def execution(self):
    """Crawl every queued target and probe parameterised URLs with the loaded payloads.

    Seeds the work queue from self.file, self.subdomains_queue and self.target when
    each is set, then drains self.target_url. Every URL containing self.domain is
    fetched once and its body handed to url_extrator; when the URL also carries a
    query string it is re-requested per payload from assault_pre() and a critical
    log entry is written when error_check and receive_check both return truthy.

    The whole loop runs under a single ``except Exception: pass`` (bottom of the
    method), so any unexpected error ends the scan silently with no log entry.
    """
    try:
        if not self.file is None:
            self.initislis_file()
        if not self.subdomains_queue is None:
            self.initialis_subdomain()
        if not self.target is None:
            self.initis()
        while not self.target_url.empty():
            # Each queue entry is itself a queue-like object of URLs for one target.
            target = self.target_url.get()
            # Payload preparation is done once per target and reused for every URL below.
            strike_pre = assault_pre()
            strike_pre.payload_provide()
            while not target.empty():
                original = target.get()
                # print(self.target_url.qsize())
                # url = regex.URL_PATH.sub("=", original)
                """and self.filter_(url,self.requests_seen)"""
                # print("f*****g" + original)
                # Scope check is a plain substring test: any URL merely containing the
                # domain string anywhere (path, query) also passes.
                if self.domain in original:
                    url, data = chambering(original,strike = False)
                    received_ = requester(url,data,GET = True)
                    # NOTE(review): `time` is whatever module-level name is in scope; if it is
                    # the stdlib module this prints its repr rather than a timestamp — confirm.
                    print(f"{blue_green}[+][{time}] Vulnerability scanning is being performed on {original}{end}")
                    if not received_ is None:
                        self.url_extrator(received_.text)
                    else:
                        pass
                    # NOTE(review): nesting of this block under the domain check is inferred
                    # from a whitespace-collapsed source; confirm against the original file.
                    if "=" in original:
                        # Un-poisoned response; passed alongside each payload response to
                        # receive_check below. It is never None-checked, so a failed fetch
                        # raises on `.text` and the outer handler ends the scan.
                        url, data = chambering(original, strike=False)
                        received = requester(url, data, GET=True)
                        for vul_type, category in strike_pre.get_payload_category().items():
                            # category[1] has qsize(), so it is queue-like; category[0] is called
                            # once per queued item (the sibling variant documents it as the
                            # method that walks the payload queue).
                            for count in range(category[1].qsize()):
                                payload = category[0]()
                                url, data = chambering(original,strike = True,payload=payload,type = vul_type)
                                if vul_type in ["SQLi","file_inclusion","command_injection","ssrf"]:
                                    Poisoned = requester(url,data,GET = True)
                                    # BUG: status_code is read before the None check on the next
                                    # line. A None response raises AttributeError, which the outer
                                    # handler swallows — ending the entire scan, not just this URL.
                                    code = Poisoned.status_code
                                    if not Poisoned is None and code < 500 and code != 404:
                                        # NOTE(review): error_check receives the response object here
                                        # but its .text in the sibling execution() variant, and the
                                        # comparison helper is named receive_check here vs attack_check
                                        # there — confirm which signature is current.
                                        if error_check(Poisoned):
                                            if receive_check(received.text,Poisoned.text,vul_type,payload):
                                                message = vul_message(vul_type,original,payload)
                                                self.logger.critical(message)
                                            else:
                                                pass
                                        else:
                                            pass
    except Exception:
        # Swallows every error from the whole loop (including the AttributeError noted
        # above); the scan can stop early with nothing logged.
        pass
def execution(self):
    """Crawl every queued target and probe parameterised URLs with the loaded payloads.

    (Original note, translated: "run the attack".) Seeds the work queue from
    self.file, self.subdomains_queue and self.target when each is set, then drains
    self.target_url. Every URL containing self.domain is fetched once (with
    self.cookie and self.proxy) and its body handed to url_extrator; a 403 rotates
    self.proxy from self.proxy_queue. When the URL also carries a query string it
    is re-requested per payload from assault_pre() and a critical log entry is
    written when error_check and attack_check both return truthy.

