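def runpocwithsysname(self, keyword):
    """Load and run every host PoC whose vulname contains *keyword*.

    PoCs are read from ``hostexploit``, pushed onto ``self.queue`` and
    executed concurrently through ``self.Consumer``; every entry the PoCs
    leave in ``self.vulns`` is written to ``hostvulnlist`` and
    ``self.vulns`` is then cleared.  Failures are logged, never raised.

    Args:
        keyword: substring matched against ``hostexploit.vulname`` with
            LIKE, so ``%`` and ``_`` act as wildcards.
    """
    try:
        self.loadmodule()
        # keyword is operator input, but it still lands in string-built SQL;
        # escape it.  (Whether db().execute accepts bound parameters is not
        # visible from here -- if it does, prefer that over escaping.)
        sql = 'SELECT poc from hostexploit WHERE vulname like "%{}%"'.format(
            pymysql.escape_string(str(keyword)))
        poclist = [item['poc'] for item in db().execute(sql)]
        for poc in poclist:
            self.queue.put_nowait(poc)
        mylog('hostexploit', True).log.info(pyfancy().green(
            '[+]针对目标:{0}:{1} 加载{2} hostpoc {3}个'.format(
                self.host, self.port, keyword, len(poclist))))
        gevent.joinall([gevent.spawn(self.Consumer, item) for item in poclist])
        columns = ('vulnhost', 'vulnport', 'vulnname', 'isvul',
                   'payload', 'proof', 'exception')
        for vuln in self.vulns:
            # proof/payload/exception carry data returned by the target, and
            # previously only payload/exception were escaped.  Escape every
            # column so a hostile target cannot inject into the results DB.
            sqlstr = ('INSERT INTO hostvulnlist (vulnhost, vulnport, vulnname, isvul, '
                      'payload, proof, exception) VALUE '
                      '("{0}", "{1}", "{2}", "{3}", "{4}", "{5}", "{6}")').format(
                *[pymysql.escape_string(str(vuln[col])) for col in columns])
            db().execute(sqlstr)
            mylog('hostexploit').log.debug(pyfancy().magenta(
                '[*] {0}'.format(json.dumps(vuln, indent=4))))
        self.vulns = []
    except Exception as e:
        mylog('hostexploit').log.critical(pyfancy().red(e))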
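def runpocwithcmsname(self, keyword):
    """Load and run every web PoC whose vulname contains *keyword*.

    PoCs come from ``webexploit`` and run on a gevent pool of
    ``self.threads`` workers via ``self.pocexec``; each result in
    ``self.vulns`` is written to ``webvulnlist`` and the list is cleared.
    Failures are logged, never raised.

    Args:
        keyword: substring matched against ``webexploit.vulname`` with
            LIKE (``%`` / ``_`` are wildcards).
    """
    try:
        pool = Pool(self.threads)
        self.loadmodule()
        # Escape the operator-supplied keyword rather than trusting it; the
        # db().execute helper's parameter support is not visible from here.
        sql = 'SELECT poc FROM webexploit WHERE vulname LIKE "%{}%"'.format(
            pymysql.escape_string(str(keyword)))
        poclist = [item['poc'] for item in db().execute(sql)]
        mylog('webexploit', True).log.info(pyfancy().green(
            '[+]针对目标:{0} 加载{1} webpoc {2}个'.format(self.url, keyword, len(poclist))))
        gevent.joinall([pool.spawn(self.pocexec, item) for item in poclist])
        for vuln in self.vulns:
            # Escape every column (url and vulnname were previously raw);
            # vulnurl/payload/proof/exception are target-influenced.
            values = (self.url, vuln['vulnname'], vuln['vulnurl'], vuln['isvul'],
                      vuln['payload'], vuln['proof'], vuln['exception'])
            db().execute(
                ('INSERT INTO webvulnlist (url, vulname, vulnurl, isvul, payload, proof, exception) '
                 'VALUE ("{0}", "{1}", "{2}", "{3}", "{4}", "{5}", "{6}")').format(
                    *[pymysql.escape_string(str(v)) for v in values]))
            mylog('webexploit').log.debug(pyfancy().magenta(
                '[*] {}'.format(json.dumps(vuln, indent=4))))
        self.vulns = []
    except Exception as e:
        mylog('webexploit').log.critical(pyfancy().red(e))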
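def routineudp(self, port):
    """Fingerprint one UDP port via nmap and record it in ``hostrecon``.

    The nmap call itself runs outside the try block (as before); only the
    database write is guarded and its errors logged.

    Args:
        port: UDP port to probe on ``self.host``.
    """
    service = self.hostrecon.useNmapServUDP(port)
    try:
        # Escape every interpolated value, not only the nmap output.
        values = (self.project, self.host, port, service)
        sqlstr = ('INSERT INTO hostrecon (Project, Host, Port, Service) '
                  'VALUE ("{0}", "{1}", "{2}", "{3}")').format(
            *[pymysql.escape_string(str(v)) for v in values])
        db().execute(sqlstr)
    except Exception as e:
        mylog('hostprint').log.critical(pyfancy().red(e))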
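def runexplore(self, url):
    """Run web reconnaissance on *url* and store one row in ``webrecon``.

    Collects CDN/dig/headers/whois/builtwith/wappalyzer/whatweb/header-
    security data through ``explore(url)`` plus an IP lookup through
    ``judgement(self.url)``.  Note the recon targets *url* while the stored
    row and the IP lookup use ``self.url`` -- kept as in the original.
    (An earlier HTML report writer under ``Heaven_Hell/webrecon`` was
    disabled in favour of the database row.)

    Args:
        url: target URL passed to ``explore``.
    """
    mylog('webprint', True).log.info(pyfancy().green('[+]执行web信息收集: {}'.format(url)))
    runApp = explore(url)
    cdnheader = runApp.useCDNHeader()
    dig = runApp.useDig()
    getheaders = runApp.header
    whois = runApp.useWhois()
    builtwith = runApp.useBuiltwith()
    mycdn = runApp.myCdnWaf()
    wappalyzer = runApp.useWappalyzer()
    whatweb = runApp.useWhatweb()
    hsec = runApp.hsecscan()
    iprecon = judgement(self.url).iplocation()
    # All of these values derive from target responses; cdnheader and dig
    # were previously interpolated unescaped.  Escape every column.
    values = (self.project, self.url, cdnheader, dig, getheaders, whois,
              builtwith, mycdn, wappalyzer, whatweb, hsec, iprecon)
    sqlstr = ('INSERT INTO webrecon (Project, URL, cdnheader, Dig, Headers, Whois, Builtwith, '
              'Mycdn, wappalyzer, Whatweb, Hsec, Iprecon) VALUE '
              '("{0}", "{1}", "{2}", "{3}", "{4}", "{5}", "{6}", "{7}", "{8}", "{9}", "{10}", "{11}")'
              ).format(*[pymysql.escape_string(str(v)) for v in values])
    db().execute(sqlstr)
    mylog('webprint', True).log.info(pyfancy().green('[*]结束web信息收集: {}'.format(url)))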
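def do_show(self, args):
    """Interactive ``show`` command: print PoC source or an exploit-db entry.

    ``show poc <vulname>`` prints the PoC stored in ``webexploit`` or
    ``hostexploit`` for an exact vulname; ``show vuldb <id>`` prints the
    ``exploitdb.filed`` column for a numeric id.  Anything else prints usage.

    Args:
        args: the raw argument string from the cmd loop.
    """
    parts = str(args).split()
    if not parts:
        cprint('[!]命令show用法:\n\tshow [poc] vulname', 'red')
        return
    if len(parts) < 2:
        # The original indexed parts[1] unconditionally and raised IndexError.
        cprint('[!]命令show用法:\n\tshow [poc/vuldb] vulname', 'red')
        return
    kind, showname = parts[0], parts[1]
    database = db()
    if kind == 'poc':
        # Exact match (==), so escaping fully neutralises the operator input;
        # the original interpolated it raw.
        name = pymysql.escape_string(showname)
        sqlstring = ('SELECT poc FROM (SELECT poc FROM webexploit WHERE vulname="{0}") AS t1 '
                     'UNION ALL SELECT poc FROM (SELECT poc FROM hostexploit WHERE vulname="{1}") AS t2'
                     ).format(name, name)
        show_result = database.execute(sqlstring)
        # An unknown vulname returns no rows; the original raised IndexError here.
        sourcecode = show_result[0]['poc'] if show_result else None
        if sourcecode is None:
            cprint('[!] Wooo! 没有poc代码!!!', 'red')
        else:
            print('\n')
            runhighlighting(sourcecode)
            print('\n')
    elif kind == 'vuldb':
        # id is an unquoted integer column: only accept digits.
        if not showname.isdigit():
            cprint('[!]命令show用法:\n\tshow [poc/vuldb] vulname', 'red')
            return
        sqlstring = 'SELECT filed FROM exploitdb WHERE id={0}'.format(int(showname))
        show_result = database.execute(sqlstring)
        if not show_result:
            cprint('[!] Wooo! 没有exploit代码!!!', 'red')
            return
        exploitcode = show_result[0]['filed']
        print('\n')
        try:
            runhighlighting(exploitcode)
        except Exception:
            # Fallback for content the highlighter rejects: wrap it as a string.
            runhighlighting('"""\n{0}\n"""'.format(exploitcode))
        print('\n')
    else:
        cprint('[!]命令show用法:\n\tshow [poc/vuldb] vulname', 'red')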
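def _table_loaded(self, database, table_name):
    """Return True when information_schema.TABLES lists *table_name*.

    The original read ``rows[0]['TABLE_NAME']`` and raised IndexError when
    the table was missing, so its '未加载' branch was unreachable.  The
    WHERE clause already pins the name, so a non-empty result suffices.
    The lookup is not restricted to a schema (as before).
    """
    rows = database.execute(
        'SELECT table_name FROM information_schema.TABLES WHERE table_name ="{}"'.format(table_name))
    return bool(rows)


def do_status(self, instance=None):
    """Interactive ``status`` command: print a table of module states.

    Rows: MySQL connection and size, CMS fingerprint table, CDN/WAF
    fingerprint dict, web PoC table, host PoC table.  Count queries are
    skipped for tables that are not loaded.

    Args:
        instance: accepted for the cmd interface, unused.
    """
    tb = pt.PrettyTable()
    tb.field_names = ['实例类型', '实例状态', '实例值']
    database = db()

    # MySQL status.  The original divided only SUM(DATA_LENGTH) by 1024*1024,
    # so index bytes were added unscaled; the sum is now parenthesised.
    dbstatus = '已连接' if database.connectdb() else '未连接'
    dbsize = database.execute(
        'SELECT CONCAT(ROUND((SUM(INDEX_LENGTH)+SUM(DATA_LENGTH))/(1024*1024),2),"MB") '
        'AS "数据库容量" FROM information_schema.tables WHERE table_schema="SatanSword"')[0]
    tb.add_row(['MySQL', dbstatus, dbsize])

    # CMS fingerprint module
    if self._table_loaded(database, 'cmsprint'):
        count = database.execute('SELECT COUNT(DISTINCT(cmsname)) AS "cms种类" FROM cmsprint')[0]
        checksum_num = database.execute('SELECT count(*) AS "Md5指纹" FROM cmsprint WHERE checksum !=""')[0]
        keyword_num = database.execute('SELECT count(*) AS "正则指纹" FROM cmsprint WHERE keyword !=""')[0]
        tb.add_row(['CMS指纹识别模块', '已加载', dict(**count, **checksum_num, **keyword_num)])
    else:
        tb.add_row(['CMS指纹识别模块', '未加载', {}])

    # CDN/WAF module: an in-memory dict of family -> fingerprint list
    cdnwafdict = cdnwafidentity().cdnwafdb
    printcount = sum(len(item) for item in cdnwafdict.values())
    tb.add_row(['CDN/WAF模块', '已加载',
                dict(**{"cdn/waf种类": len(cdnwafdict)}, **{"cdn/waf指纹": printcount})])

    # Web PoC module
    if self._table_loaded(database, 'webexploit'):
        poccount = database.execute('SELECT COUNT(DISTINCT(vulname)) AS "可利用poc数" FROM webexploit')[0]
        tb.add_row(['CMS漏洞验证模块', '已加载', dict(**poccount)])
    else:
        tb.add_row(['CMS漏洞验证模块', '未加载', {}])

    # Host PoC module
    if self._table_loaded(database, 'hostexploit'):
        poccount = database.execute('SELECT COUNT(DISTINCT(vulname)) AS "可利用poc数" FROM hostexploit')[0]
        expcount = database.execute('SELECT COUNT(DISTINCT(exp)) AS "可利用exp数" FROM hostexploit')[0]
        tb.add_row(['HOST漏洞验证模块', '已加载', dict(**poccount, **expcount)])
    else:
        tb.add_row(['HOST漏洞验证模块', '未加载', {}])

    cprint(tb, 'yellow')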
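def webexeccheck(self, url):
    """Print every confirmed (isvul="True") finding in ``webvulnlist`` for *url*.

    Args:
        url: a single URL string or a list of URL strings.
    """
    urls = url if isinstance(url, list) else [url]
    tb = pt.PrettyTable()
    tb.field_names = ['URL', 'VULNAME', 'VURL', 'ISVUL', 'PAYLOAD', 'PROOF', 'EXCEPTION']
    # An empty list would produce "IN ()" -- a MySQL syntax error -- so just
    # print the empty table.
    if urls:
        # Values were previously quoted raw; escape each one.
        quoted = ','.join('"{}"'.format(pymysql.escape_string(str(x))) for x in urls)
        sqlstring = 'SELECT * FROM webvulnlist WHERE isvul="True" AND url IN ({})'.format(quoted)
        for item in db().execute(sqlstring):
            tb.add_row([item['url'], item['vulname'], item['vulnurl'], item['isvul'],
                        item['payload'], item['proof'], item['exception']])
    cprint(tb, 'red')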
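def hostexeccheck(self, host):
    """Print every confirmed (isvul="True") finding in ``hostvulnlist`` for *host*.

    Args:
        host: a single host string or a list of host strings.
    """
    hosts = host if isinstance(host, list) else [host]
    tb = pt.PrettyTable()
    tb.field_names = ['HOST', 'PORT', 'VULNAME', 'ISVUL', 'PAYLOAD', 'PROOF', 'EXCEPTION']
    # Empty list -> "IN ()" is a MySQL syntax error; print the empty table instead.
    if hosts:
        # Values were previously quoted raw; escape each one.
        quoted = ','.join('"{}"'.format(pymysql.escape_string(str(x))) for x in hosts)
        sqlstring = 'SELECT * FROM hostvulnlist WHERE isvul="True" AND vulnhost IN ({})'.format(quoted)
        for item in db().execute(sqlstring):
            tb.add_row([item['vulnhost'], item['vulnport'], item['vulnname'], item['isvul'],
                        item['payload'], item['proof'], item['exception']])
    cprint(tb, 'red')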
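def do_search(self, args):
    """Interactive ``search`` command: list PoCs whose vulname contains a keyword.

    Queries ``webexploit`` and ``hostexploit`` (UNION ALL) and prints name,
    description, level and params, followed by a hit count.

    Args:
        args: raw argument string; the first whitespace-separated token is
            the keyword.  Whitespace-only input prints usage instead of
            raising IndexError.
    """
    parts = str(args).split()
    if not parts:
        cprint('[!]命令search用法:\n\tsearch keyword', 'red')
        return
    database = db()
    # Escape the operator input; % and _ remain LIKE wildcards on purpose.
    keyword = pymysql.escape_string(parts[0])
    sqlstring = ('SELECT vulname, description, level, param FROM '
                 '(SELECT vulname, description, level, param FROM webexploit WHERE vulname LIKE "%{0}%") AS t1 '
                 'UNION ALL SELECT vulname, description, level, param FROM '
                 '(SELECT vulname, description, level, param FROM hostexploit WHERE vulname LIKE "%{1}%") AS t2'
                 ).format(keyword, keyword)
    search_result = database.execute(sqlstring)
    tb = pt.PrettyTable()
    tb.field_names = ['漏洞名称', '漏洞描述', '漏洞等级', '传递参数']
    for item in search_result:
        tb.add_row([item['vulname'], item['description'], item['level'], item['param']])
    cprint(tb, 'magenta', attrs=['bold'])
    cprint("[+]" + "=" * 20 + "| 搜索到{0}个POC |".format(len(search_result)) + "=" * 20, "green")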
def useScript(self, port):
    """Run every service-detection script from ``hostprint`` against the host.

    Scripts are read from ``hostprint.servicepoc`` and run on a 20-worker
    gevent pool through ``self.pocexec``; results that set ``isService``
    in ``self.prints`` are printed to stdout.  Errors are logged, not raised.

    Args:
        port: stored on ``self.tport`` for the scripts to read.
    """
    self.tport = port
    mylog('hostprint', True).log.info(pyfancy().green('[+]执行自定义脚本探测系统服务: {}'.format(self.host)))
    workers = Pool(20)
    self.loadmodule()
    try:
        rows = db().execute('SELECT servicepoc FROM hostprint')
        scripts = [row['servicepoc'] for row in rows]
        gevent.joinall([workers.spawn(self.pocexec, script) for script in scripts])
        detected = [entry for entry in self.prints if entry['isService']]
        print(detected)
    except Exception as e:
        mylog('hostprint').log.critical(e)
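def _cmsprint_paths(self, column):
    """Return the distinct, non-empty values of one ``cmsprint`` column.

    *column* is only ever a literal name from this file ('staticurl' or
    'homeurl'), never external input.
    """
    rows = db().execute('SELECT {} FROM cmsprint'.format(column))
    return list(set(filter(None, (row[column] for row in rows))))


def _probe_paths(self, urls, proxy):
    """Fetch *urls* on a 30-worker pool and return distinct non-empty results.

    Mirrors the original selection: when ``self.check404(self.url)`` is true
    the HEAD sender is used, otherwise ``self.get404length(self.url)`` is
    called first and the GET sender is used; *proxy* picks the proxied
    variant of either.  Both passes of ``useCmsprint`` shared this code.
    """
    pool = Pool(30)
    if self.check404(self.url):
        fetch = self.sendproxyrequesthead if proxy else self.sendrequesthead
    else:
        self.get404length(self.url)
        fetch = self.sendproxyrequestget if proxy else self.sendrequestget
    return list(set(filter(None, pool.map(fetch, urls))))


def useCmsprint(self, proxy):
    """Identify the CMS behind ``self.url`` using the ``cmsprint`` table.

    Two passes: (1) request every ``staticurl`` and match the checksum of
    each responding path against ``cmsprint.checksum``; (2) request every
    ``homeurl`` and run ``self.pregmatch`` with the row's ``keyword`` on
    responding paths.  When *proxy* is truthy a proxy list is discovered
    once (``findProxy``) and stored on ``self.proxies`` before pass 1.

    Args:
        proxy: use the proxied request senders.

    Returns:
        De-duplicated list of matched CMS names (may be empty).
    """
    mylog('webprint', True).log.info(pyfancy().green(
        '[+]执行cms识别通用系统信息: {}'.format(self.url)))
    cmsname = []

    # Pass 1: static-file checksum fingerprints
    urls = [self.url + item for item in self._cmsprint_paths('staticurl')]
    if proxy:
        proxyclass = findProxy()
        proxyclass.search()
        proxyclass.connectest(self.url)
        self.proxies = proxyclass.proxylist
    checksumlist = self._probe_paths(urls, proxy)
    if checksumlist:
        paths = [urlparse(item)[2] for item in checksumlist]
        cms_set = db().execute(
            'SELECT cmsname, staticurl, checksum FROM cmsprint WHERE staticurl!=""')
        for text in paths:
            md5sum = self.getchecksum(text)
            for item in cms_set:
                # substring test, as in the original (checksum may hold several)
                if md5sum in item['checksum']:
                    cmsname.append(item['cmsname'])
                    mylog('cmsprint').log.debug(pyfancy().blue(
                        '匹配到cms: {0} {1}'.format(item['cmsname'], item['checksum'])))

    # Pass 2: page keyword (regex) fingerprints
    urls = [self.url + item for item in self._cmsprint_paths('homeurl')]
    preglist = self._probe_paths(urls, proxy)
    if preglist:
        paths = [urlparse(item)[2] for item in preglist]
        cms_set = db().execute(
            'SELECT cmsname, homeurl, keyword FROM cmsprint WHERE homeurl!=""')
        for text in paths:
            for item in cms_set:
                if item['homeurl'] in text and self.pregmatch(text, item['keyword']):
                    cmsname.append(item['cmsname'])
                    mylog('cmsprint').log.debug(pyfancy().blue(
                        '匹配到cms: {0} {1} {2}'.format(
                            item['cmsname'], item['homeurl'], item['keyword'])))

    return list(set(cmsname))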