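    def get_port_info_nmap(self, ip):
        """Port-scan ``ip`` with nmap and return the open TCP ports it reports.

        Returns a list of ``{'port', 'name', 'version', 'type'}`` dicts (``type``
        is nmap's lower-cased ``product``), or ``0`` when the scan itself could
        not be run -- ``scan`` compares the result with 0 and treats that as an
        "nmap error".  A host that is down, unresolved or has no TCP results
        yields an empty list, not 0.
        """
        # ``ip`` normally comes from the ip_list collection.  python-nmap builds
        # the nmap command line from this string (NOTE(review): confirm against
        # the installed python-nmap), so a value containing whitespace or
        # starting with '-' could be read as additional nmap options instead of
        # a target.  Refuse such values rather than scanning something unintended.
        if not ip or ip.startswith('-') or any(ch.isspace() for ch in ip):
            wrong_log('get_port_info_nmap rejected host string %r' % (ip,))
            return 0
        try:
            nm = nmap.PortScanner()
            nm.scan(hosts=ip, arguments=GLOBAL_NMAP_ARGUMENTS)
        except Exception:
            # nmap binary missing, bad GLOBAL_NMAP_ARGUMENTS, ...: the scan did
            # not happen, so signal an error instead of an empty port list.
            wrong_log('get_port_info_nmap ' + ip + '\n' + traceback.format_exc())
            return 0

        # nm[ip]['tcp'] looks like
        #   {8888: {'product': '', 'state': 'open', 'version': '', 'name': 'sun-answerbook', ...},
        #    22:   {'product': '', 'state': 'open', 'version': '', 'name': 'ssh', 'extrainfo': 'protocol 2.0', ...}}
        # nmap keys results by the scanned address; a host absent from the
        # results raises KeyError and a host without TCP results has no 'tcp'
        # key.  Both mean "nothing found", not a scan failure.
        try:
            tcp_ports = nm[ip].get('tcp') or {}
        except KeyError:
            tcp_ports = {}

        result = []
        for port, info in tcp_ports.items():
            try:
                result.append({
                    'port': port,
                    'name': info['name'],
                    'version': info['version'],
                    'type': info['product'].lower(),
                })
            except (KeyError, AttributeError):
                # Keep the other ports; just record which entry was malformed.
                wrong_log('get_port_info_nmap  ' + str(port))
        return result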
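 def save_to_db(self, service, port_vuls, http_info, wait_scan, tiny_scan):
     """Persist one host's scan results for ``self.target``.

     Each non-empty list is handed to the matching MongoHelper insert method
     (service, port_vuls, http_info, tiny_scan, wait_scan, in that order);
     empty lists are skipped.  A failure while storing one list is logged and
     the remaining lists are still written, so one bad document does not also
     lose the other results.  Returns None.
     """
     print('save_to_db runing %s' % (self.target,))
     # (label, payload, MongoHelper method that stores it)
     stores = [
         ('service', service, 'insert_service'),
         ('port_vuls', port_vuls, 'insert_port_vuls'),
         ('http_info', http_info, 'insert_http_info'),
         ('tiny_scan', tiny_scan, 'insert_tiny_scan'),
         ('wait_scan', wait_scan, 'insert_wait_scan'),
     ]
     cron = None
     for label, payload, method_name in stores:
         if not payload:
             continue
         try:
             print('store ' + label)
             if cron is None:
                 # One helper for all inserts instead of one per collection.
                 cron = MongoHelper(self.target)
             getattr(cron, method_name)(payload)
         except Exception:
             wrong_log(traceback.format_exc())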
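 def save_to_db(self, service, port_vuls, http_info, wait_scan, tiny_scan):
     """Persist one host's scan results for ``self.target``.

     Each non-empty list is handed to the matching MongoHelper insert method
     (service, port_vuls, http_info, tiny_scan, wait_scan, in that order);
     empty lists are skipped.  A failure while storing one list is logged and
     the remaining lists are still written, so one bad document does not also
     lose the other results.  Returns None.
     """
     print('save_to_db runing %s' % (self.target,))
     # (label, payload, MongoHelper method that stores it)
     stores = [
         ('service', service, 'insert_service'),
         ('port_vuls', port_vuls, 'insert_port_vuls'),
         ('http_info', http_info, 'insert_http_info'),
         ('tiny_scan', tiny_scan, 'insert_tiny_scan'),
         ('wait_scan', wait_scan, 'insert_wait_scan'),
     ]
     cron = None
     for label, payload, method_name in stores:
         if not payload:
             continue
         try:
             print('store ' + label)
             if cron is None:
                 # One helper for all inserts instead of one per collection.
                 cron = MongoHelper(self.target)
             getattr(cron, method_name)(payload)
         except Exception:
             wrong_log(traceback.format_exc())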
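    def get_port_info_nmap(self, ip):
        """Port-scan ``ip`` with nmap and return the open TCP ports it reports.

        Returns a list of ``{'port', 'name', 'version', 'type'}`` dicts (``type``
        is nmap's lower-cased ``product``), or ``0`` when the scan itself could
        not be run -- ``scan`` compares the result with 0 and treats that as an
        "nmap error".  A host that is down, unresolved or has no TCP results
        yields an empty list, not 0.
        """
        # ``ip`` normally comes from the ip_list collection.  python-nmap builds
        # the nmap command line from this string (NOTE(review): confirm against
        # the installed python-nmap), so a value containing whitespace or
        # starting with '-' could be read as additional nmap options instead of
        # a target.  Refuse such values rather than scanning something unintended.
        if not ip or ip.startswith('-') or any(ch.isspace() for ch in ip):
            wrong_log('get_port_info_nmap rejected host string %r' % (ip,))
            return 0
        try:
            nm = nmap.PortScanner()
            nm.scan(hosts=ip, arguments=GLOBAL_NMAP_ARGUMENTS)
        except Exception:
            # nmap binary missing, bad GLOBAL_NMAP_ARGUMENTS, ...: the scan did
            # not happen, so signal an error instead of an empty port list.
            wrong_log('get_port_info_nmap ' + ip + '\n' + traceback.format_exc())
            return 0

        # nm[ip]['tcp'] looks like
        #   {8888: {'product': '', 'state': 'open', 'version': '', 'name': 'sun-answerbook', ...},
        #    22:   {'product': '', 'state': 'open', 'version': '', 'name': 'ssh', 'extrainfo': 'protocol 2.0', ...}}
        # nmap keys results by the scanned address; a host absent from the
        # results raises KeyError and a host without TCP results has no 'tcp'
        # key.  Both mean "nothing found", not a scan failure.
        try:
            tcp_ports = nm[ip].get('tcp') or {}
        except KeyError:
            tcp_ports = {}

        result = []
        for port, info in tcp_ports.items():
            try:
                result.append({
                    'port': port,
                    'name': info['name'],
                    'version': info['version'],
                    'type': info['product'].lower(),
                })
            except (KeyError, AttributeError):
                # Keep the other ports; just record which entry was malformed.
                wrong_log('get_port_info_nmap  ' + str(port))
        return result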
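    def detect(self, req):
        """Decide whether ``req`` (``[method, url, data]``) is worth scanning.

        A request is reduced to a fingerprint -- scheme + host + path with
        numbers and long tokens stripped, plus the value of any "controller"
        parameter -- so that pages differing only in ids, timestamps or
        pseudo-static slugs are scanned once.  Returns 1 and records the
        request in ``self.req_scan`` when the fingerprint is new, 0 when it is
        a duplicate or a static-looking request (no query string and no '_'/'-'
        in the URL), and None for an empty URL or, after logging, an
        unexpected error.
        """
        try:
            from urllib import parse as urlparse_mod  # Python 3
        except ImportError:
            import urlparse as urlparse_mod  # Python 2
        url = str(req[1])
        # URLs the original author listed as cases to handle (kept for reference):
        #   http://140.207.69.83:80/thread-45758770-10-1.html   (marked "unresolved")
        #   http://fm.qq.com/category/39110_38942
        #   http://www.iqiyi.com/w_19ruj41o0l.html
        try:
            if not url:
                return None
            parsed = urlparse_mod.urlparse(url)
            if req[0]:
                # Nothing to inject into: no query string and no pseudo-static
                # slug ('_' or '-' somewhere in the URL).
                if not parsed[4] and '_' not in url and '-' not in url:
                    return 0
            # Parameters that usually select a controller/action; their value
            # becomes part of the fingerprint so each action is scanned separately.
            # NOTE(review): 'commmand' (three m's) looks like a typo for
            # 'command'; kept as-is because changing it changes what is deduplicated.
            control_words = ('method', 'm', 'action', 'act', 'cmd', 'commmand', 'ac')
            # Drop long tokens (hashes, session ids), 16-char tokens and
            # 10-13 digit numbers (timestamps) before fingerprinting.
            url = re.sub(r'[\w_-]{28,}', '', url)
            url = re.sub(r'[\w_-]{16}', '', url)
            url = re.sub(r'[\d]{10,13}', '', url)
            parsed = urlparse_mod.urlparse(url)
            params = urlparse_mod.parse_qs(parsed[4])
            # Digits in the path are ids; a segment containing '_' or '-' is
            # replaced by the number of those separators.
            path = re.sub(r'\d+', '', parsed[2])
            segments = []
            for segment in path.split('/'):
                separators = segment.count('_') + segment.count('-')
                segments.append(str(separators) if separators else segment)
            fingerprint = parsed[0] + parsed[1] + ''.join('/' + s for s in segments)
            for word in control_words:
                if word in params:
                    # parse_qs never yields an empty value list, but stay safe.
                    values = params[word]
                    if values:
                        fingerprint += values[0]
            # NOTE(review): self.detecion is a list, so this membership test is
            # O(n) per request; a set would be cheaper if no caller needs order.
            if fingerprint in self.detecion:
                return 0
            self.detecion.append(fingerprint)
            self.req_scan.append(req)
            return 1
        except Exception:
            wrong_log(traceback.format_exc() + url)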
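def get_title(text):
    """Return the <title> text of an HTML body, or its first 20 characters.

    ``text`` is the raw response body.  When the document has no <title>,
    the first 20 characters of ``text`` stand in for it.  A <title> whose
    content is not a single text node (nested markup, empty element) has
    ``.string`` == None; its flattened text is returned instead so callers
    always get a string.  Parse errors are logged via wrong_log and yield None.
    """
    try:
        soup = BeautifulSoup(text, "html.parser")
        title = soup.title
        if title is None:
            return text[:20]
        if title.string is not None:
            return title.string
        # .string is None for <title></title> or <title><b>x</b></title>.
        return title.get_text()
    except Exception:
        wrong_log(traceback.format_exc())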
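def get_title(text):
    """Return the <title> text of an HTML body, or its first 20 characters.

    ``text`` is the raw response body.  When the document has no <title>,
    the first 20 characters of ``text`` stand in for it.  A <title> whose
    content is not a single text node (nested markup, empty element) has
    ``.string`` == None; its flattened text is returned instead so callers
    always get a string.  Parse errors are logged via wrong_log and yield None.
    """
    try:
        soup = BeautifulSoup(text, "html.parser")
        title = soup.title
        if title is None:
            return text[:20]
        if title.string is not None:
            return title.string
        # .string is None for <title></title> or <title><b>x</b></title>.
        return title.get_text()
    except Exception:
        wrong_log(traceback.format_exc())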
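    def scan(self, ipinfo):
        """Scan one ip_list document and store whatever was found.

        ``ipinfo`` carries ``_id``, ``ip``, ``domain`` (a '|'-separated list,
        optionally followed by '|sep|' and trailing data that is ignored) and,
        when ``self.new`` is false, a cached ``portinfo`` list.  Ports come
        from nmap (``self.new``) or from that cache.  Every port is probed as
        a web service for each domain: HTTPS ports get a Heartbleed check and
        the tiny scan, plain HTTP ports go through the HTTP port plugins and
        then the tiny scan, and all web ports also go to the normal plugins.
        A port that is not a web service is recorded once under the bare ip,
        sent to the normal plugins and the remaining domains are skipped.
        Results are written with save_to_db.  Returns 0 when no port
        information could be obtained, otherwise None.
        """
        try:
            service = []    # {ip_domain, port, type, version}
            port_vuls = []  # findings from heartbleed / the plugins
            http_info = []  # {url_domain, title, src, isvul} from the tiny scan
            wait_scan = []
            tiny_scan = []
            _id = ipinfo['_id']
            ip = ipinfo['ip']
            print('scan %s' % (ip,))
            domain_field = ipinfo['domain']
            if '|sep|' in domain_field:
                domain_field = domain_field.split('|sep|')[0]
            domains = domain_field.split('|')

            # One helper for both ip_list updates.
            cron = MongoHelper(self.target)
            cron.update_ip_list_status(_id)
            if self.new:
                portinfos = self.get_port_info_nmap(ip)
            else:
                portinfos = ipinfo['portinfo']
            if portinfos == 0:
                # get_port_info_nmap signals a failed scan with 0.
                print('nmap error')
                return 0
            cron.update_ip_list(_id, portinfos)

            for portinfo in portinfos:
                port = portinfo['port']
                for domain in domains:
                    webinfo = self.get_web_info(ip, port, domain)
                    if not webinfo:
                        # Not a web port: record once under the bare ip and
                        # stop trying the other domains for this port.
                        service.append({'ip_domain': ip, 'port': port,
                                        'type': portinfo['type'],
                                        'version': portinfo['version']})
                        self.send_to_normal_plugins(ip, portinfo, domain, port_vuls)
                        break
                    service.append({'ip_domain': ip + '-' + domain, 'port': port,
                                    'type': portinfo['type'],
                                    'version': portinfo['version']})
                    if 'https' in webinfo['scheme']:
                        ssl_info = heratbleed_attack(ip, port)
                        if ssl_info:
                            port_vuls.append(ssl_info)
                        self.http_tiny_scan(webinfo, ip, port, domain,
                                            http_info, wait_scan, tiny_scan)
                    elif self.send_to_http_port_plugins(webinfo, ip, port, domain, port_vuls):
                        self.http_tiny_scan(webinfo, ip, port, domain,
                                            http_info, wait_scan, tiny_scan)
                    # Web ports also go through the generic port plugins.
                    # Original author's note here: "something wrong strtus2
                    # weblojic" -- presumably the struts2/weblogic plugins
                    # misbehaved at this point; unverified.
                    self.send_to_normal_plugins(ip, portinfo, domain, port_vuls)
            self.save_to_db(service, port_vuls, http_info, wait_scan, tiny_scan)
        except Exception:
            wrong_log(traceback.format_exc())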
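 def run(self):
     """Crawl worker loop: drain ``self.reqque`` and enqueue discovered requests.

     Each queue item is ``[req, depth]`` where ``req`` is
     ``[method, url, data]``.  The page is fetched with ``get_html``, its
     links and forms are extracted relative to ``req[1]`` (the URL), and
     while ``depth`` is below ``self.depth`` each new request is queued one
     level deeper.  Returns None once the queue is empty; errors on a single
     item are logged and the loop continues.
     """
     try:
         from queue import Empty  # Python 3
     except ImportError:
         from Queue import Empty  # Python 2
     while True:
         try:
             # Non-blocking get instead of qsize() followed by get(): with
             # several workers another thread can take the last item between
             # the two calls and a blocking get() would then never return.
             try:
                 item = self.reqque.get(block=False)
             except Empty:
                 break
             req, depth = item[0], item[1]
             html = self.get_html(req)
             reqs = self.get_links_forms(html, req[1])
             if depth < self.depth:
                 # get_links_forms may return None on a failed parse.
                 for new_req in reqs or []:
                     self.reqque.put([new_req, depth + 1])
         except Exception:
             wrong_log(traceback.format_exc())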
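 def run(self):
     """Crawl worker loop: drain ``self.reqque`` and enqueue discovered requests.

     Each queue item is ``[req, depth]`` where ``req`` is
     ``[method, url, data]``.  The page is fetched with ``get_html``, its
     links and forms are extracted relative to ``req[1]`` (the URL), and
     while ``depth`` is below ``self.depth`` each new request is queued one
     level deeper.  Returns None once the queue is empty; errors on a single
     item are logged and the loop continues.
     """
     try:
         from queue import Empty  # Python 3
     except ImportError:
         from Queue import Empty  # Python 2
     while True:
         try:
             # Non-blocking get instead of qsize() followed by get(): with
             # several workers another thread can take the last item between
             # the two calls and a blocking get() would then never return.
             try:
                 item = self.reqque.get(block=False)
             except Empty:
                 break
             req, depth = item[0], item[1]
             html = self.get_html(req)
             reqs = self.get_links_forms(html, req[1])
             if depth < self.depth:
                 # get_links_forms may return None on a failed parse.
                 for new_req in reqs or []:
                     self.reqque.put([new_req, depth + 1])
         except Exception:
             wrong_log(traceback.format_exc())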
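    def detect(self, req):
        """Decide whether ``req`` (``[method, url, data]``) is worth scanning.

        A request is reduced to a fingerprint -- scheme + host + path with
        numbers and long tokens stripped, plus the value of any "controller"
        parameter -- so that pages differing only in ids, timestamps or
        pseudo-static slugs are scanned once.  Returns 1 and records the
        request in ``self.req_scan`` when the fingerprint is new, 0 when it is
        a duplicate or a static-looking request (no query string and no '_'/'-'
        in the URL), and None for an empty URL or, after logging, an
        unexpected error.
        """
        try:
            from urllib import parse as urlparse_mod  # Python 3
        except ImportError:
            import urlparse as urlparse_mod  # Python 2
        url = str(req[1])
        # URLs the original author listed as cases to handle (kept for reference):
        #   http://140.207.69.83:80/thread-45758770-10-1.html   (marked "unresolved")
        #   http://fm.qq.com/category/39110_38942
        #   http://www.iqiyi.com/w_19ruj41o0l.html
        try:
            if not url:
                return None
            parsed = urlparse_mod.urlparse(url)
            if req[0]:
                # Nothing to inject into: no query string and no pseudo-static
                # slug ('_' or '-' somewhere in the URL).
                if not parsed[4] and '_' not in url and '-' not in url:
                    return 0
            # Parameters that usually select a controller/action; their value
            # becomes part of the fingerprint so each action is scanned separately.
            # NOTE(review): 'commmand' (three m's) looks like a typo for
            # 'command'; kept as-is because changing it changes what is deduplicated.
            control_words = ('method', 'm', 'action', 'act', 'cmd', 'commmand', 'ac')
            # Drop long tokens (hashes, session ids), 16-char tokens and
            # 10-13 digit numbers (timestamps) before fingerprinting.
            url = re.sub(r'[\w_-]{28,}', '', url)
            url = re.sub(r'[\w_-]{16}', '', url)
            url = re.sub(r'[\d]{10,13}', '', url)
            parsed = urlparse_mod.urlparse(url)
            params = urlparse_mod.parse_qs(parsed[4])
            # Digits in the path are ids; a segment containing '_' or '-' is
            # replaced by the number of those separators.
            path = re.sub(r'\d+', '', parsed[2])
            segments = []
            for segment in path.split('/'):
                separators = segment.count('_') + segment.count('-')
                segments.append(str(separators) if separators else segment)
            fingerprint = parsed[0] + parsed[1] + ''.join('/' + s for s in segments)
            for word in control_words:
                if word in params:
                    # parse_qs never yields an empty value list, but stay safe.
                    values = params[word]
                    if values:
                        fingerprint += values[0]
            # NOTE(review): self.detecion is a list, so this membership test is
            # O(n) per request; a set would be cheaper if no caller needs order.
            if fingerprint in self.detecion:
                return 0
            self.detecion.append(fingerprint)
            self.req_scan.append(req)
            return 1
        except Exception:
            wrong_log(traceback.format_exc() + url)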
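    def get_links_forms(self, html, url):
        """Extract crawlable requests from an HTML page.

        ``html`` is the page body (anything that is not a ``str`` yields [])
        and ``url`` the address it was fetched from, used to resolve relative
        links.  Returns a list of ``[method, url, data]`` requests that passed
        ``self.detect``: one GET per ``<a href>``, and per ``<form>`` one POST
        to its action with empty data plus one with the form's inputs encoded
        as ``name=value&...``.  Pages whose <title> trips ``self.black_detect``
        yield [].  Errors are logged via wrong_log; a parse error yields the
        requests collected so far.
        """
        reqs = []
        if not isinstance(html, str):
            return reqs

        def absolutize(link):
            # '/x' is host-relative, '//x' is scheme-relative, anything else
            # without '//' is relative to the current directory; complete URLs
            # are returned unchanged.
            if '//' not in link:
                if link[0] == '/':
                    return get_current_host(url) + link
                return get_current_path(url) + link
            if link[:2] == '//':
                return get_scheme(url) + link
            return link

        try:
            tree = etree.HTML(html)
            title = tree.xpath('//title/text()')
            if title and self.black_detect(title[0]):
                return []

            for href in tree.xpath('//a[@href]/@href'):
                if not href or 'javascript' in href or 'mailto' in href:
                    continue
                link = absolutize(href)
                if self.detect(['GET', link, '']):
                    reqs.append(['GET', link, ''])

            for form in tree.xpath('//form'):
                try:
                    actions = form.xpath('@action')
                    # A form without an action (or an empty one) posts back to
                    # the page it was served from.
                    action = str(actions[0]) if actions and actions[0] else url
                    if 'javascript' in action or 'mailto' in action:
                        continue
                    action = absolutize(action)
                    if self.detect(['post', action, '']):
                        reqs.append(['post', action, ''])
                    # './/input' stays inside this form; '//input' would pick
                    # up every input in the document.
                    pairs = []
                    for field in form.xpath('.//input'):
                        name = field.xpath('@name')
                        value = field.xpath('@value')
                        pairs.append((name[0] if name else '') + '=' + (value[0] if value else ''))
                    data = '&'.join(pairs)
                    if self.detect(['post', action, data]):
                        reqs.append(['post', action, data])
                except Exception:
                    wrong_log(url + traceback.format_exc())
        except Exception:
            wrong_log(traceback.format_exc())
        return reqs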
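    def scan(self, ipinfo):
        """Scan one ip_list document and store whatever was found.

        ``ipinfo`` carries ``_id``, ``ip``, ``domain`` (a '|'-separated list,
        optionally followed by '|sep|' and trailing data that is ignored) and,
        when ``self.new`` is false, a cached ``portinfo`` list.  Ports come
        from nmap (``self.new``) or from that cache.  Every port is probed as
        a web service for each domain: HTTPS ports get a Heartbleed check and
        the tiny scan, plain HTTP ports go through the HTTP port plugins and
        then the tiny scan, and all web ports also go to the normal plugins.
        A port that is not a web service is recorded once under the bare ip,
        sent to the normal plugins and the remaining domains are skipped.
        Results are written with save_to_db.  Returns 0 when no port
        information could be obtained, otherwise None.
        """
        try:
            service = []    # {ip_domain, port, type, version}
            port_vuls = []  # findings from heartbleed / the plugins
            http_info = []  # {url_domain, title, src, isvul} from the tiny scan
            wait_scan = []
            tiny_scan = []
            _id = ipinfo['_id']
            ip = ipinfo['ip']
            print('scan %s' % (ip,))
            domain_field = ipinfo['domain']
            if '|sep|' in domain_field:
                domain_field = domain_field.split('|sep|')[0]
            domains = domain_field.split('|')

            # One helper for both ip_list updates.
            cron = MongoHelper(self.target)
            cron.update_ip_list_status(_id)
            if self.new:
                portinfos = self.get_port_info_nmap(ip)
            else:
                portinfos = ipinfo['portinfo']
            if portinfos == 0:
                # get_port_info_nmap signals a failed scan with 0.
                print('nmap error')
                return 0
            cron.update_ip_list(_id, portinfos)

            for portinfo in portinfos:
                port = portinfo['port']
                for domain in domains:
                    webinfo = self.get_web_info(ip, port, domain)
                    if not webinfo:
                        # Not a web port: record once under the bare ip and
                        # stop trying the other domains for this port.
                        service.append({'ip_domain': ip, 'port': port,
                                        'type': portinfo['type'],
                                        'version': portinfo['version']})
                        self.send_to_normal_plugins(ip, portinfo, domain, port_vuls)
                        break
                    service.append({'ip_domain': ip + '-' + domain, 'port': port,
                                    'type': portinfo['type'],
                                    'version': portinfo['version']})
                    if 'https' in webinfo['scheme']:
                        ssl_info = heratbleed_attack(ip, port)
                        if ssl_info:
                            port_vuls.append(ssl_info)
                        self.http_tiny_scan(webinfo, ip, port, domain,
                                            http_info, wait_scan, tiny_scan)
                    elif self.send_to_http_port_plugins(webinfo, ip, port, domain, port_vuls):
                        self.http_tiny_scan(webinfo, ip, port, domain,
                                            http_info, wait_scan, tiny_scan)
                    # Web ports also go through the generic port plugins.
                    # Original author's note here: "something wrong strtus2
                    # weblojic" -- presumably the struts2/weblogic plugins
                    # misbehaved at this point; unverified.
                    self.send_to_normal_plugins(ip, portinfo, domain, port_vuls)
            self.save_to_db(service, port_vuls, http_info, wait_scan, tiny_scan)
        except Exception:
            wrong_log(traceback.format_exc())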
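    def get_links_forms(self, html, url):
        """Extract crawlable requests from an HTML page.

        ``html`` is the page body (anything that is not a ``str`` yields [])
        and ``url`` the address it was fetched from, used to resolve relative
        links.  Returns a list of ``[method, url, data]`` requests that passed
        ``self.detect``: one GET per ``<a href>``, and per ``<form>`` one POST
        to its action with empty data plus one with the form's inputs encoded
        as ``name=value&...``.  Pages whose <title> trips ``self.black_detect``
        yield [].  Errors are logged via wrong_log; a parse error yields the
        requests collected so far.
        """
        reqs = []
        if not isinstance(html, str):
            return reqs

        def absolutize(link):
            # '/x' is host-relative, '//x' is scheme-relative, anything else
            # without '//' is relative to the current directory; complete URLs
            # are returned unchanged.
            if '//' not in link:
                if link[0] == '/':
                    return get_current_host(url) + link
                return get_current_path(url) + link
            if link[:2] == '//':
                return get_scheme(url) + link
            return link

        try:
            tree = etree.HTML(html)
            title = tree.xpath('//title/text()')
            if title and self.black_detect(title[0]):
                return []

            for href in tree.xpath('//a[@href]/@href'):
                if not href or 'javascript' in href or 'mailto' in href:
                    continue
                link = absolutize(href)
                if self.detect(['GET', link, '']):
                    reqs.append(['GET', link, ''])

            for form in tree.xpath('//form'):
                try:
                    actions = form.xpath('@action')
                    # A form without an action (or an empty one) posts back to
                    # the page it was served from.
                    action = str(actions[0]) if actions and actions[0] else url
                    if 'javascript' in action or 'mailto' in action:
                        continue
                    action = absolutize(action)
                    if self.detect(['post', action, '']):
                        reqs.append(['post', action, ''])
                    # './/input' stays inside this form; '//input' would pick
                    # up every input in the document.
                    pairs = []
                    for field in form.xpath('.//input'):
                        name = field.xpath('@name')
                        value = field.xpath('@value')
                        pairs.append((name[0] if name else '') + '=' + (value[0] if value else ''))
                    data = '&'.join(pairs)
                    if self.detect(['post', action, data]):
                        reqs.append(['post', action, data])
                except Exception:
                    wrong_log(url + traceback.format_exc())
        except Exception:
            wrong_log(traceback.format_exc())
        return reqs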