    The loop runs under a single ``except Exception: pass``, so any unexpected
    error ends the scan silently with no log entry.
    """
    try:
        if not self.file is None:  # load targets from the file
            self.initislis_file()
        if not self.subdomains_queue is None:
            self.initialis_subdomain()
        if not self.target is None:
            self.initis()
        while not self.target_url.empty():
            # Each queue entry is itself a queue-like object of URLs for one target.
            target = self.target_url.get()
            #
            # strike_pre = assault_pre()
            # strike_pre.payload_provide()
            while not target.empty():
                original = target.get()
                # url = regex.URL_PATH.sub("=", original)
                """and self.filter_(url,self.requests_seen)"""
                # Target belongs to the supplied domain, e.g. baidu.com/a/b/text?a=2&b=21
                # belongs to baidu.com (author's example). This is a plain substring test,
                # so any URL merely containing the domain string (path, query) also passes.
                if self.domain in original:
                    url, data = chambering(original,strike = False)
                    received_ = requester(url,data,GET = True,cookie = self.cookie,proxy = self.proxy)
                    # A 403 is taken to mean the current proxy was banned: rotate to the next one.
                    # Only self.proxy changes; the 403 response itself is still used below.
                    if not received_ is None and received_.status_code == 403:
                        if not self.proxy_queue is None and not self.proxy_queue.empty():
                            self.proxy = get_proxy(self.proxy_queue)
                    # NOTE(review): `time` is whatever module-level name is in scope; if it is
                    # the stdlib module this prints its repr rather than a timestamp — confirm.
                    print(f"{blue_green}[+][{time}] Vulnerability scanning is being performed on {original}{end}")
                    if not received_ is None:
                        self.url_extrator(received_.text)  # keep extracting URLs from this domain into the targets
                    else:
                        pass
                    # NOTE(review): nesting of this block under the domain check is inferred
                    # from a whitespace-collapsed source; confirm against the original file.
                    if "=" in original:  # the URL has parameters
                        url, data = chambering(original, strike=False)
                        # Payload preparation is rebuilt for every parameterised URL (the commented
                        # lines above show it was once hoisted per target) — a cost, not a behaviour
                        # change, assuming payload_provide() is idempotent.
                        strike_pre = assault_pre()  # instantiate the payload pre-processing class
                        strike_pre.payload_provide()  # load payloads
                        # Un-poisoned baseline; never None-checked, so a failed fetch raises on
                        # `.text` below and the outer handler ends the scan.
                        received = requester(url, data, GET=True,cookie = self.cookie,proxy = self.proxy)
                        for vul_type, category in strike_pre.get_payload_category().items():
                            for count in range(category[1].qsize()):  # category[1] is the payload queue
                                payload = category[0]()  # category[0] is the method that walks the payload queue
                                url, data = chambering(original,strike = True,payload=payload,type = vul_type)
                                if vul_type in ["SQLi","XSS","file_inclusion","command_injection","ssrf"]:
                                    Poisoned = requester(url,data,GET = True,cookie = self.cookie,proxy = self.proxy)
                                    if not Poisoned is None and Poisoned.status_code < 400:  # the probe got a response
                                        if error_check(Poisoned.text):  # the page exists
                                            if attack_check(received.text,Poisoned.text,vul_type,payload):  # the pages differ
                                                message = vul_message(vul_type,original,payload)  # report that the probe completed
                                                self.logger.critical(message)
                                            else:
                                                pass
                                        else:
                                            pass
    except Exception:
        # Swallows every error from the whole loop; the scan can stop early with nothing logged.
        pass
def proxy_ip3366(self):
    """Scrape proxy rows from pages 1-10 of ip3366 and queue (ip, port, type) tuples on self.container.

