"think\", \"vendor\",\n}\n"
},
{
"path": "CommonVul/Rule/MatchRceRule.go",
"content": "package Rule\n\nvar JavaRceRuleList = []string{\n\t\"Runtime.getRuntime().exec\", \"ProcessBuilder.start\",\n\t\"RuntimeUtil.exec(\", \"RuntimeUtil.execForStr(\",\n}\n\nvar PHPRceRuleList = []string{\n\t\"System(\", \"shell_exec(\", \"exec(\", \"eval(\", \"passthru(\", \"proc_open(\", \"popen(\",\n\t\"assert(\", \"call_user_func(\", \"call_user_func_array(\", \"create_function(\",\n}\n"
},
{
"path": "CommonVul/Rule/MatchUploadRule.go",
"content": "package Rule\n\nvar JavaUploadRuleList = []string{\n\t\"Streams.copy(\",\n\t\".getOriginalFilename(\", \".transferTo(\",\n\t\"UploadedFile(\", \"FileUtils.copyFile(\", \"MultipartHttpServletRequest\", \".getFileName(\", \".saveAs(\", \".getFileSuffix(\", \".getFile\", \"MultipartFile file\",\n}\n\nvar PHPUploadRuleList = []string{\n\t\"move_uploaded_file(\", \"file_put_contents(\", \"$_FILE[\", \"copy(\", \"->move(\", \"request()->file(\",\n}\n"
},
{
"path": "CommonVul/Rule/MtachSqlRule.go",
"content": "package Rule\n\nvar XmlSqlBlack = []string{\n\t\"\", \"id=\\\"dataSource\\\"\", \"\", \"\",\n\t\" 0 {\n\t\twriteToFile(\"sql.txt\", selectList)\n\t}\n}\n"
},
{
"path": "Java-Code/Sql/FindSqlByXml.go",
"content": "package Sql\n\nimport (\n\tRule2 \"CodeScan/CommonVul/Rule\"\n\t\"bufio\"\n\t\"fmt\"\n\t\"io/fs\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n)\n\n// findKeywordsInXMLFiles 函数用于检查 XML 文件中的关键字\nfunc findSqlByXml(dir string) {\n\txmlList := []string{}\n\tvar lastFile string // 记录上一次输出的文件,用于控制输出格式\n\n\t// 使用 Walk 函数遍历目录,查找所有的 .xml 文件\n\terr := filepath.Walk(dir, func(path string, f fs.FileInfo, err error) error {\n\t\tif !f.IsDir() && strings.HasSuffix(f.Name(), \".xml\") {\n\t\t\t// xml黑名单匹配\n\t\t\tif Rule2.MatchRule(f.Name(), Rule2.XmlBlack) {\n\t\t\t\treturn nil\n\t\t\t}\n\t\t\txmlList = append(xmlList, path)\n\t\t}\n\t\treturn nil\n\t})\n\tcheck(err)\n\n\t// 定义需要搜索的关键字\n\tkeywords := []string{\"${\", \"like '%${\", \"order by ${\"} // 这里可以添加更多关键字\n\n\t// 遍历 XML 文件列表\n\tfor _, file := range xmlList {\n\t\tfoundKeywords := []string{}\n\n\t\tlineNumber := 1\n\t\t// 打开 XML 文件\n\t\tf, err := os.Open(file)\n\t\tcheck(err)\n\t\tdefer f.Close()\n\n\t\t// 逐行扫描文件内容\n\t\tscanner := bufio.NewScanner(f)\n\t\tfor scanner.Scan() {\n\t\t\tline := strings.TrimSpace(scanner.Text())\n\t\t\t// 检查每一行是否包含关键字,并且不包含黑名单中的关键字\n\t\t\tif Rule2.MatchRule(line, Rule2.XmlSqlBlack) {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\t// 检查每一行是否包含需要搜索的关键字\n\t\t\tfor _, keyword := range keywords {\n\t\t\t\tif strings.Contains(line, keyword) {\n\t\t\t\t\tif lastFile != f.Name() {\n\t\t\t\t\t\tfoundKeywords = append(foundKeywords, fmt.Sprintf(\"====================================================================\\n\"))\n\t\t\t\t\t\tfoundKeywords = append(foundKeywords, fmt.Sprintf(\"file [%s]\\n%d: %s\", f.Name(), lineNumber, line))\n\t\t\t\t\t\tlastFile = f.Name()\n\t\t\t\t\t} else {\n\t\t\t\t\t\tfoundKeywords = append(foundKeywords, fmt.Sprintf(\"====================================================================\\n\"))\n\t\t\t\t\t\tfoundKeywords = append(foundKeywords, fmt.Sprintf(\"%d : %s\", lineNumber, line))\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\tlineNumber++\n\t\t}\n\n\t\t// 如果找到关键字,则将相关信息写入到 sql.txt 文件中\n\t\tif len(foundKeywords) > 0 {\n\t\t\twriteToFile(\"sql.txt\", foundKeywords)\n\t\t}\n\t}\n}\n"
