Archivo: xcdn.py Proyecto: 3xp10it/xcdn
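 def domain_has_cdn(self):
     """Decide whether ``self.domain`` appears to sit behind a CDN.

     Two signals are used, in order:

     1. the NS records of the root domain: a name-server host whose name
        mentions a known CDN / cloud provider keyword;
     2. the number of A records of the domain itself: more than one
        address is treated as a CDN front.

     Returns:
         dict: ``{'has_cdn': 1, 'is_cloud_flare': 1}`` when the NS records
         mention cloudflare, ``{'has_cdn': 1, 'is_cloud_flare': 0}`` for any
         other provider keyword or for multiple A records, otherwise
         ``{'has_cdn': 0, 'is_cloud_flare': 0}``.
     """
     import re
     import subprocess

     CLIOutput().good_print("现在检测domain:%s是否有cdn" % self.domain)

     def dig_short(record_type, name):
         # Run ``dig <type> <name> +short`` as an argv list, without a shell.
         # The previous call handed one string-built command line to a helper,
         # so a crafted domain could smuggle extra shell commands into it; the
         # list form passes the name through verbatim. A missing ``dig``
         # binary or a hang is reported as empty output, which keeps the old
         # best-effort behaviour (empty output => "no CDN seen").
         try:
             completed = subprocess.run(
                 ["dig", record_type, name, "+short"],
                 stdout=subprocess.PIPE,
                 stderr=subprocess.DEVNULL,
                 timeout=30,
                 check=False,
             )
         except (OSError, subprocess.TimeoutExpired):
             return ""
         return completed.stdout.decode("utf-8", "ignore")

     # NS records (like MX) are held by the root domain:
     # ``dig +short www.baidu.com ns`` vs ``dig +short baidu.com ns``.
     ns_result = dig_short("ns", get_root_domain(self.domain))

     # Provider keywords looked for in the name-server hostnames. Short words
     # such as "cloud" and "fast" match as substrings of unrelated hosts too,
     # so this is a heuristic rather than a definitive CDN fingerprint.
     cdn_pattern = re.compile(
         r"cloudflare|cdn|cloud|fast|incapsula|photon|cachefly|wppronto"
         r"|softlayer|jsdelivr|akamai",
         re.I,
     )
     cloudflare_pattern = re.compile(r"cloudflare", re.I)

     if cdn_pattern.search(ns_result):
         if cloudflare_pattern.search(ns_result):
             print("has_cdn=1 from ns,and cdn is cloudflare")
             return {'has_cdn': 1, 'is_cloud_flare': 1}
         print("has_cdn=1 from ns")
         return {'has_cdn': 1, 'is_cloud_flare': 0}

     # Fallback: more than one A record is taken as a CDN front.
     a_result = dig_short("a", self.domain)
     ip_count = len(re.findall(r"(?:\d{1,3}\.){3}\d{1,3}", a_result))
     if ip_count > 1:
         return {'has_cdn': 1, 'is_cloud_flare': 0}
     return {'has_cdn': 0, 'is_cloud_flare': 0}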
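 def get_ip_from_mx_record(self):
     """Return the first IPv4 address of each MX host under the root domain.

     Runs ``nslookup -type=mx <root_domain>``, keeps the ``mail exchanger``
     hosts whose name ends in the root domain (third-party mail providers
     are ignored) and resolves each with ``socket.gethostbyname_ex``. Hosts
     that fail to resolve are reported and skipped. Addresses are
     de-duplicated in order of first appearance.

     Returns:
         list[str]: IPv4 addresses, possibly empty.
     """
     import re
     import socket
     import subprocess
     from exp10it import get_root_domain

     print("[*]尝试从mx记录中找和%s顶级域名相同的mx主机" % self.domain)
     # self.domain e.g. www.baidu.com -> root domain baidu.com; MX records
     # live on the root domain.
     root_domain = get_root_domain(self.domain)

     # argv list, no shell: the previous ``shell=True`` command string let a
     # crafted domain inject extra shell commands. stderr is left on the
     # console as before; a missing binary or a hang yields no hosts.
     try:
         completed = subprocess.run(
             ["nslookup", "-type=mx", root_domain],
             stdout=subprocess.PIPE,
             timeout=30,
             check=False,
         )
     except (OSError, subprocess.TimeoutExpired):
         print("[-]nslookup失败,无法读取%s的mx记录" % root_domain)
         return []
     result = completed.stdout.decode("utf-8", "ignore")
     print(result)

     # Windows nslookup prints "mail exchanger = host"; BIND's nslookup
     # prints "mail exchanger = <preference> host.", so the optional
     # preference is skipped rather than captured into the host name.
     # ``re.escape`` handles every regex metacharacter in the root domain,
     # not only ".".
     mx_hosts = re.findall(
         r"mail exchanger = (?:\d+ )?(.*\.%s)" % re.escape(root_domain),
         result)

     ip_list = []
     for host in mx_hosts:
         try:
             addresses = socket.gethostbyname_ex(host)[2]
         except OSError:  # socket.gaierror / socket.herror
             print("[-]无法解析mx主机 %s,跳过" % host)
             continue
         # Only the first address of each host is kept, as before; the
         # emptiness check guards the index.
         if addresses and addresses[0] not in ip_list:
             ip_list.append(addresses[0])
     return ip_list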
Archivo: xcdn.py Proyecto: ziqi521/xcdn
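 def get_ip_from_mx_record(self):
     """Return the first IPv4 address of each MX host under the root domain.

     Runs ``dig <root_domain> +short mx``, keeps the MX hosts whose name
     ends in the root domain (third-party mail providers are ignored) and
     resolves each with ``socket.gethostbyname_ex``. Hosts that fail to
     resolve are reported and skipped. Addresses are de-duplicated in order
     of first appearance.

     Returns:
         list[str]: IPv4 addresses, possibly empty.
     """
     import re
     import socket
     import subprocess
     from exp10it import get_root_domain

     print("尝试从mx记录中找和%s顶级域名相同的mx主机" % self.domain)
     # self.domain e.g. www.baidu.com -> root domain baidu.com; MX records
     # live on the root domain.
     root_domain = get_root_domain(self.domain)

     # argv list, no shell: the previous string-built command let a crafted
     # domain inject extra shell commands. A missing ``dig`` binary or a
     # hang yields no hosts instead of an exception.
     try:
         completed = subprocess.run(
             ["dig", root_domain, "+short", "mx"],
             stdout=subprocess.PIPE,
             stderr=subprocess.DEVNULL,
             timeout=30,
             check=False,
         )
     except (OSError, subprocess.TimeoutExpired):
         print("[-]dig失败,无法读取%s的mx记录" % root_domain)
         return []
     result = completed.stdout.decode("utf-8", "ignore")

     # ``dig +short mx`` prints "<preference> <host>." per line. ``re.escape``
     # replaces the old ``replace(".", "\.")``, whose "\." was an invalid
     # escape in a non-raw string.
     mx_hosts = re.findall(
         r"\d+ (.*\.%s)\." % re.escape(root_domain), result)

     ip_list = []
     for host in mx_hosts:
         print(host)
         try:
             addresses = socket.gethostbyname_ex(host)[2]
         except OSError:  # socket.gaierror / socket.herror
             print("[-]无法解析mx主机 %s,跳过" % host)
             continue
         # Only the first address of each host is kept, as before; the
         # emptiness check guards the index.
         if addresses and addresses[0] not in ip_list:
             ip_list.append(addresses[0])
     return ip_list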
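    def get_ip_value_from_ip138(self):
        """Look up candidate origin IPs for the root domain on site.ip138.com.

        Fetches the ip138 page for the root domain, takes the first five
        IPv4 addresses found in the response body (de-duplicated, page order
        kept) and returns the first one that
        ``self.check_if_ip_is_actual_ip_of_domain`` confirms.

        Returns:
            str | int: a confirmed IPv4 address, or ``0`` when the page could
            not be fetched or no candidate is confirmed.
        """
        print("3)尝试通过顶级域名寻找真实IP")
        headers = {
            'Connection': 'close',
            'User-Agent':
            'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36',
        }
        domain = get_root_domain(self.domain)

        # Certificate verification stays on: the old ``verify=False`` let any
        # on-path party serve a forged page and steer which addresses get
        # tested. Network / TLS failures become the same "nothing found"
        # result (0) that callers already handle.
        try:
            rep_test = requests.get('https://site.ip138.com/{}'.format(domain),
                                    timeout=15,
                                    headers=headers).text
        except requests.RequestException as exc:
            print("[-]访问 ip138 失败: %s" % exc)
            return 0

        # First five addresses on the page; ``dict.fromkeys`` de-duplicates
        # while keeping page order (``list(set(...))`` randomised the order in
        # which candidates were tested).
        all_ips = re.findall(r"((\d{1,3}\.){3}\d{1,3})", rep_test)
        ip_list = list(dict.fromkeys(match[0] for match in all_ips[:5]))
        print(ip_list)

        for each_ip in ip_list:
            try:
                confirmed = self.check_if_ip_is_actual_ip_of_domain(each_ip)
            except Exception:
                print("[-]访问 %s 失败,跳过该IP测试" % each_ip)
                continue
            # The checker's return type is not visible here; keep the explicit
            # comparison with True rather than a truthiness test so a non-bool
            # truthy value does not change the outcome.
            if confirmed == True:
                print(each_ip)
                return each_ip
        return 0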
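def get_sub_domains(target, use_tool="Sublist3r"):
    """Collect sub-domains of *target* with an external enumeration tool.

    Args:
        target: URL with a scheme, e.g. ``http://www.baidu.com``. The host
            (``www.baidu.com``) is reduced to its root domain (``baidu.com``)
            before it is handed to the tool.
        use_tool: ``"Sublist3r"``, ``"subDomainsBrute"`` or ``"all"``.

    Returns:
        The text of ``<logFolderPath>/sub/<host>_sub.txt`` (one sub-domain
        per line); ``""`` when no tool produced output; ``None`` when
        *target* has no scheme / host or *use_tool* is unknown. Results are
        cached: an existing file is returned without re-running any tool.

    Side effects:
        On first use the chosen tool is ``git clone``d into ``ModulePath``
        and its requirements are ``pip install``ed. Nothing pins a revision,
        so whatever the upstream default branch holds at clone time is run
        with this process's privileges; a vetted, pre-installed copy is the
        safer option where that matters.
    """
    import os
    import subprocess
    from urllib.parse import urlsplit

    if not target.startswith(("http://", "https://")):
        print(
            "make sure your para in get_sub_domains func has scheme like http or https"
        )
        return
    # urlsplit keeps paths, ports and userinfo out of the host name; the old
    # ``target.split("/")[-1]`` returned the last path segment instead.
    domain = urlsplit(target).hostname
    if not domain:
        print(
            "make sure your para in get_sub_domains func has scheme like http or https"
        )
        return
    if use_tool not in ("Sublist3r", "subDomainsBrute", "all"):
        print("unknown use_tool %r, expected Sublist3r, subDomainsBrute or all"
              % use_tool)
        return
    figlet2file("geting sub domains", 0, True)

    root_domain = get_root_domain(domain)
    sub_dir = os.path.join(logFolderPath, "sub")
    os.makedirs(sub_dir, exist_ok=True)
    store_file = os.path.join(sub_dir, domain.replace(".", "_") + "_sub.txt")
    sublist3r_dir = os.path.join(ModulePath, "Sublist3r")
    brute_dir = os.path.join(ModulePath, "subDomainsBrute")
    Sublist3r_store_file = "Sublist3r.out.txt"
    subDomainsBrute_store_file = "subDomainsBrute.out.txt"

    def run(argv, cwd=None):
        # argv list, no shell: root_domain and the paths are passed verbatim
        # instead of being interpolated into a command line. Like os.system,
        # a failing command is reported but does not raise.
        try:
            return subprocess.run(argv, cwd=cwd, check=False).returncode
        except OSError as exc:
            print("[-]failed to run %s: %s" % (argv[0], exc))
            return -1

    def append_unique(src, dst):
        # Append the lines of src to dst, skipping lines dst already holds,
        # then delete src. The old loop re-read dst on every iteration, and
        # after the first read the file position was at EOF, so every later
        # comparison was against an empty list.
        if not os.path.exists(src):
            print("[-]%s not found, the tool probably failed" % src)
            return
        seen = set()
        if os.path.exists(dst):
            with open(dst, "r") as existing:
                seen = set(existing)
        with open(src, "r") as infile, open(dst, "a") as outfile:
            for line in infile:
                if line not in seen:
                    outfile.write(line)
                    seen.add(line)
        os.remove(src)

    def Sublist3r():
        # Clone on first use, then run the tool from its own directory so its
        # relative output file lands there. https://github.com/aboul3la/Sublist3r
        if not os.path.exists(sublist3r_dir):
            run(["git", "clone", "https://github.com/aboul3la/Sublist3r.git",
                 sublist3r_dir])
            run(["pip", "install", "-r", "requirements.txt"], cwd=sublist3r_dir)
        run(["python", "sublist3r.py", "-v", "-d", root_domain,
             "-o", Sublist3r_store_file], cwd=sublist3r_dir)

    def subDomainsBrute():
        # Same scheme for https://github.com/lijiejie/subDomainsBrute.git
        if not os.path.exists(brute_dir):
            run(["git", "clone",
                 "https://github.com/lijiejie/subDomainsBrute.git", brute_dir])
            run(["pip", "install", "dnspython"])
        run(["python", "subDomainsBrute.py", "-i",
             "-o", subDomainsBrute_store_file, root_domain], cwd=brute_dir)

    if os.path.exists(store_file):
        # The file exists, so the sub-domains were already collected earlier.
        print("you have got the sub domains last time")
    else:
        if use_tool in ("all", "Sublist3r"):
            Sublist3r()
            append_unique(os.path.join(sublist3r_dir, Sublist3r_store_file),
                          store_file)
        if use_tool in ("all", "subDomainsBrute"):
            subDomainsBrute()
            append_unique(os.path.join(brute_dir, subDomainsBrute_store_file),
                          store_file)

    if not os.path.exists(store_file):
        # No tool produced output; report it instead of raising on open().
        print("no sub domains were collected for %s" % domain)
        return ""

    with open(store_file, "r") as f:
        return f.read()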
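 def domain_has_cdn(self):
     """Decide whether ``self.domain`` appears to sit behind a CDN.

     Two signals are used, in order:

     1. the NS records of the root domain: a name-server host whose name
        mentions a known CDN / cloud provider keyword;
     2. the number of A records of the domain itself: more than one
        address is treated as a CDN front.

     Returns:
         dict: ``{'has_cdn': 1, 'is_cloud_flare': 1}`` when the NS records
         mention cloudflare, ``{'has_cdn': 1, 'is_cloud_flare': 0}`` for any
         other provider keyword or for multiple A records, otherwise
         ``{'has_cdn': 0, 'is_cloud_flare': 0}``.
     """
     import re
     import subprocess

     print("[*]现在检测domain:%s是否有cdn" % self.domain)

     def nslookup(record_type, name):
         # Run ``nslookup -type=<type> <name>`` as an argv list, without a
         # shell: the previous ``shell=True`` command string let a crafted
         # domain inject extra shell commands. A missing binary or a hang is
         # reported as empty output, keeping the old best-effort behaviour
         # (empty output => "no CDN seen").
         try:
             completed = subprocess.run(
                 ["nslookup", "-type=%s" % record_type, name],
                 stdout=subprocess.PIPE,
                 timeout=30,
                 check=False,
             )
         except (OSError, subprocess.TimeoutExpired):
             return ""
         return completed.stdout.decode("utf-8", "ignore")

     # NS records (like MX) are held by the root domain:
     # ``dig +short www.baidu.com ns`` vs ``dig +short baidu.com ns``.
     ns_result = nslookup("ns", get_root_domain(self.domain))

     # The old patterns were built from adjacent string literals, which the
     # parser glues into one string: the provider list became a single long
     # alternation with "(akamai)(cloudflare)" joints, and
     # ``cloudflare_pattern`` required "cloudflare" fourteen times back to
     # back, so the cloudflare branch could never be taken. Short keywords
     # such as "cloud" and "fast" also match unrelated hosts, so this remains
     # a heuristic rather than a definitive fingerprint.
     cdn_pattern = re.compile(
         r"cloudflare|cdn|cloud|fast|incapsula|photon|cachefly|wppronto"
         r"|softlayer|jsdelivr|akamai",
         re.I,
     )
     cloudflare_pattern = re.compile(r"cloudflare", re.I)

     if cdn_pattern.search(ns_result):
         if cloudflare_pattern.search(ns_result):
             print("has_cdn=1 from ns,and cdn is cloudflare")
             return {'has_cdn': 1, 'is_cloud_flare': 1}
         print("has_cdn=1 from ns")
         return {'has_cdn': 1, 'is_cloud_flare': 0}

     # Fallback: more than one A record is taken as a CDN front.
     a_result = nslookup("a", self.domain)
     # nslookup starts with a "Server:" / "Address:" block naming the
     # resolver it used, then a blank line, then the answer. Counting the
     # whole output credited every domain with the resolver's address as
     # well, so only the part after the first blank line is scanned.
     sections = re.split(r"\r?\n\s*\r?\n", a_result, maxsplit=1)
     answer = sections[1] if len(sections) > 1 else ""
     ip_count = len(re.findall(r"(?:\d{1,3}\.){3}\d{1,3}", answer))
     if ip_count > 1:
         return {'has_cdn': 1, 'is_cloud_flare': 0}
     return {'has_cdn': 0, 'is_cloud_flare': 0}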