    Each page is fetched through requester() with no timeout, whitespace is stripped
    with regex.Espace_eliminate, and the ip/port/type regexes under
    self.dic['ip3366'] are zipped positionally — so one missed match in any column
    shifts every later row. Any failure on a page is discarded by the bare ``except``.
    """
    for page in range(1,11):
        try:
            url, params = chambering(f"http://www.ip3366.net/?stype=1&page={page}", strike=False)
            # timeout=None: a stalled connection blocks this thread indefinitely.
            result = requester(url,params,GET=True,timeout=None)
            # No None check: other callers in this file test requester()'s result for None
            # first; here a failed fetch raises AttributeError and is swallowed below.
            text = regex.Espace_eliminate.sub("",result.text)
            proxy_ips, proxy_ports, proxy_types = self.dic['ip3366']['ip'].finditer(text),\
                self.dic['ip3366']['port'].finditer(text),\
                self.dic['ip3366']['type'].finditer(text)
            for ips, ports, types in zip(proxy_ips, proxy_ports, proxy_types):
                # `type` shadows the builtin for the rest of the loop body.
                ip, port, type = self.dic['ip3366']['sub'].sub(" ",ips.group()),\
                    self.dic['ip3366']['sub'].sub(" ",ports.group()),\
                    self.dic['ip3366']['sub'].sub(" ",types.group())
                # SECURITY: eval() on text scraped from a third-party web page. The round trip
                # str(tuple) -> strip whitespace -> eval rebuilds the tuple only while the
                # scraped fields stay inside their repr() quoting; whether a crafted page can
                # break out depends on what regex.Espace_eliminate removes, which is not
                # visible here. ast.literal_eval gives the same result without that exposure.
                proxy = eval(regex.Espace_eliminate.sub("", str((ip,port,type.lower()))))
                self.logger.info(f"ip : {proxy[0]} port : {proxy[1]} type : {proxy[2]}")
                self.container.put(proxy)
        except:
            # Bare except also catches KeyboardInterrupt/SystemExit and logs nothing.
            pass
def generator_proxies(self):
    """Scrape each source in self.list_name that has regexes in self.dic and queue (ip, port, type) tuples.

    origin_proxies[name] supplies the source URL; requester() fetches it with no
    timeout; the ip/port/type regexes are zipped positionally, so one missed column
    shifts all later rows. Only ips accepted by Filter.filter(ip, self.filter_proxy)
    are kept. There is no None check on the response and no exception handling, so
    one failing source aborts the whole run.
    """
    for name in self.list_name:
        if name in self.dic:
            url,params = chambering(origin_proxies[name],strike=False)
            result = requester(url,params,GET=True,timeout=None)  # timeout=None: may block indefinitely
            # No None check: other callers in this file test requester()'s result for None first.
            response = regex.Espace_eliminate.sub("",result.text)
            ips, ports, types = self.dic[name]['ip'].finditer(response),\
                self.dic[name]['port'].finditer(response),\
                self.dic[name]['type'].finditer(response)
            for i, j, k in zip(ips,ports,types):
                ip = self.dic[name]['sub'].sub(" ", i.group())
                port = self.dic[name]['sub'].sub(" ", j.group())
                type = self.dic[name]['sub'].sub(" ", k.group())  # shadows the builtin `type`
                # self.count = self.count+1
                # print((ip, port, type))
                if Filter.filter(ip,self.filter_proxy):
                    # SECURITY: eval() on text scraped from a third-party web page. Whether a
                    # crafted page can escape the repr() quoting depends on what
                    # regex.Espace_eliminate removes (not visible here); ast.literal_eval gives
                    # the same tuple without executing page content.
                    proxy = eval(regex.Espace_eliminate.sub("", str((ip, port, type.lower()))))
                    self.logger.info(f"ip : {proxy[0]} port : {proxy[1]} type : {proxy[2]}")
                    self.container.put(proxy)
def generator_proxies(self):
    '''
    Fetch usable proxies from the default proxy sources (those defined in list_name).

