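def ms17_010(target):
    """
    MS17-010 detection and verification via Metasploit's smb_ms17_010 scanner.

    Writes a one-off msfconsole resource script, runs it, and records a
    high-severity finding when the scanner reports the host as likely vulnerable.
    :param target: IP or IP range, placed verbatim on the RHOSTS line of the script
    :return: None; the finding goes to stdout, vulnsum and report
    :raises ValueError: if target is empty or contains a line break
    """
    import subprocess
    import sys
    import tempfile

    # The target occupies its own line of the resource script, so a line break
    # in it would start a new msfconsole command; refuse such input outright.
    if not target or '\n' in target or '\r' in target:
        raise ValueError('target must be an IP or IP range on a single line')

    # A private temp file replaces the fixed, predictable /tmp/smb.rc path:
    # no collision between concurrent runs and no pre-planted symlink.
    with tempfile.NamedTemporaryFile('w', suffix='.rc', delete=False) as f:
        f.write('use auxiliary/scanner/smb/smb_ms17_010\n')
        f.write('set RHOSTS ' + target + '\n')
        f.write('exploit\n')
        f.write('exit\n')
        rc_path = f.name

    try:
        try:
            # Argument list, not a shell string: nothing here is re-parsed by a shell.
            # stderr is left attached to the terminal, as os.popen() did.
            rst = subprocess.run(['msfconsole', '-r', rc_path],
                                 stdout=subprocess.PIPE,
                                 universal_newlines=True).stdout
        except FileNotFoundError:
            # os.popen() silently yielded '' when the binary was missing;
            # stay best-effort but say why nothing was checked.
            print('[!] msfconsole not found, MS17-010 check skipped',
                  file=sys.stderr)
            rst = ''
        if 'Host is likely VULNERABLE' in rst:
            print("\033[1;32;1m[+]存在MS-17-010漏洞\033[0m")
            vulnsum.addHigh()
            report.whtml(
                'MS17-010 Vulnerability',
                'Metasploit EXP:\nexploit/windows/smb/ms17_010_eternalblue\n')
    finally:
        # Remove the script even if the scan or the reporting step raises.
        os.remove(rc_path)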
def py_nmap(target, flag, user, passwd, ufile, pfile):
    # Module-level state declared elsewhere: h_q is a queue drained below,
    # d_rt collects {service: [port, ...]} for this scan.
    global h_q
    global d_rt
    # NOTE: this string is not the function's docstring (the global statements
    # come first); it only documents target and flag. user/passwd/ufile/pfile
    # are passed straight through to brute().
    """

    :param target: target url
    :param flag: Full ports scan
    :return:
    """
    #target url -> target ip
    target = urltoip(target)

    # flag selects the full 0-65535 port scan. Either branch is retried with
    # -Pn (skip host discovery) when nmap reports the host as down.
    # NOTE(review): target is concatenated into a shell command string; this
    # relies on urltoip() returning a bare IP — confirm, or hand nmap an
    # argument list via subprocess instead.
    if flag:
        get_nmap = os.popen("nmap -T4 -A -sV -p0-65535 " + target).read()
        if 'Host seems down' in get_nmap:
            get_nmap = os.popen('nmap -T4 -A -sV -Pn -p0-65535 ' +
                                target).read()
    else:
        get_nmap = os.popen("nmap " + target).read()
        if 'Host seems down' in get_nmap:
            get_nmap = os.popen('nmap -T4 -A -sV -Pn ' + target).read()
    # rt: raw matches of the form "<port>/tcp   open   <service>"
    rt = re.findall(r'\d+/tcp[ ]*open[ ]*[a-zA-Z0-9_/?\-]*', get_nmap)
    if rt == []:
        print("\033[1;31;1m[!]目标未开放任何端口或网络不可达\033[0m")
        return 0
    #result list type
    #print(rt)
    # Always true at this point (the empty case returned above).
    if rt != []:
        report.wnmap('Nmap Scan Result', 'Port/Protocal', 'State', 'Service',
                     rt)
    # Rewrite each match in place into {service: port}. The chain is
    # order-sensitive: all spaces are stripped first, then 'open' becomes the
    # single separator that split(' ') relies on; the remaining replace() calls
    # map nmap's service names onto the names brute() is keyed on.
    for i in range(len(rt)):
        print('\033[1;32;1m[+]' + rt[i] + '\033[0m')
        rt[i] = rt[i].replace(' ', '')
        rt[i] = rt[i].replace('/tcp', '')
        rt[i] = rt[i].replace('open', ' ')
        rt[i] = rt[i].replace('netbios-ssn', 'samba')
        rt[i] = rt[i].replace('microsoft-ds', 'smb')
        rt[i] = rt[i].replace('exec', 'rexec')
        rt[i] = rt[i].replace('login', 'rlogin')
        rt[i] = rt[i].replace('shell', 'rlogin')
        rt[i] = rt[i].replace('nfs', 'pcnfs')
        rt[i] = rt[i].replace('ccproxy-ftp', 'ftp')
        rt[i] = rt[i].replace('postgresql', 'postgres')
        rt[i] = rt[i].replace('vnc-1', 'vnc')
        rt[i] = rt[i].replace('vnc-2', 'vnc')
        rt[i] = rt[i].replace('vnc-3', 'vnc')
        rt[i] = rt[i].replace('ms-wbt-server', 'rdp')
        # after split: ['<port>', '<service>']
        rt[i] = rt[i].split(' ')
        rt[i] = {rt[i][1]: rt[i][0]}
    # dict type: {'services': 'port'}:
    #print(rt)
    # merge every {service: port} into d_rt as {service: [port, ...]}
    for i in range(len(rt)):
        for j in rt[i]:
            d_rt.setdefault(j, []).append(rt[i][j])

    # Services that are not handed to brute(); the names are the normalised
    # ones produced above (e.g. 'samba'), plus a few nmap reports verbatim.
    for i in list(d_rt.keys()):
        if i == 'irc' or i == 'unknown' or i == 'X11' or i == 'samba' or i == 'ajp13' or i == 'msrpc' or i == 'IIS' or i == 'iad1' or i == 'ms-lsa' or i == 'NFS-or-IIS' or i == 'LSA-or-nterm' or i == 'http':
            continue
        brute(d_rt, i, target, user, passwd, usfile=ufile, pdfile=pfile)

    # Drain the queue filled by brute(). Each entry is presumably an open
    # file/pipe handle (it is .read() below), with '\x00' standing in for
    # "no result" — confirm against brute().
    while h_q.qsize():
        # print(h_q.empty())
        #if h_q.empty():
        #   break
        # note .get()
        h = h_q.get()
        # print(h)
        if h != '\x00':
            # print(h_q.get())
            h = h.read()
            #print(h)
            # Lines of the form "[port][service] host: <ip> login: <user> password: <pass>";
            # a password with characters outside the class below will not match.
            rst = re.findall(
                r'\[\d+\]\[[a-zA-Z0-9]+\]\s*host:\s*\d+\.\d+\.\d+\.\d+\s*login:\s*[a-zA-Z0-9\-_]+\s*password:\s*[a-zA-Z0-9\-_!@#$%]+',
                h)
            # print the weak passwords that were found
            for i in rst:
                print('\033[1;32;1m' + '[+]' + i + '\033[0m')
                vulnsum.addHigh()
            if rst != []:
                report.whtml('Port weak password', rst)
    # NOTE(review): d_rt values are lists (see setdefault/append above), so this
    # compares the string '445' against list objects and appears never to be
    # true; the intended test is presumably on the port lists themselves.
    if '445' in list(d_rt.values()):
        ms17_010(target)
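def _parse_wapiti_report(html):
    """
    Parse one wapiti HTML report: print and count every summary category with
    a non-zero finding count, then copy the report's table body and details
    div into the HTML report.
    :param html: the report file contents
    :return: None
    """
    # Summary cells in the order wapiti lays them out; cell i holds the count
    # for label i.
    categories = (
        'SQL Injection',
        'Blind SQL Injection',
        'File Handling',
        'Cross Site Scripting',
        'CRLF Injection',
        'Commands execution',
        'Htaccess Bypass',
        'Backup file',
        'Potentially dangerous file',
        'Server Side Request Forgery',
        'Internal Server Error',
        'Resource consumption',
    )
    soup = BeautifulSoup(html, 'html.parser')
    tr = soup('td', 'small .text-centered')
    # zip() stops at the shorter sequence, so a report with fewer summary cells
    # than labels no longer raises IndexError.
    for cell, label in zip(tr, categories):
        count = cell.string
        if count is None:
            # nested markup instead of a bare number: nothing to compare
            continue
        if int(count) > 0:
            print('\033[1;32;1m[+]' + label, count + '\033[0m')
            vulnsum.addHigh()
    page = soup('tbody')
    if page:
        report.tbody(page[0])
    detail = soup('div', id='details')
    # Test the result list, not the soup object (`soup != []` was always true
    # and raised IndexError on a report without a #details div).
    if detail:
        report.wdiv(detail[0])


def wapiti(target):
    """
    Detect and verify XSS, SQL injection, SSRF, command execution and other
    high-risk issues by running wapiti against *target* and parsing the HTML
    report it generates.
    :param target: target url, expected as scheme://host[:port]/...
    :return: None; findings go to stdout, vulnsum and report
    """
    import contextlib
    import subprocess

    # host[:port] of scheme://host[:port]/...; wapiti embeds it in the report name.
    uri = target.split('/')[2]
    # Argument list instead of a shell string: the URL is never re-parsed by a shell.
    out = subprocess.run(['wapiti', '-u', target + '/'],
                         stdout=subprocess.PIPE, universal_newlines=True).stdout
    # Path of the generated report, echoed by wapiti on its console output.
    # uri is escaped so a '.' in the host name matches only a literal dot.
    rst = re.findall(
        r'/[a-zA-Z0-9_\-]*/.wapiti/generated_report/' + re.escape(uri) +
        r'[a-zA-Z\d._]*.html', out)
    #print("wapiti report:",rst)
    if rst:
        report_path = rst[0]
        try:
            with open(report_path, 'r') as fh:
                html = fh.read()
        except FileNotFoundError:
            html = None
        if html is not None:
            _parse_wapiti_report(html)
        # Best-effort clean-up; the report may already be gone.
        with contextlib.suppress(FileNotFoundError):
            os.remove(report_path)
    report.wvuln()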