def do_bomber(self, args):
if len(str(args)) == 0:
cprint('[!]命令bomber用法:\n\tbomber [web/host] file', 'red')
else:
type = args.split()[0]
filepath = args.split()[1]
if type in 'web':
urlist = []
if os.path.isfile(filepath):
with open(filepath) as f:
for line in f.readlines():
line = line.strip()
urlist.append(line)
project = input('[*]请设置project标签: ')
process_num = input('[*]请设置进程并发数: ')
ppool = Pool(int(process_num))
threads = [ppool.spawn(self.routineWeb, project, url) for url in urlist]
gevent.joinall(threads)
elif type in 'host':
hostlist = []
if os.path.isfile(filepath):
with open(filepath) as f:
for line in f.readlines():
line = line.strip()
hostlist.append(line)
project = input('[*]请设置project标签: ')
process_num = input('[*]请设置进程并发数: ')
ppool = Pool(int(process_num))
threads = [ppool.spawn(self.routineHost, project, host) for host in hostlist]
gevent.joinall(threads)
else:
cprint('[!]不是有效文件!!!', 'red')
def sendrequestshead(self, url):
headers = {'User-Agent': findProxy().randomUA()}
targeturl = self.url + url
self.count += 1
#cprint("[*] 加载")
cprint('#Process: {}\t[{:.2%}]{}\r'.format(
targeturl, (self.count / 9739), ' ' * (len(targeturl) - 90)),
'yellow',
attrs=['bold'],
end='',
flush=True)
sys.stdout.flush()
try:
req = requests.head(targeturl,
headers=headers,
verify=False,
timeout=10,
allow_redirects=False)
if req.status_code != 404 and req.status_code != 400 and req.status_code != 412 and req.status_code != 403:
if url in self._403 and req.status_code == 403:
pass
else:
tmpdict = {
'url': targeturl,
'status_code': req.status_code
}
mylog('webpath', True).log.info(pyfancy().green(
'[+]发现web路径: {0}'.format(str(tmpdict))))
self.webpath.append(tmpdict)
except:
pass
gevent.sleep(0)
def do_unconfig(self, args):
if len(str(args)) == 0:
cprint('[!]命令unconfig用法:\n\tunconfig keyname', 'red')
else:
if args in "cookies":
self.cookies = {}
if args in "threads":
self.threads = 10
def do_status(self, instance=None):
tb = pt.PrettyTable()
tb.field_names = ['实例类型', '实例状态', '实例值']
database = db()
# MYSQL状态
if database.connectdb():
dbstatus = '已连接'
else:
dbstatus = '未连接'
dbsize = database.execute(
'SELECT CONCAT(ROUND(SUM(INDEX_LENGTH)+SUM(DATA_LENGTH)/(1024*1024),2),"MB") AS "数据库容量" FROM information_schema.tables WHERE table_schema="SatanSword"')[
0]
tb.add_row(['MySQL', dbstatus, dbsize])
# CMS模块状态
table_status = \
database.execute('SELECT table_name FROM information_schema.TABLES WHERE table_name ="cmsprint"')[0]
if table_status['TABLE_NAME'] == 'cmsprint':
table_status = '已加载'
else:
table_status = '未加载'
count = database.execute('SELECT COUNT(DISTINCT(cmsname)) AS "cms种类" FROM cmsprint')[0]
checksum_num = database.execute('SELECT count(*) AS "Md5指纹" FROM cmsprint WHERE checksum !=""')[0]
keyword_num = database.execute('SELECT count(*) AS "正则指纹" FROM cmsprint WHERE keyword !=""')[0]
tb.add_row(['CMS指纹识别模块', table_status, dict(**count, **checksum_num, **keyword_num)])
# CDN/WAF模块状态
cdnwafdict = cdnwafidentity().cdnwafdb
cdnwafcount = len(cdnwafdict)
printcount = 0
for item in cdnwafdict.values():
printcount += len(item)
tb.add_row(['CDN/WAF模块', '已加载', dict(**{"cdn/waf种类": cdnwafcount}, **{"cdn/waf指纹": printcount})])
# WEB POC模块状态
table_status = \
database.execute('SELECT table_name FROM information_schema.TABLES WHERE table_name ="webexploit"')[0]
if table_status['TABLE_NAME'] == 'webexploit':