    For each name present in self.dic, origin_proxies[name] is fetched through
    requester() with no timeout; a None response skips the source. The ip/port/type
    regexes are zipped positionally, so one missed column shifts all later rows.
    Only ips accepted by Filter.filter(ip, self.filter_proxy) are queued on
    self.container as (ip, port, type) tuples.
    '''
    for name in self.list_name:
        if name in self.dic:
            url, params = chambering(origin_proxies[name], strike=False)
            result = requester(url, params, GET=True, timeout=None)  # timeout=None: may block indefinitely
            if result == None:  # style: `result is None` is the idiomatic test
                continue
            response = regex.Espace_eliminate.sub("", result.text)
            ips, ports, types = self.dic[name]['ip'].finditer(response),\
                self.dic[name]['port'].finditer(response),\
                self.dic[name]['type'].finditer(response)
            for i, j, k in zip(ips, ports, types):
                ip = self.dic[name]['sub'].sub(" ", i.group())
                port = self.dic[name]['sub'].sub(" ", j.group())
                type = self.dic[name]['sub'].sub(" ", k.group())  # shadows the builtin `type`
                # self.count = self.count+1
                # print((ip, port, type))
                if Filter.filter(ip, self.filter_proxy):  # not a special file link, so add it to the proxy set
                    # SECURITY: eval() on text scraped from a third-party web page. Whether a
                    # crafted page can escape the repr() quoting depends on what
                    # regex.Espace_eliminate removes (not visible here). The commented
                    # alternative below (author's "safe string-to-tuple method") or
                    # ast.literal_eval gives the same tuple without executing page content.
                    proxy = eval(regex.Espace_eliminate.sub("", str((ip, port, type.lower()))))
                    # temp=r.replace('(','').replace(')','')  # safe string-to-tuple method
                    # a=tuple([int(i) for i in temp.split(',')])
                    self.logger.info(f"ip : {proxy[0]} port : {proxy[1]} type : {proxy[2]}")
                    self.container.put(proxy)
def proxy_iphuan(self):
    """Scrape proxy rows from ip.ihuan.me list pages and queue (ip, port, "http") tuples on self.container.

    NOTE(review): this routine looks unfinished — several calls below pass the wrong
    object type and would raise on first use (see the per-line comments). Untested
    as written.
    """
    url, params = chambering("https://ip.ihuan.me/", strike=False)
    # `url` is immediately re-bound from chambering()'s URL to the response object,
    # and the literal URL is passed instead of the chambered one.
    url = requester("https://ip.ihuan.me/", params, GET=True, timeout=None)
    # No None check before `.text`: a failed fetch raises AttributeError here.
    links = [
        link.group()
        for link in self.dic['ip_huan']['link'].finditer(url.text)
    ]
    print(links)  # debug output left in
    for i in range(len(links)):  # style: iterate `links` directly
        # print("".join(["https://ip.ihuan.me/",links[i]]))
        link = self.dic['ip_huan']['sub'].sub("", links[i])
        print(link)  # debug output left in
        # BUG(probable): every other requester() call in this file passes (url, params,
        # GET=True, ...); this single-argument call does not match that signature.
        result = requester("".join(["https://ip.ihuan.me/", link]))
        # BUG: `result` is the response object, not its text; re.sub needs a str.
        text = regex.Espace_eliminate.sub("", result)
        proxy_ips, proxy_ports = self.dic['ip_huan']['ip'].finditer(text),\
            self.dic['ip_huan']['port'].finditer(text)
        for ips, ports in zip(proxy_ips, proxy_ports):
            # BUG: `ports` is a Match object; `.sub()` needs `ports.group()` as in the
            # sibling scrapers. `type` shadows the builtin.
            ip, port, type = ips.group(),\
                self.dic['ip_huan']['sub'].sub(" ",ports),\
                "http"
            # print(ip)
            self.container.put((ip, port, type))
def check_waf(target, logger_type, proxy = None):
    """Send each waf_checker probe at *target* and match error responses against data/waf_signature.

    Parameters:
        target: URL to probe. Re-bound to chambering()'s output inside the loop, so
            every probe after the first is built from an already-transformed value.
        logger_type: passed to factory_logger to build the "Waf" logger.
        proxy: forwarded to requester().

    Returns None; the outcome goes to logger.info or a console print.