},
{
"path": "Java-Code/Sql/Sql.go",
"content": "package Sql\n\nimport (\n\t\"fmt\"\n\t\"os\"\n)\n\n// check 函数用于检查错误,如果错误不为 nil 则触发 panic\nfunc check(e error) {\n\tif e != nil {\n\t\tpanic(e)\n\t}\n}\n\n// Sqlcheck 函数是我们的主函数,负责执行 SQL 检查的逻辑\nfunc Sqlcheck(dir string) {\n\t// 检查是否存在 @Select 注解\n\tfindSqlByCode(dir)\n\n\t// 检查 XML 文件中的关键字\n\tfindSqlByXml(dir)\n\n\tfmt.Println(\"sql分析完成\")\n}\n\n// writeToFile 函数用于将信息写入文件\nfunc writeToFile(filename string, lines []string) {\n\n\t// 创建或打开输出文件,以追加模式写入\n\tbasedir := \"./results/\"\n\n\t// 检查目录是否存在\n\tif _, err := os.Stat(basedir); os.IsNotExist(err) {\n\t\t// 如果目录不存在,则创建\n\t\terr := os.MkdirAll(basedir, os.ModePerm)\n\t\tif err != nil {\n\t\t\tfmt.Println(\"Error creating directory:\", err)\n\t\t\treturn\n\t\t}\n\t}\n\n\toutputfile := basedir + filename // 打开文件,如果文件不存在则创建,如果存在则追加写入\n\toutputFile, err := os.OpenFile(outputfile, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)\n\tcheck(err)\n\tdefer outputFile.Close()\n\n\t// 将每一行信息写入文件\n\tfor _, line := range lines {\n\t\t_, err = outputFile.WriteString(fmt.Sprintf(\"%s\\n\", line))\n\t\tcheck(err)\n\t}\n}\n"
},
{
"path": "Java-Code/Zip/Zipsilp.go",
"content": "package Zip\n\nimport (\n\t\"CodeScan/FindFile\"\n\t\"fmt\"\n)\n\nfunc Zipsilp(dir string) {\n\tFindFile.FindFileByJava(dir, \"zip.txt\", []string{\"zipEntry.getName(\", \"ZipUtil.unpack(\", \"ZipUtil.unzip(\", \"entry.getName()\", \"AntZipUtils.unzip(\", \"zip.getEntries()\"})\n\tfmt.Println(\"Zipsilp分析完成\")\n}\n"
},
{
"path": "PHP-Code/FileRead/Read.go",
"content": "package FileRead\n\nimport (\n\t\"CodeScan/CommonVul/Rule\"\n\t\"CodeScan/FindFile\"\n\t\"fmt\"\n)\n\nfunc Read(dir string) {\n\tFindFile.FindFileByPHP(dir, \"FileRead_Phar.txt\", Rule.PHPFileReadList)\n\tfmt.Println(\"PHP文件读取分析完成\")\n\n}\n"
},
{
"path": "PHP-Code/FileWrite/Write.go",
"content": "package FileWrite\n\nimport (\n\t\"CodeScan/FindFile\"\n\t\"fmt\"\n)\n\nfunc Write(dir string) {\n\tFindFile.FindFileByPHP(dir, \"FileWrite.txt\", []string{\n\t\t\"file_put_contents(\",\n\t})\n\tfmt.Println(\"PHP文件写入分析完成\")\n\n}\n"
},
{
"path": "PHP-Code/Include/Include.go",
"content": "package Include\n\nimport (\n\t\"CodeScan/FindFile\"\n\t\"fmt\"\n)\n\nfunc Include(dir string) {\n\tFindFile.FindFileByPHP(dir, \"Include.txt\", []string{\n\t\t\"include(\",\n\t})\n\tfmt.Println(\"PHP文件包含分析完成\")\n}\n"
},
{
"path": "PHP-Code/PHPSql/FindSqlByCode.go",