table_status = '已加载'
else:
table_status = '未加载'
poccount = database.execute('SELECT COUNT(DISTINCT(vulname)) AS "可利用poc数" FROM webexploit')[0]
tb.add_row(['CMS漏洞验证模块', table_status, dict(**poccount)])
# HOST POC模块状态
table_status = \
database.execute('SELECT table_name FROM information_schema.TABLES WHERE table_name ="hostexploit"')[0]
if table_status['TABLE_NAME'] == 'hostexploit':
table_status = '已加载'
else:
table_status = '未加载'
poccount = database.execute('SELECT COUNT(DISTINCT(vulname)) AS "可利用poc数" FROM hostexploit')[0]
expcount = database.execute('SELECT COUNT(DISTINCT(exp)) AS "可利用exp数" FROM hostexploit')[0]
tb.add_row(['HOST漏洞验证模块', table_status, dict(**poccount, **expcount)])
cprint(tb, 'yellow')
def do_exploit(self, args):
try:
if len(str(args)) == 0:
cprint('[!]命令exploit用法:\n\texploit [web/host] vulname target',
'red')
else:
type = args.split()[0]
vulname = args.split()[1]
target = args.split()[2]
if type in r'web':
exploit = webpocfactory(target, self.cookies, self.threads)
if r'http' in target:
exploit.runpocwithcmsname(vulname)
self.webexeccheck(target)
else:
explist = list()
pool = Pool(10)
with open(target, 'r') as f:
for targetline in f.readlines():
explist.append(targetline.strip('\n').strip())
threads = [
pool.spawn(self.webexecfile, item, vulname)
for item in explist
]
gevent.joinall(threads)
self.webexeccheck(explist)
elif type in r'host':
if re.match(r'[0-9]+.[0-9]+.[0-9]+.[0-9]+', target):
host = target.split(':')[0]
port = target.split(':')[1]
exploit = hostpocfactory(host, port, self.threads)
exploit.runpocwithsysname(vulname)
self.hostexeccheck(host)
else:
pool = Pool(10)
explist = list()
tmpexplist = list()
with open(target, 'r') as f:
for targetline in f.readlines():
explist.append(targetline.strip('\n').strip())
threads = [
pool.spawn(self.hostexecfile, item, vulname)
for item in explist
]
gevent.joinall(threads)
for item in explist:
tmpexplist.append(item.split(":")[0])
self.hostexeccheck(tmpexplist)
else:
cprint(
'[!]命令exploit用法:\n\texploit [web/host] vulname target',
'red')
except Exception as e:
print(e)
def webexeccheck(self, url):
if isinstance(url, list):
sqlstring = 'SELECT * FROM webvulnlist WHERE isvul="True" AND url in ({})'.format(
','.join(["'%s'" % x for x in url]))
else:
sqlstring = 'SELECT * FROM webvulnlist WHERE isvul="True" AND url="{}"'.format(url)
show_result = db().execute(sqlstring)
tb = pt.PrettyTable()
tb.field_names = ['URL', 'VULNAME', 'VURL', 'ISVUL', 'PAYLOAD', 'PROOF', 'EXCEPTION']
for item in show_result:
tb.add_row([item['url'], item['vulname'], item['vulnurl'], item['isvul'], item['payload'], item['proof'],
item['exception']])
cprint(tb, 'red')
def hostexeccheck(self, host):
if isinstance(host, list):
sqlstring = 'SELECT * FROM hostvulnlist WHERE isvul="True" AND vulnhost in ({})'.format(
','.join(["'%s'" % x for x in host]))
else:
sqlstring = 'SELECT * FROM hostvulnlist WHERE isvul="True" AND vulnhost="{}"'.format(host)
show_result = db().execute(sqlstring)
tb = pt.PrettyTable()
tb.field_names = ['HOST', 'PORT', 'VULNAME', 'ISVUL', 'PAYLOAD', 'PROOF', 'EXCEPTION']
for item in show_result:
tb.add_row(
[item['vulnhost'], item['vulnport'], item['vulnname'], item['isvul'], item['payload'], item['proof'],
item['exception']])
cprint(tb, 'red')
def do_banner(self, args):
args = '''
/ )) |\ ) ).