    NOTE(review): as written the matching state never survives a positive score —
    see the comments on waf_match below — so the function either prints
    "No firewall detected" or raises ValueError after the loop.
    """
    # folder = Path.cwd().parent
    # waf_file = str(folder / "data/waf_signature")
    waf_file = "data/waf_signature"  # relative to the current working directory, not to this module
    logger = factory_logger(logger_type,target,"Waf")
    with open(waf_file,'r') as loader:  # platform-default encoding; pass encoding explicitly
        waf_data = json.load(loader)
    # waf_match: {best_score: waf_info}. Seeded with 0 so the first positive score wins.
    waf_match = {0: None}
    waf_info = {'company': None, 'waf_type': None, 'bypass_known': None}
    for intruder in waf_checker:
        try:
            # BUG: `target` is overwritten here, so from the second probe onwards
            # chambering() receives its own previous output rather than the caller's URL.
            target, payload = chambering(target, strike=True, payload=intruder)
            response = requester(target, payload, GET=True, timeout=5, proxy=proxy)
            if not response is None:
                page, code, headers = response.text, response.status_code, response.headers
                if code >= 400:
                    # `match` is reset once per probe, not per signature, so each signature
                    # inherits the hits of the ones before it.
                    match = 0
                    for waf_name, waf_signature in waf_data.items():
                        if re.search(waf_signature['regex'],page,re.I):
                            match = match + 1
                        if "code" in waf_signature:
                            # BUG: `code` is an int; re.search needs str/bytes -> TypeError, swallowed below.
                            if re.search(waf_signature['code'],code,re.I):
                                match = match + 1
                        if "header" in waf_signature:
                            # BUG: `headers` is presumably a mapping (requests-style), not a str
                            # -> TypeError, swallowed below.
                            if re.search(waf_signature["header"],headers,re.I):
                                match = match +1
                        if match > max(waf_match,key=waf_match.get):
                            waf_info['company'] = waf_name
                            waf_info['waf_type'] = waf_signature['name']
                            if 'bypass_known' not in waf_signature:
                                waf_info['bypass_known'] = None
                            else:
                                waf_info['bypass_known'] = waf_signature['bypass_known']
                            waf_match.clear()
                            # BUG: this is an annotation statement, not an assignment (`:` where
                            # `=` was meant) — nothing is stored, waf_match is now empty, and the
                            # next max() raises ValueError (swallowed here, unhandled after the loop).
                            waf_match[match] : waf_info
        except Exception:
            # Every probe error (network, the TypeErrors above) is discarded without logging.
            pass
    if max(waf_match,key=waf_match.get) > 0:
        # Unreachable as written (waf_match never gains a positive key); would log the
        # integer score rather than waf_info if it were reached.
        logger.info(match)
    else:
        print(f"{green}[!][{time}] Waf Information : No firewall detected !{end}")
def detect_info(target, logger_type):
    """Fingerprint *target*'s middleware via the whatweb.bugscaner.com API and log the result.

    Parameters:
        target: URL to fingerprint; fetched once through chambering()/requester().
        logger_type: passed to factory_logger to build the "middleware" logger.

    Returns the filled ``info`` dict on the success branch and None (implicitly) on
    the error branch, so callers must not assume a dict comes back.

    SECURITY/PRIVACY: the target's full response body, URL and headers are
    compressed and POSTed over plain HTTP to a third-party service, and that
    service's reply is logged as-is. Anyone on the network path can read the
    scanned content or substitute the fingerprint result.
    """
    logger_middle = factory_logger(logger_type, target, "middleware")
    print(f"{red}[!][{time}] Collecting middleware information....{end}")
    info = {
        'Waf': None,
        'CDN': None,
        'CMS': None,
        'Web Servers': None,
        'Web Frameworks': None,
        'Operating Systems': None,
        'JavaScript Frameworks': None,
        'Programming Languages': None
    }
    # 'CMS' is in `info` but missing here, so it is never populated.
    keys = [
        'Waf', 'CDN', 'Web Servers', 'Web Frameworks', 'Operating Systems',
        'JavaScript Frameworks', 'Programming Languages'
    ]
    url, data = chambering(target, strike=False)
    try:
        response = requester(url, data, GET=True)
        # No None check: a failed fetch raises AttributeError and lands in the except below.
        whatweb_dict = {
            "url": response.url,
            "text": response.text,
            "headers": dict(response.headers)
        }
        whatweb_dict = json.dumps(whatweb_dict)
        whatweb_dict = whatweb_dict.encode()
        whatweb_dict = zlib.compress(whatweb_dict)
        data = {"info": whatweb_dict}
        # Plain-HTTP upload of the scanned page to a third party (see docstring); no timeout.
        result = requests.post("http://whatweb.bugscaner.com/api.go", files=data)
        data_json = result.json()
        data = dict(data_json)
    except Exception:
        # BUG: on any failure `data` keeps whatever was bound last — chambering()'s
        # second return value or the {"info": ...} upload dict — neither contains
        # 'error', so the success branch below runs on non-API data and logs a
        # mostly-empty info without signalling the failure.
        pass
    if 'error' not in data:
        for key in keys:
            if key in dict(data):
                info[key] = data[key]
        logger_middle.info(info)
        return info
    else:
        info.clear()
        info['message'] = "Error Message!"
        logger_middle.info(info)
def initialis_subdomain(self):
    """Drain the subdomain queue, fetch each entry and feed the page to url_extrator.