"content": "package PHPSql\n\nimport (\n\t\"bufio\"\n\t\"fmt\"\n\t\"io/fs\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n)\n\n// 函数用于检查是否存在java代码内容,并将相关信息写入 sql.txt\nfunc findSqlByCode(dir string) {\n\tselectList := []string{}\n\tvar lastFile string // 记录上一次输出的文件,用于控制输出格式\n\n\tkeywords := []string{\"like '%\\\" +\", \"mysql_query(\", \"->where(\", \"->order(\", \"mysqli_query(\"}\n\n\terr := filepath.Walk(dir, func(path string, f fs.FileInfo, err error) error {\n\t\tif !f.IsDir() && strings.HasSuffix(f.Name(), \".php\") {\n\t\t\t// 打开文件\n\t\t\tlineNumber := 1 // 行号,用于标识匹配行的位置\n\t\t\tfile, err := os.Open(path)\n\t\t\tcheck(err)\n\t\t\tdefer file.Close()\n\n\t\t\t// 逐行扫描文件内容\n\t\t\tscanner := bufio.NewScanner(file)\n\t\t\tfor scanner.Scan() {\n\t\t\t\tline := strings.TrimSpace(scanner.Text())\n\t\t\t\t// 如果行中包含 @Select 注解,则将相关信息添加到 selectList 中\n\t\t\t\tfor _, keyword := range keywords {\n\t\t\t\t\tif strings.Contains(line, keyword) {\n\t\t\t\t\t\tif lastFile != file.Name() {\n\t\t\t\t\t\t\tselectList = append(selectList, fmt.Sprintf(\"====================================================================\\n\"))\n\t\t\t\t\t\t\tselectList = append(selectList, fmt.Sprintf(\"file [%s]\\n%d: %s\", file.Name(), lineNumber, line))\n\t\t\t\t\t\t\tlastFile = file.Name()\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tselectList = append(selectList, fmt.Sprintf(\"====================================================================\\n\"))\n\t\t\t\t\t\t\tselectList = append(selectList, fmt.Sprintf(\"%d : %s\", lineNumber, line))\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t}\n\t\t\t\tlineNumber++\n\t\t\t}\n\n\t\t}\n\t\treturn nil\n\t})\n\tcheck(err)\n\n\t// 如果存在 @Select 注解,则将相关信息写入到 sql.txt 文件中\n\tif len(selectList) > 0 {\n\t\twriteToFile(\"sql.txt\", selectList)\n\t}\n}\n"
},
{
"path": "PHP-Code/PHPSql/Sql.go",
"content": "package PHPSql\n\nimport (\n\t\"fmt\"\n\t\"os\"\n)\n\n// check 函数用于检查错误,如果错误不为 nil 则触发 panic\nfunc check(e error) {\n\tif e != nil {\n\t\tpanic(e)\n\t}\n}\n\n// Sqlcheck 函数是我们的主函数,负责执行 SQL 检查的逻辑\nfunc Sqlcheck(dir string) {\n\t// 检查是否存在 @Select 注解\n\tfindSqlByCode(dir)\n\n\tfmt.Println(\"sql分析完成\")\n}\n\n// writeToFile 函数用于将信息写入文件\nfunc writeToFile(filename string, lines []string) {\n\t// 打开文件,如果文件不存在则创建,如果存在则追加写入\n\toutputFile, err := os.OpenFile(filename, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)\n\tcheck(err)\n\tdefer outputFile.Close()\n\n\t// 将每一行信息写入文件\n\tfor _, line := range lines {\n\t\t_, err = outputFile.WriteString(fmt.Sprintf(\"%s\\n\", line))\n\t\tcheck(err)\n\t}\n}\n"
},
{
"path": "PHP-Code/SSRF/SSRF.go",
"content": "package SSRF\n\nimport (\n\t\"CodeScan/FindFile\"\n\t\"fmt\"\n)\n\nfunc PHP_SSRF(dir string) {\n\tFindFile.FindFileByPHP(dir, \"SSRF.txt\", []string{\n\t\t\"curl_exec(\",\n\t})\n\tfmt.Println(\"PHPSSRF分析完成\")\n}\n"
},
{
"path": "PHP-Code/Unserialize/ser.go",
"content": "package Unserialize\n\nimport (\n\t\"CodeScan/FindFile\"\n\t\"fmt\"\n)\n\nfunc Unserialize(dir string) {\n\n\tFindFile.FindFileByPHP(dir, \"Unserialize.txt\", []string{\n\t\t\"__destruct(\",\n\t})\n\tfmt.Println(\"PHP反序列化分析完成\")\n\n}\n"
},
{
"path": "README.md",
