14Finger

A full-featured web fingerprint scanning and sharing platform. It is built on a Vue3 + Django front-end/back-end separated architecture, integrates the rad crawler from Chaitin, and ships with more than 10,000 open-source fingerprints collected from the internet.

Features

  1. Fingerprint analysis is driven by the powerful rad crawler, so it is not limited to the current page
  2. JavaScript is executed, so applications that load dynamically via JS (Vue apps, for example) can also be scanned
  3. Multi-threaded and multi-process; speed is decent
  4. User-friendly fingerprint submission, with fine-grained fingerprint categories and fields, so users can build their own unbeatable fingerprint library
  5. Batch crawling and batch fingerprinting both run in the background; no need to wait in the front end

Deployment

If you deploy to the public internet, change the Django SECRET_KEY in settings.py; otherwise a leaked secret key becomes a security risk.

Initial administrator usernames/passwords: admin/admin, b1ackc4t/123456

Demo video: https://www.bilibili.com/video/BV1br4y1b7fF

One-click Docker deployment

Download the pre-built Docker package from https://github.com/b1ackc4t/14Finger/releases, extract it, and run the commands below.

On low-spec hosts, such as a server with only one or two cores, reduce the process and thread counts in /14Finger-docker/main/14Finger/uwsgi.ini so that resource exhaustion does not hang the machine:

 processes=10
 threads=300

On macOS and Windows, empty the /14Finger-docker/mysql/data folder first, because the pre-populated data only works on Linux.

chmod -R 755 ./14Finger-docker  # grant sufficient permissions
cd ./14Finger-docker
docker-compose up -d

Then open http://127.0.0.1:7990. The backend service cannot be reached through any other IP.

To change the access IP, edit BASE_URL_PROD in /14Finger-docker/nginx/html/config.json and restart the service.

Manual start

Dependencies

  • mysql
  • redis
  • python

Running on Linux is recommended: the project uses Celery, whose Windows support is poor and unstable.

Edit the database configuration in _14Finger/setting.py to point at your own database:

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql',
        'NAME': '14finger',
        'USER': 'root',
        'PASSWORD': '',
        'HOST': '127.0.0.1',
        'PORT': '3306',
    }
}
# Celery configuration
CELERY_BROKER_URL = 'redis://root:[email protected]:6379/1'
CELERY_RESULT_BACKEND = 'redis://root:[email protected]:6379/2'
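The deployment notes above say to change SECRET_KEY before going public, and the sample DATABASES block uses root with an empty password. As an added example that is not part of the 14Finger repository, the following settings helper loads both values from the environment and refuses to start on unsafe ones; the FINGER_* variable names are assumptions.

```python
# Added example, not from the 14Finger repository: read SECRET_KEY and the
# database password from the environment and refuse to start on an empty
# or Django-default value. FINGER_SECRET_KEY / FINGER_DB_* are assumed names.
import secrets

MIN_KEY_LENGTH = 50
# Prefix Django's startproject puts on generated development keys.
INSECURE_PREFIX = "django-insecure-"


def generate_secret_key():
    """Return a fresh URL-safe random key suitable for Django's SECRET_KEY."""
    return secrets.token_urlsafe(MIN_KEY_LENGTH)


def validate_secret_key(key):
    """Reject keys that are missing, too short, or still a development default."""
    if not key or len(key) < MIN_KEY_LENGTH:
        return False
    return not key.startswith(INSECURE_PREFIX)


def build_settings(env):
    """Build the sensitive part of settings.py from a mapping such as os.environ."""
    key = env.get("FINGER_SECRET_KEY", "")
    if not validate_secret_key(key):
        # Fail at start-up rather than run on the internet with a known key.
        raise RuntimeError("FINGER_SECRET_KEY is unset or insecure; "
                           "generate one with generate_secret_key()")
    db_password = env.get("FINGER_DB_PASSWORD", "")
    if not db_password:
        # The sample DATABASES block above ships with PASSWORD '' for root.
        raise RuntimeError("FINGER_DB_PASSWORD must not be empty")
    return {
        "SECRET_KEY": key,
        "DEBUG": env.get("FINGER_DEBUG", "0") == "1",
        "DATABASES": {
            "default": {
                "ENGINE": "django.db.backends.mysql",
                "NAME": "14finger",
                "USER": env.get("FINGER_DB_USER", "finger"),  # dedicated account, not root
                "PASSWORD": db_password,
                "HOST": env.get("FINGER_DB_HOST", "127.0.0.1"),
                "PORT": "3306",
            }
        },
    }
```

In settings.py you would call `build_settings(os.environ)` once and unpack the result into module globals.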

After importing the 14finger.sql file, start the front end, the back end, and Celery separately.

Front end: https://github.com/b1ackc4t/14Finger-client

npm install
npm run dev

Back end: https://github.com/b1ackc4t/14Finger

pip install -r requirements.txt
python manage.py runserver

Celery (run from the back-end root directory)

# On Linux (recommended)
celery -A core.celery_pak.main worker -l info
# On Windows (requires eventlet)
celery -A core.celery_pak.main worker -l info -P eventlet

Then open http://127.0.0.1:3000/. Changing the IP works the same way as in the Docker deployment.

Feature preview

Single query

  • A simulated browser is used to execute JavaScript
  • Crawler mode first crawls all URLs, then fingerprints each URL
  • Crawl-only mode only crawls, without fingerprint identification
  • Lightweight scanning is on by default, to avoid making too much noise and alerting the target

Batch query

Same options as a single query, with concurrency added on top so that a list of URLs is scanned in batch. Once submitted, the task runs in the background.

The profile page shows the results of your own batch scan tasks.

Results are downloaded as a JSON file.

Fingerprint submission

  • Fingerprint fields are clearly structured
  • An application can be chosen from those already on the platform, or created new
  • Fingerprints can be tested immediately
  • Submissions by administrators need no review

Fingerprint management and search

  • Convenient browsing of the fingerprint library
  • Review of fingerprints submitted by platform users

Platform configuration

  • Configure basic settings for the platform's scanning

Learning and references

Thanks to the excellent projects of those who came before; they were a great help.

https://github.com/TideSec/TideFinger

https://github.com/Lucifer1993/cmsprint

https://github.com/chaitin/rad

https://github.com/EASY233/Finger

14finger's Issues

Cannot log in as admin even locally on the server

Here is the situation: the login request returns a 404 as its JSON response, and the web UI then shows "wrong username or password":
root@VM-8-2-debian:~/14Finger-docker# cat nginx/html/config.json
{
"BASE_URL_PROD": "http://127.0.0.1:7990",
"BASE_URL_DEV": "http://127.0.0.1:8000"

}
root@VM-8-2-debian:/14Finger-docker# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
201c912fcaf9 nginx:1.20.2 "/docker-entrypoint.…" 31 minutes ago Up 2 minutes 0.0.0.0:7990->80/tcp 14finger-docker_nginx_1
43c18f3d0250 14finger-docker_main "sh -c 'uwsgi --ini …" 31 minutes ago Up 2 minutes 8000/tcp 14finger-docker_main_1
6161e917cdff redis:7.0.4 "docker-entrypoint.s…" 31 minutes ago Up 2 minutes 14finger-docker_redis_1
77e41fa5d790 mysql:8.0.15 "docker-entrypoint.s…" 31 minutes ago Up 2 minutes 3306/tcp, 33060/tcp 14finger-docker_db_1
root@VM-8-2-debian:/14Finger-docker# curl -X POST http://127.0.0.1:7990/api/user/login
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0'
-H 'Accept: application/json, text/plain, /'
-H 'Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2'
-H 'Accept-Encoding: gzip, deflate'
-H 'Content-Type: application/json'
-H 'Origin: http://127.0.0.1:7990'
-H 'Connection: keep-alive'
-H 'Referer: http://127.0.0.1:7990/login'
-d '{"username":"admin","password":"admin","email":null}'

<title>404 Not Found</title>

404 Not Found


nginx/1.20.2 root@VM-8-2-debian:~/14Finger-docker#

MySQL will not start after installation, please help

2023-08-12T00:57:08.929393Z 0 [ERROR] [MY-010020] [Server] Data Dictionary initialization failed.
2023-08-12T00:57:08.929557Z 0 [ERROR] [MY-010119] [Server] Aborting
2023-08-12T00:57:10.289360Z 0 [System] [MY-010910] [Server] /usr/sbin/mysqld: Shutdown complete (mysqld 8.0.15) MySQL Community Server - GPL.
2023-08-12T00:58:11.338091Z 0 [Warning] [MY-011070] [Server] 'Disabling symbolic links using --skip-symbolic-links (or equivalent) is the default. Consider not using this option as it' is deprecated and will be removed in a future release.
2023-08-12T00:58:11.338509Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.15) starting as process 1
2023-08-12T00:58:11.345649Z 0 [Warning] [MY-010159] [Server] Setting lower_case_table_names=2 because file system for /var/lib/mysql/ is case insensitive
2023-08-12T00:58:11.862528Z 1 [ERROR] [MY-011087] [Server] Different lower_case_table_names settings for server ('2') and data dictionary ('0').
2023-08-12T00:58:11.862716Z 0 [ERROR] [MY-010020] [Server] Data Dictionary initialization failed.
2023-08-12T00:58:11.862858Z 0 [ERROR] [MY-010119] [Server] Aborting
2023-08-12T00:58:13.314304Z 0 [System] [MY-010910] [Server] /usr/sbin/mysqld: Shutdown complete (mysqld 8.0.15) MySQL Community Server - GPL.
2023-08-12T00:59:14.264133Z 0 [Warning] [MY-011070] [Server] 'Disabling symbolic links using --skip-symbolic-links (or equivalent) is the default. Consider not using this option as it' is deprecated and will be removed in a future release.
2023-08-12T00:59:14.265313Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.15) starting as process 1
2023-08-12T00:59:14.274425Z 0 [Warning] [MY-010159] [Server] Setting lower_case_table_names=2 because file system for /var/lib/mysql/ is case insensitive
2023-08-12T00:59:14.823615Z 1 [ERROR] [MY-011087] [Server] Different lower_case_table_names settings for server ('2') and data dictionary ('0').
2023-08-12T00:59:14.823861Z 0 [ERROR] [MY-010020] [Server] Data Dictionary initialization failed.
2023-08-12T00:59:14.824070Z 0 [ERROR] [MY-010119] [Server] Aborting
2023-08-12T00:59:16.183835Z 0 [System] [MY-010910] [Server] /usr/sbin/mysqld: Shutdown complete (mysqld 8.0.15) MySQL Community Server - GPL.

Backend API returns 404

Some users report that requests to the backend API return 404 and cannot be accessed.
The docker-compose up logs show that some files lack sufficient permissions.
Granting enough permissions solves the problem:

# Usually 755 is enough, but in practice some environments need 777; the reason is not yet clear
chmod -R 755 ./14Finger-docker
chmod -R 777 ./14Finger-docker

Installation error

I get this error during installation; is it a network problem?
But the address opens fine in a browser.

I found four vulnerabilities related to user management authority.

Version

master branch

Vulnerability List

The first vulnerability: 14Finger User Sensitive Information Leakage Vulnerability
The second vulnerability: 14Finger User Privilege Escalation Vulnerability
The third vulnerability: 14Finger Arbitrary User Deletion Vulnerability
The fourth vulnerability: 14Finger Arbitrary User Password Reset Vulnerability

Summary:

14Finger does not strictly verify the identity and permissions of the current user's operation, which allows the user to operate functions beyond the scope of his/her management permissions and thus perform actions that the user is not permitted to perform.

Repair suggestions:

  1. API authentication
  2. principle of least privilege

For more vulnerability details, please refer to the PDF.
14Finger User Sensitive Information Leakage Vulnerability.pdf
14Finger User privilege escalation vulnerability.pdf
14Finger Arbitrary user deletion vulnerability.pdf
14Finger Arbitrary User Password Reset Vulnerability.pdf
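The report above lists four missing-authorization findings in user management and recommends API authentication and least privilege. As an added example that is not 14Finger's own code, the following plain-Python policy shows the object-level check those suggestions call for; the roles, action names and payload field names are assumptions, and in a Django REST Framework view the same function would be called from has_object_permission().

```python
# Added example, not 14Finger's own code: an object-level authorization policy
# for the user-management actions named in the report above. Plain Python so it
# can be unit-tested; a DRF view would call is_allowed() from
# has_object_permission(). Roles, action names and field names are assumptions.
from dataclasses import dataclass

ROLE_USER, ROLE_ADMIN = "user", "admin"
# One action per finding: read a profile, change a role, delete, reset password.
READ, CHANGE_ROLE, DELETE, RESET_PASSWORD = "read", "change_role", "delete", "reset_password"
# Fields a non-admin must never be able to set on a user record.
PRIVILEGED_FIELDS = {"role", "is_staff", "is_superuser"}


@dataclass(frozen=True)
class Account:
    id: int
    role: str
    is_authenticated: bool = True


def is_allowed(actor, action, target, new_role=None):
    """Return True only if `actor` may perform `action` on `target`'s account."""
    # Authenticate first: anonymous callers are denied whatever the action.
    if actor is None or not actor.is_authenticated:
        return False
    is_admin = actor.role == ROLE_ADMIN
    is_self = actor.id == target.id
    if action in (READ, RESET_PASSWORD):
        # Least privilege: your own record, or any record if you are an admin.
        return is_self or is_admin
    if action == DELETE:
        # Admins may delete other accounts; nobody deletes their own via the API.
        return is_admin and not is_self
    if action == CHANGE_ROLE:
        # Only admins change roles, never their own, and only to a known role.
        return is_admin and not is_self and new_role in (ROLE_USER, ROLE_ADMIN)
    return False  # unknown action: deny by default


def sanitize_update_payload(actor, payload):
    """Drop privileged fields from a profile update unless the actor is an admin.

    This closes the mass-assignment path where a user sends {"role": "admin"}
    to their own profile endpoint.
    """
    if actor.role == ROLE_ADMIN:
        return dict(payload)
    return {k: v for k, v in payload.items() if k not in PRIVILEGED_FIELDS}
```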