    (Original note, translated: "pull URLs out of the subdomain queue and add them
    to the targets".) Each entry from self.subdomains_queue is normalised with
    chambering(), fetched with requester() under a 5 second timeout, and its body
    passed to url_extrator when a response came back; a None response is skipped.
    One ``except Exception: pass`` wraps the whole loop, so a single failure drops
    every remaining queue entry silently.
    """
    try:
        while not self.subdomains_queue.empty():
            candidate = self.subdomains_queue.get()
            endpoint, params = chambering(candidate, strike = False)
            page = requester(endpoint, params, GET=True, timeout = 5)
            if page is not None:
                self.url_extrator(page.text)
    except Exception:
        # Best-effort by design; nothing is logged and the remaining entries are lost.
        pass
def initislis_file(self):
    """Load domains from self.file and seed the targets with the links each page yields.

    (Original note, translated: "extract URLs from the domains in the file and add
    them to the targets".) file_handler() returns a queue-like object; every entry
    is normalised with chambering(), fetched with requester() (no timeout, unlike
    initialis_subdomain) and, when a response came back, passed to url_extrator.
    One ``except Exception: pass`` wraps the whole loop, so a single failure drops
    every remaining entry silently.
    """
    try:
        pending = file_handler(self.file)
        while not pending.empty():
            entry = pending.get()
            endpoint, params = chambering(entry, strike = False)
            page = requester(endpoint, params, GET=True)
            if page is not None:
                self.url_extrator(page.text)
    except Exception:
        # Best-effort by design; nothing is logged and the remaining entries are lost.
        pass
def proxy_xiladaili(self):
    """Scrape proxy rows from xiladaili and queue (ip, port, type) tuples on self.container.

    The page is fetched through requester() with no timeout; the ip regex yields
    "host:port" strings which are split on ":" and zipped positionally with the
    type regex, so one missed column shifts all later rows. No None check and no
    exception handling: a failed fetch or an unexpected row aborts the run.
    """
    url, params = chambering("http://www.xiladaili.com", strike=False)
    result = requester(url,params,GET=True,timeout=None)  # timeout=None: may block indefinitely
    # No None check: other callers in this file test requester()'s result for None first.
    text = regex.Espace_eliminate.sub("",result.text)
    proxy_ips,proxy_types = self.dic['xiladaili']['ip'].finditer(text),\
        self.dic['xiladaili']['type'].finditer(text)
    for ips, types in zip(proxy_ips,proxy_types):
        # `type` shadows the builtin for the rest of the loop body.
        ip, type = self.dic['xiladaili']['sub'].sub(" ",ips.group()),\
            self.dic['xiladaili']['sub'].sub(" ",types.group())
        # SECURITY: eval() on text scraped from a third-party web page. Whether a crafted
        # page can escape the repr() quoting depends on what regex.Espace_eliminate
        # removes (not visible here); ast.literal_eval gives the same tuple without
        # executing page content.
        pro = eval(regex.Espace_eliminate.sub("", str((ip,type.lower()))))
        # Assumes pro[0] is "host:port"; a row without ":" raises IndexError here.
        proxy = (pro[0].split(":")[0],pro[0].split(":")[1],pro[1])
        self.logger.info(f"ip : {proxy[0]} port : {proxy[1]} type : {proxy[2]}")
        self.container.put(proxy)
def initis(self):
    """Fetch the configured start URL and seed the target set from its links.