c--. (\ ( `. / ) (\ ( `. ). ( (
| | )) ) ) ( ( `.`. ) ) ( ( ) )
| | ( ( / _..----.._ ) | ( ( _..----.._ ( (
,-. | |---) V.'-------.. `-. )-/.-' ..------ `--) \._
| /===========| | ( | ) ( ``-.`\/'.-'' ( ) ``-._
| | / / / / / | |---------------------> <-------------------------_>=-
| \===========| | ..-'./\.`-.. _,,-'
`-' | |-------._------''_.-'----`-._``------_.-----'
| | ``----'' ``----''
| |
c--` SatanSword
'''
cprint(args, 'magenta', attrs=['bold'])
def do_config(self, args):
if len(str(args)) == 0:
tb = pt.PrettyTable()
tb.field_names = ['配置名称', '属性值']
tb.add_row(['threads', self.threads])
tb.add_row(['cookies', self.cookies])
cprint(tb, 'yellow')
else:
keyname = args.split()[0]
valuename = args.split()[1]
if keyname in r'cookies':
try:
with open(valuename, 'r') as fp:
mycookie = SimpleCookie()
mycookie.load(fp.read())
self.cookies = {key: morsel.value for key, morsel in mycookie.items()}
except:
cprint('[!]请载入cookies文件!!!', 'red')
if keyname in r'threads':
self.threads = int(valuename)
def do_show(self, args):
if len(str(args)) == 0:
cprint('[!]命令show用法:\n\tshow [poc] vulname', 'red')
else:
database = db()
type = args.split()[0]
showname = args.split()[1]
if type in r'poc':
sqlstring = 'SELECT poc FROM (SELECT poc FROM webexploit WHERE vulname="{0}") AS t1 UNION ALL SELECT poc FROM (SELECT poc FROM hostexploit WHERE vulname="{1}") AS t2'.format(
showname, showname)
show_result = database.execute(sqlstring)
sourcecode = show_result[0]['poc']
if sourcecode is None:
cprint('[!] Wooo! 没有poc代码!!!', 'red')
else:
print('\n')
runhighlighting(sourcecode)
print('\n')
elif type in r'vuldb':
sqlstring = 'SELECT filed FROM exploitdb WHERE id={0}'.format(showname)
show_result = database.execute(sqlstring)
exploitcode = show_result[0]['filed']
print('\n')
try:
runhighlighting(exploitcode)
except:
runhighlighting('"""\n{0}\n"""'.format(exploitcode))
print('\n')
else:
cprint('[!]命令show用法:\n\tshow [poc/vuldb] vulname', 'red')
def check(self):
if Envcheck().modulecheck() is not True:
cprint('[-]检查Python模块失败!!!', 'red')
exit(1)
if Envcheck().commandcheck() is not True:
cprint('[-]检查命令模块失败!!!', 'red')
exit(1)
if Envcheck().apicheck() is not True:
cprint('[-]检查api模块失败!!!', 'red')
exit(1)
def do_sniper(self, args):
if len(str(args)) == 0:
cprint('[!]命令sniper用法:\n\tsniper [web/host] project target', 'red')
else:
type = args.split()[0]
project = args.split()[1]
url = args.split()[2]
if type in r'web':
try:
webInstance = webschedule(project, url, self.cookies)
webInstance.runexplore(url)
except Exception as e:
cprint('[!]web调度错误!! 原因: {0}'.format(e))
elif type in r'host':
try:
hostInstence = hostschedule(project, url)
hostInstence.runexplore()
except Exception as e:
cprint('[!]host调度错误!! 原因: {0}'.format(e))
else:
cprint('[!]命令sniper用法:\n\tsniper [web/host] project target', 'red')
def do_search(self, args):
if len(str(args)) == 0:
cprint('[!]命令search用法:\n\tsearch keyword', 'red')
else:
database = db()
keyword = args.split()[0]
# 查询webexploit和hostexploit做表连接
sqlstring = 'SELECT vulname, description, level, param FROM (SELECT vulname, description, level, param FROM webexploit WHERE vulname LIKE "%{0}%") AS t1 UNION ALL SELECT vulname, description, level, param FROM (SELECT vulname, description, level, param FROM hostexploit WHERE vulname LIKE "%{1}%") AS t2'.format(
keyword, keyword)
search_result = database.execute(sqlstring)
tb = pt.PrettyTable()
tb.field_names = ['漏洞名称', '漏洞描述', '漏洞等级', '传递参数']
for item in search_result:
tb.add_row([item['vulname'], item['description'], item['level'], item['param']])
cprint(tb, 'magenta', attrs=['bold'])
cprint("[+]"+"="*20+"| 搜索到{0}个POC |".format(len(search_result))+"="*20, "green")
def do_jsfinder(self, args):
if len(str(args)) == 0:
cprint('[!]命令jsfinder用法:\n\tjsfinder filename', 'red')
else:
try:
pool = Pool(20)
urllist = list()
with open(args, 'r') as fp:
for line in fp.readlines():
urllist.append(line.strip('\n').strip())
threads = [pool.spawn(self.jsfinder_routine, item) for item in urllist]
gevent.joinall(threads)
print('[+]JSFinder搜集子域名如下:\n')
for subdom in self.domains:
cprint('http://' + subdom, 'green')
self.domains = []
except:
cprint('[!]请载入url文件!!!', 'red')
def do_version(self, args): args = 'v0.1' cprint(args, 'cyan')
def do_dirsearch(self, args):
if len(str(args)) == 0:
cprint('[!]命令dirsearch用法:\n\tdirsearch targeturl', 'red')
else:
runApp = dirsearch(args.strip())
runApp.run()
def do_whatcms(self, args):
if len(str(args)) == 0:
cprint('[!]命令whatcms用法:\n\twhatcms targeturl', 'red')
else:
runApp = explore(args.strip())
print(runApp.useCmsprint(False))