"content": "# CodeScan\n\n## 工具概述\n\n该工具目的为对大多数不完整的代码以及依赖快速进行Sink点匹配来帮助红队完成快速代码审计,开发该工具的初衷是以`Sink`到`Source`的思路来开发,为了将所有可疑的Sink点匹配出来并且凭借第六感进行快速漏洞挖掘,并且该工具开发可扩展性强,成本极低,目前工具支持的语言有PHP,Java(JSP)\n\n## 编译\n\n```bash\n./build.sh\n\n# 会生成所有版本在releases下\n```\n\n## 功能\n\n1. 框架识别\n2. 涵盖大部分漏洞的Sink点的匹配(如图)\n \n3. 可自定义定制化修改黑白名单内容\n4. 多模块化多语言化代码审计\n5. 进行融于鉴权代码的快速匹配抓取\n6. 根据Jar进行静态分析(默认分析)\n\n* mysqlconnect-->jdbc\n* Xstream --> xml/json\n\n## 使用\n\n```bash\nUsage of ./CodeScan_darwin_arm64:\n -L string\n 审计语言\n -d string\n 要扫描的目录\n -h string\n 使用帮助\n -lb string\n 行黑名单\n -m string\n 过滤的字符串\n -pb string\n 路径黑名单\n -r string\n RCE规则\n -u string\n 文件上传规则\n\n\nExample:\n\tCodeScan_windows_amd64.exe -L java -d ./net\n\tCodeScan_windows_amd64.exe -L php -d ./net\n\tCodeScan_windows_amd64.exe -d ./net -m \"CheckSession.jsp\"\n```\n\n## 高级用法+案例分析\n\n### 高级用法\n\n`以下均以Java作为示例`\n\n#### 高扩展性\n\n很简单的自定义,如果需要自定义一些匹配规则,首先可以在这里加入\n\n\n\n\n其次如果需要新增漏洞类型,只需要三步(这里以Sql为例)\n\n1. 新建SQL目录\n2. 定义一个方法叫 SqlCheck\n3. 写一个sqlcheck.txt(生成的文件名) + 你自定义的规则\n4. 最后在这里加入包名+方法名即可\n\n\n\n```go\npackage SqlTest\n\nimport (\n\t\"CodeScan/FindFile\"\n\t\"fmt\"\n)\n\nfunc SqlCheck(dir string) {\n\tFindFile.FindFileByJava(dir, \"fastjson.txt\", []string{\".parseObject(\"})\n\tfmt.Println(\"SqlCheck分析完成\")\n\n}\n\n```\n\n#### 扫描位置\n\n在打一些闭源代码的时候经常就一个Jar或者Class,反编译的时候会把依赖进行一起反编译,所以为了避免扫描一些依赖的误报,在工具中自带的黑名单中会过滤掉如下黑名单的包名,需要自定义的时候可自行修改,位置在`CommonVul/Rule/MatchPathRule.go`\n\n```go\nvar PathBlackJava = []string{\n\t\"apache\", \"lombok\", \"microsoft\", \"solr\",\n\t\"amazonaws\", \"c3p0\", \"jodd\", \"afterturn\", \"hutool\",\n\t\"javassist\", \"alibaba\", \"aliyuncs\", \"javax\", \"jackson\",\n\t\"bytebuddy\", \"baomidou\", \"google\", \"netty\", \"redis\", \"mysql\",\n\t\"logback\", \"ognl\", \"oracle\", \"sun\", \"junit\", \"reactor\", \"github\",\n\t\"mchange\", \"taobao\", \"nimbusds\", \"opensymphony\", \"freemarker\", \"java\", \"apiguardian\", \"hibernate\", \"javassist\", \"jboss\", \"junit\", \"mybatis\",\n\t\"springframework\", \"slf4j\",\n}\n```\n\n所以这也导致了一个问题,不能从顶层上直接扫描\n\n\n\n`请把CodeScan放在Net同级目录下扫描(否则会忽略掉直接一个Java目录)`\n\n请`-d`后面的参数尽量在`/src/main/java`之后,比如这里就需要把CodeScan放到`net`目录下开始扫描\n\n```bash\nCodeScan_windows_amd64.exe -L java -d ./net\n```\n\n#### 过滤字符串(只写了JSP + PHP)\n\n比如现在有一个代码百分百为鉴权代码在JSP中\n\n```java\n<%@ include file=\"../../common/js/CheckSession.jsp\"%>\n```\n\n此时可以用一下功能来进行快速获取未鉴权代码\n\n```bash\nCodeScan_windows_amd64.exe -d ./yuan -m \"CheckSession.jsp\"\n```\n\n此时会将不存在这个代码的文件都放到`NoAuthDir`目录中,然后可以再扫一遍就可以立刻定位到存在未鉴权并且存在Sink点的函数文件了\n\n```bash\nCodeScan_windows_amd64.exe -L java -d ./NoAuthDir\n```\n\n#### 静态分析依赖情况\n\n只需要在CodeScan的目录下放入EvilJarList.txt即可匹配出来\n\n`EvilJarList.txt` 内容为存在可打漏洞的`Jar`,模版如下\n\n```bash\nfastjson-1.2.47.jar\nresin-4.0.63.jar\njackson-core-2.13.3.jar\nc3p0-0.9.5.2.jar\ncommons-beanutils-1.9.4.jar\ncommons-beanutils-1.9.3.jar\ncommons-beanutils-1.9.2.jar\ncommons-collections-3.2.1.jar\nmysql-connector-java-8.0.17.jar\ncommons-collections4-4.0.jar\nshiro-core-1.10.1.jar\naspectjweaver-1.9.5.jar\nrome-1.0.jar\nxstream-1.4.11.1.jar\nsqlite-jdbc-3.8.9.jar\nvaadin-server-7.7.14.jar\nhessian-4.0.63.jar\n```\n\n#### 案例\n案例请参考我的博客\n```bash\nhttps://zjackky.github.io/post/develop-codescan-zwcz53.html\n```\n\n## TODO\n\n* [ ] 将结果从TXT转为Excel\n* [ ] Sink点继续完善\n* [ ] ASP\n\n## 支持项目\n\n* 如果有师傅发现Bug或者有更好的建议请提issue感谢\n* 要是各位师傅通过本人的小工具挖到一些好洞记得回头点点Stars诶\n\n## 免责申明\n\n* 如果您下载、安装、使用、修改本工具及相关代码,即表明您信任本工具\n* 在使用本工具时造成对您自己或他人任何形式的损失和伤害,我们不承担任何责任\n* 如您在使用本工具的过程中存在任何非法行为,您需自行承担相应后果,我们将不承担任何法律及连带责任\n* 请您务必审慎阅读、充分理解各条款内容,特别是免除或者限制责任的条款,并选择接受或不接受\n* 除非您已阅读并接受本协议所有条款,否则您无权下载、安装或使用本工具\n* 您的下载、安装、使用等行为即视为您已阅读并同意上述协议的约束\n\n## 更新日志\n\n**2024/09/29**\n\n* 开源\n\n**2024/10/7**\n\n* 将扫描结果写入result目录中\n\n## 鸣谢\n\n[xiaoqiuxx(github.com)](https://github.com/xiaoqiuxx)\n"