    (Original note, translated: "visit the original URL, crawl the page's URLs and
    add them to the target URLs".) self.target is normalised by chambering() and
    fetched by requester(); the response body goes to url_extrator. Unlike
    initialis_subdomain / initislis_file there is no None check and no handler,
    so a failed fetch surfaces to the caller as an AttributeError on ``.text``.
    """
    endpoint, params = chambering(self.target, strike=False)
    page = requester(endpoint, params, GET=True)
    self.url_extrator(page.text)
def check_waf(target, logger_type, proxy = None):
    """Send each waf_checker probe at *target* and match error responses against data/waf_signature.

    Parameters:
        target: URL to probe; must contain "=" or the whole process exits.
        logger_type: passed to factory_logger to build the "Waf" logger.
        proxy: forwarded to requester().

    Returns None; the outcome goes to logger.info or a console print.

    NOTE(review): as written the matching state never survives a positive score —
    see the comments on waf_match below — so the function either prints
    "No firewall detected" or raises ValueError after the loop.
    """
    original_target = target
    if "=" not in original_target:  # check the URL is usable (needs a query parameter)
        print(f"{red}[!][{time}] Please provide a url with parameters! {end}")
        # quit() ends the whole process from inside a library function (and is a
        # site-module builtin, absent under `python -S`); raise or return instead.
        quit()
    # folder = Path.cwd().parent  # for debugging
    # waf_file = str(folder / "data/waf_signature")
    waf_file = "data/waf_signature"  # relative to the current working directory, not to this module
    logger = factory_logger(logger_type,target,"Waf")
    with open(waf_file,'r') as loader:  # load WAF fingerprint data; platform-default encoding
        waf_data = json.load(loader)
    # waf_match: {best_score: waf_info}. Seeded with 0 so the first positive score wins.
    waf_match = {0: None}
    waf_info = {'company': None, 'waf_type': None, 'bypass_known': None}
    for intruder in waf_checker:  # load the fuzz payloads and test the WAF
        try:
            # Payload class is guessed from the first character alone.
            intruder_type = "XSS" if intruder.startswith("<") else "SQLi"
            # chambering() returns e.g. ('www.baidu.com', {'a': '1', 'bb': '22'}) (author's
            # example). original_target keeps the caller's URL intact across iterations.
            target, payload = chambering(original_target, strike=True, payload=intruder,type = intruder_type)
            response = requester(target, payload, GET=True, timeout=5, proxy=proxy)  # send the payload
            print(f"{purple}[~][{time}] using {intruder} to detect WAF !{end}")
            if not response is None:
                page, code, headers = response.text, response.status_code, response.headers
                if code >= 400:
                    # `match` is reset once per probe, not per signature, so each signature
                    # inherits the hits of the ones before it.
                    match = 0
                    for waf_name, waf_signature in waf_data.items():  # match the response against the fingerprint library, case-insensitively
                        if re.search(waf_signature['regex'],page,re.I):
                            match = match + 1
                        if "code" in waf_signature:
                            # BUG: `code` is an int; re.search needs str/bytes -> TypeError, swallowed below.
                            if re.search(waf_signature['code'],code,re.I):
                                match = match + 1
                        if "header" in waf_signature:
                            # BUG: `headers` is presumably a mapping (requests-style), not a str
                            # -> TypeError, swallowed below.
                            if re.search(waf_signature["header"],headers,re.I):
                                match = match +1
                        if match > max(waf_match,key=waf_match.get):  # the largest key in waf_match is the current best score
                            waf_info['company'] = waf_name
                            waf_info['waf_type'] = waf_signature['name']
                            if 'bypass_known' not in waf_signature:  # check whether a bypass entry is recorded
                                waf_info['bypass_known'] = None
                            else:
                                waf_info['bypass_known'] = waf_signature['bypass_known']
                            waf_match.clear()
                            # BUG: this is an annotation statement, not an assignment (`:` where
                            # `=` was meant) — nothing is stored, waf_match is now empty, and the
                            # next max() raises ValueError (swallowed here, unhandled after the loop).
                            waf_match[match] : waf_info
        except Exception:
            # Every probe error (network, the TypeErrors above) is discarded without logging.
            pass
    if max(waf_match,key=waf_match.get) > 0:  # report the matched WAF information
        # Unreachable as written (waf_match never gains a positive key); would log the
        # integer score rather than waf_info if it were reached.
        logger.info(match)
    else:
        print(f"{green}[!][{time}] Waf Information : No firewall detected !{end}")
def check_waf(target, logger_type, proxy = None):
    """Send each waf_checker probe at *target* and match error responses against data/waf_signature.

