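def check_reverse():
    """Probe the configured reverse (out-of-band) servers from this host.

    Builds a DNS name and an HTTP URL that each carry a random marker,
    fires them through the platform's native tools (ping/nslookup plus
    mshta on Windows, ping/nslookup/curl/wget elsewhere) and then asks
    ``query_reverse`` whether each marker reached the reverse server.
    The outcome is only logged; nothing is returned.

    Reads ``reverse_set`` (``reverse_domain``, ``reverse_http_ip``,
    ``reverse_http_port``) and uses ``get_random_str``, ``run_cmd``,
    ``query_reverse`` and ``logger`` from the enclosing module.
    """
    ver = platform.system()
    dns_random_str = "myscan_dnstest_" + get_random_str(10)
    http_random_str = "myscan_httptest_" + get_random_str(10)
    domain = "{}.{}".format(dns_random_str, reverse_set.get("reverse_domain"))
    url = "http://{}:{}/?d={}".format(reverse_set.get("reverse_http_ip"),
                                      reverse_set.get("reverse_http_port"),
                                      http_random_str)
    logger.info(
        "Will exec ping ,nslookup,mshta,curl,wget to test server , it will take around 20s"
    )
    # NOTE(review): reverse_set values are interpolated into a shell command
    # line without quoting, so the config they come from must be trusted.
    # run_cmd's signature is not visible here, so no argument-list form is used.
    if ver.lower() == "windows":
        cmd = "ping -n 2 {}>nul & nslookup {} >nul & mshta {}".format(
            domain, domain, url)
    else:
        # ">/dev/null 2>&1" discards both streams; the previous
        # "2>&1 >/dev/null" order only silenced stdout and sent stderr to
        # the terminal.  "&" keeps the original fire-and-forget behaviour.
        cmd = ("ping -c 2 {} >/dev/null 2>&1 & nslookup {} >/dev/null 2>&1 & "
               "curl {} >/dev/null 2>&1 & wget {} --output-document=/dev/null").format(
            domain, domain, url, url)
    logger.info("Start exec cmd:{}".format(cmd))
    run_cmd(cmd)
    res_http = query_reverse(http_random_str)
    res_dns = query_reverse(domain, False)
    # TODO: add RMI service detection here; it needs a locally simulated RMI client.

    if res_http[0]:
        logger.critical("Client connect http reverse server: Success")
    else:
        logger.warning("Client connect http reverse server: Fail")
    if res_dns[0]:
        logger.critical("Client connect dns reverse server: Success")
    else:
        # Message aligned with the HTTP branch above (was "disconnect ... Fail").
        logger.warning("Client connect dns reverse server: Fail")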
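    def saveResult(self):
        """Persist every PoC result in ``self.result`` to Redis and log it.

        Each entry is normalised into a ``result_data`` dict: ``name``
        defaults to the PoC file's stem, ``url`` to the scan target taken
        from ``self.workdata`` according to ``cmd_line_options.command``,
        ``level`` to ``"-1"`` and ``createtime`` to now.  The dict is pickled
        under a random ``result_<id>`` key and the key is pushed onto the
        per-vulnerability list, ``vuln_all`` and ``vuln_all_write``.
        Entries that are not dicts are logged and skipped.  Returns nothing.
        """
        for result in self.result:
            if not isinstance(result, dict):
                # Skip the malformed entry rather than dropping the rest of the batch.
                logger.warning("Poc (python script) result error, it's not a dict .")
                continue

            url_default = ""
            if cmd_line_options.command == "webscan":
                url_default = self.workdata.get("dictdata").get("url").get("url")
            elif cmd_line_options.command == "hostscan":
                url_default = "{type}://{addr}:{port}".format(**self.workdata.get("dictdata"))

            poc_stem = os.path.splitext(os.path.split(self.poc)[-1])[0]
            detail = result.get("detail")
            result_data = {
                "name": result.get("name", poc_stem),
                "url": result.get("url", url_default),
                "level": result.get("level", "-1"),
                "createtime": time.strftime("%Y-%m-%d %H:%M:%S", time.localtime()),
                # A missing/non-dict detail gets a placeholder so readers always see a dict.
                "detail": detail if detail and isinstance(detail, dict) else {"noshow": "no details"},
            }

            random_id = get_random_str(9)
            key = "result_" + random_id
            # NOTE(review): the stored pickle is trusted by whatever later
            # unpickles it, so write access to this Redis must be restricted.
            self.red.set(key, pickle.dumps(result_data))
            self.red.lpush("vuln_" + result_data["name"].replace(" ", "_"), key)
            self.red.lpush("vuln_all", key)
            self.red.lpush("vuln_all_write", key)  # save result

            # Truncate long request/response blobs for the log only; work on a
            # copy so the PoC's own detail dict (shared by reference) is untouched.
            log_detail = {}
            for k, v in result_data["detail"].items():
                text = str(v)
                if str(k).lower().startswith(("request", "response")) and len(text) > 1000:
                    log_detail[k] = text[:500] + " ..."
                else:
                    log_detail[k] = v
            logger.critical(dict(result_data, detail=log_detail))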
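    def saveResult(self):
        """Persist every PoC result in ``self.result`` to Redis and log it.

        Each entry is normalised into a ``result_data`` dict: ``name``
        defaults to the PoC file's stem, ``url`` to the target URL found in
        ``self.workdata["dictdata"]["url"]["url"]``, ``level`` to ``"-1"``
        and ``createtime`` to now.  The dict is pickled under a random
        ``result_<id>`` key and the key is pushed onto the
        per-vulnerability list, ``vuln_all`` and ``vuln_all_write``.
        Entries that are not dicts are logged and skipped.  Returns nothing.
        """
        for result in self.result:
            if not isinstance(result, dict):
                # Skip the malformed entry rather than dropping the rest of the batch.
                logger.warning("Poc (python script) result error, it's not a dict .")
                continue

            poc_stem = os.path.splitext(os.path.split(self.poc)[-1])[0]
            target_url = self.workdata.get("dictdata").get("url").get("url")
            detail = result.get("detail")
            result_data = {
                "name": result.get("name", poc_stem),
                "url": result.get("url", target_url),
                "level": result.get("level", "-1"),
                "createtime": time.strftime("%Y-%m-%d %H:%M:%S", time.localtime()),
                # A missing/non-dict detail gets a placeholder so readers always see a dict.
                "detail": detail if detail and isinstance(detail, dict) else {"noshow": "no details"},
            }

            random_id = get_random_str(9)
            key = "result_" + random_id
            # NOTE(review): the stored pickle is trusted by whatever later
            # unpickles it, so write access to this Redis must be restricted.
            self.red.set(key, pickle.dumps(result_data))
            self.red.lpush("vuln_" + result_data["name"].replace(" ", "_"), key)
            self.red.lpush("vuln_all", key)
            self.red.lpush("vuln_all_write", key)  # save result

            logger.critical(result_data)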
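 def saveresult(self, result_data, info):
     """Record a finding once per host and persist it to Redis.

     Deduplicates on a digest of ``(detail.parse, url, name)`` kept in a
     per-host Redis set; a repeat is dropped silently.  A new finding is
     echoed through ``self.output`` with ``info["vulmsg"]``, logged,
     pickled under a random ``result_<id>`` key and queued on the
     per-vulnerability list, ``vuln_all`` and ``vuln_all_write``.
     ``createtime`` is filled in when absent.  Returns nothing.

     Args:
         result_data: dict with at least ``url`` and ``name``; an optional
             ``detail`` dict whose ``parse`` entry feeds the dedup key.
         info: dict whose ``vulmsg`` is shown to the user.
     """
     import hashlib

     def _digest(text):
         # Python's hash() of a str is salted per interpreter process, so the
         # previous keys never matched across runs or worker processes.  A
         # stable digest makes the Redis set actually deduplicate.
         return hashlib.sha256(str(text).encode("utf-8", "replace")).hexdigest()

     red = getredis()
     if not result_data.get("createtime", None):
         result_data["createtime"] = time.strftime("%Y-%m-%d %H:%M:%S",
                                                   time.localtime())
     # Tolerate a missing "detail" instead of raising on .get of None.
     parse_value = (result_data.get("detail") or {}).get("parse")
     parsehash = _digest(str(parse_value) + result_data.get("url") + result_data.get("name"))
     host = parse.urlparse(result_data.get("url")).netloc.split(":")[0]
     # "saerch_" prefix kept verbatim: other code reads this key name.
     hosthash = "saerch_" + _digest(host)
     if red.sismember(hosthash, parsehash):
         return

     self.output(info.get("vulmsg"), insert=True)
     red.sadd(hosthash, parsehash)
     logger.critical(result_data)
     random_id = get_random_str(9)
     key = "result_" + random_id
     # NOTE(review): the stored pickle is trusted by whatever later
     # unpickles it, so write access to this Redis must be restricted.
     red.set(key, pickle.dumps(result_data))
     red.lpush("vuln_" + result_data["name"].replace(" ", "_"), key)
     red.lpush("vuln_all", key)
     red.lpush("vuln_all_write", key)  # save result to html; the save thread picks it up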