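def _initHttpClient():
    """Build the ``Http`` client used for Google Custom Search requests.

    The proxy string is taken from ``conf.GOOGLE_PROXY`` (command line) first
    and from the ``GoogleProxy`` entry of the config file second.  It must be
    three whitespace-separated fields ``<type> <host> <port>``, where type is
    ``http``, ``sock5`` or ``sock4`` (``socks5``/``socks4`` are accepted as
    aliases of the last two).  A malformed value terminates the program with
    an error instead of silently falling back to a direct connection, so a
    typo in the proxy setting cannot leak the query past the proxy.

    Returns:
        An ``Http`` instance; ``proxy_info`` is set when a proxy is configured.
    """
    proxy_str = conf.GOOGLE_PROXY or ConfigFileParser().GoogleProxy()
    if not proxy_str:
        return Http()

    outputscreen.info('Proxy: %s' % proxy_str)
    # split() rather than split(' ') so runs of spaces or tabs do not create
    # empty fields that would fail the length check below.
    proxy = proxy_str.split()
    if len(proxy) != 3:
        msg = 'SyntaxError in GoogleProxy string, Please check your args or config file.'
        sys.exit(outputscreen.error(msg))
    scheme, host, port_str = proxy

    # Table lookup instead of an if/elif chain; the local was previously
    # named `type`, which shadowed the builtin.
    proxy_types = {
        'http': PROXY_TYPE.HTTP,
        'sock5': PROXY_TYPE.SOCKS5,
        'socks5': PROXY_TYPE.SOCKS5,
        'sock4': PROXY_TYPE.SOCKS4,
        'socks4': PROXY_TYPE.SOCKS4,
    }
    proxy_type = proxy_types.get(scheme.lower())
    if proxy_type is None:
        msg = 'Invalid proxy-type in GoogleProxy string, Please check your args or config file.'
        sys.exit(outputscreen.error(msg))

    # Reject non-numeric and out-of-range ports with the same message.
    try:
        port = int(port_str)
    except ValueError:
        port = -1
    if not 0 < port < 65536:
        msg = 'Invalid port in GoogleProxy string, Please check your args or config file.'
        sys.exit(outputscreen.error(msg))

    return Http(proxy_info=ProxyInfo(proxy_type, host, port))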
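def run():
    """Run the scan in the engine mode selected in ``conf``.

    ``conf.thread_mode`` starts ``th.thread_num`` daemon threads running
    ``scan`` and polls until ``th.thread_count`` drops to zero or
    ``th.is_continue`` is cleared; Ctrl-C clears the flag so the workers stop
    on their own.  ``conf.gevent_mode`` applies gevent's ``monkey.patch_all()``
    and spawns a batch of ``scan`` greenlets per round while targets remain.
    An error message a worker stored in ``th.errmsg`` is printed at the end.
    """
    initEngine()
    # Threading mode
    if conf.thread_mode:
        outputscreen.info('Threading mode')
        for i in range(th.thread_num):
            worker = threading.Thread(target=scan, name=str(i))
            # `daemon` attribute instead of the deprecated setDaemon().
            worker.daemon = True
            worker.start()
        # The main thread only waits here, so Ctrl-C lands in this loop.
        try:
            while th.thread_count > 0 and th.is_continue:
                time.sleep(0.01)
        except KeyboardInterrupt:
            outputscreen.nerror('User quit!')
            th.is_continue = False
    # Coroutine mode
    elif conf.gevent_mode:
        from gevent import monkey
        monkey.patch_all()
        import gevent
        outputscreen.info('Coroutine mode')
        while th.target.qsize() > 0 and th.is_continue:
            try:
                gevent.joinall([
                    gevent.spawn(scan)
                    for _ in range(th.thread_num)
                    if th.target.qsize() > 0
                ])
            except KeyboardInterrupt:
                sys.exit(outputscreen.error('Ctrl+C quit!'))
    if 'errmsg' in th:
        outputscreen.error(th.errmsg)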
def _initial():
    """Log in to ZoomEye and return the authenticated client.

    Exits with an error when the API reports no ``resources`` entry, which is
    how an invalid or expired token shows up here.
    """
    client = ZoomEye()
    client.auto_login()
    resources = client.resources_info().get('resources')
    if not resources:
        msg = 'ZoomEye API authorization failed, Please re-run it and enter a new token.'
        sys.exit(outputscreen.error(msg))
    remaining = resources.get('search', 'NO FOUND')
    outputscreen.info('Available ZoomEye search: (search:%s)' % remaining)
    return client
def HookRegister(args):
    """Record the proxy, User-Agent and Cookie options from ``args`` in ``conf``.

    Each option sets a ``*_MODE`` marker plus the value itself; the marker is
    reset to ``''`` when the option is absent.  The proxy-pool option requires
    ``<DATA_PATH>/Proxy_pool/proxy_pool.txt`` and exits when it is missing.
    """
    # Proxy: a single proxy, a proxy-pool file, or none.
    if args.proxy_ip:
        outputscreen.info('Use proxy: %s' % args.proxy_ip)
        conf.PROXY_MODE = 'PROXY'
        conf.INPUT_TARGET_PROXY = args.proxy_ip
    elif args.proxy_pool_ip:
        pool_file = os.path.join(paths.DATA_PATH, 'Proxy_pool', 'proxy_pool.txt')
        if not os.path.exists(pool_file):
            outputscreen.error(
                "读取代理文件出错,请确保代理文件名为proxy_pool.txt,每行一条代理,格式如: 124.225.223.101:80"
            )
            sys.exit()
        outputscreen.info('Use proxy ip file: proxy_pool.txt')
        conf.PROXY_MODE = "RANDOM_PROXY"
        conf.PROXY_IP_PATH = pool_file
    else:
        conf.PROXY_MODE = ''

    # User-Agent override.
    if not args.user_agent:
        conf.UA_MODE = ''
    else:
        outputscreen.info("Use User-Agent: %s" % args.user_agent)
        conf.UA_MODE = 'UA'
        conf.INPUT_TARGET_UA = args.user_agent

    # Cookie override.  NOTE: the full cookie value is echoed to the console
    # here, so it ends up in any captured output or log of this run.
    if not args.set_cookie:
        conf.COOKIE_MODE = ''
    else:
        outputscreen.info("Use Cookie: %s" % args.set_cookie)
        conf.COOKIE_MODE = 'COOKIE'
        conf.INPUT_TARGET_COOKIE = args.set_cookie
def setModule():
    """Fill ``conf.queue`` with targets and load the optional request hooks.

    The target loader is chosen by ``conf.TARGET_MODE`` (``SINGLE``, ``FILE``
    or ``API``); the proxy, User-Agent and Cookie loaders run only when the
    matching ``*_MODE`` marker is set.
    """
    conf.queue = queue.Queue()

    target_loaders = {
        'SINGLE': load_target_mode,
        'FILE': load_file_mode,
        'API': load_api_mode,
    }
    loader = target_loaders.get(conf.TARGET_MODE)
    if loader is not None:
        loader()

    if conf.PROXY_MODE == 'PROXY':
        load_proxy_ip()
    if conf.UA_MODE == "UA":
        load_ua()
    if conf.COOKIE_MODE == "COOKIE":
        load_cookie()

    outputscreen.info('Total: %s' % str(conf.queue.qsize()))
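def manual_login(self):
    """Prompt for ZoomEye credentials on the terminal and fetch a token.

    Sets ``self.username`` and ``self.password`` from interactive input (the
    password via ``getpass`` so it is not echoed) and exits with an error when
    ``get_token()`` cannot authenticate them.
    """
    msg = 'Please input your ZoomEye Email and Password below.'
    outputscreen.info(msg)
    try:
        self.username = input('[!] ZoomEye Username(Email): ').strip()
        # NOTE(review): the source of this block was partially masked around
        # the password prompt; the prompt text is original, the surrounding
        # except clause is reconstructed from the 'User quit!' exit that
        # followed it -- confirm against the repository.
        self.password = getpass.getpass(prompt='[!] ZoomEye Password: ')
    except KeyboardInterrupt:
        sys.exit(outputscreen.error('User quit!'))
    # Previously get_token() was called twice in a row, sending the
    # credentials to the API twice; one call is enough to decide.
    if not self.get_token():
        msg = 'Invalid ZoomEye username or password.'
        sys.exit(outputscreen.error(msg))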
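def auto_login(self):
    """Try the credentials stored in the config file, then fall back to a prompt.

    Reads ``ZoomEyeEmail``/``ZoomEyePassword`` via ``ConfigFileParser``; any
    failure to read them is treated as "not configured".  When both values are
    present and ``get_token()`` succeeds the method returns; otherwise it warns
    and hands over to ``manual_login``.
    """
    msg = 'Trying to login with credentials in config file: %s.' % paths.CONFIG_PATH
    outputscreen.info(msg)
    try:
        parser = ConfigFileParser()
        username = parser.ZoomEyeEmail()
        password = parser.ZoomEyePassword()
    # Narrowed from a bare `except:` so Ctrl-C / SystemExit still propagate;
    # a missing or unreadable config entry is still best-effort.
    except Exception:
        pass
    else:
        self.username = username
        self.password = password
    # getattr: the attributes may never have been assigned if the read failed.
    if getattr(self, 'username', None) and getattr(self, 'password', None):
        if self.get_token():
            return
    outputscreen.warning('Automatic authorization failed.')
    self.manual_login()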
def initEngine():
    """Reset the shared scan state in ``th`` before any worker starts.

    Copies the thread count and mode from ``conf``, points ``th.target`` at
    the target queue, clears the counters and records the start time.
    """
    # Control parameters shared with the workers.
    th.result = ''
    thread_num = conf.thread_num
    th.thread_count = thread_num
    th.thread_num = thread_num
    th.thread_mode = conf.thread_mode
    th.target = conf.queue
    th.s_flag = True
    # Flag telling the workers whether to keep scanning.
    th.is_continue = True
    # Console width used for output formatting.
    th.console_width = 100
    # Scan start time.
    th.start_time = time.time()
    setThreadLock()
    th.scan_count = 0
    th.found_count = 0
    outputscreen.info('Set the number of thread: %d' % thread_num)
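def GoogleSearch(query, limit, offset=0):
    """Return up to ``limit`` result links for ``query`` from Google Custom Search.

    ``offset`` skips that many leading results (rounded down to whole pages
    of ten).  The developer key and engine id are read from ``toolkit.conf``;
    the program exits with an error when either is missing or when the API
    cannot be reached through the configured client.

    Args:
        query: search string sent to the CSE API.
        limit: number of results wanted after ``offset``.
        offset: number of leading results to skip (default 0, non-negative).

    Returns:
        list of result URLs (the ``link`` of each item), pages concatenated
        in request order.
    """
    parser = ConfigFileParser()
    key = parser.GoogleDeveloperKey()
    engine = parser.GoogleEngine()
    if not key or not engine:
        msg = "Please config your 'developer_key' and 'search_enging' at toolkit.conf"
        sys.exit(outputscreen.error(msg))
    try:
        service = build("customsearch", "v1", http=_initHttpClient(), developerKey=key)
        cse = service.cse()
        # The first call only reports the size of the result set.
        result_info = cse.list(q=query, cx=engine).execute()
        total = result_info.get('searchInformation', {}).get('totalResults')
        outputscreen.info('Max query results: %s' % total)

        ans = []
        last = limit + offset
        # CSE pages are ten results wide and `start` is 1-indexed; integer
        # division replaces the previous int(x / 10) float round-trip.
        first_page = offset // 10
        last_page = (last + 9) // 10  # ceil(last / 10)
        for page in range(first_page, last_page):
            result = cse.list(q=query, cx=engine, num=10, start=page * 10 + 1).execute()
            ans.extend(item.get('link') for item in result.get('items', []))
        return ans
    except SocketError:
        sys.exit(outputscreen.error('Unable to connect Google, maybe agent/proxy error.'))
    except ApiNameOrVersion:
        msg = '使用-As加载的脚本超过12个会有这个未知的bug,还不知道怎么解决QAQ,先使用-s吧。'
        sys.exit(outputscreen.error(msg))
    except ServerHttpDenied:
        outputscreen.warning('It seems like Google-Server denied this request.')
        sys.exit()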
def TargetRegister(args):
    """Select the target source from ``args`` and record it in ``conf``.

    Exactly one of a single target, a target file, a ZoomEye dork or a Google
    dork is used, in that order of precedence; with none of them the program
    exits with an error.

    :param args: parsed command-line options
    :return: None
    """
    outputscreen.warning('Initialize targets...')

    # Single target.
    if args.target_single:
        outputscreen.info('Load target: %s' % args.target_single)
        conf.TARGET_MODE = 'SINGLE'
        conf.INPUT_TARGET_URL = args.target_single
        return

    # Targets listed in a file.
    if args.target_file:
        outputscreen.info('Load targets from: %s' % args.target_file)
        conf.TARGET_MODE = 'FILE'
        conf.INPUT_FILE_PATH = args.target_file
        return

    # Targets are the IPs / web hosts returned by a ZoomEye search.
    if args.zoomeye_dork:
        outputscreen.info('Load targets from Zoomeye_Api: %s' % args.zoomeye_dork)
        conf.TARGET_MODE = 'API'
        conf.API_MODE = 'Zoomeye'
        conf.API_DORK = args.zoomeye_dork
        return

    # Targets returned by a Google search.
    if args.google_dork:
        outputscreen.info('Load targets from Google_Api: %s' % args.google_dork)
        conf.TARGET_MODE = 'API'
        conf.API_MODE = 'Google'
        conf.API_DORK = args.google_dork
        return

    outputscreen.error('No target or target file is specified!')
    sys.exit()
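def _report_loaded_scripts(found, err_msg):
    """Log the scripts recorded in ``conf.MODULE_NAME`` or exit with ``err_msg``.

    ``found`` is the running match counter; zero means nothing was collected.
    """
    if found == 0:
        outputscreen.error(err_msg)
        sys.exit()
    outputscreen.info('Load script:%s' % conf.MODULE_NAME)


def ScriptsRegister(args):
    """Resolve the ``-s`` / ``-As`` selections to script files under ``paths.POCS_PATH``.

    ``args.script_name`` is a list of script stems (file name without its
    extension).  Each is matched by exact equality against the stem of every
    file found by walking ``POCS_PATH``, so a requested name can only ever
    select files inside that tree.  ``args.all_scripts`` is a directory name,
    matched exactly against directory names in the same walk; every ``*.py``
    in it whose name does not contain ``__`` is loaded.  Both selections may
    be given and accumulate.  Results go to ``conf.MODULE_NAME`` (names) and
    ``conf.MODULE_FILE_PATH`` (paths); the program exits with an error when a
    selection matched nothing.
    """
    script_name = args.script_name
    all_scripts = args.all_scripts
    pocs_path = paths.POCS_PATH
    script_name_list = []  # script names to load
    script_path_list = []  # matching file paths
    found = 0              # matches so far; 0 means "nothing found"

    if not (script_name or all_scripts):
        outputscreen.error('Use -s/-As load script/scripts')
        sys.exit()

    # Individual scripts: compare every requested stem with every file stem.
    # (len(script_name) used to be evaluated before this check, which raised
    # TypeError when only -As was given with script_name unset.)
    if script_name:
        for root, _dirs, files in os.walk(pocs_path):
            for fname in files:
                stem = os.path.splitext(fname)[0]
                for target in script_name:
                    if target == stem:
                        found += 1
                        script_name_list.append(stem)
                        script_path_list.append(os.path.join(root, fname))
        conf.MODULE_NAME = script_name_list
        conf.MODULE_FILE_PATH = script_path_list
        _report_loaded_scripts(
            found, 'Script not %s exist, please check spelling' % script_name)

    # Whole directory of scripts, e.g. every poc of one product family.
    if all_scripts:
        for root, dirs, _files in os.walk(pocs_path):
            if all_scripts not in dirs:
                continue
            dir_path = os.path.join(root, all_scripts)
            # Directory order is whatever os.listdir returns (not sorted),
            # as before.
            entries = [e for e in os.listdir(dir_path) if '__' not in e]
            # Every entry counts toward `found`, not only .py files, to keep
            # the previous "directory exists but is empty" behaviour.
            found += len(entries)
            for entry in entries:
                if entry.endswith('.py'):
                    script_name_list.append(entry)
                    script_path_list.append(os.path.join(dir_path, entry))
        conf.MODULE_NAME = script_name_list
        conf.MODULE_FILE_PATH = script_path_list
        _report_loaded_scripts(
            found, 'File not %s exist. please check spelling' % all_scripts)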