    Parameters:
        target: URL to probe; must contain "=" or the whole process exits.
        logger_type: passed to factory_logger to build the "Waf" logger.
        proxy: forwarded to requester().

    Returns None; the outcome goes to logger.info or a console print.

    NOTE(review): as written no probe can ever be evaluated — `code` is read before
    it is assigned (see below), the NameError is swallowed, and the function always
    prints "No firewall detected".
    """
    original_target = target
    if "=" not in original_target:
        print(f"{red}[!][{time}] Please provide a url with parameters! {end}")
        # quit() ends the whole process from inside a library function (and is a
        # site-module builtin, absent under `python -S`); raise or return instead.
        quit()
    # folder = Path.cwd().parent
    # waf_file = str(folder / "data/waf_signature")
    waf_file = "data/waf_signature"  # relative to the current working directory, not to this module
    logger = factory_logger(logger_type,target,"Waf")
    with open(waf_file,'r') as loader:  # platform-default encoding; pass encoding explicitly
        waf_data = json.load(loader)
    # waf_match: {best_score: waf_info}. Seeded with 0 so the first positive score wins.
    waf_match = {0: None}
    waf_info = {'company': None, 'waf_type': None, 'bypass_known': None}
    for intruder in waf_checker:
        try:
            # Payload class is guessed from the first character alone.
            intruder_type = "XSS" if intruder.startswith("<") else "SQLi"
            target, payload = chambering(original_target, strike=True, payload=intruder,type = intruder_type)
            response = requester(target, payload, GET=True, timeout=5, proxy=proxy)
            print(f"{purple}[~][{time}] using {intruder} to detect WAF !{end}")
            # BUG: `code` is not assigned until the line after this test, so this raises
            # NameError on every iteration (swallowed below). The None check must also come
            # first, before anything is read from `response`.
            if code >= 400 and not response is None:
                # `match` is reset once per probe, not per signature, so each signature
                # inherits the hits of the ones before it.
                match = 0
                page, code, headers = response.text, response.status_code, response.headers
                for waf_name, waf_signature in waf_data.items():
                    if re.search(waf_signature['regex'],page,re.I):
                        match = match + 1
                    if "code" in waf_signature:
                        # BUG: `code` is an int; re.search needs str/bytes -> TypeError.
                        if re.search(waf_signature['code'],code,re.I):
                            match = match + 1
                    if "header" in waf_signature:
                        # BUG: `headers` is presumably a mapping (requests-style), not a str.
                        if re.search(waf_signature["header"],headers,re.I):
                            match = match +1
                    if match > max(waf_match,key=waf_match.get):
                        waf_info['company'] = waf_name
                        waf_info['waf_type'] = waf_signature['name']
                        if 'bypass_known' not in waf_signature:
                            waf_info['bypass_known'] = None
                        else:
                            waf_info['bypass_known'] = waf_signature['bypass_known']
                        waf_match.clear()
                        # BUG: annotation statement, not an assignment (`:` where `=` was meant);
                        # nothing is stored and waf_match is left empty.
                        waf_match[match] : waf_info
        except Exception:
            # Every probe error (including the NameError above) is discarded without logging.
            pass
    if max(waf_match,key=waf_match.get) > 0:
        # Unreachable as written; would log the integer score rather than waf_info.
        logger.info(match)
    else:
        print(f"{green}[!][{time}] Waf Information : No firewall detected !{end}")