Ejemplo n.º 1
def uzc():
    """Update one attribute of an asset from the submitted form.

    The form supplies the asset id (``zc_id``), a selector (``type``) and the
    replacement value (``text``).  Selectors '1' to '8' each map to one asset
    attribute; every other selector writes to ``ports``.
    """
    form = UpgradeZcForm(request.form)
    if not form.validate():
        return field.params_error(message=form.get_error())

    selector = form.type.data
    new_value = form.text.data
    asset = Asset.query.get(form.zc_id.data)
    if not asset:
        return field.params_error(message='没有该资产信息')

    attribute_for = {
        '1': 'title',
        '2': 'ip',
        '3': 'cms',
        '4': 'operating_systems',
        '5': 'programming_languages',
        '6': 'web_servers',
        '7': 'web_frameworks',
        '8': 'javascript_frameworks',
    }
    # NOTE(review): an unrecognised selector is not rejected, it overwrites
    # ``ports``. Confirm that UpgradeZcForm restricts ``type`` to known values.
    setattr(asset, attribute_for.get(selector, 'ports'), new_value)
    asset.upgrade_time = datetime.datetime.now()
    db.session.add(asset)
    db.session.commit()
    return field.success('更新成功!')
Ejemplo n.º 2
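def updateuser():
    """Update a user's name, e-mail address and role from the submitted form.

    Returns a parameter error when the form is invalid, the user id is
    unknown or the requested role does not exist; otherwise applies all
    changes in a single commit.
    """
    # NOTE(review): this handler reassigns roles for an arbitrary user id. No
    # permission check is visible in this excerpt; confirm the route is
    # restricted to administrators.
    form = UpdateUserForm(request.form)
    if not form.validate():
        return field.params_error(message=form.get_error())

    username = form.username.data
    user_id = form.user_id.data
    email = form.email.data
    role = form.role.data

    user = User.query.get(user_id)
    # The existence check must come before any attribute access on ``user``;
    # reading user.roles first raised on an unknown id.
    if not user:
        return field.params_error(message='没有该用户!')

    new_role = CMSRole.query.filter_by(name=role).first()
    if not new_role:
        # Reject an unknown role before writing anything, so the account is
        # not left half-updated and the view never returns None.
        return field.params_error(message='没有该角色!')

    user.username = username
    user.email = email

    # Drop the role the user held before (only the first one, as before).
    held_roles = user.roles
    if held_roles:
        previous = CMSRole.query.filter_by(name=held_roles[0].name).first()
        if previous and user in previous.users:
            previous.users.remove(user)
    new_role.users.append(user)  # attach the new role

    db.session.add(user)
    db.session.commit()
    return field.success(message='修改信息成功')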
Ejemplo n.º 3
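def atask():
    """Create a scan task for a submitted URL and start it when possible.

    The task row is stored first.  If the URL is reachable and ``number`` is
    1, the web and host scans are queued; if the URL is not reachable the task
    is closed immediately with an explanatory result.
    """
    form = AddTaskFoem(request.form)
    if not form.validate():
        return field.params_error(message=form.get_error())

    url = form.url1.data
    # TODO: the original plan was to move this check to the front end. A
    # front-end check can be bypassed, so the server-side check should stay.
    if not match_url(url=url):
        return field.params_error(message='URL格式不正确!')
    # NOTE(review): unabletouch() and the scan workers make the server connect
    # to a caller-supplied URL. match_url's rules are not visible here; confirm
    # that loopback, private and metadata addresses are rejected.
    cycle = form.cycle.data
    number = form.number.data
    task = Task(url=url, cycle=IntToString(cycle), number=number,
                user_id=g.cms_user.id, referer='WEB')
    db.session.add(task)
    db.session.commit()

    # Checks whether the URL can be reached; a truthy result means reachable.
    if unabletouch(url=url):
        if number == 1:
            task.state = 'State.ING_SCAN'
            # Persist the state before queuing; the original never committed
            # changes made after the first commit.
            db.session.commit()
            web_scan.delay(url=url, taskid=task.task_id)
            host_scan.delay(url=url, taskid=task.task_id)
        return field.success(message='添加任务成功!')

    # Unreachable URL: close the task straight away and record why.
    task.state = 'State.FINISH_SCAN'
    task.result = str({'status': 'finish','reason':'URL不可达,无法进行扫描'})
    db.session.commit()
    return field.success(message='添加任务完成!')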
Ejemplo n.º 4
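    def post(self):
        """Log a user in with an e-mail address or username plus password.

        On success the user id is stored in the session, the last-login time
        and activation status are updated, and a success response is returned.
        """
        form = LoginForm(request.form)
        if not form.validate():
            return field.params_error(message=form.get_error())

        identifier = form.email.data  # e-mail address or username
        password = form.password.data
        remember = form.remember.data
        user = (User.query.filter_by(email=identifier).first()
                or User.query.filter_by(username=identifier).first())

        # Verify the password before saying anything about the account. The
        # original answered "disabled" first, which told an unauthenticated
        # caller that the account exists and what state it is in.
        if not user or not user.check_password(password):
            return field.params_error(message='邮箱或者密码错误')
        if user.is_use == 'UseEnum.UNUSE':
            return field.unauth_error(message='该用户已经被禁用,请联系超级管理员解决!')

        # Remember the logged-in user in the session.
        session[config['development'].CMS_USER_ID] = user.id
        if remember:
            # With session.permanent = True the session expires after 31 days.
            session.permanent = True
        user.last_login_time = datetime.datetime.now()
        user.is_activate = IntToStatus(1)
        db.session.add(user)
        db.session.commit()
        return field.success(message='登陆成功!')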
Ejemplo n.º 5
def deletezc():
    """Delete the asset whose id arrives in the ``zc_id`` form field."""
    # NOTE(review): unlike the sibling handlers this one reads the id straight
    # from request.form without a form class, and no permission check is
    # visible in this excerpt. Confirm both are handled by the route setup.
    zc_id = request.form.get('zc_id')
    if not zc_id:
        return field.params_error(message='没有接受到参数!')

    target = Asset.query.get(zc_id)
    if not target:
        return field.params_error(message='没有该条资产信息!')

    db.session.delete(target)
    db.session.commit()
    return field.success(message='删除成功!')
Ejemplo n.º 6
def dcms():
    """Delete the CMS fingerprint identified by the form's ``cms_id``."""
    form = DeleteCmsForm(request.form)
    if not form.validate():
        return field.params_error(message=form.get_error())

    fingerprint = Cms_fingerprint.query.get(form.cms_id.data)
    if not fingerprint:
        return field.params_error(message='没有改CMS!')

    db.session.delete(fingerprint)
    db.session.commit()
    return field.success(message='删除成功!')
Ejemplo n.º 7
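def email_captcha():
    """Send a six-character verification code to an unregistered address.

    The address comes from the ``email`` query parameter.  The code is queued
    for delivery by mail and stored in the cache under the address.
    """
    import secrets

    from tasks import send_mail

    email = request.args.get('email')
    if not email:
        return field.params_error('请传递邮箱参数!')
    user = User.query.filter_by(email=email).first()
    if user:
        return field.params_error('该邮箱已经注册,请更换邮箱!')

    # A verification code is a secret, so draw it from the OS random source
    # (secrets) rather than the predictable ``random`` generator.
    alphabet = string.ascii_letters + string.digits
    captcha = "".join(secrets.choice(alphabet) for _ in range(6))
    # The code is deliberately not printed: stdout usually ends up in logs.

    # NOTE(review): no throttling is visible here, so this endpoint will send
    # mail to any address on request. How long the cached code stays valid
    # depends on zlcache.set, which is not shown.
    send_mail.delay('牧羊人邮箱验证码', [email], '您的验证码是:{}'.format(captcha))
    zlcache.set(email, captcha)
    return field.success()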
Ejemplo n.º 8
def tresult():
    """Return the parsed scan results of the task named by ``task_id``."""
    task_id = request.args.get('task_id')
    if not task_id:
        return field.params_error(message='没有传任务ID')

    # NOTE(review): the task is looked up by id only. Whether the caller must
    # own the task (Task rows carry a user_id elsewhere on this page) is not
    # checked here; confirm that is intended.
    task = Task.query.get(task_id)
    if not task:
        return field.params_error(message='没有该任务!')

    result = field.result_parse(task.cms_result, task.result, task.host_result)
    print(result)
    payload = {
        'task_id': task.task_id,
        'result_id': task.result_id,
        'result': result,
    }
    return field.success(message='查询成功', data=payload)
Ejemplo n.º 9
def dadmintask():
    """Delete a task by id unless its scan is still running."""
    form = DeleteAdminTaskForm(request.form)
    if not form.validate():
        return field.params_error(message=form.get_error())

    task = Task.query.get(form.task_id.data)
    if not task:
        return field.params_error(message='未找到该任务!')
    if task.state == 'State.ING_SCAN':
        # A task whose scan is in progress must not be removed.
        return field.params_error(message='任务正在进行中,无法删除!')

    db.session.delete(task)
    db.session.commit()
    return field.success(message='删除任务成功')
Ejemplo n.º 10
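    def get(self):
        """Create, delete or rotate the current user's API secret key.

        The ``type`` query parameter selects the action: '1' generates a key,
        '2' deletes it and '3' replaces it.  A missing or unknown ``type``
        yields a parameter error.
        """
        # NOTE(review): this handler changes state on a GET request, so any
        # page able to trigger a GET in the user's browser can rotate or
        # delete the key. Consider moving it to POST with CSRF protection.
        action = request.args.get('type')
        user = g.cms_user
        if not action:
            return field.params_error(message='没有接收到请求!')

        success_message = {
            '1': '生成密钥成功!',  # generate a key
            '2': '删除密钥成功!',  # delete the key
            '3': '更新密钥成功!',  # rotate the key
        }
        if action not in success_message:
            # The original fell through here and returned None, which Flask
            # reports as a server error.
            return field.params_error(message='不支持的操作类型!')

        # uuid4 is kept so the stored key format does not change; the
        # ``secrets`` module is the documented choice for new token code.
        user.secret_key = '' if action == '2' else str(uuid.uuid4())
        db.session.add(user)
        db.session.commit()
        return field.success(message=success_message[action])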
Ejemplo n.º 11
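def addzc():
    """Create asset rows from finished scan tasks that are flagged for import.

    Runs only when the ``flag`` query parameter is '1'.  Each finished task
    with ``is_add=1`` whose URL is not already an asset is parsed and stored;
    the response reports how many assets were added.
    """
    flag = request.args.get('flag')
    if flag != '1':
        return field.params_error(message='没有接受到参数!')

    import logging

    tasks = Task.query.filter_by(state='State.FINISH_SCAN', is_add=1).all()
    # A set gives constant-time membership tests and covers both the URLs
    # already stored and the ones added during this run.
    seen_urls = {asset.url for asset in Asset.query.all()}
    number = 0

    for task in tasks:
        if not (task.result or task.host_result or task.cms_result):
            continue
        result = field.result_parse(task.cms_result, task.result, task.host_result)
        if not result or task.url in seen_urls:
            continue
        try:
            import pymysql
            # NOTE(review): the ORM sends these values as bound parameters, so
            # escape_string is not needed for SQL safety and stores
            # backslash-escaped text. It is also absent from the top-level
            # package in PyMySQL 1.0+, in which case every asset is skipped.
            # Left as is because readers of header/body may expect this form.
            asset = Asset(
                url=task.url,
                ip=result.get('ip'),
                title=result.get('title'),
                cms=result.get('cms'),
                operating_systems=str(result.get('os')),
                web_servers=str(result.get('web_server')),
                programming_languages=str(result.get('programming_languages')),
                web_frameworks=str(result.get('web_frameworks')),
                javascript_frameworks=str(result.get('js')),
                ports=str(result.get('port')),
                upgrade_time=datetime.datetime.now(),
                header=pymysql.escape_string(str(result.get('header'))),
                body=pymysql.escape_string(str(result.get('body'))),
            )
            db.session.add(asset)
            db.session.commit()
        except Exception:
            # Still best-effort per task, but roll back so a failed commit does
            # not poison the session for the remaining tasks, and leave a
            # trace instead of hiding the failure.
            db.session.rollback()
            logging.getLogger(__name__).exception(
                'addzc: could not store asset for task url %r', task.url)
            continue
        number += 1
        seen_urls.add(task.url)

    return field.success(message='成功更新{}条资产!'.format(number))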
Ejemplo n.º 12
    def post(self):
        """Set the current user's e-mail address to the one in the form."""
        form = ResetEmailForm(request.form)
        if not form.validate():
            return field.params_error(form.get_error())

        # NOTE(review): the address is changed as soon as the form validates.
        # Whether ResetEmailForm proves control of the new address (e.g. with
        # a mailed code) is not visible here; confirm.
        g.cms_user.email = form.email.data
        db.session.commit()
        return field.success()
Ejemplo n.º 13
def utask():
    """Update an existing scan task's URL, cycle and run count.

    With ``number == 1`` the scans are queued immediately and ``next_time`` is
    cleared.  With ``number > 1`` ``next_time`` becomes a comma-separated list
    of run times, one every ``cycle`` days (1 day when ``cycle`` is falsy).
    """
    form = UpgradeTaskForm(request.form)
    if not form.validate():
        return field.params_error(message=form.get_error())

    task_id = form.task_id.data
    cycle = form.cycle.data
    number = form.number.data
    url = form.url1.data
    # NOTE(review): the scan workers connect to this caller-supplied URL.
    # match_url's rules are not visible here; confirm internal addresses are
    # rejected.
    if not match_url(url=url):
        return field.params_error(message='URL格式不正确!')

    task = Task.query.get(task_id)
    if not task:
        return field.params_error(message='未找到该任务')

    # TODO: optimise this code
    if number == 1:
        web_scan.delay(url=url, taskid=task_id)
        host_scan.delay(url=url, taskid=task_id)
        task.next_time = None
    elif number > 1:
        interval_days = int(cycle or 1)
        run_times = [
            (datetime.datetime.now()
             + datetime.timedelta(days=interval_days * step)
             ).strftime('%Y-%m-%d %H:%M:%S')
            for step in range(1, number + 1)
        ]
        task.next_time = ','.join(run_times)

    task.cycle = IntToString(cycle)
    task.url = url
    task.number = number
    task.referer = 'WEB'
    db.session.add(task)
    db.session.commit()
    return field.success(message='更新任务成功')
Ejemplo n.º 14
def uusername():
    """Change the current user's username to the value in the form."""
    form = UusernameForm(request.form)
    if not form.validate():
        return field.params_error(message=form.get_error())

    account = g.cms_user
    account.username = form.username.data
    db.session.add(account)
    db.session.commit()
    return field.success()
Ejemplo n.º 15
def acms():
    """Store a new CMS fingerprint built from the form fields."""
    form = AddCmsForm(request.form)
    if not form.validate():
        return field.params_error(message=form.get_error())

    # NOTE(review): ``re`` looks like a user-supplied regular expression.
    # If the scanner later runs it against responses, confirm it is validated
    # or bounded so a pathological pattern cannot stall a worker.
    fingerprint = Cms_fingerprint(
        url=form.url.data,
        name=form.name.data,
        re=form.re.data,
        md5=form.md5.data,
    )
    db.session.add(fingerprint)
    db.session.commit()
    return field.success(message='增加成功!')
Ejemplo n.º 16
 def post(self):
     """Change the current user's password after checking the old one."""
     form = ResetpwdForm(request.form)
     if not form.validate():
         # NOTE(review): a form error is reported as unauth_error here while a
         # wrong old password is params_error; the sibling handlers use
         # params_error for form errors. Confirm this is intended.
         return field.unauth_error(message=form.get_error())

     current_password = form.oldpwd.data
     replacement = form.newpwd.data
     account = g.cms_user
     if not account.check_password(current_password):
         return field.params_error('旧密码错误!')

     # presumably the model hashes the value on assignment; verify in User
     account.password = replacement
     db.session.commit()
     return field.success()
Ejemplo n.º 17
def ucms():
    """Overwrite an existing CMS fingerprint with the form's values."""
    form = UpgradeCmsForm(request.form)
    if not form.validate():
        return field.params_error(message=form.get_error())

    new_values = {
        'name': form.name.data,
        're': form.re.data,
        'md5': form.md5.data,
        'url': form.url.data,
        'create_time': datetime.datetime.now(),
    }
    fingerprint = Cms_fingerprint.query.get(form.cms_id.data)
    if not fingerprint:
        return field.params_error(message='没有改CMS!')

    for attribute, value in new_values.items():
        setattr(fingerprint, attribute, value)
    db.session.add(fingerprint)
    db.session.commit()
    return field.success(message='修改成功!')
Ejemplo n.º 18
def iskey():
    """Switch API access for a user on or off.

    ``key == 'down'`` stores 'ApiEnum.DOWN'; every other value stores
    'ApiEnum.UP'.
    """
    # NOTE(review): any value other than 'down' enables API access, including
    # a missing or mistyped ``key``. The target user id comes straight from
    # the request and no permission check is visible here; confirm both.
    target_id = request.form.get('user_id')
    requested = request.form.get('key')
    account = User.query.get(target_id)
    print(target_id, requested)
    if not account:
        return field.params_error(message='没有改用户!')

    account.is_api = 'ApiEnum.DOWN' if requested == 'down' else 'ApiEnum.UP'
    db.session.add(account)
    db.session.commit()
    return field.success()
Ejemplo n.º 19
def stopuser():
    """Disable or enable a user account.

    ``status == 'down'`` stores 'UseEnum.UNUSE'; every other value stores
    'UseEnum.USE'.
    """
    # NOTE(review): any value other than 'down' re-enables the account, and
    # the target user id comes straight from the request. No permission check
    # is visible in this excerpt; confirm the route is restricted.
    target_id = request.form.get('user_id')
    requested = request.form.get('status')
    new_state = 'UseEnum.UNUSE' if requested == 'down' else 'UseEnum.USE'

    account = User.query.get(target_id)
    if not account:
        return field.params_error(message='没有该用户!')

    account.is_use = new_state
    db.session.add(account)
    db.session.commit()
    return field.success()
Ejemplo n.º 20
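 def post(self):
     """Replace the current user's avatar with the uploaded image.

     The file is stored under ./static/cms/img/user/ as
     ``<user e-mail>.<extension>``; avatars saved earlier under any allowed
     extension are removed first.
     """
     upload = request.files['avatar_upload']
     # Validate before using the name. The original split the name first and
     # raised on a file name without a dot.
     if (not upload.filename or '.' not in upload.filename
             or not allowd_file(upload.filename)):
         return field.params_error('上传的文件格式不合法,请选择图片格式文件上传!')

     base_path = './static/cms/img/user/'
     extension = upload.filename.rsplit('.', 1)[1]
     # basename() drops any directory part, so neither the e-mail address nor
     # the client-supplied extension can move the file out of base_path.
     stem = os.path.basename(str(g.cms_user.email))
     filename = os.path.basename(stem + '.' + extension)

     # Remove avatars saved earlier under any of the allowed extensions.
     for allowed in config['development'].ALLOWED_EXTENSIONS:
         try:
             os.remove(os.path.join(base_path, stem) + '.' + allowed)
         except OSError:
             pass  # nothing stored under this extension

     upload.save(os.path.join(base_path, filename))
     user = g.cms_user
     user.avatar_path = '/static/cms/img/user/' + filename
     db.session.add(user)
     db.session.commit()
     return field.success('修改头像成功!')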
Ejemplo n.º 21
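def adduser():
    """Create a user with a generated avatar and attach the requested role.

    Returns a parameter error when the form is invalid or the role does not
    exist; otherwise stores the user and the role membership together.
    """
    form = AddUserForm(request.form)
    if not form.validate():
        return field.params_error(message=form.get_error())

    username = form.username.data
    password = form.password.data
    email = form.email.data
    role = form.role.data

    # Resolve the role first. The original created the user, then returned
    # None when the role was unknown, leaving an account without a role.
    role_record = CMSRole.query.filter_by(name=role).first()
    if not role_record:
        return field.params_error(message='没有该角色!')

    # NOTE(review): the avatar path is built by concatenating the e-mail
    # address. Confirm AddUserForm rejects addresses containing path
    # separators before they reach this point.
    avatar = user_avatar.GithubAvatarGenerator()
    path = '../static/cms/img/user/' + email + '.png'
    avatar.save_avatar(filepath='./static/cms/img/user/' + email + '.png')

    # presumably the User model hashes ``password``; verify in the model
    user = User(username=username, password=password, email=email, avatar_path=path)
    db.session.add(user)
    role_record.users.append(user)
    db.session.commit()
    return field.success(message='添加用户成功!')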
Ejemplo n.º 22
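 def post(self):
     """Search stored assets by URL or by a ``key="value"`` expression.

     The ``search`` form field is either a URL (matched against the asset URL
     by domain) or one of ``title="..."``, ``server="..."``, ``os="..."`` and
     ``ip="..."``.  Returns the matching assets as a list of dicts, or a
     parameter error when the query is missing, malformed or matches nothing.
     """
     search = request.form.get('search')
     if not search:
         # The original fell off the end here and returned None.
         return field.params_error(message='没有接受到参数!')

     def quoted_value(key):
         # Extract VALUE from key="VALUE" (case-insensitive); None if absent.
         found = re.search(r'{}="(.*?)"'.format(key), search, re.I)
         return found.group(1) if found else None

     # NOTE(review): ``%`` and ``_`` in the value act as LIKE wildcards inside
     # contains(). Pass autoescape=True if literal matching is intended.
     if match_url(search):
         assets = Asset.query.filter(
             Asset.url.contains(urlTodomain(search))).all()
     else:
         # (prefix tested on the lower-cased input, key in the regex, query)
         lookups = (
             ('title=', 'title',
              lambda value: Asset.query.filter(Asset.title.contains(value))),
             ('server=', 'server',
              lambda value: Asset.query.filter(
                  func.lower(Asset.web_servers).contains(func.lower(value)))),
             ('os', 'os',
              lambda value: Asset.query.filter(
                  func.lower(Asset.operating_systems).contains(
                      func.lower(value)))),
             ('ip', 'ip',
              lambda value: Asset.query.filter_by(ip=value)),
         )
         lowered = search.lower()
         for prefix, key, build_query in lookups:
             if lowered.startswith(prefix):
                 value = quoted_value(key)
                 if value is None:
                     # Known prefix without a quoted value: the original
                     # raised AttributeError on the failed regex match.
                     return field.params_error(message='不支持查询类型!')
                 assets = build_query(value).order_by(
                     Asset.upgrade_time).all()
                 break
         else:
             return field.params_error(message='不支持查询类型!')

     if not assets:
         return field.params_error(message='没有查到相关信息!')

     result_list = [
         {
             'url': asset.url,
             'ip': asset.ip,
             'web_server': asset.web_servers,
             'jsf': asset.javascript_frameworks,
             'pj': asset.programming_languages,
             'wf': asset.web_frameworks,
             'os': asset.operating_systems,
             'cms': asset.cms,
             'title': asset.title,
             'ports': asset.ports,
             'ut': str(asset.upgrade_time),
         }
         for asset in assets
     ]
     return field.success(data=result_list, message='查询成功!')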