},
{
"path": "Utils/JavaScanUtil.go",
"content": "package Utils\n\nimport (\n\t\"CodeScan/CommonVul/Rce\"\n\t\"CodeScan/CommonVul/Upload\"\n\t\"CodeScan/Java-Code/AMF\"\n\t\"CodeScan/Java-Code/Auth_Bypass\"\n\t\"CodeScan/Java-Code/El\"\n\t\"CodeScan/Java-Code/Fastjson\"\n\t\"CodeScan/Java-Code/Frame_Analysis\"\n\t\"CodeScan/Java-Code/JDBC\"\n\t\"CodeScan/Java-Code/JNDI\"\n\t\"CodeScan/Java-Code/JS\"\n\t\"CodeScan/Java-Code/JarStatic\"\n\t\"CodeScan/Java-Code/JavaSrciptShell\"\n\t\"CodeScan/Java-Code/Log4j\"\n\t\"CodeScan/Java-Code/ReadObject\"\n\t\"CodeScan/Java-Code/Reflect\"\n\t\"CodeScan/Java-Code/SSTI/FreeMarker\"\n\t\"CodeScan/Java-Code/Sql\"\n\t\"CodeScan/Java-Code/Zip\"\n\t\"github.com/cheggaaa/pb/v3\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\t\"sync\"\n\t\"time\"\n)\n\nfunc Java_Codeing() {\n\tStartTime = time.Now()\n\t// 所有要执行的扫描函数\n\tscanFuncs := []func(string){\n\t\tFrame_Analysis.FrameAnalysiser,\n\t\tAuth_Bypass.Auth,\n\t\tZip.Zipsilp,\n\t\tJNDI.Jndi,\n\t\tSql.Sqlcheck,\n\t\tRce.JavaRce,\n\t\tUpload.JavaUpload_check,\n\t\tReadObject.Readobjectcheck,\n\t\tEl.Elcheck,\n\t\tFastjson.Parsecheck,\n\t\tReflect.ReflectCheck,\n\t\tLog4j.Log4j,\n\t\tAMF.AmfCheck,\n\t\tFreeMarker.FreeSsti,\n\t\tJDBC.FindJDBC,\n\t\tJavaSrciptShell.FindJavaSrciptShell,\n\t\tJarStatic.Jarstaticer,\n\t\tJS.Eval,\n\t}\n\n\tvar wg sync.WaitGroup\n\twg.Add(len(scanFuncs)) // 根据方法数量动态调整 goroutine 数量\n\tprogressBar = pb.New(len(scanFuncs)).SetRefreshRate(time.Millisecond * 100).Start()\n\t// 启动 goroutine 来执行扫描任务\n\tfor _, scanFunc := range scanFuncs {\n\t\tgo scanDirectory(scanFunc, *Dir, &wg)\n\t}\n\n\twg.Wait()\n\tprogressBar.Finish()\n\n\t// 处理web.xml\n\tFrame_Analysis.WebXmlScan(*Dir, []string{\"*.htm\", \"*.do\", \"*.action\", \"exclude\"})\n\n\t// 清理空文件\n\troot := \"./\" // 设置要检查的目录\n\tfilepath.Walk(root, func(path string, info os.FileInfo, err error) error {\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif !info.IsDir() && strings.HasSuffix(info.Name(), \".txt\") {\n\t\t\tif info.Size() == 0 {\n\t\t\t\tos.Remove(path)\n\t\t\t}\n\t\t}\n\t\treturn nil\n\t})\n}\n"
},
{
"path": "Utils/PHPScanUtil.go",
"content": "package Utils\n\nimport (\n\t\"CodeScan/CommonVul/Rce\"\n\t\"CodeScan/CommonVul/Upload\"\n\t\"CodeScan/PHP-Code/FileRead\"\n\t\"CodeScan/PHP-Code/Include\"\n\t\"CodeScan/PHP-Code/PHPSql\"\n\t\"CodeScan/PHP-Code/SSRF\"\n\t\"CodeScan/PHP-Code/Unserialize\"\n\t\"github.com/cheggaaa/pb/v3\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\t\"sync\"\n\t\"time\"\n)\n\nfunc PHP_Codeing() {\n\tStartTime = time.Now()\n\n\t// 所有要执行的扫描函数\n\tscanFuncs := []func(string){\n\t\tUpload.PHPUpload_check,\n\t\tRce.PHPRce,\n\t\tPHPSql.Sqlcheck,\n\t\tFileRead.Read,\n\t\tUnserialize.Unserialize,\n\t\tSSRF.PHP_SSRF,\n\t\tInclude.Include,\n\t}\n\n\tvar wg sync.WaitGroup\n\twg.Add(len(scanFuncs)) // 根据方法数量动态调整 goroutine 数量\n\tprogressBar = pb.New(len(scanFuncs)).SetRefreshRate(time.Millisecond * 100).Start()\n\t// 启动 goroutine 来执行扫描任务\n\tfor _, scanFunc := range scanFuncs {\n\t\tgo scanDirectory(scanFunc, *Dir, &wg)\n\t}\n\n\twg.Wait()\n\tprogressBar.Finish()\n\t// 清理空文件\n\troot := \"./\" // 设置要检查的目录\n\tfilepath.Walk(root, func(path string, info os.FileInfo, err error) error {\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif !info.IsDir() && strings.HasSuffix(info.Name(), \".txt\") {\n\t\t\tif info.Size() == 0 {\n\t\t\t\tos.Remove(path)\n\t\t\t}\n\t\t}\n\t\treturn nil\n\t})\n}\n"
},
{
"path": "Utils/common.go",
"content": "package Utils\n\nimport (\n\t\"github.com/cheggaaa/pb/v3\"\n\t\"strings\"\n\t\"sync\"\n\t\"time\"\n)\n\nvar (\n\tprogressBar *pb.ProgressBar\n\tStartTime time.Time\n)\n\n// scanDirectory 函数用于启动一个 goroutine 来扫描指定目录\nfunc scanDirectory(scanFunc func(string), dir string, wg *sync.WaitGroup) {\n\tscanFunc(dir)\n\tprogressBar.Increment()\n\twg.Done()\n}\n\nfunc ClearDir(dir string) string {\n\n\t// 将 \\ 转换为 /\n\tdir = strings.ReplaceAll(dir, `\\\\`, \"/\")\n\tdir = strings.ReplaceAll(dir, `\\`, \"/\")\n\n\treturn dir\n}\n"
},
{
"path": "Utils/flag.go",
"content": "package Utils\n\nimport (\n\tRule2 \"CodeScan/CommonVul/Rule\"\n\t\"CodeScan/Filter\"\n\t\"flag\"\n\t\"fmt\"\n\t\"github.com/fatih/color\"\n\t\"strings\"\n)\n\nvar (\n\tDir *string\n\tlanguage *string\n\thelp *string\n)\n\nfunc Start() {\n\t// 开始审计\n\n\tparseFlag()\n\t*language = strings.ToLower(*language)\n\tif *language == \"java\" {\n\t\tJava_Codeing()\n\t}\n\n\tif *language == \"php\" {\n\t\tPHP_Codeing()\n\t}\n\n}\n\nfunc parseFlag() {\n\n\t// 高级命令行解析\n\thelp = flag.String(\"h\", \"\", \"使用帮助\")\n\tDir = flag.String(\"d\", \"\", \"要扫描的目录\")\n\tlanguage = flag.String(\"L\", \"\", \"审计语言\")\n\tpathBlackRule := flag.String(\"pb\", \"\", \"路径黑名单\")\n\tlineBlackRule := flag.String(\"lb\", \"\", \"行黑名单\")\n\tuploadRule := flag.String(\"u\", \"\", \"文件上传规则\")\n\trceRule := flag.String(\"r\", \"\", \"RCE规则\")\n\tfilterfile := flag.String(\"m\", \"\", \"过滤的字符串\")\n\t//outdir := flag.String(\"o\", \"\", \"输出结果\")\n\tflag.Parse()\n\n\tif *language == \"\" && *filterfile == \"\" {\n\t\tcolor.Red(\"请使用 -L 选项提供扫描语言\")\n\t\treturn\n\t}\n\n\tif *language != \"\" {\n\n\t\tif *Dir != \"\" {\n\t\t\t*Dir = ClearDir(*Dir)\n\t\t\tif *pathBlackRule != \"\" {\n\t\t\t\t// 读取路径黑名单\n\t\t\t\tRule2.PathBlackJava = append(Rule2.PathBlackJava, *pathBlackRule)\n\t\t\t\tfmt.Println(\"路径黑名单:\", Rule2.PathBlackJava)\n\t\t\t} // 所有要执行的扫描函数\n\n\t\t\tif *lineBlackRule != \"\" {\n\t\t\t\tRule2.LineBlack = append(Rule2.LineBlack, *lineBlackRule)\n\t\t\t}\n\n\t\t\tif *uploadRule != \"\" {\n\t\t\t\tif *language == \"java\" {\n\t\t\t\t\tRule2.JavaUploadRuleList = append(Rule2.JavaUploadRuleList, *uploadRule)\n\t\t\t\t} else if *language == \"php\" {\n\t\t\t\t\tRule2.PHPUploadRuleList = append(Rule2.PHPUploadRuleList, *uploadRule)\n\t\t\t\t}\n\n\t\t\t}\n\n\t\t\tif *rceRule != \"\" {\n\t\t\t\tRule2.JavaRceRuleList = append(Rule2.JavaRceRuleList, *rceRule)\n\t\t\t}\n\n\t\t}\n\n\t}\n\n\tif *filterfile != \"\" {\n\t\tif *Dir != \"\" {\n\t\t\tFilter.FilterFile(*filterfile, *Dir)\n\n\t\t} else {\n\t\t\tcolor.Red(\"请使用 -d 选项提供目录\")\n\t\t\treturn\n\t\t}\n\n\t}\n\n}\n"
},
{
"path": "build.sh",
"content": "#!/bin/bash\n\n# Define the list of target operating systems and architectures\nos_archs=(\"darwin:amd64\" \"darwin:arm64\" \"linux:amd64\" \"windows:amd64\")\n\n# Define the Go compiler flags\nLDFLAGS=\"-s -w\"\n\n# Loop through each OS/architecture pair and build JodeScanner\nfor pair in \"${os_archs[@]}\"; do\n os=$(echo \"$pair\" | cut -d \":\" -f 1)\n arch=$(echo \"$pair\" | cut -d \":\" -f 2)\n output=\"./releases/CodeScan_${os}_${arch}\"\n\n # For Windows, add .exe extension to the output file\n if [[ \"$os\" == \"windows\" ]]; then\n output=\"$output.exe\"\n fi\n\n # Build JodeScanner for the current OS/architecture pair\n echo \"Building $output...\"\n GOOS=\"$os\" GOARCH=\"$arch\" go build -trimpath -ldflags \"$LDFLAGS\" -o \"$output\" main.go\n echo \"Build $output done\"\ndone\n\n"
},
{
"path": "go.mod",
"content": "module CodeScan\n\ngo 1.22.1\n\nrequire (\n\tgithub.com/cheggaaa/pb/v3 v3.1.5\n\tgithub.com/fatih/color v1.16.0\n)\n\nrequire (\n\tgithub.com/VividCortex/ewma v1.2.0 // indirect\n\tgithub.com/mattn/go-colorable v0.1.13 // indirect\n\tgithub.com/mattn/go-isatty v0.0.20 // indirect\n\tgithub.com/mattn/go-runewidth v0.0.15 // indirect\n\tgithub.com/rivo/uniseg v0.2.0 // indirect\n\tgolang.org/x/sys v0.14.0 // indirect\n)\n"
},
{
"path": "go.sum",
"content": "github.com/VividCortex/ewma v1.2.0 h1:f58SaIzcDXrSy3kWaHNvuJgJ3Nmz59Zji6XoJR/q1ow=\ngithub.com/VividCortex/ewma v1.2.0/go.mod h1:nz4BbCtbLyFDeC9SUHbtcT5644juEuWfUAUnGx7j5l4=\ngithub.com/cheggaaa/pb/v3 v3.1.5 h1:QuuUzeM2WsAqG2gMqtzaWithDJv0i+i6UlnwSCI4QLk=\ngithub.com/cheggaaa/pb/v3 v3.1.5/go.mod h1:CrxkeghYTXi1lQBEI7jSn+3svI3cuc19haAj6jM60XI=\ngithub.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=\ngithub.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=\ngithub.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=\ngithub.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=\ngithub.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=\ngithub.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=\ngithub.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=\ngithub.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=\ngithub.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=\ngithub.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=\ngithub.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=\ngolang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q=\ngolang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=\n"
},
{
"path": "jarFiles.txt",
"content": "HikariCP-2.7.8.jar\naliyun-java-sdk-core-3.4.0.jar\naliyun-java-sdk-ecs-4.2.0.jar\naliyun-java-sdk-kms-2.7.0.jar\naliyun-java-sdk-ram-3.0.0.jar\naliyun-java-sdk-sts-3.0.0.jar\naliyun-sdk-oss-3.10.1.jar\nbyte-buddy-1.7.10.jar\nclassmate-1.3.4.jar\ncommons-codec-1.11.jar\ncommons-pool2-2.5.0.jar\nfastjson-1.2.83.jar\ngson-2.8.2.jar\nguava-18.0.jar\nhibernate-validator-6.0.7.Final.jar\nhttpclient-4.5.2.jar\nhttpcore-4.4.9.jar\njackson-annotations-2.9.0.jar\njackson-core-2.9.4.jar\njackson-databind-2.9.4.jar\njackson-dataformat-yaml-2.9.4.jar\njackson-datatype-jdk8-2.9.4.jar\njackson-datatype-jsr310-2.9.4.jar\njackson-module-parameter-names-2.9.4.jar\njava-semver-0.9.0.jar\njavassist-3.21.0-GA.jar\njavax.annotation-api-1.3.2.jar\njboss-logging-3.3.2.Final.jar\njdom-1.1.jar\njedis-2.9.0.jar\njettison-1.1.jar\njsqlparser-1.3.jar\njul-to-slf4j-1.7.25.jar\njxl-2.6.12.jar\nlog4j-1.2.14.jar\nlog4j-api-2.10.0.jar\nlog4j-to-slf4j-2.15.0.jar\nlogback-classic-1.2.3.jar\nlogback-core-1.2.3.jar\nlombok-1.18.12.jar\nmapstruct-1.1.0.Final.jar\nmybatis-3.4.6.jar\nmybatis-plus-3.0.7.1.jar\nmybatis-plus-annotation-3.0.7.1.jar\nmybatis-plus-boot-starter-3.0.7.1.jar\nmybatis-plus-core-3.0.7.1.jar\nmybatis-plus-extension-3.0.7.1.jar\nmybatis-spring-1.3.2.jar\nmysql-connector-java-8.0.11.jar\npf4j-3.1.0.jar\nprotobuf-java-2.6.0.jar\nreflections-0.9.11.jar\nslf4j-api-1.7.25.jar\nsnakeyaml-1.19.jar\nspring-aop-5.0.4.RELEASE.jar\nspring-beans-5.0.4.RELEASE.jar\nspring-boot-2.0.0.RELEASE.jar\nspring-boot-autoconfigure-2.0.0.RELEASE.jar\nspring-boot-starter-2.0.0.RELEASE.jar\nspring-boot-starter-jdbc-2.0.0.RELEASE.jar\nspring-boot-starter-json-2.0.0.RELEASE.jar\nspring-boot-starter-logging-2.0.0.RELEASE.jar\nspring-boot-starter-redis-1.4.1.RELEASE.jar\nspring-boot-starter-tomcat-2.0.0.RELEASE.jar\nspring-boot-starter-web-2.0.0.RELEASE.jar\nspring-context-5.0.4.RELEASE.jar\nspring-context-support-5.0.4.RELEASE.jar\nspring-core-5.0.4.RELEASE.jar\nspring-data-commons-2.0.5.RELEASE.jar\nspring-data-keyvalue-2.0.5.RELEASE.jar\nspring-data-redis-2.0.5.RELEASE.jar\nspring-expression-5.0.4.RELEASE.jar\nspring-jcl-5.0.4.RELEASE.jar\nspring-jdbc-5.0.4.RELEASE.jar\nspring-oxm-5.0.4.RELEASE.jar\nspring-plugin-core-1.2.0.RELEASE.jar\nspring-plugin-metadata-1.2.0.RELEASE.jar\nspring-tx-5.0.4.RELEASE.jar\nspring-web-5.0.4.RELEASE.jar\nspring-webmvc-5.0.4.RELEASE.jar\nspringboot-plugin-framework-2.2.1-RELEASE.jar\nspringboot-plugin-framework-extension-mybatis-2.2.1-RELEASE.jar\nspringfox-core-2.7.0.jar\nspringfox-schema-2.7.0.jar\nspringfox-spi-2.7.0.jar\nspringfox-spring-web-2.7.0.jar\nspringfox-swagger-common-2.7.0.jar\nspringfox-swagger2-2.7.0.jar\nstax-api-1.0.1.jar\nswagger-annotations-1.5.13.jar\nswagger-bootstrap-ui-1.6.jar\nswagger-models-1.5.13.jar\ntomcat-embed-core-8.5.28.jar\ntomcat-embed-el-8.5.28.jar\ntomcat-embed-websocket-8.5.28.jar\nvalidation-api-2.0.1.Final.jar"
},
{
"path": "main.go",
"content": "package main\n\nimport (\n\t\"CodeScan/Utils\"\n\t\"fmt\"\n\t\"github.com/fatih/color\"\n\t\"time\"\n)\n\nfunc main() {\n\tfmt.Println(`\n\n\n' ██████╗ ██████╗ ██████╗ ███████╗███████╗ ██████╗ █████╗ ███╗ ██╗\n' ██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔════╝██╔════╝██╔══██╗████╗ ██║\n' ██║ ██║ ██║██║ ██║█████╗ ███████╗██║ ███████║██╔██╗ ██║\n' ██║ ██║ ██║██║ ██║██╔══╝ ╚════██║██║ ██╔══██║██║╚██╗██║\n' ╚██████╗╚██████╔╝██████╔╝███████╗███/.████║╚██████╗██║ ██║██║ ╚████║\n' ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚══════╝ ╚═════╝╚═╝ ╚═╝╚═╝ ╚═══╝\n' -- by zjacky,xiaoqiuxx \n\n `)\n\tUtils.Start()\n\telapsed := time.Since(Utils.StartTime) // 计\n\tcolor.Green(\"[+] 扫描完成! 花费时长:%s\\n\", elapsed) // 算经过的时间\n}\n"
}
]